two factor auth

[ChristophWurst]

This PR adds two factor authorization to all requests using the app framework. Unless at least one 2FA app is enabled (install this https://github.com/owncloud/twofactor_email app for testing), nothing changes with respect to authentication. The dummy app included prompts the user for a token sent by email, which is the hard-coded value 'passme'. This 2FA system architecture allows app developers to write own 2FA providers which can be plugged in as apps.

fixes #12102

TODO - basic

• parse 2FA providers from info.xml
• build list of 2FA providers
• check if 2FA is enforced for the user
• show 2FA provider selection view
• show selected 2FA provider challenge view
• check the validity of the submitted token
• show 2FA token error message
• unit tests
• OCC command to disable 2FA for users
• prettier 2FA login screen

TODO - email 2FA app

• dummy validation (always enforce + hard-coded token)
• extract demo app into it's own repo

TODO - enhanced (done in separate PRs if possible)

• if 2FA is used, clients can only log in with client-specific passwords -> Forbid password login on APIs if user is two-factor authenticated #24768
• send out real email with a generated temporary password
• remember redirect_url across requests

Other ideas

• make it possible to cancel 2FA to log in as an other user

[mention-bot]

By analyzing the blame information on this pull request, we identified @bantu, @DeepDiver1975 and @icewind1991 to be potential reviewers

[DeepDiver1975]

max-version is required as well

[ChristophWurst]

• TODO: change license header email address 🙈

[LukasReschke]

Can't enable 😢

[LukasReschke]

id needs to be twofactor_email otherwise installation will fail 😉

[ChristophWurst]

installation via occ works 😉

[LukasReschke]

Easily bypassed using the following URL:

http://localhost/index.php/login?redirect_url=%252Foc%252Findex.php%252Fapps%252Ffiles%252F

Needs some more state checks 😄

[ChristophWurst]

• BUG: emtpy can not be used for return values

Parse error: ./lib/private/Authentication/TwoFactorAuth/Manager.php:58

    56|      */

    57|     public function isTwoFactorAuthenticated(IUser $user) {

  > 58|         return !empty($this->getProviders($user));

    59|     }

    60| 

Fatal error: Can't use method return value

[ChristophWurst]

[ChristophWurst]

2FA can be disabled/enabled via OCC:

$ php occ twofactor:disable admin
2FA disabled for user admin

$ php occ twofactor:enable admin
2FA enabled for user admin

Note that 2FA is enforced for all users by default if at least one 2FA provider app is enabled.

[PVince81]

About the CI error not sure, maybe something went wrong with all the recent merges.
That sqlite issue doesn't seem to happen on master: https://ci.owncloud.org/job/server-master-linux/
(there's a mysql error "too many connections" on master, unrelated)

So not sure, did you try running the sqlite tests locally ?

[PVince81]

Reproducible on your branch:

% ./autotest.sh sqlite
Using PHP executable /usr/bin/php
Parsing all files in lib/public for the presence of @since or @deprecated on each method...

Using database oc_autotest
Setup environment for sqlite testing on local storage ...
Installing ....
The process control (PCNTL) extensions are required in case you want to interrupt long running commands - see http://php.net/manual/en/book.pcntl.php
ownCloud is not installed - only a limited number of commands are available
{"reqId":"gRq23Q1VbUONT8pIzumE","remoteAddr":"","app":"PHP","message":"file_put_contents(\/srv\/www\/htdocs\/owncloud\/data\/.htaccess): failed to open stream: Permission denied at \/srv\/www\/htdocs\/owncloud\/lib\/private\/Setup.php#498","level":3,"time":"2016-05-20T12:20:41+00:00","method":"--","url":"--","user":"--"}
{"reqId":"gRq23Q1VbUONT8pIzumE","remoteAddr":"","app":"PHP","message":"file_put_contents(\/srv\/www\/htdocs\/owncloud\/data\/index.html): failed to open stream: Permission denied at \/srv\/www\/htdocs\/owncloud\/lib\/private\/Setup.php#499","level":3,"time":"2016-05-20T12:20:41+00:00","method":"--","url":"--","user":"--"}
creating sqlite db
ownCloud was successfully installed
{"reqId":"gRq23Q1VbUONT8pIzumE","remoteAddr":"","app":"PHP","message":"chmod(): Operation not permitted at \/srv\/www\/htdocs\/owncloud\/lib\/private\/Log\/Owncloud.php#114","level":3,"time":"2016-05-20T12:20:41+00:00","method":"--","url":"--","user":"admin"}
Testing with sqlite ...
No coverage
/home/vincent/opt/bin/phpunit --configuration phpunit-autotest.xml --log-junit autotest-results-sqlite.xml  
PHP Fatal error:  Uncaught exception 'PDOException' with message 'SQLSTATE[HY000]: General error: 1 no such table: oc_appconfig' in /srv/www/htdocs/owncloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php:104
Stack trace:
#0 /srv/www/htdocs/owncloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/PDOConnection.php(104): PDO->query('SELECT * FROM "...')
#1 /srv/www/htdocs/owncloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php(833): Doctrine\DBAL\Driver\PDOConnection->query('SELECT * FROM "...')
#2 /srv/www/htdocs/owncloud/lib/private/DB/Connection.php(184): Doctrine\DBAL\Connection->executeQuery('SELECT * FROM "...', Array, Array, NULL)
#3 /srv/www/htdocs/owncloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Query/QueryBuilder.php(206): OC\DB\Connection->executeQuery('SELECT * FROM `...', Array, Array)
#4 /srv/www/htdocs/owncloud/lib/private/DB/QueryBuilder/QueryBuilder.php(141): Doctrine\DBAL\Query\QueryBuilder->execute()
#5 /srv/www/htdocs/owncloud/lib/private/AppConfig.php(274): OC\DB\QueryBuilder\Que in /srv/www/htdocs/owncloud/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractSQLiteDriver.php on line 58

[PVince81]

Cannot reproduce on master. Weird.

[ChristophWurst]

opened an issue for canceling 2fa: #24745

[ChristophWurst]

Reproducible locally

./autotest.sh sqlite                                                                                                                                                                           
Using PHP executable /usr/bin/php                                                                                                                                                                                                 
Parsing all files in lib/public for the presence of @since or @deprecated on each method...                                                                                                                                       

Using database oc_autotest                                                                                                                                                                                                        
Setup environment for sqlite testing on local storage ...                                                                                                                                                                         
Installing ....                                                                                                                                                                                                                   
ownCloud is not installed - only a limited number of commands are available                                                                                                                                                       
creating sqlite db                                                                                                                                                                                                                
Error while trying to create admin user: An exception occurred while executing 'CREATE TABLE "oc_appconfig" ("appid" VARCHAR(32) DEFAULT '' NOT NULL, "configkey" VARCHAR(64) DEFAULT '' NOT NULL, "configvalue" CLOB DEFAULT NULL, PRIMARY KEY("appid", "configkey"))':

SQLSTATE[HY000]: General error: 1 table "oc_appconfig" already exists

I have no idea where that comes from…

[PVince81]

@ChristophWurst it is likely that some of your code is running very early, even before the database tables are created. The code is question is likely the part that reads the two factor auth flags ?

[PVince81]

There might also be some config code that runs whenever you call \OC::$server->getXXXConfig() and preloads all config values. Maybe this is happening too early.

[ChristophWurst]

sqlite error fixed.

@LukasReschke @PVince81 @rullzer @nickvergessen @BernhardPosselt review please :)

[PVince81]

👍

[ChristophWurst]

Unit tests fail…

[ChristophWurst]

Unrelated?

05:26:15 There was 1 failure:
05:26:15 
05:26:15 1) Test\Files\Utils\ScannerTest::testReuseExistingRoot
05:26:15 Failed asserting that two objects are equal.
05:26:15 --- Expected
05:26:15 +++ Actual
05:26:15 @@ @@
05:26:15          'encrypted' => false
05:26:15 -        'etag' => '5742cc2463af2'
05:26:15 +        'etag' => '5742cc2464566'
05:26:15          'permissions' => 23
05:26:15          'checksum' => ''
05:26:15          'encryptedVersion' => 0
05:26:15      )
05:26:15  )

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.