|
|
|
@ -38,6 +38,7 @@ use OCP\AppFramework\OCSController;
|
|
|
|
|
use OCP\AppFramework\Utility\ITimeFactory;
|
|
|
|
|
use OCP\BackgroundJob\IJobList;
|
|
|
|
|
use OCP\IRequest;
|
|
|
|
|
use OCP\Security\Bruteforce\IThrottler;
|
|
|
|
|
use OCP\Security\ISecureRandom;
|
|
|
|
|
use Psr\Log\LoggerInterface;
|
|
|
|
|
|
|
|
|
@ -56,6 +57,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
private DbHandler $dbHandler;
|
|
|
|
|
private LoggerInterface $logger;
|
|
|
|
|
private ITimeFactory $timeFactory;
|
|
|
|
|
private IThrottler $throttler;
|
|
|
|
|
|
|
|
|
|
public function __construct(
|
|
|
|
|
string $appName,
|
|
|
|
@ -65,7 +67,8 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
TrustedServers $trustedServers,
|
|
|
|
|
DbHandler $dbHandler,
|
|
|
|
|
LoggerInterface $logger,
|
|
|
|
|
ITimeFactory $timeFactory
|
|
|
|
|
ITimeFactory $timeFactory,
|
|
|
|
|
IThrottler $throttler
|
|
|
|
|
) {
|
|
|
|
|
parent::__construct($appName, $request);
|
|
|
|
|
|
|
|
|
@ -75,6 +78,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
$this->dbHandler = $dbHandler;
|
|
|
|
|
$this->logger = $logger;
|
|
|
|
|
$this->timeFactory = $timeFactory;
|
|
|
|
|
$this->throttler = $throttler;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
@ -82,6 +86,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*
|
|
|
|
|
* @NoCSRFRequired
|
|
|
|
|
* @PublicPage
|
|
|
|
|
* @BruteForceProtection(action=federationSharedSecret)
|
|
|
|
|
*
|
|
|
|
|
* @param string $url URL of the server
|
|
|
|
|
* @param string $token Token of the server
|
|
|
|
@ -100,6 +105,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*
|
|
|
|
|
* @NoCSRFRequired
|
|
|
|
|
* @PublicPage
|
|
|
|
|
* @BruteForceProtection(action=federationSharedSecret)
|
|
|
|
|
*
|
|
|
|
|
* @param string $url URL of the server
|
|
|
|
|
* @param string $token Token of the server
|
|
|
|
@ -117,6 +123,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*
|
|
|
|
|
* @NoCSRFRequired
|
|
|
|
|
* @PublicPage
|
|
|
|
|
* @BruteForceProtection(action=federationSharedSecret)
|
|
|
|
|
*
|
|
|
|
|
* @param string $url URL of the server
|
|
|
|
|
* @param string $token Token of the server
|
|
|
|
@ -127,6 +134,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*/
|
|
|
|
|
public function requestSharedSecret(string $url, string $token): DataResponse {
|
|
|
|
|
if ($this->trustedServers->isTrustedServer($url) === false) {
|
|
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
|
|
|
|
|
$this->logger->error('remote server not trusted (' . $url . ') while requesting shared secret', ['app' => 'federation']);
|
|
|
|
|
throw new OCSForbiddenException();
|
|
|
|
|
}
|
|
|
|
@ -159,6 +167,7 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*
|
|
|
|
|
* @NoCSRFRequired
|
|
|
|
|
* @PublicPage
|
|
|
|
|
* @BruteForceProtection(action=federationSharedSecret)
|
|
|
|
|
*
|
|
|
|
|
* @param string $url URL of the server
|
|
|
|
|
* @param string $token Token of the server
|
|
|
|
@ -169,11 +178,13 @@ class OCSAuthAPIController extends OCSController {
|
|
|
|
|
*/
|
|
|
|
|
public function getSharedSecret(string $url, string $token): DataResponse {
|
|
|
|
|
if ($this->trustedServers->isTrustedServer($url) === false) {
|
|
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
|
|
|
|
|
$this->logger->error('remote server not trusted (' . $url . ') while getting shared secret', ['app' => 'federation']);
|
|
|
|
|
throw new OCSForbiddenException();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if ($this->isValidToken($url, $token) === false) {
|
|
|
|
|
$this->throttler->registerAttempt('federationSharedSecret', $this->request->getRemoteAddress());
|
|
|
|
|
$expectedToken = $this->dbHandler->getToken($url);
|
|
|
|
|
$this->logger->error(
|
|
|
|
|
'remote server (' . $url . ') didn\'t send a valid token (got "' . $token . '" but expected "'. $expectedToken . '") while getting shared secret',
|
|
|
|
|