From 7768cbb19ef0b0a643e6e7deb8e68719b97f8c3d Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Wed, 8 Jan 2020 10:51:44 +0100
Subject: [PATCH] Clean up 2FA provider registry when a user is deleted
Signed-off-by: Christoph Wurst
---
 core/Application.php | 3 ++
 lib/composer/composer/autoload_classmap.php | 1 +
 lib/composer/composer/autoload_static.php | 1 +
 .../UserDeletedStoreCleanupListener.php | 50 +++++++++++++++++++
 .../Db/ProviderUserAssignmentDao.php | 9 ++++
 .../Authentication/TwoFactorAuth/Registry.php | 7 +++
 .../Db/ProviderUserAssignmentDaoTest.php | 14 ++++++
 .../TwoFactorAuth/RegistryTest.php | 10 ++++
 8 files changed, 95 insertions(+)
 create mode 100644 lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php
diff --git a/core/Application.php b/core/Application.php
index 06b8a6fede..879ac1cff7 100644
--- a/core/Application.php
+++ b/core/Application.php
@@ -36,6 +36,7 @@ use OC\Authentication\Events\RemoteWipeStarted;
 use OC\Authentication\Listeners\RemoteWipeActivityListener;
 use OC\Authentication\Listeners\RemoteWipeEmailListener;
 use OC\Authentication\Listeners\RemoteWipeNotificationsListener;
+use OC\Authentication\Listeners\UserDeletedStoreCleanupListener;
 use OC\Authentication\Notifications\Notifier as AuthenticationNotifier;
 use OC\Core\Notification\RemoveLinkSharesNotifier;
 use OC\DB\MissingIndexInformation;
@@ -44,6 +45,7 @@ use OCP\AppFramework\App;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IDBConnection;
 use OCP\IServerContainer;
+use OCP\User\Events\UserDeletedEvent;
 use OCP\Util;
 use Symfony\Component\EventDispatcher\GenericEvent;
@@ -172,6 +174,7 @@ class Application extends App {
 $eventDispatcher->addServiceListener(RemoteWipeFinished::class, RemoteWipeActivityListener::class);
 $eventDispatcher->addServiceListener(RemoteWipeFinished::class, RemoteWipeNotificationsListener::class);
 $eventDispatcher->addServiceListener(RemoteWipeFinished::class, RemoteWipeEmailListener::class);
+ $eventDispatcher->addServiceListener(UserDeletedEvent::class, UserDeletedStoreCleanupListener::class);
 }
 }
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 95156cf633..88058b0c88 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -602,6 +602,7 @@ return array( 'OC\\Authentication\\Listeners\\RemoteWipeActivityListener' => $baseDir . '/lib/private/Authentication/Listeners/RemoteWipeActivityListener.php', 'OC\\Authentication\\Listeners\\RemoteWipeEmailListener' => $baseDir . '/lib/private/Authentication/Listeners/RemoteWipeEmailListener.php', 'OC\\Authentication\\Listeners\\RemoteWipeNotificationsListener' => $baseDir . '/lib/private/Authentication/Listeners/RemoteWipeNotificationsListener.php', + 'OC\\Authentication\\Listeners\\UserDeletedStoreCleanupListener' => $baseDir . '/lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php', 'OC\\Authentication\\LoginCredentials\\Credentials' => $baseDir . '/lib/private/Authentication/LoginCredentials/Credentials.php', 'OC\\Authentication\\LoginCredentials\\Store' => $baseDir . '/lib/private/Authentication/LoginCredentials/Store.php', 'OC\\Authentication\\Login\\ALoginCommand' => $baseDir . '/lib/private/Authentication/Login/ALoginCommand.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index f6af611ac1..a69fbcd06d 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -631,6 +631,7 @@ class ComposerStaticInit53792487c5a8370acc0b06b1a864ff4c 'OC\\Authentication\\Listeners\\RemoteWipeActivityListener' => __DIR__ . '/../../..' . '/lib/private/Authentication/Listeners/RemoteWipeActivityListener.php', 'OC\\Authentication\\Listeners\\RemoteWipeEmailListener' => __DIR__ . '/../../..' . '/lib/private/Authentication/Listeners/RemoteWipeEmailListener.php', 'OC\\Authentication\\Listeners\\RemoteWipeNotificationsListener' => __DIR__ . '/../../..' . '/lib/private/Authentication/Listeners/RemoteWipeNotificationsListener.php', + 'OC\\Authentication\\Listeners\\UserDeletedStoreCleanupListener' => __DIR__ . '/../../..' . '/lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php', 'OC\\Authentication\\LoginCredentials\\Credentials' => __DIR__ . '/../../..' . '/lib/private/Authentication/LoginCredentials/Credentials.php', 'OC\\Authentication\\LoginCredentials\\Store' => __DIR__ . '/../../..' . '/lib/private/Authentication/LoginCredentials/Store.php', 'OC\\Authentication\\Login\\ALoginCommand' => __DIR__ . '/../../..' . '/lib/private/Authentication/Login/ALoginCommand.php',
diff --git a/lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php b/lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php
new file mode 100644
index 0000000000..4a74ca82e1
--- /dev/null
+++ b/lib/private/Authentication/Listeners/UserDeletedStoreCleanupListener.php
@@ -0,0 +1,50 @@
+
+ *
+ * @author 2020 Christoph Wurst
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see .
+ */
+
+namespace OC\Authentication\Listeners;
+
+use OC\Authentication\TwoFactorAuth\Registry;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\User\Events\UserDeletedEvent;
+
+class UserDeletedStoreCleanupListener implements IEventListener {
+
+ /** @var Registry */
+ private $registry;
+
+ public function __construct(Registry $registry) {
+ $this->registry = $registry;
+ }
+
+ public function handle(Event $event): void {
+ if (!($event instanceof UserDeletedEvent)) {
+ return;
+ }
+
+ $this->registry->deleteUserData($event->getUser());
+ }
+
+}
diff --git a/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php
index adf16887ef..4e8f9731d9 100644
--- a/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php
+++ b/lib/private/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDao.php
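Review bot: UserDeletedStoreCleanupListener has no class docblock, and its name does not say which store it cleans; the only thing `handle()` does is call `Registry::deleteUserData()` for the deleted user. I would add above the class `/** Removes a deleted user's two-factor provider assignments from the registry. */`. If the motivation is that a later account created with the same UID must not inherit the old 2FA state, that deserves one more sentence there, since the hunk itself does not say why the cleanup matters.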
@@ -93,6 +93,15 @@ class ProviderUserAssignmentDao {
 }
+ public function deleteByUser(string $uid) {
+ $qb = $this->conn->getQueryBuilder();
+
+ $deleteQuery = $qb->delete(self::TABLE_NAME)
+ ->where($qb->expr()->eq('uid', $qb->createNamedParameter($uid)));
+
+ $deleteQuery->execute();
+ }
+
 public function deleteAll(string $providerId) {
 $qb = $this->conn->getQueryBuilder();
diff --git a/lib/private/Authentication/TwoFactorAuth/Registry.php b/lib/private/Authentication/TwoFactorAuth/Registry.php
index 151299b28e..97df2bd531 100644
--- a/lib/private/Authentication/TwoFactorAuth/Registry.php
+++ b/lib/private/Authentication/TwoFactorAuth/Registry.php
@@ -66,6 +66,13 @@ class Registry implements IRegistry {
 $this->dispatcher->dispatch(self::EVENT_PROVIDER_DISABLED, $event);
 }
+ /**
+ * @todo evaluate if we should emit RegistryEvents for each of the deleted rows -> needs documentation
+ */
+ public function deleteUserData(IUser $user): void {
+ $this->assignmentDao->deleteByUser($user->getUID());
+ }
+
 public function cleanUp(string $providerId) {
 $this->assignmentDao->deleteAll($providerId);
 }
diff --git a/tests/lib/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDaoTest.php b/tests/lib/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDaoTest.php
index 67eb27cfde..9be2e64e98 100644
--- a/tests/lib/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDaoTest.php
+++ b/tests/lib/Authentication/TwoFactorAuth/Db/ProviderUserAssignmentDaoTest.php
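Review bot: `deleteByUser` is declared without a return type, while the two other methods this commit adds (`handle` and `deleteUserData`) are `: void`; `public function deleteByUser(string $uid): void {` would match them. The method also has no docblock; `/** Deletes every provider assignment stored for the given user id. */` would cover it. The uid is bound through `createNamedParameter`, so the query itself needs no change. The class body continues outside the hunk.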
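Review bot: The docblock on `deleteUserData` is only a `@todo`, so a caller cannot tell that the method removes just the registry's assignment rows (through `assignmentDao->deleteByUser`) and emits no RegistryEvent. A provider that keeps per-user secrets of its own is, as far as this hunk shows, not notified here and presumably has to react to `UserDeletedEvent` itself; the docblock should state that, for example `Deletes the user's provider assignments from the registry; provider-owned data is not touched and no registry event is emitted.` Rows left behind by users deleted before this change are also outside what the listener reaches, so a one-off repair step may be worth a follow-up. The class body starts and ends outside the hunk.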
@@ -131,6 +131,20 @@ class ProviderUserAssignmentDaoTest extends TestCase {
 $this->assertCount(1, $data);
 }
+ public function testDeleteByUser() {
+ $this->dao->persist('twofactor_fail', 'user1', 1);
+ $this->dao->persist('twofactor_u2f', 'user1', 1);
+ $this->dao->persist('twofactor_fail', 'user2', 0);
+ $this->dao->persist('twofactor_u2f', 'user1', 0);
+
+ $this->dao->deleteByUser('user1');
+
+ $statesUser1 = $this->dao->getState('user1');
+ $statesUser2 = $this->dao->getState('user2');
+ $this->assertCount(0, $statesUser1);
+ $this->assertCount(1, $statesUser2);
+ }
+
 public function testDeleteAll() {
 $this->dao->persist('twofactor_fail', 'user1', 1);
 $this->dao->persist('twofactor_u2f', 'user1', 1);
diff --git a/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php b/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
index 2f59d14992..90fc4a9d27 100644
--- a/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
+++ b/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
@@ -108,6 +108,16 @@ class RegistryTest extends TestCase {
 $this->registry->disableProviderFor($provider, $user);
 }
+ public function testDeleteUserData() {
+ $user = $this->createMock(IUser::class);
+ $user->expects($this->once())->method('getUID')->willReturn('user123');
+ $this->dao->expects($this->once())
+ ->method('deleteByUser')
+ ->with('user123');
+
+ $this->registry->deleteUserData($user);
+ }
+
 public function testCleanUp() {
 $this->dao->expects($this->once())
 ->method('deleteAll')
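Review bot: In `testDeleteByUser` the fourth `persist('twofactor_u2f', 'user1', 0)` repeats the provider/user pair of the second call, so the fixture holds only one row for user2 and the final `assertCount(1, $statesUser2)` cannot show that several rows of another user survive the delete. The line looks carried over from the neighbouring delete test; `$this->dao->persist('twofactor_u2f', 'user2', 0);` together with `$this->assertCount(2, $statesUser2);` would make the user2 check meaningful. This assumes `getState()` returns one entry per provider, which the hunk does not show.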