Require CSRF token for non WebDAV authenticated requests

This commit is contained in:
Lukas Reschke 2016-02-16 13:16:52 +01:00
parent 3a97a0ad7f
commit 9b3c4e8dc4
9 changed files with 112 additions and 107 deletions

View file

@ -30,6 +30,7 @@ use Sabre\CalDAV\CalendarRoot;
$authBackend = new Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
\OC::$server->getRequest(),
'principals/'
);
$principalBackend = new Principal(

View file

@ -32,6 +32,7 @@ use Sabre\CardDAV\Plugin;
$authBackend = new Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
\OC::$server->getRequest(),
'principals/'
);
$principalBackend = new Principal(

View file

@ -41,6 +41,7 @@ $serverFactory = new \OCA\DAV\Connector\Sabre\ServerFactory(
$authBackend = new \OCA\DAV\Connector\Sabre\Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession(),
\OC::$server->getRequest(),
'principals/'
);
$requestUri = \OC::$server->getRequest()->getRequestUri();

View file

@ -30,6 +30,7 @@
namespace OCA\DAV\Connector\Sabre;
use Exception;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use Sabre\DAV\Auth\Backend\AbstractBasic;
@ -45,17 +46,22 @@ class Auth extends AbstractBasic {
private $session;
/** @var IUserSession */
private $userSession;
/** @var IRequest */
private $request;
/**
* @param ISession $session
* @param IUserSession $userSession
* @param IRequest $request
* @param string $principalPrefix
*/
public function __construct(ISession $session,
IUserSession $userSession,
IRequest $request,
$principalPrefix = 'principals/users/') {
$this->session = $session;
$this->userSession = $userSession;
$this->request = $request;
$this->principalPrefix = $principalPrefix;
}
@ -106,26 +112,6 @@ class Auth extends AbstractBasic {
}
}
/**
* Returns information about the currently logged in username.
*
* If nobody is currently logged in, this method should return null.
*
* @return string|null
*/
public function getCurrentUser() {
$user = $this->userSession->getUser() ? $this->userSession->getUser()->getUID() : null;
if($user !== null && $this->isDavAuthenticated($user)) {
return $user;
}
if($user !== null && is_null($this->session->get(self::DAV_AUTHENTICATED))) {
return $user;
}
return null;
}
/**
* @param RequestInterface $request
* @param ResponseInterface $response
@ -150,8 +136,19 @@ class Auth extends AbstractBasic {
* @param RequestInterface $request
* @param ResponseInterface $response
* @return array
* @throws NotAuthenticated
*/
private function auth(RequestInterface $request, ResponseInterface $response) {
// If request is not GET and not authenticated via WebDAV a requesttoken is required
if($this->userSession->isLoggedIn() &&
$this->request->getMethod() !== 'GET' &&
!$this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
if(!$this->request->passesCSRFCheck()) {
$response->setStatus(401);
throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
}
}
if (\OC_User::handleApacheAuth() ||
//Fix for broken webdav clients
($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED))) ||

View file

@ -129,9 +129,6 @@ class Plugin extends ServerPlugin {
return;
}
// CSRF protection
$this->protectAgainstCSRF();
$requestBody = $request->getBodyAsString();
// If this request handler could not deal with this POST request, it
@ -201,18 +198,4 @@ class Plugin extends ServerPlugin {
}
}
private function protectAgainstCSRF() {
$user = $this->auth->getCurrentUser();
if ($this->auth->isDavAuthenticated($user)) {
return true;
}
if ($this->request->passesCSRFCheck()) {
return true;
}
throw new BadRequest();
}
}

View file

@ -53,7 +53,8 @@ class Server {
// Backends
$authBackend = new Auth(
\OC::$server->getSession(),
\OC::$server->getUserSession()
\OC::$server->getUserSession(),
\OC::$server->getRequest()
);
// Set URL explicitly due to reverse-proxy situations

View file

@ -24,6 +24,7 @@
namespace OCA\DAV\Tests\Unit\Connector\Sabre;
use OCP\IRequest;
use OCP\IUser;
use Test\TestCase;
use OCP\ISession;
@ -42,6 +43,8 @@ class Auth extends TestCase {
private $auth;
/** @var IUserSession */
private $userSession;
/** @var IRequest */
private $request;
public function setUp() {
parent::setUp();
@ -49,7 +52,13 @@ class Auth extends TestCase {
->disableOriginalConstructor()->getMock();
$this->userSession = $this->getMockBuilder('\OCP\IUserSession')
->disableOriginalConstructor()->getMock();
$this->auth = new \OCA\DAV\Connector\Sabre\Auth($this->session, $this->userSession);
$this->request = $this->getMockBuilder('\OCP\IRequest')
->disableOriginalConstructor()->getMock();
$this->auth = new \OCA\DAV\Connector\Sabre\Auth(
$this->session,
$this->userSession,
$this->request
);
}
public function testIsDavAuthenticatedWithoutDavSession() {
@ -189,71 +198,11 @@ class Auth extends TestCase {
$this->assertFalse($this->invokePrivate($this->auth, 'validateUserPass', ['MyTestUser', 'MyTestPassword']));
}
public function testGetCurrentUserWithoutBeingLoggedIn() {
$this->assertSame(null, $this->auth->getCurrentUser());
}
public function testGetCurrentUserWithValidDAVLogin() {
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('MyTestUser'));
$this->userSession
->expects($this->exactly(2))
->method('getUser')
->will($this->returnValue($user));
$this->session
->expects($this->exactly(2))
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue('MyTestUser'));
$this->assertSame('MyTestUser', $this->auth->getCurrentUser());
}
public function testGetCurrentUserWithoutAnyDAVLogin() {
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('MyTestUser'));
$this->userSession
->expects($this->exactly(2))
->method('getUser')
->will($this->returnValue($user));
$this->session
->expects($this->exactly(2))
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue(null));
$this->assertSame('MyTestUser', $this->auth->getCurrentUser());
}
public function testGetCurrentUserWithWrongDAVUser() {
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('MyWrongDavUser'));
$this->userSession
->expects($this->exactly(2))
->method('getUser')
->will($this->returnValue($user));
$this->session
->expects($this->exactly(3))
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue('AnotherUser'));
$this->assertSame(null, $this->auth->getCurrentUser());
}
public function testAuthenticateAlreadyLoggedIn() {
/**
* @expectedException \Sabre\DAV\Exception\NotAuthenticated
* @expectedExceptionMessage CSRF check not passed.
*/
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForNonGet() {
$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
->disableOriginalConstructor()
->getMock();
@ -279,9 +228,77 @@ class Auth extends TestCase {
->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$response = $this->auth->check($request, $response);
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
}
public function testAuthenticateAlreadyLoggedInWithoutCsrfTokenForGet() {
$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
->disableOriginalConstructor()
->getMock();
$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
->disableOriginalConstructor()
->getMock();
$this->userSession
->expects($this->exactly(2))
->method('isLoggedIn')
->will($this->returnValue(true));
$this->session
->expects($this->once())
->method('close');
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue(null));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->once())
->method('getUID')
->will($this->returnValue('MyWrongDavUser'));
$this->userSession
->expects($this->once())
->method('getUser')
->will($this->returnValue($user));
$this->request
->expects($this->once())
->method('getMethod')
->willReturn('GET');
$response = $this->auth->check($request, $response);
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);
}
public function testAuthenticateAlreadyLoggedInWithCsrfTokenForGet() {
$request = $this->getMockBuilder('Sabre\HTTP\RequestInterface')
->disableOriginalConstructor()
->getMock();
$response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface')
->disableOriginalConstructor()
->getMock();
$this->userSession
->expects($this->exactly(2))
->method('isLoggedIn')
->will($this->returnValue(true));
$this->session
->expects($this->exactly(2))
->method('get')
->with('AUTHENTICATED_TO_DAV_BACKEND')
->will($this->returnValue(null));
$user = $this->getMockBuilder('\OCP\IUser')
->disableOriginalConstructor()
->getMock();
$user->expects($this->exactly(2))
->method('getUID')
->will($this->returnValue('MyWrongDavUser'));
$this->userSession
->expects($this->exactly(2))
->method('getUser')
->will($this->returnValue($user));
$this->request
->expects($this->once())
->method('passesCSRFCheck')
->willReturn(true);
$response = $this->auth->check($request, $response);
$this->assertEquals([true, 'principals/users/MyWrongDavUser'], $response);

View file

@ -37,7 +37,10 @@
}
url += options.host + this._root;
this._defaultHeaders = options.defaultHeaders || {'X-Requested-With': 'XMLHttpRequest'};
this._defaultHeaders = options.defaultHeaders || {
'X-Requested-With': 'XMLHttpRequest',
'requesttoken': OC.requestToken
};
this._baseUrl = url;
var clientOptions = {

View file

@ -240,7 +240,8 @@
return options.url;
};
var headers = _.extend({
'X-Requested-With': 'XMLHttpRequest'
'X-Requested-With': 'XMLHttpRequest',
'requesttoken': OC.requestToken
}, options.headers);
if (options.type === 'PROPFIND') {
return callPropFind(client, options, model, headers);