server/lib/private/user.php
Vincent Petry 4e957c7b18 Merge pull request #8443 from owncloud/csrf-on-login-and-logout
Add CSRF check on login and logout
2014-06-02 11:27:20 +02:00

644 lines
16 KiB
PHP

<?php
/**
* ownCloud
*
* @author Frank Karlitschek
* @copyright 2012 Frank Karlitschek frank@owncloud.org
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
* License as published by the Free Software Foundation; either
* version 3 of the License, or any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
*
* You should have received a copy of the GNU Affero General Public
* License along with this library. If not, see <http://www.gnu.org/licenses/>.
*
*/
/**
* This class provides wrapper methods for user management. Multiple backends are
* supported. User management operations are delegated to the configured backend for
* execution.
*
* Hooks provided:
* pre_createUser(&run, uid, password)
* post_createUser(uid, password)
* pre_deleteUser(&run, uid)
* post_deleteUser(uid)
* pre_setPassword(&run, uid, password, recoveryPassword)
* post_setPassword(uid, password, recoveryPassword)
* pre_login(&run, uid, password)
* post_login(uid)
* logout()
*/
class OC_User {
/**
* @return \OC\User\Session
*/
public static function getUserSession() {
return OC::$server->getUserSession();
}
/**
* @return \OC\User\Manager
*/
public static function getManager() {
return OC::$server->getUserManager();
}
private static $_backends = array();
private static $_usedBackends = array();
private static $_setupedBackends = array();
// bool, stores if a user want to access a resource anonymously, e.g if he opens a public link
private static $incognitoMode = false;
/**
* registers backend
* @param string $backend name of the backend
* @deprecated Add classes by calling useBackend with a class instance instead
* @return bool
*
* Makes a list of backends that can be used by other modules
*/
public static function registerBackend($backend) {
self::$_backends[] = $backend;
return true;
}
/**
* gets available backends
* @deprecated
* @return array an array of backends
*
* Returns the names of all backends.
*/
public static function getBackends() {
return self::$_backends;
}
/**
* gets used backends
* @deprecated
* @return array an array of backends
*
* Returns the names of all used backends.
*/
public static function getUsedBackends() {
return array_keys(self::$_usedBackends);
}
/**
* Adds the backend to the list of used backends
* @param string|OC_User_Interface $backend default: database The backend to use for user management
* @return bool
*
* Set the User Authentication Module
*/
public static function useBackend($backend = 'database') {
if ($backend instanceof OC_User_Interface) {
self::$_usedBackends[get_class($backend)] = $backend;
self::getManager()->registerBackend($backend);
} else {
// You'll never know what happens
if (null === $backend OR !is_string($backend)) {
$backend = 'database';
}
// Load backend
switch ($backend) {
case 'database':
case 'mysql':
case 'sqlite':
OC_Log::write('core', 'Adding user backend ' . $backend . '.', OC_Log::DEBUG);
self::$_usedBackends[$backend] = new OC_User_Database();
self::getManager()->registerBackend(self::$_usedBackends[$backend]);
break;
default:
OC_Log::write('core', 'Adding default user backend ' . $backend . '.', OC_Log::DEBUG);
$className = 'OC_USER_' . strToUpper($backend);
self::$_usedBackends[$backend] = new $className();
self::getManager()->registerBackend(self::$_usedBackends[$backend]);
break;
}
}
return true;
}
/**
* remove all used backends
*/
public static function clearBackends() {
self::$_usedBackends = array();
self::getManager()->clearBackends();
}
/**
* setup the configured backends in config.php
*/
public static function setupBackends() {
OC_App::loadApps(array('prelogin'));
$backends = OC_Config::getValue('user_backends', array());
foreach ($backends as $i => $config) {
$class = $config['class'];
$arguments = $config['arguments'];
if (class_exists($class)) {
if (array_search($i, self::$_setupedBackends) === false) {
// make a reflection object
$reflectionObj = new ReflectionClass($class);
// use Reflection to create a new instance, using the $args
$backend = $reflectionObj->newInstanceArgs($arguments);
self::useBackend($backend);
self::$_setupedBackends[] = $i;
} else {
OC_Log::write('core', 'User backend ' . $class . ' already initialized.', OC_Log::DEBUG);
}
} else {
OC_Log::write('core', 'User backend ' . $class . ' not found.', OC_Log::ERROR);
}
}
}
/**
* Create a new user
* @param string $uid The username of the user to create
* @param string $password The password of the new user
* @throws Exception
* @return bool true/false
*
* Creates a new user. Basic checking of username is done in OC_User
* itself, not in its subclasses.
*
* Allowed characters in the username are: "a-z", "A-Z", "0-9" and "_.@-"
*/
public static function createUser($uid, $password) {
return self::getManager()->createUser($uid, $password);
}
/**
* delete a user
* @param string $uid The username of the user to delete
* @return bool
*
* Deletes a user
*/
public static function deleteUser($uid) {
$user = self::getManager()->get($uid);
if ($user) {
$result = $user->delete();
// if delete was successful we clean-up the rest
if ($result) {
// We have to delete the user from all groups
foreach (OC_Group::getUserGroups($uid) as $i) {
OC_Group::removeFromGroup($uid, $i);
}
// Delete the user's keys in preferences
OC_Preferences::deleteUser($uid);
// Delete user files in /data/
OC_Helper::rmdirr(\OC_User::getHome($uid));
// Delete the users entry in the storage table
\OC\Files\Cache\Storage::remove('home::' . $uid);
// Remove it from the Cache
self::getManager()->delete($uid);
}
return true;
} else {
return false;
}
}
/**
* Try to login a user
* @param string $uid The username of the user to log in
* @param string $password The password of the user
* @return boolean|null
*
* Log in a user and regenerate a new session - if the password is ok
*/
public static function login($uid, $password) {
session_regenerate_id(true);
return self::getUserSession()->login($uid, $password);
}
/**
* Try to login a user using the magic cookie (remember login)
*
* @param string $uid The username of the user to log in
* @param string $token
* @return bool
*/
public static function loginWithCookie($uid, $token) {
return self::getUserSession()->loginWithCookie($uid, $token);
}
/**
* Try to login a user, assuming authentication
* has already happened (e.g. via Single Sign On).
*
* Log in a user and regenerate a new session.
*
* @param \OCP\Authentication\IApacheBackend $backend
* @return bool
*/
public static function loginWithApache(\OCP\Authentication\IApacheBackend $backend) {
$uid = $backend->getCurrentUserId();
$run = true;
OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid ));
if($uid) {
self::setUserId($uid);
self::setDisplayName($uid);
self::getUserSession()->setLoginName($uid);
OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' ));
return true;
}
return false;
}
/**
* Verify with Apache whether user is authenticated.
*
* @return boolean|null
* true: authenticated
* false: not authenticated
* null: not handled / no backend available
*/
public static function handleApacheAuth() {
$backend = self::findFirstActiveUsedBackend();
if ($backend) {
OC_App::loadApps();
//setup extra user backends
self::setupBackends();
self::unsetMagicInCookie();
return self::loginWithApache($backend);
}
return null;
}
/**
* Sets user id for session and triggers emit
*/
public static function setUserId($uid) {
OC::$session->set('user_id', $uid);
}
/**
* Sets user display name for session
* @param string $uid
* @param null $displayName
* @return bool Whether the display name could get set
*/
public static function setDisplayName($uid, $displayName = null) {
if (is_null($displayName)) {
$displayName = $uid;
}
$user = self::getManager()->get($uid);
if ($user) {
return $user->setDisplayName($displayName);
} else {
return false;
}
}
/**
* Logs the current user out and kills all the session data
*
* Logout, destroys session
*/
public static function logout() {
self::getUserSession()->logout();
}
/**
* Check if the user is logged in
* @return bool
*
* Checks if the user is logged in
*/
public static function isLoggedIn() {
if (\OC::$session->get('user_id') && self::$incognitoMode === false) {
return self::userExists(\OC::$session->get('user_id'));
}
return false;
}
/**
* set incognito mode, e.g. if a user wants to open a public link
* @param bool $status
*/
public static function setIncognitoMode($status) {
self::$incognitoMode = $status;
}
/**
* Supplies an attribute to the logout hyperlink. The default behaviour
* is to return an href with '?logout=true' appended. However, it can
* supply any attribute(s) which are valid for <a>.
*
* @return string with one or more HTML attributes.
*/
public static function getLogoutAttribute() {
$backend = self::findFirstActiveUsedBackend();
if ($backend) {
return $backend->getLogoutAttribute();
}
return 'href="' . link_to('', 'index.php') . '?logout=true&requesttoken=' . OC_Util::callRegister() . '"';
}
/**
* Check if the user is an admin user
* @param string $uid uid of the admin
* @return bool
*/
public static function isAdminUser($uid) {
if (OC_Group::inGroup($uid, 'admin') && self::$incognitoMode === false) {
return true;
}
return false;
}
/**
* get the user id of the user currently logged in.
* @return string uid or false
*/
public static function getUser() {
$uid = OC::$session ? OC::$session->get('user_id') : null;
if (!is_null($uid) && self::$incognitoMode === false) {
return $uid;
} else {
return false;
}
}
/**
* get the display name of the user currently logged in.
* @param string $uid
* @return string uid or false
*/
public static function getDisplayName($uid = null) {
if ($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->getDisplayName();
} else {
return $uid;
}
} else {
$user = self::getUserSession()->getUser();
if ($user) {
return $user->getDisplayName();
} else {
return false;
}
}
}
/**
* Autogenerate a password
* @return string
*
* generates a password
*/
public static function generatePassword() {
return OC_Util::generateRandomBytes(30);
}
/**
* Set password
* @param string $uid The username
* @param string $password The new password
* @param string $recoveryPassword for the encryption app to reset encryption keys
* @return bool
*
* Change the password of a user
*/
public static function setPassword($uid, $password, $recoveryPassword = null) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->setPassword($password, $recoveryPassword);
} else {
return false;
}
}
/**
* Check whether user can change his avatar
* @param string $uid The username
* @return bool
*
* Check whether a specified user can change his avatar
*/
public static function canUserChangeAvatar($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->canChangeAvatar();
} else {
return false;
}
}
/**
* Check whether user can change his password
* @param string $uid The username
* @return bool
*
* Check whether a specified user can change his password
*/
public static function canUserChangePassword($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->canChangePassword();
} else {
return false;
}
}
/**
* Check whether user can change his display name
* @param string $uid The username
* @return bool
*
* Check whether a specified user can change his display name
*/
public static function canUserChangeDisplayName($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->canChangeDisplayName();
} else {
return false;
}
}
/**
* Check if the password is correct
* @param string $uid The username
* @param string $password The password
* @return string|false user id a string on success, false otherwise
*
* Check if the password is correct without logging in the user
* returns the user id or false
*/
public static function checkPassword($uid, $password) {
$manager = self::getManager();
$username = $manager->checkPassword($uid, $password);
if ($username !== false) {
return $username->getUID();
}
return false;
}
/**
* @param string $uid The username
* @return string
*
* returns the path to the users home directory
*/
public static function getHome($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->getHome();
} else {
return OC_Config::getValue('datadirectory', OC::$SERVERROOT . '/data') . '/' . $uid;
}
}
/**
* Get a list of all users
* @return array an array of all uids
*
* Get a list of all users.
* @param string $search
* @param integer $limit
* @param integer $offset
*/
public static function getUsers($search = '', $limit = null, $offset = null) {
$users = self::getManager()->search($search, $limit, $offset);
$uids = array();
foreach ($users as $user) {
$uids[] = $user->getUID();
}
return $uids;
}
/**
* Get a list of all users display name
* @param string $search
* @param int $limit
* @param int $offset
* @return array associative array with all display names (value) and corresponding uids (key)
*
* Get a list of all display names and user ids.
*/
public static function getDisplayNames($search = '', $limit = null, $offset = null) {
$displayNames = array();
$users = self::getManager()->searchDisplayName($search, $limit, $offset);
foreach ($users as $user) {
$displayNames[$user->getUID()] = $user->getDisplayName();
}
return $displayNames;
}
/**
* check if a user exists
* @param string $uid the username
* @return boolean
*/
public static function userExists($uid) {
return self::getManager()->userExists($uid);
}
/**
* disables a user
*
* @param string $uid the user to disable
*/
public static function disableUser($uid) {
$user = self::getManager()->get($uid);
if ($user) {
$user->setEnabled(false);
}
}
/**
* enable a user
*
* @param string $uid
*/
public static function enableUser($uid) {
$user = self::getManager()->get($uid);
if ($user) {
$user->setEnabled(true);
}
}
/**
* checks if a user is enabled
*
* @param string $uid
* @return bool
*/
public static function isEnabled($uid) {
$user = self::getManager()->get($uid);
if ($user) {
return $user->isEnabled();
} else {
return false;
}
}
/**
* Set cookie value to use in next page load
* @param string $username username to be set
* @param string $token
*/
public static function setMagicInCookie($username, $token) {
self::getUserSession()->setMagicInCookie($username, $token);
}
/**
* Remove cookie for "remember username"
*/
public static function unsetMagicInCookie() {
self::getUserSession()->unsetMagicInCookie();
}
/**
* Returns the first active backend from self::$_usedBackends.
* @return OCP\Authentication\IApacheBackend|null if no backend active, otherwise OCP\Authentication\IApacheBackend
*/
private static function findFirstActiveUsedBackend() {
foreach (self::$_usedBackends as $backend) {
if ($backend instanceof OCP\Authentication\IApacheBackend) {
if ($backend->isSessionActive()) {
return $backend;
}
}
}
return null;
}
}