Implement IProvideUserSecretBackend compatibility for per-user encryption
#697
Conversation
summersab
force-pushed
the
IProvideUserSecretBackend
branch
2 times, most recently
from
2835706
to
cd0c669
Compare
|
@blizzz, you look like one of the top contributors to this repo. Is the CI check broken? |
Only partly, it should be green up to and including stable25. We're working on getting it back for 26 and master. |
|
Hey, this is just our yearly reminder that we are still testing this patch in our instance. In fact I just applied this new PR to the newest released nextcloud version and it works perfectly well and is stable enough that we can still decrypt the data from 2.5 years ago when we initially proposed this patch :) We are still eagerly awaiting upstream adoption... |
summersab
force-pushed
the
IProvideUserSecretBackend
branch
from
cd0c669
to
d5e4825
Compare
summersab
force-pushed
the
IProvideUserSecretBackend
branch
from
d5e4825
to
17b1210
Compare
summersab
force-pushed
the
IProvideUserSecretBackend
branch
2 times, most recently
from
becfef3
to
f5de408
Compare
summersab
force-pushed
the
IProvideUserSecretBackend
branch
from
f5de408
to
128a9d3
Compare
|
Any news, when it will be supported, readlly want to use saml for server-side encryption |
Signed-off-by: summersab <[email protected]> perform a little lint cleanup Signed-off-by: summersab <[email protected]> Signed-off-by: Andrew Summers <[email protected]>
blizzz
force-pushed
the
IProvideUserSecretBackend
branch
from
128a9d3
to
6e1548a
Compare
| @@ -608,6 +665,21 @@ private function getAttributeArrayValue($name, array $attributes) { | |||
| return $value; | |||
| } | |||
|
|
|||
| private function getUserSecret($uid, array $attributes) { | |||
There was a problem hiding this comment.
$uid is unused and can be removed.
| @@ -608,6 +665,21 @@ private function getAttributeArrayValue($name, array $attributes) { | |||
| return $value; | |||
| } | |||
|
|
|||
| private function getUserSecret($uid, array $attributes) { | |||
There was a problem hiding this comment.
| private function getUserSecret($uid, array $attributes) { | |
| private function getUserSecret(array $attributes): ?string { |
| $this->initializeHomeDir($uid); | ||
| } | ||
| } | ||
|
|
||
| private function getUserSecretHash($uid) { |
There was a problem hiding this comment.
| private function getUserSecretHash($uid) { | |
| private function getUserSecretHashes($uid): array { |
may return up to ten, should be reflected in the name. Is 10 an arbitrary number, or where does it come from?
| return $data; | ||
| } | ||
|
|
||
| private function checkUserSecretHash($uid, $userSecret) { |
There was a problem hiding this comment.
| private function checkUserSecretHash($uid, $userSecret) { | |
| private function checkUserSecretHash($uid, $userSecret): bool { |
| $data = $this->getUserSecretHash($uid); | ||
| foreach($data as $row) { | ||
| $storedHash = $row['token']; | ||
| if (\OC::$server->getHasher()->verify($userSecret, $storedHash, $newHash)) { |
There was a problem hiding this comment.
please use ' \OCP\Server::get(OCP\Security\IHasher::class)over deprecated and private\OC::$server->getHasher()`. Also on in the other places.
| 'name' => $qb->createNamedParameter('sso_secret_hash'), | ||
| ]); | ||
| } | ||
| return $qb->execute(); |
There was a problem hiding this comment.
| return $qb->execute(); | |
| return $qb->executeStatement() > 0; |
| return false; | ||
| } | ||
|
|
||
| private function updateUserSecretHash($uid, $userSecret, $exists = false) { |
There was a problem hiding this comment.
| private function updateUserSecretHash($uid, $userSecret, $exists = false) { | |
| private function updateUserSecretHash($uid, $userSecret, $exists = false): bool { |
| if ($userSecret !== null) { | ||
| $this->updateUserSecretHash($uid, $userSecret); | ||
| // Emit a post login action to initialize the encryption module with the user secret provided by the idp. | ||
| \OC_Hook::emit('OC_User', 'post_login', ['run' => true, 'uid' => $uid, 'password' => $userSecret, 'isTokenLogin' => false]); |
There was a problem hiding this comment.
please dispatch the typed event \OCP\User\Events\PostLoginEvent instead of deprecated OC_Hook::emit(…).
| $storedHash = $row['token']; | ||
| if (\OC::$server->getHasher()->verify($userSecret, $storedHash, $newHash)) { | ||
| if (!empty($newHash)) { | ||
| $this->updateUserSecretHash($uid, $userSecret, true); |
There was a problem hiding this comment.
mh, the function is said to check the hash, not update it.
This PR is intended to implement the functionality from PR #537. The upstream code changed enough that it was easier to close the original PR and submit a new one.
Now that the
IProvideUserSecretBackendclass has been added to the Nextcloud core with PR nextcloud/server#24837, this PR adds the necessary logic to support per-user SAML provided secrets.