<?php
declare(strict_types=1);
// SPDX-FileCopyrightText: Pondersource <[email protected]>
// SPDX-License-Identifier: AGPL-3.0-or-later
namespace OCA\mfazones\AppInfo;
use OCP\AppFramework\App;
use OCP\SystemTag\ISystemTag;
use OCP\SystemTag\ISystemTagManager;
use OCA\WorkflowEngine\Manager;
use Psr\Log\LoggerInterface;
use Doctrine\DBAL\Exception;
use OCA\WorkflowEngine\Helper\ScopeContext;
use OCA\Files\Event\LoadAdditionalScriptsEvent;
use OCP\EventDispatcher\IEventDispatcher;
use OCP\WorkflowEngine\IManager;
use OCP\IDBConnection;
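class Application extends App {
    public const APP_ID = 'mfazones';
    public const TAG_NAME = 'mfazone';

    /**
     * Description of the "user has NOT passed MFA" check that addFlows() installs.
     * The workflow engine keys each check row by md5("class::operator::value"), so the
     * existence lookup in addFlows() is derived from these same three values instead of
     * a separately hand-typed string that could drift from the check array.
     */
    private const MFA_CHECK_CLASS = 'OCA\WorkflowEngine\Check\MfaVerified';
    private const MFA_CHECK_OPERATOR = '!is';
    private const MFA_CHECK_VALUE = '';

    /** @var ISystemTagManager */
    protected ISystemTagManager $systemTagManager;
    /** @var Manager */
    protected $manager;
    /** @var LoggerInterface */
    private $logger;
    /** @var IDBConnection */
    protected $connection;

    /**
     * Wires the app into the server: registers event listeners, resolves the services
     * the helpers below need and, when the current session belongs to an admin, makes
     * sure the "mfazone" system tag and the deny-flow exist.
     *
     * This runs on every request that loads the app. The tag/flow setup is guarded by
     * lookups in addTag()/addFlows(), so repeated runs are no-ops once the rows exist.
     * NOTE(review): Nextcloud's IBootstrap (register()/boot()) is the usual home for
     * this wiring; moving it there is a larger change than this file alone.
     */
    public function __construct() {
        parent::__construct(self::APP_ID);
        // The flow installed by addFlows() targets OCA\FilesAccessControl\Operation,
        // so the files_accesscontrol app has to be enabled. No explicit dependency
        // check is performed here; a hard failure used to be sketched at this spot.
        $container = $this->getContainer();
        $eventDispatcher = $container->get(IEventDispatcher::class);

        // NOTE(review): BeforeUserLoggedInEvent, TwoFactorManager and IUserManager are
        // not imported in this file, so these ::class references resolve relative to
        // the OCA\mfazones\AppInfo namespace. The listener is therefore registered for
        // a class name that is never dispatched, and $loginProviders is never defined,
        // so the inner branch cannot run either. Left as-is on purpose: wiring it up
        // would change login behaviour and needs a deliberate decision by the maintainers.
        $eventDispatcher->addListener(
            BeforeUserLoggedInEvent::class,
            function ($event) {
                // Check if the user has MFA verified
                $twoFactorManager = \OC::$server->get(TwoFactorManager::class);
                $userManager = \OC::$server->get(IUserManager::class);
                $user = $userManager->get($event->getUsername());
                $hasMfaEnabled = $twoFactorManager->isTwoFactorAuthenticated($user);
                // Intended: push users without a completed MFA setup into the 2FA flow
                // when a provider is available for them.
                if (!$hasMfaEnabled) {
                    $providerSet = $twoFactorManager->getProviderSet($user);
                    if (!empty($loginProviders) && !$providerSet->isProviderMissing()) {
                        $twoFactorManager->prepareTwoFactorLogin($user, false);
                    }
                }
            }
        );

        $this->systemTagManager = $container->get(ISystemTagManager::class);
        $this->manager = $container->get(Manager::class);
        $this->logger = $container->get(LoggerInterface::class);
        $this->connection = $container->get(IDBConnection::class);

        $eventDispatcher->addListener(LoadAdditionalScriptsEvent::class, function () {
            \OCP\Util::addStyle(self::APP_ID, 'tabview');
            \OCP\Util::addScript(self::APP_ID, 'tabview');
            \OCP\Util::addScript(self::APP_ID, 'plugin');
            // An empty policy is merged into the defaults; nothing in this file adds a
            // directive to it, so it is not expected to loosen the effective CSP.
            $policy = new \OCP\AppFramework\Http\EmptyContentSecurityPolicy();
            \OC::$server->getContentSecurityPolicyManager()->addDefaultPolicy($policy);
        });

        $groupManager = \OC::$server->get(\OCP\IGroupManager::class);
        $userSession = \OC::$server->get(\OCP\IUserSession::class);
        $user = $userSession->getUser();
        // There is no user outside an authenticated session (e.g. occ, cron, the login
        // page itself); skip the one-time setup instead of dereferencing null.
        // The first time an admin logs in to the server, this will create the tag and flow.
        if ($user !== null && $groupManager->isAdmin($user->getUID())) {
            $this->addTag();
            $this->addFlows();
        }
    }

    /**
     * Creates the "mfazone" system tag if it does not exist yet.
     *
     * The tag is created with userVisible=false and userAssignable=false, so it is
     * hidden from, and cannot be attached through, the regular tag UI; presumably it is
     * assigned only by this app's own admin-facing code (not visible here, confirm).
     * Failures are logged, not rethrown: an exception escaping the App constructor
     * would take down every request that loads the app.
     */
    private function addTag(): void {
        try {
            $tags = $this->systemTagManager->getAllTags(null, self::TAG_NAME);
            if (count($tags) < 1) {
                // createTag(name, userVisible, userAssignable)
                $this->systemTagManager->createTag(self::TAG_NAME, false, false);
            }
        } catch (\Exception $e) {
            // Catch \Exception rather than only Doctrine's DBAL Exception, so that
            // non-database failures from the tag manager are logged here too instead
            // of escaping the constructor.
            $this->logger->error('Error when inserting tag on enabling mfazones app', ['exception' => $e]);
        }
    }

    /**
     * Installs the files_accesscontrol flow "deny access when the file carries the
     * mfazone tag and the user has not passed MFA", at admin scope, exactly once.
     *
     * Idempotence: a flow_checks row whose hash matches our MfaVerified check is taken
     * as proof the flow is already installed. md5 is used because that is the key
     * format the workflow engine stores, not for any security property.
     * Failures are logged, not rethrown (same reasoning as addTag()).
     */
    private function addFlows(): void {
        try {
            $hash = md5(self::MFA_CHECK_CLASS . '::' . self::MFA_CHECK_OPERATOR . '::' . self::MFA_CHECK_VALUE);
            $query = $this->connection->getQueryBuilder();
            $query->select('id')
                ->from('flow_checks')
                ->where($query->expr()->eq('hash', $query->createNamedParameter($hash)));
            $result = $query->execute();
            $alreadyInstalled = $result->fetch() !== false;
            // Release the cursor on both paths, not only when a row was found.
            $result->closeCursor();
            if ($alreadyInstalled) {
                return;
            }

            $tags = $this->systemTagManager->getAllTags(null, self::TAG_NAME);
            $tag = current($tags);
            if (!$tag instanceof ISystemTag) {
                // addTag() only logs on failure, so the tag may be missing here; without
                // its id the FileSystemTags check below cannot be built.
                $this->logger->error('Cannot install mfazones flow: system tag "' . self::TAG_NAME . '" does not exist');
                return;
            }
            $tagId = $tag->getId();

            $scope = new ScopeContext(IManager::SCOPE_ADMIN);
            $class = 'OCA\FilesAccessControl\Operation';
            $name = '';
            // Both checks must hold for the operation to fire: MFA not verified AND the
            // file carries the mfazone tag.
            $checks = [
                [
                    'class' => self::MFA_CHECK_CLASS,
                    'operator' => self::MFA_CHECK_OPERATOR,
                    'value' => self::MFA_CHECK_VALUE,
                    'invalid' => false,
                ],
                [
                    'class' => 'OCA\WorkflowEngine\Check\FileSystemTags',
                    'operator' => 'is',
                    'value' => $tagId,
                    'invalid' => false,
                ],
                // uncomment this code to re-activate admin bypass,
                // see https://github.com/pondersource/nextcloud-mfa-awareness/issues/53
                // [
                //     "class" => "OCA\WorkflowEngine\Check\UserGroupMembership",
                //     "operator" => "!is",
                //     "value" => "admin",
                //     "invalid" => false
                // ]
            ];
            $operation = 'deny';
            $entity = 'OCA\WorkflowEngine\Entity\File';
            // No event bindings are registered for this operation.
            $events = [];
            $this->manager->addOperation($class, $name, $checks, $operation, $scope, $entity, $events);
        } catch (\Exception $e) {
            // See addTag(): broadened from the DBAL Exception so that workflow-engine
            // and tag-manager failures are logged instead of escaping the constructor.
            $this->logger->error('Error when inserting flow on enabling mfazones app', ['exception' => $e]);
        }
    }
}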