Commit Graph

191 Commits

Author SHA1 Message Date
Arthur Schiwon fae25fa4ab
fix signing in with IdPs other than 1
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-08-24 14:32:57 +02:00
Sascha Markert 96b197206e
Fix displaying of global checkboxes in user_saml settings
Signed-off-by: Sascha Markert <markert@b1-systems.de>
Signed-off-by: Sascha Markert <kaio@kaio.ws>

Update lib/Settings/Admin.php

space to tabs

Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Sascha Markert <kaio@kaio.ws>
Signed-off-by: Sascha Markert <markert@b1-systems.de>

merge latest commits (#1)

* Stricter check for direct=1 login

Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* Revert "Handle mobile login flow with direct=1"

This reverts commit 86684d6c54.

Signed-off-by: Carl Schwan <carl@carlschwan.eu>

* [tx-robot] updated from transifex

Signed-off-by: Nextcloud bot <bot@nextcloud.com>

Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Co-authored-by: Nextcloud bot <bot@nextcloud.com>
Signed-off-by: Sascha Markert <kaio@kaio.ws>
Signed-off-by: Sascha Markert <markert@b1-systems.de>

Revert "merge latest commits (#1)"

This reverts commit 626686f7afa8b373251e966ad28865483d6b56b1.

Signed-off-by: Sascha Markert <markert@b1-systems.de>
2022-05-24 12:28:25 +02:00
blizzz 3f1c676345
Merge pull request #571 from nextcloud/import-jstimezonedetect
Import jstz.min.js from jstimezonedetect 1.0.7
2022-04-11 12:25:39 +02:00
blizzz 8cc470e182
Merge pull request #588 from nextcloud/bugfix/noid/relaystate
Set proper relaystate url
2022-04-11 12:24:45 +02:00
Daniel Calviño Sánchez 7e2bcefac5 Import jstz.min.js from jstimezonedetect 1.0.7
In Nextcloud 22 jstimezonedetect was removed from the server bundle
(https://github.com/nextcloud/server/pull/25850), so now each app that
uses it needs to ship its own copy. For simplicity, as the app does not
currently use webpack or NPM, the minified file was just added to
"js/vendor".

"jstz.min.js" was copied from
ddc9e04034/dist/jstz.min.js
(which is the same as the one included in
https://registry.npmjs.org/jstimezonedetect/-/jstimezonedetect-1.0.7.tgz).

jstimezonedetect is licenced under the MIT licence.

Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
2022-04-11 10:20:50 +00:00
Julius Härtl df218717c7 Cover UserChangedEvent in unit tests
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-04-11 10:14:20 +00:00
Sebastian Biller b08656ef6c displayname switch to eventdispatcher
Signed-off-by: Sebastian Biller <s.biller@tu-braunschweig.de>
2022-04-11 10:14:20 +00:00
Valdnet 02e8d0375e l10n: Change place of dot
Signed-off-by: Valdnet <47037905+Valdnet@users.noreply.github.com>
2022-04-08 16:59:45 +00:00
Julius Härtl b91b85f417
Set proper relaystate url
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2022-04-08 07:45:59 +02:00
Arthur Schiwon 77b14b6c6f fix old settings present when switching providers
- wrongly used way to set value attribute

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Arthur Schiwon 97c0594ab0 code style
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Arthur Schiwon 4c97efc51b fix reading and updated name-id-format selection
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Arthur Schiwon ee8845252a also migrate sp-x509cert, sp-name-id-format, sp-privateKey
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Arthur Schiwon 6548abb0f9 makes sloWebServerDecode IdP-sensitive as it should be
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Arthur Schiwon 7f0986c387 fix settings of first provider not being present on initial load
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:04 +00:00
Carl Schwan c51048b566 Minor fixes
Signed-off-by: Carl Schwan <carl@carlschwan.eu>
2022-04-07 20:29:03 +00:00
John Molakvoæ 24a632588c Add regex routes requirement to providerId
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2022-04-07 20:29:03 +00:00
Arthur Schiwon 7bdad55dc9 add occ commands for config manipulation
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:03 +00:00
Arthur Schiwon be6a8e97fe Move SAML configurations to a table of their own
- adds user_saml_configurations table and migrates existing configuration
- Controller methods are added since appconfig endpoints cannot be used
  anymore. THIS IS A BREAKING CHANGE.
- Frontend code is adjusted to use new endpoints.
- security-sloWebServerDecode was changed from global to provider specific
  setting. It being global seemed to be unintended. A migration path is yet
  missing.

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2022-04-07 20:29:03 +00:00
John Molakvoæ 4510f70ff7
cs:fix
Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
2021-12-10 09:28:16 +01:00
Julius Härtl c4cb5cad48
Avoid duplicate attempt to decode guid
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-10-21 13:13:01 +02:00
Julius Härtl 763fa83e19
Use effective uid for autoprovisioning new users
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2021-10-21 13:13:01 +02:00
Arthur Schiwon 59bf8dc6fb
use system email address getter if available
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-09-01 15:15:29 +02:00
Lukas Reschke 05a0275b97 Actually replace $retrieveParametersFromServer parameter
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-05-05 13:25:54 +02:00
Lukas Reschke 8afcb434dc Allow setting of "retrieveParametersFromServer"
Some SAML servers require this type of decoding, otherwise the SLO request fails. Ideally the library would perform both verifications (https://github.com/onelogin/php-saml/issues/466), but it seems upstream doesn't want to perform this change.

Until we have considered a better solution for this, this adds a new checkbox that one can configure.

Ref https://github.com/nextcloud/user_saml/issues/403

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-05-04 17:28:58 +02:00
blizzz e37fee7f38
Merge pull request #508 from nextcloud/fix/noid/userids-not-sanitized
sanitize and test user id received from IdP, if original does not match
2021-03-01 14:09:38 +01:00
Lukas Reschke 10cf853b15 Add logging for SLO errors
To make debugging SLO errors easier, this adds logging for any
encountered error in that phase.

This is similar to the logging already done on the ACS handling.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-02-15 19:08:31 +00:00
Arthur Schiwon e9e55a1da1
improve performance by reusing existing sessions
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-01-26 19:03:03 +01:00
Arthur Schiwon b13a9983e2
adjust to recent merged changes
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-01-26 19:03:03 +01:00
Arthur Schiwon a7aabdd71f
introduces a single point of saml attribute interpretations
- solved code duplication on uid mapping attribute determination
- a single point for user id normalization
- slightly reduces logic in the Controller

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-01-26 14:32:19 +01:00
Arthur Schiwon 9ed277dc1f
sanitize and test user id received from IdP, if original does not match
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-01-26 14:31:04 +01:00
Arthur Schiwon 9672ed6ca5
make testEncodedObjectGUID more robust against false positives
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2021-01-20 17:05:17 +01:00
Roeland Jago Douma 58f717f91d
Bump doctrine types for 21 support
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-01-12 20:41:40 +01:00
Roeland Jago Douma 7f7def4b7f
Allow custom direct login text
Some people seem to want to have a custom direct login text. This allows
them to set it. For now only via occ. But maybe some day we also add a
GUI component to it.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2021-01-12 14:44:05 +01:00
Roeland Jago Douma 1c2be57e20
Merge pull request #468 from orandev/patch-1
Fix incorrect key name in "Login flow fix"
2020-11-24 15:25:44 +01:00
Arthur Schiwon 9f53230eb6
fixes provisioning of userids from encoded (objectguid) values
- is more tolerant when decoding, uuid structure is still tested later
- ensures the uid is resolved on getCurrentId()

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-11-24 00:08:16 +01:00
Arthur Schiwon 9bf08a698d
fix missing user_saml.Idp session value which SAMLSettings relies on
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-11-05 22:27:31 +01:00
Arthur Schiwon 31bc57a4e9
redirects to homepage instead of showing error on blank page
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-11-02 17:05:18 +01:00
blizzz e34e6d2f9f
Merge pull request #466 from nextcloud/bugfix/log-invalid-user-id
Add checked user id to InvalidArgumentException
2020-10-13 19:33:01 +02:00
blizzz a1cb44131c
Merge pull request #432 from nextcloud/enh/noid/saml-response-url
optional possibility to provide a URL for SLO Response
2020-10-12 10:34:35 +02:00
orandev c318b9421f
Fix incorrect key name in "Login flow fix"
'name' key was put in flowData table, but 'token' key was retrieved from this table, thus triggering the following error:
Undefined index: token at /nextcloud/apps/user_saml/lib/Controller/SAMLController.php#306

Signed-off-by: orandev <63342732+orandev@users.noreply.github.com>
2020-10-09 12:20:10 +02:00
Julius Härtl 4184aa9fa8
Add checked user id to InvalidArgumentException
Signed-off-by: Julius Härtl <jus@bitgrid.net>
2020-10-09 08:39:37 +02:00
Roeland Jago Douma 5c87778134
Fix login flow with SAML
Because of the strict samesite cookies SAML fails with the login flow.
Because the post that comes back is not transferring the proper cookies
to use the same session. Hence the token in use gets lost etc.

Now we store this all (encrypted) in a cookie. So that when we come back
we can restore the proper session.

FAQ:

* Is it elegant?
  Nope!
* Does it work?
  Yes!

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-10-05 15:16:38 +02:00
Roeland Jago Douma 160ad27474
Handle failing SLO
If the SLO throws an error we should catch it. This is so that we do not
show an error page. We should also still logout the current session.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-09-25 09:26:37 +02:00
Arthur Schiwon 2a614e0337
optional possibility to provide a URL for SLO Response
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-09-10 10:14:53 +02:00
Arthur Schiwon 238b578cf1
acs endpoint to always return a RedirectResponse
* the void statements end up in a useless blank page

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2020-09-08 17:01:15 +02:00
Georg Ehrke b4d497bbec
Sabre/DAV 4.0: beforeMethod is now beforeMethod:*
Signed-off-by: Georg Ehrke <developer@georgehrke.com>
2020-09-07 16:15:28 +02:00
Maxime Besson 8c4f9da56d Add occ command to dump metadata for a given provider
Signed-off-by: Maxime Besson <maxime.besson@worteks.com>
2020-08-18 18:41:54 +02:00
Roeland Jago Douma f5304f6757
Make work with posts and cookies again
Requires https://github.com/nextcloud/server/pull/21479 to fully work.
Basically don't save this info in the session (which is lax by default
starting with NC19 but also soon with new Chromes and Firefox). We now
save it in a cookie that is set to None. This is the best we can do I
think.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2020-07-10 10:01:16 +02:00
Joas Schilling 5f49b6c004
Move to migrations
Signed-off-by: Joas Schilling <coding@schilljs.com>
2020-06-30 21:36:14 +02:00