Merge pull request #518 from nextcloud/backport/508/stable-3.2

[stable-3.2] sanitize and test user id received from IdP, if original does not match

Author: blizzz

appinfo/app.php

@@ -45,6 +45,12 @@
 	$session
 );
 
+$userData = new \OCA\User_SAML\UserData(
+	new \OCA\User_SAML\UserResolver(\OC::$server->getUserManager()),
+	$samlSettings,
+	$config
+);
+
 $userBackend = new \OCA\User_SAML\UserBackend(
 	$config,
 	$urlGenerator,
@@ -53,7 +59,8 @@
 	\OC::$server->getUserManager(),
 	\OC::$server->getGroupManager(),
 	$samlSettings,
-	\OC::$server->getLogger()
+	\OC::$server->getLogger(),
+	$userData
 );
 $userBackend->registerBackends(\OC::$server->getUserManager()->getBackends());
 OC_User::useBackend($userBackend);

lib/Controller/SAMLController.php

@@ -28,6 +28,8 @@
 use OCA\User_SAML\Exceptions\NoUserFoundException;
 use OCA\User_SAML\SAMLSettings;
 use OCA\User_SAML\UserBackend;
+use OCA\User_SAML\UserData;
+use OCA\User_SAML\UserResolver;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\IConfig;
@@ -58,12 +60,14 @@ class SAMLController extends Controller {
 	private $config;
 	/** @var IURLGenerator */
 	private $urlGenerator;
-	/** @var IUserManager */
-	private $userManager;
 	/** @var ILogger */
 	private $logger;
 	/** @var IL10N */
 	private $l;
+	/** @var UserResolver */
+	private $userResolver;
+	/** @var UserData */
+	private $userData;
 	/**
 	 * @var ICrypto
 	 */
@@ -78,94 +82,81 @@ class SAMLController extends Controller {
 	 * @param UserBackend $userBackend
 	 * @param IConfig $config
 	 * @param IURLGenerator $urlGenerator
-	 * @param IUserManager $userManager
 	 * @param ILogger $logger
 	 * @param IL10N $l
 	 */
-	public function __construct($appName,
-								IRequest $request,
-								ISession $session,
-								IUserSession $userSession,
-								SAMLSettings $SAMLSettings,
-								UserBackend $userBackend,
-								IConfig $config,
-								IURLGenerator $urlGenerator,
-								IUserManager $userManager,
-								ILogger $logger,
-								IL10N $l,
-								ICrypto $crypto) {
+	public function __construct(
+		$appName,
+		IRequest $request,
+		ISession $session,
+		IUserSession $userSession,
+		SAMLSettings $SAMLSettings,
+		UserBackend $userBackend,
+		IConfig $config,
+		IURLGenerator $urlGenerator,
+		ILogger $logger,
+		IL10N $l,
+		UserResolver $userResolver,
+		UserData $userData,
+		ICrypto $crypto
+	) {
 		parent::__construct($appName, $request);
 		$this->session = $session;
 		$this->userSession = $userSession;
 		$this->SAMLSettings = $SAMLSettings;
 		$this->userBackend = $userBackend;
 		$this->config = $config;
 		$this->urlGenerator = $urlGenerator;
-		$this->userManager = $userManager;
 		$this->logger = $logger;
 		$this->l = $l;
+		$this->userResolver = $userResolver;
+		$this->userData = $userData;
 		$this->crypto = $crypto;
 	}
 
 	/**
-	 * @param array $auth
 	 * @throws NoUserFoundException
 	 */
-	private function autoprovisionIfPossible(array $auth) {
+	private function autoprovisionIfPossible() {
+		$auth = $this->userData->getAttributes();
 
-		$prefix = $this->SAMLSettings->getPrefix();
-		$uidMapping = $this->config->getAppValue('user_saml', $prefix . 'general-uid_mapping');
-		if(isset($auth[$uidMapping])) {
-			if(is_array($auth[$uidMapping])) {
-				$uid = $auth[$uidMapping][0];
-			} else {
-				$uid = $auth[$uidMapping];
-			}
-
-			// make sure that a valid UID is given
-			if (empty($uid)) {
-				$this->logger->error('Uid "' . $uid . '" is not a valid uid please check your attribute mapping', ['app' => $this->appName]);
-				throw new \InvalidArgumentException('No valid uid given, please check your attribute mapping. Given uid: ' . $uid);
-			}
-
-			$uid = $this->userBackend->testEncodedObjectGUID($uid);
-
-			// if this server acts as a global scale master and the user is not
-			// a local admin of the server we just create the user and continue
-			// no need to update additional attributes
-			$isGsEnabled = $this->config->getSystemValue('gs.enabled', false);
-			$isGsMaster = $this->config->getSystemValue('gss.mode', 'slave') === 'master';
-			$isGsMasterAdmin = in_array($uid, $this->config->getSystemValue('gss.master.admin', []));
-			if ($isGsEnabled && $isGsMaster && !$isGsMasterAdmin) {
-				$this->userBackend->createUserIfNotExists($uid);
-				return;
-			}
-			$userExists = $this->userManager->userExists($uid);
-			$autoProvisioningAllowed = $this->userBackend->autoprovisionAllowed();
-			if($userExists === true) {
-				if($autoProvisioningAllowed) {
-					$this->userBackend->updateAttributes($uid, $auth);
-				}
-				return;
-			}
+		if(!$this->userData->hasUidMappingAttribute()) {
+			throw new NoUserFoundException('IDP parameter for the UID not found. Possible parameters are: ' . json_encode(array_keys($auth)));
+		}
 
-			if(!$userExists && !$autoProvisioningAllowed) {
-				// it is possible that the user was not logged in before and
-				// thus is not known to the original backend. A search can
-				// help with it and make the user known
-				$this->userManager->search($uid);
-				if($this->userManager->userExists($uid)) {
-					return;
-				}
-				throw new NoUserFoundException('Auto provisioning not allowed and user ' . $uid . ' does not exist');
-			} elseif(!$userExists && $autoProvisioningAllowed) {
-				$this->userBackend->createUserIfNotExists($uid, $auth);
+		if ($this->userData->getOriginalUid() === '') {
+			$this->logger->error('Uid is not a valid uid please check your attribute mapping', ['app' => $this->appName]);
+			throw new \InvalidArgumentException('No valid uid given, please check your attribute mapping.');
+		}
+		$uid = $this->userData->getEffectiveUid();
+		$userExists = $uid !== '';
+
+		// if this server acts as a global scale master and the user is not
+		// a local admin of the server we just create the user and continue
+		// no need to update additional attributes
+		$isGsEnabled = $this->config->getSystemValue('gs.enabled', false);
+		$isGsMaster = $this->config->getSystemValue('gss.mode', 'slave') === 'master';
+		$isGsMasterAdmin = in_array($uid, $this->config->getSystemValue('gss.master.admin', []));
+		if ($isGsEnabled && $isGsMaster && !$isGsMasterAdmin) {
+			$this->userBackend->createUserIfNotExists($this->userData->getOriginalUid());
+			return;
+		}
+		$autoProvisioningAllowed = $this->userBackend->autoprovisionAllowed();
+		if($userExists) {
+			if($autoProvisioningAllowed) {
 				$this->userBackend->updateAttributes($uid, $auth);
-				return;
 			}
+			return;
 		}
 
-		throw new NoUserFoundException('IDP parameter for the UID (' . $uidMapping . ') not found. Possible parameters are: ' . json_encode(array_keys($auth)));
+		$uid = $this->userData->getOriginalUid();
+		if(!$userExists && !$autoProvisioningAllowed) {
+			throw new NoUserFoundException('Auto provisioning not allowed and user ' . $uid . ' does not exist');
+		} elseif(!$userExists && $autoProvisioningAllowed) {
+			$this->userBackend->createUserIfNotExists($uid, $auth);
+			$this->userBackend->updateAttributes($uid, $auth);
+			return;
+		}
 	}
 
 	/**
@@ -221,11 +212,9 @@ public function login($idp) {
 				}
 				$this->session->set('user_saml.samlUserData', $_SERVER);
 				try {
-					$this->autoprovisionIfPossible($this->session->get('user_saml.samlUserData'));
-					$user = $this->userManager->get($this->userBackend->getCurrentUserId());
-					if(!($user instanceof IUser)) {
-						throw new NoUserFoundException('User' . $this->userBackend->getCurrentUserId() . ' not valid or not found');
-					}
+					$this->userData->setAttributes($this->session->get('user_saml.samlUserData'));
+					$this->autoprovisionIfPossible();
+					$user = $this->userResolver->findExistingUser($this->userBackend->getCurrentUserId());
 					$user->updateLastLoginTimestamp();
 				} catch (NoUserFoundException $e) {
 					if ($e->getMessage()) {
@@ -342,7 +331,8 @@ public function assertionConsumerService(): Http\RedirectResponse {
 		// Check whether the user actually exists, if not redirect to an error page
 		// explaining the issue.
 		try {
-			$this->autoprovisionIfPossible($auth->getAttributes());
+			$this->userData->setAttributes($auth->getAttributes());
+			$this->autoprovisionIfPossible();
 		} catch (NoUserFoundException $e) {
 			$this->logger->error($e->getMessage(), ['app' => $this->appName]);
 			$response = new Http\RedirectResponse($this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));
@@ -358,14 +348,13 @@ public function assertionConsumerService(): Http\RedirectResponse {
 		$this->session->set('user_saml.samlSessionIndex', $auth->getSessionIndex());
 		$this->session->set('user_saml.samlSessionExpiration', $auth->getSessionExpiration());
 		try {
-			$user = $this->userManager->get($this->userBackend->getCurrentUserId());
-			if (!($user instanceof IUser)) {
-				throw new \InvalidArgumentException('User is not valid');
-			}
+			$user = $this->userResolver->findExistingUser($this->userBackend->getCurrentUserId());
 			$firstLogin = $user->updateLastLoginTimestamp();
-			if($firstLogin) {
+			if ($firstLogin) {
 				$this->userBackend->initializeHomeDir($user->getUID());
 			}
+		} catch (NoUserFoundException $e) {
+			throw new \InvalidArgumentException('User "' . $this->userBackend->getCurrentUserId() . '" is not valid');
 		} catch (\Exception $e) {
 			$this->logger->logException($e, ['app' => $this->appName]);
 			$response = new Http\RedirectResponse($this->urlGenerator->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));