Commit graph

107 commits

Author SHA1 Message Date
Michael Schuster
61884d1ada
fix indents, add comment
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-30 05:35:36 +02:00
Michael Schuster
b52292db92
Windows: Workaround for CredWriteW used by QtKeychain
Saving all client CA's within one credential may result in:
  Error: "Credential size exceeds maximum size of 2560"

Client CA certificates are now being stored in separate slots
within the keychain and are being processed by a queue mechanism.

IMPORTANT TODO:
forgetSensitiveData(): Invoked by "Log out" & "Remove account"

- Remove client CA certs and KEY!
  (uncomment "//deleteKeychainEntries();" )

  Disabled as long as selecting another cert is not supported by the UI.

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-30 04:56:01 +02:00
Roeland Jago Douma
d584bedcb6
Also store the CACertificates of the client side certificate
Else authentication will still fail in setups that have a chain of
certificates supplied.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-27 09:55:41 +02:00
Michael Schuster
dbde585049
Adds SSL client cert storage to webflow + Login Flow v2
The previous commit 50cd6af394 - Build a webflowcredentials
changed:

src/gui/wizard/flow2authcredspage.cpp in line 135 to use WebFlowCredentials
instead of HttpCredentials.
But the WebFlowCredentials class didn't include code to store and load SSL client
certificates and keys from the keychain.

This commit migrates the useful stuff from the old HttpCredentials class
into WebFlowCredentials.

Successfully tested on Windows. Please test on other systems and verify it's safe! :)

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-27 03:32:21 +02:00
Roeland Jago Douma
302ca0e04e
Fix some compiler warnings
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-26 20:41:14 +02:00
Michael Schuster
fd8345ccbe
Login Flow V2: adds re-auth upon logout, improvements
- Implements re-auth upon logout -> login
- Improves UI and security

TODO:
- SSL: Client certificate login is possible at the first time only but missing after relaunch

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Michael Schuster
628bab92c4
fix comment typo in webflowcredentials.cpp
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Michael Schuster
8fa55b97b4
Login Flow V2: 1st implementation, cleanup
This is the first draft of the Login Flow V2 authorization method.

See: https://docs.nextcloud.com/server/latest/developer_manual/client_apis/LoginFlow/index.html#login-flow-v2

- Adds the Login Fĺow V2 auth method
- Adds ability to reinitiate a new request via UI

TODO:
- Implement re-auth upon logout -> login
- Improve UI
- SSL: Client certificate login is possible at the first time only but missing after relaunch

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Michael Schuster
2742411abd
Login Flow V2: 1st test-implementation
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Roeland Jago Douma
e0a1d78441
Merge pull request #1225 from edent/patch-1
Typo
2019-08-19 15:39:10 +02:00
Yaron Shahrabani
692d885b55
Fixed typo
Chipher -> Cipher
2019-05-12 19:11:33 +03:00
Terence Eden
e64fa74899
Typo
There's no such thing as a "key*h*chain".
2019-04-28 10:03:38 +01:00
Roeland Jago Douma
bb2f179342
Be less verbose with logging
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-15 20:23:24 +01:00
Joda Stößer
9393626ec2
correct app passwords link
Since some versions ago, the path/url for the app password settings is `/settings/user/security#security` instead of `/settings/personal#apppasswords`
2019-02-14 05:26:21 +01:00
Chih-Hsuan Yen
09b0055dc3
Make sure _profile and _page are deleted in the correct order
Inspired by https://github.com/electron/electron/pull/15028

Closes https://github.com/nextcloud/desktop/issues/941
Closes https://github.com/nextcloud/desktop/issues/950
2018-12-19 21:44:54 +08:00
J-P Nurmi
fff64e8aa5 GUI: search'n'replace remaining "Q_DECL_OVERRIDE" with "override" 2018-11-11 11:12:37 +01:00
J-P Nurmi
8e38e2ac86 GUI: run clang-tidy modernize-use-override 2018-11-11 11:08:03 +01:00
J-P Nurmi
fb5ff96ed6 GUI: run clang-tidy modernize-use-nullptr 2018-11-11 10:56:22 +01:00
Roeland Jago Douma
045bba0161
Migrate http auth to webflow
This moves all the basic http auth over to the webflow mechanism.
This thus also makes sure that if the password changes a webflow page
pops up. And thus will directly move them over to apptokens then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-03 12:37:53 +01:00
Olivier Goffart
40007537ea
OAuth: Remove the timeout
There is no real reason to have a timeout. The connection can stay open
as long as we are not authenticated. The User can still re-open a browser
from the UI at any time.

Issue #6612
2018-09-09 17:57:38 +02:00
Roeland Jago Douma
9f1f99f4db
Add a WebFlowCredentialsAccessManager
Fixes #279

Some setups don't make Qt emit the right signals and the client would
end up in state where it could not do the initial authentications.
This is a similar hack that apparently already was is place for basic
http auth.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 20:59:25 +02:00
Roeland Jago Douma
08abc71acb
gui Q_UNUSED
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-02 13:02:15 +02:00
Roeland Jago Douma
ef2d113930
Mark credentials as valid if there is no error
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
35e8d0437d
Address comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
6809f12e68
Allow the user to sign in again
If the user is signed out (for whatever reason). Show a popup
with the loginflow again.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
ac1664b525
Actually use webflow credentails
* Detect invalid auth (if the users token is removed for example)
* Properly store and fetch from keychain

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
6b43d80c01
Start with persisting credentials
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Daniel Nicoletti
a63d34f870 Prepend "nextcloud" for all logging categories
Thus making easier to exclude logging from kio, qt
and only enable "nextcloud.*"
2017-12-28 17:33:10 -02:00
Daniel Nicoletti
c963259bfb Fix URL in dialog that requests password
An URL that had base like "http://localhost/nextcloud/"
would get the last slash '/' removed and then appended
with "index.php..." resulting in
http://localhost/nextcloudindex.php
2017-12-28 10:00:17 -02:00
Roeland Jago Douma
fe4bb52a6d
Merge remote-tracking branch 'oc/master' into oc_up 2017-12-14 10:27:11 +01:00
Olivier Goffart
74672d493d Utility: use QUrlQuery
For QUrl::setQuery is deprecated in Qt5
2017-12-08 16:15:17 +01:00
Olivier Goffart
ee98daf9ea Shibboleth: Upgrade to OAuth2 When the server supports it
If the server support both Shibboleth and OAuth2, upgrades to OAuth2

Issue #6198
2017-12-04 08:09:34 +01:00
Roeland Jago Douma
462353d0ee
Have correct app password link
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2017-11-21 09:17:42 +01:00
Christian Kamm
3ae2071129 DetermineAuth: Remove concept of Unknown #6148
This restores 2.3 behavior. Some servers reply 404 to GETs and PROPFINDs
to the remote.php/webdav/ url and used to work. Being more picky would
break them.
2017-11-14 12:10:35 +01:00
Christian Kamm
9af6e29f42 DetermineAuthType: Adjustments for tight firewalls #6135
With some firewalls we can't GET /remote.php/webdav/. Here we keep the
GET request to detect shibboleth through the redirect pattern but then
use PROPFIND to figure out the http auth method.

Currently we prefer OAuth to Shibboleth to Basic auth.

This also restores the fallback behavior of assuming basic auth
when no auth type can be determined.
2017-11-06 13:09:10 +01:00
Olivier Goffart
a9761a8976 Use qEnvironmentVariable* instead of qgetenv when appropriate
Now that we use Qt5, we should do that. It is slightly more efficient
and declares the intent.
(Modified using clazy)
2017-10-19 13:57:49 +02:00
Christian Kamm
f598ac89ac HttpCreds: Fix retry after wrong password #5989
This is an ugly solution.
2017-10-13 14:24:37 +02:00
Olivier Goffart
0ceb806f1a Test OAuth2
Include a test for PR #6057
2017-09-28 18:38:33 +02:00
Olivier Goffart
1da398e6c6 OAuth: fix compilation with old gcc
We need to used QPointer::data in the signal slot connection

Relates to pr #6065
2017-09-28 10:55:28 +02:00
Olivier Goffart
7af81f7665 OAuth: Fix crash when closing the browser while identifying
To reproduce, log in and click "authorize" on the browser, then close
the browser before the client has replied, (but after redirected to localhost,
i.e. when the client is asking the server for the token)

The problem is that socket can be destroyed so we don't need to answer on a
destroyed socket.
2017-09-26 14:56:57 +02:00
Olivier Goffart
382cc444f0 Httpcreds: Fix double slash in the Request App Password url
Issue #6044
2017-09-23 10:10:40 +02:00
Olivier Goffart
0cec6f08ca OAuth2: Fix double slash in URL
We need to use concatPath to avoid possible double '/' in the URLs if the
account url() ends with '/'.

This has become even more of a problem since commit
d1b8370a4a which was resolving the url after
a redirect where most server actually add a '/' if the url is a folder
2017-09-23 10:10:40 +02:00
Olivier Goffart
35e4fe061d Port to new signal-slot syntax what cannot be done automatically
Some slot were protected or private but needed to be public.
Some needed a static_cast (can't use qOverload because it is in Qt 5.7)

This is not only a partial change.
2017-09-21 14:05:39 +02:00
Olivier Goffart
ff4213b59f Use the Qt5 connection syntax (automated with clazy)
This is motivated by the fact that QMetaObject::noralizeSignature takes 7.35%
CPU of the LargeSyncBench. (Mostly from ABstractNetworkJob::setupConnections and
PropagateUploadFileV1::startNextChunk). It could be fixed by using normalized
signature in the connection statement, but i tought it was a good oportunity
to modernize the code.

This commit only contains calls that were automatically converted with clazy.
2017-09-21 14:05:39 +02:00
Jocelyn Turcotte
a1f1775d15 Move SyncJournalDB to src/common 2017-09-18 14:00:52 +02:00
Christian Kamm
8635b8ac84 Reduce timeout for some admin jobs
The oauth token jobs and the wizard redirect check job shouldn't have
5min timeouts.
2017-09-15 15:25:10 +02:00
Christian Kamm
671599c8b2 Credentials: Use per-account keychain entries #5830
This requires a lot of migration code: the old entries need to be read,
saved to the new locations and then deleted.
2017-09-15 09:29:05 +02:00
Christian Kamm
e05f5fc50d OAuth: Don't use implicit POST bodies
The query args of POST requests become the request body. If there's a
redirect, the redirected url will therefore not contain the query
arguments. Use an explicit request body to make the redirection work.
2017-09-15 09:28:03 +02:00
Christian Kamm
da6250fc1f OAuth: Pass client auth in header instead of url
To play more nicely with redirects.
2017-09-15 09:28:03 +02:00
Christian Kamm
7d075cdcb7 OAuth: Use redirectable jobs for oauth token management 2017-09-15 09:28:03 +02:00