Commit graph

25 commits

Author SHA1 Message Date
Michael Schuster
6ef9f3cc26 Refactoring: Windows workaround for >= 4k (4096 bit) client-cert SSL keys
WebFlowCredentials:
- Remove _clientSslCaKeyWriteQueue and simply use _clientSslKeyChunkBufferPEM
- Store key's sub-chunks in slots with "." (dot) suffix
- Implement deletion of the key chunks in WebFlowCredentials::deleteKeychainEntries
- Remove spaces in log messages
- Improve code readability

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-12-08 02:47:22 +01:00
Michael Schuster
72be80cbd9 Windows: Workaround for storing >= 4k (4096 bit) client-cert SSL keys
With QtKeychain on Windows, storing larger keys in one keychain entry causes the
following error due to limits in the Windows APIs:
  Error: "Credential size exceeds maximum size of 2560"

To avoid overhead on the other platforms and balance code duplication, this
approach puts some read- and write-parts into Windows-only defines.

For reference also see previous fixes:
- https://github.com/nextcloud/desktop/pull/1389
- https://github.com/nextcloud/desktop/pull/1394

This (again) fixes the re-opened issue:
- https://github.com/nextcloud/desktop/issues/863

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-12-08 02:47:22 +01:00
Michael Schuster
877fd7abb9 Fall back to old login flow on GS as this is not yet ready (#2: re-auth)
This commit ensures that the check also occurs on re-authorization in case
the user gets logged out.

See: https://github.com/nextcloud/desktop/pull/1644

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-12-06 21:03:01 +01:00
Michael Schuster
dcc84d3508 Fix remote wipe keychain storage (issue #1592)
The app password for the remote wipe was constantly being written in
WebFlowCredentials::slotFinished to the keychain, leading to unnecessary
write and log overhead on the system.

This fix introduces a check to only store the app password once in
a lifetime of the Account class. Also the method used to store the
password will be renamed from setAppPassword to writeAppPasswordOnce
to be more expressive.

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-11-29 13:53:52 +01:00
Camila San
19491ff85f
Once client gets 401/403 from the server, check if remote wipe was requested.
- When the the users logs because of 401 or 403 errors, it checks if the
server requested the remote wipe. If yes, locally deletes account and folders
connected to the account and notify the server. If no, proceeds to ask the
user to login again.
- The app password is restored in the keychain.
- WIP: The change also includes a test class for RemoteWipe.

Signed-off-by: Camila San <hello@camila.codes>
2019-10-17 20:11:31 +02:00
Dominique Fuchs
f08cc08eb2 Prevented warning regarding operator precedence - enhanced clarity by adding parentheses
Signed-off-by: Dominique Fuchs <32204802+DominiqueFuchs@users.noreply.github.com>
2019-09-09 19:23:36 +02:00
Dominique Fuchs
e3685b951c removed reduntant /* within a comment
Signed-off-by: Dominique Fuchs <32204802+DominiqueFuchs@users.noreply.github.com>
2019-09-09 19:23:35 +02:00
Michael Schuster
61884d1ada
fix indents, add comment
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-30 05:35:36 +02:00
Michael Schuster
b52292db92
Windows: Workaround for CredWriteW used by QtKeychain
Saving all client CA's within one credential may result in:
  Error: "Credential size exceeds maximum size of 2560"

Client CA certificates are now being stored in separate slots
within the keychain and are being processed by a queue mechanism.

IMPORTANT TODO:
forgetSensitiveData(): Invoked by "Log out" & "Remove account"

- Remove client CA certs and KEY!
  (uncomment "//deleteKeychainEntries();" )

  Disabled as long as selecting another cert is not supported by the UI.

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-30 04:56:01 +02:00
Roeland Jago Douma
d584bedcb6
Also store the CACertificates of the client side certificate
Else authentication will still fail in setups that have a chain of
certificates supplied.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-08-27 09:55:41 +02:00
Michael Schuster
dbde585049
Adds SSL client cert storage to webflow + Login Flow v2
The previous commit 50cd6af394 - Build a webflowcredentials
changed:

src/gui/wizard/flow2authcredspage.cpp in line 135 to use WebFlowCredentials
instead of HttpCredentials.
But the WebFlowCredentials class didn't include code to store and load SSL client
certificates and keys from the keychain.

This commit migrates the useful stuff from the old HttpCredentials class
into WebFlowCredentials.

Successfully tested on Windows. Please test on other systems and verify it's safe! :)

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-27 03:32:21 +02:00
Michael Schuster
fd8345ccbe
Login Flow V2: adds re-auth upon logout, improvements
- Implements re-auth upon logout -> login
- Improves UI and security

TODO:
- SSL: Client certificate login is possible at the first time only but missing after relaunch

Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Michael Schuster
628bab92c4
fix comment typo in webflowcredentials.cpp
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
Terence Eden
e64fa74899
Typo
There's no such thing as a "key*h*chain".
2019-04-28 10:03:38 +01:00
Roeland Jago Douma
bb2f179342
Be less verbose with logging
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2019-02-15 20:23:24 +01:00
J-P Nurmi
fff64e8aa5 GUI: search'n'replace remaining "Q_DECL_OVERRIDE" with "override" 2018-11-11 11:12:37 +01:00
J-P Nurmi
fb5ff96ed6 GUI: run clang-tidy modernize-use-nullptr 2018-11-11 10:56:22 +01:00
Roeland Jago Douma
045bba0161
Migrate http auth to webflow
This moves all the basic http auth over to the webflow mechanism.
This thus also makes sure that if the password changes a webflow page
pops up. And thus will directly move them over to apptokens then.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-11-03 12:37:53 +01:00
Roeland Jago Douma
9f1f99f4db
Add a WebFlowCredentialsAccessManager
Fixes #279

Some setups don't make Qt emit the right signals and the client would
end up in state where it could not do the initial authentications.
This is a similar hack that apparently already was is place for basic
http auth.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-09-04 20:59:25 +02:00
Roeland Jago Douma
08abc71acb
gui Q_UNUSED
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-07-02 13:02:15 +02:00
Roeland Jago Douma
ef2d113930
Mark credentials as valid if there is no error
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
35e8d0437d
Address comments
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
6809f12e68
Allow the user to sign in again
If the user is signed out (for whatever reason). Show a popup
with the loginflow again.

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
ac1664b525
Actually use webflow credentails
* Detect invalid auth (if the users token is removed for example)
* Properly store and fetch from keychain

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00
Roeland Jago Douma
6b43d80c01
Start with persisting credentials
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
2018-05-02 22:50:48 +02:00