Commit graph

111 commits

Author SHA1 Message Date
Christian Kamm
ee6a48b3dc
Client certs: Store pkcs12 in config, password in keychain
It still reads and writes the old format too, but all newly stored
client certs will be in the new form.

For #6776 because Windows limits credential data to 512 bytes in older
versions.
2020-12-15 10:58:43 +01:00
Christian Kamm
13890c04a7
HttpCreds: Warn in log if keychain-write jobs fail #6776
Also, calling deleteLater() on jobs is unnecessary (they autodelete
after finished()) and deleting the attached QSettings is also
unnecessary because the settings object is parented to the job.
2020-12-15 10:58:36 +01:00
Olivier Goffart
35967fc2d6
OAuth2: Refresh the token without aborting the sync
OAuth2 access token typically only has a token valid for 1 hour.
Before this patch, when the token was timing out during the sync, the
sync was aborted, and the ConnectionValidator was then requesting a new
token, so the sync can be started over.
If the discovery takes longer than the oauth2 validity, this means that
the sync can never proceed, as it would be always restarted from scratch.

With this patch, we try to transparently renew the OAuth2 token and restart
the jobs that failed because the access token was invalid.

Note that some changes were required in the GETFile job because it handled
the error itself and so it was erroring the jobs before its too late.

Issue #6814
2020-12-15 10:58:14 +01:00
Olivier Goffart
53a14c2041
HttpCredentials: initialize all member inline 2020-12-15 10:58:14 +01:00
Kevin Ottens
3427dadaeb
Get rid of FindQt5Keychain.cmake
QtKeychain provides Qt5KeychainConfig.cmake and friends nowadays, so no
need to have a less reliable and outdated find module on our end.

Also this shows that we were including keychain.h in the wrong way and
were not using the link target, so both got fixed as well.

Signed-off-by: Kevin Ottens <kevin.ottens@nextcloud.com>
2020-11-02 13:19:48 +01:00
Michael Schuster
61dc4b9137
Update comments
Everyone uses their private mail, so ensure people can get in touch.

Signed-off-by: Michael Schuster <michael@schuster.ms>
2020-10-15 02:18:52 +02:00
Kevin Ottens
2f8c29082a Enable the modernize-use-equals-default check on clang-tidy
Signed-off-by: Kevin Ottens <kevin.ottens@nextcloud.com>
2020-08-13 14:19:42 +02:00
Stephan Beyer
293be2c2e6 Remove redundant initialization of HttpCredentials::_keychainMigration
The value gets already initialized by default member initialization,
so there is no need to set it again.

Signed-off-by: Stephan Beyer <s-beyer@gmx.net>
2020-07-08 14:08:41 +02:00
Michael Schuster
f4d83d02f6
Cleanup auto pointers and qobject casts, refactor KeychainChunk
Signed-off-by: Michael Schuster <michael@schuster.ms>
2020-07-06 21:51:40 +02:00
Michael Schuster
42eb3388f8
Refactor KeychainChunk to use QEventLoop and add DeleteJob class
- Use QEventLoop for synchronous exec()
- Rename startAwait() to exec()
- Add code for auto deletion
- Add new DeleteJob class
- Cleanup, tweaks

Signed-off-by: Michael Schuster <michael@schuster.ms>
2020-07-06 21:51:40 +02:00
Michael Schuster
18cbbc5052
KeychainChunk: Add synchronous method startAwait()
Awaits completion with no need to connect some slot to the finished() signal first,
inspired by the ProxyAuthHandler class.

Also add:
- Job dtor to safely erase passwords
- textData() method
- New ctor overloads to work with arbitrary keys (without Account ptrs)

Signed-off-by: Michael Schuster <michael@schuster.ms>
2020-07-06 21:51:39 +02:00
Michael Schuster
2a3ef044be
Move KeychainChunk class from gui to libsync
Signed-off-by: Michael Schuster <michael@schuster.ms>
2020-07-06 21:51:39 +02:00
Kevin Ottens
e3e262e42e Use default member init when applicable
This also fixes a couple of warnings at places (out of order init for
instance) and a potential bug in the webflow credentials / qtkeychain
integration.

Signed-off-by: Kevin Ottens <kevin.ottens@nextcloud.com>
2020-06-03 16:10:39 +02:00
Kevin Ottens
712869db9a Use auto to avoiding repeating type names
Signed-off-by: Kevin Ottens <kevin.ottens@nextcloud.com>
2020-05-20 03:54:41 +02:00
Michael Schuster
aa93a04fd6
fix comment typo in httpcredentials.cpp
Signed-off-by: Michael Schuster <michael@schuster.ms>
2019-08-26 20:03:15 +02:00
J-P Nurmi
1af9bf8abc libsync: run clang-tidy modernize-use-nullptr 2018-11-12 18:46:39 +01:00
J-P Nurmi
48acaec66f libsync: search'n'replace "Q_DECL_OVERRIDE" with "override" 2018-11-12 18:39:50 +01:00
Olivier Goffart
3b2c6d2202
OAuth: Fix infinite loop when the refresh token is expired
The server reply with a code 400 when the token is invalid,
the client was understanding this error as a network error, and was retying
again with the same token.

Instead, we must rely on what the json is saying, even if the reply is
not a 200 code.

Issue https://github.com/owncloud/enterprise/issues/2777
2018-09-10 20:22:40 +02:00
Olivier Goffart
7c9ec4a55a
Credentials: Retry fetching from the keychain in case the keychain is still starting
When owncloud is restored, at boot time, it might be started before the
crendential manager. So if we detect an error, wait 10 seconds and hopefully
it'd be loaded by then.

Issues: #4274, #6522
2018-06-07 15:18:40 +02:00
Daniel Nicoletti
a63d34f870 Prepend "nextcloud" for all logging categories
Thus making easier to exclude logging from kio, qt
and only enable "nextcloud.*"
2017-12-28 17:33:10 -02:00
Olivier Goffart
3df65460f5 Remove usage of QString::null
Replaces by "QString()"
2017-12-08 16:15:22 +01:00
Olivier Goffart
753d7addb4 libsync: Fix compilation with TOKEN_AUTH_ONLY
This means we cannot use QtGui in libsync.
So this mostly disable the avatar from the account and the avatarjob

Note that there is one logic change: in ConnectionValidator::slotUserFetched
we do the avatar job even if the user is empty. Otherwise we would end up in
a invalid state. This restore the 2.3.x behavior that was broken in
commit e05d6bfcdc
2017-11-25 12:57:16 +01:00
Christian Kamm
c9d5a9cea2 HttpCreds: Don't create empty client cert keychain entries #5752
This doesn't do anything about deleting the client cert keychain
entries when the whole account is removed though.
2017-11-03 10:28:56 +01:00
Christian Kamm
6ac44f05cd Credentials: Namespace windows cred keys #6125
The application name is prepended to the key. QtKeychain doesn't
do that automatically on the platform.
2017-11-01 17:03:30 +01:00
Olivier Goffart
0cec6f08ca OAuth2: Fix double slash in URL
We need to use concatPath to avoid possible double '/' in the URLs if the
account url() ends with '/'.

This has become even more of a problem since commit
d1b8370a4a which was resolving the url after
a redirect where most server actually add a '/' if the url is a folder
2017-09-23 10:10:40 +02:00
Olivier Goffart
ff4213b59f Use the Qt5 connection syntax (automated with clazy)
This is motivated by the fact that QMetaObject::noralizeSignature takes 7.35%
CPU of the LargeSyncBench. (Mostly from ABstractNetworkJob::setupConnections and
PropagateUploadFileV1::startNextChunk). It could be fixed by using normalized
signature in the connection statement, but i tought it was a good oportunity
to modernize the code.

This commit only contains calls that were automatically converted with clazy.
2017-09-21 14:05:39 +02:00
Olivier Goffart
1218a38f2c Include <QAuthenticator> from code that connect to signal that uses it
The new connection syntax will need that
2017-09-21 14:05:39 +02:00
Jocelyn Turcotte
a1f1775d15 Move SyncJournalDB to src/common 2017-09-18 14:00:52 +02:00
Christian Kamm
8635b8ac84 Reduce timeout for some admin jobs
The oauth token jobs and the wizard redirect check job shouldn't have
5min timeouts.
2017-09-15 15:25:10 +02:00
Christian Kamm
1f57fd0407 HttpCreds: Remove migration code from 1.7 2017-09-15 09:29:05 +02:00
Christian Kamm
671599c8b2 Credentials: Use per-account keychain entries #5830
This requires a lot of migration code: the old entries need to be read,
saved to the new locations and then deleted.
2017-09-15 09:29:05 +02:00
Christian Kamm
e05f5fc50d OAuth: Don't use implicit POST bodies
The query args of POST requests become the request body. If there's a
redirect, the redirected url will therefore not contain the query
arguments. Use an explicit request body to make the redirection work.
2017-09-15 09:28:03 +02:00
Christian Kamm
7d075cdcb7 OAuth: Use redirectable jobs for oauth token management 2017-09-15 09:28:03 +02:00
Helmut K. C. Tessarek
709aa27031 remove qt4 code 2017-09-15 07:11:05 +02:00
Christian Kamm
de5de6284c Use DetermineAuthTypeJob in HttpCredentials
* Move it to networkjobs
* Minor adjustments to its logic
* Fixes redirect handling for oauth/basic http auth check #6003
2017-09-11 19:15:43 +02:00
Jocelyn Turcotte
cf15cbf0b3 Move Utility to a new common static library
Now that csync builds as C++, this will avoid having to implement
functionalities needed by csync mandatorily in csync itself.

This library is built as part of libocsync and symbols exported
through it.
This requires a relicense of Utility as LGPL. All classes moved into
this library from src/libsync will need to be relicensed as well.
2017-09-05 17:25:19 +02:00
Olivier Goffart
6ae88514d8 OAuth: clear refresh token when the server claim not to support oauth
Allow upgrade path when the server removes support for oauth
Relates: https://github.com/owncloud/client/issues/5848#issuecomment-317353049

We also need to force the account to commit the config to the disk,
otherwise we may not register we are no longer using owncloud and we
risk sending the password as the token to the token refresh API call
2017-07-25 12:34:13 +02:00
Olivier Goffart
c043840cb1 OAuth: Fix refresh of token after expiration
Before commit d3b00532b1,
fetchFromKeychain was called everytime we detect that the creds are
invalid (in AccountState::slotInvalidCredentials)
But since that commit, AccountState was calling askFromUser directly,
breaking the refresh of the token.

So I made sure AccountState::slotInvalidCredentials still calls
refreshAccessToken.

Another change that was made was too be sure to clear the cookies
in HttpCredentials::invalidateToken even when we are only clearing the
access_token. That's because the session with a cookie may stay valid
longer than the access_token
2017-07-25 12:34:13 +02:00
Christian Kamm
a5ace5e71d Account/Credentials: Have identical lifetimes
The QNAM may continue to outlive both.

Rename Credentials::getQNAM() to createQNAM() while we're at it - it's
used to make a new QNAM that will subsequently be owned by the Account
object.

See d01065b9a1 for rationale.

Relates to
d40c56eda5
147cf798a6
2017-07-08 13:07:13 +02:00
Christian Kamm
d01065b9a1 Fix crash on account deletion
Calling forgetSensitiveData() on account deletion leads to a timer for
clearQNAMCache() being queued. Then the Account object is deleted. The
Credentials object stays alive for now because it has a deleteLater
deleter.

If the timer calls into a slot on the Credentials object, the _account
pointer will be invalid at this time.

As a workaround, move the target slot to Account - that way it will not
be called as the account object is already destroyed.

However since Account and Credentials are mutually dependent, it would
be much preferable if their lifetimes were linked, avoiding this
category of bugs.

The current behavior was introduced in
d40c56eda5 and I currently don't
understand why - maybe there's another way of dealing with the problem
that existed then.
2017-07-06 14:34:02 +02:00
Olivier Goffart
5100a2daf1 OAuth: cleanup debug messages
- Add category to the all messages (they did not have it was merged right after
the patch to add category everywhere, but this code did not have it.)

- Make sure there is no warnings in the normal flow. (The wizard does a request
without authentication to determine the auth type)
2017-06-13 12:08:24 +02:00
Olivier Goffart
3d93527a8e Authentication with OAuth2
When the OAuth2 app (https://github.com/owncloud/oauth2) is enabled,
We will open a browser and perform the OAuth2 authentication

Issue: #4798 and https://github.com/owncloud/platform/issues/17
2017-06-01 10:39:33 +02:00
Christian Kamm
d3b00532b1 Credentials: Simplify credential flow #5728
And as a side effect: don't ask for user password when we can't
connect to the server in the first place.
2017-05-22 10:52:18 +02:00
Christian Kamm
c8d0f788e0 Apply clang-format 2017-05-17 12:26:27 +02:00
Jocelyn Turcotte
b7553d5bdf Upgrade some qCDebug to qCInfo or qCWarning
Use qCInfo for anything that has general value for support and
development. Use qCWarning for any recoverable error and qCCritical
for anything that could result in data loss or would identify a serious
issue with the code.

Issue #5647
2017-05-11 17:22:59 +02:00
Jocelyn Turcotte
4ad190a558 Use Qt logging categories for logging
This gives more insight about the logs and allow setting fine-tuned
logging rules. The categories are set to only output Info by default
so this allows us to provide more concise logging while keeping the
ability to extract more information for a specific category when
developping or debugging customer issues.

Issue #5647
2017-05-11 17:22:59 +02:00
Christian Kamm
4c1fdf1dee Double check usage of asserts #5429
A few are supposed to be fatal.
2017-02-08 15:15:19 +01:00
Markus Goetz
c6f4f44619 Fix up SSL client certificates #5213 #69 (#5289)
The re-enables the UI, uses Qt API for importing and
stores the certificate/key in the system keychain.
People who had set up client certs need to re-setup the account. This is ok
since it was an undocumented feature anyway.
2017-01-02 08:34:02 +01:00
ckamm
ec7333a4bf Merge pull request #5272 from owncloud/licensefix-pending
License: Adjust license of GPLv2 source files to GPLv2+
2016-11-18 15:14:47 +01:00
Christian Kamm
10644d3568 Move concatUrl and settingsWithGroup to Utility
There was little reason to keep them cluttering Account.
2016-10-25 12:05:28 +02:00