Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

step-up not triggered, 'this operation is forbidden' #90

Closed
michielbdejong opened this issue Oct 31, 2023 · 37 comments
Closed

step-up not triggered, 'this operation is forbidden' #90

michielbdejong opened this issue Oct 31, 2023 · 37 comments
Assignees

Comments

@michielbdejong
Copy link
Member

Split-out from #89 (comment)

@michielbdejong
Copy link
Member Author

This is with commit 21ed0179b4b of the mfazones app, and it looks like neither SUNET/nextcloud-mfazones#10 nor SUNET/nextcloud-mfazones#11 covers this.

#10 provides the step-up when trying to add the MFA requirement (this can be seen in the screencast and also in our new sunet-custom test setup:
Screenshot 2023-11-01 at 16 35 13
But it doesn't deal with inaccessible folders.
And #11 deals with triggering local verification if configured and coming through GSS (I haven't tested this myself yet btw, see #91)

@michielbdejong
Copy link
Member Author

The added tab view is registered through https://github.com/nextcloud/server/blob/master/apps/files/js/filelist.js#L3884
I can probably do something with https://github.com/nextcloud/server/blob/master/apps/files/js/fileactions.js#L122 to add an 'MFA Zone' icon next to the 'share' icon for these inaccessible list entries.

@michielbdejong
Copy link
Member Author

@michielbdejong
Copy link
Member Author

michielbdejong commented Nov 13, 2023

Steps to reproduce:

  • follow the steps from the readme
  • now run docker exec -it sunet-mdb1 mariadb -u sspuser -psspus3r -h sunet-ssp-mdb saml -e "update users set mfa_verified=0;"
  • docker restart sunet-tester
  • on localhost:5800 log in to http://sunet-nc2 as usr1 / pwd1 again
  • in the MFA Checker app, the MFA verified checkbox should now not be checked
  • go to Files, you'll see the 'asdf' folder as grey
  • try to open

Expected

You will see a popup saying 'Enable MFA to enter this MFA Zone'

Actual

  • you will see 'This operation is forbidden'

@michielbdejong
Copy link
Member Author

Not sure how I did this earlier but I'm now seeing the files app is empty on http://sunet-nc2 over http but works OK on https://sunet-nc2 over https.

@yasharpm
Copy link

This is the code snippet that we need. But need to it over a loop with every MFA locked file name:

fileList.fileActions.registerAction({
        name: 'mfa',
        displayName: 'MFA protected',
        type: 1,
        mime: 'all',
        permissions: OC.PERMISSION_NONE,
        iconClass: 'icon-category-security',
        actionHandler: function(fileName, context) {
          OC.dialogs.info('ENABLE MFA to enter this MFA Zone', 'MFA Protected');
        },
        filename: 'asdf'
      });

The outcome looks like this:
image
And when clicks on the MFA button:
image

@michielbdejong
Copy link
Member Author

@yasharpm any progress on the backend service that returns the MFA Zone filenames contained in a given folder?

@yasharpm
Copy link

@michielbdejong Just started to work on this. I'm gonna make sure that we can put our actions on specific files in the list first. Next step would be to retrieve the MFA file list from the backend. Because it might be that we already have the file tags on the list items.

@yasharpm
Copy link

This function is called on the file list with an array of the files for the current folder: FileList.prototype.setFiles. Luckily there is no pagination involved here so we got this part easy.

@yasharpm
Copy link

And in that array of files we have the file id which we can use to query the back-end.

@yasharpm
Copy link

My problem right now is to somehow intercept the call to this function to acquire the list of files and then return the control back to the original setFiles functions. Which I am having trouble to do so.

@yasharpm
Copy link

yasharpm commented Nov 21, 2023

@michielbdejong I am blocked on the above.

const originalSetFiles = fileList.setFiles;

fileList.setFiles = function(filesArray) {
  console.log('FILES ARRAY', filesArray)
  originalSetFiles(filesArray)
}

Is the closest I have come to getting it working. But I am getting this error in js console logs:

jQuery.Deferred exception: this.$fileList is undefined setFiles@http://sunet-nc2/index.php/js/files/merged-index.js?v=b63f613c-0:5664:4
attach/fileList.setFiles@http://sunet-nc2/apps/mfazones/js/plugin.js?v=b63f613c-0:16:25
reloadCallback@http://sunet-nc2/index.php/js/files/merged-index.js?v=b63f613c-0:6433:9

My understanding is that the super function is getting called but it can not resolve this. I am not sure at all though.

@michielbdejong
Copy link
Member Author

That particular problem can probably be solved by binding the setFiles function to the fileList object, using JavaScript function binding: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function/bind

IIUC the problem we're trying to solve here is to know how to set the filename filter in last week's approach.

What if we register the action for all icons, and then run some extra JavaScript to hide the icon for files that are not MFA Zones, and also to change the colour if the current user session is not MFA verified?

@michielbdejong
Copy link
Member Author

As discussed, the second option would get messy when the file list changes and we don't notice. So let's go with the setFiles overwrite option

@yasharpm
Copy link

After a conversation with @michielbdejong we decided to add a plugin to the file dav that would add an additional field to the file properties which would tell us if the file is MFA protected and accessible or not.

Luckily the dav app allows installed apps to register their own plugins by design. Here is the code that refers to the apps.

I am now reading the source for the PluginManager to see what I need to do to make it possible.

@yasharpm
Copy link

Registered a plugin and I am receiving the propfind call and added a random property to files to see how it looks like on the other end. Next stop is that I have to modify the list of requested properties on the JS client side. This one seems easy enough.

@yasharpm
Copy link

I have pushed the changes so far to the issue_90 branch.

@michielbdejong
Copy link
Member Author

@michielbdejong michielbdejong self-assigned this Nov 27, 2023
@michielbdejong
Copy link
Member Author

OK I finally got past #102 and am now able to fully reproduce #90 (comment) on my laptop again.

@michielbdejong
Copy link
Member Author

I see it logging "No read permissions. This might be caused by files_accesscontrol, check your configured rules" server-side for "method":"PROPFIND","url":"/remote.php/dav/files/usr1/asdf" but don't see our own log messages appear yet. Will continue working on this tomorrow!

@michielbdejong
Copy link
Member Author

@michielbdejong
Copy link
Member Author

@michielbdejong
Copy link
Member Author

Should whitelist our property in https://github.com/nextcloud/server/blob/master/core/src/files/client.js

Need to make this change in a the nextcloud source, then build, then add a line to copy it into the dist/ folder in the container https://github.com/pondersource/dev-stock/blob/main/docker/dockerfiles/nextcloud-sunet.Dockerfile#L168

@michielbdejong
Copy link
Member Author

Note to self: I downloaded https://download.nextcloud.com/.customers/server/26.0.7-153512ec/nextcloud-26.0.7-enterprise.zip
to /Users/michiel/gh/nextcloud/enterprise on my laptop for this

@michielbdejong
Copy link
Member Author

michielbdejong commented Dec 14, 2023

In that folder, running:

nvm use 14
npm install
npm run build

But it says it's missing ./src. Will try to check out v26.0.7 in ~/gh/nextcloud/server, nvm use 16, npm install, npm run build, and take it from there.

@michielbdejong
Copy link
Member Author

@michielbdejong
Copy link
Member Author

michielbdejong added a commit that referenced this issue Dec 15, 2023
@michielbdejong
Copy link
Member Author

new dev setup for this:

  • take the main branch of nextcloud-mfa-awareness
  • take the issue_90 branch of mfazones inside that
  • cd servers; ./clean.sh ; ./setup-gss.sh testnet
  • on localhost:5800 / sunet-nc2/index.php/login?direct=1 log in as Admin / !QAZ1qaz to activate the tag and the flow
  • on localhost:5801 / sunet-nc2 log in as usr1 / pwd (SAML)
  • mark the Documents folder as an MFA zone
  • in the web console: document.getElementsByTagName('tr')[1].attributes

@michielbdejong
Copy link
Member Author

michielbdejong commented Dec 20, 2023

I can see <nc:requires-mfa>ponder3source</nc:requires-mfa> in the PROPFIND response. Let's see if I can debug what the client does and whether our patch is correctly applied to it.

@michielbdejong
Copy link
Member Author

it seems the requires-mfa property is present in the PROFIND response body but I'm not sure where the XML parsing is taking place, and whether there is still some filter there, or perhaps it's in a different place. maybe https://www.npmjs.com/package/davclient.js is filtering?

@michielbdejong
Copy link
Member Author

It's very cumbersome to be adding debug statements into NC core JS files, then building patches for them, then building docker images with those patches, then setting up the dev env with those rebuilt images, running the experiment again, and then observing 1 debug value.

I now got a patch that doesn't apply cleanly. Maybe it's because I made changes to package-lock.json. Will either have to try to freshly generate a patch from v26.0.7 or find a better modus operandi.

@michielbdejong
Copy link
Member Author

Now rebuilding v26.0.7, will re-apply 1ecbeda9ec4 when done.

@michielbdejong
Copy link
Member Author

OK, got that working! After 5 weeks ... sorry for the delay! Now I just have to fix:

  • setting the DAV property correctly in our DAV plugin
  • displaying the step-up button based on the data attribute

@michielbdejong
Copy link
Member Author

Hm looks like I have a typo somewhere, will dig into it:
Screenshot 2023-12-21 at 09 09 19

@michielbdejong
Copy link
Member Author

@michielbdejong
Copy link
Member Author

Got past that by using a closure. Next error:
Call to undefined method OCA\\DAV\\Files\\FilesHome::getType()

@michielbdejong
Copy link
Member Author

it works!
the MFA Zone file action is hidden through CSS if the data-mfa-required attribute on the embedding tr is false.
and I made the message different for whether you are MFA verified or not.
only problem is that it doesn't seem to work in the 'shared with you' tab, maybe because the file id is different there?
not sure if I can know the original file id from there! it's not going to work for remote shares anyway.

So maybe all this work went into creating a feature that is not even useful, except for people who had MFA before and disconfigured it. Anyway, for the file owner it works so let's ship it and discuss in the new year.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants