Insights into Nextcloud’s User Management Arthur Schiwon [email protected]

Page 1: Insights into Nextcloud’s User Management - Linux-Tage · 2018. 3. 14. · Nextcloud GmbH

Insights into Nextcloud’s User Management

Arthur Schiwon, [email protected]

Page 2

What is it about?

Page 3

Agenda

● Architectural Overview
● Component Specifics
● Use Cases

Page 4

What is Nextcloud?

● Secure data
● Private clouds
● Cross-cloud sharing
● Audio & video chat

Page 5

Architectural Overview

Page 6

Architecture

Diagram components as labelled on the slide:

● (Security) Middleware
● FrontendController, LoginController and further FrontendControllers
● BusinessLogic
● User Manager & User Object
● Backends implementing UserInterface: Database, User_LDAP, myCustomBase

Page 7

What is a user?

● Loginname(s), UserID, Displaynames
  – UserID happens to be a custom, but unique string
  – UserID is immutable
● Set of features (e.g. emails, quota, avatar)
● Bound to a backend

Page 8

Backend: \OCP\UserInterface

Interface methods:

● implementsActions()
● deleteUser()
● getUsers()
● userExists()
● getDisplayName()
● getDisplayNames()
● hasUserListings()

Optional actions, advertised through implementsActions():

● checkPassword()
● createUser()
● countUsers()
● setDisplayName()
● setPassword()
● getHome()
● canChangeAvatar()
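As an added example (my code, not the talk's or Nextcloud's), a minimal read-only backend in the spirit of the myCustomBase(UserInterface) box on the architecture slide. It assumes the Nextcloud 13-era \OCP\UserInterface and the action bitmask constants in \OC\User\Backend; the OCA\MyCustomBase namespace and the sample account are made up.

```php
<?php
// Added example, not Nextcloud code: a read-only backend implementing
// \OCP\UserInterface, using the NC 13-era action bitmask in \OC\User\Backend.
namespace OCA\MyCustomBase;
use OC\User\Backend;
use OCP\UserInterface;

class MyCustomBackend implements UserInterface {
    /** @var array constructed sample accounts, keyed by immutable UserID */
    private $users;

    public function __construct() {
        // Constructed data; a real backend queries its own store instead.
        $this->users = [
            'alice' => ['hash' => password_hash('correct horse battery', PASSWORD_DEFAULT),
                        'name' => 'Alice Example'],
        ];
    }

    // The user manager checks this bitmask before calling optional methods
    // such as checkPassword(); advertise only what is really implemented.
    public function implementsActions($actions) {
        return (bool)($actions & (Backend::CHECK_PASSWORD | Backend::GET_DISPLAYNAME));
    }

    // Loginname is matched case-insensitively, but the returned value is the
    // canonical UserID (or false), never the loginname as typed.
    public function checkPassword($loginName, $password) {
        $uid = strtolower($loginName);
        if (!isset($this->users[$uid])) {
            return false;
        }
        return password_verify($password, $this->users[$uid]['hash']) ? $uid : false;
    }

    public function deleteUser($uid) { return false; } // read-only backend
    public function userExists($uid) { return isset($this->users[$uid]); }
    public function getDisplayName($uid) { return $this->users[$uid]['name'] ?? $uid; }
    public function hasUserListings() { return true; }

    public function getUsers($search = '', $limit = null, $offset = null) {
        $uids = array_filter(array_keys($this->users), function ($uid) use ($search) {
            return $search === '' || stripos($uid, $search) !== false;
        });
        return array_slice(array_values($uids), (int)$offset, $limit);
    }

    public function getDisplayNames($search = '', $limit = null, $offset = null) {
        $uids = $this->getUsers($search, $limit, $offset);
        return array_combine($uids, array_map([$this, 'getDisplayName'], $uids));
    }
}
```

Register it from the app's appinfo/app.php with \OC::$server->getUserManager()->registerBackend(new MyCustomBackend()); the user manager then consults implementsActions() before it calls checkPassword().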

Page 9

Service: \OCP\IUserManager

● Backend handling (adding, removing, listing)
● User checks, retrieval, listing and searches
● User auth
● User modification (create)
● Iterating over “seen” users

Page 10

User object: \OCP\IUser

● Querying data (uid, display name, email, avatar, directory, quota)
● Manipulation (display name, password, state, quota; deletion)
  – As proxy for DB APIs or Backend APIs
● Capability detection (canChangeAvatar, -Password, -DisplayName)

Page 11

User data in database tables

                      Database      LDAP                SAML
User list / mapping   users         ldap_user_mapping   user_saml_users
User features         preferences (same table for every backend)
User profiles         accounts (same table for every backend)

Page 12

Component Specifics

Page 13

Database backend in a nutshell

● Native, always-on user backend
● Managed in Nextcloud
● Loginname is the case-insensitive UserID

Page 14

LDAP Backend principles

● Up to date, but still performant
● Read-only, but opt-in password change
● Fine-tuned control per filters and bases
● Feature detection instead of fingerprinting
  – as vendor agnostic as possible
● Offers a Provider for other apps to hook in

Page 15

How does an LDAP user go into the cloud

● LDAP configuration must exist
● Search op against LDAP returns user record data
  – Triggered e.g. on sharing dialogue, users page or login
● If not a known user, create a UserID, map against DN and UUID
  – Includes UserID collision checks (appends a random number in that case)
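The mapping step on this slide, as an added illustration that is not the user_ldap app's code: the UUID is the stable anchor, a moved DN is re-mapped to the existing UserID, and a colliding name gets a random number appended. The LdapUserMapper class, the allowed-character set and the sample entries are my assumptions.

```php
<?php
// Added example, not the user_ldap app's code: how an LDAP record becomes a
// Nextcloud UserID on first sight (slide 15). All data below is constructed.
class LdapUserMapper {
    private $byUuid = [];         // LDAP UUID -> UserID (the stable anchor)
    private $byDn = [];           // LDAP DN   -> UserID (DNs can move, kept separately)
    private $userExistsElsewhere; // callable: is this UserID taken in another backend?

    public function __construct(callable $userExistsElsewhere) {
        $this->userExistsElsewhere = $userExistsElsewhere;
    }

    // $ldapName is the value of the configured internal-username attribute
    // (commonly uid or sAMAccountName). Returns the UserID, mapping if needed.
    public function map($dn, $uuid, $ldapName) {
        if (isset($this->byUuid[$uuid])) {           // known user: UserID is immutable
            $this->byDn[$dn] = $this->byUuid[$uuid]; // refresh the DN in case it moved
            return $this->byUuid[$uuid];
        }
        // Keep only the characters this example allows in a UserID (assumption).
        $candidate = preg_replace('/[^a-zA-Z0-9_.@-]/', '', $ldapName);
        if ($candidate === '') {
            throw new RuntimeException('LDAP name yields an empty UserID');
        }
        // Collision check: append a random number until the UserID is free.
        $uid = $candidate;
        for ($attempt = 0; $this->isTaken($uid); $attempt++) {
            if ($attempt >= 20) {
                throw new RuntimeException("no free UserID derived from $candidate");
            }
            $uid = $candidate . random_int(1000, 9999);
        }
        $this->byUuid[$uuid] = $uid;
        $this->byDn[$dn] = $uid;
        return $uid;
    }

    private function isTaken($uid) {
        return in_array($uid, $this->byUuid, true) || ($this->userExistsElsewhere)($uid);
    }
}

// Constructed scenario: "admin" lives in the database backend; two LDAP
// entries share the uid attribute "jdoe" in different OUs.
$mapper = new LdapUserMapper(function ($uid) { return $uid === 'admin'; });
$first  = $mapper->map('uid=jdoe,ou=people,dc=example,dc=org', 'uuid-0001', 'jdoe');
$second = $mapper->map('uid=jdoe,ou=contractors,dc=example,dc=org', 'uuid-0002', 'jdoe');
$again  = $mapper->map('uid=jdoe,ou=staff,dc=example,dc=org', 'uuid-0001', 'jdoe');
assert($first === 'jdoe' && $again === 'jdoe');             // immutable, even after a move
assert($second !== 'jdoe' && strpos($second, 'jdoe') === 0); // e.g. jdoe4821 (random)
```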

Page 16

How does an LDAP user leave the cloud

● We figure out when a user cannot be read from LDAP
  – Looping background job
● We don’t know why, though
● Everything is kept in place until manual deletion
● occ ldap:
  – show-remnants
  – check-user [--force] $userid

Page 17

How LDAP got pluggable write support

● Cheers to Vinicius Brand and his friends at eita
● Channels: IRC (optional), GitHub
● Feature merged with PR 5321

Process shown on the slide: Problem → discuss solution → Code & Review → Win :)

Page 18

Use Cases

Page 19

Access Control

● Apps offer pages and APIs
● Annotations are used to direct the Middleware
● No boilerplate code needed
● Strict by default

Page 20

Auto-completing Users

● An app wants to offer users to share with or to mention
● → AutoComplete endpoint
● core/Controller/AutoCompleteController.php

Page 21

Working with a specific user

Page 22

Working with a set of users

Page 23

Working with the current user

● IUserSession instance contains information
● … and does some validation
● returns IUser or null
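An added example (not from the talk or a Nextcloud app) that ties the Access Control slide to this one: a controller whose methods are guarded by the security middleware according to their annotations, and which reads the current user from IUserSession, treating null as "not logged in". The OCA\MyApp namespace, the method names and the JSON payload are made up.

```php
<?php
// Added example, not from the talk: annotations direct the security middleware
// (slide 19); IUserSession::getUser() returns IUser or null (slide 23).
namespace OCA\MyApp\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\JSONResponse;
use OCP\IRequest;
use OCP\IUserSession;

class AccountController extends Controller {
    private $userSession;
    public function __construct($appName, IRequest $request, IUserSession $userSession) {
        parent::__construct($appName, $request);
        $this->userSession = $userSession;
    }

    /**
     * No annotation: the strict default. The middleware only lets a logged-in
     * admin with a valid CSRF token reach this method, so the body stays simple.
     */
    public function resetAll() {
        return new JSONResponse(['reset' => true]);
    }

    /**
     * @NoAdminRequired
     * Any logged-in user may call this; the CSRF check still applies.
     * getUser() may be null, so check before dereferencing.
     */
    public function me() {
        $user = $this->userSession->getUser();
        if ($user === null) {
            return new JSONResponse([], Http::STATUS_UNAUTHORIZED);
        }
        return new JSONResponse([
            'uid' => $user->getUID(),                          // immutable identifier
            'displayName' => $user->getDisplayName(),
            'canChangePassword' => $user->canChangePassword(), // capability detection
        ]);
    }

    /**
     * @PublicPage
     * @NoCSRFRequired
     * Reachable without a session and without a token: keep such methods free
     * of side effects and of per-user data.
     */
    public function status() {
        return new JSONResponse(['status' => 'ok']);
    }
}
```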

Page 24

Reacting to Hooks

● preLogin, postLogin
● preRememberedLogin
● logout, postLogout
● preCreateUser, postCreateUser
● preDelete, postDelete
● preSetPassword, postSetPassword
● changeUser
● \OC\Hooks\EmitterTrait contains code for listening and emitting
● No public API yet
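How listening and emitting look with the internal emitter, as an added example rather than code from the talk; it uses \OC\User\Manager (a PublicEmitter) directly because, as the slide says, there is no public API yet. The OCA\MyApp namespace, the app id "myapp" and the naming rule in preCreateUser are my assumptions.

```php
<?php
// Added example, not from the talk: listening to the user manager's hooks and
// emitting your own via \OC\Hooks\EmitterTrait. The emitter is internal API (no
// public API yet, as the slide says); app id "myapp" and the policy are made up.
namespace OCA\MyApp;

use OC\Hooks\EmitterTrait;
use OC\User\Manager;
use OCP\IConfig;
use OCP\ILogger;
use OCP\IUser;

class UserHooks {
    use EmitterTrait; // brings listen() and the protected emit()
    private $config;
    private $logger;

    public function __construct(IConfig $config, ILogger $logger) {
        $this->config = $config;
        $this->logger = $logger;
    }

    // $userManager is \OC\User\Manager (a PublicEmitter), e.g. from
    // \OC::$server->getUserManager(); the scope string is always '\OC\User'.
    public function register(Manager $userManager) {
        // postLogin passes ($user, $password): record the login, never the secret.
        $userManager->listen('\OC\User', 'postLogin', function (IUser $user, $password) {
            $this->logger->info('login: ' . $user->getUID(), ['app' => 'myapp']);
        });
        // preCreateUser passes ($uid, $password); an exception aborts the creation,
        // which makes it a place for a naming policy (constructed rule below).
        $userManager->listen('\OC\User', 'preCreateUser', function ($uid, $password) {
            if (strcasecmp($uid, 'root') === 0) {
                throw new \InvalidArgumentException('reserved user id: ' . $uid);
            }
        });
        // postDelete passes ($user): remove this app's per-user preferences.
        $userManager->listen('\OC\User', 'postDelete', function (IUser $user) {
            $this->purge($user->getUID());
        });
    }

    private function purge($uid) {
        foreach ($this->config->getUserKeys($uid, 'myapp') as $key) {
            $this->config->deleteUserValue($uid, 'myapp', $key);
        }
        // Emit a hook of our own; listeners subscribe with
        // $hooks->listen('\OCA\MyApp\UserHooks', 'postPurge', $callback).
        $this->emit('\OCA\MyApp\UserHooks', 'postPurge', [$uid]);
    }
}
```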

Page 25

Reacting to Hooks contd.

Page 26

Emitting Hooks

Page 27

DevOps: Provisioning API

● Provides all means of user creation and modification
● Base endpoint: https://nextcloud.server/ocs/v2.php/cloud/users[/userid[/action]]
● Similar API for groups, apps

open-collaboration-services.org

Page 28

Give an LDAP user admin privileges

Page 29

Requiring a second factor for login

● Or is “12E456” secure enough?
● Another token to protect against guessed, brute-forced or stolen passwords
● TOTP and U2F available

Page 30

The road to your 2FA Provider

● Create a new app
● Implement OCP\Authentication\TwoFactorAuth\IProvider
● Announce in info.xml

Page 31

Example: TOTP Challenge
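An added TOTP provider following the three steps on the previous slide (create an app, implement IProvider, announce it); it is my example, not the twofactor_totp app's code. It assumes the Nextcloud 13-era OCP\Authentication\TwoFactorAuth\IProvider methods, the app id "mytotp", a "challenge" template, and that enrollment (not shown) stored the shared secret base64-encoded in the user's preferences.

```php
<?php
// Added example, not from the talk or the twofactor_totp app: a TOTP provider.
// Assumes the NC 13-era IProvider methods; enrollment (not shown) stored the
// shared secret base64-encoded under the made-up app id "mytotp".
namespace OCA\MyTotp;
use OCP\Authentication\TwoFactorAuth\IProvider;
use OCP\IConfig;
use OCP\IUser;
use OCP\Template;

class TotpProvider implements IProvider {
    private $config;
    public function __construct(IConfig $config) { $this->config = $config; }
    public function getId() { return 'mytotp'; }
    public function getDisplayName() { return 'My TOTP'; }
    public function getDescription() { return 'Time-based one-time password'; }
    // Rendered in the challenge step; the template only needs a code input.
    public function getTemplate(IUser $user) { return new Template('mytotp', 'challenge'); }

    private function secretFor(IUser $user) {
        $stored = $this->config->getUserValue($user->getUID(), 'mytotp', 'secret', '');
        return $stored === '' ? '' : (string)base64_decode($stored, true);
    }
    // Only users who enrolled a secret are challenged.
    public function isTwoFactorAuthEnabledForUser(IUser $user) {
        return $this->secretFor($user) !== '';
    }

    // Accept the current 30-second step and its direct neighbours (clock skew),
    // compare in constant time, and reject anything that is not six digits.
    public function verifyChallenge(IUser $user, $challenge) {
        $secret = $this->secretFor($user);
        if ($secret === '' || !preg_match('/^\d{6}\z/', (string)$challenge)) {
            return false;
        }
        $step = intdiv(time(), 30);
        foreach ([$step - 1, $step, $step + 1] as $counter) {
            if (hash_equals(self::hotp($secret, $counter), (string)$challenge)) {
                return true;
            }
        }
        return false;
    }

    // RFC 4226 dynamic truncation over HMAC-SHA1; $secret is the raw key bytes.
    public static function hotp($secret, $counter, $digits = 6) {
        $h = hash_hmac('sha1', pack('N2', 0, $counter), $secret, true); // 8-byte counter
        $o = ord($h[19]) & 0x0f;
        $code = ((ord($h[$o]) & 0x7f) << 24) | (ord($h[$o + 1]) << 16)
              | (ord($h[$o + 2]) << 8) | ord($h[$o + 3]);
        return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
    }
}
```

Announce the class in the app's info.xml inside <two-factor-providers><provider>OCA\MyTotp\TotpProvider</provider></two-factor-providers>; the server then asks isTwoFactorAuthEnabledForUser() after the password step and calls verifyChallenge() with the submitted code.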

Page 32

App passwords

● 2FA is available on web login only
● Easy way for third party apps or devices to use Nextcloud
● … and to revoke them
● Forced with 2FA
● token_auth_enforced in config.php

Page 33

Mobile/Desktop application needs access

● Obtain an app password via web login: “Login Flow”
● User logs in as normal the first time, and can revoke the password any time
● If you need the userid, request ocs/v2.php/cloud/user subsequently

Diagram (as labelled on the slide): App → Webview opening /login/flow → Login screen → regular login (loginname + app password) | denial

Page 34

Reference examples

● Android app/Java
  – New weblogin flow
  – https://github.com/nextcloud/android/pull/1148
● Desktop Client/C++
  – Add weblogin flow for NC > 12
  – https://github.com/nextcloud/client/pull/75
● iOS/Swift & Objective-C
  – Commit: login flow
  – https://github.com/nextcloud/ios/commit/64d7c7dbfa6603069bf40100e4430f670c5fd6

Page 35

Resources

● Website https://nextcloud.com
● Source repositories https://github.com/nextcloud/
● Developer documentation https://docs.nextcloud.com/server/13/developer_manual/
● Forum https://help.nextcloud.com/
● IRC #[email protected]

Page 36

Nextcloud GmbH
Hauptmannsreute 44A
70192 Stuttgart
Germany

[email protected]

nextcloud.com

A safe home for all your data