Owncloud 8.2.1 and Privacyidea


Sam Marsh

Jan 7, 2016, 7:05:06 AM
to privacyidea
Hi all,

First post! :) 

I am looking for any pointers into an issue I'm having with Privacyidea and Owncloud. I have configured my Privacyidea server to point to my owncloud realm and that passes the test successfully. I have generated tokens for the users 'sucked in' from owncloud, and tested these and they work also. I've installed the owncloud 'user_privacyidea' app and configured it to point to my PrivacyIDEA server and also disabled 'check SSL', however whenever I try and authenticate my test user against privacyidea it fails.

After speaking with Cornelius over email last night, I enabled debug in owncloud and tested again and now I can see the following in the owncloud.log:

{"reqId":"Vo5STH8AAQEAAGnQg3cAAAAs","remoteAddr":"134.225.2.12","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:55:56","method":"PROPFIND","url":"\/remote.php\/webdav\/"}
{"reqId":"KtQbrb9wy1MxVwGwfzEq","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:56:21","method":"--","url":"--"}
{"reqId":"VSgwPMcwd3oQDlTySNi0","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:56:31","method":"--","url":"--"}
{"reqId":"pAdy8rexqxL0Qed110ls","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:57:49","method":"--","url":"--"}
{"reqId":"IqOmouxSF1+qTwakMysW","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:58:03","method":"--","url":"--"}
{"reqId":"nStAedMfOmaKZAq+e9Ae","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:58:08","method":"--","url":"--"}
{"reqId":"bInKSBNyYiI7Jtl4h4hQ","remoteAddr":"","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 11:58:11","method":"--","url":"--"}

Which is perplexing. I have enabled it again via the command line using the owncloud 'occ' tool (and same issue):

root@server:/var/www/owncloud# sudo -u www-data php occ app:disable user_privacyidea
user_privacyidea disabled
root@server:/var/www/owncloud# sudo -u www-data php occ app:enable user_privacyidea
user_privacyidea enabled

I have also used a 'check-code' option within occ which has flagged some items:

root@server:/var/www/owncloud# sudo -u www-data php occ app:check-code user_privacyidea
Analysing /var/www/owncloud/apps/user_privacyidea/appinfo/app.php
 4 errors
    line    6: OCP\Config - Static method of deprecated class must not be called
    line   11: OC_User - Static method of private class must not be called
    line   12: OC_User - Static method of private class must not be called
    line   17: OC_User - Static method of private class must not be called
Analysing /var/www/owncloud/apps/user_privacyidea/adminSettings.php
 1 errors
    line   29: OC_Util - Static method of private class must not be called
Analysing /var/www/owncloud/apps/user_privacyidea/lib/otp_privacyidea.php
 6 errors
    line  174: OCP\Config - Static method of deprecated class must not be called
    line  193: OCP\Config - Static method of deprecated class must not be called
    line  195: OCP\Config - Static method of deprecated class must not be called
    line  196: OCP\Config - Static method of deprecated class must not be called
    line  200: OCP\Config - Static method of deprecated class must not be called
    line  201: OCP\Config - Static method of deprecated class must not be called
Deprecated field available: shipped => false
Migrate the app version to appinfo/info.xml (add <version>0.2</version> to appinfo/info.xml and remove appinfo/version)
App is not compliant
root@server:/var/www/owncloud#

Has anyone experienced this issue? I'm pulling my hair out trying to think of where to look next.

Cheers,
Sam 
@vcolonel


Sam Marsh

Jan 7, 2016, 7:10:25 AM
to privacyidea
More specifically I'm seeing:

{"reqId":"Vo5VaX8AAQEAAGl4vz0AAAAA","remoteAddr":"134.225.2.12","app":"core","message":"Login failed: 'testuser1' (Remote IP: '134.225.2.12')","level":2,"time":"January 07, 2016 12:09:14","method":"POST","url":"\/"}
{"reqId":"Vo5Van8AAQEAAGl4vz4AAAAA","remoteAddr":"134.225.2.12","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 12:09:14","method":"GET","url":"\/index.php\/core\/js\/oc.js?v=f6fbf2b7631919f61016e5b8495eb630"}
{"reqId":"Vo5Van8AAQEAAGl4vz8AAAAA","remoteAddr":"134.225.2.12","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 12:09:14","method":"GET","url":"\/cron.php"} 

Cornelius Kölbel

Jan 7, 2016, 8:03:42 AM
to priva...@googlegroups.com
Hi Sam,

I am really sorry for the hassle with owncloud and privacyIDEA.

I think the activation output has some leads.

"line 174: OCP\Config - Static method of deprecated class must not be
called"

"App is not compliant"

The last successful 2F authentication I know of is with owncloud 8.0.9.

As you are running 8.2.1 it sounds like the owncloud API is not
compatible anymore. This is the moment I am pulling MY hair, since
owncloud does not comply with semantic versioning (http://semver.org/)
breaking their API with minor version changes.

Obviously the privacyIDEA plugin needs to be adapted to run with version
8.2.1. But honestly I am really not very eager to do so, as I am afraid,
owncloud will break their API with version 8.3 again.

So if anyone is here who likes to program PHP and get involved with
maintaining the privacyIDEA owncloud plugin (which will be probably
necessary with OC 8.3, 8.4...) then this is highly appreciated!

But I personally think owncloud is the most overrated software nowadays
and they lack the necessary mind for security nowadays. owncloud should
take care of two factor authentication themselves by providing a stable
authentication API as many other open source applications do.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Sam Marsh

Jan 7, 2016, 9:03:18 AM
to privacyidea
Hmm, wonder if it's something I'm doing wrong, as I just spun up an instance of Owncloud 7.0 in docker and I'm seeing similar issues:

root@94abee8b6400:/var/www/owncloud# sudo -u www-data php occ --version
{"reqId":"568e6eceac717","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 13:57:34","method":"--","url":"--"}
ownCloud version 7.0.12
root@94abee8b6400:/var/www/owncloud# sudo -u www-data php occ app:enable user_privacyidea
{"reqId":"568e6ee32e067","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 13:57:55","method":"--","url":"--"}
user_privacyidea is already enabled
root@94abee8b6400:/var/www/owncloud# 

I also bounced Apache2 after configuring config.php and whilst it isn't showing anything in owncloud.log (god knows why), in /var/log/apache2/error.log I can see:

[Thu Jan 07 14:01:00.951047 2016] [mpm_prefork:notice] [pid 15133] AH00169: caught SIGTERM, shutting down
[Thu Jan 07 14:01:02.126400 2016] [mpm_prefork:notice] [pid 15197] AH00163: Apache/2.4.7 (Ubuntu) PHP/5.5.9-1ubuntu4.14 configured -- resuming normal operations
[Thu Jan 07 14:01:02.126495 2016] [core:notice] [pid 15197] AH00094: Command line: '/usr/sbin/apache2'
[Thu Jan 07 14:01:03.585587 2016] [:error] [pid 15200] [client 192.168.0.81:63068] {"reqId":"568e6f9f8eed6","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 14:01:03","method":"POST","url":"\\/owncloud\\/"}, referer: http://192.168.0.16:8003/owncloud/
[Thu Jan 07 14:01:03.691818 2016] [:error] [pid 15200] [client 192.168.0.81:63068] {"reqId":"568e6f9f8eed6","app":"core","message":"Login failed: 'test1' (Remote IP: '192.168.0.81', X-Forwarded-For: '')","level":2,"time":"January 07, 2016 14:01:03","method":"POST","url":"\\/owncloud\\/"}, referer: http://192.168.0.16:8003/owncloud/
[Thu Jan 07 14:01:03.861168 2016] [:error] [pid 15200] [client 192.168.0.81:63068] {"reqId":"568e6f9fd2397","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 14:01:03","method":"GET","url":"\\/owncloud\\/index.php\\/core\\/js\\/oc.js?v=0f79fab0339c6cfa89e3e07d92eb8950"}, referer: http://192.168.0.16:8003/owncloud/
[Thu Jan 07 14:01:03.982549 2016] [:error] [pid 15200] [client 192.168.0.81:63068] {"reqId":"568e6f9fefdb7","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 14:01:03","method":"POST","url":"\\/owncloud\\/index.php\\/core\\/ajax\\/translations.php"}, referer: http://192.168.0.16:8003/owncloud/
[Thu Jan 07 14:01:04.074056 2016] [:error] [pid 15200] [client 192.168.0.81:63068] {"reqId":"568e6fa0120ea","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 14:01:04","method":"GET","url":"\\/owncloud\\/cron.php"}, referer: http://192.168.0.16:8003/owncloud/
[Thu Jan 07 14:01:04.135851 2016] [:error] [pid 15201] [client 192.168.0.81:63071] {"reqId":"568e6fa02120d","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 14:01:04","method":"POST","url":"\\/owncloud\\/index.php\\/core\\/ajax\\/translations.php"}, referer: http://192.168.0.16:8003/owncloud/

Sam Marsh

Jan 7, 2016, 9:04:07 AM
to privacyidea
I also tested on Owncloud 8.0.10 (couldn't get a copy of 8.0.9) and got similar results. All pointing to the same Privacyidea server.

Cornelius Kölbel

Jan 7, 2016, 9:23:05 AM
to priva...@googlegroups.com
Hi Sam,

fwiw. I just checked on an owncloud 8.2(.0).
I never enabled the application using the command line tool but from the webui.

It looks like this:



Can you see it this way, too?
Please note that this plugin is marked "experimental". I am not sure if your ownCloud instance handles "experimental" in another way.

The privacyIDEA config in owncloud looks like this:



Please enable debug in ownCloud. I get such entries:



Kind regards
Cornelius

Sam Marsh

Jan 7, 2016, 11:33:52 AM
to privacyidea
Yeah same - mine's identical in terms of configuration, I just get the weird message in the log:


and

and

Here's the output of user_privacyidea app folder also:

root@server:/# ls -la /var/www/owncloud/apps/user_privacyidea/
total 1MB
drwxr-x---  2 www-data www-data 1MB Jan  6 15:26 js
drwxr-x---  2 www-data www-data 1MB Jan  6 15:26 img
drwxr-x---  2 www-data www-data 1MB Jan  6 15:26 appinfo
-rwxr-x---  1 www-data www-data 1MB Jan  6 15:26 adminSettings.php
drwxr-x---  2 www-data www-data 1MB Jan  6 15:26 lib
drwxr-x---  2 www-data www-data 1MB Jan  6 15:26 templates
drwxr-xr-x 22 www-data www-data 1MB Jan  6 15:26 ..
drwxr-x---  7 www-data www-data 1MB Jan  6 16:35 .
root@server:/# ls -la /var/www/owncloud/apps/user_privacyidea/lib/
total 1MB
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 otp_privacyidea.php
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 helper.php
drwxr-x--- 2 www-data www-data 1MB Jan  6 15:26 .
drwxr-x--- 7 www-data www-data 1MB Jan  6 16:35 ..
root@server:/# ls -la /var/www/owncloud/apps/user_privacyidea/appinfo/
total 1MB
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 version
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 info.xml
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 app.php
drwxr-x--- 2 www-data www-data 1MB Jan  6 15:26 .
drwxr-x--- 7 www-data www-data 1MB Jan  6 16:35 ..
root@server:/# ls -la /var/www/owncloud/apps/user_privacyidea/js/
total 1MB
drwxr-x--- 2 www-data www-data 1MB Jan  6 15:26 .
-rwxr-x--- 1 www-data www-data 1MB Jan  6 15:26 adminSettings.js
drwxr-x--- 7 www-data www-data 1MB Jan  6 16:35 ..

Best,
Sam


Sam Marsh

Jan 7, 2016, 11:38:01 AM
to privacyidea
It looks like the culprit is app.php going off the error message:

<?php
\OCP\App::registerAdmin('user_privacyidea', 'adminSettings');

OC::$CLASSPATH['OC_User_PRIVACYIDEA'] = 'apps/user_privacyidea/lib/otp_privacyidea.php';

$enabled = OCP\Config::getAppValue('privacyIDEA','enable_privacyidea');
if($enabled === "yes") {
    OCP\Util::writeLog('user_privacyidea', 'privacyIDEA is enabled',
    OCP\Util::DEBUG);

    $usedBackends = OC_User::getUsedBackends();
    OC_User::clearBackends();
    $piBackend = new OC_User_PRIVACYIDEA();
    // register all previously used backend
    $piBackend->registerBackends($usedBackends);
    // register our own user backend
    OC_User::useBackend($piBackend);

} else {
    OCP\Util::writeLog('user_privacyidea', 'privacyIDEA is disabled: '.$enabled, OCP\Util::DEBUG);
}

I'm not a developer unfortunately, so my skills are being stretched here, but it seems the issue is:

$enabled = OCP\Config::getAppValue('privacyIDEA','enable_privacyidea');

Sam Marsh

Jan 7, 2016, 11:59:43 AM
to privacyidea
Had a dig through the Owncloud API to see if it is an issue with the app.php 'check enabled'. The occ command to verify it's enabled is:

root@server:/var/www/owncloud# sudo -u www-data php occ config:app:get user_privacyidea enabled
yes

I wonder if that command is returning a different value to app.php's:

Sam Marsh

Jan 7, 2016, 12:03:09 PM
to privacyidea
Fixed it - woohoo.

Modified app.php to use:

if(OCP\App::isEnabled('user_privacyidea')) {

so it looks like:

<?php
\OCP\App::registerAdmin('user_privacyidea', 'adminSettings');

OC::$CLASSPATH['OC_User_PRIVACYIDEA'] = 'apps/user_privacyidea/lib/otp_privacyidea.php';

if(OCP\App::isEnabled('user_privacyidea')) {

Cornelius Kölbel

Jan 7, 2016, 1:46:27 PM
to priva...@googlegroups.com
Very cool. Thank you!

I just closed your pull request, since it does not make sense in the 2.8
branch.
As mentioned, please merge into master.

Thanks a lot!
Cornelius

Cornelius Kölbel

Jan 7, 2016, 1:48:02 PM
to priva...@googlegroups.com
...but what leaves me puzzled is that it worked on other owncloud
installations.
(Here is a running version 8.2, which definitely does not have this
problem)

owncloud != owncloud?

Kind regards
Cornelius

Sam Marsh

Jan 11, 2016, 4:29:37 AM
to privacyidea
Yeah - ihni why it's returning different, but it's definitely that snippet of code that is the smoking gun. I've resubmitted the pull request, although I've never used github / git in anger, so I suspect I've done it wrong again :) Apologies in advance!

Cornelius Kölbel

Jan 11, 2016, 4:53:24 AM
to priva...@googlegroups.com
Hi Sam,

no problem. Thanks a lot for the code anyway.
You mixed up the branches, but I will put this code in...

Kind regards
Cornelius

Sam Marsh

Jan 11, 2016, 4:57:11 AM
to privacyidea
:) No problem, happy to help with this great project - even if I am a product manager and not a developer :x

Kind regards,
Sam

Cornelius Kölbel

Jan 11, 2016, 5:14:08 AM
to priva...@googlegroups.com
Hi Sam,

I think I just found the original problem:

The code

$enabled = OCP\Config::getAppValue('privacyIDEA','enable_privacyidea');
if($enabled === "yes") {

referred to the privacyIDEA setting of the checkbox
"Use privacyIDEA to authenticate the users."
I.e. even if the App privacyIDEA is enabled, you can disable privacyIDEA
authentication. This was the idea of testing the system.

Your code

if(OCP\App::isEnabled('user_privacyidea')) {

refers to whether the App itself is activated.
But - when OC hits this code - it will always be true, otherwise it
would not be executed.

So the question is, what is saved in your database, when you click the
checkbox "Use privacyidea to authenticate the users."

Please take a look at the table "oc_appconfig".

You should see an entry:

appid = "privacyIDEA"
configkey = "enable_privacyidea"
configvalue = "yes"

And I assume that you have something different than configvalue="yes".

Thanks a lot and kind regards
Cornelius
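An added example (not part of the thread and not the plugin's own code): a Python script that reads ownCloud log lines in both shapes quoted above (plain owncloud.log JSON and the Apache error.log wrapping) and reports, for each failed login, the value app.php logged after "privacyIDEA is disabled: ". The sample lines and function names are constructed; reading an empty suffix as an unset or empty `enable_privacyidea` key is an assumption based on the app.php shown in the thread.

```python
import json
import re

# Constructed sample lines: plain owncloud.log JSON, and the same kind of
# record wrapped by Apache's error.log (prefix, doubled backslashes, referer).
SAMPLE = r'''
{"reqId":"a1","remoteAddr":"192.0.2.10","app":"user_privacyidea","message":"privacyIDEA is disabled: ","level":0,"time":"January 07, 2016 12:09:14","method":"POST","url":"\/"}
{"reqId":"a1","remoteAddr":"192.0.2.10","app":"core","message":"Login failed: 'testuser1' (Remote IP: '192.0.2.10')","level":2,"time":"January 07, 2016 12:09:14","method":"POST","url":"\/"}
[Thu Jan 07 14:01:03.585587 2016] [:error] [pid 1] [client 192.0.2.11:63068] {"reqId":"b2","app":"user_privacyidea","message":"privacyIDEA is disabled: no","level":0,"time":"January 07, 2016 14:01:03","method":"POST","url":"\\/owncloud\\/"}, referer: http://192.0.2.1/owncloud/
[Thu Jan 07 14:01:03.691818 2016] [:error] [pid 1] [client 192.0.2.11:63068] {"reqId":"b2","app":"core","message":"Login failed: 'test1' (Remote IP: '192.0.2.11', X-Forwarded-For: '')","level":2,"time":"January 07, 2016 14:01:03","method":"POST","url":"\\/owncloud\\/"}, referer: http://192.0.2.1/owncloud/
{"reqId":"c3","remoteAddr":"192.0.2.12","app":"user_privacyidea","message":"privacyIDEA is enabled","level":0,"time":"January 07, 2016 15:00:00","method":"POST","url":"\/"}
'''

PREFIX = "privacyIDEA is disabled: "  # app.php appends the value it read
LOGIN_FAILED = re.compile(r"Login failed: '([^']*)'")
DECODER = json.JSONDecoder()

def parse_line(line):
    """Return the JSON record embedded in a log line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        # raw_decode stops at the end of the object, so a trailing
        # ", referer: ..." from Apache is ignored.
        record, _ = DECODER.raw_decode(line, start)
    except ValueError:
        return None
    return record if isinstance(record, dict) else None

def failed_logins_without_otp(text):
    """List (user, reqId, logged_value) for failed logins in requests where
    app.php logged that it did not register the privacyIDEA backend."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    disabled = {}  # reqId -> value app.php read from the app config
    for r in records:
        msg = str(r.get("message", ""))
        if r.get("app") == "user_privacyidea" and msg.startswith(PREFIX):
            disabled[r.get("reqId")] = msg[len(PREFIX):]
    findings = []
    for r in records:
        m = LOGIN_FAILED.match(str(r.get("message", "")))
        if r.get("app") == "core" and m and r.get("reqId") in disabled:
            findings.append((m.group(1), r["reqId"], disabled[r["reqId"]]))
    return findings

def explain(value):
    """Interpret the suffix of the 'disabled' message (assumption: empty = unset)."""
    if value == "":
        return "enable_privacyidea is unset or empty for appid privacyIDEA"
    return "enable_privacyidea is stored as %r, not 'yes'" % value

if __name__ == "__main__":
    for user, req, value in failed_logins_without_otp(SAMPLE):
        print(user, req, explain(value))
```

Matching on `reqId` only pairs messages written during the same request, as in the Apache error.log excerpt; messages logged by later requests carry a different `reqId` and are not attributed to the login.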