Introduce account modules

[butonic]

This introduces Account Modules using password expiry as an example. Requires owncloud/password_policy#15

[codecov]

Codecov Report

Merging #31547 into master will increase coverage by <.01%.
The diff coverage is 60.68%.

@@             Coverage Diff              @@
##             master   #31547      +/-   ##
============================================
+ Coverage      63.4%    63.4%   +<.01%     
- Complexity    18461    18493      +32     
============================================
  Files          1162     1165       +3     
  Lines         69267    69367     +100     
  Branches       1264     1264              
============================================
+ Hits          43920    43984      +64     
- Misses        24978    25014      +36     
  Partials        369      369

Flag	Coverage Δ	Complexity Δ
#javascript	52.58% <ø> (ø)	0 <ø> (ø)	⬇️
#phpunit	64.65% <60.68%> (-0.01%)	18493 <28> (+32)

Impacted Files	Coverage Δ	Complexity Δ
apps/dav/appinfo/v1/carddav.php	0% <0%> (ø)	0 <0> (ø)	⬇️
apps/dav/appinfo/v1/caldav.php	0% <0%> (ø)	0 <0> (ø)	⬇️
lib/private/legacy/util.php	69.91% <0%> (-0.59%)	246 <0> (+1)
apps/dav/appinfo/v1/webdav.php	0% <0%> (ø)	0 <0> (ø)	⬇️
lib/private/legacy/api.php	41.15% <0%> (-1.05%)	85 <0> (+2)
lib/private/legacy/json.php	8.69% <0%> (-0.83%)	29 <1> (+2)
apps/dav/lib/Server.php	51.42% <100%> (+0.34%)	24 <0> (ø)	⬇️
...e/AppFramework/DependencyInjection/DIContainer.php	73.23% <100%> (+0.54%)	81 <0> (ø)	⬇️
core/Middleware/AccountModuleMiddleware.php	100% <100%> (ø)	10 <10> (?)
lib/private/Server.php	85.02% <100%> (+0.12%)	253 <2> (+2)	⬆️
... and 7 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 70fbb2e...c29a99a. Read the comment docs.

[butonic]

• register login hook to check account modules on webdav and ocs login (move code from password policy to core)
  • no, the app providing the account module has to do this itself, because not all account modules may need to check something based on the postLogin event. That is only the case for the force password expiry. An OptInAccountModule eg does not need the password info of the post login event. It is invoked by the AccountModuleMiddleware. Same for a Force2FAAccountModule.
• add dav plugin reproducing the middleware logic
  • grepped where needsSecondFactor is used ... omg there is not only legacy api.php but also json.php and util.php 😱
  • added account module check there as well 🙄
• add middleware logic to ocs https://github.com/owncloud/core/blob/master/lib/private/legacy/api.php#L333
• how do desktop and mobile clients handle forced password reset?
• should we add a notification that they show the user
  -> password policy, optional, subsequent PR
• requires configuring forcing token based auth for clients
• how should clients be affected if an auth module check fails?
  • login should be denied? then all clients will pop up saying login denied.
    • We must show a message what the user should do now.
    • do the clients automatically sync again if login was denied
    • should we return service unavailable to clients?
• check if we can use a redirect exception instead of IAccountModuleSteps
• store order in db (appconfig witl json string array), when app is enabled add it to the end ... UI in different PR

[PVince81]

@SamuAlfageme see questions about clients ^

[DeepDiver1975]

this will logout all clients of the user - maybe not what we want - 503 might be a better idea

[DeepDiver1975]

code duplication ...... just saying

[butonic]

extracted checkAccountModule($user)

[DeepDiver1975]

whot? wrong PR 😬

[DeepDiver1975]

should not be necessary - DI magic will create it

[DeepDiver1975]

same as above - DI magic ..

[DeepDiver1975]

log?

[butonic]

logged by https://github.com/owncloud/core/pull/31547/files/1079de094343bf6769e158b741f63e0a92b28a2e#diff-81fc557ed3d19729d72efce4e07a71dcR129

[DeepDiver1975]

no fixing - this is legacy - kill it

[butonic]

Too many places where it is still used -> not in this PR. That is why I added a FIXME

[DeepDiver1975]

I know it's being used - my comment was about the need to kill this all instead of trying to fix this

[DeepDiver1975]

copyright missing

[DeepDiver1975]

10.0.10 - 10.0.9 is out

[butonic]

dito

[DeepDiver1975]

copyright

[SamuAlfageme]

@PVince81 @butonic re. client questions - need some basic instructions for trying this PoC out, I'm not quite familiar with password_policy

all addressed, please re review

[DeepDiver1975]

return type will block backport - we can keep it this way but need to modify this on the backport then

[DeepDiver1975]

not thrown ?

[DeepDiver1975]

not thrown ?

[DeepDiver1975]

I moved this to the core server impl

[DeepDiver1975]

no param

[PVince81]

@butonic please backport

[DeepDiver1975]

@butonic please backport

#31883

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.