marius-wieschollek / passwords

A simple, yet feature rich password manager for Nextcloud
GNU Affero General Public License v3.0

[BUG]: Interaction between the "impersonate" plugin and the "password" plugin #631

Closed gerharddaniel closed 4 months ago

gerharddaniel commented 5 months ago


Server Information

{
    "version": {
        "server": "27.1.5.2",
        "app": "2023.12.32",
        "lsr": false,
        "php": "8.2.14",
        "cronPhp": "8.2.15"
    },
    "environment": {
        "os": "Linux",
        "architecture": "x86_64",
        "bits": 64,
        "database": "mysql",
        "cron": "cron",
        "proxy": false,
        "sslProxy": true,
        "subdirectory": false
    },
    "services": {
        "images": "imagick",
        "favicons": "bi",
        "previews": "default",
        "security": "hibp",
        "words": "wo4snakes",
        "previewApi": false,
        "faviconApi": false
    },
    "status": {
        "autoBackupRestored": false
    },
    "settings": {
        "channel": "enterprise",
        "nightlies": false,
        "handbook": false,
        "performance": 5
    },
    "encryption": {
        "sse": {
            "SSEv1r1": false,
            "SSEv1r2": true,
            "SSEv2r1": false,
            "SSEv3r1": false,
            "none": false,
            "default": "SSEv1r2"
        },
        "cse": {
            "CSEv1r1": false,
            "none": true,
            "default": "none"
        }
    }
}

Client Information

Browser and Version: firefox 115.6.0esr
Client OS and Version: Red Hat Enterprise Linux release 9.3 (Plow)

We have tested it on different clients with different OS, and the result is always the same.

Bug description

Hi,

I'm taking the liberty of contacting you after having requested Nextcloud support for a bug that, for us, is blocking. After investigation, it appears that there is an interaction between the "impersonate" plugin and the "Password" plugin.

Here's the problem: users from an ldap directory and members of the "admin" group cannot assume the identity of a third party (impersonate plugin). This is not the case for local "Nextcloud" accounts and members of the admin group.

This is the message displayed in the browser:

**Internal server error**
The server is unable to execute your request.
If this happens again, please send the technical details below to the server administrator.
The server log file may provide more information.
**Technical details**
Remote address: 192.168.xxx.yyy
Request ID: xxxxxxxxxxxx

The IP address is then blacklisted for a few minutes.

After deactivating the "Password" plugin, the problem disappears and the "impersonate" function is fully operational. Could you please help us to unblock this situation?

Regards

Steps to reproduce

  1. Open Nextcloud with an LDAP user who is a member of the "admin" group
  2. Click on "Users"
  3. Select "Impersonate" for a specific user

Expected behavior

Normally, I should have taken the user's identity and have access to his environment (files, ...)

Nextcloud Logs

[index] Erreur: Exception: Call to a member function getDisplayName() on null in file '/var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php' line 605 at <<closure>>

0. /var/www/nextcloud/lib/private/AppFramework/App.php line 183
   OC\AppFramework\Http\Dispatcher->dispatch()
1. /var/www/nextcloud/lib/private/Route/Router.php line 315
   OC\AppFramework\App::main()
2. /var/www/nextcloud/lib/base.php line 1068
   OC\Route\Router->match()
3. /var/www/nextcloud/index.php line 38
   OC::handleRequest()

Caused by:

Error: Call to a member function getDisplayName() on null at <<closure>>

 0. /var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php line 511
    OCA\Passwords\Services\EnvironmentService->impersonateByUid()
 1. /var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php line 377
    OCA\Passwords\Services\EnvironmentService->loadUserFromSession()
 2. /var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php line 361
    OCA\Passwords\Services\EnvironmentService->loadUserInformation()
 3. /var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php line 185
    OCA\Passwords\Services\EnvironmentService->determineAppMode()
 4. <<closure>>
    OCA\Passwords\Services\EnvironmentService->__construct()
 5. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 84
    ReflectionClass->newInstanceArgs()
 6. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 124
    OC\AppFramework\Utility\SimpleContainer->buildClass()
 7. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 142
    OC\AppFramework\Utility\SimpleContainer->resolve()
 8. /var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php line 494
    OC\AppFramework\Utility\SimpleContainer->query()
 9. /var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php line 466
    OC\AppFramework\DependencyInjection\DIContainer->queryNoFallback()
10. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 97
    OC\AppFramework\DependencyInjection\DIContainer->query()
11. <<closure>>
    OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility\{closure}("*** sensitive parameters replaced ***")
12. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 84
    array_map()
13. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 124
    OC\AppFramework\Utility\SimpleContainer->buildClass()
14. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 142
    OC\AppFramework\Utility\SimpleContainer->resolve()
15. /var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php line 494
    OC\AppFramework\Utility\SimpleContainer->query()
16. /var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php line 466
    OC\AppFramework\DependencyInjection\DIContainer->queryNoFallback()
17. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 97
    OC\AppFramework\DependencyInjection\DIContainer->query()
18. <<closure>>
    OC\AppFramework\Utility\SimpleContainer->OC\AppFramework\Utility\{closure}("*** sensitive parameters replaced ***")
19. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 84
    array_map()
20. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 124
    OC\AppFramework\Utility\SimpleContainer->buildClass()
21. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 142
    OC\AppFramework\Utility\SimpleContainer->resolve()
22. /var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php line 494
    OC\AppFramework\Utility\SimpleContainer->query()
23. /var/www/nextcloud/lib/private/ServerContainer.php line 155
    OC\AppFramework\DependencyInjection\DIContainer->queryNoFallback()
24. /var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php line 65
    OC\ServerContainer->query()
25. /var/www/nextcloud/lib/private/Dashboard/Manager.php line 78
    OC\AppFramework\Utility\SimpleContainer->get()
26. /var/www/nextcloud/lib/private/Dashboard/Manager.php line 141
    OC\Dashboard\Manager->loadLazyPanels()
27. /var/www/nextcloud/apps/dashboard/lib/Controller/DashboardController.php line 101
    OC\Dashboard\Manager->getWidgets()
28. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 230
    OCA\Dashboard\Controller\DashboardController->index()
29. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 137
    OC\AppFramework\Http\Dispatcher->executeController()
30. /var/www/nextcloud/lib/private/AppFramework/App.php line 183
    OC\AppFramework\Http\Dispatcher->dispatch()
31. /var/www/nextcloud/lib/private/Route/Router.php line 315
    OC\AppFramework\App::main()
32. /var/www/nextcloud/lib/base.php line 1068
    OC\Route\Router->match()
33. /var/www/nextcloud/index.php line 38
    OC::handleRequest()

GET /apps/dashboard/
from 192.168.xxx.yyy by User_account at 2024-01-23T14:10:32+00:00

Browser Logs

No response

capri99 commented 5 months ago

Hi, we've got the same situation. Nextcloud v. 27.1.5.2, Passwords app 2023.12.32 and one user in LDAP (not all users from LDAP).

I think the problem is related to Dashboard app + Passwords app.

We've seen that the user is also unable to log in through the webpage if the default app is "Dashboard", so changing to "Files" is a workaround.

If you add the following line to your config.php file:

'defaultapp' => 'files',

then you can impersonate the user, as the first app opened is the "Files" app, not the "Dashboard" app.

Also, if you go to Passwords app version 2023.12.31, the issue is not reproducible, so the Dashboard app works fine, and you can impersonate a user with the Dashboard as the default app.

marius-wieschollek commented 5 months ago

I have added a patch for this to the nightly versions

capri99 commented 5 months ago

Thanks for the patch, but patching manually on version 2023.12.32 does not fix the issue of trying to show the Dashboard app as default. User "xerencia@XXXXXXXXXX" is an LDAP user.

What I can see is that the "admin" user (not an LDAP user) can impersonate an LDAP user and get into his Dashboard fine.

But if I try to do the same with an LDAP user, that user impersonates another LDAP user fine but cannot get into the Dashboard app, failing with the error shown below:

{"reqId":"S2Q5JL1Ee4Y4eOwEHw2q","level":2,"time":"Feb 05 19:29:29","remoteAddr":"46.222.227.81","user":"xerencia@XXXXXXXXX","app":"passwords","method":"GET","url":"/apps/dashboard/","message":"Login attempt with invalid session for xerencia@XXXXXXXXX","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"27.1.5.2","data":{"app":"passwords"}}
{"reqId":"S2Q5JL1Ee4Y4eOwEHw2q","level":3,"time":"Feb 05 19:29:29","remoteAddr":"46.222.227.81","user":"xerencia@XXXXXXXXX","app":"index","method":"GET","url":"/apps/dashboard/","message":"Exception thrown: Exception","userAgent":"Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"27.1.5.2","exception":{"Exception":"Exception","Message":"Unable to verify user xerencia@XXXXXXXXX","Code":0,"Trace":[{"file":"/var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php","line":361,"function":"loadUserInformation","class":"OCA\\Passwords\\Services\\EnvironmentService","type":"->"},{"file":"/var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php","line":185,"function":"determineAppMode","class":"OCA\\Passwords\\Services\\EnvironmentService","type":"->"},{"function":"__construct","class":"OCA\\Passwords\\Services\\EnvironmentService","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":84,"function":"newInstanceArgs","class":"ReflectionClass","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":124,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":142,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":494,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":466,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":97,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"function":"OC\\AppFramework\\Utility\\{closure}","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":84,"function":"array_map"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":124,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":142,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":494,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":466,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":97,"function":"query","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"function":"OC\\AppFramework\\Utility\\{closure}","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":84,"function":"array_map"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":124,"function":"buildClass","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":142,"function":"resolve","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/DependencyInjection/DIContainer.php","line":494,"function":"query","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/ServerContainer.php","line":155,"function":"queryNoFallback","class":"OC\\AppFramework\\DependencyInjection\\DIContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php","line":65,"function":"query","class":"OC\\ServerContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/Dashboard/Manager.php","line":78,"function":"get","class":"OC\\AppFramework\\Utility\\SimpleContainer","type":"->"},{"file":"/var/www/nextcloud/lib/private/Dashboard/Manager.php","line":141,"function":"loadLazyPanels","class":"OC\\Dashboard\\Manager","type":"->"},{"file":"/var/www/nextcloud/apps/dashboard/lib/Controller/DashboardController.php","line":101,"function":"getWidgets","class":"OC\\Dashboard\\Manager","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":230,"function":"index","class":"OCA\\Dashboard\\Controller\\DashboardController","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php","line":137,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/AppFramework/App.php","line":183,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/nextcloud/lib/private/Route/Router.php","line":315,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/nextcloud/lib/base.php","line":1068,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/nextcloud/index.php","line":38,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php","Line":398,"CustomMessage":"Exception thrown: Exception"}}

marius-wieschollek commented 5 months ago

I tested this with the dashboard as default page in any combination of LDAP and non-LDAP users through the impersonate app. I can't reproduce the error in the current 2024.2.0.

I don't support 2023.12 any longer, but I would publish an update if there is a PR with a solution. So if anyone wants to debug the issue, they can check out the function \OCA\Passwords\Services\EnvironmentService::loadUserFromSession which seems to be where the error happens.
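
A triage sketch for the JSON log entries posted in this thread, as an added example that is not part of the thread or of the Passwords code base: it groups entries by `reqId`, so the "invalid session" warning and the exception raised by the same request are read together, and it keeps only the stack frames under `apps/passwords/`. The sample lines are constructed to match the field names in the posted log; `triage`, `app_dir` and `SAMPLE_LOG` are names chosen for this example.

```python
import json
from collections import defaultdict

# Constructed sample lines in the JSON log format shown above (not the reporter's log).
SAMPLE_LOG = "\n".join([
    json.dumps({"reqId": "req-A", "level": 2, "app": "passwords", "url": "/apps/dashboard/",
                "message": "Login attempt with invalid session for ldapuser@example.invalid"}),
    json.dumps({"reqId": "req-A", "level": 3, "app": "index", "url": "/apps/dashboard/",
                "message": "Exception thrown: Exception",
                "exception": {"Message": "Unable to verify user ldapuser@example.invalid",
                              "Trace": [
                    {"file": "/var/www/nextcloud/apps/passwords/lib/Services/EnvironmentService.php",
                     "line": 361, "function": "loadUserInformation"},
                    {"function": "__construct"},
                    {"file": "/var/www/nextcloud/lib/private/AppFramework/Utility/SimpleContainer.php",
                     "line": 84, "function": "newInstanceArgs"}]}}),
    json.dumps({"reqId": "req-B", "level": 1, "app": "files", "url": "/apps/files/",
                "message": "unrelated entry"}),
    "truncated, not JSON",
])

def triage(log_text, app_dir="/apps/passwords/"):
    """Group entries by reqId; for requests that raised, keep context and app-owned frames."""
    by_req = defaultdict(list)
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # wrapped or truncated lines cannot be parsed; skip them
        if isinstance(entry, dict) and "reqId" in entry:
            by_req[entry["reqId"]].append(entry)
    report = {}
    for req_id, entries in by_req.items():
        failed = [e for e in entries if "exception" in e]
        if not failed:
            continue  # no exception logged for this request
        exc = failed[0]["exception"]
        # Frames without a "file" key (constructors, closures) are framework noise here.
        frames = [(f["function"], f.get("line")) for f in exc.get("Trace", [])
                  if app_dir in f.get("file", "")]
        report[req_id] = {
            "url": failed[0].get("url"),
            "error": exc.get("Message"),
            "context": [e["message"] for e in entries if "exception" not in e],
            "app_frames": frames,
        }
    return report

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```
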