nextcloud / user_saml

:lock: App for authenticating Nextcloud users using SAML https://apps.nextcloud.com/apps/user_saml
https://portal.nextcloud.com/article/configuring-single-sign-on-10.html
GNU Affero General Public License v3.0

Authentication fails with server error on NC26 if password policy app is enabled #709

Closed Ma27 closed 1 year ago

Ma27 commented 1 year ago

Steps to reproduce

  1. Install Nextcloud v26 (the password policy app v1.16 is also active because of that) and user_saml v5.1.2, then configure SAML auth
  2. Log in via SAML

Expected behaviour

Authentication should work.

Actual behaviour

I get an error 500, and the following error in the php-fpm log:

{
  "Exception": "TypeError",
  "Message": "OCA\\Password_Policy\\ComplianceService::entryControl(): Argument #2 ($password) must be of type string, null given, called in /nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php on line 45",
  "Code": 0,
  "Trace": [
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/Listener/BeforeUserLoggedInEventListener.php",
      "line": 45,
      "function": "entryControl",
      "class": "OCA\\Password_Policy\\ComplianceService",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/ServiceEventListener.php",
      "line": 86,
      "function": "handle",
      "class": "OCA\\Password_Policy\\Listener\\BeforeUserLoggedInEventListener",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
      "line": 251,
      "function": "__invoke",
      "class": "OC\\EventDispatcher\\ServiceEventListener",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/3rdparty/symfony/event-dispatcher/EventDispatcher.php",
      "line": 73,
      "function": "callListeners",
      "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/EventDispatcher.php",
      "line": 87,
      "function": "dispatch",
      "class": "Symfony\\Component\\EventDispatcher\\EventDispatcher",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/EventDispatcher/EventDispatcher.php",
      "line": 99,
      "function": "dispatch",
      "class": "OC\\EventDispatcher\\EventDispatcher",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/legacy/OC_User.php",
      "line": 192,
      "function": "dispatchTyped",
      "class": "OC\\EventDispatcher\\EventDispatcher",
      "type": "->"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/private/legacy/OC_User.php",
      "line": 243,
      "function": "loginWithApache",
      "class": "OC_User",
      "type": "::",
      "args": [
        "*** sensitive parameters replaced ***"
      ]
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/base.php",
      "line": 1122,
      "function": "handleApacheAuth",
      "class": "OC_User",
      "type": "::"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/lib/base.php",
      "line": 1044,
      "function": "handleLogin",
      "class": "OC",
      "type": "::"
    },
    {
      "file": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/index.php",
      "line": 36,
      "function": "handleRequest",
      "class": "OC",
      "type": "::"
    }
  ],
  "File": "/nix/store/z8bpxwl8h4ckxvbh91ky4jxr2fgmr0gs-nextcloud-26.0.0/apps/password_policy/lib/ComplianceService.php",
  "Line": 90,
  "CustomMessage": "--"
}

The issue can be solved by deactivating the password policy app. Given that Nextcloud doesn't have to deal with passwords here because of SAML, it should probably be made sure that the app is not touched at all by this.

Server configuration

Operating system: NixOS 22.11

Web server: nginx 1.22

Database: postgresql 15

PHP version: 8.1.16

Nextcloud version: 26.0.0

Where did you install Nextcloud from: NixOS

List of activated apps:

If you have access to your command line run e.g.:
sudo -u www-data php occ app:list
Enabled:
  - activity: 2.18.0
  - calendar: 3.4.3
  - circles: 26.0.0
  - cloud_federation_api: 1.9.0
  - comments: 1.16.0
  - contacts: 4.2.0
  - contactsinteraction: 1.7.0
  - cospend: 1.5.8
  - dashboard: 7.6.0
  - dav: 1.25.0
  - federatedfilesharing: 1.16.0
  - federation: 1.16.0
  - files: 1.21.1
  - files_external: 1.18.0
  - files_pdfviewer: 2.7.0
  - files_rightclick: 1.5.0
  - files_sharing: 1.18.0
  - files_trashbin: 1.16.0
  - files_versions: 1.19.1
  - firstrunwizard: 2.15.0
  - logreader: 2.11.0
  - lookup_server_connector: 1.14.0
  - maps: 1.0.0
  - nextcloud_announcements: 1.15.0
  - notifications: 2.14.0
  - oauth2: 1.14.0
  - photos: 2.2.0
  - privacy: 1.10.0
  - provisioning_api: 1.16.0
  - recommendations: 1.5.0
  - related_resources: 1.1.0-alpha1
  - serverinfo: 1.16.0
  - settings: 1.8.0
  - sharebymail: 1.16.0
  - support: 1.9.0
  - survey_client: 1.14.0
  - systemtags: 1.16.0
  - text: 3.7.2
  - theming: 2.1.1
  - twofactor_backupcodes: 1.15.0
  - updatenotification: 1.16.0
  - user_ldap: 1.16.0
  - user_saml: 5.1.2
  - user_status: 1.6.0
  - viewer: 1.10.0
  - weather_status: 1.6.0
  - workflowengine: 2.8.0
Disabled:
  - admin_audit: 1.16.0
  - bruteforcesettings: 2.6.0
  - encryption: 2.14.0
  - password_policy: 1.16.0 (installed 1.16.0)
  - suspicious_login: 4.4.0
  - twofactor_totp: 8.0.0-alpha.0

Nextcloud configuration:

{
    "system": {
        "apps_paths": [
            {
                "path": "\/var\/lib\/nextcloud\/nix-apps",
                "url": "\/nix-apps",
                "writable": false
            },
            {
                "path": "\/var\/lib\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/lib\/nextcloud\/store-apps",
                "url": "\/store-apps",
                "writable": true
            }
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "skeletondirectory": "",
        "log_type": "syslog",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "pgsql",
        "version": "26.0.0.11",
        "overwrite.cli.url": "http:\/\/localhost",
        "overwriteprotocol": "https",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "loglevel": "1",
        "maintenance": false,
        "logfile": "\/var\/log\/nextcloud.log",
        "log_level": "2",
        "theme": "",
        "app_install_overwrite": [
            "calendar",
            "user_saml",
            "contacts"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "ldapProviderFactory": "OCA\\User_LDAP\\LDAPProviderFactory",
        "default_phone_region": "DE",
        "memcache.local": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "session_lifetime": 2419200,
        "profile.enabled": false,
        "appstoreenabled": false,
        "memcache": {
            "distributed": "\\OC\\Memcache\\Redis",
            "local": "\\OC\\Memcache\\Redis",
            "locking": "\\OC\\Memcache\\Redis"
        },
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "trusted_domains": [
            "<redacted>"
        ]
    }
}

Client configuration

irrelevant, server issue

Logs

Nextcloud log (data/owncloud.log)

see above

Browser log

n/a

tinhoff commented 1 year ago

Similar issue here after the 26 update, but disabling password policy didn't help (at least not after the system tries to issue a new token).

{
  "reqId": "0SULpBApVKuVFcILtgcL",
  "level": 3,
  "time": "2023-03-23T07:50:15+00:00",
  "remoteAddr": "10.11.0.101",
  "user": "*** censored ***",
  "app": "no app in context",
  "method": "GET",
  "url": "/apps/theming/image/background?v=4",
  "message": "App user_saml threw an error during app.php load: sha1(): Argument #1 ($string) must be of type string, null given",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.44",
  "version": "26.0.0.11",
  "exception": {
    "Exception": "TypeError",
    "Message": "sha1(): Argument #1 ($string) must be of type string, null given",
    "Code": 0,
    "Trace": [
      { "file": "/var/www/*** censored ***/lib/private/Authentication/Token/PublicKeyTokenProvider.php", "line": 116, "function": "sha1" },
      { "file": "/var/www/*** censored ***/lib/private/Authentication/Token/Manager.php", "line": 69, "function": "generateToken", "class": "OC\\Authentication\\Token\\PublicKeyTokenProvider", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/*** censored ***/lib/private/User/Session.php", "line": 686, "function": "generateToken", "class": "OC\\Authentication\\Token\\Manager", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/*** censored ***/lib/private/legacy/OC_User.php", "line": 194, "function": "createSessionToken", "class": "OC\\User\\Session", "type": "->", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/*** censored ***/lib/private/legacy/OC_User.php", "line": 243, "function": "loginWithApache", "class": "OC_User", "type": "::", "args": [ "*** sensitive parameters replaced ***" ] },
      { "file": "/var/www/*** censored ***/apps/user_saml/appinfo/app.php", "line": 88, "function": "handleApacheAuth", "class": "OC_User", "type": "::" },
      { "file": "/var/www/*** censored ***/lib/private/legacy/OC_App.php", "line": 316, "args": [ "/var/www/*** censored ***/apps/user_saml/appinfo/app.php" ], "function": "require_once" },
      { "file": "/var/www/*** censored ***/lib/private/legacy/OC_App.php", "line": 192, "function": "requireAppFile", "class": "OC_App", "type": "::" },
      { "file": "/var/www/*** censored ***/lib/private/legacy/OC_App.php", "line": 141, "function": "loadApp", "class": "OC_App", "type": "::" },
      { "file": "/var/www/*** censored ***/lib/base.php", "line": 1028, "function": "loadApps", "class": "OC_App", "type": "::" },
      { "file": "/var/www/*** censored ***/index.php", "line": 36, "function": "handleRequest", "class": "OC", "type": "::" }
    ],
    "File": "/var/www/*** censored ***/lib/private/Authentication/Token/PublicKeyTokenProvider.php",
    "Line": 116,
    "message": "App user_saml threw an error during app.php load: sha1(): Argument #1 ($string) must be of type string, null given",
    "CustomMessage": "App user_saml threw an error during app.php load: sha1(): Argument #1 ($string) must be of type string, null given"
  }
}

As an interim measure, I implemented \OCP\Authentication\IProvideUserSecretBackend in UserBackend.

Eweol commented 1 year ago

Same problem in docker

JamborJan commented 1 year ago

I had the same problem. I'm using authentication via Azure AD. Disabling the Password policy app helped to temporarily solve the problem.

seieric commented 1 year ago

Same here with Nextcloud 26.

I'm using an IdP built with SimpleSAMLphp. I don't have Password policy app enabled, but I encounter the same error.

Here's my backtrace.

#0 /home/x/public_html/cloud.example.net/lib/private/Authentication/Token/PublicKeyTokenProvider.php(116): sha1(NULL)
#1 /home/x/public_html/cloud.example.net/lib/private/Authentication/Token/Manager.php(69): OC\Authentication\Token\PublicKeyTokenProvider->generateToken('d5a0ab987fe4e17...', 'username', 'username', NULL, 'Mozilla/5.0 (Ma...', 0, 0)
#2 /home/x/public_html/cloud.example.net/lib/private/User/Session.php(686): OC\Authentication\Token\Manager->generateToken('d5a0ab987fe4e17...', 'username', 'username', NULL, 'Mozilla/5.0 (Ma...', 0, 0)
#3 /home/x/public_html/cloud.example.net/lib/private/legacy/OC_User.php(194): OC\User\Session->createSessionToken(Object(OC\AppFramework\Http\Request), 'username', 'username', NULL)
#4 /home/x/public_html/cloud.example.net/lib/private/legacy/OC_User.php(243): OC_User::loginWithApache(Object(OCA\User_SAML\UserBackend))
#5 /home/x/public_html/cloud.example.net/lib/base.php(1122): OC_User::handleApacheAuth()
#6 /home/x/public_html/cloud.example.net/lib/base.php(1044): OC::handleLogin(Object(OC\AppFramework\Http\Request))
#7 /home/x/public_html/cloud.example.net/index.php(36): OC::handleRequest()
#8 {main}

seieric commented 1 year ago

I found a solution in commit 6881d2f of PublicKeyTokenProvider.php.

I just replaced line 116 in PublicKeyTokenProvider.php with

$oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $password !== null && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());

And it worked fine.
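
The guard in that one-line fix, shown as an added illustration rather than code from Nextcloud or from this thread. The TypeError in the logs above tells us the call site runs under declare(strict_types=1): with strict types, PHP 8.1 turns sha1(null) into a TypeError instead of a deprecation notice. A SAML (Apache-auth) login reaches the token provider with no password, so the $password !== null check has to sit before sha1() is ever evaluated. FakeOldToken and FakeHasher are hypothetical stand-ins for Nextcloud's token object and hasher, and the hashed message mirrors the sha1($password) . $password shape visible in the fixed line.

```php
<?php
declare(strict_types=1);

// Added example, not Nextcloud code. FakeOldToken and FakeHasher are
// hypothetical stand-ins for the token object and the hasher used at
// PublicKeyTokenProvider.php line 116 in the fix quoted above.

final class FakeOldToken {
    public function __construct(private ?string $passwordHash) {}

    public function getPasswordHash(): ?string {
        return $this->passwordHash;
    }
}

final class FakeHasher {
    public function hash(string $message): string {
        return password_hash($message, PASSWORD_BCRYPT);
    }

    public function verify(string $message, string $hash): bool {
        return password_verify($message, $hash);
    }
}

// The check before the fix: assumes a password was supplied at login.
// Under strict_types, sha1(null) throws TypeError and the request dies with 500.
function oldTokenMatchesUnguarded(?FakeOldToken $token, ?string $password, FakeHasher $hasher): bool {
    return $token !== null
        && $token->getPasswordHash() !== null
        && $hasher->verify(sha1($password) . $password, $token->getPasswordHash());
}

// The check after the fix: an Apache/SAML login carries no password, so
// short-circuit to "no match" before sha1() is reached.
function oldTokenMatchesGuarded(?FakeOldToken $token, ?string $password, FakeHasher $hasher): bool {
    return $token !== null
        && $token->getPasswordHash() !== null
        && $password !== null
        && $hasher->verify(sha1($password) . $password, $token->getPasswordHash());
}

$hasher = new FakeHasher();
// Constructed sample: a leftover token whose hash came from an earlier password login.
$token  = new FakeOldToken($hasher->hash(sha1('correct horse') . 'correct horse'));

// Password logins: the guard changes nothing, verification decides.
printf("right password: %s\n", oldTokenMatchesGuarded($token, 'correct horse', $hasher) ? 'match' : 'no match');
printf("wrong password: %s\n", oldTokenMatchesGuarded($token, 'battery staple', $hasher) ? 'match' : 'no match');

// SAML login: $password is null. The guarded form reports no match ...
printf("no password:    %s\n", oldTokenMatchesGuarded($token, null, $hasher) ? 'match' : 'no match');

// ... while the unguarded form raises the TypeError from the logs above.
try {
    oldTokenMatchesUnguarded($token, null, $hasher);
} catch (TypeError $e) {
    printf("unguarded:      %s: %s\n", get_class($e), $e->getMessage());
}
```

Run it with PHP 8.1 or later. The last line reproduces the failure mode from the reports in this thread in isolation: nothing about SAML is needed, only a null password reaching a string-typed internal function in a strict-types file.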

depuits commented 1 year ago

> I found a solution in commit 6881d2f of PublicKeyTokenProvider.php.
>
> I just replaced line 116 in PublicKeyTokenProvider.php with
>
> $oldTokenMatches = $randomOldToken && $randomOldToken->getPasswordHash() && $password !== null && $this->hasher->verify(sha1($password) . $password, $randomOldToken->getPasswordHash());
>
> And it worked fine.

This fix still needs the password policy app to be disabled.

Eweol commented 1 year ago

Thanks, the above workaround works for me.

benedikt-bartscher commented 1 year ago

Same here, reverting https://github.com/nextcloud/server/commit/6881d2f2f15976514cc52d6ea49ff09c5bb81d2b and disabling the password policy app fixed it

crobarcro commented 1 year ago

Using JumpCloud for SAML, same issue: internal server error after the upgrade to 26. Disabling the password policy app has so far been sufficient to get it working again for me.

reos-rcrozier commented 1 year ago

The workaround of disabling Password policy has stopped working for me now. Is anyone working on this? I need to know whether I need to disable SAML, or do a full restore from backup, or if a fix will be available soon.

Blackclaws commented 1 year ago

The fix in PublicKeyTokenProvider has landed in the main repo already, but it hasn't been released as far as I can tell; therefore you need to perform that change manually as well. It should not be needed anymore when 26.0.1 drops.

reos-rcrozier commented 1 year ago

I decided to try modifying the line in PublicKeyTokenProvider.php and it seems to be working for me (Password Policy still disabled).

marekschneider commented 1 year ago

Same for me. The workaround to disable the app stopped working this morning. I implemented the fix in the file and it seems to be working now.

hexxone commented 1 year ago

Yep, the issue started for me this week as well, after automatically updating to the latest Nextcloud container. Unable to log in via SAML at all... Always error 500.

Also had to manually go into the Docker container and disable the password_policy app like so:

docker exec -it -u www-data nextcloud /bin/bash
php occ app:disable password_policy

Now I am instantly able to log in again... But this is only a temporary workaround for me; please release a fix soon 🙏