Stop synchronisation when behind a captive portal

changelog/unreleased/11533

@@ -0,0 +1,9 @@
+Enhancement: Pause sync when behind a captive portal
+
+When the operating system detects a captive portal, stop all outgoing
+network requests. These requests will fail with an SSL certificate
+mismatch error. When the captive portal is "gone", synchronisation will
+be restarted.
+
+https://github.com/owncloud/client/issues/11533
+https://github.com/owncloud/client/pull/11567

changelog/unreleased/11567

@@ -0,0 +1,6 @@
+Enhancement: Pause synchronization when a captive portal is detected
+
+An encrypted connection to a captive portal will use an unknown certificate, which in turn will caused a dialog to be shown by the client.
+This is now changed: when a captive portal is detected by the OS, the client now shows in the account status that it cannot connect to the server because of a captive portal.
+
+Supported OSses: Windows, Linux (with some network managers)

src/gui/CMakeLists.txt

@@ -42,6 +42,7 @@ set(client_SRCS
     ignorelisteditor.cpp
     lockwatcher.cpp
     logbrowser.cpp
+    networkinformation.cpp
     networksettings.cpp
     ocssharejob.cpp
     openfilemanager.cpp

src/gui/accountsettings.cpp

@@ -30,6 +30,7 @@
 #include "folderwizard/folderwizard.h"
 #include "gui/accountmodalwidget.h"
 #include "gui/models/models.h"
+#include "gui/networkinformation.h"
 #include "gui/qmlutils.h"
 #include "gui/selectivesyncwidget.h"
 #include "gui/spaces/spaceimageprovider.h"
@@ -412,7 +413,7 @@ void AccountSettings::slotEnableCurrentFolder(Folder *folder, bool terminate)
 
 void AccountSettings::slotForceSyncCurrentFolder(Folder *folder)
 {
-    if (Utility::internetConnectionIsMetered() && ConfigFile().pauseSyncWhenMetered()) {
+    if (NetworkInformation::instance()->isMetered() && ConfigFile().pauseSyncWhenMetered()) {
         auto messageBox = new QMessageBox(QMessageBox::Question, tr("Internet connection is metered"),
             tr("Synchronization is paused because the Internet connection is a metered connection"
                "<p>Do you really want to force a Synchronization now?"),
@@ -457,6 +458,7 @@ void AccountSettings::slotAccountStateChanged()
 {
     const AccountState::State state = _accountState->state();
     const AccountPtr account = _accountState->account();
+    qCDebug(lcAccountSettings) << "Account state changed to" << state << "for account" << account;
 
     // in 2023 there should never be credentials encoded in the url, but we never know...
     const auto safeUrl = account->url().adjusted(QUrl::RemoveUserInfo);
@@ -470,9 +472,6 @@ void AccountSettings::slotAccountStateChanged()
                                .arg(Utility::escape(safeUrl.toString()));
 
     switch (state) {
-    case AccountState::PausedDueToMetered:
-        showConnectionLabel(tr("Sync to %1 is paused due to metered internet connection.").arg(server));
-        break;
     case AccountState::Connected: {
         QStringList errors;
         if (account->serverSupportLevel() != Account::ServerSupportLevel::Supported) {
@@ -495,7 +494,13 @@ void AccountSettings::slotAccountStateChanged()
         break;
     }
     case AccountState::Connecting:
-        showConnectionLabel(tr("Connecting to: %1.").arg(server));
+        if (NetworkInformation::instance()->isBehindCaptivePortal()) {
+            showConnectionLabel(tr("Captive portal prevents connections to %1.").arg(server));
+        } else if (NetworkInformation::instance()->isMetered() && ConfigFile().pauseSyncWhenMetered()) {
+            showConnectionLabel(tr("Sync to %1 is paused due to metered internet connection.").arg(server));
+        } else {
+            showConnectionLabel(tr("Connecting to: %1.").arg(server));
+        }
         break;
     case AccountState::ConfigurationError:
         showConnectionLabel(tr("Server configuration error: %1.")

src/gui/accountstate.cpp

@@ -23,6 +23,7 @@
 #include "libsync/creds/abstractcredentials.h"
 #include "libsync/creds/httpcredentials.h"
 
+#include "gui/networkinformation.h"
 #include "gui/quotainfo.h"
 #include "gui/settingsdialog.h"
 #include "gui/spacemigration.h"
@@ -34,7 +35,6 @@
 #include "theme.h"
 
 #include <QFontMetrics>
-#include <QNetworkInformation>
 #include <QRandomGenerator>
 #include <QSettings>
 #include <QTimer>
@@ -113,40 +113,64 @@ AccountState::AccountState(AccountPtr account)
         },
         Qt::QueuedConnection);
 
-    if (QNetworkInformation *qNetInfo = QNetworkInformation::instance()) {
-        connect(qNetInfo, &QNetworkInformation::reachabilityChanged, this, [this](QNetworkInformation::Reachability reachability) {
-            switch (reachability) {
-            case QNetworkInformation::Reachability::Online:
-                [[fallthrough]];
-            case QNetworkInformation::Reachability::Site:
-                [[fallthrough]];
-            case QNetworkInformation::Reachability::Unknown:
-                // the connection might not yet be established
-                QTimer::singleShot(0, this, [this] { checkConnectivity(false); });
-                break;
-            case QNetworkInformation::Reachability::Disconnected:
-                // explicitly set disconnected, this way a successful checkConnectivity call above will trigger a local discover
-                if (state() != State::SignedOut) {
-                    setState(State::Disconnected);
-                }
-                [[fallthrough]];
-            case QNetworkInformation::Reachability::Local:
-                break;
+    connect(NetworkInformation::instance(), &NetworkInformation::reachabilityChanged, this, [this](NetworkInformation::Reachability reachability) {
+        switch (reachability) {
+        case NetworkInformation::Reachability::Online:
+            [[fallthrough]];
+        case NetworkInformation::Reachability::Site:
+            [[fallthrough]];
+        case NetworkInformation::Reachability::Unknown:
+            // the connection might not yet be established
+            QTimer::singleShot(0, this, [this] { checkConnectivity(false); });
+            break;
+        case NetworkInformation::Reachability::Disconnected:
+            // explicitly set disconnected, this way a successful checkConnectivity call above will trigger a local discover
+            if (state() != State::SignedOut) {
+                setState(State::Disconnected);
             }
-        });
+            [[fallthrough]];
+        case NetworkInformation::Reachability::Local:
+            break;
+        }
+    });
 
-        connect(qNetInfo, &QNetworkInformation::isMeteredChanged, this, [this](bool isMetered) {
-            if (ConfigFile().pauseSyncWhenMetered()) {
-                if (state() == State::Connected && isMetered) {
-                    qCInfo(lcAccountState) << "Network switched to a metered connection, setting account state to PausedDueToMetered";
-                    setState(State::PausedDueToMetered);
-                } else if (state() == State::PausedDueToMetered && !isMetered) {
-                    qCInfo(lcAccountState) << "Network switched to a NON-metered connection, setting account state to Connected";
-                    setState(State::Connected);
-                }
+    connect(NetworkInformation::instance(), &NetworkInformation::isMeteredChanged, this, [this](bool isMetered) {
+        if (ConfigFile().pauseSyncWhenMetered()) {
+            if (state() == State::Connected && isMetered) {
+                qCInfo(lcAccountState) << "Network switched to a metered connection, setting account state to PausedDueToMetered";
+                setState(State::Connecting);
+            } else if (state() == State::Connecting && !isMetered) {
+                qCInfo(lcAccountState) << "Network switched to a NON-metered connection, setting account state to Connected";
+                setState(State::Connected);
             }
-        });
+        }
+    });
+
+    connect(NetworkInformation::instance(), &NetworkInformation::isBehindCaptivePortalChanged, this, [this](bool onoff) {
+        if (onoff) {
+            // Block jobs from starting: they will fail because of the captive portal.
+            // Note: this includes the `Drives` jobs started periodically by the `SpacesManager`.
+            _queueGuard.block();
+        } else {
+            // Empty the jobs queue before unblocking it. The client might have been behind a captive
+            // portal for hours, so a whole bunch of jobs might have queued up. If we wouldn't
+            // clear the queue, unleashing all those jobs might look like a DoS attack. Most of them
+            // are also not very useful anymore (e.g. `Drives` jobs), and the important ones (PUT jobs)
+            // will be rescheduled by a directory scan.
+            _account->jobQueue()->clear();
+            _queueGuard.unblock();
+        }
+
+        // A direct connect is not possible, because then the state parameter of `isBehindCaptivePortalChanged`
+        // would become the `verifyServerState` argument to `checkConnectivity`.
+        // The call is also made for when we "go behind" a captive portal. That ensures that not
+        // only the status is set to `Connecting`, but also makes the UI show that syncing is paused.
+        QTimer::singleShot(0, this, [this] { checkConnectivity(false); });
+    });
+    if (NetworkInformation::instance()->isBehindCaptivePortal()) {
+        _queueGuard.block();
     }
+
     // as a fallback and to recover after server issues we also poll
     auto timer = new QTimer(this);
     timer->setInterval(ConnectionValidator::DefaultCallingInterval);
@@ -240,8 +264,11 @@ void AccountState::setState(State state)
             _connectionValidator->deleteLater();
             _connectionValidator.clear();
             checkConnectivity();
-        } else if (_state == Connected && Utility::internetConnectionIsMetered() && ConfigFile().pauseSyncWhenMetered()) {
-            _state = PausedDueToMetered;
+        } else if (_state == Connected) {
+            if ((NetworkInformation::instance()->isMetered() && ConfigFile().pauseSyncWhenMetered())
+                || NetworkInformation::instance()->isBehindCaptivePortal()) {
+                _state = Connecting;
+            }
         }
     }
 
@@ -302,7 +329,7 @@ void AccountState::signIn()
 
 bool AccountState::isConnected() const
 {
-    return _state == Connected || _state == PausedDueToMetered;
+    return _state == Connected;
 }
 
 void AccountState::tagLastSuccessfullETagRequest(const QDateTime &tp)
@@ -364,6 +391,9 @@ void AccountState::checkConnectivity(bool blockJobs)
         this, &AccountState::slotConnectionValidatorResult);
 
     connect(_connectionValidator, &ConnectionValidator::sslErrors, this, [blockJobs, this](const QList<QSslError> &errors) {
+        if (NetworkInformation::instance()->isBehindCaptivePortal()) {
+            return;
+        }
         if (!_tlsDialog) {
             // ignore errors for already accepted certificates
             auto filteredErrors = _account->accessManager()->filterSslErrors(errors);
@@ -479,6 +509,7 @@ void AccountState::slotConnectionValidatorResult(ConnectionValidator::Status sta
         setState(Connected);
         break;
     case ConnectionValidator::Undefined:
+        [[fallthrough]];
     case ConnectionValidator::NotConfigured:
         setState(Disconnected);
         break;
@@ -494,6 +525,7 @@ void AccountState::slotConnectionValidatorResult(ConnectionValidator::Status sta
         setState(NetworkError);
         break;
     case ConnectionValidator::CredentialsWrong:
+        [[fallthrough]];
     case ConnectionValidator::CredentialsNotReady:
         slotInvalidCredentials();
         break;
@@ -511,6 +543,9 @@ void AccountState::slotConnectionValidatorResult(ConnectionValidator::Status sta
     case ConnectionValidator::Timeout:
         setState(NetworkError);
         break;
+    case ConnectionValidator::CaptivePortal:
+        setState(Connecting);
+        break;
     }
 }
 

src/gui/accountstate.h

@@ -82,11 +82,6 @@ class OWNCLOUDGUI_EXPORT AccountState : public QObject
         /// We are currently asking the user for credentials
         AskingCredentials,
 
-        /// We are on a metered internet connection, and the user preference
-        /// is to pause syncing in this case. This state is entered from and
-        /// left to a `Connected` state.
-        PausedDueToMetered,
-
         Connecting
     };
     Q_ENUM(State)

src/gui/application.cpp

@@ -48,8 +48,6 @@
 #include <QMessageBox>
 #include <QPushButton>
 
-#include <QNetworkInformation>
-
 namespace OCC {
 
 Q_LOGGING_CATEGORY(lcApplication, "gui.application", QtInfoMsg)

src/gui/connectionvalidator.cpp

@@ -14,6 +14,7 @@
 #include "gui/connectionvalidator.h"
 #include "gui/clientproxy.h"
 #include "gui/fetchserversettings.h"
+#include "gui/networkinformation.h"
 #include "gui/tlserrordialog.h"
 #include "libsync/account.h"
 #include "libsync/cookiejar.h"
@@ -132,7 +133,7 @@ void ConnectionValidator::slotCheckServerAndAuth()
                 reportResult(Timeout);
                 return;
             case QNetworkReply::SslHandshakeFailedError:
-                reportResult(SslError);
+                reportResult(NetworkInformation::instance()->isBehindCaptivePortal() ? CaptivePortal : SslError);
                 return;
             case QNetworkReply::TooManyRedirectsError:
                 reportResult(MaintenanceMode);
@@ -214,7 +215,7 @@ void ConnectionValidator::slotAuthFailed()
 
     if (job->reply()->error() == QNetworkReply::SslHandshakeFailedError) {
         _errors << job->errorStringParsingBody();
-        stat = SslError;
+        stat = NetworkInformation::instance()->isBehindCaptivePortal() ? CaptivePortal : SslError;
 
     } else if (job->reply()->error() == QNetworkReply::AuthenticationRequiredError || !_account->credentials()->stillValid(job->reply())) {
         qCWarning(lcConnectionValidator) << "******** Password is wrong!" << job->reply()->error() << job;

src/gui/connectionvalidator.h

@@ -101,9 +101,10 @@ class OWNCLOUDGUI_EXPORT ConnectionValidator : public QObject
         ServiceUnavailable, // 503 on authed request
         MaintenanceMode, // maintenance enabled in status.php
         Timeout, // actually also used for other errors on the authed request
-        ClientUnsupported // The server blocks us as an unsupported client
+        ClientUnsupported, // The server blocks us as an unsupported client
+        CaptivePortal, // We're stuck behind a captive portal and (will) get SSL certificate problems
     };
-    Q_ENUM(Status);
+    Q_ENUM(Status)
 
     // How often should the Application ask this object to check for the connection?
     static constexpr auto DefaultCallingInterval = std::chrono::seconds(62);

src/gui/folderman.cpp

@@ -20,6 +20,7 @@
 #include "common/asserts.h"
 #include "configfile.h"
 #include "folder.h"
+#include "gui/networkinformation.h"
 #include "guiutility.h"
 #include "libsync/syncengine.h"
 #include "lockwatcher.h"
@@ -73,7 +74,9 @@ void TrayOverallStatusResult::addResult(Folder *f)
         lastSyncDone = time;
     }
 
-    auto status = f->syncPaused() || f->accountState()->state() == AccountState::PausedDueToMetered ? SyncResult::Paused : f->syncResult().status();
+    auto status = f->syncPaused() || NetworkInformation::instance()->isBehindCaptivePortal() || NetworkInformation::instance()->isMetered()
+        ? SyncResult::Paused
+        : f->syncResult().status();
     if (status == SyncResult::Undefined) {
         status = SyncResult::Problem;
     }

src/gui/folderstatusmodel.cpp

@@ -16,6 +16,7 @@
 #include "account.h"
 #include "accountstate.h"
 #include "folderman.h"
+#include "gui/networkinformation.h"
 #include "gui/quotainfo.h"
 #include "theme.h"
 
@@ -49,7 +50,7 @@ namespace {
         auto status = f->syncResult();
         if (!f->accountState()->isConnected()) {
             status.setStatus(SyncResult::Status::Offline);
-        } else if (f->syncPaused() || f->accountState()->state() == AccountState::PausedDueToMetered) {
+        } else if (f->syncPaused() || NetworkInformation::instance()->isBehindCaptivePortal() || NetworkInformation::instance()->isMetered()) {
             status.setStatus(SyncResult::Status::Paused);
         }
         return QStringLiteral("states/%1").arg(Theme::instance()->syncStateIconName(status));

src/gui/guiutility.cpp

@@ -22,7 +22,6 @@
 #include <QDesktopServices>
 #include <QLoggingCategory>
 #include <QMessageBox>
-#include <QNetworkInformation>
 #include <QQuickWidget>
 #include <QUrlQuery>
 
@@ -96,15 +95,6 @@ QString Utility::vfsFreeSpaceActionText()
     return QCoreApplication::translate("utility", "Free up local space");
 }
 
-bool Utility::internetConnectionIsMetered()
-{
-    if (auto *qNetInfo = QNetworkInformation::instance()) {
-        return qNetInfo->isMetered();
-    }
-
-    return false;
-}
-
 void Utility::markDirectoryAsSyncRoot(const QString &path, const QUuid &accountUuid)
 {
     Q_ASSERT(getDirectorySyncRootMarkings(path).first.isEmpty());

src/gui/guiutility.h

@@ -52,8 +52,6 @@ namespace Utility {
 
     QString socketApiSocketPath();
 
-    bool internetConnectionIsMetered();
-
     OWNCLOUDGUI_EXPORT void markDirectoryAsSyncRoot(const QString &path, const QUuid &accountUuid);
     std::pair<QString, QUuid> getDirectorySyncRootMarkings(const QString &path);
     void unmarkDirectoryAsSyncRoot(const QString &path);