mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/lib/private/connector/sabre/auth.php

152 lines
4.6 KiB
PHP
Raw Normal View History

Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
<?php
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
/**
Update license headers
2015-03-26 13:44:34 +03:00
* @author Arthur Schiwon <blizzz@owncloud.com>
* @author Bart Visscher <bartv@thisnet.nl>
* @author Christian Seiler <christian@iwakd.de>
* @author Jakob Sack <mail@jakobsack.de>
* @author Lukas Reschke <lukas@owncloud.com>
* @author Markus Goetz <markus@woboq.com>
* @author Michael Gapczynski <GapczynskiM@gmail.com>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
* @author Thomas Müller <thomas.mueller@tmit.eu>
* @author Vincent Petry <pvince81@owncloud.com>
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
*
Update license headers
2015-03-26 13:44:34 +03:00
* @copyright Copyright (c) 2015, ownCloud, Inc.
* @license AGPL-3.0
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
*
Update license headers
2015-03-26 13:44:34 +03:00
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
*
Update license headers
2015-03-26 13:44:34 +03:00
* This program is distributed in the hope that it will be useful,
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
* but WITHOUT ANY WARRANTY; without even the implied warranty of
Update license headers
2015-03-26 13:44:34 +03:00
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
*
Update license headers
2015-03-26 13:44:34 +03:00
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
Revert "Updating license headers" This reverts commit 6a1a4880f0d556fb090f19a5019fec31916f5c36.
2015-02-26 13:37:37 +03:00
*
*/
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
namespace OC\Connector\Sabre;
Adding exception handling for ServerNotAvailableException - refs #17192
2015-06-29 13:04:41 +03:00
use Exception;
use Sabre\DAV\Auth\Backend\AbstractBasic;
use Sabre\DAV\Exception\NotAuthenticated;
use Sabre\DAV\Exception\ServiceUnavailable;
class Auth extends AbstractBasic {
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
/**
* Whether the user has initially authenticated via DAV
*
* This is required for WebDAV clients that resent the cookies even when the
* account was changed.
*
* @see https://github.com/owncloud/core/issues/13245
*
* @param string $username
* @return bool
*/
protected function isDavAuthenticated($username) {
return !is_null(\OC::$server->getSession()->get(self::DAV_AUTHENTICATED)) &&
\OC::$server->getSession()->get(self::DAV_AUTHENTICATED) === $username;
}
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
* @param string $username
* @param string $password
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
* @return bool
*/
adding space between) and {
2012-09-07 17:22:01 +04:00
protected function validateUserPass($username, $password) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
if (\OC_User::isLoggedIn() &&
$this->isDavAuthenticated(\OC_User::getUser())
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
\OC_Util::setupFS(\OC_User::getUser());
Close session properly
2015-01-19 18:25:44 +03:00
\OC::$server->getSession()->close();
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
return true;
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
} else {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
\OC_Util::setUpFS(); //login hooks may need early access to the filesystem
if(\OC_User::login($username, $password)) {
Adding exception handling for ServerNotAvailableException - refs #17192
2015-06-29 13:04:41 +03:00
// make sure we use ownCloud's internal username here
DAV authentication: use Owncloud's internal user instead of HTTP-supplied one Fixes: #14048, #14104, calendar#712
2015-02-17 01:34:49 +03:00
// and not the HTTP auth supplied one, see issue #14048
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$ocUser = \OC_User::getUser();
\OC_Util::setUpFS($ocUser);
DAV authentication: use Owncloud's internal user instead of HTTP-supplied one Fixes: #14048, #14104, calendar#712
2015-02-17 01:34:49 +03:00
\OC::$server->getSession()->set(self::DAV_AUTHENTICATED, $ocUser);
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
\OC::$server->getSession()->close();
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
return true;
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
} else {
\OC::$server->getSession()->close();
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
return false;
}
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
}
}
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
/**
* Returns information about the currently logged in username.
*
* If nobody is currently logged in, this method should return null.
*
* @return string|null
*/
public function getCurrentUser() {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$user = \OC_User::getUser();
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
if($user && $this->isDavAuthenticated($user)) {
return $user;
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
}
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
return null;
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
}
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
/**
Adding exception handling for ServerNotAvailableException - refs #17192
2015-06-29 13:04:41 +03:00
* Override function here. We want to cache authentication cookies
* in the syncing client to avoid HTTP-401 roundtrips.
* If the sync client supplies the cookies, then OC_User::isLoggedIn()
* will return true and we can see this WebDAV request as already authenticated,
* even if there are no HTTP Basic Auth headers.
* In other case, just fallback to the parent implementation.
*
Avoid namespace clash
2015-06-30 16:07:48 +03:00
* @param \Sabre\DAV\Server $server
Adding exception handling for ServerNotAvailableException - refs #17192
2015-06-29 13:04:41 +03:00
* @param string $realm
* @return bool
* @throws ServiceUnavailable
*/
Avoid namespace clash
2015-06-30 16:07:48 +03:00
public function authenticate(\Sabre\DAV\Server $server, $realm) {
code cleanup - remove special case for webdav in handleApacheAuth()
2013-10-02 02:55:35 +04:00
Adding exception handling for ServerNotAvailableException - refs #17192
2015-06-29 13:04:41 +03:00
try {
$result = $this->auth($server, $realm);
return $result;
} catch (NotAuthenticated $e) {
throw $e;
} catch (Exception $e) {
$class = get_class($e);
$msg = $e->getMessage();
throw new ServiceUnavailable("$class: $msg");
}
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
}
/**
Avoid namespace clash
2015-06-30 16:07:48 +03:00
* @param \Sabre\DAV\Server $server
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
* @param $realm
* @return bool
*/
Avoid namespace clash
2015-06-30 16:07:48 +03:00
private function auth(\Sabre\DAV\Server $server, $realm) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
if (\OC_User::handleApacheAuth() ||
(\OC_User::isLoggedIn() && is_null(\OC::$server->getSession()->get(self::DAV_AUTHENTICATED)))
Fix WebDAV auth for session authentication only \Sabre\DAV\Auth\Backend\AbstractBasic::authenticate was only calling \OC_Connector_Sabre_Auth::validateUserPass when the response of \Sabre\HTTP\BasicAuth::getUserPass was not null. However, there is a case where the value can be null and the user could be authenticated anyways: The authentication via ownCloud web-interface and then accessing WebDAV resources. This was not possible anymore with this patch because it never reached the code path in this scenario. This patchs allows authenticating with a session without isDavAuthenticated value stored (this is for ugly WebDAV clients that send the cookie in any case) and thus the functionality should work again. To test this go to the admin settings and test if the WebDAV check works fine. Furthermore all the usual stuff (WebDAV / Shibboleth / etc...) needs testing as well.
2015-01-20 11:53:03 +03:00
) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$user = \OC_User::getUser();
\OC_Util::setupFS($user);
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
$this->currentUser = $user;
Fix WebDAV auth for session authentication only \Sabre\DAV\Auth\Backend\AbstractBasic::authenticate was only calling \OC_Connector_Sabre_Auth::validateUserPass when the response of \Sabre\HTTP\BasicAuth::getUserPass was not null. However, there is a case where the value can be null and the user could be authenticated anyways: The authentication via ownCloud web-interface and then accessing WebDAV resources. This was not possible anymore with this patch because it never reached the code path in this scenario. This patchs allows authenticating with a session without isDavAuthenticated value stored (this is for ugly WebDAV clients that send the cookie in any case) and thus the functionality should work again. To test this go to the admin settings and test if the WebDAV check works fine. Furthermore all the usual stuff (WebDAV / Shibboleth / etc...) needs testing as well.
2015-01-20 11:53:03 +03:00
\OC::$server->getSession()->close();
there shall be tabs
2013-10-14 16:51:25 +04:00
return true;
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
}
return parent::authenticate($server, $realm);
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
}
Whitespace fixes in lib
2012-08-29 10:38:33 +04:00
}