2015-08-11 20:45:07 +03:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* @author Robin McCorkell <rmccorkell@karoshi.org.uk>
|
|
|
|
*
|
|
|
|
* @copyright Copyright (c) 2015, ownCloud, Inc.
|
|
|
|
* @license AGPL-3.0
|
|
|
|
*
|
|
|
|
* This code is free software: you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU Affero General Public License, version 3,
|
|
|
|
* as published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU Affero General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Affero General Public License, version 3,
|
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
namespace OCA\Files_External\Service;
|
|
|
|
|
|
|
|
use \OCP\IConfig;
|
|
|
|
|
|
|
|
use \OCA\Files_External\Lib\Backend\Backend;
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
use \OCA\Files_External\Lib\Auth\AuthMechanism;
|
2015-08-11 20:45:07 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Service class to manage backend definitions
|
|
|
|
*/
|
|
|
|
class BackendService {
|
|
|
|
|
2015-09-17 12:24:19 +03:00
|
|
|
/** Visibility constants for VisibilityTrait */
|
|
|
|
const VISIBILITY_NONE = 0;
|
|
|
|
const VISIBILITY_PERSONAL = 1;
|
|
|
|
const VISIBILITY_ADMIN = 2;
|
|
|
|
//const VISIBILITY_ALIENS = 4;
|
2015-08-11 20:45:07 +03:00
|
|
|
|
2015-09-17 12:24:19 +03:00
|
|
|
const VISIBILITY_DEFAULT = 3; // PERSONAL | ADMIN
|
2015-08-11 20:45:07 +03:00
|
|
|
|
|
|
|
/** Priority constants for PriorityTrait */
|
|
|
|
const PRIORITY_DEFAULT = 100;
|
|
|
|
|
|
|
|
/** @var IConfig */
|
|
|
|
protected $config;
|
|
|
|
|
|
|
|
/** @var bool */
|
|
|
|
private $userMountingAllowed = true;
|
|
|
|
|
|
|
|
/** @var string[] */
|
|
|
|
private $userMountingBackends = [];
|
|
|
|
|
|
|
|
/** @var Backend[] */
|
|
|
|
private $backends = [];
|
|
|
|
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
/** @var AuthMechanism[] */
|
|
|
|
private $authMechanisms = [];
|
|
|
|
|
2015-08-11 20:45:07 +03:00
|
|
|
/**
|
|
|
|
* @param IConfig $config
|
|
|
|
*/
|
|
|
|
public function __construct(
|
|
|
|
IConfig $config
|
|
|
|
) {
|
|
|
|
$this->config = $config;
|
|
|
|
|
|
|
|
// Load config values
|
|
|
|
if ($this->config->getAppValue('files_external', 'allow_user_mounting', 'yes') !== 'yes') {
|
|
|
|
$this->userMountingAllowed = false;
|
|
|
|
}
|
|
|
|
$this->userMountingBackends = explode(',',
|
|
|
|
$this->config->getAppValue('files_external', 'user_mounting_backends', '')
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Register a backend
|
|
|
|
*
|
|
|
|
* @param Backend $backend
|
|
|
|
*/
|
|
|
|
public function registerBackend(Backend $backend) {
|
|
|
|
if (!$this->isAllowedUserBackend($backend)) {
|
2015-09-17 12:24:19 +03:00
|
|
|
$backend->removeVisibility(BackendService::VISIBILITY_PERSONAL);
|
2015-08-11 20:45:07 +03:00
|
|
|
}
|
2015-08-12 22:03:11 +03:00
|
|
|
foreach ($backend->getIdentifierAliases() as $alias) {
|
|
|
|
$this->backends[$alias] = $backend;
|
|
|
|
}
|
2015-08-11 20:45:07 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param Backend[] $backends
|
|
|
|
*/
|
|
|
|
public function registerBackends(array $backends) {
|
|
|
|
foreach ($backends as $backend) {
|
|
|
|
$this->registerBackend($backend);
|
|
|
|
}
|
|
|
|
}
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
/**
|
|
|
|
* Register an authentication mechanism
|
|
|
|
*
|
|
|
|
* @param AuthMechanism $authMech
|
|
|
|
*/
|
|
|
|
public function registerAuthMechanism(AuthMechanism $authMech) {
|
|
|
|
if (!$this->isAllowedAuthMechanism($authMech)) {
|
2015-09-17 12:24:19 +03:00
|
|
|
$authMech->removeVisibility(BackendService::VISIBILITY_PERSONAL);
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
}
|
2015-08-12 22:03:11 +03:00
|
|
|
foreach ($authMech->getIdentifierAliases() as $alias) {
|
|
|
|
$this->authMechanisms[$alias] = $authMech;
|
|
|
|
}
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @param AuthMechanism[] $mechanisms
|
|
|
|
*/
|
|
|
|
public function registerAuthMechanisms(array $mechanisms) {
|
|
|
|
foreach ($mechanisms as $mechanism) {
|
|
|
|
$this->registerAuthMechanism($mechanism);
|
|
|
|
}
|
|
|
|
}
|
2015-08-11 20:45:07 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Get all backends
|
|
|
|
*
|
|
|
|
* @return Backend[]
|
|
|
|
*/
|
|
|
|
public function getBackends() {
|
2015-08-12 22:03:11 +03:00
|
|
|
// only return real identifiers, no aliases
|
|
|
|
$backends = [];
|
|
|
|
foreach ($this->backends as $backend) {
|
|
|
|
$backends[$backend->getIdentifier()] = $backend;
|
|
|
|
}
|
|
|
|
return $backends;
|
2015-08-11 20:45:07 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get all available backends
|
|
|
|
*
|
|
|
|
* @return Backend[]
|
|
|
|
*/
|
|
|
|
public function getAvailableBackends() {
|
|
|
|
return array_filter($this->getBackends(), function($backend) {
|
2015-08-20 03:03:45 +03:00
|
|
|
return !($backend->checkDependencies());
|
2015-08-11 20:45:07 +03:00
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2015-08-12 22:03:11 +03:00
|
|
|
* @param string $identifier
|
2015-08-11 20:45:07 +03:00
|
|
|
* @return Backend|null
|
|
|
|
*/
|
2015-08-12 22:03:11 +03:00
|
|
|
public function getBackend($identifier) {
|
|
|
|
if (isset($this->backends[$identifier])) {
|
|
|
|
return $this->backends[$identifier];
|
2015-08-11 20:45:07 +03:00
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
/**
|
|
|
|
* Get all authentication mechanisms
|
|
|
|
*
|
|
|
|
* @return AuthMechanism[]
|
|
|
|
*/
|
|
|
|
public function getAuthMechanisms() {
|
2015-08-12 22:03:11 +03:00
|
|
|
// only return real identifiers, no aliases
|
|
|
|
$mechanisms = [];
|
|
|
|
foreach ($this->authMechanisms as $mechanism) {
|
|
|
|
$mechanisms[$mechanism->getIdentifier()] = $mechanism;
|
|
|
|
}
|
|
|
|
return $mechanisms;
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Get all authentication mechanisms for schemes
|
|
|
|
*
|
|
|
|
* @param string[] $schemes
|
|
|
|
* @return AuthMechanism[]
|
|
|
|
*/
|
|
|
|
public function getAuthMechanismsByScheme(array $schemes) {
|
|
|
|
return array_filter($this->getAuthMechanisms(), function($authMech) use ($schemes) {
|
|
|
|
return in_array($authMech->getScheme(), $schemes, true);
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2015-08-12 22:03:11 +03:00
|
|
|
* @param string $identifier
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
* @return AuthMechanism|null
|
|
|
|
*/
|
2015-08-12 22:03:11 +03:00
|
|
|
public function getAuthMechanism($identifier) {
|
|
|
|
if (isset($this->authMechanisms[$identifier])) {
|
|
|
|
return $this->authMechanisms[$identifier];
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
2015-08-11 20:45:07 +03:00
|
|
|
/**
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public function isUserMountingAllowed() {
|
|
|
|
return $this->userMountingAllowed;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Check a backend if a user is allowed to mount it
|
|
|
|
*
|
|
|
|
* @param Backend $backend
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
protected function isAllowedUserBackend(Backend $backend) {
|
|
|
|
if ($this->userMountingAllowed &&
|
2015-08-20 03:03:45 +03:00
|
|
|
array_intersect($backend->getIdentifierAliases(), $this->userMountingBackends)
|
2015-08-11 20:45:07 +03:00
|
|
|
) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
Authentication mechanisms for external storage backends
A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.
This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.
Terminology:
- authentication scheme
Parameter interface for the authentication method. A backend
supporting the 'password' scheme accepts two parameters, 'user' and
'password'.
- authentication mechanism
Specific mechanism implementing a scheme. Basic mechanisms may
forward configuration options directly to the backend, more advanced
ones may lookup parameters or retrieve them from the session
New dropdown selector for external storage configurations to select the
authentication mechanism to be used.
Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.
An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.
When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.
2015-08-12 12:54:03 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Check an authentication mechanism if a user is allowed to use it
|
|
|
|
*
|
|
|
|
* @param AuthMechanism $authMechanism
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
protected function isAllowedAuthMechanism(AuthMechanism $authMechanism) {
|
|
|
|
return true; // not implemented
|
|
|
|
}
|
2015-08-11 20:45:07 +03:00
|
|
|
}
|