mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nextcloud/lib/private/connector/sabre/auth.php

109 lines
3.0 KiB
PHP
Raw Normal View History

Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
<?php
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
namespace OC\Connector\Sabre;
class Auth extends \Sabre\DAV\Auth\Backend\AbstractBasic {
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
/**
* Whether the user has initially authenticated via DAV
*
* This is required for WebDAV clients that resent the cookies even when the
* account was changed.
*
* @see https://github.com/owncloud/core/issues/13245
*
* @param string $username
* @return bool
*/
protected function isDavAuthenticated($username) {
return !is_null(\OC::$server->getSession()->get(self::DAV_AUTHENTICATED)) &&
\OC::$server->getSession()->get(self::DAV_AUTHENTICATED) === $username;
}
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
* @param string $username
* @param string $password
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
* @return bool
*/
adding space between) and {
2012-09-07 17:22:01 +04:00
protected function validateUserPass($username, $password) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
if (\OC_User::isLoggedIn() &&
$this->isDavAuthenticated(\OC_User::getUser())
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
\OC_Util::setupFS(\OC_User::getUser());
Close session properly
2015-01-19 18:25:44 +03:00
\OC::$server->getSession()->close();
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
return true;
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
} else {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
\OC_Util::setUpFS(); //login hooks may need early access to the filesystem
if(\OC_User::login($username, $password)) {
DAV authentication: use Owncloud's internal user instead of HTTP-supplied one Fixes: #14048, #14104, calendar#712
2015-02-17 01:34:49 +03:00
// make sure we use owncloud's internal username here
// and not the HTTP auth supplied one, see issue #14048
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$ocUser = \OC_User::getUser();
\OC_Util::setUpFS($ocUser);
DAV authentication: use Owncloud's internal user instead of HTTP-supplied one Fixes: #14048, #14104, calendar#712
2015-02-17 01:34:49 +03:00
\OC::$server->getSession()->set(self::DAV_AUTHENTICATED, $ocUser);
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
\OC::$server->getSession()->close();
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
return true;
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
} else {
\OC::$server->getSession()->close();
Check if user is already logged in for DAV auth, instead of logging in and creating new sessions for every request
2012-07-15 23:17:27 +04:00
return false;
}
Use SabreDAV authentication Code!
2011-07-20 18:36:36 +04:00
}
}
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
/**
* Returns information about the currently logged in username.
*
* If nobody is currently logged in, this method should return null.
*
* @return string|null
*/
public function getCurrentUser() {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$user = \OC_User::getUser();
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
if($user && $this->isDavAuthenticated($user)) {
return $user;
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
}
Prioritise Basic Auth header over Cookie There are a lot of clients that support multiple WebDAV accounts in the same application. However, they resent all the cookies they received from one of the accounts also to the other one. In the case of ownCloud this means that we will always show the user from the session and not the user that is specified in the basic authentication header. This patch adds a workaround the following way: 1. If the user authenticates via the Sabre Auth Connector add a hint to the session that this was authorized via Basic Auth (this is to prevent logout CSRF) 2. If the request contains this hint and the username specified in the basic auth header differs from the one in the session relogin the user using basic auth Fixes https://github.com/owncloud/core/issues/11400 and https://github.com/owncloud/core/issues/13245 and probably some other issues as well. This requires proper testing also considering LDAP / Shibboleth and whatever instances.
2015-01-16 16:31:02 +03:00
return null;
implement getCurrentUser in Sabre Auth Connector, fixes #508
2012-12-13 04:30:34 +04:00
}
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
/**
* Override function here. We want to cache authentication cookies
* in the syncing client to avoid HTTP-401 roundtrips.
* If the sync client supplies the cookies, then OC_User::isLoggedIn()
* will return true and we can see this WebDAV request as already authenticated,
* even if there are no HTTP Basic Auth headers.
* In other case, just fallback to the parent implementation.
*
Upgrade SabreDAV to 1.8.10 Updating SabreDAV namespaces
2014-01-09 17:25:48 +04:00
* @param \Sabre\DAV\Server $server
Fix all PHPDoc types and variable names, in /lib
2014-05-12 00:51:30 +04:00
* @param $realm
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
* @return bool
*/
Upgrade SabreDAV to 1.8.10 Updating SabreDAV namespaces
2014-01-09 17:25:48 +04:00
public function authenticate(\Sabre\DAV\Server $server, $realm) {
code cleanup - remove special case for webdav in handleApacheAuth()
2013-10-02 02:55:35 +04:00
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
$result = $this->auth($server, $realm);
return $result;
}
/**
Upgrade SabreDAV to 1.8.10 Updating SabreDAV namespaces
2014-01-09 17:25:48 +04:00
* @param \Sabre\DAV\Server $server
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
* @param $realm
* @return bool
*/
Upgrade SabreDAV to 1.8.10 Updating SabreDAV namespaces
2014-01-09 17:25:48 +04:00
private function auth(\Sabre\DAV\Server $server, $realm) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
if (\OC_User::handleApacheAuth() ||
(\OC_User::isLoggedIn() && is_null(\OC::$server->getSession()->get(self::DAV_AUTHENTICATED)))
Fix WebDAV auth for session authentication only \Sabre\DAV\Auth\Backend\AbstractBasic::authenticate was only calling \OC_Connector_Sabre_Auth::validateUserPass when the response of \Sabre\HTTP\BasicAuth::getUserPass was not null. However, there is a case where the value can be null and the user could be authenticated anyways: The authentication via ownCloud web-interface and then accessing WebDAV resources. This was not possible anymore with this patch because it never reached the code path in this scenario. This patchs allows authenticating with a session without isDavAuthenticated value stored (this is for ugly WebDAV clients that send the cookie in any case) and thus the functionality should work again. To test this go to the admin settings and test if the WebDAV check works fine. Furthermore all the usual stuff (WebDAV / Shibboleth / etc...) needs testing as well.
2015-01-20 11:53:03 +03:00
) {
Sabre Update to 2.1 - VObject fixes for Sabre\VObject 3.3 - Remove VObject property workarounds - Added prefetching for tags in sabre tags plugin - Moved oc_properties logic to separate PropertyStorage backend (WIP) - Fixed Sabre connector namespaces - Improved files plugin to handle props on-demand - Moved allowed props from server class to files plugin - Fixed tags caching for files that are known to have no tags (less queries) - Added/fixed unit tests for Sabre FilesPlugin, TagsPlugin - Replace OC\Connector\Sabre\Request with direct call to httpRequest->setUrl() - Fix exception detection in DAV client when using Sabre\DAV\Client - Added setETag() on Node instead of using the static FileSystem - Also preload tags/props when depth is infinity
2015-02-12 14:29:01 +03:00
$user = \OC_User::getUser();
\OC_Util::setupFS($user);
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
$this->currentUser = $user;
Fix WebDAV auth for session authentication only \Sabre\DAV\Auth\Backend\AbstractBasic::authenticate was only calling \OC_Connector_Sabre_Auth::validateUserPass when the response of \Sabre\HTTP\BasicAuth::getUserPass was not null. However, there is a case where the value can be null and the user could be authenticated anyways: The authentication via ownCloud web-interface and then accessing WebDAV resources. This was not possible anymore with this patch because it never reached the code path in this scenario. This patchs allows authenticating with a session without isDavAuthenticated value stored (this is for ugly WebDAV clients that send the cookie in any case) and thus the functionality should work again. To test this go to the admin settings and test if the WebDAV check works fine. Furthermore all the usual stuff (WebDAV / Shibboleth / etc...) needs testing as well.
2015-01-20 11:53:03 +03:00
\OC::$server->getSession()->close();
there shall be tabs
2013-10-14 16:51:25 +04:00
return true;
WebDAV Auth Connector: Check if already logged in
2013-07-12 15:42:01 +04:00
}
return parent::authenticate($server, $realm);
close the session for all DAV calls right after authentication - no need to write to the session afterwards
2014-03-10 17:40:36 +04:00
}
Whitespace fixes in lib
2012-08-29 10:38:33 +04:00
}