diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php index 71bec11d21..98e54a222a 100644 --- a/core/templates/layout.user.php +++ b/core/templates/layout.user.php @@ -6,6 +6,8 @@ + + <?php p(!empty($_['application'])?$_['application'].' | ':''); @@ -64,7 +66,7 @@ </li> <?php endforeach; ?> <li> - <a id="logout" href="<?php print_unescaped(link_to('', 'index.php')); ?>?logout=true"> + <a id="logout" <?php print OC_User::getLogoutAttribute(); ?>> <img class="svg" alt="" src="<?php print_unescaped(image_path('', 'actions/logout.svg')); ?>" /> <?php p($l->t('Log out'));?> </a> diff --git a/lib/base.php b/lib/base.php index 036051119d..38e981b369 100644 --- a/lib/base.php +++ b/lib/base.php @@ -489,6 +489,11 @@ class OC { if (isset($_SERVER['PHP_AUTH_USER']) && self::$session->exists('user_id') && $_SERVER['PHP_AUTH_USER'] != self::$session->get('user_id')) { + $sessionUser = self::$session->get('user_id'); + $serverUser = $_SERVER['PHP_AUTH_USER']; + OC_Log::write('core', + "Session user-id doesn't match PHP_AUTH_USER. SESSION[user_id]: $sessionUser; SERVER[PHP_AUTH_USER]: $serverUser.", + OC_Log::WARN); OC_User::logout(); } @@ -740,11 +745,22 @@ class OC { } } + public static function login($params) { + if (OC_User::isLoggedIn()) { + header("Location: " . OC::$WEBROOT . '/'); + exit(); + } + self::handleLogin(); + } + protected static function handleLogin() { OC_App::loadApps(array('prelogin')); $error = array(); + if (OC::tryApacheAuth()) { + + } // remember was checked after last login - if (OC::tryRememberLogin()) { + elseif (OC::tryRememberLogin()) { $error[] = 'invalidcookie'; // Someone wants to log in : } elseif (OC::tryFormLogin()) { @@ -765,6 +781,10 @@ class OC { } } + protected static function tryApacheAuth() { + return OC_User::handleApacheAuth(false); + } + protected static function tryRememberLogin() { if (!isset($_COOKIE["oc_remember_login"]) || !isset($_COOKIE["oc_token"]) diff --git a/lib/connector/sabre/auth.php b/lib/connector/sabre/auth.php index bf3a49593c..9b5663998f 100644 --- a/lib/connector/sabre/auth.php +++ b/lib/connector/sabre/auth.php @@ -72,6 +72,10 @@ class OC_Connector_Sabre_Auth extends Sabre_DAV_Auth_Backend_AbstractBasic { * @return bool */ public function authenticate(Sabre_DAV_Server $server, $realm) { + if (OC_User::handleApacheAuth(true)) { + return true; + } + if (OC_User::isLoggedIn()) { $user = OC_User::getUser(); OC_Util::setupFS($user); diff --git a/lib/public/apachebackend.php b/lib/public/apachebackend.php new file mode 100644 index 0000000000..24e50ab616 --- /dev/null +++ b/lib/public/apachebackend.php @@ -0,0 +1,41 @@ +<?php + +/** + * ownCloud - Apache backend + * + * @author Karl Beecher + * @copyright 2013 Karl Beecher - karl@endocode.com + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE + * License as published by the Free Software Foundation; either + * version 3 of the License, or any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU AFFERO GENERAL PUBLIC LICENSE for more details. + * + * You should have received a copy of the GNU Affero General Public + * License along with this library. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCP; + +interface ApacheBackend { + + /** + * @return Returns whether Apache reports a user is currently logged in. + */ + public function isSessionActive(); + + /** + * Creates an attribute which is added to the logout hyperlink. It can + * supply any attribute(s) which are valid for <a>. + * + * @return String with one or more HTML attributes. + */ + public function getLogoutAttribute(); + +} \ No newline at end of file diff --git a/lib/user.php b/lib/user.php index 15e807088b..e0b58e22c3 100644 --- a/lib/user.php +++ b/lib/user.php @@ -213,6 +213,64 @@ class OC_User { return self::getUserSession()->login($uid, $password); } + /** + * @brief Try to login a user, assuming authentication + * has already happened (e.g. via SSO). + * + * Log in a user and regenerate a new session. + */ + public static function loginWithApache() { + + $uid = $_SERVER["PHP_AUTH_USER"]; + $run = true; + OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid )); + + $enabled = self::isEnabled($uid); + if($uid && $enabled) { + session_regenerate_id(true); + self::setUserId($uid); + self::setDisplayName($uid); + OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' )); + return true; + } + return false; + } + + /** + * @brief Verify with Apache whether user is authenticated. + * @note Currently supports only Shibboleth. + * + * @param $isWebdav Is this request done using webdav. + * @return true: authenticated - false: not authenticated + */ + public static function handleApacheAuth($isWebdav = false) { + foreach (self::$_usedBackends as $backend) { + if ($backend instanceof OCP\ApacheBackend) { + if ($backend->isSessionActive()) { + OC_App::loadApps(); + + //setup extra user backends + self::setupBackends(); + self::unsetMagicInCookie(); + + if (self::loginWithApache()) { + if (! $isWebdav) { + $_REQUEST['redirect_url'] = \OC_Request::requestUri(); + OC_Util::redirectToDefaultPage(); + return true; + } + else { + return true; + } + } + } + } + } + + return false; + } + + /** * @brief Sets user id for session and triggers emit */ @@ -259,6 +317,25 @@ class OC_User { return false; } + /** + * Supplies an attribute to the logout hyperlink. The default behaviuour + * is to return an href with '?logout=true' appended. However, it can + * supply any attribute(s) which are valid for <a>. + * + * @return String with one or more HTML attributes. + */ + public static function getLogoutAttribute() { + foreach (self::$_usedBackends as $backend) { + if ($backend instanceof OCP\ApacheBackend) { + if ($backend->isSessionActive()) { + return $backend->getLogoutAttribute(); + } + } + } + + return print_unescaped("href=".link_to('', 'index.php'))."?logout=true"; + } + /** * @brief Check if the user is an admin user * @param string $uid uid of the admin