add KerberosApacheAuth support to files_external
authorArthur Schiwon <blizzz@arthur-schiwon.de>
Wed, 20 Oct 2021 20:39:13 +0000 (22:39 +0200)
committerbackportbot[bot] <backportbot[bot]@users.noreply.github.com>
Thu, 20 Jan 2022 19:14:07 +0000 (19:14 +0000)
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
apps/files_external/lib/AppInfo/Application.php
apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php [new file with mode: 0644]
apps/files_external/lib/Lib/Backend/SMB.php

index 7f6d88633506498024363bb4f21e33a0b51299bb..222116db5eccb8242dd9ab9473e59637f5e8da66 100644 (file)
@@ -31,8 +31,6 @@ namespace OCA\Files_External\AppInfo;
 
 use OCA\Files_External\Config\ConfigAdapter;
 use OCA\Files_External\Config\UserPlaceholderHandler;
-use OCA\Files_External\Listener\GroupDeletedListener;
-use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Lib\Auth\AmazonS3\AccessKey;
 use OCA\Files_External\Lib\Auth\Builtin;
 use OCA\Files_External\Lib\Auth\NullMechanism;
@@ -49,6 +47,7 @@ use OCA\Files_External\Lib\Auth\Password\UserGlobalAuth;
 use OCA\Files_External\Lib\Auth\Password\UserProvided;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 use OCA\Files_External\Lib\Auth\PublicKey\RSAPrivateKey;
+use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth;
 use OCA\Files_External\Lib\Auth\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Backend\AmazonS3;
 use OCA\Files_External\Lib\Backend\DAV;
@@ -62,6 +61,8 @@ use OCA\Files_External\Lib\Backend\SMB_OC;
 use OCA\Files_External\Lib\Backend\Swift;
 use OCA\Files_External\Lib\Config\IAuthMechanismProvider;
 use OCA\Files_External\Lib\Config\IBackendProvider;
+use OCA\Files_External\Listener\GroupDeletedListener;
+use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Service\BackendService;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -180,6 +181,7 @@ class Application extends App implements IBackendProvider, IAuthMechanismProvide
                        // Specialized mechanisms
                        $container->query(AccessKey::class),
                        $container->query(KerberosAuth::class),
+                       $container->query(KerberosApacheAuth::class),
                ];
        }
 }
diff --git a/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
new file mode 100644 (file)
index 0000000..6450381
--- /dev/null
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @author Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Files_External\Lib\Auth\SMB;
+
+use OCA\Files_External\Lib\Auth\AuthMechanism;
+use OCP\Authentication\LoginCredentials\IStore;
+use OCP\IL10N;
+
+class KerberosApacheAuth extends AuthMechanism {
+       /** @var IStore */
+       private $credentialsStore;
+
+       public function __construct(IL10N $l, IStore $credentialsStore) {
+               $this
+                       ->setIdentifier('smb::kerberosapache')
+                       ->setScheme(self::SCHEME_SMB)
+                       ->setText($l->t('Kerberos ticket apache mode'));
+               $this->credentialsStore = $credentialsStore;
+       }
+
+       public function getCredentialsStore(): IStore {
+               return $this->credentialsStore;
+       }
+}
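Review bot: Neither the class nor getCredentialsStore() carries a docblock, and the identifier `smb::kerberosapache` and the label 'Kerberos ticket apache mode' do not say what distinguishes this mechanism from KerberosAuth or why it needs an IStore. Suggest a class docblock such as `/** SMB auth mechanism for a Kerberos ticket presumably supplied by the Apache request environment; the injected IStore is exposed so the backend can fall back to the stored session login credentials when no ticket is available. */` — the fallback part is what SMB.php in this commit does, the ticket part should be confirmed. On getCredentialsStore() a one-line note that the returned store yields the user's login name and password would tell callers they are handling credential-bearing state. If the app's minimum PHP is 7.4 or later, `/** @var IStore */ private $credentialsStore;` could be the native typed property `private IStore $credentialsStore;`.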
index 867648824ac1d6fcb5361485a7b2f2860bde4489..99e48b1433d081c17b8e2234b21373827b2618f3 100644 (file)
  * along with this program. If not, see <http://www.gnu.org/licenses/>
  *
  */
+
 namespace OCA\Files_External\Lib\Backend;
 
 use Icewind\SMB\BasicAuth;
+use Icewind\SMB\KerberosApacheAuth;
 use Icewind\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Auth\AuthMechanism;
 use OCA\Files_External\Lib\Auth\Password\Password;
 use OCA\Files_External\Lib\DefinitionParameter;
+use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
 use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
 use OCA\Files_External\Lib\StorageConfig;
-
 use OCP\IL10N;
 use OCP\IUser;
 
@@ -69,10 +71,6 @@ class SMB extends Backend {
                        ->setLegacyAuthMechanism($legacyAuth);
        }
 
-       /**
-        * @param StorageConfig $storage
-        * @param IUser $user
-        */
        public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) {
                $auth = $storage->getAuthMechanism();
                if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
@@ -89,6 +87,31 @@ class SMB extends Backend {
                        switch ($auth->getIdentifier()) {
                                case 'smb::kerberos':
                                        $smbAuth = new KerberosAuth();
+                                       break;
+                               case 'smb::kerberosapache':
+                                       $credentialsStore = $auth->getCredentialsStore();
+                                       $kerb_auth = new KerberosApacheAuth();
+                                       if ($kerb_auth->checkTicket()) {
+                                               $kerb_auth->registerApacheKerberosTicket();
+                                               $smbAuth = $kerb_auth;
+                                       } else {
+                                               try {
+                                                       $credentials = $credentialsStore->getLoginCredentials();
+                                                       $user = $credentials->getLoginName();
+                                                       $pass = $credentials->getPassword();
+                                                       if (preg_match('/(.*)@(.*)/', $user, $matches) !== 1) {
+                                                               throw new InsufficientDataForMeaningfulAnswerException('No valid session credentials');
+                                                       }
+                                                       $smbAuth = new BasicAuth(
+                                                               $matches[0],
+                                                               $matches[1],
+                                                               $pass
+                                                       );
+                                               } catch (\Exception $e) {
+                                                       throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
+                                               }
+                                       }
+
                                        break;
                                default:
                                        throw new \InvalidArgumentException('unknown authentication backend');
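Review bot: `$matches[0]` in the BasicAuth call is the entire matched string (the full `user@realm` login name), not the first capture group, so the username passed is the complete login and the "workgroup" is the bare user part; the two capture groups are `$matches[1]` and `$matches[2]`, i.e. `new BasicAuth($matches[1], $matches[2], $pass)` — assuming BasicAuth's parameter order is username, workgroup, password. `$user = $credentials->getLoginName();` overwrites the method's `IUser $user = null` parameter with a string; a separate local such as `$loginName` avoids that type confusion. The `catch (\Exception $e)` also catches the InsufficientDataForMeaningfulAnswerException thrown a few lines above (if that class extends \Exception), replacing its 'No valid session credentials' message, and it drops the original exception — pass it along, `throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved', 0, $e);`, so the cause stays diagnosable. `$auth->getCredentialsStore()` is called on a value typed only as AuthMechanism; an `instanceof` guard against the files_external mechanism class (imported under an alias, since `Icewind\SMB\KerberosApacheAuth` already takes that name here) before the call would make the dispatch explicit rather than relying on the identifier string. manipulateStorageConfig starts and ends outside this hunk.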