committags/v6.0.0alpha2ae1f68ac54
Author: Thomas Müller <thomas.mueller@tmit.eu> Date: Thu Aug 22 11:45:27 2013 +0200 fixing undefined variable commit982f327ca1
Author: Thomas Müller <thomas.mueller@tmit.eu> Date: Wed Aug 7 12:00:14 2013 +0200 adding login.php as alternative for index.php/login commitda0d7e1d09
Author: Thomas Müller <thomas.mueller@tmit.eu> Date: Wed Aug 7 11:36:12 2013 +0200 adding a route for web login commit8e2a011604
Author: Karl Beecher <karl@endocode.com> Date: Tue Aug 6 17:00:28 2013 +0200 Login attempt returns true instead of exiting immediately commitfd89d55de9
Author: Karl Beecher <karl@endocode.com> Date: Mon Aug 5 15:31:30 2013 +0200 Further abstraction. This change introduces the ApacheBackend interface for backends that depend on Apache authentication and session management. There are no longer references to specific backends in OC_User. commit469cfd98ae
Author: Karl Beecher <karl@endocode.com> Date: Thu Aug 1 15:46:36 2013 +0200 Make login attempt function protected. commitd803515f19
Author: Karl Beecher <karl@endocode.com> Date: Wed Jul 31 16:00:22 2013 +0200 Amends the login link When using a Shibboleth login, clicking logout displays a message to the user instead of ending the session. commitaa8c1fcea0
Author: Karl Beecher <karl@endocode.com> Date: Tue Jul 30 13:15:59 2013 +0200 Abstract Shibboleth authentication into an Apache authentication method commit69082f2ebc
Author: Karl Beecher <karl@endocode.com> Date: Tue Jul 30 11:22:26 2013 +0200 Convert spaces -> tabs commit5a80861d86
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 17:40:48 2013 +0200 Separate the authentication methods SABRE authentication and base authentication have slightly different workings right now. They should be refactored into a common method later, but time pressure requires us to reinvent the wheel slightly. commitdc20a9f876
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 17:07:07 2013 +0200 Authenticate calls to WebDAV against Shibboleth. When using WebDAV, the OC_Connector_Sabre_Auth::authenticate method is normally called without trying the Shibboleth authentication... thus the session is not established. The method now tries Shib authentication, setting up a session if the user has already authenticated. commit091e4861b2
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 14:04:54 2013 +0200 Sets up the Shibboleth login attempt. commitbae710ec05
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 12:36:44 2013 +0200 Add a method for attempting shibboleth login. If the PHP_AUTH_USER and EPPN environment variables are set, attempt a Shibboleth (passwordless) login. commit667d0710a7
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 11:38:04 2013 +0200 Revert "Adds the apps2 folder with user_shibboleth backend." This reverts commit7abbdb6467
. commit7abbdb6467
Author: Karl Beecher <karl@endocode.com> Date: Mon Jul 29 11:28:06 2013 +0200 Adds the apps2 folder with user_shibboleth backend. Conflicts: core/templates/layout.user.php lib/base.php
@@ -6,6 +6,8 @@ | |||
<!--[if gt IE 9]><html class="ng-csp ie"><![endif]--> | |||
<!--[if !IE]><!--><html class="ng-csp"><!--<![endif]--> | |||
<?php $defaults = new OC_Defaults(); // initialize themable default strings and urls ?> | |||
<head data-user="<?php p($_['user_uid']); ?>" data-requesttoken="<?php p($_['requesttoken']); ?>"> | |||
<title> | |||
<?php p(!empty($_['application'])?$_['application'].' | ':''); | |||
@@ -64,7 +66,7 @@ | |||
</li> | |||
<?php endforeach; ?> | |||
<li> | |||
<a id="logout" href="<?php print_unescaped(link_to('', 'index.php')); ?>?logout=true"> | |||
<a id="logout" <?php print OC_User::getLogoutAttribute(); ?>> | |||
<img class="svg" alt="" src="<?php print_unescaped(image_path('', 'actions/logout.svg')); ?>" /> | |||
<?php p($l->t('Log out'));?> | |||
</a> |
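Review bot: The new logout anchor prints the return value of `OC_User::getLogoutAttribute()` raw, and the default branch of that method (last hunk of this commit) builds it with `print_unescaped(...)`, which to my knowledge echoes its argument and returns nothing. The `href=` part is therefore emitted as a side effect and only `?logout=true` is returned, so the markup is correct only while the caller prints immediately, and the href value ends up unquoted. I would return the whole attribute instead, `return 'href="' . link_to('', 'index.php') . '?logout=true"';`, so this template line is the single place where it is written out.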
@@ -489,6 +489,11 @@ class OC { | |||
if (isset($_SERVER['PHP_AUTH_USER']) && self::$session->exists('user_id') | |||
&& $_SERVER['PHP_AUTH_USER'] != self::$session->get('user_id')) { | |||
$sessionUser = self::$session->get('user_id'); | |||
$serverUser = $_SERVER['PHP_AUTH_USER']; | |||
OC_Log::write('core', | |||
"Session user-id doesn't match PHP_AUTH_USER. SESSION[user_id]: $sessionUser; SERVER[PHP_AUTH_USER]: $serverUser.", | |||
OC_Log::WARN); | |||
OC_User::logout(); | |||
} | |||
@@ -740,11 +745,22 @@ class OC { | |||
} | |||
} | |||
public static function login($params) { | |||
if (OC_User::isLoggedIn()) { | |||
header("Location: " . OC::$WEBROOT . '/'); | |||
exit(); | |||
} | |||
self::handleLogin(); | |||
} | |||
protected static function handleLogin() { | |||
OC_App::loadApps(array('prelogin')); | |||
$error = array(); | |||
if (OC::tryApacheAuth()) { | |||
} | |||
// remember was checked after last login | |||
if (OC::tryRememberLogin()) { | |||
elseif (OC::tryRememberLogin()) { | |||
$error[] = 'invalidcookie'; | |||
// Someone wants to log in : | |||
} elseif (OC::tryFormLogin()) { | |||
@@ -765,6 +781,10 @@ class OC { | |||
} | |||
} | |||
protected static function tryApacheAuth() { | |||
return OC_User::handleApacheAuth(false); | |||
} | |||
protected static function tryRememberLogin() { | |||
if (!isset($_COOKIE["oc_remember_login"]) | |||
|| !isset($_COOKIE["oc_token"]) |
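Review bot: The warning added in the first hunk of this file interpolates `$_SERVER['PHP_AUTH_USER']` into the log message unchanged, and that value can originate from a client-supplied Authorization header. Unless OC_Log neutralises control characters for every configured log backend (not visible here), a user name containing line breaks could split or forge log entries. I would strip them before logging, e.g. `$serverUser = str_replace(array("\r", "\n"), ' ', $_SERVER['PHP_AUTH_USER']);`. The enclosing method of class OC starts and ends outside the hunk.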
@@ -72,6 +72,10 @@ class OC_Connector_Sabre_Auth extends Sabre_DAV_Auth_Backend_AbstractBasic { | |||
* @return bool | |||
*/ | |||
public function authenticate(Sabre_DAV_Server $server, $realm) { | |||
if (OC_User::handleApacheAuth(true)) { | |||
return true; | |||
} | |||
if (OC_User::isLoggedIn()) { | |||
$user = OC_User::getUser(); | |||
OC_Util::setupFS($user); |
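Review bot: `OC_User::handleApacheAuth(true)` is called before the `OC_User::isLoggedIn()` check, so every WebDAV request that arrives with an active Apache session goes through `loginWithApache()` again: the pre_login/post_login hooks fire and `session_regenerate_id(true)` runs on each request. If a fresh login per request is not intended, guard the call with `if (!OC_User::isLoggedIn() && OC_User::handleApacheAuth(true)) {`. The early `return true` also skips the `OC_Util::setupFS($user)` call that the logged-in branch makes; whether the file system is set up elsewhere on this path is not visible, since authenticate() continues outside the hunk.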
@@ -0,0 +1,41 @@ | |||
<?php | |||
/** | |||
* ownCloud - Apache backend | |||
* | |||
* @author Karl Beecher | |||
* @copyright 2013 Karl Beecher - karl@endocode.com | |||
* | |||
* This library is free software; you can redistribute it and/or | |||
* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE | |||
* License as published by the Free Software Foundation; either | |||
* version 3 of the License, or any later version. | |||
* | |||
* This library is distributed in the hope that it will be useful, | |||
* but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
* GNU AFFERO GENERAL PUBLIC LICENSE for more details. | |||
* | |||
* You should have received a copy of the GNU Affero General Public | |||
* License along with this library. If not, see <http://www.gnu.org/licenses/>. | |||
* | |||
*/ | |||
namespace OCP; | |||
interface ApacheBackend { | |||
/** | |||
* @return Returns whether Apache reports a user is currently logged in. | |||
*/ | |||
public function isSessionActive(); | |||
/** | |||
* Creates an attribute which is added to the logout hyperlink. It can | |||
* supply any attribute(s) which are valid for <a>. | |||
* | |||
* @return String with one or more HTML attributes. | |||
*/ | |||
public function getLogoutAttribute(); | |||
} |
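Review bot: The docblock of `getLogoutAttribute()` does not say who is responsible for escaping, yet the layout template prints the returned string straight into the `<a id="logout">` tag. I would add a sentence such as `The returned string is written into the page unescaped; implementations must return well-formed, already-escaped attribute text and must not include request data verbatim.` The two `@return` tags also lack a type; `@return bool` and `@return string` followed by the description would match the `@return bool` style used in OC_Connector_Sabre_Auth.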
@@ -213,6 +213,64 @@ class OC_User { | |||
return self::getUserSession()->login($uid, $password); | |||
} | |||
/** | |||
* @brief Try to login a user, assuming authentication | |||
* has already happened (e.g. via SSO). | |||
* | |||
* Log in a user and regenerate a new session. | |||
*/ | |||
public static function loginWithApache() { | |||
$uid = $_SERVER["PHP_AUTH_USER"]; | |||
$run = true; | |||
OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid )); | |||
$enabled = self::isEnabled($uid); | |||
if($uid && $enabled) { | |||
session_regenerate_id(true); | |||
self::setUserId($uid); | |||
self::setDisplayName($uid); | |||
OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' )); | |||
return true; | |||
} | |||
return false; | |||
} | |||
/** | |||
* @brief Verify with Apache whether user is authenticated. | |||
* @note Currently supports only Shibboleth. | |||
* | |||
* @param $isWebdav Is this request done using webdav. | |||
* @return true: authenticated - false: not authenticated | |||
*/ | |||
public static function handleApacheAuth($isWebdav = false) { | |||
foreach (self::$_usedBackends as $backend) { | |||
if ($backend instanceof OCP\ApacheBackend) { | |||
if ($backend->isSessionActive()) { | |||
OC_App::loadApps(); | |||
//setup extra user backends | |||
self::setupBackends(); | |||
self::unsetMagicInCookie(); | |||
if (self::loginWithApache()) { | |||
if (! $isWebdav) { | |||
$_REQUEST['redirect_url'] = \OC_Request::requestUri(); | |||
OC_Util::redirectToDefaultPage(); | |||
return true; | |||
} | |||
else { | |||
return true; | |||
} | |||
} | |||
} | |||
} | |||
} | |||
return false; | |||
} | |||
/** | |||
* @brief Sets user id for session and triggers emit | |||
*/ | |||
@@ -259,6 +317,25 @@ class OC_User { | |||
return false; | |||
} | |||
/** | |||
* Supplies an attribute to the logout hyperlink. The default behaviuour | |||
* is to return an href with '?logout=true' appended. However, it can | |||
* supply any attribute(s) which are valid for <a>. | |||
* | |||
* @return String with one or more HTML attributes. | |||
*/ | |||
public static function getLogoutAttribute() { | |||
foreach (self::$_usedBackends as $backend) { | |||
if ($backend instanceof OCP\ApacheBackend) { | |||
if ($backend->isSessionActive()) { | |||
return $backend->getLogoutAttribute(); | |||
} | |||
} | |||
} | |||
return print_unescaped("href=".link_to('', 'index.php'))."?logout=true"; | |||
} | |||
/** | |||
* @brief Check if the user is an admin user | |||
* @param string $uid uid of the admin |
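Review bot: `loginWithApache()` passes `$run` by reference to the pre_login hook but never reads it afterwards, so a listener that sets it to false cannot veto this passwordless login; the guard should be `if($run && $uid && $enabled) {`. The uid is also read from `$_SERVER["PHP_AUTH_USER"]` without an isset() check and independently of the backend whose `isSessionActive()` returned true. Nothing visible here ties that name to the session Apache reported, so the binding depends on the web server configuration and on the backend implementation. Letting the ApacheBackend supply the authenticated uid would make that binding explicit.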