diff options
author | Lukas Reschke <lukas@statuscode.ch> | 2017-05-18 20:09:51 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2017-05-18 20:49:10 +0200 |
commit | df3909a7c360f079d3e47401414a38dc7f3494cf (patch) | |
tree | 05436400229200b893df2e92a6d239d9e1fd1af4 | |
parent | 30552090bccc0d77446d57f5b94ae27ad2d81186 (diff) | |
download | nextcloud-server-df3909a7c360f079d3e47401414a38dc7f3494cf.tar.gz nextcloud-server-df3909a7c360f079d3e47401414a38dc7f3494cf.zip |
Use Bearer backend for SabreDAV
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
-rw-r--r-- | apps/dav/lib/Connector/Sabre/Auth.php | 12 | ||||
-rw-r--r-- | apps/dav/lib/Connector/Sabre/BearerAuth.php | 76 | ||||
-rw-r--r-- | apps/dav/lib/Server.php | 8 | ||||
-rw-r--r-- | apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php | 88 | ||||
-rw-r--r-- | apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php | 24 | ||||
-rw-r--r-- | apps/oauth2/lib/Exceptions/ClientNotFoundException.php | 24 |
6 files changed, 220 insertions, 12 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php index 7ddbb70530a..9147e79594c 100644 --- a/apps/dav/lib/Connector/Sabre/Auth.php +++ b/apps/dav/lib/Connector/Sabre/Auth.php @@ -211,18 +211,6 @@ class Auth extends AbstractBasic { private function auth(RequestInterface $request, ResponseInterface $response) { $forcedLogout = false; - $authHeader = $request->getHeader('Authorization'); - if (strpos($authHeader, 'Bearer ') !== false) { - if($this->userSession->tryTokenLogin($this->request)) { - $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID()); - $user = $this->userSession->getUser()->getUID(); - \OC_Util::setupFS($user); - $this->currentUser = $user; - $this->session->close(); - return [true, $this->principalPrefix . $user]; - } - } - if(!$this->request->passesCSRFCheck() && $this->requiresCSRFCheck()) { // In case of a fail with POST we need to recheck the credentials diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php new file mode 100644 index 00000000000..dd0a1bac292 --- /dev/null +++ b/apps/dav/lib/Connector/Sabre/BearerAuth.php @@ -0,0 +1,76 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\DAV\Connector\Sabre; + +use OCP\IRequest; +use OCP\ISession; +use OCP\IUserSession; +use Sabre\DAV\Auth\Backend\AbstractBearer; + +class BearerAuth extends AbstractBearer { + /** @var IUserSession */ + private $userSession; + /** @var ISession */ + private $session; + /** @var IRequest */ + private $request; + /** @var string */ + private $principalPrefix; + + /** + * @param IUserSession $userSession + * @param ISession $session + * @param string $principalPrefix + * @param IRequest $request + */ + public function __construct(IUserSession $userSession, + ISession $session, + IRequest $request, + $principalPrefix = 'principals/users/') { + $this->userSession = $userSession; + $this->session = $session; + $this->request = $request; + $this->principalPrefix = $principalPrefix; + } + + private function setupUserFs($userId) { + \OC_Util::setupFS($userId); + $this->session->close(); + return $this->principalPrefix . $userId; + } + + /** + * {@inheritdoc} + */ + public function validateBearerToken($bearerToken) { + \OC_Util::setupFS(); + + if(!$this->userSession->isLoggedIn()) { + $this->userSession->tryTokenLogin($this->request); + } + if($this->userSession->isLoggedIn()) { + return $this->setupUserFs($this->userSession->getUser()->getUID()); + } + + return false; + } +} diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php index df5b0ea05b6..994ac04033a 100644 --- a/apps/dav/lib/Server.php +++ b/apps/dav/lib/Server.php @@ -33,6 +33,7 @@ use OCA\DAV\CardDAV\ImageExportPlugin; use OCA\DAV\CardDAV\PhotoCache; use OCA\DAV\Comments\CommentsPlugin; use OCA\DAV\Connector\Sabre\Auth; +use OCA\DAV\Connector\Sabre\BearerAuth; use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin; use OCA\DAV\Connector\Sabre\CommentPropertiesPlugin; use OCA\DAV\Connector\Sabre\CopyEtagHeaderPlugin; @@ -52,6 +53,7 @@ use OCP\SabrePluginEvent; use Sabre\CardDAV\VCFExportPlugin; use Sabre\DAV\Auth\Plugin; use OCA\DAV\Connector\Sabre\TagsPlugin; +use Sabre\HTTP\Auth\Bearer; use SearchDAV\DAV\SearchPlugin; class Server { @@ -100,6 +102,12 @@ class Server { $event = new SabrePluginEvent($this->server); $dispatcher->dispatch('OCA\DAV\Connector\Sabre::authInit', $event); + $bearerAuthBackend = new BearerAuth( + \OC::$server->getUserSession(), + \OC::$server->getSession(), + \OC::$server->getRequest() + ); + $authPlugin->addBackend($bearerAuthBackend); // because we are throwing exceptions this plugin has to be the last one $authPlugin->addBackend($authBackend); diff --git a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php new file mode 100644 index 00000000000..5eae75eb8e9 --- /dev/null +++ b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php @@ -0,0 +1,88 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\DAV\Tests\unit\Connector\Sabre; + +use OC\Authentication\TwoFactorAuth\Manager; +use OC\Security\Bruteforce\Throttler; +use OC\User\Session; +use OCA\DAV\Connector\Sabre\BearerAuth; +use OCP\IRequest; +use OCP\ISession; +use OCP\IUser; +use OCP\IUserSession; +use Sabre\HTTP\RequestInterface; +use Sabre\HTTP\ResponseInterface; +use Test\TestCase; + +/** + * @group DB + */ +class BearerAuthTest extends TestCase { + /** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */ + private $userSession; + /** @var ISession|\PHPUnit_Framework_MockObject_MockObject */ + private $session; + /** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */ + private $request; + /** @var BearerAuth */ + private $bearerAuth; + + public function setUp() { + parent::setUp(); + + $this->userSession = $this->createMock(\OC\User\Session::class); + $this->session = $this->createMock(ISession::class); + $this->request = $this->createMock(IRequest::class); + + $this->bearerAuth = new BearerAuth( + $this->userSession, + $this->session, + $this->request + ); + } + + public function testValidateBearerTokenNotLoggedIn() { + $this->assertFalse($this->bearerAuth->validateBearerToken('Token')); + } + + public function testValidateBearerToken() { + $this->userSession + ->expects($this->at(0)) + ->method('isLoggedIn') + ->willReturn(false); + $this->userSession + ->expects($this->at(2)) + ->method('isLoggedIn') + ->willReturn(true); + $user = $this->createMock(IUser::class); + $user + ->expects($this->once()) + ->method('getUID') + ->willReturn('admin'); + $this->userSession + ->expects($this->once()) + ->method('getUser') + ->willReturn($user); + + $this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token')); + } +} diff --git a/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php b/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php new file mode 100644 index 00000000000..a1eb632a9eb --- /dev/null +++ b/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php @@ -0,0 +1,24 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Exceptions; + +class AccessTokenNotFoundException extends \Exception {} diff --git a/apps/oauth2/lib/Exceptions/ClientNotFoundException.php b/apps/oauth2/lib/Exceptions/ClientNotFoundException.php new file mode 100644 index 00000000000..b2395c7bc9e --- /dev/null +++ b/apps/oauth2/lib/Exceptions/ClientNotFoundException.php @@ -0,0 +1,24 @@ +<?php +/** + * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\OAuth2\Exceptions; + +class ClientNotFoundException extends \Exception {} |