authorArthur Schiwon <blizzz@arthur-schiwon.de>2021-10-20 22:39:13 +0200
committerRobin Appelman <robin@icewind.nl>2022-01-20 16:08:34 +0100
commita96d46198871f1c77fc160a6da0814c91a57338e (patch)
tree382fa71d700a756ef5a49e481a44ae530a963cf2
parent31af141879d46dfaf2bcbaa32c78433084645dee (diff)
add KerberosApacheAuth support to files_external
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r--apps/files_external/lib/AppInfo/Application.php6
-rw-r--r--apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php46
-rw-r--r--apps/files_external/lib/Lib/Backend/SMB.php33
3 files changed, 78 insertions, 7 deletions
diff --git a/apps/files_external/lib/AppInfo/Application.php b/apps/files_external/lib/AppInfo/Application.php
index 7f6d8863350..222116db5ec 100644
--- a/apps/files_external/lib/AppInfo/Application.php
+++ b/apps/files_external/lib/AppInfo/Application.php
@@ -31,8 +31,6 @@ namespace OCA\Files_External\AppInfo;
use OCA\Files_External\Config\ConfigAdapter;
use OCA\Files_External\Config\UserPlaceholderHandler;
-use OCA\Files_External\Listener\GroupDeletedListener;
-use OCA\Files_External\Listener\UserDeletedListener;
use OCA\Files_External\Lib\Auth\AmazonS3\AccessKey;
use OCA\Files_External\Lib\Auth\Builtin;
use OCA\Files_External\Lib\Auth\NullMechanism;
@@ -49,6 +47,7 @@ use OCA\Files_External\Lib\Auth\Password\UserGlobalAuth;
use OCA\Files_External\Lib\Auth\Password\UserProvided;
use OCA\Files_External\Lib\Auth\PublicKey\RSA;
use OCA\Files_External\Lib\Auth\PublicKey\RSAPrivateKey;
+use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth;
use OCA\Files_External\Lib\Auth\SMB\KerberosAuth;
use OCA\Files_External\Lib\Backend\AmazonS3;
use OCA\Files_External\Lib\Backend\DAV;
@@ -62,6 +61,8 @@ use OCA\Files_External\Lib\Backend\SMB_OC;
use OCA\Files_External\Lib\Backend\Swift;
use OCA\Files_External\Lib\Config\IAuthMechanismProvider;
use OCA\Files_External\Lib\Config\IBackendProvider;
+use OCA\Files_External\Listener\GroupDeletedListener;
+use OCA\Files_External\Listener\UserDeletedListener;
use OCA\Files_External\Service\BackendService;
use OCP\AppFramework\App;
use OCP\AppFramework\Bootstrap\IBootContext;
@@ -180,6 +181,7 @@ class Application extends App implements IBackendProvider, IAuthMechanismProvide
// Specialized mechanisms
$container->query(AccessKey::class),
$container->query(KerberosAuth::class),
+ $container->query(KerberosApacheAuth::class),
];
}
}
diff --git a/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
new file mode 100644
index 00000000000..64503810225
--- /dev/null
+++ b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @author Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Files_External\Lib\Auth\SMB;
+
+use OCA\Files_External\Lib\Auth\AuthMechanism;
+use OCP\Authentication\LoginCredentials\IStore;
+use OCP\IL10N;
+
+class KerberosApacheAuth extends AuthMechanism {
+ /** @var IStore */
+ private $credentialsStore;
+
+ public function __construct(IL10N $l, IStore $credentialsStore) {
+ $this
+ ->setIdentifier('smb::kerberosapache')
+ ->setScheme(self::SCHEME_SMB)
+ ->setText($l->t('Kerberos ticket apache mode'));
+ $this->credentialsStore = $credentialsStore;
+ }
+
+ public function getCredentialsStore(): IStore {
+ return $this->credentialsStore;
+ }
+}
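Review bot: `KerberosApacheAuth` has no class docblock, and the label 'Kerberos ticket apache mode' alone does not say what the mechanism does when no ticket is present. Going by the `smb::kerberosapache` case added to `SMB.php` in this commit, the backend then reads the session login name and password from the injected `IStore` and authenticates with `BasicAuth`. I would document that on the class, e.g. `/** SMB authentication using the Kerberos ticket supplied by Apache; the SMB backend falls back to the session login credentials from IStore when no ticket is available. */`, and give `getCredentialsStore()` a one-line docblock saying it hands out the login-credential store for that fallback.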
diff --git a/apps/files_external/lib/Lib/Backend/SMB.php b/apps/files_external/lib/Lib/Backend/SMB.php
index 867648824ac..99e48b1433d 100644
--- a/apps/files_external/lib/Lib/Backend/SMB.php
+++ b/apps/files_external/lib/Lib/Backend/SMB.php
@@ -24,16 +24,18 @@
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
+
namespace OCA\Files_External\Lib\Backend;
use Icewind\SMB\BasicAuth;
+use Icewind\SMB\KerberosApacheAuth;
use Icewind\SMB\KerberosAuth;
use OCA\Files_External\Lib\Auth\AuthMechanism;
use OCA\Files_External\Lib\Auth\Password\Password;
use OCA\Files_External\Lib\DefinitionParameter;
+use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
use OCA\Files_External\Lib\StorageConfig;
-
use OCP\IL10N;
use OCP\IUser;
@@ -69,10 +71,6 @@ class SMB extends Backend {
->setLegacyAuthMechanism($legacyAuth);
}
- /**
- * @param StorageConfig $storage
- * @param IUser $user
- */
public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) {
$auth = $storage->getAuthMechanism();
if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
@@ -90,6 +88,31 @@ class SMB extends Backend {
case 'smb::kerberos':
$smbAuth = new KerberosAuth();
break;
+ case 'smb::kerberosapache':
+ $credentialsStore = $auth->getCredentialsStore();
+ $kerb_auth = new KerberosApacheAuth();
+ if ($kerb_auth->checkTicket()) {
+ $kerb_auth->registerApacheKerberosTicket();
+ $smbAuth = $kerb_auth;
+ } else {
+ try {
+ $credentials = $credentialsStore->getLoginCredentials();
+ $user = $credentials->getLoginName();
+ $pass = $credentials->getPassword();
+ if (preg_match('/(.*)@(.*)/', $user, $matches) !== 1) {
+ throw new InsufficientDataForMeaningfulAnswerException('No valid session credentials');
+ }
+ $smbAuth = new BasicAuth(
+ $matches[0],
+ $matches[1],
+ $pass
+ );
+ } catch (\Exception $e) {
+ throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
+ }
+ }
+
+ break;
default:
throw new \InvalidArgumentException('unknown authentication backend');
}
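Review bot: In the `smb::kerberosapache` fallback, `new BasicAuth($matches[0], $matches[1], $pass)` passes the full `user@realm` match as the username and the user part as the second argument (the workgroup in icewind/smb's `BasicAuth`), because `$matches[0]` is the whole match; the capture groups are `$matches[1]` and `$matches[2]`. The `catch (\Exception $e)` also catches the 'No valid session credentials' exception thrown inside the same `try`, so a malformed login name is always reported as 'No session credentials saved' and the original cause is dropped. Assigning to `$user` overwrites the `IUser $user` parameter of `manipulateStorageConfig`, whose body continues outside the hunk, so any later use of `$user` there would see a string. The fence narrows the `try`, uses a separate local name and the capture groups.

```php
// … unchanged: checkTicket() / registerApacheKerberosTicket() branch …
} else {
	try {
		$credentials = $credentialsStore->getLoginCredentials();
		$loginName = $credentials->getLoginName();
		$pass = $credentials->getPassword();
	} catch (\Exception $e) {
		throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
	}
	// Validate outside the try so this message is not replaced by the catch above.
	if (preg_match('/(.*)@(.*)/', $loginName, $matches) !== 1) {
		throw new InsufficientDataForMeaningfulAnswerException('No valid session credentials');
	}
	$smbAuth = new BasicAuth(
		$matches[1],
		$matches[2],
		$pass
	);
}
```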