Merge pull request #5072 from owncloud/apache-auth-master

OC6 Apache Authentication

6 files changed, 170 insertions, 4 deletions

diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 71bec11d219..fcca43624fe 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -64,7 +64,7 @@
 					</li>
 				<?php endforeach; ?>
 					<li>
-						<a id="logout" href="<?php print_unescaped(link_to('', 'index.php')); ?>?logout=true">
+						<a id="logout" <?php print_unescaped(OC_User::getLogoutAttribute()); ?>>
 							<img class="svg" alt="" src="<?php print_unescaped(image_path('', 'actions/logout.svg')); ?>" />
 							<?php p($l->t('Log out'));?>
 						</a>
diff --git a/core/templates/login.php b/core/templates/login.php
index 06f64d41e39..aca42c84387 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,6 +12,12 @@
 			<small><?php p($l->t('Please change your password to secure your account again.')); ?></small>
 		</div>
 		<?php endif; ?>
+		<?php if (isset($_['apacheauthfailed']) && ($_['apacheauthfailed'])): ?>
+			<div class="warning">
+				<?php p($l->t('Server side authentication failed!')); ?><br>
+				<small><?php p($l->t('Please contact your administrator.')); ?></small>
+			</div>
+		<?php endif; ?>
 		<p class="infield grouptop">
 			<input type="text" name="user" id="user" placeholder=""
 				   value="<?php p($_['username']); ?>"<?php p($_['user_autofocus'] ? ' autofocus' : ''); ?>
diff --git a/lib/base.php b/lib/base.php
index 42182c21fb0..b0b2dca502f 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -489,6 +489,11 @@ class OC {
 
 		if (isset($_SERVER['PHP_AUTH_USER']) && self::$session->exists('user_id')
 			&& $_SERVER['PHP_AUTH_USER'] != self::$session->get('user_id')) {
+			$sessionUser = self::$session->get('user_id');
+			$serverUser = $_SERVER['PHP_AUTH_USER'];
+			OC_Log::write('core',
+				"Session user-id ($sessionUser) doesn't match SERVER[PHP_AUTH_USER] ($serverUser).",
+				OC_Log::WARN);
 			OC_User::logout();
 		}
 
@@ -743,11 +748,17 @@ class OC {
 	protected static function handleLogin() {
 		OC_App::loadApps(array('prelogin'));
 		$error = array();
+
+		// auth possible via apache module?
+		if (OC::tryApacheAuth()) {
+			$error[] = 'apacheauthfailed';
+		}
 		// remember was checked after last login
-		if (OC::tryRememberLogin()) {
+		elseif (OC::tryRememberLogin()) {
 			$error[] = 'invalidcookie';
-			// Someone wants to log in :
-		} elseif (OC::tryFormLogin()) {
+		}
+		// logon via web form
+		elseif (OC::tryFormLogin()) {
 			$error[] = 'invalidpassword';
 		}
 
@@ -765,6 +776,20 @@ class OC {
 		}
 	}
 
+	protected static function tryApacheAuth() {
+		$return = OC_User::handleApacheAuth();
+
+		// if return is true we are logged in -> redirect to the default page
+		if ($return === true) {
+			$_REQUEST['redirect_url'] = \OC_Request::requestUri();
+			OC_Util::redirectToDefaultPage();
+			exit;
+		}
+
+		// in case $return is null apache based auth is not enabled
+		return is_null($return) ? false : true;
+	}
+
 	protected static function tryRememberLogin() {
 		if (!isset($_COOKIE["oc_remember_login"])
 			|| !isset($_COOKIE["oc_token"])
diff --git a/lib/private/connector/sabre/auth.php b/lib/private/connector/sabre/auth.php
index bf3a49593cb..d2fd74c44f9 100644
--- a/lib/private/connector/sabre/auth.php
+++ b/lib/private/connector/sabre/auth.php
@@ -72,6 +72,11 @@ class OC_Connector_Sabre_Auth extends Sabre_DAV_Auth_Backend_AbstractBasic {
 	  * @return bool
 	  */
 	public function authenticate(Sabre_DAV_Server $server, $realm) {
+
+		if (OC_User::handleApacheAuth()) {
+		    return true;
+		}
+
 		if (OC_User::isLoggedIn()) {
 			$user = OC_User::getUser();
 			OC_Util::setupFS($user);
diff --git a/lib/private/user.php b/lib/private/user.php
index 15e807088b4..04cd06b08bd 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -214,6 +214,55 @@ class OC_User {
 	}
 
 	/**
+	 * @brief Try to login a user, assuming authentication
+	 * has already happened (e.g. via Single Sign On).
+	 *
+	 * Log in a user and regenerate a new session.
+	 *
+	 * @param \OCP\Authentication\IApacheBackend $backend
+	 * @return bool
+	 */
+	public static function loginWithApache(\OCP\Authentication\IApacheBackend $backend) {
+
+		$uid = $backend->getCurrentUserId();
+		$run = true;
+		OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid ));
+
+		if($uid) {
+			session_regenerate_id(true);
+			self::setUserId($uid);
+			self::setDisplayName($uid);
+			OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' ));
+			return true;
+		}
+		return false;
+	}
+
+	/**
+	 * @brief Verify with Apache whether user is authenticated.
+	 *
+	 * @return boolean|null
+	 *          true: authenticated
+	 *          false: not authenticated
+	 *          null: not handled / no backend available
+	 */
+	public static function handleApacheAuth() {
+		$backend = self::findFirstActiveUsedBackend();
+		if ($backend) {
+			OC_App::loadApps();
+
+			//setup extra user backends
+			self::setupBackends();
+			self::unsetMagicInCookie();
+
+			return self::loginWithApache($backend);
+		}
+
+		return null;
+	}
+
+
+	/**
 	 * @brief Sets user id for session and triggers emit
 	 */
 	public static function setUserId($uid) {
@@ -260,6 +309,22 @@ class OC_User {
 	}
 
 	/**
+	 * Supplies an attribute to the logout hyperlink. The default behaviour
+	 * is to return an href with '?logout=true' appended. However, it can
+	 * supply any attribute(s) which are valid for <a>.
+	 *
+	 * @return string with one or more HTML attributes.
+	 */
+	public static function getLogoutAttribute() {
+		$backend = self::findFirstActiveUsedBackend();
+		if ($backend) {
+			return $backend->getLogoutAttribute();
+		}
+
+		return "href=" . link_to('', 'index.php') . "?logout=true";
+	}
+
+	/**
 	 * @brief Check if the user is an admin user
 	 * @param string $uid uid of the admin
 	 * @return bool
@@ -497,4 +562,20 @@ class OC_User {
 	public static function unsetMagicInCookie() {
 		self::getUserSession()->unsetMagicInCookie();
 	}
+
+	/**
+	 * @brief Returns the first active backend from self::$_usedBackends.
+	 * @return null if no backend active, otherwise OCP\Authentication\IApacheBackend
+	 */
+	private static function findFirstActiveUsedBackend() {
+		foreach (self::$_usedBackends as $backend) {
+			if ($backend instanceof OCP\Authentication\IApacheBackend) {
+				if ($backend->isSessionActive()) {
+					return $backend;
+				}
+			}
+		}
+
+		return null;
+	}
 }
diff --git a/lib/public/authentication/iapachebackend.php b/lib/public/authentication/iapachebackend.php
new file mode 100644
index 00000000000..5376baf525c
--- /dev/null
+++ b/lib/public/authentication/iapachebackend.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * ownCloud - Apache backend
+ *
+ * @author Karl Beecher
+ * @copyright 2013 Karl Beecher - karl@endocode.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCP\Authentication;
+
+interface IApacheBackend {
+
+	/**
+	 * In case the user has been authenticated by Apache true is returned.
+	 *
+	 * @return boolean whether Apache reports a user as currently logged in.
+	 */
+	public function isSessionActive();
+
+	/**
+	 * Creates an attribute which is added to the logout hyperlink. It can
+	 * supply any attribute(s) which are valid for <a>.
+	 *
+	 * @return string with one or more HTML attributes.
+	 */
+	public function getLogoutAttribute();
+
+	/**
+	 * Return the id of the current user
+	 * @return string
+	 */
+	public function getCurrentUserId();
+
+}