diff options
| author | Robin McCorkell <rmccorkell@owncloud.com> | 2015-09-13 19:38:22 +0100 |
|---|---|---|
| committer | Robin McCorkell <rmccorkell@owncloud.com> | 2015-09-13 19:38:22 +0100 |
| commit | 0dc71813354407fad8fa1db113d75cad78dfc12f (patch) | |
| tree | b34b739c2035808f08b8d92dac5ff1a40977b6ea /apps/files_external/lib | |
| parent | 2e7d50b7233dd812a0cca8bdc433fbfa41b8b31e (diff) | |
| parent | 442f5269ef229afa09cbe1e06b2a73bb9656e8c4 (diff) | |
| download | nextcloud-server-0dc71813354407fad8fa1db113d75cad78dfc12f.tar.gz nextcloud-server-0dc71813354407fad8fa1db113d75cad78dfc12f.zip | |
Merge pull request #18441 from owncloud/ext-backends.advanced
Migrate advanced external storage backends to new registration API [part 3]
Diffstat (limited to 'apps/files_external/lib')
| -rw-r--r-- | apps/files_external/lib/auth/authmechanism.php | 6 | ||||
| -rw-r--r-- | apps/files_external/lib/auth/openstack/openstack.php | 48 | ||||
| -rw-r--r-- | apps/files_external/lib/auth/openstack/rackspace.php | 46 | ||||
| -rw-r--r-- | apps/files_external/lib/auth/publickey/rsa.php | 80 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/backend.php | 6 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/local.php | 2 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/sftp.php | 1 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/sftp_key.php | 50 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/smb_oc.php | 69 | ||||
| -rw-r--r-- | apps/files_external/lib/backend/swift.php | 60 | ||||
| -rw-r--r-- | apps/files_external/lib/permissionstrait.php | 164 | ||||
| -rw-r--r-- | apps/files_external/lib/sftp.php | 17 | ||||
| -rw-r--r-- | apps/files_external/lib/sftp_key.php | 215 | ||||
| -rw-r--r-- | apps/files_external/lib/smb_oc.php | 126 | ||||
| -rw-r--r-- | apps/files_external/lib/visibilitytrait.php | 136 |
15 files changed, 537 insertions, 489 deletions
diff --git a/apps/files_external/lib/auth/authmechanism.php b/apps/files_external/lib/auth/authmechanism.php index 11d99bb330d..ddc0c6a4dca 100644 --- a/apps/files_external/lib/auth/authmechanism.php +++ b/apps/files_external/lib/auth/authmechanism.php @@ -22,7 +22,7 @@ namespace OCA\Files_External\Lib\Auth; use \OCA\Files_External\Lib\StorageConfig; -use \OCA\Files_External\Lib\VisibilityTrait; +use \OCA\Files_External\Lib\PermissionsTrait; use \OCA\Files_External\Lib\IdentifierTrait; use \OCA\Files_External\Lib\FrontendDefinitionTrait; use \OCA\Files_External\Lib\StorageModifierTrait; @@ -40,7 +40,7 @@ use \OCA\Files_External\Lib\StorageModifierTrait; * scheme, which are provided from the authentication mechanism. * * This class uses the following traits: - * - VisibilityTrait + * - PermissionsTrait * Restrict usage to admin-only/none * - FrontendDefinitionTrait * Specify configuration parameters and other definitions @@ -58,7 +58,7 @@ class AuthMechanism implements \JsonSerializable { const SCHEME_PUBLICKEY = 'publickey'; const SCHEME_OPENSTACK = 'openstack'; - use VisibilityTrait; + use PermissionsTrait; use FrontendDefinitionTrait; use StorageModifierTrait; use IdentifierTrait; diff --git a/apps/files_external/lib/auth/openstack/openstack.php b/apps/files_external/lib/auth/openstack/openstack.php new file mode 100644 index 00000000000..faf356bcf2e --- /dev/null +++ b/apps/files_external/lib/auth/openstack/openstack.php @@ -0,0 +1,48 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Auth\OpenStack; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; + +/** + * OpenStack Keystone authentication + */ +class OpenStack extends AuthMechanism { + + public function __construct(IL10N $l) { + $this + ->setIdentifier('openstack::openstack') + ->setScheme(self::SCHEME_OPENSTACK) + ->setText($l->t('OpenStack')) + ->addParameters([ + (new DefinitionParameter('user', $l->t('Username'))), + (new DefinitionParameter('password', $l->t('Password'))) + ->setType(DefinitionParameter::VALUE_PASSWORD), + (new DefinitionParameter('tenant', $l->t('Tenant name'))), + (new DefinitionParameter('url', $l->t('Identity endpoint URL'))), + ]) + ; + } + +} diff --git a/apps/files_external/lib/auth/openstack/rackspace.php b/apps/files_external/lib/auth/openstack/rackspace.php new file mode 100644 index 00000000000..9268f3aad87 --- /dev/null +++ b/apps/files_external/lib/auth/openstack/rackspace.php @@ -0,0 +1,46 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Auth\OpenStack; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; + +/** + * Rackspace authentication + */ +class Rackspace extends AuthMechanism { + + public function __construct(IL10N $l) { + $this + ->setIdentifier('openstack::rackspace') + ->setScheme(self::SCHEME_OPENSTACK) + ->setText($l->t('Rackspace')) + ->addParameters([ + (new DefinitionParameter('user', $l->t('Username'))), + (new DefinitionParameter('key', $l->t('API key'))) + ->setType(DefinitionParameter::VALUE_PASSWORD), + ]) + ; + } + +} diff --git a/apps/files_external/lib/auth/publickey/rsa.php b/apps/files_external/lib/auth/publickey/rsa.php new file mode 100644 index 00000000000..f40136dda01 --- /dev/null +++ b/apps/files_external/lib/auth/publickey/rsa.php @@ -0,0 +1,80 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Auth\PublicKey; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; +use \OCA\Files_External\Lib\StorageConfig; +use \OCP\IConfig; +use \phpseclib\Crypt\RSA as RSACrypt; + +/** + * RSA public key authentication + */ +class RSA extends AuthMechanism { + + const CREATE_KEY_BITS = 1024; + + /** @var IConfig */ + private $config; + + public function __construct(IL10N $l, IConfig $config) { + $this->config = $config; + + $this + ->setIdentifier('publickey::rsa') + ->setScheme(self::SCHEME_PUBLICKEY) + ->setText($l->t('RSA public key')) + ->addParameters([ + (new DefinitionParameter('user', $l->t('Username'))), + (new DefinitionParameter('public_key', $l->t('Public key'))), + (new DefinitionParameter('private_key', 'private_key')) + ->setType(DefinitionParameter::VALUE_HIDDEN), + ]) + ->setCustomJs('public_key') + ; + } + + public function manipulateStorageConfig(StorageConfig &$storage) { + $auth = new RSACrypt(); + $auth->setPassword($this->config->getSystemValue('secret', '')); + if (!$auth->loadKey($storage->getBackendOption('private_key'))) { + throw new \RuntimeException('unable to load private key'); + } + $storage->setBackendOption('public_key_auth', $auth); + } + + /** + * Generate a keypair + * + * @return array ['privatekey' => $privateKey, 'publickey' => $publicKey] + */ + public function createKey() { + $rsa = new RSACrypt(); + $rsa->setPublicKeyFormat(RSACrypt::PUBLIC_FORMAT_OPENSSH); + $rsa->setPassword($this->config->getSystemValue('secret', '')); + + return $rsa->createKey(self::CREATE_KEY_BITS); + } + +} diff --git a/apps/files_external/lib/backend/backend.php b/apps/files_external/lib/backend/backend.php index 90d5d38ed94..2a2add3ac59 100644 --- a/apps/files_external/lib/backend/backend.php +++ b/apps/files_external/lib/backend/backend.php @@ -22,7 +22,7 @@ namespace OCA\Files_External\Lib\Backend; use \OCA\Files_External\Lib\StorageConfig; -use \OCA\Files_External\Lib\VisibilityTrait; +use \OCA\Files_External\Lib\PermissionsTrait; use \OCA\Files_External\Lib\FrontendDefinitionTrait; use \OCA\Files_External\Lib\PriorityTrait; use \OCA\Files_External\Lib\DependencyTrait; @@ -43,7 +43,7 @@ use \OCA\Files_External\Lib\Auth\AuthMechanism; * scheme, which are provided from the authentication mechanism. * * This class uses the following traits: - * - VisibilityTrait + * - PermissionsTrait * Restrict usage to admin-only/none * - FrontendDefinitionTrait * Specify configuration parameters and other definitions @@ -56,7 +56,7 @@ use \OCA\Files_External\Lib\Auth\AuthMechanism; */ class Backend implements \JsonSerializable { - use VisibilityTrait; + use PermissionsTrait; use FrontendDefinitionTrait; use PriorityTrait; use DependencyTrait; diff --git a/apps/files_external/lib/backend/local.php b/apps/files_external/lib/backend/local.php index a80b437fab7..a6635491b6e 100644 --- a/apps/files_external/lib/backend/local.php +++ b/apps/files_external/lib/backend/local.php @@ -39,7 +39,7 @@ class Local extends Backend { ->addParameters([ (new DefinitionParameter('datadir', $l->t('Location'))), ]) - ->setAllowedVisibility(BackendService::VISIBILITY_ADMIN) + ->setAllowedPermissions(BackendService::USER_PERSONAL, BackendService::PERMISSION_NONE) ->setPriority(BackendService::PRIORITY_DEFAULT + 50) ->addAuthScheme(AuthMechanism::SCHEME_NULL) ->setLegacyAuthMechanism($legacyAuth) diff --git a/apps/files_external/lib/backend/sftp.php b/apps/files_external/lib/backend/sftp.php index dd0f5d8e2e0..c0bcd27c54b 100644 --- a/apps/files_external/lib/backend/sftp.php +++ b/apps/files_external/lib/backend/sftp.php @@ -43,6 +43,7 @@ class SFTP extends Backend { ->setFlag(DefinitionParameter::FLAG_OPTIONAL), ]) ->addAuthScheme(AuthMechanism::SCHEME_PASSWORD) + ->addAuthScheme(AuthMechanism::SCHEME_PUBLICKEY) ->setLegacyAuthMechanism($legacyAuth) ; } diff --git a/apps/files_external/lib/backend/sftp_key.php b/apps/files_external/lib/backend/sftp_key.php new file mode 100644 index 00000000000..6a75172026d --- /dev/null +++ b/apps/files_external/lib/backend/sftp_key.php @@ -0,0 +1,50 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Backend; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\Backend\Backend; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; +use \OCA\Files_External\Service\BackendService; +use \OCA\Files_External\Lib\Auth\PublicKey\RSA; + +class SFTP_Key extends Backend { + + public function __construct(IL10N $l, RSA $legacyAuth) { + $this + ->setIdentifier('\OC\Files\Storage\SFTP_Key') + ->setStorageClass('\OC\Files\Storage\SFTP') + ->setText($l->t('SFTP with secret key login [DEPRECATED]')) + ->addParameters([ + (new DefinitionParameter('host', $l->t('Host'))), + (new DefinitionParameter('root', $l->t('Remote subfolder'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + ]) + ->removeAllowedPermission(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE) + ->removeAllowedPermission(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE) + ->addAuthScheme(AuthMechanism::SCHEME_PUBLICKEY) + ->setLegacyAuthMechanism($legacyAuth) + ; + } + +} diff --git a/apps/files_external/lib/backend/smb_oc.php b/apps/files_external/lib/backend/smb_oc.php new file mode 100644 index 00000000000..3621682fb8f --- /dev/null +++ b/apps/files_external/lib/backend/smb_oc.php @@ -0,0 +1,69 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Backend; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\Backend\Backend; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; +use \OCA\Files_External\Service\BackendService; +use \OCA\Files_External\Lib\Auth\Password\SessionCredentials; +use \OCA\Files_External\Lib\StorageConfig; + +/** + * Deprecated SMB_OC class - use SMB with the password::sessioncredentials auth mechanism + */ +class SMB_OC extends Backend { + + public function __construct(IL10N $l, SessionCredentials $legacyAuth) { + $this + ->setIdentifier('\OC\Files\Storage\SMB_OC') + ->setStorageClass('\OC\Files\Storage\SMB') + ->setText($l->t('SMB / CIFS using OC login [DEPRECATED]')) + ->addParameters([ + (new DefinitionParameter('host', $l->t('Host'))), + (new DefinitionParameter('username_as_share', $l->t('Username as share'))) + ->setType(DefinitionParameter::VALUE_BOOLEAN), + (new DefinitionParameter('share', $l->t('Share'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + (new DefinitionParameter('root', $l->t('Remote subfolder'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + ]) + ->setDependencyCheck('\OC\Files\Storage\SMB::checkDependencies') + ->removeAllowedPermission(BackendService::USER_PERSONAL, BackendService::PERMISSION_CREATE) + ->removeAllowedPermission(BackendService::USER_ADMIN, BackendService::PERMISSION_CREATE) + ->setPriority(BackendService::PRIORITY_DEFAULT - 10) + ->addAuthScheme(AuthMechanism::SCHEME_PASSWORD) + ->setLegacyAuthMechanism($legacyAuth) + ; + } + + public function manipulateStorageConfig(StorageConfig &$storage) { + $username_as_share = ($storage->getBackendOption('username_as_share') === true); + + if ($username_as_share) { + $share = '/' . $storage->getBackendOption('user'); + $storage->setBackendOption('share', $share); + } + } + +} diff --git a/apps/files_external/lib/backend/swift.php b/apps/files_external/lib/backend/swift.php new file mode 100644 index 00000000000..c0ac7c08345 --- /dev/null +++ b/apps/files_external/lib/backend/swift.php @@ -0,0 +1,60 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@owncloud.com> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib\Backend; + +use \OCP\IL10N; +use \OCA\Files_External\Lib\Backend\Backend; +use \OCA\Files_External\Lib\DefinitionParameter; +use \OCA\Files_External\Lib\Auth\AuthMechanism; +use \OCA\Files_External\Service\BackendService; +use \OCA\Files_External\Lib\Auth\OpenStack\OpenStack; +use \OCA\Files_External\Lib\Auth\OpenStack\Rackspace; + +class Swift extends Backend { + + public function __construct(IL10N $l, OpenStack $openstackAuth, Rackspace $rackspaceAuth) { + $this + ->setIdentifier('swift') + ->addIdentifierAlias('\OC\Files\Storage\Swift') // legacy compat + ->setStorageClass('\OC\Files\Storage\Swift') + ->setText($l->t('OpenStack Object Storage')) + ->addParameters([ + (new DefinitionParameter('service_name', $l->t('Service name'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + (new DefinitionParameter('region', $l->t('Region'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + (new DefinitionParameter('bucket', $l->t('Bucket'))), + (new DefinitionParameter('timeout', $l->t('Request timeout (seconds)'))) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL), + ]) + ->setDependencyCheck('\OC\Files\Storage\Swift::checkDependencies') + ->addAuthScheme(AuthMechanism::SCHEME_OPENSTACK) + ->setLegacyAuthMechanismCallback(function(array $params) use ($openstackAuth, $rackspaceAuth) { + if (isset($params['options']['key']) && $params['options']['key']) { + return $rackspaceAuth; + } + return $openstackAuth; + }) + ; + } + +} diff --git a/apps/files_external/lib/permissionstrait.php b/apps/files_external/lib/permissionstrait.php new file mode 100644 index 00000000000..8509a01e422 --- /dev/null +++ b/apps/files_external/lib/permissionstrait.php @@ -0,0 +1,164 @@ +<?php +/** + * @author Robin McCorkell <rmccorkell@karoshi.org.uk> + * + * @copyright Copyright (c) 2015, ownCloud, Inc. + * @license AGPL-3.0 + * + * This code is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License, version 3, + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License, version 3, + * along with this program. If not, see <http://www.gnu.org/licenses/> + * + */ + +namespace OCA\Files_External\Lib; + +use \OCA\Files_External\Service\BackendService; + +/** + * Trait to implement backend and auth mechanism permissions + * + * For user type constants, see BackendService::USER_* + * For permission constants, see BackendService::PERMISSION_* + */ +trait PermissionsTrait { + + /** @var array [user type => permissions] */ + protected $permissions = [ + BackendService::USER_PERSONAL => BackendService::PERMISSION_DEFAULT, + BackendService::USER_ADMIN => BackendService::PERMISSION_DEFAULT, + ]; + + /** @var array [user type => allowed permissions] */ + protected $allowedPermissions = [ + BackendService::USER_PERSONAL => BackendService::PERMISSION_DEFAULT, + BackendService::USER_ADMIN => BackendService::PERMISSION_DEFAULT, + ]; + + /** + * @param string $userType + * @return int + */ + public function getPermissions($userType) { + if (isset($this->permissions[$userType])) { + return $this->permissions[$userType]; + } + return BackendService::PERMISSION_NONE; + } + + /** + * Check if the user type has permission + * + * @param string $userType + * @param int $permission + * @return bool + */ + public function isPermitted($userType, $permission) { + if ($this->getPermissions($userType) & $permission) { + return true; + } + return false; + } + + /** + * @param string $userType + * @param int $permissions + * @return self + */ + public function setPermissions($userType, $permissions) { + $this->permissions[$userType] = $permissions; + $this->allowedPermissions[$userType] = + $this->getAllowedPermissions($userType) | $permissions; + return $this; + } + + /** + * @param string $userType + * @param int $permission + * @return self + */ + public function addPermission($userType, $permission) { + return $this->setPermissions($userType, + $this->getPermissions($userType) | $permission + ); + } + + /** + * @param string $userType + * @param int $permission + * @return self + */ + public function removePermission($userType, $permission) { + return $this->setPermissions($userType, + $this->getPermissions($userType) & ~$permission + ); + } + + /** + * @param string $userType + * @return int + */ + public function getAllowedPermissions($userType) { + if (isset($this->allowedPermissions[$userType])) { + return $this->allowedPermissions[$userType]; + } + return BackendService::PERMISSION_NONE; + } + + /** + * Check if the user type has an allowed permission + * + * @param string $userType + * @param int $permission + * @return bool + */ + public function isAllowedPermitted($userType, $permission) { + if ($this->getAllowedPermissions($userType) & $permission) { + return true; + } + return false; + } + + /** + * @param string $userType + * @param int $permissions + * @return self + */ + public function setAllowedPermissions($userType, $permissions) { + $this->allowedPermissions[$userType] = $permissions; + $this->permissions[$userType] = + $this->getPermissions($userType) & $permissions; + return $this; + } + + /** + * @param string $userType + * @param int $permission + * @return self + */ + public function addAllowedPermission($userType, $permission) { + return $this->setAllowedPermissions($userType, + $this->getAllowedPermissions($userType) | $permission + ); + } + + /** + * @param string $userType + * @param int $permission + * @return self + */ + public function removeAllowedPermission($userType, $permission) { + return $this->setAllowedPermissions($userType, + $this->getAllowedPermissions($userType) & ~$permission + ); + } + +} diff --git a/apps/files_external/lib/sftp.php b/apps/files_external/lib/sftp.php index 7f921b5342f..921e7283c66 100644 --- a/apps/files_external/lib/sftp.php +++ b/apps/files_external/lib/sftp.php @@ -40,10 +40,11 @@ use phpseclib\Net\SFTP\Stream; class SFTP extends \OC\Files\Storage\Common { private $host; private $user; - private $password; private $root; private $port = 22; + private $auth; + /** * @var SFTP */ @@ -73,8 +74,15 @@ class SFTP extends \OC\Files\Storage\Common { } $this->user = $params['user']; - $this->password - = isset($params['password']) ? $params['password'] : ''; + + if (isset($params['public_key_auth'])) { + $this->auth = $params['public_key_auth']; + } elseif (isset($params['password'])) { + $this->auth = $params['password']; + } else { + throw new \UnexpectedValueException('no authentication parameters specified'); + } + $this->root = isset($params['root']) ? $this->cleanPath($params['root']) : '/'; @@ -112,7 +120,7 @@ class SFTP extends \OC\Files\Storage\Common { $this->writeHostKeys($hostKeys); } - if (!$this->client->login($this->user, $this->password)) { + if (!$this->client->login($this->user, $this->auth)) { throw new \Exception('Login failed'); } return $this->client; @@ -125,7 +133,6 @@ class SFTP extends \OC\Files\Storage\Common { if ( !isset($this->host) || !isset($this->user) - || !isset($this->password) ) { return false; } diff --git a/apps/files_external/lib/sftp_key.php b/apps/files_external/lib/sftp_key.php deleted file mode 100644 index a193b323678..00000000000 --- a/apps/files_external/lib/sftp_key.php +++ /dev/null @@ -1,215 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Ross Nicoll <jrn@jrn.me.uk> - * - * @copyright Copyright (c) 2015, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ -namespace OC\Files\Storage; - -use phpseclib\Crypt\RSA; - -class SFTP_Key extends \OC\Files\Storage\SFTP { - private $publicKey; - private $privateKey; - - /** - * {@inheritdoc} - */ - public function __construct($params) { - parent::__construct($params); - $this->publicKey = $params['public_key']; - $this->privateKey = $params['private_key']; - } - - /** - * Returns the connection. - * - * @return \phpseclib\Net\SFTP connected client instance - * @throws \Exception when the connection failed - */ - public function getConnection() { - if (!is_null($this->client)) { - return $this->client; - } - - $hostKeys = $this->readHostKeys(); - $this->client = new \phpseclib\Net\SFTP($this->getHost()); - - // The SSH Host Key MUST be verified before login(). - $currentHostKey = $this->client->getServerPublicHostKey(); - if (array_key_exists($this->getHost(), $hostKeys)) { - if ($hostKeys[$this->getHost()] !== $currentHostKey) { - throw new \Exception('Host public key does not match known key'); - } - } else { - $hostKeys[$this->getHost()] = $currentHostKey; - $this->writeHostKeys($hostKeys); - } - - $key = $this->getPrivateKey(); - if (is_null($key)) { - throw new \Exception('Secret key could not be loaded'); - } - if (!$this->client->login($this->getUser(), $key)) { - throw new \Exception('Login failed'); - } - return $this->client; - } - - /** - * Returns the private key to be used for authentication to the remote server. - * - * @return RSA instance or null in case of a failure to load the key. - */ - private function getPrivateKey() { - $key = new RSA(); - $key->setPassword(\OC::$server->getConfig()->getSystemValue('secret', '')); - if (!$key->loadKey($this->privateKey)) { - // Should this exception rather than return null? - return null; - } - return $key; - } - - /** - * Throws an exception if the provided host name/address is invalid (cannot be resolved - * and is not an IPv4 address). - * - * @return true; never returns in case of a problem, this return value is used just to - * make unit tests happy. - */ - public function assertHostAddressValid($hostname) { - // TODO: Should handle IPv6 addresses too - if (!preg_match('/^\d+\.\d+\.\d+\.\d+$/', $hostname) && gethostbyname($hostname) === $hostname) { - // Hostname is not an IPv4 address and cannot be resolved via DNS - throw new \InvalidArgumentException('Cannot resolve hostname.'); - } - return true; - } - - /** - * Throws an exception if the provided port number is invalid (cannot be resolved - * and is not an IPv4 address). - * - * @return true; never returns in case of a problem, this return value is used just to - * make unit tests happy. - */ - public function assertPortNumberValid($port) { - if (!preg_match('/^\d+$/', $port)) { - throw new \InvalidArgumentException('Port number must be a number.'); - } - if ($port < 0 || $port > 65535) { - throw new \InvalidArgumentException('Port number must be between 0 and 65535 inclusive.'); - } - return true; - } - - /** - * Replaces anything that's not an alphanumeric character or "." in a hostname - * with "_", to make it safe for use as part of a file name. - */ - protected function sanitizeHostName($name) { - return preg_replace('/[^\d\w\._]/', '_', $name); - } - - /** - * Replaces anything that's not an alphanumeric character or "_" in a username - * with "_", to make it safe for use as part of a file name. - */ - protected function sanitizeUserName($name) { - return preg_replace('/[^\d\w_]/', '_', $name); - } - - public function test() { - - // FIXME: Use as expression in empty once PHP 5.4 support is dropped - $host = $this->getHost(); - if (empty($host)) { - \OC::$server->getLogger()->warning('Hostname has not been specified'); - return false; - } - // FIXME: Use as expression in empty once PHP 5.4 support is dropped - $user = $this->getUser(); - if (empty($user)) { - \OC::$server->getLogger()->warning('Username has not been specified'); - return false; - } - if (!isset($this->privateKey)) { - \OC::$server->getLogger()->warning('Private key was missing from the request'); - return false; - } - - // Sanity check the host - $hostParts = explode(':', $this->getHost()); - try { - if (count($hostParts) == 1) { - $hostname = $hostParts[0]; - $this->assertHostAddressValid($hostname); - } else if (count($hostParts) == 2) { - $hostname = $hostParts[0]; - $this->assertHostAddressValid($hostname); - $this->assertPortNumberValid($hostParts[1]); - } else { - throw new \Exception('Host connection string is invalid.'); - } - } catch(\Exception $e) { - \OC::$server->getLogger()->warning($e->getMessage()); - return false; - } - - // Validate the key - $key = $this->getPrivateKey(); - if (is_null($key)) { - \OC::$server->getLogger()->warning('Secret key could not be loaded'); - return false; - } - - try { - if ($this->getConnection()->nlist() === false) { - return false; - } - } catch(\Exception $e) { - // We should be throwing a more specific error, so we're not just catching - // Exception here - \OC::$server->getLogger()->warning($e->getMessage()); - return false; - } - - // Save the key somewhere it can easily be extracted later - if (\OC::$server->getUserSession()->getUser()) { - $view = new \OC\Files\View('/'.\OC::$server->getUserSession()->getUser()->getUId().'/files_external/sftp_keys'); - if (!$view->is_dir('')) { - if (!$view->mkdir('')) { - \OC::$server->getLogger()->warning('Could not create secret key directory.'); - return false; - } - } - $key_filename = $this->sanitizeUserName($this->getUser()).'@'.$this->sanitizeHostName($hostname).'.pub'; - $key_file = $view->fopen($key_filename, "w"); - if ($key_file) { - fwrite($key_file, $this->publicKey); - fclose($key_file); - } else { - \OC::$server->getLogger()->warning('Could not write secret key file.'); - } - } - - return true; - } -} diff --git a/apps/files_external/lib/smb_oc.php b/apps/files_external/lib/smb_oc.php deleted file mode 100644 index 547caa5ecbf..00000000000 --- a/apps/files_external/lib/smb_oc.php +++ /dev/null @@ -1,126 +0,0 @@ -<?php -/** - * @author Lukas Reschke <lukas@owncloud.com> - * @author Morris Jobke <hey@morrisjobke.de> - * @author Robin Appelman <icewind@owncloud.com> - * @author Robin McCorkell <rmccorkell@karoshi.org.uk> - * - * @copyright Copyright (c) 2015, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OC\Files\Storage; - - -use Icewind\SMB\Exception\AccessDeniedException; -use Icewind\SMB\Exception\Exception; -use Icewind\SMB\Server; - -class SMB_OC extends SMB { - private $username_as_share; - - /** - * @param array $params - * @throws \Exception - */ - public function __construct($params) { - if (isset($params['host'])) { - $host = $params['host']; - $this->username_as_share = ($params['username_as_share'] === true); - - // dummy credentials, unused, to satisfy constructor - $user = 'foo'; - $password = 'bar'; - if (\OC::$server->getSession()->exists('smb-credentials')) { - $params_auth = json_decode(\OC::$server->getCrypto()->decrypt(\OC::$server->getSession()->get('smb-credentials')), true); - $user = \OC::$server->getSession()->get('loginname'); - $password = $params_auth['password']; - } else { - // assume we are testing from the admin section - } - - $root = isset($params['root']) ? $params['root'] : '/'; - $share = ''; - - if ($this->username_as_share) { - $share = '/' . $user; - } elseif (isset($params['share'])) { - $share = $params['share']; - } else { - throw new \Exception(); - } - parent::__construct(array( - "user" => $user, - "password" => $password, - "host" => $host, - "share" => $share, - "root" => $root - )); - } else { - throw new \Exception(); - } - } - - - /** - * Intercepts the user credentials on login and stores them - * encrypted inside the session if SMB_OC storage is enabled. - * @param array $params - */ - public static function login($params) { - $mountpoints = \OC_Mount_Config::getAbsoluteMountPoints($params['uid']); - $mountpointClasses = array(); - foreach($mountpoints as $mountpoint) { - $mountpointClasses[$mountpoint['class']] = true; - } - if(isset($mountpointClasses['\OC\Files\Storage\SMB_OC'])) { - \OC::$server->getSession()->set('smb-credentials', \OC::$server->getCrypto()->encrypt(json_encode($params))); - } - } - - /** - * @param string $path - * @return boolean - */ - public function isSharable($path) { - return false; - } - - /** - * @param bool $isPersonal - * @return bool - */ - public function test($isPersonal = true) { - if ($isPersonal) { - if ($this->stat('')) { - return true; - } - return false; - } else { - $server = new Server($this->server->getHost(), '', ''); - - try { - $server->listShares(); - return true; - } catch (AccessDeniedException $e) { - // expected due to anonymous login - return true; - } catch (Exception $e) { - return false; - } - } - } -} diff --git a/apps/files_external/lib/visibilitytrait.php b/apps/files_external/lib/visibilitytrait.php deleted file mode 100644 index dfd2d323ca6..00000000000 --- a/apps/files_external/lib/visibilitytrait.php +++ /dev/null @@ -1,136 +0,0 @@ -<?php -/** - * @author Robin McCorkell <rmccorkell@karoshi.org.uk> - * - * @copyright Copyright (c) 2015, ownCloud, Inc. - * @license AGPL-3.0 - * - * This code is free software: you can redistribute it and/or modify - * it under the terms of the GNU Affero General Public License, version 3, - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Affero General Public License for more details. - * - * You should have received a copy of the GNU Affero General Public License, version 3, - * along with this program. If not, see <http://www.gnu.org/licenses/> - * - */ - -namespace OCA\Files_External\Lib; - -use \OCA\Files_External\Service\BackendService; - -/** - * Trait to implement visibility mechanics for a configuration class - * - * The standard visibility defines which users/groups can use or see the - * object. The allowed visibility defines the maximum visibility allowed to be - * set on the object. The standard visibility is often set dynamically by - * stored configuration parameters that can be modified by the administrator, - * while the allowed visibility is set directly by the object and cannot be - * modified by the administrator. - */ -trait VisibilityTrait { - - /** @var int visibility */ - protected $visibility = BackendService::VISIBILITY_DEFAULT; - - /** @var int allowed visibilities */ - protected $allowedVisibility = BackendService::VISIBILITY_DEFAULT; - - /** - * @return int - */ - public function getVisibility() { - return $this->visibility; - } - - /** - * Check if the backend is visible for a user type - * - * @param int $visibility - * @return bool - */ - public function isVisibleFor($visibility) { - if ($this->visibility & $visibility) { - return true; - } - return false; - } - - /** - * @param int $visibility - * @return self - */ - public function setVisibility($visibility) { - $this->visibility = $visibility; - $this->allowedVisibility |= $visibility; - return $this; - } - - /** - * @param int $visibility - * @return self - */ - public function addVisibility($visibility) { - return $this->setVisibility($this->visibility | $visibility); - } - - /** - * @param int $visibility - * @return self - */ - public function removeVisibility($visibility) { - return $this->setVisibility($this->visibility & ~$visibility); - } - - /** - * @return int - */ - public function getAllowedVisibility() { - return $this->allowedVisibility; - } - - /** - * Check if the backend is allowed to be visible for a user type - * - * @param int $allowedVisibility - * @return bool - */ - public function isAllowedVisibleFor($allowedVisibility) { - if ($this->allowedVisibility & $allowedVisibility) { - return true; - } - return false; - } - - /** - * @param int $allowedVisibility - * @return self - */ - public function setAllowedVisibility($allowedVisibility) { - $this->allowedVisibility = $allowedVisibility; - $this->visibility &= $allowedVisibility; - return $this; - } - - /** - * @param int $allowedVisibility - * @return self - */ - public function addAllowedVisibility($allowedVisibility) { - return $this->setAllowedVisibility($this->allowedVisibility | $allowedVisibility); - } - - /** - * @param int $allowedVisibility - * @return self - */ - public function removeAllowedVisibility($allowedVisibility) { - return $this->setAllowedVisibility($this->allowedVisibility & ~$allowedVisibility); - } - -} |