Authentication mechanisms for external storage backends

A backend can now specify generic authentication schemes that it
supports, instead of specifying the parameters for its authentication
method directly. This allows multiple authentication mechanisms to be
implemented for a single scheme, providing altered functionality.

This commit introduces the backend framework for this feature, and so at
this point the UI will be broken as the frontend does not specify the
required information.

Terminology:
 - authentication scheme
    Parameter interface for the authentication method. A backend
    supporting the 'password' scheme accepts two parameters, 'user' and
    'password'.
 - authentication mechanism
    Specific mechanism implementing a scheme. Basic mechanisms may
    forward configuration options directly to the backend, more advanced
    ones may lookup parameters or retrieve them from the session

New dropdown selector for external storage configurations to select the
authentication mechanism to be used.

Authentication mechanisms can have visibilities, just like backends.
The API was extended too to make it easier to add/remove visibilities.
In addition, the concept of 'allowed visibility' has been introduced, so
a backend/auth mechanism can force a maximum visibility level (e.g.
Local storage type) that cannot be overridden by configuration in the
web UI.

An authentication mechanism is a fully instantiated implementation. This
allows an implementation to have dependencies injected into it, e.g. an
\OCP\IDB for database operations.

When a StorageConfig is being prepared for mounting, the authentication
mechanism implementation has manipulateStorage() called,
which inserts the relevant authentication method options into the
storage ready for mounting.

2 files changed, 114 insertions, 0 deletions

diff --git a/apps/files_external/service/backendservice.php b/apps/files_external/service/backendservice.php
index f5859bc7272..c1abbcf2b7c 100644
--- a/apps/files_external/service/backendservice.php
+++ b/apps/files_external/service/backendservice.php
@@ -24,6 +24,7 @@ namespace OCA\Files_External\Service;
 use \OCP\IConfig;
 
 use \OCA\Files_External\Lib\Backend\Backend;
+use \OCA\Files_External\Lib\Auth\AuthMechanism;
 
 /**
  * Service class to manage backend definitions
@@ -53,6 +54,9 @@ class BackendService {
 	/** @var Backend[] */
 	private $backends = [];
 
+	/** @var AuthMechanism[] */
+	private $authMechanisms = [];
+
 	/**
 	 * @param IConfig $config
 	 */
@@ -90,6 +94,26 @@ class BackendService {
 			$this->registerBackend($backend);
 		}
 	}
+	/**
+	 * Register an authentication mechanism
+	 *
+	 * @param AuthMechanism $authMech
+	 */
+	public function registerAuthMechanism(AuthMechanism $authMech) {
+		if (!$this->isAllowedAuthMechanism($authMech)) {
+			$authMech->removeVisibility(BackendService::VISIBILITY_PERSONAL);
+		}
+		$this->authMechanisms[$authMech->getClass()] = $authMech;
+	}
+
+	/**
+	 * @param AuthMechanism[] $mechanisms
+	 */
+	public function registerAuthMechanisms(array $mechanisms) {
+		foreach ($mechanisms as $mechanism) {
+			$this->registerAuthMechanism($mechanism);
+		}
+	}
 
 	/**
 	 * Get all backends
@@ -147,6 +171,63 @@ class BackendService {
 	}
 
 	/**
+	 * Get all authentication mechanisms
+	 *
+	 * @return AuthMechanism[]
+	 */
+	public function getAuthMechanisms() {
+		return $this->authMechanisms;
+	}
+
+	/**
+	 * Get all authentication mechanisms for schemes
+	 *
+	 * @param string[] $schemes
+	 * @return AuthMechanism[]
+	 */
+	public function getAuthMechanismsByScheme(array $schemes) {
+		return array_filter($this->getAuthMechanisms(), function($authMech) use ($schemes) {
+			return in_array($authMech->getScheme(), $schemes, true);
+		});
+	}
+
+	/**
+	 * Get authentication mechanisms visible for $visibleFor
+	 *
+	 * @param int $visibleFor
+	 * @return AuthMechanism[]
+	 */
+	public function getAuthMechanismsVisibleFor($visibleFor) {
+		return array_filter($this->getAuthMechanisms(), function($authMechanism) use ($visibleFor) {
+			return $authMechanism->isVisibleFor($visibleFor);
+		});
+	}
+
+	/**
+	 * Get authentication mechanisms allowed to be visible for $visibleFor
+	 *
+	 * @param int $visibleFor
+	 * @return AuthMechanism[]
+	 */
+	public function getAuthMechanismsAllowedVisibleFor($visibleFor) {
+		return array_filter($this->getAuthMechanisms(), function($authMechanism) use ($visibleFor) {
+			return $authMechanism->isAllowedVisibleFor($visibleFor);
+		});
+	}
+
+
+	/**
+	 * @param string $class
+	 * @return AuthMechanism|null
+	 */
+	public function getAuthMechanism($class) {
+		if (isset($this->authMechanisms[$class])) {
+			return $this->authMechanisms[$class];
+		}
+		return null;
+	}
+
+	/**
 	 * @return bool
 	 */
 	public function isUserMountingAllowed() {
@@ -167,4 +248,14 @@ class BackendService {
 		}
 		return false;
 	}
+
+	/**
+	 * Check an authentication mechanism if a user is allowed to use it
+	 *
+	 * @param AuthMechanism $authMechanism
+	 * @return bool
+	 */
+	protected function isAllowedAuthMechanism(AuthMechanism $authMechanism) {
+		return true; // not implemented
+	}
 }
diff --git a/apps/files_external/service/storagesservice.php b/apps/files_external/service/storagesservice.php
index d3bde0ae96c..b8a1824ba23 100644
--- a/apps/files_external/service/storagesservice.php
+++ b/apps/files_external/service/storagesservice.php
@@ -82,8 +82,22 @@ abstract class StoragesService {
 		$storageOptions
 	) {
 		$backend = $this->backendService->getBackend($storageOptions['class']);
+		if (!$backend) {
+			throw new \UnexpectedValueException('Invalid backend class');
+		}
 		$storageConfig->setBackend($backend);
 
+		if (isset($storageOptions['authMechanism'])) {
+			$authMechanism = $this->backendService->getAuthMechanism($storageOptions['authMechanism']);
+		} else {
+			$authMechanism = $backend->getLegacyAuthMechanism($storageOptions);
+			$storageOptions['authMechanism'] = 'null'; // to make error handling easier
+		}
+		if (!$authMechanism) {
+			throw new \UnexpectedValueException('Invalid authentication mechanism class');
+		}
+		$storageConfig->setAuthMechanism($authMechanism);
+
 		$storageConfig->setBackendOptions($storageOptions['options']);
 		if (isset($storageOptions['mountOptions'])) {
 			$storageConfig->setMountOptions($storageOptions['mountOptions']);
@@ -128,6 +142,7 @@ abstract class StoragesService {
 		 *     - "priority": storage priority
 		 *     - "backend": backend class name
 		 *     - "options": backend-specific options
+		 *     - "authMechanism": authentication mechanism class name
 		 *     - "mountOptions": mount-specific options (ex: disable previews, scanner, etc)
 		 */
 
@@ -257,6 +272,7 @@ abstract class StoragesService {
 		$options = [
 			'id' => $storageConfig->getId(),
 			'class' => $storageConfig->getBackend()->getClass(),
+			'authMechanism' => $storageConfig->getAuthMechanism()->getClass(),
 			'options' => $storageConfig->getBackendOptions(),
 		];
 
@@ -335,6 +351,7 @@ abstract class StoragesService {
 	 *
 	 * @param string $mountPoint storage mount point
 	 * @param string $backendClass backend class name
+	 * @param string $authMechanismClass authentication mechanism class
 	 * @param array $backendOptions backend-specific options
 	 * @param array|null $mountOptions mount-specific options
 	 * @param array|null $applicableUsers users for which to mount the storage
@@ -346,6 +363,7 @@ abstract class StoragesService {
 	public function createStorage(
 		$mountPoint,
 		$backendClass,
+		$authMechanismClass,
 		$backendOptions,
 		$mountOptions = null,
 		$applicableUsers = null,
@@ -356,9 +374,14 @@ abstract class StoragesService {
 		if (!$backend) {
 			throw new \InvalidArgumentException('Unable to get backend for backend class '.$backendClass);
 		}
+		$authMechanism = $this->backendService->getAuthMechanism($authMechanismClass);
+		if (!$authMechanism) {
+			throw new \InvalidArgumentException('Unable to get authentication mechanism for class '.$authMechanismClass);
+		}
 		$newStorage = new StorageConfig();
 		$newStorage->setMountPoint($mountPoint);
 		$newStorage->setBackend($backend);
+		$newStorage->setAuthMechanism($authMechanism);
 		$newStorage->setBackendOptions($backendOptions);
 		if (isset($mountOptions)) {
 			$newStorage->setMountOptions($mountOptions);