aboutsummaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
authorLukas Reschke <lukas@statuscode.ch>2017-05-18 20:09:51 +0200
committerLukas Reschke <lukas@statuscode.ch>2017-05-18 20:49:10 +0200
commitdf3909a7c360f079d3e47401414a38dc7f3494cf (patch)
tree05436400229200b893df2e92a6d239d9e1fd1af4 /apps
parent30552090bccc0d77446d57f5b94ae27ad2d81186 (diff)
downloadnextcloud-server-df3909a7c360f079d3e47401414a38dc7f3494cf.tar.gz
nextcloud-server-df3909a7c360f079d3e47401414a38dc7f3494cf.zip
Use Bearer backend for SabreDAV
Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
Diffstat (limited to 'apps')
-rw-r--r--apps/dav/lib/Connector/Sabre/Auth.php12
-rw-r--r--apps/dav/lib/Connector/Sabre/BearerAuth.php76
-rw-r--r--apps/dav/lib/Server.php8
-rw-r--r--apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php88
-rw-r--r--apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php24
-rw-r--r--apps/oauth2/lib/Exceptions/ClientNotFoundException.php24
6 files changed, 220 insertions, 12 deletions
diff --git a/apps/dav/lib/Connector/Sabre/Auth.php b/apps/dav/lib/Connector/Sabre/Auth.php
index 7ddbb70530a..9147e79594c 100644
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@@ -211,18 +211,6 @@ class Auth extends AbstractBasic {
private function auth(RequestInterface $request, ResponseInterface $response) {
$forcedLogout = false;
- $authHeader = $request->getHeader('Authorization');
- if (strpos($authHeader, 'Bearer ') !== false) {
- if($this->userSession->tryTokenLogin($this->request)) {
- $this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
- $user = $this->userSession->getUser()->getUID();
- \OC_Util::setupFS($user);
- $this->currentUser = $user;
- $this->session->close();
- return [true, $this->principalPrefix . $user];
- }
- }
-
if(!$this->request->passesCSRFCheck() &&
$this->requiresCSRFCheck()) {
// In case of a fail with POST we need to recheck the credentials
diff --git a/apps/dav/lib/Connector/Sabre/BearerAuth.php b/apps/dav/lib/Connector/Sabre/BearerAuth.php
new file mode 100644
index 00000000000..dd0a1bac292
--- /dev/null
+++ b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUserSession;
+use Sabre\DAV\Auth\Backend\AbstractBearer;
+
+class BearerAuth extends AbstractBearer {
+ /** @var IUserSession */
+ private $userSession;
+ /** @var ISession */
+ private $session;
+ /** @var IRequest */
+ private $request;
+ /** @var string */
+ private $principalPrefix;
+
+ /**
+ * @param IUserSession $userSession
+ * @param ISession $session
+ * @param string $principalPrefix
+ * @param IRequest $request
+ */
+ public function __construct(IUserSession $userSession,
+ ISession $session,
+ IRequest $request,
+ $principalPrefix = 'principals/users/') {
+ $this->userSession = $userSession;
+ $this->session = $session;
+ $this->request = $request;
+ $this->principalPrefix = $principalPrefix;
+ }
+
+ private function setupUserFs($userId) {
+ \OC_Util::setupFS($userId);
+ $this->session->close();
+ return $this->principalPrefix . $userId;
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function validateBearerToken($bearerToken) {
+ \OC_Util::setupFS();
+
+ if(!$this->userSession->isLoggedIn()) {
+ $this->userSession->tryTokenLogin($this->request);
+ }
+ if($this->userSession->isLoggedIn()) {
+ return $this->setupUserFs($this->userSession->getUser()->getUID());
+ }
+
+ return false;
+ }
+}
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index df5b0ea05b6..994ac04033a 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -33,6 +33,7 @@ use OCA\DAV\CardDAV\ImageExportPlugin;
use OCA\DAV\CardDAV\PhotoCache;
use OCA\DAV\Comments\CommentsPlugin;
use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
use OCA\DAV\Connector\Sabre\CommentPropertiesPlugin;
use OCA\DAV\Connector\Sabre\CopyEtagHeaderPlugin;
@@ -52,6 +53,7 @@ use OCP\SabrePluginEvent;
use Sabre\CardDAV\VCFExportPlugin;
use Sabre\DAV\Auth\Plugin;
use OCA\DAV\Connector\Sabre\TagsPlugin;
+use Sabre\HTTP\Auth\Bearer;
use SearchDAV\DAV\SearchPlugin;
class Server {
@@ -100,6 +102,12 @@ class Server {
$event = new SabrePluginEvent($this->server);
$dispatcher->dispatch('OCA\DAV\Connector\Sabre::authInit', $event);
+ $bearerAuthBackend = new BearerAuth(
+ \OC::$server->getUserSession(),
+ \OC::$server->getSession(),
+ \OC::$server->getRequest()
+ );
+ $authPlugin->addBackend($bearerAuthBackend);
// because we are throwing exceptions this plugin has to be the last one
$authPlugin->addBackend($authBackend);
diff --git a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
new file mode 100644
index 00000000000..5eae75eb8e9
--- /dev/null
+++ b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
@@ -0,0 +1,88 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\DAV\Tests\unit\Connector\Sabre;
+
+use OC\Authentication\TwoFactorAuth\Manager;
+use OC\Security\Bruteforce\Throttler;
+use OC\User\Session;
+use OCA\DAV\Connector\Sabre\BearerAuth;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUser;
+use OCP\IUserSession;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Test\TestCase;
+
+/**
+ * @group DB
+ */
+class BearerAuthTest extends TestCase {
+ /** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
+ private $userSession;
+ /** @var ISession|\PHPUnit_Framework_MockObject_MockObject */
+ private $session;
+ /** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
+ private $request;
+ /** @var BearerAuth */
+ private $bearerAuth;
+
+ public function setUp() {
+ parent::setUp();
+
+ $this->userSession = $this->createMock(\OC\User\Session::class);
+ $this->session = $this->createMock(ISession::class);
+ $this->request = $this->createMock(IRequest::class);
+
+ $this->bearerAuth = new BearerAuth(
+ $this->userSession,
+ $this->session,
+ $this->request
+ );
+ }
+
+ public function testValidateBearerTokenNotLoggedIn() {
+ $this->assertFalse($this->bearerAuth->validateBearerToken('Token'));
+ }
+
+ public function testValidateBearerToken() {
+ $this->userSession
+ ->expects($this->at(0))
+ ->method('isLoggedIn')
+ ->willReturn(false);
+ $this->userSession
+ ->expects($this->at(2))
+ ->method('isLoggedIn')
+ ->willReturn(true);
+ $user = $this->createMock(IUser::class);
+ $user
+ ->expects($this->once())
+ ->method('getUID')
+ ->willReturn('admin');
+ $this->userSession
+ ->expects($this->once())
+ ->method('getUser')
+ ->willReturn($user);
+
+ $this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
+ }
+}
diff --git a/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php b/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php
new file mode 100644
index 00000000000..a1eb632a9eb
--- /dev/null
+++ b/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php
@@ -0,0 +1,24 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Exceptions;
+
+class AccessTokenNotFoundException extends \Exception {}
diff --git a/apps/oauth2/lib/Exceptions/ClientNotFoundException.php b/apps/oauth2/lib/Exceptions/ClientNotFoundException.php
new file mode 100644
index 00000000000..b2395c7bc9e
--- /dev/null
+++ b/apps/oauth2/lib/Exceptions/ClientNotFoundException.php
@@ -0,0 +1,24 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Exceptions;
+
+class ClientNotFoundException extends \Exception {}