From a96d46198871f1c77fc160a6da0814c91a57338e Mon Sep 17 00:00:00 2001
From: Arthur Schiwon <blizzz@arthur-schiwon.de>
Date: Wed, 20 Oct 2021 22:39:13 +0200
Subject: add KerberosApacheAuth support to files_external

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
---
 .../lib/Lib/Auth/SMB/KerberosApacheAuth.php        | 46 ++++++++++++++++++++++
 apps/files_external/lib/Lib/Backend/SMB.php        | 33 +++++++++++++---
 2 files changed, 74 insertions(+), 5 deletions(-)
 create mode 100644 apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php

(limited to 'apps/files_external/lib/Lib')

diff --git a/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
new file mode 100644
index 00000000000..64503810225
--- /dev/null
+++ b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @author Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Files_External\Lib\Auth\SMB;
+
+use OCA\Files_External\Lib\Auth\AuthMechanism;
+use OCP\Authentication\LoginCredentials\IStore;
+use OCP\IL10N;
+
+class KerberosApacheAuth extends AuthMechanism {
+	/** @var IStore */
+	private $credentialsStore;
+
+	public function __construct(IL10N $l, IStore $credentialsStore) {
+		$this
+			->setIdentifier('smb::kerberosapache')
+			->setScheme(self::SCHEME_SMB)
+			->setText($l->t('Kerberos ticket apache mode'));
+		$this->credentialsStore = $credentialsStore;
+	}
+
+	public function getCredentialsStore(): IStore {
+		return $this->credentialsStore;
+	}
+}
diff --git a/apps/files_external/lib/Lib/Backend/SMB.php b/apps/files_external/lib/Lib/Backend/SMB.php
index 867648824ac..99e48b1433d 100644
--- a/apps/files_external/lib/Lib/Backend/SMB.php
+++ b/apps/files_external/lib/Lib/Backend/SMB.php
@@ -24,16 +24,18 @@
  * along with this program. If not, see <http://www.gnu.org/licenses/>
  *
  */
+
 namespace OCA\Files_External\Lib\Backend;
 
 use Icewind\SMB\BasicAuth;
+use Icewind\SMB\KerberosApacheAuth;
 use Icewind\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Auth\AuthMechanism;
 use OCA\Files_External\Lib\Auth\Password\Password;
 use OCA\Files_External\Lib\DefinitionParameter;
+use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
 use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
 use OCA\Files_External\Lib\StorageConfig;
-
 use OCP\IL10N;
 use OCP\IUser;
 
@@ -69,10 +71,6 @@ class SMB extends Backend {
 			->setLegacyAuthMechanism($legacyAuth);
 	}
 
-	/**
-	 * @param StorageConfig $storage
-	 * @param IUser $user
-	 */
 	public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) {
 		$auth = $storage->getAuthMechanism();
 		if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
@@ -89,6 +87,31 @@ class SMB extends Backend {
 			switch ($auth->getIdentifier()) {
 				case 'smb::kerberos':
 					$smbAuth = new KerberosAuth();
+					break;
+				case 'smb::kerberosapache':
+					$credentialsStore = $auth->getCredentialsStore();
+					$kerb_auth = new KerberosApacheAuth();
+					if ($kerb_auth->checkTicket()) {
+						$kerb_auth->registerApacheKerberosTicket();
+						$smbAuth = $kerb_auth;
+					} else {
+						try {
+							$credentials = $credentialsStore->getLoginCredentials();
+							$user = $credentials->getLoginName();
+							$pass = $credentials->getPassword();
+							if (preg_match('/(.*)@(.*)/', $user, $matches) !== 1) {
+								throw new InsufficientDataForMeaningfulAnswerException('No valid session credentials');
+							}
+							$smbAuth = new BasicAuth(
+								$matches[0],
+								$matches[1],
+								$pass
+							);
+						} catch (\Exception $e) {
+							throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
+						}
+					}
+
 					break;
 				default:
 					throw new \InvalidArgumentException('unknown authentication backend');
-- 
cgit v1.2.3