diff options
Diffstat (limited to 'apps/files_external/lib/Lib')
-rw-r--r-- | apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php | 53 | ||||
-rw-r--r-- | apps/files_external/lib/Lib/Backend/SMB.php | 48 |
2 files changed, 96 insertions, 5 deletions
diff --git a/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php new file mode 100644 index 00000000000..88aaa417a87 --- /dev/null +++ b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php @@ -0,0 +1,53 @@ +<?php + +/** + * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl> + * + * @author Robin Appelman <robin@icewind.nl> + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +namespace OCA\Files_External\Lib\Auth\SMB; + +use OCA\Files_External\Lib\Auth\AuthMechanism; +use OCA\Files_External\Lib\DefinitionParameter; +use OCP\Authentication\LoginCredentials\IStore; +use OCP\IL10N; + +class KerberosApacheAuth extends AuthMechanism { + /** @var IStore */ + private $credentialsStore; + + public function __construct(IL10N $l, IStore $credentialsStore) { + $realm = new DefinitionParameter('default_realm', 'Default realm'); + $realm + ->setType(DefinitionParameter::VALUE_TEXT) + ->setFlag(DefinitionParameter::FLAG_OPTIONAL) + ->setTooltip($l->t('Kerberos default realm, defaults to "WORKGROUP"')); + $this + ->setIdentifier('smb::kerberosapache') + ->setScheme(self::SCHEME_SMB) + ->setText($l->t('Kerberos ticket apache mode')) + ->addParameter($realm); + $this->credentialsStore = $credentialsStore; + } + + public function getCredentialsStore(): IStore { + return $this->credentialsStore; + } +} diff --git a/apps/files_external/lib/Lib/Backend/SMB.php b/apps/files_external/lib/Lib/Backend/SMB.php index 867648824ac..57ee866f3c7 100644 --- a/apps/files_external/lib/Lib/Backend/SMB.php +++ b/apps/files_external/lib/Lib/Backend/SMB.php @@ -24,16 +24,19 @@ * along with this program. If not, see <http://www.gnu.org/licenses/> * */ + namespace OCA\Files_External\Lib\Backend; use Icewind\SMB\BasicAuth; +use Icewind\SMB\KerberosApacheAuth; use Icewind\SMB\KerberosAuth; use OCA\Files_External\Lib\Auth\AuthMechanism; use OCA\Files_External\Lib\Auth\Password\Password; +use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism; use OCA\Files_External\Lib\DefinitionParameter; +use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException; use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill; use OCA\Files_External\Lib\StorageConfig; - use OCP\IL10N; use OCP\IUser; @@ -69,10 +72,6 @@ class SMB extends Backend { ->setLegacyAuthMechanism($legacyAuth); } - /** - * @param StorageConfig $storage - * @param IUser $user - */ public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) { $auth = $storage->getAuthMechanism(); if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) { @@ -90,6 +89,45 @@ class SMB extends Backend { case 'smb::kerberos': $smbAuth = new KerberosAuth(); break; + case 'smb::kerberosapache': + if (!$auth instanceof KerberosApacheAuthMechanism) { + throw new \InvalidArgumentException('invalid authentication backend'); + } + $credentialsStore = $auth->getCredentialsStore(); + $kerbAuth = new KerberosApacheAuth(); + // check if a kerberos ticket is available, else fallback to session credentials + if ($kerbAuth->checkTicket()) { + $smbAuth = $kerbAuth; + } else { + try { + $credentials = $credentialsStore->getLoginCredentials(); + $user = $credentials->getLoginName(); + $pass = $credentials->getPassword(); + preg_match('/(.*)@(.*)/', $user, $matches); + $realm = $storage->getBackendOption('default_realm'); + if (empty($realm)) { + $realm = 'WORKGROUP'; + } + $userPart = $matches[1]; + $domainPart = $matches[2]; + if (count($matches) === 0) { + $username = $user; + $workgroup = $realm; + } else { + $username = $userPart; + $workgroup = $domainPart; + } + $smbAuth = new BasicAuth( + $username, + $workgroup, + $pass + ); + } catch (\Exception $e) { + throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved'); + } + } + + break; default: throw new \InvalidArgumentException('unknown authentication backend'); } |