2011-07-20 10:36:36 -04:00
|
|
|
<?php
|
2024-05-27 11:39:07 -04:00
|
|
|
|
2015-02-26 05:37:37 -05:00
|
|
|
/**
|
2024-05-27 11:39:07 -04:00
|
|
|
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
|
|
|
|
|
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
|
|
|
|
|
* SPDX-License-Identifier: AGPL-3.0-only
|
2015-02-26 05:37:37 -05:00
|
|
|
*/
|
2015-08-30 13:13:01 -04:00
|
|
|
namespace OCA\DAV\Connector\Sabre;
|
2015-02-12 06:29:01 -05:00
|
|
|
|
2015-06-29 06:04:41 -04:00
|
|
|
use Exception;
|
2016-06-17 05:01:35 -04:00
|
|
|
use OC\Authentication\Exceptions\PasswordLoginForbiddenException;
|
2016-06-01 04:42:38 -04:00
|
|
|
use OC\Authentication\TwoFactorAuth\Manager;
|
|
|
|
|
use OC\User\Session;
|
2016-06-17 05:18:27 -04:00
|
|
|
use OCA\DAV\Connector\Sabre\Exception\PasswordLoginForbidden;
|
2023-03-30 09:02:51 -04:00
|
|
|
use OCA\DAV\Connector\Sabre\Exception\TooManyRequests;
|
2024-12-14 04:32:14 -05:00
|
|
|
use OCP\AppFramework\Http;
|
2024-10-10 06:40:31 -04:00
|
|
|
use OCP\Defaults;
|
2016-02-16 07:16:52 -05:00
|
|
|
use OCP\IRequest;
|
2015-10-23 11:26:54 -04:00
|
|
|
use OCP\ISession;
|
2023-08-28 09:50:45 -04:00
|
|
|
use OCP\Security\Bruteforce\IThrottler;
|
2023-03-30 09:02:51 -04:00
|
|
|
use OCP\Security\Bruteforce\MaxDelayReached;
|
2025-01-30 10:56:48 -05:00
|
|
|
use OCP\Server;
|
2022-03-31 09:34:57 -04:00
|
|
|
use Psr\Log\LoggerInterface;
|
2015-06-29 06:04:41 -04:00
|
|
|
use Sabre\DAV\Auth\Backend\AbstractBasic;
|
|
|
|
|
use Sabre\DAV\Exception\NotAuthenticated;
|
|
|
|
|
use Sabre\DAV\Exception\ServiceUnavailable;
|
2015-11-20 07:35:23 -05:00
|
|
|
use Sabre\HTTP\RequestInterface;
|
|
|
|
|
use Sabre\HTTP\ResponseInterface;
|
2015-06-29 06:04:41 -04:00
|
|
|
|
|
|
|
|
class Auth extends AbstractBasic {
|
2020-04-10 10:54:27 -04:00
|
|
|
public const DAV_AUTHENTICATED = 'AUTHENTICATED_TO_DAV_BACKEND';
|
2022-05-05 18:01:08 -04:00
|
|
|
private ?string $currentUser = null;
|
2015-10-23 11:26:54 -04:00
|
|
|
|
2024-10-18 06:04:22 -04:00
|
|
|
public function __construct(
|
|
|
|
|
private ISession $session,
|
2024-12-14 04:32:14 -05:00
|
|
|
private Session $userSession,
|
2024-10-18 06:04:22 -04:00
|
|
|
private IRequest $request,
|
2024-12-14 04:32:14 -05:00
|
|
|
private Manager $twoFactorManager,
|
2024-10-18 06:04:22 -04:00
|
|
|
private IThrottler $throttler,
|
|
|
|
|
string $principalPrefix = 'principals/users/',
|
|
|
|
|
) {
|
2016-01-20 15:08:23 -05:00
|
|
|
$this->principalPrefix = $principalPrefix;
|
2016-06-09 07:53:32 -04:00
|
|
|
|
|
|
|
|
// setup realm
|
2024-10-10 06:40:31 -04:00
|
|
|
$defaults = new Defaults();
|
2023-12-21 22:10:07 -05:00
|
|
|
$this->realm = $defaults->getName() ?: 'Nextcloud';
|
2015-10-23 11:26:54 -04:00
|
|
|
}
|
|
|
|
|
|
2015-01-16 08:31:02 -05:00
|
|
|
/**
|
|
|
|
|
* Whether the user has initially authenticated via DAV
|
|
|
|
|
*
|
|
|
|
|
* This is required for WebDAV clients that resent the cookies even when the
|
|
|
|
|
* account was changed.
|
|
|
|
|
*
|
|
|
|
|
* @see https://github.com/owncloud/core/issues/13245
|
|
|
|
|
*/
|
2022-04-12 08:01:13 -04:00
|
|
|
public function isDavAuthenticated(string $username): bool {
|
2015-10-23 11:26:54 -04:00
|
|
|
return !is_null($this->session->get(self::DAV_AUTHENTICATED))
|
|
|
|
|
&& $this->session->get(self::DAV_AUTHENTICATED) === $username;
|
2015-01-16 08:31:02 -05:00
|
|
|
}
|
|
|
|
|
|
2011-07-20 10:36:36 -04:00
|
|
|
/**
|
|
|
|
|
* Validates a username and password
|
|
|
|
|
*
|
|
|
|
|
* This method should return true or false depending on if login
|
|
|
|
|
* succeeded.
|
|
|
|
|
*
|
2015-01-16 08:31:02 -05:00
|
|
|
* @param string $username
|
|
|
|
|
* @param string $password
|
2011-07-20 10:36:36 -04:00
|
|
|
* @return bool
|
2016-07-20 12:36:15 -04:00
|
|
|
* @throws PasswordLoginForbidden
|
2011-07-20 10:36:36 -04:00
|
|
|
*/
|
2012-09-07 09:22:01 -04:00
|
|
|
protected function validateUserPass($username, $password) {
|
2015-10-23 11:26:54 -04:00
|
|
|
if ($this->userSession->isLoggedIn()
|
|
|
|
|
&& $this->isDavAuthenticated($this->userSession->getUser()->getUID())
|
2015-01-16 08:31:02 -05:00
|
|
|
) {
|
2015-10-23 11:26:54 -04:00
|
|
|
$this->session->close();
|
2011-07-20 10:36:36 -04:00
|
|
|
return true;
|
2012-07-15 15:17:27 -04:00
|
|
|
} else {
|
2016-06-17 05:01:35 -04:00
|
|
|
try {
|
2016-07-20 12:36:15 -04:00
|
|
|
if ($this->userSession->logClientIn($username, $password, $this->request, $this->throttler)) {
|
2016-06-17 05:01:35 -04:00
|
|
|
$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
|
|
|
|
|
$this->session->close();
|
|
|
|
|
return true;
|
|
|
|
|
} else {
|
|
|
|
|
$this->session->close();
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
} catch (PasswordLoginForbiddenException $ex) {
|
2015-10-23 11:26:54 -04:00
|
|
|
$this->session->close();
|
2016-06-17 05:18:27 -04:00
|
|
|
throw new PasswordLoginForbidden();
|
2023-03-30 09:02:51 -04:00
|
|
|
} catch (MaxDelayReached $ex) {
|
|
|
|
|
$this->session->close();
|
|
|
|
|
throw new TooManyRequests();
|
2012-07-15 15:17:27 -04:00
|
|
|
}
|
2011-07-20 10:36:36 -04:00
|
|
|
}
|
|
|
|
|
}
|
2012-12-12 19:30:34 -05:00
|
|
|
|
2013-07-12 07:42:01 -04:00
|
|
|
/**
|
2022-04-12 08:01:13 -04:00
|
|
|
* @return array{bool, string}
|
2015-10-23 11:26:54 -04:00
|
|
|
* @throws NotAuthenticated
|
2015-11-20 07:35:23 -05:00
|
|
|
* @throws ServiceUnavailable
|
2015-06-29 06:04:41 -04:00
|
|
|
*/
|
2020-04-10 10:51:06 -04:00
|
|
|
public function check(RequestInterface $request, ResponseInterface $response) {
|
2015-06-29 06:04:41 -04:00
|
|
|
try {
|
2018-02-13 15:55:24 -05:00
|
|
|
return $this->auth($request, $response);
|
2015-06-29 06:04:41 -04:00
|
|
|
} catch (NotAuthenticated $e) {
|
|
|
|
|
throw $e;
|
|
|
|
|
} catch (Exception $e) {
|
|
|
|
|
$class = get_class($e);
|
|
|
|
|
$msg = $e->getMessage();
|
2025-01-30 10:56:48 -05:00
|
|
|
Server::get(LoggerInterface::class)->error($e->getMessage(), ['exception' => $e]);
|
2015-06-29 06:04:41 -04:00
|
|
|
throw new ServiceUnavailable("$class: $msg");
|
|
|
|
|
}
|
2016-03-23 14:31:17 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks whether a CSRF check is required on the request
|
|
|
|
|
*/
|
2022-04-12 08:01:13 -04:00
|
|
|
private function requiresCSRFCheck(): bool {
|
2025-06-30 09:04:05 -04:00
|
|
|
|
2025-03-13 07:04:30 -04:00
|
|
|
$methodsWithoutCsrf = ['GET', 'HEAD', 'OPTIONS'];
|
|
|
|
|
if (in_array($this->request->getMethod(), $methodsWithoutCsrf)) {
|
2016-03-23 14:31:17 -04:00
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-12 00:16:27 -04:00
|
|
|
// Official Nextcloud clients require no checks
|
2016-03-23 14:31:17 -04:00
|
|
|
if ($this->request->isUserAgent([
|
2017-02-10 04:05:24 -05:00
|
|
|
IRequest::USER_AGENT_CLIENT_DESKTOP,
|
|
|
|
|
IRequest::USER_AGENT_CLIENT_ANDROID,
|
|
|
|
|
IRequest::USER_AGENT_CLIENT_IOS,
|
2016-03-23 14:31:17 -04:00
|
|
|
])) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If not logged-in no check is required
|
|
|
|
|
if (!$this->userSession->isLoggedIn()) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// POST always requires a check
|
|
|
|
|
if ($this->request->getMethod() === 'POST') {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If logged-in AND DAV authenticated no check is required
|
|
|
|
|
if ($this->userSession->isLoggedIn()
|
|
|
|
|
&& $this->isDavAuthenticated($this->userSession->getUser()->getUID())) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
2014-03-10 09:40:36 -04:00
|
|
|
|
|
|
|
|
/**
|
2022-04-12 08:01:13 -04:00
|
|
|
* @return array{bool, string}
|
2016-02-16 07:16:52 -05:00
|
|
|
* @throws NotAuthenticated
|
2014-03-10 09:40:36 -04:00
|
|
|
*/
|
2022-04-12 08:01:13 -04:00
|
|
|
private function auth(RequestInterface $request, ResponseInterface $response): array {
|
2016-03-23 14:31:17 -04:00
|
|
|
$forcedLogout = false;
|
2017-05-04 17:46:59 -04:00
|
|
|
|
2016-03-23 14:31:17 -04:00
|
|
|
if (!$this->request->passesCSRFCheck()
|
|
|
|
|
&& $this->requiresCSRFCheck()) {
|
|
|
|
|
// In case of a fail with POST we need to recheck the credentials
|
|
|
|
|
if ($this->request->getMethod() === 'POST') {
|
|
|
|
|
$forcedLogout = true;
|
|
|
|
|
} else {
|
2024-12-14 04:32:14 -05:00
|
|
|
$response->setStatus(Http::STATUS_UNAUTHORIZED);
|
2016-02-16 07:16:52 -05:00
|
|
|
throw new \Sabre\DAV\Exception\NotAuthenticated('CSRF check not passed.');
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-23 14:31:17 -04:00
|
|
|
if ($forcedLogout) {
|
|
|
|
|
$this->userSession->logout();
|
|
|
|
|
} else {
|
2016-08-24 04:42:07 -04:00
|
|
|
if ($this->twoFactorManager->needsSecondFactor($this->userSession->getUser())) {
|
2016-06-01 04:42:38 -04:00
|
|
|
throw new \Sabre\DAV\Exception\NotAuthenticated('2FA challenge not passed.');
|
|
|
|
|
}
|
2018-10-30 17:11:17 -04:00
|
|
|
if (
|
2016-03-23 14:31:17 -04:00
|
|
|
//Fix for broken webdav clients
|
|
|
|
|
($this->userSession->isLoggedIn() && is_null($this->session->get(self::DAV_AUTHENTICATED)))
|
|
|
|
|
//Well behaved clients that only send the cookie are allowed
|
2024-06-27 14:24:35 -04:00
|
|
|
|| ($this->userSession->isLoggedIn() && $this->session->get(self::DAV_AUTHENTICATED) === $this->userSession->getUser()->getUID() && empty($request->getHeader('Authorization')))
|
2018-10-30 17:11:17 -04:00
|
|
|
|| \OC_User::handleApacheAuth()
|
2016-03-23 14:31:17 -04:00
|
|
|
) {
|
2025-07-11 11:07:44 -04:00
|
|
|
$user = $this->userSession->getUser()->getUID();
|
|
|
|
|
$this->currentUser = $user;
|
2016-03-23 14:31:17 -04:00
|
|
|
$this->session->close();
|
2025-07-11 11:07:44 -04:00
|
|
|
return [true, $this->principalPrefix . $user];
|
2016-03-23 14:31:17 -04:00
|
|
|
}
|
2013-07-12 07:42:01 -04:00
|
|
|
}
|
|
|
|
|
|
2016-03-18 18:31:11 -04:00
|
|
|
$data = parent::check($request, $response);
|
|
|
|
|
if ($data[0] === true) {
|
|
|
|
|
$startPos = strrpos($data[1], '/') + 1;
|
|
|
|
|
$user = $this->userSession->getUser()->getUID();
|
|
|
|
|
$data[1] = substr_replace($data[1], $user, $startPos);
|
2024-05-06 14:17:24 -04:00
|
|
|
} elseif (in_array('XMLHttpRequest', explode(',', $request->getHeader('X-Requested-With') ?? ''))) {
|
|
|
|
|
// For ajax requests use dummy auth name to prevent browser popup in case of invalid creditials
|
|
|
|
|
$response->addHeader('WWW-Authenticate', 'DummyBasic realm="' . $this->realm . '"');
|
2024-12-14 04:32:14 -05:00
|
|
|
$response->setStatus(Http::STATUS_UNAUTHORIZED);
|
2024-05-06 14:17:24 -04:00
|
|
|
throw new \Sabre\DAV\Exception\NotAuthenticated('Cannot authenticate over ajax calls');
|
2016-03-18 18:31:11 -04:00
|
|
|
}
|
|
|
|
|
return $data;
|
2014-03-10 09:40:36 -04:00
|
|
|
}
|
2012-08-29 02:38:33 -04:00
|
|
|
}
|
