add KerberosApacheAuth support to files_external

Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
2026-06-10 09:13:19 -04:00 · 2021-10-20 22:39:13 +02:00 · 2021-10-20 22:39:13 +02:00 · 3dc1ed8eff
commit 3dc1ed8eff
parent 92fcdc3509
3 changed files with 78 additions and 7 deletions
--- a/apps/files_external/lib/AppInfo/Application.php
+++ b/apps/files_external/lib/AppInfo/Application.php
@ -31,8 +31,6 @@ namespace OCA\Files_External\AppInfo;

 use OCA\Files_External\Config\ConfigAdapter;
 use OCA\Files_External\Config\UserPlaceholderHandler;
-use OCA\Files_External\Listener\GroupDeletedListener;
-use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Lib\Auth\AmazonS3\AccessKey;
 use OCA\Files_External\Lib\Auth\Builtin;
 use OCA\Files_External\Lib\Auth\NullMechanism;
@ -49,6 +47,7 @@ use OCA\Files_External\Lib\Auth\Password\UserGlobalAuth;
 use OCA\Files_External\Lib\Auth\Password\UserProvided;
 use OCA\Files_External\Lib\Auth\PublicKey\RSA;
 use OCA\Files_External\Lib\Auth\PublicKey\RSAPrivateKey;
+use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth;
 use OCA\Files_External\Lib\Auth\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Backend\AmazonS3;
 use OCA\Files_External\Lib\Backend\DAV;
@ -62,6 +61,8 @@ use OCA\Files_External\Lib\Backend\SMB_OC;
 use OCA\Files_External\Lib\Backend\Swift;
 use OCA\Files_External\Lib\Config\IAuthMechanismProvider;
 use OCA\Files_External\Lib\Config\IBackendProvider;
+use OCA\Files_External\Listener\GroupDeletedListener;
+use OCA\Files_External\Listener\UserDeletedListener;
 use OCA\Files_External\Service\BackendService;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@ -180,6 +181,7 @@ class Application extends App implements IBackendProvider, IAuthMechanismProvide
 			// Specialized mechanisms
 			$container->query(AccessKey::class),
 			$container->query(KerberosAuth::class),
+			$container->query(KerberosApacheAuth::class),
 		];
 	}
 }
--- a/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
+++ b/apps/files_external/lib/Lib/Auth/SMB/KerberosApacheAuth.php
@ -0,0 +1,46 @@
+<?php
+
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @author Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Files_External\Lib\Auth\SMB;
+
+use OCA\Files_External\Lib\Auth\AuthMechanism;
+use OCP\Authentication\LoginCredentials\IStore;
+use OCP\IL10N;
+
+class KerberosApacheAuth extends AuthMechanism {
+	/** @var IStore */
+	private $credentialsStore;
+
+	public function __construct(IL10N $l, IStore $credentialsStore) {
+		$this
+			->setIdentifier('smb::kerberosapache')
+			->setScheme(self::SCHEME_SMB)
+			->setText($l->t('Kerberos ticket apache mode'));
+		$this->credentialsStore = $credentialsStore;
+	}
+
+	public function getCredentialsStore(): IStore {
+		return $this->credentialsStore;
+	}
+}
--- a/apps/files_external/lib/Lib/Backend/SMB.php
+++ b/apps/files_external/lib/Lib/Backend/SMB.php
@ -24,16 +24,18 @@
 * along with this program. If not, see <http://www.gnu.org/licenses/>
 *
 */
+
 namespace OCA\Files_External\Lib\Backend;

 use Icewind\SMB\BasicAuth;
+use Icewind\SMB\KerberosApacheAuth;
 use Icewind\SMB\KerberosAuth;
 use OCA\Files_External\Lib\Auth\AuthMechanism;
 use OCA\Files_External\Lib\Auth\Password\Password;
 use OCA\Files_External\Lib\DefinitionParameter;
+use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
 use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
 use OCA\Files_External\Lib\StorageConfig;
-
 use OCP\IL10N;
 use OCP\IUser;

@ -69,10 +71,6 @@ class SMB extends Backend {
 			->setLegacyAuthMechanism($legacyAuth);
 	}

-	/**
-	 * @param StorageConfig $storage
-	 * @param IUser $user
-	 */
 	public function manipulateStorageConfig(StorageConfig &$storage, IUser $user = null) {
 		$auth = $storage->getAuthMechanism();
 		if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
@ -89,6 +87,31 @@ class SMB extends Backend {
 			switch ($auth->getIdentifier()) {
 				case 'smb::kerberos':
 					$smbAuth = new KerberosAuth();
+					break;
+				case 'smb::kerberosapache':
+					$credentialsStore = $auth->getCredentialsStore();
+					$kerb_auth = new KerberosApacheAuth();
+					if ($kerb_auth->checkTicket()) {
+						$kerb_auth->registerApacheKerberosTicket();
+						$smbAuth = $kerb_auth;
+					} else {
+						try {
+							$credentials = $credentialsStore->getLoginCredentials();
+							$user = $credentials->getLoginName();
+							$pass = $credentials->getPassword();
+							if (preg_match('/(.*)@(.*)/', $user, $matches) !== 1) {
+								throw new InsufficientDataForMeaningfulAnswerException('No valid session credentials');
+							}
+							$smbAuth = new BasicAuth(
+								$matches[0],
+								$matches[1],
+								$pass
+							);
+						} catch (\Exception $e) {
+							throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
+						}
+					}
+
 					break;
 				default:
 					throw new \InvalidArgumentException('unknown authentication backend');