From a7f0e3522586d9c651cc24064bf43a31dfd0d5cc Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Mon, 5 Mar 2018 18:44:39 +0100 Subject: [PATCH 1/5] Add sabredav plugin to register environment auth for dav requests Signed-off-by: Robin Appelman --- appinfo/app.php | 6 +++++ lib/AppInfo/Application.php | 24 ++++++++++++++++- lib/DavPlugin.php | 54 +++++++++++++++++++++++++++++++++++++ 3 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 lib/DavPlugin.php diff --git a/appinfo/app.php b/appinfo/app.php index f29ab5b39..74f8aa875 100644 --- a/appinfo/app.php +++ b/appinfo/app.php @@ -81,6 +81,12 @@ return; } +$app = new \OCA\User_SAML\AppInfo\Application(); +$dispatcher = \OC::$server->getEventDispatcher(); +if ($type === 'environment-variable') { + $app->registerDavAuth(); +} + $redirectSituation = false; $user = $userSession->getUser(); diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php index 0a7a2429f..126099df8 100644 --- a/lib/AppInfo/Application.php +++ b/lib/AppInfo/Application.php @@ -21,9 +21,11 @@ namespace OCA\User_SAML\AppInfo; +use OCA\User_SAML\DavPlugin; use OCA\User_SAML\Middleware\OnlyLoggedInMiddleware; use OCP\AppFramework\App; use OCP\AppFramework\IAppContainer; +use OCP\SabrePluginEvent; class Application extends App { public function __construct(array $urlParams = array()) { @@ -33,12 +35,32 @@ public function __construct(array $urlParams = array()) { /** * Middleware */ - $container->registerService('OnlyLoggedInMiddleware', function(IAppContainer $c){ + $container->registerService('OnlyLoggedInMiddleware', function (IAppContainer $c) { return new OnlyLoggedInMiddleware( $c->query('ControllerMethodReflector'), $c->query('ServerContainer')->getUserSession() ); }); + + $container->registerService(DavPlugin::class, function (IAppContainer $c) { + $server = $c->getServer(); + return new DavPlugin( + $server->getSession(), + $server->getConfig(), + $_SERVER + ); + }); + $container->registerMiddleWare('OnlyLoggedInMiddleware'); } + + public function registerDavAuth() { + + $container = $this->getContainer(); + + $dispatcher = $container->getServer()->getEventDispatcher(); + $dispatcher->addListener('OCA\DAV\Connector\Sabre::addPlugin', function (SabrePluginEvent $event) use ($container) { + $event->getServer()->addPlugin($container->query(DavPlugin::class)); + }); + } } diff --git a/lib/DavPlugin.php b/lib/DavPlugin.php new file mode 100644 index 000000000..1545d71cc --- /dev/null +++ b/lib/DavPlugin.php @@ -0,0 +1,54 @@ + + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OCA\User_SAML; + +use OCP\IConfig; +use OCP\ISession; +use Sabre\DAV\Server; +use Sabre\DAV\ServerPlugin; + +class DavPlugin extends ServerPlugin { + private $session; + private $config; + private $auth; + + public function __construct(ISession $session, IConfig $config, array $auth) { + $this->session = $session; + $this->config = $config; + $this->auth = $auth; + } + + + public function initialize(Server $server) { + // before auth + $server->on('beforeMethod', [$this, 'beforeMethod'], 9); + } + + public function beforeMethod() { + if (!$this->session->exists('user_saml.samlUserData')) { + $uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping'); + if (isset($this->auth[$uidMapping])) { + $this->session->set('user_saml.samlUserData', $this->auth); + } + } + } +} From 57c0a4d47493b79ad96142e2fc5d201e23a5a642 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Mon, 12 Mar 2018 19:07:03 +0100 Subject: [PATCH 2/5] allow anonymous options request Signed-off-by: Robin Appelman --- appinfo/app.php | 5 +---- lib/DavPlugin.php | 25 +++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/appinfo/app.php b/appinfo/app.php index 74f8aa875..57baa188a 100644 --- a/appinfo/app.php +++ b/appinfo/app.php @@ -82,10 +82,7 @@ } $app = new \OCA\User_SAML\AppInfo\Application(); -$dispatcher = \OC::$server->getEventDispatcher(); -if ($type === 'environment-variable') { - $app->registerDavAuth(); -} +$app->registerDavAuth(); $redirectSituation = false; diff --git a/lib/DavPlugin.php b/lib/DavPlugin.php index 1545d71cc..c90c9a687 100644 --- a/lib/DavPlugin.php +++ b/lib/DavPlugin.php @@ -23,13 +23,20 @@ use OCP\IConfig; use OCP\ISession; +use Sabre\DAV\CorePlugin; +use Sabre\DAV\FS\Directory; use Sabre\DAV\Server; use Sabre\DAV\ServerPlugin; +use Sabre\DAV\Tree; +use Sabre\HTTP\RequestInterface; +use Sabre\HTTP\ResponseInterface; class DavPlugin extends ServerPlugin { private $session; private $config; private $auth; + /** @var Server */ + private $server; public function __construct(ISession $session, IConfig $config, array $auth) { $this->session = $session; @@ -41,14 +48,28 @@ public function __construct(ISession $session, IConfig $config, array $auth) { public function initialize(Server $server) { // before auth $server->on('beforeMethod', [$this, 'beforeMethod'], 9); + $this->server = $server; } - public function beforeMethod() { - if (!$this->session->exists('user_saml.samlUserData')) { + public function beforeMethod(RequestInterface $request, ResponseInterface $response) { + if ( + $this->config->getAppValue('user_saml', 'type') === 'environment-variable' && + !$this->session->exists('user_saml.samlUserData') + ) { $uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping'); if (isset($this->auth[$uidMapping])) { $this->session->set('user_saml.samlUserData', $this->auth); } } + + if ($request->getMethod() === 'OPTIONS' && $request->getPath() === '') { + /** @var CorePlugin $corePlugin */ + $corePlugin = $this->server->getPlugin('core'); + // setup a fake tree for anonymous access + $this->server->tree = new Tree(new Directory('')); + $corePlugin->httpOptions($request, $response); + $this->server->sapi->sendResponse($response); + return false; + } } } From e123a8b984931fc07fe52b53710b05314f90a125 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Mon, 19 Mar 2018 17:45:56 +0100 Subject: [PATCH 3/5] set saml user as dav authenticated Signed-off-by: Robin Appelman --- lib/DavPlugin.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/DavPlugin.php b/lib/DavPlugin.php index c90c9a687..00a98d903 100644 --- a/lib/DavPlugin.php +++ b/lib/DavPlugin.php @@ -21,6 +21,7 @@ namespace OCA\User_SAML; +use OCA\DAV\Connector\Sabre\Auth; use OCP\IConfig; use OCP\ISession; use Sabre\DAV\CorePlugin; @@ -58,6 +59,7 @@ public function beforeMethod(RequestInterface $request, ResponseInterface $respo ) { $uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping'); if (isset($this->auth[$uidMapping])) { + $this->session->set(Auth::DAV_AUTHENTICATED, $this->auth[$uidMapping]); $this->session->set('user_saml.samlUserData', $this->auth); } } From b7cab9d7406b170aea446184a25057ab5627a36a Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Wed, 18 Jul 2018 15:14:43 +0200 Subject: [PATCH 4/5] remove anonymous option handling this was moved to core Signed-off-by: Robin Appelman --- lib/DavPlugin.php | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/lib/DavPlugin.php b/lib/DavPlugin.php index 00a98d903..b794b85b5 100644 --- a/lib/DavPlugin.php +++ b/lib/DavPlugin.php @@ -63,15 +63,5 @@ public function beforeMethod(RequestInterface $request, ResponseInterface $respo $this->session->set('user_saml.samlUserData', $this->auth); } } - - if ($request->getMethod() === 'OPTIONS' && $request->getPath() === '') { - /** @var CorePlugin $corePlugin */ - $corePlugin = $this->server->getPlugin('core'); - // setup a fake tree for anonymous access - $this->server->tree = new Tree(new Directory('')); - $corePlugin->httpOptions($request, $response); - $this->server->sapi->sendResponse($response); - return false; - } } } From 847d2e097995ae435b04a1f106a31cff480a5915 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Mon, 26 Nov 2018 11:47:38 +0100 Subject: [PATCH 5/5] fix test Signed-off-by: Robin Appelman --- tests/unit/Controller/SAMLControllerTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/unit/Controller/SAMLControllerTest.php b/tests/unit/Controller/SAMLControllerTest.php index 2ff2a4618..c46fc38dd 100644 --- a/tests/unit/Controller/SAMLControllerTest.php +++ b/tests/unit/Controller/SAMLControllerTest.php @@ -177,7 +177,7 @@ public function testLoginWithEnvVariableAndExistingUser() { ->with('/') ->willReturn('https://nextcloud.com/absolute/'); $this->userBackend - ->expects($this->once()) + ->expects($this->any()) ->method('getCurrentUserId') ->willReturn('MyUid'); /** @var IUser|\PHPUnit_Framework_MockObject_MockObject $user */