%PDF-
%PDF-
Mini Shell
Mini Shell
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2016-2024 Nextcloud GmbH and Nextcloud contributors
* SPDX-FileCopyrightText: 2016 ownCloud, Inc.
* SPDX-License-Identifier: AGPL-3.0-only
*/
namespace OCA\DAV\Connector\Sabre;
use OCP\IRequest;
use OCP\ISession;
use OCP\Security\Bruteforce\IThrottler;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use OCP\Share\IShare;
use Psr\Log\LoggerInterface;
use Sabre\DAV\Auth\Backend\AbstractBasic;
use Sabre\DAV\Exception\NotAuthenticated;
use Sabre\DAV\Exception\NotFound;
use Sabre\DAV\Exception\ServiceUnavailable;
use Sabre\HTTP;
use Sabre\HTTP\RequestInterface;
use Sabre\HTTP\ResponseInterface;
/**
* Class PublicAuth
*
* @package OCA\DAV\Connector
*/
class PublicAuth extends AbstractBasic {
private const BRUTEFORCE_ACTION = 'public_dav_auth';
public const DAV_AUTHENTICATED = 'public_link_authenticated';
private ?IShare $share = null;
private IManager $shareManager;
private ISession $session;
private IRequest $request;
private IThrottler $throttler;
private LoggerInterface $logger;
public function __construct(IRequest $request,
IManager $shareManager,
ISession $session,
IThrottler $throttler,
LoggerInterface $logger) {
$this->request = $request;
$this->shareManager = $shareManager;
$this->session = $session;
$this->throttler = $throttler;
$this->logger = $logger;
// setup realm
$defaults = new \OCP\Defaults();
$this->realm = $defaults->getName();
}
/**
* @param RequestInterface $request
* @param ResponseInterface $response
*
* @return array
* @throws NotAuthenticated
* @throws ServiceUnavailable
*/
public function check(RequestInterface $request, ResponseInterface $response): array {
try {
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
$auth = new HTTP\Auth\Basic(
$this->realm,
$request,
$response
);
$userpass = $auth->getCredentials();
// If authentication provided, checking its validity
if ($userpass && !$this->validateUserPass($userpass[0], $userpass[1])) {
return [false, 'Username or password was incorrect'];
}
return $this->checkToken();
} catch (NotAuthenticated $e) {
throw $e;
} catch (\Exception $e) {
$class = get_class($e);
$msg = $e->getMessage();
$this->logger->error($e->getMessage(), ['exception' => $e]);
throw new ServiceUnavailable("$class: $msg");
}
}
/**
* Extract token from request url
* @return string
* @throws NotFound
*/
private function getToken(): string {
$path = $this->request->getPathInfo() ?: '';
// ['', 'dav', 'files', 'token']
$splittedPath = explode('/', $path);
if (count($splittedPath) < 4 || $splittedPath[3] === '') {
throw new NotFound();
}
return $splittedPath[3];
}
/**
* Check token validity
* @return array
* @throws NotFound
* @throws NotAuthenticated
*/
private function checkToken(): array {
$token = $this->getToken();
try {
/** @var IShare $share */
$share = $this->shareManager->getShareByToken($token);
} catch (ShareNotFound $e) {
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
throw new NotFound();
}
$this->share = $share;
\OC_User::setIncognitoMode(true);
// If already authenticated
if ($this->session->exists(self::DAV_AUTHENTICATED)
&& $this->session->get(self::DAV_AUTHENTICATED) === $share->getId()) {
return [true, $this->principalPrefix . $token];
}
// If the share is protected but user is not authenticated
if ($share->getPassword() !== null) {
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
throw new NotAuthenticated();
}
return [true, $this->principalPrefix . $token];
}
/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
*
* @return bool
* @throws NotAuthenticated
*/
protected function validateUserPass($username, $password) {
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);
$token = $this->getToken();
try {
$share = $this->shareManager->getShareByToken($token);
} catch (ShareNotFound $e) {
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
return false;
}
$this->share = $share;
\OC_User::setIncognitoMode(true);
// check if the share is password protected
if ($share->getPassword() !== null) {
if ($share->getShareType() === IShare::TYPE_LINK
|| $share->getShareType() === IShare::TYPE_EMAIL
|| $share->getShareType() === IShare::TYPE_CIRCLE) {
if ($this->shareManager->checkPassword($share, $password)) {
// If not set, set authenticated session cookie
if (!$this->session->exists(self::DAV_AUTHENTICATED)
|| $this->session->get(self::DAV_AUTHENTICATED) !== $share->getId()) {
$this->session->set(self::DAV_AUTHENTICATED, $share->getId());
}
return true;
}
if ($this->session->exists(PublicAuth::DAV_AUTHENTICATED)
&& $this->session->get(PublicAuth::DAV_AUTHENTICATED) === $share->getId()) {
return true;
}
if (in_array('XMLHttpRequest', explode(',', $this->request->getHeader('X-Requested-With')))) {
// do not re-authenticate over ajax, use dummy auth name to prevent browser popup
http_response_code(401);
header('WWW-Authenticate: DummyBasic realm="' . $this->realm . '"');
throw new NotAuthenticated('Cannot authenticate over ajax calls');
}
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
return false;
} elseif ($share->getShareType() === IShare::TYPE_REMOTE) {
return true;
}
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
return false;
}
return true;
}
public function getShare(): IShare {
assert($this->share !== null);
return $this->share;
}
}
Zerion Mini Shell 1.0