Use Bearer backend for SabreDAV

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
9 years ago · df3909a7c3
parent 30552090bc
commit df3909a7c3
6 changed files with 220 additions and 12 deletions
--- a/apps/dav/lib/Connector/Sabre/Auth.php
+++ b/apps/dav/lib/Connector/Sabre/Auth.php
@ -211,18 +211,6 @@ class Auth extends AbstractBasic {
 	private function auth(RequestInterface $request, ResponseInterface $response) {
 		$forcedLogout = false;

-		$authHeader = $request->getHeader('Authorization');
-		if (strpos($authHeader, 'Bearer ') !== false) {
-			if($this->userSession->tryTokenLogin($this->request)) {
-				$this->session->set(self::DAV_AUTHENTICATED, $this->userSession->getUser()->getUID());
-				$user = $this->userSession->getUser()->getUID();
-				\OC_Util::setupFS($user);
-				$this->currentUser = $user;
-				$this->session->close();
-				return [true, $this->principalPrefix . $user];
-			}
-		}
-
 		if(!$this->request->passesCSRFCheck() &&
 			$this->requiresCSRFCheck()) {
 			// In case of a fail with POST we need to recheck the credentials
--- a/apps/dav/lib/Connector/Sabre/BearerAuth.php
+++ b/apps/dav/lib/Connector/Sabre/BearerAuth.php
@ -0,0 +1,76 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\DAV\Connector\Sabre;
+
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUserSession;
+use Sabre\DAV\Auth\Backend\AbstractBearer;
+
+class BearerAuth extends AbstractBearer {
+	/** @var IUserSession */
+	private $userSession;
+	/** @var ISession */
+	private $session;
+	/** @var IRequest */
+	private $request;
+	/** @var string */
+	private $principalPrefix;
+
+	/**
+	 * @param IUserSession $userSession
+	 * @param ISession $session
+	 * @param string $principalPrefix
+	 * @param IRequest $request
+	 */
+	public function __construct(IUserSession $userSession,
+								ISession $session,
+								IRequest $request,
+								$principalPrefix = 'principals/users/') {
+		$this->userSession = $userSession;
+		$this->session = $session;
+		$this->request = $request;
+		$this->principalPrefix = $principalPrefix;
+	}
+
+	private function setupUserFs($userId) {
+		\OC_Util::setupFS($userId);
+		$this->session->close();
+		return $this->principalPrefix . $userId;
+	}
+
+	/**
+	 * {@inheritdoc}
+	 */
+	public function validateBearerToken($bearerToken) {
+		\OC_Util::setupFS();
+
+		if(!$this->userSession->isLoggedIn()) {
+			$this->userSession->tryTokenLogin($this->request);
+		}
+		if($this->userSession->isLoggedIn()) {
+			return $this->setupUserFs($this->userSession->getUser()->getUID());
+		}
+
+		return false;
+	}
+}
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@ -33,6 +33,7 @@ use OCA\DAV\CardDAV\ImageExportPlugin;
 use OCA\DAV\CardDAV\PhotoCache;
 use OCA\DAV\Comments\CommentsPlugin;
 use OCA\DAV\Connector\Sabre\Auth;
+use OCA\DAV\Connector\Sabre\BearerAuth;
 use OCA\DAV\Connector\Sabre\BlockLegacyClientPlugin;
 use OCA\DAV\Connector\Sabre\CommentPropertiesPlugin;
 use OCA\DAV\Connector\Sabre\CopyEtagHeaderPlugin;
@ -52,6 +53,7 @@ use OCP\SabrePluginEvent;
 use Sabre\CardDAV\VCFExportPlugin;
 use Sabre\DAV\Auth\Plugin;
 use OCA\DAV\Connector\Sabre\TagsPlugin;
+use Sabre\HTTP\Auth\Bearer;
 use SearchDAV\DAV\SearchPlugin;

 class Server {
@ -100,6 +102,12 @@ class Server {
 		$event = new SabrePluginEvent($this->server);
 		$dispatcher->dispatch('OCA\DAV\Connector\Sabre::authInit', $event);

+		$bearerAuthBackend = new BearerAuth(
+			\OC::$server->getUserSession(),
+			\OC::$server->getSession(),
+			\OC::$server->getRequest()
+		);
+		$authPlugin->addBackend($bearerAuthBackend);
 		// because we are throwing exceptions this plugin has to be the last one
 		$authPlugin->addBackend($authBackend);

--- a/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/BearerAuthTest.php
@ -0,0 +1,88 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\DAV\Tests\unit\Connector\Sabre;
+
+use OC\Authentication\TwoFactorAuth\Manager;
+use OC\Security\Bruteforce\Throttler;
+use OC\User\Session;
+use OCA\DAV\Connector\Sabre\BearerAuth;
+use OCP\IRequest;
+use OCP\ISession;
+use OCP\IUser;
+use OCP\IUserSession;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+use Test\TestCase;
+
+/**
+ * @group DB
+ */
+class BearerAuthTest extends TestCase {
+	/** @var IUserSession|\PHPUnit_Framework_MockObject_MockObject */
+	private $userSession;
+	/** @var ISession|\PHPUnit_Framework_MockObject_MockObject */
+	private $session;
+	/** @var IRequest|\PHPUnit_Framework_MockObject_MockObject */
+	private $request;
+	/** @var BearerAuth */
+	private $bearerAuth;
+
+	public function setUp() {
+		parent::setUp();
+
+		$this->userSession = $this->createMock(\OC\User\Session::class);
+		$this->session = $this->createMock(ISession::class);
+		$this->request = $this->createMock(IRequest::class);
+
+		$this->bearerAuth = new BearerAuth(
+			$this->userSession,
+			$this->session,
+			$this->request
+		);
+	}
+
+	public function testValidateBearerTokenNotLoggedIn() {
+		$this->assertFalse($this->bearerAuth->validateBearerToken('Token'));
+	}
+
+	public function testValidateBearerToken() {
+		$this->userSession
+			->expects($this->at(0))
+			->method('isLoggedIn')
+			->willReturn(false);
+		$this->userSession
+			->expects($this->at(2))
+			->method('isLoggedIn')
+			->willReturn(true);
+		$user = $this->createMock(IUser::class);
+		$user
+			->expects($this->once())
+			->method('getUID')
+			->willReturn('admin');
+		$this->userSession
+			->expects($this->once())
+			->method('getUser')
+			->willReturn($user);
+
+		$this->assertSame('principals/users/admin', $this->bearerAuth->validateBearerToken('Token'));
+	}
+}
--- a/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php
+++ b/apps/oauth2/lib/Exceptions/AccessTokenNotFoundException.php
@ -0,0 +1,24 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Exceptions;
+
+class AccessTokenNotFoundException extends \Exception {}
--- a/apps/oauth2/lib/Exceptions/ClientNotFoundException.php
+++ b/apps/oauth2/lib/Exceptions/ClientNotFoundException.php
@ -0,0 +1,24 @@
+<?php
+/**
+ * @copyright Copyright (c) 2017 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\OAuth2\Exceptions;
+
+class ClientNotFoundException extends \Exception {}