Custom Authentication Mechanisms for WebDAV and APIs

[joneug]

Description

The authentication mechanisms for securing WebDAV and APIs were extended to allow 3rd-party apps to provide additional authentication backends. In the WebDAV interface the dispatching of the OCA\DAV\Connector\Sabre::authInit event was added. For securing the API the interface IAuthModule was added. Apps can register their implementation of this interface in the info.xml file.

Related Issue

#10400

Motivation and Context

This, for example, allows the implementation of Bearer Authentication with OAuth 2.0 (see OAuth 2.0 app).

How Has This Been Tested?

The OAuth2 app's PHPUnit tests have been run on Travis CI with the following configurations:

• PHP versions: 5.6, 7
• Core branches: master
• Databases: PostgreSQL, MySQL, SQLite

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[mention-bot]

@joneug, thanks for your PR! By analyzing the history of the files in this pull request, we identified @DeepDiver1975 to be a potential reviewer.

[CLAassistant]

All committers have signed the CLA.

[DeepDiver1975]

@PhilippSchaffrath @Peter-Prochaska

[DeepDiver1975]

this class already exists in sabre dav - no need to add it here. THX

[guruz]

Linking #24995

[joneug]

@PhilippSchaffrath @DeepDiver1975 @butonic Please review the changes. Looking forward to your ideas.

[joneug]

I think the problem with the build failing in Jenkins is that the OAuth 2.0 app was added as a Submodule which requires additional commands for cloning. Would you like to use submodules or should I include the OAuth 2.0 app's files directly?

[joneug]

The dependencies between the core and the oauth2 app are now fully eliminated.

We need some plugin mechanism to this

I added IAuthModule as suggested.

And classes implementing this interface can be loaded via info.xml - basically just like the TwoFactor plugins

I updated the oauth2 app according to this. The AuthModule class is registered in info.xml under auth-modules.

And within the UserSession instead if calling tryTokenLogin, tryBearerLogin, trySessionLogin ....
We just loop over all registered modules

I added the function tryAuthModuleLogin that implements this loop. I don't see a way of replacing tryTokenLogin with this loop as tokens are not implemented with an app. What do you think?

[joneug]

I changed the title of the PR, because now OAuth 2.0 is fully capsulated in the app and this PR addresses the more general problem of adding 3rd-party authentication backends.

Furthermore, I added the function getUserPassword to the IAuthModule interface in order to be able to trigger the hooks. Where to get the password from should not concern this PR.

As a side note: in the OAuth 2.0 app an empty string is returned because we are not handling any passwords at all. Consequently, only master key encryption is working, but this restriction exists when using Shibboleth, too.

Lastly, I added loading of additional AuthBackends for the webdav interface.

[joneug]

Could you please review the changes?

Additionally, considering a backport to stable9.1 would be nice since the changes are relatively small and there is high interest form our side in using this mechanism for implementing OAuth 2.0 in ownCloud 9.1.

[DeepDiver1975]

please inject appManager as parameter in the ctor

[joneug]

I tried to inject the AppManager, but when changing the registration of UserSession in Server.php (see here) I get the following error:

PHP Fatal error:  Maximum function nesting level of '256' reached

Inside the closure for the registerService function, $appManager = $c->getAppManager(); is called over and over again. Any ideas?

[joneug]

No ideas?

[DeepDiver1975]

okay then let's keep it this way

[DeepDiver1975]

adding a type check?

if ($authModule instanceof IAuthModule) {

[joneug]

Done

[DeepDiver1975]

hmmm ... two tests are failing on oracle ....

23:15:18 There were 2 failures:
23:15:18 
23:15:18 1) Test\Files\External\Service\GlobalStoragesServiceTest::testUpdateStorage with data set #1 (array('mountpoint', 'identifier:\Test\Files\Extern...ackend', 'identifier:\Auth\Mechanism', array('value1', 'value2', 'testPassword'), array('user1', 'user2'), array(), 15))
23:15:18 Failed asserting that two arrays are equal.
23:15:18 --- Expected
23:15:18 +++ Actual
23:15:18 @@ @@
23:15:18  Array (
23:15:18 -    0 => 'user1'
23:15:18 -    1 => 'user2'
23:15:18 +    0 => 'user2'
23:15:18 +    1 => 'user1'
23:15:18  )
23:15:18 
23:15:18 /var/lib/jenkins/workspace/owncloud-core_core_PR-26742-JCGXUYPGPX2CBJQVJBQBPP3QLMW2OPW6JKKJVSVR77ZQ5M6LTFKQ/tests/lib/Files/External/Service/GlobalStoragesServiceTest.php:185
23:15:18 
23:15:18 2) Test\Files\External\Service\GlobalStoragesServiceTest::testUpdateStorage with data set #3 (array('mountpoint', 'identifier:\Test\Files\Extern...ackend', 'identifier:\Auth\Mechanism', array('value1', 'value2', 'testPassword'), array('user1', 'user2'), array('group1', 'group2'), 15))
23:15:18 Failed asserting that two arrays are equal.
23:15:18 --- Expected
23:15:18 +++ Actual
23:15:18 @@ @@
23:15:18  Array (
23:15:18 -    0 => 'user1'
23:15:18 -    1 => 'user2'
23:15:18 +    0 => 'user2'
23:15:18 +    1 => 'user1'
23:15:18  )
23:15:18 

[joneug]

I pulled the changes in master branch and now the Jenkins build was successful. But the travis build failed:

$ sh -c "if [ '$TEST_DAV' = '1' ]; then bash apps/dav/tests/travis/$TC/install.sh; fi"
bash: apps/dav/tests/travis/selenium/install.sh: No such file or directory

The command "sh -c "if [ '$TEST_DAV' = '1' ]; then bash apps/dav/tests/travis/$TC/install.sh; fi"" failed and exited with 127 during .

Are there errors in the build script (see changes of commit cac897b)?

[DeepDiver1975]

I pulled the changes in master branch and now the Jenkins build was successful. But the travis build failed:

I'd say this is unrelated ..... let's merge

[DeepDiver1975]

Thanks a lot! @joneug and your team! Great job!

[joneug]

What do you think about backporting to 9.1?

Additionally, considering a backport to stable9.1 would be nice since the changes are relatively small and there is high interest form our side in using this mechanism for implementing OAuth 2.0 in ownCloud 9.1.

[DeepDiver1975]

What do you think about backporting to 9.1?

@PVince81 what's your opionion? THX

[joneug]

I created a backport in PR #27370.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.