
Finally remove legacy TRANSMIT_CLEAR_PASS parameter.

New option WEBDAV_ACTIVE_ALL to enable webdav automatically for all users.
Fix "Disable WebDAV" for a given repository.
1 parent 8887e2f commit bd80796897cc6cd39aa6a50fb5ba7042d52aeae2 @cdujeu cdujeu committed Sep 8, 2016
Showing with 96 additions and 180 deletions.
  1. +1 −5 core/src/core/src/pydio/Core/Http/Cli/AuthCliMiddleware.php
  2. +9 −3 core/src/core/src/pydio/Core/Http/Dav/AuthBackendBasic.php
  3. +8 −1 core/src/core/src/pydio/Core/Http/Dav/AuthBackendDigest.php
  4. +1 −2 core/src/core/src/pydio/Core/Http/Dav/DAVServer.php
  5. +5 −15 core/src/core/src/pydio/Core/Services/AuthService.php
  6. +0 −31 core/src/core/src/pydio/Core/Services/RolesService.php
  7. +27 −26 core/src/core/src/pydio/Core/Services/UsersService.php
  8. +1 −1 core/src/plugins/action.share/src/Http/MinisiteAuthMiddleware.php
  9. +1 −6 core/src/plugins/action.share/src/Store/ShareRightsManager.php
  10. +1 −2 core/src/plugins/auth.custom_db/CustomDbAuthDriver.php
  11. +1 −1 core/src/plugins/auth.ftp/FtpAuthDriver.php
  12. +1 −1 core/src/plugins/auth.ldap/LdapAuthDriver.php
  13. +7 −7 core/src/plugins/auth.multi/MultiAuthDriver.php
  14. +4 −4 core/src/plugins/auth.radius/RadiusAuthDriver.php
  15. +5 −22 core/src/plugins/auth.remote/RemoteAuthDriver.php
  16. +1 −1 core/src/plugins/auth.remote/glueCode.php
  17. +2 −2 core/src/plugins/auth.smb/SmbAuthDriver.php
  18. +9 −19 core/src/plugins/auth.sql/SqlAuthDriver.php
  19. +1 −1 core/src/plugins/authfront.cyphered/CypheredAuthFrontend.php
  20. +1 −1 core/src/plugins/authfront.http_basic/BasicHttpAuthFrontend.php
  21. +2 −2 core/src/plugins/authfront.session_login/SessionLoginFrontend.php
  22. +1 −1 core/src/plugins/boot.conf/BootConfLoader.php
  23. +0 −1 core/src/plugins/core.ajaxplorer/ajxp_mixins.xml
  24. +1 −0 core/src/plugins/core.ajaxplorer/manifest.xml
  25. +2 −20 core/src/plugins/core.auth/AbstractAuthDriver.php
  26. +1 −2 core/src/plugins/core.auth/CoreAuthLoader.php
  27. +2 −2 core/src/plugins/core.conf/AbstractConfDriver.php
  28. +1 −1 core/src/plugins/core.ocs/src/Server/Dav/AuthSharingBackend.php
@@ -87,12 +87,8 @@ protected static function authenticateFromCliParameters($options){
if (UsersService::usersEnabled() && !empty($optUser)) {
- $seed = AuthService::generateSeed();
- if ($seed != -1) {
- $optPass = md5(md5($optPass).$seed);
- }
try{
- $loggedUser = AuthService::logUser($optUser, $optPass, isSet($optToken), false, $seed);
+ $loggedUser = AuthService::logUser($optUser, $optPass, isSet($optToken), false);
}catch (LoginException $l){
throw new AuthRequiredException();
}
@@ -82,8 +82,7 @@ public function __construct(ContextInterface $ctx)
*/
protected function validateUserPass($username, $password)
{
- // Warning, this can only work if TRANSMIT_CLEAR_PASS is true;
- return UsersService::checkPassword($username, $password, false, -1);
+ return UsersService::checkPassword($username, $password, false);
}
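Review bot: validateUserPass returns whatever UsersService::checkPassword yields, and that method's docblock in this same commit still declares `bool|void`, so the Sabre boundary inherits a loosely-typed value; pinning it at the boundary, `return UsersService::checkPassword($username, $password, false) === true;`, makes the rejection explicit regardless of what the checkPassword contract ends up being. The removed warning comment was the only place recording that Basic auth needs the driver to verify a clear-text password; a one-line replacement such as `// Basic auth forwards the clear password to the auth driver; the driver must be able to verify it` keeps that intent visible. The enclosing class and the method's docblock start outside the hunk.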
/**
@@ -114,7 +113,11 @@ public function authenticate(Sabre\DAV\Server $server, $realm)
}
$webdavData = $userObject->getPref("AJXP_WEBDAV_DATA");
- if (empty($webdavData) || !isset($webdavData["ACTIVE"]) || $webdavData["ACTIVE"] !== true) {
+ $active = ConfService::getGlobalConf("WEBDAV_ACTIVE_ALL");
+ if(!empty($webdavData) && isSet($webdavData["ACTIVE"]) && $webdavData["ACTIVE"] === false){
+ $active = false;
+ }
+ if (!$active) {
Logger::warning(__CLASS__, "Login failed", array("user" => $userpass[0], "error" => "WebDAV user not found or disabled"));
throw new Sabre\DAV\Exception\NotAuthenticated();
}
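Review bot: A user whose AJXP_WEBDAV_DATA carries `ACTIVE === true` is now denied whenever WEBDAV_ACTIVE_ALL is off, because `$active` is seeded from the global setting only and the per-user flag can only lower it (lines 64-68), whereas the removed condition on line 63 granted access on the per-user flag alone. If per-user activation is meant to keep working alongside the new global switch, let the stored flag decide in both directions: `if (!empty($webdavData) && isSet($webdavData["ACTIVE"])) { $active = ($webdavData["ACTIVE"] === true); }`. AuthBackendDigest::getDigestHash has the same construction at lines 86-90 and needs the same treatment. Since `getGlobalConf` may return a string rather than a bool depending on how the option is stored, an explicit `(bool)` on the seed value is worth considering too. authenticate starts outside the hunk.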
@@ -155,6 +158,9 @@ public function authenticate(Sabre\DAV\Server $server, $realm)
}catch (\Exception $e){
throw new Sabre\DAV\Exception\NotAuthenticated('Error while loading workspace');
}
+ if($repoObject->getContextOption($this->context, "AJXP_WEBDAV_DISABLED", false)){
+ throw new Sabre\DAV\Exception\NotAuthenticated('WebDAV access is disabled for this workspace');
+ }
$this->context->setRepositoryObject($repoObject);
}
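Review bot: The workspace-level `AJXP_WEBDAV_DISABLED` check is copied verbatim into AuthBackendDigest::authenticate (lines 98-100), and both backends likewise duplicate the WEBDAV_ACTIVE_ALL resolution, so the two access decisions can drift apart on the next edit; a single static helper (for instance on DAVServer, which already constructs both backends) that answers "is WebDAV usable for this user and workspace" would keep them identical. A short comment above the check, `// Per-workspace switch: "Disable WebDAV" on the repository overrides user-level activation`, would also document the fix named in the commit message. authenticate starts outside the hunk.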
@@ -79,7 +79,11 @@ public function getDigestHash($realm, $username)
throw new Sabre\DAV\Exception\NotAuthenticated();
}
$webdavData = $user->getPref("AJXP_WEBDAV_DATA");
- if (empty($webdavData) || !isset($webdavData["ACTIVE"]) || $webdavData["ACTIVE"] !== true || (!isSet($webdavData["PASS"]) && !isset($webdavData["HA1"]) ) ) {
+ $active = ConfService::getGlobalConf("WEBDAV_ACTIVE_ALL");
+ if(!empty($webdavData) && isSet($webdavData["ACTIVE"]) && $webdavData["ACTIVE"] === false){
+ $active = false;
+ }
+ if (!$active || (!isSet($webdavData["PASS"]) && !isset($webdavData["HA1"]) ) ) {
return false;
}
if (isSet($webdavData["HA1"])) {
@@ -140,6 +144,9 @@ public function authenticate(Sabre\DAV\Server $server, $realm)
}catch (\Exception $e){
throw new Sabre\DAV\Exception\NotAuthenticated('Error while loading workspace');
}
+ if($repoObject->getContextOption($this->context, "AJXP_WEBDAV_DISABLED", false)){
+ throw new Sabre\DAV\Exception\NotAuthenticated('WebDAV access is disabled for this workspace');
+ }
$this->context->setRepositoryObject($repoObject);
}
if (ConfService::getContextConf($this->context, "SESSION_SET_CREDENTIALS", "auth")) {
@@ -100,8 +100,7 @@ public static function handleRoute($baseURI, $davRoute){
}
- if((AuthBackendBasic::detectBasicHeader() || ConfService::getGlobalConf("WEBDAV_FORCE_BASIC"))
- && ConfService::getAuthDriverImpl()->getOptionAsBool("TRANSMIT_CLEAR_PASS")){
+ if((AuthBackendBasic::detectBasicHeader() || ConfService::getGlobalConf("WEBDAV_FORCE_BASIC"))){
$authBackend = new AuthBackendBasic(self::$context);
} else {
$authBackend = new AuthBackendDigest(self::$context);
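Review bot: With the second operand removed, the doubled parentheses on line 108 are a leftover; `if (AuthBackendBasic::detectBasicHeader() || ConfService::getGlobalConf("WEBDAV_FORCE_BASIC")) {` reads as intended. The dropped condition carried a precondition that is now implicit, so a comment such as `// Basic auth hands the clear password to the auth driver; Digest relies on the stored HA1 instead` would preserve why the two backends are interchangeable here. handleRoute starts outside the hunk.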
@@ -42,18 +42,7 @@ class AuthService
public static $useSession = true;
private static $currentUser;
public static $bufferedMessage = null;
-
-
- /**
- * Get a unique seed from the current auth driver
- * @static
- * @return int|string
- */
- public static function generateSeed()
- {
- $authDriver = ConfService::getAuthDriverImpl();
- return $authDriver->getSeed(true);
- }
+
/**
* Get the currently logged user object
* @return AbstractUser
@@ -78,11 +67,12 @@ public static function getLoggedUser()
* @param string $pwd The password
* @param bool $bypass_pwd Ignore password or not
* @param bool $cookieLogin Is it a logging from the remember me cookie?
- * @param string $returnSeed The unique seed
* @return UserInterface
* @throws LoginException
+ * @throws \Exception
+ * @throws \Pydio\Core\Exception\UserNotFoundException
*/
- public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin = false, $returnSeed="")
+ public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin = false)
{
$user_id = UsersService::filterUserSensitivity($user_id);
$authDriver = ConfService::getAuthDriverImpl();
@@ -100,7 +90,7 @@ public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin
}
}
if (!$bypass_pwd) {
- if (!UsersService::checkPassword($user_id, $pwd, $cookieLogin, $returnSeed)) {
+ if (!UsersService::checkPassword($user_id, $pwd, $cookieLogin)) {
Logger::warning(__CLASS__, "Login failed", array("user" => InputFilter::sanitize($user_id, InputFilter::SANITIZE_EMAILCHARS), "error" => "Invalid password"));
if ($bruteForceLogin === FALSE) {
throw new LoginException(-4);
@@ -350,36 +350,5 @@ public static function bootSequence()
}
file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
- // Legacy, should never happen
- /*
- $adminCount = UsersService::countAdminUsers();
- if ($adminCount == 0) {
- $authDriver = ConfService::getAuthDriverImpl();
- $adminPass = ADMIN_PASSWORD;
- if (!$authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
- $adminPass = md5(ADMIN_PASSWORD);
- }
- $userObject = UsersService::createUser("admin", $adminPass, true);
- if (ADMIN_PASSWORD == INITIAL_ADMIN_PASSWORD) {
- $userObject->setAdmin(true);
- RolesService::updateAdminRights($userObject);
- if (UsersService::changePasswordEnabled()) {
- $userObject->setLock("pass_change");
- }
- $userObject->save("superuser");
- AuthService::updateUser($userObject);
- file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
- throw new PydioException("Warning! User 'admin' was created with the initial password '" . INITIAL_ADMIN_PASSWORD . "'. \\nPlease log in as admin and change the password now!");
- }
- } else if ($adminCount == -1) {
- // Here we may come from a previous version! Check the "admin" user and set its right as admin.
- $adminUser = UsersService::getUserById("admin");
- $adminUser->setAdmin(true);
- $adminUser->save("superuser");
- file_put_contents(AJXP_CACHE_DIR . "/admin_counted", "true");
- throw new PydioException("There is an admin user, but without admin right. Now any user can have the administration rights, \\n your 'admin' user was set with the admin rights. Please check that this suits your security configuration.");
- }
- */
-
}
}
@@ -307,10 +307,10 @@ public static function isReservedUserId($username)
* @param $userId
* @param $userPass
* @param bool $cookieString
- * @param string $returnSeed
* @return bool|void
+ * @throws UserNotFoundException
*/
- public static function checkPassword($userId, $userPass, $cookieString = false, $returnSeed = "")
+ public static function checkPassword($userId, $userPass, $cookieString = false)
{
if (ConfService::getGlobalConf("ALLOW_GUEST_BROWSING", "auth") && $userId == "guest") return true;
$userId = self::filterUserSensitivity($userId);
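Review bot: The docblock still declares `@return bool|void` although every return visible in this commit yields a bool (line 203, and lines 207 and 213 of the following hunk); if the part of the body between the two hunks has no bare `return`, tighten it to `@return bool` so callers such as AuthBackendBasic::validateUserPass and AuthService::logUser get a definite contract. The guest short-circuit on line 203 uses a loose `==`; `$userId === "guest"` makes the comparison explicit. checkPassword continues past the hunk.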
@@ -320,10 +320,7 @@ public static function checkPassword($userId, $userPass, $cookieString = false,
$res = CookiesHelper::checkCookieString($userObject, $userPass);
return $res;
}
- if (!$authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
- if ($authDriver->getSeed(false) != $returnSeed) return false;
- }
- return $authDriver->checkPassword($userId, $userPass, $returnSeed);
+ return $authDriver->checkPassword($userId, $userPass);
}
/**
@@ -346,17 +343,9 @@ public static function updatePassword($userId, $userPass)
Controller::applyHook("user.before_password_change", array($ctx, $userId));
$authDriver->changePassword($userId, $userPass);
Controller::applyHook("user.after_password_change", array($ctx, $userId));
- if ($authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
- // We can directly update the HA1 version of the WEBDAV Digest
- $realm = ConfService::getGlobalConf("WEBDAV_DIGESTREALM");
- $ha1 = md5("{$userId}:{$realm}:{$userPass}");
- $zObj = self::getUserById($userId);
- $wData = $zObj->getPref("AJXP_WEBDAV_DATA");
- if (!is_array($wData)) $wData = array();
- $wData["HA1"] = $ha1;
- $zObj->setPref("AJXP_WEBDAV_DATA", $wData);
- $zObj->save();
- }
+
+ self::storeWebdavDigestForUser(self::getUserById($userId), $userPass);
+
Logger::info(__CLASS__, "Update Password", array("user_id" => $userId));
return true;
}
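Review bot: `self::getUserById($userId)` on line 232 runs after the driver has already changed the password and the after_password_change hook has fired (lines 218-219), so if that lookup throws the UserNotFoundException the new helper's docblock announces, the password is changed while the stored HA1 stays stale and the "Update Password" log entry is never written. Either resolve the user object before `changePassword` so the failure happens up front, or declare `@throws UserNotFoundException` on updatePassword (its docblock is outside the hunk) and document the partial-update window. updatePassword starts outside the hunk.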
@@ -390,21 +379,33 @@ public static function createUser($userId, $userPass, $isAdmin = false, $isHidde
$user->setHidden(true);
$user->save("superuser");
}
- if ($authDriver->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
- $realm = ConfService::getGlobalConf("WEBDAV_DIGESTREALM");
- $ha1 = md5("{$userId}:{$realm}:{$userPass}");
- $wData = $user->getPref("AJXP_WEBDAV_DATA");
- if (!is_array($wData)) $wData = array();
- $wData["HA1"] = $ha1;
- $user->setPref("AJXP_WEBDAV_DATA", $wData);
- $user->save();
- }
+
+ self::storeWebdavDigestForUser($user, $userPass);
+
Controller::applyHook("user.after_create", array($localContext, $user));
Logger::info(__CLASS__, "Create User", array("user_id" => $userId));
return $user;
}
/**
+ * Store the HA1 digest for Digest Authentication in WebDAV
+ * @param UserInterface $userObject
+ * @param string $password
+ * @throws UserNotFoundException
+ */
+ private static function storeWebdavDigestForUser($userObject, $password){
+
+ $realm = ConfService::getGlobalConf("WEBDAV_DIGESTREALM");
+ $ha1 = md5("{$userObject->getId()}:{$realm}:{$password}");
+ $wData = $userObject->getPref("AJXP_WEBDAV_DATA");
+ if (!is_array($wData)) $wData = array();
+ $wData["HA1"] = $ha1;
+ $userObject->setPref("AJXP_WEBDAV_DATA", $wData);
+ $userObject->save();
+
+ }
+
+ /**
* Detect the number of admin users
* @static
* @return int|void
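Review bot: storeWebdavDigestForUser now runs for every created user (line 251) and every password change, so an MD5 HA1 of the clear password is written into AJXP_WEBDAV_DATA even for users who never use WebDAV; this is presumably required so that turning on WEBDAV_ACTIVE_ALL later works without a password reset, and the helper's docblock should state that rationale, e.g. `Stored unconditionally: the digest can only be derived while the clear password is in hand, and must already exist when WebDAV is later enabled globally or per user.` The helper builds the digest from `$userObject->getId()` whereas the code it replaces used the `$userId` argument; if `getId()` returns a normalised form (the caller applies filterUserSensitivity), the HA1 would no longer match the username the Digest client sends, so confirm the two are identical. The `@throws UserNotFoundException` on line 261 is not evidenced by anything in the helper's body; the lookup that can throw is at the caller in updatePassword, so the tag belongs there. If the codebase targets PHP 7, `private static function storeWebdavDigestForUser(UserInterface $userObject, $password)` would let the engine enforce the documented parameter type.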
@@ -140,7 +140,7 @@ public static function basicHttp($presetLogin, ServerRequestInterface &$requestI
try {
- $loggedUser = AuthService::logUser($presetLogin, $localHttpPassw, false, false, "-1");
+ $loggedUser = AuthService::logUser($presetLogin, $localHttpPassw, false, false);
$requestInterface = $requestInterface->withAttribute("ctx", Context::contextWithObjects($loggedUser, null));
return $responseInterface;
@@ -527,11 +527,6 @@ public function unregisterRemovedUsers($repoId, $newUsers, $newGroups, $watcherN
public function createNewUser($parentUser, $userName, $password, $isHidden, $display){
$confDriver = ConfService::getConfStorageImpl();
- if (ConfService::getAuthDriverImpl()->getOptionAsBool("TRANSMIT_CLEAR_PASS")) {
- $pass = $password;
- } else {
- $pass = md5($password);
- }
if(!$isHidden){
// This is an explicit user creation - check possible limits
Controller::applyHook("user.before_create", array($this->context, $userName, null, false, false));
@@ -545,7 +540,7 @@ public function createNewUser($parentUser, $userName, $password, $isHidden, $dis
}
}
- $userObject = UsersService::createUser($userName, $pass, false, $isHidden);
+ $userObject = UsersService::createUser($userName, $password, false, $isHidden);
$userObject->getPersonalRole()->clearAcls();
$userObject->setParent($parentUser->getId());
$userObject->setGroupPath($parentUser->getGroupPath());
@@ -218,10 +218,9 @@ public function getUserPass($login)
/**
* @param string $login
* @param string $pass
- * @param string $seed
* @return bool
*/
- public function checkPassword($login, $pass, $seed)
+ public function checkPassword($login, $pass)
{
$userStoredPass = $this->getUserPass($login);
if (!$userStoredPass) return false;
@@ -129,7 +129,7 @@ public function testParameters($params)
return "SUCCESS: Could succesfully connect to the FTP server!";
}
- public function checkPassword($login, $pass, $seed)
+ public function checkPassword($login, $pass)
{
require_once($this->getBaseDir() . "/FtpSonWrapper.php");
$wrapper = new \Pydio\Access\Driver\StreamProvider\FTP\FtpSonWrapper();
@@ -563,7 +563,7 @@ public function userExists($login)
return $res;
}
- public function checkPassword($login, $pass, $seed)
+ public function checkPassword($login, $pass)
{
if (empty($pass)) return false;
$entries = $this->getUserEntries($login);
@@ -66,7 +66,6 @@ public function init(ContextInterface $ctx, $options = [])
foreach ($this->driversDef as $def) {
$name = $def["NAME"];
$options = $def["OPTIONS"];
- $options["TRANSMIT_CLEAR_PASS"] = $this->options["TRANSMIT_CLEAR_PASS"];
$options["LOGIN_REDIRECT"] = $this->options["LOGIN_REDIRECT"];
$instance = PluginsService::getInstance($ctx)->getPluginByTypeName("auth", $name);
if (!is_object($instance)) {
@@ -406,15 +405,15 @@ public function userExists($login)
/**
* @param string $login
* @param string $pass
- * @param string $seed
* @return bool
+ * @throws Exception
*/
- public function checkPassword($login, $pass, $seed)
+ public function checkPassword($login, $pass)
{
if ($this->masterSlaveMode) {
if ($this->drivers[$this->masterName]->userExists($login)) {
// check master, and refresh slave if necessary
- if ($this->drivers[$this->masterName]->checkPassword($login, $pass, $seed)) {
+ if ($this->drivers[$this->masterName]->checkPassword($login, $pass)) {
if ($this->getContextualOption(\Pydio\Core\Model\Context::emptyContext(), "CACHE_MASTER_USERS_TO_SLAVE")) {
if ($this->drivers[$this->slaveName]->userExists($login)) {
$this->drivers[$this->slaveName]->changePassword($login, $pass);
@@ -426,27 +425,28 @@ public function checkPassword($login, $pass, $seed)
} else {
if (!$this->getContextualOption(\Pydio\Core\Model\Context::emptyContext(), "CACHE_MASTER_USERS_TO_SLAVE") && $this->drivers[$this->slaveName]->userExists($login)) {
// User may in fact be a SLAVE user
- return $this->drivers[$this->slaveName]->checkPassword($login, $pass, $seed);
+ return $this->drivers[$this->slaveName]->checkPassword($login, $pass);
}
return false;
}
} else {
- $res = $this->drivers[$this->slaveName]->checkPassword($login, $pass, $seed);
+ $res = $this->drivers[$this->slaveName]->checkPassword($login, $pass);
return $res;
}
}
$login = $this->extractRealId($login);
$this->logDebug("check pass " . $login);
if ($this->getCurrentDriver()) {
- return $this->getCurrentDriver()->checkPassword($login, $pass, $seed);
+ return $this->getCurrentDriver()->checkPassword($login, $pass);
} else {
throw new Exception("No driver instanciated in multi driver!");
}
}
/**
* @return bool
+ * @throws Exception
*/
public function usersEditable()
{