/**
* Authenticates the user based on the current request.
*
* If authentication is successful, true must be returned.
* If authentication fails, an exception must be thrown.
*
* @param Sabre_DAV_Server $server
* @param string $realm
* @throws Sabre_DAV_Exception_NotAuthenticated
* @return bool
*/
public function authenticate(Sabre_DAV_Server $server, $realm)
{
$digest = new Sabre_HTTP_DigestAuth();
// Hooking up request and response objects
$digest->setHTTPRequest($server->httpRequest);
$digest->setHTTPResponse($server->httpResponse);
$digest->setRealm($realm);
$digest->init();
$username = $digest->getUsername();
// No username was given
if (!$username) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('No digest authentication headers were found');
}
$hash = $this->getDigestHash($realm, $username);
// If this was false, the user account didn't exist
if ($hash === false || is_null($hash)) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('The supplied username was not on file');
}
if (!is_string($hash)) {
throw new Sabre_DAV_Exception('The returned value from getDigestHash must be a string or null');
}
// If this was false, the password or part of the hash was incorrect.
if (!$digest->validateA1($hash)) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('Incorrect username');
}
$this->currentUser = $username;
return true;
}
/**
* Authenticates the user based on the current request.
*
* If authentication is succesful, true must be returned.
* If authentication fails, an exception must be thrown.
*
* @throws Sabre_DAV_Exception_NotAuthenticated
* @return bool
*/
public function authenticate(Sabre_DAV_Server $server, $realm)
{
$digest = new Sabre_HTTP_DigestAuth();
// Hooking up request and response objects
$digest->setHTTPRequest($server->httpRequest);
$digest->setHTTPResponse($server->httpResponse);
$digest->setRealm($realm);
$digest->init();
$username = $digest->getUsername();
// No username was given
if (!$username) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('No digest authentication headers were found');
}
$userData = $this->getUserInfo($realm, $username);
// If this was false, the user account didn't exist
if ($userData === false) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('The supplied username was not on file');
}
if (!is_array($userData)) {
throw new Sabre_DAV_Exception('The returntype for getUserInfo must be either false or an array');
}
if (!isset($userData['uri']) || !isset($userData['digestHash'])) {
throw new Sabre_DAV_Exception('The returned array from getUserInfo must contain at least a uri and digestHash element');
}
// If this was false, the password or part of the hash was incorrect.
if (!$digest->validateA1($userData['digestHash'])) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('Incorrect username');
}
$this->currentUser = $userData;
return true;
}
/**
* @static
* @throws Exception
* @return User
*/
public static function authenticateDigest()
{
// the following is a fix for Basic Auth in an FastCGI Environment
if (isset($_SERVER['Authorization']) && !empty($_SERVER['Authorization'])) {
$parts = explode(" ", $_SERVER['Authorization']);
$type = array_shift($parts);
$cred = implode(" ", $parts);
if ($type == 'Digest') {
$_SERVER["PHP_AUTH_DIGEST"] = $cred;
}
}
// only digest auth is supported anymore
try {
$auth = new Sabre_HTTP_DigestAuth();
$auth->setRealm("pimcore");
$auth->init();
if ($user = User::getByName($auth->getUsername())) {
if (!$user->isAdmin()) {
throw new Exception("Only admins can access WebDAV");
}
if ($auth->validateA1($user->getPassword())) {
return $user;
}
}
throw new Exception("Authentication required");
} catch (Exception $e) {
$auth->requireLogin();
echo "Authentication required\n";
die;
}
}
public function process()
{
// initialize authentication
$auth = new Sabre_HTTP_DigestAuth();
$auth->setRealm($this->app->config->site->auth_realm);
$auth->init();
// authenticate and get correct user
$email = $auth->getUsername();
$class_name = SwatDBClassMap::get('PinholeAdminUser');
$user = new $class_name();
$user->setDatabase($this->app->db);
if (!$user->loadFromEmail($email) || !$auth->validateA1($user->digest_ha1)) {
$auth->requireLogin();
echo Pinhole::_('Authentication required') . "\n";
exit;
}
// create directory for account and object tree for dav server
$root = new PinholeDavDirectory($this->app, $user);
$tree = new Sabre_DAV_ObjectTree($root);
// create server
$server = new Sabre_DAV_Server($tree);
$server->setBaseUri($this->getDavBaseUri());
// don't save temp files in the database
$tempFilePlugin = new Sabre_DAV_TemporaryFileFilterPlugin($this->getDataDir('dav/temp'));
$server->addPlugin($tempFilePlugin);
// set up lock plugin
$lockBackend = new Sabre_DAV_Locks_Backend_FS($this->getDataDir('dav/locks'));
$lockPlugin = new Sabre_DAV_Locks_Plugin($lockBackend);
$server->addPlugin($lockPlugin);
// also allow regular web browsing
$browserPlugin = new Sabre_DAV_Browser_Plugin(false);
$server->addPlugin($browserPlugin);
// serve it up!
$server->exec();
}
private function getServerTokens($qop = Sabre_HTTP_DigestAuth::QOP_AUTH)
{
$this->auth->requireLogin();
switch ($qop) {
case Sabre_HTTP_DigestAuth::QOP_AUTH:
$qopstr = 'auth';
break;
case Sabre_HTTP_DigestAuth::QOP_AUTHINT:
$qopstr = 'auth-int';
break;
default:
$qopstr = 'auth,auth-int';
break;
}
$test = preg_match('/Digest realm="' . self::REALM . '",qop="' . $qopstr . '",nonce="([0-9a-f]*)",opaque="([0-9a-f]*)"/', $this->response->headers['WWW-Authenticate'], $matches);
$this->assertTrue($test == true, 'The WWW-Authenticate response didn\'t match our pattern. We received: ' . $this->response->headers['WWW-Authenticate']);
$nonce = $matches[1];
$opaque = $matches[2];
// Reset our environment
$this->setUp();
$this->auth->setQOP($qop);
return array($nonce, $opaque);
}
/**
* This method is called before any HTTP method and forces users to be authenticated
*
* @param string $method
* @throws Sabre_DAV_Exception_NotAuthenticated
* @return bool
*/
public function beforeMethod($method)
{
$digest = new Sabre_HTTP_DigestAuth();
// Hooking up request and response objects
$digest->setHTTPRequest($this->server->httpRequest);
$digest->setHTTPResponse($this->server->httpResponse);
$digest->setRealm($this->realm);
$digest->init();
$username = $digest->getUsername();
// No username was given
if (!$username) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('No digest authentication headers were found');
}
// Now checking the backend for the A1 hash
$A1 = $this->authBackend->getDigestHash($username);
// If this was false, the user account didn't exist
if (!$A1) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('The supplied username was not on file');
}
// If this was false, the password or part of the hash was incorrect.
if (!$digest->validateA1($A1)) {
$digest->requireLogin();
throw new Sabre_DAV_Exception_NotAuthenticated('Incorrect username');
}
$this->userName = $username;
$this->userId = $this->authBackend->getUserId($username);
// Eventhooks must return true to continue processing
return true;
}
log_message('error', "Error fetching identities for user '{$userName}': " . $response['Message']);
return null;
}
// Initialize WebDAV authentication
$realm = 'Inventory';
$auth = new Sabre_HTTP_DigestAuth();
$auth->setRealm($realm);
$auth->init();
$userID = null;
$userName = $auth->getUsername();
// Lookup the WebDAV ("a1hash") identity for the given username
$hash = get_a1_hash($userName, $userID);
// Check if the lookup was successful and that the credentials match
if (!$hash || !$auth->validateA1($hash)) {
log_message('info', "WebDAV Authentication failed for user '{$userName}' requesting " . $_SERVER['REQUEST_URI']);
$auth->requireLogin();
echo "Authentication required\n";
exit;
}
// Construct the WebDAV tree and server objects
$rootDirectory = new RootDirectory($userID);
$tree = new Sabre_DAV_ObjectTree($rootDirectory);
$server = new Sabre_DAV_Server($tree);
$server->setBaseUri($config['webdav_url_base_path']);
// Setup the WebDAV locking plugin
$lockBackend = new Sabre_DAV_Locks_Backend_FS('tmp');
$lockPlugin = new Sabre_DAV_Locks_Plugin($lockBackend);
$server->addPlugin($lockPlugin);
log_message('debug', "WebDAV handling " . $_SERVER['REQUEST_METHOD'] . " request for " . $_SERVER['REQUEST_URI']);
// Execute the WebDAV request
$server->exec();
