diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 71bec11d219b7bfb342a413f76b729f8a8e3095c..fcca43624fe6ad4b4aee8a67935a526952c6a78a 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -64,7 +64,7 @@
</li>
<?php endforeach; ?>
<li>
- <a id="logout" href="<?php print_unescaped(link_to('', 'index.php')); ?>?logout=true">
+ <a id="logout" <?php print_unescaped(OC_User::getLogoutAttribute()); ?>>
<img class="svg" alt="" src="<?php print_unescaped(image_path('', 'actions/logout.svg')); ?>" />
<?php p($l->t('Log out'));?>
</a>
diff --git a/core/templates/login.php b/core/templates/login.php
index 06f64d41e39e24e5efd9490eef5215b664f17cc9..aca42c84387ce44040125cc48bfcda841124bff0 100644
--- a/core/templates/login.php
+++ b/core/templates/login.php
@@ -12,6 +12,12 @@
<small><?php p($l->t('Please change your password to secure your account again.')); ?></small>
</div>
<?php endif; ?>
+ <?php if (isset($_['apacheauthfailed']) && ($_['apacheauthfailed'])): ?>
+ <div class="warning">
+ <?php p($l->t('Server side authentication failed!')); ?><br>
+ <small><?php p($l->t('Please contact your administrator.')); ?></small>
+ </div>
+ <?php endif; ?>
<p class="infield grouptop">
<input type="text" name="user" id="user" placeholder=""
value="<?php p($_['username']); ?>"<?php p($_['user_autofocus'] ? ' autofocus' : ''); ?>
diff --git a/lib/base.php b/lib/base.php
index 42182c21fb04950ee7bc8a29e8728c30edb9bb38..b0b2dca502f80477b02f055c03ed0f897c4a1e8f 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -489,6 +489,11 @@ class OC {
if (isset($_SERVER['PHP_AUTH_USER']) && self::$session->exists('user_id')
&& $_SERVER['PHP_AUTH_USER'] != self::$session->get('user_id')) {
+ $sessionUser = self::$session->get('user_id');
+ $serverUser = $_SERVER['PHP_AUTH_USER'];
+ OC_Log::write('core',
+ "Session user-id ($sessionUser) doesn't match SERVER[PHP_AUTH_USER] ($serverUser).",
+ OC_Log::WARN);
OC_User::logout();
}
@@ -743,11 +748,17 @@ class OC {
protected static function handleLogin() {
OC_App::loadApps(array('prelogin'));
$error = array();
+
+ // auth possible via apache module?
+ if (OC::tryApacheAuth()) {
+ $error[] = 'apacheauthfailed';
+ }
// remember was checked after last login
- if (OC::tryRememberLogin()) {
+ elseif (OC::tryRememberLogin()) {
$error[] = 'invalidcookie';
- // Someone wants to log in :
- } elseif (OC::tryFormLogin()) {
+ }
+ // logon via web form
+ elseif (OC::tryFormLogin()) {
$error[] = 'invalidpassword';
}
@@ -765,6 +776,20 @@ class OC {
}
}
+ protected static function tryApacheAuth() {
+ $return = OC_User::handleApacheAuth();
+
+ // if return is true we are logged in -> redirect to the default page
+ if ($return === true) {
+ $_REQUEST['redirect_url'] = \OC_Request::requestUri();
+ OC_Util::redirectToDefaultPage();
+ exit;
+ }
+
+ // in case $return is null apache based auth is not enabled
+ return is_null($return) ? false : true;
+ }
+
protected static function tryRememberLogin() {
if (!isset($_COOKIE["oc_remember_login"])
|| !isset($_COOKIE["oc_token"])
diff --git a/lib/private/connector/sabre/auth.php b/lib/private/connector/sabre/auth.php
index bf3a49593cbc23419ed2dd404f589bb5b1dd24e8..d2fd74c44f9f2a00f53610ad316d2ecc28379a6f 100644
--- a/lib/private/connector/sabre/auth.php
+++ b/lib/private/connector/sabre/auth.php
@@ -72,6 +72,11 @@ class OC_Connector_Sabre_Auth extends Sabre_DAV_Auth_Backend_AbstractBasic {
* @return bool
*/
public function authenticate(Sabre_DAV_Server $server, $realm) {
+
+ if (OC_User::handleApacheAuth()) {
+ return true;
+ }
+
if (OC_User::isLoggedIn()) {
$user = OC_User::getUser();
OC_Util::setupFS($user);
diff --git a/lib/private/user.php b/lib/private/user.php
index 15e807088b4c8e731116d978f94f74ee4217c65a..04cd06b08bd18f17b6960b209804daa9c4338351 100644
--- a/lib/private/user.php
+++ b/lib/private/user.php
@@ -213,6 +213,55 @@ class OC_User {
return self::getUserSession()->login($uid, $password);
}
+ /**
+ * @brief Try to login a user, assuming authentication
+ * has already happened (e.g. via Single Sign On).
+ *
+ * Log in a user and regenerate a new session.
+ *
+ * @param \OCP\Authentication\IApacheBackend $backend
+ * @return bool
+ */
+ public static function loginWithApache(\OCP\Authentication\IApacheBackend $backend) {
+
+ $uid = $backend->getCurrentUserId();
+ $run = true;
+ OC_Hook::emit( "OC_User", "pre_login", array( "run" => &$run, "uid" => $uid ));
+
+ if($uid) {
+ session_regenerate_id(true);
+ self::setUserId($uid);
+ self::setDisplayName($uid);
+ OC_Hook::emit( "OC_User", "post_login", array( "uid" => $uid, 'password'=>'' ));
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * @brief Verify with Apache whether user is authenticated.
+ *
+ * @return boolean|null
+ * true: authenticated
+ * false: not authenticated
+ * null: not handled / no backend available
+ */
+ public static function handleApacheAuth() {
+ $backend = self::findFirstActiveUsedBackend();
+ if ($backend) {
+ OC_App::loadApps();
+
+ //setup extra user backends
+ self::setupBackends();
+ self::unsetMagicInCookie();
+
+ return self::loginWithApache($backend);
+ }
+
+ return null;
+ }
+
+
/**
* @brief Sets user id for session and triggers emit
*/
@@ -259,6 +308,22 @@ class OC_User {
return false;
}
+ /**
+ * Supplies an attribute to the logout hyperlink. The default behaviour
+ * is to return an href with '?logout=true' appended. However, it can
+ * supply any attribute(s) which are valid for <a>.
+ *
+ * @return string with one or more HTML attributes.
+ */
+ public static function getLogoutAttribute() {
+ $backend = self::findFirstActiveUsedBackend();
+ if ($backend) {
+ return $backend->getLogoutAttribute();
+ }
+
+ return "href=" . link_to('', 'index.php') . "?logout=true";
+ }
+
/**
* @brief Check if the user is an admin user
* @param string $uid uid of the admin
@@ -497,4 +562,20 @@ class OC_User {
public static function unsetMagicInCookie() {
self::getUserSession()->unsetMagicInCookie();
}
+
+ /**
+ * @brief Returns the first active backend from self::$_usedBackends.
+ * @return null if no backend active, otherwise OCP\Authentication\IApacheBackend
+ */
+ private static function findFirstActiveUsedBackend() {
+ foreach (self::$_usedBackends as $backend) {
+ if ($backend instanceof OCP\Authentication\IApacheBackend) {
+ if ($backend->isSessionActive()) {
+ return $backend;
+ }
+ }
+ }
+
+ return null;
+ }
}
diff --git a/lib/public/authentication/iapachebackend.php b/lib/public/authentication/iapachebackend.php
new file mode 100644
index 0000000000000000000000000000000000000000..5376baf525c8a7fd3c03ee453199653ebb3f0e8b
--- /dev/null
+++ b/lib/public/authentication/iapachebackend.php
@@ -0,0 +1,49 @@
+<?php
+
+/**
+ * ownCloud - Apache backend
+ *
+ * @author Karl Beecher
+ * @copyright 2013 Karl Beecher - karl@endocode.com
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public
+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCP\Authentication;
+
+interface IApacheBackend {
+
+ /**
+ * In case the user has been authenticated by Apache true is returned.
+ *
+ * @return boolean whether Apache reports a user as currently logged in.
+ */
+ public function isSessionActive();
+
+ /**
+ * Creates an attribute which is added to the logout hyperlink. It can
+ * supply any attribute(s) which are valid for <a>.
+ *
+ * @return string with one or more HTML attributes.
+ */
+ public function getLogoutAttribute();
+
+ /**
+ * Return the id of the current user
+ * @return string
+ */
+ public function getCurrentUserId();
+
+}