Merge pull request #29349 from nextcloud/enh/noid/filesext_kerberos_a…

…pache_auth
nextcloud · Jan 20, 2022 · a3dc813 · a3dc813
2 parents 9b5245f + 4fe70de
commit a3dc813
Show file tree

Hide file tree

Showing 25 changed files with 633 additions and 126 deletions.
diff --git a/.github/workflows/smb-kerberos.yml b/.github/workflows/smb-kerberos.yml
@@ -0,0 +1,78 @@
+name: Samba Kerberos SSO
+on:
+  push:
+    branches:
+      - master
+      - stable*
+    paths:
+      - 'apps/files_external/**'
+  pull_request:
+    paths:
+      - 'apps/files_external/**'
+
+jobs:
+  smb-kerberos-tests:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        php-versions: ['7.4', '8.0']
+
+    name: php${{ matrix.php-versions }}-${{ matrix.ftpd }}
+
+    steps:
+      - name: Checkout server
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+      - name: Pull images
+        run: |
+          docker pull icewind1991/samba-krb-test-dc
+          docker pull icewind1991/samba-krb-test-apache
+          docker pull icewind1991/samba-krb-test-client
+      - name: Setup AD-DC
+        run: |
+          mkdir data
+          sudo chown -R 33 data apps config
+          apps/files_external/tests/setup-krb.sh
+      - name: Set up Nextcloud
+        run: |
+          docker exec --user 33 apache ./occ maintenance:install --verbose --database=sqlite --database-name=nextcloud --database-host=127.0.0.1 --database-user=root --database-pass=rootpassword --admin-user admin --admin-pass password
+          docker exec --user 33 apache ./occ config:system:set trusted_domains 1 --value 'httpd.domain.test'
+
+          # setup user_saml
+          docker exec --user 33 apache ./occ app:enable user_saml --force
+          docker exec --user 33 apache ./occ config:app:set user_saml type --value 'environment-variable'
+          docker exec --user 33 apache ./occ config:app:set user_saml general-uid_mapping --value REMOTE_USER
+
+          # setup external storage
+          docker exec --user 33 apache ./occ app:enable files_external --force
+          docker exec --user 33 apache ./occ files_external:create smb smb smb::kerberosapache
+          docker exec --user 33 apache ./occ files_external:config 1 host krb.domain.test
+          docker exec --user 33 apache ./occ files_external:config 1 share netlogon
+          docker exec --user 33 apache ./occ files_external:list
+      - name: Test SSO
+        run: |
+          mkdir cookies
+          chmod 0777 cookies
+
+          DC_IP=$(docker inspect dc --format '{{.NetworkSettings.IPAddress}}')
+          docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
+            curl -c /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/index.php/apps/user_saml/saml/login
+          CONTENT=$(docker run --rm --name client -v $PWD/cookies:/cookies -v /tmp/shared:/shared --dns $DC_IP --hostname client.domain.test icewind1991/samba-krb-test-client \
+            curl -b /cookies/jar -s --negotiate -u testuser@DOMAIN.TEST: --delegation always http://httpd.domain.test/remote.php/webdav/smb/test.txt)
+          echo $CONTENT
+          CONTENT=$(echo $CONTENT | tr -d '[:space:]')
+          [[ $CONTENT == "testfile" ]]
+
+
+  smb-kerberos-summary:
+    runs-on: ubuntu-latest
+    needs: smb-kerberos-tests
+
+    if: always()
+
+    steps:
+      - name: Summary status
+        run: if ${{ needs.smb-kerberos-tests.result != 'success' }}; then exit 1; fi
diff --git a/apps/files_external/3rdparty/.gitignore b/apps/files_external/3rdparty/.gitignore
@@ -5,6 +5,8 @@ icewind/smb/install_libsmbclient.sh
 icewind/smb/Makefile
 icewind/smb/.travis.yml
 icewind/smb/.scrutinizer.yml
+icewind/smb/example-apache-kerberos.php
+icewind/smb/codecov.yml
 icewind/streams/tests
 .github
 .php_cs*

diff --git a/apps/files_external/3rdparty/composer.json b/apps/files_external/3rdparty/composer.json
@@ -9,6 +9,6 @@
 	},
 	"require": {
 		"icewind/streams": "0.7.4",
-		"icewind/smb": "3.4.1"
+		"icewind/smb": "3.5.2"
 	}
 }
diff --git a/apps/files_external/3rdparty/composer.lock b/apps/files_external/3rdparty/composer.lock
diff --git a/apps/files_external/3rdparty/composer/ClassLoader.php b/apps/files_external/3rdparty/composer/ClassLoader.php
@@ -42,30 +42,75 @@
  */
 class ClassLoader
 {
+    /** @var ?string */
     private $vendorDir;
 
     // PSR-4
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<string, int>>
+     */
     private $prefixLengthsPsr4 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<int, string>>
+     */
     private $prefixDirsPsr4 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, string>
+     */
     private $fallbackDirsPsr4 = array();
 
     // PSR-0
+    /**
+     * @var array[]
+     * @psalm-var array<string, array<string, string[]>>
+     */
     private $prefixesPsr0 = array();
+    /**
+     * @var array[]
+     * @psalm-var array<string, string>
+     */
     private $fallbackDirsPsr0 = array();
 
+    /** @var bool */
     private $useIncludePath = false;
+
+    /**
+     * @var string[]
+     * @psalm-var array<string, string>
+     */
     private $classMap = array();
+
+    /** @var bool */
     private $classMapAuthoritative = false;
+
+    /**
+     * @var bool[]
+     * @psalm-var array<string, bool>
+     */
     private $missingClasses = array();
+
+    /** @var ?string */
     private $apcuPrefix;
 
+    /**
+     * @var self[]
+     */
     private static $registeredLoaders = array();
 
+    /**
+     * @param ?string $vendorDir
+     */
     public function __construct($vendorDir = null)
     {
         $this->vendorDir = $vendorDir;
     }
 
+    /**
+     * @return string[]
+     */
     public function getPrefixes()
     {
         if (!empty($this->prefixesPsr0)) {
@@ -75,28 +120,47 @@ public function getPrefixes()
         return array();
     }
 
+    /**
+     * @return array[]
+     * @psalm-return array<string, array<int, string>>
+     */
     public function getPrefixesPsr4()
     {
         return $this->prefixDirsPsr4;
     }
 
+    /**
+     * @return array[]
+     * @psalm-return array<string, string>
+     */
     public function getFallbackDirs()
     {
         return $this->fallbackDirsPsr0;
     }
 
+    /**
+     * @return array[]
+     * @psalm-return array<string, string>
+     */
     public function getFallbackDirsPsr4()
     {
         return $this->fallbackDirsPsr4;
     }
 
+    /**
+     * @return string[] Array of classname => path
+     * @psalm-return array<string, string>
+     */
     public function getClassMap()
     {
         return $this->classMap;
     }
 
     /**
-     * @param array $classMap Class to filename map
+     * @param string[] $classMap Class to filename map
+     * @psalm-param array<string, string> $classMap
+     *
+     * @return void
      */
     public function addClassMap(array $classMap)
     {
@@ -111,9 +175,11 @@ public function addClassMap(array $classMap)
      * Registers a set of PSR-0 directories for a given prefix, either
      * appending or prepending to the ones previously set for this prefix.
      *
-     * @param string       $prefix  The prefix
-     * @param array|string $paths   The PSR-0 root directories
-     * @param bool         $prepend Whether to prepend the directories
+     * @param string          $prefix  The prefix
+     * @param string[]|string $paths   The PSR-0 root directories
+     * @param bool            $prepend Whether to prepend the directories
+     *
+     * @return void
      */
     public function add($prefix, $paths, $prepend = false)
     {
@@ -156,11 +222,13 @@ public function add($prefix, $paths, $prepend = false)
      * Registers a set of PSR-4 directories for a given namespace, either
      * appending or prepending to the ones previously set for this namespace.
      *
-     * @param string       $prefix  The prefix/namespace, with trailing '\\'
-     * @param array|string $paths   The PSR-4 base directories
-     * @param bool         $prepend Whether to prepend the directories
+     * @param string          $prefix  The prefix/namespace, with trailing '\\'
+     * @param string[]|string $paths   The PSR-4 base directories
+     * @param bool            $prepend Whether to prepend the directories
      *
      * @throws \InvalidArgumentException
+     *
+     * @return void
      */
     public function addPsr4($prefix, $paths, $prepend = false)
     {
@@ -204,8 +272,10 @@ public function addPsr4($prefix, $paths, $prepend = false)
      * Registers a set of PSR-0 directories for a given prefix,
      * replacing any others previously set for this prefix.
      *
-     * @param string       $prefix The prefix
-     * @param array|string $paths  The PSR-0 base directories
+     * @param string          $prefix The prefix
+     * @param string[]|string $paths  The PSR-0 base directories
+     *
+     * @return void
      */
     public function set($prefix, $paths)
     {
@@ -220,10 +290,12 @@ public function set($prefix, $paths)
      * Registers a set of PSR-4 directories for a given namespace,
      * replacing any others previously set for this namespace.
      *
-     * @param string       $prefix The prefix/namespace, with trailing '\\'
-     * @param array|string $paths  The PSR-4 base directories
+     * @param string          $prefix The prefix/namespace, with trailing '\\'
+     * @param string[]|string $paths  The PSR-4 base directories
      *
      * @throws \InvalidArgumentException
+     *
+     * @return void
      */
     public function setPsr4($prefix, $paths)
     {
@@ -243,6 +315,8 @@ public function setPsr4($prefix, $paths)
      * Turns on searching the include path for class files.
      *
      * @param bool $useIncludePath
+     *
+     * @return void
      */
     public function setUseIncludePath($useIncludePath)
     {
@@ -265,6 +339,8 @@ public function getUseIncludePath()
      * that have not been registered with the class map.
      *
      * @param bool $classMapAuthoritative
+     *
+     * @return void
      */
     public function setClassMapAuthoritative($classMapAuthoritative)
     {
@@ -285,6 +361,8 @@ public function isClassMapAuthoritative()
      * APCu prefix to use to cache found/not-found classes, if the extension is enabled.
      *
      * @param string|null $apcuPrefix
+     *
+     * @return void
      */
     public function setApcuPrefix($apcuPrefix)
     {
@@ -305,6 +383,8 @@ public function getApcuPrefix()
      * Registers this instance as an autoloader.
      *
      * @param bool $prepend Whether to prepend the autoloader or not
+     *
+     * @return void
      */
     public function register($prepend = false)
     {
@@ -324,6 +404,8 @@ public function register($prepend = false)
 
     /**
      * Unregisters this instance as an autoloader.
+     *
+     * @return void
      */
     public function unregister()
     {
@@ -403,6 +485,11 @@ public static function getRegisteredLoaders()
         return self::$registeredLoaders;
     }
 
+    /**
+     * @param  string       $class
+     * @param  string       $ext
+     * @return string|false
+     */
     private function findFileWithExtension($class, $ext)
     {
         // PSR-4 lookup
@@ -474,6 +561,10 @@ private function findFileWithExtension($class, $ext)
  * Scope isolated include.
  *
  * Prevents access to $this/self from included files.
+ *
+ * @param  string $file
+ * @return void
+ * @private
  */
 function includeFile($file)
 {