nextcloud/apps/files_external/lib/Lib/Backend/SMB.php

<?php

/**
 * SPDX-FileCopyrightText: 2018-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */

namespace OCA\Files_External\Lib\Backend;

use Icewind\SMB\BasicAuth;
use Icewind\SMB\KerberosAuth;
use Icewind\SMB\KerberosTicket;
use Icewind\SMB\Native\NativeServer;
use Icewind\SMB\Wrapped\Server;
use OCA\Files_External\Lib\Auth\AuthMechanism;
use OCA\Files_External\Lib\Auth\Password\Password;
use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism;
use OCA\Files_External\Lib\DefinitionParameter;
use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
use OCA\Files_External\Lib\MissingDependency;
use OCA\Files_External\Lib\Storage\SystemBridge;
use OCA\Files_External\Lib\StorageConfig;
use OCP\IL10N;
use OCP\IUser;

class SMB extends Backend {
	public function __construct(IL10N $l, Password $legacyAuth) {
		$this
			->setIdentifier('smb')
			->addIdentifierAlias('\OC\Files\Storage\SMB')// legacy compat
			->setStorageClass('\OCA\Files_External\Lib\Storage\SMB')
			->setText($l->t('SMB/CIFS'))
			->addParameters([
				new DefinitionParameter('host', $l->t('Host')),
				new DefinitionParameter('share', $l->t('Share')),
				(new DefinitionParameter('root', $l->t('Remote subfolder')))
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('domain', $l->t('Domain')))
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('show_hidden', $l->t('Show hidden files')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('case_sensitive', $l->t('Case sensitive file system')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL)
					->setDefaultValue(true)
					->setTooltip($l->t('Disabling it will allow to use a case insensitive file system, but comes with a performance penalty')),
				(new DefinitionParameter('check_acl', $l->t('Verify ACL access when listing files')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL)
					->setTooltip($l->t("Check the ACL's of each file or folder inside a directory to filter out items where the account has no read permissions, comes with a performance penalty")),
				(new DefinitionParameter('timeout', $l->t('Timeout')))
					->setType(DefinitionParameter::VALUE_TEXT)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL)
					->setFlag(DefinitionParameter::FLAG_HIDDEN),
			])
			->addAuthScheme(AuthMechanism::SCHEME_PASSWORD)
			->addAuthScheme(AuthMechanism::SCHEME_SMB)
			->setLegacyAuthMechanism($legacyAuth);
	}

	public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null): void {
		$auth = $storage->getAuthMechanism();
		if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
			if (!is_string($storage->getBackendOption('user')) || !is_string($storage->getBackendOption('password'))) {
				throw new \InvalidArgumentException('user or password is not set');
			}

			$smbAuth = new BasicAuth(
				$storage->getBackendOption('user'),
				$storage->getBackendOption('domain'),
				$storage->getBackendOption('password')
			);
		} else {
			switch ($auth->getIdentifier()) {
				case 'smb::kerberos':
					$smbAuth = new KerberosAuth();
					break;
				case 'smb::kerberosapache':
					if (!$auth instanceof KerberosApacheAuthMechanism) {
						throw new \InvalidArgumentException('invalid authentication backend');
					}
					$credentialsStore = $auth->getCredentialsStore();
					$kerbAuth = new KerberosAuth();
					$kerbAuth->setTicket(KerberosTicket::fromEnv());
					// check if a kerberos ticket is available, else fallback to session credentials
					if ($kerbAuth->getTicket()?->isValid()) {
						$smbAuth = $kerbAuth;
					} else {
						try {
							$credentials = $credentialsStore->getLoginCredentials();
							$loginName = $credentials->getLoginName();
							$pass = $credentials->getPassword();
							preg_match('/(.*)@(.*)/', $loginName, $matches);
							$realm = $storage->getBackendOption('default_realm');
							if (empty($realm)) {
								$realm = 'WORKGROUP';
							}
							if (count($matches) === 0) {
								$username = $loginName;
								$workgroup = $realm;
							} else {
								[, $username, $workgroup] = $matches;
							}
							$smbAuth = new BasicAuth(
								$username,
								$workgroup,
								$pass
							);
						} catch (\Exception) {
							throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
						}
					}

					break;
				default:
					throw new \InvalidArgumentException('unknown authentication backend');
			}
		}

		$storage->setBackendOption('auth', $smbAuth);
	}

	public function checkDependencies(): array {
		$system = \OCP\Server::get(SystemBridge::class);
		if (NativeServer::available($system)) {
			return [];
		} elseif (Server::available($system)) {
			$missing = new MissingDependency('php-smbclient');
			$missing->setOptional(true);
			$missing->setMessage('The php-smbclient library provides improved compatibility and performance for SMB storages.');
			return [$missing];
		} else {
			$missing = new MissingDependency('php-smbclient');
			$missing->setMessage('Either the php-smbclient library (preferred) or the smbclient binary is required for SMB storages.');
			return [$missing, new MissingDependency('smbclient')];
		}
	}
}
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`<?php`
chore: apply new CSFixer rules Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de> # Conflicts: # apps/settings/lib/SetupChecks/PhpOpcacheSetup.php 2025-06-30 09:04:05 -04:00
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-06-06 03:55:47 -04:00			`* SPDX-FileCopyrightText: 2018-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`*/`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`namespace OCA\Files_External\Lib\Backend;`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`use Icewind\SMB\BasicAuth;`
			`use Icewind\SMB\KerberosAuth;`
fix(Krb): switch away from deprecated and broken KerberosApacheAuth() Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:08:22 -04:00			`use Icewind\SMB\KerberosTicket;`
feat: add command to check files_external dependencies Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-05-07 12:48:38 -04:00			`use Icewind\SMB\Native\NativeServer;`
			`use Icewind\SMB\Wrapped\Server;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\Auth\AuthMechanism;`
			`use OCA\Files_External\Lib\Auth\Password\Password;`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\DefinitionParameter;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;`
feat: add command to check files_external dependencies Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-05-07 12:48:38 -04:00			`use OCA\Files_External\Lib\MissingDependency;`
			`use OCA\Files_External\Lib\Storage\SystemBridge;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\StorageConfig;`
			`use OCP\IL10N;`
Introduce 'login credentials' auth mechanism Stores user credentials in the database after user login, uses the new CredentialsManager class 2015-08-24 11:32:44 -04:00			`use OCP\IUser;`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00
			`class SMB extends Backend {`
			`public function __construct(IL10N $l, Password $legacyAuth) {`
			`$this`
			`->setIdentifier('smb')`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`->addIdentifierAlias('\OC\Files\Storage\SMB')// legacy compat`
Fix storage backend class namespaces and move to subdir All classes that were previously \OC\Files\Storage\FooBar are now \OCA\Files_External\Lib\Storage\FooBar 2016-04-13 18:18:07 -04:00			`->setStorageClass('\OCA\Files_External\Lib\Storage\SMB')`
l10n: Spelling unification Spelling unification in Transifex. Signed-off-by: Valdnet 47037905+Valdnet@users.noreply.github.com 2021-04-22 14:07:39 -04:00			`->setText($l->t('SMB/CIFS'))`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`->addParameters([`
Remove unneeded semicolon and parentheses Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-01-26 17:46:40 -05:00			`new DefinitionParameter('host', $l->t('Host')),`
			`new DefinitionParameter('share', $l->t('Share')),`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`(new DefinitionParameter('root', $l->t('Remote subfolder')))`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`(new DefinitionParameter('domain', $l->t('Domain')))`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
add option to show hidden files in SMB shares Note hidden files can mean different things in smb and the option the the files web ui, the webui only counts files starting with '.' as hidden, while smb files can be marked as hidden regardless, any files that are marked as hidden on smb will thus be shown in the webui regardless of the setting in the files app. Fixes #15644 Signed-off-by: Robin Appelman <robin@icewind.nl> 2019-05-23 15:23:56 -04:00			`(new DefinitionParameter('show_hidden', $l->t('Show hidden files')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
fix(files_external): on case insensitive system, block case change When a file/directory is renamed to the same name with only case change, the rename fail. We block this kind of rename. The user will have to rename to another name first. Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2023-10-23 04:15:46 -04:00			`(new DefinitionParameter('case_sensitive', $l->t('Case sensitive file system')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL)`
			`->setDefaultValue(true)`
Correct a typo Signed-off-by: Valdnet <47037905+Valdnet@users.noreply.github.com> 2023-11-26 05:29:50 -05:00			`->setTooltip($l->t('Disabling it will allow to use a case insensitive file system, but comes with a performance penalty')),`
Add option to check share ACL's when listing directories If a file or folder in a directory doesn't have read permissions they will not be shown Note that enabling this option incurs a performance penalty additional requests need to be made to get all the acl. Additionally the acl resolving logic is fairly primitive at the moment and might not work correctly in all setups (it should error to showing the entry) Signed-off-by: Robin Appelman <robin@icewind.nl> 2020-02-10 10:36:03 -05:00			`(new DefinitionParameter('check_acl', $l->t('Verify ACL access when listing files')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
add tooltip to option Signed-off-by: Robin Appelman <robin@icewind.nl> 2020-04-10 07:20:20 -04:00			`->setFlag(DefinitionParameter::FLAG_OPTIONAL)`
feat: rename users to account or person Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com> 2022-09-21 11:44:32 -04:00			`->setTooltip($l->t("Check the ACL's of each file or folder inside a directory to filter out items where the account has no read permissions, comes with a performance penalty")),`
add (hidden) option to configure smb timeout hidden from ui to prevent clutter ```occ files_external:config <mount> timeout 30``` Signed-off-by: Robin Appelman <robin@icewind.nl> 2019-09-25 07:30:40 -04:00			`(new DefinitionParameter('timeout', $l->t('Timeout')))`
fix(files_external): Convert VALUE_HIDDEN to FLAG_HIDDEN to allow combining VALUE_PASSWORD and FLAG_HIDDEN Signed-off-by: provokateurin <kate@provokateurin.de> 2025-05-05 04:52:28 -04:00			`->setType(DefinitionParameter::VALUE_TEXT)`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL)`
			`->setFlag(DefinitionParameter::FLAG_HIDDEN),`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`])`
			`->addAuthScheme(AuthMechanism::SCHEME_PASSWORD)`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`->addAuthScheme(AuthMechanism::SCHEME_SMB)`
			`->setLegacyAuthMechanism($legacyAuth);`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`}`

style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null): void {`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`$auth = $storage->getAuthMechanism();`
			`if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {`
files_external SMB: throw InvalidArgument when user is not set Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com> 2021-12-03 08:57:00 -05:00			`if (!is_string($storage->getBackendOption('user')) \|\| !is_string($storage->getBackendOption('password'))) {`
			`throw new \InvalidArgumentException('user or password is not set');`
			`}`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`$smbAuth = new BasicAuth(`
			`$storage->getBackendOption('user'),`
			`$storage->getBackendOption('domain'),`
			`$storage->getBackendOption('password')`
			`);`
			`} else {`
			`switch ($auth->getIdentifier()) {`
			`case 'smb::kerberos':`
			`$smbAuth = new KerberosAuth();`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`break;`
			`case 'smb::kerberosapache':`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`if (!$auth instanceof KerberosApacheAuthMechanism) {`
			`throw new \InvalidArgumentException('invalid authentication backend');`
			`}`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`$credentialsStore = $auth->getCredentialsStore();`
fix(Krb): switch away from deprecated and broken KerberosApacheAuth() Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:08:22 -04:00			`$kerbAuth = new KerberosAuth();`
			`$kerbAuth->setTicket(KerberosTicket::fromEnv());`
update to release smb lib Signed-off-by: Robin Appelman <robin@icewind.nl> 2021-11-04 10:38:42 -04:00			`// check if a kerberos ticket is available, else fallback to session credentials`
fix(Krb): switch away from deprecated and broken KerberosApacheAuth() Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:08:22 -04:00			`if ($kerbAuth->getTicket()?->isValid()) {`
update to release smb lib Signed-off-by: Robin Appelman <robin@icewind.nl> 2021-11-04 10:38:42 -04:00			`$smbAuth = $kerbAuth;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`} else {`
			`try {`
			`$credentials = $credentialsStore->getLoginCredentials();`
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`$loginName = $credentials->getLoginName();`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`$pass = $credentials->getPassword();`
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`preg_match('/(.)@(.)/', $loginName, $matches);`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`$realm = $storage->getBackendOption('default_realm');`
			`if (empty($realm)) {`
			`$realm = 'WORKGROUP';`
			`}`
			`if (count($matches) === 0) {`
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`$username = $loginName;`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`$workgroup = $realm;`
			`} else {`
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`[, $username, $workgroup] = $matches;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`}`
			`$smbAuth = new BasicAuth(`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`$username,`
			`$workgroup,`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`$pass`
			`);`
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`} catch (\Exception) {`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');`
			`}`
			`}`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`break;`
			`default:`
			`throw new \InvalidArgumentException('unknown authentication backend');`
			`}`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`}`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00
			`$storage->setBackendOption('auth', $smbAuth);`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`}`
feat: add command to check files_external dependencies Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-05-07 12:48:38 -04:00
style(PHP): code cleanup, no effective changes Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2025-07-10 09:12:00 -04:00			`public function checkDependencies(): array {`
feat: add command to check files_external dependencies Signed-off-by: Robin Appelman <robin@icewind.nl> 2025-05-07 12:48:38 -04:00			`$system = \OCP\Server::get(SystemBridge::class);`
			`if (NativeServer::available($system)) {`
			`return [];`
			`} elseif (Server::available($system)) {`
			`$missing = new MissingDependency('php-smbclient');`
			`$missing->setOptional(true);`
			`$missing->setMessage('The php-smbclient library provides improved compatibility and performance for SMB storages.');`
			`return [$missing];`
			`} else {`
			`$missing = new MissingDependency('php-smbclient');`
			`$missing->setMessage('Either the php-smbclient library (preferred) or the smbclient binary is required for SMB storages.');`
			`return [$missing, new MissingDependency('smbclient')];`
			`}`
			`}`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`}`