nextcloud/apps/files_external/lib/Lib/Backend/SMB.php

<?php
/**
 * SPDX-FileCopyrightText: 2018-2024 Nextcloud GmbH and Nextcloud contributors
 * SPDX-FileCopyrightText: 2016 ownCloud, Inc.
 * SPDX-License-Identifier: AGPL-3.0-only
 */

namespace OCA\Files_External\Lib\Backend;

use Icewind\SMB\BasicAuth;
use Icewind\SMB\KerberosApacheAuth;
use Icewind\SMB\KerberosAuth;
use OCA\Files_External\Lib\Auth\AuthMechanism;
use OCA\Files_External\Lib\Auth\Password\Password;
use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism;
use OCA\Files_External\Lib\DefinitionParameter;
use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;
use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;
use OCA\Files_External\Lib\StorageConfig;
use OCP\IL10N;
use OCP\IUser;

class SMB extends Backend {
	use LegacyDependencyCheckPolyfill;

	public function __construct(IL10N $l, Password $legacyAuth) {
		$this
			->setIdentifier('smb')
			->addIdentifierAlias('\OC\Files\Storage\SMB')// legacy compat
			->setStorageClass('\OCA\Files_External\Lib\Storage\SMB')
			->setText($l->t('SMB/CIFS'))
			->addParameters([
				new DefinitionParameter('host', $l->t('Host')),
				new DefinitionParameter('share', $l->t('Share')),
				(new DefinitionParameter('root', $l->t('Remote subfolder')))
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('domain', $l->t('Domain')))
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('show_hidden', $l->t('Show hidden files')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
				(new DefinitionParameter('case_sensitive', $l->t('Case sensitive file system')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL)
					->setDefaultValue(true)
					->setTooltip($l->t('Disabling it will allow to use a case insensitive file system, but comes with a performance penalty')),
				(new DefinitionParameter('check_acl', $l->t('Verify ACL access when listing files')))
					->setType(DefinitionParameter::VALUE_BOOLEAN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL)
					->setTooltip($l->t("Check the ACL's of each file or folder inside a directory to filter out items where the account has no read permissions, comes with a performance penalty")),
				(new DefinitionParameter('timeout', $l->t('Timeout')))
					->setType(DefinitionParameter::VALUE_HIDDEN)
					->setFlag(DefinitionParameter::FLAG_OPTIONAL),
			])
			->addAuthScheme(AuthMechanism::SCHEME_PASSWORD)
			->addAuthScheme(AuthMechanism::SCHEME_SMB)
			->setLegacyAuthMechanism($legacyAuth);
	}

	/**
	 * @return void
	 */
	public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null) {
		$auth = $storage->getAuthMechanism();
		if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {
			if (!is_string($storage->getBackendOption('user')) || !is_string($storage->getBackendOption('password'))) {
				throw new \InvalidArgumentException('user or password is not set');
			}

			$smbAuth = new BasicAuth(
				$storage->getBackendOption('user'),
				$storage->getBackendOption('domain'),
				$storage->getBackendOption('password')
			);
		} else {
			switch ($auth->getIdentifier()) {
				case 'smb::kerberos':
					$smbAuth = new KerberosAuth();
					break;
				case 'smb::kerberosapache':
					if (!$auth instanceof KerberosApacheAuthMechanism) {
						throw new \InvalidArgumentException('invalid authentication backend');
					}
					$credentialsStore = $auth->getCredentialsStore();
					$kerbAuth = new KerberosApacheAuth();
					// check if a kerberos ticket is available, else fallback to session credentials
					if ($kerbAuth->checkTicket()) {
						$smbAuth = $kerbAuth;
					} else {
						try {
							$credentials = $credentialsStore->getLoginCredentials();
							$user = $credentials->getLoginName();
							$pass = $credentials->getPassword();
							preg_match('/(.*)@(.*)/', $user, $matches);
							$realm = $storage->getBackendOption('default_realm');
							if (empty($realm)) {
								$realm = 'WORKGROUP';
							}
							if (count($matches) === 0) {
								$username = $user;
								$workgroup = $realm;
							} else {
								$username = $matches[1];
								$workgroup = $matches[2];
							}
							$smbAuth = new BasicAuth(
								$username,
								$workgroup,
								$pass
							);
						} catch (\Exception $e) {
							throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');
						}
					}

					break;
				default:
					throw new \InvalidArgumentException('unknown authentication backend');
			}
		}

		$storage->setBackendOption('auth', $smbAuth);
	}
}
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`<?php`
			`/**`
chore: Add SPDX header Signed-off-by: Andy Scherzinger <info@andy-scherzinger.de> 2024-06-06 03:55:47 -04:00			`* SPDX-FileCopyrightText: 2018-2024 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-FileCopyrightText: 2016 ownCloud, Inc.`
			`* SPDX-License-Identifier: AGPL-3.0-only`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`*/`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`namespace OCA\Files_External\Lib\Backend;`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`use Icewind\SMB\BasicAuth;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`use Icewind\SMB\KerberosApacheAuth;`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`use Icewind\SMB\KerberosAuth;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\Auth\AuthMechanism;`
			`use OCA\Files_External\Lib\Auth\Password\Password;`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`use OCA\Files_External\Lib\Auth\SMB\KerberosApacheAuth as KerberosApacheAuthMechanism;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\DefinitionParameter;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`use OCA\Files_External\Lib\InsufficientDataForMeaningfulAnswerException;`
Some php-cs fixes * Order the imports * No leading slash on imports * Empty line before namespace * One line per import * Empty after imports * Emmpty line at bottom of file Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl> 2019-11-22 14:52:10 -05:00			`use OCA\Files_External\Lib\LegacyDependencyCheckPolyfill;`
			`use OCA\Files_External\Lib\StorageConfig;`
			`use OCP\IL10N;`
Introduce 'login credentials' auth mechanism Stores user credentials in the database after user login, uses the new CredentialsManager class 2015-08-24 11:32:44 -04:00			`use OCP\IUser;`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00
			`class SMB extends Backend {`
Make checkDependencies a real method Replace ->setDependencyCheck(callable) with a real method checkDependencies(). A polyfill is available for legacy storages. 2015-09-01 05:25:33 -04:00			`use LegacyDependencyCheckPolyfill;`

Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`public function __construct(IL10N $l, Password $legacyAuth) {`
			`$this`
			`->setIdentifier('smb')`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`->addIdentifierAlias('\OC\Files\Storage\SMB')// legacy compat`
Fix storage backend class namespaces and move to subdir All classes that were previously \OC\Files\Storage\FooBar are now \OCA\Files_External\Lib\Storage\FooBar 2016-04-13 18:18:07 -04:00			`->setStorageClass('\OCA\Files_External\Lib\Storage\SMB')`
l10n: Spelling unification Spelling unification in Transifex. Signed-off-by: Valdnet 47037905+Valdnet@users.noreply.github.com 2021-04-22 14:07:39 -04:00			`->setText($l->t('SMB/CIFS'))`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`->addParameters([`
Remove unneeded semicolon and parentheses Signed-off-by: Morris Jobke <hey@morrisjobke.de> 2018-01-26 17:46:40 -05:00			`new DefinitionParameter('host', $l->t('Host')),`
			`new DefinitionParameter('share', $l->t('Share')),`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`(new DefinitionParameter('root', $l->t('Remote subfolder')))`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`(new DefinitionParameter('domain', $l->t('Domain')))`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
add option to show hidden files in SMB shares Note hidden files can mean different things in smb and the option the the files web ui, the webui only counts files starting with '.' as hidden, while smb files can be marked as hidden regardless, any files that are marked as hidden on smb will thus be shown in the webui regardless of the setting in the files app. Fixes #15644 Signed-off-by: Robin Appelman <robin@icewind.nl> 2019-05-23 15:23:56 -04:00			`(new DefinitionParameter('show_hidden', $l->t('Show hidden files')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
fix(files_external): on case insensitive system, block case change When a file/directory is renamed to the same name with only case change, the rename fail. We block this kind of rename. The user will have to rename to another name first. Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com> 2023-10-23 04:15:46 -04:00			`(new DefinitionParameter('case_sensitive', $l->t('Case sensitive file system')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
			`->setFlag(DefinitionParameter::FLAG_OPTIONAL)`
			`->setDefaultValue(true)`
Correct a typo Signed-off-by: Valdnet <47037905+Valdnet@users.noreply.github.com> 2023-11-26 05:29:50 -05:00			`->setTooltip($l->t('Disabling it will allow to use a case insensitive file system, but comes with a performance penalty')),`
Add option to check share ACL's when listing directories If a file or folder in a directory doesn't have read permissions they will not be shown Note that enabling this option incurs a performance penalty additional requests need to be made to get all the acl. Additionally the acl resolving logic is fairly primitive at the moment and might not work correctly in all setups (it should error to showing the entry) Signed-off-by: Robin Appelman <robin@icewind.nl> 2020-02-10 10:36:03 -05:00			`(new DefinitionParameter('check_acl', $l->t('Verify ACL access when listing files')))`
			`->setType(DefinitionParameter::VALUE_BOOLEAN)`
add tooltip to option Signed-off-by: Robin Appelman <robin@icewind.nl> 2020-04-10 07:20:20 -04:00			`->setFlag(DefinitionParameter::FLAG_OPTIONAL)`
feat: rename users to account or person Replace translated text in most locations Signed-off-by: Vincent Petry <vincent@nextcloud.com> 2022-09-21 11:44:32 -04:00			`->setTooltip($l->t("Check the ACL's of each file or folder inside a directory to filter out items where the account has no read permissions, comes with a performance penalty")),`
add (hidden) option to configure smb timeout hidden from ui to prevent clutter ```occ files_external:config <mount> timeout 30``` Signed-off-by: Robin Appelman <robin@icewind.nl> 2019-09-25 07:30:40 -04:00			`(new DefinitionParameter('timeout', $l->t('Timeout')))`
Update apps/files_external/lib/Lib/Backend/SMB.php Co-Authored-By: Daniel Kesselberg <mail@danielkesselberg.de> 2019-09-25 08:59:44 -04:00			`->setType(DefinitionParameter::VALUE_HIDDEN)`
Make timeout a optional parameter Signed-off-by: Daniel Kesselberg <mail@danielkesselberg.de> 2019-11-09 09:18:52 -05:00			`->setFlag(DefinitionParameter::FLAG_OPTIONAL),`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`])`
			`->addAuthScheme(AuthMechanism::SCHEME_PASSWORD)`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`->addAuthScheme(AuthMechanism::SCHEME_SMB)`
			`->setLegacyAuthMechanism($legacyAuth);`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`}`

chore: Improve phpdoc typing to silence psalm errors Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-03-28 12:15:01 -04:00			`/**`
			`* @return void`
			`*/`
fix: Apply new coding standard to all files Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com> 2024-03-28 11:13:19 -04:00			`public function manipulateStorageConfig(StorageConfig &$storage, ?IUser $user = null) {`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`$auth = $storage->getAuthMechanism();`
			`if ($auth->getScheme() === AuthMechanism::SCHEME_PASSWORD) {`
files_external SMB: throw InvalidArgument when user is not set Signed-off-by: Anderson Luiz Alves <alacn1@gmail.com> 2021-12-03 08:57:00 -05:00			`if (!is_string($storage->getBackendOption('user')) \|\| !is_string($storage->getBackendOption('password'))) {`
			`throw new \InvalidArgumentException('user or password is not set');`
			`}`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`$smbAuth = new BasicAuth(`
			`$storage->getBackendOption('user'),`
			`$storage->getBackendOption('domain'),`
			`$storage->getBackendOption('password')`
			`);`
			`} else {`
			`switch ($auth->getIdentifier()) {`
			`case 'smb::kerberos':`
			`$smbAuth = new KerberosAuth();`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`break;`
			`case 'smb::kerberosapache':`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`if (!$auth instanceof KerberosApacheAuthMechanism) {`
			`throw new \InvalidArgumentException('invalid authentication backend');`
			`}`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`$credentialsStore = $auth->getCredentialsStore();`
update to release smb lib Signed-off-by: Robin Appelman <robin@icewind.nl> 2021-11-04 10:38:42 -04:00			`$kerbAuth = new KerberosApacheAuth();`
			`// check if a kerberos ticket is available, else fallback to session credentials`
			`if ($kerbAuth->checkTicket()) {`
			`$smbAuth = $kerbAuth;`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`} else {`
			`try {`
			`$credentials = $credentialsStore->getLoginCredentials();`
			`$user = $credentials->getLoginName();`
			`$pass = $credentials->getPassword();`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`preg_match('/(.)@(.)/', $user, $matches);`
			`$realm = $storage->getBackendOption('default_realm');`
			`if (empty($realm)) {`
			`$realm = 'WORKGROUP';`
			`}`
			`if (count($matches) === 0) {`
			`$username = $user;`
			`$workgroup = $realm;`
			`} else {`
Fix php:cs Signed-off-by: Louis Chemineau <louis@chmn.me> 2022-01-26 04:47:16 -05:00			`$username = $matches[1];`
Fix accessing undefined offsets Move this to inside the else clause of the count($matches) Signed-off-by: Carl Schwan <carl@carlschwan.eu> 2022-01-21 07:59:10 -05:00			`$workgroup = $matches[2];`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`}`
			`$smbAuth = new BasicAuth(`
add changes from Sebastian/dassIT and move default_realm to backend - Sebastian added the switch depending on the preg_match result and with it the fall back to login credentials - I turned default_realm to a backend option (was previously suggested as system config key) Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-29 12:27:30 -04:00			`$username,`
			`$workgroup,`
add KerberosApacheAuth support to files_external Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de> 2021-10-20 16:39:13 -04:00			`$pass`
			`);`
			`} catch (\Exception $e) {`
			`throw new InsufficientDataForMeaningfulAnswerException('No session credentials saved');`
			`}`
			`}`

Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00			`break;`
			`default:`
			`throw new \InvalidArgumentException('unknown authentication backend');`
			`}`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`}`
Add support for using kerberos ticket to authenticate to smb servers Signed-off-by: Robin Appelman <robin@icewind.nl> 2018-05-28 10:17:19 -04:00
			`$storage->setBackendOption('auth', $smbAuth);`
Allow domain to be specified for SMB 2015-08-21 05:30:42 -04:00			`}`
Migrate SMB external storage to new API 2015-08-12 17:13:27 -04:00			`}`