|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* @copyright Copyright (c) 2018 Robin Appelman <[email protected]> |
|
4
|
|
|
* |
|
5
|
|
|
* @license GNU AGPL version 3 or any later version |
|
6
|
|
|
* |
|
7
|
|
|
* This program is free software: you can redistribute it and/or modify |
|
8
|
|
|
* it under the terms of the GNU Affero General Public License as |
|
9
|
|
|
* published by the Free Software Foundation, either version 3 of the |
|
10
|
|
|
* License, or (at your option) any later version. |
|
11
|
|
|
* |
|
12
|
|
|
* This program is distributed in the hope that it will be useful, |
|
13
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
14
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
15
|
|
|
* GNU Affero General Public License for more details. |
|
16
|
|
|
* |
|
17
|
|
|
* You should have received a copy of the GNU Affero General Public License |
|
18
|
|
|
* along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
19
|
|
|
* |
|
20
|
|
|
*/ |
|
21
|
|
|
|
|
22
|
|
|
namespace Icewind\SMB; |
|
23
|
|
|
|
|
24
|
|
|
use Icewind\SMB\Exception\DependencyException; |
|
25
|
|
|
use Icewind\SMB\Exception\Exception; |
|
26
|
|
|
|
|
27
|
|
|
|
|
28
|
|
|
/** |
|
29
|
|
|
* Use existing kerberos ticket to authenticate and reuse the apache ticket cache (mod_auth_kerb) |
|
30
|
|
|
*/ |
|
31
|
|
|
class KerberosApacheAuth extends KerberosAuth implements IAuth { |
|
32
|
|
|
|
|
33
|
|
|
private $ticketPath = ""; |
|
34
|
|
|
|
|
35
|
|
|
//only working with specific library (mod_auth_kerb, krb5, smbclient) versions |
|
36
|
|
|
private $saveTicketInMemory = false; |
|
37
|
|
|
|
|
38
|
|
|
public function __construct($saveTicketInMemory = false) { |
|
39
|
|
|
|
|
40
|
|
|
$this->saveTicketInMemory = $saveTicketInMemory; |
|
41
|
|
|
$this->registerApacheKerberosTicket(); |
|
42
|
|
|
|
|
43
|
|
|
} |
|
44
|
|
|
|
|
45
|
|
|
private function registerApacheKerberosTicket() { |
|
46
|
|
|
|
|
47
|
|
|
// inspired by https://git.typo3.org/TYPO3CMS/Extensions/fal_cifs.git |
|
48
|
|
|
|
|
49
|
|
|
if (!extension_loaded("krb5")) { |
|
50
|
|
|
|
|
51
|
|
|
// https://pecl.php.net/package/krb5 |
|
52
|
|
|
throw new DependencyException('Ensure php-krb5 is installed.'); |
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
//read apache kerberos ticket cache |
|
56
|
|
|
$cacheFile = getenv("KRB5CCNAME"); |
|
57
|
|
|
if(!$cacheFile) { |
|
58
|
|
|
|
|
59
|
|
|
throw new Exception('No kerberos ticket cache environment variable (KRB5CCNAME) found.'); |
|
60
|
|
|
|
|
61
|
|
|
} |
|
62
|
|
|
|
|
63
|
|
|
$krb5 = new \KRB5CCache(); |
|
64
|
|
|
$krb5->open($cacheFile); |
|
65
|
|
|
if(!$krb5->isValid()) { |
|
66
|
|
|
throw new Exception('Kerberos ticket cache is not valid.'); |
|
67
|
|
|
} |
|
68
|
|
|
|
|
69
|
|
|
|
|
70
|
|
|
if($this->saveTicketInMemory) { |
|
71
|
|
|
putenv("KRB5CCNAME=" . $krb5->getName()); |
|
72
|
|
|
} |
|
73
|
|
|
else { |
|
74
|
|
|
//workaround: smbclient is not working with the original apache ticket cache. |
|
75
|
|
|
$tmpFilename = tempnam("/tmp", "krb5cc_php_"); |
|
76
|
|
|
$tmpCacheFile = "FILE:" . $tmpFilename; |
|
77
|
|
|
$krb5->save($tmpCacheFile); |
|
78
|
|
|
$this->ticketPath = $tmpFilename; |
|
79
|
|
|
putenv("KRB5CCNAME=" . $tmpCacheFile); |
|
80
|
|
|
} |
|
81
|
|
|
|
|
82
|
|
|
} |
|
83
|
|
|
|
|
84
|
|
|
|
|
85
|
|
|
public function __destruct() { |
|
86
|
|
|
|
|
87
|
|
|
if(!empty($this->ticketPath) && file_exists($this->ticketPath) && is_file($this->ticketPath)) { |
|
88
|
|
|
|
|
89
|
|
|
unlink($this->ticketPath); |
|
90
|
|
|
|
|
91
|
|
|
} |
|
92
|
|
|
} |
|
93
|
|
|
|
|
94
|
|
|
} |
|
95
|
|
|
|
icewind1991 /
SMB
