authorHash9 <hash9@users.sourceforge.net>2006-07-12 22:03:05 +0000
committerHash9 <hash9@users.sourceforge.net>2006-07-12 22:03:05 +0000
commitda5f92fb847bbde936b4a05df517a0e581648ac6 (patch)
tree8d5450c2f6579a31aa9493538396127d43788ccb /auth
parent7bbb43727d13cef2b1ff87e915caa4da18794d2b (diff)
Add Pluggable Auth
Diffstat (limited to 'auth')
-rw-r--r--auth/bit_auth.php97
-rw-r--r--auth/imap_auth.php97
-rw-r--r--auth/ldap_auth.php215
3 files changed, 409 insertions, 0 deletions
diff --git a/auth/bit_auth.php b/auth/bit_auth.php
new file mode 100644
index 0000000..4ea625b
--- /dev/null
+++ b/auth/bit_auth.php
@@ -0,0 +1,97 @@
+<?php
+class BitAuth extends BaseAuth {
+
+ function BitAuth() {
+ parent::BaseAuth('bit');
+ }
+
+ function validate($user,$pass,$challenge,$response) {
+ parent::validate($user,$pass,$challenge,$response);
+ global $gBitSystem;
+ global $gBitDb;
+ $ret = SERVER_ERROR;
+ if( empty( $user ) ) {
+ $this->mErrors['login'] = 'User not found';
+ } elseif( empty( $pass ) ) {
+ $this->mErrors['login'] = 'Password incorrect';
+ } else {
+ $loginVal = strtoupper( $user ); // case insensitive login
+ $loginCol = ' UPPER(`'.(strpos( $user, '@' ) ? 'email' : 'login').'`)';
+ // first verify that the user exists
+ $query = "select `email`, `login`, `user_id`, `user_password` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convert_binary(). " $loginCol = ?";
+ $result = $gBitDb->query( $query, array( $loginVal ) );
+ if( !$result->numRows() ) {
+ $this->mErrors['login'] = 'User not found';
+ } else {
+ $res = $result->fetchRow();
+ $userId = $res['user_id'];
+ $user = $res['login'];
+ // TikiWiki 1.8+ uses this bizarro conglomeration of fields to get the hash. this sucks for many reasons
+ $hash = md5( strtolower($user) . $pass . $res['email']);
+ $hash2 = md5($pass);
+ // next verify the password with 2 hashes methods, the old one (pass)) and the new one (login.pass;email)
+ // TODO - this needs cleaning up - wolff_borg
+ if( !$gBitSystem->isFeatureActive( 'feature_challenge' ) || empty($response) ) {
+ $query = "select `user_id`, `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convert_binary(). " $loginCol = ? and (`hash`=? or `hash`=?)";
+ if ( $row = $gBitDb->getRow( $query, array( $loginVal, $hash, $hash2 ) ) ) {
+ // auto-update old hashes with simple and standard md5( password )
+ $hashUpdate = '';
+ if( $row['hash'] == $hash ) {
+ $hashUpdate = 'hash=?, ';
+ $bindVars[] = $hash2;
+ }
+ $bindVars[] = $gBitSystem->getUTCTime();
+ $bindVars[] = $userId;
+ $query = "update `".BIT_DB_PREFIX."users_users` set $hashUpdate `last_login`=`current_login`, `current_login`=? where `user_id`=?";
+ $result = $gBitDb->query($query, $bindVars );
+ $ret=USER_VALID;
+ } else {
+ $ret=PASSWORD_INCORRECT;
+ $this->mErrors[] = 'Password incorrect';
+ }
+ } else {
+ // Use challenge-reponse method
+ // Compare pass against md5(user,challenge,hash)
+ $hash = $gBitDb->getOne("select `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convert_binary(). " $loginCol = ?", array( $user ) );
+ if (!isset($_SESSION["challenge"])) {
+ $this->mErrors[] = 'Invalid challenge';
+ $ret=PASSWORD_INCORRECT;
+ }
+ //print("pass: $pass user: $user hash: $hash <br/>");
+ //print("challenge: ".$_SESSION["challenge"]." challenge: $challenge<br/>");
+ //print("response : $response<br/>");
+ if ($response == md5( strtolower($user) . $hash . $_SESSION["challenge"]) ) {
+ $ret = USER_VALID;
+ $this->update_lastlogin( $userId );
+ } else {
+ $this->mErrors[] = 'Invalid challenge';
+ $ret=PASSWORD_INCORRECT;
+ }
+ }
+ }
+ if (!empty($userId)) {
+ $this->mInfo['user_id']=$userId;
+ }
+ }
+ return( $ret );
+ }
+
+ function canManageAuth() {
+ return true;
+ }
+
+ function isSupported() {
+ return true;
+ }
+
+ function createUser(&$userattr) {
+ //$authUserInfo = array( 'login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email'] );
+ if (empty($userattr["email"])) {
+ $userattr["email"] = $userattr["login"];
+ }
+ $u = new BitUser();
+ $res = $u->store( $userattr );
+ $this->mErrors = array_merge($this->mErrors,$u->mErrors);
+ return $res;
+ }
+} \ No newline at end of file
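Review bot: In the challenge branch the `if (!isset($_SESSION["challenge"]))` check records "Invalid challenge" but does not stop the comparison that follows, so with no challenge stored the code still computes `md5( strtolower($user) . $hash . $_SESSION["challenge"])` against an undefined key and whatever that comparison yields overrides the error already set. Chaining the two as `} elseif ($response === md5( strtolower($user) . $hash . $_SESSION["challenge"]) ) {` skips the comparison when the challenge is absent and replaces the loose `==`, which compares numerically when both sides look like numeric strings (digests of the form `0e...`). The lookup in that same branch binds `$user`, which by then holds the `login` column value, while `$loginCol` was derived from the original input and may be `UPPER(email)` and the two earlier queries bind the upper-cased `$loginVal`; binding `$loginVal` here as well keeps the three queries consistent and avoids a missed row. `$bindVars` is also first used with `[]` without being initialised, which works in PHP but reads as accidental; `$bindVars = array();` before the hash-update block makes the intent explicit.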
diff --git a/auth/imap_auth.php b/auth/imap_auth.php
new file mode 100644
index 0000000..951c1fa
--- /dev/null
+++ b/auth/imap_auth.php
@@ -0,0 +1,97 @@
+<?php
+class IMAPAuth extends BaseAuth {
+
+ function IMAPAuth() {
+ parent::BaseAuth('imap');
+ }
+
+ function validate($user,$pass,$challenge,$response) {
+ parent::validate($user,$pass,$challenge,$response);
+ $mailbox = '{' . $this->mConfig['server'];
+ if ($this->mConfig["ssl"]) {
+ $mailbox .= "/ssl";
+ if ($this->mConfig["sslvalidate"]) {
+ $mailbox .= "/validate-cert";
+ } else {
+ $mailbox .= "/novalidate-cert";
+ }
+ }
+ $mailbox .= ':'.$this->mConfig["port"].'}INBOX';
+
+ $imapauth = @imap_open($mailbox,$user , $pass);
+ if (!$imapauth) {
+ $this->mErrors['login']=imap_errors();
+ $ret=USER_NOT_FOUND;
+ } else {
+ $ret=USER_VALID;
+ $this->mInfo["real_name"] = $user;
+ if(empty($this->mConfig["email"])) {
+ $this->mInfo["email"] = $user;
+ } else {
+ $info=array('login'=>$user);
+ $replace_func = create_function('$matches','$info = '.var_export($info,true).';
+ $m = $matches[0];
+ $m = substr($m,1,strlen($m)-2);
+ if(empty($info[$m])) return "";
+ return strtolower($info[$m]);');
+ $this->mInfo["email"] = preg_replace_callback('/%.*?%/',$replace_func,$this->mConfig["email"]);
+ }
+ imap_close($imapauth);
+ }
+ return $ret;
+ }
+
+ function isSupported() {
+ $ret = true;
+ if (!function_exists('imap_open')) {
+ $this->mErrors['support']=tra("IMAP Authentication is not supported as PHP IMAP Extention not loaded.");
+ $ret = false;
+ }
+ return $ret;
+ }
+
+ function createUser(&$userattr) {
+ $this->mErrors['create']=tra("Cannot create users in an IMAP Server.");
+ return false;
+ }
+
+ function canManageAuth() {
+ $this->mErrors[]=tra("Cannot create users in an IMAP Server.");
+ return false;
+ }
+
+ function getSettings() {
+ return array(
+ 'users_imap_server' => array(
+ 'label' => "IMAP Server",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_imap_ssl' => array(
+ 'label' => "Connect Using SSL",
+ 'type' => "checkbox",
+ 'note' => "",
+ 'default' => 'y',
+ ),
+ 'users_imap_sslvalidate' => array(
+ 'label' => "Require SSL Certificate to be valid",
+ 'type' => "checkbox",
+ 'note' => "",
+ 'default' => 'n',
+ ),
+ 'users_imap_port' => array(
+ 'label' => "IMAP Port",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '993',
+ ),
+ 'users_imap_email' => array(
+ 'label' => "LDAP User E-Mail Address",
+ 'type' => "text",
+ 'note' => "If empty the login is used.<br />Otherwise all %login% is replaced with the login name, and the result used as the email address.<br />Please remember to include the @ sign",
+ 'default' => "%login%@redhat.com",
+ ),
+ );
+ }
+} \ No newline at end of file
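Review bot: The SSL branches `if ($this->mConfig["ssl"])` and `if ($this->mConfig["sslvalidate"])` test truthiness, yet the settings below declare these checkboxes with string defaults `'y'` and `'n'`; if the values reach `mConfig` as those strings (how it is populated is outside this hunk), `'n'` is truthy and both conditions are effectively always true, so an explicit comparison such as `if ($this->mConfig["ssl"] === 'y')` removes the ambiguity. Independently, `users_imap_sslvalidate` defaults to `'n'`, i.e. `/novalidate-cert`, so out of the box the user's password is sent to whichever host answers on the configured port; `'y'` is the safer default. The `users_imap_email` entry is labelled "LDAP User E-Mail Address" in the IMAP settings, a copy-paste slip, and `imap_errors()` returns an array (or `false`) that is stored where the other drivers store a message string. Finally, `create_function` evaluates a code string that embeds `var_export` of the user-supplied login; the export is quoted correctly, but generating code from login input is fragile, and once a closure (PHP 5.3) is available a callback reading `$info` from scope does the same job without eval.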
diff --git a/auth/ldap_auth.php b/auth/ldap_auth.php
new file mode 100644
index 0000000..da14bac
--- /dev/null
+++ b/auth/ldap_auth.php
@@ -0,0 +1,215 @@
+<?php
+if (file_exists(UTIL_PKG_PATH."pear/Auth/Auth.php")) {
+ require_once (UTIL_PKG_PATH."pear/Auth/Auth.php");
+} else {
+ @include_once("Auth.php");
+}
+
+class LDAPAuth extends BaseAuth {
+ function LDAPAuth() {
+ parent::BaseAuth('ldap');
+ }
+
+ function validate($user,$pass,$challenge,$response) {
+ parent::validate($user,$pass,$challenge,$response);
+ // set the Auth options
+ $a = new Auth("LDAP", $this->mConfig, "", false, $user, $pass);
+ // check if the login correct
+ $a->login();
+ $ret = '';
+ switch ($a->getStatus()) {
+ case AUTH_LOGIN_OK:
+ $ret=USER_VALID;
+ $ds=ldap_connect($this->mConfig["host"], $this->mConfig["port"]); // Connects to LDAP Server
+ if ($ds) {
+ $r=ldap_bind($ds, $this->mConfig["adminuser"], $this->mConfig["adminpass"]);
+ if ($r) {
+ $attrs = array("cn", "mail");
+ $sr=ldap_search($ds, $this->mConfig["basedn"], "(".$this->mConfig["userattr"]."=".$user.")", $attrs); // Search
+ $info = ldap_get_entries($ds, $sr);
+ $this->mInfo["real_name"] = $info[0]["cn"][0];
+ if(empty($this->mConfig["email"])) {
+ if(empty($info[0]["mail"][0])) {
+ $this->mInfo["email"] = $info[0][$this->mConfig["userattr"]][0];
+ } else {
+ $this->mInfo["email"] = $info[0]["mail"][0];
+ }
+ } else {
+ $replace_func = create_function('$matches','$info = '.var_export($info,true).';
+ $m = $matches[0];
+ $m = substr($m,1,strlen($m)-2);
+ if(empty($info[0][$m][0])) return "";
+ return strtolower($info[0][$m][0]);');
+ $this->mInfo["email"] = preg_replace_callback('/%.*?%/',$replace_func,$this->mConfig["email"]);
+ }
+ }
+ ldap_close($ds);
+ }
+ break;
+ case AUTH_USER_NOT_FOUND:
+ $ret=USER_NOT_FOUND;
+ break;
+ case AUTH_WRONG_LOGIN:
+ $ret=PASSWORD_INCORRECT;
+ break;
+ default:
+ $ret=SERVER_ERROR;
+ break;
+ }
+ return $ret;
+ }
+
+ function isSupported() {
+ $ret = true;
+ if (! class_exists("Auth")) {
+ $this->mErrors['support']=tra("LDAP Authentication is not supported as PEAR Package Auth is not availible.");
+ $ret = false;
+ }
+ if (!function_exists('ldap_connect')) {
+ $this->mErrors['support']=tra("LDAP Authentication is not supported as PHP LDAP Extention not loaded.");
+ $ret = false;
+ }
+ return $ret;
+ }
+
+ // create a new user in the Auth directory
+ function createUser(&$userattr) {
+ global $gBitDb;
+ // set additional attributes here
+ if (empty($userattr["email"])) {
+ $userattr["email"] = $gBitDb->getOne("select `email` from `".BIT_DB_PREFIX."users_users` where `login`=?", array($userattr["login"]));
+ }
+ // set the Auth options
+ $a = new Auth("LDAP", $this->mConfig);
+ // check if the login correct
+ if ($a->addUser($userattr["login"], $userattr["password"], $userattr) === true) {
+ return true;
+ } else {
+ // otherwise use the error status given back
+ $this->mErrors['create'] = $a->getStatus();
+ return false;
+ }
+ }
+
+ function canManageAuth() {
+ return true;
+ }
+
+ function getSettings() {
+ global $gBitUser;
+ $listHash = array();
+ $groups = $gBitUser->getAllGroups($listHash);
+ $groups=$groups['data'];
+ $groupsD =array();
+ foreach ($groups as $g) {
+ $groupsD[$g['group_id']]= "{$g['group_name']} ( {$g['group_desc']} )";
+ }
+ $groups = $groupsD;
+ return array(
+ 'users_ldap_host' => array(
+ 'label' => "LDAP Host",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'localhost',
+ ),
+ 'users_ldap_port' => array(
+ 'label' => "LDAP Port",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '389',
+ ),
+ 'users_ldap_basedn' => array(
+ 'label' => "LDAP Base DN",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_userdn' => array(
+ 'label' => "LDAP User DN",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_userattr' => array(
+ 'label' => "LDAP User Attribute",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'uid',
+ ),
+ 'users_ldap_email' => array(
+ 'label' => "LDAP User E-Mail Address",
+ 'type' => "text",
+ 'note' => "If empty the attribute \"mail\" is used, if it not set for a user, <em>LDAP User Attribute</em> is used instead.<br />Otherwise all %<em>feilds</em>% are replaced with the first value from the ldap attribute of the same name, and the result used as the email address.<br />Please remember to include the @ sign",
+ 'default' => '',
+ ),
+ 'users_ldap_useroc' => array(
+ 'label' => "LDAP User OC",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'inetOrgPerson',
+ ),
+ 'users_ldap_groupdn' => array(
+ 'label' => "LDAP Group DN",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_groupattr' => array(
+ 'label' => "LDAP Group Atribute",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'cn',
+ ),
+ 'users_ldap_groupoc' => array(
+ 'label' => "LDAP Group OC",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'groupOfUniqueNames',
+ ),
+ 'users_ldap_memberattr' => array(
+ 'label' => "LDAP Member Attribute",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => 'uniqueMember',
+ ),
+ 'users_ldap_memberisdn' => array(
+ 'label' => "LDAP Member Is DN",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_adminuser' => array(
+ 'label' => "LDAP Admin User",
+ 'type' => "text",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_adminpass' => array(
+ 'label' => "LDAP Admin Pwd",
+ 'type' => "password",
+ 'note' => "",
+ 'default' => '',
+ ),
+ 'users_ldap_scope' => array(
+ 'label' => "LDAP Scope",
+ 'type' => "option",
+ 'note' => "",
+ 'default' => 'sub',
+ 'options' => array(
+ 'sub' => "Sub",
+ 'one' => "One",
+ 'base' => "Base",
+ ),
+ ),
+ 'users_ldap_group' => array(
+ 'label' => "LDAP Group",
+ 'type' => "option",
+ 'note' => "",
+ 'default' => '3',
+ 'options' => $groups,
+ ),
+ );
+ }
+}
+
+?> \ No newline at end of file
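Review bot: The filter passed to `ldap_search` is built as `"(".$this->mConfig["userattr"]."=".$user.")"` with `$user` unescaped, so a login containing `*`, `(`, `)` or `\` alters the filter and the lookup can return an entry other than the one that just authenticated; the value should be escaped for the filter context, `ldap_escape($user, '', LDAP_ESCAPE_FILTER)` on PHP 5.6 and later or a manual escape of those characters on older versions. The return value of `ldap_search` and the `count` from `ldap_get_entries` are not checked, so `$info[0]["cn"][0]` is read even when no entry came back. The admin bind after `ldap_connect` goes over a plain connection unless the host is already `ldaps://`, which is not visible here; calling `ldap_start_tls($ds)` before `ldap_bind` keeps `adminpass` off the wire. The same `create_function` code-generation pattern as in imap_auth.php appears here with the LDAP entry exported into the string.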