search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
A more efficient query for GET including sub-collections.
[davical.git] / inc / HTTPAuthSession.php
blobf2a4e26723ebcbc83a5e623e13a467506a3b0d63
1 <?php
2 /**
3 * A Class for handling HTTP Authentication
4 *
5 * @package davical
6 * @subpackage HTTPAuthSession
7 * @author Andrew McMillan <andrew@catalyst.net.nz>
8 * @copyright Catalyst .Net Ltd
9 * @license http://gnu.org/copyleft/gpl.html GNU GPL v2
10 */
11
12 /**
13 * A Class for handling a session using HTTP Basic Authentication
14 *
15 * @package davical
16 */
17 class HTTPAuthSession {
18 /**#@+
19 * @access private
20 */
21
22 /**
23 * User ID number
24 * @var user_no int
25 */
26 public $user_no;
27
28 /**
29 * User e-mail
30 * @var email string
31 */
32 public $email;
33
34 /**
35 * User full name
36 * @var fullname string
37 */
38 public $fullname;
39
40 /**
41 * Group rights
42 * @var groups array
43 */
44 public $groups;
45 /**#@-*/
46
47 /**
48 * The constructor, which just calls the type supplied or configured
49 */
50 function HTTPAuthSession() {
51 global $c;
52
53 if ( ! empty($_SERVER['PHP_AUTH_DIGEST'])) {
54 $this->DigestAuthSession();
55 }
56 else if ( isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER["AUTHORIZATION"]) ) {
57 $this->BasicAuthSession();
58 }
59 else if ( isset($c->http_auth_mode) && $c->http_auth_mode == "Digest" ) {
60 $this->DigestAuthSession();
61 }
62 else {
63 $this->BasicAuthSession();
64 }
65 }
66
67 /**
68 * Authorisation failed, so we send some headers to say so.
69 *
70 * @param string $auth_header The WWW-Authenticate header details.
71 */
72 function AuthFailedResponse( $auth_header = "" ) {
73 global $c;
74 if ( $auth_header == "" ) {
75 $auth_realm = $c->system_name;
76 if ( isset($c->per_principal_realm) && $c->per_principal_realm && !empty($_SERVER['PATH_INFO']) ) {
77 $principal_name = preg_replace( '{^/(.*?)/.*$}', '$1', $_SERVER['PATH_INFO']);
78 if ( $principal_name != $_SERVER['PATH_INFO'] ) {
79 $auth_realm .= ' - ' . $principal_name;
80 }
81 }
82 dbg_error_log( "HTTPAuth", ":AuthFailedResponse Requesting authentication in the '%s' realm", $auth_realm );
83 $auth_header = sprintf( 'WWW-Authenticate: Basic realm="%s"', $auth_realm );
84 }
85
86 header('HTTP/1.1 401 Unauthorized', true, 401 );
87 header('Content-type: text/plain; ; charset="utf-8"' );
88 header( $auth_header );
89 echo 'Please log in for access to this system.';
90 dbg_error_log( "HTTPAuth", ":Session: User is not authorised: %s ", $_SERVER['REMOTE_ADDR'] );
91 @ob_flush(); exit(0);
92 }
93
94
95 /**
96 * Handle Basic HTTP Authentication (not secure unless https)
97 */
98 function BasicAuthSession() {
99 global $c;
100
101 /**
102 * Get HTTP Auth to work with PHP+FastCGI
103 */
104 if ( !isset($_SERVER['AUTHORIZATION']) && isset($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['HTTP_AUTHORIZATION']))
105 $_SERVER['AUTHORIZATION'] = $_SERVER['HTTP_AUTHORIZATION'];
106 if (isset($_SERVER['AUTHORIZATION']) && !empty($_SERVER['AUTHORIZATION'])) {
107 list ($type, $cred) = split (" ", $_SERVER['AUTHORIZATION']);
108 if ($type == 'Basic') {
109 list ($user, $pass) = explode (":", base64_decode($cred));
110 $_SERVER['PHP_AUTH_USER'] = $user;
111 $_SERVER['PHP_AUTH_PW'] = $pass;
112 }
113 }
114 else if ( isset($c->authenticate_hook['server_auth_type'])
115 && isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
116 if ( ( is_array($c->authenticate_hook['server_auth_type'])
117 && in_array($_SERVER['AUTH_TYPE'], $c->authenticate_hook['server_auth_type']) )
118 ||
119 ( !is_array($c->authenticate_hook['server_auth_type'])
120 && $c->authenticate_hook['server_auth_type'] == $_SERVER['AUTH_TYPE'] )
121 ) {
122 /**
123 * The authentication has happened in the server, and we should accept it.
124 */
125 $_SERVER['PHP_AUTH_USER'] = $_SERVER['REMOTE_USER'];
126 $_SERVER['PHP_AUTH_PW'] = 'Externally Authenticated';
127 if ( ! isset($c->authenticate_hook['call']) ) {
128 /**
129 * Since we still need to get the user's details from somewhere. We change the default
130 * authentication hook to auth_external which simply retrieves a user row from the DB
131 * and does no password checking.
132 */
133 $c->authenticate_hook['call'] = 'auth_external';
134 }
135 }
136 }
137
138
139 /**
140 * Fall through to the normal PHP authentication variables.
141 */
142 if ( isset($_SERVER['PHP_AUTH_USER']) ) {
143 if ( $p = $this->CheckPassword( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
144 if ( isset($p->active) && !isset($p->user_active) ) {
145 trace_bug('Some authentication failed to return a dav_principal record and needs fixing.');
146 $p->user_active = $p->active;
147 }
148
149 /**
150 * Maybe some external authentication didn't return false for an inactive
151 * user, so we'll be pedantic here.
152 */
153 if ( $p->user_active ) {
154 $this->AssignSessionDetails($p);
155 return;
156 }
157 }
158 }
159
160 if ( isset($c->allow_unauthenticated) && $c->allow_unauthenticated ) {
161 $this->AssignSessionDetails('unauthenticated');
162 $this->logged_in = false;
163 return;
164 }
165
166 $this->AuthFailedResponse();
167 // Does not return
168 }
169
170
171 /**
172 * Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)
173 *
174 * Note that this will not actually work, unless we can either:
175 * (A) store the password plain text in the database
176 * (B) store an md5( username || realm || password ) in the database
177 *
178 * The problem is that potentially means that the administrator can collect the sorts
179 * of things people use as passwords. I believe this is quite a bad idea. In scenario (B)
180 * while they cannot see the password itself, they can see a hash which only varies when
181 * the password varies, so can see when two users have the same password, or can use
182 * some of the reverse lookup sites to attempt to reverse the hash. I think this is a
183 * less bad idea, but not ideal. Probably better than running Basic auth of HTTP though!
184 */
185 function DigestAuthSession() {
186 global $c;
187
188 $realm = $c->system_name;
189 $opaque = $realm;
190 if ( isset($_SERVER['HTTP_USER_AGENT']) ) $opaque .= $_SERVER['HTTP_USER_AGENT'];
191 if ( isset($_SERVER['REMOTE_ADDR']) ) $opaque .= $_SERVER['REMOTE_ADDR'];
192 $opaque = sha1($opaque);
193
194 if ( ! empty($_SERVER['PHP_AUTH_DIGEST'])) {
195 // analyze the PHP_AUTH_DIGEST variable
196 if ( $data = $this->ParseDigestHeader($_SERVER['PHP_AUTH_DIGEST']) ) {
197
198 if ( $data['uri'] != $_SERVER['REQUEST_URI'] ) {
199 dbg_error_log( "ERROR", " DigestAuth: WTF! URI is '%s' and request URI is '%s'!?!" );
200 $this->AuthFailedResponse();
201 // Does not return
202 }
203
204 // generate the valid response
205 $test_user = new Principal('username', $data['username']);
206
207 if ( preg_match( '{\*(Digest)?\*(.*)}', $test_user->password, $matches ) ) {
208 if ( $matches[1] == 'Digest' )
209 $A1 = $matches[2];
210 else {
211 // dbg_error_log( "HTTPAuth", "Constructing A1 from md5(%s:%s:%s)", $data['username'], $realm, $matches[2] );
212 $A1 = md5($data['username'] . ':' . $realm . ':' . $matches[2]);
213 }
214 $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
215 $auth_string = $A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2;
216 // dbg_error_log( "HTTPAuth", "DigestAuthString: %s", $auth_string);
217 $valid_response = md5($auth_string);
218 // dbg_error_log( "HTTPAuth", "DigestResponse: %s", $valid_response);
219
220 if ( $data['response'] == $valid_response ) {
221 $this->AssignSessionDetails($test_user);
222 // dbg_error_log( "HTTPAuth", "Success!!!" );
223 return;
224 }
225 }
226 else {
227 // Their account is not configured for Digest auth so we need to use Basic.
228 $this->AuthFailedResponse();
229 // Does not return
230 }
231 }
232 }
233
234 $nonce = sha1(uniqid('',true));
235 $authheader = sprintf('WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s", algorithm="MD5"',
236 $realm, $nonce, $opaque );
237 dbg_error_log( "HTTPAuth", $authheader );
238 $this->AuthFailedResponse( $authheader );
239 // Does not return
240 }
241
242
243 /**
244 * Parse the HTTP Digest Auth Header
245 * - largely sourced from the PHP documentation
246 */
247 function ParseDigestHeader($auth_header) {
248 // protect against missing data
249 $needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
250 $data = array();
251
252 preg_match_all('{(\w+)="([^"]+)"}', $auth_header, $matches, PREG_SET_ORDER);
253 foreach ($matches as $m) {
254 // dbg_error_log( "HTTPAuth", 'Match: "%s"', $m[0] );
255 $data[$m[1]] = $m[2];
256 unset($needed_parts[$m[1]]);
257 dbg_error_log( "HTTPAuth", 'Received: %s: %s', $m[1], $m[2] );
258 }
259
260 preg_match_all('{(\w+)=([^" ,]+)}', $auth_header, $matches, PREG_SET_ORDER);
261 foreach ($matches as $m) {
262 // dbg_error_log( "HTTPAuth", 'Match: "%s"', $m[0] );
263 $data[$m[1]] = $m[2];
264 unset($needed_parts[$m[1]]);
265 dbg_error_log( "HTTPAuth", 'Received: %s: %s', $m[1], $m[2] );
266 }
267
268
269 @dbg_error_log( "HTTPAuth", 'Received: nonce: %s, nc: %s, cnonce: %s, qop: %s, username: %s, uri: %s, response: %s',
270 $data['nonce'], $data['nc'], $data['cnonce'], $data['qop'], $data['username'], $data['uri'], $data['response']
271 );
272 return $needed_parts ? false : $data;
273 }
274
275
276 /**
277 * CheckPassword does all of the password checking and
278 * returns a user record object, or false if it all ends in tears.
279 */
280 function CheckPassword( $username, $password ) {
281 global $c;
282
283 if(isset($c->login_append_domain_if_missing) && $c->login_append_domain_if_missing && !preg_match('/@/',$username))
284 $username.='@'.$c->domain_name;
285
286 if ( !isset($c->authenticate_hook) || !isset($c->authenticate_hook['call'])
287 || !function_exists($c->authenticate_hook['call'])
288 || (isset($c->authenticate_hook['optional']) && $c->authenticate_hook['optional']) )
289 {
290 if ( $principal = new Principal('username', $username) ) {
291 if ( isset($c->dbg['password']) ) dbg_error_log( "password", ":CheckPassword: Name:%s, Pass:%s, File:%s, Active:%s", $username, $password, $principal->password, ($principal->user_active?'Yes':'No') );
292 if ( $principal->user_active && session_validate_password( $password, $principal->password ) ) {
293 return $principal;
294 }
295 }
296 }
297
298 if ( isset($c->authenticate_hook) && isset($c->authenticate_hook['call']) && function_exists($c->authenticate_hook['call']) ) {
299 /**
300 * The authenticate hook needs to:
301 * - Accept a username / password
302 * - Confirm the username / password are correct
303 * - Create (or update) a 'usr' record in our database
304 * - Return the 'usr' record as an object
305 * - Return === false when authentication fails
306 *
307 * It can expect that:
308 * - Configuration data will be in $c->authenticate_hook['config'], which might be an array, or whatever is needed.
309 */
310 $principal = call_user_func( $c->authenticate_hook['call'], $username, $password );
311 if ( $principal !== false && !($principal instanceof Principal) ) {
312 $principal = new Principal('username', $username);
313 }
314 return $principal;
315 }
316
317 return false;
318 }
319
320
321 /**
322 * Checks whether a user is allowed to do something.
323 *
324 * The check is performed to see if the user has that role.
325 *
326 * @param string $whatever The role we want to know if the user has.
327 * @return boolean Whether or not the user has the specified role.
328 */
329 function AllowedTo ( $whatever ) {
330 return ( isset($this->logged_in) && $this->logged_in && isset($this->roles[$whatever]) && $this->roles[$whatever] );
331 }
332
333
334 /**
335 * Internal function used to get the user's roles from the database.
336 */
337 function GetRoles () {
338 $this->roles = array();
339 $qry = new AwlQuery( 'SELECT role_name FROM role_member m join roles r ON r.role_no = m.role_no WHERE user_no = :user_no ',
340 array( ':user_no' => $this->user_no) );
341 if ( $qry->Exec('BasicAuth') && $qry->rows() > 0 ) {
342 while( $role = $qry->Fetch() ) {
343 $this->roles[$role->role_name] = true;
344 }
345 }
346 }
347
348
349 /**
350 * Internal function used to assign the session details to a user's new session.
351 * @param object $u The user+session object we (probably) read from the database.
352 */
353 function AssignSessionDetails( $principal ) {
354 if ( is_string($principal) ) $principal = new Principal('username',$principal);
355 if ( get_class($principal) != 'Principal' ) {
356 $principal = new Principal('username',$principal->username);
357 }
358
359 // Assign each field in the selected record to the object
360 foreach( $principal AS $k => $v ) {
361 $this->{$k} = $v;
362 }
363 if ( !get_class($principal) == 'Principal' ) {
364 throw new Exception('HTTPAuthSession::AssignSessionDetails could not find a Principal object');
365 }
366 $this->username = $principal->username();
367 $this->user_no = $principal->user_no();
368 $this->principal_id = $principal->principal_id();
369 $this->email = $principal->email();
370 $this->dav_name = $principal->dav_name();
371 $this->principal = $principal;
372
373 $this->GetRoles();
374 $this->logged_in = true;
375 if ( function_exists("awl_set_locale") && isset($this->locale) && $this->locale != "" ) {
376 awl_set_locale($this->locale);
377 }
378 }
379
380
381 }
382
DAViCal CalDAV & CardDAV Server