lib/authlib.php

   1 <?php
   2
   3 // This file is part of Moodle - http://moodle.org/
   4 //
   5 // Moodle is free software: you can redistribute it and/or modify
   6 // it under the terms of the GNU General Public License as published by
   7 // the Free Software Foundation, either version 3 of the License, or
   8 // (at your option) any later version.
   9 //
  10 // Moodle is distributed in the hope that it will be useful,
  11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13 // GNU General Public License for more details.
  14 //
  15 // You should have received a copy of the GNU General Public License
  16 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  17
  18 /**
  19  * Multiple plugin authentication Support library
  20  *
  21  * 2006-08-28  File created, AUTH return values defined.
  22  *
  23  * @package    core
  24  * @subpackage auth
  25  * @copyright  1999 onwards Martin Dougiamas  http://dougiamas.com
  26  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  27  */
  28
  29 defined('MOODLE_INTERNAL') || die();
  30
  31 /**
  32  * Returned when the login was successful.
  33  */
  34 define('AUTH_OK',     0);
  35
  36 /**
  37  * Returned when the login was unsuccessful.
  38  */
  39 define('AUTH_FAIL',   1);
  40
  41 /**
  42  * Returned when the login was denied (a reason for AUTH_FAIL).
  43  */
  44 define('AUTH_DENIED', 2);
  45
  46 /**
  47  * Returned when some error occurred (a reason for AUTH_FAIL).
  48  */
  49 define('AUTH_ERROR',  4);
  50
  51 /**
  52  * Authentication - error codes for user confirm
  53  */
  54 define('AUTH_CONFIRM_FAIL', 0);
  55 define('AUTH_CONFIRM_OK', 1);
  56 define('AUTH_CONFIRM_ALREADY', 2);
  57 define('AUTH_CONFIRM_ERROR', 3);
  58
  59 # MDL-14055
  60 define('AUTH_REMOVEUSER_KEEP', 0);
  61 define('AUTH_REMOVEUSER_SUSPEND', 1);
  62 define('AUTH_REMOVEUSER_FULLDELETE', 2);
  63
  64 /** Login attempt successful. */
  65 define('AUTH_LOGIN_OK', 0);
  66
  67 /** Can not login because user does not exist. */
  68 define('AUTH_LOGIN_NOUSER', 1);
  69
  70 /** Can not login because user is suspended. */
  71 define('AUTH_LOGIN_SUSPENDED', 2);
  72
  73 /** Can not login, most probably password did not match. */
  74 define('AUTH_LOGIN_FAILED', 3);
  75
  76 /** Can not login because user is locked out. */
  77 define('AUTH_LOGIN_LOCKOUT', 4);
  78
  79
  80 /**
  81  * Abstract authentication plugin.
  82  *
  83  * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  84  * @package moodlecore
  85  */
  86 class auth_plugin_base {
  87
  88     /**
  89      * The configuration details for the plugin.
  90      * @var object
  91      */
  92     var $config;
  93
  94     /**
  95      * Authentication plugin type - the same as db field.
  96      * @var string
  97      */
  98     var $authtype;
  99     /*
 100      * The fields we can lock and update from/to external authentication backends
 101      * @var array
 102      */
 103     var $userfields = array(
 104         'firstname',
 105         'lastname',
 106         'email',
 107         'city',
 108         'country',
 109         'lang',
 110         'description',
 111         'url',
 112         'idnumber',
 113         'institution',
 114         'department',
 115         'phone1',
 116         'phone2',
 117         'address'
 118     );
 119
 120     /**
 121      * Moodle custom fields to sync with.
 122      * @var array()
 123      */
 124     var $customfields = null;
 125
 126     /**
 127      * This is the primary method that is used by the authenticate_user_login()
 128      * function in moodlelib.php.
 129      *
 130      * This method should return a boolean indicating
 131      * whether or not the username and password authenticate successfully.
 132      *
 133      * Returns true if the username and password work and false if they are
 134      * wrong or don't exist.
 135      *
 136      * @param string $username The username (with system magic quotes)
 137      * @param string $password The password (with system magic quotes)
 138      *
 139      * @return bool Authentication success or failure.
 140      */
 141     function user_login($username, $password) {
 142         print_error('mustbeoveride', 'debug', '', 'user_login()' );
 143     }
 144
 145     /**
 146      * Returns true if this authentication plugin can change the users'
 147      * password.
 148      *
 149      * @return bool
 150      */
 151     function can_change_password() {
 152         //override if needed
 153         return false;
 154     }
 155
 156     /**
 157      * Returns the URL for changing the users' passwords, or empty if the default
 158      * URL can be used.
 159      *
 160      * This method is used if can_change_password() returns true.
 161      * This method is called only when user is logged in, it may use global $USER.
 162      *
 163      * @return moodle_url url of the profile page or null if standard used
 164      */
 165     function change_password_url() {
 166         //override if needed
 167         return null;
 168     }
 169
 170     /**
 171      * Returns true if this authentication plugin can edit the users'
 172      * profile.
 173      *
 174      * @return bool
 175      */
 176     function can_edit_profile() {
 177         //override if needed
 178         return true;
 179     }
 180
 181     /**
 182      * Returns the URL for editing the users' profile, or empty if the default
 183      * URL can be used.
 184      *
 185      * This method is used if can_edit_profile() returns true.
 186      * This method is called only when user is logged in, it may use global $USER.
 187      *
 188      * @return moodle_url url of the profile page or null if standard used
 189      */
 190     function edit_profile_url() {
 191         //override if needed
 192         return null;
 193     }
 194
 195     /**
 196      * Returns true if this authentication plugin is "internal".
 197      *
 198      * Internal plugins use password hashes from Moodle user table for authentication.
 199      *
 200      * @return bool
 201      */
 202     function is_internal() {
 203         //override if needed
 204         return true;
 205     }
 206
 207     /**
 208      * Indicates if password hashes should be stored in local moodle database.
 209      * @return bool true means md5 password hash stored in user table, false means flag 'not_cached' stored there instead
 210      */
 211     function prevent_local_passwords() {
 212         return !$this->is_internal();
 213     }
 214
 215     /**
 216      * Indicates if moodle should automatically update internal user
 217      * records with data from external sources using the information
 218      * from get_userinfo() method.
 219      *
 220      * @return bool true means automatically copy data from ext to user table
 221      */
 222     function is_synchronised_with_external() {
 223         return !$this->is_internal();
 224     }
 225
 226     /**
 227      * Updates the user's password.
 228      *
 229      * In previous versions of Moodle, the function
 230      * auth_user_update_password accepted a username as the first parameter. The
 231      * revised function expects a user object.
 232      *
 233      * @param  object  $user        User table object
 234      * @param  string  $newpassword Plaintext password
 235      *
 236      * @return bool                  True on success
 237      */
 238     function user_update_password($user, $newpassword) {
 239         //override if needed
 240         return true;
 241     }
 242
 243     /**
 244      * Called when the user record is updated.
 245      * Modifies user in external database. It takes olduser (before changes) and newuser (after changes)
 246      * compares information saved modified information to external db.
 247      *
 248      * @param mixed $olduser     Userobject before modifications    (without system magic quotes)
 249      * @param mixed $newuser     Userobject new modified userobject (without system magic quotes)
 250      * @return boolean true if updated or update ignored; false if error
 251      *
 252      */
 253     function user_update($olduser, $newuser) {
 254         //override if needed
 255         return true;
 256     }
 257
 258     /**
 259      * User delete requested - internal user record is mared as deleted already, username not present anymore.
 260      *
 261      * Do any action in external database.
 262      *
 263      * @param object $user       Userobject before delete    (without system magic quotes)
 264      * @return void
 265      */
 266     function user_delete($olduser) {
 267         //override if needed
 268         return;
 269     }
 270
 271     /**
 272      * Returns true if plugin allows resetting of internal password.
 273      *
 274      * @return bool
 275      */
 276     function can_reset_password() {
 277         //override if needed
 278         return false;
 279     }
 280
 281     /**
 282      * Returns true if plugin allows resetting of internal password.
 283      *
 284      * @return bool
 285      */
 286     function can_signup() {
 287         //override if needed
 288         return false;
 289     }
 290
 291     /**
 292      * Sign up a new user ready for confirmation.
 293      * Password is passed in plaintext.
 294      *
 295      * @param object $user new user object
 296      * @param boolean $notify print notice with link and terminate
 297      */
 298     function user_signup($user, $notify=true) {
 299         //override when can signup
 300         print_error('mustbeoveride', 'debug', '', 'user_signup()' );
 301     }
 302
 303     /**
 304      * Return a form to capture user details for account creation.
 305      * This is used in /login/signup.php.
 306      * @return moodle_form A form which edits a record from the user table.
 307      */
 308     function signup_form() {
 309         global $CFG;
 310
 311         require_once($CFG->dirroot.'/login/signup_form.php');
 312         return new login_signup_form(null, null, 'post', '', array('autocomplete'=>'on'));
 313     }
 314
 315     /**
 316      * Returns true if plugin allows confirming of new users.
 317      *
 318      * @return bool
 319      */
 320     function can_confirm() {
 321         //override if needed
 322         return false;
 323     }
 324
 325     /**
 326      * Confirm the new user as registered.
 327      *
 328      * @param string $username
 329      * @param string $confirmsecret
 330      */
 331     function user_confirm($username, $confirmsecret) {
 332         //override when can confirm
 333         print_error('mustbeoveride', 'debug', '', 'user_confirm()' );
 334     }
 335
 336     /**
 337      * Checks if user exists in external db
 338      *
 339      * @param string $username (with system magic quotes)
 340      * @return bool
 341      */
 342     function user_exists($username) {
 343         //override if needed
 344         return false;
 345     }
 346
 347     /**
 348      * return number of days to user password expires
 349      *
 350      * If userpassword does not expire it should return 0. If password is already expired
 351      * it should return negative value.
 352      *
 353      * @param mixed $username username (with system magic quotes)
 354      * @return integer
 355      */
 356     function password_expire($username) {
 357         return 0;
 358     }
 359     /**
 360      * Sync roles for this user - usually creator
 361      *
 362      * @param $user object user object (without system magic quotes)
 363      */
 364     function sync_roles($user) {
 365         //override if needed
 366     }
 367
 368     /**
 369      * Read user information from external database and returns it as array().
 370      * Function should return all information available. If you are saving
 371      * this information to moodle user-table you should honour synchronisation flags
 372      *
 373      * @param string $username username
 374      *
 375      * @return mixed array with no magic quotes or false on error
 376      */
 377     function get_userinfo($username) {
 378         //override if needed
 379         return array();
 380     }
 381
 382     /**
 383      * Prints a form for configuring this authentication plugin.
 384      *
 385      * This function is called from admin/auth.php, and outputs a full page with
 386      * a form for configuring this plugin.
 387      *
 388      * @param object $config
 389      * @param object $err
 390      * @param array $user_fields
 391      */
 392     function config_form($config, $err, $user_fields) {
 393         //override if needed
 394     }
 395
 396     /**
 397      * A chance to validate form data, and last chance to
 398      * do stuff before it is inserted in config_plugin
 399      * @param object object with submitted configuration settings (without system magic quotes)
 400      * @param array $err array of error messages
 401      */
 402      function validate_form($form, &$err) {
 403         //override if needed
 404     }
 405
 406     /**
 407      * Processes and stores configuration data for this authentication plugin.
 408      *
 409      * @param object object with submitted configuration settings (without system magic quotes)
 410      */
 411     function process_config($config) {
 412         //override if needed
 413         return true;
 414     }
 415
 416     /**
 417      * Hook for overriding behaviour of login page.
 418      * This method is called from login/index.php page for all enabled auth plugins.
 419      *
 420      * @global object
 421      * @global object
 422      */
 423     function loginpage_hook() {
 424         global $frm;  // can be used to override submitted login form
 425         global $user; // can be used to replace authenticate_user_login()
 426
 427         //override if needed
 428     }
 429
 430     /**
 431      * Post authentication hook.
 432      * This method is called from authenticate_user_login() for all enabled auth plugins.
 433      *
 434      * @param object $user user object, later used for $USER
 435      * @param string $username (with system magic quotes)
 436      * @param string $password plain text password (with system magic quotes)
 437      */
 438     function user_authenticated_hook(&$user, $username, $password) {
 439         //override if needed
 440     }
 441
 442     /**
 443      * Pre logout hook.
 444      * This method is called from require_logout() for all enabled auth plugins,
 445      *
 446      * @global object
 447      */
 448     function prelogout_hook() {
 449         global $USER; // use $USER->auth to find the plugin used for login
 450
 451         //override if needed
 452     }
 453
 454     /**
 455      * Hook for overriding behaviour of logout page.
 456      * This method is called from login/logout.php page for all enabled auth plugins.
 457      *
 458      * @global object
 459      * @global string
 460      */
 461     function logoutpage_hook() {
 462         global $USER;     // use $USER->auth to find the plugin used for login
 463         global $redirect; // can be used to override redirect after logout
 464
 465         //override if needed
 466     }
 467
 468     /**
 469      * Hook called before timing out of database session.
 470      * This is useful for SSO and MNET.
 471      *
 472      * @param object $user
 473      * @param string $sid session id
 474      * @param int $timecreated start of session
 475      * @param int $timemodified user last seen
 476      * @return bool true means do not timeout session yet
 477      */
 478     function ignore_timeout_hook($user, $sid, $timecreated, $timemodified) {
 479         return false;
 480     }
 481
 482     /**
 483      * Return the properly translated human-friendly title of this auth plugin
 484      *
 485      * @todo Document this function
 486      */
 487     function get_title() {
 488         return get_string('pluginname', "auth_{$this->authtype}");
 489     }
 490
 491     /**
 492      * Get the auth description (from core or own auth lang files)
 493      *
 494      * @return string The description
 495      */
 496     function get_description() {
 497         $authdescription = get_string("auth_{$this->authtype}description", "auth_{$this->authtype}");
 498         return $authdescription;
 499     }
 500
 501     /**
 502      * Returns whether or not the captcha element is enabled, and the admin settings fulfil its requirements.
 503      *
 504      * @abstract Implement in child classes
 505      * @return bool
 506      */
 507     function is_captcha_enabled() {
 508         return false;
 509     }
 510
 511     /**
 512      * Returns whether or not this authentication plugin can be manually set
 513      * for users, for example, when bulk uploading users.
 514      *
 515      * This should be overriden by authentication plugins where setting the
 516      * authentication method manually is allowed.
 517      *
 518      * @return bool
 519      * @since 2.6
 520      */
 521     function can_be_manually_set() {
 522         // Override if needed.
 523         return false;
 524     }
 525
 526     /**
 527      * Returns a list of potential IdPs that this authentication plugin supports.
 528      * This is used to provide links on the login page.
 529      *
 530      * @param string $wantsurl the relative url fragment the user wants to get to.  You can use this to compose a returnurl, for example
 531      *
 532      * @return array like:
 533      *              array(
 534      *                  array(
 535      *                      'url' => 'http://someurl',
 536      *                      'icon' => new pix_icon(...),
 537      *                      'name' => get_string('somename', 'auth_yourplugin'),
 538      *                 ),
 539      *             )
 540      */
 541     function loginpage_idp_list($wantsurl) {
 542         return array();
 543     }
 544
 545     /**
 546      * Return custom user profile fields.
 547      *
 548      * @return array list of custom fields.
 549      */
 550     public function get_custom_user_profile_fields() {
 551         global $DB;
 552         // If already retrieved then return.
 553         if (!is_null($this->customfields)) {
 554             return $this->customfields;
 555         }
 556
 557         $this->customfields = array();
 558         if ($proffields = $DB->get_records('user_info_field')) {
 559             foreach ($proffields as $proffield) {
 560                 $this->customfields[] = 'profile_field_'.$proffield->shortname;
 561             }
 562         }
 563         unset($proffields);
 564
 565         return $this->customfields;
 566     }
 567 }
 568
 569 /**
 570  * Verify if user is locked out.
 571  *
 572  * @param stdClass $user
 573  * @return bool true if user locked out
 574  */
 575 function login_is_lockedout($user) {
 576     global $CFG;
 577
 578     if ($user->mnethostid != $CFG->mnet_localhost_id) {
 579         return false;
 580     }
 581     if (isguestuser($user)) {
 582         return false;
 583     }
 584
 585     if (empty($CFG->lockoutthreshold)) {
 586         // Lockout not enabled.
 587         return false;
 588     }
 589
 590     if (get_user_preferences('login_lockout_ignored', 0, $user)) {
 591         // This preference may be used for accounts that must not be locked out.
 592         return false;
 593     }
 594
 595     $locked = get_user_preferences('login_lockout', 0, $user);
 596     if (!$locked) {
 597         return false;
 598     }
 599
 600     if (empty($CFG->lockoutduration)) {
 601         // Locked out forever.
 602         return true;
 603     }
 604
 605     if (time() - $locked < $CFG->lockoutduration) {
 606         return true;
 607     }
 608
 609     login_unlock_account($user);
 610
 611     return false;
 612 }
 613
 614 /**
 615  * To be called after valid user login.
 616  * @param stdClass $user
 617  */
 618 function login_attempt_valid($user) {
 619     global $CFG;
 620
 621     // Note: user_loggedin event is triggered in complete_user_login().
 622
 623     if ($user->mnethostid != $CFG->mnet_localhost_id) {
 624         return;
 625     }
 626     if (isguestuser($user)) {
 627         return;
 628     }
 629
 630     // Always unlock here, there might be some race conditions or leftovers when switching threshold.
 631     login_unlock_account($user);
 632 }
 633
 634 /**
 635  * To be called after failed user login.
 636  * @param stdClass $user
 637  */
 638 function login_attempt_failed($user) {
 639     global $CFG;
 640
 641     if ($user->mnethostid != $CFG->mnet_localhost_id) {
 642         return;
 643     }
 644     if (isguestuser($user)) {
 645         return;
 646     }
 647
 648     if (empty($CFG->lockoutthreshold)) {
 649         // No threshold means no lockout.
 650         // Always unlock here, there might be some race conditions or leftovers when switching threshold.
 651         login_unlock_account($user);
 652         return;
 653     }
 654
 655     $count = get_user_preferences('login_failed_count', 0, $user);
 656     $last = get_user_preferences('login_failed_last', 0, $user);
 657
 658     if (!empty($CFG->lockoutwindow) and time() - $last > $CFG->lockoutwindow) {
 659         $count = 0;
 660     }
 661
 662     $count = $count+1;
 663
 664     set_user_preference('login_failed_count', $count, $user);
 665     set_user_preference('login_failed_last', time(), $user);
 666
 667     if ($count >= $CFG->lockoutthreshold) {
 668         login_lock_account($user);
 669     }
 670 }
 671
 672 /**
 673  * Lockout user and send notification email.
 674  *
 675  * @param stdClass $user
 676  */
 677 function login_lock_account($user) {
 678     global $CFG, $SESSION;
 679
 680     if ($user->mnethostid != $CFG->mnet_localhost_id) {
 681         return;
 682     }
 683     if (isguestuser($user)) {
 684         return;
 685     }
 686
 687     if (get_user_preferences('login_lockout_ignored', 0, $user)) {
 688         // This user can not be locked out.
 689         return;
 690     }
 691
 692     $alreadylockedout = get_user_preferences('login_lockout', 0, $user);
 693
 694     set_user_preference('login_lockout', time(), $user);
 695
 696     if ($alreadylockedout == 0) {
 697         $secret = random_string(15);
 698         set_user_preference('login_lockout_secret', $secret, $user);
 699
 700         // Some nasty hackery to get strings and dates localised for target user.
 701         $sessionlang = isset($SESSION->lang) ? $SESSION->lang : null;
 702         if (get_string_manager()->translation_exists($user->lang, false)) {
 703             $SESSION->lang = $user->lang;
 704             moodle_setlocale();
 705         }
 706
 707         $site = get_site();
 708         $supportuser = core_user::get_support_user();
 709
 710         $data = new stdClass();
 711         $data->firstname = $user->firstname;
 712         $data->lastname  = $user->lastname;
 713         $data->username  = $user->username;
 714         $data->sitename  = format_string($site->fullname);
 715         $data->link      = $CFG->wwwroot.'/login/unlock_account.php?u='.$user->id.'&s='.$secret;
 716         $data->admin     = generate_email_signoff();
 717
 718         $message = get_string('lockoutemailbody', 'admin', $data);
 719         $subject = get_string('lockoutemailsubject', 'admin', format_string($site->fullname));
 720
 721         if ($message) {
 722             // Directly email rather than using the messaging system to ensure its not routed to a popup or jabber.
 723             email_to_user($user, $supportuser, $subject, $message);
 724         }
 725
 726         if ($SESSION->lang !== $sessionlang) {
 727             $SESSION->lang = $sessionlang;
 728             moodle_setlocale();
 729         }
 730     }
 731 }
 732
 733 /**
 734  * Unlock user account and reset timers.
 735  *
 736  * @param stdClass $user
 737  */
 738 function login_unlock_account($user) {
 739     unset_user_preference('login_lockout', $user);
 740     unset_user_preference('login_failed_count', $user);
 741     unset_user_preference('login_failed_last', $user);
 742
 743     // Note: do not clear the lockout secret because user might click on the link repeatedly.
 744 }