mirror of
https://github.com/EGroupware/egroupware.git
synced 2024-12-22 06:30:59 +01:00
move auth classes to Api\Auth, only Sql is currently tested!
This commit is contained in:
parent
6f0728cd9d
commit
b95727bb6f
@ -158,8 +158,7 @@ class Ldap
|
||||
// enable the caching in the session, done by the accounts class extending this class.
|
||||
$this->use_session_cache = true;
|
||||
|
||||
$this->ldap = new Api\Ldap(true);
|
||||
$this->ds = $this->ldap->ldapConnect($this->frontend->config['ldap_host'],
|
||||
$this->ds = Api\Ldap::factory(true, $this->frontend->config['ldap_host'],
|
||||
$this->frontend->config['ldap_root_dn'],$this->frontend->config['ldap_root_pw']);
|
||||
|
||||
$this->user_context = $this->frontend->config['ldap_context'];
|
||||
@ -1207,7 +1206,7 @@ class Ldap
|
||||
*/
|
||||
function __wakeup()
|
||||
{
|
||||
$this->ds = $this->ldap->ldapConnect($this->frontend->config['ldap_host'],
|
||||
$this->ds = Api\Ldap::factory(true, $this->frontend->config['ldap_host'],
|
||||
$this->frontend->config['ldap_root_dn'],$this->frontend->config['ldap_root_pw']);
|
||||
}
|
||||
}
|
||||
|
781
api/src/Auth.php
Normal file
781
api/src/Auth.php
Normal file
@ -0,0 +1,781 @@
|
||||
<?php
|
||||
/**
|
||||
* EGroupware API - Authentication
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
* @author Miles Lott <milos@groupwhere.org>
|
||||
* @copyright 2004 by Miles Lott <milos@groupwhere.org>
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage auth
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api;
|
||||
|
||||
// explicit import classes still in phpgwapi
|
||||
use egw; // invalidate_session_cache
|
||||
|
||||
// allow to set an application depending authentication type (eg. for syncml, groupdav, ...)
|
||||
if (isset($GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']]) &&
|
||||
$GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']])
|
||||
{
|
||||
$GLOBALS['egw_info']['server']['auth_type'] = $GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']];
|
||||
}
|
||||
if(empty($GLOBALS['egw_info']['server']['auth_type']))
|
||||
{
|
||||
$GLOBALS['egw_info']['server']['auth_type'] = 'sql';
|
||||
}
|
||||
//error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']);
|
||||
|
||||
/**
|
||||
* Authentication, password hashing and crypt functions
|
||||
*
|
||||
* Many functions based on code from Frank Thomas <frank@thomas-alfeld.de>
|
||||
* which can be seen at http://www.thomas-alfeld.de/frank/
|
||||
*
|
||||
* Other functions from class.common.inc.php originally from phpGroupWare
|
||||
*/
|
||||
class Auth
|
||||
{
|
||||
static $error;
|
||||
|
||||
/**
|
||||
* Holds instance of backend
|
||||
*
|
||||
* @var auth_backend
|
||||
*/
|
||||
private $backend;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
* @throws Exception\AssertionFailed if backend is not an Auth\Backend
|
||||
*/
|
||||
function __construct()
|
||||
{
|
||||
$this->backend = self::backend();
|
||||
}
|
||||
|
||||
/**
|
||||
* Instanciate a backend
|
||||
*
|
||||
* @param Backend $type =null
|
||||
*/
|
||||
static function backend($type=null)
|
||||
{
|
||||
if (is_null($type)) $type = $GLOBALS['egw_info']['server']['auth_type'];
|
||||
|
||||
$backend_class = __CLASS__.'\\'.ucfirst($type);
|
||||
|
||||
// try old location / name, if not found
|
||||
if (!class_exists($backend_class))
|
||||
{
|
||||
$backend_class = 'auth_'.$type;
|
||||
}
|
||||
$backend = new $backend_class;
|
||||
|
||||
if (!($backend instanceof Auth\Backend))
|
||||
{
|
||||
throw new Exception\AssertionFailed("Auth backend class $backend_class is NO EGroupware\\Api\Auth\\Backend!");
|
||||
}
|
||||
return $backend;
|
||||
}
|
||||
|
||||
/**
|
||||
* check if users are supposed to change their password every x sdays, then check if password is of old age
|
||||
* or the devil-admin reset the users password and forced the user to change his password on next login.
|
||||
*
|
||||
* @param string& $message =null on return false: message why password needs to be changed
|
||||
* @return boolean true: all good, false: password change required, null: password expires in N days
|
||||
*/
|
||||
static function check_password_change(&$message=null)
|
||||
{
|
||||
// dont check anything for anonymous sessions/ users that are flagged as anonymous
|
||||
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
|
||||
|
||||
// some statics (and initialisation to make information and timecalculation a) more readable in conditions b) persistent per request
|
||||
// if user has to be warned about an upcomming passwordchange, remember for the session, that he was informed
|
||||
static $UserKnowsAboutPwdChange=null;
|
||||
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& Cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
|
||||
|
||||
// retrieve the timestamp regarding the last change of the password from auth system and store it with the session
|
||||
static $alpwchange_val=null;
|
||||
static $pwdTsChecked=null;
|
||||
if (is_null($pwdTsChecked) && is_null($alpwchange_val) || (string)$alpwchange_val === '0')
|
||||
{
|
||||
$alpwchange_val =& Cache::getSession('phpgwapi','auth_alpwchange_val'); // set that one with the session stored value
|
||||
// initalize statics - better readability of conditions
|
||||
if (is_null($alpwchange_val) || (string)$alpwchange_val === '0')
|
||||
{
|
||||
$backend = self::backend();
|
||||
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
|
||||
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
|
||||
if (method_exists($backend,'getLastPwdChange'))
|
||||
{
|
||||
$alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw']->session->account_lid);
|
||||
$pwdTsChecked = true;
|
||||
}
|
||||
// if your authsystem does not provide that information, its likely, that you cannot change your password there,
|
||||
// thus checking for expiration, is not needed
|
||||
if ($alpwchange_val === false)
|
||||
{
|
||||
$alpwchange_val = null;
|
||||
}
|
||||
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
|
||||
}
|
||||
}
|
||||
static $passwordAgeBorder=null;
|
||||
static $daysLeftUntilChangeReq=null;
|
||||
|
||||
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
|
||||
if (is_null($alpwchange_val) &&
|
||||
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days']))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
|
||||
{
|
||||
$passwordAgeBorder = (DateTime::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
|
||||
}
|
||||
if (is_null($daysLeftUntilChangeReq) && $GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'])
|
||||
{
|
||||
// maxage - passwordage = days left until change is required
|
||||
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((DateTime::to('now','ts')-($alpwchange_val?$alpwchange_val:0))/86400));
|
||||
}
|
||||
if ($alpwchange_val == 0 || // admin requested password change
|
||||
$passwordAgeBorder > $alpwchange_val || // change password every N days policy requests change
|
||||
// user should be warned N days in advance about change and is not yet
|
||||
$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] &&
|
||||
$GLOBALS['egw_info']['user']['apps']['preferences'] &&
|
||||
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
|
||||
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
|
||||
$UserKnowsAboutPwdChange !== true)
|
||||
{
|
||||
if ($alpwchange_val == 0)
|
||||
{
|
||||
$message = lang('An admin required that you must change your password upon login.');
|
||||
}
|
||||
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
|
||||
{
|
||||
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
|
||||
'ts'=> $alpwchange_val,
|
||||
'date'=>DateTime::to($alpwchange_val))));
|
||||
$message = lang('It has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
|
||||
}
|
||||
else
|
||||
{
|
||||
// login page does not inform user about passwords about to expire
|
||||
if ($GLOBALS['egw_info']['flags']['currentapp'] != 'login' &&
|
||||
($GLOBALS['egw_info']['flags']['currentapp'] != 'home' ||
|
||||
strpos($_SERVER['SCRIPT_NAME'], '/home/') !== false))
|
||||
{
|
||||
$UserKnowsAboutPwdChange = true;
|
||||
}
|
||||
$message = lang('Your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
|
||||
// user has no rights to change password --> do NOT warn, as only forced check ignores rights
|
||||
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences')) return true;
|
||||
return null;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* fetch the last pwd change for the user
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @return mixed false or shadowlastchange*24*3600
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (method_exists($this->backend,'getLastPwdChange'))
|
||||
{
|
||||
return $this->backend->getLastPwdChange($username);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* changes account_lastpwd_change in ldap datababse
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
{
|
||||
if (method_exists($this->backend,'setLastPwdChange'))
|
||||
{
|
||||
return $this->backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* password authentication against password stored in sql datababse
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
return $this->backend->authenticate($username, $passwd, $passwd_type);
|
||||
}
|
||||
|
||||
/**
|
||||
* Calls crackcheck to enforce password strength (if configured) and changes password
|
||||
*
|
||||
* @param string $old_passwd must be cleartext
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @throws Exception\WrongUserinput if configured password strength is not meat
|
||||
* @throws Exception from backends having extra requirements
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if (($err = self::crackcheck($new_passwd,null,null,null,$account_id)))
|
||||
{
|
||||
throw new Exception\WrongUserinput($err);
|
||||
}
|
||||
if (($ret = $this->backend->change_password($old_passwd, $new_passwd, $account_id)))
|
||||
{
|
||||
if ($account_id == $GLOBALS['egw']->session->account_id)
|
||||
{
|
||||
// need to change current users password in session
|
||||
Cache::setSession('phpgwapi', 'password', base64_encode($new_passwd));
|
||||
$GLOBALS['egw_info']['user']['passwd'] = $new_passwd;
|
||||
$GLOBALS['egw_info']['user']['account_lastpwd_change'] = DateTime::to('now','ts');
|
||||
// invalidate EGroupware session, as password is stored in egw_info in session
|
||||
egw::invalidate_session_cache();
|
||||
}
|
||||
Accounts::cache_invalidate($account_id);
|
||||
// run changepwasswd hook
|
||||
$GLOBALS['hook_values'] = array(
|
||||
'account_id' => $account_id,
|
||||
'account_lid' => accounts::id2name($account_id),
|
||||
'old_passwd' => $old_passwd,
|
||||
'new_passwd' => $new_passwd,
|
||||
);
|
||||
$GLOBALS['egw']->hooks->process($GLOBALS['hook_values']+array(
|
||||
'location' => 'changepassword'
|
||||
),False,True); // called for every app now, not only enabled ones)
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* return a random string of letters [0-9a-zA-Z] of size $size
|
||||
*
|
||||
* @param $size int-size of random string to return
|
||||
*/
|
||||
static function randomstring($size)
|
||||
{
|
||||
static $random_char = array(
|
||||
'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
|
||||
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
|
||||
'w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L',
|
||||
'M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'
|
||||
);
|
||||
|
||||
$s = '';
|
||||
for ($i=0; $i<$size; $i++)
|
||||
{
|
||||
$s .= $random_char[mt_rand(1,61)];
|
||||
}
|
||||
return $s;
|
||||
}
|
||||
|
||||
/**
|
||||
* encrypt password
|
||||
*
|
||||
* uses the encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param $password password to encrypt
|
||||
*/
|
||||
static function encrypt_password($password,$sql=False)
|
||||
{
|
||||
if($sql)
|
||||
{
|
||||
return self::encrypt_sql($password);
|
||||
}
|
||||
return self::encrypt_ldap($password);
|
||||
}
|
||||
|
||||
/**
|
||||
* compares an encrypted password
|
||||
*
|
||||
* encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param string $cleartext cleartext password
|
||||
* @param string $encrypted encrypted password, can have a {hash} prefix, which overrides $type
|
||||
* @param string $type_in type of encryption
|
||||
* @param string $username used as optional key of encryption for md5_hmac
|
||||
* @param string &$type =null on return detected type of hash
|
||||
* @return boolean
|
||||
*/
|
||||
static function compare_password($cleartext, $encrypted, $type_in, $username='', &$type=null)
|
||||
{
|
||||
// allow to specify the hash type to prefix the hash, to easy migrate passwords from ldap
|
||||
$type = $type_in;
|
||||
$saved_enc = $encrypted;
|
||||
$matches = null;
|
||||
if (preg_match('/^\\{([a-z_5]+)\\}(.+)$/i',$encrypted,$matches))
|
||||
{
|
||||
$type = strtolower($matches[1]);
|
||||
$encrypted = $matches[2];
|
||||
|
||||
switch($type) // some hashs are specially "packed" in ldap
|
||||
{
|
||||
case 'md5':
|
||||
$encrypted = implode('',unpack('H*',base64_decode($encrypted)));
|
||||
break;
|
||||
case 'plain':
|
||||
case 'crypt':
|
||||
// nothing to do
|
||||
break;
|
||||
default:
|
||||
$encrypted = $saved_enc;
|
||||
break;
|
||||
}
|
||||
}
|
||||
elseif($encrypted[0] == '$')
|
||||
{
|
||||
$type = 'crypt';
|
||||
}
|
||||
|
||||
switch($type)
|
||||
{
|
||||
case 'plain':
|
||||
$ret = $cleartext === $encrypted;
|
||||
break;
|
||||
case 'smd5':
|
||||
$ret = self::smd5_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'sha':
|
||||
$ret = self::sha_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'ssha':
|
||||
$ret = self::ssha_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'crypt':
|
||||
case 'des':
|
||||
case 'md5_crypt':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
case 'blowfish_crypt':
|
||||
case 'ext_crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
$ret = self::crypt_compare($cleartext, $encrypted, $type);
|
||||
break;
|
||||
case 'md5_hmac':
|
||||
$ret = self::md5_hmac_compare($cleartext,$encrypted,$username);
|
||||
break;
|
||||
default:
|
||||
$type = 'md5';
|
||||
// fall through
|
||||
case 'md5':
|
||||
$ret = md5($cleartext) === $encrypted;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$cleartext', '$encrypted', '$type_in', '$username') type='$type' returning ".array2string($ret));
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters used for crypt: const name, salt prefix, len of random salt, postfix
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
static $crypt_params = array( //
|
||||
'crypt' => array('CRYPT_STD_DES', '', 2, ''),
|
||||
'ext_crypt' => array('CRYPT_EXT_DES', '_J9..', 4, ''),
|
||||
'md5_crypt' => array('CRYPT_MD5', '$1$', 8, '$'),
|
||||
//'old_blowfish_crypt' => array('CRYPT_BLOWFISH', '$2$', 13, ''), // old blowfish hash not in line with php.net docu, but could be in use
|
||||
'blowfish_crypt' => array('CRYPT_BLOWFISH', '$2a$12$', 22, ''), // $2a$12$ = 2^12 = 4096 rounds
|
||||
'sha256_crypt' => array('CRYPT_SHA256', '$5$', 16, '$'), // no "round=N$" --> default of 5000 rounds
|
||||
'sha512_crypt' => array('CRYPT_SHA512', '$6$', 16, '$'), // no "round=N$" --> default of 5000 rounds
|
||||
);
|
||||
|
||||
/**
|
||||
* compare crypted passwords for authentication whether des,ext_des,md5, or blowfish crypt
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value / hash (from database)
|
||||
* @param string &$type detected crypt type on return
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function crypt_compare($form_val, $db_val, &$type)
|
||||
{
|
||||
// detect type of hash by salt part of $db_val
|
||||
list($first, $dollar, $salt, $salt2) = explode('$', $db_val);
|
||||
foreach(self::$crypt_params as $type => $params)
|
||||
{
|
||||
list(,$prefix, $random, $postfix) = $params;
|
||||
list(,$d) = explode('$', $prefix);
|
||||
if ($dollar === $d || !$dollar && ($first[0] === $prefix[0] || $first[0] !== '_' && !$prefix))
|
||||
{
|
||||
$len = !$postfix ? strlen($prefix)+$random : strlen($prefix.$salt.$postfix);
|
||||
// sha(256|512) might contain options, explicit $rounds=N$ prefix in salt
|
||||
if (($type == 'sha256_crypt' || $type == 'sha512_crypt') && substr($salt, 0, 7) === 'rounds=')
|
||||
{
|
||||
$len += strlen($salt2)+1;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
$full_salt = substr($db_val, 0, $len);
|
||||
$new_hash = crypt($form_val, $full_salt);
|
||||
//error_log(__METHOD__."('$form_val', '$db_val') type=$type --> len=$len --> salt='$full_salt' --> new_hash='$new_hash' returning ".array2string($db_val === $new_hash));
|
||||
|
||||
return $db_val === $new_hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* encrypt password for ldap
|
||||
*
|
||||
* uses the encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param string $password password to encrypt
|
||||
* @param string $type =null default to $GLOBALS['egw_info']['server']['ldap_encryption_type']
|
||||
* @return string
|
||||
*/
|
||||
static function encrypt_ldap($password, $type=null)
|
||||
{
|
||||
if (is_null($type)) $type = $GLOBALS['egw_info']['server']['ldap_encryption_type'];
|
||||
|
||||
$salt = '';
|
||||
switch(strtolower($type))
|
||||
{
|
||||
default: // eg. setup >> config never saved
|
||||
case 'des':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
$type = $type == 'blowish_crypt' ? 'blowfish_crypt' : 'crypt';
|
||||
// fall through
|
||||
case 'crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
case 'blowfish_crypt':
|
||||
case 'md5_crypt':
|
||||
case 'ext_crypt':
|
||||
list($const, $prefix, $len, $postfix) = self::$crypt_params[$type];
|
||||
if(defined($const) && constant($const) == 1)
|
||||
{
|
||||
$salt = $prefix.self::randomstring($len).$postfix;
|
||||
$e_password = '{crypt}'.crypt($password, $salt);
|
||||
break;
|
||||
}
|
||||
self::$error = 'no '.str_replace('_', ' ', $type);
|
||||
$e_password = false;
|
||||
break;
|
||||
case 'md5':
|
||||
/* New method taken from the openldap-software list as recommended by
|
||||
* Kervin L. Pierre" <kervin@blueprint-tech.com>
|
||||
*/
|
||||
$e_password = '{md5}' . base64_encode(pack("H*",md5($password)));
|
||||
break;
|
||||
case 'smd5':
|
||||
$salt = self::randomstring(16);
|
||||
$hash = md5($password . $salt, true);
|
||||
$e_password = '{SMD5}' . base64_encode($hash . $salt);
|
||||
break;
|
||||
case 'sha':
|
||||
$e_password = '{SHA}' . base64_encode(sha1($password,true));
|
||||
break;
|
||||
case 'ssha':
|
||||
$salt = self::randomstring(16);
|
||||
$hash = sha1($password . $salt, true);
|
||||
$e_password = '{SSHA}' . base64_encode($hash . $salt);
|
||||
break;
|
||||
case 'plain':
|
||||
// if plain no type is prepended
|
||||
$e_password = $password;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$password', ".array2string($type).") returning ".array2string($e_password).(self::$error ? ' error='.self::$error : ''));
|
||||
return $e_password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a password for storage in the accounts table
|
||||
*
|
||||
* @param string $password
|
||||
* @param string $type =null default $GLOBALS['egw_info']['server']['sql_encryption_type']
|
||||
* @return string hash
|
||||
*/
|
||||
static function encrypt_sql($password, $type=null)
|
||||
{
|
||||
/* Grab configured type, or default to md5() (old method) */
|
||||
if (is_null($type))
|
||||
{
|
||||
$type = @$GLOBALS['egw_info']['server']['sql_encryption_type'] ?
|
||||
strtolower($GLOBALS['egw_info']['server']['sql_encryption_type']) : 'md5';
|
||||
}
|
||||
switch($type)
|
||||
{
|
||||
case 'plain':
|
||||
// since md5 is the default, type plain must be prepended, for eGroupware to understand
|
||||
$e_password = '{PLAIN}'.$password;
|
||||
break;
|
||||
|
||||
case 'md5':
|
||||
/* This is the old standard for password storage in SQL */
|
||||
$e_password = md5($password);
|
||||
break;
|
||||
|
||||
// all other types are identical to ldap, so no need to doublicate the code here
|
||||
case 'des':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
case 'crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
case 'blowfish_crypt':
|
||||
case 'md5_crypt':
|
||||
case 'ext_crypt':
|
||||
case 'smd5':
|
||||
case 'sha':
|
||||
case 'ssha':
|
||||
$e_password = self::encrypt_ldap($password, $type);
|
||||
break;
|
||||
|
||||
default:
|
||||
self::$error = 'no valid encryption available';
|
||||
$e_password = false;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$password') using '$type' returning ".array2string($e_password).(self::$error ? ' error='.self::$error : ''));
|
||||
return $e_password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get available password hashes sorted by securest first
|
||||
*
|
||||
* @param string &$securest =null on return securest available hash
|
||||
* @return array hash => label
|
||||
*/
|
||||
public static function passwdhashes(&$securest=null)
|
||||
{
|
||||
$hashes = array();
|
||||
|
||||
/* Check for available crypt methods based on what is defined by php */
|
||||
if(defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1)
|
||||
{
|
||||
$hashes['blowfish_crypt'] = 'blowfish_crypt';
|
||||
}
|
||||
if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1)
|
||||
{
|
||||
$hashes['sha512_crypt'] = 'sha512_crypt';
|
||||
}
|
||||
if(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1)
|
||||
{
|
||||
$hashes['sha256_crypt'] = 'sha256_crypt';
|
||||
}
|
||||
if(defined('CRYPT_MD5') && CRYPT_MD5 == 1)
|
||||
{
|
||||
$hashes['md5_crypt'] = 'md5_crypt';
|
||||
}
|
||||
if(defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1)
|
||||
{
|
||||
$hashes['ext_crypt'] = 'ext_crypt';
|
||||
}
|
||||
$hashes += array(
|
||||
'ssha' => 'ssha',
|
||||
'smd5' => 'smd5',
|
||||
'sha' => 'sha',
|
||||
);
|
||||
if(@defined('CRYPT_STD_DES') && CRYPT_STD_DES == 1)
|
||||
{
|
||||
$hashes['crypt'] = 'crypt';
|
||||
}
|
||||
|
||||
$hashes += array(
|
||||
'md5' => 'md5',
|
||||
'plain' => 'plain',
|
||||
);
|
||||
|
||||
// mark the securest algorithm for the user
|
||||
list($securest) = each($hashes); reset($hashes);
|
||||
$hashes[$securest] .= ' ('.lang('securest').')';
|
||||
|
||||
return $hashes;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a given password is "safe"
|
||||
*
|
||||
* @link http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
|
||||
* In contrary to whats documented in above link, windows seems to treet numbers as delimiters too.
|
||||
*
|
||||
* Windows compatible check is $reqstrength=3, $minlength=7, $forbid_name=true
|
||||
*
|
||||
* @param string $passwd
|
||||
* @param int $reqstrength =null defaults to whatever set in config for "force_pwd_strength"
|
||||
* @param int $minlength =null defaults to whatever set in config for "check_save_passwd"
|
||||
* @param string $forbid_name =null if "yes" username or full-name split by delimiters AND longer then 3 chars are
|
||||
* forbidden to be included in password, default to whatever set in config for "passwd_forbid_name"
|
||||
* @param array|int $account =null array with account_lid and account_fullname or account_id for $forbid_name check
|
||||
* @return mixed false if password is considered "safe" (or no requirements) or a string $message if "unsafe"
|
||||
*/
|
||||
static function crackcheck($passwd, $reqstrength=null, $minlength=null, $forbid_name=null, $account=null)
|
||||
{
|
||||
if (!isset($reqstrength)) $reqstrength = $GLOBALS['egw_info']['server']['force_pwd_strength'];
|
||||
if (!isset($minlength)) $minlength = $GLOBALS['egw_info']['server']['force_pwd_length'];
|
||||
if (!isset($forbid_name)) $forbid_name = $GLOBALS['egw_info']['server']['passwd_forbid_name'];
|
||||
|
||||
// load preferences translations, as changepassword get's called from admin too
|
||||
Translation::add_app('preferences');
|
||||
|
||||
// check for and if necessary convert old values True and 5 to new separate values for length and char-classes
|
||||
if ($GLOBALS['egw_info']['server']['check_save_passwd'] || $reqstrength == 5)
|
||||
{
|
||||
if (!isset($reqstrength) || $reqstrength == 5)
|
||||
{
|
||||
Config::save_value('force_pwd_strength', $reqstrength=4, 'phpgwapi');
|
||||
}
|
||||
if (!isset($minlength))
|
||||
{
|
||||
Config::save_value('force_pwd_length', $minlength=7, 'phpgwapi');
|
||||
}
|
||||
Config::save_value('check_save_passwd', null, 'phpgwapi');
|
||||
}
|
||||
|
||||
$errors = array();
|
||||
|
||||
if ($minlength && strlen($passwd) < $minlength)
|
||||
{
|
||||
$errors[] = lang('password must have at least %1 characters', $minlength);
|
||||
}
|
||||
|
||||
if ($forbid_name === 'yes')
|
||||
{
|
||||
if (!$account || !is_array($account) && !($account = $GLOBALS['egw']->accounts->read($account)))
|
||||
{
|
||||
throw new Exception\WrongParameter('crackcheck(..., forbid_name=true, account) requires account-data!');
|
||||
}
|
||||
$parts = preg_split("/[,._ \t0-9-]+/", $account['account_fullname'].','.$account['account_lid']);
|
||||
foreach($parts as $part)
|
||||
{
|
||||
if (strlen($part) > 2 && stripos($passwd, $part) !== false)
|
||||
{
|
||||
$errors[] = lang('password contains with "%1" a parts of your user- or full-name (3 or more characters long)', $part);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($reqstrength)
|
||||
{
|
||||
$missing = array();
|
||||
if (!preg_match('/(.*\d.*){'. ($non=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('numbers');
|
||||
}
|
||||
if (!preg_match('/(.*[[:upper:]].*){'. ($nou=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('uppercase letters');
|
||||
}
|
||||
if (!preg_match('/(.*[[:lower:]].*){'. ($nol=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('lowercase letters');
|
||||
}
|
||||
if (!preg_match('/['.preg_quote('~!@#$%^&*_-+=`|\(){}[]:;"\'<>,.?/', '/').']/', $passwd))
|
||||
{
|
||||
$missing[] = lang('special characters');
|
||||
}
|
||||
if (4 - count($missing) < $reqstrength)
|
||||
{
|
||||
$errors[] = lang('password contains only %1 of required %2 character classes: no %3',
|
||||
4-count($missing), $reqstrength, implode(', ', $missing));
|
||||
}
|
||||
}
|
||||
if ($errors)
|
||||
{
|
||||
return lang('Your password does not have required strength:').
|
||||
"<br/>\n- ".implode("<br/>\n- ", $errors);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SMD5-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function smd5_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SMD5} */
|
||||
$hash = base64_decode(substr($db_val,6));
|
||||
|
||||
/* SMD5 hashes are 16 bytes long */
|
||||
$orig_hash = cut_bytes($hash, 0, 16); // binary string need to use cut_bytes, not mb_substr(,,'utf-8')!
|
||||
$salt = cut_bytes($hash, 16);
|
||||
|
||||
$new_hash = md5($form_val . $salt,true);
|
||||
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
|
||||
|
||||
return strcmp($orig_hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SHA-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function sha_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SHA} */
|
||||
$hash = base64_decode(substr($db_val,5));
|
||||
$new_hash = sha1($form_val,true);
|
||||
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
|
||||
|
||||
return strcmp($hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SSHA-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function ssha_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SSHA} */
|
||||
$hash = base64_decode(substr($db_val, 6));
|
||||
|
||||
// SHA-1 hashes are 160 bits long
|
||||
$orig_hash = cut_bytes($hash, 0, 20); // binary string need to use cut_bytes, not mb_substr(,,'utf-8')!
|
||||
$salt = cut_bytes($hash, 20);
|
||||
$new_hash = sha1($form_val . $salt,true);
|
||||
|
||||
//error_log(__METHOD__."('$form_val', '$db_val') hash='$hash', orig_hash='$orig_hash', salt='$salt', new_hash='$new_hash' returning ".array2string(strcmp($orig_hash,$new_hash) == 0));
|
||||
return strcmp($orig_hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare md5_hmac-encrypted passwords for authentication (see RFC2104)
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @param string $_key key for md5_hmac-encryption (username for imported smf users)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function md5_hmac_compare($form_val,$db_val,$_key)
|
||||
{
|
||||
$key = str_pad(strlen($_key) <= 64 ? $_key : pack('H*', md5($_key)), 64, chr(0x00));
|
||||
$md5_hmac = md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $form_val)));
|
||||
|
||||
return strcmp($md5_hmac,$db_val) == 0;
|
||||
}
|
||||
}
|
@ -19,10 +19,14 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* Authentication agains a ADS Server
|
||||
*/
|
||||
class auth_ads implements auth_backend
|
||||
class Ads implements Backend
|
||||
{
|
||||
var $previous_login = -1;
|
||||
|
||||
@ -44,7 +48,7 @@ class auth_ads implements auth_backend
|
||||
// harden ldap auth, by removing \000 bytes, causing passwords to be not empty by php, but empty to c libaries
|
||||
$passwd = str_replace("\000", '', $_passwd);
|
||||
|
||||
$adldap = accounts_ads::get_adldap();
|
||||
$adldap = Api\Accounts\Ads::get_adldap();
|
||||
// bind with username@ads_domain, only if a non-empty password given, in case anonymous search is enabled
|
||||
if(empty($passwd) || !$adldap->authenticate($username, $passwd))
|
||||
{
|
||||
@ -97,7 +101,7 @@ class auth_ads implements auth_backend
|
||||
}
|
||||
if ($GLOBALS['egw_info']['server']['auto_create_acct'])
|
||||
{
|
||||
$GLOBALS['auto_create_acct']['account_id'] = accounts_ads::sid2account_id($allValues[0]['objectsid'][0]);
|
||||
$GLOBALS['auto_create_acct']['account_id'] = Api\Accounts\Ads::sid2account_id($allValues[0]['objectsid'][0]);
|
||||
|
||||
// create a global array with all availible info about that account
|
||||
foreach(array(
|
||||
@ -107,7 +111,7 @@ class auth_ads implements auth_backend
|
||||
) as $ldap_name => $acct_name)
|
||||
{
|
||||
$GLOBALS['auto_create_acct'][$acct_name] =
|
||||
translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
Api\Translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
}
|
||||
//error_log(__METHOD__."() \$GLOBALS[auto_create_acct]=".array2string($GLOBALS['auto_create_acct']));
|
||||
return True;
|
||||
@ -130,7 +134,7 @@ class auth_ads implements auth_backend
|
||||
static function getLastPwdChange($username)
|
||||
{
|
||||
$ret = false;
|
||||
if (($adldap = accounts_ads::get_adldap()) &&
|
||||
if (($adldap = Api\Accounts\Ads::get_adldap()) &&
|
||||
($data = $adldap->user()->info($username, array('pwdlastset'))))
|
||||
{
|
||||
$ret = !$data[0]['pwdlastset'][0] ? $data[0]['pwdlastset'][0] :
|
||||
@ -154,7 +158,7 @@ class auth_ads implements auth_backend
|
||||
static function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL, $return_mod=false)
|
||||
{
|
||||
unset($passwd); // not used but required by function signature
|
||||
if (!($adldap = accounts_ads::get_adldap())) return false;
|
||||
if (!($adldap = Api\Accounts\Ads::get_adldap())) return false;
|
||||
|
||||
if ($lastpwdchange)
|
||||
{
|
||||
@ -172,13 +176,13 @@ class auth_ads implements auth_backend
|
||||
}
|
||||
if ($lastpwdchange && $lastpwdchange != -1)
|
||||
{
|
||||
$lastpwdchange = accounts_ads::convertUnixTimeToWindowsTime($lastpwdchange);
|
||||
$lastpwdchange = Api\Accounts\Ads::convertUnixTimeToWindowsTime($lastpwdchange);
|
||||
}
|
||||
$mod = array('pwdlastset' => $lastpwdchange);
|
||||
if ($return_mod) return $mod;
|
||||
|
||||
$ret = false;
|
||||
if ($account_id && ($username = accounts::id2name($account_id, 'account_lid')) &&
|
||||
if ($account_id && ($username = Api\Accounts::id2name($account_id, 'account_lid')) &&
|
||||
($data = $adldap->user()->info($username, array('pwdlastset'))))
|
||||
{
|
||||
$ret = ldap_modify($adldap->getLdapConnection(), $data[0]['dn'], $mod);
|
||||
@ -194,19 +198,19 @@ class auth_ads implements auth_backend
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
* @throws egw_exception_wrong_userinput
|
||||
* @throws Api\Exception_wrong_userinput
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if (!($adldap = accounts_ads::get_adldap()))
|
||||
if (!($adldap = Api\Accounts\Ads::get_adldap()))
|
||||
{
|
||||
error_log(__METHOD__."(\$old_passwd, \$new_passwd, $account_id) accounts_ads::get_adldap() returned false");
|
||||
error_log(__METHOD__."(\$old_passwd, \$new_passwd, $account_id) Api\Accounts\Ads::get_adldap() returned false");
|
||||
return false;
|
||||
}
|
||||
|
||||
if (!($adldap->getUseSSL() || $adldap->getUseTLS()))
|
||||
{
|
||||
throw new egw_exception(lang('Failed to change password.').' '.lang('Active directory requires SSL or TLS to change passwords!'));
|
||||
throw new Api\Exception(lang('Failed to change password.').' '.lang('Active directory requires SSL or TLS to change passwords!'));
|
||||
}
|
||||
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
@ -234,7 +238,7 @@ class auth_ads implements auth_backend
|
||||
}
|
||||
catch (Exception $e) {
|
||||
// as we cant detect what the problem is, we do a password strength check and throw it's message, if it fails
|
||||
$error = auth::crackcheck($new_passwd,
|
||||
$error = Api\Auth::crackcheck($new_passwd,
|
||||
// if admin has nothing configured use windows default of 3 char classes, 7 chars min and name-part-check
|
||||
$GLOBALS['egw_info']['server']['force_pwd_strength'] ? $GLOBALS['egw_info']['server']['force_pwd_strength'] : 3,
|
||||
$GLOBALS['egw_info']['server']['force_pwd_length'] ? $GLOBALS['egw_info']['server']['force_pwd_length'] : 7,
|
||||
@ -245,7 +249,7 @@ class auth_ads implements auth_backend
|
||||
'Server is unwilling to perform.' => lang('Server is unwilling to perform.'),
|
||||
'Your password might not match the password policy.' => lang('Your password might not match the password policy.'),
|
||||
));
|
||||
throw new egw_exception('<p>'.lang('Failed to change password.')."</p>\n".$msg.($error ? "\n<p>".$error."</p>\n" : ''));
|
||||
throw new Api\Exception('<p>'.lang('Failed to change password.')."</p>\n".$msg.($error ? "\n<p>".$error."</p>\n" : ''));
|
||||
}
|
||||
return false;
|
||||
}
|
40
api/src/Auth/Backend.php
Normal file
40
api/src/Auth/Backend.php
Normal file
@ -0,0 +1,40 @@
|
||||
<?php
|
||||
/**
|
||||
* EGroupware API - Authentication backend interface
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage authentication
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
/**
|
||||
* Interface for authentication backend
|
||||
*/
|
||||
interface Backend
|
||||
{
|
||||
/**
|
||||
* password authentication against password stored in sql datababse
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text');
|
||||
|
||||
/**
|
||||
* changes password in sql datababse
|
||||
*
|
||||
* @param string $old_passwd must be cleartext
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @throws Exception to give a verbose error, why changing password failed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0);
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - Authentication from CAS
|
||||
* EGroupware API - Authentication from CAS
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
@ -9,10 +9,15 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
use phpCAS;
|
||||
|
||||
/**
|
||||
* eGroupWare API - Authentication based on CAS (Central Authetication Service)
|
||||
* Authentication based on CAS (Central Authetication Service)
|
||||
*/
|
||||
class auth_cas implements auth_backend
|
||||
class Cas implements Backend
|
||||
{
|
||||
var $previous_login = -1;
|
||||
|
||||
@ -21,7 +26,7 @@ class auth_cas implements auth_backend
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
@ -43,7 +48,7 @@ class auth_cas implements auth_backend
|
||||
'gidnumber' => 'primary_group',
|
||||
) as $ldap_name => $acct_name)
|
||||
{
|
||||
$GLOBALS['auto_create_acct'][$acct_name] = $GLOBALS['egw']->translation->convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
$GLOBALS['auto_create_acct'][$acct_name] = Api\Translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
}
|
||||
return True;
|
||||
}
|
||||
@ -57,7 +62,7 @@ class auth_cas implements auth_backend
|
||||
*
|
||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||
* @param int $account_id =0 account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
@ -6,39 +6,46 @@
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage authentication
|
||||
* @subpackage auth
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* Authentication agains a LDAP Server with fallback to SQL
|
||||
*
|
||||
* For other fallback types, simply change auth backends in constructor call
|
||||
*/
|
||||
class auth_fallback implements auth_backend
|
||||
class Fallback implements Backend
|
||||
{
|
||||
/**
|
||||
* Primary auth backend
|
||||
*
|
||||
* @var auth_backend
|
||||
* @var Backend
|
||||
*/
|
||||
private $primary_backend;
|
||||
|
||||
/**
|
||||
* Fallback auth backend
|
||||
*
|
||||
* @var auth_backend
|
||||
* @var Backend
|
||||
*/
|
||||
private $fallback_backend;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
* @param string $primary ='ldap'
|
||||
* @param string $fallback ='sql'
|
||||
*/
|
||||
function __construct($primary='auth_ldap',$fallback='auth_sql')
|
||||
function __construct($primary='ldap',$fallback='sql')
|
||||
{
|
||||
$this->primary_backend = new $primary;
|
||||
$this->primary_backend = Api\Auth::backend(str_replace('auth_', '', $primary));
|
||||
|
||||
$this->fallback_backend = new $fallback;
|
||||
$this->fallback_backend = Api\Auth::backend(str_replace('auth_', '', $fallback));
|
||||
}
|
||||
|
||||
/**
|
||||
@ -52,14 +59,14 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
|
||||
Api\Cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
|
||||
// check if fallback has correct password, if not update it
|
||||
if (($account_id = $GLOBALS['egw']->accounts->name2id($username)) &&
|
||||
!$this->fallback_backend->authenticate($username,$passwd, $passwd_type))
|
||||
{
|
||||
$backup_currentapp = $GLOBALS['egw_info']['flags']['currentapp'];
|
||||
$GLOBALS['egw_info']['flags']['currentapp'] = 'admin'; // otherwise
|
||||
$ret = $this->fallback_backend->change_password('', $passwd, $account_id);
|
||||
$this->fallback_backend->change_password('', $passwd, $account_id);
|
||||
$GLOBALS['egw_info']['flags']['currentapp'] = $backup_currentapp;
|
||||
//error_log(__METHOD__."('$username', \$passwd) updated password for #$account_id on fallback ".($ret ? 'successfull' : 'failed!'));
|
||||
}
|
||||
@ -67,7 +74,7 @@ class auth_fallback implements auth_backend
|
||||
}
|
||||
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
|
||||
Api\Cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
@ -88,7 +95,6 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
@ -96,7 +102,7 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
if (Api\Cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
if (($ret = $this->primary_backend->change_password($old_passwd, $new_passwd, $account_id)))
|
||||
{
|
||||
@ -108,7 +114,7 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
$ret = $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||
}
|
||||
//error_log(__METHOD__."('$old_passwd', '$new_passwd', $account_id) username='$username', backend=".egw_cache::getInstance(__CLASS__,'backend_used-'.$username)." returning ".array2string($ret));
|
||||
//error_log(__METHOD__."('$old_passwd', '$new_passwd', $account_id) username='$username', backend=".Api\Cache::getInstance(__CLASS__,'backend_used-'.$username)." returning ".array2string($ret));
|
||||
return $ret;
|
||||
}
|
||||
|
||||
@ -120,11 +126,17 @@ class auth_fallback implements auth_backend
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
if (Api\Cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
if (method_exists($this->primary_backend,'getLastPwdChange')) return $this->primary_backend->getLastPwdChange($username);
|
||||
if (method_exists($this->primary_backend,'getLastPwdChange'))
|
||||
{
|
||||
return $this->primary_backend->getLastPwdChange($username);
|
||||
}
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'getLastPwdChange'))
|
||||
{
|
||||
return $this->fallback_backend->getLastPwdChange($username);
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'getLastPwdChange')) return $this->fallback_backend->getLastPwdChange($username);
|
||||
return false;
|
||||
}
|
||||
|
||||
@ -140,7 +152,6 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
@ -148,11 +159,17 @@ class auth_fallback implements auth_backend
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
if (Api\Cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
if (method_exists($this->primary_backend,'setLastPwdChange')) return $this->primary_backend->setLastPwdChange($username);
|
||||
if (method_exists($this->primary_backend,'setLastPwdChange'))
|
||||
{
|
||||
return $this->primary_backend->setLastPwdChange($username);
|
||||
}
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'setLastPwdChange'))
|
||||
{
|
||||
return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'setLastPwdChange')) return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
return false;
|
||||
}
|
||||
}
|
29
api/src/Auth/Fallbackmail2sql.php
Normal file
29
api/src/Auth/Fallbackmail2sql.php
Normal file
@ -0,0 +1,29 @@
|
||||
<?php
|
||||
/**
|
||||
* EGroupware API - Mail Authentication with fallback to SQL
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage auth
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
/**
|
||||
* Authentication agains a mail Server with fallback to SQL
|
||||
*
|
||||
* For other fallback types, simply change auth backends in constructor call
|
||||
*/
|
||||
class Fallbackmail2sql extends Fallback
|
||||
{
|
||||
/**
|
||||
* Constructor
|
||||
*/
|
||||
function __construct($primary='mail', $fallback='sql')
|
||||
{
|
||||
parent::__construct($primary, $fallback);
|
||||
}
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - Authentication based on HTTP auth
|
||||
* EGroupware API - Authentication based on HTTP auth
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
||||
@ -8,14 +8,16 @@
|
||||
* Copyright (C) 2000, 2001 Dan Kuykendall
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage authentication
|
||||
* @subpackage auth
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
/**
|
||||
* Authentication based on HTTP auth
|
||||
*/
|
||||
class auth_http implements auth_backend
|
||||
class Http implements Backend
|
||||
{
|
||||
var $previous_login = -1;
|
||||
|
||||
@ -24,19 +26,14 @@ class auth_http implements auth_backend
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
if (isset($_SERVER['PHP_AUTH_USER']))
|
||||
{
|
||||
return True;
|
||||
}
|
||||
else
|
||||
{
|
||||
return False;
|
||||
}
|
||||
unset($username, $passwd, $passwd_type); // not used, but required by interface
|
||||
|
||||
return isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] === $username;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -49,6 +46,8 @@ class auth_http implements auth_backend
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
unset($old_passwd, $new_passwd, $account_id); // not used, but required by interface
|
||||
|
||||
return False;
|
||||
}
|
||||
}
|
@ -19,10 +19,14 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* Authentication agains a LDAP Server
|
||||
*/
|
||||
class auth_ldap implements auth_backend
|
||||
class Ldap implements Backend
|
||||
{
|
||||
var $previous_login = -1;
|
||||
/**
|
||||
@ -44,25 +48,24 @@ class auth_ldap implements auth_backend
|
||||
unset($passwd_type); // not used by required by function signature
|
||||
|
||||
// allow non-ascii in username & password
|
||||
$username = translation::convert($_username,translation::charset(),'utf-8');
|
||||
$username = Api\Translation::convert($_username,Api\Translation::charset(),'utf-8');
|
||||
// harden ldap auth, by removing \000 bytes, causing passwords to be not empty by php, but empty to c libaries
|
||||
$passwd = str_replace("\000", '', translation::convert($_passwd,translation::charset(),'utf-8'));
|
||||
$passwd = str_replace("\000", '', Api\Translation::convert($_passwd,Api\Translation::charset(),'utf-8'));
|
||||
|
||||
if(!$ldap = common::ldapConnect())
|
||||
{
|
||||
return False;
|
||||
// Login with the LDAP Admin. User to find the User DN.
|
||||
try {
|
||||
$ldap = Api\Ldap::factory();
|
||||
}
|
||||
|
||||
/* Login with the LDAP Admin. User to find the User DN. */
|
||||
if(!@ldap_bind($ldap, $GLOBALS['egw_info']['server']['ldap_root_dn'], $GLOBALS['egw_info']['server']['ldap_root_pw']))
|
||||
catch(Api\Exception\NoPermission $e)
|
||||
{
|
||||
unset($e);
|
||||
if ($this->debug) error_log(__METHOD__."('$username',\$password) can NOT bind with ldap_root_dn to search!");
|
||||
return False;
|
||||
}
|
||||
/* find the dn for this uid, the uid is not always in the dn */
|
||||
$attributes = array('uid','dn','givenName','sn','mail','uidNumber','shadowExpire','homeDirectory');
|
||||
|
||||
$filter = str_replace(array('%user','%domain'),array(ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),
|
||||
$filter = str_replace(array('%user','%domain'),array(Api\Ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),
|
||||
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
|
||||
|
||||
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
|
||||
@ -114,7 +117,7 @@ class auth_ldap implements auth_backend
|
||||
) as $ldap_name => $acct_name)
|
||||
{
|
||||
$GLOBALS['auto_create_acct'][$acct_name] =
|
||||
translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
Api\Translation::convert($allValues[0][$ldap_name][0],'utf-8');
|
||||
}
|
||||
$ret = true;
|
||||
}
|
||||
@ -141,8 +144,8 @@ class auth_ldap implements auth_backend
|
||||
if (($sri = ldap_search($ldap, $userDN,"(objectclass=*)", array('userPassword'))) &&
|
||||
($values = ldap_get_entries($ldap, $sri)) && isset($values[0]['userpassword'][0]) &&
|
||||
($type = preg_match('/^{(.+)}/',$values[0]['userpassword'][0],$matches) ? strtolower($matches[1]) : 'plain') &&
|
||||
// for crypt use auth::crypt_compare to detect correct sub-type, strlen("{crypt}")=7
|
||||
($type != 'crypt' || auth::crypt_compare($passwd, substr($values[0]['userpassword'][0], 7), $type)) &&
|
||||
// for crypt use Api\Auth::crypt_compare to detect correct sub-type, strlen("{crypt}")=7
|
||||
($type != 'crypt' || Api\Auth::crypt_compare($passwd, substr($values[0]['userpassword'][0], 7), $type)) &&
|
||||
in_array($type, explode(',',strtolower($GLOBALS['egw_info']['server']['pwd_migration_types']))))
|
||||
{
|
||||
$this->change_password($passwd, $passwd, $allValues[0]['uidnumber'][0], false);
|
||||
@ -165,23 +168,21 @@ class auth_ldap implements auth_backend
|
||||
function getLastPwdChange($_username)
|
||||
{
|
||||
// allow non-ascii in username & password
|
||||
$username = translation::convert($_username,translation::charset(),'utf-8');
|
||||
$username = Api\Translation::convert($_username,Api\Translation::charset(),'utf-8');
|
||||
|
||||
if(!$ldap = common::ldapConnect())
|
||||
{
|
||||
return False;
|
||||
// Login with the LDAP Admin. User to find the User DN.
|
||||
try {
|
||||
$ldap = Api\Ldap::factory();
|
||||
}
|
||||
|
||||
/* Login with the LDAP Admin. User to find the User DN. */
|
||||
if(!@ldap_bind($ldap, $GLOBALS['egw_info']['server']['ldap_root_dn'], $GLOBALS['egw_info']['server']['ldap_root_pw']))
|
||||
{
|
||||
catch (Api\Exception\NoPermission $ex) {
|
||||
unset($ex);
|
||||
if ($this->debug) error_log(__METHOD__."('$username') can NOT bind with ldap_root_dn to search!");
|
||||
return false;
|
||||
}
|
||||
/* find the dn for this uid, the uid is not always in the dn */
|
||||
$attributes = array('uid','dn','shadowexpire','shadowlastchange');
|
||||
|
||||
$filter = str_replace(array('%user','%domain'),array(ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),
|
||||
$filter = str_replace(array('%user','%domain'),array(Api\Ldap::quote($username),$GLOBALS['egw_info']['user']['domain']),
|
||||
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
|
||||
|
||||
if ($GLOBALS['egw_info']['server']['account_repository'] == 'ldap')
|
||||
@ -236,15 +237,15 @@ class auth_ldap implements auth_backend
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||
translation::charset(),'utf-8');
|
||||
$username = Api\Translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||
Api\Translation::charset(),'utf-8');
|
||||
}
|
||||
//echo "<p>auth_ldap::change_password('$old_passwd','$new_passwd',$account_id) username='$username'</p>\n";
|
||||
//echo "<p>auth_Api\Ldap::change_password('$old_passwd','$new_passwd',$account_id) username='$username'</p>\n";
|
||||
|
||||
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),
|
||||
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
|
||||
|
||||
$ds = common::ldapConnect();
|
||||
$ds = Api\Ldap::factory();
|
||||
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
|
||||
$allValues = ldap_get_entries($ds, $sri);
|
||||
|
||||
@ -254,14 +255,14 @@ class auth_ldap implements auth_backend
|
||||
|
||||
if(!$admin && $passwd) // if old password given (not called by admin) --> bind as that user to change the pw
|
||||
{
|
||||
$ds = common::ldapConnect('',$dn,$passwd);
|
||||
$ds = Api\Ldap::factory('', $dn, $passwd);
|
||||
}
|
||||
if (!@ldap_modify($ds, $dn, $entry))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
|
||||
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',(is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange));
|
||||
if (!$admin) Api\Cache::setSession('phpgwapi','auth_alpwchange_val',(is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange));
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -285,19 +286,19 @@ class auth_ldap implements auth_backend
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||
translation::charset(),'utf-8');
|
||||
$username = Api\Translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||
Api\Translation::charset(),'utf-8');
|
||||
}
|
||||
if ($this->debug) error_log(__METHOD__."('$old_passwd','$new_passwd',$account_id, $update_lastchange) username='$username'");
|
||||
|
||||
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),
|
||||
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
|
||||
|
||||
$ds = $ds_admin = common::ldapConnect();
|
||||
$ds = $ds_admin = Api\Ldap::factory();
|
||||
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
|
||||
$allValues = ldap_get_entries($ds, $sri);
|
||||
|
||||
$entry['userpassword'] = auth::encrypt_password($new_passwd);
|
||||
$entry['userpassword'] = Api\Auth::encrypt_password($new_passwd);
|
||||
if ($update_lastchange)
|
||||
{
|
||||
$entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
|
||||
@ -307,11 +308,10 @@ class auth_ldap implements auth_backend
|
||||
|
||||
if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw
|
||||
{
|
||||
$user_ds = new ldap(true); // true throw exceptions in case of error
|
||||
try {
|
||||
$ds = $user_ds->ldapConnect('',$dn,$old_passwd);
|
||||
$ds = Api\Ldap\factory('',$dn,$old_passwd);
|
||||
}
|
||||
catch (egw_exception_no_permission $e) {
|
||||
catch (Api\Exception\NoPermission $e) {
|
||||
unset($e);
|
||||
return false; // wrong old user password
|
||||
}
|
||||
@ -325,7 +325,7 @@ class auth_ldap implements auth_backend
|
||||
if($old_passwd) // if old password given (not called by admin) update the password in the session
|
||||
{
|
||||
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
|
||||
egw_cache::setSession('phpgwapi','auth_alpwchange_val',time());
|
||||
Api\Cache::setSession('phpgwapi','auth_alpwchange_val',time());
|
||||
}
|
||||
return $entry['userpassword'];
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - Authentication agains mail server
|
||||
* EGroupware API - Authentication agains mail server
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Dan Kuykendall <seek3r@phpgroupware.org>
|
||||
@ -11,10 +11,14 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use Horde_Imap_Client_Socket, Horde_Imap_Client_Exception;
|
||||
|
||||
/**
|
||||
* Authentication agains mail server
|
||||
*/
|
||||
class auth_mail implements auth_backend
|
||||
class Mail implements Backend
|
||||
{
|
||||
var $previous_login = -1;
|
||||
|
@ -11,21 +11,25 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
/**
|
||||
* Auth from NIS
|
||||
*/
|
||||
class auth_nis implements auth_backend
|
||||
class Nis implements Backend
|
||||
{
|
||||
/**
|
||||
* password authentication
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
unset($passwd_type); // not used but required by interface
|
||||
|
||||
$domain = yp_get_default_domain();
|
||||
if(!empty($GLOBALS['egw_info']['server']['nis_domain']))
|
||||
{
|
||||
@ -56,11 +60,13 @@ class auth_nis implements auth_backend
|
||||
*
|
||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||
* @param int $account_id =0 account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
unset($old_passwd, $new_passwd, $account_id); // not used but required by interface
|
||||
|
||||
// can't change passwords unless server runs as root (bad idea)
|
||||
return( False );
|
||||
}
|
@ -9,6 +9,11 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
// explicitly import classes still in phpgwapi
|
||||
use common; // email_address
|
||||
|
||||
/**
|
||||
* Auth from PAM
|
||||
*
|
||||
@ -16,18 +21,20 @@
|
||||
*
|
||||
* To read full name from password file PHP's posix extension is needed (sometimes in package php_process)
|
||||
*/
|
||||
class auth_pam implements auth_backend
|
||||
class Pam implements Backend
|
||||
{
|
||||
/**
|
||||
* password authentication
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
unset($passwd_type); // not used but required by interface
|
||||
|
||||
if (pam_auth($username, get_magic_quotes_gpc() ? stripslashes($passwd) : $passwd))
|
||||
{
|
||||
// for new accounts read full name from password file and pass it to EGroupware
|
||||
@ -60,11 +67,13 @@ class auth_pam implements auth_backend
|
||||
*
|
||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id=0 account id of user whose passwd should be changed
|
||||
* @param int $account_id =0 account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
unset($old_passwd, $new_passwd, $account_id); // not used but required by interface
|
||||
|
||||
// deny password changes.
|
||||
return False;
|
||||
}
|
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - Authentication from SQL
|
||||
* EGroupware API - Authentication from SQL
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
@ -13,6 +13,10 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* eGroupWare API - Authentication based on SQL table of accounts
|
||||
*
|
||||
@ -21,12 +25,12 @@
|
||||
*
|
||||
* Massive code cleanup and added password migration by Cornelius Weiss <egw@von-und-zu-weiss.de
|
||||
*/
|
||||
class auth_sql implements auth_backend
|
||||
class Sql implements Backend
|
||||
{
|
||||
/**
|
||||
* Reference to the global db object
|
||||
*
|
||||
* @var egw_db
|
||||
* @var Api\Db
|
||||
*/
|
||||
var $db;
|
||||
var $table = 'egw_accounts';
|
||||
@ -45,7 +49,7 @@ class auth_sql implements auth_backend
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
@ -58,7 +62,7 @@ class auth_sql implements auth_backend
|
||||
);
|
||||
if (!$GLOBALS['egw_info']['server']['case_sensitive_username']) // = is case sensitiv eg. on postgres, but not on mysql!
|
||||
{
|
||||
$where[] = 'account_lid '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote($username);
|
||||
$where[] = 'account_lid '.$this->db->capabilities[Api\Db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote($username);
|
||||
unset($where['account_lid']);
|
||||
}
|
||||
if($passwd_type == 'text')
|
||||
@ -69,7 +73,8 @@ class auth_sql implements auth_backend
|
||||
{
|
||||
return false;
|
||||
}
|
||||
if(!($match = auth::compare_password($passwd, $row['account_pwd'], $this->type, strtolower($username), $type)) ||
|
||||
$type = null;
|
||||
if(!($match = Api\Auth::compare_password($passwd, $row['account_pwd'], $this->type, strtolower($username), $type)) ||
|
||||
$type != $this->type && in_array($type, explode(',',strtolower($GLOBALS['egw_info']['server']['pwd_migration_types']))))
|
||||
{
|
||||
// do we have to migrate an old password ?
|
||||
@ -79,7 +84,7 @@ class auth_sql implements auth_backend
|
||||
{
|
||||
foreach(explode(',', $GLOBALS['egw_info']['server']['pwd_migration_types']) as $type)
|
||||
{
|
||||
if(($match = auth::compare_password($passwd,$row['account_pwd'],$type,strtolower($username))))
|
||||
if(($match = Api\Auth::compare_password($passwd,$row['account_pwd'],$type,strtolower($username))))
|
||||
{
|
||||
break;
|
||||
}
|
||||
@ -87,7 +92,7 @@ class auth_sql implements auth_backend
|
||||
}
|
||||
if ($match)
|
||||
{
|
||||
$encrypted_passwd = auth::encrypt_sql($passwd);
|
||||
$encrypted_passwd = Api\Auth::encrypt_sql($passwd);
|
||||
$this->_update_passwd($encrypted_passwd,$passwd,$row['account_id'],false,true);
|
||||
}
|
||||
}
|
||||
@ -126,7 +131,7 @@ class auth_sql implements auth_backend
|
||||
);
|
||||
if (!$GLOBALS['egw_info']['server']['case_sensitive_username']) // = is case sensitiv eg. on postgres, but not on mysql!
|
||||
{
|
||||
$where[] = 'account_lid '.$this->db->capabilities[egw_db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote($username);
|
||||
$where[] = 'account_lid '.$this->db->capabilities[Api\Db::CAPABILITY_CASE_INSENSITIV_LIKE].' '.$this->db->quote($username);
|
||||
unset($where['account_lid']);
|
||||
}
|
||||
if (!($row = $this->db->select($this->table,'account_lid,account_lastpwd_change',$where,__LINE__,__FILE__)->fetch()) ||
|
||||
@ -145,10 +150,10 @@ class auth_sql implements auth_backend
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @param int $_lastpwdchange =null must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $_lastpwdchange=NULL)
|
||||
{
|
||||
$admin = True;
|
||||
// Don't allow password changes for other accounts when using XML-RPC
|
||||
@ -172,11 +177,11 @@ class auth_sql implements auth_backend
|
||||
return false; // account not found
|
||||
}
|
||||
// Check the passwd to make sure this is legal
|
||||
if(!$admin && !auth::compare_password($passwd,$pw,$this->type,strtolower($username)))
|
||||
if(!$admin && !Api\Auth::compare_password($passwd,$pw,$this->type,strtolower($username)))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
$lastpwdchange = (is_null($lastpwdchange) || $lastpwdchange<0 ? time():$lastpwdchange);
|
||||
$lastpwdchange = (is_null($_lastpwdchange) || $_lastpwdchange < 0 ? time() : $_lastpwdchange);
|
||||
$this->db->update($this->table,array(
|
||||
'account_lastpwd_change' => $lastpwdchange,
|
||||
),array(
|
||||
@ -184,7 +189,7 @@ class auth_sql implements auth_backend
|
||||
),__LINE__,__FILE__);
|
||||
|
||||
if(!$this->db->affected_rows()) return false;
|
||||
if (!$admin) egw_cache::setSession('phpgwapi','auth_alpwchange_val',$lastpwdchange);
|
||||
if (!$admin) Api\Cache::setSession('phpgwapi', 'auth_alpwchange_val', $lastpwdchange);
|
||||
return true;
|
||||
}
|
||||
|
||||
@ -219,13 +224,13 @@ class auth_sql implements auth_backend
|
||||
return false; // account not found
|
||||
}
|
||||
// Check the old_passwd to make sure this is legal
|
||||
if(!$admin && !auth::compare_password($old_passwd,$pw,$this->type,strtolower($username)))
|
||||
if(!$admin && !Api\Auth::compare_password($old_passwd,$pw,$this->type,strtolower($username)))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
// old password ok, or admin called the function from the admin application (no old passwd available).
|
||||
return $this->_update_passwd(auth::encrypt_sql($new_passwd),$new_passwd,$account_id,$admin);
|
||||
return $this->_update_passwd(Api\Auth::encrypt_sql($new_passwd),$new_passwd,$account_id,$admin);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -234,12 +239,14 @@ class auth_sql implements auth_backend
|
||||
* @param string $encrypted_passwd
|
||||
* @param string $new_passwd cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param boolean $admin=false called by admin, if not update password in the session
|
||||
* @param boolean $update_lastpw_change=true
|
||||
* @param boolean $admin =false called by admin, if not update password in the session
|
||||
* @param boolean $update_lastpw_change =true
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
private function _update_passwd($encrypted_passwd,$new_passwd,$account_id,$admin=false,$update_lastpw_change=true)
|
||||
{
|
||||
unset($new_passwd); // not used, but required by function signature
|
||||
|
||||
$update = array('account_pwd' => $encrypted_passwd);
|
||||
if ($update_lastpw_change) $update['account_lastpwd_change'] = time();
|
||||
|
||||
@ -252,7 +259,7 @@ class auth_sql implements auth_backend
|
||||
|
||||
if(!$admin)
|
||||
{
|
||||
egw_cache::setSession('phpgwapi','auth_alpwchange_val',$update['account_lastpwd_change']);
|
||||
Api\Cache::setSession('phpgwapi','auth_alpwchange_val',$update['account_lastpwd_change']);
|
||||
}
|
||||
return true;
|
||||
}
|
@ -10,6 +10,10 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
namespace EGroupware\Api\Auth;
|
||||
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* Authentication based on SQL table and X.509 certificates
|
||||
*
|
||||
@ -22,24 +26,24 @@ class auth_sqlssl extends auth_sql
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type='text' 'text' for cleartext passwords (default)
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
unset($passwd_type); // not used but required by interface
|
||||
|
||||
$local_debug = False;
|
||||
|
||||
if($local_debug)
|
||||
{
|
||||
echo "<b>Debug SQL: uid - $username passwd - $passwd</b>";
|
||||
}
|
||||
$this->db->select($this->table,'account_lid,account_pwd',array(
|
||||
if (!($row = $this->db->select($this->table,'account_lid,account_pwd',array(
|
||||
'account_lid' => $username,
|
||||
'account_status' => 'A',
|
||||
'account_type' => 'u',
|
||||
),__LINE__,__FILE__);
|
||||
|
||||
if (!$this->db->next_record() || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $this->db->f('account_lid') != $username)
|
||||
),__LINE__,__FILE__)->fetch()) || $GLOBALS['egw_info']['server']['case_sensitive_username'] && $row['account_lid'] != $username)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
@ -50,8 +54,24 @@ class auth_sqlssl extends auth_sql
|
||||
if(!isset($_SERVER['SSL_CLIENT_S_DN']))
|
||||
{
|
||||
# if we're not doing SSL authentication, behave like auth_sql
|
||||
return auth::compare_password($passwd,$this->db->f('account_pwd'),$this->type,strtolower($username));
|
||||
return Api\Auth::compare_password($passwd, $row['account_pwd'], 'md5', strtolower($username));
|
||||
}
|
||||
return True;
|
||||
}
|
||||
|
||||
/**
|
||||
* changes password
|
||||
*
|
||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id =0 account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
unset($old_passwd, $new_passwd, $account_id); // not used but required by interface
|
||||
|
||||
// deny password changes.
|
||||
return False;
|
||||
}
|
||||
}
|
@ -325,23 +325,20 @@ class Ldap
|
||||
*/
|
||||
function connect($admin = false)
|
||||
{
|
||||
// if egw object does not yet exists (eg. in sharing), we have to use our own ldap instance!
|
||||
$ldap = isset($GLOBALS['egw']) && is_a($GLOBALS['egw']->ldap, 'ldap') ? $GLOBALS['egw']->ldap : new ldap();
|
||||
|
||||
if ($admin)
|
||||
{
|
||||
$this->ds = $ldap->ldapConnect();
|
||||
$this->ds = Api\Ldap::factory();
|
||||
}
|
||||
// if ldap is NOT the contact repository, we only do accounts and need to use the account-data
|
||||
elseif (substr($GLOBALS['egw_info']['server']['contact_repository'],-4) != 'ldap') // not (ldap or sql-ldap)
|
||||
{
|
||||
$this->ldap_config['ldap_contact_host'] = $this->ldap_config['ldap_host'];
|
||||
$this->allContactsDN = $this->ldap_config['ldap_context'];
|
||||
$this->ds = $ldap->ldapConnect();
|
||||
$this->ds = Api\Ldap::factory();
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->ds = $ldap->ldapConnect(
|
||||
$this->ds = Api\Ldap::factory(true,
|
||||
$this->ldap_config['ldap_contact_host'],
|
||||
$GLOBALS['egw_info']['user']['account_dn'],
|
||||
$GLOBALS['egw_info']['user']['passwd']
|
||||
|
@ -12,15 +12,12 @@
|
||||
|
||||
namespace EGroupware\Api;
|
||||
|
||||
// explicitly reference classes still in phpgwapi
|
||||
use auth;
|
||||
|
||||
/**
|
||||
* Class supplying methods to prevent successful CSRF by requesting a random token,
|
||||
* stored on server and validated when request get posted.
|
||||
*
|
||||
* CSRF token generation used openssl_random_pseudo_bytes, if available, otherwise
|
||||
* mt_rand based auth::randomstring is used.
|
||||
* mt_rand based Auth::randomstring is used.
|
||||
*
|
||||
* CSRF tokens are stored (incl. optional purpose) in user session.
|
||||
*
|
||||
@ -41,10 +38,10 @@ class Csrf
|
||||
{
|
||||
throw new egw_exception_wrong_parameter(__METHOD__.'(NULL) $_purspose must NOT be NULL!');
|
||||
}
|
||||
// generate random token (using oppenssl if available otherwise mt_rand based auth::randomstring)
|
||||
// generate random token (using oppenssl if available otherwise mt_rand based Auth::randomstring)
|
||||
$token = function_exists('openssl_random_pseudo_bytes') ?
|
||||
base64_encode(openssl_random_pseudo_bytes(64)) :
|
||||
auth::randomstring(64);
|
||||
Auth::randomstring(64);
|
||||
|
||||
// store it in session for later validation
|
||||
Cache::setSession(__CLASS__, $token, $_purpose);
|
||||
|
@ -25,6 +25,8 @@ namespace EGroupware\Api;
|
||||
* If multiple (space-separated) ldap hosts or urls are given, try them in order and
|
||||
* move first successful one to first place in session, to try not working ones
|
||||
* only once per session.
|
||||
*
|
||||
* Use Api\Ldap::factory($resource=true, $host='', $dn='', $passwd='') to open only a single connection.
|
||||
*/
|
||||
class Ldap
|
||||
{
|
||||
@ -60,6 +62,40 @@ class Ldap
|
||||
$this->restoreSessionData();
|
||||
}
|
||||
|
||||
/**
|
||||
* Connections created with factory method
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
protected static $connections = array();
|
||||
|
||||
/**
|
||||
* Connect to ldap server and return a handle or Api\Ldap object
|
||||
*
|
||||
* Use this factory method to open only a single connection to LDAP server!
|
||||
*
|
||||
* @param boolean $ressource =true true: return LDAP ressource for ldap_*-methods,
|
||||
* false: return connected instances of this Api\Ldap class
|
||||
* @param string $host ='' ldap host, default $GLOBALS['egw_info']['server']['ldap_host']
|
||||
* @param string $dn ='' ldap dn, default $GLOBALS['egw_info']['server']['ldap_root_dn']
|
||||
* @param string $passwd ='' ldap pw, default $GLOBALS['egw_info']['server']['ldap_root_pw']
|
||||
* @return resource|Ldap resource from ldap_connect() or false on error
|
||||
* @throws Exception\AssertingFailed 'LDAP support unavailable!' (no ldap extension)
|
||||
* @throws Exception\NoPermission if bind fails
|
||||
*/
|
||||
public static function factory($ressource=true, $host='', $dn='', $passwd='')
|
||||
{
|
||||
$key = md5($host.':'.$dn.':'.$passwd);
|
||||
|
||||
if (!isset(self::$connections[$key]))
|
||||
{
|
||||
self::$connections[$key] = new Ldap(true);
|
||||
|
||||
self::$connections[$key]->ldapConnect($host, $dn, $passwd);
|
||||
}
|
||||
return $ressource ? self::$connections[$key]->ds : self::$connections[$key];
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns information about connected ldap server
|
||||
*
|
||||
@ -121,11 +157,12 @@ class Ldap
|
||||
* move first successful one to first place in session, to try not working ones
|
||||
* only once per session.
|
||||
*
|
||||
* @param $host ='' ldap host, default $GLOBALS['egw_info']['server']['ldap_host']
|
||||
* @param $dn ='' ldap dn, default $GLOBALS['egw_info']['server']['ldap_root_dn']
|
||||
* @param $passwd ='' ldap pw, default $GLOBALS['egw_info']['server']['ldap_root_pw']
|
||||
* @param string $host ='' ldap host, default $GLOBALS['egw_info']['server']['ldap_host']
|
||||
* @param string $dn ='' ldap dn, default $GLOBALS['egw_info']['server']['ldap_root_dn']
|
||||
* @param string $passwd ='' ldap pw, default $GLOBALS['egw_info']['server']['ldap_root_pw']
|
||||
* @return resource|boolean resource from ldap_connect() or false on error
|
||||
* @throws Exception\AssertingFailed 'LDAP support unavailable!' (no ldap extension)
|
||||
* @throws Exception\NoPermission if bind fails
|
||||
*/
|
||||
function ldapConnect($host='', $dn='', $passwd='')
|
||||
{
|
||||
|
@ -24,10 +24,8 @@ namespace EGroupware\Api;
|
||||
|
||||
// explicitly reference classes still in phpgwapi
|
||||
use egw_mailer;
|
||||
use common; // randomstring
|
||||
use egw_digest_auth; // egw_digest_auth::parse_digest
|
||||
use html; // html::$ua_mobile
|
||||
use auth; // check_password_change
|
||||
|
||||
/**
|
||||
* Create, verifies or destroys an EGroupware session
|
||||
@ -230,7 +228,7 @@ class Session
|
||||
}
|
||||
if (!isset($GLOBALS['egw_info']['server']['install_id']))
|
||||
{
|
||||
$GLOBALS['egw_info']['server']['install_id'] = md5(common::randomstring(15));
|
||||
$GLOBALS['egw_info']['server']['install_id'] = md5(Auth::randomstring(15));
|
||||
}
|
||||
if (!isset($GLOBALS['egw_info']['server']['max_history']))
|
||||
{
|
||||
@ -511,7 +509,7 @@ class Session
|
||||
if (self::ERROR_LOG_DEBUG) error_log(__METHOD__."($this->login,$this->passwd,$this->passwd_type,$no_session,$auth_check) UNSUCCESSFULL ($this->reason)");
|
||||
return false;
|
||||
}
|
||||
if ($fail_on_forced_password_change && auth::check_password_change($this->reason) === false)
|
||||
if ($fail_on_forced_password_change && Auth::check_password_change($this->reason) === false)
|
||||
{
|
||||
$this->cd_reason = self::CD_FORCE_PASSWORD_CHANGE;
|
||||
return false;
|
||||
@ -550,7 +548,7 @@ class Session
|
||||
}
|
||||
$this->sessionid = session_id();
|
||||
}
|
||||
$this->kp3 = common::randomstring(24);
|
||||
$this->kp3 = Auth::randomstring(24);
|
||||
|
||||
$GLOBALS['egw_info']['user'] = $this->read_repositories();
|
||||
if ($GLOBALS['egw']->accounts->is_expired($GLOBALS['egw_info']['user']))
|
||||
|
@ -1,6 +1,6 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - Authentication baseclass
|
||||
* EGroupware API - Authentication
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
@ -12,150 +12,15 @@
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
// allow to set an application depending authentication type (eg. for syncml, groupdav, ...)
|
||||
if (isset($GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']]) &&
|
||||
$GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']])
|
||||
{
|
||||
$GLOBALS['egw_info']['server']['auth_type'] = $GLOBALS['egw_info']['server']['auth_type_'.$GLOBALS['egw_info']['flags']['currentapp']];
|
||||
}
|
||||
if(empty($GLOBALS['egw_info']['server']['auth_type']))
|
||||
{
|
||||
$GLOBALS['egw_info']['server']['auth_type'] = 'sql';
|
||||
}
|
||||
//error_log('using auth_type='.$GLOBALS['egw_info']['server']['auth_type'].', currentapp='.$GLOBALS['egw_info']['flags']['currentapp']);
|
||||
use EGroupware\Api;
|
||||
|
||||
/**
|
||||
* eGroupWare API - Authentication baseclass, password auth and crypt functions
|
||||
* Authentication
|
||||
*
|
||||
* Many functions based on code from Frank Thomas <frank@thomas-alfeld.de>
|
||||
* which can be seen at http://www.thomas-alfeld.de/frank/
|
||||
*
|
||||
* Other functions from class.common.inc.php originally from phpGroupWare
|
||||
* @deprecated use Api\Auth
|
||||
*/
|
||||
class auth
|
||||
class auth extends Api\Auth
|
||||
{
|
||||
static $error;
|
||||
|
||||
/**
|
||||
* Holds instance of backend
|
||||
*
|
||||
* @var auth_backend
|
||||
*/
|
||||
private $backend;
|
||||
|
||||
function __construct()
|
||||
{
|
||||
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
|
||||
|
||||
$this->backend = new $backend_class;
|
||||
|
||||
if (!($this->backend instanceof auth_backend))
|
||||
{
|
||||
throw new egw_exception_assertion_failed("Auth backend class $backend_class is NO auth_backend!");
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* check if users are supposed to change their password every x sdays, then check if password is of old age
|
||||
* or the devil-admin reset the users password and forced the user to change his password on next login.
|
||||
*
|
||||
* @param string& $message =null on return false: message why password needs to be changed
|
||||
* @return boolean true: all good, false: password change required, null: password expires in N days
|
||||
*/
|
||||
static function check_password_change(&$message=null)
|
||||
{
|
||||
// dont check anything for anonymous sessions/ users that are flagged as anonymous
|
||||
if (is_object($GLOBALS['egw']->session) && $GLOBALS['egw']->session->session_flags == 'A') return true;
|
||||
|
||||
// some statics (and initialisation to make information and timecalculation a) more readable in conditions b) persistent per request
|
||||
// if user has to be warned about an upcomming passwordchange, remember for the session, that he was informed
|
||||
static $UserKnowsAboutPwdChange=null;
|
||||
if (is_null($UserKnowsAboutPwdChange)) $UserKnowsAboutPwdChange =& egw_cache::getSession('phpgwapi','auth_UserKnowsAboutPwdChange');
|
||||
|
||||
// retrieve the timestamp regarding the last change of the password from auth system and store it with the session
|
||||
static $alpwchange_val=null;
|
||||
static $pwdTsChecked=null;
|
||||
if (is_null($pwdTsChecked) && is_null($alpwchange_val) || (string)$alpwchange_val === '0')
|
||||
{
|
||||
$alpwchange_val =& egw_cache::getSession('phpgwapi','auth_alpwchange_val'); // set that one with the session stored value
|
||||
// initalize statics - better readability of conditions
|
||||
if (is_null($alpwchange_val) || (string)$alpwchange_val === '0')
|
||||
{
|
||||
$backend_class = 'auth_'.$GLOBALS['egw_info']['server']['auth_type'];
|
||||
$backend = new $backend_class;
|
||||
// this may change behavior, as it should detect forced PasswordChanges from your Authentication System too.
|
||||
// on the other side, if your auth system does not require an forcedPasswordChange, you will not be asked.
|
||||
if (method_exists($backend,'getLastPwdChange'))
|
||||
{
|
||||
$alpwchange_val = $backend->getLastPwdChange($GLOBALS['egw']->session->account_lid);
|
||||
$pwdTsChecked = true;
|
||||
}
|
||||
// if your authsystem does not provide that information, its likely, that you cannot change your password there,
|
||||
// thus checking for expiration, is not needed
|
||||
if ($alpwchange_val === false)
|
||||
{
|
||||
$alpwchange_val = null;
|
||||
}
|
||||
//error_log(__METHOD__.__LINE__.'#'.$alpwchange_val.'# is null:'.is_null($alpwchange_val).'# is empty:'.empty($alpwchange_val).'# is set:'.isset($alpwchange_val));
|
||||
}
|
||||
}
|
||||
static $passwordAgeBorder=null;
|
||||
static $daysLeftUntilChangeReq=null;
|
||||
|
||||
// if neither timestamp isset return true, nothing to do (exept this means the password is too old)
|
||||
if (is_null($alpwchange_val) &&
|
||||
empty($GLOBALS['egw_info']['server']['change_pwd_every_x_days']))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
if (is_null($passwordAgeBorder) && $GLOBALS['egw_info']['server']['change_pwd_every_x_days'])
|
||||
{
|
||||
$passwordAgeBorder = (egw_time::to('now','ts')-($GLOBALS['egw_info']['server']['change_pwd_every_x_days']*86400));
|
||||
}
|
||||
if (is_null($daysLeftUntilChangeReq) && $GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'])
|
||||
{
|
||||
// maxage - passwordage = days left until change is required
|
||||
$daysLeftUntilChangeReq = ($GLOBALS['egw_info']['server']['change_pwd_every_x_days'] - ((egw_time::to('now','ts')-($alpwchange_val?$alpwchange_val:0))/86400));
|
||||
}
|
||||
if ($alpwchange_val == 0 || // admin requested password change
|
||||
$passwordAgeBorder > $alpwchange_val || // change password every N days policy requests change
|
||||
// user should be warned N days in advance about change and is not yet
|
||||
$GLOBALS['egw_info']['server']['change_pwd_every_x_days'] &&
|
||||
$GLOBALS['egw_info']['user']['apps']['preferences'] &&
|
||||
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] &&
|
||||
$GLOBALS['egw_info']['server']['warn_about_upcoming_pwd_change'] > $daysLeftUntilChangeReq &&
|
||||
$UserKnowsAboutPwdChange !== true)
|
||||
{
|
||||
if ($alpwchange_val == 0)
|
||||
{
|
||||
$message = lang('An admin required that you must change your password upon login.');
|
||||
}
|
||||
elseif ($passwordAgeBorder > $alpwchange_val && $alpwchange_val > 0)
|
||||
{
|
||||
error_log(__METHOD__.' Password of '.$GLOBALS['egw_info']['user']['account_lid'].' ('.$GLOBALS['egw_info']['user']['account_fullname'].') is of old age.'.array2string(array(
|
||||
'ts'=> $alpwchange_val,
|
||||
'date'=>egw_time::to($alpwchange_val))));
|
||||
$message = lang('It has been more then %1 days since you changed your password',$GLOBALS['egw_info']['server']['change_pwd_every_x_days']);
|
||||
}
|
||||
else
|
||||
{
|
||||
// login page does not inform user about passwords about to expire
|
||||
if ($GLOBALS['egw_info']['flags']['currentapp'] != 'login' &&
|
||||
($GLOBALS['egw_info']['flags']['currentapp'] != 'home' ||
|
||||
strpos($_SERVER['SCRIPT_NAME'], '/home/') !== false))
|
||||
{
|
||||
$UserKnowsAboutPwdChange = true;
|
||||
}
|
||||
$message = lang('Your password is about to expire in %1 days, you may change your password now',round($daysLeftUntilChangeReq));
|
||||
// user has no rights to change password --> do NOT warn, as only forced check ignores rights
|
||||
if ($GLOBALS['egw']->acl->check('nopasswordchange', 1, 'preferences')) return true;
|
||||
return null;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Retired password check method called all over the place
|
||||
*
|
||||
@ -165,621 +30,14 @@ class auth
|
||||
{
|
||||
return true; // no change
|
||||
}
|
||||
|
||||
/**
|
||||
* fetch the last pwd change for the user
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @return mixed false or shadowlastchange*24*3600
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (method_exists($this->backend,'getLastPwdChange')) return $this->backend->getLastPwdChange($username);
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* changes account_lastpwd_change in ldap datababse
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
{
|
||||
if (method_exists($this->backend,'setLastPwdChange')) return $this->backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* password authentication against password stored in sql datababse
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
return $this->backend->authenticate($username, $passwd, $passwd_type);
|
||||
}
|
||||
|
||||
/**
|
||||
* Calls crackcheck to enforce password strength (if configured) and changes password
|
||||
*
|
||||
* @param string $old_passwd must be cleartext
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @throws egw_exception_wrong_userinput if configured password strength is not meat
|
||||
* @throws Exception from backends having extra requirements
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if (($err = self::crackcheck($new_passwd,null,null,null,$account_id)))
|
||||
{
|
||||
throw new egw_exception_wrong_userinput($err);
|
||||
}
|
||||
if (($ret = $this->backend->change_password($old_passwd, $new_passwd, $account_id)))
|
||||
{
|
||||
if ($account_id == $GLOBALS['egw']->session->account_id)
|
||||
{
|
||||
// need to change current users password in session
|
||||
egw_cache::setSession('phpgwapi', 'password', base64_encode($new_passwd));
|
||||
$GLOBALS['egw_info']['user']['passwd'] = $new_passwd;
|
||||
$GLOBALS['egw_info']['user']['account_lastpwd_change'] = egw_time::to('now','ts');
|
||||
// invalidate EGroupware session, as password is stored in egw_info in session
|
||||
egw::invalidate_session_cache();
|
||||
}
|
||||
accounts::cache_invalidate($account_id);
|
||||
// run changepwasswd hook
|
||||
$GLOBALS['hook_values'] = array(
|
||||
'account_id' => $account_id,
|
||||
'account_lid' => accounts::id2name($account_id),
|
||||
'old_passwd' => $old_passwd,
|
||||
'new_passwd' => $new_passwd,
|
||||
);
|
||||
$GLOBALS['egw']->hooks->process($GLOBALS['hook_values']+array(
|
||||
'location' => 'changepassword'
|
||||
),False,True); // called for every app now, not only enabled ones)
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* return a random string of letters [0-9a-zA-Z] of size $size
|
||||
*
|
||||
* @param $size int-size of random string to return
|
||||
*/
|
||||
static function randomstring($size)
|
||||
{
|
||||
static $random_char = array(
|
||||
'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
|
||||
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
|
||||
'w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L',
|
||||
'M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'
|
||||
);
|
||||
|
||||
$s = '';
|
||||
for ($i=0; $i<$size; $i++)
|
||||
{
|
||||
$s .= $random_char[mt_rand(1,61)];
|
||||
}
|
||||
return $s;
|
||||
}
|
||||
|
||||
/**
|
||||
* encrypt password
|
||||
*
|
||||
* uses the encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param $password password to encrypt
|
||||
*/
|
||||
static function encrypt_password($password,$sql=False)
|
||||
{
|
||||
if($sql)
|
||||
{
|
||||
return self::encrypt_sql($password);
|
||||
}
|
||||
return self::encrypt_ldap($password);
|
||||
}
|
||||
|
||||
/**
|
||||
* compares an encrypted password
|
||||
*
|
||||
* encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param string $cleartext cleartext password
|
||||
* @param string $encrypted encrypted password, can have a {hash} prefix, which overrides $type
|
||||
* @param string $type_in type of encryption
|
||||
* @param string $username used as optional key of encryption for md5_hmac
|
||||
* @param string &$type =null on return detected type of hash
|
||||
* @return boolean
|
||||
*/
|
||||
static function compare_password($cleartext, $encrypted, $type_in, $username='', &$type=null)
|
||||
{
|
||||
// allow to specify the hash type to prefix the hash, to easy migrate passwords from ldap
|
||||
$type = $type_in;
|
||||
$saved_enc = $encrypted;
|
||||
$matches = null;
|
||||
if (preg_match('/^\\{([a-z_5]+)\\}(.+)$/i',$encrypted,$matches))
|
||||
{
|
||||
$type = strtolower($matches[1]);
|
||||
$encrypted = $matches[2];
|
||||
|
||||
switch($type) // some hashs are specially "packed" in ldap
|
||||
{
|
||||
case 'md5':
|
||||
$encrypted = implode('',unpack('H*',base64_decode($encrypted)));
|
||||
break;
|
||||
case 'plain':
|
||||
case 'crypt':
|
||||
// nothing to do
|
||||
break;
|
||||
default:
|
||||
$encrypted = $saved_enc;
|
||||
break;
|
||||
}
|
||||
}
|
||||
elseif($encrypted[0] == '$')
|
||||
{
|
||||
$type = 'crypt';
|
||||
}
|
||||
|
||||
switch($type)
|
||||
{
|
||||
case 'plain':
|
||||
$ret = $cleartext === $encrypted;
|
||||
break;
|
||||
case 'smd5':
|
||||
$ret = self::smd5_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'sha':
|
||||
$ret = self::sha_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'ssha':
|
||||
$ret = self::ssha_compare($cleartext,$encrypted);
|
||||
break;
|
||||
case 'crypt':
|
||||
case 'des':
|
||||
case 'md5_crypt':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
case 'blowfish_crypt':
|
||||
case 'ext_crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
$ret = self::crypt_compare($cleartext, $encrypted, $type);
|
||||
break;
|
||||
case 'md5_hmac':
|
||||
$ret = self::md5_hmac_compare($cleartext,$encrypted,$username);
|
||||
break;
|
||||
default:
|
||||
$type = 'md5';
|
||||
// fall through
|
||||
case 'md5':
|
||||
$ret = md5($cleartext) === $encrypted;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$cleartext', '$encrypted', '$type_in', '$username') type='$type' returning ".array2string($ret));
|
||||
return $ret;
|
||||
}
|
||||
|
||||
/**
|
||||
* Parameters used for crypt: const name, salt prefix, len of random salt, postfix
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
static $crypt_params = array( //
|
||||
'crypt' => array('CRYPT_STD_DES', '', 2, ''),
|
||||
'ext_crypt' => array('CRYPT_EXT_DES', '_J9..', 4, ''),
|
||||
'md5_crypt' => array('CRYPT_MD5', '$1$', 8, '$'),
|
||||
//'old_blowfish_crypt' => array('CRYPT_BLOWFISH', '$2$', 13, ''), // old blowfish hash not in line with php.net docu, but could be in use
|
||||
'blowfish_crypt' => array('CRYPT_BLOWFISH', '$2a$12$', 22, ''), // $2a$12$ = 2^12 = 4096 rounds
|
||||
'sha256_crypt' => array('CRYPT_SHA256', '$5$', 16, '$'), // no "round=N$" --> default of 5000 rounds
|
||||
'sha512_crypt' => array('CRYPT_SHA512', '$6$', 16, '$'), // no "round=N$" --> default of 5000 rounds
|
||||
);
|
||||
|
||||
/**
|
||||
* compare crypted passwords for authentication whether des,ext_des,md5, or blowfish crypt
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value / hash (from database)
|
||||
* @param string &$type detected crypt type on return
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function crypt_compare($form_val, $db_val, &$type)
|
||||
{
|
||||
// detect type of hash by salt part of $db_val
|
||||
list($first, $dollar, $salt, $salt2) = explode('$', $db_val);
|
||||
foreach(self::$crypt_params as $type => $params)
|
||||
{
|
||||
list(,$prefix, $random, $postfix) = $params;
|
||||
list(,$d) = explode('$', $prefix);
|
||||
if ($dollar === $d || !$dollar && ($first[0] === $prefix[0] || $first[0] !== '_' && !$prefix))
|
||||
{
|
||||
$len = !$postfix ? strlen($prefix)+$random : strlen($prefix.$salt.$postfix);
|
||||
// sha(256|512) might contain options, explicit $rounds=N$ prefix in salt
|
||||
if (($type == 'sha256_crypt' || $type == 'sha512_crypt') && substr($salt, 0, 7) === 'rounds=')
|
||||
{
|
||||
$len += strlen($salt2)+1;
|
||||
}
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
$full_salt = substr($db_val, 0, $len);
|
||||
$new_hash = crypt($form_val, $full_salt);
|
||||
//error_log(__METHOD__."('$form_val', '$db_val') type=$type --> len=$len --> salt='$full_salt' --> new_hash='$new_hash' returning ".array2string($db_val === $new_hash));
|
||||
|
||||
return $db_val === $new_hash;
|
||||
}
|
||||
|
||||
/**
|
||||
* encrypt password for ldap
|
||||
*
|
||||
* uses the encryption type set in setup and calls the appropriate encryption functions
|
||||
*
|
||||
* @param string $password password to encrypt
|
||||
* @param string $type =null default to $GLOBALS['egw_info']['server']['ldap_encryption_type']
|
||||
* @return string
|
||||
*/
|
||||
static function encrypt_ldap($password, $type=null)
|
||||
{
|
||||
if (is_null($type)) $type = $GLOBALS['egw_info']['server']['ldap_encryption_type'];
|
||||
|
||||
$salt = '';
|
||||
switch(strtolower($type))
|
||||
{
|
||||
default: // eg. setup >> config never saved
|
||||
case 'des':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
$type = $type == 'blowish_crypt' ? 'blowfish_crypt' : 'crypt';
|
||||
// fall through
|
||||
case 'crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
case 'blowfish_crypt':
|
||||
case 'md5_crypt':
|
||||
case 'ext_crypt':
|
||||
list($const, $prefix, $len, $postfix) = self::$crypt_params[$type];
|
||||
if(defined($const) && constant($const) == 1)
|
||||
{
|
||||
$salt = $prefix.self::randomstring($len).$postfix;
|
||||
$e_password = '{crypt}'.crypt($password, $salt);
|
||||
break;
|
||||
}
|
||||
self::$error = 'no '.str_replace('_', ' ', $type);
|
||||
$e_password = false;
|
||||
break;
|
||||
case 'md5':
|
||||
/* New method taken from the openldap-software list as recommended by
|
||||
* Kervin L. Pierre" <kervin@blueprint-tech.com>
|
||||
*/
|
||||
$e_password = '{md5}' . base64_encode(pack("H*",md5($password)));
|
||||
break;
|
||||
case 'smd5':
|
||||
$salt = self::randomstring(16);
|
||||
$hash = md5($password . $salt, true);
|
||||
$e_password = '{SMD5}' . base64_encode($hash . $salt);
|
||||
break;
|
||||
case 'sha':
|
||||
$e_password = '{SHA}' . base64_encode(sha1($password,true));
|
||||
break;
|
||||
case 'ssha':
|
||||
$salt = self::randomstring(16);
|
||||
$hash = sha1($password . $salt, true);
|
||||
$e_password = '{SSHA}' . base64_encode($hash . $salt);
|
||||
break;
|
||||
case 'plain':
|
||||
// if plain no type is prepended
|
||||
$e_password = $password;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$password', ".array2string($type).") returning ".array2string($e_password).(self::$error ? ' error='.self::$error : ''));
|
||||
return $e_password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a password for storage in the accounts table
|
||||
*
|
||||
* @param string $password
|
||||
* @param string $type =null default $GLOBALS['egw_info']['server']['sql_encryption_type']
|
||||
* @return string hash
|
||||
*/
|
||||
static function encrypt_sql($password, $type=null)
|
||||
{
|
||||
/* Grab configured type, or default to md5() (old method) */
|
||||
if (is_null($type))
|
||||
{
|
||||
$type = @$GLOBALS['egw_info']['server']['sql_encryption_type'] ?
|
||||
strtolower($GLOBALS['egw_info']['server']['sql_encryption_type']) : 'md5';
|
||||
}
|
||||
switch($type)
|
||||
{
|
||||
case 'plain':
|
||||
// since md5 is the default, type plain must be prepended, for eGroupware to understand
|
||||
$e_password = '{PLAIN}'.$password;
|
||||
break;
|
||||
|
||||
case 'md5':
|
||||
/* This is the old standard for password storage in SQL */
|
||||
$e_password = md5($password);
|
||||
break;
|
||||
|
||||
// all other types are identical to ldap, so no need to doublicate the code here
|
||||
case 'des':
|
||||
case 'blowish_crypt': // was for some time a typo in setup
|
||||
case 'crypt':
|
||||
case 'sha256_crypt':
|
||||
case 'sha512_crypt':
|
||||
case 'blowfish_crypt':
|
||||
case 'md5_crypt':
|
||||
case 'ext_crypt':
|
||||
case 'smd5':
|
||||
case 'sha':
|
||||
case 'ssha':
|
||||
$e_password = self::encrypt_ldap($password, $type);
|
||||
break;
|
||||
|
||||
default:
|
||||
self::$error = 'no valid encryption available';
|
||||
$e_password = false;
|
||||
break;
|
||||
}
|
||||
//error_log(__METHOD__."('$password') using '$type' returning ".array2string($e_password).(self::$error ? ' error='.self::$error : ''));
|
||||
return $e_password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get available password hashes sorted by securest first
|
||||
*
|
||||
* @param string &$securest =null on return securest available hash
|
||||
* @return array hash => label
|
||||
*/
|
||||
public static function passwdhashes(&$securest=null)
|
||||
{
|
||||
$hashes = array();
|
||||
|
||||
/* Check for available crypt methods based on what is defined by php */
|
||||
if(defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH == 1)
|
||||
{
|
||||
$hashes['blowfish_crypt'] = 'blowfish_crypt';
|
||||
}
|
||||
if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1)
|
||||
{
|
||||
$hashes['sha512_crypt'] = 'sha512_crypt';
|
||||
}
|
||||
if(defined('CRYPT_SHA256') && CRYPT_SHA256 == 1)
|
||||
{
|
||||
$hashes['sha256_crypt'] = 'sha256_crypt';
|
||||
}
|
||||
if(defined('CRYPT_MD5') && CRYPT_MD5 == 1)
|
||||
{
|
||||
$hashes['md5_crypt'] = 'md5_crypt';
|
||||
}
|
||||
if(defined('CRYPT_EXT_DES') && CRYPT_EXT_DES == 1)
|
||||
{
|
||||
$hashes['ext_crypt'] = 'ext_crypt';
|
||||
}
|
||||
$hashes += array(
|
||||
'ssha' => 'ssha',
|
||||
'smd5' => 'smd5',
|
||||
'sha' => 'sha',
|
||||
);
|
||||
if(@defined('CRYPT_STD_DES') && CRYPT_STD_DES == 1)
|
||||
{
|
||||
$hashes['crypt'] = 'crypt';
|
||||
}
|
||||
|
||||
$hashes += array(
|
||||
'md5' => 'md5',
|
||||
'plain' => 'plain',
|
||||
);
|
||||
|
||||
// mark the securest algorithm for the user
|
||||
list($securest) = each($hashes); reset($hashes);
|
||||
$hashes[$securest] .= ' ('.lang('securest').')';
|
||||
|
||||
return $hashes;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a given password is "safe"
|
||||
*
|
||||
* @link http://technet.microsoft.com/en-us/library/cc786468(v=ws.10).aspx
|
||||
* In contrary to whats documented in above link, windows seems to treet numbers as delimiters too.
|
||||
*
|
||||
* Windows compatible check is $reqstrength=3, $minlength=7, $forbid_name=true
|
||||
*
|
||||
* @param string $passwd
|
||||
* @param int $reqstrength =null defaults to whatever set in config for "force_pwd_strength"
|
||||
* @param int $minlength =null defaults to whatever set in config for "check_save_passwd"
|
||||
* @param string $forbid_name =null if "yes" username or full-name split by delimiters AND longer then 3 chars are
|
||||
* forbidden to be included in password, default to whatever set in config for "passwd_forbid_name"
|
||||
* @param array|int $account =null array with account_lid and account_fullname or account_id for $forbid_name check
|
||||
* @return mixed false if password is considered "safe" (or no requirements) or a string $message if "unsafe"
|
||||
*/
|
||||
static function crackcheck($passwd, $reqstrength=null, $minlength=null, $forbid_name=null, $account=null)
|
||||
{
|
||||
if (!isset($reqstrength)) $reqstrength = $GLOBALS['egw_info']['server']['force_pwd_strength'];
|
||||
if (!isset($minlength)) $minlength = $GLOBALS['egw_info']['server']['force_pwd_length'];
|
||||
if (!isset($forbid_name)) $forbid_name = $GLOBALS['egw_info']['server']['passwd_forbid_name'];
|
||||
|
||||
// load preferences translations, as changepassword get's called from admin too
|
||||
translation::add_app('preferences');
|
||||
|
||||
// check for and if necessary convert old values True and 5 to new separate values for length and char-classes
|
||||
if ($GLOBALS['egw_info']['server']['check_save_passwd'] || $reqstrength == 5)
|
||||
{
|
||||
if (!isset($reqstrength) || $reqstrength == 5)
|
||||
{
|
||||
config::save_value('force_pwd_strength', $reqstrength=4, 'phpgwapi');
|
||||
}
|
||||
if (!isset($minlength))
|
||||
{
|
||||
config::save_value('force_pwd_length', $minlength=7, 'phpgwapi');
|
||||
}
|
||||
config::save_value('check_save_passwd', null, 'phpgwapi');
|
||||
}
|
||||
|
||||
$errors = array();
|
||||
|
||||
if ($minlength && strlen($passwd) < $minlength)
|
||||
{
|
||||
$errors[] = lang('password must have at least %1 characters', $minlength);
|
||||
}
|
||||
|
||||
if ($forbid_name === 'yes')
|
||||
{
|
||||
if (!$account || !is_array($account) && !($account = $GLOBALS['egw']->accounts->read($account)))
|
||||
{
|
||||
throw new egw_exception_wrong_parameter('crackcheck(..., forbid_name=true, account) requires account-data!');
|
||||
}
|
||||
$parts = preg_split("/[,._ \t0-9-]+/", $account['account_fullname'].','.$account['account_lid']);
|
||||
foreach($parts as $part)
|
||||
{
|
||||
if (strlen($part) > 2 && stripos($passwd, $part) !== false)
|
||||
{
|
||||
$errors[] = lang('password contains with "%1" a parts of your user- or full-name (3 or more characters long)', $part);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($reqstrength)
|
||||
{
|
||||
$missing = array();
|
||||
if (!preg_match('/(.*\d.*){'. ($non=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('numbers');
|
||||
}
|
||||
if (!preg_match('/(.*[[:upper:]].*){'. ($nou=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('uppercase letters');
|
||||
}
|
||||
if (!preg_match('/(.*[[:lower:]].*){'. ($nol=1). ',}/',$passwd))
|
||||
{
|
||||
$missing[] = lang('lowercase letters');
|
||||
}
|
||||
if (!preg_match('/['.preg_quote('~!@#$%^&*_-+=`|\(){}[]:;"\'<>,.?/', '/').']/', $passwd))
|
||||
{
|
||||
$missing[] = lang('special characters');
|
||||
}
|
||||
if (4 - count($missing) < $reqstrength)
|
||||
{
|
||||
$errors[] = lang('password contains only %1 of required %2 character classes: no %3',
|
||||
4-count($missing), $reqstrength, implode(', ', $missing));
|
||||
}
|
||||
}
|
||||
if ($errors)
|
||||
{
|
||||
return lang('Your password does not have required strength:').
|
||||
"<br/>\n- ".implode("<br/>\n- ", $errors);
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SMD5-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function smd5_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SMD5} */
|
||||
$hash = base64_decode(substr($db_val,6));
|
||||
|
||||
/* SMD5 hashes are 16 bytes long */
|
||||
$orig_hash = cut_bytes($hash, 0, 16); // binary string need to use cut_bytes, not mb_substr(,,'utf-8')!
|
||||
$salt = cut_bytes($hash, 16);
|
||||
|
||||
$new_hash = md5($form_val . $salt,true);
|
||||
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
|
||||
|
||||
return strcmp($orig_hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SHA-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function sha_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SHA} */
|
||||
$hash = base64_decode(substr($db_val,5));
|
||||
$new_hash = sha1($form_val,true);
|
||||
//echo '<br> DB: ' . base64_encode($orig_hash) . '<br>FORM: ' . base64_encode($new_hash);
|
||||
|
||||
return strcmp($hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare SSHA-encrypted passwords for authentication
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function ssha_compare($form_val,$db_val)
|
||||
{
|
||||
/* Start with the first char after {SSHA} */
|
||||
$hash = base64_decode(substr($db_val, 6));
|
||||
|
||||
// SHA-1 hashes are 160 bits long
|
||||
$orig_hash = cut_bytes($hash, 0, 20); // binary string need to use cut_bytes, not mb_substr(,,'utf-8')!
|
||||
$salt = cut_bytes($hash, 20);
|
||||
$new_hash = sha1($form_val . $salt,true);
|
||||
|
||||
//error_log(__METHOD__."('$form_val', '$db_val') hash='$hash', orig_hash='$orig_hash', salt='$salt', new_hash='$new_hash' returning ".array2string(strcmp($orig_hash,$new_hash) == 0));
|
||||
return strcmp($orig_hash,$new_hash) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* compare md5_hmac-encrypted passwords for authentication (see RFC2104)
|
||||
*
|
||||
* @param string $form_val user input value for comparison
|
||||
* @param string $db_val stored value (from database)
|
||||
* @param string $_key key for md5_hmac-encryption (username for imported smf users)
|
||||
* @return boolean True on successful comparison
|
||||
*/
|
||||
static function md5_hmac_compare($form_val,$db_val,$_key)
|
||||
{
|
||||
$key = str_pad(strlen($_key) <= 64 ? $_key : pack('H*', md5($_key)), 64, chr(0x00));
|
||||
$md5_hmac = md5(($key ^ str_repeat(chr(0x5c), 64)) . pack('H*', md5(($key ^ str_repeat(chr(0x36), 64)). $form_val)));
|
||||
|
||||
return strcmp($md5_hmac,$db_val) == 0;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Interface for authentication backend
|
||||
* @deprecated use Api\Auth\Backend
|
||||
*/
|
||||
interface auth_backend
|
||||
{
|
||||
/**
|
||||
* password authentication against password stored in sql datababse
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @param string $passwd_type ='text' 'text' for cleartext passwords (default)
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text');
|
||||
interface auth_backend extends Api\Auth\Backend {}
|
||||
|
||||
/**
|
||||
* changes password in sql datababse
|
||||
*
|
||||
* @param string $old_passwd must be cleartext
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @throws Exception to give a verbose error, why changing password failed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0);
|
||||
}
|
||||
/**
|
||||
* @deprecated use Api\Auth\Fallback
|
||||
*/
|
||||
class auth_fallback extends Api\Auth\Fallback {}
|
||||
|
@ -1,139 +0,0 @@
|
||||
<?php
|
||||
/**
|
||||
* eGroupWare API - mail Authentication with fallback to SQL
|
||||
*
|
||||
* @link http://www.egroupware.org
|
||||
* @author Ralf Becker <ralfbecker@outdoor-training.de>
|
||||
* @license http://opensource.org/licenses/lgpl-license.php LGPL - GNU Lesser General Public License
|
||||
* @package api
|
||||
* @subpackage authentication
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
/**
|
||||
* Authentication agains a mail Server with fallback to SQL
|
||||
*
|
||||
* For other fallback types, simply change auth backends in constructor call
|
||||
*/
|
||||
class auth_fallbackmail2sql implements auth_backend
|
||||
{
|
||||
/**
|
||||
* Primary auth backend
|
||||
*
|
||||
* @var auth_backend
|
||||
*/
|
||||
private $primary_backend;
|
||||
|
||||
/**
|
||||
* Fallback auth backend
|
||||
*
|
||||
* @var auth_backend
|
||||
*/
|
||||
private $fallback_backend;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*/
|
||||
function __construct($primary='auth_mail',$fallback='auth_sql')
|
||||
{
|
||||
$this->primary_backend = new $primary;
|
||||
|
||||
$this->fallback_backend = new $fallback;
|
||||
}
|
||||
|
||||
/**
|
||||
* authentication against LDAP with fallback to SQL
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @param string $passwd corresponding password
|
||||
* @return boolean true if successful authenticated, false otherwise
|
||||
*/
|
||||
function authenticate($username, $passwd, $passwd_type='text')
|
||||
{
|
||||
if ($this->primary_backend->authenticate($username, $passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'primary');
|
||||
return true;
|
||||
}
|
||||
if ($this->fallback_backend->authenticate($username,$passwd, $passwd_type))
|
||||
{
|
||||
egw_cache::setInstance(__CLASS__,'backend_used-'.$username,'fallback');
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* changes password in LDAP
|
||||
*
|
||||
* If $old_passwd is given, the password change is done binded as user and NOT with the
|
||||
* "root" dn given in the configurations.
|
||||
*
|
||||
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||
* @param string $new_passwd must be cleartext
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @return boolean true if password successful changed, false otherwise
|
||||
*/
|
||||
function change_password($old_passwd, $new_passwd, $account_id=0)
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
return $this->fallback_backend->change_password($old_passwd, $new_passwd, $account_id);
|
||||
}
|
||||
|
||||
/**
|
||||
* fetch the last pwd change for the user
|
||||
*
|
||||
* @param string $username username of account to authenticate
|
||||
* @return mixed false or account_lastpwd_change
|
||||
*/
|
||||
function getLastPwdChange($username)
|
||||
{
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'getLastPwdChange')) return $this->fallback_backend->getLastPwdChange($username);
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* changes account_lastpwd_change in sql datababse
|
||||
*
|
||||
* @param int $account_id account id of user whose passwd should be changed
|
||||
* @param string $passwd must be cleartext, usually not used, but may be used to authenticate as user to do the change -> ldap
|
||||
* @param int $lastpwdchange must be a unixtimestamp
|
||||
* @return boolean true if account_lastpwd_change successful changed, false otherwise
|
||||
*/
|
||||
function setLastPwdChange($account_id=0, $passwd=NULL, $lastpwdchange=NULL)
|
||||
{
|
||||
if(!$account_id || $GLOBALS['egw_info']['flags']['currentapp'] == 'login')
|
||||
{
|
||||
$admin = False;
|
||||
$account_id = $GLOBALS['egw_info']['user']['account_id'];
|
||||
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||
}
|
||||
else
|
||||
{
|
||||
$username = $GLOBALS['egw']->accounts->id2name($account_id);
|
||||
}
|
||||
if (egw_cache::getInstance(__CLASS__,'backend_used-'.$username) == 'primary')
|
||||
{
|
||||
return false;
|
||||
}
|
||||
if (method_exists($this->fallback_backend,'setLastPwdChange')) return $this->fallback_backend->setLastPwdChange($account_id, $passwd, $lastpwdchange);
|
||||
return false;
|
||||
}
|
||||
}
|
@ -250,16 +250,16 @@ class common
|
||||
/**
|
||||
* connect to the ldap server and return a handle
|
||||
*
|
||||
* @deprecated use Api\Ldap::ldapConnect()
|
||||
* @param $host ldap host
|
||||
* @param $dn ldap_root_dn
|
||||
* @param $passwd ldap_root_pw
|
||||
* @deprecated use Api\Ldap::factory(true, $host, $dn, $passwd)
|
||||
* @param string $host ='' ldap host
|
||||
* @param string $dn ='' ldap_root_dn
|
||||
* @param string $passwd ='' ldap_root_pw
|
||||
* @return resource
|
||||
*/
|
||||
static function ldapConnect($host='', $dn='', $passwd='')
|
||||
{
|
||||
// use Lars new ldap class
|
||||
return $GLOBALS['egw']->ldap->ldapConnect($host,$dn,$passwd);
|
||||
return Api\Ldap::factory(true, $host, $dn, $passwd);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -287,22 +287,11 @@ class common
|
||||
* return a random string of size $size
|
||||
*
|
||||
* @param $size int-size of random string to return
|
||||
* @deprecated use Api\Auth::randomstring($size)
|
||||
*/
|
||||
static function randomstring($size)
|
||||
{
|
||||
static $random_char = array(
|
||||
'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f',
|
||||
'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
|
||||
'w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L',
|
||||
'M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z'
|
||||
);
|
||||
|
||||
$s = '';
|
||||
for ($i=0; $i < $size; $i++)
|
||||
{
|
||||
$s .= $random_char[mt_rand(0,count($random_char)-1)];
|
||||
}
|
||||
return $s;
|
||||
return Api\Auth::randomstring($size);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -668,8 +668,9 @@ class egw_minimal
|
||||
'framework' => true, // special handling in __get()
|
||||
'template' => 'Template',
|
||||
// classes moved to new api dir
|
||||
'session' => 'EGroupware\Api\Session',
|
||||
'ldap' => 'EGroupware\Api\Ldap',
|
||||
'session' => 'EGroupware\\Api\\Session',
|
||||
'ldap' => true,
|
||||
'auth' => 'EGroupware\\Api\\Auth',
|
||||
);
|
||||
|
||||
/**
|
||||
@ -716,6 +717,8 @@ class egw_minimal
|
||||
return null;
|
||||
}
|
||||
return $this->template = new Template($tpl_dir);
|
||||
case 'ldap':
|
||||
return $this->ldap = Api\Ldap::factory(false);
|
||||
default:
|
||||
$class = isset(self::$sub_objects[$name]) ? self::$sub_objects[$name] : $name;
|
||||
break;
|
||||
|
@ -812,17 +812,12 @@ class setup_cmd_ldap extends setup_cmd
|
||||
{
|
||||
throw new Api\Exception\WrongUserInput(lang('You need to specify a password!'));
|
||||
}
|
||||
$this->test_ldap = new ldap();
|
||||
|
||||
$error_rep = error_reporting();
|
||||
error_reporting($error_rep & ~E_WARNING); // switch warnings of, in case they are on
|
||||
ob_start();
|
||||
$ds = $this->test_ldap->ldapConnect($host,$dn,$pw);
|
||||
ob_end_clean();
|
||||
error_reporting($error_rep);
|
||||
|
||||
if (!$ds)
|
||||
{
|
||||
try {
|
||||
$this->test_ldap = Api\Ldap::factory(false, $host, $dn, $pw);
|
||||
}
|
||||
catch (Api\Exception\NoPermission $e) {
|
||||
_egw_log_exception($e);
|
||||
throw new Api\Exception\WrongUserInput(lang('Can not connect to LDAP server on host %1 using DN %2!',
|
||||
$host,$dn).($this->test_ldap->ds ? ' ('.ldap_error($this->test_ldap->ds).')' : ''));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user