/**
 * Authenticates the user if authentication headers are present
 *
 * Our handling of the speedlimit here requires some explanation ...
 * Atompub clients will usually try to do everything without logging in first.
 * Since that would mean that we can't provide feeds for drafts, items with
 * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED).
 * That, however, means that every request from an Atompub client will count
 * as one failed login attempt. So doing a couple of requests in quick
 * succession will surely get the client blocked. Therefore
 * - a request without any login credentials counts as one failed login attempt
 * - a request with wrong login credentials counts as two failed login attempts
 * - if, after a successful login, we have only one failed attempt on record,
 *   we reset the speedlimit
 * This still ensures that
 * - repeated failed logins (without or with invalid credentials) will cause the
 *   client to be blocked eventually
 * - this can not be used for dictionary attacks
 *
 */
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
    $uid = '';
    $username = '';
    $password = '';
    $status = -1;
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = COM_applyBasicFilter($_SERVER['PHP_AUTH_USER']);
        $password = $_SERVER['PHP_AUTH_PW'];
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}'");
        }
        /** this does not work! *******************************************************
        
            } elseif (!empty($_SERVER['HTTP_X_WSSE']) &&
                    (strpos($_SERVER['HTTP_X_WSSE'], 'UsernameToken') !== false)) {
        
                // this is loosely based on a code snippet taken from Elgg (elgg.org)
        
                $wsse = str_replace('UsernameToken', '', $_SERVER['HTTP_X_WSSE']);
                $wsse = explode(',', $wsse);
        
                $username = '';
                $pwdigest = '';
                $created = '';
                $nonce = '';
        
                foreach ($wsse as $element) {
                    $element = explode('=', $element);
                    $key = array_shift($element);
                    if (count($element) == 1) {
                        $val = $element[0];
                    } else {
                        $val = implode('=', $element);
                    }
                    $key = trim($key);
                    $val = trim($val, "\x22\x27");
                    if ($key == 'Username') {
                        $username = COM_applyBasicFilter($val);
                    } elseif ($key == 'PasswordDigest') {
                        $pwdigest = $val;
                    } elseif ($key == 'Created') {
                        $created = $val;
                    } elseif ($key == 'Nonce') {
                        $nonce = $val;
                    }
                }
        
                if (!empty($username) && !empty($pwdigest) && !empty($created) &&
                        !empty($nonce)) {
        
                    $uname = DB_escapeString($username);
                    $pwd = DB_getItem($_TABLES['users'], 'passwd',
                                      "username = '******'");
                    // ... and here we would need the _unencrypted_ password
        
                    if (!empty($pwd)) {
                        $mydigest = pack('H*', sha1($nonce . $created . $pwd));
                        $mydigest = base64_encode($mydigest);
        
                        if ($pwdigest == $mydigest) {
                            $password = $pwd;
                        }
                    }
                }
        
                if ($WS_VERBOSE) {
                    COM_errorLog("WS: Attempting to log in user '$username' (via WSSE)");
                }
        
        ******************************************************************************/
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        /* PHP installed as CGI may not have access to authorization headers of
         * Apache. In that case, use .htaccess to store the auth header as
         * explained at
         * http://wiki.geeklog.net/wiki/index.php/Webservices_API#Authentication
         */
        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));
        $username = COM_applyBasicFilter($username);
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
        // fallthrough (see below)
    }
    COM_clearSpeedlimit($_CONF['login_speedlimit'], 'wsauth');
    if (COM_checkSpeedlimit('wsauth', $_CONF['login_attempts']) > 0) {
        WS_error(PLG_RET_PERMISSION_DENIED, 'Speed Limit exceeded');
    }
    if (!empty($username) && !empty($password)) {
        if ($_CONF['user_login_method']['3rdparty']) {
            // remote users will have to use username@servicename
            $u = explode('@', $username);
            if (count($u) > 1) {
                $sv = $u[count($u) - 1];
                if (!empty($sv)) {
                    $modules = SEC_collectRemoteAuthenticationModules();
                    foreach ($modules as $smod) {
                        if (strcasecmp($sv, $smod) == 0) {
                            array_pop($u);
                            // drop the service name
                            $uname = implode('@', $u);
                            $status = SEC_remoteAuthentication($uname, $password, $smod, $uid);
                            break;
                        }
                    }
                }
            }
        }
        if ($status == -1 && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($username, $password, $uid);
        }
    }
    if ($status == USER_ACCOUNT_ACTIVE) {
        $_USER = SESS_getUserDataFromId($uid);
        PLG_loginUser($_USER['uid']);
        // Global array of groups current user belongs to
        $_GROUPS = SEC_getUserGroups($_USER['uid']);
        // Global array of current user permissions [read,edit]
        $_RIGHTS = explode(',', SEC_getUserPermissions());
        if ($_CONF['restrict_webservices']) {
            if (!SEC_hasRights('webservices.atompub')) {
                COM_updateSpeedlimit('wsauth');
                if ($WS_VERBOSE) {
                    COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) does not have permission to use the webservices");
                }
                // reset user, groups, and rights, just in case ...
                $_USER = array();
                $_GROUPS = array();
                $_RIGHTS = array();
                WS_error(PLG_RET_AUTH_FAILED);
            }
        }
        if ($WS_VERBOSE) {
            COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in");
        }
        // if there were less than 2 failed login attempts, reset speedlimit
        if (COM_checkSpeedlimit('wsauth', 2) == 0) {
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Successful login - resetting speedlimit");
            }
            COM_resetSpeedlimit('wsauth');
        }
    } else {
        COM_updateSpeedlimit('wsauth');
        if (!empty($username) && !empty($password)) {
            COM_updateSpeedlimit('wsauth');
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts");
            }
        } elseif ($WS_VERBOSE) {
            COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt");
        }
        WS_error(PLG_RET_AUTH_FAILED);
    }
}
Beispiel #2
0
/* Authenticate the user IF credentials are present */
WS_authenticate();
/**
* Global array of groups current user belongs to
*/
if (!COM_isAnonUser()) {
    $_GROUPS = SEC_getUserGroups($_USER['uid']);
} else {
    $_GROUPS = SEC_getUserGroups(1);
}
/**
* Global array of current user permissions [read,edit]
*/
$_RIGHTS = explode(',', SEC_getUserPermissions());
switch ($_SERVER['REQUEST_METHOD']) {
    case 'POST':
        WS_post();
        break;
    case 'PUT':
        WS_put();
        break;
    case 'GET':
        WS_get();
        break;
    case 'DELETE':
        WS_delete();
        break;
    default:
        WS_error(PLG_RET_ERROR);
}
WS_writeSync();
Beispiel #3
0
/**
 * Authenticates the user if authentication headers are present
 *
 * Our handling of the speedlimit here requires some explanation ...
 * Atompub clients will usually try to do everything without logging in first.
 * Since that would mean that we can't provide feeds for drafts, items with
 * special permissions, etc. we ask them to log in (PLG_RET_AUTH_FAILED).
 * That, however, means that every request from an Atompub client will count
 * as one failed login attempt. So doing a couple of requests in quick
 * succession will surely get the client blocked. Therefore
 * - a request without any login credentials counts as one failed login attempt
 * - a request with wrong login credentials counts as two failed login attempts
 * - if, after a successful login, we have only one failed attempt on record,
 *   we reset the speedlimit
 * This still ensures that
 * - repeated failed logins (without or with invalid credentials) will cause the
 *   client to be blocked eventually
 * - this can not be used for dictionary attacks
 *
 */
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
    $uid = '';
    $username = '';
    $password = '';
    $status = -1;
    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];
        $username = COM_applyFilter($username);
        $password = COM_applyFilter($password);
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {
        /* PHP installed as CGI may not have access to authorization headers of
         * Apache. In that case, use .htaccess to store the auth header
         */
        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));
        $username = COM_applyFilter($username);
        $password = COM_applyFilter($password);
        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '{$username}' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }
        // fallthrough (see below)
    }
    COM_clearSpeedlimit($_CONF['login_speedlimit'], 'wsauth');
    if (COM_checkSpeedlimit('wsauth', $_CONF['login_attempts']) > 0) {
        WS_error(PLG_RET_PERMISSION_DENIED, 'Speed Limit exceeded');
    }
    if (!empty($username) && !empty($password)) {
        if ($_CONF['user_login_method']['3rdparty']) {
            // remote users will have to use username@servicename
            $u = explode('@', $username);
            if (count($u) > 1) {
                $sv = $u[count($u) - 1];
                if (!empty($sv)) {
                    $modules = SEC_collectRemoteAuthenticationModules();
                    foreach ($modules as $smod) {
                        if (strcasecmp($sv, $smod) == 0) {
                            array_pop($u);
                            // drop the service name
                            $uname = implode('@', $u);
                            $status = SEC_remoteAuthentication($uname, $password, $smod, $uid);
                            break;
                        }
                    }
                }
            }
        }
        if ($status == -1 && $_CONF['user_login_method']['standard']) {
            $status = SEC_authenticate($username, $password, $uid);
        }
    }
    if ($status == USER_ACCOUNT_ACTIVE) {
        $_USER = SESS_getUserDataFromId($uid);
        PLG_loginUser($_USER['uid']);
        // Global array of groups current user belongs to
        $_GROUPS = SEC_getUserGroups($_USER['uid']);
        // Global array of current user permissions [read,edit]
        $_RIGHTS = explode(',', SEC_getUserPermissions());
        if ($_CONF['restrict_webservices']) {
            if (!SEC_hasRights('webservices.atompub')) {
                COM_updateSpeedlimit('wsauth');
                if ($WS_VERBOSE) {
                    COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) does not have permission to use the webservices");
                }
                // reset user, groups, and rights, just in case ...
                $_USER = array();
                $_GROUPS = array();
                $_RIGHTS = array();
                WS_error(PLG_RET_AUTH_FAILED);
            }
        }
        if ($WS_VERBOSE) {
            COM_errorLog("WS: User '{$_USER['username']}' ({$_USER['uid']}) successfully logged in");
        }
        // if there were less than 2 failed login attempts, reset speedlimit
        if (COM_checkSpeedlimit('wsauth', 2) == 0) {
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Successful login - resetting speedlimit");
            }
            COM_resetSpeedlimit('wsauth');
        }
    } else {
        COM_updateSpeedlimit('wsauth');
        if (!empty($username) && !empty($password)) {
            COM_updateSpeedlimit('wsauth');
            if ($WS_VERBOSE) {
                COM_errorLog("WS: Wrong login credentials - counting as 2 failed attempts");
            }
        } elseif ($WS_VERBOSE) {
            COM_errorLog("WS: Empty login credentials - counting as 1 failed attempt");
        }
        WS_error(PLG_RET_AUTH_FAILED);
    }
}