Example #1
 function test_cryptPassword()
 {
     // Each entry of $this->passes maps a hashing method to the hash expected
     // for the password 'foo<method>' when the salt 'abcdefgh' is supplied.
     foreach ($this->passes as $method => $hash) {
         // Record which method is being exercised before asserting on it.
         $this->signal('failinfo', "testing method {$method}");

         $password = 'foo' . $method;
         $computed = auth_cryptPassword($password, $method, 'abcdefgh');
         $this->assertEqual($computed, $hash);
     }
 }
 function test_verifySelf()
 {
     // Round trip for every configured method: hash 'foo<method>' without
     // passing a salt, then check that the result verifies against the same
     // password. Only the keys of $this->passes are used; the stored expected
     // hashes are ignored here.
     foreach ($this->passes as $method => $ignored) {
         $this->signal('failinfo', "testing method {$method}");

         $password = 'foo' . $method;
         $fresh = auth_cryptPassword($password, $method);
         $this->assertTrue(auth_verifyPassword($password, $fresh));
     }
 }
Example #3
 /**
  * Updates the user info in the database
  *
  * Updates a user's record in the database according to the changes
  * given in an array. The user name can only be changed if the new name
  * does not exist already. If the new user name exists, the update is
  * aborted and the database remains unchanged.
  *
  * The database connection must already be established for this
  * function to work. Otherwise it will return 'false'.
  *
  * The password will be crypted if necessary.
  *
  * @param  $changes  array of items to change as pairs of item and value
  * @param  $uid      user id of dataset to change, must be unique in DB
  * @return true on success or false on error
  *
  * @author Matthias Grimm <*****@*****.**>
  */
 function _updateUserInfo($changes, $uid)
 {
     $sql = $this->cnf['updateUser'] . " ";

     // Without an open database handle nothing can be updated.
     if (!$this->dbcon) {
         return false;
     }

     // NOTE(review): every value below is substituted into a configured SQL
     // template with str_replace(). Nothing in this method escapes or binds
     // $value or $uid, so the statement is only safe if the caller has
     // already escaped them - verify against the callers, or escape here
     // with the class's own escaping helper.
     $assignments = array();
     foreach ($changes as $item => $value) {
         // switch compares loosely, so keys are matched the same way an
         // == chain in the order user, name, pass, mail would match them.
         switch ($item) {
             case 'user':
                 // Renaming is refused when the new login is already taken;
                 // nothing has been written yet, so simply report failure.
                 if ($this->_getUserID($changes['user'])) {
                     return false;
                 }
                 $assignments[] = str_replace('%{user}', $value, $this->cnf['UpdateLogin']);
                 break;

             case 'name':
                 $assignments[] = str_replace('%{name}', $value, $this->cnf['UpdateName']);
                 break;

             case 'pass':
                 // With forwardClearPass set, the clear-text password is put
                 // into the statement unchanged; otherwise it is hashed first.
                 if (!$this->cnf['forwardClearPass']) {
                     $value = auth_cryptPassword($value);
                 }
                 $assignments[] = str_replace('%{pass}', $value, $this->cnf['UpdatePass']);
                 break;

             case 'mail':
                 $assignments[] = str_replace('%{email}', $value, $this->cnf['UpdateEmail']);
                 break;
         }
     }

     // Only run the statement when at least one known field was changed.
     if (count($assignments) > 0) {
         $sql .= implode(", ", $assignments);
         $sql .= " " . str_replace('%{uid}', $uid, $this->cnf['UpdateTarget']);

         // LIMIT 1 is appended for auth_mysql itself only, not for subclasses
         // (some PgSQL inheritance comp.).
         if (get_class($this) == 'auth_mysql') {
             $sql .= " LIMIT 1";
         }

         // NOTE(review): the result of _modifyDB() is discarded, so true is
         // returned even if the statement fails.
         $this->_modifyDB($sql);
     }

     return true;
 }
Example #4
 /**
  * Modify user data
  *
  * @author  Chris Smith <*****@*****.**>
  * @param   $user      nick of the user to be changed
  * @param   $changes   array of field/value pairs to be changed (password will be clear text)
  * @return  bool
  */
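 function modifyUser($user, $changes)
 {
     global $ACT;
     global $config_cascade;

     // Sanity checks: the user must already exist and there must be
     // something to change.
     $userinfo = $this->getUserData($user);
     if ($userinfo === false) {
         return false;
     }
     if (!is_array($changes) || !count($changes)) {
         return true;
     }

     // Merge the changes into the stored record. A new login name is kept
     // separately; a new password arrives in clear text and is hashed here.
     $newuser = $user;
     foreach ($changes as $field => $value) {
         if ($field == 'user') {
             $newuser = $value;
             continue;
         }
         if ($field == 'pass') {
             $value = auth_cryptPassword($value);
         }
         $userinfo[$field] = $value;
     }

     // NOTE(review): the fields are joined with ':' and ',' and terminated
     // with a newline without any escaping. A value containing ':' or a line
     // break would shift fields or add a line to the users file; this assumes
     // the caller has already stripped such characters - verify.
     $groups = implode(',', $userinfo['grps']);
     $userline = implode(
         ':',
         array($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $groups)
     ) . "\n";

     // The update is a delete followed by an append, not an atomic replace.
     if (!$this->deleteUsers(array($user))) {
         msg('Unable to modify user data. Please inform the Wiki-Admin', -1);
         return false;
     }
     if (!io_saveFile($config_cascade['plainauth.users']['default'], $userline, true)) {
         msg('There was an error modifying your user data. You should register again.', -1);
         // FIXME, user has been deleted but not recreated, should force a logout and redirect to login page
         // Assign the action; a bare comparison (==) here would be a no-op.
         $ACT = 'register';
         return false;
     }

     $this->users[$newuser] = $userinfo;
     return true;
 }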
Example #5
 /**
  * Modify user data
  *
  * @author  Chris Smith <*****@*****.**>
  * @param   string $user      nick of the user to be changed
  * @param   array  $changes   array of field/value pairs to be changed (password will be clear text)
  * @return  bool
  */
 public function modifyUser($user, $changes)
 {
     global $ACT;
     global $config_cascade;

     // The user has to exist already, otherwise there is nothing to modify.
     $userinfo = $this->getUserData($user);
     if ($userinfo === false) {
         msg($this->getLang('usernotexists'), -1);
         return false;
     }

     // An empty or non-array change set counts as a successful no-op.
     $hasChanges = is_array($changes) && count($changes);
     if (!$hasChanges) {
         return true;
     }

     // Fold the changes into the stored record. A new login name is tracked
     // separately; a new password arrives in clear text and is hashed here.
     $newuser = $user;
     foreach ($changes as $field => $value) {
         if ($field == 'user') {
             $newuser = $value;
         } else {
             $userinfo[$field] = ($field == 'pass') ? auth_cryptPassword($value) : $value;
         }
     }

     $userline = $this->_createUserLine(
         $newuser,
         $userinfo['pass'],
         $userinfo['name'],
         $userinfo['mail'],
         $userinfo['grps']
     );

     // Step 1 of the non-atomic update: drop the old entry.
     $deleted = $this->deleteUsers(array($user));
     if (!$deleted) {
         msg($this->getLang('writefail'), -1);
         return false;
     }

     // Step 2: append the rebuilt line to the users file.
     $saved = io_saveFile($config_cascade['plainauth.users']['default'], $userline, true);
     if (!$saved) {
         msg('There was an error modifying your user data. You should register again.', -1);
         // FIXME, user has been deleted but not recreated, should force a logout and redirect to login page
         // Should replace the delete/save hybrid modify with an atomic io_replaceInFile
         $ACT = 'register';
         return false;
     }

     $this->users[$newuser] = $userinfo;
     return true;
 }
Example #6
 /**
  * Modify user data
  *
  * @param   string $user nick of the user to be changed
  * @param   array $changes array of field/value pairs to be changed (password will be clear text)
  * @return  bool
  */
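 public function modifyUser($user, $changes)
 {
     // Run every statement inside one transaction so a failure at any step
     // leaves the stored user untouched.
     $this->pdo->beginTransaction();

     $olddata = $this->getUserData($user);
     // An unknown user yields no record; without this guard the statements
     // below would run with an empty parameter set.
     if (!$olddata) {
         goto FAIL;
     }
     $oldgroups = $olddata['grps'];
     unset($olddata['grps']);

     // changing the user name?
     if (isset($changes['user'])) {
         // refuse to rename onto a login that already exists
         if ($this->getUserData($changes['user'], false)) {
             goto FAIL;
         }
         $params = $olddata;
         $params['newlogin'] = $changes['user'];
         $ok = $this->_query($this->getConf('update-user-login'), $params);
         if ($ok === false) {
             goto FAIL;
         }
     }

     // changing the password?
     if (isset($changes['pass'])) {
         $params = $olddata;
         // Both the clear-text password and its hash are handed to the
         // configured statement.
         // NOTE(review): confirm that _query() and _debug() never log the
         // 'clear' parameter.
         $params['clear'] = $changes['pass'];
         $params['hash'] = auth_cryptPassword($changes['pass']);
         $ok = $this->_query($this->getConf('update-user-pass'), $params);
         if ($ok === false) {
             goto FAIL;
         }
     }

     // changing info?
     if (isset($changes['mail']) || isset($changes['name'])) {
         $params = $olddata;
         if (isset($changes['mail'])) {
             $params['mail'] = $changes['mail'];
         }
         if (isset($changes['name'])) {
             $params['name'] = $changes['name'];
         }
         $ok = $this->_query($this->getConf('update-user-info'), $params);
         if ($ok === false) {
             goto FAIL;
         }
     }

     // changing groups?
     if (isset($changes['grps'])) {
         $allgroups = $this->_selectGroups();

         // remove membership for previous groups
         foreach ($oldgroups as $group) {
             if (!in_array($group, $changes['grps']) && isset($allgroups[$group])) {
                 $ok = $this->_leaveGroup($olddata, $allgroups[$group]);
                 if ($ok === false) {
                     goto FAIL;
                 }
             }
         }

         // create all new groups that are missing
         $added = 0;
         foreach ($changes['grps'] as $group) {
             if (!isset($allgroups[$group])) {
                 $ok = $this->addGroup($group);
                 if ($ok === false) {
                     goto FAIL;
                 }
                 $added++;
             }
         }

         // reload group info so the newly created groups can be looked up
         if ($added > 0) {
             $allgroups = $this->_selectGroups();
         }

         // add membership for new groups
         foreach ($changes['grps'] as $group) {
             if (!in_array($group, $oldgroups)) {
                 $ok = $this->_joinGroup($olddata, $allgroups[$group]);
                 if ($ok === false) {
                     goto FAIL;
                 }
             }
         }
     }

     $this->pdo->commit();
     return true;

     // something went wrong, rollback
     FAIL:
     $this->pdo->rollBack();
     $this->_debug('Transaction rolled back', 0, __LINE__);
     msg($this->getLang('writefail'), -1);
     return false;
 }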
Example #7
/**
 * Verifies a cleartext password against a crypted hash
 *
 * The method and salt used for the crypted hash are determined automatically,
 * then the clear text password is crypted using the same method. If both hashes
 * match, true is returned, else false.
 *
 * @author  Andreas Gohr <*****@*****.**>
 * @return  bool
 */
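function auth_verifyPassword($clear, $crypt)
{
    // A missing or empty stored hash must never authenticate anyone.
    if (!is_string($crypt) || $crypt === '') {
        return false;
    }

    $method = '';
    $salt = '';

    // Determine the hashing method and salt from the stored hash: first by a
    // recognisable prefix, then by length, with plain crypt() as the fallback.
    $len = strlen($crypt);
    if (preg_match('/^\\$1\\$([^\\$]{0,8})\\$/', $crypt, $m)) {
        $method = 'smd5';
        $salt = $m[1];
    } elseif (preg_match('/^\\$apr1\\$([^\\$]{0,8})\\$/', $crypt, $m)) {
        $method = 'apr1';
        $salt = $m[1];
    } elseif (substr($crypt, 0, 6) == '{SSHA}') {
        $method = 'ssha';
        // the salt is whatever follows the first 20 bytes of the decoded value
        $salt = substr(base64_decode(substr($crypt, 6)), 20);
    } elseif ($len == 32) {
        $method = 'md5';
    } elseif ($len == 40) {
        $method = 'sha1';
    } elseif ($len == 16) {
        $method = 'mysql';
    } elseif ($len == 41 && $crypt[0] == '*') {
        $method = 'my411';
    } elseif ($len == 34) {
        $method = 'kmd5';
        // the whole stored hash is passed on as the salt for this method
        $salt = $crypt;
    } else {
        $method = 'crypt';
        $salt = substr($crypt, 0, 2);
    }

    // Hash the candidate the same way and compare.
    $computed = auth_cryptPassword($clear, $method, $salt);
    if (!is_string($computed)) {
        return false;
    }

    // Prefer a constant-time comparison so the time taken does not depend on
    // how many leading characters match; fall back to === where hash_equals()
    // is not available.
    if (function_exists('hash_equals')) {
        return hash_equals($crypt, $computed);
    }
    return $computed === $crypt;
}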
Example #8
 function test_bcrypt_self()
 {
     // Round trip: a freshly generated bcrypt hash must verify against the
     // password it was created from.
     $password = 'foobcrypt';
     $this->assertTrue(auth_verifyPassword($password, auth_cryptPassword($password, 'bcrypt')));
 }
Example #9
 /**
  * Modify user data
  *
  * @author  Chris Smith <*****@*****.**>
  * @param   string $user      nick of the user to be changed
  * @param   array  $changes   array of field/value pairs to be changed (password will be clear text)
  * @return  bool
  */
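 public function modifyUser($user, $changes)
 {
     global $ACT;
     global $config_cascade;

     // Sanity checks: the user must already exist and there must be
     // something to change.
     $userinfo = $this->getUserData($user);
     if ($userinfo === false) {
         msg($this->getLang('usernotexists'), -1);
         return false;
     }

     // don't modify protected users
     if (!empty($userinfo['protected'])) {
         msg(sprintf($this->getLang('protected'), hsc($user)), -1);
         return false;
     }

     if (!is_array($changes) || !count($changes)) {
         return true;
     }

     // Merge the changes into the stored record. A new login name is kept
     // separately; a new password arrives in clear text and is hashed here.
     $newuser = $user;
     foreach ($changes as $field => $value) {
         if ($field == 'user') {
             $newuser = $value;
             continue;
         }
         if ($field == 'pass') {
             $value = auth_cryptPassword($value);
         }
         $userinfo[$field] = $value;
     }

     $userline = $this->_createUserLine(
         $newuser,
         $userinfo['pass'],
         $userinfo['name'],
         $userinfo['mail'],
         $userinfo['grps']
     );

     // The login name goes into a regular expression that selects the line to
     // replace. Quote it so that characters such as '.' in a name are matched
     // literally and the pattern cannot select another user's line.
     $pattern = '/^' . preg_quote($user, '/') . ':/';
     if (!io_replaceInFile($config_cascade['plainauth.users']['default'], $pattern, $userline, true)) {
         msg('There was an error modifying your user data. You may need to register again.', -1);
         // FIXME, io functions should be fail-safe so existing data isn't lost
         $ACT = 'register';
         return false;
     }

     $this->users[$newuser] = $userinfo;
     return true;
 }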
Example #10
/**
 * Verifies a cleartext password against a crypted hash
 *
 * The method and salt used for the crypted hash are determined automatically,
 * then the clear text password is crypted using the same method. If both hashes
 * match, true is returned, else false.
 *
 * @author  Andreas Gohr <*****@*****.**>
 * @return  bool
 */
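function auth_verifyPassword($clear, $crypt)
{
    // A missing or empty stored hash must never authenticate anyone.
    if (!is_string($crypt) || $crypt === '') {
        return false;
    }

    $method = '';
    $salt = '';

    // Determine the hashing method and salt from the stored hash: first by a
    // recognisable prefix, then by length, with plain crypt() as the fallback.
    $len = strlen($crypt);
    if (substr($crypt, 0, 3) == '$1$') {
        $method = 'smd5';
        // The salt runs from offset 3 to the next '$', at most 8 characters.
        // Taking a fixed 8 characters would pull the delimiter and part of
        // the digest into the salt whenever the stored salt is shorter.
        $salt = substr($crypt, 3, min(8, strcspn($crypt, '$', 3)));
    } elseif (substr($crypt, 0, 6) == '{SSHA}') {
        $method = 'ssha';
        // the salt is whatever follows the first 20 bytes of the decoded value
        $salt = substr(base64_decode(substr($crypt, 6)), 20);
    } elseif ($len == 32) {
        $method = 'md5';
    } elseif ($len == 40) {
        $method = 'sha1';
    } elseif ($len == 16) {
        $method = 'mysql';
    } elseif ($len == 41 && $crypt[0] == '*') {
        $method = 'my411';
    } else {
        $method = 'crypt';
        $salt = substr($crypt, 0, 2);
    }

    // Hash the candidate the same way and compare.
    $computed = auth_cryptPassword($clear, $method, $salt);
    if (!is_string($computed)) {
        return false;
    }

    // Prefer a constant-time comparison so the time taken does not depend on
    // how many leading characters match; fall back to === where hash_equals()
    // is not available.
    if (function_exists('hash_equals')) {
        return hash_equals($crypt, $computed);
    }
    return $computed === $crypt;
}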
Example #11
 /**
  * Just checks against the $forum_user variable
  */
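 function trustExternal($user, $pass, $sticky = false)
 {
     global $USERINFO;
     global $lang;
     global $pun_user;

     // normalise the flag to a real boolean
     $sticky = (bool) $sticky;

     // someone used the login form
     if (!empty($user)) {
         if (!$this->checkPass($user, $pass)) {
             // invalid credentials - log off
             msg($lang['badlogin'], -1);
             auth_logoff();
             return false;
         }

         // a sticky login keeps the cookie for one year (31536000 seconds),
         // otherwise expiry 0 is passed
         $expire = $sticky ? time() + 31536000 : 0;
         $uinfo = $this->getUserData($user);

         // Hash once and reuse the value, so the cookie and the in-memory
         // user record carry the same hash.
         // NOTE(review): a password-derived value is handed to pun_setcookie();
         // what ends up in the cookie is not visible here - confirm it cannot
         // be replayed as a credential and that the cookie is set Secure and
         // HttpOnly.
         $hash = auth_cryptPassword($pass);
         pun_setcookie($uinfo['id'], $hash, $expire);

         $pun_user = array();
         $pun_user['password'] = $hash;
         $pun_user['username'] = $user;
         $pun_user['realname'] = $uinfo['name'];
         $pun_user['email'] = $uinfo['mail'];
         $pun_user['g_title'] = $uinfo['group'];
     }

     // empty() treats a missing 'is_guest'/'is_admmod' key like a false one,
     // which is the case for the record built above after a form login.
     if (isset($pun_user) && empty($pun_user['is_guest'])) {
         // okay we're logged in - set the globals
         $USERINFO['pass'] = $pun_user['password'];
         $USERINFO['name'] = $pun_user['realname'];
         $USERINFO['mail'] = $pun_user['email'];
         $USERINFO['grps'] = array($pun_user['g_title']);
         if (!empty($pun_user['is_admmod'])) {
             $USERINFO['grps'][] = 'admin';
         }

         // NOTE(review): the session id is not regenerated in this method
         // after a successful login - confirm that it happens elsewhere.
         $_SERVER['REMOTE_USER'] = $pun_user['username'];
         $_SESSION[DOKU_COOKIE]['auth']['user'] = $pun_user['username'];
         $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
         return true;
     }

     // to be sure
     auth_logoff();
     $USERINFO['grps'] = array();
     return false;
 }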