/** * Returns a specific principal, specified by it's path. * * @param string $path * @return array */ public function getPrincipalByPath($path) { list($prefix, $user) = DAV\URLUtil::splitPath($path); if ($prefix != 'principals') { throw new DAV\Exception\NotFound('Invalid principal prefix path ' . $prefix); } if ($this->_auth->hasCapability('list') && !$this->_auth->exists($user) && $user != '-system-') { throw new DAV\Exception\NotFound('User ' . $user . ' does not exist'); } return $this->_getUserInfo($user); }
/** * Set authentication credentials in the Horde session. * * @return boolean True on success, false on failure. */ protected function _setAuth() { global $registry; if ($registry->isAuthenticated(array('app' => $this->_app, 'notransparent' => true))) { return true; } /* Grab the current language before we destroy the session. */ $language = $registry->preferredLang(); /* Destroy any existing session on login and make sure to use a * new session ID, to avoid session fixation issues. */ if (($userId = $registry->getAuth()) === false) { $GLOBALS['session']->clean(); $userId = $this->getCredential('userId'); } $credentials = $this->getCredential('credentials'); try { list(, $credentials) = $this->runHook($userId, $credentials, 'postauthenticate'); } catch (Horde_Auth_Exception $e) { return false; } $registry->setAuth($userId, $credentials, array('app' => $this->_app, 'change' => $this->getCredential('change'), 'language' => $language)); /* Only set the view mode on initial authentication */ if (!$GLOBALS['session']->exists('horde', 'view')) { $this->_setView(); } if ($this->_base && isset($GLOBALS['notification']) && ($expire = $this->_base->getCredential('expire'))) { $toexpire = ($expire - time()) / 86400; $GLOBALS['notification']->push(sprintf(Horde_Core_Translation::ngettext("%d day until your password expires.", "%d days until your password expires.", $toexpire), $toexpire), 'horde.warning'); } return true; }
/** * Authenticate to Horde * * @param string $username The username to authenticate as (as passed by * the device). * @param string $password The password * @param string $domain The user domain (unused in this driver). * * @return mixed Boolean true on success, boolean false on credential * failure or Horde_ActiveSync::AUTH_REASON_* * constant on policy failure. */ public function authenticate($username, $password, $domain = null) { global $injector, $conf; $this->_logger->info(sprintf('[%s] Horde_Core_ActiveSync_Driver::authenticate() attempt for %s', $this->_pid, $username)); // First try transparent/X509. Happens for authtype == 'cert' || 'basic_cert' if ($conf['activesync']['auth']['type'] != 'basic') { if (!$this->_auth->transparent()) { $injector->getInstance('Horde_Log_Logger')->notice(sprintf('Login failed ActiveSync client certificate for user %s.', $username)); return false; } if ($username != $GLOBALS['registry']->getAuth()) { $injector->getInstance('Horde_Log_Logger')->notice(sprintf('Access granted based on transparent authentication of user %s, but ActiveSync client is requesting access for %s.', $GLOBALS['registry']->getAuth(), $username)); $GLOBALS['registry']->clearAuth(); return false; } $this->_logger->info(sprintf('Access granted based on transparent authentication for %s. Client certificate name: %s', $GLOBALS['registry']->getAuth(), $username)); } // Now check Basic. Happens for authtype == 'basic' || 'basic_cert' if ($conf['activesync']['auth']['type'] != 'cert' && !$this->_auth->authenticate($username, array('password' => $password))) { $injector->getInstance('Horde_Log_Logger')->notice(sprintf('Login failed from ActiveSync client for user %s.', $username)); return false; } // Get the username from the registry so we capture it after any // hooks were run on it. $username = $GLOBALS['registry']->getAuth(); $perms = $injector->getInstance('Horde_Perms'); if ($perms->exists('horde:activesync')) { // Check permissions to ActiveSync if (!$this->_getPolicyValue('activesync', $perms->getPermissions('horde:activesync', $username))) { $this->_logger->info(sprintf("Access denied for user %s per policy settings.", $username)); return Horde_ActiveSync::AUTH_REASON_USER_DENIED; } } return parent::authenticate($username, $password, $domain); }
/** * Constructs a new Login authentication object. * * @param array $params Optional parameters: * <pre> * 'location' - (string) Location of the su binary. * DEFAULT: /bin/su * </pre> */ public function __construct(array $params = array()) { if (empty($params['location'])) { $params['location'] = '/bin/su'; } parent::__construct($params); }
/** * Constructor. * * @param array $params Configuration parameters: * <pre> * 'client' - (Horde_Http_Client) [REQUIRED] TODO * 'url' - (string) [REQUIRED] TODO * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!isset($params['url']) || !isset($params['client'])) { throw new InvalidArgumentException(); } parent::__construct($params); }
/** * Constructor. * * @param array $params Parameters: * <pre> * 'kolab' - (Horde_Kolab_Session) [REQUIRED] TODO * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!isset($params['kolab'])) { throw new InvalidArgumentException('Missing kolab parameter.'); } parent::__construct($params); }
/** * Constructor. * * @param array $params Optional parameters: * - admin_password: (string) The password of the administrator. * DEFAULT: null * - admin_user: (string) The name of a user with admin privileges. * DEFAULT: null * - hostspec: (string) The hostname or IP address of the server. * DEFAULT: 'localhost' * - port: (integer) The server port to which we will connect. * IMAP is generally 143, while IMAP-SSL is generally 993. * DEFAULT: Encryption port default * - secure: (string) The encryption to use. Either 'none', 'ssl', or * 'tls'. * DEFAULT: 'none' * - userhierarchy: (string) The hierarchy where user mailboxes are * stored (UTF-8). * DEFAULT: 'user.' */ public function __construct(array $params = array()) { $params = array_merge(array('admin_password' => null, 'admin_user' => null, 'hostspec' => '', 'port' => null, 'secure' => 'none', 'userhierarchy' => 'user.'), $params); parent::__construct($params); if (!empty($this->_params['admin_user'])) { $this->_capabilities = array_merge($this->_capabilities, array('add' => true, 'list' => true, 'remove' => true)); } }
/** * Constructor. * * @param array $params Optional parameters: * <pre> * 'hostspec' - (string) The hostname or IP address of the FTP server. * DEFAULT: 'localhost' * 'port' - (integer) The server port to connect to. * DEFAULT: 21 * </pre> * * @throws Horde_Auth_Exception */ public function __construct(array $params = array()) { if (!Horde_Util::extensionExists('ftp')) { throw new Horde_Auth_Exception(__CLASS__ . ': Required FTP extension not found. Compile PHP with the --enable-ftp switch.'); } $params = array_merge(array('hostspec' => 'localhost', 'port' => 21), $params); parent::__construct($params); }
/** * Constructor. * * @param array $params Parameters: * <pre> * 'password_header' - (string) Name of the header holding the password of * the logged in user. * 'password_holder' - (string) Where the hordeauth password is stored. * 'password_preference' - (string) Name of the Horde preference holding * the password of the logged in user. * 'username_header' - (string) [REQUIRED] Name of the header holding the * username of the logged in user. * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!isset($params['username_header'])) { throw new InvalidArgumentException('Missing username_header parameter.'); } $params = array_merge(array('password_header' => '', 'password_holder' => '', 'password_preference' => ''), $params); parent::__construct($params); }
/** * Constructor. * * @param array $params Parameters: * <pre> * 'domain' - (string) [REQUIRED] The domain name to authenticate with. * 'group' - Group name that the user must be a member of. * DEFAULT: none * 'hostspec' - (string) [REQUIRED] IP, DNS Name, or NetBios name of the * SMB server to authenticate with. * 'smbclient_path' - (string) [REQUIRED] The location of the smbclient * utility. * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { foreach (array('hostspec', 'domain', 'smbclient_path') as $val) { if (empty($params[$val])) { throw new InvalidArgumentException('Missing ' . $val . ' parameter.'); } } parent::__construct($params); }
/** * Constructor. * * @param array $params Required parameters: * <pre> * 'admin_driver' - (Horde_Auth_Base) The admin driver. * 'auth_driver' - (Horde_Auth_Base) The auth driver. * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { foreach (array('admin_driver', 'auth_driver') as $val) { if (!isset($params[$val])) { throw new InvalidArgumentException('Missing ' . $val . ' parameter.'); } } parent::__construct($params); }
/** * Constructor. * * @param array $params Optional parameters: * <pre> * 'app' - (string) The name of the authenticating application. * DEFAULT: horde * 'service' - (string) The name of the SASL service to use when * authenticating. * DEFAULT: php * </pre> * * @throws Horde_Auth_Exception */ public function __construct(array $params = array()) { if (!Horde_Util::extensionExists('sasl')) { throw new Horde_Auth_Exception('Horde_Auth_Peclsasl:: requires the sasl PECL extension to be loaded.'); } $params = array_merge(array('app' => 'horde', 'service' => 'php'), $params); parent::__construct($params); sasl_server_init($this->_params['app']); }
/** * Constructor. * * @param array $params Optional Parameters: * <pre> * 'blocks' - (array) CIDR masks which are allowed access. * </pre> */ public function __construct(array $params = array()) { if (empty($params['blocks'])) { $params['blocks'] = array(); } elseif (!is_array($params['blocks'])) { $params['blocks'] = array($params['blocks']); } parent::__construct($params); }
/** * Constructor. * * @param array $params Optional parameters: * <pre> * 'service' - (string) The name of the PAM service to use when * authenticating. * DEFAULT: php * </pre> * * @throws Horde_Auth_Exception */ public function __construct(array $params = array()) { if (!Horde_Util::extensionExists('pam')) { throw new Horde_Auth_Exception('PAM authentication is not available.'); } if (!empty($params['service'])) { ini_set('pam.servicename', $params['service']); } parent::__construct($params); }
/** * Constructor. * * @param array $params Parameters: * <pre> * 'domain' - (string) [REQUIRED] The domain name to authenticate with. * 'group' - Group name that the user must be a member of. * DEFAULT: none * 'hostspec' - (string) [REQUIRED] IP, DNS Name, or NetBios name of the * SMB server to authenticate with. * </pre> * * @throws Horde_Auth_Exception * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!Horde_Util::extensionExists('smbauth')) { throw new Horde_Auth_Exception(__CLASS__ . ': Required smbauth extension not found.'); } foreach (array('domain', 'hostspec') as $val) { if (empty($params[$val])) { throw new InvalidArgumentException('Missing ' . $val . ' parameter.'); } } $params = array_merge(array('group' => null), $params); parent::__construct($params); }
/** * Constructor. * * @param array $params Connection parameters. * <pre> * 'host' - (string) [REQUIRED] The RADIUS host to use (IP address or * fully qualified hostname). * 'method' - (string) [REQUIRED] The RADIUS method to use for validating * the request. * Either: 'PAP', 'CHAP_MD5', 'MSCHAPv1', or 'MSCHAPv2'. * ** CURRENTLY, only 'PAP' is supported. ** * 'nas' - (string) The RADIUS NAS identifier to use. * DEFAULT: The value of $_SERVER['HTTP_HOST'] or, if not * defined, then 'localhost'. * 'port' - (integer) The port to use on the RADIUS server. * DEFAULT: Whatever the local system identifies as the * 'radius' UDP port * 'retries' - (integer) The maximum number of repeated requests to make * before giving up. * DEFAULT: 3 * 'secret' - (string) [REQUIRED] The RADIUS shared secret string for the * host. The RADIUS protocol ignores all but the leading 128 * bytes of the shared secret. * 'suffix' - (string) The domain name to add to unqualified user names. * DEFAULT: NONE * 'timeout' - (integer) The timeout for receiving replies from the server * (in seconds). * DEFAULT: 3 * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!Horde_Util::extensionExists('radius')) { throw new Horde_Auth_Exception(__CLASS__ . ': requires the radius PECL extension to be loaded.'); } foreach (array('host', 'secret', 'method') as $val) { if (!isset($params[$val])) { throw new InvalidArgumentException('Missing ' . $val . ' parameter.'); } } $params = array_merge(array('nas' => isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost', 'port' => 0, 'retries' => 3, 'suffix' => '', 'timeout' => 3), $params); parent::__construct($params); }
/** * Constructor. * * @param array $params Required parameters: * <pre> * 'basedn' - (string) [REQUIRED] The base DN for the LDAP server. * 'filter' - (string) The LDAP formatted search filter to search for * users. This setting overrides the 'objectclass' parameter. * 'ldap' - (Horde_Ldap) [REQUIRED] Horde LDAP object. * 'objectclass - (string|array): The objectclass filter used to search * for users. Either a single or an array of objectclasses. * 'uid' - (string) [REQUIRED] The username search key. * </pre> * * @throws Horde_Auth_Exception * @throws InvalidArgumentException */ public function __construct(array $params = array()) { foreach (array('basedn', 'ldap', 'uid') as $val) { if (!isset($params[$val])) { throw new InvalidArgumentException(__CLASS__ . ': Missing ' . $val . ' parameter.'); } } if (!empty($params['ad'])) { $this->_capabilities['resetpassword'] = false; } $this->_ldap = $params['ldap']; unset($params['ldap']); parent::__construct($params); }
/** * Constructor. * * @param array $params Optional parameters: * <pre> * 'encryption' - (string) Kind of passwords in the .htpasswd file. * Either 'crypt-des' (standard crypted htpasswd entries) * [DEFAULT] or 'aprmd5'. This information is used if * you want to directly authenticate users with this * driver, instead of relying on transparent auth. * 'htpasswd_file' - (string) TODO * </pre> */ public function __construct(array $params = array()) { $params = array_merge(array('encryption' => 'crypt-des'), $params); parent::__construct($params); if (!empty($this->_params['htpasswd_file'])) { $users = file($this->_params['htpasswd_file']); if (is_array($users)) { // Enable the list users capability. $this->_capabilities['list'] = true; foreach ($users as $line) { list($user, $pass) = explode(':', $line, 2); $this->_users[trim($user)] = trim($pass); } } } }
/** * Constructor * * @param array $params Parameters: * 'db' - (Horde_Db_Adapter) [REQUIRED] Database object. * <pre> * 'encryption' - (string) The encryption to use to store the password in * the table (e.g. plain, crypt, md5-hex, md5-base64, smd5, * sha, ssha, aprmd5). * DEFAULT: 'md5-hex' * 'hard_expiration_field' - (string) The name of the field containing a * date after which the account is no longer * valid and the user will not be able to log in * at all. * DEFAULT: none * 'password_field' - (string) The name of the password field in the auth * table. * DEFAULT: 'user_pass' * 'show_encryption' - (boolean) Whether or not to prepend the encryption * in the password field. * DEFAULT: false * 'soft_expiration_field' - (string) The name of the field containing a * date after which the system will request the * user change his or her password. * DEFAULT: none * 'table' - (string) The name of the SQL table to use in 'database'. * DEFAULT: 'horde_users' * 'username_field' - (string) The name of the username field in the auth * table. * DEFAULT: 'user_uid' * </pre> * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { if (!isset($params['db'])) { throw new InvalidArgumentException('Missing db parameter.'); } $this->_db = $params['db']; unset($params['db']); $params = array_merge(array('encryption' => 'md5-hex', 'password_field' => 'user_pass', 'show_encryption' => false, 'table' => 'horde_users', 'username_field' => 'user_uid', 'soft_expiration_field' => null, 'soft_expiration_window' => null, 'hard_expiration_field' => null, 'hard_expiration_window' => null), $params); parent::__construct($params); /* Only allow limits when there is a storage configured */ if (empty($params['soft_expiration_field']) && $params['soft_expiration_window'] > 0) { throw new InvalidArgumentException('You cannot set [soft_expiration_window] without [soft_expiration_field].'); } if ($params['hard_expiration_field'] == '' && $params['hard_expiration_window'] > 0) { throw new InvalidArgumentException('You cannot set [hard_expiration_window] without [hard_expiration_field].'); } }
/** * Validates a username and password * * This method should return true or false depending on if login * succeeded. * * @param string $username * @param string $password * @return bool */ protected function validateUserPass($username, $password) { return $this->_auth->authenticate($username, array('password' => $password)); }
public function authenticate(Horde_Auth_Base $auth, $username = '******', $password = '******') { $this->assertTrue($auth->authenticate($username, array('password' => $password))); $params = array('driver' => 'Mock', 'username' => $username, 'password' => $password); return $this->prepareEmptyKolabStorage($params); }
/** * Constructor. * * @param array $params Parameters: * - password: (string) If available, the password to use for the session. * DEFAULT: no password used. * - username_field: (string) Name of the $_SERVER field that * the username can be found in. DEFAULT: 'SSL_CLIENT_S_DN_EMAILADDRESS'. * - certificate_field: (string) Name of the $_SERVER field that contains * the full certificate. DEFAULT: 'SSL_CLIENT_CERT' * - ignore_purpose: (boolean) If true, will ignore any usage restrictions * on the presented client certificate. I.e., if openssl_x509_checkpurpose * returns false, authentication may still proceed. DEFAULT: false - ONLY * ENABLE THIS IF YOU KNOW WHY YOU ARE DOING SO. * - filter: (array) An array where the keys are field names and the * values are the values those certificate fields MUST * match to be considered valid. Keys in the format of * fieldone:fieldtwo will be taken as parent:child. * DEFAULT: no additionachecks applied. * * @throws InvalidArgumentException */ public function __construct(array $params = array()) { $params = array_merge(array('password' => false, 'username_field' => 'SSL_CLIENT_S_DN_CN', 'certificate_field' => 'SSL_CLIENT_CERT', 'ignore_purpose' => true, 'filter' => array()), $params); parent::__construct($params); }
/** */ public function getError($msg = false) { return $this->_base->getError($msg); }
/** * Constructor. * * @param array $params Optional parameters: * <pre> * 'password' - (string) The password to record in the user's credentials. * DEFAULT: none * 'requestuser' - (boolean) If true, allow username to be passed by GET, * POST or cookie. * DEFAULT: No * 'username' - (string) The username to authenticate everyone as. * DEFAULT: 'horde_user' * </pre> */ public function __construct(array $params = array()) { $params = array_merge(array('password' => '', 'requestuser' => false, 'username' => 'horde_user'), $params); parent::__construct($params); }
/** * Queries the current Auth object to find out if it supports the given * capability. * * @param string $capability The capability to test for. * * @return boolean Whether or not the capability is supported. */ public function hasCapability($capability) { if ($this->_params['lock']) { switch ($capability) { case 'add': case 'update': case 'resetpassword': case 'remove': return true; } } return parent::hasCapability($capability); }