/**
* Checks RSA configuration and creates warnings if necessary.
*
* @param array $warnings Warnings
* @return void
* @see t3lib_BEfunc::displayWarningMessages()
*/
public function displayWarningMessages_postProcess(array &$warnings)
{
$backend = tx_rsaauth_backendfactory::getBackend();
if ($backend instanceof tx_rsaauth_cmdline_backend) {
// Not using the PHP extension!
$warnings['rsaauth_cmdline'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_using_cmdline');
// Check the path
$extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth']);
$path = trim($extconf['temporaryDirectory']);
if ($path == '') {
// Path is empty
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_empty_directory');
} elseif (!t3lib_div::isAbsPath($path)) {
// Path is not absolute
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_absolute');
} elseif (!@is_dir($path)) {
// Path does not represent a directory
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_exist');
} elseif (!@is_writable($path)) {
// Directory is not writable
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_not_writable');
} elseif (substr($path, 0, strlen(PATH_site)) == PATH_site) {
// Directory is inside the site root
$warnings['rsaauth'] = $GLOBALS['LANG']->sL('LLL:EXT:rsaauth/hooks/locallang.xml:hook_directory_inside_siteroot');
}
}
}
/**
* Hooks to the felogin extension to provide additional code for FE login
*
* @return array 0 => onSubmit function, 1 => extra fields and required files
*/
public function loginFormHook()
{
$result = array(0 => '', 1 => '');
if ($GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'] == 'rsa') {
$backend = tx_rsaauth_backendfactory::getBackend();
if ($backend) {
$result[0] = 'tx_rsaauth_feencrypt(this);';
$javascriptPath = t3lib_extMgm::siteRelPath('rsaauth') . 'resources/';
$files = array('jsbn/jsbn.js', 'jsbn/prng4.js', 'jsbn/rng.js', 'jsbn/rsa.js', 'jsbn/base64.js', 'rsaauth_min.js');
foreach ($files as $file) {
$result[1] .= '<script type="text/javascript" src="' . t3lib_div::getIndpEnv('TYPO3_SITE_URL') . $javascriptPath . $file . '"></script>';
}
// Generate a new key pair
$keyPair = $backend->createNewKeyPair();
// Save private key
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
$storage->put($keyPair->getPrivateKey());
// Add RSA hidden fields
$result[1] .= '<input type="hidden" id="rsa_n" name="n" value="' . htmlspecialchars($keyPair->getPublicKeyModulus()) . '" />';
$result[1] .= '<input type="hidden" id="rsa_e" name="e" value="' . sprintf('%x', $keyPair->getExponent()) . '" />';
}
}
return $result;
}
/**
* Obtains a backend. This function will return a non-abstract class, which
* is derieved from the tx_rsaauth_abstract_backend. Applications should
* not use anoy methods that are not declared in the tx_rsaauth_abstract_backend.
*
* @return tx_rsaauth_abstract_backend A backend
*/
public static function getBackend()
{
if (!self::$initialized) {
// Backend does not exist yet. Create it.
foreach (self::$availableBackends as $backend) {
$backendObject = t3lib_div::getUserObj($backend);
// Check that it is derieved from the proper base class
if ($backendObject instanceof tx_rsaauth_abstract_backend) {
/* @var $backendObject tx_rsaauth_abstract_backend */
if ($backendObject->isAvailable()) {
// The backend is available, save it and stop the loop
self::$selectedBackend = $backendObject;
self::$initialized = true;
break;
}
// Attempt to force destruction of the object
unset($backend);
}
}
}
return self::$selectedBackend;
}
/**
* Adds RSA-specific JavaScript and returns a form tag
*
* @return string Form tag
*/
public function getLoginFormTag(array $params, SC_index &$pObj)
{
$form = null;
if ($pObj->loginSecurityLevel == 'rsa') {
// If we can get the backend, we can proceed
$backend = tx_rsaauth_backendfactory::getBackend();
if (!is_null($backend)) {
// Add form tag
$form = '<form action="index.php" method="post" name="loginform" onsubmit="tx_rsaauth_encrypt();">';
// Generate a new key pair
$keyPair = $backend->createNewKeyPair();
// Save private key
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
$storage->put($keyPair->getPrivateKey());
// Add RSA hidden fields
$form .= '<input type="hidden" id="rsa_n" name="n" value="' . htmlspecialchars($keyPair->getPublicKeyModulus()) . '" />';
$form .= '<input type="hidden" id="rsa_e" name="e" value="' . sprintf('%x', $keyPair->getExponent()) . '" />';
}
}
return $form;
}
/**
* Initializes the service.
*
* @return boolean
*/
public function init()
{
$available = parent::init();
if ($available) {
// Get the backend
$this->backend = tx_rsaauth_backendfactory::getBackend();
if (is_null($this->backend)) {
$available = false;
}
}
return $available;
}
/**
* Decrypts the password for auto-login on confirmation or invitation acceptation
*
* @param array $dataArray: table row containing the password to be decrypted
* @param array $row: incoming data containing the auto-login private key
* @return void
*/
public function decryptPasswordForAutoLogin(array &$dataArray, array $row)
{
if (isset($row['auto_login_key'])) {
$privateKey = $row['auto_login_key'];
if ($privateKey !== '') {
$password = $dataArray['tx_srfeuserregister_password'];
if ($password != '') {
$backend = tx_rsaauth_backendfactory::getBackend();
if (is_object($backend) && $backend->isAvailable()) {
$decryptedPassword = $backend->decrypt($privateKey, $password);
if ($decryptedPassword) {
$dataArray['password'] = $decryptedPassword;
} else {
// Failed to decrypt auto login password
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_decrypt_auto_login_failed');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
}
} else {
// Required RSA auth backend not available
// Should not happen: checked in tx_srfeuserregister_pi1_base::checkRequirements
}
}
}
}
}
/**
* Method adds a further authUser method.
*
* Will return one of following authentication status codes:
* - 0 - authentication failure
* - 100 - just go on. User is not authenticated but there is still no reason to stop
* - 200 - the service was able to authenticate the user
*
* @param array Array containing FE user data of the logged user.
* @return integer authentication statuscode, one of 0,100 and 200
*/
public function authUser(array $user)
{
$OK = 100;
$validPasswd = FALSE;
if ($this->pObj->security_level == 'rsa' && t3lib_extMgm::isLoaded('rsaauth')) {
require_once t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php';
require_once t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php';
$backend = tx_rsaauth_backendfactory::getBackend();
$storage = tx_rsaauth_storagefactory::getStorage();
// Preprocess the password
$password = $this->login['uident'];
$key = $storage->get();
if ($key != NULL && substr($password, 0, 4) == 'rsa:') {
// Decode password and pass to parent
$decryptedPassword = $backend->decrypt($key, substr($password, 4));
$this->login['uident_text'] = $decryptedPassword;
}
}
if ($this->login['uident'] && $this->login['uname']) {
if (!empty($this->login['uident_text'])) {
$validPasswd = $this->compareUident($user, $this->login);
}
if (!$validPasswd && (intval($this->extConf['onlyAuthService']) || $this->authenticationFailed)) {
// Failed login attempt (wrong password) - no delegation to further services
$this->writeLog(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);
$OK = 0;
} else {
if (!$validPasswd) {
// Failed login attempt (wrong password)
$this->writeLog("Login-attempt from %s, username '%s', password not accepted!", $this->authInfo['REMOTE_ADDR'], $this->login['uname']);
} else {
if ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {
// Lock domain didn't match, so error:
$this->writeLog("Login-attempt from %s, username '%s', locked domain '%s' did not match '%s'!", $this->authInfo['REMOTE_ADDR'], $this->login['uname'], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);
$OK = 0;
} else {
if ($validPasswd) {
$this->writeLog(TYPO3_MODE . ' Authentication successful for username \'%s\'', $this->login['uname']);
$OK = 200;
}
}
}
}
}
return $OK;
}
/**
* Decrypts fields that were encrypted for transmission
*
* @param array $row: incoming data array that may contain encrypted fields
* @return boolean TRUE if decryption was successful
*/
public function decryptIncomingFields(array &$row)
{
$success = TRUE;
$fields = array('password', 'password_again');
$incomingFieldSet = FALSE;
foreach ($fields as $field) {
if (isset($row[$field])) {
$incomingFieldSet = TRUE;
break;
}
}
if ($incomingFieldSet) {
switch ($this->getTransmissionSecurityLevel()) {
case 'rsa':
// Get services from rsaauth
// Can't simply use the authentication service because we have two fields to decrypt
$backend = tx_rsaauth_backendfactory::getBackend();
$storage = tx_rsaauth_storagefactory::getStorage();
/* @var $storage tx_rsaauth_abstract_storage */
if (is_object($backend) && is_object($storage)) {
$key = $storage->get();
if ($key != NULL) {
foreach ($fields as $field) {
if (isset($row[$field]) && $row[$field] != '') {
if (substr($row[$field], 0, 4) == 'rsa:') {
// Decode password
$result = $backend->decrypt($key, substr($row[$field], 4));
if ($result) {
$row[$field] = $result;
} else {
// RSA auth service failed to process incoming password
// May happen if the key is wrong
// May happen if multiple instance of rsaauth on same page
$success = FALSE;
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_rsaauth_process_incoming_password_failed');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
}
}
}
}
// Remove the key
$storage->put(NULL);
} else {
// RSA auth service failed to retrieve private key
// May happen if the key was already removed
$success = FALSE;
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_rsaauth_retrieve_private_key_failed');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
}
} else {
// Required RSA auth backend not available
// Should not happen: checked in tx_srfeuserregister_pi1_base::checkRequirements
$success = FALSE;
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_rsaauth_backend_not_available');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
}
break;
case 'normal':
default:
// Nothing to decrypt
break;
}
}
return $success;
}
protected function checkRequirements()
{
$content = '';
// Check if all required extensions are available
if (is_array($GLOBALS['TYPO3_CONF_VARS']['EXTCONF'][$this->extKey]['constraints']['depends'])) {
$requiredExtensions = array_diff(array_keys($GLOBALS['TYPO3_CONF_VARS']['EXTCONF'][$this->extKey]['constraints']['depends']), array('php', 'typo3'));
foreach ($requiredExtensions as $requiredExtension) {
if (!t3lib_extMgm::isLoaded($requiredExtension)) {
$message = sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_required_extension_missing'), $requiredExtension);
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
$content .= sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_check_requirements_frontend'), $message);
}
}
}
// Check if front end login security level is correctly set
$supportedTransmissionSecurityLevels = $GLOBALS['TYPO3_CONF_VARS']['EXTCONF'][$this->extKey]['loginSecurityLevels'];
if (!in_array($GLOBALS['TYPO3_CONF_VARS']['FE']['loginSecurityLevel'], $supportedTransmissionSecurityLevels)) {
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_login_security_level');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
$content .= sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_check_requirements_frontend'), $message);
} else {
// Check if salted passwords are enabled in front end
if (t3lib_extMgm::isLoaded('saltedpasswords')) {
if (!tx_saltedpasswords_div::isUsageEnabled('FE')) {
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_salted_passwords_disabled');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
$content .= sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_check_requirements_frontend'), $message);
} else {
// Check if we can get a salting instance
$objSalt = tx_saltedpasswords_salts_factory::getSaltingInstance(NULL);
if (!is_object($objSalt)) {
// Could not get a salting instance from saltedpasswords
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_salted_passwords_no_instance');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
$content .= sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_check_requirements_frontend'), $message);
}
}
}
// Check if we can get a backend from rsaauth
if (t3lib_extMgm::isLoaded('rsaauth')) {
// rsaauth in TYPO3 4.5 misses autoload
if (!class_exists('tx_rsaauth_backendfactory')) {
require_once t3lib_extMgm::extPath('rsaauth') . 'sv1/backends/class.tx_rsaauth_backendfactory.php';
require_once t3lib_extMgm::extPath('rsaauth') . 'sv1/storage/class.tx_rsaauth_storagefactory.php';
}
$backend = tx_rsaauth_backendfactory::getBackend();
$storage = tx_rsaauth_storagefactory::getStorage();
if (!is_object($backend) || !$backend->isAvailable() || !is_object($storage)) {
// Required RSA auth backend not available
$message = $GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_rsaauth_backend_not_available');
t3lib_div::sysLog($message, $this->extKey, t3lib_div::SYSLOG_SEVERITY_ERROR);
$content .= sprintf($GLOBALS['TSFE']->sL('LLL:EXT:' . $this->extKey . '/pi1/locallang.xml:internal_check_requirements_frontend'), $message);
}
}
}
return $content;
}
