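/**
  * Seeds the Auth adapter from the login cookie and, when two-factor storage is active for
  * that login, accepts the cookie's `auth_code` in place of a typed one-time code.
  *
  * Security notes:
  *  - `login`, `token_auth` and `auth_code` are all read from the browser cookie; nothing in
  *    this method verifies them before they are used to look up the two-factor storage.
  *  - When `auth_code` matches the value derived from the login and the stored secret, the
  *    server computes the current one-time code itself and marks it as validated. The cookie
  *    value therefore stands in for the second factor.
  *    NOTE(review): nothing visible here limits the lifetime of that value or allows it to be
  *    revoked without changing the secret; confirm how it is issued and expired.
  *
  * @param \Piwik\Auth $auth Auth adapter that receives the login, token_auth and auth code.
  * @param bool $activateCookieAuth When falsy, API requests skip cookie authentication entirely.
  * @return void
  */
 public static function initAuthenticationFromCookie(\Piwik\Auth $auth, $activateCookieAuth)
 {
     // API requests only use the cookie when the caller explicitly allows it.
     if (self::isModuleIsAPI() && !$activateCookieAuth) {
         return;
     }
     $authCookieName = Config::getInstance()->General['login_cookie_name'];
     $authCookieExpiry = 0;
     $authCookiePath = Config::getInstance()->General['login_cookie_path'];
     $authCookie = new Cookie($authCookieName, $authCookieExpiry, $authCookiePath);
     // Fallback identity used when no login cookie is present.
     $defaultLogin = '******';
     $defaultTokenAuth = 'anonymous';
     if ($authCookie->isCookieFound()) {
         $defaultLogin = $authCookie->get('login');
         $defaultTokenAuth = $authCookie->get('token_auth');
     }
     $auth->setLogin($defaultLogin);
     $auth->setTokenAuth($defaultTokenAuth);
     // The storage lookup is keyed on the (still unauthenticated) cookie login.
     $storage = new Storage($defaultLogin);
     if (!$storage->isActive()) {
         return;
     }
     $secret = $storage->getSecret();
     $cookieSecret = $authCookie->get('auth_code');
     $expectedSecret = SessionInitializer::getHashTokenAuth($defaultLogin, $secret);
     // Compare as strings in constant time: a loose `==` lets PHP coerce numeric-looking
     // strings (e.g. "0e..." hashes) and leaks how much of the value matched through timing.
     // hash_equals() needs PHP >= 5.6.
     if (is_string($cookieSecret)
         && is_string($expectedSecret)
         && hash_equals($expectedSecret, $cookieSecret)
     ) {
         $googleAuth = new PHPGangsta\GoogleAuthenticator();
         $auth->setAuthCode($googleAuth->getCode($secret));
         // Any return value of validateAuthCode() is not inspected here.
         $auth->validateAuthCode();
     }
 }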
Example #2
 /**
  * Re-evaluates who the current user is.
  *
  * Site access state is reset first. If this object is already flagged as Super User, that
  * status is kept and the Auth adapter is not consulted. Otherwise the stored login and
  * token_auth are cleared and the adapter is asked to authenticate; its identity, token and
  * Super User flag are copied onto this object on success.
  *
  * @param null|Auth $auth Auth adapter; when given it replaces the adapter stored on this object.
  * @return bool true on success, false when no Auth adapter is available (and the user is not
  *              already Super User) or when authentication was not successful.
  */
 public function reloadAccess(Auth $auth = null)
 {
     $this->resetSites();

     if ($auth !== null) {
         $this->auth = $auth;
     }

     // An existing Super User flag short-circuits everything below, including authenticate().
     $alreadySuperUser = $this->hasSuperUserAccess();
     if ($alreadySuperUser) {
         $this->makeSureLoginNameIsSet();
         return true;
     }

     // Forget any previously established identity before asking the adapter again.
     $this->token_auth = null;
     $this->login = null;

     // Without an adapter only the setSuperUser() special case can succeed, and that was handled above.
     if (null === $this->auth) {
         return false;
     }

     $authResult = $this->auth->authenticate();
     $authenticated = $authResult->wasAuthenticationSuccessful();
     if (!$authenticated) {
         return false;
     }

     $this->login = $authResult->getIdentity();
     $this->token_auth = $authResult->getTokenAuth();

     // Promote to Super User only when the adapter reports it.
     if ($authResult->hasSuperUserAccess()) {
         $this->setSuperUserAccess(true);
     }

     return true;
 }
Example #3
 /**
  * Registers mock expectations for one "reload with another token, then restore" cycle:
  * reloadAccess() must be called exactly twice, and the Auth mock must see
  * setLogin(null) / setTokenAuth(...) / authenticate() once for the reload and once for
  * the restore, in that order.
  *
  * @param mixed $expectedTokenToBeReloaded token_auth expected on the first (reload) pass.
  */
 private function assertAccessReloadedAndRestored($expectedTokenToBeReloaded)
 {
     $authMock = $this->auth;

     $this->access->expects($this->exactly(2))->method('reloadAccess');

     // First pass: access is reloaded with the token under test.
     $reloadedResult = new AuthResult(AuthResult::SUCCESS, 'login1', $expectedTokenToBeReloaded);
     $authMock->expects($this->at(0))
         ->method('setLogin')
         ->with($this->equalTo(null));
     $authMock->expects($this->at(1))
         ->method('setTokenAuth')
         ->with($this->equalTo($expectedTokenToBeReloaded));
     $authMock->expects($this->at(2))
         ->method('authenticate')
         ->will($this->returnValue($reloadedResult));

     // Second pass: the original user's token is put back.
     $tokenRestored = $this->userAuthToken;
     $authMock->expects($this->at(3))
         ->method('setLogin')
         ->with($this->equalTo(null));
     $authMock->expects($this->at(4))
         ->method('setTokenAuth')
         ->with($this->equalTo($tokenRestored));
     $restoredResult = new AuthResult(AuthResult::SUCCESS, 'login', $this->userAuthToken);
     $authMock->expects($this->at(5))
         ->method('authenticate')
         ->will($this->returnValue($restoredResult));
 }
Example #4
 /**
  * Seeds the Auth adapter with the login and token_auth found in the login cookie, or with
  * the fallback values when no cookie is present.
  *
  * The cookie values are passed to the adapter as-is; this method performs no verification
  * of its own.
  *
  * @param \Piwik\Auth $auth Auth adapter that receives the login and token_auth.
  * @param bool $activateCookieAuth When falsy, API requests return without touching $auth.
  * @return void
  */
 public static function initAuthenticationFromCookie(\Piwik\Auth $auth, $activateCookieAuth)
 {
     $skipCookieAuth = self::isModuleIsAPI() && !$activateCookieAuth;
     if ($skipCookieAuth) {
         return;
     }

     // Expiry 0 is passed through to the Cookie constructor unchanged.
     $authCookie = new Cookie(
         Config::getInstance()->General['login_cookie_name'],
         0,
         Config::getInstance()->General['login_cookie_path']
     );

     $cookiePresent = $authCookie->isCookieFound();
     $login = $cookiePresent ? $authCookie->get('login') : '******';
     $tokenAuth = $cookiePresent ? $authCookie->get('token_auth') : 'anonymous';

     $auth->setLogin($login);
     $auth->setTokenAuth($tokenAuth);
 }
Example #5
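 /**
  * Loads the access levels for the current user.
  *
  * An object already flagged as Super User is reloaded as Super User without consulting the
  * Auth adapter. Otherwise the adapter authenticates the user; on success the identity and
  * token_auth are stored and the per-site access rows for that login are loaded.
  *
  * NOTE(review): the paths that return false leave $this->login, $this->token_auth and
  * $this->idsitesByAccess untouched, and successful calls append to $this->idsitesByAccess
  * rather than replacing it. Whether values from an earlier call can linger depends on code
  * outside this method; confirm.
  *
  * @param null|Auth $auth Auth adapter; when given it replaces the adapter stored on this object.
  * @return bool true on success, false if reloading access failed (no Auth adapter and the user
  *              is not enforced to be Super User, or authentication was not successful).
  */
 public function reloadAccess(Auth $auth = null)
 {
     if ($auth !== null) {
         $this->auth = $auth;
     }
     // Covers both the setSuperUser() special case (no adapter set) and an adapter-backed
     // Super User; the original checked this twice in a row with the same outcome.
     if ($this->hasSuperUserAccess()) {
         return $this->reloadAccessSuperUser();
     }
     // Not Super User and nothing to authenticate with: fail.
     if ($this->auth === null) {
         return false;
     }
     $result = $this->auth->authenticate();
     if (!$result->wasAuthenticationSuccessful()) {
         return false;
     }
     $this->login = $result->getIdentity();
     $this->token_auth = $result->getTokenAuth();
     // case the superUser is logged in
     if ($result->hasSuperUserAccess()) {
         return $this->reloadAccessSuperUser();
     }
     // in case multiple calls to API using different tokens, we ensure we reset it as not SU
     $this->setSuperUserAccess(false);
     // we join with site in case there are rows in access for an idsite that doesn't exist anymore
     // (backward compatibility ; before we deleted the site without deleting rows in _access table)
     // Resulting shape: idsitesByAccess[access level] = list of idsite values.
     $accessRaw = $this->getRawSitesWithSomeViewAccess($this->login);
     foreach ($accessRaw as $access) {
         $this->idsitesByAccess[$access['access']][] = $access['idsite'];
     }
     return true;
 }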
Example #6
 /**
  * Runs authentication for a session login.
  *
  * The `Login.authenticate` event is posted with the login name before the adapter is asked
  * to authenticate, so subscribers run for failed attempts as well. Subclasses may override
  * this method to change the logic or add requirements.
  *
  * @param AuthInterface $auth The Auth implementation to use when authenticating.
  * @return AuthResult
  */
 protected function doAuthenticateSession(AuthInterface $auth)
 {
     $loginForEvent = $auth->getLogin();
     Piwik::postEvent('Login.authenticate', array($loginForEvent));

     $authResult = $auth->authenticate();

     return $authResult;
 }
 /**
  * Runs authentication for a session login.
  *
  * Before the adapter authenticates, a token_auth is derived from the adapter's secret (when
  * one is available) and posted together with the login in the `Login.authenticate` event.
  * Every subscriber of that event therefore receives the token_auth, and receives it before
  * the credentials have been checked.
  *
  * Subclasses may override this method to change the logic or add requirements.
  *
  * @param AuthInterface $auth The Auth implementation to use when authenticating.
  * @return AuthResult
  */
 protected function doAuthenticateSession(AuthInterface $auth)
 {
     $login = $auth->getLogin();

     $tokenAuthSecret = null;
     try {
         $tokenAuthSecret = $auth->getTokenAuthSecret();
     } catch (Exception $ex) {
         // Best effort: a missing secret only means the event is posted without a token.
         // NOTE(review): this catches only if `Exception` resolves to the global class in this file; confirm the import.
         Log::debug(
             "SessionInitializer::doAuthenticateSession: token_auth secret for %s not available before user is authenticated.",
             $login
         );
     }

     if (empty($tokenAuthSecret)) {
         $tokenAuth = null;
     } else {
         $tokenAuth = $this->usersManagerAPI->getTokenAuth($login, $tokenAuthSecret);
     }

     /**
      * @deprecated Create a custom SessionInitializer instead.
      */
     Piwik::postEvent('Login.authenticate', array($auth->getLogin(), $tokenAuth));

     $authResult = $auth->authenticate();

     return $authResult;
 }
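 /**
  * Copies the login and token_auth stored in the login cookie onto the Auth adapter.
  *
  * Both values come from the browser and are not verified here; the debug message is written
  * before any authentication has taken place, so it records a claimed login, not a confirmed one.
  *
  * @param \Piwik\Auth $auth Auth adapter that receives the cookie's login and token_auth.
  * @param mixed $activateCookieAuth Not read by this method.
  * @return bool true when the login cookie was found and its values were applied, false otherwise.
  */
 private static function initAuthenticationFromCookie(\Piwik\Auth $auth, $activateCookieAuth)
 {
     $authCookieName = Config::getInstance()->General['login_cookie_name'];
     $authCookieExpiry = 0;
     $authCookiePath = Config::getInstance()->General['login_cookie_path'];
     $authCookie = new Cookie($authCookieName, $authCookieExpiry, $authCookiePath);
     if (!$authCookie->isCookieFound()) {
         return false;
     }
     $login = $authCookie->get('login');
     $tokenAuth = $authCookie->get('token_auth');
     // The login is cookie-supplied: strip control characters so it cannot break the log
     // entry across lines or inject terminal escapes when the log is viewed.
     $loginForLog = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $login);
     \Piwik\Log::debug("Login [" . $loginForLog . "] from browser token");
     $auth->setLogin($login);
     $auth->setTokenAuth($tokenAuth);
     return true;
 }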