/**
  * Auth Decryption has changed from Weatherwax to Binky
  *
  * Dispatches to whichever DokuWiki decryption helper the running
  * release provides: auth_decrypt() (Binky and later) or the older
  * PMA_blowfish_decrypt() (Weatherwax). When neither exists the
  * debug class is asked to raise a runtime exception.
  *
  * @param string $pass   encrypted password
  * @param string $secret decryption secret (cookie salt)
  * @return string decrypted password (nothing is returned when no helper exists)
  */
 private function auth_decrypt($pass, $secret)
 {
     // Binky and later
     if (function_exists('auth_decrypt')) {
         return auth_decrypt($pass, $secret);
     }
     // Weatherwax
     if (function_exists('PMA_blowfish_decrypt')) {
         return PMA_blowfish_decrypt($pass, $secret);
     }
     // no known helper available on this release
     $this->debugClass->runtimeException("No decryption method found");
 }
 /**
  * Decrypt the given string with the cookie salt
  *
  * The input is base64 encoded; after decoding it is handed to
  * auth_decrypt() on Binky and later, or to the deprecated
  * PMA_blowfish_decrypt() on older releases.
  *
  * @param string $data base64 encoded ciphertext
  * @return string
  */
 public function decrypt($data)
 {
     $raw = base64_decode($data);
     $salt = auth_cookiesalt();
     if (!function_exists('auth_decrypt')) {
         // pre-Binky fallback (deprecated helper)
         return PMA_blowfish_decrypt($raw, $salt);
     }
     // since Binky
     return auth_decrypt($raw, $salt);
 }
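/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * Session cache comparisons use strict equality and hash_equals():
 * a loose == between two hex digests would treat e.g. "0e..." style
 * strings as numerically equal, and the constant-time compare avoids
 * leaking digest prefixes through timing.
 *
 * @author  Andreas Gohr <*****@*****.**>
 *
 * @param   string  $user    Username
 * @param   string  $pass    Cleartext Password
 * @param   bool    $sticky  Cookie should not expire
 * @param   bool    $silent  Don't show error on bad auth
 * @return  bool             true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    /* @var DokuWiki_Auth_Plugin $auth */
    global $auth;
    /* @var Input $INPUT */
    global $INPUT;

    // normalise whatever the caller passed (form value, cookie flag) to a real bool
    $sticky = (bool) $sticky;

    // sanity check: without an auth backend nobody can log in
    if (!$auth) {
        return false;
    }

    if (!empty($user)) {
        // usual login: credentials were sent explicitly
        if (!empty($pass) && $auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $INPUT->server->set('REMOTE_USER', $user);
            // non-sticky logins are bound to the session through the salt
            $secret = auth_cookiesalt(!$sticky, true);
            auth_setCookie($user, auth_encrypt($pass, $secret), $sticky);
            return true;
        }

        // invalid credentials - log off
        if (!$silent) {
            msg($lang['badlogin'], -1);
        }
        auth_logoff();
        return false;
    }

    // no credentials sent - read cookie information
    list($user, $sticky, $pass) = auth_getCookie();
    if ($user && $pass) {
        // we got a cookie - see if we can trust it via the session cache;
        // look the entry up with isset() so a missing entry raises no notice
        $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;
        if (
            is_array($session)
            && $auth->useSessionCache($user)
            && $session['time'] >= time() - $conf['auth_security_timeout']
            && $session['user'] === $user
            && hash_equals((string) $session['pass'], sha1($pass))
            && hash_equals((string) $session['buid'], (string) auth_browseruid())
        ) {
            // session, cookie and browser match - let the user in
            $INPUT->server->set('REMOTE_USER', $user);
            $USERINFO = $session['info'];
            //FIXME move all references to session
            return true;
        }

        // not trusted yet - recheck the password from the cookie, but silently
        // (non-sticky cookies were bound to the session through the salt)
        $secret = auth_cookiesalt(!$sticky, true);
        $pass = auth_decrypt($pass, $secret);
        return auth_login($user, $pass, $sticky, true);
    }

    // just to be sure
    auth_logoff(true);
    return false;
}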
 /**
  * Definition of the function modifyUser in order to modify the password
  *
  * Binds to the directory either as the user (password recovered from the
  * auth cookie) or as the configured superuser, then replaces the
  * userpassword attribute of the user's entry.
  *
  * @param   string $user    nick of the user to be changed
  * @param   array  $changes array of field/value pairs to be changed (password will be clear text)
  * @return  bool   true on success, false on error
  */
 function modifyUser($user, $changes)
 {
     // open the connection to the ldap
     if (!$this->_openLDAP()) {
         $this->_debug('LDAP cannot connect: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         return false;
     }
     // find the information about the user, in particular the "dn"
     // $inbind = true marks the bind phase (see getUserData(): "avoid loop in binding")
     $info = $this->getUserData($user, true);
     if (empty($info['dn'])) {
         $this->_debug('LDAP cannot find your user dn', 0, __LINE__, __FILE__);
         return false;
     }
     $dn = $info['dn'];
     // find the old password of the user
     // presumably auth_getCookie() yields a null user when no auth cookie is set - confirm
     list($loginuser, $loginsticky, $loginpass) = auth_getCookie();
     if ($loginuser !== null) {
         // the user is currently logged in
         // the cookie carries the password encrypted with the cookie salt;
         // non-sticky logins use a session-bound salt
         $secret = auth_cookiesalt(!$loginsticky, true);
         $pass = auth_decrypt($loginpass, $secret);
         // bind with the ldap
         // the bind uses the target's $dn with the password from the cookie, so it
         // only succeeds when the logged-in user is $user (or the passwords coincide);
         // '@' hides the ldap_bind() warning, failure is reported via _debug() instead
         if (!@ldap_bind($this->con, $dn, $pass)) {
             $this->_debug('LDAP user bind failed: ' . htmlspecialchars($dn) . ': ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
             return false;
         }
     } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
         // we are changing the password on behalf of the user (eg: forgotten password)
         // bind with the superuser ldap
         // bindpw is run through conf_decodeString() here, while getUserData() passes
         // it to ldap_bind() unchanged - verify which form the stored value has
         if (!@ldap_bind($this->con, $this->getConf('binddn'), conf_decodeString($this->getConf('bindpw')))) {
             // NOTE(review): this listing is garbled here - the rest of the error branch,
             // the "no credentials at all" case and the line deriving $hash (the tail
             // "'pass']);" suggests it comes from $changes['pass']) are missing;
             // check the upstream source before editing.
             $this->_debug('LDAP bind as superuser: '******'pass']);
     // change the password
     // '@' hides the ldap_mod_replace() warning; failure is reported via _debug()
     if (!@ldap_mod_replace($this->con, $dn, array('userpassword' => $hash))) {
         $this->_debug('LDAP mod replace failed: ' . htmlspecialchars($dn) . ': ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         return false;
     }
     return true;
 }
 /**
  * Return user info
  *
  * Returns info about the given user needs to contain
  * at least these fields:
  *
  * name string  full name of the user
  * mail string  email address of the user
  * grps array   list of groups the user is in
  *
  * This LDAP specific function returns the following
  * additional fields:
  *
  * dn     string  distinguished name (DN)
  * uid    string  Posix User ID
  * inbind bool    for internal use - avoid loop in binding
  *
  * Flow: (optionally) bind as the configured superuser, search the user
  * tree for exactly one entry, copy the basic attributes and any configured
  * 'mapping' attributes into $info, then (optionally) search the group tree
  * and finally make sure the default group is present.
  *
  * @author  Andreas Gohr <*****@*****.**>
  * @author  Trouble
  * @author  Dan Allen <*****@*****.**>
  * @author  <*****@*****.**>
  * @author  Stephane Chazelas <*****@*****.**>
  *
  * @param   string $user
  * @param   bool   $inbind authldap specific, true if in bind phase
  * @return  array containing user data or false
  */
 public function getUserData($user, $inbind = false)
 {
     // only used for $conf['defaultgroup'] at the end
     global $conf;
     // no LDAP connection, no user data
     if (!$this->_openLDAP()) {
         return false;
     }
     // force superuser bind if wanted and not bound as superuser yet
     // ($this->bound < 2 apparently means "not yet bound as superuser" - confirm against _openLDAP())
     if ($this->getConf('binddn') && $this->getConf('bindpw') && $this->bound < 2) {
         // use superuser credentials
         // bindpw is passed unchanged here, whereas modifyUser() decodes it with
         // conf_decodeString() first - verify which form the stored value has;
         // '@' hides the ldap_bind() warning, failure is reported via _debug()
         if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))) {
             // NOTE(review): this listing is garbled here - the rest of the error branch,
             // any $inbind handling and the start of the $info array are missing;
             // check the upstream source before editing.
             $this->_debug('LDAP bind as superuser: '******'user'] = $user;
     $info['server'] = $this->getConf('server');
     //get info for given user
     // usertree/userfilter are templates; _makeFilter() presumably substitutes
     // the $info values (user, server) into them - confirm
     $base = $this->_makeFilter($this->getConf('usertree'), $info);
     if ($this->getConf('userfilter')) {
         $filter = $this->_makeFilter($this->getConf('userfilter'), $info);
     } else {
         // no user filter configured: match every entry below $base
         $filter = "(ObjectClass=*)";
     }
     $sr = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('userscope'));
     // a failed search ($sr not a result) is only caught indirectly: '@' hides the
     // warning and the is_array() check below turns it into "user not found"
     $result = @ldap_get_entries($this->con, $sr);
     $this->_debug('LDAP user search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
     $this->_debug('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
     // Don't accept more or less than one response
     if (!is_array($result) || $result['count'] != 1) {
         return false;
         //user not found
     }
     $user_result = $result[0];
     ldap_free_result($sr);
     // general user info
     // ldap_get_entries() returns each attribute as a list with a 'count' key;
     // [0] picks the first value of a possibly multi-valued attribute
     $info['dn'] = $user_result['dn'];
     $info['gid'] = $user_result['gidnumber'][0];
     $info['mail'] = $user_result['mail'][0];
     $info['name'] = $user_result['cn'][0];
     $info['grps'] = array();
     // overwrite if other attribs are specified.
     if (is_array($this->getConf('mapping'))) {
         foreach ($this->getConf('mapping') as $localkey => $key) {
             if (is_array($key)) {
                 // use regexp to clean up user_result
                 // the mapping entry is [attribute => regexp]; each() is deprecated
                 // since PHP 7.2 and removed in 8.0 (key()/current() or foreach replace it)
                 list($key, $regexp) = each($key);
                 // truthiness check; raises a notice when the attribute is absent from the entry
                 if ($user_result[$key]) {
                     foreach ($user_result[$key] as $grpkey => $grp) {
                         // skip the 'count' element; the configured regexp is expected
                         // to have one capture group, $match[1] is what gets stored
                         if ($grpkey !== 'count' && preg_match($regexp, $grp, $match)) {
                             if ($localkey == 'grps') {
                                 // groups accumulate, every other mapped field keeps the last match
                                 $info[$localkey][] = $match[1];
                             } else {
                                 $info[$localkey] = $match[1];
                             }
                         }
                     }
                 }
             } else {
                 // plain mapping: first value of the named attribute
                 $info[$localkey] = $user_result[$key][0];
             }
         }
     }
     // merged entry so the group templates below can reference both the
     // mapped fields and the raw attributes
     $user_result = array_merge($info, $user_result);
     //get groups for given user if grouptree is given
     if ($this->getConf('grouptree') || $this->getConf('groupfilter')) {
         $base = $this->_makeFilter($this->getConf('grouptree'), $user_result);
         $filter = $this->_makeFilter($this->getConf('groupfilter'), $user_result);
         // only the group key attribute is requested from the server
         $sr = $this->_ldapsearch($this->con, $base, $filter, $this->getConf('groupscope'), array($this->getConf('groupkey')));
         $this->_debug('LDAP group search: ' . htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
         $this->_debug('LDAP search at: ' . htmlspecialchars($base . ' ' . $filter), 0, __LINE__, __FILE__);
         // unlike the user search above, a failed group search is reported to the user
         if (!$sr) {
             msg("LDAP: Reading group memberships failed", -1);
             return false;
         }
         $result = ldap_get_entries($this->con, $sr);
         ldap_free_result($sr);
         if (is_array($result)) {
             // $result also carries a top-level 'count' element; it has no groupkey
             // attribute so the !empty() check skips it
             foreach ($result as $grp) {
                 if (!empty($grp[$this->getConf('groupkey')][0])) {
                     $this->_debug('LDAP usergroup: ' . htmlspecialchars($grp[$this->getConf('groupkey')][0]), 0, __LINE__, __FILE__);
                     $info['grps'][] = $grp[$this->getConf('groupkey')][0];
                 }
             }
         }
     }
     // always add the default group to the list of groups
     // ('or' binds looser than '||' but is fine inside this if(); in_array() compares loosely)
     if (!$info['grps'] or !in_array($conf['defaultgroup'], $info['grps'])) {
         $info['grps'][] = $conf['defaultgroup'];
     }
     return $info;
 }
 /**
  * auth_encrypt() followed by auth_decrypt() with the same secret must
  * give back the original input, including non-ASCII bytes and quotes.
  */
 function testDeEncrypt()
 {
     $plain = "OnA28asdfäakgß*+!\"+*";
     $key = "oeaf1öasdöflk§";
     $roundTrip = auth_decrypt(auth_encrypt($plain, $key), $key);
     $this->assertEquals($plain, $roundTrip);
 }