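/**
 * Locate the raw Authorization header the client sent.
 *
 * Different SAPIs expose the header in different places, so several
 * locations are tried in order. The final fallback reads it from the request
 * parameters (`auth`), i.e. credentials are also accepted from the query
 * string or POST body; that is pre-existing behaviour kept for compatibility.
 *
 * @return string|null the header value, or null if none was found
 */
function authorize_mode_request_header()
{
    // apache_request_headers() is not consulted under safe_mode (kept from the original)
    if (function_exists('apache_request_headers') && !ini_get('safe_mode')) {
        $headers = apache_request_headers();
        return isset($headers['Authorization']) ? $headers['Authorization'] : null;
    }
    foreach (array('PHP_AUTH_DIGEST', 'HTTP_AUTHORIZATION') as $key) {
        if (isset($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    if (isset($_ENV['PHP_AUTH_DIGEST'])) {
        return $_ENV['PHP_AUTH_DIGEST'];
    }
    if (isset($_SERVER['Authorization'])) {
        return $_SERVER['Authorization'];
    }
    if (isset($_REQUEST['auth'])) {
        return stripslashes(urldecode($_REQUEST['auth']));
    }
    return null;
}

/**
 * Parse the parameter list of a Digest Authorization header into a map.
 *
 * Accepts both quoted ("...") and bare token values. Every field the
 * verification reads is guaranteed to be present (defaulting to ''), so a
 * client that omits a field gets a clean failed login instead of an
 * undefined-index notice.
 *
 * @param string $digest the header value with the "Digest " prefix removed
 * @return array<string,string> field name => value
 */
function authorize_mode_parse_digest($digest)
{
    $fields = array(
        'username' => '',
        'realm' => '',
        'nonce' => '',
        'uri' => '',
        'qop' => '',
        'nc' => '',
        'cnonce' => '',
        'response' => '',
        'opaque' => '',
    );
    preg_match_all('/(\\w+)=(?:"([^"]+)"|([^\\s,]+))/', $digest, $matches, PREG_SET_ORDER);
    foreach ($matches as $m) {
        // group 2 is the quoted form, group 3 the bare token; PCRE reports an
        // unmatched middle group as '' and omits an unmatched trailing group,
        // so test for '' rather than truthiness (a quoted "0" is a valid value)
        $fields[$m[1]] = $m[2] !== '' ? $m[2] : (isset($m[3]) ? $m[3] : '');
    }
    return $fields;
}

/**
 * Load the per-user profile overrides for a Digest username.
 *
 * Multi-user phpMyOpenID support (added by Ben Dodson): a file named
 * ./config/<username>.php may override entries of the profile. The username
 * comes straight from the client's Authorization header, so it is checked
 * against a strict character whitelist (no path separators, no leading or
 * doubled dots) before it is used to build a filesystem path; anything else
 * is treated as "no override file" rather than handed to require.
 *
 * The config file is expected to assign into $profile (either replacing it
 * or setting individual keys) — TODO confirm against the shipped config files.
 *
 * @param array  $base     the current global profile
 * @param string $username the username field of the Digest header
 * @return array the merged profile (entries from the file win over $base)
 */
function authorize_mode_user_profile(array $base, $username)
{
    if (!preg_match('/^[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*$/', $username)) {
        return $base;
    }
    $config = './config/' . strtolower($username) . '.php';
    if (!file_exists($config)) {
        return $base;
    }
    // start from the base so a file that only sets single keys still works
    $profile = $base;
    require $config;
    return array_merge($base, $profile);
}

/**
 * Perform a user authorization
 *
 * Runs the HTTP Digest challenge/response: a request carrying a valid Digest
 * header for the configured user marks the session authorized and redirects
 * to post_auth_url; anything else re-issues the 401 challenge with a fresh
 * nonce and refreshes the browser to cancel_auth_url.
 *
 * @global array $profile
 */
function authorize_mode()
{
    global $profile;
    // this is a user session
    user_session();
    // the user needs refresh urls in their session to access this mode
    if (!isset($_SESSION['post_auth_url']) || !isset($_SESSION['cancel_auth_url'])) {
        error_500('You may not access this mode directly.');
    }
    $raw = authorize_mode_request_header();
    debug('Authorization header: ' . $raw);
    // strip the "Digest " scheme prefix; any other value is taken verbatim
    $digest = null;
    if ($raw !== null) {
        $digest = substr($raw, 0, 7) === 'Digest ' ? substr($raw, strpos($raw, ' ') + 1) : $raw;
    }
    $stale = false;
    // is the user trying to log in?
    if ($digest !== null && $profile['authorized'] === false) {
        debug('Digest headers: ' . $digest);
        $hdr = authorize_mode_parse_digest($digest);
        debug($hdr, 'Parsed digest headers:');
        if (!isset($_SESSION['failures'])) {
            $_SESSION['failures'] = 0;
        }
        // the nonce is single-use: a response to anything but the nonce issued
        // last is stale, and the issued nonce is consumed either way
        if (isset($_SESSION['uniqid'])) {
            $stale = $hdr['nonce'] !== (string) $_SESSION['uniqid'];
            unset($_SESSION['uniqid']);
        }
        // multi-user support: a per-user config may override the global profile
        $profile = authorize_mode_user_profile($profile, $hdr['username']);
        if ((string) $profile['auth_username'] === $hdr['username'] && !$stale) {
            $method = $_SERVER['REQUEST_METHOD'];
            // auth_password is used directly as HA1 (presumably stored pre-hashed) — verify against the config format
            $a1 = strtolower($profile['auth_password']);
            if ($hdr['qop'] === 'auth-int') {
                // the entity body should always be empty in this case
                $a2 = md5($method . ':' . $hdr['uri'] . ':' . md5(''));
            } else {
                $a2 = md5($method . ':' . $hdr['uri']);
            }
            $expected = md5(implode(':', array($a1, $hdr['nonce'], $hdr['nc'], $hdr['cnonce'], $hdr['qop'], $a2)));
            // constant-time, strict comparison: a loose `==` would also treat two
            // numeric-looking digests (e.g. "0e...") as equal
            if (hash_equals($expected, $hdr['response'])) {
                // successful login!
                debug('Authentication successful');
                debug('User session is: ' . session_id());
                $_SESSION['auth_username'] = $hdr['username'];
                $_SESSION['auth_url'] = $profile['idp_url'];
                $profile['authorized'] = true;
                // return to the refresh url if they get in
                wrap_redirect($_SESSION['post_auth_url']);
            } else {
                // failed login
                $_SESSION['failures']++;
                debug('Login failed: ' . $hdr['response'] . ' != ' . $expected);
                debug('Fail count: ' . $_SESSION['failures']);
            }
        } elseif ((string) $profile['auth_username'] !== $hdr['username']) {
            $_SESSION['failures']++;
            debug('Bad username: ' . $hdr['username']);
            debug('Fail count: ' . $_SESSION['failures']);
        }
        // does this make too many failures? "nc" is the client's request count on
        // this nonce; compare it numerically (strcmp ordered "10" below "4")
        if (hexdec($hdr['nc']) > 4 || $_SESSION['failures'] > 4) {
            debug('Too many password failures');
            error_get($_SESSION['cancel_auth_url'], 'Too many password failures. Double check your authorization realm. You must restart your browser to try again.');
        }
    } elseif (isset($_SESSION['uniqid']) && $digest === null && $profile['authorized'] === false) {
        unset($_SESSION['uniqid']);
        error_500('Missing expected authorization header.');
    }
    // if we get this far the user is not authorized, so send the headers;
    // the nonce must be unpredictable, so prefer the CSPRNG when available
    $uid = function_exists('random_bytes') ? bin2hex(random_bytes(16)) : uniqid(mt_rand(1, 9));
    $_SESSION['uniqid'] = $uid;
    debug('Prompting user to log in. Stale? ' . $stale);
    header('HTTP/1.0 401 Unauthorized');
    header(sprintf('WWW-Authenticate: Digest qop="auth-int, auth", realm="%s", domain="%s", nonce="%s", opaque="%s", stale="%s", algorithm="MD5"', $profile['auth_realm'], $profile['auth_domain'], $uid, md5($profile['auth_realm']), $stale ? 'true' : 'false'));
    // a '?' at position 0 is still a query string, hence the explicit false check
    $q = strpos($_SESSION['cancel_auth_url'], '?') !== false ? '&' : '?';
    wrap_refresh($_SESSION['cancel_auth_url'] . $q . 'openid.mode=cancel');
}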
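/**
 * Perform a user authorization
 *
 * ownCloud variant: authenticates with HTTP Basic against the ownCloud user
 * backend (OCP\User::checkPassword) instead of the Digest exchange. Only the
 * identity owner ($USERNAME) may log in; on success the session is flagged
 * and the browser is redirected to post_auth_url, otherwise a new 401
 * challenge is sent and the browser refreshes to cancel_auth_url.
 *
 * @global array  $profile
 * @global string $USERNAME the ownCloud user who owns this identity
 * @global string $IDENTITY the identity URL published as idp_url
 */
function authorize_mode()
{
    global $profile;
    global $USERNAME;
    global $IDENTITY;
    // the user needs refresh urls in their session to access this mode
    if (!isset($_SESSION['post_auth_url']) || !isset($_SESSION['cancel_auth_url'])) {
        error_500('You may not access this mode directly.');
    }
    $profile['idp_url'] = $IDENTITY;
    // the counter is incremented below; make sure it exists first
    if (!isset($_SESSION['failures'])) {
        $_SESSION['failures'] = 0;
    }
    $sentUser = isset($_SERVER['PHP_AUTH_USER']) ? (string) $_SERVER['PHP_AUTH_USER'] : null;
    // browsers may send a user without a password; treat that as an empty password
    $sentPass = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : '';
    // strict comparison: the username must be exactly the identity owner
    if ($sentUser !== null && $profile['authorized'] === false && $sentUser === (string) $USERNAME) {
        if (OCP\User::checkPassword($USERNAME, $sentPass)) {
            // successful login!
            // NOTE(review): consider session_regenerate_id(true) here to prevent session
            // fixation — confirm it is compatible with ownCloud's session handling
            $_SESSION['openid_auth'] = true;
            $_SESSION['openid_user'] = $USERNAME;
            // return to the refresh url if they get in
            wrap_redirect($_SESSION['post_auth_url']);
        } else {
            // failed login
            // NOTE(review): unlike the Digest flow, nothing caps the failure count here
            $_SESSION['failures']++;
            debug('Login failed');
            debug('Fail count: ' . $_SESSION['failures']);
        }
    }
    // if we get this far the user is not authorized, so send the headers
    // (the nonce is a leftover of the Digest flow; kept in case other modes read it)
    $uid = uniqid(mt_rand(1, 9));
    $_SESSION['uniqid'] = $uid;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="ownCloud"');
    // a '?' at position 0 is still a query string, hence the explicit false check
    $q = strpos($_SESSION['cancel_auth_url'], '?') !== false ? '&' : '?';
    wrap_refresh($_SESSION['cancel_auth_url'] . $q . 'openid.mode=cancel');
}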
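/**
 * Allow a user to perform a static logout
 *
 * Empties and destroys the server-side session and also expires the session
 * cookie in the browser, so the old session id cannot be presented again
 * (session_destroy() alone leaves the cookie in place). Ends by refreshing
 * the browser to the identity URL.
 *
 * @global array $profile
 */
function logout_mode()
{
    global $profile;
    user_session();
    if (!$profile['authorized']) {
        wrap_html('You were not logged in');
    }
    $_SESSION = array();
    // expire the client-side cookie too, using the parameters it was issued with
    if (ini_get('session.use_cookies')) {
        $params = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    }
    session_destroy();
    debug('User session destroyed.');
    header('HTTP/1.0 401 Unauthorized');
    wrap_refresh($profile['idp_url']);
}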