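/**
 * Perform a user authorization (HTTP Digest).
 *
 * Looks up the client's Authorization header wherever the SAPI exposes it,
 * parses the Digest fields, optionally loads a per-user config from
 * ./config/<username>.php, and verifies the response hash against
 * $profile['auth_username'] / $profile['auth_password']. On success the
 * session is marked authorized and the browser is redirected to
 * $_SESSION['post_auth_url']; otherwise a 401 challenge with a fresh nonce is
 * sent and the browser is refreshed to $_SESSION['cancel_auth_url'] with
 * openid.mode=cancel.
 *
 * Session keys used: post_auth_url, cancel_auth_url (both required), failures,
 * uniqid (the last issued nonce, single-use), auth_username, auth_url.
 * error_500(), error_get(), wrap_redirect() and wrap_refresh() are assumed to
 * end the request — TODO confirm, nothing below guards against fall-through.
 *
 * @global array $profile
 */
function authorize_mode() {
    global $profile;

    // this is a user session
    user_session();

    // the user needs refresh urls in their session to access this mode
    if (!isset($_SESSION['post_auth_url']) || !isset($_SESSION['cancel_auth_url'])) {
        error_500('You may not access this mode directly.');
    }

    $raw = _authorize_mode_raw_header();
    debug('Authorization header: ' . $raw);

    // strip the "Digest " scheme; anything else is passed through unchanged
    $digest = (is_string($raw) && substr($raw, 0, 7) === 'Digest ')
        ? substr($raw, strpos($raw, ' ') + 1)
        : $raw;
    $stale = false;

    // is the user trying to log in?
    if (!is_null($digest) && $profile['authorized'] === false) {
        debug('Digest headers: ' . $digest);
        $auth = _authorize_mode_parse_digest($digest);
        debug($auth, 'Parsed digest headers:');

        if (!isset($_SESSION['failures'])) {
            $_SESSION['failures'] = 0;
        }

        // a nonce other than the one issued last is stale; either way the
        // issued nonce is consumed here so it cannot be replayed
        if (isset($_SESSION['uniqid'])) {
            if ($auth['nonce'] !== $_SESSION['uniqid']) {
                $stale = true;
            }
            unset($_SESSION['uniqid']);
        }

        /*******************************************************************
         START MULTI USER PHPMYOPENID ADDED BY BEN DODSON
        *******************************************************************/
        // The username is client-controlled and becomes part of a require()
        // path: only a bare file name is accepted, so directory separators,
        // "../" segments and NUL bytes can never reach the filesystem.
        $phpmyopenid = $profile;
        $configUser = strtolower($auth['username']);
        if ($configUser !== ''
            && $configUser === basename($configUser)
            && strpos($configUser, "\0") === false) {
            $config = './config/' . $configUser . '.php';
            if (file_exists($config)) {
                require $config;
            }
        }
        // the per-user file may overwrite $profile; keys it sets win
        $profile = array_merge($phpmyopenid, $profile);
        /*******************************************************************
         END MULTI USER PHPMYOPENID ADDED BY BEN DODSON
        *******************************************************************/

        $authUser = isset($profile['auth_username']) ? $profile['auth_username'] : null;

        if ($authUser === $auth['username'] && !$stale) {
            // the entity body should always be null in this case
            $entity_body = '';
            // auth_password is used directly as A1, i.e. it must already hold
            // the lower-case HA1 digest rather than a clear-text password —
            // confirm against the config format
            $a1 = strtolower($profile['auth_password']);
            $a2 = $auth['qop'] === 'auth-int'
                ? md5(implode(':', array($_SERVER['REQUEST_METHOD'], $auth['uri'], md5($entity_body))))
                : md5(implode(':', array($_SERVER['REQUEST_METHOD'], $auth['uri'])));
            $ok = md5(implode(':', array($a1, $auth['nonce'], $auth['nc'], $auth['cnonce'], $auth['qop'], $a2)));

            // successful login! (constant-time compare: the response is client data)
            if (_authorize_mode_equals($ok, $auth['response'])) {
                debug('Authentication successful');
                debug('User session is: ' . session_id());
                $_SESSION['auth_username'] = $auth['username'];
                $_SESSION['auth_url'] = $profile['idp_url'];
                $profile['authorized'] = true;
                // return to the refresh url if they get in
                wrap_redirect($_SESSION['post_auth_url']);
            // failed login
            } else {
                $_SESSION['failures']++;
                debug('Login failed: ' . $auth['response'] . ' != ' . $ok);
                debug('Fail count: ' . $_SESSION['failures']);
            }
        } elseif ($authUser !== $auth['username']) {
            $_SESSION['failures']++;
            debug('Bad username: ' . $auth['username']);
            debug('Fail count: ' . $_SESSION['failures']);
        }

        // does this make too many failures?
        // nc is a hex request counter; compare it numerically (comparing the
        // decimal string with strcmp let e.g. nc=0000000a through, "10" < "4")
        if (hexdec($auth['nc']) > 4 || $_SESSION['failures'] > 4) {
            debug('Too many password failures');
            error_get($_SESSION['cancel_auth_url'], 'Too many password failures. Double check your authorization realm. You must restart your browser to try again.');
        }
    } elseif (isset($_SESSION['uniqid']) && is_null($digest) && $profile['authorized'] === false) {
        unset($_SESSION['uniqid']);
        error_500('Missing expected authorization header.');
    }

    // if we get this far the user is not authorized, so send the headers.
    // NOTE: uniqid()/mt_rand() are not cryptographic sources, so this nonce is
    // predictable; kept for compatibility with this PHP 5 era file — prefer
    // bin2hex(random_bytes(16)) where PHP >= 7 is available.
    $uid = uniqid(mt_rand(1, 9));
    $_SESSION['uniqid'] = $uid;
    debug('Prompting user to log in. Stale? ' . $stale);
    header('HTTP/1.0 401 Unauthorized');
    header(sprintf(
        'WWW-Authenticate: Digest qop="auth-int, auth", realm="%s", domain="%s", nonce="%s", opaque="%s", stale="%s", algorithm="MD5"',
        $profile['auth_realm'],
        $profile['auth_domain'],
        $uid,
        md5($profile['auth_realm']),
        $stale ? 'true' : 'false'
    ));
    // a '?' at position 0 is still a query string, hence the explicit !== false
    $q = strpos($_SESSION['cancel_auth_url'], '?') !== false ? '&' : '?';
    wrap_refresh($_SESSION['cancel_auth_url'] . $q . 'openid.mode=cancel');
}

/**
 * Find the raw Authorization header wherever this SAPI exposes it.
 *
 * Lookup order is unchanged from the original: apache_request_headers()
 * (unless safe_mode is on), then the PHP_AUTH_DIGEST / HTTP_AUTHORIZATION /
 * Authorization server variables, $_ENV, and finally an "auth" request
 * parameter for servers that strip the header entirely.
 *
 * @return string|null the header value, or null when none is present
 */
function _authorize_mode_raw_header() {
    if (function_exists('apache_request_headers') && !ini_get('safe_mode')) {
        $arh = apache_request_headers();
        return isset($arh['Authorization']) ? $arh['Authorization'] : null;
    }
    foreach (array('PHP_AUTH_DIGEST', 'HTTP_AUTHORIZATION') as $key) {
        if (isset($_SERVER[$key])) {
            return $_SERVER[$key];
        }
    }
    if (isset($_ENV['PHP_AUTH_DIGEST'])) {
        return $_ENV['PHP_AUTH_DIGEST'];
    }
    if (isset($_SERVER['Authorization'])) {
        return $_SERVER['Authorization'];
    }
    if (isset($_REQUEST['auth'])) {
        // last resort: the client passed the header url-encoded as a parameter
        return stripslashes(urldecode($_REQUEST['auth']));
    }
    return null;
}

/**
 * Decode the key=value / key="value" pairs of a Digest Authorization header.
 *
 * Every field the verification step reads is pre-seeded with '' so a header
 * that omits one (or a malformed header) cannot trigger undefined-index
 * notices; unknown fields are kept as well.
 *
 * @param string $digest header value with the "Digest " scheme removed
 * @return array<string, string>
 */
function _authorize_mode_parse_digest($digest) {
    $fields = array(
        'username' => '',
        'realm' => '',
        'nonce' => '',
        'uri' => '',
        'qop' => '',
        'nc' => '',
        'cnonce' => '',
        'response' => '',
        'opaque' => '',
    );
    preg_match_all('/(\\w+)=(?:"([^"]+)"|([^\\s,]+))/', $digest, $mtx, PREG_SET_ORDER);
    foreach ($mtx as $m) {
        // $m[2] is the quoted form, $m[3] the bare one; test for the empty
        // string rather than truthiness so a quoted "0" is kept
        $fields[$m[1]] = $m[2] !== '' ? $m[2] : $m[3];
    }
    return $fields;
}

/**
 * Constant-time string equality, so the digest comparison does not leak how
 * many leading characters of the expected response matched.
 *
 * Uses hash_equals() where available (PHP >= 5.6) and an equivalent
 * XOR-accumulating loop otherwise.
 *
 * @param string $known the value computed server-side
 * @param string $user  the value supplied by the client
 * @return bool
 */
function _authorize_mode_equals($known, $user) {
    $known = (string) $known;
    $user = (string) $user;
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    $len = strlen($known);
    if ($len !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $len; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}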
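/**
 * Perform a user authorization (HTTP Basic, ownCloud user backend).
 *
 * Checks the Basic credentials in PHP_AUTH_USER / PHP_AUTH_PW against the
 * ownCloud account named by $USERNAME. On success the session gets
 * openid_auth / openid_user and the browser is redirected to
 * $_SESSION['post_auth_url']; otherwise a 401 Basic challenge is sent and the
 * browser is refreshed to $_SESSION['cancel_auth_url'] with openid.mode=cancel.
 *
 * error_500(), wrap_redirect() and wrap_refresh() are assumed to end the
 * request — TODO confirm, nothing below guards against fall-through.
 * NOTE(review): unlike the Digest variant this does not call user_session();
 * presumably the ownCloud bootstrap has already started the session — confirm,
 * otherwise $_SESSION below is not populated.
 *
 * @global array  $profile
 * @global string $USERNAME ownCloud account that owns this identity
 * @global string $IDENTITY identity URL, copied into $profile['idp_url']
 */
function authorize_mode() {
    global $profile;
    global $USERNAME;
    global $IDENTITY;

    // the user needs refresh urls in their session to access this mode
    if (!isset($_SESSION['post_auth_url']) || !isset($_SESSION['cancel_auth_url'])) {
        error_500('You may not access this mode directly.');
    }

    $profile['idp_url'] = $IDENTITY;

    // the counter is incremented below; make sure it exists first
    if (!isset($_SESSION['failures'])) {
        $_SESSION['failures'] = 0;
    }

    $basicUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    // PHP_AUTH_PW can be absent when the client sends a user with an empty
    // password; treat that as '' rather than an undefined index
    $basicPassword = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    // only the account that owns this identity may log in here; strict
    // comparison so an empty user name does not match a missing $USERNAME
    if ($basicUser !== null && $profile['authorized'] === false && $basicUser === $USERNAME) {
        if (OCP\User::checkPassword($USERNAME, $basicPassword)) {
            // successful login! return to the refresh url
            $_SESSION['openid_auth'] = true;
            $_SESSION['openid_user'] = $USERNAME;
            wrap_redirect($_SESSION['post_auth_url']);
        } else {
            // failed login: counted but not enforced here (the Digest variant
            // stops after 4 failures; consider applying the same limit)
            $_SESSION['failures']++;
            debug('Login failed');
            debug('Fail count: ' . $_SESSION['failures']);
        }
    }

    // if we get this far the user is not authorized, so send the headers.
    // The nonce kept in the session comes from the Digest variant; whether
    // anything still reads it is not visible here, so it is left in place.
    $uid = uniqid(mt_rand(1, 9));
    $_SESSION['uniqid'] = $uid;
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="ownCloud"');
    // a '?' at position 0 is still a query string, hence the explicit !== false
    $q = strpos($_SESSION['cancel_auth_url'], '?') !== false ? '&' : '?';
    wrap_refresh($_SESSION['cancel_auth_url'] . $q . 'openid.mode=cancel');
}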
/**
 * Allow a user to perform a static logout.
 *
 * Clears and destroys the whole PHP session, answers 401 and sends the
 * browser back to the identity provider URL. When the user was not
 * authorized, wrap_html() is called first; whether it ends the request is
 * not visible here — TODO confirm (if it does not, the session is still
 * destroyed below).
 *
 * @global array $profile
 */
function logout_mode() {
    global $profile;

    user_session();

    $wasAuthorized = (bool) $profile['authorized'];
    if (!$wasAuthorized) {
        wrap_html('You were not logged in');
    }

    // capture the redirect target before the session state goes away
    $returnTo = $profile['idp_url'];

    $_SESSION = array();
    session_destroy();
    debug('User session destroyed.');

    header('HTTP/1.0 401 Unauthorized');
    wrap_refresh($returnTo);
}