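/**
 * Verifies a Yubikey OTP against the Yubico API and returns the key's public id (the OTP prefix).
 *
 * The adapter is driven directly instead of through Zend_Auth::getInstance(), so a rejected
 * OTP does not clear whatever identity is already stored in the session.
 *
 * @param string $yubikey the full OTP as typed by the user
 * @return string|false the public id when the OTP validates, false otherwise
 */
private function _getYubikeyPublicId($yubikey) {
    $authAdapter = new Monkeys_Auth_Adapter_Yubikey(
        array('api_id' => $this->_config->yubikey->api_id, 'api_key' => $this->_config->yubikey->api_key),
        null,
        $yubikey
    );
    // do not go through Zend_Auth::getInstance() to avoid losing the session if
    // the yubikey is invalid
    $result = $authAdapter->authenticate();
    if ($result->isValid()) {
        $parts = Yubico_Auth::parsePasswordOTP($yubikey);
        // a validated OTP should always parse; guard anyway so the caller never receives null
        return ($parts && isset($parts['prefix'])) ? $parts['prefix'] : false;
    }

    $logger = Zend_Registry::get('logger');
    $logger->log("Invalid authentication: " . implode(' - ', $result->getMessages()), Zend_Log::DEBUG);
    $authOptions = $authAdapter->getOptions();
    if (isset($authOptions['yubiClient']) && $authOptions['yubiClient']) {
        // NOTE(review): the raw API request presumably carries the submitted OTP; keep this at DEBUG only — confirm
        $logger->log("Yubi request was: " . $authOptions['yubiClient']->getlastQuery(), Zend_Log::DEBUG);
    }

    return false;
}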
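/**
 * Authenticates a user against the configured backend (Yubikey OTP, LDAP bind, or the local
 * users table) and, on success, stores the user object in the Zend_Auth session storage and in
 * the registry under 'user'.
 *
 * In CID we chose from the beginning not to use SET NAMES, and instead leave the charset encodings configurations
 * to remain in the database server side (my.cnf).
 *
 * CID's strings are UTF8. If character_set_client is not UTF8 but latin1 for example (unfortunately that's the common case),
 * non-latin1 characters will appear garbled when manually browsing the db, but they should show OK in CID's web pages.
 *
 * When authenticating below, we use MySQL's MD5 function. From my tests, it looks like the argument of this function
 * gets automatically converted to the charset of that field. Sorta like if we had implicitly MD5(CONVERT(arg using charset)).
 * When the tables are built during setup, the charset of string fields is set according to the my.cnf directives
 * character-set-server and collation-server.
 * If those directives don't match character_set_client, the conversion inside MD5 will in fact transform the string, and we'll
 * get the MD5 of a different string than what we had intended (well, only if the string contains non-latin1 characters).
 * For this reason we have to override that conversion, converting to the charset specified in character_set_client, as shown below.
 *
 * The stored credential is MD5(openid . password). MD5 is not an adequate password hash; replacing it
 * means a data migration and is outside the scope of this method.
 *
 * @param string         $identity                   username, or the OpenID identifier when $isOpenId is true
 * @param string         $password                   password, or the full Yubikey OTP for Yubikey logins
 * @param bool           $isOpenId                   whether $identity is an OpenID identifier
 * @param Zend_View|null $view                       passed through to getUserWithUsername()
 * @param bool           $bypassMarkSuccessfullLogin when true, markSuccessfullLogin() is not called on the user
 * @return bool true when the credentials were accepted, false otherwise
 * @throws Zend_Exception when a Yubikey login is attempted without api_id/api_key configured, or when
 *                        character_set_client cannot be read from the database server
 */
public function authenticate($identity, $password, $isOpenId = false, Zend_View $view = null, $bypassMarkSuccessfullLogin = false) {
    $config = Zend_Registry::get('config');

    if ($isOpenId) {
        // normalize() rewrites $identity in place; an identifier that cannot be normalized cannot be looked up
        if (!Zend_OpenId::normalize($identity)) {
            return false;
        }
        if (!($this->_user = $this->getUserWithOpenId($identity))) {
            return false;
        }
        // account name used for the LDAP bind, when LDAP is the backend
        $cn = $this->_user->username;
    } else {
        $cn = $identity;
        $this->_user = $this->getUserWithUsername($identity, false, $view);
    }

    $useYubikey = false;
    if ($this->_user && $config->yubikey->enabled
        && ($this->_user->auth_type == Users_Model_User::AUTH_YUBIKEY || $config->yubikey->force)) {
        // the OTP prefix has to match the key registered for this user before we spend an API call on it
        $parts = Yubico_Auth::parsePasswordOTP($password);
        if (!$parts || $this->_user->yubikey_publicid != $parts['prefix']) {
            return false;
        }
        $useYubikey = true;
    }

    if ($useYubikey) {
        $authAdapter = $this->_createYubikeyAuthAdapter($config, $identity, $password);
    } elseif ($config->ldap->enabled) {
        $authAdapter = $this->_createLdapAuthAdapter($config->ldap, $cn, $password);
    } else {
        $authAdapter = $this->_createDbAuthAdapter($isOpenId, $identity, $password);
    }

    $auth = Zend_Auth::getInstance();
    $result = $auth->authenticate($authAdapter);
    if (!$result->isValid()) {
        // this is ugly, logging should be done in the controller, not here
        $this->_logFailedAuthentication($result, $authAdapter);
        return false;
    }

    if (!$isOpenId) {
        try {
            $this->_user = $this->getUserWithUsername($identity, true, $view);
        } catch (Exception $e) {
            // avoid leaving in the session an empty user object
            $auth->clearIdentity();
            Zend_Session::forgetMe();
            throw $e;
        }
    }
    if (!$bypassMarkSuccessfullLogin) {
        $this->_user->markSuccessfullLogin();
    }
    $this->_user->save();
    $auth->getStorage()->write($this->_user);
    Zend_Registry::set('user', $this->_user);

    return true;
}

/**
 * Builds the Yubikey OTP adapter from the 'yubikey' config section.
 *
 * @param Zend_Config $config   the application config
 * @param string      $identity identity handed to the adapter
 * @param string      $password the full OTP
 * @return Monkeys_Auth_Adapter_Yubikey
 * @throws Zend_Exception when api_id or api_key is missing from the configuration
 */
private function _createYubikeyAuthAdapter($config, $identity, $password) {
    // isset() instead of '@': a missing section must not raise a notice but must still be rejected
    $apiId = isset($config->yubikey->api_id) ? $config->yubikey->api_id : null;
    $apiKey = isset($config->yubikey->api_key) ? $config->yubikey->api_key : null;
    if (!$apiId || !$apiKey) {
        throw new Zend_Exception('Admin must set the yubikey configuration options before attempting to log in using this method');
    }

    return new Monkeys_Auth_Adapter_Yubikey(array('api_id' => $apiId, 'api_key' => $apiKey), $identity, $password);
}

/**
 * Builds an LDAP adapter that binds directly as the user being authenticated.
 *
 * @param Zend_Config $ldapConfig the 'ldap' config section
 * @param string      $username   account name to bind with
 * @param string      $password   password to bind with
 * @return Zend_Auth_Adapter_Ldap
 */
private function _createLdapAuthAdapter($ldapConfig, $username, $password) {
    $ldapOptions = $ldapConfig->toArray();
    $ldapOptions['accountCanonicalForm'] = Zend_Ldap::ACCTNAME_FORM_USERNAME;
    // CID-specific settings that are not meant for the adapter
    foreach (array('enabled', 'admin', 'fields', 'keepRecordsSynced', 'canChangePassword', 'passwordHashing') as $key) {
        unset($ldapOptions[$key]);
    }
    // we'll try to bind directly as the user to be authenticated, so we're unsetting
    // the LDAP admin credentials
    unset($ldapOptions['username'], $ldapOptions['password']);

    // bind as the account being authenticated: a placeholder username can never authenticate a real user
    return new Zend_Auth_Adapter_Ldap(array('server1' => $ldapOptions), $username, $password);
}

/**
 * Builds the users-table adapter. Both the salt column and the bound password are converted to
 * character_set_client inside the credential treatment; see the explanation on authenticate().
 *
 * @param bool   $isOpenId whether to match on the 'openid' column instead of 'username'
 * @param string $identity value looked up in the identity column
 * @param string $password plaintext password bound into the treatment
 * @return Zend_Auth_Adapter_DbTable
 * @throws Zend_Exception when character_set_client cannot be read or is not a plain identifier
 */
private function _createDbAuthAdapter($isOpenId, $identity, $password) {
    $db = $this->getAdapter();
    $row = $db->query("SHOW VARIABLES LIKE 'character_set_client'")->fetch();
    // the charset name is spliced into SQL below, so accept only a plain identifier
    if (!$row || empty($row['Value']) || !preg_match('/^\w+$/', $row['Value'])) {
        throw new Zend_Exception('Could not determine character_set_client');
    }
    $clientCharset = $row['Value'];

    // the stored password is MD5(openid . password), hence openid is part of the treatment for both identity columns
    $treatment = 'MD5(CONCAT(CONVERT(openid using ' . $clientCharset . '), CONVERT(? using ' . $clientCharset . ')))';
    $identityColumn = $isOpenId ? 'openid' : 'username';

    $authAdapter = new Zend_Auth_Adapter_DbTable($db, 'users', $identityColumn, 'password', $treatment);
    $authAdapter->setIdentity($identity);
    $authAdapter->setCredential($password);

    return $authAdapter;
}

/**
 * Logs at DEBUG level why an authentication attempt was rejected.
 *
 * @param Zend_Auth_Result $result      the failed result
 * @param object           $authAdapter the adapter that produced it
 * @return void
 */
private function _logFailedAuthentication($result, $authAdapter) {
    $logger = Zend_Registry::get('logger');
    $logger->log("Invalid authentication: " . implode(' - ', $result->getMessages()), Zend_Log::DEBUG);
    if ($authAdapter instanceof Monkeys_Auth_Adapter_Yubikey) {
        $authOptions = $authAdapter->getOptions();
        if (isset($authOptions['yubiClient']) && $authOptions['yubiClient']) {
            // NOTE(review): the raw API request presumably carries the submitted OTP; keep this at DEBUG only — confirm
            $logger->log("Yubi request was: " . $authOptions['yubiClient']->getlastQuery(), Zend_Log::DEBUG);
        }
    }
}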