public function test_plugin()
{
global $DB, $CFG;
$this->resetAfterTest(false);
// NOTE: It is strongly discouraged to create new tables in advanced_testcase classes,
// but there is no other simple way to test ext database enrol sync, so let's
// disable transactions are try to cleanup after the tests.
$this->preventResetByRollback();
$this->init_auth_database();
/** @var auth_plugin_db $auth */
$auth = get_auth_plugin('db');
$authdb = $auth->db_init();
// Test adodb may access the table.
$user1 = (object) array('name' => 'u1', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user1->id = $DB->insert_record('auth_db_users', $user1);
$sql = "SELECT * FROM {$auth->config->table}";
$rs = $authdb->Execute($sql);
$this->assertInstanceOf('ADORecordSet', $rs);
$this->assertFalse($rs->EOF);
$fields = $rs->FetchRow();
$this->assertTrue(is_array($fields));
$this->assertTrue($rs->EOF);
$rs->Close();
$authdb->Close();
// Test bulk user account creation.
$user2 = (object) array('name' => 'u2', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user2->id = $DB->insert_record('auth_db_users', $user2);
$user3 = (object) array('name' => 'admin', 'pass' => 'heslo', 'email' => '*****@*****.**');
// Should be skipped.
$user3->id = $DB->insert_record('auth_db_users', $user3);
$this->assertCount(2, $DB->get_records('user'));
$trace = new null_progress_trace();
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$u1 = $DB->get_record('user', array('username' => $user1->name, 'auth' => 'db'));
$this->assertSame($user1->email, $u1->email);
$u2 = $DB->get_record('user', array('username' => $user2->name, 'auth' => 'db'));
$this->assertSame($user2->email, $u2->email);
$admin = $DB->get_record('user', array('username' => 'admin', 'auth' => 'manual'));
$this->assertNotEmpty($admin);
// Test sync updates.
$user2b = clone $user2;
$user2b->email = '*****@*****.**';
$DB->update_record('auth_db_users', $user2b);
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$u2 = $DB->get_record('user', array('username' => $user2->name));
$this->assertSame($user2->email, $u2->email);
$auth->sync_users($trace, true);
$this->assertEquals(4, $DB->count_records('user'));
$u2 = $DB->get_record('user', array('username' => $user2->name));
$this->assertSame($user2->email, $u2->email);
set_config('field_updatelocal_email', 'onlogin', 'auth/db');
$auth->config->field_updatelocal_email = 'onlogin';
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$u2 = $DB->get_record('user', array('username' => $user2->name));
$this->assertSame($user2->email, $u2->email);
$auth->sync_users($trace, true);
$this->assertEquals(4, $DB->count_records('user'));
$u2 = $DB->get_record('user', array('username' => $user2->name));
$this->assertSame($user2b->email, $u2->email);
// Test sync deletes and suspends.
$DB->delete_records('auth_db_users', array('id' => $user2->id));
$this->assertCount(2, $DB->get_records('auth_db_users'));
unset($user2);
unset($user2b);
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$this->assertEquals(0, $DB->count_records('user', array('deleted' => 1)));
$this->assertEquals(0, $DB->count_records('user', array('suspended' => 1)));
set_config('removeuser', AUTH_REMOVEUSER_SUSPEND, 'auth/db');
$auth->config->removeuser = AUTH_REMOVEUSER_SUSPEND;
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$this->assertEquals(0, $DB->count_records('user', array('deleted' => 1)));
$this->assertEquals(1, $DB->count_records('user', array('suspended' => 1)));
$user2 = (object) array('name' => 'u2', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user2->id = $DB->insert_record('auth_db_users', $user2);
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$this->assertEquals(0, $DB->count_records('user', array('deleted' => 1)));
$this->assertEquals(0, $DB->count_records('user', array('suspended' => 1)));
$DB->delete_records('auth_db_users', array('id' => $user2->id));
set_config('removeuser', AUTH_REMOVEUSER_FULLDELETE, 'auth/db');
$auth->config->removeuser = AUTH_REMOVEUSER_FULLDELETE;
$auth->sync_users($trace, false);
$this->assertEquals(4, $DB->count_records('user'));
$this->assertEquals(1, $DB->count_records('user', array('deleted' => 1)));
$this->assertEquals(0, $DB->count_records('user', array('suspended' => 1)));
$user2 = (object) array('name' => 'u2', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user2->id = $DB->insert_record('auth_db_users', $user2);
$auth->sync_users($trace, false);
$this->assertEquals(5, $DB->count_records('user'));
$this->assertEquals(1, $DB->count_records('user', array('deleted' => 1)));
$this->assertEquals(0, $DB->count_records('user', array('suspended' => 1)));
// Test user_login().
$user3 = (object) array('name' => 'u3', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user3->id = $DB->insert_record('auth_db_users', $user3);
$this->assertFalse($auth->user_login('u4', 'heslo'));
$this->assertTrue($auth->user_login('u1', 'heslo'));
$this->assertFalse($DB->record_exists('user', array('username' => 'u3', 'auth' => 'db')));
$this->assertTrue($auth->user_login('u3', 'heslo'));
$this->assertFalse($DB->record_exists('user', array('username' => 'u3', 'auth' => 'db')));
set_config('passtype', 'md5', 'auth/db');
$auth->config->passtype = 'md5';
$user3->pass = md5('heslo');
$DB->update_record('auth_db_users', $user3);
$this->assertTrue($auth->user_login('u3', 'heslo'));
set_config('passtype', 'sh1', 'auth/db');
$auth->config->passtype = 'sha1';
$user3->pass = sha1('heslo');
$DB->update_record('auth_db_users', $user3);
$this->assertTrue($auth->user_login('u3', 'heslo'));
set_config('passtype', 'internal', 'auth/db');
$auth->config->passtype = 'internal';
create_user_record('u3', 'heslo', 'db');
$this->assertTrue($auth->user_login('u3', 'heslo'));
$DB->delete_records('auth_db_users', array('id' => $user3->id));
set_config('removeuser', AUTH_REMOVEUSER_KEEP, 'auth/db');
$auth->config->removeuser = AUTH_REMOVEUSER_KEEP;
$this->assertTrue($auth->user_login('u3', 'heslo'));
set_config('removeuser', AUTH_REMOVEUSER_SUSPEND, 'auth/db');
$auth->config->removeuser = AUTH_REMOVEUSER_SUSPEND;
$this->assertFalse($auth->user_login('u3', 'heslo'));
set_config('removeuser', AUTH_REMOVEUSER_FULLDELETE, 'auth/db');
$auth->config->removeuser = AUTH_REMOVEUSER_FULLDELETE;
$this->assertFalse($auth->user_login('u3', 'heslo'));
set_config('passtype', 'sh1', 'auth/db');
$auth->config->passtype = 'sha1';
$this->assertFalse($auth->user_login('u3', 'heslo'));
// Test login create and update.
$user4 = (object) array('name' => 'u4', 'pass' => 'heslo', 'email' => '*****@*****.**');
$user4->id = $DB->insert_record('auth_db_users', $user4);
set_config('passtype', 'plaintext', 'auth/db');
$auth->config->passtype = 'plaintext';
$iuser4 = create_user_record('u4', 'heslo', 'db');
$this->assertNotEmpty($iuser4);
$this->assertSame($user4->name, $iuser4->username);
$this->assertSame($user4->email, $iuser4->email);
$this->assertSame('db', $iuser4->auth);
$this->assertSame($CFG->mnet_localhost_id, $iuser4->mnethostid);
$user4b = clone $user4;
$user4b->email = '*****@*****.**';
$DB->update_record('auth_db_users', $user4b);
set_config('field_updatelocal_email', 'oncreate', 'auth/db');
$auth->config->field_updatelocal_email = 'oncreate';
update_user_record('u4');
$iuser4 = $DB->get_record('user', array('id' => $iuser4->id));
$this->assertSame($user4->email, $iuser4->email);
set_config('field_updatelocal_email', 'onlogin', 'auth/db');
$auth->config->field_updatelocal_email = 'onlogin';
update_user_record('u4');
$iuser4 = $DB->get_record('user', array('id' => $iuser4->id));
$this->assertSame($user4b->email, $iuser4->email);
// Test user_exists()
$this->assertTrue($auth->user_exists('u1'));
$this->assertTrue($auth->user_exists('admin'));
$this->assertFalse($auth->user_exists('u3'));
$this->assertTrue($auth->user_exists('u4'));
$this->cleanup_auth_database();
}
function local_ombieltoken_authenticate_user($username)
{
global $CFG, $DB;
$authsenabled = get_enabled_auth_plugins();
$authplugin = get_auth_plugin('cosign');
if ($username) {
$user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id);
} else {
$user = get_complete_user_data('username', auth_plugin_cosign::get_cosign_username(), $CFG->mnet_localhost_id);
}
if ($user) {
if ($user->auth !== 'cosign') {
// Invalid auth - we only allow cosign users in this token generator
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
return false;
}
if (!empty($user->suspended)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
} else {
// check if there's a deleted record (cheaply)
if ($DB->get_field('user', 'id', array('username' => $username, 'deleted' => 1))) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
return false;
}
$user = update_user_record($username);
return $user;
}
/**
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* @uses $CFG
* @param string $username User's username (with system magic quotes)
* @param string $password User's password (with system magic quotes)
* @return user|flase A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password)
{
global $CFG;
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username)) {
$auth = empty($user->auth) ? 'manual' : $user->auth;
// use manual if auth not set
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
add_to_log(0, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Disabled Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = array($auth);
} else {
// check if there's a deleted record (cheaply)
if (get_field('user', 'id', 'username', $username, 'deleted', 1, '')) {
error_log('[client ' . $_SERVER['REMOTE_ADDR'] . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = $authsenabled;
$user = new object();
$user->id = 0;
// User does not exist
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// on auth fail fall through to the next plugin
if (!$authplugin->user_login($username, $password)) {
continue;
}
// successful authentication
if ($user->id) {
// User already exists in database
if (empty($user->auth)) {
// For some reason auth isn't set yet
set_field('user', 'auth', $auth, 'username', $username);
$user->auth = $auth;
}
if (empty($user->firstaccess)) {
//prevent firstaccess from remaining 0 for manual account that never required confirmation
set_field('user', 'firstaccess', $user->timemodified, 'id', $user->id);
$user->firstaccess = $user->timemodified;
}
update_internal_user_password($user, $password);
// just in case salt or encoding were changed (magic quotes too one day)
if (!$authplugin->is_internal()) {
// update user record from external DB
$user = update_user_record($username, get_auth_plugin($user->auth));
}
} else {
// if user not found, create him
$user = create_user_record($username, $password, $auth);
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
/// Log in to a second system if necessary
/// NOTICE: /sso/ will be moved to auth and deprecated soon; use user_authenticated_hook() instead
if (!empty($CFG->sso)) {
include_once $CFG->dirroot . '/sso/' . $CFG->sso . '/lib.php';
if (function_exists('sso_user_login')) {
if (!sso_user_login($username, $password)) {
// Perform the signon process
notify('Second sign-on failed');
}
}
}
if ($user->id === 0) {
return false;
}
return $user;
}
// failed if all the plugins have failed
add_to_log(0, 'login', 'error', 'index.php', $username);
if (debugging('', DEBUG_ALL)) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Failed Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
return false;
}
/**
* Authenticates a user against the chosen authentication mechanism
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* Note: this function works only with non-mnet accounts!
*
* @param string $username User's username
* @param string $password User's password
* @return user|flase A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password)
{
global $CFG, $DB;
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id)) {
$auth = empty($user->auth) ? 'manual' : $user->auth;
// use manual if auth not set
if (!empty($user->suspended)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Disabled Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = array($auth);
} else {
// check if there's a deleted record (cheaply)
if ($DB->get_field('user', 'id', array('username' => $username, 'deleted' => 1))) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
// User does not exist
$auths = $authsenabled;
$user = new stdClass();
$user->id = 0;
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// on auth fail fall through to the next plugin
if (!$authplugin->user_login($username, $password)) {
continue;
}
// successful authentication
if ($user->id) {
// User already exists in database
if (empty($user->auth)) {
// For some reason auth isn't set yet
$DB->set_field('user', 'auth', $auth, array('username' => $username));
$user->auth = $auth;
}
if (empty($user->firstaccess)) {
//prevent firstaccess from remaining 0 for manual account that never required confirmation
$DB->set_field('user', 'firstaccess', $user->timemodified, array('id' => $user->id));
$user->firstaccess = $user->timemodified;
}
update_internal_user_password($user, $password);
// just in case salt or encoding were changed (magic quotes too one day)
if ($authplugin->is_synchronised_with_external()) {
// update user record from external DB
$user = update_user_record($username);
}
} else {
// if user not found, create him
$user = create_user_record($username, $password, $auth);
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if (empty($user->id)) {
return false;
}
if (!empty($user->suspended)) {
// just in case some auth plugin suspended account
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
return $user;
}
// failed if all the plugins have failed
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
if (debugging('', DEBUG_ALL)) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Failed Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
return false;
}
/**
* Authenticates a user against the chosen authentication mechanism
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* Note: this function works only with non-mnet accounts!
*
* @param string $username User's username
* @param string $password User's password
* @param bool $ignorelockout useful when guessing is prevented by other mechanism such as captcha or SSO
* @param int $failurereason login failure reason, can be used in renderers (it may disclose if account exists)
* @return stdClass|false A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password, $ignorelockout = false, &$failurereason = null)
{
global $CFG, $DB;
require_once "{$CFG->libdir}/authlib.php";
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id)) {
// Use manual if auth not set.
$auth = empty($user->auth) ? 'manual' : $user->auth;
if (!empty($user->suspended)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Disabled Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
// Legacy way to suspend user.
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
$auths = array($auth);
} else {
// Check if there's a deleted record (cheaply), this should not happen because we mangle usernames in delete_user().
if ($DB->get_field('user', 'id', array('username' => $username, 'mnethostid' => $CFG->mnet_localhost_id, 'deleted' => 1))) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Deleted Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
// Do not try to authenticate non-existent accounts when user creation is not disabled.
if (!empty($CFG->authpreventaccountcreation)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Unknown user, can not create new accounts: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
// User does not exist.
$auths = $authsenabled;
$user = new stdClass();
$user->id = 0;
}
if ($ignorelockout) {
// Some other mechanism protects against brute force password guessing, for example login form might include reCAPTCHA
// or this function is called from a SSO script.
} else {
if ($user->id) {
// Verify login lockout after other ways that may prevent user login.
if (login_is_lockedout($user)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Login lockout: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_LOCKOUT;
return false;
}
} else {
// We can not lockout non-existing accounts.
}
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// On auth fail fall through to the next plugin.
if (!$authplugin->user_login($username, $password)) {
continue;
}
// Successful authentication.
if ($user->id) {
// User already exists in database.
if (empty($user->auth)) {
// For some reason auth isn't set yet.
$DB->set_field('user', 'auth', $auth, array('username' => $username));
$user->auth = $auth;
}
// If the existing hash is using an out-of-date algorithm (or the legacy md5 algorithm), then we should update to
// the current hash algorithm while we have access to the user's password.
update_internal_user_password($user, $password);
if ($authplugin->is_synchronised_with_external()) {
// Update user record from external DB.
$user = update_user_record($username);
}
} else {
// Create account, we verified above that user creation is allowed.
$user = create_user_record($username, $password, $auth);
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if (empty($user->id)) {
$failurereason = AUTH_LOGIN_NOUSER;
return false;
}
if (!empty($user->suspended)) {
// Just in case some auth plugin suspended account.
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Suspended Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
$failurereason = AUTH_LOGIN_SUSPENDED;
return false;
}
login_attempt_valid($user);
$failurereason = AUTH_LOGIN_OK;
return $user;
}
// Failed if all the plugins have failed.
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
if (debugging('', DEBUG_ALL)) {
error_log('[client ' . getremoteaddr() . "] {$CFG->wwwroot} Failed Login: {$username} " . $_SERVER['HTTP_USER_AGENT']);
}
if ($user->id) {
login_attempt_failed($user);
$failurereason = AUTH_LOGIN_FAILED;
} else {
$failurereason = AUTH_LOGIN_NOUSER;
}
return false;
}
/**
* Copied from moodlelib:authenticate_user_login()
*
* WHY? because I need to hard code the plugins to auth_saml, and this user
* may be set to any number of other types of login method
*
* First of all - make sure that they aren't nologin - we don't mess with that!
*
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* @uses $CFG
* @param string $username User's username (with system magic quotes)
* @param string $password User's password (with system magic quotes)
* @return user|flase A {@link $USER} object or false if error
*/
function auth_onelogin_saml_authenticate_user_login($username, $password)
{
global $CFG, $DB;
// ensure that only saml auth module is chosen
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username)) {
# print_error(htmlspecialchars(print_r($user, true)));
$auth = empty($user->auth) ? 'manual' : $user->auth;
// use manual if auth not set
if ($auth == 'nologin' or !is_enabled_auth($auth)) {
add_to_log(0, 'login', 'error', 'index.php', $username);
print_error('[client ' . getremoteaddr() . "] {$CFG->wwwroot} ---> DISABLED LOGIN: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
} else {
// check if there's a deleted record (cheaply)
$query_conditions['username'] = $username;
$query_conditions['deleted'] = 1;
if ($DB->get_field('user', 'id', $query_conditions)) {
print_error('[client ' . $_SERVER['REMOTE_ADDR'] . "] {$CFG->wwwroot} ---> DELETED LOGIN: {$username} " . $_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = $authsenabled;
$user = new object();
$user->id = 0;
// User does not exist
}
// hard code SAML
$auths = array('onelogin_saml');
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// on auth fail fall through to the next plugin
if (!$authplugin->user_login($username, $password)) {
continue;
}
// successful authentication
if (!$user->id) {
// if user not found, create him
$user = create_user_record($username, $password, $auth);
## myDebugger("Attempted new user creation because user did not exist. Result is...<br /><br />".htmlspecialchars(print_r($user, true)));
}
if ($user->id) {
// User already exists in database
if (empty($user->auth)) {
// For some reason auth isn't set yet
$query_conditions['username'] = $username;
$DB->set_field('user', 'auth', $auth, $query_conditions);
$user->auth = $auth;
}
if (empty($user->firstaccess)) {
//prevent firstaccess from remaining 0 for manual account that never required confirmation
$query_conditions['id'] = $user->id;
$DB->set_field('user', 'firstaccess', $user->timemodified, $query_conditions);
$user->firstaccess = $user->timemodified;
}
if (empty($user->email) && stristr($username, "@")) {
$query_conditions['id'] = $user->id;
$DB->set_field('user', 'email', $username, $query_conditions);
$user->email = $username;
}
if (empty($user->firstname)) {
$query_conditions['id'] = $user->id;
$DB->set_field('user', 'firstname', $username, $query_conditions);
$user->firstname = $username;
}
// we don't want to upset the existing authentication schema for the user
// update_internal_user_password($user, $password); // just in case salt or encoding were changed (magic quotes too one day)
// update user record from external DB
if (!$authplugin->is_internal()) {
# myDebugger("Authplugin not internal: updating from external source...");
$user = update_user_record($username, get_auth_plugin($user->auth));
}
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if ($user->id === 0) {
print_error("Failed to create user with the following details... <br /> <pre>" . htmlspecialchars(print_r($user, true)) . "</pre>");
return false;
}
return $user;
}
// failed if all the plugins have failed
add_to_log(0, 'login', 'error', 'index.php', $username);
//if (myDebugger('', DEBUG_ALL)) {
print_error('[client ' . getremoteaddr() . "] {$CFG->wwwroot} ---> FAILED LOGIN: {$username} " . $_SERVER['HTTP_USER_AGENT']);
//}
return false;
}
/**
* Authenticates a user against the chosen authentication mechanism
*
* Given a username and password, this function looks them
* up using the currently selected authentication mechanism,
* and if the authentication is successful, it returns a
* valid $user object from the 'user' table.
*
* Uses auth_ functions from the currently active auth module
*
* After authenticate_user_login() returns success, you will need to
* log that the user has logged in, and call complete_user_login() to set
* the session up.
*
* Note: this function works only with non-mnet accounts!
*
* @param string $username User's username
* @param string $password User's password
* @return user|flase A {@link $USER} object or false if error
*/
function authenticate_user_login($username, $password) {
global $CFG, $DB;
$authsenabled = get_enabled_auth_plugins();
if ($user = get_complete_user_data('username', $username, $CFG->mnet_localhost_id)) {
$auth = empty($user->auth) ? 'manual' : $user->auth; // use manual if auth not set
if (!empty($user->suspended)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Suspended Login: $username ".$_SERVER['HTTP_USER_AGENT']);
return false;
}
if ($auth=='nologin' or !is_enabled_auth($auth)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Disabled Login: $username ".$_SERVER['HTTP_USER_AGENT']);
return false;
}
$auths = array($auth);
} else {
// Check if there's a deleted record (cheaply), this should not happen because we mangle usernames in delete_user().
if ($DB->get_field('user', 'id', array('username'=>$username, 'mnethostid'=>$CFG->mnet_localhost_id, 'deleted'=>1))) {
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Deleted Login: $username ".$_SERVER['HTTP_USER_AGENT']);
return false;
}
// Do not try to authenticate non-existent accounts when user creation is not disabled.
if (!empty($CFG->authpreventaccountcreation)) {
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Unknown user, can not create new accounts: $username ".$_SERVER['HTTP_USER_AGENT']);
return false;
}
// User does not exist
$auths = $authsenabled;
$user = new stdClass();
$user->id = 0;
}
foreach ($auths as $auth) {
$authplugin = get_auth_plugin($auth);
// on auth fail fall through to the next plugin
if (!$authplugin->user_login($username, $password)) {
continue;
}
// successful authentication
if ($user->id) { // User already exists in database
if (empty($user->auth)) { // For some reason auth isn't set yet
$DB->set_field('user', 'auth', $auth, array('username'=>$username));
$user->auth = $auth;
}
update_internal_user_password($user, $password); // just in case salt or encoding were changed (magic quotes too one day)
if ($authplugin->is_synchronised_with_external()) { // update user record from external DB
$user = update_user_record($username);
}
} else {
// Create account, we verified above that user creation is allowed.
$user = create_user_record($username, $password, $auth);
}
$authplugin->sync_roles($user);
foreach ($authsenabled as $hau) {
$hauth = get_auth_plugin($hau);
$hauth->user_authenticated_hook($user, $username, $password);
}
if (empty($user->id)) {
return false;
}
if (!empty($user->suspended)) {
// just in case some auth plugin suspended account
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Suspended Login: $username ".$_SERVER['HTTP_USER_AGENT']);
return false;
}
return $user;
}
// failed if all the plugins have failed
add_to_log(SITEID, 'login', 'error', 'index.php', $username);
if (debugging('', DEBUG_ALL)) {
error_log('[client '.getremoteaddr()."] $CFG->wwwroot Failed Login: $username ".$_SERVER['HTTP_USER_AGENT']);
}
return false;
}