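/**
 * Authenticate a WebDAV request with HTTP Digest, then open an AjaXplorer session.
 *
 * parent::authenticate() (Sabre's Digest handler) performs the digest check; on
 * success the user is logged in with the password check bypassed, since the digest
 * exchange is what proved the credential. Three outcomes of the parent call are
 * distinguished:
 *   - true  : digest verified;
 *   - 0     : the client sent no digest headers at all (a challenge, not a failed
 *             attempt, so nothing is logged as "Login failed");
 *   - false : any other failure, logged as a failed login.
 *
 * @param Sabre\DAV\Server $server
 * @param string $realm Digest realm presented to the client
 * @return bool true when the request is authenticated
 * @throws Sabre\DAV\Exception\NotAuthenticated on missing or invalid credentials, when
 *         the session cannot be opened, or when WebDAV is disabled on the workspace
 */
public function authenticate(Sabre\DAV\Server $server, $realm)
{
    // $errmsg is initialised up-front: the final throw reads it even when the parent
    // returned false without throwing.
    $success = false;
    $errmsg = '';
    try {
        $success = parent::authenticate($server, $realm);
    } catch (Exception $e) {
        $errmsg = $e->getMessage();
        $success = ($errmsg === "No digest authentication headers were found") ? 0 : false;
    }

    if (!$success) {
        if ($success === false) {
            AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $this->currentUser, "error" => "Invalid WebDAV user or password"));
        }
        throw new Sabre\DAV\Exception\NotAuthenticated($errmsg);
    }

    // Digest already verified the credential: open the session without a password check.
    $res = AuthService::logUser($this->currentUser, null, true);
    if ($res < 1) {
        throw new Sabre\DAV\Exception\NotAuthenticated();
    }
    $this->updateCurrentUserRights(AuthService::getLoggedUser());

    if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
        $webdavData = AuthService::getLoggedUser()->getPref("AJXP_WEBDAV_DATA");
        // Only stash credentials when a stored WebDAV password actually exists;
        // otherwise there is nothing meaningful to decode.
        if (isset($webdavData["PASS"])) {
            AJXP_Safe::storeCredentials($this->currentUser, $this->_decodePassword($webdavData["PASS"], $this->currentUser));
        }
    }

    // Same workspace-level gate the Basic-auth backend applies: a workspace can opt out
    // of WebDAV entirely, regardless of the user's credentials.
    if (isset($this->repositoryId) && ConfService::getRepositoryById($this->repositoryId)->getOption("AJXP_WEBDAV_DISABLED") === true) {
        throw new Sabre\DAV\Exception\NotAuthenticated('You are not allowed to access this workspace');
    }

    ConfService::switchRootDir($this->repositoryId);
    return true;
}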
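/**
 * Authenticate a WebDAV request with HTTP Basic, then open an AjaXplorer session.
 *
 * Flow: require Basic credentials -> reject users whose WebDAV access is not enabled
 * (AJXP_WEBDAV_DATA["ACTIVE"] !== true) -> accept either a still-valid cached password
 * digest (TMP_PASS) or a fresh validateUserPass() -> log the user in -> refuse
 * workspaces flagged AJXP_WEBDAV_DISABLED -> refresh the cached digest.
 *
 * The cache digest includes the current minute (date('YmdHi')), so a cached entry
 * stops matching at the turn of each minute. It exists to spare the external auth
 * backend one round-trip per WebDAV request.
 *
 * @param Sabre\DAV\Server $server
 * @param string $realm Basic realm sent back with the 401 challenge
 * @return bool true when the request is authenticated
 * @throws Sabre\DAV\Exception\NotAuthenticated for missing headers, an unknown or
 *         disabled user, a bad password, a failed session setup, or a workspace
 *         with WebDAV disabled
 */
public function authenticate(Sabre\DAV\Server $server, $realm)
{
    $auth = new Sabre\HTTP\BasicAuth();
    $auth->setHTTPRequest($server->httpRequest);
    $auth->setHTTPResponse($server->httpResponse);
    $auth->setRealm($realm);

    $userpass = $auth->getUserPass();
    if (!$userpass) {
        $auth->requireLogin();
        throw new Sabre\DAV\Exception\NotAuthenticated('No basic authentication headers were found');
    }
    $login = $userpass[0];
    $password = $userpass[1];

    // WebDAV must be explicitly enabled per user before any password is checked.
    $confDriver = ConfService::getConfStorageImpl();
    $userObject = $confDriver->createUserObject($login);
    $webdavData = $userObject->getPref("AJXP_WEBDAV_DATA");
    if (empty($webdavData) || !isset($webdavData["ACTIVE"]) || $webdavData["ACTIVE"] !== true) {
        AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $login, "error" => "WebDAV user not found or disabled"));
        throw new Sabre\DAV\Exception\NotAuthenticated();
    }

    // Short-lived password cache: prevents excessive calls to the external auth backend.
    // NOTE(review): md5(password . secret . minute) is a weak construction for a value
    // persisted in user prefs, and the fallback secret below is hard-coded (public) when
    // AJXP_SECRET_KEY is not defined. An HMAC keyed with a per-install secret would be
    // preferable; kept as-is so already-stored TMP_PASS values remain comparable.
    $secret = defined("AJXP_SECRET_KEY") ? AJXP_SECRET_KEY : "CDAFx¨op#";
    $encryptedPass = md5($password . $secret . date('YmdHi'));
    // hash_equals(): constant-time and strict. The original `==` would treat two
    // different hex digests of the form "0e<digits>" as equal (numeric string juggling).
    $cachedPasswordValid = isset($webdavData["TMP_PASS"])
        && is_string($webdavData["TMP_PASS"])
        && hash_equals($webdavData["TMP_PASS"], $encryptedPass);

    if (!$cachedPasswordValid && !$this->validateUserPass($login, $password)) {
        AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $login, "error" => "Invalid WebDAV user or password"));
        $auth->requireLogin();
        throw new Sabre\DAV\Exception\NotAuthenticated('Username or password does not match');
    }

    $this->currentUser = $login;
    // Password already verified above (cache or backend), so logUser() bypasses its own check.
    $res = AuthService::logUser($this->currentUser, $password, true);
    if ($res < 1) {
        throw new Sabre\DAV\Exception\NotAuthenticated();
    }
    $this->updateCurrentUserRights(AuthService::getLoggedUser());
    if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
        AJXP_Safe::storeCredentials($this->currentUser, $password);
    }

    // Workspace-level gate. Note this runs after logUser(), so the session is already
    // opened when it throws; presumably kept here because repository options are resolved
    // per logged-in user -- confirm before reordering.
    if (isset($this->repositoryId) && ConfService::getRepositoryById($this->repositoryId)->getOption("AJXP_WEBDAV_DISABLED") === true) {
        throw new Sabre\DAV\Exception\NotAuthenticated('You are not allowed to access this workspace');
    }
    ConfService::switchRootDir($this->repositoryId);

    // Refresh the cache only after a real backend validation; the minute component of
    // the digest invalidates it on the next minute boundary.
    if (!$cachedPasswordValid) {
        $webdavData["TMP_PASS"] = $encryptedPass;
        $userObject->setPref("AJXP_WEBDAV_DATA", $webdavData);
        $userObject->save("user");
        AuthService::updateUser($userObject);
    }
    return true;
}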
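/**
 * Verify a login/password pair against the GitLab session API.
 *
 * POSTs the credentials to the `session` endpoint. A 201 whose body reports
 * state "active" is a success: the returned private token is stored in the
 * credential safe for later API calls and the GitLab admin flag is remembered
 * in the session. A 201 for a non-active (blocked) user, a 401, any other
 * status, or a transport exception verifies nothing.
 *
 * @param string $login
 * @param string $password
 * @param string $seed Unused by this driver; part of the shared checkPassword() signature
 * @return bool true only when GitLab accepted the credentials and the user is active
 */
public function checkPassword($login, $password, $seed)
{
    $passwordVerified = false;
    // The login comes straight from the client; sanitize it before it reaches the logs
    // (same treatment AuthService::logUser applies).
    $safeLogin = AJXP_Utils::sanitize($login, AJXP_SANITIZE_EMAILCHARS);
    try {
        $result = $this->apiCall('POST', 'session', array("login" => $login, "password" => $password));
        switch ($result->status) {
            case 201:
                // Credentials accepted; still refuse users GitLab has blocked.
                if ($result->body->state !== 'active') {
                    AJXP_Logger::warning(__CLASS__ . '.checkPassword.201', 'Blocked user attempted login [' . $safeLogin . ']', "");
                } else {
                    $passwordVerified = true;
                    AJXP_Safe::storeCredentials($login, $result->body->private_token);
                    $_SESSION['Auth.GitLab.RemoteAdmin'] = $result->body->is_admin === true;
                }
                break;
            case 401:
                AJXP_Logger::info(__CLASS__ . '.checkPassword.401', 'Not authorized for login [' . $safeLogin . ']', "");
                break;
            default:
                // Log the status only. Dumping the whole response (the previous
                // var_export) can write a private_token into the log file.
                AJXP_Logger::info(__CLASS__ . '.checkPassword.###', 'Unknown status code ' . (int) $result->status . ' for login [' . $safeLogin . ']', "");
                break;
        }
    } catch (Exception $e) {
        // Transport / API failure: treated as "not verified", never as an error to the caller.
        AJXP_Logger::error(__CLASS__ . '.checkPassword.ex', $e->getMessage(), "");
    }
    return $passwordVerified;
}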
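/**
 * Log the user in from its credentials.
 *
 * Return codes:
 *    1  logged in (also: a session/user already exists, or a guest session was opened)
 *   -1  generic failure: unknown user, bad password, locked user, no guest browsing
 *   -4  the client's IP has tripped the brute-force counter
 *   -5  silent ignore of a remember-me login: cookie absent or malformed, or its
 *       password did not match
 *
 * @static
 * @param string $user_id The user id
 * @param string $pwd The password
 * @param bool $bypass_pwd Ignore password or not
 * @param bool $cookieLogin Is it a logging from the remember me cookie?
 * @param string $returnSeed The unique seed
 * @return int
 */
public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin = false, $returnSeed = "")
{
    $user_id = self::filterUserSensitivity($user_id);

    if ($cookieLogin) {
        if (!isset($_COOKIE["AjaXplorer-remember"])) {
            return -5; // SILENT IGNORE
        }
        // Cookie is "user:token". Split on the first ':' only, so a token that itself
        // contains ':' is not truncated, and ignore a cookie with no separator instead
        // of carrying on with an undefined password.
        $cookieParts = explode(":", $_COOKIE["AjaXplorer-remember"], 2);
        if (count($cookieParts) !== 2) {
            return -5; // SILENT IGNORE
        }
        list($user_id, $pwd) = $cookieParts;
    }

    $confDriver = ConfService::getConfStorageImpl();

    if ($user_id == null) {
        // No credentials given: reuse the current session/user when there is one,
        // otherwise fall back to a guest session if the configuration allows it.
        if (self::$useSession) {
            if (isset($_SESSION["AJXP_USER"]) && is_object($_SESSION["AJXP_USER"])) {
                /**
                 * @var AbstractAjxpUser $u
                 */
                $u = $_SESSION["AJXP_USER"];
                if ($u->reloadRolesIfRequired()) {
                    ConfService::getInstance()->invalidateLoadedRepositories();
                    self::$bufferedMessage = AJXP_XMLWriter::reloadRepositoryList(false);
                    $_SESSION["AJXP_USER"] = $u;
                }
                return 1;
            }
        } elseif (isset(self::$currentUser) && is_object(self::$currentUser)) {
            return 1;
        }
        if (ConfService::getCoreConf("ALLOW_GUEST_BROWSING", "auth") && !isset($_SESSION["CURRENT_MINISITE"])) {
            $authDriver = ConfService::getAuthDriverImpl();
            if (!$authDriver->userExists("guest")) {
                self::createUser("guest", "");
                $guest = $confDriver->createUserObject("guest");
                $guest->save("superuser");
            }
            self::logUser("guest", null);
            return 1;
        }
        return -1;
    }

    $authDriver = ConfService::getAuthDriverImpl();

    // Brute-force bookkeeping is updated for every attempt before the user is even
    // looked up, so unknown-user probes are counted like wrong passwords.
    $loginAttempt = self::getBruteForceLoginArray();
    $bruteForceLogin = self::checkBruteForceLogin($loginAttempt);
    self::setBruteForceLoginArray($loginAttempt);

    // Sanitized copy of the id for log lines only; lookups keep the real value.
    $logUserId = AJXP_Utils::sanitize($user_id, AJXP_SANITIZE_EMAILCHARS);

    if (!$authDriver->userExists($user_id)) {
        AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $logUserId, "error" => "Invalid user"));
        return ($bruteForceLogin === false) ? -4 : -1;
    }

    if (!$bypass_pwd && !self::checkPassword($user_id, $pwd, $cookieLogin, $returnSeed)) {
        AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $logUserId, "error" => "Invalid password"));
        if ($bruteForceLogin === false) {
            return -4;
        }
        return $cookieLogin ? -5 : -1;
    }

    // Credentials are valid: clear this client's failure counter.
    unset($loginAttempt[$_SERVER["REMOTE_ADDR"]]);
    self::setBruteForceLoginArray($loginAttempt);

    // Reject locked users before anything is stored in the credential safe or the session.
    $user = $confDriver->createUserObject($user_id);
    if ($user->getLock() == "logout") {
        AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $logUserId, "error" => "Locked user"));
        return -1;
    }

    // Setting session credentials if asked in config
    if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
        list($authId, $authPwd) = $authDriver->filterCredentials($user_id, $pwd);
        AJXP_Safe::storeCredentials($authId, $authPwd);
    }

    if (AuthService::$useSession && ConfService::getCoreConf("ALLOW_GUEST_BROWSING", "auth")) {
        ConfService::getInstance()->invalidateLoadedRepositories();
    }
    if ($authDriver->isAjxpAdmin($user_id)) {
        $user->setAdmin(true);
    }
    if (self::$useSession) {
        $_SESSION["AJXP_USER"] = $user;
    } else {
        self::$currentUser = $user;
    }
    if ($user->isAdmin()) {
        $user = self::updateAdminRights($user);
        self::updateUser($user);
    }
    if ($authDriver->autoCreateUser() && !$user->storageExists()) {
        $user->save("superuser"); // make sure update rights now
    }
    AJXP_Logger::info(__CLASS__, "Log In", array("context" => self::$useSession ? "WebUI" : "API"));
    return 1;
}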