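 /**
  * Authenticate a WebDAV request with HTTP Digest, then open the AjaXplorer session.
  *
  * The parent Digest check is wrapped so that two outcomes can be told apart:
  * $success stays 0 when the parent threw its "no digest headers" exception,
  * and becomes false for any other rejection. Only the latter is logged as a
  * failed login; both end in NotAuthenticated.
  *
  * @param Sabre\DAV\Server $server
  * @param string           $realm
  * @return bool true once the user is logged in and the root dir is switched
  * @throws Sabre\DAV\Exception\NotAuthenticated when the digest check fails, no
  *         digest headers were sent, or AuthService::logUser() does not succeed.
  */
 public function authenticate(Sabre\DAV\Server $server, $realm)
 {
     //AJXP_Logger::debug("Try authentication on $realm", $server);
     // Initialised up front: if the parent returns false without throwing, the
     // throw at the end of this method used to read an undefined $errmsg.
     $errmsg = null;
     try {
         $success = parent::authenticate($server, $realm);
     } catch (Exception $e) {
         $success = 0;
         $errmsg = $e->getMessage();
         // Anything other than "no headers sent" is a genuine login failure.
         if ($errmsg !== "No digest authentication headers were found") {
             $success = false;
         }
     }
     if ($success) {
         // The digest already proved the credentials, so the AjaXplorer login is
         // done with bypass_pwd = true and no password.
         $res = AuthService::logUser($this->currentUser, null, true);
         if ($res < 1) {
             throw new Sabre\DAV\Exception\NotAuthenticated();
         }
         $this->updateCurrentUserRights(AuthService::getLoggedUser());
         if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
             // NOTE(review): assumes the AJXP_WEBDAV_DATA pref is an array with a
             // "PASS" entry; a user without WebDAV data would hit an undefined index
             // here — confirm against how the pref is populated.
             $webdavData = AuthService::getLoggedUser()->getPref("AJXP_WEBDAV_DATA");
             AJXP_Safe::storeCredentials($this->currentUser, $this->_decodePassword($webdavData["PASS"], $this->currentUser));
         }
     } else {
         // 0 means "no digest headers": not a failed attempt, so not logged as one.
         if ($success === false) {
             AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $this->currentUser, "error" => "Invalid WebDAV user or password"));
         }
         throw new Sabre\DAV\Exception\NotAuthenticated($errmsg);
     }
     ConfService::switchRootDir($this->repositoryId);
     return true;
 }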
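 /**
  * Authenticate a WebDAV request with HTTP Basic auth, then open the AjaXplorer session.
  *
  * Flow: read the Basic credentials, require that the user's AJXP_WEBDAV_DATA
  * pref has ACTIVE set to true, try the short-lived password cache (TMP_PASS,
  * bound to the current minute), fall back to validateUserPass(), log the user
  * in, refuse repositories flagged AJXP_WEBDAV_DISABLED, and finally switch the
  * root dir and refresh the cache entry.
  *
  * @param Sabre\DAV\Server $server
  * @param string           $realm
  * @return bool true once the user is logged in and the root dir is switched
  * @throws Sabre\DAV\Exception\NotAuthenticated on missing headers, unknown or
  *         disabled WebDAV user, wrong password, failed AjaXplorer login, or a
  *         repository with AJXP_WEBDAV_DISABLED set.
  */
 public function authenticate(Sabre\DAV\Server $server, $realm)
 {
     $auth = new Sabre\HTTP\BasicAuth();
     $auth->setHTTPRequest($server->httpRequest);
     $auth->setHTTPResponse($server->httpResponse);
     $auth->setRealm($realm);
     $userpass = $auth->getUserPass();
     if (!$userpass) {
         $auth->requireLogin();
         throw new Sabre\DAV\Exception\NotAuthenticated('No basic authentication headers were found');
     }
     // Authenticates the user
     //AJXP_Logger::info(__CLASS__,"authenticate",$userpass[0]);
     $confDriver = ConfService::getConfStorageImpl();
     $userObject = $confDriver->createUserObject($userpass[0]);
     $webdavData = $userObject->getPref("AJXP_WEBDAV_DATA");
     if (empty($webdavData) || !isset($webdavData["ACTIVE"]) || $webdavData["ACTIVE"] !== true) {
         // NOTE(review): this path answers without requireLogin() and without a
         // message, while a wrong password below answers with both — a client can
         // tell "unknown/disabled user" from "wrong password". Consider aligning them.
         AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $userpass[0], "error" => "WebDAV user not found or disabled"));
         throw new Sabre\DAV\Exception\NotAuthenticated();
     }
     // check if there are cached credentials. prevents excessive authentication calls to external
     // auth mechanism.
     // The cache token is derived from the password and the current minute, so it
     // expires by itself (see the store at the end). HMAC-SHA256 replaces the
     // original md5(password . secret . minute): same purpose, but the secret is
     // used as a key instead of being concatenated into the digest. A stale md5
     // value in TMP_PASS simply misses the cache once.
     $cachedPasswordValid = false;
     // NOTE(review): without AJXP_SECRET_KEY the token falls back to a secret that
     // is hard-coded in this file; the constant should be defined in any deployment.
     $secret = defined("AJXP_SECRET_KEY") ? AJXP_SECRET_KEY : "CDAFx¨op#";
     $encryptedPass = hash_hmac('sha256', $userpass[1] . date('YmdHi'), $secret);
     // hash_equals(): constant-time and strict. The original `==` compared two hex
     // digests loosely, so two different "0e…" digests would have matched.
     if (isset($webdavData["TMP_PASS"]) && is_string($webdavData["TMP_PASS"]) && hash_equals($encryptedPass, $webdavData["TMP_PASS"])) {
         $cachedPasswordValid = true;
         //AJXP_Logger::debug("Using Cached Password");
     }
     if (!$cachedPasswordValid && !$this->validateUserPass($userpass[0], $userpass[1])) {
         AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => $userpass[0], "error" => "Invalid WebDAV user or password"));
         $auth->requireLogin();
         throw new Sabre\DAV\Exception\NotAuthenticated('Username or password does not match');
     }
     $this->currentUser = $userpass[0];
     $res = AuthService::logUser($this->currentUser, $userpass[1], true);
     if ($res < 1) {
         throw new Sabre\DAV\Exception\NotAuthenticated();
     }
     $this->updateCurrentUserRights(AuthService::getLoggedUser());
     if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
         AJXP_Safe::storeCredentials($this->currentUser, $userpass[1]);
     }
     // NOTE(review): by the time this check runs the user is already logged in
     // and (optionally) has credentials stored; the refusal only covers WebDAV
     // access to this repository. getRepositoryById() is assumed to return an
     // object for a set $repositoryId — confirm it cannot return null here.
     if (isset($this->repositoryId) && ConfService::getRepositoryById($this->repositoryId)->getOption("AJXP_WEBDAV_DISABLED") === true) {
         throw new Sabre\DAV\Exception\NotAuthenticated('You are not allowed to access this workspace');
     }
     ConfService::switchRootDir($this->repositoryId);
     // the method used here will invalidate the cached password every minute on the minute
     if (!$cachedPasswordValid) {
         $webdavData["TMP_PASS"] = $encryptedPass;
         $userObject->setPref("AJXP_WEBDAV_DATA", $webdavData);
         $userObject->save("user");
         AuthService::updateUser($userObject);
     }
     return true;
 }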
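 /**
  * Verify a login/password pair against the GitLab API by creating a session.
  *
  * A 201 from POST /session means the credentials were accepted; the user is
  * then verified only when its state is 'active'. On success the returned
  * private token is stored as the user's credentials and the admin flag is
  * mirrored into the session. A 401, an unexpected status, or an exception
  * from the API call is logged and reported as "not verified".
  *
  * @param string $login
  * @param string $password
  * @param string $seed     not used by this driver; kept for the common signature
  * @return bool true when the password was verified
  */
 public function checkPassword($login, $password, $seed)
 {
     //Our default value.
     $passwordVerified = false;
     try {
         //Send the request.
         $result = $this->apiCall('POST', 'session', array("login" => $login, "password" => $password));
         //Check the returned status.
         switch ($result->status) {
             //Proper login.
             case 201:
                 //Check the user is not blocked.
                 // NOTE(review): assumes the 201 body carries state, private_token and
                 // is_admin — confirm against the API version in use.
                 if ($result->body->state !== 'active') {
                     AJXP_Logger::warning(__CLASS__ . '.checkPassword.201', 'Blocked user attempted login [' . $login . ']', "");
                 } else {
                     $passwordVerified = true;
                     AJXP_Safe::storeCredentials($login, $result->body->private_token);
                     $_SESSION['Auth.GitLab.RemoteAdmin'] = $result->body->is_admin === true;
                 }
                 break;
             //Proper failure.
             case 401:
                 AJXP_Logger::info(__CLASS__ . '.checkPassword.401', 'Not authorized for login [' . $login . ']', "");
                 break;
             //We're not sure.
             default:
                 // Log the status only: the original dumped the whole response, and
                 // a session response may carry a private token that must not end
                 // up in the log file.
                 AJXP_Logger::info(__CLASS__ . '.checkPassword.###', 'Unknown status code. ' . var_export($result->status, true), "");
                 break;
         }
     } catch (Exception $e) {
         // Best-effort: an API/transport failure is logged and treated as not verified.
         AJXP_Logger::error(__CLASS__ . '.checkPassword.ex', $e->getMessage(), "");
     }
     return $passwordVerified;
 }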
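 /**
  * Log the user from its credentials
  *
  * Return codes:  1 logged in (also when a session/user already exists, or a
  *                  guest session was opened);
  *               -1 invalid user, invalid password, locked user, or nothing to
  *                  log in with;
  *               -4 brute-force protection tripped for this client;
  *               -5 remember-me cookie missing or malformed (silently ignored),
  *                  or a cookie login with a bad password.
  *
  * With a null $user_id the method only checks for an existing session / user
  * (or opens a guest session when ALLOW_GUEST_BROWSING is on). When
  * $cookieLogin is set, the credentials are taken from the AjaXplorer-remember
  * cookie, which carries them as "user:password".
  * @static
  * @param string $user_id The user id
  * @param string $pwd The password
  * @param bool $bypass_pwd Ignore password or not
  * @param bool $cookieLogin Is it a logging from the remember me cookie?
  * @param string $returnSeed The unique seed
  * @return int
  */
 public static function logUser($user_id, $pwd, $bypass_pwd = false, $cookieLogin = false, $returnSeed = "")
 {
     $user_id = self::filterUserSensitivity($user_id);
     if ($cookieLogin && !isset($_COOKIE["AjaXplorer-remember"])) {
         return -5;
         // SILENT IGNORE
     }
     if ($cookieLogin) {
         // Split on the first ':' only so a password containing ':' is not
         // truncated; a cookie without a separator is ignored like a missing one
         // (the original list()/explode() would have left $pwd undefined).
         $cookieParts = explode(":", $_COOKIE["AjaXplorer-remember"], 2);
         if (count($cookieParts) !== 2) {
             return -5;
         }
         list($user_id, $pwd) = $cookieParts;
     }
     $confDriver = ConfService::getConfStorageImpl();
     if ($user_id == null) {
         // No credentials given: reuse the current session/user, or fall back to guest.
         if (self::$useSession) {
             if (isset($_SESSION["AJXP_USER"]) && is_object($_SESSION["AJXP_USER"])) {
                 /**
                  * @var AbstractAjxpUser $u
                  */
                 $u = $_SESSION["AJXP_USER"];
                 if ($u->reloadRolesIfRequired()) {
                     ConfService::getInstance()->invalidateLoadedRepositories();
                     self::$bufferedMessage = AJXP_XMLWriter::reloadRepositoryList(false);
                     $_SESSION["AJXP_USER"] = $u;
                 }
                 return 1;
             }
         } else {
             if (isset(self::$currentUser) && is_object(self::$currentUser)) {
                 return 1;
             }
         }
         if (ConfService::getCoreConf("ALLOW_GUEST_BROWSING", "auth") && !isset($_SESSION["CURRENT_MINISITE"])) {
             $authDriver = ConfService::getAuthDriverImpl();
             if (!$authDriver->userExists("guest")) {
                 self::createUser("guest", "");
                 $guest = $confDriver->createUserObject("guest");
                 $guest->save("superuser");
             }
             self::logUser("guest", null);
             return 1;
         }
         return -1;
     }
     $authDriver = ConfService::getAuthDriverImpl();
     // CHECK USER PASSWORD HERE!
     // The attempt counter is loaded, evaluated and persisted before the user
     // lookup, so an unknown user and a wrong password are counted alike.
     $loginAttempt = self::getBruteForceLoginArray();
     $bruteForceLogin = self::checkBruteForceLogin($loginAttempt);
     self::setBruteForceLoginArray($loginAttempt);
     if (!$authDriver->userExists($user_id)) {
         AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => AJXP_Utils::sanitize($user_id, AJXP_SANITIZE_EMAILCHARS), "error" => "Invalid user"));
         // -4 once the brute-force threshold has been reached, -1 otherwise.
         if ($bruteForceLogin === false) {
             return -4;
         }
         return -1;
     }
     if (!$bypass_pwd) {
         if (!self::checkPassword($user_id, $pwd, $cookieLogin, $returnSeed)) {
             AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => AJXP_Utils::sanitize($user_id, AJXP_SANITIZE_EMAILCHARS), "error" => "Invalid password"));
             if ($bruteForceLogin === false) {
                 return -4;
             }
             // A stale remember-me cookie fails silently rather than surfacing an error.
             if ($cookieLogin) {
                 return -5;
             }
             return -1;
         }
     }
     // Successful login attempt: drop this client's failed-attempt entry.
     // Presumably the array is keyed by client address — verify in getBruteForceLoginArray().
     if (isset($_SERVER["REMOTE_ADDR"])) {
         unset($loginAttempt[$_SERVER["REMOTE_ADDR"]]);
     }
     self::setBruteForceLoginArray($loginAttempt);
     // Setting session credentials if asked in config
     if (ConfService::getCoreConf("SESSION_SET_CREDENTIALS", "auth")) {
         list($authId, $authPwd) = $authDriver->filterCredentials($user_id, $pwd);
         AJXP_Safe::storeCredentials($authId, $authPwd);
     }
     $user = $confDriver->createUserObject($user_id);
     if ($user->getLock() == "logout") {
         AJXP_Logger::warning(__CLASS__, "Login failed", array("user" => AJXP_Utils::sanitize($user_id, AJXP_SANITIZE_EMAILCHARS), "error" => "Locked user"));
         return -1;
     }
     if (AuthService::$useSession && ConfService::getCoreConf("ALLOW_GUEST_BROWSING", "auth")) {
         ConfService::getInstance()->invalidateLoadedRepositories();
     }
     if ($authDriver->isAjxpAdmin($user_id)) {
         $user->setAdmin(true);
     }
     // The logged user lives in the session, or in a static for API (non-session) use.
     if (self::$useSession) {
         $_SESSION["AJXP_USER"] = $user;
     } else {
         self::$currentUser = $user;
     }
     if ($user->isAdmin()) {
         $user = self::updateAdminRights($user);
         self::updateUser($user);
     }
     if ($authDriver->autoCreateUser() && !$user->storageExists()) {
         $user->save("superuser");
         // make sure update rights now
     }
     AJXP_Logger::info(__CLASS__, "Log In", array("context" => self::$useSession ? "WebUI" : "API"));
     return 1;
 }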