function update($input)
{
global $plugin_controller;
// is an update possible/requested?
$local = $this->_local;
// save this, parent::update() may change it
if (!parent::update($input)) {
return false;
}
// nothing changed or an error caught by parent
$this->_local = $local;
// restore original, more error checking to come
// attempt to load the plugin
$auth_plugin = $plugin_controller->load('auth', $input);
// @TODO: throw an error in plugin controller instead of returning null
if (is_null($auth_plugin)) {
$this->_error = true;
msg('Cannot load Auth Plugin "' . $input . '"', -1);
return false;
}
// verify proper instantiation (is this really a plugin?) @TODO use instanceof? implement interface?
if (is_object($auth_plugin) && !method_exists($auth_plugin, 'getPluginName')) {
$this->_error = true;
msg('Cannot create Auth Plugin "' . $input . '"', -1);
return false;
}
// did we change the auth type? logout
global $conf;
if ($conf['authtype'] != $input) {
msg('Authentication system changed. Please re-login.');
auth_logoff();
}
$this->_local = $input;
return true;
}
/**
* Check if a user is allowed to login into the wiki by using the config values "allowed_usernames" and
* "allowed_usergroups". If the user has no permission to login, the logout action is triggered and a info message
* is displayed.
*
* @param Doku_Event $event The event object by reference
* @param mixed $param The parameters passed to register_hook when this handler was registered
*/
public function handle_auth_acl_check(Doku_Event &$event, $param)
{
$user = $event->data['user'];
$groups = $event->data['groups'];
if ($user != '') {
$isAllowed = false;
if ($this->getConf('allowed_usernames')) {
$allowedUserNames = explode(',', $this->getConf('allowed_usernames'));
$isAllowed = in_array($user, $allowedUserNames);
}
if ($this->getConf('allowed_usergroups')) {
$allowedUserGroups = explode(',', $this->getConf('allowed_usergroups'));
foreach ($allowedUserGroups as $allowedUserGroup) {
if (in_array($allowedUserGroup, $groups)) {
$isAllowed = true;
break;
}
}
}
if (!$isAllowed) {
msg($this->getLang('nopermission'));
auth_logoff();
}
}
}
/**
* This tries to login the user based on the sent auth credentials
*
* The authentication works like this: if a username was given
* a new login is assumed and user/password are checked. If they
* are correct the password is encrypted with blowfish and stored
* together with the username in a cookie - the same info is stored
* in the session, too. Additonally a browserID is stored in the
* session.
*
* If no username was given the cookie is checked: if the username,
* crypted password and browserID match between session and cookie
* no further testing is done and the user is accepted
*
* If a cookie was found but no session info was availabe the
* blowfish encrypted password from the cookie is decrypted and
* together with username rechecked by calling this function again.
*
* On a successful login $_SERVER[REMOTE_USER] and $USERINFO
* are set.
*
* @author Andreas Gohr <*****@*****.**>
*
* @param string $user Username
* @param string $pass Cleartext Password
* @param bool $sticky Cookie should not expire
* @param bool $silent Don't show error on bad auth
* @return bool true on successful auth
*/
function auth_login($user, $pass, $sticky = false, $silent = false)
{
global $USERINFO;
global $conf;
global $lang;
/* @var auth_basic $auth */
global $auth;
$sticky ? $sticky = true : ($sticky = false);
//sanity check
if (!$auth) {
return false;
}
if (!empty($user)) {
//usual login
if ($auth->checkPass($user, $pass)) {
// make logininfo globally available
$_SERVER['REMOTE_USER'] = $user;
$secret = auth_cookiesalt(!$sticky);
//bind non-sticky to session
auth_setCookie($user, PMA_blowfish_encrypt($pass, $secret), $sticky);
return true;
} else {
//invalid credentials - log off
if (!$silent) {
msg($lang['badlogin'], -1);
}
auth_logoff();
return false;
}
} else {
// read cookie information
list($user, $sticky, $pass) = auth_getCookie();
if ($user && $pass) {
// we got a cookie - see if we can trust it
// get session info
$session = $_SESSION[DOKU_COOKIE]['auth'];
if (isset($session) && $auth->useSessionCache($user) && $session['time'] >= time() - $conf['auth_security_timeout'] && $session['user'] == $user && $session['pass'] == sha1($pass) && $session['buid'] == auth_browseruid()) {
// he has session, cookie and browser right - let him in
$_SERVER['REMOTE_USER'] = $user;
$USERINFO = $session['info'];
//FIXME move all references to session
return true;
}
// no we don't trust it yet - recheck pass but silent
$secret = auth_cookiesalt(!$sticky);
//bind non-sticky to session
$pass = PMA_blowfish_decrypt($pass, $secret);
return auth_login($user, $pass, $sticky, true);
}
}
//just to be sure
auth_logoff(true);
return false;
}
/**
* Delete the current logged-in user
*
* @return bool true on success, false on any error
*/
function auth_deleteprofile()
{
global $conf;
global $lang;
/* @var DokuWiki_Auth_Plugin $auth */
global $auth;
/* @var Input $INPUT */
global $INPUT;
if (!$INPUT->post->bool('delete')) {
return false;
}
if (!checkSecurityToken()) {
return false;
}
// action prevented or auth module disallows
if (!actionOK('profile_delete') || !$auth->canDo('delUser')) {
msg($lang['profnodelete'], -1);
return false;
}
if (!$INPUT->post->bool('confirm_delete')) {
msg($lang['profconfdeletemissing'], -1);
return false;
}
if ($conf['profileconfirm']) {
if (!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) {
msg($lang['badpassconfirm'], -1);
return false;
}
}
$deleted[] = $INPUT->server->str('REMOTE_USER');
if ($auth->triggerUserMod('delete', array($deleted))) {
// force and immediate logout including removing the sticky cookie
auth_logoff();
return true;
}
return false;
}
/**
* Handle 'login', 'logout'
*
* @author Andreas Gohr <*****@*****.**>
*/
function act_auth($act)
{
global $ID;
global $INFO;
//already logged in?
if (isset($_SERVER['REMOTE_USER']) && $act == 'login') {
return 'show';
}
//handle logout
if ($act == 'logout') {
$lockedby = checklock($ID);
//page still locked?
if ($lockedby == $_SERVER['REMOTE_USER']) {
unlock($ID);
}
//try to unlock
// do the logout stuff
auth_logoff();
// rebuild info array
$INFO = pageinfo();
act_redirect($ID, 'login');
}
return $act;
}
/**
* Log off
*
* @return int
*/
function logoff()
{
global $conf;
global $auth;
if (!$conf['useacl']) {
return 0;
}
if (!$auth) {
return 0;
}
auth_logoff();
return 1;
}
/**
* {@inheritdoc}
*/
public function trustExternal($user, $pass, $sticky = false)
{
// Attempt to authenticate using the login credentials.
if (!empty($user) && !empty($pass)) {
if (is_integer($user = $this->authenticateUser($user, $pass))) {
switch ($user) {
case 1001:
msg($this->getLang('LOGIN_ERROR_INVALID_CONNECTION'));
break;
case 1002:
msg($this->getLang('LOGIN_ERROR_INVALID_CREDENTIALS'));
break;
case 1003:
msg($this->getLang('LOGIN_ERROR_NO_MAIN_CHARACTER_SET'));
break;
case 1004:
msg($this->getLang('LOGIN_ERROR_MAIN_CHARACTER_UNAUTHORIZED'));
break;
default:
msg($this->getLang('LOGIN_ERROR_UNKNOWN'));
break;
}
auth_logoff();
return false;
}
$this->setSession($user['characterName'], $user['userEmail'], $user['userIsSuperuser']);
return true;
}
// Do not continue if there is no session.
if (!isset($_SESSION[DOKU_COOKIE]['auth']['info'])) {
auth_logoff();
return false;
}
// Attempt to authenticate using the session.
$character = $_SESSION[DOKU_COOKIE]['auth']['info']['name'];
$email = $_SESSION[DOKU_COOKIE]['auth']['info']['mail'];
if (!empty($character) && !empty($email)) {
if (is_integer($user = $this->authenticateSession($character, $email))) {
switch ($user) {
case 1001:
msg($this->getLang('LOGIN_ERROR_INVALID_CONNECTION'));
break;
case 1002:
msg($this->getLang('LOGIN_ERROR_INVALID_CREDENTIALS'));
break;
case 1003:
msg($this->getLang('LOGIN_ERROR_NO_MAIN_CHARACTER_SET'));
break;
case 1004:
msg($this->getLang('LOGIN_ERROR_MAIN_CHARACTER_UNAUTHORIZED'));
break;
default:
msg($this->getLang('LOGIN_ERROR_UNKNOWN'));
break;
}
auth_logoff();
return false;
}
$this->setSession($user['characterName'], $user['userEmail'], in_array('Superuser', $user['userRoles']));
return true;
}
auth_logoff();
return false;
}
/**
* Handle 'login', 'logout'
*
* @author Andreas Gohr <*****@*****.**>
*/
function act_auth($act)
{
global $ID;
global $INFO;
//already logged in?
if ($_SERVER['REMOTE_USER'] && $act == 'login') {
header("Location: " . wl($ID, '', true));
exit;
}
//handle logout
if ($act == 'logout') {
$lockedby = checklock($ID);
//page still locked?
if ($lockedby == $_SERVER['REMOTE_USER']) {
unlock($ID);
}
//try to unlock
// do the logout stuff
auth_logoff();
// rebuild info array
$INFO = pageinfo();
return 'login';
}
return $act;
}
/**
* Handle 'login', 'logout'
*
* @author Andreas Gohr <*****@*****.**>
*
* @param string $act action command
* @return string action command
*/
function act_auth($act)
{
global $ID;
global $INFO;
/* @var Input $INPUT */
global $INPUT;
//already logged in?
if ($INPUT->server->has('REMOTE_USER') && $act == 'login') {
return 'show';
}
//handle logout
if ($act == 'logout') {
$lockedby = checklock($ID);
//page still locked?
if ($lockedby == $INPUT->server->str('REMOTE_USER')) {
unlock($ID);
//try to unlock
}
// do the logout stuff
auth_logoff();
// rebuild info array
$INFO = pageinfo();
act_redirect($ID, 'login');
}
return $act;
}
/**
* {@inheritdoc}
* @see DokuWiki_Auth_Plugin::trustExternal()
*/
public function trustExternal()
{
$this->debug('Checking for DokuWiki session...');
if ($this->getConf(self::CONF_USE_DOKUWIKI_SESSION) && ($userInfo = $this->loadUserInfoFromSession()) !== null) {
$this->log('Loaded user from DokuWiki session');
return;
}
$sessionVarName = $this->getConf(self::CONF_VAR_SHIB_SESSION_ID);
$this->debug(sprintf("Checking for Shibboleth session [%s] ...", $sessionVarName));
if ($this->getShibVar($sessionVarName)) {
$this->log('Shibboleth session found, trying to authenticate user...');
$userId = $this->getShibVar($this->getConf(self::CONF_VAR_REMOTE_USER));
if ($userId) {
$this->setUserId($userId);
$this->setUserDisplayName($this->retrieveUserDisplayName());
$this->setUserMail($this->retrieveUserMail());
$this->setUserGroups($this->retrieveUserGroups());
$this->saveUserInfoToSession();
$this->saveGlobalUserInfo();
$this->_saveUserInfo();
$this->log('Loaded user from environment');
return true;
}
}
auth_logoff();
return false;
}
/**
* This tries to login the user based on the sent auth credentials
*
* The authentication works like this: if a username was given
* a new login is assumed and user/password are checked. If they
* are correct the password is encrypted with blowfish and stored
* together with the username in a cookie - the same info is stored
* in the session, too. Additonally a browserID is stored in the
* session.
*
* If no username was given the cookie is checked: if the username,
* crypted password and browserID match between session and cookie
* no further testing is done and the user is accepted
*
* If a cookie was found but no session info was availabe the
* blowfish encrypted password from the cookie is decrypted and
* together with username rechecked by calling this function again.
*
* On a successful login $_SERVER[REMOTE_USER] and $USERINFO
* are set.
*
* @author Andreas Gohr <*****@*****.**>
*
* @param string $user Username
* @param string $pass Cleartext Password
* @param bool $sticky Cookie should not expire
* @param bool $silent Don't show error on bad auth
* @return bool true on successful auth
*/
function auth_login($user, $pass, $sticky = false, $silent = false)
{
global $USERINFO;
global $conf;
global $lang;
global $auth;
$sticky ? $sticky = true : ($sticky = false);
//sanity check
if (!empty($user)) {
//usual login
if ($auth->checkPass($user, $pass)) {
// make logininfo globally available
$_SERVER['REMOTE_USER'] = $user;
$USERINFO = $auth->getUserData($user);
// set cookie
$pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
$cookie = base64_encode("{$user}|{$sticky}|{$pass}");
if ($sticky) {
$time = time() + 60 * 60 * 24 * 365;
}
//one year
setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);
// set session
$_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
$_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
$_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
$_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
$_SESSION[DOKU_COOKIE]['auth']['time'] = time();
return true;
} else {
//invalid credentials - log off
if (!$silent) {
msg($lang['badlogin'], -1);
}
auth_logoff();
return false;
}
} else {
// read cookie information
$cookie = base64_decode($_COOKIE[DOKU_COOKIE]);
list($user, $sticky, $pass) = split('\\|', $cookie, 3);
// get session info
$session = $_SESSION[DOKU_COOKIE]['auth'];
if ($user && $pass) {
// we got a cookie - see if we can trust it
if (isset($session) && $auth->useSessionCache($user) && $session['time'] >= time() - $conf['auth_security_timeout'] && $session['user'] == $user && $session['pass'] == $pass && $session['buid'] == auth_browseruid()) {
// he has session, cookie and browser right - let him in
$_SERVER['REMOTE_USER'] = $user;
$USERINFO = $session['info'];
//FIXME move all references to session
return true;
}
// no we don't trust it yet - recheck pass but silent
$pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
return auth_login($user, $pass, $sticky, true);
}
}
//just to be sure
auth_logoff();
return false;
}
function handle_caslogout()
{
auth_logoff();
}
/**
* Just checks against the $forum_user variable
*/
function trustExternal($user, $pass, $sticky = false)
{
global $USERINFO;
global $conf;
global $lang;
global $pun_user;
global $pun_config;
global $cookie_name;
$sticky ? $sticky = true : ($sticky = false);
//sanity check
// someone used the login form
if (!empty($user)) {
if ($this->checkPass($user, $pass)) {
$expire = $sticky ? time() + 31536000 : 0;
$uinfo = $this->getUserData($user);
pun_setcookie($uinfo['id'], auth_cryptPassword($pass), $expire);
$pun_user = array();
$pun_user['password'] = auth_cryptPassword($pass);
$pun_user['username'] = $user;
$pun_user['realname'] = $uinfo['name'];
$pun_user['email'] = $uinfo['mail'];
$pun_user['g_title'] = $uinfo['group'];
} else {
//invalid credentials - log off
msg($lang['badlogin'], -1);
auth_logoff();
return false;
}
}
if (isset($pun_user) && !$pun_user['is_guest']) {
// okay we're logged in - set the globals
$USERINFO['pass'] = $pun_user['password'];
$USERINFO['name'] = $pun_user['realname'];
$USERINFO['mail'] = $pun_user['email'];
$USERINFO['grps'] = array($pun_user['g_title']);
if ($pun_user['is_admmod']) {
$USERINFO['grps'][] = 'admin';
}
$_SERVER['REMOTE_USER'] = $pun_user['username'];
$_SESSION[DOKU_COOKIE]['auth']['user'] = $pun_user['username'];
$_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
return true;
}
// to be sure
auth_logoff();
$USERINFO['grps'] = array();
return false;
}
