/**
* Returns a specific principal, specified by it's path.
*
* @param string $path
* @return array
*/
public function getPrincipalByPath($path)
{
list($prefix, $user) = DAV\URLUtil::splitPath($path);
if ($prefix != 'principals') {
throw new DAV\Exception\NotFound('Invalid principal prefix path ' . $prefix);
}
if ($this->_auth->hasCapability('list') && !$this->_auth->exists($user) && $user != '-system-') {
throw new DAV\Exception\NotFound('User ' . $user . ' does not exist');
}
return $this->_getUserInfo($user);
}
/**
* Set authentication credentials in the Horde session.
*
* @return boolean True on success, false on failure.
*/
protected function _setAuth()
{
global $registry;
if ($registry->isAuthenticated(array('app' => $this->_app, 'notransparent' => true))) {
return true;
}
/* Grab the current language before we destroy the session. */
$language = $registry->preferredLang();
/* Destroy any existing session on login and make sure to use a
* new session ID, to avoid session fixation issues. */
if (($userId = $registry->getAuth()) === false) {
$GLOBALS['session']->clean();
$userId = $this->getCredential('userId');
}
$credentials = $this->getCredential('credentials');
try {
list(, $credentials) = $this->runHook($userId, $credentials, 'postauthenticate');
} catch (Horde_Auth_Exception $e) {
return false;
}
$registry->setAuth($userId, $credentials, array('app' => $this->_app, 'change' => $this->getCredential('change'), 'language' => $language));
/* Only set the view mode on initial authentication */
if (!$GLOBALS['session']->exists('horde', 'view')) {
$this->_setView();
}
if ($this->_base && isset($GLOBALS['notification']) && ($expire = $this->_base->getCredential('expire'))) {
$toexpire = ($expire - time()) / 86400;
$GLOBALS['notification']->push(sprintf(Horde_Core_Translation::ngettext("%d day until your password expires.", "%d days until your password expires.", $toexpire), $toexpire), 'horde.warning');
}
return true;
}
/**
* Authenticate to Horde
*
* @param string $username The username to authenticate as (as passed by
* the device).
* @param string $password The password
* @param string $domain The user domain (unused in this driver).
*
* @return mixed Boolean true on success, boolean false on credential
* failure or Horde_ActiveSync::AUTH_REASON_*
* constant on policy failure.
*/
public function authenticate($username, $password, $domain = null)
{
global $injector, $conf;
$this->_logger->info(sprintf('[%s] Horde_Core_ActiveSync_Driver::authenticate() attempt for %s', $this->_pid, $username));
// First try transparent/X509. Happens for authtype == 'cert' || 'basic_cert'
if ($conf['activesync']['auth']['type'] != 'basic') {
if (!$this->_auth->transparent()) {
$injector->getInstance('Horde_Log_Logger')->notice(sprintf('Login failed ActiveSync client certificate for user %s.', $username));
return false;
}
if ($username != $GLOBALS['registry']->getAuth()) {
$injector->getInstance('Horde_Log_Logger')->notice(sprintf('Access granted based on transparent authentication of user %s, but ActiveSync client is requesting access for %s.', $GLOBALS['registry']->getAuth(), $username));
$GLOBALS['registry']->clearAuth();
return false;
}
$this->_logger->info(sprintf('Access granted based on transparent authentication for %s. Client certificate name: %s', $GLOBALS['registry']->getAuth(), $username));
}
// Now check Basic. Happens for authtype == 'basic' || 'basic_cert'
if ($conf['activesync']['auth']['type'] != 'cert' && !$this->_auth->authenticate($username, array('password' => $password))) {
$injector->getInstance('Horde_Log_Logger')->notice(sprintf('Login failed from ActiveSync client for user %s.', $username));
return false;
}
// Get the username from the registry so we capture it after any
// hooks were run on it.
$username = $GLOBALS['registry']->getAuth();
$perms = $injector->getInstance('Horde_Perms');
if ($perms->exists('horde:activesync')) {
// Check permissions to ActiveSync
if (!$this->_getPolicyValue('activesync', $perms->getPermissions('horde:activesync', $username))) {
$this->_logger->info(sprintf("Access denied for user %s per policy settings.", $username));
return Horde_ActiveSync::AUTH_REASON_USER_DENIED;
}
}
return parent::authenticate($username, $password, $domain);
}
/**
* Constructs a new Login authentication object.
*
* @param array $params Optional parameters:
* <pre>
* 'location' - (string) Location of the su binary.
* DEFAULT: /bin/su
* </pre>
*/
public function __construct(array $params = array())
{
if (empty($params['location'])) {
$params['location'] = '/bin/su';
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Configuration parameters:
* <pre>
* 'client' - (Horde_Http_Client) [REQUIRED] TODO
* 'url' - (string) [REQUIRED] TODO
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!isset($params['url']) || !isset($params['client'])) {
throw new InvalidArgumentException();
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Parameters:
* <pre>
* 'kolab' - (Horde_Kolab_Session) [REQUIRED] TODO
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!isset($params['kolab'])) {
throw new InvalidArgumentException('Missing kolab parameter.');
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* - admin_password: (string) The password of the administrator.
* DEFAULT: null
* - admin_user: (string) The name of a user with admin privileges.
* DEFAULT: null
* - hostspec: (string) The hostname or IP address of the server.
* DEFAULT: 'localhost'
* - port: (integer) The server port to which we will connect.
* IMAP is generally 143, while IMAP-SSL is generally 993.
* DEFAULT: Encryption port default
* - secure: (string) The encryption to use. Either 'none', 'ssl', or
* 'tls'.
* DEFAULT: 'none'
* - userhierarchy: (string) The hierarchy where user mailboxes are
* stored (UTF-8).
* DEFAULT: 'user.'
*/
public function __construct(array $params = array())
{
$params = array_merge(array('admin_password' => null, 'admin_user' => null, 'hostspec' => '', 'port' => null, 'secure' => 'none', 'userhierarchy' => 'user.'), $params);
parent::__construct($params);
if (!empty($this->_params['admin_user'])) {
$this->_capabilities = array_merge($this->_capabilities, array('add' => true, 'list' => true, 'remove' => true));
}
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* <pre>
* 'hostspec' - (string) The hostname or IP address of the FTP server.
* DEFAULT: 'localhost'
* 'port' - (integer) The server port to connect to.
* DEFAULT: 21
* </pre>
*
* @throws Horde_Auth_Exception
*/
public function __construct(array $params = array())
{
if (!Horde_Util::extensionExists('ftp')) {
throw new Horde_Auth_Exception(__CLASS__ . ': Required FTP extension not found. Compile PHP with the --enable-ftp switch.');
}
$params = array_merge(array('hostspec' => 'localhost', 'port' => 21), $params);
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Parameters:
* <pre>
* 'password_header' - (string) Name of the header holding the password of
* the logged in user.
* 'password_holder' - (string) Where the hordeauth password is stored.
* 'password_preference' - (string) Name of the Horde preference holding
* the password of the logged in user.
* 'username_header' - (string) [REQUIRED] Name of the header holding the
* username of the logged in user.
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!isset($params['username_header'])) {
throw new InvalidArgumentException('Missing username_header parameter.');
}
$params = array_merge(array('password_header' => '', 'password_holder' => '', 'password_preference' => ''), $params);
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Parameters:
* <pre>
* 'domain' - (string) [REQUIRED] The domain name to authenticate with.
* 'group' - Group name that the user must be a member of.
* DEFAULT: none
* 'hostspec' - (string) [REQUIRED] IP, DNS Name, or NetBios name of the
* SMB server to authenticate with.
* 'smbclient_path' - (string) [REQUIRED] The location of the smbclient
* utility.
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
foreach (array('hostspec', 'domain', 'smbclient_path') as $val) {
if (empty($params[$val])) {
throw new InvalidArgumentException('Missing ' . $val . ' parameter.');
}
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Required parameters:
* <pre>
* 'admin_driver' - (Horde_Auth_Base) The admin driver.
* 'auth_driver' - (Horde_Auth_Base) The auth driver.
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
foreach (array('admin_driver', 'auth_driver') as $val) {
if (!isset($params[$val])) {
throw new InvalidArgumentException('Missing ' . $val . ' parameter.');
}
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* <pre>
* 'app' - (string) The name of the authenticating application.
* DEFAULT: horde
* 'service' - (string) The name of the SASL service to use when
* authenticating.
* DEFAULT: php
* </pre>
*
* @throws Horde_Auth_Exception
*/
public function __construct(array $params = array())
{
if (!Horde_Util::extensionExists('sasl')) {
throw new Horde_Auth_Exception('Horde_Auth_Peclsasl:: requires the sasl PECL extension to be loaded.');
}
$params = array_merge(array('app' => 'horde', 'service' => 'php'), $params);
parent::__construct($params);
sasl_server_init($this->_params['app']);
}
/**
* Constructor.
*
* @param array $params Optional Parameters:
* <pre>
* 'blocks' - (array) CIDR masks which are allowed access.
* </pre>
*/
public function __construct(array $params = array())
{
if (empty($params['blocks'])) {
$params['blocks'] = array();
} elseif (!is_array($params['blocks'])) {
$params['blocks'] = array($params['blocks']);
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* <pre>
* 'service' - (string) The name of the PAM service to use when
* authenticating.
* DEFAULT: php
* </pre>
*
* @throws Horde_Auth_Exception
*/
public function __construct(array $params = array())
{
if (!Horde_Util::extensionExists('pam')) {
throw new Horde_Auth_Exception('PAM authentication is not available.');
}
if (!empty($params['service'])) {
ini_set('pam.servicename', $params['service']);
}
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Parameters:
* <pre>
* 'domain' - (string) [REQUIRED] The domain name to authenticate with.
* 'group' - Group name that the user must be a member of.
* DEFAULT: none
* 'hostspec' - (string) [REQUIRED] IP, DNS Name, or NetBios name of the
* SMB server to authenticate with.
* </pre>
*
* @throws Horde_Auth_Exception
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!Horde_Util::extensionExists('smbauth')) {
throw new Horde_Auth_Exception(__CLASS__ . ': Required smbauth extension not found.');
}
foreach (array('domain', 'hostspec') as $val) {
if (empty($params[$val])) {
throw new InvalidArgumentException('Missing ' . $val . ' parameter.');
}
}
$params = array_merge(array('group' => null), $params);
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Connection parameters.
* <pre>
* 'host' - (string) [REQUIRED] The RADIUS host to use (IP address or
* fully qualified hostname).
* 'method' - (string) [REQUIRED] The RADIUS method to use for validating
* the request.
* Either: 'PAP', 'CHAP_MD5', 'MSCHAPv1', or 'MSCHAPv2'.
* ** CURRENTLY, only 'PAP' is supported. **
* 'nas' - (string) The RADIUS NAS identifier to use.
* DEFAULT: The value of $_SERVER['HTTP_HOST'] or, if not
* defined, then 'localhost'.
* 'port' - (integer) The port to use on the RADIUS server.
* DEFAULT: Whatever the local system identifies as the
* 'radius' UDP port
* 'retries' - (integer) The maximum number of repeated requests to make
* before giving up.
* DEFAULT: 3
* 'secret' - (string) [REQUIRED] The RADIUS shared secret string for the
* host. The RADIUS protocol ignores all but the leading 128
* bytes of the shared secret.
* 'suffix' - (string) The domain name to add to unqualified user names.
* DEFAULT: NONE
* 'timeout' - (integer) The timeout for receiving replies from the server
* (in seconds).
* DEFAULT: 3
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!Horde_Util::extensionExists('radius')) {
throw new Horde_Auth_Exception(__CLASS__ . ': requires the radius PECL extension to be loaded.');
}
foreach (array('host', 'secret', 'method') as $val) {
if (!isset($params[$val])) {
throw new InvalidArgumentException('Missing ' . $val . ' parameter.');
}
}
$params = array_merge(array('nas' => isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : 'localhost', 'port' => 0, 'retries' => 3, 'suffix' => '', 'timeout' => 3), $params);
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Required parameters:
* <pre>
* 'basedn' - (string) [REQUIRED] The base DN for the LDAP server.
* 'filter' - (string) The LDAP formatted search filter to search for
* users. This setting overrides the 'objectclass' parameter.
* 'ldap' - (Horde_Ldap) [REQUIRED] Horde LDAP object.
* 'objectclass - (string|array): The objectclass filter used to search
* for users. Either a single or an array of objectclasses.
* 'uid' - (string) [REQUIRED] The username search key.
* </pre>
*
* @throws Horde_Auth_Exception
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
foreach (array('basedn', 'ldap', 'uid') as $val) {
if (!isset($params[$val])) {
throw new InvalidArgumentException(__CLASS__ . ': Missing ' . $val . ' parameter.');
}
}
if (!empty($params['ad'])) {
$this->_capabilities['resetpassword'] = false;
}
$this->_ldap = $params['ldap'];
unset($params['ldap']);
parent::__construct($params);
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* <pre>
* 'encryption' - (string) Kind of passwords in the .htpasswd file.
* Either 'crypt-des' (standard crypted htpasswd entries)
* [DEFAULT] or 'aprmd5'. This information is used if
* you want to directly authenticate users with this
* driver, instead of relying on transparent auth.
* 'htpasswd_file' - (string) TODO
* </pre>
*/
public function __construct(array $params = array())
{
$params = array_merge(array('encryption' => 'crypt-des'), $params);
parent::__construct($params);
if (!empty($this->_params['htpasswd_file'])) {
$users = file($this->_params['htpasswd_file']);
if (is_array($users)) {
// Enable the list users capability.
$this->_capabilities['list'] = true;
foreach ($users as $line) {
list($user, $pass) = explode(':', $line, 2);
$this->_users[trim($user)] = trim($pass);
}
}
}
}
/**
* Constructor
*
* @param array $params Parameters:
* 'db' - (Horde_Db_Adapter) [REQUIRED] Database object.
* <pre>
* 'encryption' - (string) The encryption to use to store the password in
* the table (e.g. plain, crypt, md5-hex, md5-base64, smd5,
* sha, ssha, aprmd5).
* DEFAULT: 'md5-hex'
* 'hard_expiration_field' - (string) The name of the field containing a
* date after which the account is no longer
* valid and the user will not be able to log in
* at all.
* DEFAULT: none
* 'password_field' - (string) The name of the password field in the auth
* table.
* DEFAULT: 'user_pass'
* 'show_encryption' - (boolean) Whether or not to prepend the encryption
* in the password field.
* DEFAULT: false
* 'soft_expiration_field' - (string) The name of the field containing a
* date after which the system will request the
* user change his or her password.
* DEFAULT: none
* 'table' - (string) The name of the SQL table to use in 'database'.
* DEFAULT: 'horde_users'
* 'username_field' - (string) The name of the username field in the auth
* table.
* DEFAULT: 'user_uid'
* </pre>
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
if (!isset($params['db'])) {
throw new InvalidArgumentException('Missing db parameter.');
}
$this->_db = $params['db'];
unset($params['db']);
$params = array_merge(array('encryption' => 'md5-hex', 'password_field' => 'user_pass', 'show_encryption' => false, 'table' => 'horde_users', 'username_field' => 'user_uid', 'soft_expiration_field' => null, 'soft_expiration_window' => null, 'hard_expiration_field' => null, 'hard_expiration_window' => null), $params);
parent::__construct($params);
/* Only allow limits when there is a storage configured */
if (empty($params['soft_expiration_field']) && $params['soft_expiration_window'] > 0) {
throw new InvalidArgumentException('You cannot set [soft_expiration_window] without [soft_expiration_field].');
}
if ($params['hard_expiration_field'] == '' && $params['hard_expiration_window'] > 0) {
throw new InvalidArgumentException('You cannot set [hard_expiration_window] without [hard_expiration_field].');
}
}
/**
* Validates a username and password
*
* This method should return true or false depending on if login
* succeeded.
*
* @param string $username
* @param string $password
* @return bool
*/
protected function validateUserPass($username, $password)
{
return $this->_auth->authenticate($username, array('password' => $password));
}
public function authenticate(Horde_Auth_Base $auth, $username = '******', $password = '******')
{
$this->assertTrue($auth->authenticate($username, array('password' => $password)));
$params = array('driver' => 'Mock', 'username' => $username, 'password' => $password);
return $this->prepareEmptyKolabStorage($params);
}
/**
* Constructor.
*
* @param array $params Parameters:
* - password: (string) If available, the password to use for the session.
* DEFAULT: no password used.
* - username_field: (string) Name of the $_SERVER field that
* the username can be found in. DEFAULT: 'SSL_CLIENT_S_DN_EMAILADDRESS'.
* - certificate_field: (string) Name of the $_SERVER field that contains
* the full certificate. DEFAULT: 'SSL_CLIENT_CERT'
* - ignore_purpose: (boolean) If true, will ignore any usage restrictions
* on the presented client certificate. I.e., if openssl_x509_checkpurpose
* returns false, authentication may still proceed. DEFAULT: false - ONLY
* ENABLE THIS IF YOU KNOW WHY YOU ARE DOING SO.
* - filter: (array) An array where the keys are field names and the
* values are the values those certificate fields MUST
* match to be considered valid. Keys in the format of
* fieldone:fieldtwo will be taken as parent:child.
* DEFAULT: no additionachecks applied.
*
* @throws InvalidArgumentException
*/
public function __construct(array $params = array())
{
$params = array_merge(array('password' => false, 'username_field' => 'SSL_CLIENT_S_DN_CN', 'certificate_field' => 'SSL_CLIENT_CERT', 'ignore_purpose' => true, 'filter' => array()), $params);
parent::__construct($params);
}
/**
*/
public function getError($msg = false)
{
return $this->_base->getError($msg);
}
/**
* Constructor.
*
* @param array $params Optional parameters:
* <pre>
* 'password' - (string) The password to record in the user's credentials.
* DEFAULT: none
* 'requestuser' - (boolean) If true, allow username to be passed by GET,
* POST or cookie.
* DEFAULT: No
* 'username' - (string) The username to authenticate everyone as.
* DEFAULT: 'horde_user'
* </pre>
*/
public function __construct(array $params = array())
{
$params = array_merge(array('password' => '', 'requestuser' => false, 'username' => 'horde_user'), $params);
parent::__construct($params);
}
/**
* Queries the current Auth object to find out if it supports the given
* capability.
*
* @param string $capability The capability to test for.
*
* @return boolean Whether or not the capability is supported.
*/
public function hasCapability($capability)
{
if ($this->_params['lock']) {
switch ($capability) {
case 'add':
case 'update':
case 'resetpassword':
case 'remove':
return true;
}
}
return parent::hasCapability($capability);
}
