/**
 * Check a username/password pair against the digest stored for that user.
 *
 * The digest is fetched with a prepared statement and the comparison itself
 * is delegated to `User::checkPassword`, which is the part described as
 * timing-attack resistant.
 *
 * NOTE(review): when no row matches, `fetch()` returns `false` and that value
 * is passed to `User::checkPassword` as-is — confirm it treats a missing
 * digest as a failed login rather than exiting early (an early exit would
 * make the "user exists" case distinguishable by timing).
 *
 * @param string $username Username.
 * @param string $password Password.
 * @return bool
 */
protected function validateUserPass($username, $password)
{
    $db     = $this->database;
    $lookup = $db->prepare('SELECT digesta1 FROM users WHERE username = :username');
    $lookup->execute(['username' => $username]);

    $storedDigest = $lookup->fetch($db::FETCH_COLUMN, 0);

    return User::checkPassword($password, $storedDigest);
}
/**
 * Installing the administrator must produce three principals (the
 * administrator plus its calendar-proxy-read and calendar-proxy-write
 * principals, in insertion order) and exactly one user row whose digest
 * verifies against the chosen password.
 *
 * @tags installation configuration database sqlite authentication administration
 */
function case_create_administrator_profile()
{
    $this
        ->given(
            $configuration = new Configuration(
                $this->helper->configuration(
                    'configuration.json',
                    [
                        'database' => [
                            'dsn'      => $this->helper->sqlite(),
                            'username' => '',
                            'password' => ''
                        ]
                    ]
                )
            ),
            $database = CUT::createDatabase($configuration),
            $login    = Server::ADMINISTRATOR_LOGIN,
            $email    = '*****@*****.**',
            $password = '******'
        )
        ->when($result = CUT::createAdministratorProfile($configuration, $database, $email, $password))
        ->then
            ->boolean($result)
                ->isTrue();

    // Principals table: ids and URIs follow the insertion order of the installer.
    $this
        ->when($result = $database->query('SELECT * FROM principals', $database::FETCH_CLASS, 'StdClass'))
        ->then
            ->array($rows = iterator_to_array($result))
                ->hasSize(3)

            ->let($row = $rows[0])
            ->string($row->id)
                ->isEqualTo('1')
            ->string($row->uri)
                ->isEqualTo('principals/' . $login)
            ->string($row->email)
                ->isEqualTo($email)
            ->string($row->displayname)
                ->isEqualTo('Administrator')

            ->let($row = $rows[1])
            ->string($row->id)
                ->isEqualTo('2')
            ->string($row->uri)
                ->isEqualTo('principals/' . $login . '/calendar-proxy-read')
            ->variable($row->email)
                ->isNull()
            ->variable($row->displayname)
                ->isNull()

            ->let($row = $rows[2])
            ->string($row->id)
                ->isEqualTo('3')
            ->string($row->uri)
                ->isEqualTo('principals/' . $login . '/calendar-proxy-write')
            ->variable($row->email)
                ->isNull()
            ->variable($row->displayname)
                ->isNull();

    // Users table: a single row for the administrator login, with a digest
    // that verifies against the password used during installation.
    $this
        ->when($result = $database->query('SELECT * FROM users', $database::FETCH_CLASS, 'StdClass'))
        ->then
            ->array($rows = iterator_to_array($result))
                ->hasSize(1)
            ->let($row = $rows[0])
            ->string($row->username)
                ->isEqualTo($login)
            ->string($row->digesta1)
            ->boolean(User::checkPassword($password, $row->digesta1))
                ->isTrue();
}
/**
 * Create the administrator profile: the administrator principal, its two
 * calendar-proxy principals and the matching user row.
 *
 * `$configuration` is part of the signature but is not read in this body.
 *
 * NOTE(review): `checkEmail` and `checkPassword` receive the value
 * concatenated with itself (`$email . $email`, `$password . $password`).
 * This looks like the "value + confirmation" form those checks expect from
 * the installer rather than a mistake — confirm against their definitions
 * before changing it.
 *
 * NOTE(review): the four inserts are not wrapped in a transaction, so a
 * failure on a later insert leaves the earlier rows in place — confirm the
 * caller can cope with a partially created profile.
 *
 * @param Configuration $configuration
 * @param PDO $database
 * @param string $email Administrator's email.
 * @param string $password Administrator's password.
 * @return bool
 * @throws Exception\Installation
 */
static function createAdministratorProfile(Configuration $configuration, PDO $database, $email, $password)
{
    $login = Server::ADMINISTRATOR_LOGIN;

    if (false === static::checkLogin($login)) {
        throw new Exception\Installation('Login is invalid.', 13);
    }

    if (false === static::checkEmail($email . $email)) {
        throw new Exception\Installation('Email is invalid.', 14);
    }

    if (false === static::checkPassword($password . $password)) {
        throw new Exception\Installation('Password is invalid.', 15);
    }

    // Hashed up front; only PDO errors are translated into an
    // Exception\Installation below.
    $digest = User::hashPassword($password);

    $principalRows = [
        [
            'uri'         => 'principals/' . $login,
            'email'       => $email,
            'displayname' => 'Administrator'
        ],
        [
            'uri'         => 'principals/' . $login . '/calendar-proxy-read',
            'email'       => null,
            'displayname' => null
        ],
        [
            'uri'         => 'principals/' . $login . '/calendar-proxy-write',
            'email'       => null,
            'displayname' => null
        ]
    ];

    try {
        $insertPrincipal = $database->prepare(
            'INSERT INTO principals (uri, email, displayname) VALUES (:uri, :email, :displayname)'
        );

        foreach ($principalRows as $row) {
            $insertPrincipal->execute($row);
        }

        $insertUser = $database->prepare(
            'INSERT INTO users (username, digesta1) VALUES (:username, :digest)'
        );
        $insertUser->execute(['username' => $login, 'digest' => $digest]);
    } catch (PDOException $exception) {
        throw new Exception\Installation(
            'An error occured while creating the administrator profile.',
            16,
            null,
            $exception
        );
    }

    return true;
}
/**
 * Handle a `PROPPATCH` (update) or `MKCOL` (create) on a principal: when the
 * `{http://sabredav.org/ns}password` property is supplied, the user row for
 * that principal is written with a freshly computed digest.
 *
 * NOTE(review): the username is obtained by dropping the first
 * `strlen('principals/')` bytes of `$path` without checking that the prefix
 * is actually present — confirm the caller only routes `principals/...`
 * paths here.
 *
 * @param string $path Path.
 * @param SabreDav\PropPatch $propPatch The `PROPPATCH` object.
 * @return void
 */
function propPatch($path, SabreDav\PropPatch $propPatch)
{
    $prefixLength = strlen('principals/');
    $username     = substr($path, $prefixLength);
    $database     = $this->database;

    // REPLACE covers both the create (MKCOL) and update (PROPPATCH) cases.
    $writeUser = function ($properties) use ($username, $database) {
        $upsert = $database->prepare(
            'REPLACE INTO users (username, digesta1) VALUES (:username, :digest)'
        );
        $digest = Plugin::hashPassword($properties['{http://sabredav.org/ns}password']);

        return $upsert->execute(['username' => $username, 'digest' => $digest]);
    };

    $propPatch->handle(['{http://sabredav.org/ns}password'], $writeUser);
}