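/**
 * Verifies a Yubikey OTP against the Yubico API and returns the key's public id.
 *
 * The adapter is built from the configured api_id/api_key and authenticated directly —
 * deliberately NOT through Zend_Auth::getInstance() — so that an invalid OTP does not
 * clear the identity already stored in the session.
 *
 * @param string $yubikey the full OTP as entered by the user
 * @return string|false the OTP prefix (the key's public id) when Yubico accepts it, false otherwise
 */
private function _getYubikeyPublicId($yubikey)
{
    $authAdapter = new Monkeys_Auth_Adapter_Yubikey(
        array(
            'api_id'  => $this->_config->yubikey->api_id,
            'api_key' => $this->_config->yubikey->api_key,
        ),
        null,
        $yubikey
    );
    // do not go through Zend_Auth::getInstance() to avoid losing the session if
    // the yubikey is invalid
    $result = $authAdapter->authenticate($authAdapter);
    if ($result->isValid()) {
        $parts = Yubico_Auth::parsePasswordOTP($yubikey);
        return $parts['prefix'];
    }

    $logger = Zend_Registry::get('logger');
    $logger->log('Invalid authentication: ' . implode(' - ', $result->getMessages()), Zend_Log::DEBUG);
    // isset() instead of the '@' notice suppression: getOptions() may not carry a client at all.
    $authOptions = $authAdapter->getOptions();
    if (isset($authOptions['yubiClient']) && $authOptions['yubiClient']) {
        // The last query sent to Yubico presumably contains the submitted OTP, so this DEBUG
        // line writes a (single-use) credential to the log — keep DEBUG disabled in production.
        $logger->log('Yubi request was: ' . $authOptions['yubiClient']->getlastQuery(), Zend_Log::DEBUG);
    }
    return false;
}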
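 /**
  * Authenticates $identity with $password against the backend selected by the configuration:
  * the Yubico API (OTP), an LDAP bind as the user, or the local users table. On success the user
  * record is re-read, saved, written to the Zend_Auth storage and registered as 'user'; on failure
  * the adapter's messages are logged at DEBUG and false is returned.
  *
  * In CID we chose from the beginning not to use SET NAMES, and instead leave the charset encoding
  * configuration on the database server side (my.cnf).
  *
  * CID's strings are UTF8. If character_set_client is not UTF8 but latin1 for example (unfortunately that's the
  * common case), non-latin1 characters will appear garbled when manually browsing the db, but they should show OK
  * in CID's web pages.
  *
  * When authenticating below, we use MySQL's MD5 function. From my tests, it looks like the argument of this function
  * gets automatically converted to the charset of that field, as if we had implicitly MD5(CONVERT(arg using charset)).
  * When the tables are built during setup, the charset of string fields is set according to the my.cnf directives
  * character-set-server and collation-server.
  * If those directives don't match character_set_client, the conversion inside MD5 will in fact transform the string,
  * and we'll get the MD5 of a different string than what we had intended (only if the string contains non-latin1
  * characters). For this reason we have to override that conversion, converting to the charset specified in
  * character_set_client, as shown below.
  *
  * @param string         $identity                   username, or the OpenID identifier when $isOpenId is true
  * @param string         $password                   password, or the full Yubikey OTP when Yubikey auth applies
  * @param bool           $isOpenId                   whether $identity is an OpenID identifier
  * @param Zend_View|null $view                       passed through to getUserWithUsername()
  * @param bool           $bypassMarkSuccessfullLogin when true, markSuccessfullLogin() is not called on the user
  * @return bool true when the adapter accepted the credentials, false otherwise (unknown identity,
  *              OTP not matching the user's registered key, or rejected credentials)
  * @throws Zend_Exception when Yubikey auth is required but api_id/api_key are not configured
  * @throws Exception      rethrown from getUserWithUsername() after the just-written identity is cleared
  */
 public function authenticate($identity, $password, $isOpenId = false, Zend_View $view = null, $bypassMarkSuccessfullLogin = false)
 {
     $config = Zend_Registry::get('config');
     $useYubikey = false;

     if ($isOpenId) {
         if (!Zend_OpenId::normalize($identity)) {
             return false;
         }
         if (!($this->_user = $this->getUserWithOpenId($identity))) {
             return false;
         }
         $cn = $this->_user->username;
     } else {
         $cn = $identity;
         $this->_user = $this->getUserWithUsername($identity, false, $view);
     }

     // Yubikey is mandatory when the user enrolled for it or when the admin forces it globally.
     // '==' on auth_type is kept: the value arrives from the DB and its type relative to the
     // constant is not visible here.
     if ($this->_user && $config->yubikey->enabled
         && ($this->_user->auth_type == Users_Model_User::AUTH_YUBIKEY || $config->yubikey->force)) {
         $parts = Yubico_Auth::parsePasswordOTP($password);
         // The OTP prefix is the key's public id and must be the one registered for this user.
         // Strict comparison: a loose != would compare numeric-looking strings as numbers.
         if (!$parts || $this->_user->yubikey_publicid !== $parts['prefix']) {
             return false;
         }
         $useYubikey = true;
     }

     $ldapConfig = $config->ldap;
     if ($useYubikey) {
         // isset() instead of '@' suppression: Zend_Config implements __isset, so a missing
         // 'yubikey' section or key yields null here without a notice.
         $apiId  = isset($config->yubikey->api_id)  ? $config->yubikey->api_id  : null;
         $apiKey = isset($config->yubikey->api_key) ? $config->yubikey->api_key : null;
         if (!$apiId || !$apiKey) {
             throw new Zend_Exception('Admin must set the yubikey configuration options before attempting to log in using this method');
         }
         $authAdapter = new Monkeys_Auth_Adapter_Yubikey(array('api_id' => $apiId, 'api_key' => $apiKey), $identity, $password);
     } elseif ($ldapConfig->enabled) {
         $ldapOptions = $ldapConfig->toArray();
         $ldapOptions['accountCanonicalForm'] = Zend_Ldap::ACCTNAME_FORM_USERNAME;
         // Strip the CID-specific keys that Zend_Auth_Adapter_Ldap does not expect ...
         unset(
             $ldapOptions['enabled'],
             $ldapOptions['admin'],
             $ldapOptions['fields'],
             $ldapOptions['keepRecordsSynced'],
             $ldapOptions['canChangePassword'],
             $ldapOptions['passwordHashing']
         );
         // ... and the LDAP admin credentials: we bind directly as the user being authenticated.
         unset($ldapOptions['username'], $ldapOptions['password']);
         // NOTE(review): $cn is computed above but never used, and the bind name here is a literal
         // placeholder — this looks like a redaction or leftover; confirm the intended bind
         // identity (presumably $cn).
         $username = "******";
         $authAdapter = new Zend_Auth_Adapter_Ldap(array('server1' => $ldapOptions), $username, $password);
     } else {
         $db = $this->getAdapter();
         // See the docblock: convert both sides to the client charset so MySQL's MD5() hashes the
         // bytes we intended rather than a field-charset-converted copy.
         $result = $db->query("SHOW VARIABLES LIKE 'character_set_client'")->fetch();
         $clientCharset = $result['Value'];
         // $clientCharset is interpolated into SQL. It is the server's own variable, not request
         // data, and a charset name is an identifier that a '?' placeholder cannot supply — so
         // this stays a string build, but nothing request-derived may ever be added to it.
         // NOTE(review): MD5 is a fast hash with no per-user work factor. The stored format is a
         // schema decision made outside this method; password_hash()/password_verify() would be
         // the long-term replacement.
         // NOTE(review): the credential is hashed as CONCAT(openid, password) for username logins
         // too — presumably that is how the hashes were written at setup; confirm there.
         $credentialTreatment = 'MD5(CONCAT(CONVERT(openid using ' . $clientCharset . '), CONVERT(? using ' . $clientCharset . ')))';
         $identityColumn = $isOpenId ? 'openid' : 'username';
         $authAdapter = new Zend_Auth_Adapter_DbTable($db, 'users', $identityColumn, 'password', $credentialTreatment);
         $authAdapter->setIdentity($identity);
         $authAdapter->setCredential($password);
     }

     $auth = Zend_Auth::getInstance();
     $result = $auth->authenticate($authAdapter);
     if ($result->isValid()) {
         if (!$isOpenId) {
             try {
                 // Re-read the user with the second argument true (the lookup above passed false);
                 // presumably the variant that throws instead of returning null — confirm.
                 $this->_user = $this->getUserWithUsername($identity, true, $view);
             } catch (Exception $e) {
                 // avoid leaving in the session an empty user object
                 $auth->clearIdentity();
                 Zend_Session::forgetMe();
                 throw $e;
             }
         }
         if (!$bypassMarkSuccessfullLogin) {
             $this->_user->markSuccessfullLogin();
         }
         $this->_user->save();
         $auth->getStorage()->write($this->_user);
         Zend_Registry::set('user', $this->_user);
         // NOTE(review): the session id is not regenerated on this privilege change; if no caller
         // does it, Zend_Session::regenerateId() here would close the session-fixation window.
         return true;
     }

     // this is ugly, logging should be done in the controller, not here
     $logger = Zend_Registry::get('logger');
     $logger->log('Invalid authentication: ' . implode(' - ', $result->getMessages()), Zend_Log::DEBUG);
     if ($authAdapter instanceof Monkeys_Auth_Adapter_Yubikey) {
         $authOptions = $authAdapter->getOptions();
         if (isset($authOptions['yubiClient']) && $authOptions['yubiClient']) {
             // The last Yubico query presumably carries the submitted OTP; this DEBUG line therefore
             // writes a (single-use) credential to the log — keep DEBUG disabled in production.
             $logger->log('Yubi request was: ' . $authOptions['yubiClient']->getlastQuery(), Zend_Log::DEBUG);
         }
     }
     return false;
 }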