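 /**
  * Replace the client's real address with a stable pseudo IPv6 address
  * before DokuWiki records it (DOKUWIKI_STARTED hook).
  *
  * When the web server already hands us 127.0.0.1 (it anonymized the address
  * itself) the PHP session id is used as identifier, so the same visitor keeps
  * the same pseudo address across requests; otherwise auth_browseruid() is
  * used ("IP + Browser Data"). The identifier is md5-hashed and laid out as a
  * link-local fe80:: address. X-Forwarded-For / X-Real-IP are dropped so
  * nothing downstream can recover the original address from those headers.
  *
  * NOTE(review): md5(auth_browseruid()) is a deterministic, unkeyed function of
  * the address and browser headers. Anyone who can enumerate the candidate
  * addresses/headers can re-identify a pseudo address by recomputing it; this
  * is pseudonymization, not anonymization.
  *
  * @param Doku_Event $event the DOKUWIKI_STARTED event (not modified)
  * @param mixed      $param handler parameter (unused)
  */
 public function handle_dokuwiki_started(Doku_Event &$event, $param)
 {
     // REMOTE_ADDR is a string; compare strictly
     if ($_SERVER['REMOTE_ADDR'] === '127.0.0.1') {
         // already anonymized upstream: derive from the session id
         $seed = session_id();
         if (!$seed) {
             // No session: nothing stable to derive from, so use fresh CSPRNG
             // bytes where available. mt_rand() is predictable and is only kept
             // as a last resort for PHP builds without random_bytes().
             $seed = function_exists('random_bytes') ? bin2hex(random_bytes(16)) : (string) mt_rand();
         }
         $uid = md5($seed);
     } else {
         // IP + browser data
         $uid = md5(auth_browseruid());
     }

     // fe80: plus seven 16-bit groups taken from the first 28 hex digits of the hash
     $ip = 'fe80:' . implode(':', str_split(substr($uid, 0, 28), 4));

     // reset server variables; unset() on a missing key is a no-op
     $_SERVER['REMOTE_ADDR'] = $ip;
     unset($_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_X_REAL_IP']);

     // reset dokuwiki INFO variable for anonymous visitors only; empty() avoids
     // the undefined-index notice the bare read produced when no user is set
     global $INFO;
     if (empty($_SERVER['REMOTE_USER'])) {
         $INFO['client'] = $ip;
     }
 }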
 /**
  * Regression test: IE9 must yield the same browser id for its AJAX and
  * normal requests.
  *
  * IE9 sends a shortened HTTP_ACCEPT_LANGUAGE ("de" instead of "de-DE") on
  * XMLHttpRequest calls; auth_browseruid() must not let that change the id.
  */
 function testIE9JsVsDefault()
 {
     $ie9 = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)';

     // request as issued by IE9's XMLHttpRequest: short language tag, no charset
     $_SERVER['HTTP_USER_AGENT'] = $ie9;
     $_SERVER['HTTP_ACCEPT_ENCODING'] = 'gzip, deflate';
     $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de';
     unset($_SERVER['HTTP_ACCEPT_CHARSET']);
     $ajaxId = auth_browseruid();

     // regular page request from the same browser: full language tag
     $_SERVER['HTTP_USER_AGENT'] = $ie9;
     $_SERVER['HTTP_ACCEPT_ENCODING'] = 'gzip, deflate';
     $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de-DE';
     $pageId = auth_browseruid();

     $this->assertEquals($pageId, $ajaxId);
 }
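/**
 * Set the authentication cookie and add user identification data to the session
 *
 * The cookie value is "base64(user)|sticky|base64(pass)"; base64 keeps the "|"
 * separator unambiguous even when the user name or password contains one.
 * The cookie is marked Secure only when $conf['securecookie'] is enabled AND
 * the current request is SSL, and HttpOnly on every PHP that supports the flag.
 * $pass goes into the cookie as given (the caller is expected to pass the
 * encrypted form); only its sha1 is kept in the session.
 *
 * @param string  $user       username
 * @param string  $pass       encrypted password
 * @param bool    $sticky     whether or not the cookie will last beyond the session
 * @return bool   false when no auth backend is configured, true otherwise
 */
function auth_setCookie($user, $pass, $sticky)
{
    global $conf;
    /* @var auth_basic $auth */
    global $auth;
    global $USERINFO;
    if (!$auth) {
        return false;
    }
    $USERINFO = $auth->getUserData($user);

    // set cookie
    $cookie = base64_encode($user) . '|' . (int) $sticky . '|' . base64_encode($pass);
    $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
    // sticky: one year; otherwise 0 = session cookie
    $time = $sticky ? time() + 60 * 60 * 24 * 365 : 0;
    $secure = !empty($conf['securecookie']) && is_ssl();
    // The httponly argument exists since PHP 5.2.0 itself, so test with ">=":
    // the previous ">" left the flag off on exactly 5.2.0.
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', $secure, true);
    } else {
        setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', $secure);
    }

    // set session
    $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
    $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);
    $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
    $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    return true;
}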
 /**
  * Build a semi-secret fixed string identifying the current page and user
  *
  * The value is stable for one browser (auth_browseruid()), one page ($ID)
  * and one revision (mtime of the page file) on one calendar day. The daily
  * component means an edit begun before midnight and saved after it fails the
  * CAPTCHA once, but it also keeps the string from being reused indefinitely,
  * which matters for the registration form where $ID normally never changes.
  * auth_cookiesalt() is mixed in, presumably so the value cannot be predicted
  * from public data alone.
  *
  * @return string
  */
 public function _fixedIdent()
 {
     global $ID;
     $parts = array(
         auth_browseruid(),
         auth_cookiesalt(),
         $ID,
         @filemtime(wikiFN($ID)), // false (-> '') for a page that does not exist yet
         date('Y-m-d'),
     );
     return implode('', $parts);
 }
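/**
 * Save user data to the session and (re)set the persistent auth cookie
 *
 * The session keeps the clear-text bind password (presumably because later
 * requests re-bind to LDAP with it - a design choice of this plugin, not
 * something this function can avoid). The "ldapabauth" cookie holds
 * serialize([user, pass]) encrypted with x_Encrypt() under get_cookie_secret()
 * and base64-encoded.
 *
 * NOTE(review): whichever code reads that cookie will unserialize() data that
 * came from the client; verify on the read side that decryption fails closed
 * on a tampered value before unserialize() is reached.
 *
 * @param string $user  user name; '' logs the user out
 * @param string $pass  clear-text bind password
 * @param string $dn    bind DN belonging to $user
 */
function set_session($user, $pass, $dn)
{
    global $conf;
    $_SESSION['ldapab']['username'] = $user;
    $_SESSION['ldapab']['binddn'] = $dn;
    $_SESSION['ldapab']['password'] = $pass;
    $_SESSION['ldapab']['browserid'] = auth_browseruid();

    // (re)set the persistent auth cookie
    if ($user == '') {
        // Logout: an expiry in the past makes the browser discard the cookie.
        // Previously an empty value was set with a one-year lifetime, which
        // left a stale cookie around instead of removing it.
        setcookie('ldapabauth', '', time() - 3600);
    } elseif (!empty($_REQUEST['remember'])) {
        $cookie = serialize(array($user, $pass));
        $cookie = x_Encrypt($cookie, get_cookie_secret());
        $cookie = base64_encode($cookie);
        // HttpOnly: nothing client-side needs to read the encrypted credentials
        setcookie('ldapabauth', $cookie, time() + 60 * 60 * 24 * 365, '', '', false, true);
    }
}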
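 /**
  * Do all authentication [ OPTIONAL ]
  *
  * Set $this->cando['external'] = true when implemented
  *
  * If this function is implemented it will be used to
  * authenticate a user - all other DokuWiki internals
  * will not be used for authenticating, thus
  * implementing the checkPass() function is not needed
  * anymore.
  *
  * The function can be used to authenticate against third
  * party cookies or Apache auth mechanisms and replaces
  * the auth_login() function
  *
  * The function will be called with or without a set
  * username. If the Username is given it was called
  * from the login form and the given credentials might
  * need to be checked. If no username was given it
  * the function needs to check if the user is logged in
  * by other means (cookie, environment).
  *
  * The function needs to set some globals needed by
  * DokuWiki like auth_login() does.
  *
  * This implementation delegates to UCenter: a form login goes through
  * _uc_user_login() and on success writes the UC cookie
  * (uid \t password-from-UC-record \t username, sealed with uc_authcode()).
  * A request without user name is accepted when that cookie decodes and
  * either matches the DokuWiki session (user, password, browser id) or,
  * failing that, still matches the user record fetched from UC.
  *
  * @see auth_login()
  *
  * @param   string  $user    Username
  * @param   string  $pass    Cleartext Password
  * @param   bool    $sticky  Cookie should not expire
  * @return  bool             true on successful auth
  */
 function trustExternal($user, $pass, $sticky = false)
 {
     global $USERINFO;
     global $conf;
     global $lang;
     global $ACT;
     $sticky = (bool) $sticky;

     $uid = '';
     $username = '';
     $password = '';
     $email = '';
     $user_info = null;
     $checked = false;

     if (!empty($user)) {
         // login form: verify against UC and (re)issue the UC cookie
         list($uid, $username, $password, $email) = $this->_uc_user_login($user, $pass);
         // drop any previous UC cookie first (absolute timestamp in the past)
         setcookie($this->cnf['cookie'], '', -86400);
         if ($uid > 0) {
             $_SERVER['REMOTE_USER'] = $username;
             $user_info = $this->_uc_get_user_full($uid, 1);
             $this->_uc_setcookie($this->cnf['cookie'], uc_authcode($uid . "\t" . $user_info['password'] . "\t" . $this->_convert_charset($username), 'ENCODE'));
             // uc_user_synlogin() output logs the user in to the other UC apps;
             // msg() keeps it across the page refresh, a plain echo would not
             $synlogin = uc_user_synlogin($uid);
             msg($synlogin, 0);
             $checked = true;
         } else {
             // Previously this switched on an undefined $login_uid (and tested an
             // undefined $silent), so the "user does not exist" message was never
             // shown; the uid slot returned by _uc_user_login() is the value the
             // -1/-2 cases refer to. The message text is user-facing, kept verbatim.
             switch ($uid) {
                 case -1:
                     $msg = '用户名不存在或者被删除';
                     break;
                 case -2:
                 default:
                     $msg = $lang['badlogin'];
                     break;
             }
             msg($msg, -1);
             $checked = false;
         }
     } else {
         // no form data: try the UC cookie
         $cookie = isset($_COOKIE[$this->cnf['cookie']]) ? $_COOKIE[$this->cnf['cookie']] : '';
         if (!empty($cookie)) {
             // use password check instead of username check; pad so a short or
             // undecodable value yields empty fields instead of notices
             $parts = explode("\t", uc_authcode($cookie, 'DECODE'));
             list($uid, $password, $username) = array_pad($parts, 3, '');
             $username = $this->_convert_charset($username, 0);
             if ($password && $uid && $username) {
                 // prefer the DokuWiki session: user, password and browser id must
                 // all match. Strict comparisons - '==' on hash-like strings
                 // treats "0e<digits>" values as numerically equal.
                 $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;
                 if (
                     is_array($session)
                     && isset($session['user'], $session['pass'], $session['buid'])
                     && (string) $session['user'] === (string) $username
                     && (string) $session['pass'] === (string) $password
                     && (string) $session['buid'] === (string) auth_browseruid()
                 ) {
                     $user_info = $session['info'];
                     $checked = true;
                 } else {
                     // he has logged in from other uc apps: compare against the
                     // live UC record
                     $user_info = $this->_uc_get_user_full($uid, 1);
                     if (
                         is_array($user_info)
                         && isset($user_info['uid'], $user_info['password'])
                         && (string) $uid === (string) $user_info['uid']
                         && (string) $password === (string) $user_info['password']
                     ) {
                         $checked = true;
                     }
                 }
             }
         }
     }

     if ($checked) {
         $_SERVER['REMOTE_USER'] = $username;
         $USERINFO = $user_info;
         //FIXME move all references to session
         $_SESSION[DOKU_COOKIE]['auth']['user'] = $username;
         $_SESSION[DOKU_COOKIE]['auth']['pass'] = $password;
         $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
         $_SESSION[DOKU_COOKIE]['auth']['info'] = $user_info;
         $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
     }
     return $checked;
 }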
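 /**
  * Check that the session was created by the browser making this request
  *
  * Compares the browser id stored at login with auth_browseruid() for the
  * current request. Uses a strict comparison: with '==' two hex digests of
  * the form "0e<digits>" compare numerically equal.
  *
  * @param array $session cookie auth session ($_SESSION[DOKU_COOKIE]['auth'])
  *
  * @return bool true when a stored buid exists and matches the current browser id
  */
 public function validBrowserID($session)
 {
     if (!is_array($session) || !isset($session['buid'])) {
         return false;
     }
     return (string) $session['buid'] === (string) auth_browseruid();
 }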
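 /**
  * Checks the session to see if the user is already logged in
  *
  * If not logged in, redirects to SAML provider
  *
  * Three cases, in order:
  *  1. A DokuWiki session with a user name whose browser id matches the
  *     current request is trusted as-is (no round trip to the IdP).
  *  2. No SAMLResponse in the POST and either the login action or the
  *     adfs_autologin preference: build a SAML AuthnRequest, remember the
  *     current page in $_SESSION['adfs_redirect'] and redirect to the IdP.
  *  3. A POSTed SAMLResponse is validated; on success the user attributes
  *     are copied to $USERINFO and the session, the local user cache is
  *     updated, and the browser is redirected to the remembered page.
  *
  * @param string $user   username from the login form (normally empty on the SAML callback)
  * @param string $pass   password from the login form (unused, the IdP authenticates)
  * @param bool   $sticky unused
  * @return bool true when the user is authenticated
  */
 public function trustExternal($user, $pass, $sticky = false)
 {
     global $USERINFO;
     global $ID;
     global $ACT;
     global $conf;

     // 1. trust session info, no need to recheck. Strict comparison on the
     //    browser id: '==' treats "0e<digits>" hex digests as equal numbers.
     if (
         isset($_SESSION[DOKU_COOKIE]['auth']['user'], $_SESSION[DOKU_COOKIE]['auth']['buid'])
         && (string) $_SESSION[DOKU_COOKIE]['auth']['buid'] === (string) auth_browseruid()
     ) {
         $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
         $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info'];
         return true;
     }

     if (!isset($_POST['SAMLResponse'])) {
         if ($ACT === 'login' || get_doku_pref('adfs_autologin', 0)) {
             // 2. Initiate SAML auth request and remember the current page.
             //    The return target is built by wl() from $ID, not from request input.
             $authrequest = new SamlAuthRequest($this->settings);
             $url = $authrequest->create();
             $_SESSION['adfs_redirect'] = wl($ID, '', true, '&');
             send_redirect($url);
         }
         // no login happened
         return false;
     }

     // 3. consume SAML response
     $samlresponse = new SamlResponse($this->settings, $_POST['SAMLResponse']);
     try {
         if ($samlresponse->is_valid()) {
             $login = $samlresponse->get_attribute('login');
             $_SERVER['REMOTE_USER'] = $login;
             $USERINFO['user'] = $login;
             $USERINFO['name'] = $samlresponse->get_attribute('fullname');
             $USERINFO['mail'] = $samlresponse->get_attribute('email');
             $USERINFO['grps'] = (array) $samlresponse->get_attribute('groups');
             $USERINFO['grps'][] = $conf['defaultgroup'];
             $USERINFO['grps'] = array_map(array($this, 'cleanGroup'), $USERINFO['grps']);

             $_SESSION[DOKU_COOKIE]['auth']['user'] = $login;
             $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
             $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();

             // cache user data locally, keyed by the SAML login. Previously the
             // $user parameter was used here; on the IdP's POST back there is
             // no login form, so that value is normally empty and the cache
             // entry ended up under an empty user name.
             $changes = array('name' => $USERINFO['name'], 'mail' => $USERINFO['mail'], 'grps' => $USERINFO['grps']);
             if ($this->triggerUserMod('modify', array($login, $changes)) === false) {
                 $this->triggerUserMod('create', array($login, "nil", $USERINFO['name'], $USERINFO['mail'], $USERINFO['grps']));
             }

             // successful login: return to the page remembered before the redirect
             if (isset($_SESSION['adfs_redirect'])) {
                 $go = $_SESSION['adfs_redirect'];
                 unset($_SESSION['adfs_redirect']);
             } else {
                 $go = wl($ID, '', true, '&');
             }
             set_doku_pref('adfs_autologin', 1);
             // the redirect decouples the browser history from the POST
             send_redirect($go);
             return true;
         }
         $this->logOff();
         msg('The SAML response signature was invalid.', -1);
         return false;
     } catch (Exception $e) {
         $this->logOff();
         msg('Invalid SAML response: ' . hsc($e->getMessage()), -1);
         return false;
     }
 }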
 /**
  * Store an OAuth-authenticated user in $USERINFO, REMOTE_USER and the session
  *
  * The service name is added to the user's groups (cleaned via cleanGroup())
  * and recorded under ['auth']['oauth'] so later requests can tell which
  * provider authenticated the session.
  *
  * @param array  $data    user record: 'user', 'pass' and optionally 'grps'
  * @param string $service OAuth service name
  */
 protected function setUserSession($data, $service)
 {
     global $USERINFO;
     global $conf;

     // make sure the service group is present exactly once
     $groups = is_array($data['grps']) ? $data['grps'] : array();
     $groups[] = $this->cleanGroup($service);
     $data['grps'] = array_unique($groups);

     $USERINFO = $data;
     $_SERVER['REMOTE_USER'] = $data['user'];

     $auth = array(
         'user' => $data['user'],
         'pass' => $data['pass'],
         'info' => $USERINFO,
         'buid' => auth_browseruid(),
         'time' => time(),
         'oauth' => $service,
     );
     foreach ($auth as $key => $value) {
         $_SESSION[DOKU_COOKIE]['auth'][$key] = $value;
     }
 }
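/**
 * Set the authentication cookie and add user identification data to the session
 *
 * Cookie layout is base64("user|sticky|pass"). The fields are not encoded
 * individually, so a user name containing "|" would be mis-parsed by a reader
 * that splits on "|"; the layout is kept because readers depend on it. The
 * password is stored in the session and the cookie exactly as passed in.
 *
 * @param string  $user       username
 * @param string  $pass       encrypted password
 * @param bool    $sticky     whether or not the cookie will last beyond the session
 */
function auth_setCookie($user, $pass, $sticky)
{
    global $conf;
    global $auth;
    global $USERINFO;
    $USERINFO = $auth->getUserData($user);

    // set cookie
    $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
    // 0 = session cookie; previously $time was left undefined in that case
    // and only worked because null coerces to 0
    $time = 0;
    if ($sticky) {
        $time = time() + 60 * 60 * 24 * 365; //one year
    }
    $secure = !empty($conf['securecookie']) && is_ssl();
    // the httponly argument is available from PHP 5.2.0 on (">=", not ">")
    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL, '', $secure, true);
    } else {
        setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL, '', $secure);
    }

    // set session
    $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
    $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
    $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
    $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
}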
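/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * (and the session is younger than $conf['auth_security_timeout'])
 * no further testing is done and the user is accepted.
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * Note that the cookie holds the password in a reversible form (blowfish
 * under auth_cookiesalt()), so the cookie secret and the cookie itself
 * are as sensitive as the password.
 *
 * @author  Andreas Gohr <*****@*****.**>
 *
 * @param   string  $user    Username
 * @param   string  $pass    Cleartext Password
 * @param   bool    $sticky  Cookie should not expire
 * @param   bool    $silent  Don't show error on bad auth
 * @return  bool             true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false)
{
    global $USERINFO;
    global $conf;
    global $lang;
    global $auth;
    $sticky = (bool) $sticky;

    if (!empty($user)) {
        //usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $auth->getUserData($user);

            // set cookie
            $pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
            $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
            // 0 = session cookie; previously $time was undefined when not sticky
            $time = 0;
            if ($sticky) {
                $time = time() + 60 * 60 * 24 * 365; //one year
            }
            // HttpOnly where PHP supports it (5.2.0+): the cookie carries the
            // user's (encrypted) credentials and nothing client-side needs it
            if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
                setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL, '', false, true);
            } else {
                setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);
            }

            // set session
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
            $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
            $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
            $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
            return true;
        } else {
            //invalid credentials - log off
            if (!$silent) {
                msg($lang['badlogin'], -1);
            }
            auth_logoff();
            return false;
        }
    } else {
        // read cookie information
        $raw = isset($_COOKIE[DOKU_COOKIE]) ? base64_decode($_COOKIE[DOKU_COOKIE]) : '';
        // split() no longer exists in PHP 7; explode with a limit of 3 is the
        // same operation for a literal "|", and padding replaces the
        // undefined-offset notices a short value produced
        list($user, $sticky, $pass) = array_pad(explode('|', $raw, 3), 3, '');
        if ($user && $pass) {
            // get session info
            $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;
            // we got a cookie - see if we can trust it: user, encrypted password
            // and browser id must all match the session. Strict comparisons:
            // '==' on hash-like strings treats "0e<digits>" values as equal.
            if (
                is_array($session)
                && isset($session['time'], $session['user'], $session['pass'], $session['buid'])
                && $auth->useSessionCache($user)
                && $session['time'] >= time() - $conf['auth_security_timeout']
                && (string) $session['user'] === (string) $user
                && (string) $session['pass'] === (string) $pass
                && (string) $session['buid'] === (string) auth_browseruid()
            ) {
                // he has session, cookie and browser right - let him in
                $_SERVER['REMOTE_USER'] = $user;
                $USERINFO = $session['info']; //FIXME move all references to session
                return true;
            }
            // no we don't trust it yet - recheck pass but silent
            $pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
            return auth_login($user, $pass, $sticky, true);
        }
    }
    //just to be sure
    auth_logoff();
    return false;
}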
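 /**
  * Constructor
  *
  * Heavily modified from the original auth_mysql
  * constructor written by Matthias Grimm.
  *
  * Looks for a Drupal session cookie (name "SESS" + 32 characters) among the
  * request cookies, resolves it through $conf['SQLFindSession'] and, when a
  * user name comes back, pre-fills $USERINFO, REMOTE_USER and the DokuWiki
  * session so trustExternal() can accept the user.
  *
  * @author  Alex Shepherd  <*****@*****.**>
  **/
 function auth_drupal7()
 {
     global $conf;
     $this->cnf = $conf['auth']['mysql'];
     if (method_exists($this, 'auth_basic')) {
         parent::auth_basic();
     }
     if (!function_exists('mysql_connect')) {
         if ($this->cnf['debug']) {
             msg("MySQL err: PHP MySQL extension not found.", -1, __LINE__, __FILE__);
         }
         $this->success = false;
         return;
     }
     global $USERINFO;
     $this->cando['addUser'] = false;
     $this->cando['delUser'] = false;
     $this->cando['modLogin'] = false;
     $this->cando['modGroups'] = $this->cando['modLogin'];
     $this->cando['getUsers'] = true;
     $this->cando['getUserCount'] = true;

     // Try to log user in using Drupal's session cookie. Only cookies that
     // look like a Drupal session cookie are tried; previously the session
     // query ran once per cookie, including non-Drupal ones.
     foreach ($_COOKIE as $cookie => $value) {
         if (substr($cookie, 0, 4) != 'SESS' || strlen($cookie) != 36) {
             continue;
         }
         if (!$this->_openDB()) {
             msg("Database Connection Failed. Please check your configuration.", -1, __LINE__, __FILE__);
             $this->success = false;
             break;
         }
         // The cookie value is client-controlled and was previously pasted
         // into the SQL verbatim (SQL injection). Escape it for the
         // mysql-extension connection _openDB() just opened.
         $sql = str_replace('%{sessioncookie}', mysql_real_escape_string($value), $conf['SQLFindSession']);
         $result = $this->_queryDB($sql);
         $found = $result !== false && !empty($result[0]['name']);
         if ($found) {
             $uid = $result[0]['uid'];
             $USERINFO['name'] = $result[0]['name'];
             // NOTE(review): 'mail' is filled with the name column, as before;
             // SQLFindSession may not return a mail column - verify.
             $USERINFO['mail'] = $result[0]['name'];
             $USERINFO['pass'] = '';
             $USERINFO['grps'] = array();
             // Now do groups: every column of every returned row is taken as a
             // group name. uid is cast to int so a DB value cannot carry SQL.
             $rolesql = str_replace('%{uid}', (int) $uid, $conf['SQLFindRoles']);
             $roles = $this->_queryDB($rolesql);
             if ($roles !== false) {
                 foreach ($roles as $row) {
                     foreach ($row as $role) {
                         $USERINFO['grps'][] = $role;
                     }
                 }
             }
             // Now set up session variables
             $_SERVER['REMOTE_USER'] = $result[0]['name'];
             $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name'];
             $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
             $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
         }
         // previously the successful path broke out of the loop before
         // _closeDB() and leaked the connection; always close it
         $this->_closeDB();
         if ($found) {
             break;
         }
     }

     // If DOKU_COOKIE session is ok, pass to trustExternal
     if (isset($_SESSION[DOKU_COOKIE]['auth']['user']) && $_SESSION[DOKU_COOKIE]['auth']['user'] != '') {
         $this->cando['external'] = true;
     }
 }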
 /**
  * Build a semi-secret fixed string identifying the current page and user
  *
  * Stable for one browser (auth_browseruid()), one page ($ID) and one
  * revision (mtime of the page file); auth_cookiesalt() is mixed in,
  * presumably so the value is not derivable from public data alone. There is
  * no time component, so it stays the same for as long as the revision does.
  *
  * @return string
  */
 function _fixedIdent()
 {
     global $ID;
     $pageFile = wikiFN($ID);
     $revision = @filemtime($pageFile); // false (-> '') when the page does not exist yet
     return implode('', array(auth_browseruid(), auth_cookiesalt(), $ID, $revision));
 }