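/**
 * Anonymize the client address before DokuWiki records it.
 *
 * Replaces $_SERVER['REMOTE_ADDR'] (and the proxy headers DokuWiki may consult)
 * with a pseudo link-local IPv6 address derived from a hash, so the real
 * address does not reach $INFO['client'] or anything reading REMOTE_ADDR later.
 *
 * @param Doku_Event $event DOKUWIKI_STARTED event (unused)
 * @param mixed      $param handler parameter (unused)
 */
public function handle_dokuwiki_started(Doku_Event &$event, $param) {
    $remote = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    if ($remote === '127.0.0.1') {
        // the webserver already anonymized the address: fall back to the
        // session ID as the per-visitor identifier
        $ses = session_id();
        if (!$ses) {
            // no session running: use an unpredictable value; mt_rand() stays
            // only as a fallback where random_int() is not available
            $ses = function_exists('random_int')
                ? (string) random_int(0, PHP_INT_MAX)
                : (string) mt_rand();
        }
        $uid = md5($ses);
    } else {
        // use IP + browser data
        $uid = md5(auth_browseruid());
    }

    // build pseudo IPv6 (link-local) address: 'fe80' plus seven groups of
    // four hex digits taken from the hash
    $ip = 'fe80:' . implode(':', str_split(substr($uid, 0, 28), 4));

    // reset server variables so nothing downstream sees the real address
    $_SERVER['REMOTE_ADDR'] = $ip;
    unset($_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_X_REAL_IP']);

    // reset dokuwiki INFO variable for anonymous visitors
    global $INFO;
    if (empty($_SERVER['REMOTE_USER'])) {
        $INFO['client'] = $ip;
    }
}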
/**
 * Regression test to ensure a stable browser ID on IE9.
 *
 * IE9 sends a different HTTP_ACCEPT_LANGUAGE header on ajax requests; this
 * must not change the value returned by auth_browseruid().
 */
function testIE9JsVsDefault() {
    $ie9Agent = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)';
    $encoding = 'gzip, deflate';

    // javascript request: short language tag, no charset header
    $_SERVER['HTTP_USER_AGENT'] = $ie9Agent;
    $_SERVER['HTTP_ACCEPT_ENCODING'] = $encoding;
    $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de';
    unset($_SERVER['HTTP_ACCEPT_CHARSET']);
    $javascriptId = auth_browseruid();

    // default request: full language tag
    $_SERVER['HTTP_USER_AGENT'] = $ie9Agent;
    $_SERVER['HTTP_ACCEPT_ENCODING'] = $encoding;
    $_SERVER['HTTP_ACCEPT_LANGUAGE'] = 'de-DE';
    $normalId = auth_browseruid();

    $this->assertEquals($normalId, $javascriptId);
}
/**
 * Set the authentication cookie and add user identification data to the session
 *
 * @param string $user   username
 * @param string $pass   encrypted password
 * @param bool   $sticky whether or not the cookie will last beyond the session
 * @return bool false when no auth backend is available, true otherwise
 */
function auth_setCookie($user, $pass, $sticky) {
    global $conf;
    /* @var auth_basic $auth */
    global $auth;
    global $USERINFO;

    if (!$auth) {
        return false;
    }
    $USERINFO = $auth->getUserData($user);

    // cookie payload: user|sticky|pass with user and pass base64 encoded
    $parts = array(base64_encode($user), (int) $sticky, base64_encode($pass));
    $cookie = implode('|', $parts);
    $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
    $secure = $conf['securecookie'] && is_ssl();

    // sticky cookies live one year, others end with the browser session
    $expires = 0;
    if ($sticky) {
        $expires = time() + 60 * 60 * 24 * 365;
    }

    if (version_compare(PHP_VERSION, '5.2.0', '>')) {
        // the httponly flag is only available from PHP 5.2 on
        setcookie(DOKU_COOKIE, $cookie, $expires, $cookieDir, '', $secure, true);
    } else {
        setcookie(DOKU_COOKIE, $cookie, $expires, $cookieDir, '', $secure);
    }

    // the session keeps what is needed to revalidate the cookie later;
    // only a hash of the password is stored
    $authData = array(
        'user' => $user,
        'pass' => sha1($pass),
        'buid' => auth_browseruid(),
        'info' => $USERINFO,
        'time' => time(),
    );
    foreach ($authData as $key => $value) {
        $_SESSION[DOKU_COOKIE]['auth'][$key] = $value;
    }
    return true;
}
/**
 * Build a semi-secret fixed string identifying the current page and user
 *
 * The string is stable for the current user while editing the same page
 * revision, but only within one calendar day. An edit started before midnight
 * and saved after it fails the CAPTCHA once; that is the price for making the
 * value non-reusable, which matters most for the registration form where $ID
 * usually won't change.
 *
 * @return string
 */
public function _fixedIdent() {
    global $ID;
    // revision marker: mtime of the page file (false when it does not exist yet)
    $revision = @filemtime(wikiFN($ID));
    $today = date('Y-m-d');
    $parts = array(auth_browseruid(), auth_cookiesalt(), $ID, $revision, $today);
    return implode('', $parts);
}
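/**
 * Save user data to the session and (optionally) the persistent auth cookie
 *
 * The cleartext password is kept in the session and, when "remember" was
 * requested, inside an encrypted cookie — presumably so a later LDAP bind can
 * reuse it; confirm against the callers before changing that.
 *
 * @param string $user username; an empty value logs the user out
 * @param string $pass cleartext password
 * @param string $dn   LDAP bind DN
 */
function set_session($user, $pass, $dn) {
    $_SESSION['ldapab']['username'] = $user;
    $_SESSION['ldapab']['binddn'] = $dn;
    $_SESSION['ldapab']['password'] = $pass;
    $_SESSION['ldapab']['browserid'] = auth_browseruid();

    // (re)set the persistent auth cookie; one year lifetime
    $expires = time() + 60 * 60 * 24 * 365;
    if ((string) $user === '') {
        // an empty value makes PHP send a deletion cookie regardless of expiry
        setcookie('ldapabauth', '', $expires);
    } elseif (!empty($_REQUEST['remember'])) {
        $cookie = serialize(array($user, $pass));
        $cookie = x_Encrypt($cookie, get_cookie_secret());
        $cookie = base64_encode($cookie);
        setcookie('ldapabauth', $cookie, $expires);
    }
}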
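/**
 * Do all authentication [ OPTIONAL ]
 *
 * Set $this->cando['external'] = true when implemented
 *
 * If this function is implemented it will be used to
 * authenticate a user - all other DokuWiki internals
 * will not be used for authenticating, thus
 * implementing the checkPass() function is not needed
 * anymore.
 *
 * The function can be used to authenticate against third
 * party cookies or Apache auth mechanisms and replaces
 * the auth_login() function
 *
 * The function will be called with or without a set
 * username. If the Username is given it was called
 * from the login form and the given credentials might
 * need to be checked. If no username was given
 * the function needs to check if the user is logged in
 * by other means (cookie, environment).
 *
 * The function needs to set some globals needed by
 * DokuWiki like auth_login() does.
 *
 * The UCenter cookie carries "uid\tpassword\tusername"; the same three
 * fields are compared against the DokuWiki session on later requests.
 *
 * @see auth_login()
 *
 * @param string $user   Username
 * @param string $pass   Cleartext Password
 * @param bool   $sticky Cookie should not expire
 * @param bool   $silent Don't show error on bad auth
 * @return bool true on successful auth
 */
function trustExternal($user, $pass, $sticky = false, $silent = false) {
    global $USERINFO;
    global $lang;

    $uid = '';
    $username = '';
    $password = '';
    $user_info = array();
    $checked = false;

    if (!empty($user)) {
        // login form: verify the credentials against UCenter
        list($uid, $username, $password) = $this->_uc_user_login($user, $pass);
        // drop any stale UCenter cookie before deciding
        setcookie($this->cnf['cookie'], '', -86400);

        if ($uid > 0) {
            $_SERVER['REMOTE_USER'] = $username;
            $user_info = $this->_uc_get_user_full($uid, 1);
            $this->_uc_setcookie(
                $this->cnf['cookie'],
                uc_authcode($uid . "\t" . $user_info['password'] . "\t" . $this->_convert_charset($username), 'ENCODE')
            );
            // synchronised-login snippet for the other UCenter apps; msg()
            // keeps it in the session so it survives the page refresh
            $synlogin = uc_user_synlogin($uid);
            msg($synlogin, 0);
            $checked = true;
        } elseif (!$silent) {
            // -1 from UCenter means unknown or deleted user; anything else is
            // reported as a generic bad login
            $msg = ((int) $uid === -1) ? '用户名不存在或者被删除' : $lang['badlogin'];
            msg($msg, -1);
        }
    } else {
        $cookie = isset($_COOKIE[$this->cnf['cookie']]) ? $_COOKIE[$this->cnf['cookie']] : '';
        if (!empty($cookie)) {
            // use password check instead of username check; pad so a truncated
            // cookie cannot trigger an undefined-offset notice
            $fields = array_pad(explode("\t", uc_authcode($cookie, 'DECODE'), 3), 3, '');
            list($uid, $password, $username) = $fields;
            $username = $this->_convert_charset($username, 0);

            if ($password && $uid && $username) {
                // get session info
                $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;
                $sessionMatches = is_array($session)
                    && isset($session['user'], $session['pass'], $session['buid'])
                    && (string) $session['user'] === (string) $username
                    && (string) $session['pass'] === (string) $password
                    && (string) $session['buid'] === (string) auth_browseruid();

                if ($sessionMatches) {
                    $user_info = $session['info'];
                    $checked = true;
                } else {
                    $user_info = $this->_uc_get_user_full($uid, 1);
                    // strict string comparison: a loose == would treat two
                    // numeric-looking hashes ("0e...") as equal
                    if (is_array($user_info)
                        && isset($user_info['uid'], $user_info['password'])
                        && (string) $uid === (string) $user_info['uid']
                        && (string) $password === (string) $user_info['password']
                    ) {
                        // he has logged in from other uc apps
                        $checked = true;
                    }
                }
            }
        }
    }

    if ($checked) {
        $_SERVER['REMOTE_USER'] = $username;
        $USERINFO = $user_info; //FIXME move all references to session
        $_SESSION[DOKU_COOKIE]['auth']['user'] = $username;
        $_SESSION[DOKU_COOKIE]['auth']['pass'] = $password;
        $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
        $_SESSION[DOKU_COOKIE]['auth']['info'] = $user_info;
        $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    }
    return $checked;
}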
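/**
 * Check that the browser ID cached in the session matches the current browser
 *
 * @param array $session cookie auth session
 *
 * @return bool false when the session carries no browser ID
 */
public function validBrowserID($session) {
    // a session without a browser ID can never be trusted
    if (!is_array($session) || !isset($session['buid'])) {
        return false;
    }
    return (string) $session['buid'] === (string) auth_browseruid();
}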
/**
 * Checks the session to see if the user is already logged in
 *
 * If not logged in, redirects to SAML provider
 *
 * @param string $user   Username (from the login form; may be empty)
 * @param string $pass   Password (unused: authentication happens at the IdP)
 * @param bool   $sticky Cookie should not expire (unused here)
 * @return bool true when a cached session or a valid SAML response logged the user in
 */
public function trustExternal($user, $pass, $sticky = false) {
    global $USERINFO;
    global $ID;
    global $ACT;
    global $conf;

    // trust session info, no need to recheck
    // NOTE(review): the browser ID is compared with a loose == and no
    // session age is checked here — confirm this is intended next to core auth_login()
    if (isset($_SESSION[DOKU_COOKIE]['auth']) && $_SESSION[DOKU_COOKIE]['auth']['buid'] == auth_browseruid() && isset($_SESSION[DOKU_COOKIE]['auth']['user'])) {
        $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user'];
        $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info'];
        return true;
    }

    if (!isset($_POST['SAMLResponse']) && ($ACT == 'login' || get_doku_pref('adfs_autologin', 0))) {
        // Initiate SAML auth request
        $authrequest = new SamlAuthRequest($this->settings);
        $url = $authrequest->create();
        $_SESSION['adfs_redirect'] = wl($ID, '', true, '&'); // remember current page
        send_redirect($url);
    } elseif (isset($_POST['SAMLResponse'])) {
        // consume SAML response
        $samlresponse = new SamlResponse($this->settings, $_POST['SAMLResponse']);
        try {
            if ($samlresponse->is_valid()) {
                // user identity and groups come from the signed assertion
                $_SERVER['REMOTE_USER'] = $samlresponse->get_attribute('login');
                $USERINFO['user'] = $_SERVER['REMOTE_USER'];
                $USERINFO['name'] = $samlresponse->get_attribute('fullname');
                $USERINFO['mail'] = $samlresponse->get_attribute('email');
                $USERINFO['grps'] = (array) $samlresponse->get_attribute('groups');
                $USERINFO['grps'][] = $conf['defaultgroup'];
                $USERINFO['grps'] = array_map(array($this, 'cleanGroup'), $USERINFO['grps']);
                $_SESSION[DOKU_COOKIE]['auth']['user'] = $_SERVER['REMOTE_USER'];
                $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
                $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid(); # cache login

                // cache user data
                // NOTE(review): the record is written under $user (the form
                // parameter), not under the 'login' attribute just read; on a
                // SAMLResponse POST $user is presumably empty — confirm intended
                $changes = array('name' => $USERINFO['name'], 'mail' => $USERINFO['mail'], 'grps' => $USERINFO['grps']);
                if ($this->triggerUserMod('modify', array($user, $changes)) === false) {
                    $this->triggerUserMod('create', array($user, "nil", $USERINFO['name'], $USERINFO['mail'], $USERINFO['grps']));
                }

                // successful login: return to the page remembered before the redirect
                if (isset($_SESSION['adfs_redirect'])) {
                    $go = $_SESSION['adfs_redirect'];
                    unset($_SESSION['adfs_redirect']);
                } else {
                    $go = wl($ID, '', true, '&');
                }
                set_doku_pref('adfs_autologin', 1);
                send_redirect($go); // decouple the history from POST
                return true;
            } else {
                $this->logOff();
                msg('The SAML response signature was invalid.', -1);
                return false;
            }
        } catch (Exception $e) {
            $this->logOff();
            msg('Invalid SAML response: ' . hsc($e->getMessage()), -1);
            return false;
        }
    }

    // no login happened
    return false;
}
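/**
 * Store the authenticated oAuth user in $USERINFO and the session
 *
 * @param array  $data    user data; 'user', 'pass' and 'grps' are read here
 * @param string $service oAuth service name, added as an extra group
 */
protected function setUserSession($data, $service) {
    global $USERINFO;

    // set up groups: the service name becomes a group, duplicates removed;
    // a missing key is treated like an empty list instead of raising a notice
    if (!isset($data['grps']) || !is_array($data['grps'])) {
        $data['grps'] = array();
    }
    $data['grps'][] = $this->cleanGroup($service);
    $data['grps'] = array_unique($data['grps']);

    $USERINFO = $data;
    $_SERVER['REMOTE_USER'] = $data['user'];

    $_SESSION[DOKU_COOKIE]['auth']['user'] = $data['user'];
    $_SESSION[DOKU_COOKIE]['auth']['pass'] = $data['pass'];
    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
    $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
    $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    $_SESSION[DOKU_COOKIE]['auth']['oauth'] = $service;
}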
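/**
 * Set the authentication cookie and add user identification data to the session
 *
 * @param string $user   username
 * @param string $pass   encrypted password
 * @param bool   $sticky whether or not the cookie will last beyond the session
 * @return bool false when no auth backend is available, true otherwise
 */
function auth_setCookie($user, $pass, $sticky) {
    global $conf;
    global $auth;
    global $USERINFO;

    if (!$auth) {
        return false;
    }
    $USERINFO = $auth->getUserData($user);

    // set cookie
    $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
    // session cookie (expiry 0) unless sticky, then one year; $time was
    // previously left undefined for non-sticky logins
    $time = 0;
    if ($sticky) {
        $time = time() + 60 * 60 * 24 * 365;
    }
    $secure = $conf['securecookie'] && is_ssl();
    if (version_compare(PHP_VERSION, '5.2.0', '>')) {
        // the httponly flag needs PHP 5.2+
        setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL, '', $secure, true);
    } else {
        setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL, '', $secure);
    }

    // set session
    $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
    $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
    $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
    $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
    $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    return true;
}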
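/**
 * This tries to login the user based on the sent auth credentials
 *
 * The authentication works like this: if a username was given
 * a new login is assumed and user/password are checked. If they
 * are correct the password is encrypted with blowfish and stored
 * together with the username in a cookie - the same info is stored
 * in the session, too. Additionally a browserID is stored in the
 * session.
 *
 * If no username was given the cookie is checked: if the username,
 * crypted password and browserID match between session and cookie
 * no further testing is done and the user is accepted
 *
 * If a cookie was found but no session info was available the
 * blowfish encrypted password from the cookie is decrypted and
 * together with username rechecked by calling this function again.
 *
 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
 * are set.
 *
 * @author Andreas Gohr <*****@*****.**>
 *
 * @param string $user   Username
 * @param string $pass   Cleartext Password
 * @param bool   $sticky Cookie should not expire
 * @param bool   $silent Don't show error on bad auth
 * @return bool true on successful auth
 */
function auth_login($user, $pass, $sticky = false, $silent = false) {
    global $USERINFO;
    global $conf;
    global $lang;
    global $auth;
    $sticky = $sticky ? true : false; // sanity check

    if (!empty($user)) {
        // usual login
        if ($auth->checkPass($user, $pass)) {
            // make logininfo globally available
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $auth->getUserData($user);

            // set cookie
            $pass = PMA_blowfish_encrypt($pass, auth_cookiesalt());
            $cookie = base64_encode("{$user}|{$sticky}|{$pass}");
            // session cookie (expiry 0) unless sticky, then one year
            $time = 0;
            if ($sticky) {
                $time = time() + 60 * 60 * 24 * 365;
            }
            setcookie(DOKU_COOKIE, $cookie, $time, DOKU_REL);

            // set session
            $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
            $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
            $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
            $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
            $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
            return true;
        }

        // invalid credentials - log off
        if (!$silent) {
            msg($lang['badlogin'], -1);
        }
        auth_logoff();
        return false;
    }

    // read cookie information; the cookie may be absent on a fresh visit
    $raw = isset($_COOKIE[DOKU_COOKIE]) ? $_COOKIE[DOKU_COOKIE] : '';
    $cookie = base64_decode($raw);
    // payload is user|sticky|pass; explode() replaces the removed split(),
    // padding keeps list() safe for a malformed cookie
    list($user, $sticky, $pass) = array_pad(explode('|', $cookie, 3), 3, '');

    // get session info
    $session = isset($_SESSION[DOKU_COOKIE]['auth']) ? $_SESSION[DOKU_COOKIE]['auth'] : null;

    if ($user && $pass) {
        // we got a cookie - see if we can trust it: the session must be
        // complete, fresh, and match user, encrypted password and browser
        $trusted = is_array($session)
            && isset($session['time'], $session['user'], $session['pass'], $session['buid'])
            && $auth->useSessionCache($user)
            && $session['time'] >= time() - $conf['auth_security_timeout']
            && (string) $session['user'] === (string) $user
            && (string) $session['pass'] === (string) $pass
            && (string) $session['buid'] === (string) auth_browseruid();

        if ($trusted) {
            // he has session, cookie and browser right - let him in
            $_SERVER['REMOTE_USER'] = $user;
            $USERINFO = $session['info']; //FIXME move all references to session
            return true;
        }

        // no we don't trust it yet - recheck pass but silent
        $pass = PMA_blowfish_decrypt($pass, auth_cookiesalt());
        return auth_login($user, $pass, $sticky, true);
    }

    // just to be sure
    auth_logoff();
    return false;
}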
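/**
 * Constructor
 *
 * Heavily modified from the original auth_mysql
 * constructor written by Matthias Grimm.
 *
 * Looks for a Drupal session cookie, resolves it to a Drupal user through the
 * configured SQL and, when found, pre-populates $USERINFO and the DokuWiki
 * session so that trustExternal() can take over.
 *
 * @author Alex Shepherd <*****@*****.**>
 **/
function auth_drupal7() {
    global $conf;
    global $USERINFO;
    $this->cnf = $conf['auth']['mysql'];

    if (method_exists($this, 'auth_basic')) {
        parent::auth_basic();
    }

    if (!function_exists('mysql_connect')) {
        if ($this->cnf['debug']) {
            msg("MySQL err: PHP MySQL extension not found.", -1, __LINE__, __FILE__);
        }
        $this->success = false;
        return;
    }

    $this->cando['addUser'] = false;
    $this->cando['delUser'] = false;
    $this->cando['modLogin'] = false;
    $this->cando['modGroups'] = $this->cando['modLogin'];
    $this->cando['getUsers'] = true;
    $this->cando['getUserCount'] = true;

    // Try to log user in using Drupal's session cookie
    foreach ($_COOKIE as $cookie => $value) {
        // Find a likely Drupal cookie: 'SESS' followed by a 32 character hash
        if (substr($cookie, 0, 4) !== 'SESS' || strlen($cookie) !== 36) {
            continue;
        }

        // The cookie value is untrusted and is spliced into SQL below: accept
        // only the characters a Drupal session ID is expected to contain
        // (URL-safe base64 or hex) and escape it once a connection exists.
        // NOTE(review): widen the pattern if your Drupal emits other IDs.
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
            continue;
        }

        if (!$this->_openDB()) {
            msg("Database Connection Failed. Please check your configuration.", -1, __LINE__, __FILE__);
            $this->success = false;
            break;
        }
        $sesscookie = mysql_real_escape_string($value);

        // Now find the session in the Drupal database
        $sql = str_replace('%{sessioncookie}', $sesscookie, $conf['SQLFindSession']);
        $result = $this->_queryDB($sql);
        if ($result === false || empty($result[0]['name'])) {
            // Could not find session data. Ignore this cookie.
            $this->_closeDB();
            continue;
        }

        $uid = $result[0]['uid'];
        $USERINFO['name'] = $result[0]['name'];
        // NOTE(review): mail is filled with the user name, as in the original
        // code; confirm whether the session query should return a mail column
        $USERINFO['mail'] = $result[0]['name'];
        $USERINFO['pass'] = '';
        $USERINFO['grps'] = array();

        // Now do groups; the uid comes from the database, not from the request
        $sql = str_replace('%{uid}', mysql_real_escape_string((string) $uid), $conf['SQLFindRoles']);
        $roles = $this->_queryDB($sql);
        if ($roles !== false) {
            foreach ($roles as $row) {
                foreach ($row as $role) {
                    $USERINFO['grps'][] = $role;
                }
            }
        }
        $this->_closeDB();

        // Now set up session variables; the name is taken from $USERINFO, the
        // roles query result must not be reused here
        $_SERVER['REMOTE_USER'] = $USERINFO['name'];
        $_SESSION[DOKU_COOKIE]['auth']['user'] = $USERINFO['name'];
        $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
        $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
        break;
    }

    // If DOKU_COOKIE session is ok, pass to trustExternal
    if (isset($_SESSION[DOKU_COOKIE]['auth']['user']) && $_SESSION[DOKU_COOKIE]['auth']['user'] !== '') {
        $this->cando['external'] = true;
    }
}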
/**
 * Build a semi-secret fixed string identifying the current page and user
 *
 * Stays the same for the current user as long as the same page revision is
 * being edited.
 *
 * @return string
 */
function _fixedIdent() {
    global $ID;
    // revision marker: mtime of the page file (false when it does not exist yet)
    $revision = @filemtime(wikiFN($ID));
    $parts = array(auth_browseruid(), auth_cookiesalt(), $ID, $revision);
    return implode('', $parts);
}