Author: Chuck Hagenbuch (chuck@horde.org)
Author: Michael Slusarz (slusarz@horde.org)
示例#1
文件: Http.php 项目: horde/horde
 /**
  * Find out if a set of login credentials are valid. Only supports
  * htpasswd files with DES passwords right now.
  *
  * @param string $userId       The userId to check.
  * @param array  $credentials  An array of login credentials. For IMAP,
  *                             this must contain a password entry.
  *
  * @throws Horde_Auth_Exception
  */
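 protected function _authenticate($userId, $credentials)
 {
     // An empty password and an unknown user raise the same REASON_BADLOGIN
     // error, so the two cases are indistinguishable to the caller.
     if (empty($credentials['password']) || empty($this->_users[$userId])) {
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }

     // The stored hash is passed as the second (salt) argument so the
     // candidate is derived with the same salt as the stored value.
     $stored = (string) $this->_users[$userId];
     $candidate = Horde_Auth::getCryptedPassword(
         $credentials['password'],
         $stored,
         $this->_params['encryption'],
         !empty($this->_params['show_encryption'])
     );

     // hash_equals() compares the two strings byte-for-byte in constant
     // time. A loose "!=" lets PHP compare numeric-looking strings (for
     // example digests of the form "0e<digits>") as numbers, which can make
     // two different hashes compare as equal.
     if (!hash_equals($stored, (string) $candidate)) {
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }
 }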
示例#2
 /**
  * Factory for ActiveSync Auth object.
  *
  * @return Horde_Core_ActiveSync_Auth
  */
 protected function _getAuth()
 {
     global $conf, $injector;

     // The regular Horde auth driver is always supplied as the base driver.
     $authParams = array(
         'base_driver' => $injector->getInstance('Horde_Core_Factory_Auth')->create()
     );

     // With the 'basic' auth type nothing else is configured.
     if ($conf['activesync']['auth']['type'] == 'basic') {
         return new Horde_Core_ActiveSync_Auth($authParams);
     }

     // Every other auth type additionally gets an X509 driver, built from
     // the configured params plus the current user and a logger, and
     // registered as the transparent driver.
     $certParams = $conf['activesync']['auth']['params'];
     $certParams['default_user'] = $GLOBALS['registry']->getAuth();
     $certParams['logger'] = $this->_injector->getInstance('Horde_Log_Logger');
     $authParams['transparent_driver'] = Horde_Auth::factory('Horde_Core_Auth_X509', $certParams);

     return new Horde_Core_ActiveSync_Auth($authParams);
 }
示例#3
文件: Bundle.php 项目: horde/horde
 /**
  * Asks for the administrator settings.
  *
  * @return string  The administrator name.
  */
 protected function _configAuth(Horde_Variables $vars)
 {
     // The configuration form is always pointed at the SQL auth driver.
     $vars->auth__driver = 'sql';
     $vars->auth__params__driverconfig = 'horde';

     // Re-prompt until both a user name and a password have been entered;
     // every other path out of the loop is a return.
     for (;;) {
         $adminName = $this->_cli->prompt('Specify a user name for the administrator account:');
         if (empty($adminName)) {
             $this->_cli->writeln($this->_cli->red('An administration user is required'));
             continue;
         }

         $adminSecret = $this->_cli->passwordPrompt('Specify a password for the administrator account:');
         if (empty($adminSecret)) {
             $this->_cli->writeln($this->_cli->red('An administrator password is required'));
             continue;
         }

         // Use the configured hashing scheme when one is set; 'ssha' is the
         // fallback.
         $db = $GLOBALS['injector']->getInstance('Horde_Db_Adapter');
         if (isset($GLOBALS['conf']['auth']['params']['encryption'])) {
             $scheme = $GLOBALS['conf']['auth']['params']['encryption'];
         } else {
             $scheme = 'ssha';
         }
         $auth = Horde_Auth::factory('sql', array('db' => $db, 'encryption' => $scheme));

         // A failed lookup aborts the whole step; the function then returns
         // null instead of a user name.
         try {
             $known = $auth->exists($adminName);
         } catch (Horde_Exception $e) {
             $this->_cli->message('An error occured while trying to list the users. Error messages:', 'cli.error');
             $this->_cli->writeln($e->getMessage());
             return;
         }

         // New accounts are created; existing ones only have their password
         // replaced after an explicit confirmation. Declining leaves the
         // account untouched and still returns its name.
         try {
             if (!$known) {
                 $auth->addUser($adminName, array('password' => $adminSecret));
             } elseif ($this->_cli->prompt('This user exists already, do you want to update his password?', array('y' => 'Yes', 'n' => 'No'), 'y') == 'y') {
                 $auth->updateUser($adminName, $adminName, array('password' => $adminSecret));
             }
         } catch (Horde_Exception $e) {
             $this->_cli->message('An error occured while adding or updating the administrator. Error messages:', 'cli.error');
             $this->_cli->writeln($e->getMessage());
             return;
         }

         return $adminName;
     }
 }
示例#4
文件: AuthImap.php 项目: horde/horde
 /**
  * Return the Horde_Auth_Imap instance that uses IMP configuration.
  *
  * @return Horde_Auth_Imap  The singleton instance.
  * @throws IMP_Exception
  */
 public function create(Horde_Injector $injector)
 {
     // NOTE(review): this global declaration rebinds $injector, so the
     // object used below is the global one rather than the argument the
     // caller passed - confirm that is intended.
     global $injector, $registry;

     // Admin settings of the current IMP IMAP configuration; without them
     // no admin-capable auth driver can be built.
     $adminConf = $injector->getInstance('IMP_Factory_Imap')->create()->config->admin;
     if (!$adminConf) {
         throw new IMP_Exception('Admin access not enabled.');
     }

     $serverParams = $registry->callByPackage('imp', 'server');
     if ($serverParams === null) {
         throw new IMP_Exception('No server parameters found.');
     }

     // Admin config key => parameter name used in the driver parameters.
     // Keys that are not listed here are not copied.
     $rename = array(
         'password' => 'admin_password',
         'user' => 'admin_user',
         'userhierarchy' => 'userhierarchy'
     );
     foreach ($adminConf as $name => $value) {
         if (!isset($rename[$name])) {
             continue;
         }
         $serverParams[$rename[$name]] = $value;
     }

     // NOTE(review): from here on the parameter array carries the admin
     // password next to the logger; make sure the parameters are never
     // dumped or logged as a whole.
     $serverParams['default_user'] = $registry->getAuth();
     $serverParams['logger'] = $injector->getInstance('Horde_Log_Logger');

     return Horde_Auth::factory('Imap', $serverParams);
 }
示例#5
文件: Sql.php 项目: horde/horde
 /**
  * Compare an encrypted password to a plaintext string to see if
  * they match.
  *
  * @param string $encrypted  The crypted password to compare against.
  * @param string $plaintext  The plaintext password to verify.
  *
  * @return boolean  True if matched, false otherwise.
  */
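 protected function _comparePasswords($encrypted, $plaintext)
 {
     // Hash the plaintext with the stored value passed as the salt argument,
     // so both strings are produced the same way.
     $candidate = Horde_Auth::getCryptedPassword(
         $plaintext,
         $encrypted,
         $this->_params['encryption'],
         $this->_params['show_encryption']
     );

     // Constant-time, byte-exact comparison. A loose "==" compares
     // numeric-looking strings (e.g. "0e<digits>" digests) as numbers and
     // can therefore accept a hash that differs from the stored one.
     return hash_equals((string) $encrypted, (string) $candidate);
 }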
示例#6
 /**
  * Logs a user view.
  *
  * @param string $id   Username
  *
  * @return boolean True if the view was logged, false if the message was already seen
  */
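 function logView($id)
 {
     // Anonymous visitors and users looking at their own profile are not
     // logged.
     if (!$GLOBALS['registry']->isAuthenticated() || Horde_Auth::getAuth() == $id) {
         return false;
     }

     // The cookie is client-controlled. Only a plain string is accepted;
     // PHP turns "name[]=x" style cookies into arrays, which must not reach
     // the string functions below.
     $viewed = '';
     if (isset($_COOKIE['folks_viewed_user']) && is_string($_COOKIE['folks_viewed_user'])) {
         $viewed = $_COOKIE['folks_viewed_user'];
     }

     /* Did we already record this user? Whole ":"-separated entries are
      * compared; a substring search would also find "bob:" inside
      * "jimbob:" and skip the log entry for the wrong user. */
     if ($viewed !== '' && in_array((string) $id, explode(':', $viewed), true)) {
         return false;
     }

     /* Remember that we have seen this user. */
     $viewed .= $id . ':';
     $_COOKIE['folks_viewed_user'] = $viewed;

     // NOTE(review): the cookie is sent without the HttpOnly flag and its
     // value grows with every newly viewed user; consider setting the flag
     // and capping the length.
     setcookie('folks_viewed_user', $viewed, $_SERVER['REQUEST_TIME'] + 22896000, $GLOBALS['conf']['cookie']['path'], $GLOBALS['conf']['cookie']['domain'], $GLOBALS['conf']['use_ssl'] == 1 ? 1 : 0);

     return $this->_logView($id);
 }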
示例#7
 /**
  * @param string $backend_key  Backend key.
  */
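 private function _changePassword($backend_key)
 {
     global $conf, $injector, $notification, $registry;

     // Check for users that cannot change their passwords. Both sides are
     // compared as strings, so a numeric-looking id can only match an
     // identical entry of the refused list.
     $refused = array_map('strval', (array) $conf['user']['refused']);
     if (in_array((string) $this->_userid, $refused, true)) {
         // The message names the affected user ($this->_userid; the
         // previously used $userid was never defined in this method).
         $notification->push(sprintf(_("You can't change password for user %s"), $this->_userid), 'horde.error');
         return;
     }

     // We must be passed the old (current) password.
     if (!isset($this->_vars->oldpassword)) {
         $notification->push(_("You must give your current password"), 'horde.warning');
         return;
     }
     if (!isset($this->_vars->newpassword0)) {
         $notification->push(_("You must give your new password"), 'horde.warning');
         return;
     }
     if (!isset($this->_vars->newpassword1)) {
         $notification->push(_("You must verify your new password"), 'horde.warning');
         return;
     }

     // Strict comparisons: with "!=" / "==" PHP compares numeric-looking
     // strings as numbers, so "1000" and "1e3" would count as the same
     // password in the two checks below.
     if ($this->_vars->newpassword0 !== $this->_vars->newpassword1) {
         $notification->push(_("Your new passwords didn't match"), 'horde.warning');
         return;
     }
     if ($this->_vars->newpassword0 === $this->_vars->oldpassword) {
         $notification->push(_("Your new password must be different from your current password"), 'horde.warning');
         return;
     }

     // Enforce the backend's password policy (an empty policy if the
     // backend defines none).
     $b_ptr = $this->_backends[$backend_key];
     try {
         Horde_Auth::checkPasswordPolicy($this->_vars->newpassword0, isset($b_ptr['policy']) ? $b_ptr['policy'] : array());
     } catch (Horde_Auth_Exception $e) {
         $notification->push($e, 'horde.warning');
         return;
     }

     // Do some simple strength tests, if enabled in the config file.
     if (!empty($conf['password']['strengthtests'])) {
         try {
             Horde_Auth::checkPasswordSimilarity($this->_vars->newpassword0, array($this->_userid, $this->_vars->oldpassword));
         } catch (Horde_Auth_Exception $e) {
             $notification->push($e, 'horde.warning');
             return;
         }
     }

     try {
         $driver = $injector->getInstance('Passwd_Factory_Driver')->create($backend_key);
     } catch (Passwd_Exception $e) {
         Horde::log($e);
         $notification->push(_("Password module is not properly configured"), 'horde.error');
         return;
     }

     try {
         $driver->changePassword($this->_userid, $this->_vars->oldpassword, $this->_vars->newpassword0);
     } catch (Exception $e) {
         // NOTE(review): the raw driver message is shown to the user;
         // confirm backends never put internal details into it.
         $notification->push(sprintf(_("Failure in changing password for %s: %s"), $b_ptr['name'], $e->getMessage()), 'horde.error');
         return;
     }

     $notification->push(sprintf(_("Password changed on %s."), $b_ptr['name']), 'horde.success');

     // NOTE(review): the hook receives both the old and the new password in
     // plaintext; hook implementations must not log or persist them.
     try {
         Horde::callHook('password_changed', array($this->_userid, $this->_vars->oldpassword, $this->_vars->newpassword0), 'passwd');
     } catch (Horde_Exception_HookNotSet $e) {
         // No hook configured: nothing to do.
     }

     // Backends flagged with 'logout' force a fresh login with the new
     // password.
     if (!empty($b_ptr['logout'])) {
         $logout_url = $registry->getLogoutUrl(array('msg' => _("Your password has been succesfully changed. You need to re-login to the system with your new password."), 'reason' => Horde_Auth::REASON_MESSAGE));
         $registry->clearAuth();
         $logout_url->redirect();
     }

     if ($this->_vars->return_to) {
         // The target is the submitted return_to value (the previously used
         // $return_to was never defined in this method).
         // NOTE(review): return_to presumably comes from the request; it
         // should be restricted to local or allow-listed URLs before the
         // redirect, otherwise this is an open redirect.
         $url = new Horde_Url($this->_vars->return_to);
         $url->redirect();
     }
 }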
示例#8
 /**
  * Salt and hash the password.
  *
  * @param string $password The password.
  *
  * @return string The salted hashed password.
  */
 protected function hashPassword($password)
 {
     // Use the server's configured hash type when there is one; 'ssha' is
     // the fallback.
     $hashType = 'ssha';
     if (isset($this->server->params['hashtype'])) {
         $hashType = $this->server->params['hashtype'];
     }

     // No salt is supplied (empty second argument) and the last argument is
     // passed as true.
     return Horde_Auth::getCryptedPassword($password, '', $hashType, true);
 }
示例#9
文件: Qmailldap.php 项目: horde/horde
 /**
  * Creates a user in the backend.
  *
  * @param array $info  The user information to save.
  *
  * @return array  The user information.
  * @throws Vilma_Exception
  */
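 protected function _createUser($info)
 {
     // Bind with appropriate dn to give update access.
     $res = ldap_bind($this->_ldap, $this->_params['ldap']['binddn'], $this->_params['ldap']['bindpw']);
     if (!$res) {
         throw new Vilma_Exception(_("Unable to bind to the LDAP server.  Check authentication credentials."));
     }

     // Prepare data.
     $entry = array();
     $entry['cn'] = $info['user_full_name'];
     // sn is not used operationally but we make an effort to be
     // something sensical.  No guarantees, though.
     // array_pop() takes its argument by reference, so the explode() result
     // has to live in a variable first.
     $nameParts = explode(' ', $info['user_full_name']);
     $entry['sn'] = array_pop($nameParts);
     $entry['mail'] = $info['user_name'] . '@' . $info['domain'];
     // uid must match mail or SMTP auth fails.
     $entry['uid'] = $entry['mail'];
     // NOTE(review): user_name and domain are concatenated into a filesystem
     // path without any check in this method; confirm the caller rejects
     // path separators and ".." in both values.
     $entry['homeDirectory'] = '/srv/vhost/mail/' . $info['domain'] . '/' . $info['user_name'];
     $entry['qmailUID'] = $entry['qmailGID'] = 8;
     $entry['objectclass'] = array('top', 'person', 'organizationalPerson', 'inetOrgPerson', 'hordePerson', 'qmailUser');
     $entry['accountstatus'] = $info['user_enabled'];
     // FIXME: Allow choice of hash
     $entry['userPassword'] = Horde_Auth::getCryptedPassword($info['password'], '', 'ssha', true);

     // Stir in any site-local custom LDAP attributes.
     try {
         $entry = Horde::callHook('getLDAPAttrs', array($entry), 'vilma');
     } catch (Horde_Exception_HookNotSet $e) {
         // No hook configured: keep the entry as built above.
     }

     // The mail value is escaped for use inside a DN, so characters such as
     // "," "=" or "+" in the address cannot change the structure of the DN
     // the entry is written to.
     $rdn = 'mail=' . ldap_escape((string) $entry['mail'], '', LDAP_ESCAPE_DN);
     $dn = $rdn . ',' . $this->_params['ldap']['basedn'];
     $res = @ldap_add($this->_ldap, $dn, $entry);
     if ($res === false) {
         throw new Vilma_Exception(sprintf(_("Error adding account to LDAP: %s"), @ldap_error($this->_ldap)));
     }

     // NOTE(review): the docblock advertises an array, but the value
     // returned here is the DN string of the new entry.
     return $dn;
 }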
示例#10
文件: Auth.php 项目: ralflang/dolcore
 /**
  * Authentication handler
  *
  * On failure, Horde_Auth_Exception should pass a message string (if any)
  * in the message field, and the Horde_Auth::REASON_* constant in the code
  * field (defaults to Horde_Auth::REASON_MESSAGE).
  *
  * @param string $userID      The userID to check.
  * @param array $credentials  An array of login credentials.
  *
  * @throws Horde_Auth_Exception
  */
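 protected function _authenticate($userID, $credentials)
 {
     $um = $this->_mappers->create('Dolcore_Rdo_UserMapper');

     // A missing password and an unknown user are both reported as a bad
     // login.
     if (!isset($credentials['password']) || $this->exists($userID) == false) {
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }

     $user = $um->findOne(array('nickname' => $userID));
     if (!$user) {
         // Defensive: the lookup produced no record for this nickname.
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }

     // NOTE(review): the salt passed here is the first two characters of
     // the submitted password, so it is derived from the secret rather than
     // random. If 'crypt' maps to traditional crypt(), the salt is kept at
     // the start of the stored hash, which would expose those two
     // characters - TODO confirm. Changing the salt would invalidate the
     // stored hashes, so this needs a migration rather than a silent edit.
     $pass = Horde_Auth::getCryptedPassword($credentials['password'], substr($credentials['password'], 0, 2), 'crypt', false);

     // Constant-time, byte-exact comparison; a loose "!=" compares
     // numeric-looking strings as numbers and can accept a wrong hash.
     if (!hash_equals((string) $user->passwort, (string) $pass)) {
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }

     return true;
 }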
示例#11
文件: Msad.php 项目: raz0rsdge/horde
 /**
  * Reset a user's password. Used for example when the user does not
  * remember the existing password.
  *
  * @param string $user_id  The user id for which to reset the password.
  *
  * @return string  The new password on success.
  * @throws Horde_Auth_Exception
  */
 public function resetPassword($user_id)
 {
     /* New random password with a '/' appended to it. */
     $newPassword = sprintf('%s/', Horde_Auth::genRandomPassword());

     /* Store it under the same user id (old and new id are identical). */
     $credentials = array('userPassword' => $newPassword);
     $this->updateUser($user_id, $user_id, $credentials);

     // The plaintext password is handed back to the caller, who is
     // responsible for delivering it to the user.
     return $newPassword;
 }
示例#12
 /**
  */
 public function authResetPassword($userId)
 {
     /* Generate the replacement password first. */
     $newPassword = Horde_Auth::genRandomPassword();

     /* base.php is loaded before the global folks driver is used to store
      * the new password. */
     require_once __DIR__ . '/base.php';
     $outcome = $GLOBALS['folks_driver']->changePassword($newPassword, $userId);

     /* The driver signals failure with a PEAR_Error return value, which is
      * converted into an auth exception. */
     if (!($outcome instanceof PEAR_Error)) {
         return $newPassword;
     }

     throw new Horde_Auth_Exception($outcome);
 }
示例#13
 /**
  * Update a set of authentication credentials.
  *
  * @param string $oldID       The old userId.
  * @param string $newID       The new userId. [NOT SUPPORTED]
  * @param array $credentials  The new credentials
  *
  * @throws Horde_Auth_Exception
  */
 public function updateUser($oldID, $newID, $credentials)
 {
     // Table and column names come from the driver parameters and are
     // written into the statement text; the password hash and the user
     // values are bound through "?" placeholders.
     $withDomain = !empty($this->_params['domain_field'])
         && $this->_params['domain_field'] != 'none';

     if ($withDomain) {
         // NOTE(review): an id without "@" leaves $domain unset here, and
         // anything after a second "@" is dropped.
         list($name, $domain) = explode('@', $oldID);
         /* Statement that also matches on the domain column. */
         $template = 'UPDATE %s SET %s = ? WHERE %s = ? and %s = ?';
         $identifiers = array(
             $this->_params['table'],
             $this->_params['password_field'],
             $this->_params['username_field'],
             $this->_params['domain_field']
         );
         $values = array($name, $domain);
     } else {
         /* Statement that matches on the user name only. */
         $template = 'UPDATE %s SET %s = ? WHERE %s = ?';
         $identifiers = array(
             $this->_params['table'],
             $this->_params['password_field'],
             $this->_params['username_field']
         );
         $values = array($oldID);
     }
     $query = vsprintf($template, $identifiers);

     // The new password hash is the first bound value in both variants.
     array_unshift($values, Horde_Auth::getCryptedPassword(
         $credentials['password'],
         '',
         $this->_params['encryption'],
         $this->_params['show_encryption']
     ));

     try {
         $this->_db->update($query, $values);
     } catch (Horde_Db_Exception $e) {
         throw new Horde_Auth_Exception($e);
     }
 }
示例#14
 /**
  * @dataProvider getCredentials
  */
 public function testGetCryptedPassword($encryption, $password, $salt, $show_encryption = false)
 {
     // The expected hash is also passed as the salt argument, so hashing
     // 'foobar' again has to reproduce it exactly. $salt is supplied by the
     // data provider but is not used here.
     $actual = Horde_Auth::getCryptedPassword('foobar', $password, $encryption, $show_encryption);

     $this->assertEquals($password, $actual);
 }
示例#15
文件: Ldap.php 项目: raz0rsdge/horde
 /**
  * Reset a user's password. Used for example when the user does not
  * remember the existing password.
  *
  * @param string $userId  The user id for which to reset the password.
  *
  * @return string  The new password on success.
  * @throws Horde_Auth_Exception
  */
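 public function resetPassword($userId)
 {
     if (!empty($this->_params['ad'])) {
         throw new Horde_Auth_Exception(__CLASS__ . ': Updating users is not supported for Active Directory.');
     }

     /* Search for the user's full DN. Horde_Ldap_Exception is the class the
      * modify() call below is guarded against, so it is handled here as
      * well; the originally named Horde_Exception_Ldap is kept so nothing
      * that was caught before escapes now. */
     try {
         $dn = $this->_ldap->findUserDN($userId);
     } catch (Horde_Ldap_Exception $e) {
         throw new Horde_Auth_Exception($e);
     } catch (Horde_Exception_Ldap $e) {
         throw new Horde_Auth_Exception($e);
     }

     /* Get a new random password. */
     $password = Horde_Auth::genRandomPassword();

     /* Hash the new password. The last argument is a real boolean now; the
      * string 'true' only worked because it is truthy. */
     $entry = array('userpassword' => Horde_Auth::getCryptedPassword($password, '', $this->_params['encryption'], true));

     /* Set the lastchange field (days since the epoch) when the entry
      * already carries one. */
     $shadow = $this->_lookupShadow($dn);
     if (!empty($shadow['shadowlastchange'])) {
         $entry['shadowlastchange'] = floor(time() / 86400);
     }

     /* Update user entry. */
     try {
         $this->_ldap->modify($dn, array('replace' => $entry));
     } catch (Horde_Ldap_Exception $e) {
         throw new Horde_Auth_Exception($e);
     }

     /* The plaintext password is returned so the caller can deliver it. */
     return $password;
 }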
示例#16
 /**
  * Resets a user's password. Used for example when the user does not
  * remember the existing password.
  *
  * @param string $userId  The user id for which to reset the password.
  *
  * @return string  The new password on success.
  * @throws Horde_Auth_Exception
  */
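 public function resetPassword($userId)
 {
     /* Get a new random password. */
     $password = Horde_Auth::genRandomPassword();
     $hash = Horde_Auth::getCryptedPassword($password, '', $this->_params['encryption'], $this->_params['show_encryption']);

     /* Build the SQL query from the configured template. strtr() replaces
      * both placeholders in a single pass over the template. str_replace()
      * with arrays works placeholder by placeholder and would substitute
      * "\P" again inside the already inserted user id, which breaks the
      * quoting around that value. */
     $query = strtr($this->_params['query_resetpassword'], array(
         '\\L' => $this->_db->quote($userId),
         '\\P' => $this->_db->quote($hash)
     ));

     try {
         $this->_db->update($query);
     } catch (Horde_Db_Exception $e) {
         throw new Horde_Auth_Exception($e);
     }

     /* The plaintext password is returned so the caller can deliver it. */
     return $password;
 }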
示例#17
 /**
  * Encrypts a password.
  *
  * @param string $plaintext  A plaintext password.
  *
  * @return string  The encrypted password.
  */
 protected function _encryptPassword($plaintext)
 {
     // Scheme and the show-encryption setting both come from the driver
     // parameters; no salt is supplied (empty second argument).
     $scheme = $this->_params['encryption'];
     $showScheme = $this->_params['show_encryption'];

     return Horde_Auth::getCryptedPassword($plaintext, '', $scheme, $showScheme);
 }