/**
* authentication
*
* @param string $_username
* @param string $_password
*/
public function authenticate($_username, $_password)
{
$authResult = Tinebase_Auth::getInstance()->authenticate($_username, $_password);
if ($authResult->isValid()) {
$accountsController = Tinebase_User::getInstance();
try {
$account = $accountsController->getFullUserByLoginName($authResult->getIdentity());
} catch (Tinebase_Exception_NotFound $e) {
echo 'account ' . $authResult->getIdentity() . ' not found in account storage' . "\n";
exit;
}
Tinebase_Core::set('currentAccount', $account);
$ipAddress = '127.0.0.1';
$account->setLoginTime($ipAddress);
Tinebase_AccessLog::getInstance()->create(new Tinebase_Model_AccessLog(array('sessionid' => 'cli call', 'login_name' => $authResult->getIdentity(), 'ip' => $ipAddress, 'li' => Tinebase_DateTime::now()->get(Tinebase_Record_Abstract::ISO8601LONG), 'lo' => Tinebase_DateTime::now()->get(Tinebase_Record_Abstract::ISO8601LONG), 'result' => $authResult->getCode(), 'account_id' => Tinebase_Core::getUser()->getId(), 'clienttype' => 'TineCli')));
} else {
echo "Wrong username and/or password.\n";
exit;
}
}
/**
* factory function to return a selected authentication backend class
*
* @param string $type
* @return Tinebase_Auth_Interface
* @throws Tinebase_Exception_InvalidArgument
*/
public static function factory($_type)
{
switch ($_type) {
case Tinebase_Auth::LDAP:
$options = array('ldap' => Tinebase_Auth::getBackendConfiguration());
//only pass ldap options without e.g. sql options
$instance = new Tinebase_Auth_Ldap($options);
break;
case Tinebase_Auth::SQL:
$instance = new Tinebase_Auth_Sql(Tinebase_Core::getDb(), SQL_TABLE_PREFIX . 'accounts', 'login_name', 'password', 'MD5(?)');
break;
case Tinebase_Auth::IMAP:
$options = array(Tinebase_Auth::getBackendConfiguration());
$instance = new Tinebase_Auth_Imap($options);
break;
default:
throw new Tinebase_Exception_InvalidArgument('Unknown authentication backend');
break;
}
return $instance;
}
/**
* Getter for {@see $_backendConfiguration}
*
* @param boolean $_getConfiguredBackend
* @return mixed [If {@param $_key} is set then only the specified option is returned, otherwise the whole options hash]
*/
public static function getBackendConfiguration($_key = null, $_default = null)
{
//lazy loading for $_backendConfiguration
if (!isset(self::$_backendConfiguration)) {
if (Tinebase_Application::getInstance()->isInstalled('Tinebase')) {
$rawBackendConfiguration = Tinebase_Config::getInstance()->get(Tinebase_Config::AUTHENTICATIONBACKEND, new Tinebase_Config_Struct())->toArray();
} else {
$rawBackendConfiguration = array();
}
self::$_backendConfiguration = is_array($rawBackendConfiguration) ? $rawBackendConfiguration : Zend_Json::decode($rawBackendConfiguration);
if (!empty(self::$_backendConfiguration['password'])) {
Tinebase_Core::getLogger()->getFormatter()->addReplacement(self::$_backendConfiguration['password']);
}
}
if (isset($_key)) {
return isset(self::$_backendConfiguration[$_key]) || array_key_exists($_key, self::$_backendConfiguration) ? self::$_backendConfiguration[$_key] : $_default;
} else {
return self::$_backendConfiguration;
}
}
/**
* @return string The short account domain name
*/
protected function _getAccountDomainNameShort()
{
return Tinebase_Auth::getBackendConfiguration('accountDomainNameShort', NULL);
}
/**
* send lost password mail
*
* @param string $_username
* @return bool
*
* @todo add more texts to mail views & translate mails
*/
public function sendLostPasswordMail($_username)
{
// get full user
$fullAccount = Tinebase_User::getInstance()->getFullUserByLoginName($_username);
// generate new password
$newPassword = $this->generatePassword();
// save new password in user
Tinebase_Auth::getInstance()->setPassword($_username, $newPassword, $newPassword);
// send lost password mail
$mail = new Tinebase_Mail('UTF-8');
$mail->setSubject("New password for Tine 2.0");
// get name from user
//$recipientName = $fullAccount->accountFirstName." ".$fullAccount->accountLastName;
$recipientName = $fullAccount->accountFullName;
// get email from user
$recipientEmail = $fullAccount->accountEmailAddress;
// get plain and html message from views
//-- translate text and insert correct link
$view = new Zend_View();
$view->setScriptPath(dirname(dirname(__FILE__)) . DIRECTORY_SEPARATOR . 'views');
$view->mailTextWelcome = "We generated a new password for you ...";
$view->newPassword = $newPassword;
$messagePlain = $view->render('lostpwMailPlain.php');
$mail->setBodyText($messagePlain);
$messageHtml = $view->render('lostpwMailHtml.php');
if ($messageHtml !== NULL) {
$mail->setBodyHtml($messageHtml);
}
$mail->addHeader('X-MailGenerator', 'Tine 2.0');
$mail->setFrom('*****@*****.**', 'Tine 2.0 Webmaster');
if (!empty($recipientEmail)) {
if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' send lost password email to ' . $recipientEmail);
}
$mail->addTo($recipientEmail, $recipientName);
$mail->send();
return true;
}
return false;
}
/**
* try to reset password
*/
public function testResetPassword()
{
$userArray = $this->testSaveAccount();
$this->_json->resetPassword($userArray, 'password', false);
$authResult = Tinebase_Auth::getInstance()->authenticate($this->objects['user']->accountLoginName, 'password');
$this->assertTrue($authResult->isValid());
}
/**
*
* get auth provider data
*
* @return array
*
* @todo get this from config table instead of file!
*/
protected function _getAuthProviderData()
{
$result = Tinebase_Auth::getBackendConfigurationWithDefaults(Setup_Core::get(Setup_Core::CHECKDB));
$result['backend'] = Setup_Core::get(Setup_Core::CHECKDB) ? Tinebase_Auth::getConfiguredBackend() : Tinebase_Auth::SQL;
return $result;
}
/**
* try to reset password
*
*/
public function testResetPassword()
{
$this->_json->resetPassword($this->objects['user']->toArray(), 'password', FALSE);
$authResult = Tinebase_Auth::getInstance()->authenticate($this->objects['user']->accountLoginName, 'password');
$this->assertTrue($authResult->isValid());
}
/**
* change user password
*
* @param string $_oldPassword
* @param string $_newPassword
* @throws Tinebase_Exception_AccessDenied
* @throws Tinebase_Exception_InvalidArgument
*/
public function changePassword($_oldPassword, $_newPassword)
{
if (!Tinebase_Config::getInstance()->get(Tinebase_Config::PASSWORD_CHANGE, TRUE)) {
throw new Tinebase_Exception_AccessDenied('Password change not allowed.');
}
$loginName = Tinebase_Core::getUser()->accountLoginName;
if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . " change password for {$loginName}");
}
if (!Tinebase_Auth::getInstance()->isValidPassword($loginName, $_oldPassword)) {
throw new Tinebase_Exception_InvalidArgument('Old password is wrong.');
}
Tinebase_User::getInstance()->setPassword(Tinebase_Core::getUser(), $_newPassword, true, false);
}
/**
* testInstallAdminAccountOptions
*/
public function testInstallAdminAccountOptions()
{
$this->_uninstallAllApplications();
$this->_uit->installApplications(array('Tinebase'), array('adminLoginName' => 'phpunit-admin', 'adminPassword' => 'phpunit-password'));
$adminUser = Tinebase_User::getInstance()->getFullUserByLoginName('phpunit-admin');
$this->assertTrue($adminUser instanceof Tinebase_Model_User);
$this->assertNull(Tinebase_Auth::getBackendConfiguration('adminLoginName'));
$this->assertNull(Tinebase_Auth::getBackendConfiguration('adminPassword'));
$this->assertNull(Tinebase_Auth::getBackendConfiguration('adminConfirmation'));
// cleanup
$this->_uninstallAllApplications();
}
/**
* change user password
*
* @param string $_oldPassword
* @param string $_newPassword
* @throws Tinebase_Exception_AccessDenied
* @throws Tinebase_Exception_InvalidArgument
*/
public function changePassword($_oldPassword, $_newPassword)
{
//error_log(print_r(Tinebase_Core::getUser()->toArray(), true));
// check config setting
if (!Tinebase_User::getBackendConfiguration('changepw', true)) {
throw new Tinebase_Exception_AccessDenied('Password change not allowed.');
}
$loginName = Tinebase_Core::getUser()->accountLoginName;
if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . " change password for {$loginName}");
}
if (!Tinebase_Auth::getInstance()->isValidPassword($loginName, $_oldPassword)) {
throw new Tinebase_Exception_InvalidArgument('Old password is wrong.');
}
Tinebase_User::getInstance()->setPassword(Tinebase_Core::getUser(), $_newPassword, true, false);
}
/**
* @see 0011366: support privacyIdea authentication
*/
public function testSecondFactor()
{
$result = Tinebase_Auth::validateSecondFactor('phil', 'phil', array('active' => true, 'provider' => 'Mock', 'url' => 'https://localhost/validate/check'));
$this->assertEquals(Tinebase_Auth::SUCCESS, $result);
}
/**
* returns TRUE if user has to change his/her password (compare sambaSAM->pwdMustChange with Tinebase_DateTime::now())
*
* TODO switch check AUTH backend?
*
* @return boolean
*/
public function mustChangePassword()
{
switch (Tinebase_User::getConfiguredBackend()) {
case Tinebase_User::ACTIVEDIRECTORY:
return $this->_sambaSamPasswordChangeNeeded();
break;
case Tinebase_User::LDAP:
return $this->_sambaSamPasswordChangeNeeded();
break;
default:
if (Tinebase_Auth::getConfiguredBackend() === Tinebase_Auth::SQL) {
return $this->_sqlPasswordChangeNeeded();
} else {
// no pw change needed for non-sql auth backends
return false;
}
break;
}
}
/**
* Getter for {@see $_backendConfiguration}
*
* @param boolean $_getConfiguredBackend
* @return mixed [If {@param $_key} is set then only the specified option is returned, otherwise the whole options hash]
*/
public static function getBackendConfiguration($_key = null, $_default = null)
{
//lazy loading for $_backendConfiguration
if (!isset(self::$_backendConfiguration)) {
if (Setup_Controller::getInstance()->isInstalled('Tinebase')) {
$rawBackendConfiguration = Tinebase_Config::getInstance()->getConfig(Tinebase_Config::AUTHENTICATIONBACKEND, null, array())->value;
} else {
$rawBackendConfiguration = array();
}
self::$_backendConfiguration = is_array($rawBackendConfiguration) ? $rawBackendConfiguration : Zend_Json::decode($rawBackendConfiguration);
}
if (isset($_key)) {
return array_key_exists($_key, self::$_backendConfiguration) ? self::$_backendConfiguration[$_key] : $_default;
} else {
return self::$_backendConfiguration;
}
}
/**
* test imap authentication
*/
public function testImapAuth()
{
// use imap config for the auth config
$imapConfig = Tinebase_Config::getInstance()->get(Tinebase_Config::IMAP, new Tinebase_Config_Struct())->toArray();
if (empty($imapConfig)) {
$this->markTestSkipped('No IMAP config found.');
}
$authConfig = array('host' => $imapConfig['host'], 'port' => $imapConfig['port'], 'ssl' => $imapConfig['ssl'], 'domain' => $imapConfig['domain']);
Tinebase_Auth::setBackendType(Tinebase_Auth::IMAP);
Tinebase_Auth::setBackendConfiguration($authConfig);
Tinebase_Auth::saveBackendConfiguration();
Tinebase_Auth::getInstance()->setBackend();
$this->assertEquals(Tinebase_Auth::IMAP, Tinebase_Auth::getConfiguredBackend());
$testCredentials = TestServer::getInstance()->getTestCredentials();
// valid authentication
$authResult = Tinebase_Auth::getInstance()->authenticate($testCredentials['username'], $testCredentials['password']);
$this->assertTrue($authResult->isValid());
// invalid authentication
$authResult = Tinebase_Auth::getInstance()->authenticate($testCredentials['username'], 'some pw');
$this->assertFalse($authResult->isValid());
$this->assertEquals(Tinebase_Auth::FAILURE_CREDENTIAL_INVALID, $authResult->getCode());
$this->assertEquals(array('Invalid credentials for user ' . $this->_getEmailAddress(), ''), $authResult->getMessages());
}
/**
* update to 2.6
* - move authentication storage configuration from config.inc.php to config db table
*
*/
public function update_5()
{
$config = Setup_Controller::getInstance()->getConfigData();
if (!empty($config['authentication'])) {
if (empty($config['authentication']['backend'])) {
$config['authentication']['backend'] = 'Sql';
}
$backendType = ucfirst($config['authentication']['backend']);
Tinebase_Auth::setBackendType($backendType);
//add default config settings
$defaultConfig = Tinebase_Auth::getBackendConfigurationDefaults($backendType);
Tinebase_Auth::setBackendConfiguration($defaultConfig);
//override default settings with config.inc.php settings
if (!empty($config['authentication'][$config['authentication']['backend']])) {
if (Tinebase_Core::isLogLevel(Zend_Log::DEBUG)) {
Tinebase_Core::getLogger()->debug(__METHOD__ . '::' . __LINE__ . ' Setting config: ' . print_r($config['authentication'][$config['authentication']['backend']], TRUE));
}
Tinebase_Auth::setBackendConfiguration($config['authentication'][$config['authentication']['backend']]);
}
Tinebase_Auth::saveBackendConfiguration();
}
$this->setApplicationVersion('Tinebase', '2.6');
}
/**
* get anonymous registry
*
* @return array
*/
protected function _getAnonymousRegistryData()
{
$locale = Tinebase_Core::get('locale');
$tbFrontendHttp = new Tinebase_Frontend_Http();
// default credentials
if (isset(Tinebase_Core::getConfig()->login)) {
$loginConfig = Tinebase_Core::getConfig()->login;
$defaultUsername = isset($loginConfig->username) ? $loginConfig->username : '';
$defaultPassword = isset($loginConfig->password) ? $loginConfig->password : '';
} else {
$defaultUsername = '';
$defaultPassword = '';
}
$symbols = Zend_Locale::getTranslationList('symbols', $locale);
$registryData = array('modSsl' => Tinebase_Auth::getConfiguredBackend() == Tinebase_Auth::MODSSL, 'serviceMap' => $tbFrontendHttp->getServiceMap(), 'locale' => array('locale' => $locale->toString(), 'language' => Zend_Locale::getTranslation($locale->getLanguage(), 'language', $locale), 'region' => Zend_Locale::getTranslation($locale->getRegion(), 'country', $locale)), 'version' => array('buildType' => TINE20_BUILDTYPE, 'codeName' => TINE20_CODENAME, 'packageString' => TINE20_PACKAGESTRING, 'releaseTime' => TINE20_RELEASETIME, 'filesHash' => TINE20_BUILDTYPE != 'DEVELOPMENT' ? $tbFrontendHttp->getJsCssHash() : null), 'defaultUsername' => $defaultUsername, 'defaultPassword' => $defaultPassword, 'denySurveys' => Tinebase_Core::getConfig()->denySurveys, 'titlePostfix' => Tinebase_Config::getInstance()->get(Tinebase_Config::PAGETITLEPOSTFIX), 'redirectUrl' => Tinebase_Config::getInstance()->get(Tinebase_Config::REDIRECTURL), 'helpUrl' => Tinebase_Core::getConfig()->helpUrl, 'maxFileUploadSize' => Tinebase_Helper::convertToBytes(ini_get('upload_max_filesize')), 'maxPostSize' => Tinebase_Helper::convertToBytes(ini_get('post_max_size')), 'thousandSeparator' => $symbols['group'], 'decimalSeparator' => $symbols['decimal'], 'filesystemAvailable' => Tinebase_Core::isFilesystemAvailable());
if (Tinebase_Core::isLogLevel(Zend_Log::TRACE)) {
Tinebase_Core::getLogger()->trace(__METHOD__ . '::' . __LINE__ . ' Anonymous registry: ' . print_r($registryData, TRUE));
}
return $registryData;
}
/**
* validate is authentication was successful, user object is available and user is not expired
*
* @param Zend_Auth_Result $authResult
* @param Tinebase_Model_AccessLog $accessLog
* @return boolean|Tinebase_Model_FullUser
*/
protected function _validateAuthResult(Zend_Auth_Result $authResult, Tinebase_Model_AccessLog $accessLog)
{
// authentication failed
if ($accessLog->result !== Tinebase_Auth::SUCCESS) {
$this->_loginFailed($authResult, $accessLog);
return false;
}
// try to retrieve user from accounts backend
$user = $this->_getLoginUser($authResult->getIdentity(), $accessLog);
if ($accessLog->result !== Tinebase_Auth::SUCCESS || !$user) {
if ($user) {
$accessLog->account_id = $user->getId();
}
$this->_loginFailed($authResult, $accessLog);
return false;
}
// check if user is expired or blocked
$this->_checkUserStatus($user, $accessLog);
if ($accessLog->result !== Tinebase_Auth::SUCCESS) {
$this->_loginFailed($authResult, $accessLog);
return false;
}
// 2nd factor
$secondFactorConfig = Tinebase_Config::getInstance()->get(Tinebase_Config::AUTHENTICATIONSECONDFACTOR);
if ($secondFactorConfig && $secondFactorConfig->active && $accessLog->clienttype === 'JSON-RPC') {
$context = $this->getRequestContext();
if (Tinebase_Auth::validateSecondFactor($user->accountLoginName, $context['otp'], $secondFactorConfig->toArray()) !== Tinebase_Auth::SUCCESS) {
$authResult = new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, $user->accountLoginName, array('Second factor authentication failed.'));
$accessLog->result = Tinebase_Auth::FAILURE;
$this->_loginFailed($authResult, $accessLog);
return false;
}
}
return $user;
}
/**
* authenticate user by username and password
*
* @param string $username the username
* @param string $password the password
* @return array
*/
public function authenticate($username, $password)
{
$authResult = Tinebase_Auth::getInstance()->authenticate($username, $password);
if ($authResult->isValid()) {
$response = array('status' => 'success', 'msg' => 'authentication succseed');
} else {
$response = array('status' => 'fail', 'msg' => 'authentication failed');
}
return $response;
}
/**
* test imap authentication
*/
public function testImapAuth()
{
// use imap config for the auth config
$imapConfig = Tinebase_Config::getInstance()->getConfigAsArray(Tinebase_Config::IMAP);
if (empty($imapConfig)) {
$this->markTestSkipped('No IMAP config found.');
}
$authConfig = array('host' => $imapConfig['host'], 'port' => $imapConfig['port'], 'ssl' => $imapConfig['ssl'], 'domain' => $imapConfig['domain']);
Tinebase_Auth::setBackendType(Tinebase_Auth::IMAP);
Tinebase_Auth::setBackendConfiguration($authConfig);
Tinebase_Auth::saveBackendConfiguration();
Tinebase_Auth::getInstance()->setBackend();
$this->assertEquals(Tinebase_Auth::IMAP, Tinebase_Auth::getConfiguredBackend());
$testConfig = Zend_Registry::get('testConfig');
// valid authentication
$authResult = Tinebase_Auth::getInstance()->authenticate($testConfig->username, $testConfig->password);
$this->assertTrue($authResult->isValid());
// invalid authentication
$authResult = Tinebase_Auth::getInstance()->authenticate($testConfig->username, 'some pw');
$this->assertFalse($authResult->isValid());
$this->assertEquals(Tinebase_Auth::FAILURE_CREDENTIAL_INVALID, $authResult->getCode());
if ($testConfig->email) {
$this->assertEquals(array('Invalid credentials for user ' . $testConfig->email, ''), $authResult->getMessages());
}
}
