source: tags/2.0.2/lib/Auth_File.inc.php @ 312

<?php
/**
 * The Auth_File:: class provides a htpasswd file implementation for
 * authentication.
 *
 * @author  Quinn Comendant <quinn@strangecode.com>
 * @version 1.2
 */
 
// Usage example:
// $auth = new Auth_File();
// $auth->setParam(array(
//     'htpasswd_file' => COMMON_BASE . '/global/site_users.htpasswd',
//     'login_timeout' => 21600,
//     'idle_timeout' => 3600,
//     'login_url' => '/login.php'
// ));

// Available encryption types for class Auth_SQL.
define('AUTH_ENCRYPT_MD5', 'md5');
define('AUTH_ENCRYPT_CRYPT', 'crypt');
define('AUTH_ENCRYPT_SHA1', 'sha1');
define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');

class Auth_File {

    var $_auth = '';
    var $_sess = '_auth_';
    var $_params = array();
    var $_default_params = array(
        
        // Full path to htpasswd file.
        'htpasswd_file' => null,

        // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
        'encryption_type' => AUTH_ENCRYPT_CRYPT,

        // The URL to the login script.
        'login_url' => '/',

        // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
        // This applies to admins and users. In seconds. 21600 seconds = 6 hours.
        'login_timeout' => 21600,

        // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
        // This applies to admins and users. In seconds. 3600 seconds = 1 hour.
        'idle_timeout' => 3600,

        // An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers.
        'trusted_networks' => array(),
    );

    // Associative array of usernames to hashed passwords.
    var $_users = array();

    /**
     * Constructs a new htpasswd authentication object.
     *
     * @access public
     *
     * @param optional array $params  A hash containing parameters.
     */
    function Auth_File($auth_name=null)
    {
        if (isset($auth_name)) {
            $this->_auth = $auth_name;
            $this->_sess .= $auth_name;
        }
        
        if (!isset($_SESSION[$this->_sess])) {
            $this->clearAuth();
        }

        // Initialize default parameters.
        $this->setParam($this->_default_params);
    }

    /**
     * Set the params of an auth object.
     *
     * @param  array $params   Array of parameter keys and value to set.
     * @return bool true on success, false on failure
     */
    function setParam($params)
    {
        if (isset($params) && is_array($params)) {
            // Merge new parameters with old overriding only those passed.
            $this->_params = array_merge($this->_params, $params);
        }
    }

    /**
     * Return the value of a parameter, if it exists.
     *
     * @access public
     * @param string $param        Which parameter to return.
     * @return mixed               Configured parameter value.
     */
    function getParam($param)
    {
        if (isset($this->_params[$param])) {
            return $this->_params[$param];
        } else {
            App::logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
            return null;
        }
    }

    /**
     * Clear any authentication tokens in the current session. A.K.A. logout.
     *
     * @access public
     */
    function clearAuth()
    {
        $_SESSION[$this->_sess] = array('authenticated' => false);
    }


    /**
     * Sets a variable into a registered auth session.
     *
     * @access public
     * @param mixed $key      Which value to set.
     * @param mixed $val      Value to set variable to.
     */
    function setVal($key, $val)
    {
        if (!isset($_SESSION[$this->_sess]['user_data'])) {
            $_SESSION[$this->_sess]['user_data'] = array();
        }
        $_SESSION[$this->_sess]['user_data'][$key] = $val;
    }

    /**
     * Returns a specified value from a registered auth session.
     *
     * @access public
     * @param mixed $key      Which value to return.
     * @param mixed $default  Value to return if key not found in user_data.
     * @return mixed          Value stored in session.
     */
    function getVal($key, $default='')
    {
        if (isset($_SESSION[$this->_sess][$key])) {
            return $_SESSION[$this->_sess][$key];
        } else if (isset($_SESSION[$this->_sess]['user_data'][$key])) {
            return $_SESSION[$this->_sess]['user_data'][$key];
        } else {
            return $default;
        }
    }
    /**
     * Find out if a set of login credentials are valid. Only supports
     * htpasswd files with DES passwords right now.
     *
     * @access public
     *
     * @param string $username      The username to check.
     * @param array $password      The password to compare to username.
     *
     * @return boolean  Whether or not the credentials are valid.
     */
    function authenticate($username, $password)
    {
        if ('' == trim($password)) {
            App::logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__);
            return false;
        }
        
        // Load users file.
        $this->_loadHTPasswdFile();

        if (!isset($this->_users[$username])) {
            App::logMsg(_("User ID provided does not exist."), LOG_INFO, __FILE__, __LINE__);
            return false;
        }

        if ($this->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) {
            App::logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__);
            return false;
        }
        
        // Authentication successful!
        return true;
    }

    /**
     * If user passes authentication create authenticated session.
     *
     * @access public
     *
     * @param string $username     The username to check.
     * @param array $password     The password to compare to username.
     *
     * @return boolean  Whether or not the credentials are valid.
     */
    function login($username, $password)
    {
        $username = strtolower(trim($username));

        $this->clearAuth();

        if (!$this->authenticate($username, $password)) {
            // No login: failed authentication!
            return false;
        }
        
        $_SESSION[$this->_sess] = array(
            'authenticated' => true,
            'username' => $username,
            'login_datetime' => date('Y-m-d H:i:s'),
            'last_access_datetime' => date('Y-m-d H:i:s'),
            'remote_ip' => getRemoteAddr()
        );

        // We're logged-in!
        return true;
    }

    /**
     * Test if user has a currently logged-in session.
     *  - authentication flag set to true
     *  - username not empty
     *  - total logged-in time is not greater than login_timeout
     *  - idle time is not greater than idle_timeout
     *  - remote address is the same as the login remote address.
     *
     * @access public
     */
    function isLoggedIn()
    {
        // Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks.
        if (isset($_SESSION[$this->_sess]['username']) && $trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
            $user_in_trusted_network = true;
            App::logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION[$this->_sess]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__);
        } else if (isset($_SESSION[$this->_sess]['username']) && preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) {
            $user_in_trusted_network = true;
            App::logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION[$this->_sess]['username']), LOG_DEBUG, __FILE__, __LINE__);
        } else {
            $user_in_trusted_network = false;
        }

        // Test login with information stored in session. Skip IP matching for users from trusted networks.
        if (isset($_SESSION[$this->_sess])
            && true === $_SESSION[$this->_sess]['authenticated']
            && !empty($_SESSION[$this->_sess]['username'])
            && strtotime($_SESSION[$this->_sess]['login_datetime']) > time() - $this->_params['login_timeout']
            && strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - $this->_params['idle_timeout']
            && ($_SESSION[$this->_sess]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network)
        ) {
            // User is authenticated!
            $_SESSION[$this->_sess]['last_access_datetime'] = date('Y-m-d H:i:s');
            return true;
        } else if (isset($_SESSION[$this->_sess]) && true === $_SESSION[$this->_sess]['authenticated']) {
            if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - 43200) {
                // Only raise message if last session is less than 12 hours old.
                App::raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);
            }

            // Log the reason for login expiration.
            $expire_reasons = array();
            if (empty($_SESSION[$this->_sess]['username'])) {
                $expire_reasons[] = 'username not found';
            }
            if (strtotime($_SESSION[$this->_sess]['login_datetime']) <= time() - $this->_params['login_timeout']) {
                $expire_reasons[] = 'login_timeout expired';
            }
            if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
                $expire_reasons[] = 'idle_timeout expired';
            }
            if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
                $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr());
            }
            App::logMsg(sprintf('User %s session expired: %s', $_SESSION[$this->_sess]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
        }

        return false;
    }

    /**
     * Redirect user to login page if they are not logged in.
     *
     * @param string $message The text description of a message to raise.
     * @param int    $type    The type of message: MSG_NOTICE,
     *                        MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
     * @param string $file    __FILE__.
     * @param string $line    __LINE__.
     * @access public
     */
    function requireLogin($message='', $type=MSG_NOTICE, $file=null, $line=null)
    {
        if (!$this->isLoggedIn()) {
            // Display message for requiring login. (RaiseMsg will ignore empty strings.)
            App::raiseMsg($message, $type, $file, $line);

            // Login scripts must have the same 'login' tag for boomerangURL verification/manipulation.
            App::setBoomerangURL(absoluteMe(), 'login');
            App::dieURL($this->_params['login_url']);
        }
    }
    
    /*
    * Reads the configured htpasswd file into the _users array.
    *
    * @access   public
    * @return   false on error, true on success.
    * @author   Quinn Comendant <quinn@strangecode.com>
    * @version  1.0
    * @since    18 Apr 2006 18:17:48
    */
    function _loadHTPasswdFile()
    {
        static $users = null;
        
        if (!file_exists($this->_params['htpasswd_file'])) {
            App::logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
            return false;
        }
        
        if (!isset($users)) {
            if (false === ($users = file($this->_params['htpasswd_file']))) {
                App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
                return false;
            }
        }

        if (is_array($users)) {
            foreach ($users as $u) {
                list($user, $pass) = explode(':', $u, 2);
                $this->_users[trim($user)] = trim($pass);
            }
            return true;
        }
        return false;
    }

    /**
     * Hash a given password according to the configured encryption
     * type.
     *
     * @param string $password              The password to encrypt.
     * @param string $encrypted_password    The currently encrypted password to use as salt, if needed.
     *
     * @return string  The hashed password.
     */
    function _encrypt($password, $encrypted_password=null)
    {
        switch ($this->_params['encryption_type']) {
        case AUTH_ENCRYPT_PLAINTEXT :
            return $password;
            break;

        case AUTH_ENCRYPT_SHA1 :
            return sha1($password);
            break;

        case AUTH_ENCRYPT_MD5 :
            return md5($password);
            break;

        case AUTH_ENCRYPT_CRYPT :
        default :
            return crypt($password, $encrypted_password);
            break;
        }
    }

} // end class
?>