Context Navigation

← Previous Revision
Next Revision →
Normal
Revision Log

Auth_File.inc.php

Last change on this file was 690, checked in by anonymous, 5 years ago
Remove App's 'ssl_domain' and 'ssl_enabled' parameters; determine SSL usage by detecting the presence of HTTPS env var (or HTTP_X_FORWARDED_PROTO). Update Session parameters for greater logevity and security. Add 'session_dir' to store site-specific sess_* files with a longer gc_maxlifetime duration.
File size: 14.4 KB

Rev	Line
[1]	1	<?php
	2	/**
[362]	3	* The Strangecode Codebase - a general application development framework for PHP
	4	* For details visit the project site: <http://trac.strangecode.com/codebase/>
[396]	5	* Copyright 2001-2012 Strangecode, LLC
[468]	6	*
[362]	7	* This file is part of The Strangecode Codebase.
	8	*
	9	* The Strangecode Codebase is free software: you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as published by the
	11	* Free Software Foundation, either version 3 of the License, or (at your option)
	12	* any later version.
[468]	13	*
[362]	14	* The Strangecode Codebase is distributed in the hope that it will be useful, but
	15	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	16	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
	17	* details.
[468]	18	*
[362]	19	* You should have received a copy of the GNU General Public License along with
	20	* The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
	21	*/
	22
[468]	23	/*
[136]	24	* Auth_File.inc.php
	25	*
	26	* The Auth_File class provides a htpasswd file implementation for
[1]	27	* authentication.
	28	*
	29	* @author Quinn Comendant <quinn@strangecode.com>
[103]	30	* @version 1.2
[1]	31	*/
[468]	32
[103]	33	// Usage example:
	34	// $auth = new Auth_File();
	35	// $auth->setParam(array(
	36	// 'htpasswd_file' => COMMON_BASE . '/global/site_users.htpasswd',
	37	// 'login_timeout' => 21600,
	38	// 'idle_timeout' => 3600,
	39	// 'login_url' => '/login.php'
	40	// ));
[65]	41
[502]	42	class Auth_File
	43	{
[65]	44
[468]	45	// Available encryption types for class Auth_File.
	46	const ENCRYPT_MD5 = 'md5';
	47	const ENCRYPT_CRYPT = 'crypt';
	48	const ENCRYPT_SHA1 = 'sha1';
	49	const ENCRYPT_PLAINTEXT = 'plaintext';
	50
[136]	51	// Namespace of this auth object.
[484]	52	protected $_ns;
[468]	53
[136]	54	// Parameters to be specified by setParam().
[484]	55	protected $_params = array();
	56	protected $_default_params = array(
[468]	57
[103]	58	// Full path to htpasswd file.
	59	'htpasswd_file' => null,
	60
[468]	61	// The type of encryption to use for passwords stored in the db_table. Use one of the self::ENCRYPT_* types specified above.
	62	'encryption_type' => self::ENCRYPT_CRYPT,
[103]	63
	64	// The URL to the login script.
	65	'login_url' => '/',
	66
	67	// The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
	68	// This applies to admins and users. In seconds. 21600 seconds = 6 hours.
	69	'login_timeout' => 21600,
	70
	71	// The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
	72	// This applies to admins and users. In seconds. 3600 seconds = 1 hour.
	73	'idle_timeout' => 3600,
	74
	75	// An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers.
	76	'trusted_networks' => array(),
[1]	77	);
[103]	78
	79	// Associative array of usernames to hashed passwords.
[484]	80	protected $_users = array();
[1]	81
[468]	82	/*
	83	* Constructs a new htpasswd authentication object.
	84	*
	85	* @access public
	86	*
	87	* @param optional array $params A hash containing parameters.
	88	*/
	89	public function __construct($namespace='')
[1]	90	{
[154]	91	$this->_ns = $namespace;
[1]	92
[103]	93	// Initialize default parameters.
	94	$this->setParam($this->_default_params);
[1]	95	}
	96
[468]	97	/*
	98	* Set the params of an auth object.
	99	*
	100	* @param array $params Array of parameter keys and value to set.
	101	* @return bool true on success, false on failure
	102	*/
	103	public function setParam($params)
[65]	104	{
	105	if (isset($params) && is_array($params)) {
	106	// Merge new parameters with old overriding only those passed.
	107	$this->_params = array_merge($this->_params, $params);
	108	}
	109	}
	110
[468]	111	/*
	112	* Return the value of a parameter, if it exists.
	113	*
	114	* @access public
	115	* @param string $param Which parameter to return.
	116	* @return mixed Configured parameter value.
	117	*/
	118	public function getParam($param)
[65]	119	{
[468]	120	$app = &App::getInstance();
	121
[478]	122	if (array_key_exists($param, $this->_params)) {
[65]	123	return $this->_params[$param];
	124	} else {
[146]	125	$app->logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
[65]	126	return null;
	127	}
	128	}
	129
[468]	130	/*
	131	* Clear any authentication tokens in the current session. A.K.A. logout.
	132	*
	133	* @access public
	134	*/
	135	public function clear()
[65]	136	{
[611]	137	$app =& App::getInstance();
	138
[154]	139	$_SESSION['_auth_file'][$this->_ns] = array('authenticated' => false);
[611]	140
	141	$app->logMsg(sprintf('Cleared %s auth', $this->_ns), LOG_DEBUG, __FILE__, __LINE__);
[65]	142	}
	143
[468]	144	/*
	145	* Sets a variable into a registered auth session.
	146	*
	147	* @access public
	148	* @param mixed $key Which value to set.
	149	* @param mixed $val Value to set variable to.
	150	*/
	151	public function set($key, $val)
[103]	152	{
[154]	153	if (!isset($_SESSION['_auth_file'][$this->_ns]['user_data'])) {
	154	$_SESSION['_auth_file'][$this->_ns]['user_data'] = array();
[103]	155	}
[154]	156	$_SESSION['_auth_file'][$this->_ns]['user_data'][$key] = $val;
[103]	157	}
	158
[468]	159	/*
	160	* Returns a specified value from a registered auth session.
	161	*
	162	* @access public
	163	* @param mixed $key Which value to return.
	164	* @param mixed $default Value to return if key not found in user_data.
	165	* @return mixed Value stored in session.
	166	*/
	167	public function get($key, $default='')
[103]	168	{
[154]	169	if (isset($_SESSION['_auth_file'][$this->_ns][$key])) {
	170	return $_SESSION['_auth_file'][$this->_ns][$key];
	171	} else if (isset($_SESSION['_auth_file'][$this->_ns]['user_data'][$key])) {
	172	return $_SESSION['_auth_file'][$this->_ns]['user_data'][$key];
[103]	173	} else {
	174	return $default;
	175	}
	176	}
[468]	177
	178	/*
	179	* Find out if a set of login credentials are valid. Only supports
	180	* htpasswd files with DES passwords right now.
	181	*
	182	* @access public
	183	*
	184	* @param string $username The username to check.
	185	* @param array $password The password to compare to username.
	186	*
	187	* @return boolean Whether or not the credentials are valid.
	188	*/
	189	public function authenticate($username, $password)
[1]	190	{
[468]	191	$app = &App::getInstance();
	192
[65]	193	if ('' == trim($password)) {
[136]	194	$app->logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__);
[1]	195	return false;
	196	}
[468]	197
[103]	198	// Load users file.
	199	$this->_loadHTPasswdFile();
[1]	200
[65]	201	if (!isset($this->_users[$username])) {
[136]	202	$app->logMsg(_("User ID provided does not exist."), LOG_INFO, __FILE__, __LINE__);
[1]	203	return false;
	204	}
	205
[103]	206	if ($this->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) {
[136]	207	$app->logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__);
[1]	208	return false;
	209	}
[468]	210
[103]	211	// Authentication successful!
	212	return true;
[1]	213	}
	214
[468]	215	/*
	216	* If user passes authentication create authenticated session.
	217	*
	218	* @access public
	219	*
	220	* @param string $username The username to check.
	221	* @param array $password The password to compare to username.
	222	*
	223	* @return boolean Whether or not the credentials are valid.
	224	*/
	225	public function login($username, $password)
[1]	226	{
[247]	227	$username = mb_strtolower(trim($username));
[42]	228
[149]	229	$this->clear();
[1]	230
[103]	231	if (!$this->authenticate($username, $password)) {
	232	// No login: failed authentication!
	233	return false;
[1]	234	}
[468]	235
[154]	236	$_SESSION['_auth_file'][$this->_ns] = array(
[103]	237	'authenticated' => true,
	238	'username' => $username,
	239	'login_datetime' => date('Y-m-d H:i:s'),
	240	'last_access_datetime' => date('Y-m-d H:i:s'),
	241	'remote_ip' => getRemoteAddr()
	242	);
	243
	244	// We're logged-in!
	245	return true;
[1]	246	}
	247
[468]	248	/*
	249	* Test if user has a currently logged-in session.
	250	* - authentication flag set to true
	251	* - username not empty
	252	* - total logged-in time is not greater than login_timeout
	253	* - idle time is not greater than idle_timeout
	254	* - remote address is the same as the login remote address.
	255	*
	256	* @access public
	257	*/
	258	public function isLoggedIn()
[1]	259	{
[468]	260	$app = &App::getInstance();
	261
[103]	262	// Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks.
	263	if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
	264	$user_in_trusted_network = true;
[154]	265	$app->logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION['_auth_file'][$this->_ns]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__);
[103]	266	} else {
	267	$user_in_trusted_network = false;
	268	}
	269
	270	// Test login with information stored in session. Skip IP matching for users from trusted networks.
[154]	271	if (isset($_SESSION['_auth_file'][$this->_ns])
[468]	272	&& true === $_SESSION['_auth_file'][$this->_ns]['authenticated']
	273	&& !empty($_SESSION['_auth_file'][$this->_ns]['username'])
	274	&& strtotime($_SESSION['_auth_file'][$this->_ns]['login_datetime']) > time() - $this->_params['login_timeout']
	275	&& strtotime($_SESSION['_auth_file'][$this->_ns]['last_access_datetime']) > time() - $this->_params['idle_timeout']
	276	&& ($_SESSION['_auth_file'][$this->_ns]['remote_ip'] == getRemoteAddr() \|\| $user_in_trusted_network)
[103]	277	) {
	278	// User is authenticated!
[154]	279	$_SESSION['_auth_file'][$this->_ns]['last_access_datetime'] = date('Y-m-d H:i:s');
[103]	280	return true;
[154]	281	} else if (isset($_SESSION['_auth_file'][$this->_ns]) && true === $_SESSION['_auth_file'][$this->_ns]['authenticated']) {
	282	if (strtotime($_SESSION['_auth_file'][$this->_ns]['last_access_datetime']) > time() - 43200) {
[103]	283	// Only raise message if last session is less than 12 hours old.
[136]	284	$app->raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);
[1]	285	}
[103]	286
	287	// Log the reason for login expiration.
	288	$expire_reasons = array();
[154]	289	if (empty($_SESSION['_auth_file'][$this->_ns]['username'])) {
[103]	290	$expire_reasons[] = 'username not found';
	291	}
[154]	292	if (strtotime($_SESSION['_auth_file'][$this->_ns]['login_datetime']) <= time() - $this->_params['login_timeout']) {
[103]	293	$expire_reasons[] = 'login_timeout expired';
	294	}
[154]	295	if (strtotime($_SESSION['_auth_file'][$this->_ns]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
[103]	296	$expire_reasons[] = 'idle_timeout expired';
	297	}
[154]	298	if ($_SESSION['_auth_file'][$this->_ns]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
	299	$expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION['_auth_file'][$this->_ns]['remote_ip'], getRemoteAddr());
[103]	300	}
[154]	301	$app->logMsg(sprintf('User %s session expired: %s', $_SESSION['_auth_file'][$this->_ns]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
[1]	302	}
[103]	303
[1]	304	return false;
	305	}
	306
[468]	307	/*
	308	* Redirect user to login page if they are not logged in.
	309	*
	310	* @param string $message The text description of a message to raise.
	311	* @param int $type The type of message: MSG_NOTICE,
	312	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
	313	* @param string $file __FILE__.
	314	* @param string $line __LINE__.
	315	* @access public
	316	*/
	317	public function requireLogin($message='', $type=MSG_NOTICE, $file=null, $line=null)
[66]	318	{
[468]	319	$app = &App::getInstance();
	320
[66]	321	if (!$this->isLoggedIn()) {
[103]	322	// Display message for requiring login. (RaiseMsg will ignore empty strings.)
[136]	323	$app->raiseMsg($message, $type, $file, $line);
[66]	324
	325	// Login scripts must have the same 'login' tag for boomerangURL verification/manipulation.
[690]	326	$app->setBoomerangURL(getenv('REQUEST_URI'), 'login');
[136]	327	$app->dieURL($this->_params['login_url']);
[66]	328	}
	329	}
[468]	330
	331	/*
	332	* Wrapper function for compatibility with lib/Lock.inc.php.
	333	*
	334	* @param string $username Username to return.
	335	* @return string Username, or false if none found.
	336	*/
	337	public function getUsername($username) {
[209]	338	if ('' != $username) {
	339	return $username;
	340	} else {
	341	return false;
	342	}
	343	}
	344
[103]	345	/*
	346	* Reads the configured htpasswd file into the _users array.
	347	*
	348	* @access public
	349	* @return false on error, true on success.
	350	* @author Quinn Comendant <quinn@strangecode.com>
	351	* @version 1.0
	352	* @since 18 Apr 2006 18:17:48
	353	*/
[484]	354	protected function _loadHTPasswdFile()
[103]	355	{
[468]	356	$app = &App::getInstance();
	357
[103]	358	static $users = null;
[468]	359
[103]	360	if (!file_exists($this->_params['htpasswd_file'])) {
[136]	361	$app->logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
[103]	362	return false;
	363	}
[468]	364
[103]	365	if (!isset($users)) {
	366	if (false === ($users = file($this->_params['htpasswd_file']))) {
[141]	367	$app->logMsg(sprintf('Could not read htpasswd file: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
[103]	368	return false;
	369	}
	370	}
[66]	371
[103]	372	if (is_array($users)) {
	373	foreach ($users as $u) {
	374	list($user, $pass) = explode(':', $u, 2);
	375	$this->_users[trim($user)] = trim($pass);
	376	}
	377	return true;
	378	}
	379	return false;
	380	}
	381
[468]	382	/*
	383	* Hash a given password according to the configured encryption
	384	* type.
	385	*
	386	* @param string $password The password to encrypt.
	387	* @param string $encrypted_password The currently encrypted password to use as salt, if needed.
	388	*
	389	* @return string The hashed password.
	390	*/
[484]	391	protected function _encrypt($password, $encrypted_password=null)
[1]	392	{
	393	switch ($this->_params['encryption_type']) {
[468]	394	case self::ENCRYPT_PLAINTEXT :
[65]	395	return $password;
[1]	396	break;
	397
[468]	398	case self::ENCRYPT_SHA1 :
[65]	399	return sha1($password);
	400	break;
[1]	401
[468]	402	case self::ENCRYPT_MD5 :
[65]	403	return md5($password);
[1]	404	break;
[65]	405
[468]	406	case self::ENCRYPT_CRYPT :
[42]	407	default :
[65]	408	return crypt($password, $encrypted_password);
	409	break;
[1]	410	}
	411	}
	412
[65]	413	} // end class

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: trunk/lib/Auth_File.inc.php

Download in other formats: