Context Navigation

source: trunk/lib/Auth_File.inc.php @ 103

Last change on this file since 103 was 103, checked in by scdev, 18 years ago
Q - Cleaned up Auth_File to work more like Auth_SQL, and fixed a few bugs here and there.
File size: 12.8 KB

Line
1	<?php
2	/**
3	* The Auth_File:: class provides a htpasswd file implementation for
4	* authentication.
5	*
6	* @author Quinn Comendant <quinn@strangecode.com>
7	* @version 1.2
8	*/
9
10	// Usage example:
11	// $auth = new Auth_File();
12	// $auth->setParam(array(
13	// 'htpasswd_file' => COMMON_BASE . '/global/site_users.htpasswd',
14	// 'login_timeout' => 21600,
15	// 'idle_timeout' => 3600,
16	// 'login_url' => '/login.php'
17	// ));
18
19	// Available encryption types for class Auth_SQL.
20	define('AUTH_ENCRYPT_MD5', 'md5');
21	define('AUTH_ENCRYPT_CRYPT', 'crypt');
22	define('AUTH_ENCRYPT_SHA1', 'sha1');
23	define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');
24
25	class Auth_File {
26
27	var $_auth = '';
28	var $_sess = '_auth_';
29	var $_params = array();
30	var $_default_params = array(
31
32	// Full path to htpasswd file.
33	'htpasswd_file' => null,
34
35	// The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
36	'encryption_type' => AUTH_ENCRYPT_CRYPT,
37
38	// The URL to the login script.
39	'login_url' => '/',
40
41	// The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
42	// This applies to admins and users. In seconds. 21600 seconds = 6 hours.
43	'login_timeout' => 21600,
44
45	// The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
46	// This applies to admins and users. In seconds. 3600 seconds = 1 hour.
47	'idle_timeout' => 3600,
48
49	// An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers.
50	'trusted_networks' => array(),
51	);
52
53	// Associative array of usernames to hashed passwords.
54	var $_users = array();
55
56	/**
57	* Constructs a new htpasswd authentication object.
58	*
59	* @access public
60	*
61	* @param optional array $params A hash containing parameters.
62	*/
63	function Auth_File($auth_name=null)
64	{
65	if (isset($auth_name)) {
66	$this->_auth = $auth_name;
67	$this->_sess .= $auth_name;
68	}
69
70	// Initialize default parameters.
71	$this->setParam($this->_default_params);
72	}
73
74	/**
75	* Set the params of an auth object.
76	*
77	* @param array $params Array of parameter keys and value to set.
78	* @return bool true on success, false on failure
79	*/
80	function setParam($params)
81	{
82	if (isset($params) && is_array($params)) {
83	// Merge new parameters with old overriding only those passed.
84	$this->_params = array_merge($this->_params, $params);
85	}
86	}
87
88	/**
89	* Return the value of a parameter, if it exists.
90	*
91	* @access public
92	* @param string $param Which parameter to return.
93	* @return mixed Configured parameter value.
94	*/
95	function getParam($param)
96	{
97	if (isset($this->_params[$param])) {
98	return $this->_params[$param];
99	} else {
100	App::logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
101	return null;
102	}
103	}
104
105	/**
106	* Clear any authentication tokens in the current session. A.K.A. logout.
107	*
108	* @access public
109	*/
110	function clearAuth()
111	{
112	$_SESSION[$this->_sess] = array('authenticated' => false);
113	}
114
115
116	/**
117	* Sets a variable into a registered auth session.
118	*
119	* @access public
120	* @param mixed $key Which value to set.
121	* @param mixed $val Value to set variable to.
122	*/
123	function setVal($key, $val)
124	{
125	if (!isset($_SESSION[$this->_sess]['user_data'])) {
126	$_SESSION[$this->_sess]['user_data'] = array();
127	}
128	$_SESSION[$this->_sess]['user_data'][$key] = $val;
129	}
130
131	/**
132	* Returns a specified value from a registered auth session.
133	*
134	* @access public
135	* @param mixed $key Which value to return.
136	* @param mixed $default Value to return if key not found in user_data.
137	* @return mixed Value stored in session.
138	*/
139	function getVal($key, $default='')
140	{
141	if (isset($_SESSION[$this->_sess][$key])) {
142	return $_SESSION[$this->_sess][$key];
143	} else if (isset($_SESSION[$this->_sess]['user_data'][$key])) {
144	return $_SESSION[$this->_sess]['user_data'][$key];
145	} else {
146	return $default;
147	}
148	}
149	/**
150	* Find out if a set of login credentials are valid. Only supports
151	* htpasswd files with DES passwords right now.
152	*
153	* @access public
154	*
155	* @param string $username The username to check.
156	* @param array $password The password to compare to username.
157	*
158	* @return boolean Whether or not the credentials are valid.
159	*/
160	function authenticate($username, $password)
161	{
162	if ('' == trim($password)) {
163	App::logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__);
164	return false;
165	}
166
167	// Load users file.
168	$this->_loadHTPasswdFile();
169
170	if (!isset($this->_users[$username])) {
171	App::logMsg(_("User ID provided does not exist."), LOG_INFO, __FILE__, __LINE__);
172	return false;
173	}
174
175	if ($this->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) {
176	App::logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__);
177	return false;
178	}
179
180	// Authentication successful!
181	return true;
182	}
183
184	/**
185	* If user passes authentication create authenticated session.
186	*
187	* @access public
188	*
189	* @param string $username The username to check.
190	* @param array $password The password to compare to username.
191	*
192	* @return boolean Whether or not the credentials are valid.
193	*/
194	function login($username, $password)
195	{
196	$username = strtolower(trim($username));
197
198	$this->clearAuth();
199
200	if (!$this->authenticate($username, $password)) {
201	// No login: failed authentication!
202	return false;
203	}
204
205	$_SESSION[$this->_sess] = array(
206	'authenticated' => true,
207	'username' => $username,
208	'login_datetime' => date('Y-m-d H:i:s'),
209	'last_access_datetime' => date('Y-m-d H:i:s'),
210	'remote_ip' => getRemoteAddr()
211	);
212
213	// We're logged-in!
214	return true;
215	}
216
217	/**
218	* Test if user has a currently logged-in session.
219	* - authentication flag set to true
220	* - username not empty
221	* - total logged-in time is not greater than login_timeout
222	* - idle time is not greater than idle_timeout
223	* - remote address is the same as the login remote address.
224	*
225	* @access public
226	*/
227	function isLoggedIn()
228	{
229	// Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks.
230	if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
231	$user_in_trusted_network = true;
232	App::logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION[$this->_sess]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__);
233	} else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) {
234	$user_in_trusted_network = true;
235	App::logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION[$this->_sess]['username']), LOG_DEBUG, __FILE__, __LINE__);
236	} else {
237	$user_in_trusted_network = false;
238	}
239
240	// Test login with information stored in session. Skip IP matching for users from trusted networks.
241	if (isset($_SESSION[$this->_sess])
242	&& true === $_SESSION[$this->_sess]['authenticated']
243	&& !empty($_SESSION[$this->_sess]['username'])
244	&& strtotime($_SESSION[$this->_sess]['login_datetime']) > time() - $this->_params['login_timeout']
245	&& strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - $this->_params['idle_timeout']
246	&& ($_SESSION[$this->_sess]['remote_ip'] == getRemoteAddr() \|\| $user_in_trusted_network)
247	) {
248	// User is authenticated!
249	$_SESSION[$this->_sess]['last_access_datetime'] = date('Y-m-d H:i:s');
250	return true;
251	} else if (isset($_SESSION[$this->_sess]) && true === $_SESSION[$this->_sess]['authenticated']) {
252	if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - 43200) {
253	// Only raise message if last session is less than 12 hours old.
254	App::raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);
255	}
256
257	// Log the reason for login expiration.
258	$expire_reasons = array();
259	if (empty($_SESSION[$this->_sess]['username'])) {
260	$expire_reasons[] = 'username not found';
261	}
262	if (strtotime($_SESSION[$this->_sess]['login_datetime']) <= time() - $this->_params['login_timeout']) {
263	$expire_reasons[] = 'login_timeout expired';
264	}
265	if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
266	$expire_reasons[] = 'idle_timeout expired';
267	}
268	if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
269	$expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr());
270	}
271	App::logMsg(sprintf('User %s session expired: %s', $_SESSION[$this->_sess]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
272	}
273
274	return false;
275	}
276
277	/**
278	* Redirect user to login page if they are not logged in.
279	*
280	* @param string $message The text description of a message to raise.
281	* @param int $type The type of message: MSG_NOTICE,
282	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
283	* @param string $file __FILE__.
284	* @param string $line __LINE__.
285	* @access public
286	*/
287	function requireLogin($message='', $type=MSG_NOTICE, $file=null, $line=null)
288	{
289	if (!$this->isLoggedIn()) {
290	// Display message for requiring login. (RaiseMsg will ignore empty strings.)
291	App::raiseMsg($message, $type, $file, $line);
292
293	// Login scripts must have the same 'login' tag for boomerangURL verification/manipulation.
294	App::setBoomerangURL(absoluteMe(), 'login');
295	App::dieURL($this->_params['login_url']);
296	}
297	}
298
299	/*
300	* Reads the configured htpasswd file into the _users array.
301	*
302	* @access public
303	* @return false on error, true on success.
304	* @author Quinn Comendant <quinn@strangecode.com>
305	* @version 1.0
306	* @since 18 Apr 2006 18:17:48
307	*/
308	function _loadHTPasswdFile()
309	{
310	static $users = null;
311
312	if (!file_exists($this->_params['htpasswd_file'])) {
313	App::logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
314	return false;
315	}
316
317	if (!isset($users)) {
318	if (false === ($users = file($this->_params['htpasswd_file']))) {
319	App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
320	return false;
321	}
322	}
323
324	if (is_array($users)) {
325	foreach ($users as $u) {
326	list($user, $pass) = explode(':', $u, 2);
327	$this->_users[trim($user)] = trim($pass);
328	}
329	return true;
330	}
331	return false;
332	}
333
334	/**
335	* Hash a given password according to the configured encryption
336	* type.
337	*
338	* @param string $password The password to encrypt.
339	* @param string $encrypted_password The currently encrypted password to use as salt, if needed.
340	*
341	* @return string The hashed password.
342	*/
343	function _encrypt($password, $encrypted_password=null)
344	{
345	switch ($this->_params['encryption_type']) {
346	case AUTH_ENCRYPT_PLAINTEXT :
347	return $password;
348	break;
349
350	case AUTH_ENCRYPT_SHA1 :
351	return sha1($password);
352	break;
353
354	case AUTH_ENCRYPT_MD5 :
355	return md5($password);
356	break;
357
358	case AUTH_ENCRYPT_CRYPT :
359	default :
360	return crypt($password, $encrypted_password);
361	break;
362	}
363	}
364
365	} // end class
366	?>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: