Changeset 103 for trunk/lib/Auth_File.inc.php

Timestamp:

Apr 19, 2006 3:14:28 AM (18 years ago)

Author:

scdev

Message:

Q - Cleaned up Auth_File to work more like Auth_SQL, and fixed a few bugs here and there.

File:

• trunk/lib/Auth_File.inc.php (modified) (10 diffs)

trunk/lib/Auth_File.inc.php

@@ -5 +5 @@
  *
  * @author  Quinn Comendant <quinn@strangecode.com>
- * @version 1.1
+ * @version 1.2
  */
+ 
+// Usage example:
+// $auth = new Auth_File();
+// $auth->setParam(array(
+//     'htpasswd_file' => COMMON_BASE . '/global/site_users.htpasswd',
+//     'login_timeout' => 21600,
+//     'idle_timeout' => 3600,
+//     'login_url' => '/login.php'
+// ));
 
 // Available encryption types for class Auth_SQL.
@@ -16 +25 @@
 class Auth_File {
 
-    var $_params = array(
+    var $_auth = '';
+    var $_sess = '_auth_';
+    var $_params = array();
+    var $_default_params = array(
+        
+        // Full path to htpasswd file.
+        'htpasswd_file' => null,
+
+        // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
         'encryption_type' => AUTH_ENCRYPT_CRYPT,
-        'htpasswd_file' => null,
-        'login_timeout' => 21600, // 6 hours.
-        'idle_timeout' => 3600, // 1 hour.
-        'login_url' => '/login.php',
+
+        // The URL to the login script.
+        'login_url' => '/',
+
+        // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
+        // This applies to admins and users. In seconds. 21600 seconds = 6 hours.
+        'login_timeout' => 21600,
+
+        // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
+        // This applies to admins and users. In seconds. 3600 seconds = 1 hour.
+        'idle_timeout' => 3600,
+
+        // An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers.
+        'trusted_networks' => array(),
     );
+
+    // Associative array of usernames to hashed passwords.
     var $_users = array();
 
@@ -32 +61 @@
      * @param optional array $params  A hash containing parameters.
      */
-    function Auth_File($params = array())
-    {
-        $this->_params = array_merge($this->_params, $params);
-
-        if (!empty($this->_params['htpasswd_file'])) {
-            if (false === ($users = file($this->_params['htpasswd_file']))) {
-                App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
-            }
-            if (is_array($users)) {
-                foreach ($users as $line) {
-                    list($user, $pass) = explode(':', $line, 2);
-                    $this->_users[trim($user)] = trim($pass);
-                }
-            }
-        }
+    function Auth_File($auth_name=null)
+    {
+        if (isset($auth_name)) {
+            $this->_auth = $auth_name;
+            $this->_sess .= $auth_name;
+        }
+
+        // Initialize default parameters.
+        $this->setParam($this->_default_params);
     }
 
@@ -87 +110 @@
     function clearAuth()
     {
-        $_SESSION['_auth_file'] = array('authenticated' => false);
-    }
-
+        $_SESSION[$this->_sess] = array('authenticated' => false);
+    }
+
+
+    /**
+     * Sets a variable into a registered auth session.
+     *
+     * @access public
+     * @param mixed $key      Which value to set.
+     * @param mixed $val      Value to set variable to.
+     */
+    function setVal($key, $val)
+    {
+        if (!isset($_SESSION[$this->_sess]['user_data'])) {
+            $_SESSION[$this->_sess]['user_data'] = array();
+        }
+        $_SESSION[$this->_sess]['user_data'][$key] = $val;
+    }
+
+    /**
+     * Returns a specified value from a registered auth session.
+     *
+     * @access public
+     * @param mixed $key      Which value to return.
+     * @param mixed $default  Value to return if key not found in user_data.
+     * @return mixed          Value stored in session.
+     */
+    function getVal($key, $default='')
+    {
+        if (isset($_SESSION[$this->_sess][$key])) {
+            return $_SESSION[$this->_sess][$key];
+        } else if (isset($_SESSION[$this->_sess]['user_data'][$key])) {
+            return $_SESSION[$this->_sess]['user_data'][$key];
+        } else {
+            return $default;
+        }
+    }
     /**
      * Find out if a set of login credentials are valid. Only supports
@@ -104 +161 @@
     {
         if ('' == trim($password)) {
-            App::logMsg(_("No password provided for htpasswd authentication."), LOG_INFO, __FILE__, __LINE__);
-            return false;
-        }
+            App::logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__);
+            return false;
+        }
+        
+        // Load users file.
+        $this->_loadHTPasswdFile();
 
         if (!isset($this->_users[$username])) {
@@ -113 +173 @@
         }
 
-        if ($this->_encrypt($password, $this->_users[$username]) == $this->_users[$username]) {
-            return true;
-        } else {
+        if ($this->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) {
             App::logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__);
             return false;
         }
+        
+        // Authentication successful!
+        return true;
     }
 
@@ -137 +198 @@
         $this->clearAuth();
 
-        if ($this->authenticate($username, $password)) {
-            $_SESSION['_auth_file'] = array(
-                'authenticated' => true,
-                'username' => $username,
-                'login_datetime' => date('Y-m-d H:i:s'),
-                'last_access_datetime' => date('Y-m-d H:i:s'),
-                'remote_addr' => getRemoteAddr()
-            );
-            return true;
-        }
-        return false;
+        if (!$this->authenticate($username, $password)) {
+            // No login: failed authentication!
+            return false;
+        }
+        
+        $_SESSION[$this->_sess] = array(
+            'authenticated' => true,
+            'username' => $username,
+            'login_datetime' => date('Y-m-d H:i:s'),
+            'last_access_datetime' => date('Y-m-d H:i:s'),
+            'remote_ip' => getRemoteAddr()
+        );
+
+        // We're logged-in!
+        return true;
     }
 
@@ -162 +227 @@
     function isLoggedIn()
     {
-        if (isset($_SESSION['_auth_file'])) {
-            if (true === $_SESSION['_auth_file']['authenticated']
-            && !empty($_SESSION['_auth_file']['username'])
-            && strtotime($_SESSION['_auth_file']['login_datetime']) > time() - $this->_params['login_timeout']
-            && strtotime($_SESSION['_auth_file']['last_access_datetime']) > time() - $this->_params['idle_timeout']
-            && $_SESSION['_auth_file']['remote_addr'] == getRemoteAddr()
-            ) {
-                $_SESSION['_auth_file']['last_access_datetime'] = date('Y-m-d H:i:s');
-                return true;
-            } else if (true === $_SESSION['_auth_file']['authenticated']) {
+        // Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks.
+        if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
+            $user_in_trusted_network = true;
+            App::logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION[$this->_sess]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__);
+        } else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) {
+            $user_in_trusted_network = true;
+            App::logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION[$this->_sess]['username']), LOG_DEBUG, __FILE__, __LINE__);
+        } else {
+            $user_in_trusted_network = false;
+        }
+
+        // Test login with information stored in session. Skip IP matching for users from trusted networks.
+        if (isset($_SESSION[$this->_sess])
+            && true === $_SESSION[$this->_sess]['authenticated']
+            && !empty($_SESSION[$this->_sess]['username'])
+            && strtotime($_SESSION[$this->_sess]['login_datetime']) > time() - $this->_params['login_timeout']
+            && strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - $this->_params['idle_timeout']
+            && ($_SESSION[$this->_sess]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network)
+        ) {
+            // User is authenticated!
+            $_SESSION[$this->_sess]['last_access_datetime'] = date('Y-m-d H:i:s');
+            return true;
+        } else if (isset($_SESSION[$this->_sess]) && true === $_SESSION[$this->_sess]['authenticated']) {
+            if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - 43200) {
+                // Only raise message if last session is less than 12 hours old.
                 App::raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);
-                $this->clearAuth();
-                return false;
-            }
-        }
+            }
+
+            // Log the reason for login expiration.
+            $expire_reasons = array();
+            if (empty($_SESSION[$this->_sess]['username'])) {
+                $expire_reasons[] = 'username not found';
+            }
+            if (strtotime($_SESSION[$this->_sess]['login_datetime']) <= time() - $this->_params['login_timeout']) {
+                $expire_reasons[] = 'login_timeout expired';
+            }
+            if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
+                $expire_reasons[] = 'idle_timeout expired';
+            }
+            if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
+                $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr());
+            }
+            App::logMsg(sprintf('User %s session expired: %s', $_SESSION[$this->_sess]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
+        }
+
         return false;
     }
@@ -193 +288 @@
     {
         if (!$this->isLoggedIn()) {
-            // Display message for requiring login.
+            // Display message for requiring login. (RaiseMsg will ignore empty strings.)
             App::raiseMsg($message, $type, $file, $line);
 
@@ -200 +295 @@
             App::dieURL($this->_params['login_url']);
         }
+    }
+    
+    /*
+    * Reads the configured htpasswd file into the _users array.
+    *
+    * @access   public
+    * @return   false on error, true on success.
+    * @author   Quinn Comendant <quinn@strangecode.com>
+    * @version  1.0
+    * @since    18 Apr 2006 18:17:48
+    */
+    function _loadHTPasswdFile()
+    {
+        static $users = null;
+        
+        if (!file_exists($this->_params['htpasswd_file'])) {
+            App::logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
+            return false;
+        }
+        
+        if (!isset($users)) {
+            if (false === ($users = file($this->_params['htpasswd_file']))) {
+                App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);
+                return false;
+            }
+        }
+
+        if (is_array($users)) {
+            foreach ($users as $u) {
+                list($user, $pass) = explode(':', $u, 2);
+                $this->_users[trim($user)] = trim($pass);
+            }
+            return true;
+        }
+        return false;
     }