Changeset 439 for branches/eli_branch/lib/Auth_File.inc.php
- Timestamp:
- Nov 30, 2013 7:30:44 PM (11 years ago)
- File:
-
- 1 edited
branches/eli_branch/lib/Auth_File.inc.php
r396 r439 4 4 * For details visit the project site: <http://trac.strangecode.com/codebase/> 5 5 * Copyright 2001-2012 Strangecode, LLC 6 * 6 * 7 7 * This file is part of The Strangecode Codebase. 8 8 * … … 11 11 * Free Software Foundation, either version 3 of the License, or (at your option) 12 12 * any later version. 13 * 13 * 14 14 * The Strangecode Codebase is distributed in the hope that it will be useful, but 15 15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 16 16 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 17 17 * details. 18 * 18 * 19 19 * You should have received a copy of the GNU General Public License along with 20 20 * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>. … … 30 30 * @version 1.2 31 31 */ 32 32 33 33 // Usage example: 34 34 // $auth = new Auth_File(); … … 47 47 48 48 class Auth_File { 49 49 50 50 // Namespace of this auth object. 51 var$_ns;52 51 private $_ns; 52 53 53 // Parameters to be specified by setParam(). 54 var $_params = array(); 55 var $_default_params = array( 56 57 // Full path to htpasswd file. 58 'htpasswd_file' => null, 59 60 // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above. 61 'encryption_type' => AUTH_ENCRYPT_CRYPT, 62 63 // The URL to the login script. 64 'login_url' => '/', 65 66 // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire. 67 // This applies to admins and users. In seconds. 21600 seconds = 6 hours. 68 'login_timeout' => 21600, 69 70 // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire. 71 // This applies to admins and users. In seconds. 3600 seconds = 1 hour. 72 'idle_timeout' => 3600, 73 74 // An array of IP blocks that are bypass the remote_ip comparison check. 
Useful for dynamic IPs or those behind proxy servers. 75 'trusted_networks' => array(), 76 ); 54 private $_params = array(); 55 private $_default_params = array( 56 57 // Full path to htpasswd file. 58 'htpasswd_file' => null, 59 60 // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above. 61 'encryption_type' => AUTH_ENCRYPT_CRYPT, 62 63 // The URL to the login script. 64 'login_url' => '/', 65 66 // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire. 67 // This applies to admins and users. In seconds. 21600 seconds = 6 hours. 68 'login_timeout' => 21600, 69 70 // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire. 71 // This applies to admins and users. In seconds. 3600 seconds = 1 hour. 72 'idle_timeout' => 3600, 73 74 // An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers. 75 'trusted_networks' => array(), ); 77 76 78 77 // Associative array of usernames to hashed passwords. 79 var$_users = array();78 private $_users = array(); 80 79 81 80 /** … … 86 85 * @param optional array $params A hash containing parameters. 87 86 */ 88 function Auth_File($namespace='') 89 { 90 $this->_ns = $namespace; 87 public function __construct($namespace = '') { 88 $this -> _ns = $namespace; 91 89 92 90 // Initialize default parameters. 93 $this ->setParam($this->_default_params);91 $this -> setParam($this -> _default_params); 94 92 } 95 93 … … 100 98 * @return bool true on success, false on failure 101 99 */ 102 function setParam($params) 103 { 100 public function setParam($params) { 104 101 if (isset($params) && is_array($params)) { 105 102 // Merge new parameters with old overriding only those passed. 
106 $this ->_params = array_merge($this->_params, $params);103 $this -> _params = array_merge($this -> _params, $params); 107 104 } 108 105 } … … 115 112 * @return mixed Configured parameter value. 116 113 */ 117 function getParam($param) 118 { 119 $app =& App::getInstance(); 120 121 if (isset($this->_params[$param])) { 122 return $this->_params[$param]; 114 public function getParam($param) { 115 $app = &App::getInstance(); 116 117 if (isset($this -> _params[$param])) { 118 return $this -> _params[$param]; 123 119 } else { 124 $app ->logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);120 $app -> logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__); 125 121 return null; 126 122 } … … 132 128 * @access public 133 129 */ 134 function clear() 135 { 136 $_SESSION['_auth_file'][$this->_ns] = array('authenticated' => false); 137 } 138 130 public function clear() { 131 $_SESSION['_auth_file'][$this -> _ns] = array('authenticated' => false); 132 } 139 133 140 134 /** … … 145 139 * @param mixed $val Value to set variable to. 146 140 */ 147 function set($key, $val) 148 { 149 if (!isset($_SESSION['_auth_file'][$this->_ns]['user_data'])) { 150 $_SESSION['_auth_file'][$this->_ns]['user_data'] = array(); 151 } 152 $_SESSION['_auth_file'][$this->_ns]['user_data'][$key] = $val; 141 public function set($key, $val) { 142 if (!isset($_SESSION['_auth_file'][$this -> _ns]['user_data'])) { 143 $_SESSION['_auth_file'][$this -> _ns]['user_data'] = array(); 144 } 145 $_SESSION['_auth_file'][$this -> _ns]['user_data'][$key] = $val; 153 146 } 154 147 … … 161 154 * @return mixed Value stored in session. 
162 155 */ 163 function get($key, $default='') 164 { 165 if (isset($_SESSION['_auth_file'][$this->_ns][$key])) { 166 return $_SESSION['_auth_file'][$this->_ns][$key]; 167 } else if (isset($_SESSION['_auth_file'][$this->_ns]['user_data'][$key])) { 168 return $_SESSION['_auth_file'][$this->_ns]['user_data'][$key]; 156 public function get($key, $default = '') { 157 if (isset($_SESSION['_auth_file'][$this -> _ns][$key])) { 158 return $_SESSION['_auth_file'][$this -> _ns][$key]; 159 } else if (isset($_SESSION['_auth_file'][$this -> _ns]['user_data'][$key])) { 160 return $_SESSION['_auth_file'][$this -> _ns]['user_data'][$key]; 169 161 } else { 170 162 return $default; 171 163 } 172 164 } 165 173 166 /** 174 167 * Find out if a set of login credentials are valid. Only supports … … 182 175 * @return boolean Whether or not the credentials are valid. 183 176 */ 184 function authenticate($username, $password) 185 { 186 $app =& App::getInstance(); 187 177 public function authenticate($username, $password) { 178 $app = &App::getInstance(); 179 188 180 if ('' == trim($password)) { 189 $app ->logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__);190 return false; 191 } 192 181 $app -> logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__); 182 return false; 183 } 184 193 185 // Load users file. 
194 $this ->_loadHTPasswdFile();195 196 if (!isset($this ->_users[$username])) {197 $app ->logMsg(_("User ID provided does not exist."), LOG_INFO, __FILE__, __LINE__);198 return false; 199 } 200 201 if ($this ->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) {202 $app ->logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__);203 return false; 204 } 205 186 $this -> _loadHTPasswdFile(); 187 188 if (!isset($this -> _users[$username])) { 189 $app -> logMsg(_("User ID provided does not exist."), LOG_INFO, __FILE__, __LINE__); 190 return false; 191 } 192 193 if ($this -> _encrypt($password, $this -> _users[$username]) != $this -> _users[$username]) { 194 $app -> logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__); 195 return false; 196 } 197 206 198 // Authentication successful! 207 199 return true; … … 218 210 * @return boolean Whether or not the credentials are valid. 219 211 */ 220 function login($username, $password) 221 { 212 public function login($username, $password) { 222 213 $username = mb_strtolower(trim($username)); 223 214 224 $this ->clear();225 226 if (!$this ->authenticate($username, $password)) {215 $this -> clear(); 216 217 if (!$this -> authenticate($username, $password)) { 227 218 // No login: failed authentication! 228 219 return false; 229 220 } 230 231 $_SESSION['_auth_file'][$this->_ns] = array( 232 'authenticated' => true, 233 'username' => $username, 234 'login_datetime' => date('Y-m-d H:i:s'), 235 'last_access_datetime' => date('Y-m-d H:i:s'), 236 'remote_ip' => getRemoteAddr() 237 ); 221 222 $_SESSION['_auth_file'][$this -> _ns] = array('authenticated' => true, 'username' => $username, 'login_datetime' => date('Y-m-d H:i:s'), 'last_access_datetime' => date('Y-m-d H:i:s'), 'remote_ip' => getRemoteAddr()); 238 223 239 224 // We're logged-in! 
… … 251 236 * @access public 252 237 */ 253 function isLoggedIn() 254 { 255 $app =& App::getInstance(); 256 238 public function isLoggedIn() { 239 $app = &App::getInstance(); 240 257 241 // Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks. 258 if ($trusted_net = ipInRange(getRemoteAddr(), $this ->_params['trusted_networks'])) {242 if ($trusted_net = ipInRange(getRemoteAddr(), $this -> _params['trusted_networks'])) { 259 243 $user_in_trusted_network = true; 260 $app ->logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION['_auth_file'][$this->_ns]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__);244 $app -> logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION['_auth_file'][$this -> _ns]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__); 261 245 } else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) { 262 246 $user_in_trusted_network = true; 263 $app ->logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION['_auth_file'][$this->_ns]['username']), LOG_DEBUG, __FILE__, __LINE__);247 $app -> logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION['_auth_file'][$this -> _ns]['username']), LOG_DEBUG, __FILE__, __LINE__); 264 248 } else { 265 249 $user_in_trusted_network = false; … … 267 251 268 252 // Test login with information stored in session. Skip IP matching for users from trusted networks. 
269 if (isset($_SESSION['_auth_file'][$this->_ns]) 270 && true === $_SESSION['_auth_file'][$this->_ns]['authenticated'] 271 && !empty($_SESSION['_auth_file'][$this->_ns]['username']) 272 && strtotime($_SESSION['_auth_file'][$this->_ns]['login_datetime']) > time() - $this->_params['login_timeout'] 273 && strtotime($_SESSION['_auth_file'][$this->_ns]['last_access_datetime']) > time() - $this->_params['idle_timeout'] 274 && ($_SESSION['_auth_file'][$this->_ns]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network) 275 ) { 253 if (isset($_SESSION['_auth_file'][$this -> _ns]) && true === $_SESSION['_auth_file'][$this -> _ns]['authenticated'] && !empty($_SESSION['_auth_file'][$this -> _ns]['username']) && strtotime($_SESSION['_auth_file'][$this -> _ns]['login_datetime']) > time() - $this -> _params['login_timeout'] && strtotime($_SESSION['_auth_file'][$this -> _ns]['last_access_datetime']) > time() - $this -> _params['idle_timeout'] && ($_SESSION['_auth_file'][$this -> _ns]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network)) { 276 254 // User is authenticated! 277 $_SESSION['_auth_file'][$this ->_ns]['last_access_datetime'] = date('Y-m-d H:i:s');255 $_SESSION['_auth_file'][$this -> _ns]['last_access_datetime'] = date('Y-m-d H:i:s'); 278 256 return true; 279 } else if (isset($_SESSION['_auth_file'][$this ->_ns]) && true === $_SESSION['_auth_file'][$this->_ns]['authenticated']) {280 if (strtotime($_SESSION['_auth_file'][$this ->_ns]['last_access_datetime']) > time() - 43200) {257 } else if (isset($_SESSION['_auth_file'][$this -> _ns]) && true === $_SESSION['_auth_file'][$this -> _ns]['authenticated']) { 258 if (strtotime($_SESSION['_auth_file'][$this -> _ns]['last_access_datetime']) > time() - 43200) { 281 259 // Only raise message if last session is less than 12 hours old. 282 $app ->raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__);260 $app -> raiseMsg(_("Your session has closed. 
You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__); 283 261 } 284 262 285 263 // Log the reason for login expiration. 286 264 $expire_reasons = array(); 287 if (empty($_SESSION['_auth_file'][$this ->_ns]['username'])) {265 if (empty($_SESSION['_auth_file'][$this -> _ns]['username'])) { 288 266 $expire_reasons[] = 'username not found'; 289 267 } 290 if (strtotime($_SESSION['_auth_file'][$this ->_ns]['login_datetime']) <= time() - $this->_params['login_timeout']) {268 if (strtotime($_SESSION['_auth_file'][$this -> _ns]['login_datetime']) <= time() - $this -> _params['login_timeout']) { 291 269 $expire_reasons[] = 'login_timeout expired'; 292 270 } 293 if (strtotime($_SESSION['_auth_file'][$this ->_ns]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {271 if (strtotime($_SESSION['_auth_file'][$this -> _ns]['last_access_datetime']) <= time() - $this -> _params['idle_timeout']) { 294 272 $expire_reasons[] = 'idle_timeout expired'; 295 273 } 296 if ($_SESSION['_auth_file'][$this ->_ns]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {297 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION['_auth_file'][$this ->_ns]['remote_ip'], getRemoteAddr());298 } 299 $app ->logMsg(sprintf('User %s session expired: %s', $_SESSION['_auth_file'][$this->_ns]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);274 if ($_SESSION['_auth_file'][$this -> _ns]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) { 275 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION['_auth_file'][$this -> _ns]['remote_ip'], getRemoteAddr()); 276 } 277 $app -> logMsg(sprintf('User %s session expired: %s', $_SESSION['_auth_file'][$this -> _ns]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__); 300 278 } 301 279 … … 313 291 * @access public 314 292 */ 315 function requireLogin($message='', $type=MSG_NOTICE, $file=null, $line=null) 316 { 317 $app =& App::getInstance(); 
318 319 if (!$this->isLoggedIn()) { 293 public function requireLogin($message = '', $type = MSG_NOTICE, $file = null, $line = null) { 294 $app = &App::getInstance(); 295 296 if (!$this -> isLoggedIn()) { 320 297 // Display message for requiring login. (RaiseMsg will ignore empty strings.) 321 $app ->raiseMsg($message, $type, $file, $line);298 $app -> raiseMsg($message, $type, $file, $line); 322 299 323 300 // Login scripts must have the same 'login' tag for boomerangURL verification/manipulation. 324 $app ->setBoomerangURL(absoluteMe(), 'login');325 $app ->dieURL($this->_params['login_url']);326 } 327 } 328 301 $app -> setBoomerangURL(absoluteMe(), 'login'); 302 $app -> dieURL($this -> _params['login_url']); 303 } 304 } 305 329 306 /** 330 307 * Wrapper function for compatibility with lib/Lock.inc.php. … … 333 310 * @return string Username, or false if none found. 334 311 */ 335 function getUsername($username) 336 { 312 public function getUsername($username) { 337 313 if ('' != $username) { 338 314 return $username; … … 343 319 344 320 /* 345 * Reads the configured htpasswd file into the _users array. 346 * 347 * @access public 348 * @return false on error, true on success. 349 * @author Quinn Comendant <quinn@strangecode.com> 350 * @version 1.0 351 * @since 18 Apr 2006 18:17:48 352 */ 353 function _loadHTPasswdFile() 354 { 355 $app =& App::getInstance(); 356 321 * Reads the configured htpasswd file into the _users array. 322 * 323 * @access public 324 * @return false on error, true on success. 
325 * @author Quinn Comendant <quinn@strangecode.com> 326 * @version 1.0 327 * @since 18 Apr 2006 18:17:48 328 */ 329 private function _loadHTPasswdFile() { 330 $app = &App::getInstance(); 331 357 332 static $users = null; 358 359 if (!file_exists($this ->_params['htpasswd_file'])) {360 $app ->logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);361 return false; 362 } 363 333 334 if (!file_exists($this -> _params['htpasswd_file'])) { 335 $app -> logMsg(sprintf('htpasswd file missing or not specified: %s', $this -> _params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__); 336 return false; 337 } 338 364 339 if (!isset($users)) { 365 if (false === ($users = file($this ->_params['htpasswd_file']))) {366 $app ->logMsg(sprintf('Could not read htpasswd file: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__);340 if (false === ($users = file($this -> _params['htpasswd_file']))) { 341 $app -> logMsg(sprintf('Could not read htpasswd file: %s', $this -> _params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__); 367 342 return false; 368 343 } … … 372 347 foreach ($users as $u) { 373 348 list($user, $pass) = explode(':', $u, 2); 374 $this ->_users[trim($user)] = trim($pass);349 $this -> _users[trim($user)] = trim($pass); 375 350 } 376 351 return true; … … 388 363 * @return string The hashed password. 
389 364 */ 390 function _encrypt($password, $encrypted_password=null) 391 { 365 private function _encrypt($password, $encrypted_password = null) { 392 366 switch ($this->_params['encryption_type']) { 393 case AUTH_ENCRYPT_PLAINTEXT :394 return $password;395 break;396 397 case AUTH_ENCRYPT_SHA1 :398 return sha1($password);399 break;400 401 case AUTH_ENCRYPT_MD5 :402 return md5($password);403 break;404 405 case AUTH_ENCRYPT_CRYPT :406 default :407 return crypt($password, $encrypted_password);408 break;367 case AUTH_ENCRYPT_PLAINTEXT : 368 return $password; 369 break; 370 371 case AUTH_ENCRYPT_SHA1 : 372 return sha1($password); 373 break; 374 375 case AUTH_ENCRYPT_MD5 : 376 return md5($password); 377 break; 378 379 case AUTH_ENCRYPT_CRYPT : 380 default : 381 return crypt($password, $encrypted_password); 382 break; 409 383 } 410 384 } 411 385 412 386 } // end class 413 ?>
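Review bot: The credential check in authenticate() on the new side, `if ($this -> _encrypt($password, $this -> _users[$username]) != $this -> _users[$username])`, still uses PHP's loose `!=`, which treats two numeric-looking strings (for example hex digests of the form `0e` followed only by digits, possible with the MD5 and SHA1 encryption_type options) as equal by numeric value rather than by content; the commit reworks visibility and formatting but leaves this comparison as it was. A strict comparison closes that gap, `if ($this->_encrypt($password, $this->_users[$username]) !== $this->_users[$username])`, and where the runtime provides it `hash_equals($this->_users[$username], $this->_encrypt(...))` is the idiomatic constant-time form. The same docblock fix is owed in `_loadHTPasswdFile()`: it is now `private` but its comment still says `@access public`, so that tag should become `@access private`. On style, writing `$this -> _ns` with spaces around `->` and collapsing the multi-line session array in login() and the six-clause condition in isLoggedIn() onto single lines makes both harder to read and diff than the original, and `_encrypt()` was left with the unspaced `$this->_params`, so the file is now inconsistent with itself; the conventional form is `$this->_ns` with one condition per line. The `break;` statements after each `return` in `_encrypt()` are unreachable and can be dropped.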