66 if ( ! empty($_SERVER[
'PHP_AUTH_DIGEST'])) {
69 else if ( isset($_SERVER[
'PHP_AUTH_USER']) || isset($_SERVER[
"AUTHORIZATION"]) ) {
72 else if ( isset($c->http_auth_mode) && $c->http_auth_mode ==
"Digest" ) {
87 if ( $auth_header ==
"" ) {
88 $auth_realm = $c->system_name;
89 if ( isset($c->per_principal_realm) && $c->per_principal_realm && !empty($_SERVER[
'PATH_INFO']) ) {
90 $principal_name = preg_replace(
'{^/(.*?)/.*$}',
'$1', $_SERVER[
'PATH_INFO']);
91 if ( $principal_name != $_SERVER[
'PATH_INFO'] ) {
92 $auth_realm .=
' - ' . $principal_name;
95 dbg_error_log(
"HTTPAuth",
":AuthFailedResponse Requesting authentication in the '%s' realm", $auth_realm );
96 $auth_header = sprintf(
'WWW-Authenticate: Basic realm="%s"', $auth_realm );
99 header(
'HTTP/1.1 401 Unauthorized',
true, 401 );
100 header(
'Content-type: text/plain; ; charset="utf-8"' );
101 header( $auth_header );
102 echo
'Please log in for access to this system.';
103 if ( isset($_SERVER[
'PHP_AUTH_USER']) ) {
104 dbg_error_log(
"ERROR",
"authentication failure for user '%s' from host [%s]", $_SERVER[
'PHP_AUTH_USER'], $_SERVER[
'REMOTE_ADDR'] );
106 dbg_error_log(
"HTTPAuth",
":Session: User is not authorised: %s ", $_SERVER[
'REMOTE_ADDR'] );
108 @ob_flush(); exit(0);
121 if ( !isset($_SERVER[
'AUTHORIZATION']) && isset($_SERVER[
'HTTP_AUTHORIZATION']) && !empty($_SERVER[
'HTTP_AUTHORIZATION']))
122 $_SERVER[
'AUTHORIZATION'] = $_SERVER[
'HTTP_AUTHORIZATION'];
123 if (isset($_SERVER[
'AUTHORIZATION']) && !empty($_SERVER[
'AUTHORIZATION'])) {
124 list ($type, $cred) = explode(
" ", $_SERVER[
'AUTHORIZATION']);
125 if ($type ==
'Basic') {
126 list ($user, $pass) = explode(
":", base64_decode($cred), 2);
127 $_SERVER[
'PHP_AUTH_USER'] = $user;
128 $_SERVER[
'PHP_AUTH_PW'] = $pass;
131 else if ( isset($c->authenticate_hook[
'server_auth_type'])
132 && ( ( isset($_SERVER[
"REMOTE_USER"]) && !empty($_SERVER[
"REMOTE_USER"]) ) ||
133 ( isset($_SERVER[
"REDIRECT_REMOTE_USER"]) && !empty($_SERVER[
"REDIRECT_REMOTE_USER"]) ) ) ) {
134 if ( ( is_array($c->authenticate_hook[
'server_auth_type'])
135 && in_array( strtolower($_SERVER[
'AUTH_TYPE']), array_map(
'strtolower', $c->authenticate_hook[
'server_auth_type'])) )
137 ( !is_array($c->authenticate_hook[
'server_auth_type'])
138 && strtolower($c->authenticate_hook[
'server_auth_type']) == strtolower($_SERVER[
'AUTH_TYPE']) )
143 if (isset($_SERVER[
"REMOTE_USER"]))
144 $_SERVER[
'PHP_AUTH_USER'] = $_SERVER[
'REMOTE_USER'];
146 $_SERVER[
'PHP_AUTH_USER'] = $_SERVER[
'REDIRECT_REMOTE_USER'];
147 $_SERVER[
'PHP_AUTH_PW'] =
'Externally Authenticated';
148 if ( ! isset($c->authenticate_hook[
'call']) ) {
154 $c->authenticate_hook[
'call'] =
'auth_external';
163 if ( isset($_SERVER[
'PHP_AUTH_USER']) ) {
164 if ( $p = $this->
CheckPassword( $_SERVER[
'PHP_AUTH_USER'], $_SERVER[
'PHP_AUTH_PW'] ) ) {
165 if ( isset($p->active) && !isset($p->user_active) ) {
166 trace_bug(
'Some authentication failed to return a dav_principal record and needs fixing.');
167 $p->user_active = $p->active;
174 if ( $p->user_active ) {
181 if ( isset($c->allow_unauthenticated) && $c->allow_unauthenticated ) {
183 $this->logged_in =
false;
209 $realm = $c->system_name;
211 if ( isset($_SERVER[
'HTTP_USER_AGENT']) ) $opaque .= $_SERVER[
'HTTP_USER_AGENT'];
212 if ( isset($_SERVER[
'REMOTE_ADDR']) ) $opaque .= $_SERVER[
'REMOTE_ADDR'];
213 $opaque = sha1($opaque);
215 if ( ! empty($_SERVER[
'PHP_AUTH_DIGEST'])) {
219 if ( $data[
'uri'] != $_SERVER[
'REQUEST_URI'] ) {
220 dbg_error_log(
"ERROR",
" DigestAuth: WTF! URI is '%s' and request URI is '%s'!?!" );
226 $test_user =
new Principal(
'username', $data[
'username']);
228 if ( preg_match(
'{\*(Digest)?\*(.*)}', $test_user->password, $matches ) ) {
229 if ( $matches[1] ==
'Digest' )
233 $A1 = md5($data[
'username'] .
':' . $realm .
':' . $matches[2]);
235 $A2 = md5($_SERVER[
'REQUEST_METHOD'].
':'.$data[
'uri']);
236 $auth_string = $A1.
':'.$data[
'nonce'].
':'.$data[
'nc'].
':'.$data[
'cnonce'].
':'.$data[
'qop'].
':'.$A2;
238 $valid_response = md5($auth_string);
241 if ( $data[
'response'] == $valid_response ) {
255 $nonce = sha1(uniqid(
'',
true));
256 $authheader = sprintf(
'WWW-Authenticate: Digest realm="%s", qop="auth", nonce="%s", opaque="%s", algorithm="MD5"',
257 $realm, $nonce, $opaque );
258 dbg_error_log(
"HTTPAuth", $authheader );
270 $needed_parts = array(
'nonce'=>1,
'nc'=>1,
'cnonce'=>1,
'qop'=>1,
'username'=>1,
'uri'=>1,
'response'=>1);
273 preg_match_all(
'{(\w+)="([^"]+)"}', $auth_header, $matches, PREG_SET_ORDER);
274 foreach ($matches as $m) {
276 $data[$m[1]] = $m[2];
277 unset($needed_parts[$m[1]]);
278 dbg_error_log(
"HTTPAuth",
'Received: %s: %s', $m[1], $m[2] );
281 preg_match_all(
'{(\w+)=([^" ,]+)}', $auth_header, $matches, PREG_SET_ORDER);
282 foreach ($matches as $m) {
284 $data[$m[1]] = $m[2];
285 unset($needed_parts[$m[1]]);
286 dbg_error_log(
"HTTPAuth",
'Received: %s: %s', $m[1], $m[2] );
290 @dbg_error_log(
"HTTPAuth",
'Received: nonce: %s, nc: %s, cnonce: %s, qop: %s, username: %s, uri: %s, response: %s',
291 $data[
'nonce'], $data[
'nc'], $data[
'cnonce'], $data[
'qop'], $data[
'username'], $data[
'uri'], $data[
'response']
293 return $needed_parts ? false : $data;
304 if(isset($c->login_append_domain_if_missing) && $c->login_append_domain_if_missing && !preg_match(
'/@/',$username))
305 $username.=
'@'.$c->domain_name;
307 if ( !isset($c->authenticate_hook) || !isset($c->authenticate_hook[
'call'])
308 || !function_exists($c->authenticate_hook[
'call'])
309 || (isset($c->authenticate_hook[
'optional']) && $c->authenticate_hook[
'optional']) )
311 if ( $principal =
new Principal(
'username', $username) ) {
312 if ( isset($c->dbg[
'password']) ) dbg_error_log(
"password",
":CheckPassword: Name:%s, Pass:%s, File:%s, Active:%s", $username, $password, $principal->password, ($principal->user_active?
'Yes':
'No') );
313 if ( $principal->user_active && session_validate_password( $password, $principal->password ) ) {
319 if ( isset($c->authenticate_hook) && isset($c->authenticate_hook[
'call']) && function_exists($c->authenticate_hook[
'call']) ) {
331 $principal = call_user_func( $c->authenticate_hook[
'call'], $username, $password );
332 if ( $principal !==
false && !($principal instanceof
Principal) ) {
333 $principal =
new Principal(
'username', $username);
351 return ( isset($this->logged_in) && $this->logged_in && isset($this->roles[$whatever]) && $this->roles[$whatever] );
359 $this->roles = array();
360 $qry =
new AwlQuery(
'SELECT role_name FROM role_member m join roles r ON r.role_no = m.role_no WHERE user_no = :user_no ',
361 array(
':user_no' => $this->user_no) );
362 if ( $qry->Exec(
'BasicAuth') && $qry->rows() > 0 ) {
363 while( $role = $qry->Fetch() ) {
364 $this->roles[$role->role_name] =
true;
375 if ( is_string($principal) ) $principal =
new Principal(
'username',$principal);
376 if ( get_class($principal) !=
'Principal' ) {
377 $principal =
new Principal(
'username',$principal->username);
381 foreach( $principal AS $k => $v ) {
384 if ( !get_class($principal) ==
'Principal' ) {
385 throw new Exception(
'HTTPAuthSession::AssignSessionDetails could not find a Principal object');
387 $this->username = $principal->username();
388 $this->user_no = $principal->user_no();
389 $this->principal_id = $principal->principal_id();
390 $this->email = $principal->email();
391 $this->fullname = $principal->fullname;
392 $this->dav_name = $principal->dav_name();
393 $this->principal = $principal;
396 $this->logged_in =
true;
397 if ( function_exists(
"awl_set_locale") && isset($this->locale) && $this->locale !=
"" ) {
398 awl_set_locale($this->locale);