diff options
| author | Jan Schumann <js@schumann-it.com> | 2012-02-20 19:51:26 +0100 |
|---|---|---|
| committer | Jan Schumann <js@schumann-it.com> | 2012-02-20 19:51:26 +0100 |
| commit | f4476bd9b5badd36cd0617d76538e47d9649986b (patch) | |
| tree | 8100a814f4ccc279694f0a77596ce498a6eb4a0c | |
| parent | 396b87bebcb14765849b43a259a2b6cf2aff98f3 (diff) | |
| download | rpg-f4476bd9b5badd36cd0617d76538e47d9649986b.tar.gz rpg-f4476bd9b5badd36cd0617d76538e47d9649986b.tar.bz2 | |
Refactored auth system: All auth methods are now introduced as plugins.
| -rw-r--r-- | inc/auth.php | 37 | ||||
| -rw-r--r-- | inc/auth/basic.class.php | 403 | ||||
| -rw-r--r-- | inc/auth/pgsql.class.php | 410 | ||||
| -rw-r--r-- | lib/plugins/auth.php | 420 | ||||
| -rw-r--r-- | lib/plugins/authad/auth.php (renamed from inc/auth/ad.class.php) | 48 | ||||
| -rw-r--r-- | lib/plugins/authad/plugin.info.txt | 7 | ||||
| -rw-r--r-- | lib/plugins/authldap/auth.php (renamed from inc/auth/ldap.class.php) | 20 | ||||
| -rw-r--r-- | lib/plugins/authldap/plugin.info.txt | 7 | ||||
| -rw-r--r-- | lib/plugins/authmysql/auth.php (renamed from inc/auth/mysql.class.php) | 23 | ||||
| -rw-r--r-- | lib/plugins/authmysql/plugin.info.txt | 7 | ||||
| -rw-r--r-- | lib/plugins/authpgsql/auth.php | 331 | ||||
| -rw-r--r-- | lib/plugins/authpgsql/plugin.info.txt | 7 | ||||
| -rw-r--r-- | lib/plugins/authplain/auth.php (renamed from inc/auth/plain.class.php) | 23 | ||||
| -rw-r--r-- | lib/plugins/authplain/plugin.info.txt | 7 | ||||
| -rw-r--r-- | lib/plugins/config/settings/extra.class.php | 50 |
15 files changed, 902 insertions, 898 deletions
diff --git a/inc/auth.php b/inc/auth.php index b11a14d50..aac7a2fca 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -45,35 +45,19 @@ function auth_setup(){ $plugins = $plugin_controller->getList('auth'); foreach ($plugin_controller->getList('auth') as $plugin) { if ($conf['authtype'] === $plugin) { - $auth = $plugin_controller->load('auth', $plugin)->getAuth(); + $auth = $plugin_controller->load('auth', $plugin); break; } } - if (!$auth) { - // load the the backend auth functions and instantiate the auth object XXX - if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) { - require_once(DOKU_INC.'inc/auth/basic.class.php'); - require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php'); - - $auth_class = "auth_".$conf['authtype']; - if (class_exists($auth_class)) { - $auth = new $auth_class(); - if ($auth->success == false) { - // degrade to unauthenticated user - unset($auth); - auth_logoff(); - msg($lang['authtempfail'], -1); - } - } else { - nice_die($lang['authmodfailed']); - } - } else { - nice_die($lang['authmodfailed']); - } - } + if(!$auth) return; - if(!$auth) return; + if ($auth && $auth->success == false) { + // degrade to unauthenticated user + unset($auth); + auth_logoff(); + msg($lang['authtempfail'], -1); + } // do the login either by cookie or provided credentials XXX if (!isset($_REQUEST['u'])) $_REQUEST['u'] = ''; @@ -102,7 +86,10 @@ function auth_setup(){ } // apply cleaning - $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + if (true === $auth->success) + { + $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + } if(isset($_REQUEST['authtok'])){ // when an authentication token is given, trust the session diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php deleted file mode 100644 index c7e7031bf..000000000 --- a/inc/auth/basic.class.php +++ /dev/null @@ -1,403 +0,0 @@ -<?php -/** - * auth/basic.class.php - * - * foundation authorisation class - * all auth classes should inherit from this class - * - * @author Chris Smith <chris@jalakai.co.uk> - */ - -class auth_basic { - - var $success = true; - - - /** - * Posible things an auth backend module may be able to - * do. The things a backend can do need to be set to true - * in the constructor. - */ - var $cando = array ( - 'addUser' => false, // can Users be created? - 'delUser' => false, // can Users be deleted? - 'modLogin' => false, // can login names be changed? - 'modPass' => false, // can passwords be changed? - 'modName' => false, // can real names be changed? - 'modMail' => false, // can emails be changed? - 'modGroups' => false, // can groups be changed? - 'getUsers' => false, // can a (filtered) list of users be retrieved? - 'getUserCount'=> false, // can the number of users be retrieved? - 'getGroups' => false, // can a list of available groups be retrieved? - 'external' => false, // does the module do external auth checking? - 'logout' => true, // can the user logout again? (eg. not possible with HTTP auth) - ); - - - /** - * Constructor. - * - * Carry out sanity checks to ensure the object is - * able to operate. Set capabilities in $this->cando - * array here - * - * Set $this->success to false if checks fail - * - * @author Christopher Smith <chris@jalakai.co.uk> - */ - function auth_basic() { - // the base class constructor does nothing, derived class - // constructors do the real work - } - - /** - * Capability check. [ DO NOT OVERRIDE ] - * - * Checks the capabilities set in the $this->cando array and - * some pseudo capabilities (shortcutting access to multiple - * ones) - * - * ususal capabilities start with lowercase letter - * shortcut capabilities start with uppercase letter - * - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool - */ - function canDo($cap) { - switch($cap){ - case 'Profile': - // can at least one of the user's properties be changed? - return ( $this->cando['modPass'] || - $this->cando['modName'] || - $this->cando['modMail'] ); - break; - case 'UserMod': - // can at least anything be changed? - return ( $this->cando['modPass'] || - $this->cando['modName'] || - $this->cando['modMail'] || - $this->cando['modLogin'] || - $this->cando['modGroups'] || - $this->cando['modMail'] ); - break; - default: - // print a helping message for developers - if(!isset($this->cando[$cap])){ - msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); - } - return $this->cando[$cap]; - } - } - - /** - * Trigger the AUTH_USERDATA_CHANGE event and call the modification function. [ DO NOT OVERRIDE ] - * - * You should use this function instead of calling createUser, modifyUser or - * deleteUsers directly. The event handlers can prevent the modification, for - * example for enforcing a user name schema. - * - * @author Gabriel Birke <birke@d-scribe.de> - * @param string $type Modification type ('create', 'modify', 'delete') - * @param array $params Parameters for the createUser, modifyUser or deleteUsers method. The content of this array depends on the modification type - * @return mixed Result from the modification function or false if an event handler has canceled the action - */ - function triggerUserMod($type, $params) - { - $validTypes = array( - 'create' => 'createUser', - 'modify' => 'modifyUser', - 'delete' => 'deleteUsers' - ); - if(empty($validTypes[$type])) - return false; - $eventdata = array('type' => $type, 'params' => $params, 'modification_result' => null); - $evt = new Doku_Event('AUTH_USER_CHANGE', $eventdata); - if ($evt->advise_before(true)) { - $result = call_user_func_array(array($this, $validTypes[$type]), $params); - $evt->data['modification_result'] = $result; - } - $evt->advise_after(); - unset($evt); - return $result; - } - - /** - * Log off the current user [ OPTIONAL ] - * - * Is run in addition to the ususal logoff method. Should - * only be needed when trustExternal is implemented. - * - * @see auth_logoff() - * @author Andreas Gohr <andi@splitbrain.org> - */ - function logOff(){ - } - - /** - * Do all authentication [ OPTIONAL ] - * - * Set $this->cando['external'] = true when implemented - * - * If this function is implemented it will be used to - * authenticate a user - all other DokuWiki internals - * will not be used for authenticating, thus - * implementing the checkPass() function is not needed - * anymore. - * - * The function can be used to authenticate against third - * party cookies or Apache auth mechanisms and replaces - * the auth_login() function - * - * The function will be called with or without a set - * username. If the Username is given it was called - * from the login form and the given credentials might - * need to be checked. If no username was given it - * the function needs to check if the user is logged in - * by other means (cookie, environment). - * - * The function needs to set some globals needed by - * DokuWiki like auth_login() does. - * - * @see auth_login() - * @author Andreas Gohr <andi@splitbrain.org> - * - * @param string $user Username - * @param string $pass Cleartext Password - * @param bool $sticky Cookie should not expire - * @return bool true on successful auth - */ - function trustExternal($user,$pass,$sticky=false){ -# // some example: -# -# global $USERINFO; -# global $conf; -# $sticky ? $sticky = true : $sticky = false; //sanity check -# -# // do the checking here -# -# // set the globals if authed -# $USERINFO['name'] = 'FIXME'; -# $USERINFO['mail'] = 'FIXME'; -# $USERINFO['grps'] = array('FIXME'); -# $_SERVER['REMOTE_USER'] = $user; -# $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; -# $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass; -# $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; -# return true; - } - - /** - * Check user+password [ MUST BE OVERRIDDEN ] - * - * Checks if the given user exists and the given - * plaintext password is correct - * - * May be ommited if trustExternal is used. - * - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool - */ - function checkPass($user,$pass){ - msg("no valid authorisation system in use", -1); - return false; - } - - /** - * Return user info [ MUST BE OVERRIDDEN ] - * - * Returns info about the given user needs to contain - * at least these fields: - * - * name string full name of the user - * mail string email addres of the user - * grps array list of groups the user is in - * - * @author Andreas Gohr <andi@splitbrain.org> - * @return array containing user data or false - */ - function getUserData($user) { - if(!$this->cando['external']) msg("no valid authorisation system in use", -1); - return false; - } - - /** - * Create a new User [implement only where required/possible] - * - * Returns false if the user already exists, null when an error - * occurred and true if everything went well. - * - * The new user HAS TO be added to the default group by this - * function! - * - * Set addUser capability when implemented - * - * @author Andreas Gohr <andi@splitbrain.org> - */ - function createUser($user,$pass,$name,$mail,$grps=null){ - msg("authorisation method does not allow creation of new users", -1); - return null; - } - - /** - * Modify user data [implement only where required/possible] - * - * Set the mod* capabilities according to the implemented features - * - * @author Chris Smith <chris@jalakai.co.uk> - * @param $user nick of the user to be changed - * @param $changes array of field/value pairs to be changed (password will be clear text) - * @return bool - */ - function modifyUser($user, $changes) { - msg("authorisation method does not allow modifying of user data", -1); - return false; - } - - /** - * Delete one or more users [implement only where required/possible] - * - * Set delUser capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @param array $users - * @return int number of users deleted - */ - function deleteUsers($users) { - msg("authorisation method does not allow deleting of users", -1); - return false; - } - - /** - * Return a count of the number of user which meet $filter criteria - * [should be implemented whenever retrieveUsers is implemented] - * - * Set getUserCount capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - */ - function getUserCount($filter=array()) { - msg("authorisation method does not provide user counts", -1); - return 0; - } - - /** - * Bulk retrieval of user data [implement only where required/possible] - * - * Set getUsers capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @param start index of first user to be returned - * @param limit max number of users to be returned - * @param filter array of field/pattern pairs, null for no filter - * @return array of userinfo (refer getUserData for internal userinfo details) - */ - function retrieveUsers($start=0,$limit=-1,$filter=null) { - msg("authorisation method does not support mass retrieval of user data", -1); - return array(); - } - - /** - * Define a group [implement only where required/possible] - * - * Set addGroup capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ - function addGroup($group) { - msg("authorisation method does not support independent group creation", -1); - return false; - } - - /** - * Retrieve groups [implement only where required/possible] - * - * Set getGroups capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return array - */ - function retrieveGroups($start=0,$limit=0) { - msg("authorisation method does not support group list retrieval", -1); - return array(); - } - - /** - * Return case sensitivity of the backend [OPTIONAL] - * - * When your backend is caseinsensitive (eg. you can login with USER and - * user) then you need to overwrite this method and return false - */ - function isCaseSensitive(){ - return true; - } - - /** - * Sanitize a given username [OPTIONAL] - * - * This function is applied to any user name that is given to - * the backend and should also be applied to any user name within - * the backend before returning it somewhere. - * - * This should be used to enforce username restrictions. - * - * @author Andreas Gohr <andi@splitbrain.org> - * @param string $user - username - * @param string - the cleaned username - */ - function cleanUser($user){ - return $user; - } - - /** - * Sanitize a given groupname [OPTIONAL] - * - * This function is applied to any groupname that is given to - * the backend and should also be applied to any groupname within - * the backend before returning it somewhere. - * - * This should be used to enforce groupname restrictions. - * - * Groupnames are to be passed without a leading '@' here. - * - * @author Andreas Gohr <andi@splitbrain.org> - * @param string $group - groupname - * @param string - the cleaned groupname - */ - function cleanGroup($group){ - return $group; - } - - - /** - * Check Session Cache validity [implement only where required/possible] - * - * DokuWiki caches user info in the user's session for the timespan defined - * in $conf['auth_security_timeout']. - * - * This makes sure slow authentication backends do not slow down DokuWiki. - * This also means that changes to the user database will not be reflected - * on currently logged in users. - * - * To accommodate for this, the user manager plugin will touch a reference - * file whenever a change is submitted. This function compares the filetime - * of this reference file with the time stored in the session. - * - * This reference file mechanism does not reflect changes done directly in - * the backend's database through other means than the user manager plugin. - * - * Fast backends might want to return always false, to force rechecks on - * each page load. Others might want to use their own checking here. If - * unsure, do not override. - * - * @param string $user - The username - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool - */ - function useSessionCache($user){ - global $conf; - return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')); - } - -} -//Setup VIM: ex: et ts=2 : diff --git a/inc/auth/pgsql.class.php b/inc/auth/pgsql.class.php deleted file mode 100644 index cf8bf7600..000000000 --- a/inc/auth/pgsql.class.php +++ /dev/null @@ -1,410 +0,0 @@ -<?php -/** - * PgSQL authentication backend - * - * This class inherits much functionality from the MySQL class - * and just reimplements the Postgres specific parts. - * - * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) - * @author Andreas Gohr <andi@splitbrain.org> - * @author Chris Smith <chris@jalakai.co.uk> - * @author Matthias Grimm <matthias.grimmm@sourceforge.net> -*/ - -require_once(DOKU_INC.'inc/auth/mysql.class.php'); - -class auth_pgsql extends auth_mysql { - - /** - * Constructor - * - * checks if the pgsql interface is available, otherwise it will - * set the variable $success of the basis class to false - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - * @author Andreas Gohr <andi@splitbrain.org> - */ - function auth_pgsql() { - global $conf; - $this->cnf = $conf['auth']['pgsql']; - if(!$this->cnf['port']) $this->cnf['port'] = 5432; - - if (method_exists($this, 'auth_basic')) - parent::auth_basic(); - - if(!function_exists('pg_connect')) { - if ($this->cnf['debug']) - msg("PgSQL err: PHP Postgres extension not found.",-1); - $this->success = false; - return; - } - - $this->defaultgroup = $conf['defaultgroup']; - - // set capabilities based upon config strings set - if (empty($this->cnf['user']) || - empty($this->cnf['password']) || empty($this->cnf['database'])){ - if ($this->cnf['debug']) - msg("PgSQL err: insufficient configuration.",-1,__LINE__,__FILE__); - $this->success = false; - return; - } - - $this->cando['addUser'] = $this->_chkcnf(array('getUserInfo', - 'getGroups', - 'addUser', - 'getUserID', - 'getGroupID', - 'addGroup', - 'addUserGroup')); - $this->cando['delUser'] = $this->_chkcnf(array('getUserID', - 'delUser', - 'delUserRefs')); - $this->cando['modLogin'] = $this->_chkcnf(array('getUserID', - 'updateUser', - 'UpdateTarget')); - $this->cando['modPass'] = $this->cando['modLogin']; - $this->cando['modName'] = $this->cando['modLogin']; - $this->cando['modMail'] = $this->cando['modLogin']; - $this->cando['modGroups'] = $this->_chkcnf(array('getUserID', - 'getGroups', - 'getGroupID', - 'addGroup', - 'addUserGroup', - 'delGroup', - 'getGroupID', - 'delUserGroup')); - /* getGroups is not yet supported - $this->cando['getGroups'] = $this->_chkcnf(array('getGroups', - 'getGroupID')); */ - $this->cando['getUsers'] = $this->_chkcnf(array('getUsers', - 'getUserInfo', - 'getGroups')); - $this->cando['getUserCount'] = $this->_chkcnf(array('getUsers')); - } - - /** - * Check if the given config strings are set - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - * @return bool - */ - function _chkcnf($keys, $wop=false){ - foreach ($keys as $key){ - if (empty($this->cnf[$key])) return false; - } - return true; - } - - // @inherit function checkPass($user,$pass) - // @inherit function getUserData($user) - // @inherit function createUser($user,$pwd,$name,$mail,$grps=null) - // @inherit function modifyUser($user, $changes) - // @inherit function deleteUsers($users) - - - /** - * [public function] - * - * Counts users which meet certain $filter criteria. - * - * @param array $filter filter criteria in item/pattern pairs - * @return count of found users. - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function getUserCount($filter=array()) { - $rc = 0; - - if($this->_openDB()) { - $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); - - // no equivalent of SQL_CALC_FOUND_ROWS in pgsql? - if (($result = $this->_queryDB($sql))){ - $rc = count($result); - } - $this->_closeDB(); - } - return $rc; - } - - /** - * Bulk retrieval of user data. [public function] - * - * @param first index of first user to be returned - * @param limit max number of users to be returned - * @param filter array of field/pattern pairs - * @return array of userinfo (refer getUserData for internal userinfo details) - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function retrieveUsers($first=0,$limit=10,$filter=array()) { - $out = array(); - - if($this->_openDB()) { - $this->_lockTables("READ"); - $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); - $sql .= " ".$this->cnf['SortOrder']." LIMIT $limit OFFSET $first"; - $result = $this->_queryDB($sql); - - foreach ($result as $user) - if (($info = $this->_getUserInfo($user['user']))) - $out[$user['user']] = $info; - - $this->_unlockTables(); - $this->_closeDB(); - } - return $out; - } - - // @inherit function joinGroup($user, $group) - // @inherit function leaveGroup($user, $group) { - - /** - * Adds a user to a group. - * - * If $force is set to '1' non existing groups would be created. - * - * The database connection must already be established. Otherwise - * this function does nothing and returns 'false'. - * - * @param $user user to add to a group - * @param $group name of the group - * @param $force '1' create missing groups - * @return bool 'true' on success, 'false' on error - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - * @author Andreas Gohr <andi@splitbrain.org> - */ - function _addUserToGroup($user, $group, $force=0) { - $newgroup = 0; - - if (($this->dbcon) && ($user)) { - $gid = $this->_getGroupID($group); - if (!$gid) { - if ($force) { // create missing groups - $sql = str_replace('%{group}',addslashes($group),$this->cnf['addGroup']); - $this->_modifyDB($sql); - //group should now exists try again to fetch it - $gid = $this->_getGroupID($group); - $newgroup = 1; // group newly created - } - } - if (!$gid) return false; // group didn't exist and can't be created - - $sql = $this->cnf['addUserGroup']; - if(strpos($sql,'%{uid}') !== false){ - $uid = $this->_getUserID($user); - $sql = str_replace('%{uid}', addslashes($uid), $sql); - } - $sql = str_replace('%{user}', addslashes($user),$sql); - $sql = str_replace('%{gid}', addslashes($gid),$sql); - $sql = str_replace('%{group}',addslashes($group),$sql); - if ($this->_modifyDB($sql) !== false) return true; - - if ($newgroup) { // remove previously created group on error - $sql = str_replace('%{gid}', addslashes($gid),$this->cnf['delGroup']); - $sql = str_replace('%{group}',addslashes($group),$sql); - $this->_modifyDB($sql); - } - } - return false; - } - - // @inherit function _delUserFromGroup($user $group) - // @inherit function _getGroups($user) - // @inherit function _getUserID($user) - - /** - * Adds a new User to the database. - * - * The database connection must already be established - * for this function to work. Otherwise it will return - * 'false'. - * - * @param $user login of the user - * @param $pwd encrypted password - * @param $name full name of the user - * @param $mail email address - * @param $grps array of groups the user should become member of - * @return bool - * - * @author Andreas Gohr <andi@splitbrain.org> - * @author Chris Smith <chris@jalakai.co.uk> - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _addUser($user,$pwd,$name,$mail,$grps){ - if($this->dbcon && is_array($grps)) { - $sql = str_replace('%{user}', addslashes($user),$this->cnf['addUser']); - $sql = str_replace('%{pass}', addslashes($pwd),$sql); - $sql = str_replace('%{name}', addslashes($name),$sql); - $sql = str_replace('%{email}',addslashes($mail),$sql); - if($this->_modifyDB($sql)){ - $uid = $this->_getUserID($user); - }else{ - return false; - } - - if ($uid) { - foreach($grps as $group) { - $gid = $this->_addUserToGroup($user, $group, 1); - if ($gid === false) break; - } - - if ($gid) return true; - else { - /* remove the new user and all group relations if a group can't - * be assigned. Newly created groups will remain in the database - * and won't be removed. This might create orphaned groups but - * is not a big issue so we ignore this problem here. - */ - $this->_delUser($user); - if ($this->cnf['debug']) - msg("PgSQL err: Adding user '$user' to group '$group' failed.",-1,__LINE__,__FILE__); - } - } - } - return false; - } - - // @inherit function _delUser($user) - // @inherit function _getUserInfo($user) - // @inherit function _updateUserInfo($changes, $uid) - // @inherit function _getGroupID($group) - - /** - * Opens a connection to a database and saves the handle for further - * usage in the object. The successful call to this functions is - * essential for most functions in this object. - * - * @return bool - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _openDB() { - if (!$this->dbcon) { - $dsn = $this->cnf['server'] ? 'host='.$this->cnf['server'] : ''; - $dsn .= ' port='.$this->cnf['port']; - $dsn .= ' dbname='.$this->cnf['database']; - $dsn .= ' user='.$this->cnf['user']; - $dsn .= ' password='.$this->cnf['password']; - - $con = @pg_connect($dsn); - if ($con) { - $this->dbcon = $con; - return true; // connection and database successfully opened - } else if ($this->cnf['debug']){ - msg ("PgSQL err: Connection to {$this->cnf['user']}@{$this->cnf['server']} not possible.", - -1,__LINE__,__FILE__); - } - return false; // connection failed - } - return true; // connection already open - } - - /** - * Closes a database connection. - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _closeDB() { - if ($this->dbcon) { - pg_close ($this->dbcon); - $this->dbcon = 0; - } - } - - /** - * Sends a SQL query to the database and transforms the result into - * an associative array. - * - * This function is only able to handle queries that returns a - * table such as SELECT. - * - * @param $query SQL string that contains the query - * @return array with the result table - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _queryDB($query) { - if ($this->dbcon) { - $result = @pg_query($this->dbcon,$query); - if ($result) { - while (($t = pg_fetch_assoc($result)) !== false) - $resultarray[]=$t; - pg_free_result ($result); - return $resultarray; - }elseif ($this->cnf['debug']) - msg('PgSQL err: '.pg_last_error($this->dbcon),-1,__LINE__,__FILE__); - } - return false; - } - - /** - * Executes an update or insert query. This differs from the - * MySQL one because it does NOT return the last insertID - * - * @author Andreas Gohr - */ - function _modifyDB($query) { - if ($this->dbcon) { - $result = @pg_query($this->dbcon,$query); - if ($result) { - pg_free_result ($result); - return true; - } - if ($this->cnf['debug']){ - msg('PgSQL err: '.pg_last_error($this->dbcon),-1,__LINE__,__FILE__); - } - } - return false; - } - - /** - * Start a transaction - * - * @param $mode could be 'READ' or 'WRITE' - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _lockTables($mode) { - if ($this->dbcon) { - $this->_modifyDB('BEGIN'); - return true; - } - return false; - } - - /** - * Commit a transaction - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - */ - function _unlockTables() { - if ($this->dbcon) { - $this->_modifyDB('COMMIT'); - return true; - } - return false; - } - - // @inherit function _createSQLFilter($sql, $filter) - - - /** - * Escape a string for insertion into the database - * - * @author Andreas Gohr <andi@splitbrain.org> - * @param string $string The string to escape - * @param boolean $like Escape wildcard chars as well? - */ - function _escape($string,$like=false){ - $string = pg_escape_string($string); - if($like){ - $string = addcslashes($string,'%_'); - } - return $string; - } - -} - -//Setup VIM: ex: et ts=2 : diff --git a/lib/plugins/auth.php b/lib/plugins/auth.php index 3ec64018c..59631143f 100644 --- a/lib/plugins/auth.php +++ b/lib/plugins/auth.php @@ -9,17 +9,421 @@ if(!defined('DOKU_INC')) die(); /** - * All plugins that provide Authentication should inherit from this class and implement - * the getAuth() method to make its Auth-System available. + * auth/basic.class.php * - * @author Jan Schumann <js@jschumann-it.com> + * foundation authorisation class + * all auth classes should inherit from this class + * + * @author Chris Smith <chris@jalakai.co.uk> + * @author Jan Schumann <js@jschumann-it.com> */ class DokuWiki_Auth_Plugin extends DokuWiki_Plugin { - /** - * Retrieves the authentication system - */ - function getAuth() { - trigger_error('getAuth() not implemented in '.get_class($this), E_USER_WARNING); + var $success = true; + + + /** + * Posible things an auth backend module may be able to + * do. The things a backend can do need to be set to true + * in the constructor. + */ + var $cando = array ( + 'addUser' => false, // can Users be created? + 'delUser' => false, // can Users be deleted? + 'modLogin' => false, // can login names be changed? + 'modPass' => false, // can passwords be changed? + 'modName' => false, // can real names be changed? + 'modMail' => false, // can emails be changed? + 'modGroups' => false, // can groups be changed? + 'getUsers' => false, // can a (filtered) list of users be retrieved? + 'getUserCount'=> false, // can the number of users be retrieved? + 'getGroups' => false, // can a list of available groups be retrieved? + 'external' => false, // does the module do external auth checking? + 'logout' => true, // can the user logout again? (eg. not possible with HTTP auth) + ); + + + /** + * Constructor. + * + * Carry out sanity checks to ensure the object is + * able to operate. Set capabilities in $this->cando + * array here + * + * Set $this->success to false if checks fail + * + * @author Christopher Smith <chris@jalakai.co.uk> + */ + function auth_basic() { + // the base class constructor does nothing, derived class + // constructors do the real work + } + + /** + * Capability check. [ DO NOT OVERRIDE ] + * + * Checks the capabilities set in the $this->cando array and + * some pseudo capabilities (shortcutting access to multiple + * ones) + * + * ususal capabilities start with lowercase letter + * shortcut capabilities start with uppercase letter + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function canDo($cap) { + switch($cap){ + case 'Profile': + // can at least one of the user's properties be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] ); + break; + case 'UserMod': + // can at least anything be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] || + $this->cando['modLogin'] || + $this->cando['modGroups'] || + $this->cando['modMail'] ); + break; + default: + // print a helping message for developers + if(!isset($this->cando[$cap])){ + msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); + } + return $this->cando[$cap]; + } + } + + /** + * Trigger the AUTH_USERDATA_CHANGE event and call the modification function. [ DO NOT OVERRIDE ] + * + * You should use this function instead of calling createUser, modifyUser or + * deleteUsers directly. The event handlers can prevent the modification, for + * example for enforcing a user name schema. + * + * @author Gabriel Birke <birke@d-scribe.de> + * @param string $type Modification type ('create', 'modify', 'delete') + * @param array $params Parameters for the createUser, modifyUser or deleteUsers method. The content of this array depends on the modification type + * @return mixed Result from the modification function or false if an event handler has canceled the action + */ + function triggerUserMod($type, $params) + { + $validTypes = array( + 'create' => 'createUser', + 'modify' => 'modifyUser', + 'delete' => 'deleteUsers' + ); + if(empty($validTypes[$type])) + return false; + $eventdata = array('type' => $type, 'params' => $params, 'modification_result' => null); + $evt = new Doku_Event('AUTH_USER_CHANGE', $eventdata); + if ($evt->advise_before(true)) { + $result = call_user_func_array(array($this, $validTypes[$type]), $params); + $evt->data['modification_result'] = $result; } + $evt->advise_after(); + unset($evt); + return $result; + } + + /** + * Log off the current user [ OPTIONAL ] + * + * Is run in addition to the ususal logoff method. Should + * only be needed when trustExternal is implemented. + * + * @see auth_logoff() + * @author Andreas Gohr <andi@splitbrain.org> + */ + function logOff(){ + } + + /** + * Do all authentication [ OPTIONAL ] + * + * Set $this->cando['external'] = true when implemented + * + * If this function is implemented it will be used to + * authenticate a user - all other DokuWiki internals + * will not be used for authenticating, thus + * implementing the checkPass() function is not needed + * anymore. + * + * The function can be used to authenticate against third + * party cookies or Apache auth mechanisms and replaces + * the auth_login() function + * + * The function will be called with or without a set + * username. If the Username is given it was called + * from the login form and the given credentials might + * need to be checked. If no username was given it + * the function needs to check if the user is logged in + * by other means (cookie, environment). + * + * The function needs to set some globals needed by + * DokuWiki like auth_login() does. + * + * @see auth_login() + * @author Andreas Gohr <andi@splitbrain.org> + * + * @param string $user Username + * @param string $pass Cleartext Password + * @param bool $sticky Cookie should not expire + * @return bool true on successful auth + */ + function trustExternal($user,$pass,$sticky=false){ +# // some example: +# +# global $USERINFO; +# global $conf; +# $sticky ? $sticky = true : $sticky = false; //sanity check +# +# // do the checking here +# +# // set the globals if authed +# $USERINFO['name'] = 'FIXME'; +# $USERINFO['mail'] = 'FIXME'; +# $USERINFO['grps'] = array('FIXME'); +# $_SERVER['REMOTE_USER'] = $user; +# $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; +# $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass; +# $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; +# return true; + } + + /** + * Check user+password [ MUST BE OVERRIDDEN ] + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * May be ommited if trustExternal is used. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + msg("no valid authorisation system in use", -1); + return false; + } + + /** + * Return user info [ MUST BE OVERRIDDEN ] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return array containing user data or false + */ + function getUserData($user) { + if(!$this->cando['external']) msg("no valid authorisation system in use", -1); + return false; + } + + /** + * Create a new User [implement only where required/possible] + * + * Returns false if the user already exists, null when an error + * occurred and true if everything went well. + * + * The new user HAS TO be added to the default group by this + * function! + * + * Set addUser capability when implemented + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function createUser($user,$pass,$name,$mail,$grps=null){ + msg("authorisation method does not allow creation of new users", -1); + return null; + } + + /** + * Modify user data [implement only where required/possible] + * + * Set the mod* capabilities according to the implemented features + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password will be clear text) + * @return bool + */ + function modifyUser($user, $changes) { + msg("authorisation method does not allow modifying of user data", -1); + return false; + } + + /** + * Delete one or more users [implement only where required/possible] + * + * Set delUser capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param array $users + * @return int number of users deleted + */ + function deleteUsers($users) { + msg("authorisation method does not allow deleting of users", -1); + return false; + } + + /** + * Return a count of the number of user which meet $filter criteria + * [should be implemented whenever retrieveUsers is implemented] + * + * Set getUserCount capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function getUserCount($filter=array()) { + msg("authorisation method does not provide user counts", -1); + return 0; + } + + /** + * Bulk retrieval of user data [implement only where required/possible] + * + * Set getUsers capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs, null for no filter + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=-1,$filter=null) { + msg("authorisation method does not support mass retrieval of user data", -1); + return array(); + } + + /** + * Define a group [implement only where required/possible] + * + * Set addGroup capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return bool + */ + function addGroup($group) { + msg("authorisation method does not support independent group creation", -1); + return false; + } + + /** + * Retrieve groups [implement only where required/possible] + * + * Set getGroups capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return array + */ + function retrieveGroups($start=0,$limit=0) { + msg("authorisation method does not support group list retrieval", -1); + return array(); + } + + /** + * Return case sensitivity of the backend [OPTIONAL] + * + * When your backend is caseinsensitive (eg. you can login with USER and + * user) then you need to overwrite this method and return false + */ + function isCaseSensitive(){ + return true; + } + + /** + * Sanitize a given username [OPTIONAL] + * + * This function is applied to any user name that is given to + * the backend and should also be applied to any user name within + * the backend before returning it somewhere. + * + * This should be used to enforce username restrictions. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $user - username + * @param string - the cleaned username + */ + function cleanUser($user){ + return $user; + } + + /** + * Sanitize a given groupname [OPTIONAL] + * + * This function is applied to any groupname that is given to + * the backend and should also be applied to any groupname within + * the backend before returning it somewhere. + * + * This should be used to enforce groupname restrictions. + * + * Groupnames are to be passed without a leading '@' here. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $group - groupname + * @param string - the cleaned groupname + */ + function cleanGroup($group){ + return $group; + } + + + /** + * Check Session Cache validity [implement only where required/possible] + * + * DokuWiki caches user info in the user's session for the timespan defined + * in $conf['auth_security_timeout']. + * + * This makes sure slow authentication backends do not slow down DokuWiki. + * This also means that changes to the user database will not be reflected + * on currently logged in users. + * + * To accommodate for this, the user manager plugin will touch a reference + * file whenever a change is submitted. This function compares the filetime + * of this reference file with the time stored in the session. + * + * This reference file mechanism does not reflect changes done directly in + * the backend's database through other means than the user manager plugin. + * + * Fast backends might want to return always false, to force rechecks on + * each page load. Others might want to use their own checking here. If + * unsure, do not override. + * + * @param string $user - The username + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function useSessionCache($user){ + global $conf; + return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')); + } + + + /** + * loadConfig() + * merges the plugin's default settings with any local settings + * this function is automatically called through getConf() + */ + function loadConfig(){ + global $conf; + + parent::loadConfig(); + + $this->conf['debug'] = $conf['debug']; + $this->conf['useacl'] = $conf['useacl']; + $this->conf['disableactions'] = $conf['disableactions']; + $this->conf['autopasswd'] = $conf['autopasswd']; + $this->conf['passcrypt'] = $conf['ssha']; + } + } diff --git a/inc/auth/ad.class.php b/lib/plugins/authad/auth.php index 1fddad243..70d3cfb8c 100644 --- a/inc/auth/ad.class.php +++ b/lib/plugins/authad/auth.php @@ -1,5 +1,16 @@ <?php /** + * Plugin auth provider + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Jan Schumann <js@schumann-it.com> + */ +// must be run within Dokuwiki +if(!defined('DOKU_INC')) die(); + +require_once(DOKU_INC.'inc/adLDAP.php'); + +/** * Active Directory authentication backend for DokuWiki * * This makes authentication with a Active Directory server much easier @@ -11,35 +22,34 @@ * $conf['useacl'] = 1; * $conf['disableactions'] = 'register'; * $conf['autopasswd'] = 0; - * $conf['authtype'] = 'ad'; + * $conf['authtype'] = 'authad'; * $conf['passcrypt'] = 'ssha'; * - * $conf['auth']['ad']['account_suffix'] = '@my.domain.org'; - * $conf['auth']['ad']['base_dn'] = 'DC=my,DC=domain,DC=org'; - * $conf['auth']['ad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; + * $conf['plugin']['authad']['account_suffix'] = '@my.domain.org'; + * $conf['plugin']['authad']['base_dn'] = 'DC=my,DC=domain,DC=org'; + * $conf['plugin']['authad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; * * //optional: - * $conf['auth']['ad']['sso'] = 1; - * $conf['auth']['ad']['ad_username'] = 'root'; - * $conf['auth']['ad']['ad_password'] = 'pass'; - * $conf['auth']['ad']['real_primarygroup'] = 1; - * $conf['auth']['ad']['use_ssl'] = 1; - * $conf['auth']['ad']['use_tls'] = 1; - * $conf['auth']['ad']['debug'] = 1; + * $conf['plugin']['authad']['sso'] = 1; + * $conf['plugin']['authad']['ad_username'] = 'root'; + * $conf['plugin']['authad']['ad_password'] = 'pass'; + * $conf['plugin']['authad']['real_primarygroup'] = 1; + * $conf['plugin']['authad']['use_ssl'] = 1; + * $conf['plugin']['authad']['use_tls'] = 1; + * $conf['plugin']['authad']['debug'] = 1; * * // get additional information to the userinfo array * // add a list of comma separated ldap contact fields. - * $conf['auth']['ad']['additional'] = 'field1,field2'; + * $conf['plugin']['authad']['additional'] = 'field1,field2'; * * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) * @author James Van Lommel <jamesvl@gmail.com> * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ * @author Andreas Gohr <andi@splitbrain.org> + * @author Jan Schumann <js@schumann-it.com> */ - -require_once(DOKU_INC.'inc/adLDAP.php'); - -class auth_ad extends auth_basic { +class auth_plugin_authad extends DokuWiki_Auth_Plugin +{ var $cnf = null; var $opts = null; var $adldap = null; @@ -48,7 +58,7 @@ class auth_ad extends auth_basic { /** * Constructor */ - function auth_ad() { + function auth_plugin_authad() { global $conf; $this->cnf = $conf['auth']['ad']; @@ -346,6 +356,4 @@ class auth_ad extends auth_basic { $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters } } -} - -//Setup VIM: ex: et ts=4 : +}
\ No newline at end of file diff --git a/lib/plugins/authad/plugin.info.txt b/lib/plugins/authad/plugin.info.txt new file mode 100644 index 000000000..ad565b853 --- /dev/null +++ b/lib/plugins/authad/plugin.info.txt @@ -0,0 +1,7 @@ +base authad +author +email +date +name active directory auth plugin +desc Provides authentication against a Microsoft Active Directory +url diff --git a/inc/auth/ldap.class.php b/lib/plugins/authldap/auth.php index 8eb411995..723685f94 100644 --- a/inc/auth/ldap.class.php +++ b/lib/plugins/authldap/auth.php @@ -1,13 +1,23 @@ <?php /** + * Plugin auth provider + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Jan Schumann <js@schumann-it.com> + */ +// must be run within Dokuwiki +if(!defined('DOKU_INC')) die(); + +/** * LDAP authentication backend * * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) * @author Andreas Gohr <andi@splitbrain.org> * @author Chris Smith <chris@jalakaic.co.uk> + * @author Jan Schumann <js@schumann-it.com> */ - -class auth_ldap extends auth_basic { +class auth_plugin_authldap extends DokuWiki_Auth_Plugin +{ var $cnf = null; var $con = null; var $bound = 0; // 0: anonymous, 1: user, 2: superuser @@ -15,7 +25,7 @@ class auth_ldap extends auth_basic { /** * Constructor */ - function auth_ldap(){ + function auth_plugin_authldap(){ global $conf; $this->cnf = $conf['auth']['ldap']; @@ -458,6 +468,4 @@ class auth_ldap extends auth_basic { $attrsonly, $sizelimit, $timelimit, $deref); } } -} - -//Setup VIM: ex: et ts=4 : +}
\ No newline at end of file diff --git a/lib/plugins/authldap/plugin.info.txt b/lib/plugins/authldap/plugin.info.txt new file mode 100644 index 000000000..c36385224 --- /dev/null +++ b/lib/plugins/authldap/plugin.info.txt @@ -0,0 +1,7 @@ +base authldap +author +email +date +name ldap auth plugin +desc Provides authentication against am LDAP server +url diff --git a/inc/auth/mysql.class.php b/lib/plugins/authmysql/auth.php index 653c725a3..9150d3939 100644 --- a/inc/auth/mysql.class.php +++ b/lib/plugins/authmysql/auth.php @@ -1,15 +1,24 @@ <?php /** + * Plugin auth provider + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Jan Schumann <js@schumann-it.com> + */ +// must be run within Dokuwiki +if(!defined('DOKU_INC')) die(); + +/** * MySQLP authentication backend * * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) * @author Andreas Gohr <andi@splitbrain.org> * @author Chris Smith <chris@jalakai.co.uk> * @author Matthias Grimm <matthias.grimmm@sourceforge.net> -*/ - -class auth_mysql extends auth_basic { - + * @author Jan Schumann <js@schumann-it.com> + */ +class auth_plugin_authmysql extends DokuWiki_Auth_Plugin +{ var $dbcon = 0; var $dbver = 0; // database version var $dbrev = 0; // database revision @@ -25,7 +34,7 @@ class auth_mysql extends auth_basic { * * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> */ - function auth_mysql() { + function auth_plugin_authmysql() { global $conf; $this->cnf = $conf['auth']['mysql']; @@ -934,6 +943,4 @@ class auth_mysql extends auth_basic { } return $string; } -} - -//Setup VIM: ex: et ts=2 : +}
\ No newline at end of file diff --git a/lib/plugins/authmysql/plugin.info.txt b/lib/plugins/authmysql/plugin.info.txt new file mode 100644 index 000000000..d08d4a7ef --- /dev/null +++ b/lib/plugins/authmysql/plugin.info.txt @@ -0,0 +1,7 @@ +base authmysql +author +email +date +name mysql auth plugin +desc Provides authentication against a MySQL Server +url diff --git a/lib/plugins/authpgsql/auth.php b/lib/plugins/authpgsql/auth.php new file mode 100644 index 000000000..824a77882 --- /dev/null +++ b/lib/plugins/authpgsql/auth.php @@ -0,0 +1,331 @@ +<?php +/** + * Plugin auth provider + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Jan Schumann <js@schumann-it.com> + */ +// must be run within Dokuwiki +if(!defined('DOKU_INC')) die(); + +/** + * PgSQL authentication backend + * + * This class inherits much functionality from the MySQL class + * and just reimplements the Postgres specific parts. + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthias.grimmm@sourceforge.net> + * @author Jan Schumann <js@schumann-it.com> +*/ +class auth_plugin_authpgsql extends auth_plugin_authmysql +{ + var $cnf = null; + var $opts = null; + var $adldap = null; + var $users = null; + + /** + * Constructor + */ + function auth_plugin_authpgsql() { + global $conf; + $this->cnf = $conf['auth']['ad']; + + + // additional information fields + if (isset($this->cnf['additional'])) { + $this->cnf['additional'] = str_replace(' ', '', $this->cnf['additional']); + $this->cnf['additional'] = explode(',', $this->cnf['additional']); + } else $this->cnf['additional'] = array(); + + // ldap extension is needed + if (!function_exists('ldap_connect')) { + if ($this->cnf['debug']) + msg("AD Auth: PHP LDAP extension not found.",-1); + $this->success = false; + return; + } + + // Prepare SSO + if($_SERVER['REMOTE_USER'] && $this->cnf['sso']){ + // remove possible NTLM domain + list($dom,$usr) = explode('\\',$_SERVER['REMOTE_USER'],2); + if(!$usr) $usr = $dom; + + // remove possible Kerberos domain + list($usr,$dom) = explode('@',$usr); + + $dom = strtolower($dom); + $_SERVER['REMOTE_USER'] = $usr; + + // we need to simulate a login + if(empty($_COOKIE[DOKU_COOKIE])){ + $_REQUEST['u'] = $_SERVER['REMOTE_USER']; + $_REQUEST['p'] = 'sso_only'; + } + } + + // prepare adLDAP standard configuration + $this->opts = $this->cnf; + + // add possible domain specific configuration + if($dom && is_array($this->cnf[$dom])) foreach($this->cnf[$dom] as $key => $val){ + $this->opts[$key] = $val; + } + + // handle multiple AD servers + $this->opts['domain_controllers'] = explode(',',$this->opts['domain_controllers']); + $this->opts['domain_controllers'] = array_map('trim',$this->opts['domain_controllers']); + $this->opts['domain_controllers'] = array_filter($this->opts['domain_controllers']); + + // we can change the password if SSL is set + if($this->opts['use_ssl'] || $this->opts['use_tls']){ + $this->cando['modPass'] = true; + } + $this->cando['modName'] = true; + $this->cando['modMail'] = true; + } + + /** + * Check user+password [required auth function] + * + * Checks if the given user exists and the given + * plaintext password is correct by trying to bind + * to the LDAP server + * + * @author James Van Lommel <james@nosq.com> + * @return bool + */ + function checkPass($user, $pass){ + if($_SERVER['REMOTE_USER'] && + $_SERVER['REMOTE_USER'] == $user && + $this->cnf['sso']) return true; + + if(!$this->_init()) return false; + return $this->adldap->authenticate($user, $pass); + } + + /** + * Return user info [required auth function] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email address of the user + * grps array list of groups the user is in + * + * This LDAP specific function returns the following + * addional fields: + * + * dn string distinguished name (DN) + * uid string Posix User ID + * + * @author James Van Lommel <james@nosq.com> + */ + function getUserData($user){ + global $conf; + if(!$this->_init()) return false; + + $fields = array('mail','displayname','samaccountname'); + + // add additional fields to read + $fields = array_merge($fields, $this->cnf['additional']); + $fields = array_unique($fields); + + //get info for given user + $result = $this->adldap->user_info($user, $fields); + //general user info + $info['name'] = $result[0]['displayname'][0]; + $info['mail'] = $result[0]['mail'][0]; + $info['uid'] = $result[0]['samaccountname'][0]; + $info['dn'] = $result[0]['dn']; + + // additional information + foreach ($this->cnf['additional'] as $field) { + if (isset($result[0][strtolower($field)])) { + $info[$field] = $result[0][strtolower($field)][0]; + } + } + + // handle ActiveDirectory memberOf + $info['grps'] = $this->adldap->user_groups($user,(bool) $this->opts['recursive_groups']); + + if (is_array($info['grps'])) { + foreach ($info['grps'] as $ndx => $group) { + $info['grps'][$ndx] = $this->cleanGroup($group); + } + } + + // always add the default group to the list of groups + if(!is_array($info['grps']) || !in_array($conf['defaultgroup'],$info['grps'])){ + $info['grps'][] = $conf['defaultgroup']; + } + + return $info; + } + + /** + * Make AD group names usable by DokuWiki. + * + * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. + * + * @author James Van Lommel (jamesvl@gmail.com) + */ + function cleanGroup($name) { + $sName = str_replace('\\', '', $name); + $sName = str_replace('#', '', $sName); + $sName = preg_replace('[\s]', '_', $sName); + return $sName; + } + + /** + * Sanitize user names + */ + function cleanUser($name) { + return $this->cleanGroup($name); + } + + /** + * Most values in LDAP are case-insensitive + */ + function isCaseSensitive(){ + return false; + } + + /** + * Bulk retrieval of user data + * + * @author Dominik Eckelmann <dokuwiki@cosmocode.de> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs, null for no filter + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=-1,$filter=array()) { + if(!$this->_init()) return false; + + if ($this->users === null) { + //get info for given user + $result = $this->adldap->all_users(); + if (!$result) return array(); + $this->users = array_fill_keys($result, false); + } + + $i = 0; + $count = 0; + $this->_constructPattern($filter); + $result = array(); + + foreach ($this->users as $user => &$info) { + if ($i++ < $start) { + continue; + } + if ($info === false) { + $info = $this->getUserData($user); + } + if ($this->_filter($user, $info)) { + $result[$user] = $info; + if (($limit >= 0) && (++$count >= $limit)) break; + } + } + return $result; + } + + /** + * Modify user data + * + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed + * @return bool + */ + function modifyUser($user, $changes) { + $return = true; + + // password changing + if(isset($changes['pass'])){ + try { + $return = $this->adldap->user_password($user,$changes['pass']); + } catch (adLDAPException $e) { + if ($this->cnf['debug']) msg('AD Auth: '.$e->getMessage(), -1); + $return = false; + } + if(!$return) msg('AD Auth: failed to change the password. Maybe the password policy was not met?',-1); + } + + // changing user data + $adchanges = array(); + if(isset($changes['name'])){ + // get first and last name + $parts = explode(' ',$changes['name']); + $adchanges['surname'] = array_pop($parts); + $adchanges['firstname'] = join(' ',$parts); + $adchanges['display_name'] = $changes['name']; + } + if(isset($changes['mail'])){ + $adchanges['email'] = $changes['mail']; + } + if(count($adchanges)){ + try { + $return = $return & $this->adldap->user_modify($user,$adchanges); + } catch (adLDAPException $e) { + if ($this->cnf['debug']) msg('AD Auth: '.$e->getMessage(), -1); + $return = false; + } + } + + return $return; + } + + /** + * Initialize the AdLDAP library and connect to the server + */ + function _init(){ + if(!is_null($this->adldap)) return true; + + // connect + try { + $this->adldap = new adLDAP($this->opts); + if (isset($this->opts['ad_username']) && isset($this->opts['ad_password'])) { + $this->canDo['getUsers'] = true; + } + return true; + } catch (adLDAPException $e) { + if ($this->cnf['debug']) { + msg('AD Auth: '.$e->getMessage(), -1); + } + $this->success = false; + $this->adldap = null; + } + return false; + } + + /** + * return 1 if $user + $info match $filter criteria, 0 otherwise + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function _filter($user, $info) { + foreach ($this->_pattern as $item => $pattern) { + if ($item == 'user') { + if (!preg_match($pattern, $user)) return 0; + } else if ($item == 'grps') { + if (!count(preg_grep($pattern, $info['grps']))) return 0; + } else { + if (!preg_match($pattern, $info[$item])) return 0; + } + } + return 1; + } + + function _constructPattern($filter) { + $this->_pattern = array(); + foreach ($filter as $item => $pattern) { +// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters + $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters + } + } +}
\ No newline at end of file diff --git a/lib/plugins/authpgsql/plugin.info.txt b/lib/plugins/authpgsql/plugin.info.txt new file mode 100644 index 000000000..ad565b853 --- /dev/null +++ b/lib/plugins/authpgsql/plugin.info.txt @@ -0,0 +1,7 @@ +base authad +author +email +date +name active directory auth plugin +desc Provides authentication against a Microsoft Active Directory +url diff --git a/inc/auth/plain.class.php b/lib/plugins/authplain/auth.php index 3941190e9..4be0e0c19 100644 --- a/inc/auth/plain.class.php +++ b/lib/plugins/authplain/auth.php @@ -1,14 +1,23 @@ <?php /** + * Plugin auth provider + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Jan Schumann <js@schumann-it.com> + */ +// must be run within Dokuwiki +if(!defined('DOKU_INC')) die(); + +/** * Plaintext authentication backend * * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) * @author Andreas Gohr <andi@splitbrain.org> * @author Chris Smith <chris@jalakai.co.uk> + * @author Jan Schumann <js@schumann-it.com> */ - -class auth_plain extends auth_basic { - +class auth_plugin_authplain extends DokuWiki_Auth_Plugin +{ var $users = null; var $_pattern = array(); @@ -20,7 +29,7 @@ class auth_plain extends auth_basic { * * @author Christopher Smith <chris@jalakai.co.uk> */ - function auth_plain() { + function auth_plugin_authplain() { global $config_cascade; if (!@is_readable($config_cascade['plainauth.users']['default'])){ @@ -322,7 +331,5 @@ class auth_plain extends auth_basic { // $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters } - } -} - -//Setup VIM: ex: et ts=2 : + } +}
\ No newline at end of file diff --git a/lib/plugins/authplain/plugin.info.txt b/lib/plugins/authplain/plugin.info.txt new file mode 100644 index 000000000..3273e21d7 --- /dev/null +++ b/lib/plugins/authplain/plugin.info.txt @@ -0,0 +1,7 @@ +base authplain +author +email +date +name auth plugin +desc Provides authentication against local password storage +url diff --git a/lib/plugins/config/settings/extra.class.php b/lib/plugins/config/settings/extra.class.php index cee3c6b20..f6adf1c18 100644 --- a/lib/plugins/config/settings/extra.class.php +++ b/lib/plugins/config/settings/extra.class.php @@ -45,22 +45,52 @@ if (!class_exists('setting_authtype')) { function initialize($default,$local,$protected) { global $plugin_controller; - // populate $this->_choices with a list of available auth mechanisms - $authtypes = glob(DOKU_INC.'inc/auth/*.class.php'); - $authtypes = preg_replace('#^.*/([^/]*)\.class\.php$#i','$1', $authtypes); - $authtypes = array_diff($authtypes, array('basic')); - // retrive auth types provided by plugins foreach ($plugin_controller->getList('auth') as $plugin) { - $authtypes[] = $plugin; + $this->_choices[] = $plugin; } - $authtypes = array_unique($authtypes); - - $this->_choices = $authtypes; - parent::initialize($default,$local,$protected); } + + function update($input) { + global $plugin_controller; + + // is an update posible? + $mayUpdate = parent::update($input); + + // is it an auth plugin? + if (in_array($input, $plugin_controller->getList('auth'))) { + // reject disabled plugins + if ($plugin_controller->isdisabled($input)) { + $this->_error = true; + msg('Auth type ' . $input . ' is disabled.'); + return false; + } + + // load the plugin + $auth_plugin = $plugin_controller->load('auth', $input); + + // @TODO: throw an error in plugin controller instead of returning null + if (is_null($auth_plugin)) { + $this->_error = true; + msg('Cannot load Auth Plugin "' . $input . '"'); + return false; + } + + // verify proper instanciation (is this really a plugin?) @TODO use instanceof? impement interface? + if (is_object($auth_plugin) && !method_exists($auth_plugin, 'getPluginName')) { + $this->_error = true; + msg('Cannot create Auth Plugin "' . $input . '"'); + return false; + } + } + + msg('Successfully changed auth system. Please re-login.'); + auth_logoff(); + + return true; + } } } |