authorAndreas Gohr <gohr@cosmocode.de>2006-01-10 10:29:03 +0100
committerAndreas Gohr <gohr@cosmocode.de>2006-01-10 10:29:03 +0100
commitf5cb575df722c05fc0a6ba960bd2a79d5ed5621c (patch)
tree3638e9a835a860e94a86c52e745880fcc4c6810f
parent96331712eb165972845b097644336ca87a81dfcd (diff)
external authentication
This patch adds the functionality to override the usual auth_mechanism completely and replace it with your own. This can be used to authenticate against Apache auth mechanisms or third party software cookies. A very basic example for using PunBB's $pun_user variable is included. darcs-hash:20060110092903-6e07b-7c7750da4eb4e9116ddc28c77015488ea500c07d.gz
-rw-r--r--inc/auth.php9
-rw-r--r--inc/auth/basic.class.php50
-rw-r--r--inc/auth/punbb.class.php55
3 files changed, 112 insertions, 2 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 26d208a1f..f9d00b9b1 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -85,8 +85,15 @@
define('AUTH_DELETE',16);
define('AUTH_ADMIN',255);
+ // do the login either by cookie or provided credentials
if($conf['useacl']){
- auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
+ // external trust mechanism in place?
+ if(auth_canDo('trustExternal') && !is_null($auth)){
+ $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
+ }else{
+ auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
+ }
+
//load ACL into a global array
if(is_readable(DOKU_CONF.'acl.auth.php')){
$AUTH_ACL = file(DOKU_CONF.'acl.auth.php');
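Review bot: The return value of `$auth->trustExternal(...)` is discarded, so a backend that returns false without cleaning up leaves any `$_SERVER['REMOTE_USER']` or session auth data already present in place for the ACL code that follows. The PunBB backend in this commit calls `auth_logoff()` itself on failure, but nothing at this call site enforces that for other backends. Consider `if(!$auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'])) auth_logoff();`, or state the cleanup as a hard requirement of the interface. The condition also evaluates `auth_canDo('trustExternal')` before `!is_null($auth)`; swapping the two would be safer if auth_canDo dereferences `$auth`, which cannot be seen from here. The enclosing `if($conf['useacl'])` block continues past the hunk.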
diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php
index 8905f283d..f39a9c392 100644
--- a/inc/auth/basic.class.php
+++ b/inc/auth/basic.class.php
@@ -10,7 +10,55 @@
class auth_basic {
- var $success = TRUE;
+ var $success = true;
+
+ /**
+ * Do all authentication [ OPTIONAL ]
+ *
+ * If this function is implemented it will be used to
+ * authenticate a user - all other DokuWiki internals
+ * will not be used for authenticating, thus
+ * implementing the functions below becomes optional.
+ *
+ * The function can be used to authenticate against third
+ * party cookies or Apache auth mechanisms and replaces
+ * the auth_login() function
+ *
+ * The function will be called with or without a set
+ * username. If the Username is given it was called
+ * from the login form and the given credentials might
+ * need to be checked. If no username was given it
+ * the function needs to check if the user is logged in
+ * by other means (cookie, environment).
+ *
+ * The function needs to set some globals needed by
+ * DokuWiki like auth_login() does.
+ *
+ * @see auth_login()
+ * @author Andreas Gohr <andi@splitbrain.org>
+ *
+ * @param string $user Username
+ * @param string $pass Cleartext Password
+ * @param bool $sticky Cookie should not expire
+ * @return bool true on successful auth
+ */
+# function trustExternal($user,$pass,$sticky=false){
+# global $USERINFO;
+# global $conf;
+# $sticky ? $sticky = true : $sticky = false; //sanity check
+#
+# // do the checking here
+#
+# // set the globals if authed
+# $USERINFO['name'] = 'FIXME';
+# $USERINFO['mail'] = 'FIXME';
+# $USERINFO['grps'] = array('FIXME');
+# $_SERVER['REMOTE_USER'] = $user;
+# $_SESSION[$conf['title']]['auth']['user'] = $user;
+# $_SESSION[$conf['title']]['auth']['pass'] = $pass;
+# $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
+# return true;
+# }
/**
* Check user+password [ MUST BE OVERRIDDEN ]
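Review bot: The commented-out `trustExternal()` template fails open: once uncommented it sets `$_SERVER['REMOTE_USER'] = $user` from the caller-supplied name and returns true, unless the implementer remembers to replace `// do the checking here` with a real check. A safer skeleton puts the global assignments inside a guarded branch such as `if($ok){ ... return true; }` and ends with `return false;`, so a half-finished copy denies access instead of granting it. The template also shows `$_SESSION[$conf['title']]['auth']['pass'] = $pass;`, which keeps the cleartext password in the session; the PunBB backend in this commit leaves that line out, and the template should drop it too or carry a comment such as `// avoid storing $pass unless a later re-check needs it`. The docblock should add that `$user` and `$pass` arrive unvalidated from `$_REQUEST` and that the function must clear login state on failure. The class body continues outside the hunk.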
diff --git a/inc/auth/punbb.class.php b/inc/auth/punbb.class.php
new file mode 100644
index 000000000..e4e7bca42
--- /dev/null
+++ b/inc/auth/punbb.class.php
@@ -0,0 +1,55 @@
+<?php
+/**
+ * PunBB auth backend
+ *
+ * Uses external Trust mechanism to check against PunBB's
+ * user cookie. PunBB's PUN_ROOT must be defined correctly.
+ *
+ * It inherits from the MySQL module, so you may set up
+ * the correct SQL strings for user modification if you like.
+ *
+ * @todo This is far from perfect yet. SQL Strings should be
+ * predefined. Logging in should be handled correctly.
+ * @author Andreas Gohr <andi@splitbrain.org>
+ */
+
+if(!defined('PUN_ROOT')) define('PUN_ROOT', DOKU_INC.'../forum/');
+require_once PUN_ROOT.'include/common.php';
+require_once DOKU_INC.'inc/auth/mysql.class.php';
+
+class auth_punbb extends auth_mysql {
+
+ /**
+ * Just checks against the $pun_user variable
+ */
+ function trustExternal($user,$pass,$sticky=false){
+ global $USERINFO;
+ global $conf;
+ global $pun_user;
+ $sticky ? $sticky = true : $sticky = false; //sanity check
+
+ // someone used the login form
+ if(isset($user)){
+ msg('Please login at the forum',-1);
+ //FIXME a redirect to PunBBs login would be nice here
+ auth_logoff();
+ return false;
+ }
+
+ if(isset($pun_user) && !$pun_user['is_guest']){
+ // okay we're logged in - set the globals
+ $USERINFO['name'] = $pun_user['username'];
+ $USERINFO['mail'] = $pun_user['email'];
+ $USERINFO['grps'] = array($pun_user['g_title']);
+
+ $_SERVER['REMOTE_USER'] = $pun_user['username'];
+ $_SESSION[$conf['title']]['auth']['user'] = $pun_user['username'];
+ $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
+ return true;
+ }
+
+ // to be sure
+ auth_logoff();
+ return false;
+ }
+}
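Review bot: `$USERINFO['grps'] = array($pun_user['g_title']);` takes the forum's group title verbatim as the wiki's ACL group, and `$pun_user['username']` likewise becomes `REMOTE_USER` without normalisation. If a forum title or name coincides with a group or user named in the wiki's ACL, for instance the wiki's admin group, that forum account inherits those wiki permissions. This makes whoever can edit forum group titles an implicit wiki ACL administrator. An explicit, configured mapping from PunBB groups to wiki groups would be safer; failing that, add a comment such as `// g_title is used verbatim as the ACL group - keep forum titles distinct from wiki admin groups`. Separately, `if(isset($user))` is true for an empty `u` parameter, so any request carrying `u` ends in `auth_logoff()`; if only real form submissions should take that branch, test for a non-empty string instead.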