PageRenderTime 56ms CodeModel.GetById 19ms RepoModel.GetById 0ms app.codeStats 0ms

/inc/auth.php

https://bitbucket.org/yoander/mtrack
PHP | 352 lines | 258 code | 40 blank | 54 comment | 57 complexity | f047c3637c7099f1ae60927f80ebd4d5 MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0 
    

  1. <?php # vim:ts=2:sw=2:et:
    2. 

  2. /* For licensing and copyright terms, see the file named LICENSE */
    3. 

  3. 

  4. include_once MTRACK_INC_DIR . '/auth/mtrack.php';
    5. 

  5. include_once MTRACK_INC_DIR . '/auth/anon.php';
    6. 

  6. include_once MTRACK_INC_DIR . '/auth/http.php';
    7. 

  7. include_once MTRACK_INC_DIR . '/auth/openid.php';
    8. 

  8. include_once MTRACK_INC_DIR . '/auth/browserid.php';
    9. 

  9. include_once MTRACK_INC_DIR . '/auth/facebook.php';
    10. 

  10. 

  11. interface IMTrackAuth {
    12. 

  12.   /** Returns the authenticated user, or null if authentication is
    13. 

  13.    * required */
    14. 

  14.   function authenticate();
    15. 

  15. 

  16.   /** Called if the user is not authenticated as a registered
    17. 

  17.    * user and if the page requires it.
    18. 

  18.    * Should initiate whatever is appropriate to begin the authentication
    19. 

  19.    * process (eg: displaying logon information).
    20. 

  20.    * You may assume that no output has been sent to the client at
    21. 

  21.    * the time that this function is called.
    22. 

  22.    * Returns null if not supported, throw an exception if failed,
    23. 

  23.    * else return a the authenticated user (if it can be determined
    24. 

  24.    * by the time the function returns).
    25. 

  25.    * If an alternate login page is displayed, this function should
    26. 

  26.    * exit instead of returning.
    27. 

  27.    */
    28. 

  28.   function doAuthenticate($force = false);
    29. 

  29. 

  30.   /** Returns a list of available groups.
    31. 

  31.    * Returns null if not supported, throw an exception if failed. */
    32. 

  32.   function enumGroups();
    33. 

  33. 

  34.   /** Returns a list of groups that a given user belongs to.
    35. 

  35.    * Returns null if not supported, throw an exception if failed. */
    36. 

  36.   function getGroups($username);
    37. 

  37. 

  38.   /** Adds a user to a group.
    39. 

  39.    * Returns null if not supported, throw an exception if failed,
    40. 

  40.    * return true if succeeded */
    41. 

  41.   function addToGroup($username, $groupname);
    42. 

  42. 

  43.   /** Removes a user from a group.
    44. 

  44.    * Returns null if not supported, throw an exception if failed,
    45. 

  45.    * return true if succeeded */
    46. 

  46.   function removeFromGroup($username, $groupname);
    47. 

  47. 

  48.   /** Returns userdata for a given user id
    49. 

  49.    * Some authentication mechanisms outsource the storage of user data.
    50. 

  50.    * This function returns null if no additional information is available,
    51. 

  51.    * or an array containing the following keys:
    52. 

  52.    *   email - the email address
    53. 

  53.    *   fullname - the full name
    54. 

  54.    *   avatar - URL to an avatar image
    55. 

  55.    */
    56. 

  56.   function getUserData($username);
    57. 

  57. 

  58.   /** Returns true if this mechanism is one that is capable of signing
    59. 

  59.    * out under application control */
    60. 

  60.   function canLogOut();
    61. 

  61. 

  62.   /** logs the user out */
    63. 

  63.   function LogOut();
    64. 

  64. }
    65. 

  65. 

  66. class MTrackAuth
    67. 

  67. {
    68. 

  68.   static $stack = array();
    69. 

  69.   static $mechs = array();
    70. 

  70.   static $group_assoc = array();
    71. 

  71. 

  72.   public static function registerMech(IMTrackAuth $mech) {
    73. 

  73.     self::$mechs[] = $mech;
    74. 

  74.   }
    75. 

  75. 

  76.   /** switch user */
    77. 

  77.   public static function su($user) {
    78. 

  78.     if (!strlen($user)) throw new Exception("invalid user");
    79. 

  79.     array_unshift(self::$stack, $user);
    80. 

  80.     putenv("MTRACK_LOGNAME=$user");
    81. 

  81.   }
    82. 

  82. 

  83.   /** returns the instance of an auth mechanism given its class name */
    84. 

  84.   public static function getMech($name) {
    85. 

  85.     foreach (self::$mechs as $inst) {
    86. 

  86.       if ($inst instanceof $name) {
    87. 

  87.         return $inst;
    88. 

  88.       }
    89. 

  89.     }
    90. 

  90.     return null;
    91. 

  91.   }
    92. 

  92. 

  93.   /** drop identity set by last su */
    94. 

  94.   public static function drop() {
    95. 

  95.     if (count(self::$stack) == 0) {
    96. 

  96.       throw new Exception("no privs to drop");
    97. 

  97.     }
    98. 

  98.     $user = array_shift(self::$stack);
    99. 

  99.     putenv("MTRACK_LOGNAME=$user");
    100. 

  100.     return $user;
    101. 

  101.   }
    102. 

  102. 

  103.   /** returns the authenticated user, or null if authentication
    104. 

  104.    * is required */
    105. 

  105.   public static function authenticate() {
    106. 

  106. 

  107.     /* admin party trumps all; we need to bypass all auth mechs
    108. 

  108.      * while we're configuring the system */
    109. 

  109.     if (!MTrackConfig::get('core', 'admin_party')) {
    110. 

  110.       foreach (self::$mechs as $mech) {
    111. 

  111.         $name = $mech->authenticate();
    112. 

  112.         if ($name !== null) {
    113. 

  113.           return $name;
    114. 

  114.         }
    115. 

  115.       }
    116. 

  116.     }
    117. 

  117. 

  118.     /* always fall back on the unix username when running from
    119. 

  119.      * the console */
    120. 

  120.     if (php_sapi_name() == 'cli') {
    121. 

  121.       static $envs = array('MTRACK_LOGNAME', 'LOGNAME', 'USER');
    122. 

  122.       foreach ($envs as $name) {
    123. 

  123.         if (isset($_ENV[$name])) {
    124. 

  124.           return $_ENV[$name];
    125. 

  125.         }
    126. 

  126.       }
    127. 

  127.     } elseif (MTrackConfig::get('core', 'admin_party') == 1) {
    128. 

  128.       $party = MTrackConfig::get('core', 'admin_party_remote_address');
    129. 

  129.       if (in_array($_SERVER['REMOTE_ADDR'], explode(',', $party))) {
    130. 

  130.         return 'adminparty';
    131. 

  131.       }
    132. 

  132.     }
    133. 

  133. 

  134.     return null;
    135. 

  135.   }
    136. 

  136. 

  137.   public static function isAuthConfigured() {
    138. 

  138.     return count(self::$mechs) ? true : false;
    139. 

  139.   }
    140. 

  140. 

  141.   /** determine the current identity.  If doauth is true (default),
    142. 

  142.    * then the authentication hook will be invoked */
    143. 

  143.   public static function whoami($doauth = true) {
    144. 

  144.     if (count(self::$stack) == 0 && $doauth) {
    145. 

  145.       try {
    146. 

  146.         $who = self::authenticate();
    147. 

  147.         if ($who === null && !MTrackConfig::get('core', 'admin_party')) {
    148. 

  148.           foreach (self::$mechs as $mech) {
    149. 

  149.             $who = $mech->doAuthenticate();
    150. 

  150.             if ($who !== null) {
    151. 

  151.               break;
    152. 

  152.             }
    153. 

  153.           }
    154. 

  154.         }
    155. 

  155.         if ($who !== null) {
    156. 

  156.           self::su($who);
    157. 

  157.         }
    158. 

  158.       } catch (Exception $e) {
    159. 

  159.         if (php_sapi_name() != 'cli') {
    160. 

  160.           header('HTTP/1.0 401 Unauthorized');
    161. 

  161.           echo "<h1>Not authorized</h1>";
    162. 

  162.           echo htmlentities($e->getMessage());
    163. 

  163.         } else {
    164. 

  164.           echo " ** Not authorized\n\n";
    165. 

  165.           echo $e->getMessage() . "\n";
    166. 

  166.         }
    167. 

  167.         error_log($e->getMessage());
    168. 

  168.         exit(1);
    169. 

  169.       }
    170. 

  170.     }
    171. 

  171.     if (!count(self::$stack)) {
    172. 

  172.       return "anonymous";
    173. 

  173.     }
    174. 

  174.     return self::$stack[0];
    175. 

  175.   }
    176. 

  176. 

  177.   static function getUserClass($user = null) {
    178. 

  178.     if ($user === null) {
    179. 

  179.       $user = self::whoami();
    180. 

  180.     }
    181. 

  181.     if (MTrackConfig::get('core', 'admin_party') == 1
    182. 

  182.         && $user == 'adminparty'
    183. 

  183.         && in_array($_SERVER['REMOTE_ADDR'], explode(',', MTrackConfig::get('core', 'admin_party_remote_address')))) {
    184. 

  184.       return 'admin';
    185. 

  185.     }
    186. 

  186. 

  187.     $user_class = MTrackConfig::get('user_classes', $user);
    188. 

  188.     if ($user_class === null) {
    189. 

  189.       if ($user == 'anonymous') {
    190. 

  190.         return 'anonymous';
    191. 

  191.       }
    192. 

  192.       return 'authenticated';
    193. 

  193.     }
    194. 

  194.     return $user_class;
    195. 

  195.   }
    196. 

  196. 

  197.   static $userdata_cache = array();
    198. 

  198.   static function getUserData($username) {
    199. 

  199.     $username = mtrack_canon_username($username);
    200. 

  200. 

  201.     if (array_key_exists($username, self::$userdata_cache)) {
    202. 

  202.       return self::$userdata_cache[$username];
    203. 

  203.     }
    204. 

  204.     $data = null;
    205. 

  205.     foreach (self::$mechs as $mech) {
    206. 

  206.       $data = $mech->getUserData($username);
    207. 

  207.       if ($data !== null) {
    208. 

  208.         break;
    209. 

  209.       }
    210. 

  210.     }
    211. 

  211.     foreach (MTrackDB::q(
    212. 

  212.           'select fullname, email from userinfo where userid = ?',
    213. 

  213.           $username)->fetchAll(PDO::FETCH_ASSOC) as $row) {
    214. 

  214.       if ($data === null) {
    215. 

  215.         $data = $row;
    216. 

  216.         break;
    217. 

  217.       }
    218. 

  218.       foreach ($row as $k => $v) {
    219. 

  219.         if (!isset($data[$k]) || empty($data[$k])) {
    220. 

  220.           $data[$k] = $v;
    221. 

  221.         }
    222. 

  222.       }
    223. 

  223.       break;
    224. 

  224.     }
    225. 

  225.     if ($data === null) {
    226. 

  226.       $data = array(
    227. 

  227.         'fullname' => $username
    228. 

  228.       );
    229. 

  229.     }
    230. 

  230. 

  231.     if (!isset($data['email'])) {
    232. 

  232.       if (preg_match('/<([a-z0-9_.+=-]+@[a-z0-9.-]+)>/', $username, $M)) {
    233. 

  233.         // username contains an email address
    234. 

  234.         $data['email'] = $M[1];
    235. 

  235.       } else if (preg_match('/^([a-z0-9_.+=-]+@[a-z0-9.-]+)$/', $username)) {
    236. 

  236.         // username is an email address
    237. 

  237.         $data['email'] = $username;
    238. 

  238.       } else if (preg_match('/^[a-z0-9_.+=-]+$/', $username)) {
    239. 

  239.         // valid localpart; assume a domain and construct an email address
    240. 

  240.         $dom = MTrackConfig::get('core', 'default_email_domain');
    241. 

  241.         if ($dom !== null) {
    242. 

  242.           $data['email'] = $username . '@' . $dom;
    243. 

  243.         }
    244. 

  244.       }
    245. 

  245.     }
    246. 

  246. 

  247.     self::$userdata_cache[$username] = $data;
    248. 

  248. 

  249.     return $data;
    250. 

  250.   }
    251. 

  251. 

  252.   /* enumerates possible groups from the auth plugin layer */
    253. 

  253.   static function enumGroups() {
    254. 

  254.     $groups = array();
    255. 

  255.     foreach (self::$mechs as $mech) {
    256. 

  256.       $g = $mech->enumGroups();
    257. 

  257.       if (is_array($g)) {
    258. 

  258.         foreach ($g as $i => $grp) {
    259. 

  259.           if (is_integer($i)) {
    260. 

  260.             $groups[$grp] = $grp;
    261. 

  261.           } else {
    262. 

  262.             $groups[$i] = $grp;
    263. 

  263.           }
    264. 

  264.         }
    265. 

  265.       }
    266. 

  266.     }
    267. 

  267.     /* merge in our project groups */
    268. 

  268.     foreach (MTrackDB::q('select project, g.name, p.name from groups g left join projects p on g.project = p.projid')
    269. 

  269.         as $row) {
    270. 

  270.       $gid = "project:$row[0]:$row[1]";
    271. 

  271.       $groups[$gid] = "$row[1] ($row[2])";
    272. 

  272.     }
    273. 

  273.     return $groups;
    274. 

  274.   }
    275. 

  275. 

  276.   /* returns groups of which the authenticated user is a member */
    277. 

  277.   static function getGroups($user = null) {
    278. 

  278.     if ($user === null) {
    279. 

  279.       $user = self::whoami();
    280. 

  280.     }
    281. 

  281.     $canon = mtrack_canon_username($user);
    282. 

  282. 

  283.     if (isset(self::$group_assoc[$user])) {
    284. 

  284.       return self::$group_assoc[$user];
    285. 

  285.     }
    286. 

  286. 

  287.     $roles = array($canon => $canon);
    288. 

  288. 

  289.     $user_class = self::getUserClass($user); // FIXME: $canon?
    290. 

  290.     $class_roles = MTrackConfig::get('user_class_roles', $user_class);
    291. 

  291.     foreach (preg_split('/\s*,\s*/', $class_roles) as $role) {
    292. 

  292.       $roles[$role] = $role;
    293. 

  293.     }
    294. 

  294. 

  295.     foreach (self::$mechs as $mech) {
    296. 

  296.       $g = $mech->getGroups($user);
    297. 

  297.       if (is_array($g)) {
    298. 

  298.         foreach ($g as $i => $grp) {
    299. 

  299.           if (is_integer($i)) {
    300. 

  300.             $roles[$grp] = $grp;
    301. 

  301.           } else {
    302. 

  302.             $roles[$i] = $grp;
    303. 

  303.           }
    304. 

  304.         }
    305. 

  305.       }
    306. 

  306.     }
    307. 

  307.     /* merge in our project group membership */
    308. 

  308.     foreach (MTrackDB::q('select project, groupname, p.name from group_membership gm left join projects p on gm.project = p.projid where username = ?',
    309. 

  309.         $canon)->fetchAll() as $row) {
    310. 

  310.       $gid = "project:$row[0]:$row[1]";
    311. 

  311.       $roles[$gid] = "$row[1] ($row[2])";
    312. 

  312.     }
    313. 

  313. 

  314.     self::$group_assoc[$user] = $roles;
    315. 

  315.     return $roles;
    316. 

  316.   }
    317. 

  317. 

  318.   static function forceAuthenticate() {
    319. 

  319.     try {
    320. 

  320.       $who = self::authenticate();
    321. 

  321.       if ($who === null && !MTrackConfig::get('core', 'admin_party')) {
    322. 

  322.         foreach (self::$mechs as $mech) {
    323. 

  323.           $who = $mech->doAuthenticate(true);
    324. 

  324.           if ($who !== null) {
    325. 

  325.             break;
    326. 

  326.           }
    327. 

  327.         }
    328. 

  328.       }
    329. 

  329.       if ($who !== null) {
    330. 

  330.         self::su($who);
    331. 

  331.       }
    332. 

  332.     } catch (Exception $e) {
    333. 

  333.     }
    334. 

  334.   }
    335. 

  335. 

  336.   static function canLogOut() {
    337. 

  337.     foreach (self::$mechs as $mech) {
    338. 

  338.       if ($mech->canLogOut()) {
    339. 

  339.         return true;
    340. 

  340.       }
    341. 

  341.     }
    342. 

  342.     return false;
    343. 

  343.   }
    344. 

  344. 

  345.   static function LogOut() {
    346. 

  346.     foreach (self::$mechs as $mech) {
    347. 

  347.       $mech->LogOut();
    348. 

  348.     }
    349. 

  349.   }
    350. 

  350. 

  351. }
    352. 

  352. 

  353.