PageRenderTime 29ms CodeModel.GetById 24ms RepoModel.GetById 1ms app.codeStats 0ms

/htdocs/auth/internal/lib.php

https://gitlab.com/mahara/mahara
PHP | 331 lines | 163 code | 31 blank | 137 comment | 47 complexity | 7de408607f5a39f284c801cc757dfca0 MD5 | raw file
Possible License(s): Apache-2.0, BSD-3-Clause, MIT, LGPL-2.1, LGPL-3.0, GPL-3.0 
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  *
    4. 

  4.  * @package    mahara
    5. 

  5.  * @subpackage auth-internal
    6. 

  6.  * @author     Catalyst IT Ltd
    7. 

  7.  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later
    8. 

  8.  * @copyright  For copyright information on Mahara, please see the README file distributed with this software.
    9. 

  9.  *
    10. 

  10.  */
    11. 

  11. 

  12. defined('INTERNAL') || die();
    13. 

  13. require_once(get_config('docroot') . 'auth/lib.php');
    14. 

  14. 

  15. /**
    16. 

  16.  * The internal authentication method, which authenticates users against the
    17. 

  17.  * Mahara database.
    18. 

  18.  */
    19. 

  19. class AuthInternal extends Auth {
    20. 

  20. 

  21.     public function __construct($id = null) {
    22. 

  22.         $this->has_instance_config = false;
    23. 

  23.         $this->type       = 'internal';
    24. 

  24.         if (!empty($id)) {
    25. 

  25.             return $this->init($id);
    26. 

  26.         }
    27. 

  27.         return true;
    28. 

  28.     }
    29. 

  29. 

  30.     public function init($id) {
    31. 

  31.         $this->ready = parent::init($id);
    32. 

  32.         return true;
    33. 

  33.     }
    34. 

  34. 

  35.     /**
    36. 

  36.      * Attempt to authenticate user
    37. 

  37.      *
    38. 

  38.      * @param object $user     As returned from the usr table
    39. 

  39.      * @param string $password The password being used for authentication
    40. 

  40.      * @return bool            True/False based on whether the user
    41. 

  41.      *                         authenticated successfully
    42. 

  42.      * @throws AuthUnknownUserException If the user does not exist
    43. 

  43.      */
    44. 

  44.     public function authenticate_user_account($user, $password) {
    45. 

  45.         $this->must_be_ready();
    46. 

  46.         $result = $this->validate_password($password, $user->password, $user->salt);
    47. 

  47.         // If result == 1, password is correct
    48. 

  48.         // If result > 1, password is correct but using old settings, should be changed
    49. 

  49.         if ($result > 1 ) {
    50. 

  50.             if ($user->passwordchange != 1) {
    51. 

  51.                 $userobj = new User();
    52. 

  52.                 $userobj->find_by_id($user->id);
    53. 

  53.                 $this->change_password($userobj, $password);
    54. 

  54.                 $user->password = $userobj->password;
    55. 

  55.                 $user->salt = $userobj->salt;
    56. 

  56.             }
    57. 

  57.         }
    58. 

  58.         return $result > 0;
    59. 

  59.     }
    60. 

  60. 

  61.     /**
    62. 

  62.      * Internal authentication never auto-creates users - users instead
    63. 

  63.      * register through register.php
    64. 

  64.      */
    65. 

  65.     public function can_auto_create_users() {
    66. 

  66.         return false;
    67. 

  67.     }
    68. 

  68. 

  69.     public static function can_use_registration_captcha() {
    70. 

  70.         return true;
    71. 

  71.     }
    72. 

  72. 

  73.     /**
    74. 

  74.      * For internal authentication, passwords can contain a range of letters,
    75. 

  75.      * numbers and symbols. There is a minimum limit of eight characters allowed
    76. 

  76.      * for the password, and no upper limit
    77. 

  77.      *
    78. 

  78.      * @param string $password The password to check
    79. 

  79.      * @return bool            Whether the password is valid
    80. 

  80.      */
    81. 

  81.     public function is_password_valid($password) {
    82. 

  82.         list($minlength, $format) = get_password_policy(true);
    83. 

  83. 

  84.         if (!preg_match('/^[a-zA-Z0-9 ~!@#\$%\^&\*\(\)_\-=\+\,\.<>\/\?;:"\[\]\{\}\\\|`\']{' . $minlength . ',}$/', $password)) {
    85. 

  85.             return false;
    86. 

  86.         }
    87. 

  87. 

  88.         // for unicode character properties in php see:
    89. 

  89.         // http://php.net/manual/en/regexp.reference.unicode.php
    90. 

  90.         $containsUppercase = preg_match('/\p{Lu}/',       $password); // '/[A-Z]/'
    91. 

  91.         $containsLowercase = preg_match('/\p{Ll}/',       $password); // '/[a-z]/'
    92. 

  92.         $containsNumber = preg_match('/\pN/',       $password); // '/\d/'
    93. 

  93.         $containsSymbol = preg_match('/[^\pL\pN]/', $password); // '/[^a-zA-Z\d]/'
    94. 

  94. 

  95.         if ($format == 'ul') {
    96. 

  96.             return $containsUppercase && $containsLowercase;
    97. 

  97.         }
    98. 

  98.         if ($format == 'uln') {
    99. 

  99.             return ($containsUppercase && $containsLowercase && $containsNumber);
    100. 

  100.         }
    101. 

  101.         if ($format == 'ulns') {
    102. 

  102.             return ($containsUppercase && $containsLowercase && $containsNumber && $containsSymbol);
    103. 

  103.         }
    104. 

  104. 

  105.         return false;
    106. 

  106.     }
    107. 

  107. 

  108.     /**
    109. 

  109.      * Changes the user's password.
    110. 

  110.      *
    111. 

  111.      * This method is not strictly part of the authentication API, but if
    112. 

  112.      * defined allows the method to change a user's password.
    113. 

  113.      *
    114. 

  114.      * @param object  $user     The user to change the password for
    115. 

  115.      * @param string  $password The password to set for the user
    116. 

  116.      * @param boolean $resetpasswordchange Whether to reset the passwordchange variable or not
    117. 

  117.      * @return string The new password, or empty if the password could not be set
    118. 

  118.      */
    119. 

  119.     public function change_password(User $user, $password, $resetpasswordchange = true, $quickhash = false) {
    120. 

  120.         $this->must_be_ready();
    121. 

  121.         // Create a salted password and set it for the user
    122. 

  122.         $user->salt = substr(md5(rand(1000000, 9999999)), 2, 8);
    123. 

  123.         if ($quickhash) {
    124. 

  124.             // $6$ is SHA512, used as a quick hash instead of bcrypt for now.
    125. 

  125.             $user->password = $this->encrypt_password($password, $user->salt, '$6$', get_config('passwordsaltmain'));
    126. 

  126.         }
    127. 

  127.         else {
    128. 

  128.             // $2a$ is bcrypt hash. See http://php.net/manual/en/function.crypt.php
    129. 

  129.             // It requires a cost, a 2 digit number in the range 04-31
    130. 

  130.             $user->password = $this->encrypt_password($password, $user->salt, '$2a$' . get_config('bcrypt_cost') . '$', get_config('passwordsaltmain'));
    131. 

  131.         }
    132. 

  132.         if ($resetpasswordchange) {
    133. 

  133.             $user->passwordchange = 0;
    134. 

  134.         }
    135. 

  135.         $user->commit();
    136. 

  136.         return $user->password;
    137. 

  137.     }
    138. 

  138. 

  139.     /**
    140. 

  140.      * Internal authentication allows most standard us-keyboard-typable characters
    141. 

  141.      * for username, as long as the username is between three and thirty
    142. 

  142.      * characters in length.
    143. 

  143.      *
    144. 

  144.      * This method is NOT part of the authentication API. Other authentication
    145. 

  145.      * methods never have to do anything regarding usernames being validated on
    146. 

  146.      * the Mahara side, so they do not need this method.
    147. 

  147.      *
    148. 

  148.      * @param string $username The username to check
    149. 

  149.      * @return bool            Whether the username is valid
    150. 

  150.      */
    151. 

  151.     public function is_username_valid($username) {
    152. 

  152.         return preg_match('/^[a-zA-Z0-9!@#$%^&*()\-_=+\[{\]}\\|;:\'",<\.>\/?`]{3,30}$/', $username);
    153. 

  153.     }
    154. 

  154.     /**
    155. 

    156. 

    157. 

  157.      * Internal authentication allows most standard us-keyboard-typable characters
    158. 

  158.      * for username, as long as the username is between three and 236
    159. 

  159.      * characters in length.
    160. 

  160.      *
    161. 

  161.      * This method is NOT part of the authentication API. Other authentication
    162. 

  162.      * methods never have to do anything regarding usernames being validated on
    163. 

  163.      * the Mahara side, so they do not need this method.
    164. 

  164.      *
    165. 

  165.      * This method is meant to only be called for validation by an admin of the user
    166. 

  166.      * and is able to set a password longer than thirty characters in length
    167. 

  167.      *
    168. 

  168.      * @param string $username The username to check
    169. 

  169.      * @return bool            Whether the username is valid
    170. 

  170.      */
    171. 

  171.     public function is_username_valid_admin($username) {
    172. 

  172.         return preg_match('/^[a-zA-Z0-9!@#$%^&*()\-_=+\[{\]}\\|;:\'",<\.>\/?`]{3,236}$/', $username);
    173. 

  173.     }
    174. 

  174. 

  175.     /**
    176. 

  176.      * Changes the user's username.
    177. 

  177.      *
    178. 

  178.      * This method is not strictly part of the authentication API, but if
    179. 

  179.      * defined allows the method to change a user's username.
    180. 

  180.      *
    181. 

  181.      * @param object  $user     The user to change the password for
    182. 

  182.      * @param string  $username The username to set for the user
    183. 

  183.      * @return string The new username, or the original username if it could not be set
    184. 

  184.      */
    185. 

  185.     public function change_username(User $user, $username) {
    186. 

  186.         global $USER;
    187. 

  187. 

  188.         $this->must_be_ready();
    189. 

  189. 

  190.         // proposed username must pass validation
    191. 

  191.         $valid = false;
    192. 

  192.         if ($USER->is_admin_for_user($user)) {
    193. 

  193.             $valid = $this->is_username_valid_admin($username);
    194. 

  194.         } else {
    195. 

  195.             $valid = $this->is_username_valid($username);
    196. 

  196.         }
    197. 

  197. 

  198.         if ($valid) {
    199. 

  199.             $user->username = $username;
    200. 

  200.             $user->commit();
    201. 

  201.         }
    202. 

  202. 

  203.         // return the new username, or the original one if it failed validation
    204. 

  204.         return $user->username;
    205. 

  205.     }
    206. 

  206. 

  207.     /*
    208. 

  208.      The following two functions are inspired by Andrew McMillan's salted md5
    209. 

  209.      functions in AWL, adapted with his kind permission. Changed to use sha1
    210. 

  210.      and match the coding standards for Mahara.
    211. 

  211.     */
    212. 

  212. 

  213.    /**
    214. 

  214.     * Given a password and an optional salt, encrypt the given password.
    215. 

  215.     *
    216. 

  216.     * Passwords are stored in SHA1 form.
    217. 

  217.     *
    218. 

  218.     * @param string $password The password to encrypt
    219. 

  219.     * @param string $salt     The salt to use to encrypt the password
    220. 

  220.     * @param string $alg      The algorithm to use, defaults to $6$ which is SHA512
    221. 

  221.     * @param string $sitesalt A salt to combine with the user's salt to add an extra layer or salting
    222. 

  222.     * @todo salt mandatory
    223. 

  223.     */
    224. 

  224.     public function encrypt_password($password, $salt='', $alg='$6$', $sitesalt='') {
    225. 

  225.         if ($salt == '') {
    226. 

  226.             $salt = substr(md5(rand(1000000, 9999999)), 2, 8);
    227. 

  227.         }
    228. 

  228.         if ($alg == '$6$') { // $6$ is the identifier for the SHA512 algorithm
    229. 

  229.             // Return a hash which is sha512(originalHash, salt), where original is sha1(salt + password)
    230. 

  230.             $password = sha1($salt . $password);
    231. 

  231.             // Generate a salt based on a supplied salt and the passwordsaltmain
    232. 

  232.             $fullsalt = substr(md5($sitesalt . $salt), 0, 16); // SHA512 expects 16 chars of salt
    233. 

  233.         }
    234. 

  234.         else { // This is most likely bcrypt $2a$, but any other algorithm can take up to 22 chars of salt
    235. 

  235.             // Generate a salt based on a supplied salt and the passwordsaltmain
    236. 

  236.             $fullsalt = substr(md5($sitesalt . $salt), 0, 22); // bcrypt expects 22 chars of salt
    237. 

  237.         }
    238. 

  238.         $hash = crypt($password, $alg . $fullsalt);
    239. 

  239.         // Strip out the computed salt
    240. 

  240.         // We strip out the salt hide the computed salt (in case the sitesalt was used which isn't in the database)
    241. 

  241.         $hash = substr($hash, 0, strlen($alg)) . substr($hash, strlen($alg)+strlen($fullsalt));
    242. 

  242.         return $hash;
    243. 

  243.     }
    244. 

  244. 

  245.     /**
    246. 

  246.      * Given a password that the user has sent, the password we have for them
    247. 

  247.      * and the salt we have, see if the password they sent is correct.
    248. 

  248.      *
    249. 

  249.      * @param string $theysent The password the user sent
    250. 

  250.      * @param string $wehave   The salted and hashed password we have in the database for them
    251. 

  251.      * @param string $salt     The salt we have.
    252. 

  252.      * @returns int     0 means not validated, 1 means validated, 2 means validated but needs updating
    253. 

  253.      */
    254. 

  254.     protected function validate_password($theysent, $wehave, $salt) {
    255. 

  255.         $this->must_be_ready();
    256. 

  256. 

  257.         if ($salt == '*') {
    258. 

  258.             // This is a special salt that means this user simply CAN'T log in.
    259. 

  259.             // It is used on the root user (id=0)
    260. 

  260.             return false;
    261. 

  261.         }
    262. 

  262. 

  263.         if (empty($wehave)) {
    264. 

  264.             // This means the user has not been set up completely yet
    265. 

  265.             // Common cause is that still in registration phase
    266. 

  266.             return false;
    267. 

  267.         }
    268. 

  268. 

  269.         $sitesalt = get_config('passwordsaltmain');
    270. 

  270.         $bcrypt = substr($wehave, 0, 4) == '$2a$';
    271. 

  271.         if ($bcrypt) {
    272. 

  272.             $alg = substr($wehave, 0, 7);
    273. 

  273.             $hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
    274. 

  274.         }
    275. 

  275.         else {
    276. 

  276.             $alg = substr($wehave, 0, 3);
    277. 

  277.             $hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
    278. 

  278.         }
    279. 

  279.         if ($hash == $wehave) {
    280. 

  280.             if (!$bcrypt || substr($alg, 4, 2) != get_config('bcrypt_cost')) {
    281. 

  281.                 // Either not using bcrypt yet, or the cost parameter has changed, update the hash
    282. 

  282.                 return 2;
    283. 

  283.             }
    284. 

  284.             // Using bcrypt with the correct cost parameter, leave as is.
    285. 

  285.             return 1;
    286. 

  286.         }
    287. 

  287.         // See http://docs.moodle.org/20/en/Password_salting#Changing_the_salt
    288. 

  288.         if (!empty($sitesalt)) {
    289. 

  289.             // There is a sitesalt set, try without it, and update if passes
    290. 

  290.             $hash = $this->encrypt_password($theysent, $salt, $alg, '');
    291. 

  291.             if ($hash == $wehave) {
    292. 

  292.                 return 2;
    293. 

  293.             }
    294. 

  294.         }
    295. 

  295.         for ($i = 1; $i <= 20; ++ $i) {
    296. 

  296.             // Try 20 alternate sitesalts
    297. 

  297.             $alt = get_config('passwordsaltalt' . $i);
    298. 

  298.             if (!empty($alt)) {
    299. 

  299.                 $hash = $this->encrypt_password($theysent, $salt, $alg, $alt);
    300. 

  300.                 if ($hash == $wehave) {
    301. 

  301.                     return 2;
    302. 

  302.                 }
    303. 

  303.             }
    304. 

  304.         }
    305. 

  305.         // Nothing works, fail
    306. 

  306.         return 0;
    307. 

  307.     }
    308. 

  308. 

  309. }
    310. 

  310. 

  311. /**
    312. 

  312.  * Plugin configuration class
    313. 

  313.  */
    314. 

  314. class PluginAuthInternal extends PluginAuth {
    315. 

  315. 

  316.     public static function has_config() {
    317. 

  317.         return false;
    318. 

  318.     }
    319. 

  319. 

  320.     public static function get_config_options() {
    321. 

  321.         return array();
    322. 

  322.     }
    323. 

  323. 

  324.     public static function has_instance_config() {
    325. 

  325.         return false;
    326. 

  326.     }
    327. 

  327. 

  328.     public static function get_instance_config_options($institution, $instance = 0) {
    329. 

  329.         return array();
    330. 

  330.     }
    331. 

  331. }
    332. 

  332.