-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.php
260 lines (225 loc) · 8.98 KB
/
auth.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
<?php
/**
* DokuWiki Plugin authyubikey (Auth Component)
* Plaintext authentication backend combined with Yubico's OTP
*
* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
* @author Dirk Scheer <[email protected]>
*/
// This lib is developed by Yubico.
// Take a look at https://developers.yubico.com/php-yubico/
require_once 'lib/Yubico.php';
// must be run within Dokuwiki
if(!defined('DOKU_INC')) die();
/*
* Class auth_plugin_authyubikey simply extends the basic
* auth_plugin_authplain class definition by Andreas Gohr
* <[email protected]>.
*/
class auth_plugin_authyubikey extends auth_plugin_authplain {
/**
* Constructor
*
* Carry out sanity checks to ensure the object is
* able to operate. Set capabilities.
*
* @author Dirk Scheer <[email protected]>
*/
public function __construct() {
parent::__construct();
}
/**
* Check user+password
*
* Checks if the given user exists and the given
* plaintext password is correct
*
* @author Dirk Scheer <[email protected]>
* @param string $user
* @param string $pass
* @return bool
*/
public function checkPass($user, $pass) {
global $INPUT;
global $config;
/* Get all defined users with their attributes */
$userinfo = $this->getUserData($user);
if($userinfo === false) return false;
/* Check the given password */
if(auth_verifyPassword($pass, $this->users[$user]['pass']) === false) return false;
/* If this function is called in another context as the login form;
* then checking of the password is enough.
* (I hope, this is not a security risc!!!)
*/
if($INPUT->str('do') !== 'login') {
return true;
}
/* Get the yubikey IDs of the user. If the user has no IDs,
* no further checking is needed for this user.
*/
$yubikeys = $this->users[$user]['yubi'];
if(count($yubikeys) === 0) return true;
/* Get the one-time password, the user has entered
* in the login form. From this OTP we have to extract the
* first 12 bytes. These bytes build the ID of the key, which
* is stored in the yubikey-mapping file.
*/
$otp = $INPUT->str('otp');
$yid = substr($otp, 0, 12);
if(in_array($yid, $yubikeys) === false) return false;
/* A corresponding Yubikey ID was found, so we will check
* finally the entered OTP against the servers of Yubico.
*/
$yubi = new Auth_Yubico($this->getConf('yubico_client_id'), $this->getConf('yubico_secret_key'));
$auth = $yubi->verify($otp);
return (PEAR::isError($auth) ? false : true);
}
/**
* Modify user data
*
* @author Dirk Scheer <[email protected]>
* @author Chris Smith <[email protected]>
* @param string $user nick of the user to be changed
* @param array $changes array of field/value pairs to be changed (password will be clear text)
* @return bool
*/
public function modifyUser($user, $changes) {
global $ACT;
global $INPUT;
global $conf;
global $config_cascade;
// sanity checks, user must already exist and there must be something to change
if(($userinfo = $this->getUserData($user)) === false) return false;
if(!is_array($changes) || !count($changes)) return true;
// update userinfo with new data, remembering to encrypt any password
$newuser = $user;
foreach($changes as $field => $value) {
if($field == 'user') {
$newuser = $value;
continue;
}
if($field == 'pass') $value = auth_cryptPassword($value);
$userinfo[$field] = $value;
}
// Check all entered Yubikeys
$yubi = new Auth_Yubico($this->getConf('yubico_client_id'), $this->getConf('yubico_secret_key'));
$errors = array();
$userinfo['yubi'] = array();
for($i=0; $i < intval($this->getConf('yubico_maxkeys')); $i++) {
$otp = $INPUT->str('yubikeyid'.$i);
if($otp !== '') {
if($otp == $this->users[$user]['yubi'][$i]) {
array_push($userinfo['yubi'], substr($otp, 0, 12));
}
else {
$auth = $yubi->verify($otp);
if(PEAR::isError($auth) && $auth != 'REPLAYED_OTP') {
if($this->getConf('yubico_maxkeys') == 1) {
array_push($errors, sprintf($this->getLang('yubikeyiderr'), substr($otp, 0, 12), $auth));
}
else {
array_push($errors, sprintf($this->getLang('yubikeyidserr'), $i+1, substr($otp, 0, 12), $auth));
}
}
else {
array_push($userinfo['yubi'], substr($otp, 0, 12));
}
}
}
}
if(count($errors) > 0) {
foreach($errors as $error) {
$errtext .= $error . '<BR>';
}
msg($errtext, -1);
return false;
}
$userline = $this->_createUserLine($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $userinfo['grps']);
if(!$this->deleteUsers(array($user))) {
msg($this->getLang('yubikeymodifyerr1'), -1);
return false;
}
if(!io_saveFile($config_cascade['plainauth.users']['default'], $userline, true)) {
msg($this->getLang('yubikeymodifyerr2'), -1);
// FIXME, user has been deleted but not recreated, should force a logout and redirect to login page
$ACT = 'register';
return false;
}
$yubiline = '';
foreach($userinfo['yubi'] as $yubi) {
$yubiline .= $newuser . ':' . $yubi . "\n";
}
if(!io_saveFile(DOKU_CONF . 'users.yubikeys.php', $yubiline, true)) {
msg($this->getLang('yubikeymodifyerr3'), -1);
return false;
}
$this->users[$newuser] = $userinfo;
return true;
}
/**
* Remove one or more users from the list of registered users
*
* @author Dirk Scheer <[email protected]>
* @author Christopher Smith <[email protected]>
* @param array $users array of users to be deleted
* @return int the number of users deleted
*/
public function deleteUsers($users) {
global $config_cascade;
if(!is_array($users) || empty($users)) return 0;
if($this->users === null) $this->_loadUserData();
$deleted = array();
foreach($users as $user) {
if(isset($this->users[$user])) $deleted[] = preg_quote($user, '/');
}
if(empty($deleted)) return 0;
$pattern = '/^('.join('|', $deleted).'):/';
io_deleteFromFile($config_cascade['plainauth.users']['default'], $pattern, true);
io_deleteFromFile(DOKU_CONF . 'users.yubikeys.php', $pattern, true);
// reload the user list and count the difference
$count = count($this->users);
$this->_loadUserData();
$count -= count($this->users);
return $count;
}
/**
* Load all user data
*
* loads the user file into a datastructure
*
* @author Dirk Scheer <[email protected]>
* @author Andreas Gohr <[email protected]>
*/
protected function _loadUserData() {
global $config_cascade;
$this->users = array();
if(!@file_exists($config_cascade['plainauth.users']['default'])) return;
$lines = file($config_cascade['plainauth.users']['default']);
foreach($lines as $line) {
$line = preg_replace('/#.*$/', '', $line); //ignore comments
$line = trim($line);
if(empty($line)) continue;
/* NB: preg_split can be deprecated/replaced with str_getcsv once dokuwiki is min php 5.3 */
$row = $this->_splitUserData($line);
$row = str_replace('\\:', ':', $row);
$row = str_replace('\\\\', '\\', $row);
$groups = array_values(array_filter(explode(",", $row[4])));
$this->users[$row[0]]['pass'] = $row[1];
$this->users[$row[0]]['name'] = urldecode($row[2]);
$this->users[$row[0]]['mail'] = $row[3];
$this->users[$row[0]]['grps'] = $groups;
$this->users[$row[0]]['yubi'] = array();
}
/* Read the mapping table for Yubikeys */
$lines = file(DOKU_CONF . 'users.yubikeys.php');
foreach($lines as $line) {
$line = preg_replace('/#.*$/', '', $line); //ignore comments
$line = trim($line);
if(empty($line)) continue;
list($user, $yubikey) = explode(':', $line);
if(isset($this->users[$user])) {
array_push($this->users[$user]['yubi'], $yubikey);
}
}
}
}