Platform  3.1
PHP API documentation
 All Data Structures Namespaces Files Functions Variables Pages
Class.AuthenticatorManager.php
Go to the documentation of this file.
1 <?php
2 /*
3  * @author Anakeen
4  * @license http://creativecommons.org/licenses/by-nc-sa/2.0/fr/ Anakeen - licence CC
5  * @package FDL
6 */
7 /**
8  * Authenticator manager class
9  *
10  * Manage authentification method (classes)
11  *
12  * @author Anakeen 2009
13  * @version $Id: Class.Authenticator.php,v 1.6 2009/01/16 13:33:00 jerome Exp $
14  * @license http://creativecommons.org/licenses/by-nc-sa/2.0/fr/ Anakeen - licence CC
15  * @package FDL
16  * @subpackage
17  */
18 /**
19  */
20 
21 include_once ('WHAT/Lib.Common.php');
22 include_once ('WHAT/Class.Authenticator.php');
23 include_once ('WHAT/Class.Session.php');
24 include_once ('WHAT/Class.User.php');
25 include_once ('WHAT/Class.Log.php');
26 
27 abstract class AuthenticatorManager
28 {
29 
30  public static $session = null;
31  public static $auth = null;
32  public static $provider_errno = 0;
33 
34  public static function checkAccess($authtype = null, $noask = false)
35  {
36  $error = 0;
37  self::$provider_errno = 0;
38  if ($authtype == null) $authtype = getAuthType();
39  if ($authtype == 'apache') {
40  // Apache has already handled the authentication
41  return 0;
42  } else {
43  if (!preg_match('/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/', $authtype)) {
44  print sprintf("Invalid authtype '%s'", $authtype);
45  exit;
46  }
47  $authClass = strtolower($authtype) . "Authenticator";
48  if (!@include_once ('WHAT/Class.' . $authClass . '.php')) {
49  print "Unknown authtype " . $_GET['authtype'];
50  exit;
51  }
52  $auth = new $authClass($authtype, "__for_logout__");
53  }
54 
55  $authProviderList = getAuthProviderList();
56  foreach ($authProviderList as $authProvider) {
57  self::$auth = new $authClass($authtype, $authProvider);
58  $status = self::$auth->checkAuthentication();
59  if ($status === Authenticator::AUTH_ASK) {
60  if ($noask) {
61  return 1;
62  } else {
63  self::$auth->askAuthentication();
64  exit(0);
65  }
66  }
67  if ($status === Authenticator::AUTH_OK) {
68  break;
69  }
70  }
71 
72  if ($status === Authenticator::AUTH_NOK) {
73  $error = 1;
74  $providerErrno = self::$auth->getProviderErrno();
75  if ($providerErrno != 0) {
76  self::$provider_errno = $providerErrno;
77  switch ($providerErrno) {
78  case Provider::ERRNO_BUG_639:
79  // User must change his password
80  $error = - 1;
81  break;
82  }
83  }
84  self::secureLog("failure", "invalid credential", self::$auth->provider->parms['type'] . "/" . self::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], $_REQUEST["auth_user"], $_SERVER["HTTP_USER_AGENT"]);
85  // count login failure
86  if (getParam("AUTHENT_FAILURECOUNT") > 0) {
87  $wu = new User();
88  if ($wu->SetLoginName(self::$auth->getAuthUser())) {
89  if ($wu->id != 1) {
90  include_once ("FDL/freedom_util.php");
91  $du = new_Doc(getParam("FREEDOM_DB") , $wu->fid);
92  if ($du->isAlive()) {
93  $du->disableEditControl();
94  $du->increaseLoginFailure();
95  $du->enableEditControl();
96  }
97  }
98  }
99  }
100  self::clearGDocs();
101  return $error;
102  }
103  // Authentication success
104  $login = self::$auth->getAuthUser();
105  $wu = new User();
106  $existu = false;
107  if ($wu->SetLoginName($login)) {
108  $existu = true;
109  }
110 
111  if (!$existu) {
112  self::secureLog("failure", "login have no Dynacase account", self::$auth->provider->parms['type'] . "/" . self::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], $login, $_SERVER["HTTP_USER_AGENT"]);
113  return 1;
114  }
115 
116  if ($wu->id != 1) {
117 
118  include_once ("FDL/freedom_util.php");
119  $du = new_Doc(getParam("FREEDOM_DB") , $wu->fid);
120  // First check if account is active
121  if ($du->isAccountInactive()) {
122  self::secureLog("failure", "inactive account", self::$auth->provider->parms['type'] . "/" . self::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], $login, $_SERVER["HTTP_USER_AGENT"]);
123  self::clearGDocs();
124  return 3;
125  }
126  // check if the account expiration date is elapsed
127  if ($du->accountHasExpired()) {
128  self::secureLog("failure", "account has expired", self::$auth->provider->parms['type'] . "/" . self::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], $login, $_SERVER["HTTP_USER_AGENT"]);
129  self::clearGDocs();
130  return 4;
131  }
132  // check count of login failure
133  $maxfail = getParam("AUTHENT_FAILURECOUNT");
134  if ($maxfail > 0 && $du->getValue("us_loginfailure", 0) >= $maxfail) {
135  self::secureLog("failure", "max connection (" . $maxfail . ") attempts exceeded", self::$auth->provider->parms['type'] . "/" . self::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], $login, $_SERVER["HTTP_USER_AGENT"]);
136  self::clearGDocs();
137  return 2;
138  }
139  // authen OK, max login failure OK => reset count of login failure
140  $du->disableEditControl();
141  $du->resetLoginFailure();
142  $du->enableEditControl();
143  }
144  /*
145  * All authenticators are not necessarily based on sessions (i.e. 'basic')
146  */
147  if (method_exists(self::$auth, 'getAuthSession')) {
148  self::$session = self::$auth->getAuthSession();
149  if (self::$session->read('username') == "") {
150  self::secureLog("failure", "username should exists in session", $authprovider, $_SERVER["REMOTE_ADDR"], $login, $_SERVER["HTTP_USER_AGENT"]);
151  exit(0);
152  }
153  }
154 
155  self::clearGDocs();
156  return 0;
157  }
158 
159  public function closeAccess()
160  {
161  $authtype = getAuthType();
162  if( $authtype == 'apache' ) {
163  AuthenticatorManager::secureLog("close", "see you tomorrow", "apache/apache", $_SERVER["REMOTE_ADDR"], $_SERVER["PHP_AUTH_USER"], $_SERVER["HTTP_USER_AGENT"]);
164  global $action;
165  if( $action ) {
166  $rapp = GetHttpVars("rapp");
167  $raction = GetHttpVars("raction");
168  $rurl = GetHttpVars("rurl", $action->GetParam("CORE_ROOTURL"));
169 
170  if(!isset($_SERVER['PHP_AUTH_USER']) || ($_POST["SeenBefore"] == 1 && !strcmp($_POST["OldAuth"],$_SERVER['PHP_AUTH_USER'] )) ) {
171  self::authenticate($action);
172  } else {
173  redirect($action,$rapp,$raction,$rurl);
174  }
175  }
176  exit(0);
177  } else {
178  $authClass = strtolower($authtype)."Authenticator";
179  if (! @include_once('WHAT/Class.'.$authClass.'.php')) {
180  print "Unknown authtype ".$_GET['authtype'];
181  exit;
182  }
183  $auth = new $authClass( $authtype, "__for_logout__" );
184 
185  if( method_exists(AuthenticatorManager::$auth, 'logout') ) {
186  AuthenticatorManager::secureLog("close", "see you tomorrow", AuthenticatorManager::$auth->provider->parms['type']."/".AuthenticatorManager::$auth->provider->parms['provider'], $_SERVER["REMOTE_ADDR"], AuthenticatorManager::$auth->getAuthUser(), $_SERVER["HTTP_USER_AGENT"]);
187  AuthenticatorManager::$auth->logout();
188  exit(0);
189  }
190 
191  header('HTTP/1.0 500 Internal Error');
192  print sprintf("logout method not supported by authtype '%s'", $authtype);
193  exit(0);
194  }
195  }
196 
197  /**
198  * Send a 401 Unauthorized HTTP header
199  */
200  public function authenticate(&$action)
201  {
202  // Header( "WWW-Authenticate: Basic realm=\"WHAT Connection\", stale=FALSE");
203  //Header( "WWW-Authenticate: Basic realm=\"WHAT Connection\", stale=true");
204  //Header( "HTTP/1.0 401 Unauthorized");
205  header('WWW-Authenticate: Basic realm="' . getParam("CORE_REALM", "Dynacase Platform connection") . '"');
206  header('HTTP/1.0 401 Unauthorized');
207  // Header("Location:guest.php");
208  echo _("Vous devez entrer un nom d'utilisateur valide et un mot de passe correct pour acceder a cette ressource");
209  exit;
210  }
211 
212  public function secureLog($status = "", $additionalMessage = "", $provider = "", $clientIp = "", $account = "", $userAgent = "")
213  {
214  global $_GET;
215  $log = new Log("", "Session", "Authentication");
216  $facility = constant(getParam("AUTH_LOGFACILITY", "LOG_AUTH"));
217  $log->wlog("S", sprintf("[%s] [%s] [%s] [%s] [%s] [%s]", $status, $additionalMessage, $provider, $clientIp, $account, $userAgent) , NULL, $facility);
218  return 0;
219  }
220 
221  private static function clearGDocs()
222  {
223  global $gdocs;
224  $gdocs = array();
225  }
226 }
227 ?>
← centre documentaire © anakeen - published under CC License - Dynacase