File: Htpasswd.php

package info (click to toggle)
simplesamlphp 1.14.11-1%2Bdeb9u2
  • links: PTS, VCS
  • area: main
  • in suites: stretch
  • size: 15,024 kB
  • sloc: php: 72,337; xml: 1,078; python: 376; sh: 220; perl: 185; makefile: 57
file content (99 lines) | stat: -rw-r--r-- 2,970 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
 
<?php

/**
 * Authentication source for Apache 'htpasswd' files.
 *
 * @author Dyonisius (Dick) Visser, TERENA.
 * @package SimpleSAMLphp
 */

use WhiteHat101\Crypt\APR1_MD5;

class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBase {


	/**
	 * Our users, stored in an array, where each value is "<username>:<passwordhash>".
	 */
	private $users;

	/**
	 * Constructor for this authentication source.
	 *
	 * @param array $info  Information about this authentication source.
	 * @param array $config  Configuration.
	 */
	public function __construct($info, $config) {
		assert('is_array($info)');
		assert('is_array($config)');

		// Call the parent constructor first, as required by the interface
		parent::__construct($info, $config);

		$this->users = array();

		if(!$htpasswd = file_get_contents($config['htpasswd_file'])) {
			throw new Exception('Could not read ' . $config['htpasswd_file']);
		}

		$this->users = explode("\n", trim($htpasswd));

		try {
			$this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config['static_attributes']);
		} catch(Exception $e) {
			throw new Exception('Invalid static_attributes in authentication source ' .
				$this->authId . ': ' .	$e->getMessage());
		}
	}


	/**
	 * Attempt to log in using the given username and password.
	 *
	 * On a successful login, this function should return the username as 'uid' attribute,
	 * and merged attributes from the configuration file.
	 * On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
	 * should be thrown in case of a wrong username OR a wrong password, to prevent the
	 * enumeration of usernames.
	 *
	 * @param string $username  The username the user wrote.
	 * @param string $password  The password the user wrote.
	 * @return array  Associative array with the users attributes.
	 */
	protected function login($username, $password) {
		assert('is_string($username)');
		assert('is_string($password)');

		foreach($this->users as $userpass) {
			$matches = explode(':', $userpass, 2);
			if($matches[0] == $username) {

				$crypted = $matches[1];

				// This is about the only attribute we can add
				$attributes = array_merge(array('uid' => array($username)), $this->attributes);

				// Traditional crypt(3)
				if(crypt($password, $crypted) == $crypted) {
					SimpleSAML_Logger::debug('User '. $username . ' authenticated successfully');
					return $attributes;
				}

				// Apache's custom MD5
				if(APR1_MD5::check($password, $crypted)) {
					SimpleSAML_Logger::debug('User '. $username . ' authenticated successfully');
					return $attributes;
				}

				// SHA1 or plain-text
				if(SimpleSAML\Utils\Crypto::pwValid($crypted, $password)) {
					SimpleSAML_Logger::debug('User '. $username . ' authenticated successfully');
					return $attributes;
				}
				throw new SimpleSAML_Error_Error('WRONGUSERPASS');
			}
		}
		throw new SimpleSAML_Error_Error('WRONGUSERPASS');
	}

}