1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
<?php
/**
* Authentication source for Apache 'htpasswd' files.
*
* @author Dyonisius (Dick) Visser, TERENA.
* @package SimpleSAMLphp
*/
use WhiteHat101\Crypt\APR1_MD5;
class sspmod_authcrypt_Auth_Source_Htpasswd extends sspmod_core_Auth_UserPassBase
{
/**
* Our users, stored in an array, where each value is "<username>:<passwordhash>".
*
* @var array
*/
private $users;
/**
* An array containing static attributes for our users.
*
* @var array
*/
private $attributes = array();
/**
* Constructor for this authentication source.
*
* @param array $info Information about this authentication source.
* @param array $config Configuration.
*
* @throws Exception if the htpasswd file is not readable or the static_attributes array is invalid.
*/
public function __construct($info, $config)
{
assert(is_array($info));
assert(is_array($config));
// Call the parent constructor first, as required by the interface
parent::__construct($info, $config);
$this->users = array();
if (!$htpasswd = file_get_contents($config['htpasswd_file'])) {
throw new Exception('Could not read '.$config['htpasswd_file']);
}
$this->users = explode("\n", trim($htpasswd));
try {
$this->attributes = SimpleSAML\Utils\Attributes::normalizeAttributesArray($config['static_attributes']);
} catch (Exception $e) {
throw new Exception('Invalid static_attributes in authentication source '.
$this->authId.': '.$e->getMessage());
}
}
/**
* Attempt to log in using the given username and password.
*
* On a successful login, this function should return the username as 'uid' attribute,
* and merged attributes from the configuration file.
* On failure, it should throw an exception. A SimpleSAML_Error_Error('WRONGUSERPASS')
* should be thrown in case of a wrong username OR a wrong password, to prevent the
* enumeration of usernames.
*
* @param string $username The username the user wrote.
* @param string $password The password the user wrote.
*
* @return array Associative array with the users attributes.
*
* @throws SimpleSAML_Error_Error if authentication fails.
*/
protected function login($username, $password)
{
assert(is_string($username));
assert(is_string($password));
foreach ($this->users as $userpass) {
$matches = explode(':', $userpass, 2);
if ($matches[0] == $username) {
$crypted = $matches[1];
// This is about the only attribute we can add
$attributes = array_merge(array('uid' => array($username)), $this->attributes);
// Traditional crypt(3)
if (SimpleSAML\Utils\Crypto::secureCompare($crypted, crypt($password, $crypted))) {
SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
SimpleSAML\Logger::warning(
'CRYPT authentication is insecure. Please consider using something else.'
);
return $attributes;
}
// Apache's custom MD5
if (APR1_MD5::check($password, $crypted)) {
SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
return $attributes;
}
// SHA1 or plain-text
if (SimpleSAML\Utils\Crypto::pwValid($crypted, $password)) {
SimpleSAML\Logger::debug('User '.$username.' authenticated successfully');
SimpleSAML\Logger::warning(
'SHA1 and PLAIN TEXT authentication are insecure. Please consider using something else.'
);
return $attributes;
}
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
}
throw new SimpleSAML_Error_Error('WRONGUSERPASS');
}
}
|
