izcontrol/lib/auth.php

<?php

/*

	Copyright (c) 2009-2019 F3::Factory/Bong Cosca, All rights reserved.

	This file is part of the Fat-Free Framework (http://fatfreeframework.com).

	This is free software: you can redistribute it and/or modify it under the
	terms of the GNU General Public License as published by the Free Software
	Foundation, either version 3 of the License, or later.

	Fat-Free Framework is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
	General Public License for more details.

	You should have received a copy of the GNU General Public License along
	with Fat-Free Framework.  If not, see <http://www.gnu.org/licenses/>.

*/

//! Authorization/authentication plug-in
class Auth {

	//@{ Error messages
	const
		E_LDAP='LDAP connection failure',
		E_SMTP='SMTP connection failure';
	//@}

	protected
		//! Auth storage
		$storage,
		//! Mapper object
		$mapper,
		//! Storage options
		$args,
		//! Custom compare function
		$func;

	/**
	*	Jig storage handler
	*	@return bool
	*	@param $id string
	*	@param $pw string
	*	@param $realm string
	**/
	protected function _jig($id,$pw,$realm) {
		$success = (bool)
			call_user_func_array(
				[$this->mapper,'load'],
				[
					array_merge(
						[
							'@'.$this->args['id'].'==?'.
							($this->func?'':' AND @'.$this->args['pw'].'==?').
							(isset($this->args['realm'])?
								(' AND @'.$this->args['realm'].'==?'):''),
							$id
						],
						($this->func?[]:[$pw]),
						(isset($this->args['realm'])?[$realm]:[])
					)
				]
			);
		if ($success && $this->func)
			$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));
		return $success;
	}

	/**
	*	MongoDB storage handler
	*	@return bool
	*	@param $id string
	*	@param $pw string
	*	@param $realm string
	**/
	protected function _mongo($id,$pw,$realm) {
		$success = (bool)
			$this->mapper->load(
				[$this->args['id']=>$id]+
				($this->func?[]:[$this->args['pw']=>$pw])+
				(isset($this->args['realm'])?
					[$this->args['realm']=>$realm]:[])
			);
		if ($success && $this->func)
			$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));
		return $success;
	}

	/**
	*	SQL storage handler
	*	@return bool
	*	@param $id string
	*	@param $pw string
	*	@param $realm string
	**/
	protected function _sql($id,$pw,$realm) {
		$success = (bool)
			call_user_func_array(
				[$this->mapper,'load'],
				[
					array_merge(
						[
							$this->args['id'].'=?'.
							($this->func?'':' AND '.$this->args['pw'].'=?').
							(isset($this->args['realm'])?
								(' AND '.$this->args['realm'].'=?'):''),
							$id
						],
						($this->func?[]:[$pw]),
						(isset($this->args['realm'])?[$realm]:[])
					)
				]
			);
		if ($success && $this->func)
			$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));
		return $success;
	}

	/**
	*	LDAP storage handler
	*	@return bool
	*	@param $id string
	*	@param $pw string
	**/
	protected function _ldap($id,$pw) {
		$port=(int)($this->args['port']?:389);
		$filter=$this->args['filter']=$this->args['filter']?:"uid=".$id;
		$this->args['attr']=$this->args['attr']?:["uid"];
		array_walk($this->args['attr'],
		function($attr)use(&$filter,$id) {
			$filter=str_ireplace($attr."=*",$attr."=".$id,$filter);});
		$dc=@ldap_connect($this->args['dc'],$port);
		if ($dc &&
			ldap_set_option($dc,LDAP_OPT_PROTOCOL_VERSION,3) &&
			ldap_set_option($dc,LDAP_OPT_REFERRALS,0) &&
			ldap_bind($dc,$this->args['rdn'],$this->args['pw']) &&
			($result=ldap_search($dc,$this->args['base_dn'],
				$filter,$this->args['attr'])) &&
			ldap_count_entries($dc,$result) &&
			($info=ldap_get_entries($dc,$result)) &&
			$info['count']==1 &&
			@ldap_bind($dc,$info[0]['dn'],$pw) &&
			@ldap_close($dc)) {
			return in_array($id,(array_map(function($value){return $value[0];},
				array_intersect_key($info[0],
					array_flip($this->args['attr'])))),TRUE);
		}
		user_error(self::E_LDAP,E_USER_ERROR);
	}

	/**
	*	SMTP storage handler
	*	@return bool
	*	@param $id string
	*	@param $pw string
	**/
	protected function _smtp($id,$pw) {
		$socket=@fsockopen(
			(strtolower($this->args['scheme'])=='ssl'?
				'ssl://':'').$this->args['host'],
				$this->args['port']);
		$dialog=function($cmd=NULL) use($socket) {
			if (!is_null($cmd))
				fputs($socket,$cmd."\r\n");
			$reply='';
			while (!feof($socket) &&
				($info=stream_get_meta_data($socket)) &&
				!$info['timed_out'] && $str=fgets($socket,4096)) {
				$reply.=$str;
				if (preg_match('/(?:^|\n)\d{3} .+\r\n/s',
					$reply))
					break;
			}
			return $reply;
		};
		if ($socket) {
			stream_set_blocking($socket,TRUE);
			$dialog();
			$fw=Base::instance();
			$dialog('EHLO '.$fw->HOST);
			if (strtolower($this->args['scheme'])=='tls') {
				$dialog('STARTTLS');
				stream_socket_enable_crypto(
					$socket,TRUE,STREAM_CRYPTO_METHOD_TLS_CLIENT);
				$dialog('EHLO '.$fw->HOST);
			}
			// Authenticate
			$dialog('AUTH LOGIN');
			$dialog(base64_encode($id));
			$reply=$dialog(base64_encode($pw));
			$dialog('QUIT');
			fclose($socket);
			return (bool)preg_match('/^235 /',$reply);
		}
		user_error(self::E_SMTP,E_USER_ERROR);
	}

	/**
	*	Login auth mechanism
	*	@return bool
	*	@param $id string
	*	@param $pw string
	*	@param $realm string
	**/
	function login($id,$pw,$realm=NULL) {
		return $this->{'_'.$this->storage}($id,$pw,$realm);
	}

	/**
	*	HTTP basic auth mechanism
	*	@return bool
	*	@param $func callback
	**/
	function basic($func=NULL) {
		$fw=Base::instance();
		$realm=$fw->REALM;
		$hdr=NULL;
		if (isset($_SERVER['HTTP_AUTHORIZATION']))
			$hdr=$_SERVER['HTTP_AUTHORIZATION'];
		elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']))
			$hdr=$_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
		if (!empty($hdr))
			list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])=
				explode(':',base64_decode(substr($hdr,6)));
		if (isset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) &&
			$this->login(
				$_SERVER['PHP_AUTH_USER'],
				$func?
					$fw->call($func,$_SERVER['PHP_AUTH_PW']):
					$_SERVER['PHP_AUTH_PW'],
				$realm
			))
			return TRUE;
		if (PHP_SAPI!='cli')
			header('WWW-Authenticate: Basic realm="'.$realm.'"');
		$fw->status(401);
		return FALSE;
	}

	/**
	*	Instantiate class
	*	@return object
	*	@param $storage string|object
	*	@param $args array
	*	@param $func callback
	**/
	function __construct($storage,array $args=NULL,$func=NULL) {
		if (is_object($storage) && is_a($storage,'DB\Cursor')) {
			$this->storage=$storage->dbtype();
			$this->mapper=$storage;
			unset($ref);
		}
		else
			$this->storage=$storage;
		$this->args=$args;
		$this->func=$func;
	}

}
initial 4 years ago			`<?php`

			`/*`

			`Copyright (c) 2009-2019 F3::Factory/Bong Cosca, All rights reserved.`

			`This file is part of the Fat-Free Framework (http://fatfreeframework.com).`

			`This is free software: you can redistribute it and/or modify it under the`
			`terms of the GNU General Public License as published by the Free Software`
			`Foundation, either version 3 of the License, or later.`

			`Fat-Free Framework is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU`
			`General Public License for more details.`

			`You should have received a copy of the GNU General Public License along`
			`with Fat-Free Framework. If not, see <http://www.gnu.org/licenses/>.`

			`*/`

			`//! Authorization/authentication plug-in`
			`class Auth {`

			`//@{ Error messages`
			`const`
			`E_LDAP='LDAP connection failure',`
			`E_SMTP='SMTP connection failure';`
			`//@}`

			`protected`
			`//! Auth storage`
			`$storage,`
			`//! Mapper object`
			`$mapper,`
			`//! Storage options`
			`$args,`
			`//! Custom compare function`
			`$func;`

			`/**`
			`* Jig storage handler`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`* @param $realm string`
			`**/`
			`protected function _jig($id,$pw,$realm) {`
			`$success = (bool)`
			`call_user_func_array(`
			`[$this->mapper,'load'],`
			`[`
			`array_merge(`
			`[`
			`'@'.$this->args['id'].'==?'.`
			`($this->func?'':' AND @'.$this->args['pw'].'==?').`
			`(isset($this->args['realm'])?`
			`(' AND @'.$this->args['realm'].'==?'):''),`
			`$id`
			`],`
			`($this->func?[]:[$pw]),`
			`(isset($this->args['realm'])?[$realm]:[])`
			`)`
			`]`
			`);`
			`if ($success && $this->func)`
			`$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));`
			`return $success;`
			`}`

			`/**`
			`* MongoDB storage handler`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`* @param $realm string`
			`**/`
			`protected function _mongo($id,$pw,$realm) {`
			`$success = (bool)`
			`$this->mapper->load(`
			`[$this->args['id']=>$id]+`
			`($this->func?[]:[$this->args['pw']=>$pw])+`
			`(isset($this->args['realm'])?`
			`[$this->args['realm']=>$realm]:[])`
			`);`
			`if ($success && $this->func)`
			`$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));`
			`return $success;`
			`}`

			`/**`
			`* SQL storage handler`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`* @param $realm string`
			`**/`
			`protected function _sql($id,$pw,$realm) {`
			`$success = (bool)`
			`call_user_func_array(`
			`[$this->mapper,'load'],`
			`[`
			`array_merge(`
			`[`
			`$this->args['id'].'=?'.`
			`($this->func?'':' AND '.$this->args['pw'].'=?').`
			`(isset($this->args['realm'])?`
			`(' AND '.$this->args['realm'].'=?'):''),`
			`$id`
			`],`
			`($this->func?[]:[$pw]),`
			`(isset($this->args['realm'])?[$realm]:[])`
			`)`
			`]`
			`);`
			`if ($success && $this->func)`
			`$success = call_user_func($this->func,$pw,$this->mapper->get($this->args['pw']));`
			`return $success;`
			`}`

			`/**`
			`* LDAP storage handler`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`**/`
			`protected function _ldap($id,$pw) {`
			`$port=(int)($this->args['port']?:389);`
			`$filter=$this->args['filter']=$this->args['filter']?:"uid=".$id;`
			`$this->args['attr']=$this->args['attr']?:["uid"];`
			`array_walk($this->args['attr'],`
			`function($attr)use(&$filter,$id) {`
			`$filter=str_ireplace($attr."=*",$attr."=".$id,$filter);});`
			`$dc=@ldap_connect($this->args['dc'],$port);`
			`if ($dc &&`
			`ldap_set_option($dc,LDAP_OPT_PROTOCOL_VERSION,3) &&`
			`ldap_set_option($dc,LDAP_OPT_REFERRALS,0) &&`
			`ldap_bind($dc,$this->args['rdn'],$this->args['pw']) &&`
			`($result=ldap_search($dc,$this->args['base_dn'],`
			`$filter,$this->args['attr'])) &&`
			`ldap_count_entries($dc,$result) &&`
			`($info=ldap_get_entries($dc,$result)) &&`
			`$info['count']==1 &&`
			`@ldap_bind($dc,$info[0]['dn'],$pw) &&`
			`@ldap_close($dc)) {`
			`return in_array($id,(array_map(function($value){return $value[0];},`
			`array_intersect_key($info[0],`
			`array_flip($this->args['attr'])))),TRUE);`
			`}`
			`user_error(self::E_LDAP,E_USER_ERROR);`
			`}`

			`/**`
			`* SMTP storage handler`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`**/`
			`protected function _smtp($id,$pw) {`
			`$socket=@fsockopen(`
			`(strtolower($this->args['scheme'])=='ssl'?`
			`'ssl://':'').$this->args['host'],`
			`$this->args['port']);`
			`$dialog=function($cmd=NULL) use($socket) {`
			`if (!is_null($cmd))`
			`fputs($socket,$cmd."\r\n");`
			`$reply='';`
			`while (!feof($socket) &&`
			`($info=stream_get_meta_data($socket)) &&`
			`!$info['timed_out'] && $str=fgets($socket,4096)) {`
			`$reply.=$str;`
			`if (preg_match('/(?:^\|\n)\d{3} .+\r\n/s',`
			`$reply))`
			`break;`
			`}`
			`return $reply;`
			`};`
			`if ($socket) {`
			`stream_set_blocking($socket,TRUE);`
			`$dialog();`
			`$fw=Base::instance();`
			`$dialog('EHLO '.$fw->HOST);`
			`if (strtolower($this->args['scheme'])=='tls') {`
			`$dialog('STARTTLS');`
			`stream_socket_enable_crypto(`
			`$socket,TRUE,STREAM_CRYPTO_METHOD_TLS_CLIENT);`
			`$dialog('EHLO '.$fw->HOST);`
			`}`
			`// Authenticate`
			`$dialog('AUTH LOGIN');`
			`$dialog(base64_encode($id));`
			`$reply=$dialog(base64_encode($pw));`
			`$dialog('QUIT');`
			`fclose($socket);`
			`return (bool)preg_match('/^235 /',$reply);`
			`}`
			`user_error(self::E_SMTP,E_USER_ERROR);`
			`}`

			`/**`
			`* Login auth mechanism`
			`* @return bool`
			`* @param $id string`
			`* @param $pw string`
			`* @param $realm string`
			`**/`
			`function login($id,$pw,$realm=NULL) {`
			`return $this->{'_'.$this->storage}($id,$pw,$realm);`
			`}`

			`/**`
			`* HTTP basic auth mechanism`
			`* @return bool`
			`* @param $func callback`
			`**/`
			`function basic($func=NULL) {`
			`$fw=Base::instance();`
			`$realm=$fw->REALM;`
			`$hdr=NULL;`
			`if (isset($_SERVER['HTTP_AUTHORIZATION']))`
			`$hdr=$_SERVER['HTTP_AUTHORIZATION'];`
			`elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']))`
			`$hdr=$_SERVER['REDIRECT_HTTP_AUTHORIZATION'];`
			`if (!empty($hdr))`
			`list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])=`
			`explode(':',base64_decode(substr($hdr,6)));`
			`if (isset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) &&`
			`$this->login(`
			`$_SERVER['PHP_AUTH_USER'],`
			`$func?`
			`$fw->call($func,$_SERVER['PHP_AUTH_PW']):`
			`$_SERVER['PHP_AUTH_PW'],`
			`$realm`
			`))`
			`return TRUE;`
			`if (PHP_SAPI!='cli')`
			`header('WWW-Authenticate: Basic realm="'.$realm.'"');`
			`$fw->status(401);`
			`return FALSE;`
			`}`

			`/**`
			`* Instantiate class`
			`* @return object`
			`* @param $storage string\|object`
			`* @param $args array`
			`* @param $func callback`
			`**/`
			`function __construct($storage,array $args=NULL,$func=NULL) {`
			`if (is_object($storage) && is_a($storage,'DB\Cursor')) {`
			`$this->storage=$storage->dbtype();`
			`$this->mapper=$storage;`
			`unset($ref);`
			`}`
			`else`
			`$this->storage=$storage;`
			`$this->args=$args;`
			`$this->func=$func;`
			`}`

			`}`