2
/* vim:set softtabstop=4 shiftwidth=4 expandtab: */
5
* LICENSE: GNU General Public License, version 2 (GPLv2)
6
* Copyright 2001 - 2013 Ampache.org
8
* This program is free software; you can redistribute it and/or
9
* modify it under the terms of the GNU General Public License v2
10
* as published by the Free Software Foundation.
12
* This program is distributed in the hope that it will be useful,
13
* but WITHOUT ANY WARRANTY; without even the implied warranty of
14
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15
* GNU General Public License for more details.
17
* You should have received a copy of the GNU General Public License
18
* along with this program; if not, write to the Free Software
19
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25
* This class handles all of the session related stuff in Ampache
26
* it takes over for the vauth libs, and takes some stuff out of other
27
* classes where it didn't belong.
34
* This should never be called
36
private function __construct() {
43
* This is called when you want to log out and nuke your session.
44
* This is the function used for the Ajax logouts, if no id is passed
45
* it tries to find one from the session,
47
public static function logout($key='', $relogin = true) {
49
// If no key is passed try to find the session id
50
$key = $key ? $key : session_id();
52
// Nuke the cookie before all else
53
Session::destroy($key);
54
if ((!$relogin) && Config::get('logout_redirect')) {
55
$target = Config::get('logout_redirect');
58
$target = Config::get('web_path') . '/login.php';
61
// Do a quick check to see if this is an AJAXed logout request
62
// if so use the iframe to redirect
63
if (defined('AJAX_INCLUDE')) {
67
/* Set the correct headers */
68
header("Content-type: text/xml; charset=" . Config::get('site_charset'));
69
header("Content-Disposition: attachment; filename=ajax.xml");
70
header("Expires: Tuesday, 27 Mar 1984 05:00:00 GMT");
71
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
72
header("Cache-Control: no-store, no-cache, must-revalidate");
73
header("Pragma: no-cache");
75
$results['rfc3514'] = '<script type="text/javascript">reloadRedirect("' . $target . '")</script>';
76
echo xml_from_array($results);
79
/* Redirect them to the login page */
80
header('Location: ' . $target);
89
* This takes a username and password and then returns the results
90
* based on what happens when we try to do the auth.
92
public static function login($username, $password) {
93
foreach (Config::get('auth_methods') as $method) {
94
$function_name = $method . '_auth';
96
if (!method_exists('Auth', $function_name)) {
100
$results = self::$function_name($username, $password);
101
if ($results['success']) { break; }
110
* This is the core function of our built-in authentication.
112
private static function mysql_auth($username, $password) {
114
if (strlen($password) && strlen($username)) {
115
$sql = 'SELECT `password` FROM `user` WHERE `username` = ?';
116
$db_results = Dba::read($sql, array($username));
118
if ($row = Dba::fetch_assoc($db_results)) {
119
// Use SHA2 now... cooking with fire.
120
// For backwards compatibility we hash a couple of different
121
// variations of the password. Increases collision chances, but
122
// doesn't break things.
123
// FIXME: Break things in the future.
124
$hashed_password[] = hash('sha256', $password);
125
$hashed_password[] = hash('sha256',
126
Dba::escape(stripslashes(htmlspecialchars(strip_tags($password)))));
128
// Automagically update the password if it's old and busted.
129
if ($row['password'] == $hashed_password[1] &&
130
$hashed_password[0] != $hashed_password[1]) {
131
$user = User::get_from_username($username);
132
$user->update_password($password);
135
if (in_array($row['password'], $hashed_password)) {
139
'username' => $username
147
'error' => 'MySQL login attempt failed'
154
* Check to make sure the pam_auth function is implemented (module is
155
* installed), then check the credentials.
157
private static function pam_auth($username, $password) {
158
if (!function_exists('pam_auth')) {
159
$results['success'] = false;
160
$results['error'] = 'The PAM PHP module is not installed';
164
$password = scrub_in($password);
166
if (pam_auth($username, $password)) {
167
$results['success'] = true;
168
$results['type'] = 'pam';
169
$results['username'] = $username;
172
$results['success'] = false;
173
$results['error'] = 'PAM login attempt failed';
182
* Calls an external program compatible with mod_authnz_external
185
private static function external_auth($username, $password) {
186
$authenticator = Config::get('external_authenticator');
187
if (!$authenticator) {
190
'error' => 'No external authenticator configured'
194
//FIXME: should we do input sanitization?
195
$proc = proc_open($authenticator,
197
0 => array('pipe', 'r'),
198
1 => array('pipe', 'w'),
199
2 => array('pipe', 'w')
202
if (is_resource($proc)) {
203
fwrite($pipes[0], $username."\n".$password."\n");
206
if ($stderr = fread($pipes[2], 8192)) {
207
debug_event('external_auth', $stderr, 5);
214
'error' => 'Failed to run external authenticator'
218
if (proc_close($proc) == 0) {
221
'type' => 'external',
222
'username' => $username
228
'error' => 'The external authenticator did not accept the login'
234
* Step one, connect to the LDAP server and perform a search for the
236
* Step two, attempt to bind using that username and the password
238
* Step three, figure out if they are authorized to use ampache:
239
* TODO: in config but unimplemented:
240
* * require-dn "Grant access if the DN in the directive matches
241
* the DN fetched from the LDAP directory"
242
* * require-attribute "an attribute fetched from the LDAP
243
* directory matches the given value"
245
private static function ldap_auth($username, $password) {
247
$ldap_username = Config::get('ldap_username');
248
$ldap_password = Config::get('ldap_password');
250
$require_group = Config::get('ldap_require_group');
252
// This is the DN for the users (required)
253
$ldap_dn = Config::get('ldap_search_dn');
255
// This is the server url (required)
256
$ldap_url = Config::get('ldap_url');
258
// This is the ldap filter string (required)
259
$ldap_filter = Config::get('ldap_filter');
261
//This is the ldap objectclass (required)
262
$ldap_class = Config::get('ldap_objectclass');
264
if (!($ldap_dn && $ldap_url && $ldap_filter && $ldap_class)) {
265
debug_event('ldap_auth', 'Required config value missing', 1);
266
$results['success'] = false;
267
$results['error'] = 'Incomplete LDAP config';
271
$ldap_name_field = Config::get('ldap_name_field');
272
$ldap_email_field = Config::get('ldap_email_field');
274
if ($ldap_link = ldap_connect($ldap_url) ) {
276
/* Set to Protocol 3 */
277
ldap_set_option($ldap_link, LDAP_OPT_PROTOCOL_VERSION, 3);
279
// bind using our auth if we need to for initial search
280
if (!ldap_bind($ldap_link, $ldap_username, $ldap_password)) {
281
$results['success'] = false;
282
$results['error'] = 'Could not bind to LDAP server.';
286
$sr = ldap_search($ldap_link, $ldap_dn, "(&(objectclass=$ldap_class)($ldap_filter=$username))");
287
$info = ldap_get_entries($ldap_link, $sr);
289
if ($info["count"] == 1) {
290
$user_entry = ldap_first_entry($ldap_link, $sr);
291
$user_dn = ldap_get_dn($ldap_link, $user_entry);
292
$password = scrub_in($password);
293
// bind using the user..
294
$retval = ldap_bind($ldap_link, $user_dn, $password);
297
// When the current user needs to be in
298
// a specific group to access Ampache,
299
// check whether the 'member' list of
300
// the group contains the DN
301
if ($require_group) {
302
$group_result = ldap_read($ldap_link, $require_group, 'objectclass=*', array('member'));
303
if (!$group_result) {
304
debug_event('ldap_auth', "Failure reading $require_group", 1);
305
$results['success'] = false;
306
$results['error'] = 'The LDAP group could not be read';
310
$group_info = ldap_get_entries($ldap_link, $group_result);
312
if ($group_info['count'] < 1) {
313
debug_event('ldap_auth', "No members found in $require_group", 1);
314
$results['success'] = false;
315
$results['error'] = 'Empty LDAP group';
319
$group_match = preg_grep("/^$user_dn\$/i", $group_info[0]['member']);
321
debug_event('ldap_auth', "$user_dn is not a member of $require_group",1);
322
$results['success'] = false;
323
$results['error'] = 'LDAP login attempt failed';
327
ldap_close($ldap_link);
328
$results['success'] = true;
329
$results['type'] = "ldap";
330
$results['username'] = $username;
331
$results['name'] = $info[0][$ldap_name_field][0];
332
$results['email'] = $info[0][$ldap_email_field][0];
336
} // if we get something good back
338
} // if something was sent back
340
} // if failed connect
342
/* Default to bad news */
343
$results['success'] = false;
344
$results['error'] = 'LDAP login attempt failed';
352
* This auth method relies on HTTP auth from the webserver
354
private static function http_auth($username, $password) {
355
if (($_SERVER['REMOTE_USER'] == $username) ||
356
($_SERVER['HTTP_REMOTE_USER'] == $username)) {
357
$results['success'] = true;
358
$results['type'] = 'http';
359
$results['username'] = $username;
360
$results['name'] = $username;
361
$results['email'] = '';
364
$results['success'] = false;
365
$results['error'] = 'HTTP auth login attempt failed';