2006-03-12 00:03:24 +00:00
|
|
|
<?php
|
|
|
|
/* SVN FILE: $Id$ */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Short description for file.
|
|
|
|
*
|
|
|
|
* Long description for file
|
|
|
|
*
|
|
|
|
* PHP versions 4 and 5
|
|
|
|
*
|
|
|
|
* CakePHP : Rapid Development Framework <http://www.cakephp.org/>
|
2006-05-26 05:29:17 +00:00
|
|
|
* Copyright (c) 2006, Cake Software Foundation, Inc.
|
|
|
|
* 1785 E. Sahara Avenue, Suite 490-204
|
|
|
|
* Las Vegas, Nevada 89104
|
2006-03-12 00:03:24 +00:00
|
|
|
*
|
|
|
|
* Licensed under The MIT License
|
|
|
|
* Redistributions of files must retain the above copyright notice.
|
|
|
|
*
|
|
|
|
* @filesource
|
2006-05-26 05:29:17 +00:00
|
|
|
* @copyright Copyright (c) 2006, Cake Software Foundation, Inc.
|
|
|
|
* @link http://www.cakefoundation.org/projects/info/cakephp CakePHP Project
|
|
|
|
* @package cake
|
|
|
|
* @subpackage cake.cake.libs.controller.components
|
|
|
|
* @since CakePHP v 0.10.8.2156
|
|
|
|
* @version $Revision$
|
|
|
|
* @modifiedby $LastChangedBy$
|
|
|
|
* @lastmodified $Date$
|
|
|
|
* @license http://www.opensource.org/licenses/mit-license.php The MIT License
|
2006-03-12 00:03:24 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Short description for file.
|
|
|
|
*
|
|
|
|
* Long description for file
|
|
|
|
*
|
2006-05-26 05:29:17 +00:00
|
|
|
* @package cake
|
|
|
|
* @subpackage cake.cake.libs.controller.components
|
2006-03-12 00:03:24 +00:00
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
class SecurityComponent extends Object {
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $Security = null;
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $blackHoleCallback = null;
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $requirePost = array();
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $requireAuth = array();
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
var $requireLogin = array();
|
|
|
|
|
|
|
|
var $loginOptions = array();
|
|
|
|
|
|
|
|
var $loginUsers = array();
|
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $allowedControllers = array();
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $allowedActions = array();
|
2006-03-12 00:03:24 +00:00
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
var $components = array('RequestHandler', 'Session');
|
2006-03-12 00:03:24 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Security class constructor
|
|
|
|
*
|
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
function __construct () {
|
2006-05-26 05:29:17 +00:00
|
|
|
$this->Security = Security::getInstance();
|
|
|
|
}
|
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
function startup(&$controller) {
|
2006-05-26 05:29:17 +00:00
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
// Check requirePost
|
|
|
|
if (is_array($this->requirePost) && !empty($this->requirePost)) {
|
|
|
|
if (in_array($controller->action, $this->requirePost) || $this->requirePost == array('*')) {
|
|
|
|
|
|
|
|
if (!$this->RequestHandler->isPost()) {
|
|
|
|
if (!$this->blackHole($controller, 'post')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
// Check requireAuth
|
|
|
|
if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->params['form'])) {
|
|
|
|
if (in_array($controller->action, $this->requireAuth) || $this->requireAuth == array('*')) {
|
|
|
|
|
|
|
|
if (!isset($controller->params['data']['_Token'])) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$token = $controller->params['data']['_Token']['key'];
|
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
if ($this->Session->check('_Token')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
$tData = $this->Session->read('_Token');
|
2006-06-16 19:45:33 +00:00
|
|
|
if (!(intval($tData['expires']) > strtotime('now')) || $tData['key'] !== $token) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) ||!empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
} else {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2006-05-26 05:29:17 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
// Check requireLogin
|
|
|
|
if (is_array($this->requireLogin) && !empty($this->requireLogin)) {
|
2006-06-24 05:18:07 +00:00
|
|
|
if (in_array($controller->action, $this->requireLogin) || $this->requireLogin == array('*')) {
|
2006-06-16 19:45:33 +00:00
|
|
|
|
|
|
|
if (!isset($this->loginOptions['type'])) {
|
|
|
|
$this->loginOptions['type'] = '';
|
|
|
|
}
|
|
|
|
$login = $this->loginCredentials($this->loginOptions['type']);
|
|
|
|
if ($login == null) {
|
|
|
|
// User hasn't been authenticated yet
|
|
|
|
header($this->loginRequest());
|
|
|
|
if (isset($this->loginOptions['prompt'])) {
|
|
|
|
$this->__callback($controller, $this->loginOptions['prompt']);
|
|
|
|
} else {
|
|
|
|
$this->blackHole($controller, 'login');
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (isset($this->loginOptions['login'])) {
|
|
|
|
$this->__callback($controller, $this->loginOptions['login'], array($login));
|
|
|
|
} else {
|
|
|
|
if (low($this->loginOptions['type']) == 'digest') {
|
|
|
|
// Do digest authentication
|
|
|
|
} else {
|
2006-06-16 20:06:11 +00:00
|
|
|
if (!(in_array($login['username'], array_keys($this->loginUsers)) && $this->loginUsers[$login['username']] == $login['password'])) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->blackHole($controller, 'login');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-05-26 05:29:17 +00:00
|
|
|
// Add auth key for new form posts
|
|
|
|
$authKey = Security::generateAuthKey();
|
|
|
|
$expires = strtotime('+'.Security::inactiveMins().' minutes');
|
2006-06-16 19:45:33 +00:00
|
|
|
$token = array(
|
|
|
|
'key' => $authKey,
|
|
|
|
'expires' => $expires,
|
|
|
|
'allowedControllers' => $this->allowedControllers,
|
|
|
|
'allowedActions' => $this->allowedActions
|
|
|
|
);
|
2006-05-26 05:29:17 +00:00
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
if (!isset($controller->params['data'])) {
|
2006-05-26 05:29:17 +00:00
|
|
|
$controller->params['data'] = array();
|
|
|
|
}
|
|
|
|
$controller->params['_Token'] = $token;
|
|
|
|
$this->Session->write('_Token', $token);
|
|
|
|
}
|
2006-03-12 00:03:24 +00:00
|
|
|
/**
|
|
|
|
* Black-hole an invalid request with a 404 error or custom callback
|
|
|
|
*
|
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
function blackHole(&$controller, $error = '') {
|
|
|
|
if ($this->blackHoleCallback == null) {
|
|
|
|
if ($error == 'login') {
|
|
|
|
header('HTTP/1.0 401 Unauthorized');
|
|
|
|
} else {
|
|
|
|
header('HTTP/1.0 404 Not Found');
|
|
|
|
}
|
2006-05-26 05:29:17 +00:00
|
|
|
exit();
|
2006-06-16 20:06:11 +00:00
|
|
|
} else {
|
|
|
|
return $this->__callback($controller, $this->blackHoleCallback, array($error));
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Sets the actions that require a POST request, or empty for all actions
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function requirePost() {
|
|
|
|
$this->requirePost = func_get_args();
|
|
|
|
if (empty($this->requirePost)) {
|
|
|
|
$this->requirePost = array('*');
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Sets the actions that require an authenticated request, or empty for all actions
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function requireAuth() {
|
|
|
|
$this->requireAuth = func_get_args();
|
|
|
|
if (empty($this->requireAuth)) {
|
|
|
|
$this->requireAuth = array('*');
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
/**
|
|
|
|
* Sets the actions that require an HTTP-authenticated request, or empty for all actions
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function requireLogin() {
|
|
|
|
$args = func_get_args();
|
|
|
|
foreach ($args as $arg) {
|
|
|
|
if (is_array($arg)) {
|
|
|
|
$this->loginOptions = $arg;
|
|
|
|
} else {
|
|
|
|
$this->requireLogin[] = $arg;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (empty($this->requireLogin)) {
|
|
|
|
$this->requireLogin = array('*');
|
|
|
|
}
|
|
|
|
if (isset($this->loginOptions['users'])) {
|
|
|
|
$this->loginUsers =& $this->loginOptions['users'];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Gets the login credentials for an HTTP-authenticated request
|
|
|
|
*
|
|
|
|
* @param string $type Either 'basic', 'digest', or empty. If empty, will try both.
|
|
|
|
* @return mixed If successful, returns an array with login name and password, otherwise null.
|
|
|
|
*/
|
|
|
|
function loginCredentials($type = '') {
|
2006-05-26 05:29:17 +00:00
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
if ($type == '' || low($type) == 'basic') {
|
2006-06-16 20:06:11 +00:00
|
|
|
$login = array('username' => env('PHP_AUTH_USER'), 'password' => env('PHP_AUTH_PW'));
|
|
|
|
if ($login['username'] != null) {
|
2006-06-16 19:45:33 +00:00
|
|
|
return $login;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($type == '' || low($type) == 'digest') {
|
|
|
|
|
|
|
|
$digest = null;
|
|
|
|
if (version_compare(phpversion(), '5.1') != -1) {
|
|
|
|
$digest = env('PHP_AUTH_DIGEST');
|
|
|
|
|
|
|
|
} elseif (function_exists('apache_request_headers')) {
|
|
|
|
$headers = apache_request_headers();
|
|
|
|
if (isset($headers['Authorization']) && !empty($headers['Authorization'])) {
|
|
|
|
if (substr($headers['Authorization'], 0, 7) == 'Digest ') {
|
|
|
|
$digest = substr($headers['Authorization'], 7);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Server doesn't support digest-auth headers
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($digest == null) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
$data = $this->parseDigestAuthData($digest);
|
|
|
|
}
|
|
|
|
|
|
|
|
return null;
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
/**
|
|
|
|
* Sets the default login options for an HTTP-authenticated request
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function __setLoginDefaults(&$options) {
|
|
|
|
if (!isset($options['type']) || empty($options['type'])) {
|
|
|
|
$options['type'] = 'basic';
|
|
|
|
}
|
|
|
|
if (!isset($options['realm']) || empty($options['realm'])) {
|
|
|
|
$options['realm'] = env('SERVER_NAME');
|
|
|
|
}
|
|
|
|
if (!isset($options['qop']) || empty($options['qop'])) {
|
|
|
|
$options['qop'] = 'auth';
|
|
|
|
}
|
|
|
|
if (!isset($options['nonce']) || empty($options['nonce'])) {
|
|
|
|
$options['nonce'] = uniqid();
|
|
|
|
}
|
|
|
|
if (!isset($options['opaque']) || empty($options['opaque'])) {
|
|
|
|
$options['opaque'] = md5($options['realm']);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Generates the text of an HTTP-authentication request header from an array of options
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function loginRequest($options = array()) {
|
|
|
|
if (empty($options)) {
|
|
|
|
$options = $this->loginOptions;
|
|
|
|
}
|
|
|
|
$this->__setLoginDefaults($options);
|
|
|
|
$data = 'WWW-Authenticate: ' . ucfirst($options['type']);
|
|
|
|
$data .= ' realm="' . $options['realm'] . '"';
|
|
|
|
|
|
|
|
return $data;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Parses an HTTP digest authentication response, and returns an array of the data,
|
|
|
|
* or null on failure.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function parseDigestAuthData($digest) {
|
|
|
|
if (substr($digest, 0, 7) == 'Digest ') {
|
|
|
|
$digest = substr($digest, 7);
|
|
|
|
}
|
2006-05-26 05:29:17 +00:00
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
$keys = array();
|
|
|
|
$match = array();
|
|
|
|
$req = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
|
|
|
|
preg_match_all('@(\w+)=([\'"]?)([a-zA-Z0-9=./\_-]+)\2@', $digest, $match, PREG_SET_ORDER);
|
|
|
|
|
|
|
|
foreach ($match as $i) {
|
|
|
|
$keys[$i[1]] = $i[3];
|
|
|
|
unset($req[$i[1]]);
|
|
|
|
}
|
|
|
|
if (empty($req)) {
|
|
|
|
return $keys;
|
|
|
|
} else {
|
|
|
|
return null;
|
|
|
|
}
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2006-06-16 20:06:11 +00:00
|
|
|
/**
|
|
|
|
* Private method
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
function __callback(&$controller, $method, $params = array()) {
|
|
|
|
if (is_callable(array($controller, $method))) {
|
|
|
|
return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
|
|
|
|
} else {
|
|
|
|
// Debug::warning('Callback method ' . $method . ' in controller ' . get_class($controller)
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2006-03-12 00:03:24 +00:00
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
|
2006-03-12 00:03:24 +00:00
|
|
|
?>
|