diff -r bd595ad770fc -r 1c2f13fd785c web/enmi/Zend/Auth/Adapter/Http.php --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/web/enmi/Zend/Auth/Adapter/Http.php Thu Jan 20 19:30:54 2011 +0100 @@ -0,0 +1,869 @@ + 'basic'|'digest'|'basic digest' + * 'realm' => + * 'digest_domains' => Space-delimited list of URIs + * 'nonce_timeout' => + * 'use_opaque' => Whether to send the opaque value in the header + * 'alogrithm' => See $_supportedAlgos. Default: MD5 + * 'proxy_auth' => Whether to do authentication as a Proxy + * @throws Zend_Auth_Adapter_Exception + * @return void + */ + public function __construct(array $config) + { + if (!extension_loaded('hash')) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception(__CLASS__ . ' requires the \'hash\' extension'); + } + + $this->_request = null; + $this->_response = null; + $this->_ieNoOpaque = false; + + + if (empty($config['accept_schemes'])) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Config key \'accept_schemes\' is required'); + } + + $schemes = explode(' ', $config['accept_schemes']); + $this->_acceptSchemes = array_intersect($schemes, $this->_supportedSchemes); + if (empty($this->_acceptSchemes)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('No supported schemes given in \'accept_schemes\'. Valid values: ' + . implode(', ', $this->_supportedSchemes)); + } + + // Double-quotes are used to delimit the realm string in the HTTP header, + // and colons are field delimiters in the password file. + if (empty($config['realm']) || + !ctype_print($config['realm']) || + strpos($config['realm'], ':') !== false || + strpos($config['realm'], '"') !== false) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Config key \'realm\' is required, and must contain only printable ' + . 'characters, excluding quotation marks and colons'); + } else { + $this->_realm = $config['realm']; + } + + if (in_array('digest', $this->_acceptSchemes)) { + if (empty($config['digest_domains']) || + !ctype_print($config['digest_domains']) || + strpos($config['digest_domains'], '"') !== false) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Config key \'digest_domains\' is required, and must contain ' + . 'only printable characters, excluding quotation marks'); + } else { + $this->_domains = $config['digest_domains']; + } + + if (empty($config['nonce_timeout']) || + !is_numeric($config['nonce_timeout'])) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Config key \'nonce_timeout\' is required, and must be an ' + . 'integer'); + } else { + $this->_nonceTimeout = (int) $config['nonce_timeout']; + } + + // We use the opaque value unless explicitly told not to + if (isset($config['use_opaque']) && false == (bool) $config['use_opaque']) { + $this->_useOpaque = false; + } else { + $this->_useOpaque = true; + } + + if (isset($config['algorithm']) && in_array($config['algorithm'], $this->_supportedAlgos)) { + $this->_algo = $config['algorithm']; + } else { + $this->_algo = 'MD5'; + } + } + + // Don't be a proxy unless explicitly told to do so + if (isset($config['proxy_auth']) && true == (bool) $config['proxy_auth']) { + $this->_imaProxy = true; // I'm a Proxy + } else { + $this->_imaProxy = false; + } + } + + /** + * Setter for the _basicResolver property + * + * @param Zend_Auth_Adapter_Http_Resolver_Interface $resolver + * @return Zend_Auth_Adapter_Http Provides a fluent interface + */ + public function setBasicResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver) + { + $this->_basicResolver = $resolver; + + return $this; + } + + /** + * Getter for the _basicResolver property + * + * @return Zend_Auth_Adapter_Http_Resolver_Interface + */ + public function getBasicResolver() + { + return $this->_basicResolver; + } + + /** + * Setter for the _digestResolver property + * + * @param Zend_Auth_Adapter_Http_Resolver_Interface $resolver + * @return Zend_Auth_Adapter_Http Provides a fluent interface + */ + public function setDigestResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver) + { + $this->_digestResolver = $resolver; + + return $this; + } + + /** + * Getter for the _digestResolver property + * + * @return Zend_Auth_Adapter_Http_Resolver_Interface + */ + public function getDigestResolver() + { + return $this->_digestResolver; + } + + /** + * Setter for the Request object + * + * @param Zend_Controller_Request_Http $request + * @return Zend_Auth_Adapter_Http Provides a fluent interface + */ + public function setRequest(Zend_Controller_Request_Http $request) + { + $this->_request = $request; + + return $this; + } + + /** + * Getter for the Request object + * + * @return Zend_Controller_Request_Http + */ + public function getRequest() + { + return $this->_request; + } + + /** + * Setter for the Response object + * + * @param Zend_Controller_Response_Http $response + * @return Zend_Auth_Adapter_Http Provides a fluent interface + */ + public function setResponse(Zend_Controller_Response_Http $response) + { + $this->_response = $response; + + return $this; + } + + /** + * Getter for the Response object + * + * @return Zend_Controller_Response_Http + */ + public function getResponse() + { + return $this->_response; + } + + /** + * Authenticate + * + * @throws Zend_Auth_Adapter_Exception + * @return Zend_Auth_Result + */ + public function authenticate() + { + if (empty($this->_request) || + empty($this->_response)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Request and Response objects must be set before calling ' + . 'authenticate()'); + } + + if ($this->_imaProxy) { + $getHeader = 'Proxy-Authorization'; + } else { + $getHeader = 'Authorization'; + } + + $authHeader = $this->_request->getHeader($getHeader); + if (!$authHeader) { + return $this->_challengeClient(); + } + + list($clientScheme) = explode(' ', $authHeader); + $clientScheme = strtolower($clientScheme); + + // The server can issue multiple challenges, but the client should + // answer with only the selected auth scheme. + if (!in_array($clientScheme, $this->_supportedSchemes)) { + $this->_response->setHttpResponseCode(400); + return new Zend_Auth_Result( + Zend_Auth_Result::FAILURE_UNCATEGORIZED, + array(), + array('Client requested an incorrect or unsupported authentication scheme') + ); + } + + // client sent a scheme that is not the one required + if (!in_array($clientScheme, $this->_acceptSchemes)) { + // challenge again the client + return $this->_challengeClient(); + } + + switch ($clientScheme) { + case 'basic': + $result = $this->_basicAuth($authHeader); + break; + case 'digest': + $result = $this->_digestAuth($authHeader); + break; + default: + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Unsupported authentication scheme'); + } + + return $result; + } + + /** + * Challenge Client + * + * Sets a 401 or 407 Unauthorized response code, and creates the + * appropriate Authenticate header(s) to prompt for credentials. + * + * @return Zend_Auth_Result Always returns a non-identity Auth result + */ + protected function _challengeClient() + { + if ($this->_imaProxy) { + $statusCode = 407; + $headerName = 'Proxy-Authenticate'; + } else { + $statusCode = 401; + $headerName = 'WWW-Authenticate'; + } + + $this->_response->setHttpResponseCode($statusCode); + + // Send a challenge in each acceptable authentication scheme + if (in_array('basic', $this->_acceptSchemes)) { + $this->_response->setHeader($headerName, $this->_basicHeader()); + } + if (in_array('digest', $this->_acceptSchemes)) { + $this->_response->setHeader($headerName, $this->_digestHeader()); + } + return new Zend_Auth_Result( + Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, + array(), + array('Invalid or absent credentials; challenging client') + ); + } + + /** + * Basic Header + * + * Generates a Proxy- or WWW-Authenticate header value in the Basic + * authentication scheme. + * + * @return string Authenticate header value + */ + protected function _basicHeader() + { + return 'Basic realm="' . $this->_realm . '"'; + } + + /** + * Digest Header + * + * Generates a Proxy- or WWW-Authenticate header value in the Digest + * authentication scheme. + * + * @return string Authenticate header value + */ + protected function _digestHeader() + { + $wwwauth = 'Digest realm="' . $this->_realm . '", ' + . 'domain="' . $this->_domains . '", ' + . 'nonce="' . $this->_calcNonce() . '", ' + . ($this->_useOpaque ? 'opaque="' . $this->_calcOpaque() . '", ' : '') + . 'algorithm="' . $this->_algo . '", ' + . 'qop="' . implode(',', $this->_supportedQops) . '"'; + + return $wwwauth; + } + + /** + * Basic Authentication + * + * @param string $header Client's Authorization header + * @throws Zend_Auth_Adapter_Exception + * @return Zend_Auth_Result + */ + protected function _basicAuth($header) + { + if (empty($header)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('The value of the client Authorization header is required'); + } + if (empty($this->_basicResolver)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('A basicResolver object must be set before doing Basic ' + . 'authentication'); + } + + // Decode the Authorization header + $auth = substr($header, strlen('Basic ')); + $auth = base64_decode($auth); + if (!$auth) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Unable to base64_decode Authorization header value'); + } + + // See ZF-1253. Validate the credentials the same way the digest + // implementation does. If invalid credentials are detected, + // re-challenge the client. + if (!ctype_print($auth)) { + return $this->_challengeClient(); + } + // Fix for ZF-1515: Now re-challenges on empty username or password + $creds = array_filter(explode(':', $auth)); + if (count($creds) != 2) { + return $this->_challengeClient(); + } + + $password = $this->_basicResolver->resolve($creds[0], $this->_realm); + if ($password && $this->_secureStringCompare($password, $creds[1])) { + $identity = array('username'=>$creds[0], 'realm'=>$this->_realm); + return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity); + } else { + return $this->_challengeClient(); + } + } + + /** + * Digest Authentication + * + * @param string $header Client's Authorization header + * @throws Zend_Auth_Adapter_Exception + * @return Zend_Auth_Result Valid auth result only on successful auth + */ + protected function _digestAuth($header) + { + if (empty($header)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('The value of the client Authorization header is required'); + } + if (empty($this->_digestResolver)) { + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('A digestResolver object must be set before doing Digest authentication'); + } + + $data = $this->_parseDigestAuth($header); + if ($data === false) { + $this->_response->setHttpResponseCode(400); + return new Zend_Auth_Result( + Zend_Auth_Result::FAILURE_UNCATEGORIZED, + array(), + array('Invalid Authorization header format') + ); + } + + // See ZF-1052. This code was a bit too unforgiving of invalid + // usernames. Now, if the username is bad, we re-challenge the client. + if ('::invalid::' == $data['username']) { + return $this->_challengeClient(); + } + + // Verify that the client sent back the same nonce + if ($this->_calcNonce() != $data['nonce']) { + return $this->_challengeClient(); + } + // The opaque value is also required to match, but of course IE doesn't + // play ball. + if (!$this->_ieNoOpaque && $this->_calcOpaque() != $data['opaque']) { + return $this->_challengeClient(); + } + + // Look up the user's password hash. If not found, deny access. + // This makes no assumptions about how the password hash was + // constructed beyond that it must have been built in such a way as + // to be recreatable with the current settings of this object. + $ha1 = $this->_digestResolver->resolve($data['username'], $data['realm']); + if ($ha1 === false) { + return $this->_challengeClient(); + } + + // If MD5-sess is used, a1 value is made of the user's password + // hash with the server and client nonce appended, separated by + // colons. + if ($this->_algo == 'MD5-sess') { + $ha1 = hash('md5', $ha1 . ':' . $data['nonce'] . ':' . $data['cnonce']); + } + + // Calculate h(a2). The value of this hash depends on the qop + // option selected by the client and the supported hash functions + switch ($data['qop']) { + case 'auth': + $a2 = $this->_request->getMethod() . ':' . $data['uri']; + break; + case 'auth-int': + // Should be REQUEST_METHOD . ':' . uri . ':' . hash(entity-body), + // but this isn't supported yet, so fall through to default case + default: + /** + * @see Zend_Auth_Adapter_Exception + */ + require_once 'Zend/Auth/Adapter/Exception.php'; + throw new Zend_Auth_Adapter_Exception('Client requested an unsupported qop option'); + } + // Using hash() should make parameterizing the hash algorithm + // easier + $ha2 = hash('md5', $a2); + + + // Calculate the server's version of the request-digest. This must + // match $data['response']. See RFC 2617, section 3.2.2.1 + $message = $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $ha2; + $digest = hash('md5', $ha1 . ':' . $message); + + // If our digest matches the client's let them in, otherwise return + // a 401 code and exit to prevent access to the protected resource. + if ($this->_secureStringCompare($digest, $data['response'])) { + $identity = array('username'=>$data['username'], 'realm'=>$data['realm']); + return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity); + } else { + return $this->_challengeClient(); + } + } + + /** + * Calculate Nonce + * + * @return string The nonce value + */ + protected function _calcNonce() + { + // Once subtle consequence of this timeout calculation is that it + // actually divides all of time into _nonceTimeout-sized sections, such + // that the value of timeout is the point in time of the next + // approaching "boundary" of a section. This allows the server to + // consistently generate the same timeout (and hence the same nonce + // value) across requests, but only as long as one of those + // "boundaries" is not crossed between requests. If that happens, the + // nonce will change on its own, and effectively log the user out. This + // would be surprising if the user just logged in. + $timeout = ceil(time() / $this->_nonceTimeout) * $this->_nonceTimeout; + + $nonce = hash('md5', $timeout . ':' . $this->_request->getServer('HTTP_USER_AGENT') . ':' . __CLASS__); + return $nonce; + } + + /** + * Calculate Opaque + * + * The opaque string can be anything; the client must return it exactly as + * it was sent. It may be useful to store data in this string in some + * applications. Ideally, a new value for this would be generated each time + * a WWW-Authenticate header is sent (in order to reduce predictability), + * but we would have to be able to create the same exact value across at + * least two separate requests from the same client. + * + * @return string The opaque value + */ + protected function _calcOpaque() + { + return hash('md5', 'Opaque Data:' . __CLASS__); + } + + /** + * Parse Digest Authorization header + * + * @param string $header Client's Authorization: HTTP header + * @return array|false Data elements from header, or false if any part of + * the header is invalid + */ + protected function _parseDigestAuth($header) + { + $temp = null; + $data = array(); + + // See ZF-1052. Detect invalid usernames instead of just returning a + // 400 code. + $ret = preg_match('/username="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1]) + || !ctype_print($temp[1]) + || strpos($temp[1], ':') !== false) { + $data['username'] = '::invalid::'; + } else { + $data['username'] = $temp[1]; + } + $temp = null; + + $ret = preg_match('/realm="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (!ctype_print($temp[1]) || strpos($temp[1], ':') !== false) { + return false; + } else { + $data['realm'] = $temp[1]; + } + $temp = null; + + $ret = preg_match('/nonce="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (!ctype_xdigit($temp[1])) { + return false; + } else { + $data['nonce'] = $temp[1]; + } + $temp = null; + + $ret = preg_match('/uri="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + // Section 3.2.2.5 in RFC 2617 says the authenticating server must + // verify that the URI field in the Authorization header is for the + // same resource requested in the Request Line. + $rUri = @parse_url($this->_request->getRequestUri()); + $cUri = @parse_url($temp[1]); + if (false === $rUri || false === $cUri) { + return false; + } else { + // Make sure the path portion of both URIs is the same + if ($rUri['path'] != $cUri['path']) { + return false; + } + // Section 3.2.2.5 seems to suggest that the value of the URI + // Authorization field should be made into an absolute URI if the + // Request URI is absolute, but it's vague, and that's a bunch of + // code I don't want to write right now. + $data['uri'] = $temp[1]; + } + $temp = null; + + $ret = preg_match('/response="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (32 != strlen($temp[1]) || !ctype_xdigit($temp[1])) { + return false; + } else { + $data['response'] = $temp[1]; + } + $temp = null; + + // The spec says this should default to MD5 if omitted. OK, so how does + // that square with the algo we send out in the WWW-Authenticate header, + // if it can easily be overridden by the client? + $ret = preg_match('/algorithm="?(' . $this->_algo . ')"?/', $header, $temp); + if ($ret && !empty($temp[1]) + && in_array($temp[1], $this->_supportedAlgos)) { + $data['algorithm'] = $temp[1]; + } else { + $data['algorithm'] = 'MD5'; // = $this->_algo; ? + } + $temp = null; + + // Not optional in this implementation + $ret = preg_match('/cnonce="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (!ctype_print($temp[1])) { + return false; + } else { + $data['cnonce'] = $temp[1]; + } + $temp = null; + + // If the server sent an opaque value, the client must send it back + if ($this->_useOpaque) { + $ret = preg_match('/opaque="([^"]+)"/', $header, $temp); + if (!$ret || empty($temp[1])) { + + // Big surprise: IE isn't RFC 2617-compliant. + if (false !== strpos($this->_request->getHeader('User-Agent'), 'MSIE')) { + $temp[1] = ''; + $this->_ieNoOpaque = true; + } else { + return false; + } + } + // This implementation only sends MD5 hex strings in the opaque value + if (!$this->_ieNoOpaque && + (32 != strlen($temp[1]) || !ctype_xdigit($temp[1]))) { + return false; + } else { + $data['opaque'] = $temp[1]; + } + $temp = null; + } + + // Not optional in this implementation, but must be one of the supported + // qop types + $ret = preg_match('/qop="?(' . implode('|', $this->_supportedQops) . ')"?/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (!in_array($temp[1], $this->_supportedQops)) { + return false; + } else { + $data['qop'] = $temp[1]; + } + $temp = null; + + // Not optional in this implementation. The spec says this value + // shouldn't be a quoted string, but apparently some implementations + // quote it anyway. See ZF-1544. + $ret = preg_match('/nc="?([0-9A-Fa-f]{8})"?/', $header, $temp); + if (!$ret || empty($temp[1])) { + return false; + } + if (8 != strlen($temp[1]) || !ctype_xdigit($temp[1])) { + return false; + } else { + $data['nc'] = $temp[1]; + } + $temp = null; + + return $data; + } + + /** + * Securely compare two strings for equality while avoided C level memcmp() + * optimisations capable of leaking timing information useful to an attacker + * attempting to iteratively guess the unknown string (e.g. password) being + * compared against. + * + * @param string $a + * @param string $b + * @return bool + */ + protected function _secureStringCompare($a, $b) + { + if (strlen($a) !== strlen($b)) { + return false; + } + $result = 0; + for ($i = 0; $i < strlen($a); $i++) { + $result |= ord($a[$i]) ^ ord($b[$i]); + } + return $result == 0; + } +}