1<?php
2
3namespace dokuwiki\Extension;
4
5/**
6 * Auth Plugin Prototype
7 *
8 * allows to authenticate users in a plugin
9 *
10 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
11 * @author     Chris Smith <chris@jalakai.co.uk>
12 * @author     Jan Schumann <js@jschumann-it.com>
13 */
14abstract class AuthPlugin extends Plugin
15{
16    public $success = true;
17
18    /**
19     * Possible things an auth backend module may be able to
20     * do. The things a backend can do need to be set to true
21     * in the constructor.
22     */
23    protected $cando = [
24        'addUser' => false, // can Users be created?
25        'delUser' => false, // can Users be deleted?
26        'modLogin' => false, // can login names be changed?
27        'modPass' => false, // can passwords be changed?
28        'modName' => false, // can real names be changed?
29        'modMail' => false, // can emails be changed?
30        'modGroups' => false, // can groups be changed?
31        'getUsers' => false, // can a (filtered) list of users be retrieved?
32        'getUserCount' => false, // can the number of users be retrieved?
33        'getGroups' => false, // can a list of available groups be retrieved?
34        'external' => false, // does the module do external auth checking?
35        'logout' => true, // can the user logout again? (eg. not possible with HTTP auth)
36    ];
37
38    /**
39     * Constructor.
40     *
41     * Carry out sanity checks to ensure the object is
42     * able to operate. Set capabilities in $this->cando
43     * array here
44     *
45     * For future compatibility, sub classes should always include a call
46     * to parent::__constructor() in their constructors!
47     *
48     * Set $this->success to false if checks fail
49     *
50     * @author  Christopher Smith <chris@jalakai.co.uk>
51     */
52    public function __construct()
53    {
54        // the base class constructor does nothing, derived class
55        // constructors do the real work
56    }
57
58    /**
59     * Available Capabilities. [ DO NOT OVERRIDE ]
60     *
61     * For introspection/debugging
62     *
63     * @author  Christopher Smith <chris@jalakai.co.uk>
64     * @return  array
65     */
66    public function getCapabilities()
67    {
68        return array_keys($this->cando);
69    }
70
71    /**
72     * Capability check. [ DO NOT OVERRIDE ]
73     *
74     * Checks the capabilities set in the $this->cando array and
75     * some pseudo capabilities (shortcutting access to multiple
76     * ones)
77     *
78     * ususal capabilities start with lowercase letter
79     * shortcut capabilities start with uppercase letter
80     *
81     * @author  Andreas Gohr <andi@splitbrain.org>
82     * @param   string $cap the capability to check
83     * @return  bool
84     */
85    public function canDo($cap)
86    {
87        switch ($cap) {
88            case 'Profile':
89                // can at least one of the user's properties be changed?
90                return ($this->cando['modPass'] ||
91                    $this->cando['modName'] ||
92                    $this->cando['modMail']);
93            case 'UserMod':
94                // can at least anything be changed?
95                return ($this->cando['modPass'] ||
96                    $this->cando['modName'] ||
97                    $this->cando['modMail'] ||
98                    $this->cando['modLogin'] ||
99                    $this->cando['modGroups'] ||
100                    $this->cando['modMail']);
101            default:
102                // print a helping message for developers
103                if (!isset($this->cando[$cap])) {
104                    msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?", -1);
105                }
106                return $this->cando[$cap];
107        }
108    }
109
110    /**
111     * Trigger the AUTH_USERDATA_CHANGE event and call the modification function. [ DO NOT OVERRIDE ]
112     *
113     * You should use this function instead of calling createUser, modifyUser or
114     * deleteUsers directly. The event handlers can prevent the modification, for
115     * example for enforcing a user name schema.
116     *
117     * @author Gabriel Birke <birke@d-scribe.de>
118     * @param string $type Modification type ('create', 'modify', 'delete')
119     * @param array $params Parameters for the createUser, modifyUser or deleteUsers method.
120     *                       The content of this array depends on the modification type
121     * @return bool|null|int Result from the modification function or false if an event handler has canceled the action
122     */
123    public function triggerUserMod($type, $params)
124    {
125        $validTypes = [
126            'create' => 'createUser',
127            'modify' => 'modifyUser',
128            'delete' => 'deleteUsers'
129        ];
130        if (empty($validTypes[$type])) {
131            return false;
132        }
133
134        $result = false;
135        $eventdata = ['type' => $type, 'params' => $params, 'modification_result' => null];
136        $evt = new Event('AUTH_USER_CHANGE', $eventdata);
137        if ($evt->advise_before(true)) {
138            $result = call_user_func_array([$this, $validTypes[$type]], $evt->data['params']);
139            $evt->data['modification_result'] = $result;
140        }
141        $evt->advise_after();
142        unset($evt);
143        return $result;
144    }
145
146    /**
147     * Log off the current user [ OPTIONAL ]
148     *
149     * Is run in addition to the ususal logoff method. Should
150     * only be needed when trustExternal is implemented.
151     *
152     * @see     auth_logoff()
153     * @author  Andreas Gohr <andi@splitbrain.org>
154     */
155    public function logOff()
156    {
157    }
158
159    /**
160     * Do all authentication [ OPTIONAL ]
161     *
162     * Set $this->cando['external'] = true when implemented
163     *
164     * If this function is implemented it will be used to
165     * authenticate a user - all other DokuWiki internals
166     * will not be used for authenticating (except this
167     * function returns null, in which case, DokuWiki will
168     * still run auth_login as a fallback, which may call
169     * checkPass()). If this function is not returning null,
170     * implementing checkPass() is not needed here anymore.
171     *
172     * The function can be used to authenticate against third
173     * party cookies or Apache auth mechanisms and replaces
174     * the auth_login() function
175     *
176     * The function will be called with or without a set
177     * username. If the Username is given it was called
178     * from the login form and the given credentials might
179     * need to be checked. If no username was given it
180     * the function needs to check if the user is logged in
181     * by other means (cookie, environment).
182     *
183     * The function needs to set some globals needed by
184     * DokuWiki like auth_login() does.
185     *
186     * @see     auth_login()
187     * @author  Andreas Gohr <andi@splitbrain.org>
188     *
189     * @param   string $user Username
190     * @param   string $pass Cleartext Password
191     * @param   bool $sticky Cookie should not expire
192     * @return  bool         true on successful auth,
193     *                       null on unknown result (fallback to checkPass)
194     */
195    public function trustExternal($user, $pass, $sticky = false)
196    {
197        /* some example:
198
199        global $USERINFO;
200        global $conf;
201        $sticky ? $sticky = true : $sticky = false; //sanity check
202
203        // do the checking here
204
205        // set the globals if authed
206        $USERINFO['name'] = 'FIXME';
207        $USERINFO['mail'] = 'FIXME';
208        $USERINFO['grps'] = array('FIXME');
209        $_SERVER['REMOTE_USER'] = $user;
210        $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
211        $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
212        $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
213        return true;
214
215        */
216    }
217
218    /**
219     * Check user+password [ MUST BE OVERRIDDEN ]
220     *
221     * Checks if the given user exists and the given
222     * plaintext password is correct
223     *
224     * May be ommited if trustExternal is used.
225     *
226     * @author  Andreas Gohr <andi@splitbrain.org>
227     * @param   string $user the user name
228     * @param   string $pass the clear text password
229     * @return  bool
230     */
231    public function checkPass($user, $pass)
232    {
233        msg("no valid authorisation system in use", -1);
234        return false;
235    }
236
237    /**
238     * Return user info [ MUST BE OVERRIDDEN ]
239     *
240     * Returns info about the given user needs to contain
241     * at least these fields:
242     *
243     * name string  full name of the user
244     * mail string  email address of the user
245     * grps array   list of groups the user is in
246     *
247     * @author  Andreas Gohr <andi@splitbrain.org>
248     * @param   string $user the user name
249     * @param   bool $requireGroups whether or not the returned data must include groups
250     * @return  false|array containing user data or false
251     */
252    public function getUserData($user, $requireGroups = true)
253    {
254        if (!$this->cando['external']) msg("no valid authorisation system in use", -1);
255        return false;
256    }
257
258    /**
259     * Create a new User [implement only where required/possible]
260     *
261     * Returns false if the user already exists, null when an error
262     * occurred and true if everything went well.
263     *
264     * The new user HAS TO be added to the default group by this
265     * function!
266     *
267     * Set addUser capability when implemented
268     *
269     * @author  Andreas Gohr <andi@splitbrain.org>
270     * @param  string $user
271     * @param  string $pass
272     * @param  string $name
273     * @param  string $mail
274     * @param  null|array $grps
275     * @return bool|null
276     */
277    public function createUser($user, $pass, $name, $mail, $grps = null)
278    {
279        msg("authorisation method does not allow creation of new users", -1);
280        return null;
281    }
282
283    /**
284     * Modify user data [implement only where required/possible]
285     *
286     * Set the mod* capabilities according to the implemented features
287     *
288     * @author  Chris Smith <chris@jalakai.co.uk>
289     * @param   string $user nick of the user to be changed
290     * @param   array $changes array of field/value pairs to be changed (password will be clear text)
291     * @return  bool
292     */
293    public function modifyUser($user, $changes)
294    {
295        msg("authorisation method does not allow modifying of user data", -1);
296        return false;
297    }
298
299    /**
300     * Delete one or more users [implement only where required/possible]
301     *
302     * Set delUser capability when implemented
303     *
304     * @author  Chris Smith <chris@jalakai.co.uk>
305     * @param   array $users
306     * @return  int    number of users deleted
307     */
308    public function deleteUsers($users)
309    {
310        msg("authorisation method does not allow deleting of users", -1);
311        return 0;
312    }
313
314    /**
315     * Return a count of the number of user which meet $filter criteria
316     * [should be implemented whenever retrieveUsers is implemented]
317     *
318     * Set getUserCount capability when implemented
319     *
320     * @author Chris Smith <chris@jalakai.co.uk>
321     * @param  array $filter array of field/pattern pairs, empty array for no filter
322     * @return int
323     */
324    public function getUserCount($filter = [])
325    {
326        msg("authorisation method does not provide user counts", -1);
327        return 0;
328    }
329
330    /**
331     * Bulk retrieval of user data [implement only where required/possible]
332     *
333     * Set getUsers capability when implemented
334     *
335     * @author  Chris Smith <chris@jalakai.co.uk>
336     * @param   int $start index of first user to be returned
337     * @param   int $limit max number of users to be returned, 0 for unlimited
338     * @param   array $filter array of field/pattern pairs, null for no filter
339     * @return  array list of userinfo (refer getUserData for internal userinfo details)
340     */
341    public function retrieveUsers($start = 0, $limit = 0, $filter = null)
342    {
343        msg("authorisation method does not support mass retrieval of user data", -1);
344        return [];
345    }
346
347    /**
348     * Define a group [implement only where required/possible]
349     *
350     * Set addGroup capability when implemented
351     *
352     * @author  Chris Smith <chris@jalakai.co.uk>
353     * @param   string $group
354     * @return  bool
355     */
356    public function addGroup($group)
357    {
358        msg("authorisation method does not support independent group creation", -1);
359        return false;
360    }
361
362    /**
363     * Retrieve groups [implement only where required/possible]
364     *
365     * Set getGroups capability when implemented
366     *
367     * @author  Chris Smith <chris@jalakai.co.uk>
368     * @param   int $start
369     * @param   int $limit
370     * @return  array
371     */
372    public function retrieveGroups($start = 0, $limit = 0)
373    {
374        msg("authorisation method does not support group list retrieval", -1);
375        return [];
376    }
377
378    /**
379     * Return case sensitivity of the backend [OPTIONAL]
380     *
381     * When your backend is caseinsensitive (eg. you can login with USER and
382     * user) then you need to overwrite this method and return false
383     *
384     * @return bool
385     */
386    public function isCaseSensitive()
387    {
388        return true;
389    }
390
391    /**
392     * Sanitize a given username [OPTIONAL]
393     *
394     * This function is applied to any user name that is given to
395     * the backend and should also be applied to any user name within
396     * the backend before returning it somewhere.
397     *
398     * This should be used to enforce username restrictions.
399     *
400     * @author Andreas Gohr <andi@splitbrain.org>
401     * @param string $user username
402     * @return string the cleaned username
403     */
404    public function cleanUser($user)
405    {
406        return $user;
407    }
408
409    /**
410     * Sanitize a given groupname [OPTIONAL]
411     *
412     * This function is applied to any groupname that is given to
413     * the backend and should also be applied to any groupname within
414     * the backend before returning it somewhere.
415     *
416     * This should be used to enforce groupname restrictions.
417     *
418     * Groupnames are to be passed without a leading '@' here.
419     *
420     * @author Andreas Gohr <andi@splitbrain.org>
421     * @param  string $group groupname
422     * @return string the cleaned groupname
423     */
424    public function cleanGroup($group)
425    {
426        return $group;
427    }
428
429    /**
430     * Check Session Cache validity [implement only where required/possible]
431     *
432     * DokuWiki caches user info in the user's session for the timespan defined
433     * in $conf['auth_security_timeout'].
434     *
435     * This makes sure slow authentication backends do not slow down DokuWiki.
436     * This also means that changes to the user database will not be reflected
437     * on currently logged in users.
438     *
439     * To accommodate for this, the user manager plugin will touch a reference
440     * file whenever a change is submitted. This function compares the filetime
441     * of this reference file with the time stored in the session.
442     *
443     * This reference file mechanism does not reflect changes done directly in
444     * the backend's database through other means than the user manager plugin.
445     *
446     * Fast backends might want to return always false, to force rechecks on
447     * each page load. Others might want to use their own checking here. If
448     * unsure, do not override.
449     *
450     * @param  string $user - The username
451     * @author Andreas Gohr <andi@splitbrain.org>
452     * @return bool
453     */
454    public function useSessionCache($user)
455    {
456        global $conf;
457        return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'] . '/sessionpurge'));
458    }
459}
460