1<?php 2/** 3 * DokuWiki Plugin authpdo (Auth Component) 4 * 5 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html 6 * @author Andreas Gohr <andi@splitbrain.org> 7 */ 8 9// must be run within Dokuwiki 10if(!defined('DOKU_INC')) die(); 11 12/** 13 * Class auth_plugin_authpdo 14 */ 15class auth_plugin_authpdo extends DokuWiki_Auth_Plugin { 16 17 /** @var PDO */ 18 protected $pdo; 19 20 /** @var null|array The list of all groups */ 21 protected $groupcache = null; 22 23 /** 24 * Constructor. 25 */ 26 public function __construct() { 27 parent::__construct(); // for compatibility 28 29 if(!class_exists('PDO')) { 30 $this->_debug('PDO extension for PHP not found.', -1, __LINE__); 31 $this->success = false; 32 return; 33 } 34 35 if(!$this->getConf('dsn')) { 36 $this->_debug('No DSN specified', -1, __LINE__); 37 $this->success = false; 38 return; 39 } 40 41 try { 42 $this->pdo = new PDO( 43 $this->getConf('dsn'), 44 $this->getConf('user'), 45 conf_decodeString($this->getConf('pass')), 46 array( 47 PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, // always fetch as array 48 PDO::ATTR_EMULATE_PREPARES => true, // emulating prepares allows us to reuse param names 49 PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // we want exceptions, not error codes 50 ) 51 ); 52 } catch(PDOException $e) { 53 $this->_debug($e); 54 msg($this->getLang('connectfail'), -1); 55 $this->success = false; 56 return; 57 } 58 59 // can Users be created? 60 $this->cando['addUser'] = $this->_chkcnf( 61 array( 62 'select-user', 63 'select-user-groups', 64 'select-groups', 65 'insert-user', 66 'insert-group', 67 'join-group' 68 ) 69 ); 70 71 // can Users be deleted? 72 $this->cando['delUser'] = $this->_chkcnf( 73 array( 74 'select-user', 75 'select-user-groups', 76 'select-groups', 77 'leave-group', 78 'delete-user' 79 ) 80 ); 81 82 // can login names be changed? 83 $this->cando['modLogin'] = $this->_chkcnf( 84 array( 85 'select-user', 86 'select-user-groups', 87 'update-user-login' 88 ) 89 ); 90 91 // can passwords be changed? 92 $this->cando['modPass'] = $this->_chkcnf( 93 array( 94 'select-user', 95 'select-user-groups', 96 'update-user-pass' 97 ) 98 ); 99 100 // can real names be changed? 101 $this->cando['modName'] = $this->_chkcnf( 102 array( 103 'select-user', 104 'select-user-groups', 105 'update-user-info:name' 106 ) 107 ); 108 109 // can real email be changed? 110 $this->cando['modMail'] = $this->_chkcnf( 111 array( 112 'select-user', 113 'select-user-groups', 114 'update-user-info:mail' 115 ) 116 ); 117 118 // can groups be changed? 119 $this->cando['modGroups'] = $this->_chkcnf( 120 array( 121 'select-user', 122 'select-user-groups', 123 'select-groups', 124 'leave-group', 125 'join-group', 126 'insert-group' 127 ) 128 ); 129 130 // can a filtered list of users be retrieved? 131 $this->cando['getUsers'] = $this->_chkcnf( 132 array( 133 'list-users' 134 ) 135 ); 136 137 // can the number of users be retrieved? 138 $this->cando['getUserCount'] = $this->_chkcnf( 139 array( 140 'count-users' 141 ) 142 ); 143 144 // can a list of available groups be retrieved? 145 $this->cando['getGroups'] = $this->_chkcnf( 146 array( 147 'select-groups' 148 ) 149 ); 150 151 $this->success = true; 152 } 153 154 /** 155 * Check user+password 156 * 157 * @param string $user the user name 158 * @param string $pass the clear text password 159 * @return bool 160 */ 161 public function checkPass($user, $pass) { 162 163 $userdata = $this->_selectUser($user); 164 if($userdata == false) return false; 165 166 // password checking done in SQL? 167 if($this->_chkcnf(array('check-pass'))) { 168 $userdata['clear'] = $pass; 169 $userdata['hash'] = auth_cryptPassword($pass); 170 $result = $this->_query($this->getConf('check-pass'), $userdata); 171 if($result === false) return false; 172 return (count($result) == 1); 173 } 174 175 // we do password checking on our own 176 if(isset($userdata['hash'])) { 177 // hashed password 178 $passhash = new PassHash(); 179 return $passhash->verify_hash($pass, $userdata['hash']); 180 } else { 181 // clear text password in the database O_o 182 return ($pass === $userdata['clear']); 183 } 184 } 185 186 /** 187 * Return user info 188 * 189 * Returns info about the given user needs to contain 190 * at least these fields: 191 * 192 * name string full name of the user 193 * mail string email addres of the user 194 * grps array list of groups the user is in 195 * 196 * @param string $user the user name 197 * @param bool $requireGroups whether or not the returned data must include groups 198 * @return array|bool containing user data or false 199 */ 200 public function getUserData($user, $requireGroups = true) { 201 $data = $this->_selectUser($user); 202 if($data == false) return false; 203 204 if(isset($data['hash'])) unset($data['hash']); 205 if(isset($data['clean'])) unset($data['clean']); 206 207 if($requireGroups) { 208 $data['grps'] = $this->_selectUserGroups($data); 209 if($data['grps'] === false) return false; 210 } 211 212 return $data; 213 } 214 215 /** 216 * Create a new User [implement only where required/possible] 217 * 218 * Returns false if the user already exists, null when an error 219 * occurred and true if everything went well. 220 * 221 * The new user HAS TO be added to the default group by this 222 * function! 223 * 224 * Set addUser capability when implemented 225 * 226 * @param string $user 227 * @param string $clear 228 * @param string $name 229 * @param string $mail 230 * @param null|array $grps 231 * @return bool|null 232 */ 233 public function createUser($user, $clear, $name, $mail, $grps = null) { 234 global $conf; 235 236 if(($info = $this->getUserData($user, false)) !== false) { 237 msg($this->getLang('userexists'), -1); 238 return false; // user already exists 239 } 240 241 // prepare data 242 if($grps == null) $grps = array(); 243 array_unshift($grps, $conf['defaultgroup']); 244 $grps = array_unique($grps); 245 $hash = auth_cryptPassword($clear); 246 $userdata = compact('user', 'clear', 'hash', 'name', 'mail'); 247 248 // action protected by transaction 249 $this->pdo->beginTransaction(); 250 { 251 // insert the user 252 $ok = $this->_query($this->getConf('insert-user'), $userdata); 253 if($ok === false) goto FAIL; 254 $userdata = $this->getUserData($user, false); 255 if($userdata === false) goto FAIL; 256 257 // create all groups that do not exist, the refetch the groups 258 $allgroups = $this->_selectGroups(); 259 foreach($grps as $group) { 260 if(!isset($allgroups[$group])) { 261 $ok = $this->addGroup($group); 262 if($ok === false) goto FAIL; 263 } 264 } 265 $allgroups = $this->_selectGroups(); 266 267 // add user to the groups 268 foreach($grps as $group) { 269 $ok = $this->_joinGroup($userdata, $allgroups[$group]); 270 if($ok === false) goto FAIL; 271 } 272 } 273 $this->pdo->commit(); 274 return true; 275 276 // something went wrong, rollback 277 FAIL: 278 $this->pdo->rollBack(); 279 $this->_debug('Transaction rolled back', 0, __LINE__); 280 msg($this->getLang('writefail'), -1); 281 return null; // return error 282 } 283 284 /** 285 * Modify user data 286 * 287 * @param string $user nick of the user to be changed 288 * @param array $changes array of field/value pairs to be changed (password will be clear text) 289 * @return bool 290 */ 291 public function modifyUser($user, $changes) { 292 // secure everything in transaction 293 $this->pdo->beginTransaction(); 294 { 295 $olddata = $this->getUserData($user); 296 $oldgroups = $olddata['grps']; 297 unset($olddata['grps']); 298 299 // changing the user name? 300 if(isset($changes['user'])) { 301 if($this->getUserData($changes['user'], false)) goto FAIL; 302 $params = $olddata; 303 $params['newlogin'] = $changes['user']; 304 305 $ok = $this->_query($this->getConf('update-user-login'), $params); 306 if($ok === false) goto FAIL; 307 } 308 309 // changing the password? 310 if(isset($changes['pass'])) { 311 $params = $olddata; 312 $params['clear'] = $changes['pass']; 313 $params['hash'] = auth_cryptPassword($changes['pass']); 314 315 $ok = $this->_query($this->getConf('update-user-pass'), $params); 316 if($ok === false) goto FAIL; 317 } 318 319 // changing info? 320 if(isset($changes['mail']) || isset($changes['name'])) { 321 $params = $olddata; 322 if(isset($changes['mail'])) $params['mail'] = $changes['mail']; 323 if(isset($changes['name'])) $params['name'] = $changes['name']; 324 325 $ok = $this->_query($this->getConf('update-user-info'), $params); 326 if($ok === false) goto FAIL; 327 } 328 329 // changing groups? 330 if(isset($changes['grps'])) { 331 $allgroups = $this->_selectGroups(); 332 333 // remove membership for previous groups 334 foreach($oldgroups as $group) { 335 if(!in_array($group, $changes['grps']) && isset($allgroups[$group])) { 336 $ok = $this->_leaveGroup($olddata, $allgroups[$group]); 337 if($ok === false) goto FAIL; 338 } 339 } 340 341 // create all new groups that are missing 342 $added = 0; 343 foreach($changes['grps'] as $group) { 344 if(!isset($allgroups[$group])) { 345 $ok = $this->addGroup($group); 346 if($ok === false) goto FAIL; 347 $added++; 348 } 349 } 350 // reload group info 351 if($added > 0) $allgroups = $this->_selectGroups(); 352 353 // add membership for new groups 354 foreach($changes['grps'] as $group) { 355 if(!in_array($group, $oldgroups)) { 356 $ok = $this->_joinGroup($olddata, $allgroups[$group]); 357 if($ok === false) goto FAIL; 358 } 359 } 360 } 361 362 } 363 $this->pdo->commit(); 364 return true; 365 366 // something went wrong, rollback 367 FAIL: 368 $this->pdo->rollBack(); 369 $this->_debug('Transaction rolled back', 0, __LINE__); 370 msg($this->getLang('writefail'), -1); 371 return false; // return error 372 } 373 374 /** 375 * Delete one or more users 376 * 377 * Set delUser capability when implemented 378 * 379 * @param array $users 380 * @return int number of users deleted 381 */ 382 public function deleteUsers($users) { 383 $count = 0; 384 foreach($users as $user) { 385 if($this->_deleteUser($user)) $count++; 386 } 387 return $count; 388 } 389 390 /** 391 * Bulk retrieval of user data [implement only where required/possible] 392 * 393 * Set getUsers capability when implemented 394 * 395 * @param int $start index of first user to be returned 396 * @param int $limit max number of users to be returned 397 * @param array $filter array of field/pattern pairs, null for no filter 398 * @return array list of userinfo (refer getUserData for internal userinfo details) 399 */ 400 public function retrieveUsers($start = 0, $limit = -1, $filter = null) { 401 if($limit < 0) $limit = 10000; // we don't support no limit 402 if(is_null($filter)) $filter = array(); 403 404 foreach(array('user', 'name', 'mail', 'group') as $key) { 405 if(!isset($filter[$key])) { 406 $filter[$key] = '%'; 407 } else { 408 $filter[$key] = '%' . $filter[$key] . '%'; 409 } 410 } 411 $filter['start'] = (int) $start; 412 $filter['end'] = (int) $start + $limit; 413 $filter['limit'] = (int) $limit; 414 415 $result = $this->_query($this->getConf('list-users'), $filter); 416 if(!$result) return array(); 417 $users = array(); 418 foreach($result as $row) { 419 if(!isset($row['user'])) { 420 $this->_debug("Statement did not return 'user' attribute", -1, __LINE__); 421 return array(); 422 } 423 $users[] = $row['user']; 424 } 425 return $users; 426 } 427 428 /** 429 * Return a count of the number of user which meet $filter criteria 430 * 431 * @param array $filter array of field/pattern pairs, empty array for no filter 432 * @return int 433 */ 434 public function getUserCount($filter = array()) { 435 if(is_null($filter)) $filter = array(); 436 437 foreach(array('user', 'name', 'mail', 'group') as $key) { 438 if(!isset($filter[$key])) { 439 $filter[$key] = '%'; 440 } else { 441 $filter[$key] = '%' . $filter[$key] . '%'; 442 } 443 } 444 445 $result = $this->_query($this->getConf('count-users'), $filter); 446 if(!$result || !isset($result[0]['count'])) { 447 $this->_debug("Statement did not return 'count' attribute", -1, __LINE__); 448 } 449 return isset($result[0]['count']); 450 } 451 452 /** 453 * Create a new group with the given name 454 * 455 * @param string $group 456 * @return bool 457 */ 458 public function addGroup($group) { 459 $sql = $this->getConf('insert-group'); 460 461 $result = $this->_query($sql, array(':group' => $group)); 462 $this->_clearGroupCache(); 463 if($result === false) return false; 464 return true; 465 } 466 467 /** 468 * Retrieve groups 469 * 470 * Set getGroups capability when implemented 471 * 472 * @param int $start 473 * @param int $limit 474 * @return array 475 */ 476 public function retrieveGroups($start = 0, $limit = 0) { 477 $groups = array_keys($this->_selectGroups()); 478 if($groups === false) return array(); 479 480 if(!$limit) { 481 return array_splice($groups, $start); 482 } else { 483 return array_splice($groups, $start, $limit); 484 } 485 } 486 487 /** 488 * Select data of a specified user 489 * 490 * @param string $user the user name 491 * @return bool|array user data, false on error 492 */ 493 protected function _selectUser($user) { 494 $sql = $this->getConf('select-user'); 495 496 $result = $this->_query($sql, array(':user' => $user)); 497 if(!$result) return false; 498 499 if(count($result) > 1) { 500 $this->_debug('Found more than one matching user', -1, __LINE__); 501 return false; 502 } 503 504 $data = array_shift($result); 505 $dataok = true; 506 507 if(!isset($data['user'])) { 508 $this->_debug("Statement did not return 'user' attribute", -1, __LINE__); 509 $dataok = false; 510 } 511 if(!isset($data['hash']) && !isset($data['clear']) && !$this->_chkcnf(array('check-pass'))) { 512 $this->_debug("Statement did not return 'clear' or 'hash' attribute", -1, __LINE__); 513 $dataok = false; 514 } 515 if(!isset($data['name'])) { 516 $this->_debug("Statement did not return 'name' attribute", -1, __LINE__); 517 $dataok = false; 518 } 519 if(!isset($data['mail'])) { 520 $this->_debug("Statement did not return 'mail' attribute", -1, __LINE__); 521 $dataok = false; 522 } 523 524 if(!$dataok) return false; 525 return $data; 526 } 527 528 /** 529 * Delete a user after removing all their group memberships 530 * 531 * @param string $user 532 * @return bool true when the user was deleted 533 */ 534 protected function _deleteUser($user) { 535 $this->pdo->beginTransaction(); 536 { 537 $userdata = $this->getUserData($user); 538 if($userdata === false) goto FAIL; 539 $allgroups = $this->_selectGroups(); 540 541 // remove group memberships (ignore errors) 542 foreach($userdata['grps'] as $group) { 543 if(isset($allgroups[$group])) { 544 $this->_leaveGroup($userdata, $allgroups[$group]); 545 } 546 } 547 548 $ok = $this->_query($this->getConf('delete-user'), $userdata); 549 if($ok === false) goto FAIL; 550 } 551 $this->pdo->commit(); 552 return true; 553 554 FAIL: 555 $this->pdo->rollBack(); 556 return false; 557 } 558 559 /** 560 * Select all groups of a user 561 * 562 * @param array $userdata The userdata as returned by _selectUser() 563 * @return array|bool list of group names, false on error 564 */ 565 protected function _selectUserGroups($userdata) { 566 global $conf; 567 $sql = $this->getConf('select-user-groups'); 568 $result = $this->_query($sql, $userdata); 569 if($result === false) return false; 570 571 $groups = array($conf['defaultgroup']); // always add default config 572 foreach($result as $row) { 573 if(!isset($row['group'])) { 574 $this->_debug("No 'group' field returned in select-user-groups statement"); 575 return false; 576 } 577 $groups[] = $row['group']; 578 } 579 580 $groups = array_unique($groups); 581 sort($groups); 582 return $groups; 583 } 584 585 /** 586 * Select all available groups 587 * 588 * @return array|bool list of all available groups and their properties 589 */ 590 protected function _selectGroups() { 591 if($this->groupcache) return $this->groupcache; 592 593 $sql = $this->getConf('select-groups'); 594 $result = $this->_query($sql); 595 if($result === false) return false; 596 597 $groups = array(); 598 foreach($result as $row) { 599 if(!isset($row['group'])) { 600 $this->_debug("No 'group' field returned from select-groups statement", -1, __LINE__); 601 return false; 602 } 603 604 // relayout result with group name as key 605 $group = $row['group']; 606 $groups[$group] = $row; 607 } 608 609 ksort($groups); 610 return $groups; 611 } 612 613 /** 614 * Remove all entries from the group cache 615 */ 616 protected function _clearGroupCache() { 617 $this->groupcache = null; 618 } 619 620 /** 621 * Adds the user to the group 622 * 623 * @param array $userdata all the user data 624 * @param array $groupdata all the group data 625 * @return bool 626 */ 627 protected function _joinGroup($userdata, $groupdata) { 628 $data = array_merge($userdata, $groupdata); 629 $sql = $this->getConf('join-group'); 630 $result = $this->_query($sql, $data); 631 if($result === false) return false; 632 return true; 633 } 634 635 /** 636 * Removes the user from the group 637 * 638 * @param array $userdata all the user data 639 * @param array $groupdata all the group data 640 * @return bool 641 */ 642 protected function _leaveGroup($userdata, $groupdata) { 643 $data = array_merge($userdata, $groupdata); 644 $sql = $this->getConf('leave-group'); 645 $result = $this->_query($sql, $data); 646 if($result === false) return false; 647 return true; 648 } 649 650 /** 651 * Executes a query 652 * 653 * @param string $sql The SQL statement to execute 654 * @param array $arguments Named parameters to be used in the statement 655 * @return array|int|bool The result as associative array for SELECTs, affected rows for others, false on error 656 */ 657 protected function _query($sql, $arguments = array()) { 658 $sql = trim($sql); 659 if(empty($sql)) { 660 $this->_debug('No SQL query given', -1, __LINE__); 661 return false; 662 } 663 664 // execute 665 $params = array(); 666 $sth = $this->pdo->prepare($sql); 667 try { 668 // prepare parameters - we only use those that exist in the SQL 669 foreach($arguments as $key => $value) { 670 if(is_array($value)) continue; 671 if(is_object($value)) continue; 672 if($key[0] != ':') $key = ":$key"; // prefix with colon if needed 673 if(strpos($sql, $key) === false) continue; // skip if parameter is missing 674 675 if(is_int($value)) { 676 $sth->bindValue($key, $value, PDO::PARAM_INT); 677 } else { 678 $sth->bindValue($key, $value); 679 } 680 $params[$key] = $value; //remember for debugging 681 } 682 683 $sth->execute(); 684 if(strtolower(substr($sql, 0, 6)) == 'select') { 685 $result = $sth->fetchAll(); 686 } else { 687 $result = $sth->rowCount(); 688 } 689 } catch(Exception $e) { 690 // report the caller's line 691 $trace = debug_backtrace(); 692 $line = $trace[0]['line']; 693 $dsql = $this->_debugSQL($sql, $params, !defined('DOKU_UNITTEST')); 694 $this->_debug($e, -1, $line); 695 $this->_debug("SQL: <pre>$dsql</pre>", -1, $line); 696 $result = false; 697 } 698 $sth->closeCursor(); 699 $sth = null; 700 701 return $result; 702 } 703 704 /** 705 * Wrapper around msg() but outputs only when debug is enabled 706 * 707 * @param string|Exception $message 708 * @param int $err 709 * @param int $line 710 */ 711 protected function _debug($message, $err = 0, $line = 0) { 712 if(!$this->getConf('debug')) return; 713 if(is_a($message, 'Exception')) { 714 $err = -1; 715 $msg = $message->getMessage(); 716 if(!$line) $line = $message->getLine(); 717 } else { 718 $msg = $message; 719 } 720 721 if(defined('DOKU_UNITTEST')) { 722 printf("\n%s, %s:%d\n", $msg, __FILE__, $line); 723 } else { 724 msg('authpdo: ' . $msg, $err, $line, __FILE__); 725 } 726 } 727 728 /** 729 * Check if the given config strings are set 730 * 731 * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> 732 * 733 * @param string[] $keys 734 * @return bool 735 */ 736 protected function _chkcnf($keys) { 737 foreach($keys as $key) { 738 $params = explode(':', $key); 739 $key = array_shift($params); 740 $sql = trim($this->getConf($key)); 741 742 // check if sql is set 743 if(!$sql) return false; 744 // check if needed params are there 745 foreach($params as $param) { 746 if(strpos($sql, ":$param") === false) return false; 747 } 748 } 749 750 return true; 751 } 752 753 /** 754 * create an approximation of the SQL string with parameters replaced 755 * 756 * @param string $sql 757 * @param array $params 758 * @param bool $htmlescape Should the result be escaped for output in HTML? 759 * @return string 760 */ 761 protected function _debugSQL($sql, $params, $htmlescape = true) { 762 foreach($params as $key => $val) { 763 if(is_int($val)) { 764 $val = $this->pdo->quote($val, PDO::PARAM_INT); 765 } elseif(is_bool($val)) { 766 $val = $this->pdo->quote($val, PDO::PARAM_BOOL); 767 } elseif(is_null($val)) { 768 $val = 'NULL'; 769 } else { 770 $val = $this->pdo->quote($val); 771 } 772 $sql = str_replace($key, $val, $sql); 773 } 774 if($htmlescape) $sql = hsc($sql); 775 return $sql; 776 } 777} 778 779// vim:ts=4:sw=4:et: 780