xref: /plugin/authwordpress/auth.php (revision bc637d09828a67a2c4152fc9960945b628992431)
124cd6f55SDamien Regad<?php
2e03e23f3SDamien Regad
324cd6f55SDamien Regad/**
424cd6f55SDamien Regad * DokuWiki Plugin authwordpress (Auth Component)
524cd6f55SDamien Regad *
635dd80b8SDamien Regad * Provides authentication against a WordPress MySQL database backend
735dd80b8SDamien Regad *
835dd80b8SDamien Regad * This program is free software; you can redistribute it and/or modify
935dd80b8SDamien Regad * it under the terms of the GNU General Public License as published by
1035dd80b8SDamien Regad * the Free Software Foundation; version 2 of the License
1135dd80b8SDamien Regad *
1235dd80b8SDamien Regad * This program is distributed in the hope that it will be useful,
1335dd80b8SDamien Regad * but WITHOUT ANY WARRANTY; without even the implied warranty of
1435dd80b8SDamien Regad * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
1535dd80b8SDamien Regad * GNU General Public License for more details.
1635dd80b8SDamien Regad *
1735dd80b8SDamien Regad * See the COPYING file in your DokuWiki folder for details
1835dd80b8SDamien Regad *
1924cd6f55SDamien Regad * @author     Damien Regad <dregad@mantisbt.org>
2035dd80b8SDamien Regad * @copyright  2015 Damien Regad
2135dd80b8SDamien Regad * @license    GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
22b5b72c15SDamien Regad * @version    1.1
2335dd80b8SDamien Regad * @link       https://github.com/dregad/dokuwiki-authwordpress
24d7435096SDamien Regad *
25d7435096SDamien Regad * @noinspection PhpComposerExtensionStubsInspection
26d7435096SDamien Regad *               PhpUnused
27d7435096SDamien Regad *               PhpMissingReturnTypeInspection
2824cd6f55SDamien Regad */
2924cd6f55SDamien Regad
3024cd6f55SDamien Regad// must be run within Dokuwiki
31b741ff68SDamien Regadif (!defined('DOKU_INC')) {
32b741ff68SDamien Regad    die();
33b741ff68SDamien Regad}
3424cd6f55SDamien Regad
35308b48d3SDamien Regaduse dokuwiki\Logger;
36308b48d3SDamien Regad
3735dd80b8SDamien Regad/**
3835dd80b8SDamien Regad * WordPress password hashing framework
3935dd80b8SDamien Regad */
4035dd80b8SDamien Regadrequire_once('class-phpass.php');
4135dd80b8SDamien Regad
4235dd80b8SDamien Regad/**
4335dd80b8SDamien Regad * Authentication class
4435dd80b8SDamien Regad */
45b741ff68SDamien Regad// @codingStandardsIgnoreLine
46b741ff68SDamien Regadclass auth_plugin_authwordpress extends DokuWiki_Auth_Plugin
47b741ff68SDamien Regad{
4835dd80b8SDamien Regad    /**
4935dd80b8SDamien Regad     * SQL statement to retrieve User data from WordPress DB
5035dd80b8SDamien Regad     * (including group memberships)
51b5b72c15SDamien Regad     * '%prefix%' will be replaced by the actual prefix (from plugin config)
525d099ac1SDamien Regad     * @var string $sql_wp_user_data
5335dd80b8SDamien Regad     */
540341717fSDamien Regad    protected $sql_wp_user_data = "SELECT
5535dd80b8SDamien Regad            id, user_login, user_pass, user_email, display_name,
56493dbdc6SFerdinand Thiessen            meta_value AS grps
57b5b72c15SDamien Regad        FROM %prefix%users u
582ef3e6a1SDamien Regad        JOIN %prefix%usermeta m ON u.id = m.user_id AND meta_key = '%prefix%capabilities'";
5924cd6f55SDamien Regad
6024cd6f55SDamien Regad    /**
61015f33b2SDamien Regad     * Wordpress database connection
625d099ac1SDamien Regad     * @var PDO $db
63015f33b2SDamien Regad     */
640341717fSDamien Regad    protected $db;
65015f33b2SDamien Regad
66d35aa3ecSDamien Regad    /**
67d35aa3ecSDamien Regad     * Users cache
685d099ac1SDamien Regad     * @var array $users
69d35aa3ecSDamien Regad     */
70d35aa3ecSDamien Regad    protected $users;
71d35aa3ecSDamien Regad
72d35aa3ecSDamien Regad    /**
73d35aa3ecSDamien Regad     * True if all users have been loaded in the cache
74d35aa3ecSDamien Regad     * @see $users
755d099ac1SDamien Regad     * @var bool $usersCached
76d35aa3ecSDamien Regad     */
77d35aa3ecSDamien Regad    protected $usersCached = false;
78d35aa3ecSDamien Regad
799f5692a3SDamien Regad    /**
809f5692a3SDamien Regad     * Filter pattern
815d099ac1SDamien Regad     * @var array $filter
829f5692a3SDamien Regad     */
839f5692a3SDamien Regad    protected $filter;
84015f33b2SDamien Regad
85015f33b2SDamien Regad    /**
8624cd6f55SDamien Regad     * Constructor.
8724cd6f55SDamien Regad     */
88b741ff68SDamien Regad    public function __construct()
89b741ff68SDamien Regad    {
9035dd80b8SDamien Regad        parent::__construct();
9124cd6f55SDamien Regad
92aa69c0cfSDamien Regad        // Plugin capabilities
9316ceb666SDamien Regad        $this->cando['getUsers'] = true;
94aa69c0cfSDamien Regad        $this->cando['getUserCount'] = true;
9516ceb666SDamien Regad
9635dd80b8SDamien Regad        // Try to establish a connection to the WordPress DB
9735dd80b8SDamien Regad        // abort in case of failure
9835dd80b8SDamien Regad        try {
99b741ff68SDamien Regad            $this->connectWordpressDb();
100b741ff68SDamien Regad        } catch (Exception $e) {
10135dd80b8SDamien Regad            msg(sprintf($this->getLang('error_connect_failed'), $e->getMessage()));
10235dd80b8SDamien Regad            $this->success = false;
10335dd80b8SDamien Regad            return;
10435dd80b8SDamien Regad        }
10524cd6f55SDamien Regad
106b5b72c15SDamien Regad        // Initialize SQL query with configured prefix
107b5b72c15SDamien Regad        $this->sql_wp_user_data = str_replace(
108b5b72c15SDamien Regad            '%prefix%',
109b5b72c15SDamien Regad            $this->getConf('prefix'),
110b5b72c15SDamien Regad            $this->sql_wp_user_data
111b5b72c15SDamien Regad        );
112b5b72c15SDamien Regad
11324cd6f55SDamien Regad        $this->success = true;
11424cd6f55SDamien Regad    }
11524cd6f55SDamien Regad
11624cd6f55SDamien Regad
11724cd6f55SDamien Regad    /**
118d7435096SDamien Regad     * Check user+password.
11924cd6f55SDamien Regad     *
120666403eeSDamien Regad     * Note that WordPress adds slashes to the password before generating the hash
121666403eeSDamien Regad     * {@see https://developer.wordpress.org/reference/functions/wp_magic_quotes/},
122666403eeSDamien Regad     * so we need to do the same otherwise password containing `\`, `'` or `"` will
123666403eeSDamien Regad     * never match ({@see https://github.com/dregad/dokuwiki-plugin-authwordpress/issues/23)}.
124666403eeSDamien Regad     *
12524cd6f55SDamien Regad     * @param   string $user the user name
12624cd6f55SDamien Regad     * @param   string $pass the clear text password
127d7435096SDamien Regad     *
12824cd6f55SDamien Regad     * @return  bool
12935dd80b8SDamien Regad     *
13035dd80b8SDamien Regad     * @uses PasswordHash::CheckPassword WordPress password hasher
13124cd6f55SDamien Regad     */
132b741ff68SDamien Regad    public function checkPass($user, $pass)
133b741ff68SDamien Regad    {
13435dd80b8SDamien Regad        $data = $this->getUserData($user);
13535dd80b8SDamien Regad        if ($data === false) {
13635dd80b8SDamien Regad            return false;
13724cd6f55SDamien Regad        }
138*bc637d09STim Oberländer        // check if new type of hash
139*bc637d09STim Oberländer        if(str_starts_with( $data['pass'], '$wp' )){
140*bc637d09STim Oberländer                $password_to_verify = base64_encode( hash_hmac( 'sha384', $pass, 'wp-sha384', true ) );
141*bc637d09STim Oberländer                $check              = password_verify( $password_to_verify, substr( $data['pass'], 3 ) );
142*bc637d09STim Oberländer        }else{
14335dd80b8SDamien Regad            $hasher = new PasswordHash(8, true);
144666403eeSDamien Regad            // Add slashes to match WordPress behavior
145666403eeSDamien Regad            $check = $hasher->CheckPassword(addslashes($pass), $data['pass']);
146*bc637d09STim Oberländer        }
147308b48d3SDamien Regad            $this->logDebug("Password " . ($check ? 'OK' : 'Invalid'));
148eed09871SDamien Regad
149eed09871SDamien Regad        return $check;
15035dd80b8SDamien Regad    }
15135dd80b8SDamien Regad
15216ceb666SDamien Regad    /**
153d7435096SDamien Regad     * Bulk retrieval of user data.
15416ceb666SDamien Regad     *
15516ceb666SDamien Regad     * @param   int   $start index of first user to be returned
15616ceb666SDamien Regad     * @param   int   $limit max number of users to be returned
15716ceb666SDamien Regad     * @param   array $filter array of field/pattern pairs
158d7435096SDamien Regad     *
15916ceb666SDamien Regad     * @return  array userinfo (refer getUserData for internal userinfo details)
16016ceb666SDamien Regad     */
161b741ff68SDamien Regad    public function retrieveUsers($start = 0, $limit = 0, $filter = array())
162b741ff68SDamien Regad    {
16316ceb666SDamien Regad        msg($this->getLang('user_list_use_wordpress'));
1642ef3e6a1SDamien Regad
165d35aa3ecSDamien Regad        $this->cacheAllUsers();
1669f5692a3SDamien Regad
1679f5692a3SDamien Regad        // Apply filter and pagination
1689f5692a3SDamien Regad        $this->setFilter($filter);
1699f5692a3SDamien Regad        $list = array();
170acc20be0SDamien Regad        $count = $i = 0;
1719f5692a3SDamien Regad        foreach ($this->users as $user => $info) {
1729f5692a3SDamien Regad            if ($this->applyFilter($user, $info)) {
1739f5692a3SDamien Regad                if ($i >= $start) {
1749f5692a3SDamien Regad                    $list[$user] = $info;
1759f5692a3SDamien Regad                    $count++;
1769f5692a3SDamien Regad                    if ($limit > 0 && $count >= $limit) {
1779f5692a3SDamien Regad                        break;
1789f5692a3SDamien Regad                    }
1799f5692a3SDamien Regad                }
1809f5692a3SDamien Regad                $i++;
1819f5692a3SDamien Regad            }
1829f5692a3SDamien Regad        }
1839f5692a3SDamien Regad
1849f5692a3SDamien Regad        return $list;
18516ceb666SDamien Regad    }
18616ceb666SDamien Regad
187aa69c0cfSDamien Regad    /**
188d7435096SDamien Regad     * Return a count of the number of user which meet $filter criteria.
189aa69c0cfSDamien Regad     *
190aa69c0cfSDamien Regad     * @param array $filter
191d7435096SDamien Regad     *
192aa69c0cfSDamien Regad     * @return int
193aa69c0cfSDamien Regad     */
194b741ff68SDamien Regad    public function getUserCount($filter = array())
195b741ff68SDamien Regad    {
196aa69c0cfSDamien Regad        $this->cacheAllUsers();
1979f5692a3SDamien Regad
1989f5692a3SDamien Regad        if (empty($filter)) {
1999f5692a3SDamien Regad            $count = count($this->users);
2009f5692a3SDamien Regad        } else {
2019f5692a3SDamien Regad            $this->setFilter($filter);
202acc20be0SDamien Regad            $count = 0;
2039f5692a3SDamien Regad            foreach ($this->users as $user => $info) {
2049f5692a3SDamien Regad                $count += (int)$this->applyFilter($user, $info);
2059f5692a3SDamien Regad            }
2069f5692a3SDamien Regad        }
2079f5692a3SDamien Regad        return $count;
208aa69c0cfSDamien Regad    }
209aa69c0cfSDamien Regad
21035dd80b8SDamien Regad
21124cd6f55SDamien Regad    /**
212d7435096SDamien Regad     * Returns info about the given user.
21324cd6f55SDamien Regad     *
21424cd6f55SDamien Regad     * @param string $user the user name
2155d099ac1SDamien Regad     * @param bool   $requireGroups defaults to true
216d7435096SDamien Regad     *
2175d099ac1SDamien Regad     * @return array|false containing user data or false in case of error
21824cd6f55SDamien Regad     */
219b741ff68SDamien Regad    public function getUserData($user, $requireGroups = true)
220b741ff68SDamien Regad    {
221d35aa3ecSDamien Regad        if (isset($this->users[$user])) {
222d35aa3ecSDamien Regad            return $this->users[$user];
223d35aa3ecSDamien Regad        }
224d35aa3ecSDamien Regad
2252ef3e6a1SDamien Regad        $sql = $this->sql_wp_user_data
2262ef3e6a1SDamien Regad            . 'WHERE user_login = :user';
22735dd80b8SDamien Regad
2282ef3e6a1SDamien Regad        $stmt = $this->db->prepare($sql);
22935dd80b8SDamien Regad        $stmt->bindParam(':user', $user);
230308b48d3SDamien Regad        $this->logDebug("Retrieving data for user '$user'\n$sql");
23135dd80b8SDamien Regad
23235dd80b8SDamien Regad        if (!$stmt->execute()) {
2339520968dSDamien Regad            // Query execution failed
234eed09871SDamien Regad            $err = $stmt->errorInfo();
235308b48d3SDamien Regad            $this->logDebug("Error $err[1]: $err[2]");
23624cd6f55SDamien Regad            return false;
23724cd6f55SDamien Regad        }
2389520968dSDamien Regad
2399520968dSDamien Regad        $user = $stmt->fetch(PDO::FETCH_ASSOC);
2409520968dSDamien Regad        if ($user === false) {
2419520968dSDamien Regad            // Unknown user
242308b48d3SDamien Regad            $this->logDebug("Unknown user");
2439520968dSDamien Regad            return false;
2449520968dSDamien Regad        }
24524cd6f55SDamien Regad
246d35aa3ecSDamien Regad        return $this->cacheUser($user);
24724cd6f55SDamien Regad    }
24824cd6f55SDamien Regad
24924cd6f55SDamien Regad
25024cd6f55SDamien Regad    /**
251d7435096SDamien Regad     * Connect to Wordpress database.
252d7435096SDamien Regad     *
253d7435096SDamien Regad     * Initializes $db property as PDO object.
254d7435096SDamien Regad     *
255d7435096SDamien Regad     * @return void
25624cd6f55SDamien Regad     */
257d7435096SDamien Regad    protected function connectWordpressDb(): void
258b741ff68SDamien Regad    {
259cb81639bSDamien Regad        if ($this->db) {
260cb81639bSDamien Regad            // Already connected
261cb81639bSDamien Regad            return;
262cb81639bSDamien Regad        }
263cb81639bSDamien Regad
264cb81639bSDamien Regad        // Build connection string
26535dd80b8SDamien Regad        $dsn = array(
26635dd80b8SDamien Regad            'host=' . $this->getConf('hostname'),
26735dd80b8SDamien Regad            'dbname=' . $this->getConf('database'),
26802fbe6b4SDamien Regad            'charset=UTF8',
26935dd80b8SDamien Regad        );
27035dd80b8SDamien Regad        $port = $this->getConf('port');
27135dd80b8SDamien Regad        if ($port) {
27235dd80b8SDamien Regad            $dsn[] = 'port=' . $port;
27335dd80b8SDamien Regad        }
27435dd80b8SDamien Regad        $dsn = 'mysql:' . implode(';', $dsn);
27535dd80b8SDamien Regad
276015f33b2SDamien Regad        $this->db = new PDO($dsn, $this->getConf('username'), $this->getConf('password'));
27724cd6f55SDamien Regad    }
27824cd6f55SDamien Regad
279d1f83a80SDamien Regad    /**
280d7435096SDamien Regad     * Cache User Data.
281d7435096SDamien Regad     *
282d1f83a80SDamien Regad     * Convert a Wordpress DB User row to DokuWiki user info array
283d7435096SDamien Regad     * and stores it in the users cache.
284d1f83a80SDamien Regad     *
2855d099ac1SDamien Regad     * @param  array $row Raw Wordpress user table row
286d7435096SDamien Regad     *
287d1f83a80SDamien Regad     * @return array user data
288d1f83a80SDamien Regad     */
289d7435096SDamien Regad    protected function cacheUser(array $row): array
290b741ff68SDamien Regad    {
291d1f83a80SDamien Regad        global $conf;
292d1f83a80SDamien Regad
293d35aa3ecSDamien Regad        $login = $row['user_login'];
294d35aa3ecSDamien Regad
295d35aa3ecSDamien Regad        // If the user is already cached, just return it
296d35aa3ecSDamien Regad        if (isset($this->users[$login])) {
297d35aa3ecSDamien Regad            return $this->users[$login];
298d35aa3ecSDamien Regad        }
299d35aa3ecSDamien Regad
300d1f83a80SDamien Regad        // Group membership - add DokuWiki's default group
301493dbdc6SFerdinand Thiessen        $groups = array_keys(unserialize($row['grps']));
302d1f83a80SDamien Regad        if ($this->getConf('usedefaultgroup')) {
303d1f83a80SDamien Regad            $groups[] = $conf['defaultgroup'];
304d1f83a80SDamien Regad        }
305d1f83a80SDamien Regad
306d1f83a80SDamien Regad        $info = array(
307d35aa3ecSDamien Regad            'user' => $login,
308d35aa3ecSDamien Regad            'name' => $row['display_name'],
309d35aa3ecSDamien Regad            'pass' => $row['user_pass'],
310d35aa3ecSDamien Regad            'mail' => $row['user_email'],
311d1f83a80SDamien Regad            'grps' => $groups,
312d1f83a80SDamien Regad        );
313d35aa3ecSDamien Regad
314d35aa3ecSDamien Regad        $this->users[$login] = $info;
315d1f83a80SDamien Regad        return $info;
316d1f83a80SDamien Regad    }
317d1f83a80SDamien Regad
318d35aa3ecSDamien Regad    /**
319d7435096SDamien Regad     * Loads all Wordpress users into the cache.
320d35aa3ecSDamien Regad     *
321d35aa3ecSDamien Regad     * @return void
322d35aa3ecSDamien Regad     */
323b741ff68SDamien Regad    protected function cacheAllUsers()
324b741ff68SDamien Regad    {
325d35aa3ecSDamien Regad        if ($this->usersCached) {
326d35aa3ecSDamien Regad            return;
327d35aa3ecSDamien Regad        }
328d35aa3ecSDamien Regad
329d35aa3ecSDamien Regad        $stmt = $this->db->prepare($this->sql_wp_user_data);
330d35aa3ecSDamien Regad        $stmt->execute();
331d35aa3ecSDamien Regad
332d35aa3ecSDamien Regad        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $user) {
333d35aa3ecSDamien Regad            $this->cacheUser($user);
334d35aa3ecSDamien Regad        }
335d35aa3ecSDamien Regad
336d35aa3ecSDamien Regad        $this->usersCached = true;
337d35aa3ecSDamien Regad    }
338d35aa3ecSDamien Regad
3399f5692a3SDamien Regad    /**
340d7435096SDamien Regad     * Build filter patterns from given criteria.
3419f5692a3SDamien Regad     *
3429f5692a3SDamien Regad     * @param array $filter
343d7435096SDamien Regad     *
344d7435096SDamien Regad     * @return void
3459f5692a3SDamien Regad     */
346d7435096SDamien Regad    protected function setFilter(array $filter): void
347b741ff68SDamien Regad    {
3489f5692a3SDamien Regad        $this->filter = array();
3499f5692a3SDamien Regad        foreach ($filter as $field => $value) {
3509f5692a3SDamien Regad            // Build PCRE pattern, utf8 + case insensitive
3519f5692a3SDamien Regad            $this->filter[$field] = '/' . str_replace('/', '\/', $value) . '/ui';
3529f5692a3SDamien Regad        }
3539f5692a3SDamien Regad    }
3549f5692a3SDamien Regad
3559f5692a3SDamien Regad    /**
356d7435096SDamien Regad     * Return true if given user matches filter pattern, false otherwise.
3579f5692a3SDamien Regad     *
3589f5692a3SDamien Regad     * @param string $user login
3599f5692a3SDamien Regad     * @param array  $info User data
360d7435096SDamien Regad     *
3619f5692a3SDamien Regad     * @return bool
3629f5692a3SDamien Regad     */
363d7435096SDamien Regad    protected function applyFilter(string $user, array $info): bool
364b741ff68SDamien Regad    {
3659f5692a3SDamien Regad        foreach ($this->filter as $elem => $pattern) {
3669f5692a3SDamien Regad            if ($elem == 'grps') {
36737a3480aSDamien Regad                if (!preg_grep($pattern, $info['grps'])) {
3689f5692a3SDamien Regad                    return false;
3699f5692a3SDamien Regad                }
3709f5692a3SDamien Regad            } else {
3719f5692a3SDamien Regad                if (!preg_match($pattern, $info[$elem])) {
3729f5692a3SDamien Regad                    return false;
3739f5692a3SDamien Regad                }
3749f5692a3SDamien Regad            }
3759f5692a3SDamien Regad        }
3769f5692a3SDamien Regad        return true;
3779f5692a3SDamien Regad    }
378308b48d3SDamien Regad
379308b48d3SDamien Regad    /**
380308b48d3SDamien Regad     * Add message to debug log.
381308b48d3SDamien Regad     *
382308b48d3SDamien Regad     * @param string $msg
383308b48d3SDamien Regad     *
384308b48d3SDamien Regad     * @return void
385308b48d3SDamien Regad     */
386308b48d3SDamien Regad    protected function logDebug(string $msg): void
387308b48d3SDamien Regad    {
388308b48d3SDamien Regad        global $updateVersion;
389308b48d3SDamien Regad        if ($updateVersion >= 52) {
390308b48d3SDamien Regad            Logger::debug($msg);
391308b48d3SDamien Regad        } else {
392308b48d3SDamien Regad            dbglog($msg);
393308b48d3SDamien Regad        }
394308b48d3SDamien Regad    }
39524cd6f55SDamien Regad}
39624cd6f55SDamien Regad
3970e6cb03cSDamien Regad// vim:ts=4:sw=4:noet:
398