1<?php
2
3use dokuwiki\plugin\oauth\OAuthManager;
4use dokuwiki\plugin\oauth\Session;
5use dokuwiki\Subscriptions\RegistrationSubscriptionSender;
6use OAuth\Common\Exception\Exception as OAuthException;
7
8/**
9 * DokuWiki Plugin oauth (Auth Component)
10 *
11 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html
12 * @author  Andreas Gohr <andi@splitbrain.org>
13 */
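class auth_plugin_oauth extends auth_plugin_authplain
{
    /** @var helper_plugin_oauth */
    protected $hlp;

    /** @var OAuthManager */
    protected $om;

    // region standard auth methods

    /**
     * Set up the plain-auth backend and announce external (OAuth) login support
     *
     * @inheritDoc
     */
    public function __construct()
    {
        parent::__construct();
        // 'external' makes DokuWiki consult trustExternal() before the login form
        $this->cando['external'] = true;
        $this->hlp = $this->loadHelper('oauth');
    }

    /**
     * Continue a pending OAuth flow, or fall through to the plain login
     *
     * @param string $user   unused here, handled by the plain login fallback
     * @param string $pass   unused here, handled by the plain login fallback
     * @param bool   $sticky unused here
     * @return bool|null true when an OAuth flow completed the login, false when
     *                   login must not continue (singleService mode or an OAuth
     *                   error), null to let DokuWiki run the normal auth_login()
     * @inheritDoc
     */
    public function trustExternal($user, $pass, $sticky = false)
    {
        global $INPUT;

        // handle redirects from farmer to animal wiki instances
        if ($INPUT->has('state') && plugin_load('helper', 'farmer')) {
            $this->handleFarmState($INPUT->str('state'));
        }

        try {
            // either oauth or "normal" plain auth login via form
            $this->om = new OAuthManager();
            if ($this->om->continueFlow()) return true;
            if ($this->getConf('singleService')) {
                return false; // no normal login in singleService mode
            }
            return null; // triggers the normal auth_login()
        } catch (OAuthException $e) {
            $this->hlp->showException($e);
            auth_logoff(); // clears all session and cookie data
            return false;
        }
    }

    /**
     * Enforce oauth login for certain email domains
     *
     * A correct password is rejected when the account's mail address belongs to
     * one of the enforced domains; such users have to log in via OAuth.
     *
     * @inheritdoc
     */
    public function checkPass($user, $pass)
    {
        $ok = parent::checkPass($user, $pass);
        if (!$ok) return $ok;
        $domains = $this->hlp->getEnforcedDomains();
        if ($domains === []) return $ok;

        // ?? avoids a warning should getUserData() return false or lack 'mail'
        $mail = $this->getUserData($user)['mail'] ?? null;
        if ($this->hlp->checkMail($mail, $domains)) {
            global $lang;
            // we overwrite the standard bad password message with our own
            $lang['badlogin'] = $this->getLang('eMailEnforced');
            return false;
        }
        return $ok;
    }


    /**
     * Enhance function to check against duplicate emails
     *
     * @inheritdoc
     */
    public function createUser($user, $pwd, $name, $mail, $grps = null)
    {
        // compare against false explicitly: a user named "0" is a valid match
        if ($this->getUserByEmail($mail) !== false) {
            msg($this->getLang('emailduplicate'), -1);
            return false;
        }

        return parent::createUser($user, $pwd, $name, $mail, $grps);
    }

    /**
     * Enhance function to check against duplicate emails
     *
     * @inheritdoc
     */
    public function modifyUser($user, $changes)
    {
        global $conf;

        if (isset($changes['mail'])) {
            $found = $this->getUserByEmail($changes['mail']);
            // strict string comparison; getUserByEmail() normalises the name to a string
            if ($found !== false && $found !== (string)$user) {
                msg($this->getLang('emailduplicate'), -1);
                return false;
            }
        }

        $ok = parent::modifyUser($user, $changes);

        // refresh session cache
        touch($conf['cachedir'] . '/sessionpurge');
        return $ok;
    }

    /**
     * Unset additional stuff in session on logout
     *
     * The OAuthManager is only present when trustExternal() ran in this request.
     */
    public function logOff()
    {
        parent::logOff();
        if (isset($this->om)) {
            $this->om->logout();
        }
    }

    // endregion

    /**
     * Register a new user logged in by oauth
     *
     * It ensures the username is unique, by adding a number if needed.
     * Default and service name groups are set here.
     * Registration notifications are triggered.
     *
     * @param array $userinfo This will be updated with the new username and groups
     * @param string $servicename
     *
     * @return bool false when the 'create' user modification did not succeed
     * @todo - should this be part of the OAuthManager class instead?
     */
    public function registerOAuthUser(&$userinfo, $servicename)
    {
        global $conf;
        $user = $userinfo['user'];

        // append an increasing numeric suffix until the name is free
        $count = '';
        while ($this->getUserData($user . $count)) {
            $count = $count ? $count + 1 : 1;
        }
        $user .= $count;
        $userinfo['user'] = $user;

        $groups_on_creation = [];
        $groups_on_creation[] = $conf['defaultgroup'];
        $groups_on_creation[] = $this->cleanGroup($servicename); // add service as group
        // ?? tolerates userinfo without a 'grps' entry
        $userinfo['grps'] = array_merge((array)($userinfo['grps'] ?? []), $groups_on_creation);

        // the password set here will remain unknown to the user
        $ok = $this->triggerUserMod(
            'create',
            [
                $user,
                auth_pwgen($user),
                $userinfo['name'],
                $userinfo['mail'],
                $userinfo['grps'],
            ]
        );
        if (!$ok) {
            return false;
        }

        // send notification about the new user
        $subscriptionSender = new RegistrationSubscriptionSender();
        $subscriptionSender->sendRegister($user, $userinfo['name'], $userinfo['mail']);

        return true;
    }

    /**
     * Find a user by email address
     *
     * The comparison is case-insensitive.
     *
     * @param string|null $mail
     * @return bool|string the user name, or false when no user has this address
     */
    public function getUserByEmail($mail)
    {
        if ($this->users === null) {
            $this->loadUserData();
        }
        $mail = strtolower((string)$mail);

        foreach ($this->users as $user => $userinfo) {
            // numeric user names become int keys in $this->users, hence the cast
            if (strtolower($userinfo['mail'] ?? '') === $mail) return (string)$user;
        }

        return false;
    }

    /**
     * Fall back to plain auth strings
     *
     * @inheritdoc
     */
    public function getLang($id)
    {
        $result = parent::getLang($id);
        if ($result) return $result;

        $parent = new auth_plugin_authplain();
        return $parent->getLang($id);
    }

    /**
     * Farmer plugin support
     *
     * When coming back to farmer instance via OAUTH redirectURI, we need to redirect again
     * to a proper animal instance detected from $state
     *
     * $state is request input, so the animal name it carries is only trusted once it
     * has been found in the farmer's list of known animals; anything else is ignored.
     *
     * @param string $state url-encoded, base64-encoded JSON object
     */
    protected function handleFarmState($state)
    {
        /** @var \helper_plugin_farmer $farmer */
        $farmer = plugin_load('helper', 'farmer', false, true);
        // base64_decode() may yield false and json_decode() null; both end up as "no animal"
        $data = json_decode(base64_decode(urldecode($state)));
        $animal = is_object($data) && isset($data->animal) ? $data->animal : null;
        if (!is_string($animal) || $animal === '' || $farmer->getAnimal() === $animal) {
            return;
        }
        $allAnimals = $farmer->getAllAnimals();
        if (!in_array($animal, $allAnimals, true)) {
            // msg() emits HTML, so the request-supplied name has to be escaped
            msg('Animal ' . hsc($animal) . ' does not exist!');
            return;
        }
        global $INPUT;
        // only names present in getAllAnimals() reach this point, so the target host is farm-controlled
        $url = $farmer->getAnimalURL($animal) . '/doku.php?' . $INPUT->server->str('QUERY_STRING');
        send_redirect($url);
    }
}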
245}
246