1<?php 2/** 3 * DokuWiki Plugin oauth (Auth Component) 4 * 5 * @license GPL 2 http://www.gnu.org/licenses/gpl-2.0.html 6 * @author Andreas Gohr <andi@splitbrain.org> 7 */ 8 9// must be run within Dokuwiki 10if(!defined('DOKU_INC')) die(); 11 12class auth_plugin_oauth extends auth_plugin_authplain { 13 14 /** 15 * Constructor 16 * 17 * Sets capabilities. 18 */ 19 public function __construct() { 20 parent::__construct(); 21 22 $this->cando['external'] = true; 23 } 24 25 /** 26 * Handle the login 27 * 28 * This either trusts the session data (if any), processes the second oAuth step or simply 29 * executes a normal plugin against local users. 30 * 31 * @param string $user 32 * @param string $pass 33 * @param bool $sticky 34 * @return bool 35 */ 36 function trustExternal($user, $pass, $sticky = false) { 37 global $conf; 38 global $USERINFO; 39 40 // are we in login progress? 41 if(isset($_SESSION[DOKU_COOKIE]['oauth-inprogress'])) { 42 $servicename = $_SESSION[DOKU_COOKIE]['oauth-inprogress']['service']; 43 $page = $_SESSION[DOKU_COOKIE]['oauth-inprogress']['id']; 44 45 unset($_SESSION[DOKU_COOKIE]['oauth-inprogress']); 46 } 47 48 // check session for existing oAuth login data 49 $session = $_SESSION[DOKU_COOKIE]['auth']; 50 if(!isset($servicename) && isset($session['oauth'])) { 51 $servicename = $session['oauth']; 52 // check if session data is still considered valid 53 if(($session['time'] >= time() - $conf['auth_security_timeout']) && 54 ($session['buid'] == auth_browseruid()) 55 ) { 56 57 $_SERVER['REMOTE_USER'] = $session['user']; 58 $USERINFO = $session['info']; 59 return true; 60 } 61 } 62 63 // either we're in oauth login or a previous log needs to be rechecked 64 if(isset($servicename)) { 65 /** @var helper_plugin_oauth $hlp */ 66 $hlp = plugin_load('helper', 'oauth'); 67 $service = $hlp->loadService($servicename); 68 if(is_null($service)) return false; 69 70 // get the token 71 if($service->checkToken()) { 72 $uinfo = $service->getUser(); 73 74 $uinfo['user'] = $this->cleanUser((string) $uinfo['user']); 75 if(!$uinfo['name']) $uinfo['name'] = $uinfo['user']; 76 77 if(!$uinfo['user'] || !$uinfo['mail']) { 78 msg("$servicename did not provide the needed user info. Can't log you in", -1); 79 return false; 80 } 81 82 // see if the user is known already 83 $user = $this->getUserByEmail($uinfo['mail']); 84 if($user) { 85 $sinfo = $this->getUserData($user); 86 // check if the user allowed access via this service 87 if(!in_array($this->cleanGroup($servicename), $sinfo['grps'])) { 88 msg(sprintf($this->getLang('authnotenabled'), $servicename), -1); 89 return false; 90 } 91 $uinfo['user'] = $user; 92 $uinfo['name'] = $sinfo['name']; 93 $uinfo['grps'] = array_merge((array) $uinfo['grps'], $sinfo['grps']); 94 } else { 95 // new user, create him - making sure the login is unique by adding a number if needed 96 $user = $uinfo['user']; 97 $count = ''; 98 while($this->getUserData($user . $count)) { 99 if($count) { 100 $count++; 101 } else { 102 $count = 1; 103 } 104 } 105 $user = $user . $count; 106 $uinfo['user'] = $user; 107 $uinfo['grps'] = (array) $uinfo['grps']; 108 $uinfo['grps'][] = $conf['defaultgroup']; 109 $uinfo['grps'][] = $this->cleanGroup($servicename); // add service as group 110 111 //FIXME we should call trigger_user_mod? 112 $ok = $this->createUser($user, auth_pwgen($user), $uinfo['name'], $uinfo['mail'], $uinfo['grps']); 113 if(!$ok) { 114 msg('something went wrong creating your user account. please try again later.', -1); 115 return false; 116 } 117 118 // send notification about the new user 119 $subscription = new Subscription(); 120 $subscription->send_register($user, $uinfo['name'], $uinfo['mail']); 121 } 122 123 // set user session 124 $this->setUserSession($uinfo, $servicename); 125 return true; 126 } 127 128 return false; // something went wrong during oAuth login 129 } 130 131 // do the "normal" plain auth login via form 132 return auth_login($user, $pass, $sticky); 133 } 134 135 /** 136 * @param array $data 137 * @param string $service 138 */ 139 protected function setUserSession($data, $service) { 140 global $USERINFO; 141 global $conf; 142 143 // set up groups 144 if(!is_array($data['grps'])) { 145 $data['grps'] = array(); 146 } 147 $data['grps'][] = $this->cleanGroup($service); 148 $data['grps'] = array_unique($data['grps']); 149 150 $USERINFO = $data; 151 $_SERVER['REMOTE_USER'] = $data['user']; 152 $_SESSION[DOKU_COOKIE]['auth']['user'] = $data['user']; 153 $_SESSION[DOKU_COOKIE]['auth']['pass'] = $data['pass']; 154 $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; 155 $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid(); 156 $_SESSION[DOKU_COOKIE]['auth']['time'] = time(); 157 $_SESSION[DOKU_COOKIE]['auth']['oauth'] = $service; 158 } 159 160 /** 161 * Unset additional stuff in session on logout 162 */ 163 public function logOff() { 164 parent::logOff(); 165 166 if(isset($_SESSION[DOKU_COOKIE]['auth']['buid'])) { 167 unset($_SESSION[DOKU_COOKIE]['auth']['buid']); 168 } 169 if(isset($_SESSION[DOKU_COOKIE]['auth']['time'])) { 170 unset($_SESSION[DOKU_COOKIE]['auth']['time']); 171 } 172 if(isset($_SESSION[DOKU_COOKIE]['auth']['oauth'])) { 173 unset($_SESSION[DOKU_COOKIE]['auth']['oauth']); 174 } 175 } 176 177 /** 178 * Find a user by his email address 179 * 180 * @param $mail 181 * @return bool|string 182 */ 183 protected function getUserByEmail($mail) { 184 if($this->users === null) $this->_loadUserData(); 185 $mail = strtolower($mail); 186 187 foreach($this->users as $user => $uinfo) { 188 if(strtolower($uinfo['mail']) == $mail) return $user; 189 } 190 191 return false; 192 } 193 194 /** 195 * Enhance function to check aainst duplicate emails 196 * 197 * @param string $user 198 * @param string $pwd 199 * @param string $name 200 * @param string $mail 201 * @param null $grps 202 * @return bool|null|string 203 */ 204 public function createUser($user, $pwd, $name, $mail, $grps = null) { 205 if($this->getUserByEmail($mail)) { 206 msg($this->getLang('emailduplicate'), -1); 207 return false; 208 } 209 210 return parent::createUser($user, $pwd, $name, $mail, $grps); 211 } 212 213 /** 214 * Enhance function to check aainst duplicate emails 215 * 216 * @param string $user 217 * @param array $changes 218 * @return bool 219 */ 220 public function modifyUser($user, $changes) { 221 global $conf; 222 223 if(isset($changes['mail'])) { 224 $found = $this->getUserByEmail($changes['mail']); 225 if($found != $user) { 226 msg($this->getLang('emailduplicate'), -1); 227 return false; 228 } 229 } 230 231 $ok = parent::modifyUser($user, $changes); 232 233 // refresh session cache 234 touch($conf['cachedir'] . '/sessionpurge'); 235 236 return $ok; 237 } 238 239} 240 241// vim:ts=4:sw=4:et: