Commit 441237df authored by Aaron Wells's avatar Aaron Wells

Updating to work with Mahara 1.6

parent 17494a59
...@@ -44,20 +44,23 @@ class MaharaAuthPlugin extends AuthPlugin { ...@@ -44,20 +44,23 @@ class MaharaAuthPlugin extends AuthPlugin {
var $dbtype; var $dbtype;
var $dbuser; var $dbuser;
var $dbpass; var $dbpass;
var $passwordsaltmain;
public function __construct($dbname, $host='localhost',$dbtype='', $user='', $password='', $prefix='') { public function __construct($dbname, $host='localhost',$dbtype='', $user='', $password='', $prefix='', $passwordsaltmain='') {
$this->dbname = $dbname; $this->dbname = $dbname;
$this->host = $host; $this->host = $host;
$this->prefix = $prefix; $this->prefix = $prefix;
$this->dbtype = $dbtype; $this->dbtype = $dbtype;
$this->dbuser = $user; $this->dbuser = $user;
$this->dbpass = $password; $this->dbpass = $password;
$this->passwordsaltmain = $passwordsaltmain;
} }
public function userExists( $username ) { public function userExists( $username ) {
$username = strtolower($username); $username = strtolower($username);
$db = $this->getDatabase(); $db = $this->getDatabase();
$sql = "SELECT username FROM ".$this->prefix."usr where LOWER(username) = '".$username."'"; // This will only work for the "internal" auth plugin, where the user's password is stored locally.
$sql = "SELECT username FROM ".$this->prefix."usr u inner join {$this->prefix}auth_instance ai on u.authinstance=ai.id where ai.authname='internal' and LOWER(username) = '".$username."'";
$res = $db->query($sql); $res = $db->query($sql);
$val = $db->fetchObject($res); $val = $db->fetchObject($res);
$db->close(); $db->close();
...@@ -85,15 +88,92 @@ class MaharaAuthPlugin extends AuthPlugin { ...@@ -85,15 +88,92 @@ class MaharaAuthPlugin extends AuthPlugin {
$val = $db->fetchObject($res); $val = $db->fetchObject($res);
$db->close(); $db->close();
if (!empty($val)) { if (!empty($val)) {
$passcheck = sha1($val->salt . $password); return $this->_validate_password($password, $val->password, $val->salt);
if ($passcheck == $val->password) {
return true;
}
} }
return false; return false;
} }
/** /**
* Given a password that the user has sent, the password we have for them
* and the salt we have, see if the password they sent is correct.
*
* @param string $theysent The password the user sent
* @param string $wehave The salted and hashed password we have in the database for them
* @param string $salt The salt we have.
* @returns int 0 means not validated, 1 means validated, 2 means validated but needs updating
*/
private function _validate_password($theysent, $wehave, $salt) {
if ($salt == '*') {
// This is a special salt that means this user simply CAN'T log in.
// It is used on the root user (id=0)
return false;
}
if (empty($wehave)) {
// This means the user has not been set up completely yet
// Common cause is that still in registration phase
return false;
}
$sitesalt = $this->passwordsaltmain;
$bcrypt = substr($wehave, 0, 4) == '$2a$';
if ($bcrypt) {
$alg = substr($wehave, 0, 7);
$hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
}
else {
$alg = substr($wehave, 0, 3);
$hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
}
if ($hash == $wehave) {
return true;
}
// See http://docs.moodle.org/20/en/Password_salting#Changing_the_salt
if (!empty($sitesalt)) {
// There is a sitesalt set, try without it, and update if passes
$hash = $this->encrypt_password($theysent, $salt, $alg, '');
if ($hash == $wehave) {
return 2;
}
}
// Nothing works, fail
return 0;
}
/**
* Given a password and an optional salt, encrypt the given password.
*
* Passwords are stored in SHA1 form.
*
* @param string $password The password to encrypt
* @param string $salt The salt to use to encrypt the password
* @param string $alg The algorithm to use, defaults to $6$ which is SHA512
* @param string $sitesalt A salt to combine with the user's salt to add an extra layer or salting
* @todo salt mandatory
*/
private function encrypt_password($password, $salt='', $alg='$6$', $sitesalt='') {
if ($salt == '') {
$salt = substr(md5(rand(1000000, 9999999)), 2, 8);
}
if ($alg == '$6$') { // $6$ is the identifier for the SHA512 algorithm
// Return a hash which is sha512(originalHash, salt), where original is sha1(salt + password)
$password = sha1($salt . $password);
// Generate a salt based on a supplied salt and the passwordsaltmain
$fullsalt = substr(md5($sitesalt . $salt), 0, 16); // SHA512 expects 16 chars of salt
}
else { // This is most likely bcrypt $2a$, but any other algorithm can take up to 22 chars of salt
// Generate a salt based on a supplied salt and the passwordsaltmain
$fullsalt = substr(md5($sitesalt . $salt), 0, 22); // bcrypt expects 22 chars of salt
}
$hash = crypt($password, $alg . $fullsalt);
// Strip out the computed salt
// We strip out the salt hide the computed salt (in case the sitesalt was used which isn't in the database)
$hash = substr($hash, 0, strlen($alg)) . substr($hash, strlen($alg)+strlen($fullsalt));
return $hash;
}
/**
* Modify options in the login template. * Modify options in the login template.
* *
* @param $template UserLoginTemplate object. * @param $template UserLoginTemplate object.
...@@ -134,7 +214,7 @@ class MaharaAuthPlugin extends AuthPlugin { ...@@ -134,7 +214,7 @@ class MaharaAuthPlugin extends AuthPlugin {
* @param User $user * @param User $user
*/ */
public function updateUser( &$user ) { public function updateUser( &$user ) {
$db = $this->getDatabase(); $db = $this->getDatabase();
$sql = "SELECT * FROM ".$this->prefix."usr where LOWER(username) = LOWER('".$user->mName."')"; $sql = "SELECT * FROM ".$this->prefix."usr where LOWER(username) = LOWER('".$user->mName."')";
$res = $db->query($sql); $res = $db->query($sql);
...@@ -274,7 +354,7 @@ class MaharaAuthPlugin extends AuthPlugin { ...@@ -274,7 +354,7 @@ class MaharaAuthPlugin extends AuthPlugin {
public function getCanonicalName( $username ) { public function getCanonicalName( $username ) {
return $username; return $username;
} }
/** /**
* Get an instance of a User object * Get an instance of a User object
* *
......
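Review bot: The rewritten `userExists` query still interpolates the caller-supplied username straight into SQL (`LOWER(username) = '".$username."'`), so a login name containing a quote changes the statement and `strtolower()` does nothing to prevent it. If `getDatabase()` returns a MediaWiki `Database` object the fix is one line, `... and LOWER(username) = " . $db->addQuotes($username);`, and `updateUser` (`LOWER('".$user->mName."')`) needs the same treatment. Separately, `_validate_password` is documented as returning 0/1/2 but actually returns `false`, `true`, `2` or `0`, and `authenticate` (whose body starts above the hunk) passes that value straight back, so the "validated but needs updating" case presumably logs the user in while the caller never learns a rehash was wanted; either document the mixed return or normalise it at the call site with `return (bool) $this->_validate_password($password, $val->password, $val->salt);`. The two `$hash == $wehave` checks would also be better as `hash_equals($wehave, $hash)` where the PHP version provides it (5.6+), since `==` is neither strict nor constant-time.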
...@@ -23,5 +23,5 @@ To install this plugin, follow these steps: ...@@ -23,5 +23,5 @@ To install this plugin, follow these steps:
1) Copy MaharaAuthPlugin.php into the includes directory in your mediawiki instance. 1) Copy MaharaAuthPlugin.php into the includes directory in your mediawiki instance.
2) Add the following two lines into your LocalSettings.php file: 2) Add the following two lines into your LocalSettings.php file:
$wgAutoloadLocalClasses['MaharaAuthPlugin'] = 'includes/MaharaAuthPlugin.php'; $wgAutoloadLocalClasses['MaharaAuthPlugin'] = 'includes/MaharaAuthPlugin.php';
$wgAuth = new MaharaAuthPlugin('maharadbname','dbhost','dbtype','dbuser','dbpass', 'prefix'); $wgAuth = new MaharaAuthPlugin('maharadbname','dbhost','dbtype','dbuser','dbpass', 'prefix', 'passwordsaltmain');
Replacing maharadbname, dbhost, dbtype, dbuser, dbpass and prefix with the respective values in your setup. Replacing maharadbname, dbhost, dbtype, dbuser, dbpass, prefix, and passwordsaltmain with the respective values in your setup.