Commit 441237df authored by Aaron Wells

Updating to work with Mahara 1.6

parent 17494a59
......@@ -44,20 +44,23 @@ class MaharaAuthPlugin extends AuthPlugin {
var $dbtype;
var $dbuser;
var $dbpass;
var $passwordsaltmain;
public function __construct($dbname, $host='localhost',$dbtype='', $user='', $password='', $prefix='') {
public function __construct($dbname, $host='localhost',$dbtype='', $user='', $password='', $prefix='', $passwordsaltmain='') {
$this->dbname = $dbname;
$this->host = $host;
$this->prefix = $prefix;
$this->dbtype = $dbtype;
$this->dbuser = $user;
$this->dbpass = $password;
$this->passwordsaltmain = $passwordsaltmain;
}
public function userExists( $username ) {
$username = strtolower($username);
$db = $this->getDatabase();
$sql = "SELECT username FROM ".$this->prefix."usr where LOWER(username) = '".$username."'";
// This will only work for the "internal" auth plugin, where the user's password is stored locally.
$sql = "SELECT username FROM ".$this->prefix."usr u inner join {$this->prefix}auth_instance ai on u.authinstance=ai.id where ai.authname='internal' and LOWER(username) = '".$username."'";
$res = $db->query($sql);
$val = $db->fetchObject($res);
$db->close();
......@@ -85,14 +88,91 @@ class MaharaAuthPlugin extends AuthPlugin {
$val = $db->fetchObject($res);
$db->close();
if (!empty($val)) {
$passcheck = sha1($val->salt . $password);
if ($passcheck == $val->password) {
return true;
return $this->_validate_password($password, $val->password, $val->salt);
}
return false;
}
/**
* Given a password that the user has sent, the password we have for them
* and the salt we have, see if the password they sent is correct.
*
* @param string $theysent The password the user sent
* @param string $wehave The salted and hashed password we have in the database for them
* @param string $salt The salt we have.
* @returns int 0 means not validated, 1 means validated, 2 means validated but needs updating
*/
private function _validate_password($theysent, $wehave, $salt) {
if ($salt == '*') {
// This is a special salt that means this user simply CAN'T log in.
// It is used on the root user (id=0)
return false;
}
if (empty($wehave)) {
// This means the user has not been set up completely yet
// Common cause is that still in registration phase
return false;
}
$sitesalt = $this->passwordsaltmain;
$bcrypt = substr($wehave, 0, 4) == '$2a$';
if ($bcrypt) {
$alg = substr($wehave, 0, 7);
$hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
}
else {
$alg = substr($wehave, 0, 3);
$hash = $this->encrypt_password($theysent, $salt, $alg, $sitesalt);
}
if ($hash == $wehave) {
return true;
}
// See http://docs.moodle.org/20/en/Password_salting#Changing_the_salt
if (!empty($sitesalt)) {
// There is a sitesalt set, try without it, and update if passes
$hash = $this->encrypt_password($theysent, $salt, $alg, '');
if ($hash == $wehave) {
return 2;
}
}
// Nothing works, fail
return 0;
}
/**
* Given a password and an optional salt, encrypt the given password.
*
* Passwords are stored in SHA1 form.
*
* @param string $password The password to encrypt
* @param string $salt The salt to use to encrypt the password
* @param string $alg The algorithm to use, defaults to $6$ which is SHA512
* @param string $sitesalt A salt to combine with the user's salt to add an extra layer or salting
* @todo salt mandatory
*/
private function encrypt_password($password, $salt='', $alg='$6$', $sitesalt='') {
if ($salt == '') {
$salt = substr(md5(rand(1000000, 9999999)), 2, 8);
}
if ($alg == '$6$') { // $6$ is the identifier for the SHA512 algorithm
// Return a hash which is sha512(originalHash, salt), where original is sha1(salt + password)
$password = sha1($salt . $password);
// Generate a salt based on a supplied salt and the passwordsaltmain
$fullsalt = substr(md5($sitesalt . $salt), 0, 16); // SHA512 expects 16 chars of salt
}
else { // This is most likely bcrypt $2a$, but any other algorithm can take up to 22 chars of salt
// Generate a salt based on a supplied salt and the passwordsaltmain
$fullsalt = substr(md5($sitesalt . $salt), 0, 22); // bcrypt expects 22 chars of salt
}
$hash = crypt($password, $alg . $fullsalt);
// Strip out the computed salt
// We strip out the salt hide the computed salt (in case the sitesalt was used which isn't in the database)
$hash = substr($hash, 0, strlen($alg)) . substr($hash, strlen($alg)+strlen($fullsalt));
return $hash;
}
/**
* Modify options in the login template.
*
......
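Review bot: Both hash comparisons in `_validate_password` (`if ($hash == $wehave)`) use loose `==`; a strict `===` — or `hash_equals($wehave, $hash)` on PHP >= 5.6 — avoids PHP's numeric-string coercion and gives a constant-time compare, which is what a password check wants. The same helper mixes its return values: the docblock promises 0/1/2, yet the `*`-salt and empty-hash guards return `false`, the success path returns `true` and only the re-salt path returns `2`, and `authenticate` hands that value straight back to MediaWiki, which expects a bool — either return `0`/`1`/`2` consistently and have `authenticate` do `return $this->_validate_password($password, $val->password, $val->salt) !== 0;`, or change the docblock to `@returns bool`. In the first hunk the rewritten `userExists` query on the new line still interpolates `$username` into the SQL string; unless `getDatabase()` (outside this view) escapes it, pass it through the driver's quoting (e.g. `$db->addQuotes($username)`) before building the query. The `rand()`-seeded fallback salt in `encrypt_password` is only reached when the stored salt is empty, which the verify path here never triggers, but it is not a cryptographic random source and should not be relied on if this helper is ever used to create hashes. The class body continues outside both hunks, so the callers of `authenticate` and the `getDatabase()` implementation could not be checked.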
......@@ -23,5 +23,5 @@ To install this plugin, follow these steps:
1) Copy MaharaAuthPlugin.php into the includes directory in your mediawiki instance.
2) Add the following two lines into your LocalSettings.php file:
$wgAutoloadLocalClasses['MaharaAuthPlugin'] = 'includes/MaharaAuthPlugin.php';
$wgAuth = new MaharaAuthPlugin('maharadbname','dbhost','dbtype','dbuser','dbpass', 'prefix');
Replacing maharadbname, dbhost, dbtype, dbuser, dbpass and prefix with the respective values in your setup.
$wgAuth = new MaharaAuthPlugin('maharadbname','dbhost','dbtype','dbuser','dbpass', 'prefix', 'passwordsaltmain');
Replacing maharadbname, dbhost, dbtype, dbuser, dbpass, prefix, and passwordsaltmain with the respective values in your setup.