Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
<?php
require(INCLUDE_DIR.'class.ostsession.php');
require(INCLUDE_DIR.'class.usersession.php');
class AuthenticatedUser {
// How the user was authenticated
var $backend;
// Get basic information
function getId() {}
function getUsername() {}
}
/**
* Authentication backend
*
* Authentication provides the basis of abstracting the link between the
* login page with a username and password and the staff member,
* administrator, or client using the system.
*
* The system works by allowing the AUTH_BACKENDS setting from
* ost-config.php to determine the list of authentication backends or
* providers and also specify the order they should be evaluated in.
*
* The authentication backend should define a authenticate() method which
* receives a username and optional password. If the authentication
* succeeds, an instance deriving from <User> should be returned.
*/
class AuthenticationBackend {
static private $registry = array();
static $name;
static $id;
/* static */
static function register($class) {
if (is_string($class))
$class = new $class();
static::$registry[] = $class;
}
static function allRegistered() {
return static::$registry;
}
/* static */
function process($username, $password=null, $backend=null, &$errors) {
global $ost;
foreach (static::$registry as $bk) {
if ($backend && $bk->supportsAuthentication() && $bk::$id != $backend)
// User cannot be authenticated against this backend
continue;
$result = $bk->authenticate($username, $password);
if ($result instanceof AuthenticatedUser) {
//Log debug info.
$ost->logDebug('Staff login',
sprintf("%s logged in [%s], via %s", $result->getUserName(),
$_SERVER['REMOTE_ADDR'], get_class($bk))); //Debug.
if ($result instanceof Staff) {
$sql='UPDATE '.STAFF_TABLE.' SET lastlogin=NOW() '
.' WHERE staff_id='.db_input($result->getId());
db_query($sql);
//Now set session crap and lets roll baby!
$_SESSION['_staff'] = array(); //clear.
$_SESSION['_staff']['userID'] = $username;
$result->refreshSession(); //set the hash.
$_SESSION['TZ_OFFSET'] = $result->getTZoffset();
$_SESSION['TZ_DST'] = $result->observeDaylight();
$_SESSION['_staff']['backend'] = $bk;
}
//Regenerate session id.
$sid = session_id(); //Current id
session_regenerate_id(true);
// Destroy old session ID - needed for PHP version < 5.1.0
// DELME: remove when we move to php 5.3 as min. requirement.
if(($session=$ost->getSession()) && is_object($session)
&& $sid!=session_id())
$session->destroy($sid);
Signal::send('auth.login.succeeded', $result);
$result->cancelResetTokens();
return $result;
}
// TODO: Handle permission denied, for instance
elseif ($result instanceof AccessDenied) {
$errors['err'] = $result->reason;
break;
}
}
$info = array('username'=>$username, 'password'=>$password);
Signal::send('auth.login.failed', null, $info);
}
/**
* Fetches the friendly name of the backend
*/
function getName() {
return static::$name;
}
/**
* Indicates if the backed supports authentication. Useful if the
* backend is used for logging or lockout only
*/
function supportsAuthentication() {
return true;
}
/**
* Indicates if the backend can be used to search for user information.
* Lookup is performed to find user information based on a unique
* identifier.
*/
function supportsLookup() {
return false;
}
/**
* Indicates if the backend supports searching for usernames. This is
* distinct from information lookup in that lookup is intended to lookup
* information based on a unique identifier
*/
function supportsSearch() {
return false;
}
/**
* Indicates if the backend supports changing a user's password. This
* would be done in two fashions. Either the currently-logged in user
* want to change its own password or a user requests to have their
* password reset. This requires an administrative privilege which this
* backend might not possess, so it's defined in supportsPasswordReset()
*/
function supportsPasswordChange() {
return false;
}
function supportsPasswordReset() {
return false;
}
}
class RemoteAuthenticationBackend {
var $create_unknown_user = false;
}
/**
* This will be an exception in later versions of PHP
*/
class AccessDenied {
function AccessDenied() {
call_user_func_array(array($this, '__construct'), func_get_args());
}
function __construct($reason) {
$this->reason = $reason;
}
}
/**
* Simple authentication backend which will lock the login form after a
* configurable number of attempts
*/
class AuthLockoutBackend extends AuthenticationBackend {
function authenticate($username, $password=null) {
global $cfg, $ost;
if($_SESSION['_staff']['laststrike']) {
if((time()-$_SESSION['_staff']['laststrike'])<$cfg->getStaffLoginTimeout()) {
$_SESSION['_staff']['laststrike'] = time(); //reset timer.
return new AccessDenied('Max. failed login attempts reached');
} else { //Timeout is over.
//Reset the counter for next round of attempts after the timeout.
$_SESSION['_staff']['laststrike']=null;
$_SESSION['_staff']['strikes']=0;
}
}
$_SESSION['_staff']['strikes']+=1;
if($_SESSION['_staff']['strikes']>$cfg->getStaffMaxLogins()) {
$_SESSION['_staff']['laststrike']=time();
$alert='Excessive login attempts by a staff member?'."\n".
'Username: '.$username."\n"
.'IP: '.$_SERVER['REMOTE_ADDR']."\n"
.'TIME: '.date('M j, Y, g:i a T')."\n\n"
.'Attempts #'.$_SESSION['_staff']['strikes']."\n"
.'Timeout: '.($cfg->getStaffLoginTimeout()/60)." minutes \n\n";
$ost->logWarning('Excessive login attempts ('.$username.')', $alert,
$cfg->alertONLoginError());
return new AccessDenied('Forgot your login info? Contact Admin.');
//Log every other failed login attempt as a warning.
} elseif($_SESSION['_staff']['strikes']%2==0) {
$alert='Username: '.$username."\n"
.'IP: '.$_SERVER['REMOTE_ADDR']."\n"
.'TIME: '.date('M j, Y, g:i a T')."\n\n"
.'Attempts #'.$_SESSION['_staff']['strikes'];
$ost->logWarning('Failed staff login attempt ('.$username.')', $alert, false);
}
}
function supportsAuthentication() {
return false;
}
}
AuthenticationBackend::register(AuthLockoutBackend);
class osTicketAuthentication extends AuthenticationBackend {
static $name = "Local Authenication";
static $id = "local";
function authenticate($username, $password) {
if (($user = new StaffSession($username)) && $user->getId() &&
$user->check_passwd($password)) {
//update last login && password reset stuff.
$sql='UPDATE '.STAFF_TABLE.' SET lastlogin=NOW() ';
if($user->isPasswdResetDue() && !$user->isAdmin())
$sql.=',change_passwd=1';
$sql.=' WHERE staff_id='.db_input($user->getId());
db_query($sql);
return $user;
}
}
}
AuthenticationBackend::register(osTicketAuthentication);
?>