112 lines
3.2 KiB
PHP
112 lines
3.2 KiB
PHP
|
<?php defined('SYSPATH') OR die('No direct access allowed.');
|
||
|
|
||
|
|
||
|
class Auth_Multisite_Model {
|
||
|
private $htpasswdPath;
|
||
|
private $serialsPath;
|
||
|
private $secretPath;
|
||
|
private $authFile;
|
||
|
|
||
|
public function __construct($htpasswdPath, $serialsPath, $secretPath, $loginUrl) {
|
||
|
$this->htpasswdPath = $htpasswdPath;
|
||
|
$this->serialsPath = $serialsPath;
|
||
|
$this->secretPath = $secretPath;
|
||
|
$this->loginUrl = $loginUrl;
|
||
|
|
||
|
// When the auth.serial file exists, use this instead of the htpasswd
|
||
|
// for validating the cookie. The structure of the file is equal, so
|
||
|
// the same code can be used.
|
||
|
if(file_exists($this->serialsPath)) {
|
||
|
$this->authFile = 'serial';
|
||
|
|
||
|
} elseif(file_exists($this->htpasswdPath)) {
|
||
|
$this->authFile = 'htpasswd';
|
||
|
|
||
|
} else {
|
||
|
throw new Kohana_exception("error.auth_multisite_missing_htpasswd");
|
||
|
}
|
||
|
|
||
|
if(!file_exists($this->secretPath)) {
|
||
|
$this->redirectToLogin();
|
||
|
}
|
||
|
}
|
||
|
|
||
|
private function loadAuthFile($path) {
|
||
|
$creds = array();
|
||
|
foreach(file($path) AS $line) {
|
||
|
if(strpos($line, ':') !== false) {
|
||
|
list($username, $secret) = explode(':', $line, 2);
|
||
|
$creds[$username] = rtrim($secret);
|
||
|
}
|
||
|
}
|
||
|
return $creds;
|
||
|
}
|
||
|
|
||
|
private function loadSecret() {
|
||
|
return trim(file_get_contents($this->secretPath));
|
||
|
}
|
||
|
|
||
|
private function generateHash($username, $now, $user_secret) {
|
||
|
$secret = $this->loadSecret();
|
||
|
return md5($username . $now . $user_secret . $secret);
|
||
|
}
|
||
|
|
||
|
private function checkAuthCookie($cookieName) {
|
||
|
if(!isset($_COOKIE[$cookieName]) || $_COOKIE[$cookieName] == '') {
|
||
|
throw new Exception();
|
||
|
}
|
||
|
|
||
|
list($username, $issueTime, $cookieHash) = explode(':', $_COOKIE[$cookieName], 3);
|
||
|
|
||
|
if($this->authFile == 'htpasswd')
|
||
|
$users = $this->loadAuthFile($this->htpasswdPath);
|
||
|
else
|
||
|
$users = $this->loadAuthFile($this->serialsPath);
|
||
|
|
||
|
if(!isset($users[$username])) {
|
||
|
throw new Exception();
|
||
|
}
|
||
|
$user_secret = $users[$username];
|
||
|
|
||
|
// Validate the hash
|
||
|
if($cookieHash != $this->generateHash($username, $issueTime, $user_secret)) {
|
||
|
throw new Exception();
|
||
|
}
|
||
|
|
||
|
// FIXME: Maybe renew the cookie here too
|
||
|
|
||
|
return $username;
|
||
|
}
|
||
|
|
||
|
private function checkAuth() {
|
||
|
// Loop all cookies trying to fetch a valid authentication
|
||
|
// cookie for this installation
|
||
|
foreach(array_keys($_COOKIE) AS $cookieName) {
|
||
|
if(substr($cookieName, 0, 5) != 'auth_') {
|
||
|
continue;
|
||
|
}
|
||
|
try {
|
||
|
$name = $this->checkAuthCookie($cookieName);
|
||
|
return $name;
|
||
|
} catch(Exception $e) {}
|
||
|
}
|
||
|
return '';
|
||
|
}
|
||
|
|
||
|
private function redirectToLogin() {
|
||
|
header('Location:' . $this->loginUrl . '?_origtarget=' . $_SERVER['REQUEST_URI']);
|
||
|
}
|
||
|
|
||
|
public function check() {
|
||
|
$username = $this->checkAuth();
|
||
|
if($username === '') {
|
||
|
$this->redirectToLogin();
|
||
|
exit(0);
|
||
|
}
|
||
|
|
||
|
return $username;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
?>
|