Skip to content
GitLab
An error occurred while loading the file. Please try again.
Switch branch/tag
Find file BlameHistoryPermalink
SQL.php 6.18 KiB
Open in Web IDE
1 
<?php
2
3 
/**
4 
 * SQL/bcrypt authentication source
5 
 *
6 
 * This is an authentication module for authenticating a user against a SQL
7 
 * database. It uses bcrypt for validation of passwords against hashed
8 
 * passwords stored in the database. The implementation is based heavily on
9 
 * sqlauth:SQL.
10 
 *
11 
 * @author Jesper Hvirring Henriksen, Appinux A/S.
12 
 * @package simpleSAMLphp
13 
 * @version $Id$
14 
 */
15 
class sspmod_sqlauthBcrypt_Auth_Source_SQL extends sspmod_core_Auth_UserPassBase {
16
17
18 
	/**
19 
	 * The DSN we should connect to.
20 
	 */
21 
	private $dsn;
22
23
24 
	/**
25 
	 * The username we should connect to the database with.
26 
	 */
27 
	private $username;
28
29
30 
	/**
31 
	 * The password we should connect to the database with.
32 
	 */
33 
	private $password;
34
35
36 
	/**
37 
	 * The query we should use to retrieve the attributes for the user.
38 
	 *
39 
	 * The username and password will be available as :username and :password.
40 
	 */
41 
	private $query;
42
43
44 
	/**
45 
	 * The pepper used to generate the password hash.
46 
	 */
47 
	private $pepper;
48
49
50 
	/**
51 
	 * The column holding the password hash.
52 
	 */
53 
	private $hash_column;
54
55
56 
	/**
57 
	 * The column holding the password salt.
58 
	 */
59 
	private $salt_column;
60
61
62 
	/**
63 
	 * Constructor for this authentication source.
64 
	 *
65 
	 * @param array $info	 Information about this authentication source.
66 
	 * @param array $config	 Configuration.
67 
	 */
68 
	public function __construct($info, $config) {
69 
		assert('is_array($info)');
70 
		assert('is_array($config)');
71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140
/* Call the parent constructor first, as required by the interface. */ parent::__construct($info, $config); /* Make sure that all required parameters are present. */ foreach (array('dsn', 'username', 'password', 'query', 'pepper') as $param) { if (!array_key_exists($param, $config)) { throw new Exception('Missing required attribute \'' . $param . '\' for authentication source ' . $this->authId); } if (!is_string($config[$param])) { throw new Exception('Expected parameter \'' . $param . '\' for authentication source ' . $this->authId . ' to be a string. Instead it was: ' . var_export($config[$param], TRUE)); } } $this->dsn = $config['dsn']; $this->username = $config['username']; $this->password = $config['password']; $this->query = $config['query']; $this->pepper = $config['pepper']; $this->hash_column = $config['hash_column']; $this->salt_column = $config['salt_column']; } /** * Create a database connection. * * @return PDO The database connection. */ private function connect() { try { $db = new PDO($this->dsn, $this->username, $this->password); } catch (PDOException $e) { throw new Exception('sqlauthBcrypt:' . $this->authId . ': - Failed to connect to \'' . $this->dsn . '\': '. $e->getMessage()); } $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); $driver = explode(':', $this->dsn, 2); $driver = strtolower($driver[0]); /* Driver specific initialization. */ switch ($driver) { case 'mysql': /* Use UTF-8. */ $db->exec("SET NAMES 'utf8'"); break; case 'pgsql': /* Use UTF-8. */ $db->exec("SET NAMES 'UTF8'"); break; } return $db; } /** * Attempt to log in using the given username and password. * * On a successful login, this function should return the users attributes. On failure, * it should throw an exception. If the error was caused by the user entering the wrong * username or password, a SimpleSAML_Error_Error('WRONGUSERPASS') should be thrown.
141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210
* * Note that both the username and the password are UTF-8 encoded. * * @param string $username The username the user wrote. * @param string $password The password the user wrote. * @return array Associative array with the users attributes. */ protected function login($username, $password) { assert('is_string($username)'); assert('is_string($password)'); $db = $this->connect(); try { $sth = $db->prepare($this->query); } catch (PDOException $e) { throw new Exception('sqlauthBcrypt:' . $this->authId . ': - Failed to prepare query: ' . $e->getMessage()); } try { $res = $sth->execute(array('username' => $username)); } catch (PDOException $e) { throw new Exception('sqlauthBcrypt:' . $this->authId . ': - Failed to execute query: ' . $e->getMessage()); } try { $data = $sth->fetchAll(PDO::FETCH_ASSOC); } catch (PDOException $e) { throw new Exception('sqlauth:' . $this->authId . ': - Failed to fetch result set: ' . $e->getMessage()); } SimpleSAML_Logger::info('sqlauthBcrypt:' . $this->authId . ': Got ' . count($data) . ' rows from database'); if (count($data) === 0) { /* No rows returned - invalid username */ SimpleSAML_Logger::error('sqlauthBcrypt:' . $this->authId . ': No rows in result set. Wrong username or sqlauthBcrypt is misconfigured.'); throw new SimpleSAML_Error_Error('WRONGUSERPASS'); } /* Validate stored password hash (must be in first row of resultset) */ $password_hash = $data[0][$this->hash_column]; $password_salt = $data[0][$this->salt_column]; if ($password_hash !== crypt($password.$this->pepper, $password_salt)) { /* Invalid password */ SimpleSAML_Logger::error('sqlauthBcrypt:' . $this->authId . ': Hash does not match. Wrong password or sqlauthBcrypt is misconfigured.'); throw new SimpleSAML_Error_Error('WRONGUSERPASS'); } /* Extract attributes. We allow the resultset to consist of multiple rows. Attributes * which are present in more than one row will become multivalued. NULL values and * duplicate values will be skipped. All values will be converted to strings. */ $attributes = array(); foreach ($data as $row) { foreach ($row as $name => $value) { if ($value === NULL) { continue; } if ($name === $this->hash_column || $name === $this->salt_column) { /* Don't add password hash and salt to attributes */ continue;
211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236
} $value = (string)$value; if (!array_key_exists($name, $attributes)) { $attributes[$name] = array(); } if (in_array($value, $attributes[$name], TRUE)) { /* Value already exists in attribute. */ continue; } $attributes[$name][] = $value; } } SimpleSAML_Logger::info('sqlauthBcrypt:' . $this->authId . ': Attributes: ' . implode(',', array_keys($attributes))); return $attributes; } } ?>

Dies ist die Gitlab-Instanz des Transferportals der Hochschule für Technik Stuttgart. Hier geht es zurück zum Portal