babolivier
/
moodle_macaroons
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Moodle authentication plugin for Macaroons
16 Commits
1 Branch
Tree: aa8a7d1d51
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'aa8a7d1d51'
${ noResults }
moodle_macaroons/auth.php

auth.php 8.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313 
  1. <?php

  2. // This file is part of Moodle - http://moodle.org/

  3. //

  4. // Moodle is free software: you can redistribute it and/or modify

  5. // it under the terms of the GNU General Public License as published by

  6. // the Free Software Foundation, either version 3 of the License, or

  7. // (at your option) any later version.

  8. //

  9. // Moodle is distributed in the hope that it will be useful,

  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of

  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  12. // GNU General Public License for more details.

  13. //

  14. // You should have received a copy of the GNU General Public License

  15. // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

  16. 

  17. /**

  18.  * Authentication plugin: Macaroons

  19.  *

  20.  * Macaroons: Cookies with Contextual Caveats for Decentralized Authorization

  21.  *

  22.  * @package auth_macaroons

  23.  * @author Brendan Abolivier

  24.  * @license http://www.gnu.org/copyleft/gpl.html GNU Public License

  25.  */

  26. 

  27. defined('MOODLE_INTERNAL') || die();

  28. 

  29. require_once($CFG->libdir.'/authlib.php');

  30. 

  31. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Macaroon.php');

  32. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Caveat.php');

  33. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Packet.php');

  34. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Utils.php');

  35. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Verifier.php');

  36. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/CaveatUnsatisfiedException.php');

  37. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/InvalidMacaroonKeyException.php');

  38. require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/SignatureMismatchException.php');

  39. 

  40. use Macaroons\Macaroon;

  41. use Macaroons\Verifier;

  42. 

  43. 

  44. /**

  45.  * Plugin for no authentication.

  46.  */

  47. class auth_plugin_macaroons extends auth_plugin_base {

  48. 

  49. 	/*

  50. 	* The name of the component. Used by the configuration.

  51. 	*/

  52. 	const COMPONENT_NAME = 'auth_macaroons';

  53. 

  54. 	/**

  55. 	 * Constructor.

  56. 	 */

  57. 	public function __construct() {

  58. 		$this->authtype = 'macaroons';

  59. 		$this->config = get_config(self::COMPONENT_NAME);

  60. 	}

  61. 

  62. 	/**

  63. 	 * Old syntax of class constructor. Deprecated in PHP7.

  64. 	 *

  65. 	 * @deprecated since Moodle 3.1

  66. 	 */

  67. 	public function auth_plugin_macaroons() {

  68. 		debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER);

  69. 		self::__construct();

  70. 	}

  71. 

  72. 	/* Login page hook

  73. 	*

  74. 	* Called before displaying the login form, is used to authenticate the user

  75. 	* and bypass the form.

  76. 	*/

  77. 	function loginpage_hook() {

  78. 		global $DB, $login, $CFG;

  79. 		$placeholders[0] = "/{{firstname}}/";

  80. 		$placeholders[1] = "/{{lastname}}/";

  81. 		if(!empty($_COOKIE[$this->config->cookie_name])) {

  82. 			try {

  83. 				$m = Macaroon::deserialize($_COOKIE[$this->config->cookie_name]);

  84. 

  85. 				$callbacks = array();

  86. 

  87. 				if(!empty($this->config->caveat1_condition)) {

  88. 					array_push($callbacks, function($a) {

  89. 						return !strcmp($a, $this->config->caveat1_condition);

  90. 					});

  91. 				}

  92. 				if(!empty($this->config->caveat2_condition)) {

  93. 					array_push($callbacks, function($a) {

  94. 						return !strcmp($a, $this->config->caveat2_condition);

  95. 					});

  96. 				}

  97. 				if(!empty($this->config->caveat3_condition)) {

  98. 					array_push($callbacks, function($a) {

  99. 						return !strcmp($a, $this->config->caveat3_condition);

  100. 					});

  101. 				}

  102. 

  103. 				$v = new Verifier();

  104. 				$v->setCallbacks($callbacks);

  105. 

  106. 				if($v->verify($m, $this->config->secret)) {

  107. 					$identifier = explode(";", $m->getIdentifier());

  108. 					$parsed_id = $this->parse_identifier($identifier);

  109. 					if(empty($parsed_id["username"])) {

  110. 						$login = $parsed_id["firstname"].$parsed_id["lastname"];

  111. 					} else {

  112. 						$login = $parsed_id["username"];

  113. 					}

  114. 					$user = authenticate_user_login($login, null);

  115. 

  116. 					if($user) {

  117. 						if(!empty($parsed_id["firstname"])) {

  118. 							$user->firstname = $parsed_id["firstname"];

  119. 						}

  120. 						if(!empty($parsed_id["lastname"])) {

  121. 							$user->lastname = $parsed_id["lastname"];

  122. 						}

  123. 						$user->email = preg_replace($placeholders, [

  124. 							$parsed_id["firstname"],

  125. 							$parsed_id["lastname"]

  126. 						], $this->config->email_config);

  127. 						$DB->update_record('user', $user);

  128. 						var_dump($user);

  129. 						complete_user_login($user);

  130. 						redirect($CFG->wwwroot);

  131. 					}

  132. 				}

  133. 			} catch(Exception $e) {

  134. 				$message = $e->getMessage();

  135. 			}

  136. 		}

  137. 	}

  138. 

  139. 

  140. 	/*

  141. 	* Parses the macaroon identifier based on the user's config

  142. 	*

  143. 	* @param array $identifier The macaroon identifier split based on the separator

  144. 	* @return array A map linking a field with an user value

  145. 	*/

  146. 	function parse_identifier($identifier) {

  147. 		$placeholders = explode(";", $this->config->identifier_format);

  148. 

  149. 		$parsed_id = array();

  150. 

  151. 		// Check if the identifier has the same number of fields as configured

  152. 		if(sizeof($placeholders) != sizeof($identifier)) {

  153. 			// Returning an empty array as the return value is expected to be

  154. 			// an array

  155. 			return $parsed_id;

  156. 		}

  157. 

  158. 		if(is_numeric($index = array_search("{{username}}", $placeholders))) {

  159. 			$parsed_id["username"] = $identifier[$index];

  160. 		}

  161. 		if(is_numeric($index = array_search("{{firstname}}", $placeholders))) {

  162. 			$parsed_id["firstname"] = $identifier[$index];

  163. 		}

  164. 		if(is_numeric($index = array_search("{{lastname}}", $placeholders))) {

  165. 			$parsed_id["lastname"] = $identifier[$index];

  166. 		}

  167. 

  168. 		return $parsed_id;

  169. 	}

  170. 

  171. 	/**

  172. 	 * Returns true if the username and password work or don't exist and false

  173. 	 * if the user exists and the password is wrong.

  174. 	 *

  175. 	 * @param string $username The username

  176. 	 * @param string $password The password

  177. 	 * @return bool Authentication success or failure.

  178. 	 */

  179. 	function user_login ($username, $password) {

  180. 		global $login;

  181. 		if($login == $username) {

  182. 			return true;

  183. 		}

  184. 		return false;

  185. 	}

  186. 

  187. 	/**

  188. 	 * Updates the user's password.

  189. 	 *

  190. 	 * called when the user password is updated.

  191. 	 *

  192. 	 * @param  object  $user		User table object

  193. 	 * @param  string  $newpassword Plaintext password

  194. 	 * @return boolean result

  195. 	 *

  196. 	 */

  197. 	function user_update_password($user, $newpassword) {

  198. 		$user = get_complete_user_data('id', $user->id);

  199. 		// This will also update the stored hash to the latest algorithm

  200. 		// if the existing hash is using an out-of-date algorithm (or the

  201. 		// legacy md5 algorithm).

  202. 		return update_internal_user_password($user, $newpassword);

  203. 	}

  204. 

  205. 	function prevent_local_passwords() {

  206. 		return false;

  207. 	}

  208. 

  209. 	/**

  210. 	 * Returns true if this authentication plugin is 'internal'.

  211. 	 *

  212. 	 * @return bool

  213. 	 */

  214. 	function is_internal() {

  215. 		return false;

  216. 	}

  217. 

  218. 	/**

  219. 	 * Returns true if this authentication plugin can change the user's

  220. 	 * password.

  221. 	 *

  222. 	 * @return bool

  223. 	 */

  224. 	function can_change_password() {

  225. 		return true;

  226. 	}

  227. 

  228. 	/**

  229. 	 * Returns the URL for changing the user's pw, or empty if the default can

  230. 	 * be used.

  231. 	 *

  232. 	 * @return moodle_url

  233. 	 */

  234. 	function change_password_url() {

  235. 		return null;

  236. 	}

  237. 

  238. 	/**

  239. 	 * Returns true if plugin allows resetting of internal password.

  240. 	 *

  241. 	 * @return bool

  242. 	 */

  243. 	function can_reset_password() {

  244. 		return true;

  245. 	}

  246. 

  247. 	/**

  248. 	 * Returns true if plugin can be manually set.

  249. 	 *

  250. 	 * @return bool

  251. 	 */

  252. 	function can_be_manually_set() {

  253. 		return true;

  254. 	}

  255. 

  256. 	/**

  257. 	 * Prints a form for configuring this authentication plugin.

  258. 	 *

  259. 	 * This function is called from admin/auth.php, and outputs a full page with

  260. 	 * a form for configuring this plugin.

  261. 	 *

  262. 	 * @param array $page An object containing all the data for this page.

  263. 	 */

  264. 	function config_form($config, $err, $user_fields) {

  265. 		include "config.html";

  266. 	}

  267. 

  268. 	/**

  269. 	 * Processes and stores configuration data for this authentication plugin.

  270. 	 */

  271. 	function process_config($config) {

  272. 		if(!isset($config->cookie_name)) {

  273. 			$config->cookie_name = 'das-macaroon';

  274. 		}

  275. 		if(!isset($config->secret)) {

  276. 			$config->secret = 'pocsecret';

  277. 		}

  278. 		if(!isset($config->identifier_format)) {

  279. 			$config->identifier_format = '{{firstname}};{{lastname}}';

  280. 		}

  281. 		if(!isset($config->email_config)) {

  282. 			$config->email_config = '{{firstname}}.{{lastname}}@company.tld';

  283. 		}

  284. 		// Caveats

  285. 		if(!isset($config->caveat1_condition)) {

  286. 				$config->caveat1_condition = '';

  287. 		}

  288. 		if(!isset($config->caveat2_condition)) {

  289. 				$config->caveat2_condition = '';

  290. 		}

  291. 		if(!isset($config->caveat3_condition)) {

  292. 				$config->caveat3_condition = '';

  293. 		}

  294. 

  295. 

  296. 		set_config('cookie_name', $config->cookie_name, self::COMPONENT_NAME);

  297. 		set_config('secret', $config->secret, self::COMPONENT_NAME);

  298. 		set_config('identifier_format', $config->identifier_format, self::COMPONENT_NAME);

  299. 		set_config('email_config', $config->email_config, self::COMPONENT_NAME);

  300. 		// Caveats

  301. 		set_config('caveat1_condition', $config->caveat1_condition, self::COMPONENT_NAME);

  302. 		set_config('caveat2_condition', $config->caveat2_condition, self::COMPONENT_NAME);

  303. 		set_config('caveat3_condition', $config->caveat3_condition, self::COMPONENT_NAME);

  304. 

  305. 		return true;

  306. 	}

  307. 

  308. 	function is_synchronised_with_external() {

  309. 		return false;

  310. 	}

  311. }

  312.