00001 <?php
00002
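/**
 * Authentication module backed by the local auth database, with LDAP
 * verification for users whose local record carries an ldapUserId.
 *
 * authenticate() is the entry point. On success the user's identity, project
 * names and group names are cached on this object and the local record is
 * reconciled with LDAP through syncUserWithLdap(). Instances are serialised
 * (see __sleep()/__wakeup()): the AuthUser record is not persisted and is
 * reloaded from the database by id on wake-up.
 */
class SGlobalAuthModule extends SObject {

    /** @var string|null Login name, taken from LDAP or from the local row. */
    private $username;
    /** @var string|null */
    private $firstName;
    /** @var string|null */
    private $lastName;
    /** @var string|null */
    private $email;
    /** @var mixed Primary key of the AuthUser record (AuthUser::$id). */
    private $userId;
    /** @var mixed LDAP uid; only set after a successful LDAP bind, otherwise null. */
    private $ldapUserId;
    /** @var string|null Always 'other' after authentication; no finer roles exist here. */
    private $role;
    /** @var array|null Project names the user is associated with; null until authenticated. */
    private $projects;
    /** @var array|null Generic-group names the user belongs to; null until authenticated. */
    private $groups;

    /** @var array|null Group name => AuthGenGroup; only populated while authenticate() runs. */
    private $groupObjects;

    /** @var SLdap|null LDAP session; only created when the LDAP path was taken. */
    private $ldap;
    /** @var AuthUser|null Local user record; reloaded by __wakeup(). */
    private $user;

    public function __construct() {
        parent::__construct();
    }

    /**
     * Verify $username / $password and, on success, populate this object.
     *
     * Checks, in order:
     *   1. the auth database must be reachable;
     *   2. the account must not be locked out (auth.maxLoginAttempts failures
     *      within auth.invalidLoginTimeoutMinutes);
     *   3. the user must exist locally;
     *   4. the password is verified against LDAP when the local record has an
     *      ldapUserId, otherwise against the stored salted hash.
     *
     * Every rejected credential, including an unknown username, is recorded
     * with authDB::invalidLoginAttempt() so the lockout applies uniformly.
     *
     * @param string $username
     * @param string $password
     * @return bool true when the login succeeded
     */
    public function authenticate($username, $password) {
        $db = authDB::getDBI();

        if (count($db->getError()) > 0) {
            $this->setPrettyError('authenticate', 'Could not connect to authentication database.');
            return false;
        }

        if ($this->isLockedOut($username)) {
            return false;
        }

        $users = AuthUser::getList(array('username' => $username), array(1));
        if (count($db->getError()) > 0) {
            $this->setPrettyError('authenticate', $db->getError());
            return false;
        }

        // Unknown usernames count as failed attempts as well.
        if (count($users) == 0) {
            authDB::invalidLoginAttempt($username);
            return false;
        }
        $this->user = $users[0];

        // Loose comparison on purpose: legacy rows may hold '' or 0 rather than
        // NULL to mean "no LDAP account".
        if ($this->user->ldapUserId != null) {
            $verified = $this->authenticateAgainstLdap($username, $password);
        } else {
            $verified = $this->authenticateAgainstDatabase($password);
        }
        if (!$verified) {
            authDB::invalidLoginAttempt($username);
            return false;
        }

        $this->userId = $this->user->id;
        $this->role = 'other';
        $this->loadProjects();
        $this->loadGroups();

        $this->syncUserWithLdap();
        // The group objects are only needed by the sync; drop them so they are
        // neither kept alive nor serialised with the module.
        $this->groupObjects = null;
        return true;
    }

    /**
     * Whether $username has reached auth.maxLoginAttempts failures inside the
     * last auth.invalidLoginTimeoutMinutes. When it has, the remaining wait is
     * reported through $SWAT->authError() and true is returned.
     *
     * @param string $username
     * @return bool
     */
    private function isLockedOut($username) {
        $timeoutSeconds = SConfig::getOption('auth.invalidLoginTimeoutMinutes') * 60;
        $windowStart = date('Y-m-d H:i:s', intval(time() - $timeoutSeconds));
        $filter = array(
            'username' => $username,
            '>=' => array('requestTime' => $windowStart),
        );

        // The trailing true makes getList() return something compared numerically
        // below (presumably a row count rather than the rows).
        $failures = AuthInvalidLoginAttempt::getList($filter, array(), array(), true);
        if ($failures < SConfig::getOption('auth.maxLoginAttempts')) {
            return false;
        }

        // The lockout ends when the oldest failure in the window ages out.
        $oldest = AuthInvalidLoginAttempt::getList($filter, array(1), array('requestTime' => 'ASC'));
        if (isset($oldest[0])) {
            $remainingSeconds = $timeoutSeconds + strtotime($oldest[0]->requestTime) - time();
        } else {
            // The rows aged out between the two queries; report the full timeout
            // rather than dereferencing a missing row.
            $remainingSeconds = $timeoutSeconds;
        }
        $minutes = (int) ceil($remainingSeconds / 60);
        $wait = $minutes . ($minutes === 1 ? ' minute' : ' minutes');

        global $SWAT;
        $SWAT->authError('Too many failed login attempts. Please wait ' . $wait . '.');
        return true;
    }

    /**
     * Bind to LDAP with the supplied credentials and, on success, take the
     * identity fields from the directory instead of the local row.
     *
     * @param string $username
     * @param string $password
     * @return bool
     */
    private function authenticateAgainstLdap($username, $password) {
        $this->ldap = new SLdap;
        if (!$this->ldap->authenticate($username, $password)) {
            return false;
        }

        $this->username = $this->ldap->getUserName();
        $this->firstName = $this->ldap->getFirstName();
        $this->lastName = $this->ldap->getLastName();
        $this->email = $this->ldap->getEmail();
        $this->ldapUserId = $this->ldap->getUID();
        return true;
    }

    /**
     * Compare $password against the stored salted hash using the hash type
     * recorded on the user. A user still on an md5 hash has the password
     * stored again through authDB::setPassword() after a successful login
     * (presumably with the current hashing scheme).
     *
     * @param string $password
     * @return bool
     */
    private function authenticateAgainstDatabase($password) {
        $hash = new AuthHashType(array('id' => $this->user->hashTypeId));
        $stored = $this->user->password;
        $computed = SHash::password($password, $this->user->salt, $hash->name);

        // hash_equals() keeps the comparison constant-time. Anything that is
        // not a string on either side (e.g. an empty password column, or a
        // hash helper returning null) is rejected instead of compared.
        if (!is_string($stored) || !is_string($computed) || !hash_equals($stored, $computed)) {
            return false;
        }

        if ($hash->name === 'md5') {
            authDB::setPassword($this->user, $password);
            $this->user->commit();
        }

        $this->username = $this->user->username;
        $this->firstName = $this->user->firstName;
        $this->lastName = $this->user->lastName;
        $this->email = $this->user->email;
        return true;
    }

    /** Cache the names of the projects the user is associated with. */
    private function loadProjects() {
        $names = array();
        $associations = AuthUserToProject::getList(array('userId' => $this->user->id));
        foreach ($associations as $association) {
            $project = new AuthProject(array('id' => $association->projectId));
            $names[] = $project->name;
        }
        $this->projects = $names;
    }

    /**
     * Cache the user's generic groups, both as a list of names and as a
     * name => AuthGenGroup map that syncUserWithLdap() reads ldapGroupId from.
     */
    private function loadGroups() {
        $names = array();
        $objects = array();
        $associations = AuthUserToGenGroup::getList(array('userId' => $this->user->id));
        foreach ($associations as $association) {
            $group = new AuthGenGroup(array('id' => $association->genGroupId));
            $names[] = $group->name;
            $objects[$group->name] = $group;
        }
        $this->groups = $names;
        $this->groupObjects = $objects;
    }

    /**
     * Redirect unless the current user is a member of every project in $projects.
     *
     * @param array $projects Project names; a non-array is reported via setPrettyError() and ignored.
     * @param string|null $redirect Target URL; defaults to $PATH['access_denied'], then $PATH['main'], then '/'.
     * @return void
     */
    public function requireProjects($projects, $redirect = null) {
        if (!is_array($projects)) {
            $this->setPrettyError('SGLobalAuthModule::requireProjects', 'Projects should be an array, ' . gettype($projects) . ' given.');
            return;
        }
        if ($redirect === null) {
            $redirect = $this->defaultDeniedRedirect();
        }

        foreach ($projects as $project) {
            if (!$this->inProject($project)) {
                SWAT_Functions::redirect($redirect);
                // redirect() is expected to end the request; return so that an
                // implementation which does not cannot redirect once per project.
                return;
            }
        }
    }

    /**
     * Resolve the fallback access-denied URL from the global $PATH table.
     *
     * @return string
     */
    private function defaultDeniedRedirect() {
        global $PATH;
        if (isset($PATH['access_denied'])) {
            return $PATH['access_denied'];
        }
        if (isset($PATH['main'])) {
            return $PATH['main'];
        }
        return '/';
    }

    /**
     * Reconcile the local user record with LDAP.
     *
     * Without a verified LDAP identity the user is removed from the
     * AuthProject::SHODOR_INTERNAL project. With one, the user is added to it,
     * the local name and email are overwritten from the directory, and the
     * generic-group memberships are aligned with the LDAP groups: local groups
     * that are LDAP-backed (ldapGroupId set) but no longer listed are removed,
     * and every LDAP group is created locally if missing and joined.
     *
     * Meant to be called from authenticate(): the removal step reads
     * $this->groupObjects, which authenticate() clears afterwards, so a later
     * external call will not remove stale LDAP-backed groups.
     *
     * @return void
     */
    public function syncUserWithLdap() {
        $internal = array_search(AuthProject::SHODOR_INTERNAL, $this->projects);
        $hasLdapIdentity = $this->ldapUserId !== null && $this->ldap instanceof SLdap;

        if (!$hasLdapIdentity) {
            if ($internal !== false) {
                authDB::removeProjectUser($this->user, AuthProject::SHODOR_INTERNAL);
                unset($this->projects[$internal]);
                $this->user->commit();
            }
            return;
        }

        if ($internal === false) {
            authDB::addProjectUser($this->user, AuthProject::SHODOR_INTERNAL);
            $this->projects[] = AuthProject::SHODOR_INTERNAL;
            $this->user->commit();
        }

        $this->copyIdentityFromLdap();
        $this->syncGroupsWithLdap();
    }

    /** Overwrite the local name/email fields with the LDAP values where they differ; one commit at most. */
    private function copyIdentityFromLdap() {
        $changed = false;
        foreach (array('firstName', 'lastName', 'email') as $field) {
            if ($this->user->$field !== $this->$field) {
                $this->user->$field = $this->$field;
                $changed = true;
            }
        }
        if ($changed) {
            $this->user->commit();
        }
    }

    /** Align generic-group memberships with the LDAP group list; see syncUserWithLdap(). */
    private function syncGroupsWithLdap() {
        // Keyed by LDAP group id, valued by group name, as used below.
        $ldapGroups = $this->ldap->listGroups($this->ldapUserId);

        // Drop LDAP-backed local groups the directory no longer reports.
        foreach ($this->groups as $index => $groupName) {
            if (in_array($groupName, $ldapGroups)) {
                continue;
            }
            // Without a group object we cannot tell whether the group is
            // LDAP-backed, so it is left alone rather than dereferencing null.
            if (isset($this->groupObjects[$groupName])
                    && $this->groupObjects[$groupName]->ldapGroupId !== null) {
                authDB::removeGroupUser($this->user, $groupName);
                unset($this->groups[$index]);
            }
        }

        // Make sure each LDAP group exists locally with the right id and has
        // the user as a member.
        foreach ($ldapGroups as $ldapGroupId => $ldapGroupName) {
            if (!authDB::groupExists($ldapGroupName)) {
                authDB::addGroup($ldapGroupName, $ldapGroupId);
            } else {
                $group = new AuthGenGroup(array('name' => $ldapGroupName));
                if ($group->ldapGroupId !== $ldapGroupId) {
                    $group->ldapGroupId = $ldapGroupId;
                    $group->commit();
                }
            }
            if (!in_array($ldapGroupName, $this->groups)) {
                authDB::addGroupUser($this->user, $ldapGroupName);
                $this->groups[] = $ldapGroupName;
            }
        }
    }

    /** @return array|null Project names; null before a successful authenticate(). */
    public function getProjects() {
        return $this->projects;
    }

    /** @return array|null Generic-group names; null before a successful authenticate(). */
    public function getGroups() {
        return $this->groups;
    }

    /**
     * @param string $project
     * @return bool false when no projects are loaded (not authenticated).
     */
    public function inProject($project) {
        // Loose in_array() kept: the names come straight from the database and
        // callers may pass constants of either type.
        return is_array($this->projects) && in_array($project, $this->projects);
    }

    /** @return string|null 'other' once authenticated. */
    public function getRole() {
        return $this->role;
    }

    /** This module defines no permission set. @return false */
    public function getPermissions() {
        return false;
    }

    /** @return mixed AuthUser id of the authenticated user. */
    public function getUID() {
        return $this->userId;
    }

    /** @return mixed LDAP uid, or null when the login did not go through LDAP. */
    public function getLdapUID() {
        return $this->ldapUserId;
    }

    /** @return string|null */
    public function getFirstName() {
        return $this->firstName;
    }

    /** @return string|null */
    public function getLastName() {
        return $this->lastName;
    }

    /** @return string|null */
    public function getEmail() {
        return $this->email;
    }

    /** @return SLdap|null The LDAP session, only present after an LDAP-backed login. */
    public function getLdap() {
        return $this->ldap;
    }

    /** @return AuthUser|null The local user record. */
    public function getUser() {
        return $this->user;
    }

    /** @param mixed $uid */
    protected function setUID($uid) {
        $this->userId = $uid;
    }

    /** @param mixed $uid */
    protected function setLdapUID($uid) {
        $this->ldapUserId = $uid;
    }

    /** @param string $username */
    protected function setUserName($username) {
        $this->username = $username;
    }

    /** @param string $email */
    protected function setEmail($email) {
        $this->email = $email;
    }

    /**
     * Properties to serialise (e.g. into the session).
     *
     * The AuthUser record is deliberately left out: __wakeup() reloads it by
     * id, so persisting it would only copy its password hash and salt around.
     * The SLdap object is still included as before; whether its connection
     * survives a round-trip is not decided here — NOTE(review): confirm.
     *
     * @return array
     */
    public function __sleep() {
        $fields = array_keys(get_object_vars($this));
        return array_values(array_diff($fields, array('user')));
    }

    /**
     * Restore the AuthUser record for the serialised userId.
     *
     * The engine ignores the return value; it is kept for any caller that
     * invokes this method directly.
     *
     * @return array
     */
    public function __wakeup() {
        $this->user = AuthUser::retrieve(array('id' => $this->userId));
        return array_keys(get_object_vars($this));
    }

}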
00460
00461 ?>