From dc4593f5b54112093c94cc2ea39a4f2d138c1432 Mon Sep 17 00:00:00 2001
From: Klaus Weidenbach
Date: Sun, 12 Oct 2014 00:33:37 +0200
Subject: Moved classes from reddav.php into own files. Finished moving classes out from include/reddav.php into own files. Also continued with namespace for RedDAV. Improved some docs and added some todos and fixmes.
---
include/RedDAV/RedBasicAuth.php | 208 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 208 insertions(+)
create mode 100644 include/RedDAV/RedBasicAuth.php
(limited to 'include/RedDAV/RedBasicAuth.php')
diff --git a/include/RedDAV/RedBasicAuth.php b/include/RedDAV/RedBasicAuth.php
new file mode 100644
index 000000000..c1da73da1
--- /dev/null
+++ b/include/RedDAV/RedBasicAuth.php
@@ -0,0 +1,208 @@
+setAuthenticated($r[0]);
+ }
+ }
+ $r = q("SELECT * FROM channel WHERE channel_address = '%s' LIMIT 1",
+ dbesc($username)
+ );
+ if ($r) {
+ $x = q("SELECT account_flags, account_salt, account_password FROM account WHERE account_id = %d LIMIT 1",
+ intval($r[0]['channel_account_id'])
+ );
+ if ($x) {
+ // @fixme this foreach should not be needed?
+ foreach ($x as $record) {
+ if (($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED)
+ && (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) {
+ logger('(DAV) RedBasicAuth: password verified for ' . $username);
+ return $this->setAuthenticated($r[0]);
+ }
+ }
+ }
+ }
+ logger('(DAV) RedBasicAuth: password failed for ' . $username);
+ return false;
+ }
+
+ /**
+ * @brief Sets variables and session parameters after successfull authentication.
+ *
+ * @param array $r
+ * Array with the values for the authenticated channel.
+ * @return bool
+ */
+ protected function setAuthenticated($r) {
+ $this->channel_name = $r['channel_address'];
+ $this->channel_id = $r['channel_id'];
+ $this->channel_hash = $this->observer = $r['channel_hash'];
+ $_SESSION['uid'] = $r['channel_id'];
+ $_SESSION['account_id'] = $r['channel_account_id'];
+ $_SESSION['authenticated'] = true;
+ return true;
+ }
+
+ /**
+ * Sets the channel_name from the currently logged-in channel.
+ *
+ * @param string $name
+ * The channel's name
+ */
+ public function setCurrentUser($name) {
+ $this->channel_name = $name;
+ }
+ /**
+ * Returns information about the currently logged-in channel.
+ *
+ * If nobody is currently logged in, this method should return null.
+ *
+ * @see \Sabre\DAV\Auth\Backend\AbstractBasic::getCurrentUser
+ * @return string|null
+ */
+ public function getCurrentUser() {
+ return $this->channel_name;
+ }
+
+ /**
+ * @brief Sets the timezone from the channel in RedBasicAuth.
+ *
+ * Set in mod/cloud.php if the channel has a timezone set.
+ *
+ * @param string $timezone
+ * The channel's timezone.
+ * @return void
+ */
+ public function setTimezone($timezone) {
+ $this->timezone = $timezone;
+ }
+ /**
+ * @brief Returns the timezone.
+ *
+ * @return string
+ * Return the channel's timezone.
+ */
+ public function getTimezone() {
+ return $this->timezone;
+ }
+
+ /**
+ * @brief Set browser plugin for SabreDAV.
+ *
+ * @see RedBrowser::set_writeable()
+ * @param DAV\Browser\Plugin $browser
+ */
+ public function setBrowserPlugin($browser) {
+ $this->browser = $browser;
+ }
+
+ /**
+ * Prints out all RedBasicAuth variables to logger().
+ *
+ * @return void
+ */
+ public function log() {
+ logger('dav: auth: channel_name ' . $this->channel_name, LOGGER_DATA);
+ logger('dav: auth: channel_id ' . $this->channel_id, LOGGER_DATA);
+ logger('dav: auth: channel_hash ' . $this->channel_hash, LOGGER_DATA);
+ logger('dav: auth: observer ' . $this->observer, LOGGER_DATA);
+ logger('dav: auth: owner_id ' . $this->owner_id, LOGGER_DATA);
+ logger('dav: auth: owner_nick ' . $this->owner_nick, LOGGER_DATA);
+ }
+}
\ No newline at end of file
-- cgit v1.2.3
From bc2ad74813b2993e1d7c076181b904b3a5c4be5f Mon Sep 17 00:00:00 2001
From: Klaus Weidenbach
Date: Tue, 14 Oct 2014 00:08:55 +0200
Subject: When you delete something in /cloud stay in the right folder. When you deleted a file in /cloud you was always jumped back to /cloud/[channel], now you will stay in the parent folder. Some more doxygen documentation. Removed duplicate data from logging output and reduced logging in RedDAV in general.
---
include/RedDAV/RedBasicAuth.php | 25 +++++++++++++------------
1 file changed, 13 insertions(+), 12 deletions(-)
(limited to 'include/RedDAV/RedBasicAuth.php')
diff --git a/include/RedDAV/RedBasicAuth.php b/include/RedDAV/RedBasicAuth.php
index c1da73da1..2f86d4f82 100644
--- a/include/RedDAV/RedBasicAuth.php
+++ b/include/RedDAV/RedBasicAuth.php
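Review bot: In the account check inside validateUserPass, `&&` binds tighter than `||`, so the condition evaluates as `flags == ACCOUNT_OK || (flags == ACCOUNT_UNVERIFIED && hash matches)` and the password hash is never compared for an account whose flags equal ACCOUNT_OK. The two flag tests need their own enclosing parentheses: `if ((($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED))` followed by `&& hash_equals($record['account_password'], hash('whirlpool', $record['account_salt'] . $password))) {`, where hash_equals() (PHP 5.6+) also makes the comparison constant-time. The same condition is carried unchanged as context in the later hunk at `@@ -112,13 +112,14 @@`. The top of the new file, including the start of validateUserPass, is missing from this page, so the first lookup that precedes these lines cannot be reviewed here.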
@@ -46,7 +46,7 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic { /** * * @see RedBrowser::set_writeable() - * @var DAV\Browser\Plugin + * @var \Sabre\DAV\Browser\Plugin */ public $browser; /** @@ -85,7 +85,7 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic { */ protected function validateUserPass($username, $password) { if (trim($password) === '+++') { - logger('(DAV): RedBasicAuth::validateUserPass(): guest ' . $username); + logger('guest: ' . $username); return true; } @@ -112,13 +112,14 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic { foreach ($x as $record) { if (($record['account_flags'] == ACCOUNT_OK) || ($record['account_flags'] == ACCOUNT_UNVERIFIED) && (hash('whirlpool', $record['account_salt'] . $password) === $record['account_password'])) { - logger('(DAV) RedBasicAuth: password verified for ' . $username); + logger('password verified for ' . $username); return $this->setAuthenticated($r[0]); } } } } - logger('(DAV) RedBasicAuth: password failed for ' . $username); + logger('password failed for ' . $username); + // @TODO add security logger return false; } 
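Review bot: In the hunk at `@@ -85,7 +85,7 @@`, the guest branch of validateUserPass returns true for any username without calling setAuthenticated(), and nothing in the code says so; the shortened log text `guest: ` makes that even less obvious. A comment above the branch would document the contract, for example `// guest login (password '+++'): accepted without a channel lookup; setAuthenticated() is not called here`. Whether callers treat such a request as unprivileged depends on code outside this hunk, so the comment should say which property they are expected to check once that is confirmed.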
@@ -186,23 +187,23 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic { * @brief Set browser plugin for SabreDAV. * * @see RedBrowser::set_writeable() - * @param DAV\Browser\Plugin $browser + * @param \Sabre\DAV\Browser\Plugin $browser */ public function setBrowserPlugin($browser) { $this->browser = $browser; } /** - * Prints out all RedBasicAuth variables to logger(). + * @brief Prints out all RedBasicAuth variables to logger(). * * @return void */ public function log() { - logger('dav: auth: channel_name ' . $this->channel_name, LOGGER_DATA); - logger('dav: auth: channel_id ' . $this->channel_id, LOGGER_DATA); - logger('dav: auth: channel_hash ' . $this->channel_hash, LOGGER_DATA); - logger('dav: auth: observer ' . $this->observer, LOGGER_DATA); - logger('dav: auth: owner_id ' . $this->owner_id, LOGGER_DATA); - logger('dav: auth: owner_nick ' . $this->owner_nick, LOGGER_DATA); + logger('channel_name ' . $this->channel_name, LOGGER_DATA); + logger('channel_id ' . $this->channel_id, LOGGER_DATA); + logger('channel_hash ' . $this->channel_hash, LOGGER_DATA); + logger('observer ' . $this->observer, LOGGER_DATA); + logger('owner_id ' . $this->owner_id, LOGGER_DATA); + logger('owner_nick ' . $this->owner_nick, LOGGER_DATA); } } \ No newline at end of file -- cgit v1.2.3 From 233903c84428b9322eaea94bf22f6ae972e44332 Mon Sep 17 00:00:00 2001 From: Klaus Weidenbach Date: Sun, 14 Dec 2014 01:22:52 +0100 Subject: Add security logger to RedDAV. Some smaller clean ups whitepsaces and tabs, use PHP_EOL, Doxygen, etc. --- include/RedDAV/RedBasicAuth.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'include/RedDAV/RedBasicAuth.php') diff --git a/include/RedDAV/RedBasicAuth.php b/include/RedDAV/RedBasicAuth.php index 2f86d4f82..19dd9a5f0 100644 --- a/include/RedDAV/RedBasicAuth.php +++ b/include/RedDAV/RedBasicAuth.php 
@@ -118,8 +118,11 @@ class RedBasicAuth extends DAV\Auth\Backend\AbstractBasic { } } } - logger('password failed for ' . $username); - // @TODO add security logger + + $error = 'password failed for ' . $username; + logger($error); + log_failed_login($error); + return false; } -- cgit v1.2.3
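Review bot: `$error` is built by concatenating the client-supplied `$username` and is now written to the failed-login log as well as to logger(), so a name containing line breaks or other control characters can split or forge entries that an operator or a ban tool later reads. Strip them before building the message: `$error = 'password failed for ' . preg_replace('/[\x00-\x1F\x7F]/', '', $username);`. The logger() calls in the earlier hunks concatenate `$username` the same way. log_failed_login() is defined outside this diff, so whether it escapes its argument or records the client address cannot be confirmed from here.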