1: <?php
  2: /**
  3:  * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
  4:  * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
  5:  *
  6:  * Licensed under The MIT License
  7:  * Redistributions of files must retain the above copyright notice.
  8:  *
  9:  * @copyright     Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
 10:  * @link          https://cakephp.org CakePHP(tm) Project
 11:  * @since         3.0.0
 12:  * @license       https://opensource.org/licenses/mit-license.php MIT License
 13:  */
 14: namespace Cake\Http\Client\Auth;
 15: 
 16: use Cake\Http\Client;
 17: use Cake\Http\Client\Request;
 18: 
 19: /**
 20:  * Digest authentication adapter for Cake\Http\Client
 21:  *
 22:  * Generally not directly constructed, but instead used by Cake\Http\Client
 23:  * when $options['auth']['type'] is 'digest'
 24:  */
 25: class Digest
 26: {
 27: 
 28:     /**
 29:      * Instance of Cake\Http\Client
 30:      *
 31:      * @var \Cake\Http\Client
 32:      */
 33:     protected $_client;
 34: 
 35:     /**
 36:      * Constructor
 37:      *
 38:      * @param \Cake\Http\Client $client Http client object.
 39:      * @param array|null $options Options list.
 40:      */
 41:     public function __construct(Client $client, $options = null)
 42:     {
 43:         $this->_client = $client;
 44:     }
 45: 
 46:     /**
 47:      * Add Authorization header to the request.
 48:      *
 49:      * @param \Cake\Http\Client\Request $request The request object.
 50:      * @param array $credentials Authentication credentials.
 51:      * @return \Cake\Http\Client\Request The updated request.
 52:      * @see https://www.ietf.org/rfc/rfc2617.txt
 53:      */
 54:     public function authentication(Request $request, array $credentials)
 55:     {
 56:         if (!isset($credentials['username'], $credentials['password'])) {
 57:             return $request;
 58:         }
 59:         if (!isset($credentials['realm'])) {
 60:             $credentials = $this->_getServerInfo($request, $credentials);
 61:         }
 62:         if (!isset($credentials['realm'])) {
 63:             return $request;
 64:         }
 65:         $value = $this->_generateHeader($request, $credentials);
 66: 
 67:         return $request->withHeader('Authorization', $value);
 68:     }
 69: 
 70:     /**
 71:      * Retrieve information about the authentication
 72:      *
 73:      * Will get the realm and other tokens by performing
 74:      * another request without authentication to get authentication
 75:      * challenge.
 76:      *
 77:      * @param \Cake\Http\Client\Request $request The request object.
 78:      * @param array $credentials Authentication credentials.
 79:      * @return array modified credentials.
 80:      */
 81:     protected function _getServerInfo(Request $request, $credentials)
 82:     {
 83:         $response = $this->_client->get(
 84:             $request->getUri(),
 85:             [],
 86:             ['auth' => ['type' => null]]
 87:         );
 88: 
 89:         if (!$response->getHeader('WWW-Authenticate')) {
 90:             return [];
 91:         }
 92:         preg_match_all(
 93:             '@(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))@',
 94:             $response->getHeaderLine('WWW-Authenticate'),
 95:             $matches,
 96:             PREG_SET_ORDER
 97:         );
 98:         foreach ($matches as $match) {
 99:             $credentials[$match[1]] = $match[2];
100:         }
101:         if (!empty($credentials['qop']) && empty($credentials['nc'])) {
102:             $credentials['nc'] = 1;
103:         }
104: 
105:         return $credentials;
106:     }
107: 
108:     /**
109:      * Generate the header Authorization
110:      *
111:      * @param \Cake\Http\Client\Request $request The request object.
112:      * @param array $credentials Authentication credentials.
113:      * @return string
114:      */
115:     protected function _generateHeader(Request $request, $credentials)
116:     {
117:         $path = $request->getUri()->getPath();
118:         $a1 = md5($credentials['username'] . ':' . $credentials['realm'] . ':' . $credentials['password']);
119:         $a2 = md5($request->getMethod() . ':' . $path);
120:         $nc = null;
121: 
122:         if (empty($credentials['qop'])) {
123:             $response = md5($a1 . ':' . $credentials['nonce'] . ':' . $a2);
124:         } else {
125:             $credentials['cnonce'] = uniqid();
126:             $nc = sprintf('%08x', $credentials['nc']++);
127:             $response = md5($a1 . ':' . $credentials['nonce'] . ':' . $nc . ':' . $credentials['cnonce'] . ':auth:' . $a2);
128:         }
129: 
130:         $authHeader = 'Digest ';
131:         $authHeader .= 'username="' . str_replace(['\\', '"'], ['\\\\', '\\"'], $credentials['username']) . '", ';
132:         $authHeader .= 'realm="' . $credentials['realm'] . '", ';
133:         $authHeader .= 'nonce="' . $credentials['nonce'] . '", ';
134:         $authHeader .= 'uri="' . $path . '", ';
135:         $authHeader .= 'response="' . $response . '"';
136:         if (!empty($credentials['opaque'])) {
137:             $authHeader .= ', opaque="' . $credentials['opaque'] . '"';
138:         }
139:         if (!empty($credentials['qop'])) {
140:             $authHeader .= ', qop="auth", nc=' . $nc . ', cnonce="' . $credentials['cnonce'] . '"';
141:         }
142: 
143:         return $authHeader;
144:     }
145: }
146: 
147: // @deprecated 3.4.0 Add backwards compat alias.
148: class_alias('Cake\Http\Client\Auth\Digest', 'Cake\Network\Http\Auth\Digest');
149: