Resources/Documents/_salted_password_service_8php_source.html

<?php

namespace TYPO3\CMS\Saltedpasswords;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService

{

    public $prefixId = 'tx_saltedpasswords_sv1';


    public $scriptRelPath = 'sv1/class.tx_saltedpasswords_sv1.php';


    public $extKey = 'saltedpasswords';


    protected $extConf;


    protected $objInstanceSaltedPW = null;


    protected $authenticationFailed = false;


    public function init()

    {

        $available = false;

        $mode = TYPO3_MODE;

        if ($this->info['requestedServiceSubType'] === 'authUserBE') {

            $mode = 'BE';

        } elseif ($this->info['requestedServiceSubType'] === 'authUserFE') {

            $mode = 'FE';

        }

        if (\TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::isUsageEnabled($mode)) {

            $available = true;

            $this->extConf = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::returnExtConf();

        }

        return $available ? parent::init() : false;

    }


    public function compareUident(array $user, array $loginData, $passwordCompareStrategy = '')

    {

        $validPasswd = false;

        $password = $loginData['uident_text'];

        // Determine method used for given salted hashed password

        $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance($user['password']);

        // Existing record is in format of Salted Hash password

        if (is_object($this->objInstanceSaltedPW)) {

            $validPasswd = $this->objInstanceSaltedPW->checkPassword($password, $user['password']);

            // Record is in format of Salted Hash password but authentication failed

            // skip further authentication methods

            if (!$validPasswd) {

                $this->authenticationFailed = true;

            }

            $defaultHashingClassName = \TYPO3\CMS\Saltedpasswords\Utility\SaltedPasswordsUtility::getDefaultSaltingHashingMethod();

            $skip = false;

            // Test for wrong salted hashing method

            if ($validPasswd && !(get_class($this->objInstanceSaltedPW) == $defaultHashingClassName) || is_subclass_of($this->objInstanceSaltedPW, $defaultHashingClassName)) {

                // Instanciate default method class

                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);

                $this->updatePassword((int)$user['uid'], array('password' => $this->objInstanceSaltedPW->getHashedPassword($password)));

            }

            if ($validPasswd && !$skip && $this->objInstanceSaltedPW->isHashUpdateNeeded($user['password'])) {

                $this->updatePassword((int)$user['uid'], array('password' => $this->objInstanceSaltedPW->getHashedPassword($password)));

            }

        } elseif (!(int)$this->extConf['forceSalted']) {

            // Stored password is in deprecated salted hashing method

            if (\TYPO3\CMS\Core\Utility\GeneralUtility::inList('C$,M$', substr($user['password'], 0, 2))) {

                // Instanciate default method class

                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(substr($user['password'], 1));

                // md5

                if ($user['password'][0] === 'M') {

                    $validPasswd = $this->objInstanceSaltedPW->checkPassword(md5($password), substr($user['password'], 1));

                } else {

                    $validPasswd = $this->objInstanceSaltedPW->checkPassword($password, substr($user['password'], 1));

                }

                // Skip further authentication methods

                if (!$validPasswd) {

                    $this->authenticationFailed = true;

                }

            } elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {

                $validPasswd = md5($password) === (string)$user['password'];

                // Skip further authentication methods

                if (!$validPasswd) {

                    $this->authenticationFailed = true;

                }

            } else {

                $validPasswd = (string)$password === (string)$user['password'];

            }

            // Should we store the new format value in DB?

            if ($validPasswd && (int)$this->extConf['updatePasswd']) {

                // Instanciate default method class

                $this->objInstanceSaltedPW = \TYPO3\CMS\Saltedpasswords\Salt\SaltFactory::getSaltingInstance(null);

                $this->updatePassword((int)$user['uid'], array('password' => $this->objInstanceSaltedPW->getHashedPassword($password)));

            }

        }

        return $validPasswd;

    }


    public function authUser(array $user)

    {

        $OK = 100;

        $validPasswd = false;

        if ($this->login['uident'] && $this->login['uname']) {

            if (!empty($this->login['uident_text'])) {

                $validPasswd = $this->compareUident($user, $this->login);

            }

            if (!$validPasswd) {

                // Failed login attempt (wrong password)

                $errorMessage = 'Login-attempt from %s (%s), username \'%s\', password not accepted!';

                // No delegation to further services

                if ((int)$this->extConf['onlyAuthService'] || $this->authenticationFailed) {

                    $this->writeLogMessage(TYPO3_MODE . ' Authentication failed - wrong password for username \'%s\'', $this->login['uname']);

                    $OK = 0;

                } else {

                    $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']);

                }

                $this->writelog(255, 3, 3, 1, $errorMessage, array(

                    $this->authInfo['REMOTE_ADDR'],

                    $this->authInfo['REMOTE_HOST'],

                    $this->login['uname']

                ));

                \TYPO3\CMS\Core\Utility\GeneralUtility::sysLog(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'core', \TYPO3\CMS\Core\Utility\GeneralUtility::SYSLOG_SEVERITY_INFO);

            } elseif ($validPasswd && $user['lockToDomain'] && strcasecmp($user['lockToDomain'], $this->authInfo['HTTP_HOST'])) {

                // Lock domain didn't match, so error:

                $errorMessage = 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!';

                $this->writeLogMessage($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'], $user['lockToDomain'], $this->authInfo['HTTP_HOST']);

                $this->writelog(255, 3, 3, 1, $errorMessage, array(

                    $this->authInfo['REMOTE_ADDR'],

                    $this->authInfo['REMOTE_HOST'],

                    $user[$this->db_user['username_column']],

                    $user['lockToDomain'],

                    $this->authInfo['HTTP_HOST']

                ));

                \TYPO3\CMS\Core\Utility\GeneralUtility::sysLog(sprintf($errorMessage, $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']), 'core', \TYPO3\CMS\Core\Utility\GeneralUtility::SYSLOG_SEVERITY_INFO);

                $OK = 0;

            } elseif ($validPasswd) {

                $this->writeLogMessage(TYPO3_MODE . ' Authentication successful for username \'%s\'', $this->login['uname']);

                $OK = 200;

            }

        }

        return $OK;

    }


    protected function updatePassword($uid, $updateFields)

    {

        $GLOBALS['TYPO3_DB']->exec_UPDATEquery($this->pObj->user_table, sprintf('uid = %u', $uid), $updateFields);

        \TYPO3\CMS\Core\Utility\GeneralUtility::devLog(sprintf('Automatic password update for user record in %s with uid %u', $this->pObj->user_table, $uid), $this->extKey, 1);

    }


    public function writeLogMessage($message)

    {

        if (func_num_args() > 1) {

            $params = func_get_args();

            array_shift($params);

            $message = vsprintf($message, $params);

        }

        if (TYPO3_MODE === 'BE') {

            \TYPO3\CMS\Core\Utility\GeneralUtility::sysLog($message, $this->extKey, \TYPO3\CMS\Core\Utility\GeneralUtility::SYSLOG_SEVERITY_NOTICE);

        } else {

            $GLOBALS['TT']->setTSlogMessage($message);

        }

        if (TYPO3_DLOG) {

            \TYPO3\CMS\Core\Utility\GeneralUtility::devLog($message, $this->extKey, \TYPO3\CMS\Core\Utility\GeneralUtility::SYSLOG_SEVERITY_NOTICE);

        }

    }

}