From: Denis Chenu Date: Tue, 1 Apr 2014 12:21:53 +0000 (+0200) Subject: Started a Wp Auth plugin X-Git-Url: http://gitweb.wikimedia.es/?a=commitdiff_plain;h=3007ffd9caa615cfc1d2a6e36daf4805991ffcc8;p=limesurvey%2FAuthWMESbyDB Started a Wp Auth plugin --- 3007ffd9caa615cfc1d2a6e36daf4805991ffcc8 diff --git a/AuthWPbyDB.php b/AuthWPbyDB.php new file mode 100644 index 0000000..2ee44c1 --- /dev/null +++ b/AuthWPbyDB.php @@ -0,0 +1,260 @@ + + * @copyright 2014 Denis Chenu + * @copyright 2014 Bruce Mahillet de Komet + * @license GPL v3 + * @version 1.0 + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + */ + +class AuthWPbyDB extends AuthPluginBase +{ + protected $storage = 'DbStorage'; + + static protected $description = 'A plugin to authenticate user via WordPress DB.'; + static protected $name = 'WordPress DB Authentification'; + + protected $settings = array( + 'authwp_dbhost' => array( + 'type' => 'string', + 'label' => 'WordPress DB Host (default to LimeSurvey DB Host)' + ), + 'authwp_dbport' => array( + 'type' => 'string', + 'label' => 'WordPress DB Port (default to LimeSurvey DB Port or 3306 id name or host is define)' + ), + 'authwp_dbname' => array( + 'type' => 'string', + 'label' => 'WordPress DB Name (default to LimeSurvey DB Name)' + ), + 'authwp_dbuser' => array( + 'type' => 'string', + 'label' => 'WordPress DB User (default to LimeSurvey DB User)' + ), + 'authwp_dbpassword' => array( + 'type' => 'string', + 'label' => 'WordPress DB User password (default to LimeSurvey DB User)' + ), + 'authwp_dbprefix' => array( + 'type' => 'string', + 'label' => 'WordPress DB prefix', + 'default' => 'wp_' + ), + 'authwp_default' => array( + 'type' => 'checkbox', + 'label' => 'Check to make default authentication method' + ), + 'authwp_autocreate' => array( + 'type' => 'checkbox', + 'label' => 'Auto create user.', + 'default' => true + ), + ); + + protected $sWpLoad = false; + + public function __construct(PluginManager $manager, $id) { + parent::__construct($manager, $id); + /** + * Here you should handle subscribing to the events your plugin will handle + */ + $this->subscribe('beforeLogin'); + $this->subscribe('newLoginForm'); + $this->subscribe('newUserSession'); + $this->subscribe('afterLoginFormSubmit'); + $this->subscribe('beforeActivate'); + } + + public function beforeActivate() + { + $oEvent = $this->getEvent(); + // Get configuration settings: + if($this->testWpDb()) + { + $oEvent->set('success', true); + }else{ + $oEvent->set('success', false); + $oEvent->set('message',"Unable to conect to WordPress DB, please verify the connection parameters"); + } + } + + public function beforeLogin() + { + $oEvent = $this->getEvent(); + if ($this->testWpDb() && $this->get('authwp_default')) + { + $this->getEvent()->set('default', get_class($this)); + } + } + + public function newLoginForm() + { + $this->getEvent()->getContent($this) + ->addContent(CHtml::tag('li', array(), "")) + ->addContent(CHtml::tag('li', array(), "")); + } + + public function afterLoginFormSubmit() + { + // Allways (trying to reset password if user exist in DB ????) + $request = $this->api->getRequest(); + if ($request->getIsPostRequest()) { + $this->setUsername( $request->getPost('user')); + $this->setPassword($request->getPost('password')); + } + } + + public function newUserSession() + { + $sUserName = $this->getUserName(); + $sUserPass = $this->getPassword(); + + $aWpUser=$this->getWpDbUser($sUserName,$sUserPass); + if(!$aWpUser){ + $this->setAuthFailure(self::ERROR_USERNAME_INVALID); + return; + } + $oUser = $this->api->getUserByName($sUserName); + if (is_null($oUser) && $this->get('authwp_autocreate')) + { + $oUser=new User; + $oUser->users_name=$aWpUser['user_login']; + $oUser->full_name=$aWpUser['display_name']; + $oUser->password=substr(md5(rand()),0,20);; + $oUser->parent_id=1; + $oUser->lang='auto'; + $oUser->email=$aWpUser['user_email']; + if ($oUser->save()) + { + // TODO by plugin settings + if((int)$aWpUser['user_level']>=9){ + $aPermission=Array( + 'superadmin' => array('read'=>true), + ); + }else{ + $aPermission=Array( + 'surveys' => array('create'=>true,'import'=>true,'export'=>true), + 'template' => array('read'=>true), + 'labelsets' => array('read'=>true,'export'=>true), + 'participantpanel' => array('create'=>true,'read'=>true,'update'=>true,'delete'=>true), + ); + } + $permission=new Permission; + $permission->setPermissions($oUser->uid, 0, 'global', $aPermission, true); + + // read again user from newly created entry + $this->setAuthSuccess($oUser); + return; + }else{ + $this->setAuthFailure("DB error"); + return; + } + } + elseif($oUser)// Invalid user + { + $this->setAuthSuccess($oUser); + return; + } + else{ + $this->setAuthFailure(self::ERROR_USERNAME_INVALID); + return; + } + } + + /** + * Validate user by username/password from WordPress + * @param string $sUserName : the user name + * @param string $sUserPass : the user pass + * return array : User information + **/ + private function getWpDbUser($sUserName,$sUserPass) + { + if($this->testWpDb()) + { + $aUser = Yii::app()->wpdb->createCommand() + ->select('user_login,user_pass,user_nicename,user_email,display_name,ul.meta_value as user_level') + ->from('{{users}}') + ->leftJoin('{{usermeta}} ul', 'ID = ul.user_id AND ul.meta_key="wp_user_level"') + ->andWhere("user_login = :user_login") + ->bindParam(':user_login',$sUserName) + ->queryRow(); + if(!$aUser) + return; + //Yii::import('plugins.AuthWPbyAPI.third_party.phpass.PasswordHash'); + require_once dirname(__FILE__).'/third_party/phpass/PasswordHash.php';// DIRECTORY_SEPARATOR not needed + $oHasher = new PasswordHash(8, TRUE); + $bCheck = $oHasher->CheckPassword($sUserPass, $aUser['user_pass']); + if($bCheck) + return $aUser; + else + return; + } + else + { + return; // Invalid settings + } + } + /** + * Add the db from plugin configuration in new Yii db + **/ + private function addWpDb() + { + $bExist=Yii::app()->getComponent('wpdb',false); + if($bExist)// If already exist + return; + $sWpDbHost = $this->get('authwp_dbhost'); + $sWpDbPort = $this->get('authwp_dbport'); + $sWpDbName = $this->get('authwp_dbname'); + $sWpDbUser = $this->get('authwp_dbuser'); + $sWpDbPassword = $this->get('authwp_dbpassword'); + $sWpDbPrefix = $this->get('authwp_dbprefix'); + $sWpDbCharset = "utf8"; + if($sWpDbHost || $sWpDbPort || $sWpDbName){ + if(!$sWpDbPort) + $sWpDbPort="3306"; + $sConnectionString="mysql:host={$sWpDbHost};port={$sWpDbPort};dbname={$sWpDbName}"; + }else{ + $sConnectionString=Yii::app()->db->connectionString; + } + if(!$sWpDbUser) + $sWpDbUser=Yii::app()->db->username; + if(!$sWpDbPassword) + $sWpDbPassword=Yii::app()->db->password; + + $wpdb = Yii::createComponent(array( + 'class' => 'CDbConnection', + 'connectionString'=>$sConnectionString, + 'username'=>$sWpDbUser, + 'password'=> $sWpDbPassword, + 'charset'=>$sWpDbCharset, + 'emulatePrepare' => true, + 'tablePrefix' => $sWpDbPrefix, + )); + Yii::app()->setComponent('wpdb', $wpdb); + + } + private function testWpDb() + { + $this->addWpDb(); + $sWpDbPrefix = $this->get('authwp_dbprefix'); + // Test the connexion and return false if NOT + if(!in_array($sWpDbPrefix.'options',Yii::app()->wpdb->schema->getTableNames())){ + return false; + }else{ + return true; + } + } + +} diff --git a/third_party/phpass/PasswordHash.php b/third_party/phpass/PasswordHash.php new file mode 100644 index 0000000..12958c7 --- /dev/null +++ b/third_party/phpass/PasswordHash.php @@ -0,0 +1,253 @@ + in 2004-2006 and placed in +# the public domain. Revised in subsequent years, still public domain. +# +# There's absolutely no warranty. +# +# The homepage URL for this framework is: +# +# http://www.openwall.com/phpass/ +# +# Please be sure to update the Version line if you edit this file in any way. +# It is suggested that you leave the main version number intact, but indicate +# your project name (after the slash) and add your own revision information. +# +# Please do not change the "private" password hashing method implemented in +# here, thereby making your hashes incompatible. However, if you must, please +# change the hash type identifier (the "$P$") to something different. +# +# Obviously, since this code is in the public domain, the above are not +# requirements (there can be none), but merely suggestions. +# +class PasswordHash { + var $itoa64; + var $iteration_count_log2; + var $portable_hashes; + var $random_state; + + function PasswordHash($iteration_count_log2, $portable_hashes) + { + $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; + + if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) + $iteration_count_log2 = 8; + $this->iteration_count_log2 = $iteration_count_log2; + + $this->portable_hashes = $portable_hashes; + + $this->random_state = microtime(); + if (function_exists('getmypid')) + $this->random_state .= getmypid(); + } + + function get_random_bytes($count) + { + $output = ''; + if (is_readable('/dev/urandom') && + ($fh = @fopen('/dev/urandom', 'rb'))) { + $output = fread($fh, $count); + fclose($fh); + } + + if (strlen($output) < $count) { + $output = ''; + for ($i = 0; $i < $count; $i += 16) { + $this->random_state = + md5(microtime() . $this->random_state); + $output .= + pack('H*', md5($this->random_state)); + } + $output = substr($output, 0, $count); + } + + return $output; + } + + function encode64($input, $count) + { + $output = ''; + $i = 0; + do { + $value = ord($input[$i++]); + $output .= $this->itoa64[$value & 0x3f]; + if ($i < $count) + $value |= ord($input[$i]) << 8; + $output .= $this->itoa64[($value >> 6) & 0x3f]; + if ($i++ >= $count) + break; + if ($i < $count) + $value |= ord($input[$i]) << 16; + $output .= $this->itoa64[($value >> 12) & 0x3f]; + if ($i++ >= $count) + break; + $output .= $this->itoa64[($value >> 18) & 0x3f]; + } while ($i < $count); + + return $output; + } + + function gensalt_private($input) + { + $output = '$P$'; + $output .= $this->itoa64[min($this->iteration_count_log2 + + ((PHP_VERSION >= '5') ? 5 : 3), 30)]; + $output .= $this->encode64($input, 6); + + return $output; + } + + function crypt_private($password, $setting) + { + $output = '*0'; + if (substr($setting, 0, 2) == $output) + $output = '*1'; + + $id = substr($setting, 0, 3); + # We use "$P$", phpBB3 uses "$H$" for the same thing + if ($id != '$P$' && $id != '$H$') + return $output; + + $count_log2 = strpos($this->itoa64, $setting[3]); + if ($count_log2 < 7 || $count_log2 > 30) + return $output; + + $count = 1 << $count_log2; + + $salt = substr($setting, 4, 8); + if (strlen($salt) != 8) + return $output; + + # We're kind of forced to use MD5 here since it's the only + # cryptographic primitive available in all versions of PHP + # currently in use. To implement our own low-level crypto + # in PHP would result in much worse performance and + # consequently in lower iteration counts and hashes that are + # quicker to crack (by non-PHP code). + if (PHP_VERSION >= '5') { + $hash = md5($salt . $password, TRUE); + do { + $hash = md5($hash . $password, TRUE); + } while (--$count); + } else { + $hash = pack('H*', md5($salt . $password)); + do { + $hash = pack('H*', md5($hash . $password)); + } while (--$count); + } + + $output = substr($setting, 0, 12); + $output .= $this->encode64($hash, 16); + + return $output; + } + + function gensalt_extended($input) + { + $count_log2 = min($this->iteration_count_log2 + 8, 24); + # This should be odd to not reveal weak DES keys, and the + # maximum valid value is (2**24 - 1) which is odd anyway. + $count = (1 << $count_log2) - 1; + + $output = '_'; + $output .= $this->itoa64[$count & 0x3f]; + $output .= $this->itoa64[($count >> 6) & 0x3f]; + $output .= $this->itoa64[($count >> 12) & 0x3f]; + $output .= $this->itoa64[($count >> 18) & 0x3f]; + + $output .= $this->encode64($input, 3); + + return $output; + } + + function gensalt_blowfish($input) + { + # This one needs to use a different order of characters and a + # different encoding scheme from the one in encode64() above. + # We care because the last character in our encoded string will + # only represent 2 bits. While two known implementations of + # bcrypt will happily accept and correct a salt string which + # has the 4 unused bits set to non-zero, we do not want to take + # chances and we also do not want to waste an additional byte + # of entropy. + $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; + + $output = '$2a$'; + $output .= chr(ord('0') + $this->iteration_count_log2 / 10); + $output .= chr(ord('0') + $this->iteration_count_log2 % 10); + $output .= '$'; + + $i = 0; + do { + $c1 = ord($input[$i++]); + $output .= $itoa64[$c1 >> 2]; + $c1 = ($c1 & 0x03) << 4; + if ($i >= 16) { + $output .= $itoa64[$c1]; + break; + } + + $c2 = ord($input[$i++]); + $c1 |= $c2 >> 4; + $output .= $itoa64[$c1]; + $c1 = ($c2 & 0x0f) << 2; + + $c2 = ord($input[$i++]); + $c1 |= $c2 >> 6; + $output .= $itoa64[$c1]; + $output .= $itoa64[$c2 & 0x3f]; + } while (1); + + return $output; + } + + function HashPassword($password) + { + $random = ''; + + if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { + $random = $this->get_random_bytes(16); + $hash = + crypt($password, $this->gensalt_blowfish($random)); + if (strlen($hash) == 60) + return $hash; + } + + if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { + if (strlen($random) < 3) + $random = $this->get_random_bytes(3); + $hash = + crypt($password, $this->gensalt_extended($random)); + if (strlen($hash) == 20) + return $hash; + } + + if (strlen($random) < 6) + $random = $this->get_random_bytes(6); + $hash = + $this->crypt_private($password, + $this->gensalt_private($random)); + if (strlen($hash) == 34) + return $hash; + + # Returning '*' on error is safe here, but would _not_ be safe + # in a crypt(3)-like function used _both_ for generating new + # hashes and for validating passwords against existing hashes. + return '*'; + } + + function CheckPassword($password, $stored_hash) + { + $hash = $this->crypt_private($password, $stored_hash); + if ($hash[0] == '*') + $hash = crypt($password, $stored_hash); + + return $hash == $stored_hash; + } +} + +?> diff --git a/third_party/phpass/c/Makefile b/third_party/phpass/c/Makefile new file mode 100644 index 0000000..fe48917 --- /dev/null +++ b/third_party/phpass/c/Makefile @@ -0,0 +1,21 @@ +# +# Written by Solar Designer and placed in the public domain. +# See crypt_private.c for more information. +# +CC = gcc +LD = $(CC) +RM = rm -f +CFLAGS = -Wall -O2 -fomit-frame-pointer -funroll-loops +LDFLAGS = -s +LIBS = -lcrypto + +all: crypt_private-test + +crypt_private-test: crypt_private-test.o + $(LD) $(LDFLAGS) $(LIBS) crypt_private-test.o -o $@ + +crypt_private-test.o: crypt_private.c + $(CC) -c $(CFLAGS) crypt_private.c -DTEST -o $@ + +clean: + $(RM) crypt_private-test* diff --git a/third_party/phpass/c/crypt_private.c b/third_party/phpass/c/crypt_private.c new file mode 100644 index 0000000..6abc05b --- /dev/null +++ b/third_party/phpass/c/crypt_private.c @@ -0,0 +1,106 @@ +/* + * This code exists for the sole purpose to serve as another implementation + * of the "private" password hashing method implemened in PasswordHash.php + * and thus to confirm that these password hashes are indeed calculated as + * intended. + * + * Other uses of this code are discouraged. There are much better password + * hashing algorithms available to C programmers; one of those is bcrypt: + * + * http://www.openwall.com/crypt/ + * + * Written by Solar Designer in 2005 and placed in + * the public domain. + * + * There's absolutely no warranty. + */ + +#include +#include + +#ifdef TEST +#include +#endif + +static char *itoa64 = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static void encode64(char *dst, char *src, int count) +{ + int i, value; + + i = 0; + do { + value = (unsigned char)src[i++]; + *dst++ = itoa64[value & 0x3f]; + if (i < count) + value |= (unsigned char)src[i] << 8; + *dst++ = itoa64[(value >> 6) & 0x3f]; + if (i++ >= count) + break; + if (i < count) + value |= (unsigned char)src[i] << 16; + *dst++ = itoa64[(value >> 12) & 0x3f]; + if (i++ >= count) + break; + *dst++ = itoa64[(value >> 18) & 0x3f]; + } while (i < count); +} + +char *crypt_private(char *password, char *setting) +{ + static char output[35]; + MD5_CTX ctx; + char hash[MD5_DIGEST_LENGTH]; + char *p, *salt; + int count_log2, length, count; + + strcpy(output, "*0"); + if (!strncmp(setting, output, 2)) + output[1] = '1'; + + if (strncmp(setting, "$P$", 3)) + return output; + + p = strchr(itoa64, setting[3]); + if (!p) + return output; + count_log2 = p - itoa64; + if (count_log2 < 7 || count_log2 > 30) + return output; + + salt = setting + 4; + if (strlen(salt) < 8) + return output; + + length = strlen(password); + + MD5_Init(&ctx); + MD5_Update(&ctx, salt, 8); + MD5_Update(&ctx, password, length); + MD5_Final(hash, &ctx); + + count = 1 << count_log2; + do { + MD5_Init(&ctx); + MD5_Update(&ctx, hash, MD5_DIGEST_LENGTH); + MD5_Update(&ctx, password, length); + MD5_Final(hash, &ctx); + } while (--count); + + memcpy(output, setting, 12); + encode64(&output[12], hash, MD5_DIGEST_LENGTH); + + return output; +} + +#ifdef TEST +int main(int argc, char **argv) +{ + if (argc != 3) return 1; + + puts(crypt_private(argv[1], argv[2])); + + return 0; +} +#endif diff --git a/third_party/phpass/test.php b/third_party/phpass/test.php new file mode 100644 index 0000000..d13bbb0 --- /dev/null +++ b/third_party/phpass/test.php @@ -0,0 +1,72 @@ +HashPassword($correct); + +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$wrong = 'test12346'; +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +unset($t_hasher); + +# Force the use of weaker portable hashes. +$t_hasher = new PasswordHash(8, TRUE); + +$hash = $t_hasher->HashPassword($correct); + +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +# A correct portable hash for 'test12345'. +# Please note the use of single quotes to ensure that the dollar signs will +# be interpreted literally. Of course, a real application making use of the +# framework won't store password hashes within a PHP source file anyway. +# We only do this for testing. +$hash = '$P$Bxe0X/dG3qKryeO78TZxCoVlArO7x21'; +print "
"; +print 'Hash: ' . $hash . "\n"; + +$check = $t_hasher->CheckPassword($correct, $hash); +if ($check) $ok++; +print "Check correct: '" . $check . "' (should be '1')\n"; + +$check = $t_hasher->CheckPassword($wrong, $hash); +if (!$check) $ok++; +print "Check wrong: '" . $check . "' (should be '0' or '')\n"; + +if ($ok == 6) + print "All tests have PASSED\n"; +else + print "Some tests have FAILED\n"; + +?> diff --git a/wp-settings.php b/wp-settings.php new file mode 100644 index 0000000..b3d9bbc --- /dev/null +++ b/wp-settings.php @@ -0,0 +1 @@ +