<?php
/**
* Zend Framework
*
* LICENSE
*
* This source file is subject to the new BSD license that is bundled
* with this package in the file LICENSE.txt.
* It is also available through the world-wide-web at this URL:
* http://framework.zend.com/license/new-bsd
* If you did not receive a copy of the license and are unable to
* obtain it through the world-wide-web, please send an email
* to license@zend.com so we can send you a copy immediately.
*
* @category Zend
* @package Zend_Auth
* @subpackage Zend_Auth_Adapter_Http
* @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
* @version $Id$
*/
/**
* @see Zend_Auth_Adapter_Interface
*/
require_once 'Zend/Auth/Adapter/Interface.php';
/**
* HTTP Authentication Adapter
*
* Implements a pretty good chunk of RFC 2617.
*
* @category Zend
* @package Zend_Auth
* @subpackage Zend_Auth_Adapter_Http
* @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
* @license http://framework.zend.com/license/new-bsd New BSD License
* @todo Support auth-int
* @todo Track nonces, nonce-count, opaque for replay protection and stale support
* @todo Support Authentication-Info header
*/
class Zend_Auth_Adapter_Http implements Zend_Auth_Adapter_Interface
{
/**
* Reference to the HTTP Request object
*
* @var Zend_Controller_Request_Http
*/
protected $_request;
/**
* Reference to the HTTP Response object
*
* @var Zend_Controller_Response_Http
*/
protected $_response;
/**
* Object that looks up user credentials for the Basic scheme
*
* @var Zend_Auth_Adapter_Http_Resolver_Interface
*/
protected $_basicResolver;
/**
* Object that looks up user credentials for the Digest scheme
*
* @var Zend_Auth_Adapter_Http_Resolver_Interface
*/
protected $_digestResolver;
/**
* List of authentication schemes supported by this class
*
* @var array
*/
protected $_supportedSchemes = array('basic', 'digest');
/**
* List of schemes this class will accept from the client
*
* @var array
*/
protected $_acceptSchemes;
/**
* Space-delimited list of protected domains for Digest Auth
*
* @var string
*/
protected $_domains;
/**
* The protection realm to use
*
* @var string
*/
protected $_realm;
/**
* Nonce timeout period
*
* @var integer
*/
protected $_nonceTimeout;
/**
* Whether to send the opaque value in the header. True by default
*
* @var boolean
*/
protected $_useOpaque;
/**
* List of the supported digest algorithms. I want to support both MD5 and
* MD5-sess, but MD5-sess won't make it into the first version.
*
* @var array
*/
protected $_supportedAlgos = array('MD5');
/**
* The actual algorithm to use. Defaults to MD5
*
* @var string
*/
protected $_algo;
/**
* List of supported qop options. My intetion is to support both 'auth' and
* 'auth-int', but 'auth-int' won't make it into the first version.
*
* @var array
*/
protected $_supportedQops = array('auth');
/**
* Whether or not to do Proxy Authentication instead of origin server
* authentication (send 407's instead of 401's). Off by default.
*
* @var boolean
*/
protected $_imaProxy;
/**
* Flag indicating the client is IE and didn't bother to return the opaque string
*
* @var boolean
*/
protected $_ieNoOpaque;
/**
* Constructor
*
* @param array $config Configuration settings:
* 'accept_schemes' => 'basic'|'digest'|'basic digest'
* 'realm' => <string>
* 'digest_domains' => <string> Space-delimited list of URIs
* 'nonce_timeout' => <int>
* 'use_opaque' => <bool> Whether to send the opaque value in the header
* 'alogrithm' => <string> See $_supportedAlgos. Default: MD5
* 'proxy_auth' => <bool> Whether to do authentication as a Proxy
* @throws Zend_Auth_Adapter_Exception
* @return void
*/
public function __construct(array $config)
{
if (!extension_loaded('hash')) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception(__CLASS__ . ' requires the \'hash\' extension');
}
$this->_request = null;
$this->_response = null;
$this->_ieNoOpaque = false;
if (empty($config['accept_schemes'])) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Config key \'accept_schemes\' is required');
}
$schemes = explode(' ', $config['accept_schemes']);
$this->_acceptSchemes = array_intersect($schemes, $this->_supportedSchemes);
if (empty($this->_acceptSchemes)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('No supported schemes given in \'accept_schemes\'. Valid values: '
. implode(', ', $this->_supportedSchemes));
}
// Double-quotes are used to delimit the realm string in the HTTP header,
// and colons are field delimiters in the password file.
if (empty($config['realm']) ||
!ctype_print($config['realm']) ||
strpos($config['realm'], ':') !== false ||
strpos($config['realm'], '"') !== false) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Config key \'realm\' is required, and must contain only printable '
. 'characters, excluding quotation marks and colons');
} else {
$this->_realm = $config['realm'];
}
if (in_array('digest', $this->_acceptSchemes)) {
if (empty($config['digest_domains']) ||
!ctype_print($config['digest_domains']) ||
strpos($config['digest_domains'], '"') !== false) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Config key \'digest_domains\' is required, and must contain '
. 'only printable characters, excluding quotation marks');
} else {
$this->_domains = $config['digest_domains'];
}
if (empty($config['nonce_timeout']) ||
!is_numeric($config['nonce_timeout'])) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Config key \'nonce_timeout\' is required, and must be an '
. 'integer');
} else {
$this->_nonceTimeout = (int) $config['nonce_timeout'];
}
// We use the opaque value unless explicitly told not to
if (isset($config['use_opaque']) && false == (bool) $config['use_opaque']) {
$this->_useOpaque = false;
} else {
$this->_useOpaque = true;
}
if (isset($config['algorithm']) && in_array($config['algorithm'], $this->_supportedAlgos)) {
$this->_algo = $config['algorithm'];
} else {
$this->_algo = 'MD5';
}
}
// Don't be a proxy unless explicitly told to do so
if (isset($config['proxy_auth']) && true == (bool) $config['proxy_auth']) {
$this->_imaProxy = true; // I'm a Proxy
} else {
$this->_imaProxy = false;
}
}
/**
* Setter for the _basicResolver property
*
* @param Zend_Auth_Adapter_Http_Resolver_Interface $resolver
* @return Zend_Auth_Adapter_Http Provides a fluent interface
*/
public function setBasicResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver)
{
$this->_basicResolver = $resolver;
return $this;
}
/**
* Getter for the _basicResolver property
*
* @return Zend_Auth_Adapter_Http_Resolver_Interface
*/
public function getBasicResolver()
{
return $this->_basicResolver;
}
/**
* Setter for the _digestResolver property
*
* @param Zend_Auth_Adapter_Http_Resolver_Interface $resolver
* @return Zend_Auth_Adapter_Http Provides a fluent interface
*/
public function setDigestResolver(Zend_Auth_Adapter_Http_Resolver_Interface $resolver)
{
$this->_digestResolver = $resolver;
return $this;
}
/**
* Getter for the _digestResolver property
*
* @return Zend_Auth_Adapter_Http_Resolver_Interface
*/
public function getDigestResolver()
{
return $this->_digestResolver;
}
/**
* Setter for the Request object
*
* @param Zend_Controller_Request_Http $request
* @return Zend_Auth_Adapter_Http Provides a fluent interface
*/
public function setRequest(Zend_Controller_Request_Http $request)
{
$this->_request = $request;
return $this;
}
/**
* Getter for the Request object
*
* @return Zend_Controller_Request_Http
*/
public function getRequest()
{
return $this->_request;
}
/**
* Setter for the Response object
*
* @param Zend_Controller_Response_Http $response
* @return Zend_Auth_Adapter_Http Provides a fluent interface
*/
public function setResponse(Zend_Controller_Response_Http $response)
{
$this->_response = $response;
return $this;
}
/**
* Getter for the Response object
*
* @return Zend_Controller_Response_Http
*/
public function getResponse()
{
return $this->_response;
}
/**
* Authenticate
*
* @throws Zend_Auth_Adapter_Exception
* @return Zend_Auth_Result
*/
public function authenticate()
{
if (empty($this->_request) ||
empty($this->_response)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Request and Response objects must be set before calling '
. 'authenticate()');
}
if ($this->_imaProxy) {
$getHeader = 'Proxy-Authorization';
} else {
$getHeader = 'Authorization';
}
$authHeader = $this->_request->getHeader($getHeader);
if (!$authHeader) {
return $this->_challengeClient();
}
list($clientScheme) = explode(' ', $authHeader);
$clientScheme = strtolower($clientScheme);
// The server can issue multiple challenges, but the client should
// answer with only the selected auth scheme.
if (!in_array($clientScheme, $this->_supportedSchemes)) {
$this->_response->setHttpResponseCode(400);
return new Zend_Auth_Result(
Zend_Auth_Result::FAILURE_UNCATEGORIZED,
array(),
array('Client requested an incorrect or unsupported authentication scheme')
);
}
// client sent a scheme that is not the one required
if (!in_array($clientScheme, $this->_acceptSchemes)) {
// challenge again the client
return $this->_challengeClient();
}
switch ($clientScheme) {
case 'basic':
$result = $this->_basicAuth($authHeader);
break;
case 'digest':
$result = $this->_digestAuth($authHeader);
break;
default:
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Unsupported authentication scheme');
}
return $result;
}
/**
* Challenge Client
*
* Sets a 401 or 407 Unauthorized response code, and creates the
* appropriate Authenticate header(s) to prompt for credentials.
*
* @return Zend_Auth_Result Always returns a non-identity Auth result
*/
protected function _challengeClient()
{
if ($this->_imaProxy) {
$statusCode = 407;
$headerName = 'Proxy-Authenticate';
} else {
$statusCode = 401;
$headerName = 'WWW-Authenticate';
}
$this->_response->setHttpResponseCode($statusCode);
// Send a challenge in each acceptable authentication scheme
if (in_array('basic', $this->_acceptSchemes)) {
$this->_response->setHeader($headerName, $this->_basicHeader());
}
if (in_array('digest', $this->_acceptSchemes)) {
$this->_response->setHeader($headerName, $this->_digestHeader());
}
return new Zend_Auth_Result(
Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID,
array(),
array('Invalid or absent credentials; challenging client')
);
}
/**
* Basic Header
*
* Generates a Proxy- or WWW-Authenticate header value in the Basic
* authentication scheme.
*
* @return string Authenticate header value
*/
protected function _basicHeader()
{
return 'Basic realm="' . $this->_realm . '"';
}
/**
* Digest Header
*
* Generates a Proxy- or WWW-Authenticate header value in the Digest
* authentication scheme.
*
* @return string Authenticate header value
*/
protected function _digestHeader()
{
$wwwauth = 'Digest realm="' . $this->_realm . '", '
. 'domain="' . $this->_domains . '", '
. 'nonce="' . $this->_calcNonce() . '", '
. ($this->_useOpaque ? 'opaque="' . $this->_calcOpaque() . '", ' : '')
. 'algorithm="' . $this->_algo . '", '
. 'qop="' . implode(',', $this->_supportedQops) . '"';
return $wwwauth;
}
/**
* Basic Authentication
*
* @param string $header Client's Authorization header
* @throws Zend_Auth_Adapter_Exception
* @return Zend_Auth_Result
*/
protected function _basicAuth($header)
{
if (empty($header)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('The value of the client Authorization header is required');
}
if (empty($this->_basicResolver)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('A basicResolver object must be set before doing Basic '
. 'authentication');
}
// Decode the Authorization header
$auth = substr($header, strlen('Basic '));
$auth = base64_decode($auth);
if (!$auth) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Unable to base64_decode Authorization header value');
}
// See ZF-1253. Validate the credentials the same way the digest
// implementation does. If invalid credentials are detected,
// re-challenge the client.
if (!ctype_print($auth)) {
return $this->_challengeClient();
}
// Fix for ZF-1515: Now re-challenges on empty username or password
$creds = array_filter(explode(':', $auth));
if (count($creds) != 2) {
return $this->_challengeClient();
}
$password = $this->_basicResolver->resolve($creds[0], $this->_realm);
if ($password && $this->_secureStringCompare($password, $creds[1])) {
$identity = array('username'=>$creds[0], 'realm'=>$this->_realm);
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
} else {
return $this->_challengeClient();
}
}
/**
* Digest Authentication
*
* @param string $header Client's Authorization header
* @throws Zend_Auth_Adapter_Exception
* @return Zend_Auth_Result Valid auth result only on successful auth
*/
protected function _digestAuth($header)
{
if (empty($header)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('The value of the client Authorization header is required');
}
if (empty($this->_digestResolver)) {
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('A digestResolver object must be set before doing Digest authentication');
}
$data = $this->_parseDigestAuth($header);
if ($data === false) {
$this->_response->setHttpResponseCode(400);
return new Zend_Auth_Result(
Zend_Auth_Result::FAILURE_UNCATEGORIZED,
array(),
array('Invalid Authorization header format')
);
}
// See ZF-1052. This code was a bit too unforgiving of invalid
// usernames. Now, if the username is bad, we re-challenge the client.
if ('::invalid::' == $data['username']) {
return $this->_challengeClient();
}
// Verify that the client sent back the same nonce
if ($this->_calcNonce() != $data['nonce']) {
return $this->_challengeClient();
}
// The opaque value is also required to match, but of course IE doesn't
// play ball.
if (!$this->_ieNoOpaque && $this->_calcOpaque() != $data['opaque']) {
return $this->_challengeClient();
}
// Look up the user's password hash. If not found, deny access.
// This makes no assumptions about how the password hash was
// constructed beyond that it must have been built in such a way as
// to be recreatable with the current settings of this object.
$ha1 = $this->_digestResolver->resolve($data['username'], $data['realm']);
if ($ha1 === false) {
return $this->_challengeClient();
}
// If MD5-sess is used, a1 value is made of the user's password
// hash with the server and client nonce appended, separated by
// colons.
if ($this->_algo == 'MD5-sess') {
$ha1 = hash('md5', $ha1 . ':' . $data['nonce'] . ':' . $data['cnonce']);
}
// Calculate h(a2). The value of this hash depends on the qop
// option selected by the client and the supported hash functions
switch ($data['qop']) {
case 'auth':
$a2 = $this->_request->getMethod() . ':' . $data['uri'];
break;
case 'auth-int':
// Should be REQUEST_METHOD . ':' . uri . ':' . hash(entity-body),
// but this isn't supported yet, so fall through to default case
default:
/**
* @see Zend_Auth_Adapter_Exception
*/
require_once 'Zend/Auth/Adapter/Exception.php';
throw new Zend_Auth_Adapter_Exception('Client requested an unsupported qop option');
}
// Using hash() should make parameterizing the hash algorithm
// easier
$ha2 = hash('md5', $a2);
// Calculate the server's version of the request-digest. This must
// match $data['response']. See RFC 2617, section 3.2.2.1
$message = $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $ha2;
$digest = hash('md5', $ha1 . ':' . $message);
// If our digest matches the client's let them in, otherwise return
// a 401 code and exit to prevent access to the protected resource.
if ($this->_secureStringCompare($digest, $data['response'])) {
$identity = array('username'=>$data['username'], 'realm'=>$data['realm']);
return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $identity);
} else {
return $this->_challengeClient();
}
}
/**
* Calculate Nonce
*
* @return string The nonce value
*/
protected function _calcNonce()
{
// Once subtle consequence of this timeout calculation is that it
// actually divides all of time into _nonceTimeout-sized sections, such
// that the value of timeout is the point in time of the next
// approaching "boundary" of a section. This allows the server to
// consistently generate the same timeout (and hence the same nonce
// value) across requests, but only as long as one of those
// "boundaries" is not crossed between requests. If that happens, the
// nonce will change on its own, and effectively log the user out. This
// would be surprising if the user just logged in.
$timeout = ceil(time() / $this->_nonceTimeout) * $this->_nonceTimeout;
$nonce = hash('md5', $timeout . ':' . $this->_request->getServer('HTTP_USER_AGENT') . ':' . __CLASS__);
return $nonce;
}
/**
* Calculate Opaque
*
* The opaque string can be anything; the client must return it exactly as
* it was sent. It may be useful to store data in this string in some
* applications. Ideally, a new value for this would be generated each time
* a WWW-Authenticate header is sent (in order to reduce predictability),
* but we would have to be able to create the same exact value across at
* least two separate requests from the same client.
*
* @return string The opaque value
*/
protected function _calcOpaque()
{
return hash('md5', 'Opaque Data:' . __CLASS__);
}
/**
* Parse Digest Authorization header
*
* @param string $header Client's Authorization: HTTP header
* @return array|false Data elements from header, or false if any part of
* the header is invalid
*/
protected function _parseDigestAuth($header)
{
$temp = null;
$data = array();
// See ZF-1052. Detect invalid usernames instead of just returning a
// 400 code.
$ret = preg_match('/username="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])
|| !ctype_print($temp[1])
|| strpos($temp[1], ':') !== false) {
$data['username'] = '::invalid::';
} else {
$data['username'] = $temp[1];
}
$temp = null;
$ret = preg_match('/realm="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (!ctype_print($temp[1]) || strpos($temp[1], ':') !== false) {
return false;
} else {
$data['realm'] = $temp[1];
}
$temp = null;
$ret = preg_match('/nonce="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (!ctype_xdigit($temp[1])) {
return false;
} else {
$data['nonce'] = $temp[1];
}
$temp = null;
$ret = preg_match('/uri="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
// Section 3.2.2.5 in RFC 2617 says the authenticating server must
// verify that the URI field in the Authorization header is for the
// same resource requested in the Request Line.
$rUri = @parse_url($this->_request->getRequestUri());
$cUri = @parse_url($temp[1]);
if (false === $rUri || false === $cUri) {
return false;
} else {
// Make sure the path portion of both URIs is the same
if ($rUri['path'] != $cUri['path']) {
return false;
}
// Section 3.2.2.5 seems to suggest that the value of the URI
// Authorization field should be made into an absolute URI if the
// Request URI is absolute, but it's vague, and that's a bunch of
// code I don't want to write right now.
$data['uri'] = $temp[1];
}
$temp = null;
$ret = preg_match('/response="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (32 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
return false;
} else {
$data['response'] = $temp[1];
}
$temp = null;
// The spec says this should default to MD5 if omitted. OK, so how does
// that square with the algo we send out in the WWW-Authenticate header,
// if it can easily be overridden by the client?
$ret = preg_match('/algorithm="?(' . $this->_algo . ')"?/', $header, $temp);
if ($ret && !empty($temp[1])
&& in_array($temp[1], $this->_supportedAlgos)) {
$data['algorithm'] = $temp[1];
} else {
$data['algorithm'] = 'MD5'; // = $this->_algo; ?
}
$temp = null;
// Not optional in this implementation
$ret = preg_match('/cnonce="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (!ctype_print($temp[1])) {
return false;
} else {
$data['cnonce'] = $temp[1];
}
$temp = null;
// If the server sent an opaque value, the client must send it back
if ($this->_useOpaque) {
$ret = preg_match('/opaque="([^"]+)"/', $header, $temp);
if (!$ret || empty($temp[1])) {
// Big surprise: IE isn't RFC 2617-compliant.
if (false !== strpos($this->_request->getHeader('User-Agent'), 'MSIE')) {
$temp[1] = '';
$this->_ieNoOpaque = true;
} else {
return false;
}
}
// This implementation only sends MD5 hex strings in the opaque value
if (!$this->_ieNoOpaque &&
(32 != strlen($temp[1]) || !ctype_xdigit($temp[1]))) {
return false;
} else {
$data['opaque'] = $temp[1];
}
$temp = null;
}
// Not optional in this implementation, but must be one of the supported
// qop types
$ret = preg_match('/qop="?(' . implode('|', $this->_supportedQops) . ')"?/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (!in_array($temp[1], $this->_supportedQops)) {
return false;
} else {
$data['qop'] = $temp[1];
}
$temp = null;
// Not optional in this implementation. The spec says this value
// shouldn't be a quoted string, but apparently some implementations
// quote it anyway. See ZF-1544.
$ret = preg_match('/nc="?([0-9A-Fa-f]{8})"?/', $header, $temp);
if (!$ret || empty($temp[1])) {
return false;
}
if (8 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
return false;
} else {
$data['nc'] = $temp[1];
}
$temp = null;
return $data;
}
/**
* Securely compare two strings for equality while avoided C level memcmp()
* optimisations capable of leaking timing information useful to an attacker
* attempting to iteratively guess the unknown string (e.g. password) being
* compared against.
*
* @param string $a
* @param string $b
* @return bool
*/
protected function _secureStringCompare($a, $b)
{
if (strlen($a) !== strlen($b)) {
return false;
}
$result = 0;
for ($i = 0; $i < strlen($a); $i++) {
$result |= ord($a[$i]) ^ ord($b[$i]);
}
return $result == 0;
}
}