1: <?php
  2: /* SVN FILE: $Id$ */
  3: /**
  4:  * Short description for file.
  5:  *
  6:  * Long description for file
  7:  *
  8:  * PHP versions 4 and 5
  9:  *
 10:  * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
 11:  * Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
 12:  *
 13:  * Licensed under The MIT License
 14:  * Redistributions of files must retain the above copyright notice.
 15:  *
 16:  * @copyright     Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
 17:  * @link          http://cakephp.org CakePHP(tm) Project
 18:  * @package       cake
 19:  * @subpackage    cake.cake.libs.controller.components
 20:  * @since         CakePHP(tm) v 0.10.8.2156
 21:  * @version       $Revision$
 22:  * @modifiedby    $LastChangedBy$
 23:  * @lastmodified  $Date$
 24:  * @license       http://www.opensource.org/licenses/mit-license.php The MIT License
 25:  */
 26: App::import('Core', 'String');
 27: /**
 28:  * Short description for file.
 29:  *
 30:  * Long description for file
 31:  *
 32:  * @package       cake
 33:  * @subpackage    cake.cake.libs.controller.components
 34:  */
 35: class SecurityComponent extends Object {
 36: /**
 37:  * The controller method that will be called if this request is black-hole'd
 38:  *
 39:  * @var string
 40:  * @access public
 41:  */
 42:     var $blackHoleCallback = null;
 43: /**
 44:  * List of controller actions for which a POST request is required
 45:  *
 46:  * @var array
 47:  * @access public
 48:  * @see SecurityComponent::requirePost()
 49:  */
 50:     var $requirePost = array();
 51: /**
 52:  * List of controller actions for which a GET request is required
 53:  *
 54:  * @var array
 55:  * @access public
 56:  * @see SecurityComponent::requireGet()
 57:  */
 58:     var $requireGet = array();
 59: /**
 60:  * List of controller actions for which a PUT request is required
 61:  *
 62:  * @var array
 63:  * @access public
 64:  * @see SecurityComponent::requirePut()
 65:  */
 66:     var $requirePut = array();
 67: /**
 68:  * List of controller actions for which a DELETE request is required
 69:  *
 70:  * @var array
 71:  * @access public
 72:  * @see SecurityComponent::requireDelete()
 73:  */
 74:     var $requireDelete = array();
 75: /**
 76:  * List of actions that require an SSL-secured connection
 77:  *
 78:  * @var array
 79:  * @access public
 80:  * @see SecurityComponent::requireSecure()
 81:  */
 82:     var $requireSecure = array();
 83: /**
 84:  * List of actions that require a valid authentication key
 85:  *
 86:  * @var array
 87:  * @access public
 88:  * @see SecurityComponent::requireAuth()
 89:  */
 90:     var $requireAuth = array();
 91: /**
 92:  * List of actions that require an HTTP-authenticated login (basic or digest)
 93:  *
 94:  * @var array
 95:  * @access public
 96:  * @see SecurityComponent::requireLogin()
 97:  */
 98:     var $requireLogin = array();
 99: /**
100:  * Login options for SecurityComponent::requireLogin()
101:  *
102:  * @var array
103:  * @access public
104:  * @see SecurityComponent::requireLogin()
105:  */
106:     var $loginOptions = array('type' => '', 'prompt' => null);
107: /**
108:  * An associative array of usernames/passwords used for HTTP-authenticated logins.
109:  *
110:  * @var array
111:  * @access public
112:  * @see SecurityComponent::requireLogin()
113:  */
114:     var $loginUsers = array();
115: /**
116:  * Controllers from which actions of the current controller are allowed to receive
117:  * requests.
118:  *
119:  * @var array
120:  * @access public
121:  * @see SecurityComponent::requireAuth()
122:  */
123:     var $allowedControllers = array();
124: /**
125:  * Actions from which actions of the current controller are allowed to receive
126:  * requests.
127:  *
128:  * @var array
129:  * @access public
130:  * @see SecurityComponent::requireAuth()
131:  */
132:     var $allowedActions = array();
133: /**
134:  * Form fields to disable
135:  *
136:  * @var array
137:  * @access public
138:  */
139:     var $disabledFields = array();
140: /**
141:  * Whether to validate POST data.  Set to false to disable for data coming from 3rd party
142:  * services, etc.
143:  *
144:  * @var boolean
145:  * @access public
146:  */
147:     var $validatePost = true;
148: /**
149:  * Other components used by the Security component
150:  *
151:  * @var array
152:  * @access public
153:  */
154:     var $components = array('RequestHandler', 'Session');
155: /**
156:  * Holds the current action of the controller
157:  *
158:  * @var string
159:  */
160:     var $_action = null;
161: /**
162:  * Component startup. All security checking happens here.
163:  *
164:  * @param object $controller Instantiating controller
165:  * @access public
166:  */
167:     function startup(&$controller) {
168:         $this->_action = strtolower($controller->action);
169:         $this->_methodsRequired($controller);
170:         $this->_secureRequired($controller);
171:         $this->_authRequired($controller);
172:         $this->_loginRequired($controller);
173: 
174:         $isPost = ($this->RequestHandler->isPost() || $this->RequestHandler->isPut());
175:         $isRequestAction = (
176:             !isset($controller->params['requested']) ||
177:             $controller->params['requested'] != 1
178:         );
179: 
180:         if ($isPost && $isRequestAction && $this->validatePost) {
181:             if ($this->_validatePost($controller) === false) {
182:                 if (!$this->blackHole($controller, 'auth')) {
183:                     return null;
184:                 }
185:             }
186:         }
187:         $this->_generateToken($controller);
188:     }
189: /**
190:  * Sets the actions that require a POST request, or empty for all actions
191:  *
192:  * @return void
193:  * @access public
194:  */
195:     function requirePost() {
196:         $args = func_get_args();
197:         $this->_requireMethod('Post', $args);
198:     }
199: /**
200:  * Sets the actions that require a GET request, or empty for all actions
201:  *
202:  * @return void
203:  * @access public
204:  */
205:     function requireGet() {
206:         $args = func_get_args();
207:         $this->_requireMethod('Get', $args);
208:     }
209: /**
210:  * Sets the actions that require a PUT request, or empty for all actions
211:  *
212:  * @return void
213:  * @access public
214:  */
215:     function requirePut() {
216:         $args = func_get_args();
217:         $this->_requireMethod('Put', $args);
218:     }
219: /**
220:  * Sets the actions that require a DELETE request, or empty for all actions
221:  *
222:  * @return void
223:  * @access public
224:  */
225:     function requireDelete() {
226:         $args = func_get_args();
227:         $this->_requireMethod('Delete', $args);
228:     }
229: /**
230:  * Sets the actions that require a request that is SSL-secured, or empty for all actions
231:  *
232:  * @return void
233:  * @access public
234:  */
235:     function requireSecure() {
236:         $args = func_get_args();
237:         $this->_requireMethod('Secure', $args);
238:     }
239: /**
240:  * Sets the actions that require an authenticated request, or empty for all actions
241:  *
242:  * @return void
243:  * @access public
244:  */
245:     function requireAuth() {
246:         $args = func_get_args();
247:         $this->_requireMethod('Auth', $args);
248:     }
249: /**
250:  * Sets the actions that require an HTTP-authenticated request, or empty for all actions
251:  *
252:  * @return void
253:  * @access public
254:  */
255:     function requireLogin() {
256:         $args = func_get_args();
257:         $base = $this->loginOptions;
258: 
259:         foreach ($args as $i => $arg) {
260:             if (is_array($arg)) {
261:                 $this->loginOptions = $arg;
262:                 unset($args[$i]);
263:             }
264:         }
265:         $this->loginOptions = array_merge($base, $this->loginOptions);
266:         $this->_requireMethod('Login', $args);
267: 
268:         if (isset($this->loginOptions['users'])) {
269:             $this->loginUsers =& $this->loginOptions['users'];
270:         }
271:     }
272: /**
273:  * Attempts to validate the login credentials for an HTTP-authenticated request
274:  *
275:  * @param string $type Either 'basic', 'digest', or null. If null/empty, will try both.
276:  * @return mixed If successful, returns an array with login name and password, otherwise null.
277:  * @access public
278:  */
279:     function loginCredentials($type = null) {
280:         switch (strtolower($type)) {
281:             case 'basic':
282:                 $login = array('username' => env('PHP_AUTH_USER'), 'password' => env('PHP_AUTH_PW'));
283:                 if (!empty($login['username'])) {
284:                     return $login;
285:                 }
286:             break;
287:             case 'digest':
288:             default:
289:                 $digest = null;
290: 
291:                 if (version_compare(PHP_VERSION, '5.1') != -1) {
292:                     $digest = env('PHP_AUTH_DIGEST');
293:                 } elseif (function_exists('apache_request_headers')) {
294:                     $headers = apache_request_headers();
295:                     if (isset($headers['Authorization']) && !empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) == 'Digest ') {
296:                         $digest = substr($headers['Authorization'], 7);
297:                     }
298:                 } else {
299:                     // Server doesn't support digest-auth headers
300:                     trigger_error(__('SecurityComponent::loginCredentials() - Server does not support digest authentication', true), E_USER_WARNING);
301:                 }
302: 
303:                 if (!empty($digest)) {
304:                     return $this->parseDigestAuthData($digest);
305:                 }
306:             break;
307:         }
308:         return null;
309:     }
310: /**
311:  * Generates the text of an HTTP-authentication request header from an array of options.
312:  *
313:  * @param array $options Set of options for header
314:  * @return string HTTP-authentication request header
315:  * @access public
316:  */
317:     function loginRequest($options = array()) {
318:         $options = array_merge($this->loginOptions, $options);
319:         $this->_setLoginDefaults($options);
320:         $auth = 'WWW-Authenticate: ' . ucfirst($options['type']);
321:         $out = array('realm="' . $options['realm'] . '"');
322: 
323:         if (strtolower($options['type']) == 'digest') {
324:             $out[] = 'qop="auth"';
325:             $out[] = 'nonce="' . uniqid("") . '"';
326:             $out[] = 'opaque="' . md5($options['realm']).'"';
327:         }
328: 
329:         return $auth . ' ' . implode(',', $out);
330:     }
331: /**
332:  * Parses an HTTP digest authentication response, and returns an array of the data, or null on failure.
333:  *
334:  * @param string $digest Digest authentication response
335:  * @return array Digest authentication parameters
336:  * @access public
337:  */
338:     function parseDigestAuthData($digest) {
339:         if (substr($digest, 0, 7) == 'Digest ') {
340:             $digest = substr($digest, 7);
341:         }
342:         $keys = array();
343:         $match = array();
344:         $req = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
345:         preg_match_all('/(\w+)=([\'"]?)([a-zA-Z0-9@=.\/_-]+)\2/', $digest, $match, PREG_SET_ORDER);
346: 
347:         foreach ($match as $i) {
348:             $keys[$i[1]] = $i[3];
349:             unset($req[$i[1]]);
350:         }
351: 
352:         if (empty($req)) {
353:             return $keys;
354:         }
355:         return null;
356:     }
357: /**
358:  * Generates a hash to be compared with an HTTP digest-authenticated response
359:  *
360:  * @param array $data HTTP digest response data, as parsed by SecurityComponent::parseDigestAuthData()
361:  * @return string Digest authentication hash
362:  * @access public
363:  * @see SecurityComponent::parseDigestAuthData()
364:  */
365:     function generateDigestResponseHash($data) {
366:         return md5(
367:             md5($data['username'] . ':' . $this->loginOptions['realm'] . ':' . $this->loginUsers[$data['username']]) .
368:             ':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
369:             md5(env('REQUEST_METHOD') . ':' . $data['uri'])
370:         );
371:     }
372: /**
373:  * Black-hole an invalid request with a 404 error or custom callback. If SecurityComponent::$blackHoleCallback
374:  * is specified, it will use this callback by executing the method indicated in $error
375:  *
376:  * @param object $controller Instantiating controller
377:  * @param string $error Error method
378:  * @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
379:  * @access public
380:  * @see SecurityComponent::$blackHoleCallback
381:  */
382:     function blackHole(&$controller, $error = '') {
383:         if ($this->blackHoleCallback == null) {
384:             $code = 404;
385:             if ($error == 'login') {
386:                 $code = 401;
387:                 $controller->header($this->loginRequest());
388:             }
389:             $controller->redirect(null, $code, true);
390:         } else {
391:             return $this->_callback($controller, $this->blackHoleCallback, array($error));
392:         }
393:     }
394: /**
395:  * Sets the actions that require a $method HTTP request, or empty for all actions
396:  *
397:  * @param string $method The HTTP method to assign controller actions to
398:  * @param array $actions Controller actions to set the required HTTP method to.
399:  * @return void
400:  * @access protected
401:  */
402:     function _requireMethod($method, $actions = array()) {
403:         $this->{'require' . $method} = (empty($actions)) ? array('*'): $actions;
404:     }
405: /**
406:  * Check if HTTP methods are required
407:  *
408:  * @param object $controller Instantiating controller
409:  * @return bool true if $method is required
410:  * @access protected
411:  */
412:     function _methodsRequired(&$controller) {
413:         foreach (array('Post', 'Get', 'Put', 'Delete') as $method) {
414:             $property = 'require' . $method;
415:             if (is_array($this->$property) && !empty($this->$property)) {
416:                 $require = array_map('strtolower', $this->$property);
417: 
418:                 if (in_array($this->_action, $require) || $this->$property == array('*')) {
419:                     if (!$this->RequestHandler->{'is' . $method}()) {
420:                         if (!$this->blackHole($controller, strtolower($method))) {
421:                             return null;
422:                         }
423:                     }
424:                 }
425:             }
426:         }
427:         return true;
428:     }
429: /**
430:  * Check if access requires secure connection
431:  *
432:  * @param object $controller Instantiating controller
433:  * @return bool true if secure connection required
434:  * @access protected
435:  */
436:     function _secureRequired(&$controller) {
437:         if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
438:             $requireSecure = array_map('strtolower', $this->requireSecure);
439: 
440:             if (in_array($this->_action, $requireSecure) || $this->requireSecure == array('*')) {
441:                 if (!$this->RequestHandler->isSSL()) {
442:                     if (!$this->blackHole($controller, 'secure')) {
443:                         return null;
444:                     }
445:                 }
446:             }
447:         }
448:         return true;
449:     }
450: /**
451:  * Check if authentication is required
452:  *
453:  * @param object $controller Instantiating controller
454:  * @return bool true if authentication required
455:  * @access protected
456:  */
457:     function _authRequired(&$controller) {
458:         if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->data)) {
459:             $requireAuth = array_map('strtolower', $this->requireAuth);
460: 
461:             if (in_array($this->_action, $requireAuth) || $this->requireAuth == array('*')) {
462:                 if (!isset($controller->data['_Token'] )) {
463:                     if (!$this->blackHole($controller, 'auth')) {
464:                         return null;
465:                     }
466:                 }
467: 
468:                 if ($this->Session->check('_Token')) {
469:                     $tData = unserialize($this->Session->read('_Token'));
470: 
471:                     if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) {
472:                         if (!$this->blackHole($controller, 'auth')) {
473:                             return null;
474:                         }
475:                     }
476:                 } else {
477:                     if (!$this->blackHole($controller, 'auth')) {
478:                         return null;
479:                     }
480:                 }
481:             }
482:         }
483:         return true;
484:     }
485: /**
486:  * Check if login is required
487:  *
488:  * @param object $controller Instantiating controller
489:  * @return bool true if login is required
490:  * @access protected
491:  */
492:     function _loginRequired(&$controller) {
493:         if (is_array($this->requireLogin) && !empty($this->requireLogin)) {
494:             $requireLogin = array_map('strtolower', $this->requireLogin);
495: 
496:             if (in_array($this->_action, $requireLogin) || $this->requireLogin == array('*')) {
497:                 $login = $this->loginCredentials($this->loginOptions['type']);
498: 
499:                 if ($login == null) {
500:                     $controller->header($this->loginRequest());
501: 
502:                     if (!empty($this->loginOptions['prompt'])) {
503:                         $this->_callback($controller, $this->loginOptions['prompt']);
504:                     } else {
505:                         $this->blackHole($controller, 'login');
506:                     }
507:                 } else {
508:                     if (isset($this->loginOptions['login'])) {
509:                         $this->_callback($controller, $this->loginOptions['login'], array($login));
510:                     } else {
511:                         if (strtolower($this->loginOptions['type']) == 'digest') {
512:                             if ($login && isset($this->loginUsers[$login['username']])) {
513:                                 if ($login['response'] == $this->generateDigestResponseHash($login)) {
514:                                     return true;
515:                                 }
516:                             }
517:                             $this->blackHole($controller, 'login');
518:                         } else {
519:                             if (
520:                                 !(in_array($login['username'], array_keys($this->loginUsers)) &&
521:                                 $this->loginUsers[$login['username']] == $login['password'])
522:                             ) {
523:                                 $this->blackHole($controller, 'login');
524:                             }
525:                         }
526:                     }
527:                 }
528:             }
529:         }
530:         return true;
531:     }
532: /**
533:  * Validate submitted form
534:  *
535:  * @param object $controller Instantiating controller
536:  * @return bool true if submitted form is valid
537:  * @access protected
538:  */
539:     function _validatePost(&$controller) {
540:         if (empty($controller->data)) {
541:             return true;
542:         }
543:         $data = $controller->data;
544: 
545:         if (!isset($data['_Token']) || !isset($data['_Token']['fields']) || !isset($data['_Token']['key'])) {
546:             return false;
547:         }
548:         $token = $data['_Token']['key'];
549: 
550:         if ($this->Session->check('_Token')) {
551:             $tokenData = unserialize($this->Session->read('_Token'));
552: 
553:             if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
554:                 return false;
555:             }
556:         } else {
557:             return false;
558:         }
559: 
560:         $locked = null;
561:         $check = $controller->data;
562:         $token = urldecode($check['_Token']['fields']);
563: 
564:         if (strpos($token, ':')) {
565:             list($token, $locked) = explode(':', $token, 2);
566:         }
567:         unset($check['_Token']);
568: 
569:         $locked = explode('|', $locked);
570: 
571:         $lockedFields = array();
572:         $fields = Set::flatten($check);
573:         $fieldList = array_keys($fields);
574:         $multi = array();
575: 
576:         foreach ($fieldList as $i => $key) {
577:             if (preg_match('/\.\d+$/', $key)) {
578:                 $multi[$i] = preg_replace('/\.\d+$/', '', $key);
579:                 unset($fieldList[$i]);
580:             }
581:         }
582:         if (!empty($multi)) {
583:             $fieldList += array_unique($multi);
584:         }
585: 
586:         foreach ($fieldList as $i => $key) {
587:             $isDisabled = false;
588:             $isLocked = (is_array($locked) && in_array($key, $locked));
589: 
590:             if (!empty($this->disabledFields)) {
591:                 foreach ((array)$this->disabledFields as $disabled) {
592:                     $disabled = explode('.', $disabled);
593:                     $field = array_values(array_intersect(explode('.', $key), $disabled));
594:                     $isDisabled = ($field === $disabled);
595:                     if ($isDisabled) {
596:                         break;
597:                     }
598:                 }
599:             }
600: 
601:             if ($isDisabled || $isLocked) {
602:                 unset($fieldList[$i]);
603:                 if ($isLocked) {
604:                     $lockedFields[$key] = $fields[$key];
605:                 }
606:             }
607:         }
608:         sort($fieldList, SORT_STRING);
609:         ksort($lockedFields, SORT_STRING);
610: 
611:         $fieldList += $lockedFields;
612:         $check = Security::hash(serialize($fieldList) . Configure::read('Security.salt'));
613:         return ($token === $check);
614:     }
615: /**
616:  * Add authentication key for new form posts
617:  *
618:  * @param object $controller Instantiating controller
619:  * @return bool Success
620:  * @access protected
621:  */
622:     function _generateToken(&$controller) {
623:         if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
624:             if ($this->Session->check('_Token')) {
625:                 $tokenData = unserialize($this->Session->read('_Token'));
626:                 $controller->params['_Token'] = $tokenData;
627:             }
628:             return false;
629:         }
630:         $authKey = Security::generateAuthKey();
631:         $expires = strtotime('+' . Security::inactiveMins() . ' minutes');
632:         $token = array(
633:             'key' => $authKey,
634:             'expires' => $expires,
635:             'allowedControllers' => $this->allowedControllers,
636:             'allowedActions' => $this->allowedActions,
637:             'disabledFields' => $this->disabledFields
638:         );
639: 
640:         if (!isset($controller->data)) {
641:             $controller->data = array();
642:         }
643: 
644:         if ($this->Session->check('_Token')) {
645:             $tokenData = unserialize($this->Session->read('_Token'));
646:             $valid = (
647:                 isset($tokenData['expires']) &&
648:                 $tokenData['expires'] > time() &&
649:                 isset($tokenData['key'])
650:             );
651: 
652:             if ($valid) {
653:                 $token['key'] = $tokenData['key'];
654:             }
655:         }
656:         $controller->params['_Token'] = $token;
657:         $this->Session->write('_Token', serialize($token));
658:         return true;
659:     }
660: /**
661:  * Sets the default login options for an HTTP-authenticated request
662:  *
663:  * @param array $options Default login options
664:  * @return void
665:  * @access protected
666:  */
667:     function _setLoginDefaults(&$options) {
668:         $options = array_merge(array(
669:             'type' => 'basic',
670:             'realm' => env('SERVER_NAME'),
671:             'qop' => 'auth',
672:             'nonce' => String::uuid()
673:         ), array_filter($options));
674:         $options = array_merge(array('opaque' => md5($options['realm'])), $options);
675:     }
676: /**
677:  * Calls a controller callback method
678:  *
679:  * @param object $controller Controller to run callback on
680:  * @param string $method Method to execute
681:  * @param array $params Parameters to send to method
682:  * @return mixed Controller callback method's response
683:  * @access protected
684:  */
685:     function _callback(&$controller, $method, $params = array()) {
686:         if (is_callable(array($controller, $method))) {
687:             return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
688:         } else {
689:             // Debug::warning('Callback method ' . $method . ' in controller ' . get_class($controller)
690:             return null;
691:         }
692:     }
693: }
694: 
695: ?>
696: