1: <?php
2: /**
3: * CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
4: * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
5: *
6: * Licensed under The MIT License
7: * For full copyright and license information, please see the LICENSE.txt
8: * Redistributions of files must retain the above copyright notice.
9: *
10: * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
11: * @link http://cakephp.org CakePHP(tm) Project
12: * @license http://www.opensource.org/licenses/mit-license.php MIT License
13: */
14:
15: App::uses('Security', 'Utility');
16: App::uses('Hash', 'Utility');
17:
18: /**
19: * Base Authentication class with common methods and properties.
20: *
21: * @package Cake.Controller.Component.Auth
22: */
23: abstract class BaseAuthenticate {
24:
25: /**
26: * Settings for this object.
27: *
28: * - `fields` The fields to use to identify a user by.
29: * - `userModel` The model name of the User, defaults to User.
30: * - `scope` Additional conditions to use when looking up and authenticating users,
31: * i.e. `array('User.is_active' => 1).`
32: * - `recursive` The value of the recursive key passed to find(). Defaults to 0.
33: * - `contain` Extra models to contain and store in session.
34: * - `passwordHasher` Password hasher class. Can be a string specifying class name
35: * or an array containing `className` key, any other keys will be passed as
36: * settings to the class. Defaults to 'Simple'.
37: *
38: * @var array
39: */
40: public $settings = array(
41: 'fields' => array(
42: 'username' => 'username',
43: 'password' => 'password'
44: ),
45: 'userModel' => 'User',
46: 'scope' => array(),
47: 'recursive' => 0,
48: 'contain' => null,
49: 'passwordHasher' => 'Simple'
50: );
51:
52: /**
53: * A Component collection, used to get more components.
54: *
55: * @var ComponentCollection
56: */
57: protected $_Collection;
58:
59: /**
60: * Password hasher instance.
61: *
62: * @var AbstractPasswordHasher
63: */
64: protected $_passwordHasher;
65:
66: /**
67: * Constructor
68: *
69: * @param ComponentCollection $collection The Component collection used on this request.
70: * @param array $settings Array of settings to use.
71: */
72: public function __construct(ComponentCollection $collection, $settings) {
73: $this->_Collection = $collection;
74: $this->settings = Hash::merge($this->settings, $settings);
75: }
76:
77: /**
78: * Find a user record using the standard options.
79: *
80: * The $username parameter can be a (string)username or an array containing
81: * conditions for Model::find('first'). If the $password param is not provided
82: * the password field will be present in returned array.
83: *
84: * Input passwords will be hashed even when a user doesn't exist. This
85: * helps mitigate timing attacks that are attempting to find valid usernames.
86: *
87: * @param string|array $username The username/identifier, or an array of find conditions.
88: * @param string $password The password, only used if $username param is string.
89: * @return boolean|array Either false on failure, or an array of user data.
90: */
91: protected function _findUser($username, $password = null) {
92: $userModel = $this->settings['userModel'];
93: list(, $model) = pluginSplit($userModel);
94: $fields = $this->settings['fields'];
95:
96: if (is_array($username)) {
97: $conditions = $username;
98: } else {
99: $conditions = array(
100: $model . '.' . $fields['username'] => $username
101: );
102: }
103:
104: if (!empty($this->settings['scope'])) {
105: $conditions = array_merge($conditions, $this->settings['scope']);
106: }
107:
108: $result = ClassRegistry::init($userModel)->find('first', array(
109: 'conditions' => $conditions,
110: 'recursive' => $this->settings['recursive'],
111: 'contain' => $this->settings['contain'],
112: ));
113: if (empty($result[$model])) {
114: $this->passwordHasher()->hash($password);
115: return false;
116: }
117:
118: $user = $result[$model];
119: if ($password !== null) {
120: if (!$this->passwordHasher()->check($password, $user[$fields['password']])) {
121: return false;
122: }
123: unset($user[$fields['password']]);
124: }
125:
126: unset($result[$model]);
127: return array_merge($user, $result);
128: }
129:
130: /**
131: * Return password hasher object
132: *
133: * @return AbstractPasswordHasher Password hasher instance
134: * @throws CakeException If password hasher class not found or
135: * it does not extend AbstractPasswordHasher
136: */
137: public function passwordHasher() {
138: if ($this->_passwordHasher) {
139: return $this->_passwordHasher;
140: }
141:
142: $config = array();
143: if (is_string($this->settings['passwordHasher'])) {
144: $class = $this->settings['passwordHasher'];
145: } else {
146: $class = $this->settings['passwordHasher']['className'];
147: $config = $this->settings['passwordHasher'];
148: unset($config['className']);
149: }
150: list($plugin, $class) = pluginSplit($class, true);
151: $className = $class . 'PasswordHasher';
152: App::uses($className, $plugin . 'Controller/Component/Auth');
153: if (!class_exists($className)) {
154: throw new CakeException(__d('cake_dev', 'Password hasher class "%s" was not found.', $class));
155: }
156: if (!is_subclass_of($className, 'AbstractPasswordHasher')) {
157: throw new CakeException(__d('cake_dev', 'Password hasher must extend AbstractPasswordHasher class.'));
158: }
159: $this->_passwordHasher = new $className($config);
160: return $this->_passwordHasher;
161: }
162:
163: /**
164: * Hash the plain text password so that it matches the hashed/encrypted password
165: * in the datasource.
166: *
167: * @param string $password The plain text password.
168: * @return string The hashed form of the password.
169: * @deprecated Since 2.4. Use a PasswordHasher class instead.
170: */
171: protected function _password($password) {
172: return Security::hash($password, null, true);
173: }
174:
175: /**
176: * Authenticate a user based on the request information.
177: *
178: * @param CakeRequest $request Request to get authentication information from.
179: * @param CakeResponse $response A response object that can have headers added.
180: * @return mixed Either false on failure, or an array of user data on success.
181: */
182: abstract public function authenticate(CakeRequest $request, CakeResponse $response);
183:
184: /**
185: * Allows you to hook into AuthComponent::logout(),
186: * and implement specialized logout behavior.
187: *
188: * All attached authentication objects will have this method
189: * called when a user logs out.
190: *
191: * @param array $user The user about to be logged out.
192: * @return void
193: */
194: public function logout($user) {
195: }
196:
197: /**
198: * Get a user based on information in the request. Primarily used by stateless authentication
199: * systems like basic and digest auth.
200: *
201: * @param CakeRequest $request Request object.
202: * @return mixed Either false or an array of user information
203: */
204: public function getUser(CakeRequest $request) {
205: return false;
206: }
207:
208: /**
209: * Handle unauthenticated access attempt.
210: *
211: * @param CakeRequest $request A request object.
212: * @param CakeResponse $response A response object.
213: * @return mixed Either true to indicate the unauthenticated request has been
214: * dealt with and no more action is required by AuthComponent or void (default).
215: */
216: public function unauthenticated(CakeRequest $request, CakeResponse $response) {
217: }
218:
219: }
220: