Context Navigation

source: Dev/branches/cakephp/cake/libs/controller/components/security.php @ 126

Last change on this file since 126 was 126, checked in by fpvanagthoven, 14 years ago
Cakephp branch.
File size: 19.8 KB

Line
1	<?php
2	/**
3	* Security Component
4	*
5	* PHP versions 4 and 5
6	*
7	* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
8	* Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
9	*
10	* Licensed under The MIT License
11	* Redistributions of files must retain the above copyright notice.
12	*
13	* @copyright Copyright 2005-2011, Cake Software Foundation, Inc. (http://cakefoundation.org)
14	* @link http://cakephp.org CakePHP(tm) Project
15	* @package cake
16	* @subpackage cake.cake.libs.controller.components
17	* @since CakePHP(tm) v 0.10.8.2156
18	* @license MIT License (http://www.opensource.org/licenses/mit-license.php)
19	*/
20	App::import('Core', array('String', 'Security'));
21
22	/**
23	* SecurityComponent
24	*
25	* @package cake
26	* @subpackage cake.cake.libs.controller.components
27	* @link http://book.cakephp.org/view/1296/Security-Component
28	*/
29	class SecurityComponent extends Object {
30
31	/**
32	* The controller method that will be called if this request is black-hole'd
33	*
34	* @var string
35	* @access public
36	*/
37	var $blackHoleCallback = null;
38
39	/**
40	* List of controller actions for which a POST request is required
41	*
42	* @var array
43	* @access public
44	* @see SecurityComponent::requirePost()
45	*/
46	var $requirePost = array();
47
48	/**
49	* List of controller actions for which a GET request is required
50	*
51	* @var array
52	* @access public
53	* @see SecurityComponent::requireGet()
54	*/
55	var $requireGet = array();
56
57	/**
58	* List of controller actions for which a PUT request is required
59	*
60	* @var array
61	* @access public
62	* @see SecurityComponent::requirePut()
63	*/
64	var $requirePut = array();
65
66	/**
67	* List of controller actions for which a DELETE request is required
68	*
69	* @var array
70	* @access public
71	* @see SecurityComponent::requireDelete()
72	*/
73	var $requireDelete = array();
74
75	/**
76	* List of actions that require an SSL-secured connection
77	*
78	* @var array
79	* @access public
80	* @see SecurityComponent::requireSecure()
81	*/
82	var $requireSecure = array();
83
84	/**
85	* List of actions that require a valid authentication key
86	*
87	* @var array
88	* @access public
89	* @see SecurityComponent::requireAuth()
90	*/
91	var $requireAuth = array();
92
93	/**
94	* List of actions that require an HTTP-authenticated login (basic or digest)
95	*
96	* @var array
97	* @access public
98	* @see SecurityComponent::requireLogin()
99	*/
100	var $requireLogin = array();
101
102	/**
103	* Login options for SecurityComponent::requireLogin()
104	*
105	* @var array
106	* @access public
107	* @see SecurityComponent::requireLogin()
108	*/
109	var $loginOptions = array('type' => '', 'prompt' => null);
110
111	/**
112	* An associative array of usernames/passwords used for HTTP-authenticated logins.
113	*
114	* @var array
115	* @access public
116	* @see SecurityComponent::requireLogin()
117	*/
118	var $loginUsers = array();
119
120	/**
121	* Controllers from which actions of the current controller are allowed to receive
122	* requests.
123	*
124	* @var array
125	* @access public
126	* @see SecurityComponent::requireAuth()
127	*/
128	var $allowedControllers = array();
129
130	/**
131	* Actions from which actions of the current controller are allowed to receive
132	* requests.
133	*
134	* @var array
135	* @access public
136	* @see SecurityComponent::requireAuth()
137	*/
138	var $allowedActions = array();
139
140	/**
141	* Form fields to disable
142	*
143	* @var array
144	* @access public
145	*/
146	var $disabledFields = array();
147
148	/**
149	* Whether to validate POST data. Set to false to disable for data coming from 3rd party
150	* services, etc.
151	*
152	* @var boolean
153	* @access public
154	*/
155	var $validatePost = true;
156
157	/**
158	* Other components used by the Security component
159	*
160	* @var array
161	* @access public
162	*/
163	var $components = array('RequestHandler', 'Session');
164
165	/**
166	* Holds the current action of the controller
167	*
168	* @var string
169	*/
170	var $_action = null;
171
172	/**
173	* Initialize the SecurityComponent
174	*
175	* @param object $controller Controller instance for the request
176	* @param array $settings Settings to set to the component
177	* @return void
178	* @access public
179	*/
180	function initialize(&$controller, $settings = array()) {
181	$this->_set($settings);
182	}
183
184	/**
185	* Component startup. All security checking happens here.
186	*
187	* @param object $controller Instantiating controller
188	* @return void
189	* @access public
190	*/
191	function startup(&$controller) {
192	$this->_action = strtolower($controller->action);
193	$this->_methodsRequired($controller);
194	$this->_secureRequired($controller);
195	$this->_authRequired($controller);
196	$this->_loginRequired($controller);
197
198	$isPost = ($this->RequestHandler->isPost() \|\| $this->RequestHandler->isPut());
199	$isRequestAction = (
200	!isset($controller->params['requested']) \|\|
201	$controller->params['requested'] != 1
202	);
203
204	if ($isPost && $isRequestAction && $this->validatePost) {
205	if ($this->_validatePost($controller) === false) {
206	if (!$this->blackHole($controller, 'auth')) {
207	return null;
208	}
209	}
210	}
211	$this->_generateToken($controller);
212	}
213
214	/**
215	* Sets the actions that require a POST request, or empty for all actions
216	*
217	* @return void
218	* @access public
219	* @link http://book.cakephp.org/view/1299/requirePost
220	*/
221	function requirePost() {
222	$args = func_get_args();
223	$this->_requireMethod('Post', $args);
224	}
225
226	/**
227	* Sets the actions that require a GET request, or empty for all actions
228	*
229	* @return void
230	* @access public
231	*/
232	function requireGet() {
233	$args = func_get_args();
234	$this->_requireMethod('Get', $args);
235	}
236
237	/**
238	* Sets the actions that require a PUT request, or empty for all actions
239	*
240	* @return void
241	* @access public
242	*/
243	function requirePut() {
244	$args = func_get_args();
245	$this->_requireMethod('Put', $args);
246	}
247
248	/**
249	* Sets the actions that require a DELETE request, or empty for all actions
250	*
251	* @return void
252	* @access public
253	*/
254	function requireDelete() {
255	$args = func_get_args();
256	$this->_requireMethod('Delete', $args);
257	}
258
259	/**
260	* Sets the actions that require a request that is SSL-secured, or empty for all actions
261	*
262	* @return void
263	* @access public
264	* @link http://book.cakephp.org/view/1300/requireSecure
265	*/
266	function requireSecure() {
267	$args = func_get_args();
268	$this->_requireMethod('Secure', $args);
269	}
270
271	/**
272	* Sets the actions that require an authenticated request, or empty for all actions
273	*
274	* @return void
275	* @access public
276	* @link http://book.cakephp.org/view/1301/requireAuth
277	*/
278	function requireAuth() {
279	$args = func_get_args();
280	$this->_requireMethod('Auth', $args);
281	}
282
283	/**
284	* Sets the actions that require an HTTP-authenticated request, or empty for all actions
285	*
286	* @return void
287	* @access public
288	* @link http://book.cakephp.org/view/1302/requireLogin
289	*/
290	function requireLogin() {
291	$args = func_get_args();
292	$base = $this->loginOptions;
293
294	foreach ($args as $i => $arg) {
295	if (is_array($arg)) {
296	$this->loginOptions = $arg;
297	unset($args[$i]);
298	}
299	}
300	$this->loginOptions = array_merge($base, $this->loginOptions);
301	$this->_requireMethod('Login', $args);
302
303	if (isset($this->loginOptions['users'])) {
304	$this->loginUsers =& $this->loginOptions['users'];
305	}
306	}
307
308	/**
309	* Attempts to validate the login credentials for an HTTP-authenticated request
310	*
311	* @param string $type Either 'basic', 'digest', or null. If null/empty, will try both.
312	* @return mixed If successful, returns an array with login name and password, otherwise null.
313	* @access public
314	* @link http://book.cakephp.org/view/1303/loginCredentials-string-type
315	*/
316	function loginCredentials($type = null) {
317	switch (strtolower($type)) {
318	case 'basic':
319	$login = array('username' => env('PHP_AUTH_USER'), 'password' => env('PHP_AUTH_PW'));
320	if (!empty($login['username'])) {
321	return $login;
322	}
323	break;
324	case 'digest':
325	default:
326	$digest = null;
327
328	if (version_compare(PHP_VERSION, '5.1') != -1) {
329	$digest = env('PHP_AUTH_DIGEST');
330	} elseif (function_exists('apache_request_headers')) {
331	$headers = apache_request_headers();
332	if (isset($headers['Authorization']) && !empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) == 'Digest ') {
333	$digest = substr($headers['Authorization'], 7);
334	}
335	} else {
336	// Server doesn't support digest-auth headers
337	trigger_error(__('SecurityComponent::loginCredentials() - Server does not support digest authentication', true), E_USER_WARNING);
338	}
339
340	if (!empty($digest)) {
341	return $this->parseDigestAuthData($digest);
342	}
343	break;
344	}
345	return null;
346	}
347
348	/**
349	* Generates the text of an HTTP-authentication request header from an array of options.
350	*
351	* @param array $options Set of options for header
352	* @return string HTTP-authentication request header
353	* @access public
354	* @link http://book.cakephp.org/view/1304/loginRequest-array-options
355	*/
356	function loginRequest($options = array()) {
357	$options = array_merge($this->loginOptions, $options);
358	$this->_setLoginDefaults($options);
359	$auth = 'WWW-Authenticate: ' . ucfirst($options['type']);
360	$out = array('realm="' . $options['realm'] . '"');
361
362	if (strtolower($options['type']) == 'digest') {
363	$out[] = 'qop="auth"';
364	$out[] = 'nonce="' . uniqid("") . '"';
365	$out[] = 'opaque="' . md5($options['realm']) . '"';
366	}
367
368	return $auth . ' ' . implode(',', $out);
369	}
370
371	/**
372	* Parses an HTTP digest authentication response, and returns an array of the data, or null on failure.
373	*
374	* @param string $digest Digest authentication response
375	* @return array Digest authentication parameters
376	* @access public
377	* @link http://book.cakephp.org/view/1305/parseDigestAuthData-string-digest
378	*/
379	function parseDigestAuthData($digest) {
380	if (substr($digest, 0, 7) == 'Digest ') {
381	$digest = substr($digest, 7);
382	}
383	$keys = array();
384	$match = array();
385	$req = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
386	preg_match_all('/(\w+)=([\'"]?)([a-zA-Z0-9@=.\/_-]+)\2/', $digest, $match, PREG_SET_ORDER);
387
388	foreach ($match as $i) {
389	$keys[$i[1]] = $i[3];
390	unset($req[$i[1]]);
391	}
392
393	if (empty($req)) {
394	return $keys;
395	}
396	return null;
397	}
398
399	/**
400	* Generates a hash to be compared with an HTTP digest-authenticated response
401	*
402	* @param array $data HTTP digest response data, as parsed by SecurityComponent::parseDigestAuthData()
403	* @return string Digest authentication hash
404	* @access public
405	* @see SecurityComponent::parseDigestAuthData()
406	* @link http://book.cakephp.org/view/1306/generateDigestResponseHash-array-data
407	*/
408	function generateDigestResponseHash($data) {
409	return md5(
410	md5($data['username'] . ':' . $this->loginOptions['realm'] . ':' . $this->loginUsers[$data['username']]) .
411	':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
412	md5(env('REQUEST_METHOD') . ':' . $data['uri'])
413	);
414	}
415
416	/**
417	* Black-hole an invalid request with a 404 error or custom callback. If SecurityComponent::$blackHoleCallback
418	* is specified, it will use this callback by executing the method indicated in $error
419	*
420	* @param object $controller Instantiating controller
421	* @param string $error Error method
422	* @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
423	* @access public
424	* @see SecurityComponent::$blackHoleCallback
425	* @link http://book.cakephp.org/view/1307/blackHole-object-controller-string-error
426	*/
427	function blackHole(&$controller, $error = '') {
428	if ($this->blackHoleCallback == null) {
429	$code = 404;
430	if ($error == 'login') {
431	$code = 401;
432	$controller->header($this->loginRequest());
433	}
434	$controller->redirect(null, $code, true);
435	} else {
436	return $this->_callback($controller, $this->blackHoleCallback, array($error));
437	}
438	}
439
440	/**
441	* Sets the actions that require a $method HTTP request, or empty for all actions
442	*
443	* @param string $method The HTTP method to assign controller actions to
444	* @param array $actions Controller actions to set the required HTTP method to.
445	* @return void
446	* @access protected
447	*/
448	function _requireMethod($method, $actions = array()) {
449	if (isset($actions[0]) && is_array($actions[0])) {
450	$actions = $actions[0];
451	}
452	$this->{'require' . $method} = (empty($actions)) ? array('*'): $actions;
453	}
454
455	/**
456	* Check if HTTP methods are required
457	*
458	* @param object $controller Instantiating controller
459	* @return bool true if $method is required
460	* @access protected
461	*/
462	function _methodsRequired(&$controller) {
463	foreach (array('Post', 'Get', 'Put', 'Delete') as $method) {
464	$property = 'require' . $method;
465	if (is_array($this->$property) && !empty($this->$property)) {
466	$require = array_map('strtolower', $this->$property);
467
468	if (in_array($this->_action, $require) \|\| $this->$property == array('*')) {
469	if (!$this->RequestHandler->{'is' . $method}()) {
470	if (!$this->blackHole($controller, strtolower($method))) {
471	return null;
472	}
473	}
474	}
475	}
476	}
477	return true;
478	}
479
480	/**
481	* Check if access requires secure connection
482	*
483	* @param object $controller Instantiating controller
484	* @return bool true if secure connection required
485	* @access protected
486	*/
487	function _secureRequired(&$controller) {
488	if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
489	$requireSecure = array_map('strtolower', $this->requireSecure);
490
491	if (in_array($this->_action, $requireSecure) \|\| $this->requireSecure == array('*')) {
492	if (!$this->RequestHandler->isSSL()) {
493	if (!$this->blackHole($controller, 'secure')) {
494	return null;
495	}
496	}
497	}
498	}
499	return true;
500	}
501
502	/**
503	* Check if authentication is required
504	*
505	* @param object $controller Instantiating controller
506	* @return bool true if authentication required
507	* @access protected
508	*/
509	function _authRequired(&$controller) {
510	if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->data)) {
511	$requireAuth = array_map('strtolower', $this->requireAuth);
512
513	if (in_array($this->_action, $requireAuth) \|\| $this->requireAuth == array('*')) {
514	if (!isset($controller->data['_Token'] )) {
515	if (!$this->blackHole($controller, 'auth')) {
516	return null;
517	}
518	}
519
520	if ($this->Session->check('_Token')) {
521	$tData = unserialize($this->Session->read('_Token'));
522
523	if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) \|\| !empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) {
524	if (!$this->blackHole($controller, 'auth')) {
525	return null;
526	}
527	}
528	} else {
529	if (!$this->blackHole($controller, 'auth')) {
530	return null;
531	}
532	}
533	}
534	}
535	return true;
536	}
537
538	/**
539	* Check if login is required
540	*
541	* @param object $controller Instantiating controller
542	* @return bool true if login is required
543	* @access protected
544	*/
545	function _loginRequired(&$controller) {
546	if (is_array($this->requireLogin) && !empty($this->requireLogin)) {
547	$requireLogin = array_map('strtolower', $this->requireLogin);
548
549	if (in_array($this->_action, $requireLogin) \|\| $this->requireLogin == array('*')) {
550	$login = $this->loginCredentials($this->loginOptions['type']);
551
552	if ($login == null) {
553	$controller->header($this->loginRequest());
554
555	if (!empty($this->loginOptions['prompt'])) {
556	$this->_callback($controller, $this->loginOptions['prompt']);
557	} else {
558	$this->blackHole($controller, 'login');
559	}
560	} else {
561	if (isset($this->loginOptions['login'])) {
562	$this->_callback($controller, $this->loginOptions['login'], array($login));
563	} else {
564	if (strtolower($this->loginOptions['type']) == 'digest') {
565	if ($login && isset($this->loginUsers[$login['username']])) {
566	if ($login['response'] == $this->generateDigestResponseHash($login)) {
567	return true;
568	}
569	}
570	$this->blackHole($controller, 'login');
571	} else {
572	if (
573	!(in_array($login['username'], array_keys($this->loginUsers)) &&
574	$this->loginUsers[$login['username']] == $login['password'])
575	) {
576	$this->blackHole($controller, 'login');
577	}
578	}
579	}
580	}
581	}
582	}
583	return true;
584	}
585
586	/**
587	* Validate submitted form
588	*
589	* @param object $controller Instantiating controller
590	* @return bool true if submitted form is valid
591	* @access protected
592	*/
593	function _validatePost(&$controller) {
594	if (empty($controller->data)) {
595	return true;
596	}
597	$data = $controller->data;
598
599	if (!isset($data['_Token']) \|\| !isset($data['_Token']['fields']) \|\| !isset($data['_Token']['key'])) {
600	return false;
601	}
602	$token = $data['_Token']['key'];
603
604	if ($this->Session->check('_Token')) {
605	$tokenData = unserialize($this->Session->read('_Token'));
606
607	if ($tokenData['expires'] < time() \|\| $tokenData['key'] !== $token) {
608	return false;
609	}
610	} else {
611	return false;
612	}
613
614	$locked = null;
615	$check = $controller->data;
616	$token = urldecode($check['_Token']['fields']);
617
618	if (strpos($token, ':')) {
619	list($token, $locked) = explode(':', $token, 2);
620	}
621	unset($check['_Token']);
622
623	$locked = explode('\|', $locked);
624
625	$lockedFields = array();
626	$fields = Set::flatten($check);
627	$fieldList = array_keys($fields);
628	$multi = array();
629
630	foreach ($fieldList as $i => $key) {
631	if (preg_match('/\.\d+$/', $key)) {
632	$multi[$i] = preg_replace('/\.\d+$/', '', $key);
633	unset($fieldList[$i]);
634	}
635	}
636	if (!empty($multi)) {
637	$fieldList += array_unique($multi);
638	}
639
640	foreach ($fieldList as $i => $key) {
641	$isDisabled = false;
642	$isLocked = (is_array($locked) && in_array($key, $locked));
643
644	if (!empty($this->disabledFields)) {
645	foreach ((array)$this->disabledFields as $disabled) {
646	$disabled = explode('.', $disabled);
647	$field = array_values(array_intersect(explode('.', $key), $disabled));
648	$isDisabled = ($field === $disabled);
649	if ($isDisabled) {
650	break;
651	}
652	}
653	}
654
655	if ($isDisabled \|\| $isLocked) {
656	unset($fieldList[$i]);
657	if ($isLocked) {
658	$lockedFields[$key] = $fields[$key];
659	}
660	}
661	}
662	sort($fieldList, SORT_STRING);
663	ksort($lockedFields, SORT_STRING);
664
665	$fieldList += $lockedFields;
666	$check = Security::hash(serialize($fieldList) . Configure::read('Security.salt'));
667	return ($token === $check);
668	}
669
670	/**
671	* Add authentication key for new form posts
672	*
673	* @param object $controller Instantiating controller
674	* @return bool Success
675	* @access protected
676	*/
677	function _generateToken(&$controller) {
678	if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
679	if ($this->Session->check('_Token')) {
680	$tokenData = unserialize($this->Session->read('_Token'));
681	$controller->params['_Token'] = $tokenData;
682	}
683	return false;
684	}
685	$authKey = Security::generateAuthKey();
686	$expires = strtotime('+' . Security::inactiveMins() . ' minutes');
687	$token = array(
688	'key' => $authKey,
689	'expires' => $expires,
690	'allowedControllers' => $this->allowedControllers,
691	'allowedActions' => $this->allowedActions,
692	'disabledFields' => $this->disabledFields
693	);
694
695	if (!isset($controller->data)) {
696	$controller->data = array();
697	}
698
699	if ($this->Session->check('_Token')) {
700	$tokenData = unserialize($this->Session->read('_Token'));
701	$valid = (
702	isset($tokenData['expires']) &&
703	$tokenData['expires'] > time() &&
704	isset($tokenData['key'])
705	);
706
707	if ($valid) {
708	$token['key'] = $tokenData['key'];
709	}
710	}
711	$controller->params['_Token'] = $token;
712	$this->Session->write('_Token', serialize($token));
713	return true;
714	}
715
716	/**
717	* Sets the default login options for an HTTP-authenticated request
718	*
719	* @param array $options Default login options
720	* @return void
721	* @access protected
722	*/
723	function _setLoginDefaults(&$options) {
724	$options = array_merge(array(
725	'type' => 'basic',
726	'realm' => env('SERVER_NAME'),
727	'qop' => 'auth',
728	'nonce' => String::uuid()
729	), array_filter($options));
730	$options = array_merge(array('opaque' => md5($options['realm'])), $options);
731	}
732
733	/**
734	* Calls a controller callback method
735	*
736	* @param object $controller Controller to run callback on
737	* @param string $method Method to execute
738	* @param array $params Parameters to send to method
739	* @return mixed Controller callback method's response
740	* @access protected
741	*/
742	function _callback(&$controller, $method, $params = array()) {
743	if (is_callable(array($controller, $method))) {
744	return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
745	} else {
746	return null;
747	}
748	}
749	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: