icingaweb2/library/Icinga/Authentication/User/DbUserBackend.php

<?php
/* Icinga Web 2 | (c) 2013-2015 Icinga Development Team | GPLv2+ */

namespace Icinga\Authentication\User;

use Exception;
use PDO;
use Icinga\Exception\AuthenticationException;
use Icinga\Repository\DbRepository;
use Icinga\User;

class DbUserBackend extends DbRepository implements UserBackendInterface
{
    /**
     * The algorithm to use when hashing passwords
     *
     * @var string
     */
    const HASH_ALGORITHM = '$1$'; // MD5

    /**
     * The length of the salt to use when hashing a password
     *
     * @var int
     */
    const SALT_LENGTH = 12; // 12 is required by MD5

    /**
     * The query columns being provided
     *
     * @var array
     */
    protected $queryColumns = array(
        'user' => array(
            'user'          => 'name COLLATE utf8_general_ci',
            'user_name'     => 'name',
            'is_active'     => 'active',
            'created_at'    => 'UNIX_TIMESTAMP(ctime)',
            'last_modified' => 'UNIX_TIMESTAMP(mtime)'
        )
    );

    /**
     * The columns which are not permitted to be queried
     *
     * @var array
     */
    protected $filterColumns = array('user');

    /**
     * The default sort rules to be applied on a query
     *
     * @var array
     */
    protected $sortRules = array(
        'user_name' => array(
            'columns'   => array(
                'user_name asc',
                'is_active desc'
            )
        )
    );

    /**
     * Initialize this database user backend
     */
    protected function init()
    {
        if (! $this->ds->getTablePrefix()) {
            $this->ds->setTablePrefix('icingaweb_');
        }
    }

    /**
     * Add a new user
     *
     * @param   string  $username   The name of the new user
     * @param   string  $password   The new user's password
     * @param   bool    $active     Whether the user is active
     */
    public function addUser($username, $password, $active = true)
    {
        $passwordHash = $this->hashPassword($password);

        $stmt = $this->ds->getDbAdapter()->prepare(
            'INSERT INTO icingaweb_user VALUES (:name, :active, :password_hash, now(), DEFAULT);'
        );
        $stmt->bindParam(':name', $username, PDO::PARAM_STR);
        $stmt->bindParam(':active', $active, PDO::PARAM_INT);
        $stmt->bindParam(':password_hash', $passwordHash, PDO::PARAM_LOB);
        $stmt->execute();
    }

    /**
     * Fetch the hashed password for the given user
     *
     * @param   string  $username   The name of the user
     *
     * @return  string
     */
    protected function getPasswordHash($username)
    {
        if ($this->ds->getDbType() === 'pgsql') {
            // Since PostgreSQL version 9.0 the default value for bytea_output is 'hex' instead of 'escape'
            $stmt = $this->ds->getDbAdapter()->prepare(
                'SELECT ENCODE(password_hash, \'escape\') FROM icingaweb_user WHERE name = :name AND active = 1'
            );
        } else {
            $stmt = $this->ds->getDbAdapter()->prepare(
                'SELECT password_hash FROM icingaweb_user WHERE name = :name AND active = 1'
            );
        }

        $stmt->execute(array(':name' => $username));
        $stmt->bindColumn(1, $lob, PDO::PARAM_LOB);
        $stmt->fetch(PDO::FETCH_BOUND);
        if (is_resource($lob)) {
            $lob = stream_get_contents($lob);
        }

        return $this->ds->getDbType() === 'pgsql' ? pg_unescape_bytea($lob) : $lob;
    }

    /**
     * Authenticate the given user
     *
     * @param   User        $user
     * @param   string      $password
     *
     * @return  bool                        True on success, false on failure
     *
     * @throws  AuthenticationException     In case authentication is not possible due to an error
     */
    public function authenticate(User $user, $password)
    {
        try {
            $passwordHash = $this->getPasswordHash($user->getUsername());
            $passwordSalt = $this->getSalt($passwordHash);
            $hashToCompare = $this->hashPassword($password, $passwordSalt);
            return $hashToCompare === $passwordHash;
        } catch (Exception $e) {
            throw new AuthenticationException(
                'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
                $user->getUsername(),
                $this->getName(),
                $e
            );
        }
    }

    /**
     * Extract salt from the given password hash
     *
     * @param   string  $hash   The hashed password
     *
     * @return  string
     */
    protected function getSalt($hash)
    {
        return substr($hash, strlen(self::HASH_ALGORITHM), self::SALT_LENGTH);
    }

    /**
     * Return a random salt
     *
     * The returned salt is safe to be used for hashing a user's password
     *
     * @return  string
     */
    protected function generateSalt()
    {
        return openssl_random_pseudo_bytes(self::SALT_LENGTH);
    }

    /**
     * Hash a password
     *
     * @param   string  $password
     * @param   string  $salt
     *
     * @return  string
     */
    protected function hashPassword($password, $salt = null)
    {
        return crypt($password, self::HASH_ALGORITHM . ($salt !== null ? $salt : $this->generateSalt()));
    }
}
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00			`<?php`
Note that our license is GPL v2 or any later version in our license header instead of pointing to the license's URL 2015-02-04 10:46:36 +01:00			`/* Icinga Web 2 \| (c) 2013-2015 Icinga Development Team \| GPLv2+ */`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00
Move concrete UserBackend classes to Icinga\Authentication\User refs #8826 2015-04-21 12:51:31 +02:00			`namespace Icinga\Authentication\User;`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`use Exception;`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`use PDO;`
User backends: Throw exception when authentication fails due to an exception refs #5685 2014-06-02 15:52:58 +02:00			`use Icinga\Exception\AuthenticationException;`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`use Icinga\Repository\DbRepository;`
			`use Icinga\User;`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`class DbUserBackend extends DbRepository implements UserBackendInterface`
Change the StoreFactory to work with the DbAdapterFactory and fix code styling Change the StoreFactory configuration to reference to a resource instead of defining the whole database. Additionally fix docstrings, fix imports and fix function calls to comply to coding style standards. refs #4503 2013-08-15 14:16:34 +02:00			`{`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`/**`
			`* The algorithm to use when hashing passwords`
			`*`
			`* @var string`
			`*/`
			`const HASH_ALGORITHM = '$1$'; // MD5`

			`/**`
			`* The length of the salt to use when hashing a password`
			`*`
			`* @var int`
			`*/`
			`const SALT_LENGTH = 12; // 12 is required by MD5`

Fix code styling to comply with coding standard refs #4503 2013-08-15 14:58:08 +02:00			`/**`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`* The query columns being provided`
			`*`
			`* @var array`
			`*/`
			`protected $queryColumns = array(`
			`'user' => array(`
DbUserBackend: Add case insensitive filter column `user' refs #8826 2015-05-05 09:34:23 +02:00			`'user' => 'name COLLATE utf8_general_ci',`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`'user_name' => 'name',`
			`'is_active' => 'active',`
			`'created_at' => 'UNIX_TIMESTAMP(ctime)',`
			`'last_modified' => 'UNIX_TIMESTAMP(mtime)'`
			`)`
			`);`

DbUserBackend: Add case insensitive filter column `user' refs #8826 2015-05-05 09:34:23 +02:00			`/**`
			`* The columns which are not permitted to be queried`
			`*`
			`* @var array`
			`*/`
			`protected $filterColumns = array('user');`

DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`/**`
			`* The default sort rules to be applied on a query`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`*`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`* @var array`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`*/`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`protected $sortRules = array(`
			`'user_name' => array(`
DbUserBackend: Use is_active as well as a default sort column refs #8826 2015-05-04 15:55:36 +02:00			`'columns' => array(`
			`'user_name asc',`
			`'is_active desc'`
			`)`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`)`
			`);`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`/**`
			`* Initialize this database user backend`
			`*/`
			`protected function init()`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`{`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`if (! $this->ds->getTablePrefix()) {`
			`$this->ds->setTablePrefix('icingaweb_');`
			`}`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`}`

Add admin creation routine refs #7163 2014-10-08 10:26:12 +02:00			`/**`
			`* Add a new user`
			`*`
			`* @param string $username The name of the new user`
			`* @param string $password The new user's password`
			`* @param bool $active Whether the user is active`
			`*/`
			`public function addUser($username, $password, $active = true)`
			`{`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`$passwordHash = $this->hashPassword($password);`

DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`$stmt = $this->ds->getDbAdapter()->prepare(`
Leave it up to the database to decide what is the current time 2014-11-04 12:42:39 +01:00			`'INSERT INTO icingaweb_user VALUES (:name, :active, :password_hash, now(), DEFAULT);'`
Add admin creation routine refs #7163 2014-10-08 10:26:12 +02:00			`);`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`$stmt->bindParam(':name', $username, PDO::PARAM_STR);`
			`$stmt->bindParam(':active', $active, PDO::PARAM_INT);`
			`$stmt->bindParam(':password_hash', $passwordHash, PDO::PARAM_LOB);`
			`$stmt->execute();`
Add admin creation routine refs #7163 2014-10-08 10:26:12 +02:00			`}`

AuthManager: Implement backend chain refs #4641 refs #4590 refs #4593 2013-08-28 10:16:18 +02:00			`/**`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`* Fetch the hashed password for the given user`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`*`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`* @param string $username The name of the user`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`*`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`* @return string`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`*/`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`protected function getPasswordHash($username)`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`{`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`if ($this->ds->getDbType() === 'pgsql') {`
postgresql/auth: Fix that users cannot login when using PostgreSQL >= version 9.0 fixes #8251 2015-01-19 16:43:19 +01:00			`// Since PostgreSQL version 9.0 the default value for bytea_output is 'hex' instead of 'escape'`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`$stmt = $this->ds->getDbAdapter()->prepare(`
postgresql/auth: Fix that users cannot login when using PostgreSQL >= version 9.0 fixes #8251 2015-01-19 16:43:19 +01:00			`'SELECT ENCODE(password_hash, \'escape\') FROM icingaweb_user WHERE name = :name AND active = 1'`
			`);`
			`} else {`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`$stmt = $this->ds->getDbAdapter()->prepare(`
postgresql/auth: Fix that users cannot login when using PostgreSQL >= version 9.0 fixes #8251 2015-01-19 16:43:19 +01:00			`'SELECT password_hash FROM icingaweb_user WHERE name = :name AND active = 1'`
			`);`
			`}`
Fix login when using a PostgreSQL database as authentication backend fixes #8524 2015-03-06 11:03:45 +01:00
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`$stmt->execute(array(':name' => $username));`
			`$stmt->bindColumn(1, $lob, PDO::PARAM_LOB);`
			`$stmt->fetch(PDO::FETCH_BOUND);`
Fix login when using a PostgreSQL database as authentication backend fixes #8524 2015-03-06 11:03:45 +01:00			`if (is_resource($lob)) {`
			`$lob = stream_get_contents($lob);`
			`}`

DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`return $this->ds->getDbType() === 'pgsql' ? pg_unescape_bytea($lob) : $lob;`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`}`

			`/**`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`* Authenticate the given user`
AuthManager: Implement backend chain refs #4641 refs #4590 refs #4593 2013-08-28 10:16:18 +02:00			`*`
Fix: Database login fixes #5706 2014-03-06 14:07:33 +01:00			`* @param User $user`
			`* @param string $password`
Change the StoreFactory to work with the DbAdapterFactory and fix code styling Change the StoreFactory configuration to reference to a resource instead of defining the whole database. Additionally fix docstrings, fix imports and fix function calls to comply to coding style standards. refs #4503 2013-08-15 14:16:34 +02:00			`*`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`* @return bool True on success, false on failure`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`*`
DbUserBackend: Extend DbRepository and implement UserBackendInterface refs #8826 2015-05-04 12:15:05 +02:00			`* @throws AuthenticationException In case authentication is not possible due to an error`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00			`*/`
Decouple authentication backend creation from Icinga\Authentication\Manager Add authentication backend type msldap with default values for user_class and user_name_attribute. Backend type ldap now logs an error when user_class and user_name_attribute ist not configured. Rename membership.ini to memberships.ini since all our INI configuration files are in the plurar where it makes sense. The AuthenticationController now handles authentication refs #5685 refs #5638 fixes #5218 2014-03-03 17:21:17 +01:00			`public function authenticate(User $user, $password)`
Add default login to the authentication database refs #3772 2013-07-25 16:47:43 +02:00			`{`
Fix authentication error handling 2014-03-28 14:45:03 +01:00			`try {`
Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00			`$passwordHash = $this->getPasswordHash($user->getUsername());`
			`$passwordSalt = $this->getSalt($passwordHash);`
			`$hashToCompare = $this->hashPassword($password, $passwordSalt);`
			`return $hashToCompare === $passwordHash;`
Fix authentication error handling 2014-03-28 14:45:03 +01:00			`} catch (Exception $e) {`
User backends: Throw exception when authentication fails due to an exception refs #5685 2014-06-02 15:52:58 +02:00			`throw new AuthenticationException(`
AuthenticationException: extend IcingaException refs #6931 2014-08-22 10:59:52 +02:00			`'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',`
			`$user->getUsername(),`
			`$this->getName(),`
User backends: Throw exception when authentication fails due to an exception refs #5685 2014-06-02 15:52:58 +02:00			`$e`
Fix authentication error handling 2014-03-28 14:45:03 +01:00			`);`
			`}`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00			`}`

			`/**`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`* Extract salt from the given password hash`
Add default login to the authentication database refs #3772 2013-07-25 16:47:43 +02:00			`*`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`* @param string $hash The hashed password`
Add the DbAdapterFactory to instanciate database adapters using resource names Create the DbAdapterFactory to instanciate db adapters, add resources.ini to configure resources, change the authentication Manager to fall back to backends with lower priority in case of errors, update the current UserBackends to the changed environment. Also adjust the documentation and existing unit tests. resolves #4503 2013-08-13 18:08:21 +02:00			`*`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`* @return string`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00			`*/`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`protected function getSalt($hash)`
Add default login to the authentication database refs #3772 2013-07-25 16:47:43 +02:00			`{`
Fix salt extraction 2014-11-04 13:03:36 +01:00			`return substr($hash, strlen(self::HASH_ALGORITHM), self::SALT_LENGTH);`
Adds DbUserBackend to handle the authentication against a sql db. Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769 2013-06-28 19:00:30 +02:00			`}`

Add admin creation routine refs #7163 2014-10-08 10:26:12 +02:00			`/**`
			`* Return a random salt`
			`*`
			`* The returned salt is safe to be used for hashing a user's password`
			`*`
			`* @return string`
			`*/`
			`protected function generateSalt()`
			`{`
Require the OpenSSL module instead of providing an unsafe fallback refs #7163 2014-11-11 10:19:09 +01:00			`return openssl_random_pseudo_bytes(self::SALT_LENGTH);`
Add admin creation routine refs #7163 2014-10-08 10:26:12 +02:00			`}`

Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`/**`
Decouple authentication backend creation from Icinga\Authentication\Manager Add authentication backend type msldap with default values for user_class and user_name_attribute. Backend type ldap now logs an error when user_class and user_name_attribute ist not configured. Rename membership.ini to memberships.ini since all our INI configuration files are in the plurar where it makes sense. The AuthenticationController now handles authentication refs #5685 refs #5638 fixes #5218 2014-03-03 17:21:17 +01:00			`* Hash a password`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`*`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`* @param string $password`
			`* @param string $salt`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`*`
			`* @return string`
			`*/`
Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00			`protected function hashPassword($password, $salt = null)`
			`{`
			`return crypt($password, self::HASH_ALGORITHM . ($salt !== null ? $salt : $this->generateSalt()));`
Make DbUserBackend extensible Fix: Swap hmac secret key refs #5151 2013-11-27 10:58:43 +01:00			`}`
AuthenticationException: extend IcingaException refs #6931 2014-08-22 10:59:52 +02:00			`}`