Auth.php
222 lines
| 1 | <?php |
| 2 | /** |
| 3 | * Piwik - free/libre analytics platform |
| 4 | * |
| 5 | * @link https://matomo.org |
| 6 | * @license http://www.gnu.org/licenses/gpl-3.0.html GPL v3 or later |
| 7 | * |
| 8 | */ |
| 9 | |
| 10 | namespace Piwik; |
| 11 | |
| 12 | use Exception; |
| 13 | |
/**
 * Contract that every authentication implementation has to fulfil.
 *
 * A plugin that provides authentication must ship a class implementing this
 * interface, and must register an instance of it in the container under the
 * 'Piwik\Auth' key while the
 * [Request.initAuthenticationObject](http://developer.piwik.org/api-reference/events#requestinitauthenticationobject)
 * event is being handled.
 *
 * Two credential pairs are mandatory: login + clear-text password, and
 * login + token auth. A third pair, login + MD5 hash of the password, is optional;
 * without it [formless authentication](http://piwik.org/faq/how-to/faq_30/) will fail.
 *
 * When both a password and a token auth have been set, implementations should
 * authenticate with the password and ignore the token auth.
 *
 * NOTE(review): an MD5 hash that is accepted in place of the password is a
 * password-equivalent credential, and MD5 is a fast digest that is not suitable
 * for protecting passwords. Implementers should handle such hashes, and token
 * auths, as secrets (keep them out of logs and URLs where possible).
 *
 * ### Examples
 *
 * **How an Auth implementation will be used**
 *
 *     // authenticating by password
 *     $auth = StaticContainer::get('Piwik\Auth');
 *     $auth->setLogin('user');
 *     $auth->setPassword('password');
 *     $result = $auth->authenticate();
 *
 *     // authenticating by token auth
 *     $auth = StaticContainer::get('Piwik\Auth');
 *     $auth->setLogin('user');
 *     $auth->setTokenAuth('...');
 *     $result = $auth->authenticate();
 *
 * @api
 */
interface Auth
{
    /**
     * Name of the authentication module, e.g., `"Login"`.
     *
     * @return string
     */
    public function getName();

    /**
     * Supplies the authentication token that {@link authenticate()} should check.
     *
     * @param string $token_auth authentication token
     */
    public function setTokenAuth($token_auth);

    /**
     * Login of the user that is being authenticated.
     *
     * @return string
     */
    public function getLogin();

    /**
     * Secret from which a user's token auth is calculated.
     *
     * The token auth of a user is derived from the user's login together with this
     * secret, so the secret should be specific to the user and hard to guess.
     * Piwik's default Auth implementation uses an MD5 hash of the user's password.
     *
     * NOTE(review): anyone who obtains this value and the login can presumably
     * recompute the token auth, so it should be treated like a credential.
     *
     * @return string
     * @throws Exception if the token auth secret does not exist or cannot be obtained.
     */
    public function getTokenAuthSecret();

    /**
     * Supplies the login name to authenticate with.
     *
     * @param string $login The username.
     */
    public function setLogin($login);

    /**
     * Supplies the password to authenticate with.
     *
     * @param string $password Password (not hashed).
     */
    public function setPassword($password);

    /**
     * Supplies a hash of the password to authenticate with. The hash will be an MD5 hash.
     *
     * @param string $passwordHash The hashed password.
     * @throws Exception if authentication by hashed password is not supported.
     */
    public function setPasswordHash($passwordHash);

    /**
     * Authenticates the user with the login and password given through the setters.
     * If a token auth is set and no password is set, the token auth may be used instead.
     *
     * Note: authentication must also succeed when the supplied token auth is a special
     * hash of the user's real token auth, because the SessionInitializer class stores a
     * hash of the token auth in the session cookie. That hash can be calculated with the
     * {@link Piwik\Plugins\Login\SessionInitializer::getHashTokenAuth()} method.
     *
     * NOTE(review): implementations comparing a supplied token or hash with a stored
     * one should use a constant-time comparison such as hash_equals().
     *
     * @return AuthResult
     * @throws Exception if the Auth implementation has an invalid state (ie, no login
     *                   was specified). Note: implementations are not **required** to throw
     *                   exceptions for invalid state, but they are allowed to.
     */
    public function authenticate();
}
| 123 | |
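/**
 * Authentication result. This is what is returned by authentication attempts using {@link Auth}
 * implementations.
 *
 * @api
 */
class AuthResult
{
    /** Result code of a rejected authentication attempt. */
    const FAILURE = 0;
    /** Result code of a successful authentication attempt. */
    const SUCCESS = 1;
    /** Result code of a successful authentication attempt by a user with Super User access. */
    const SUCCESS_SUPERUSER_AUTH_CODE = 42;

    /**
     * token_auth parameter used to authenticate in the API.
     *
     * This value is a credential; avoid writing it to logs or error output.
     *
     * @var string|null
     */
    protected $tokenAuth = null;

    /**
     * The login used to authenticate.
     *
     * @var string|null
     */
    protected $login = null;

    /**
     * The authentication result code. Can be self::FAILURE, self::SUCCESS, or
     * self::SUCCESS_SUPERUSER_AUTH_CODE.
     *
     * @var int|null
     */
    protected $code = null;

    /**
     * Constructor for AuthResult
     *
     * @param int $code one of the result code constants of this class
     * @param string $login identity
     * @param string $tokenAuth
     */
    public function __construct($code, $login, $tokenAuth)
    {
        // The cast guarantees that the comparisons below work on an integer.
        $this->code = (int)$code;
        $this->login = $login;
        $this->tokenAuth = $tokenAuth;
    }

    /**
     * Returns the login used to authenticate.
     *
     * @return string
     */
    public function getIdentity()
    {
        return $this->login;
    }

    /**
     * Returns the token_auth to authenticate the current user in the API
     *
     * @return string
     */
    public function getTokenAuth()
    {
        return $this->tokenAuth;
    }

    /**
     * Returns the authentication result code.
     *
     * @return int
     */
    public function getCode()
    {
        return $this->code;
    }

    /**
     * Returns true if the user has Super User access, false otherwise.
     *
     * @return bool
     */
    public function hasSuperUserAccess()
    {
        // Strict comparison: only the exact integer code grants Super User access.
        // With a loose `==`, a non-integer code coming from a subclass (for example
        // boolean true) would compare equal to 42 through PHP type juggling.
        return $this->getCode() === self::SUCCESS_SUPERUSER_AUTH_CODE;
    }

    /**
     * Returns true if this result represents a successful authentication.
     *
     * Every code greater than self::FAILURE counts as success, not only the two
     * SUCCESS constants, so an Auth implementation must never use an undefined
     * positive code for a rejected attempt.
     *
     * @return bool
     */
    public function wasAuthenticationSuccessful()
    {
        return $this->code > self::FAILURE;
    }
}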
| 222 |