-
Notifications
You must be signed in to change notification settings - Fork 346
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1284 from lightbluetom/general-approach-for-pdo-b…
…asic-auth A more secure and generalized approach for PDO Basic Auth Backend
- Loading branch information
Showing
3 changed files
with
284 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| <?php | ||
|
|
||
| namespace Sabre\DAV\Auth\Backend; | ||
|
|
||
| /** | ||
| * This is an authentication backend that uses a database to manage passwords. | ||
| * | ||
| * @copyright Copyright (C) fruux GmbH (https://fruux.com/) | ||
| * @license http://sabre.io/license/ Modified BSD License | ||
| */ | ||
| class PDOBasicAuth extends AbstractBasic | ||
| { | ||
| /** | ||
| * Reference to PDO connection. | ||
| * | ||
| * @var PDO | ||
| */ | ||
| protected $pdo; | ||
|
|
||
| /** | ||
| * PDO table name we'll be using. | ||
| * | ||
| * @var string | ||
| */ | ||
| protected $tableName; | ||
|
|
||
| /** | ||
| * PDO digest column name we'll be using | ||
| * (i.e. digest, password, password_hash). | ||
| * | ||
| * @var string | ||
| */ | ||
| protected $digestColumn; | ||
|
|
||
| /** | ||
| * PDO uuid(unique user identifier) column name we'll be using | ||
| * (i.e. username, email). | ||
| * | ||
| * @var string | ||
| */ | ||
| protected $uuidColumn; | ||
|
|
||
| /** | ||
| * Digest prefix: | ||
| * if the backend you are using for is prefixing | ||
| * your password hashes set this option to your prefix to | ||
| * cut it off before verfiying. | ||
| * | ||
| * @var string | ||
| */ | ||
| protected $digestPrefix; | ||
|
|
||
| /** | ||
| * Creates the backend object. | ||
| * | ||
| * If the filename argument is passed in, it will parse out the specified file fist. | ||
| */ | ||
| public function __construct(\PDO $pdo, array $options = []) | ||
| { | ||
| $this->pdo = $pdo; | ||
| if (isset($options['tableName'])) { | ||
| $this->tableName = $options['tableName']; | ||
| } else { | ||
| $this->tableName = 'users'; | ||
| } | ||
| if (isset($options['digestColumn'])) { | ||
| $this->digestColumn = $options['digestColumn']; | ||
| } else { | ||
| $this->digestColumn = 'digest'; | ||
| } | ||
| if (isset($options['uuidColumn'])) { | ||
| $this->uuidColumn = $options['uuidColumn']; | ||
| } else { | ||
| $this->uuidColumn = 'username'; | ||
| } | ||
| if (isset($options['digestPrefix'])) { | ||
| $this->digestPrefix = $options['digestPrefix']; | ||
| } | ||
| } | ||
|
|
||
| /** | ||
| * Validates a username and password. | ||
| * | ||
| * This method should return true or false depending on if login | ||
| * succeeded. | ||
| * | ||
| * @param string $username | ||
| * @param string $password | ||
| * | ||
| * @return bool | ||
| */ | ||
| public function validateUserPass($username, $password) | ||
| { | ||
| $stmt = $this->pdo->prepare('SELECT '.$this->digestColumn.' FROM '.$this->tableName.' WHERE '.$this->uuidColumn.' = ?'); | ||
| $stmt->execute([$username]); | ||
| $result = $stmt->fetchAll(); | ||
|
|
||
| if (!count($result)) { | ||
| return false; | ||
| } else { | ||
| $digest = $result[0][$this->digestColumn]; | ||
|
|
||
| if (isset($this->digestPrefix)) { | ||
| $digest = substr($digest, strlen($this->digestPrefix)); | ||
| } | ||
|
|
||
| if (password_verify($password, $digest)) { | ||
| return true; | ||
| } | ||
|
|
||
| return false; | ||
| } | ||
| } | ||
| } |
160 changes: 160 additions & 0 deletions
160
tests/Sabre/DAV/Auth/Backend/AbstractPDOBasicAuthTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,160 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace Sabre\DAV\Auth\Backend; | ||
|
|
||
| use Sabre\HTTP; | ||
|
|
||
| abstract class AbstractPDOBasicAuthTest extends \PHPUnit\Framework\TestCase | ||
| { | ||
| use \Sabre\DAV\DbTestHelperTrait; | ||
|
|
||
| public function setup(): void | ||
| { | ||
| $this->dropTables('users'); | ||
| $this->createSchema('users'); | ||
|
|
||
| // The supplied hash is a salted bcrypt hash of the plaintext : 'password' | ||
| $this->getPDO()->query( | ||
| "INSERT INTO users (username,digesta1) VALUES ('user','\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')" | ||
| ); | ||
| $this->getPDO()->query( | ||
| "INSERT INTO users (username,digesta1) VALUES ('prefix_user','bcrypt\$\$2b\$12\$IwetRH4oj6.AWFGGVy8fpet7Pgp1TafspB6iq1/fiLDxfsGZfi2jS')" | ||
| ); | ||
| } | ||
|
|
||
| public function testConstruct() | ||
| { | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo); | ||
| $this->assertTrue($backend instanceof PDOBasicAuth); | ||
| } | ||
|
|
||
| public function testCheckNoHeaders() | ||
| { | ||
| $request = new HTTP\Request('GET', '/'); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $options = [ | ||
| 'tableName' => 'users', | ||
| 'digestColumn' => 'digesta1', | ||
| 'uuidColumn' => 'username', | ||
| ]; | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo, $options); | ||
|
|
||
| $this->assertFalse( | ||
| $backend->check($request, $response)[0] | ||
| ); | ||
| } | ||
|
|
||
| public function testCheckUnknownUser() | ||
| { | ||
| $request = HTTP\Sapi::createFromServerArray([ | ||
| 'REQUEST_METHOD' => 'GET', | ||
| 'REQUEST_URI' => '/', | ||
| 'PHP_AUTH_USER' => 'unkown_user', | ||
| 'PHP_AUTH_PW' => 'wrongpassword', | ||
| ]); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $options = [ | ||
| 'tableName' => 'users', | ||
| 'digestColumn' => 'digesta1', | ||
| 'uuidColumn' => 'username', | ||
| ]; | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo, $options); | ||
|
|
||
| $this->assertFalse( | ||
| $backend->check($request, $response)[0] | ||
| ); | ||
| } | ||
|
|
||
| public function testCheckAuthenticationFailure() | ||
| { | ||
| $request = HTTP\Sapi::createFromServerArray([ | ||
| 'REQUEST_METHOD' => 'GET', | ||
| 'REQUEST_URI' => '/', | ||
| 'PHP_AUTH_USER' => 'user', | ||
| 'PHP_AUTH_PW' => 'wrongpassword', | ||
| ]); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $options = [ | ||
| 'tableName' => 'users', | ||
| 'digestColumn' => 'digesta1', | ||
| 'uuidColumn' => 'username', | ||
| ]; | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo, $options); | ||
|
|
||
| $this->assertFalse( | ||
| $backend->check($request, $response)[0] | ||
| ); | ||
| } | ||
|
|
||
| public function testCheckSuccess() | ||
| { | ||
| $request = HTTP\Sapi::createFromServerArray([ | ||
| 'REQUEST_METHOD' => 'GET', | ||
| 'REQUEST_URI' => '/', | ||
| 'PHP_AUTH_USER' => 'user', | ||
| 'PHP_AUTH_PW' => 'password', | ||
| ]); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $options = [ | ||
| 'tableName' => 'users', | ||
| 'digestColumn' => 'digesta1', | ||
| 'uuidColumn' => 'username', | ||
| ]; | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo, $options); | ||
| $this->assertEquals( | ||
| [true, 'principals/user'], | ||
| $backend->check($request, $response) | ||
| ); | ||
| } | ||
|
|
||
| public function testPrefixSuccess() | ||
| { | ||
| $request = HTTP\Sapi::createFromServerArray([ | ||
| 'REQUEST_METHOD' => 'GET', | ||
| 'REQUEST_URI' => '/', | ||
| 'PHP_AUTH_USER' => 'prefix_user', | ||
| 'PHP_AUTH_PW' => 'password', | ||
| ]); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $options = [ | ||
| 'tableName' => 'users', | ||
| 'digestColumn' => 'digesta1', | ||
| 'uuidColumn' => 'username', | ||
| 'digestPrefix' => 'bcrypt$', | ||
| ]; | ||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo, $options); | ||
| $this->assertEquals( | ||
| [true, 'principals/prefix_user'], | ||
| $backend->check($request, $response) | ||
| ); | ||
| } | ||
|
|
||
| public function testRequireAuth() | ||
| { | ||
| $request = new HTTP\Request('GET', '/'); | ||
| $response = new HTTP\Response(); | ||
|
|
||
| $pdo = $this->getPDO(); | ||
| $backend = new PDOBasicAuth($pdo); | ||
| $backend->setRealm('writing unittests on a saturday night'); | ||
| $backend->challenge($request, $response); | ||
|
|
||
| $this->assertEquals( | ||
| 'Basic realm="writing unittests on a saturday night", charset="UTF-8"', | ||
| $response->getHeader('WWW-Authenticate') | ||
| ); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| <?php | ||
|
|
||
| declare(strict_types=1); | ||
|
|
||
| namespace Sabre\DAV\Auth\Backend; | ||
|
|
||
| class PDOBasicAuthSqliteTest extends AbstractPDOBasicAuthTest | ||
| { | ||
| public $driver = 'sqlite'; | ||
| } |