tommaso/liceo-ariosto
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

first commit

Browse Source
This commit is contained in:
tommaso
2025-06-17 11:53:18 +02:00
commit 9f0f7ba12b
8804 changed files with 1369176 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
plugins/authentication/cookie/cookie.xml Normal file
View File

@ -0,0 +1,51 @@
<?xml version="1.0" encoding="UTF-8"?>
<extension type="plugin" group="authentication" method="upgrade">
<name>plg_authentication_cookie</name>
<author>Joomla! Project</author>
<creationDate>2013-07</creationDate>
<copyright>(C) 2013 Open Source Matters, Inc.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>PLG_AUTHENTICATION_COOKIE_XML_DESCRIPTION</description>
<namespace path="src">Joomla\Plugin\Authentication\Cookie</namespace>
<files>
<folder plugin="cookie">services</folder>
<folder>src</folder>
</files>
<languages>
<language tag="en-GB">language/en-GB/plg_authentication_cookie.ini</language>
<language tag="en-GB">language/en-GB/plg_authentication_cookie.sys.ini</language>
</languages>
<config>
<fields name="params">
<fieldset name="basic">
<field
name="cookie_lifetime"
type="number"
label="PLG_AUTHENTICATION_COOKIE_FIELD_COOKIE_LIFETIME_LABEL"
default="60"
filter="integer"
required="true"
/>
<field
name="key_length"
type="list"
label="PLG_AUTHENTICATION_COOKIE_FIELD_KEY_LENGTH_LABEL"
default="16"
filter="integer"
required="true"
validate="options"
>
<option value="8">8</option>
<option value="16">16</option>
<option value="32">32</option>
<option value="64">64</option>
</field>
</fieldset>
</fields>
</config>
</extension>

50
plugins/authentication/cookie/services/provider.php Normal file
View File

@ -0,0 +1,50 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.cookie
*
* @copyright (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
\defined('_JEXEC') or die;
use Joomla\CMS\Extension\PluginInterface;
use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\Database\DatabaseInterface;
use Joomla\DI\Container;
use Joomla\DI\ServiceProviderInterface;
use Joomla\Event\DispatcherInterface;
use Joomla\Plugin\Authentication\Cookie\Extension\Cookie;
return new class () implements ServiceProviderInterface {
/**
* Registers the service provider with a DI container.
*
* @param Container $container The DI container.
*
* @return void
*
* @since 4.3.0
*/
public function register(Container $container)
{
$container->set(
PluginInterface::class,
function (Container $container) {
$plugin = new Cookie(
$container->get(DispatcherInterface::class),
(array) PluginHelper::getPlugin('authentication', 'cookie')
);
$plugin->setApplication(Factory::getApplication());
$plugin->setDatabase($container->get(DatabaseInterface::class));
$plugin->setUserFactory($container->get(UserFactoryInterface::class));
return $plugin;
}
);
}
};

404
plugins/authentication/cookie/src/Extension/Cookie.php Normal file
View File

@ -0,0 +1,404 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.cookie
*
* @copyright (C) 2013 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Authentication\Cookie\Extension;
use Joomla\CMS\Authentication\Authentication;
use Joomla\CMS\Filter\InputFilter;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Log\Log;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\User\UserFactoryAwareTrait;
use Joomla\CMS\User\UserHelper;
use Joomla\Database\DatabaseAwareTrait;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Joomla Authentication plugin
*
* @since 3.2
* @note Code based on http://jaspan.com/improved_persistent_login_cookie_best_practice
* and http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/
*/
final class Cookie extends CMSPlugin
{
use DatabaseAwareTrait;
use UserFactoryAwareTrait;
/**
* Reports the privacy related capabilities for this plugin to site administrators.
*
* @return array
*
* @since 3.9.0
*/
public function onPrivacyCollectAdminCapabilities()
{
$this->loadLanguage();
return [
$this->getApplication()->getLanguage()->_('PLG_AUTHENTICATION_COOKIE') => [
$this->getApplication()->getLanguage()->_('PLG_AUTHENTICATION_COOKIE_PRIVACY_CAPABILITY_COOKIE'),
],
];
}
/**
* This method should handle any authentication and report back to the subject
*
* @param array $credentials Array holding the user credentials
* @param array $options Array of extra options
* @param object &$response Authentication response object
*
* @return boolean
*
* @since 3.2
*/
public function onUserAuthenticate($credentials, $options, &$response)
{
$app = $this->getApplication();
// No remember me for admin
if ($app->isClient('administrator')) {
return false;
}
// Get cookie
$cookieName = 'joomla_remember_me_' . UserHelper::getShortHashedUserAgent();
$cookieValue = $app->getInput()->cookie->get($cookieName);
// Try with old cookieName (pre 3.6.0) if not found
if (!$cookieValue) {
$cookieName = UserHelper::getShortHashedUserAgent();
$cookieValue = $app->getInput()->cookie->get($cookieName);
}
if (!$cookieValue) {
return false;
}
$cookieArray = explode('.', $cookieValue);
// Check for valid cookie value
if (\count($cookieArray) !== 2) {
// Destroy the cookie in the browser.
$app->getInput()->cookie->set($cookieName, '', 1, $app->get('cookie_path', '/'), $app->get('cookie_domain', ''));
Log::add('Invalid cookie detected.', Log::WARNING, 'error');
return false;
}
$response->type = 'Cookie';
// Filter series since we're going to use it in the query
$filter = new InputFilter();
$series = $filter->clean($cookieArray[1], 'ALNUM');
$now = time();
// Remove expired tokens
$db = $this->getDatabase();
$query = $db->getQuery(true)
->delete($db->quoteName('#__user_keys'))
->where($db->quoteName('time') . ' < :now')
->bind(':now', $now);
try {
$db->setQuery($query)->execute();
} catch (\RuntimeException $e) {
// We aren't concerned with errors from this query, carry on
}
// Find the matching record if it exists.
$query = $db->getQuery(true)
->select($db->quoteName(['user_id', 'token', 'series', 'time']))
->from($db->quoteName('#__user_keys'))
->where($db->quoteName('series') . ' = :series')
->where($db->quoteName('uastring') . ' = :uastring')
->order($db->quoteName('time') . ' DESC')
->bind(':series', $series)
->bind(':uastring', $cookieName);
try {
$results = $db->setQuery($query)->loadObjectList();
} catch (\RuntimeException $e) {
$response->status = Authentication::STATUS_FAILURE;
return false;
}
if (\count($results) !== 1) {
// Destroy the cookie in the browser.
$app->getInput()->cookie->set($cookieName, '', 1, $app->get('cookie_path', '/'), $app->get('cookie_domain', ''));
$response->status = Authentication::STATUS_FAILURE;
return false;
}
// We have a user with one cookie with a valid series and a corresponding record in the database.
if (!UserHelper::verifyPassword($cookieArray[0], $results[0]->token)) {
/*
* This is a real attack!
* Either the series was guessed correctly or a cookie was stolen and used twice (once by attacker and once by victim).
* Delete all tokens for this user!
*/
$query = $db->getQuery(true)
->delete($db->quoteName('#__user_keys'))
->where($db->quoteName('user_id') . ' = :userid')
->bind(':userid', $results[0]->user_id);
try {
$db->setQuery($query)->execute();
} catch (\RuntimeException $e) {
// Log an alert for the site admin
Log::add(
sprintf('Failed to delete cookie token for user %s with the following error: %s', $results[0]->user_id, $e->getMessage()),
Log::WARNING,
'security'
);
}
// Destroy the cookie in the browser.
$app->getInput()->cookie->set($cookieName, '', 1, $app->get('cookie_path', '/'), $app->get('cookie_domain', ''));
// Issue warning by email to user and/or admin?
Log::add(Text::sprintf('PLG_AUTHENTICATION_COOKIE_ERROR_LOG_LOGIN_FAILED', $results[0]->user_id), Log::WARNING, 'security');
$response->status = Authentication::STATUS_FAILURE;
return false;
}
// Make sure there really is a user with this name and get the data for the session.
$query = $db->getQuery(true)
->select($db->quoteName(['id', 'username', 'password']))
->from($db->quoteName('#__users'))
->where($db->quoteName('username') . ' = :userid')
->where($db->quoteName('requireReset') . ' = 0')
->bind(':userid', $results[0]->user_id);
try {
$result = $db->setQuery($query)->loadObject();
} catch (\RuntimeException $e) {
$response->status = Authentication::STATUS_FAILURE;
return false;
}
if ($result) {
// Bring this in line with the rest of the system
$user = $this->getUserFactory()->loadUserById($result->id);
// Set response data.
$response->username = $result->username;
$response->email = $user->email;
$response->fullname = $user->name;
$response->password = $result->password;
$response->language = $user->getParam('language');
// Set response status.
$response->status = Authentication::STATUS_SUCCESS;
$response->error_message = '';
} else {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $app->getLanguage()->_('JGLOBAL_AUTH_NO_USER');
}
}
/**
* We set the authentication cookie only after login is successfully finished.
* We set a new cookie either for a user with no cookies or one
* where the user used a cookie to authenticate.
*
* @param array $options Array holding options
*
* @return boolean True on success
*
* @since 3.2
*/
public function onUserAfterLogin($options)
{
$app = $this->getApplication();
// No remember me for admin
if ($app->isClient('administrator')) {
return false;
}
$db = $this->getDatabase();
if (isset($options['responseType']) && $options['responseType'] === 'Cookie') {
// Logged in using a cookie
$cookieName = 'joomla_remember_me_' . UserHelper::getShortHashedUserAgent();
// We need the old data to get the existing series
$cookieValue = $app->getInput()->cookie->get($cookieName);
// Try with old cookieName (pre 3.6.0) if not found
if (!$cookieValue) {
$oldCookieName = UserHelper::getShortHashedUserAgent();
$cookieValue = $app->getInput()->cookie->get($oldCookieName);
// Destroy the old cookie in the browser
$app->getInput()->cookie->set($oldCookieName, '', 1, $app->get('cookie_path', '/'), $app->get('cookie_domain', ''));
}
$cookieArray = explode('.', $cookieValue);
// Filter series since we're going to use it in the query
$filter = new InputFilter();
$series = $filter->clean($cookieArray[1], 'ALNUM');
} elseif (!empty($options['remember'])) {
// Remember checkbox is set
$cookieName = 'joomla_remember_me_' . UserHelper::getShortHashedUserAgent();
// Create a unique series which will be used over the lifespan of the cookie
$unique = false;
$errorCount = 0;
do {
$series = UserHelper::genRandomPassword(20);
$query = $db->getQuery(true)
->select($db->quoteName('series'))
->from($db->quoteName('#__user_keys'))
->where($db->quoteName('series') . ' = :series')
->bind(':series', $series);
try {
$results = $db->setQuery($query)->loadResult();
if ($results === null) {
$unique = true;
}
} catch (\RuntimeException $e) {
$errorCount++;
// We'll let this query fail up to 5 times before giving up, there's probably a bigger issue at this point
if ($errorCount === 5) {
return false;
}
}
} while ($unique === false);
} else {
return false;
}
// Get the parameter values
$lifetime = $this->params->get('cookie_lifetime', 60) * 24 * 60 * 60;
$length = $this->params->get('key_length', 16);
// Generate new cookie
$token = UserHelper::genRandomPassword($length);
$cookieValue = $token . '.' . $series;
// Overwrite existing cookie with new value
$app->getInput()->cookie->set(
$cookieName,
$cookieValue,
time() + $lifetime,
$app->get('cookie_path', '/'),
$app->get('cookie_domain', ''),
$app->isHttpsForced(),
true
);
$query = $db->getQuery(true);
if (!empty($options['remember'])) {
$future = (time() + $lifetime);
// Create new record
$query
->insert($db->quoteName('#__user_keys'))
->set($db->quoteName('user_id') . ' = :userid')
->set($db->quoteName('series') . ' = :series')
->set($db->quoteName('uastring') . ' = :uastring')
->set($db->quoteName('time') . ' = :time')
->bind(':userid', $options['user']->username)
->bind(':series', $series)
->bind(':uastring', $cookieName)
->bind(':time', $future);
} else {
// Update existing record with new token
$query
->update($db->quoteName('#__user_keys'))
->where($db->quoteName('user_id') . ' = :userid')
->where($db->quoteName('series') . ' = :series')
->where($db->quoteName('uastring') . ' = :uastring')
->bind(':userid', $options['user']->username)
->bind(':series', $series)
->bind(':uastring', $cookieName);
}
$hashedToken = UserHelper::hashPassword($token);
$query->set($db->quoteName('token') . ' = :token')
->bind(':token', $hashedToken);
try {
$db->setQuery($query)->execute();
} catch (\RuntimeException $e) {
return false;
}
return true;
}
/**
* This is where we delete any authentication cookie when a user logs out
*
* @param array $options Array holding options (length, timeToExpiration)
*
* @return boolean True on success
*
* @since 3.2
*/
public function onUserAfterLogout($options)
{
$app = $this->getApplication();
// No remember me for admin
if ($app->isClient('administrator')) {
return false;
}
$cookieName = 'joomla_remember_me_' . UserHelper::getShortHashedUserAgent();
$cookieValue = $app->getInput()->cookie->get($cookieName);
// There are no cookies to delete.
if (!$cookieValue) {
return true;
}
$cookieArray = explode('.', $cookieValue);
// Filter series since we're going to use it in the query
$filter = new InputFilter();
$series = $filter->clean($cookieArray[1], 'ALNUM');
// Remove the record from the database
$db = $this->getDatabase();
$query = $db->getQuery(true)
->delete($db->quoteName('#__user_keys'))
->where($db->quoteName('series') . ' = :series')
->bind(':series', $series);
try {
$db->setQuery($query)->execute();
} catch (\RuntimeException $e) {
// We aren't concerned with errors from this query, carry on
}
// Destroy the cookie
$app->getInput()->cookie->set($cookieName, '', 1, $app->get('cookie_path', '/'), $app->get('cookie_domain', ''));
return true;
}
}

21
plugins/authentication/joomla/joomla.xml Normal file
View File

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="UTF-8"?>
<extension type="plugin" group="authentication" method="upgrade">
<name>plg_authentication_joomla</name>
<author>Joomla! Project</author>
<creationDate>2005-11</creationDate>
<copyright>(C) 2005 Open Source Matters, Inc.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>PLG_AUTHENTICATION_JOOMLA_XML_DESCRIPTION</description>
<namespace path="src">Joomla\Plugin\Authentication\Joomla</namespace>
<files>
<folder plugin="joomla">services</folder>
<folder>src</folder>
</files>
<languages>
<language tag="en-GB">language/en-GB/plg_authentication_joomla.ini</language>
<language tag="en-GB">language/en-GB/plg_authentication_joomla.sys.ini</language>
</languages>
</extension>

50
plugins/authentication/joomla/services/provider.php Normal file
View File

@ -0,0 +1,50 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.joomla
*
* @copyright (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
\defined('_JEXEC') or die;
use Joomla\CMS\Extension\PluginInterface;
use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\CMS\User\UserFactoryInterface;
use Joomla\Database\DatabaseInterface;
use Joomla\DI\Container;
use Joomla\DI\ServiceProviderInterface;
use Joomla\Event\DispatcherInterface;
use Joomla\Plugin\Authentication\Joomla\Extension\Joomla;
return new class () implements ServiceProviderInterface {
/**
* Registers the service provider with a DI container.
*
* @param Container $container The DI container.
*
* @return void
*
* @since 4.3.0
*/
public function register(Container $container)
{
$container->set(
PluginInterface::class,
function (Container $container) {
$plugin = new Joomla(
$container->get(DispatcherInterface::class),
(array) PluginHelper::getPlugin('authentication', 'joomla')
);
$plugin->setApplication(Factory::getApplication());
$plugin->setDatabase($container->get(DatabaseInterface::class));
$plugin->setUserFactory($container->get(UserFactoryInterface::class));
return $plugin;
}
);
}
};

128
plugins/authentication/joomla/src/Extension/Joomla.php Normal file
View File

@ -0,0 +1,128 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.joomla
*
* @copyright (C) 2006 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Authentication\Joomla\Extension;
use Joomla\CMS\Authentication\Authentication;
use Joomla\CMS\Event\User\AuthenticationEvent;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\CMS\User\UserFactoryAwareTrait;
use Joomla\CMS\User\UserHelper;
use Joomla\Database\DatabaseAwareTrait;
use Joomla\Event\SubscriberInterface;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Joomla Authentication plugin
*
* @since 1.5
*/
final class Joomla extends CMSPlugin implements SubscriberInterface
{
use DatabaseAwareTrait;
use UserFactoryAwareTrait;
/**
* Returns an array of events this subscriber will listen to.
*
* @return array
*
* @since 5.0.0
*/
public static function getSubscribedEvents(): array
{
return ['onUserAuthenticate' => 'onUserAuthenticate'];
}
/**
* This method should handle any authentication and report back to the subject
*
* @param AuthenticationEvent $event Authentication event
*
* @return void
*
* @since 1.5
*/
public function onUserAuthenticate(AuthenticationEvent $event)
{
$credentials = $event->getCredentials();
$response = $event->getAuthenticationResponse();
$response->type = 'Joomla';
// Joomla does not like blank passwords
if (empty($credentials['password'])) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
return;
}
$db = $this->getDatabase();
$query = $db->getQuery(true)
->select($db->quoteName(['id', 'password']))
->from($db->quoteName('#__users'))
->where($db->quoteName('username') . ' = :username')
->bind(':username', $credentials['username']);
$db->setQuery($query);
$result = $db->loadObject();
if ($result) {
$match = UserHelper::verifyPassword($credentials['password'], $result->password, $result->id);
if ($match === true) {
// Bring this in line with the rest of the system
$user = $this->getUserFactory()->loadUserById($result->id);
$response->email = $user->email;
$response->fullname = $user->name;
// Set default status response to success
$_status = Authentication::STATUS_SUCCESS;
$_errorMessage = '';
if ($this->getApplication()->isClient('administrator')) {
$response->language = $user->getParam('admin_language');
} else {
$response->language = $user->getParam('language');
if ($this->getApplication()->get('offline') && !$user->authorise('core.login.offline')) {
// User do not have access in offline mode
$_status = Authentication::STATUS_FAILURE;
$_errorMessage = $this->getApplication()->getLanguage()->_('JLIB_LOGIN_DENIED');
}
}
$response->status = $_status;
$response->error_message = $_errorMessage;
// Stop event propagation when status is STATUS_SUCCESS
if ($response->status === Authentication::STATUS_SUCCESS) {
$event->stopPropagation();
}
} else {
// Invalid password
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_INVALID_PASS');
}
} else {
// Let's hash the entered password even if we don't have a matching user for some extra response time
// By doing so, we mitigate side channel user enumeration attacks
UserHelper::hashPassword($credentials['password']);
// Invalid user
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_NO_USER');
}
}
}

186
plugins/authentication/ldap/ldap.xml Normal file
View File

@ -0,0 +1,186 @@
<?xml version="1.0" encoding="UTF-8"?>
<extension type="plugin" group="authentication" method="upgrade">
<name>plg_authentication_ldap</name>
<author>Joomla! Project</author>
<creationDate>2005-11</creationDate>
<copyright>(C) 2005 Open Source Matters, Inc.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<version>3.0.0</version>
<description>PLG_LDAP_XML_DESCRIPTION</description>
<namespace path="src">Joomla\Plugin\Authentication\Ldap</namespace>
<files>
<folder plugin="ldap">services</folder>
<folder>src</folder>
</files>
<languages>
<language tag="en-GB">language/en-GB/plg_authentication_ldap.ini</language>
<language tag="en-GB">language/en-GB/plg_authentication_ldap.sys.ini</language>
</languages>
<config>
<fields name="params">
<fieldset name="basic">
<field
name="host"
type="text"
label="PLG_LDAP_FIELD_HOST_LABEL"
required="true"
/>
<field
name="port"
type="number"
label="PLG_LDAP_FIELD_PORT_LABEL"
min="1"
max="65535"
default="389"
hint="389"
validate="number"
filter="integer"
/>
<field
name="use_ldapV3"
type="radio"
layout="joomla.form.field.radio.switcher"
label="PLG_LDAP_FIELD_V3_LABEL"
default="1"
filter="integer"
>
<option value="0">JNO</option>
<option value="1">JYES</option>
</field>
<field
name="encryption"
type="list"
label="PLG_LDAP_FIELD_ENCRYPTION_LABEL"
default="none"
validate="options"
>
<option value="none">PLG_LDAP_FIELD_VALUE_ENCRYPTIONNONE</option>
<option value="tls">PLG_LDAP_FIELD_VALUE_ENCRYPTIONTLS</option>
<option value="ssl">PLG_LDAP_FIELD_VALUE_ENCRYPTIONSSL</option>
</field>
<field
name="ignore_reqcert_tls"
type="radio"
label="PLG_LDAP_FIELD_IGNORE_REQCERT_TLS_LABEL"
layout="joomla.form.field.radio.switcher"
default="1"
filter="boolean"
showon="encryption!:none"
>
<option value="0">JNO</option>
<option value="1">JYES</option>
</field>
<field
name="cacert"
type="text"
label="PLG_LDAP_FIELD_CACERT_LABEL"
description="PLG_LDAP_FIELD_CACERT_DESC"
required="false"
showon="encryption!:none[AND]ignore_reqcert_tls:0"
/>
<field
name="no_referrals"
type="radio"
label="PLG_LDAP_FIELD_REFERRALS_LABEL"
default="0"
filter="integer"
layout="joomla.form.field.radio.switcher"
>
<option value="0">JNO</option>
<option value="1">JYES</option>
</field>
<field
name="auth_method"
type="list"
label="PLG_LDAP_FIELD_AUTHMETHOD_LABEL"
default="bind"
validate="options"
>
<option value="search">PLG_LDAP_FIELD_VALUE_BINDSEARCH</option>
<option value="bind">PLG_LDAP_FIELD_VALUE_BINDUSER</option>
</field>
<field
name="base_dn"
type="text"
label="PLG_LDAP_FIELD_BASEDN_LABEL"
required="true"
/>
<field
name="search_string"
type="text"
label="PLG_LDAP_FIELD_SEARCHSTRING_LABEL"
description="PLG_LDAP_FIELD_SEARCHSTRING_DESC"
required="true"
/>
<field
name="users_dn"
type="text"
label="PLG_LDAP_FIELD_USERSDN_LABEL"
description="PLG_LDAP_FIELD_USERSDN_DESC"
/>
<field
name="username"
type="text"
label="PLG_LDAP_FIELD_USERNAME_LABEL"
description="PLG_LDAP_FIELD_USERNAME_DESC"
/>
<field
name="password"
type="password"
label="PLG_LDAP_FIELD_PASSWORD_LABEL"
description="PLG_LDAP_FIELD_PASSWORD_DESC"
/>
<field
name="ldap_fullname"
type="text"
label="PLG_LDAP_FIELD_FULLNAME_LABEL"
description="PLG_LDAP_FIELD_FULLNAME_DESC"
default="fullName"
/>
<field
name="ldap_email"
type="text"
label="PLG_LDAP_FIELD_EMAIL_LABEL"
description="PLG_LDAP_FIELD_EMAIL_DESC"
default="mail"
/>
<field
name="ldap_uid"
type="text"
label="PLG_LDAP_FIELD_UID_LABEL"
description="PLG_LDAP_FIELD_UID_DESC"
default="uid"
/>
<field
name="ldap_debug"
type="radio"
label="PLG_LDAP_FIELD_LDAPDEBUG_LABEL"
description="PLG_LDAP_FIELD_LDAPDEBUG_DESC"
default="0"
filter="integer"
layout="joomla.form.field.radio.switcher"
>
<option value="0">JNO</option>
<option value="1">JYES</option>
</field>
</fieldset>
</fields>
</config>
</extension>

48
plugins/authentication/ldap/services/provider.php Normal file
View File

@ -0,0 +1,48 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.ldap
*
* @copyright (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
\defined('_JEXEC') or die;
use Joomla\CMS\Extension\PluginInterface;
use Joomla\CMS\Factory;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\DI\Container;
use Joomla\DI\ServiceProviderInterface;
use Joomla\Event\DispatcherInterface;
use Joomla\Plugin\Authentication\Ldap\Extension\Ldap;
use Joomla\Plugin\Authentication\Ldap\Factory\LdapFactory;
return new class () implements ServiceProviderInterface {
/**
* Registers the service provider with a DI container.
*
* @param Container $container The DI container.
*
* @return void
*
* @since 4.3.0
*/
public function register(Container $container)
{
$container->set(
PluginInterface::class,
function (Container $container) {
$plugin = new Ldap(
new LdapFactory(),
$container->get(DispatcherInterface::class),
(array) PluginHelper::getPlugin('authentication', 'ldap')
);
$plugin->setApplication(Factory::getApplication());
return $plugin;
}
);
}
};

298
plugins/authentication/ldap/src/Extension/Ldap.php Normal file
View File

@ -0,0 +1,298 @@
<?php
/**
* @package Joomla.Plugin
* @subpackage Authentication.ldap
*
* @copyright (C) 2006 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Authentication\Ldap\Extension;
use Joomla\CMS\Authentication\Authentication;
use Joomla\CMS\Log\Log;
use Joomla\CMS\Plugin\CMSPlugin;
use Joomla\Event\DispatcherInterface;
use Joomla\Plugin\Authentication\Ldap\Factory\LdapFactoryInterface;
use Symfony\Component\Ldap\Entry;
use Symfony\Component\Ldap\Exception\ConnectionException;
use Symfony\Component\Ldap\Exception\LdapException;
use Symfony\Component\Ldap\LdapInterface;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* LDAP Authentication Plugin
*
* @since 1.5
*/
final class Ldap extends CMSPlugin
{
/**
* The ldap factory
*
* @var LdapFactoryInterface
* @since 4.3.0
*/
private $factory;
/**
* Constructor
*
* @param LdapFactoryInterface $factory The Ldap factory
* @param DispatcherInterface $dispatcher The object to observe
* @param array $config An optional associative array of configuration settings.
* Recognized key values include 'name', 'group', 'params', 'language'
* (this list is not meant to be comprehensive).
*
* @since 4.3.0
*/
public function __construct(LdapFactoryInterface $factory, DispatcherInterface $dispatcher, array $config = [])
{
parent::__construct($dispatcher, $config);
$this->factory = $factory;
}
/**
* This method should handle any authentication and report back to the subject
*
* @param array $credentials Array holding the user credentials
* @param array $options Array of extra options
* @param object &$response Authentication response object
*
* @return boolean
*
* @since 1.5
*/
public function onUserAuthenticate($credentials, $options, &$response)
{
// If LDAP not correctly configured then bail early.
if (!$this->params->get('host', '')) {
return false;
}
// For JLog
$logcategory = 'ldap';
$response->type = $logcategory;
// Strip null bytes from the password
$credentials['password'] = str_replace(\chr(0), '', $credentials['password']);
// LDAP does not like Blank passwords (tries to Anon Bind which is bad)
if (empty($credentials['password'])) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_EMPTY_PASS_NOT_ALLOWED');
return false;
}
// Load plugin params info
$ldap_email = $this->params->get('ldap_email', '');
$ldap_fullname = $this->params->get('ldap_fullname', '');
$ldap_uid = $this->params->get('ldap_uid', '');
$auth_method = $this->params->get('auth_method', '');
// Load certificate info
$ignore_reqcert_tls = (bool) $this->params->get('ignore_reqcert_tls', '1');
$cacert = $this->params->get('cacert', '');
// getting certificate file and certificate directory options (both need to be set)
if (!$ignore_reqcert_tls && !empty($cacert)) {
if (is_dir($cacert)) {
$cacertdir = $cacert;
$cacertfile = "";
} elseif (is_file($cacert)) {
$cacertfile = $cacert;
$cacertdir = \dirname($cacert);
} else {
$cacertfile = $cacert;
$cacertdir = $cacert;
Log::add(sprintf('Certificate path for LDAP client is neither an existing file nor directory: "%s"', $cacert), Log::ERROR, $logcategory);
}
} else {
Log::add(sprintf('Not setting any LDAP TLS CA certificate options because %s, system wide settings are used', $ignore_reqcert_tls ? "certificate is ignored" : "no certificate location is configured"), Log::DEBUG, $logcategory);
}
$options = [
'host' => $this->params->get('host', ''),
'port' => (int) $this->params->get('port', ''),
'version' => $this->params->get('use_ldapV3', '1') == '1' ? 3 : 2,
'referrals' => (bool) $this->params->get('no_referrals', '0'),
'encryption' => $this->params->get('encryption', 'none'),
'debug' => (bool) $this->params->get('ldap_debug', '0'),
'options' => [
'x_tls_require_cert' => $ignore_reqcert_tls ? LDAP_OPT_X_TLS_NEVER : LDAP_OPT_X_TLS_DEMAND,
],
];
// if these are not set, the system defaults are used
if (isset($cacertdir) && isset($cacertfile)) {
$options['options']['x_tls_cacertdir'] = $cacertdir;
$options['options']['x_tls_cacertfile'] = $cacertfile;
}
Log::add(sprintf('Creating LDAP session with options: %s', json_encode($options)), Log::DEBUG, $logcategory);
$connection_string = sprintf('ldap%s://%s:%s', 'ssl' === $options['encryption'] ? 's' : '', $options['host'], $options['port']);
Log::add(sprintf('Creating LDAP session to connect to "%s" while binding', $connection_string), Log::DEBUG, $logcategory);
$ldap = $this->factory->createLdap($options);
switch ($auth_method) {
case 'search':
try {
$dn = $this->params->get('username', '');
Log::add(sprintf('Binding to LDAP server with administrative dn "%s" and given administrative password (anonymous if user dn is blank)', $dn), Log::DEBUG, $logcategory);
$ldap->bind($dn, $this->params->get('password', ''));
} catch (ConnectionException | LdapException $exception) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_NOT_CONNECT');
Log::add($exception->getMessage(), Log::ERROR, $logcategory);
return;
}
// Search for users DN
try {
$searchstring = str_replace(
'[search]',
str_replace(';', '\3b', $ldap->escape($credentials['username'], '', LDAP_ESCAPE_FILTER)),
$this->params->get('search_string', '')
);
Log::add(sprintf('Searching LDAP entry with filter: "%s"', $searchstring), Log::DEBUG, $logcategory);
$entry = $this->searchByString($searchstring, $ldap);
} catch (LdapException $exception) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED');
Log::add($exception->getMessage(), Log::ERROR, $logcategory);
return;
}
if (!$entry) {
// we did not find the login in LDAP
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_NO_USER');
Log::add($this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_USER_NOT_FOUND'), Log::ERROR, $logcategory);
return;
}
Log::add(sprintf('LDAP entry found at "%s"', $entry->getDn()), Log::DEBUG, $logcategory);
try {
// Verify Users Credentials
Log::add(sprintf('Binding to LDAP server with found user dn "%s" and user entered password', $entry->getDn()), Log::DEBUG, $logcategory);
$ldap->bind($entry->getDn(), $credentials['password']);
} catch (ConnectionException $exception) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_INVALID_PASS');
Log::add($exception->getMessage(), Log::ERROR, $logcategory);
return;
}
break;
case 'bind':
// We just accept the result here
try {
if ($this->params->get('users_dn', '') == '') {
$dn = $credentials['username'];
} else {
$dn = str_replace(
'[username]',
$ldap->escape($credentials['username'], '', LDAP_ESCAPE_DN),
$this->params->get('users_dn', '')
);
}
Log::add(sprintf('Direct binding to LDAP server with entered user dn "%s" and user entered password', $dn), Log::DEBUG, $logcategory);
$ldap->bind($dn, $credentials['password']);
} catch (ConnectionException | LdapException $exception) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_INVALID_PASS');
Log::add($exception->getMessage(), Log::ERROR, $logcategory);
return;
}
try {
$searchstring = str_replace(
'[search]',
str_replace(';', '\3b', $ldap->escape($credentials['username'], '', LDAP_ESCAPE_FILTER)),
$this->params->get('search_string', '')
);
Log::add(sprintf('Searching LDAP entry with filter: "%s"', $searchstring), Log::DEBUG, $logcategory);
$entry = $this->searchByString($searchstring, $ldap);
} catch (LdapException $exception) {
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED');
Log::add($exception->getMessage(), Log::ERROR, $logcategory);
return;
}
if (!$entry) {
// we did not find the login in LDAP
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_NO_USER');
Log::add($this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_USER_NOT_FOUND'), Log::ERROR, $logcategory);
return;
}
Log::add(sprintf('LDAP entry found at "%s"', $entry->getDn()), Log::DEBUG, $logcategory);
break;
default:
// Unsupported configuration
$response->status = Authentication::STATUS_FAILURE;
$response->error_message = $this->getApplication()->getLanguage()->_('JGLOBAL_AUTH_UNKNOWN_ACCESS_DENIED');
Log::add($response->error_message, Log::ERROR, $logcategory);
return;
}
// Grab some details from LDAP and return them
$response->username = $entry->getAttribute($ldap_uid)[0] ?? false;
$response->email = $entry->getAttribute($ldap_email)[0] ?? false;
$response->fullname = $entry->getAttribute($ldap_fullname)[0] ?? $credentials['username'];
// Were good - So say so.
Log::add(sprintf('LDAP login succeeded; username: "%s", email: "%s", fullname: "%s"', $response->username, $response->email, $response->fullname), Log::DEBUG, $logcategory);
$response->status = Authentication::STATUS_SUCCESS;
$response->error_message = '';
// The connection is no longer needed, destroy the object to close it
unset($ldap);
}
/**
* Shortcut method to perform a LDAP search based on a semicolon separated string
*
* Note that this method requires that semicolons which should be part of the search term to be escaped
* to correctly split the search string into separate lookups
*
* @param string $search search string of search values
* @param LdapInterface $ldap The LDAP client
*
* @return Entry|null The search result entry if a matching record was found
*
* @since 3.8.2
*/
private function searchByString(string $search, LdapInterface $ldap)
{
$dn = $this->params->get('base_dn', '');
// We return the first entry from the first search result which contains data
foreach (explode(';', $search) as $key => $result) {
$results = $ldap->query($dn, '(' . str_replace('\3b', ';', $result) . ')')->execute();
if (\count($results)) {
return $results[0];
}
}
}
}

41
plugins/authentication/ldap/src/Factory/LdapFactory.php Normal file
View File

@ -0,0 +1,41 @@
<?php
/**
* Joomla! Content Management System
*
* @copyright (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Authentication\Ldap\Factory;
use Symfony\Component\Ldap\Ldap;
use Symfony\Component\Ldap\LdapInterface;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Factory to create Ldap clients.
*
* @since 4.3.0
*/
class LdapFactory implements LdapFactoryInterface
{
/**
* Method to load and return an Ldap client.
*
* @param array $config The configuration array for the ldap client
*
* @return LdapInterface
*
* @since 4.3.0
*
* @throws \Exception
*/
public function createLdap(array $config): LdapInterface
{
return Ldap::create('ext_ldap', $config);
}
}

36
plugins/authentication/ldap/src/Factory/LdapFactoryInterface.php Normal file
View File

@ -0,0 +1,36 @@
<?php
/**
* Joomla! Content Management System
*
* @copyright (C) 2023 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
namespace Joomla\Plugin\Authentication\Ldap\Factory;
use Symfony\Component\Ldap\LdapInterface;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* Factory to create Ldap clients.
*
* @since 4.3.0
*/
interface LdapFactoryInterface
{
/**
* Method to load and return an Ldap client.
*
* @param array $config The configuration array for the ldap client
*
* @return LdapInterface
*
* @since 4.3.0
* @throws \Exception
*/
public function createLdap(array $config): LdapInterface;
}