-rw-r--r--endpoints/rest.php8
-rw-r--r--engine/lib/api.php69
-rw-r--r--engine/lib/pam.php64
3 files changed, 69 insertions, 72 deletions
diff --git a/endpoints/rest.php b/endpoints/rest.php
index 862540e57..6d4e253f8 100644
--- a/endpoints/rest.php
+++ b/endpoints/rest.php
@@ -33,8 +33,8 @@
throw new ConfigurationException("Sorry, API access has been disabled by the administrator.");
// Register some default PAM methods, plugins can add their own
- register_api_pam_handler('pam_auth_session');
- register_api_pam_handler('pam_auth_hmac');
+ register_pam_handler('pam_auth_session');
+ register_pam_handler('pam_auth_hmac');
// Get parameter variables
$format = get_input('format', 'php');
@@ -42,7 +42,7 @@
$result = null;
// Authenticate session
- if (api_pam_authenticate())
+ if (pam_authenticate())
{
// Authenticated somehow, now execute.
$token = "";
@@ -51,6 +51,8 @@
$result = execute_method($method, $params, $token);
}
+ else
+ throw new SecurityException("No authentication methods were found that could authenticate this API request.");
// Finally output
if (!($result instanceof GenericResult))
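Review bot: The added `else` on the rejection path has no braces while the `if` branch above it does, so a statement added after the `throw` later would run unconditionally, for authenticated requests as well. Wrapping the `throw new SecurityException(...)` in `{ }` keeps the fail-closed branch unambiguous. Since `pam_authenticate()` now returns false where `api_pam_authenticate()` used to throw, this branch is the only thing that stops an unauthenticated REST call, and a one-line comment such as `// pam_authenticate() returns false on failure; reject here` would make that clear. The enclosing block starts and ends outside the hunk.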
diff --git a/engine/lib/api.php b/engine/lib/api.php
index 4eb1905b5..dccb703f8 100644
--- a/engine/lib/api.php
+++ b/engine/lib/api.php
@@ -615,76 +615,11 @@
}
// PAM functions //////////////////////////////////////////////////////////////////////////
-
- $PAM_HANDLERS = array();
- $PAM_HANDLER_MSG = array(); // Messages
-
- /**
- * Register a method of authenticating an incoming API request.
- * This function registers a PAM handler which is a function that matches the desciption pam_handler_name()
- * and returns either 'true' if an incoming api request was authorised, false or throws an exception if not.
- *
- * The handlers are tried in turn until one of them successfully authenticates the session.
- *
- * This architecture lets an administrator choose what methods to accept for API authentication or
- *
- * @param unknown_type $handler
- */
- function register_api_pam_handler($handler)
- {
- global $PAM_HANDLERS;
-
- if (is_callable($handler))
- {
- $PAM_HANDLERS[$handler] = $handler;
- return true;
- }
-
- return false;
- }
-
- /**
- * Magically authenticate an API session using one of the registered methods.
- *
- * This function will return true if authentication was possible, otherwise it'll throw an exception.
- *
- * If $CONFIG->debug is set then additional debug information will be returned.
- */
- function api_pam_authenticate()
- {
- global $PAM_HANDLERS, $PAM_HANDLER_MSG;
- global $CONFIG;
-
- $dbg_msgs = array();
- foreach ($PAM_HANDLERS as $k => $v)
- {
- try {
- // Execute the handler
- if ($v())
- {
- // Explicitly returned true
- $PAM_HANDLER_MSG[$k] = "Authenticated!";
-
- return true;
- }
- else
- $PAM_HANDLER_MSG[$k] = "Not Authenticated.";
- }
- catch (Exception $e)
- {
- $PAM_HANDLER_MSG[$k] = "$e";
- }
- }
-
- // Got this far, so no methods could be found to authenticate the session
- throw new SecurityException("No authentication methods were found that could authenticate this request.");
- }
-
/**
* See if the user has a valid login sesson.
*/
- function pam_auth_session()
+ function pam_auth_session($credentials = NULL)
{
return isloggedin();
}
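Review bot: `pam_auth_session($credentials = NULL)` takes the new parameter but still returns `isloggedin()` without looking at it, so if a caller passes explicit credentials to `pam_authenticate()`, an existing session would satisfy the check whatever was supplied. That is at odds with the contract documented in pam.php, which says a handler given credentials should authenticate with them. No caller in this diff passes credentials (rest.php calls `pam_authenticate()` with none), so this is a latent issue rather than a live one. Either return early with `if ($credentials !== NULL) return false;` before the `isloggedin()` call, or state in the docblock that this handler deliberately ignores `$credentials`. The same question applies to `pam_auth_hmac($credentials = NULL)` in the next hunk, whose body is outside the visible lines.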
@@ -692,7 +627,7 @@
/**
* Secure authentication through headers and HMAC.
*/
- function pam_auth_hmac()
+ function pam_auth_hmac($credentials = NULL)
{
global $CONFIG;
diff --git a/engine/lib/pam.php b/engine/lib/pam.php
index 1986b5897..6bbfce79d 100644
--- a/engine/lib/pam.php
+++ b/engine/lib/pam.php
@@ -7,9 +7,69 @@
* @package Elgg
* @subpackage Core
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
+ * @author Marcus Povey
* @copyright Curverider Ltd 2008
* @link http://elgg.org/
*/
-
+
+ $_PAM_HANDLERS = array();
+ $_PAM_HANDLERS_MSG = array();
+
+
+ /**
+ * Register a PAM handler.
+ *
+ * @param string $handler The handler function in the format
+ * pam_handler($credentials = NULL);
+ */
+ function register_pam_handler($handler)
+ {
+ global $_PAM_HANDLERS;
+
+ if (is_callable($handler))
+ {
+ $_PAM_HANDLERS[$handler] = $handler;
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Attempt to authenticate.
+ * This function will go through all registered PAM handlers to see if a user can be authorised.
+ *
+ * If $credentials are provided the PAM handler should authenticate using the provided credentials, if
+ * not then credentials should be prompted for or otherwise retrieved (eg from the HTTP header or $_SESSION).
+ *
+ * @param mixed $credentials Mixed PAM handler specific credentials (eg username,password or hmac etc)
+ * @return bool true if authenticated, false if not.
+ */
+ function pam_authenticate($credentials = NULL)
+ {
+ global $_PAM_HANDLERS, $_PAM_HANDLERS_MSG;
+
+ foreach ($_PAM_HANDLERS as $k => $v)
+ {
+ try {
+ // Execute the handler
+ if ($v($credentials))
+ {
+ // Explicitly returned true
+ $_PAM_HANDLERS_MSG[$k] = "Authenticated!";
+
+ return true;
+ }
+ else
+ $_PAM_HANDLERS_MSG[$k] = "Not Authenticated.";
+ }
+ catch (Exception $e)
+ {
+ $_PAM_HANDLERS_MSG[$k] = "$e";
+ }
+ }
+
+ return false;
+ }
+
?> \ No newline at end of file
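Review bot: In `pam_authenticate()` the test `if ($v($credentials))` accepts any truthy return value, although the comment beneath it says "Explicitly returned true"; a handler that returns a non-empty string or array, such as an error message, would authenticate the request. A strict comparison, `if ($v($credentials) === true)`, makes the code match the comment, provided the existing handlers return real booleans (the return type of `isloggedin()` is not visible here). Separately, `$_PAM_HANDLERS_MSG[$k] = "$e";` stores the whole exception string, stack trace included, so `$e->getMessage()` is the safer choice if these messages are ever shown to API clients. The docblock should also say that callers must check the return value, because unlike the removed `api_pam_authenticate()` this function no longer throws on failure.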