-rw-r--r-- | endpoints/rest.php | 8 | ||||
-rw-r--r-- | engine/lib/api.php | 69 | ||||
-rw-r--r-- | engine/lib/pam.php | 64 |
3 files changed, 69 insertions, 72 deletions
diff --git a/endpoints/rest.php b/endpoints/rest.php index 862540e57..6d4e253f8 100644 --- a/endpoints/rest.php +++ b/endpoints/rest.php @@ -33,8 +33,8 @@ throw new ConfigurationException("Sorry, API access has been disabled by the administrator."); // Register some default PAM methods, plugins can add their own - register_api_pam_handler('pam_auth_session'); - register_api_pam_handler('pam_auth_hmac'); + register_pam_handler('pam_auth_session'); + register_pam_handler('pam_auth_hmac'); // Get parameter variables $format = get_input('format', 'php'); @@ -42,7 +42,7 @@ $result = null; // Authenticate session - if (api_pam_authenticate()) + if (pam_authenticate()) { // Authenticated somehow, now execute. $token = ""; @@ -51,6 +51,8 @@ $result = execute_method($method, $params, $token); } + else + throw new SecurityException("No authentication methods were found that could authenticate this API request."); // Finally output if (!($result instanceof GenericResult)) diff --git a/engine/lib/api.php b/engine/lib/api.php index 4eb1905b5..dccb703f8 100644 --- a/engine/lib/api.php +++ b/engine/lib/api.php 
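Review bot: In endpoints/rest.php the denial path now hangs on a brace-less `else` after the authenticated block (hunk at -51,6), because `pam_authenticate()` returns false where `api_pam_authenticate()` used to throw. A guard clause ahead of the method handling, `if (!pam_authenticate()) throw new SecurityException("No authentication methods were found that could authenticate this API request.");`, puts the failure path first and cannot be detached by a later edit to the `if` body. The return values of the two `register_pam_handler()` calls in the first hunk are discarded, so a handler that is not callable is dropped silently and the endpoint runs with fewer methods; logging a failed registration would make that visible. The script continues outside these hunks.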
@@ -615,76 +615,11 @@ } // PAM functions ////////////////////////////////////////////////////////////////////////// - - $PAM_HANDLERS = array(); - $PAM_HANDLER_MSG = array(); // Messages - - /** - * Register a method of authenticating an incoming API request. - * This function registers a PAM handler which is a function that matches the desciption pam_handler_name() - * and returns either 'true' if an incoming api request was authorised, false or throws an exception if not. - * - * The handlers are tried in turn until one of them successfully authenticates the session. - * - * This architecture lets an administrator choose what methods to accept for API authentication or - * - * @param unknown_type $handler - */ - function register_api_pam_handler($handler) - { - global $PAM_HANDLERS; - - if (is_callable($handler)) - { - $PAM_HANDLERS[$handler] = $handler; - return true; - } - - return false; - } - - /** - * Magically authenticate an API session using one of the registered methods. - * - * This function will return true if authentication was possible, otherwise it'll throw an exception. - * - * If $CONFIG->debug is set then additional debug information will be returned. - */ - function api_pam_authenticate() - { - global $PAM_HANDLERS, $PAM_HANDLER_MSG; - global $CONFIG; - - $dbg_msgs = array(); - foreach ($PAM_HANDLERS as $k => $v) - { - try { - // Execute the handler - if ($v()) - { - // Explicitly returned true - $PAM_HANDLER_MSG[$k] = "Authenticated!"; - - return true; - } - else - $PAM_HANDLER_MSG[$k] = "Not Authenticated."; - } - catch (Exception $e) - { - $PAM_HANDLER_MSG[$k] = "$e"; - } - } - - // Got this far, so no methods could be found to authenticate the session - throw new SecurityException("No authentication methods were found that could authenticate this request."); - } - /** * See if the user has a valid login sesson. */ - function pam_auth_session() + function pam_auth_session($credentials = NULL) { return isloggedin(); } 
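Review bot: `pam_auth_session($credentials = NULL)` accepts the new parameter, but the visible body still only returns `isloggedin()`, so any credentials passed in are ignored. The registry in pam.php now appears to be generic rather than API-only, so a caller that passes explicit credentials to `pam_authenticate()` would, as far as this diff shows, succeed on an existing session whatever was supplied. Consider `if ($credentials !== NULL) return false;` at the top of the handler, or at least a docblock line such as `@param mixed $credentials Ignored; this handler only checks the current session.` The next hunk makes the same signature change to `pam_auth_hmac()`, whose body lies outside the diff, so whether it reads `$credentials` cannot be checked here.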
@@ -692,7 +627,7 @@ /** * Secure authentication through headers and HMAC. */ - function pam_auth_hmac() + function pam_auth_hmac($credentials = NULL) { global $CONFIG; diff --git a/engine/lib/pam.php b/engine/lib/pam.php index 1986b5897..6bbfce79d 100644 --- a/engine/lib/pam.php +++ b/engine/lib/pam.php @@ -7,9 +7,69 @@ * @package Elgg
* @subpackage Core
* @license http://www.gnu.org/licenses/old-licenses/gpl-2.0.html GNU Public License version 2
- * @author Curverider Ltd
+ * @author Marcus Povey
* @copyright Curverider Ltd 2008
* @link http://elgg.org/
*/
-
+
+ $_PAM_HANDLERS = array();
+ $_PAM_HANDLERS_MSG = array();
+
+
+ /**
+ * Register a PAM handler.
+ *
+ * @param string $handler The handler function in the format
+ * pam_handler($credentials = NULL);
+ */
+ function register_pam_handler($handler)
+ {
+ global $_PAM_HANDLERS;
+
+ if (is_callable($handler))
+ {
+ $_PAM_HANDLERS[$handler] = $handler;
+ return true;
+ }
+
+ return false;
+ }
+
+ /**
+ * Attempt to authenticate.
+ * This function will go through all registered PAM handlers to see if a user can be authorised.
+ *
+ * If $credentials are provided the PAM handler should authenticate using the provided credentials, if
+ * not then credentials should be prompted for or otherwise retrieved (eg from the HTTP header or $_SESSION).
+ *
+ * @param mixed $credentials Mixed PAM handler specific credentials (eg username,password or hmac etc)
+ * @return bool true if authenticated, false if not.
+ */
+ function pam_authenticate($credentials = NULL)
+ {
+ global $_PAM_HANDLERS, $_PAM_HANDLERS_MSG;
+
+ foreach ($_PAM_HANDLERS as $k => $v)
+ {
+ try {
+ // Execute the handler
+ if ($v($credentials))
+ {
+ // Explicitly returned true
+ $_PAM_HANDLERS_MSG[$k] = "Authenticated!";
+
+ return true;
+ }
+ else
+ $_PAM_HANDLERS_MSG[$k] = "Not Authenticated.";
+ }
+ catch (Exception $e)
+ {
+ $_PAM_HANDLERS_MSG[$k] = "$e";
+ }
+ }
+
+ return false;
+ }
+
?>
\ No newline at end of file |
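Review bot: `if ($v($credentials))` in `pam_authenticate()` accepts any truthy return, although the comment beneath it says "Explicitly returned true"; a handler that returns a non-empty string, array or object on failure would authenticate the request. A strict comparison, `if ($v($credentials) === true)`, makes the check match the comment and the documented bool contract. The function also returns false where the removed `api_pam_authenticate()` threw, so every caller has to test the result; a docblock sentence saying the return value must be checked would make that explicit. Finally, `$_PAM_HANDLERS_MSG[$k] = "$e"` stores the full exception string, which normally includes file paths and a stack trace, so these messages should stay out of client responses.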