Diffstat (limited to 'engine/lib/pam.php')
-rw-r--r--engine/lib/pam.php74
1 files changed, 13 insertions, 61 deletions
diff --git a/engine/lib/pam.php b/engine/lib/pam.php
index 21cfdbbb9..1c9c3bfe1 100644
--- a/engine/lib/pam.php
+++ b/engine/lib/pam.php
@@ -14,22 +14,30 @@
* For more information on PAMs see:
* http://www.freebsd.org/doc/en/articles/pam/index.html
*
+ * @see ElggPAM
+ *
* @package Elgg.Core
* @subpackage Authentication.PAM
*/
+global $_PAM_HANDLERS;
$_PAM_HANDLERS = array();
-$_PAM_HANDLERS_MSG = array();
/**
* Register a PAM handler.
*
- * @param string $handler The handler function in the format
+ * A PAM handler should return true if the authentication attempt passed. For a
+ * failure, return false or throw an exception. Returning nothing indicates that
+ * the handler wants to be skipped.
+ *
+ * Note, $handler must be string callback (not an array/Closure).
+ *
+ * @param string $handler Callable global handler function in the format ()
* pam_handler($credentials = NULL);
* @param string $importance The importance - "sufficient" (default) or "required"
* @param string $policy The policy type, default is "user"
*
- * @return boolean
+ * @return bool
*/
function register_pam_handler($handler, $importance = "sufficient", $policy = "user") {
global $_PAM_HANDLERS;
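Review bot: The added docblock says a handler that returns nothing is skipped, but it does not say what a skip means for a handler registered as "required", nor what the overall result is when every handler skips. A handler that forgets a `return` on one code path is now indistinguishable from a deliberate skip, so the contract should state the fail-closed rule explicitly, for example `* A skipped handler never counts as a pass; authentication fails if no handler returns true.` That wording needs confirming against ElggPAM, which is not visible here. The `@param` line for `$handler` also ends in a stray `()`. The body of register_pam_handler continues past the end of this hunk.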
@@ -39,7 +47,8 @@ function register_pam_handler($handler, $importance = "sufficient", $policy = "u
$_PAM_HANDLERS[$policy] = array();
}
- if (is_callable($handler)) {
+ // @todo remove requirement that $handle be a global function
+ if (is_string($handler) && is_callable($handler, true)) {
$_PAM_HANDLERS[$policy][$handler] = new stdClass;
$_PAM_HANDLERS[$policy][$handler]->handler = $handler;
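Review bot: Passing `true` as the second argument makes `is_callable()` a syntax-only check, so together with `is_string()` any string is accepted as a handler, even when no such function exists. A misspelled name for a "required" handler is therefore registered without complaint, and the outcome at authentication time depends on the caller (ElggPAM, not visible here), which must treat a missing handler as a failure rather than a skip. If deferred definition is not needed, keep the existence check with `if (is_string($handler) && is_callable($handler)) {`; otherwise say so in the comment, e.g. `// existence is not verified here; the authenticator must fail closed if the function is missing`. The todo comment also says `$handle` where `$handler` is meant. The body of register_pam_handler starts and ends outside this hunk.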
@@ -65,60 +74,3 @@ function unregister_pam_handler($handler, $policy = "user") {
unset($_PAM_HANDLERS[$policy][$handler]);
}
-
-/**
- * Attempt to authenticate.
- * This function will process all registered PAM handlers or stop when the first
- * handler fails. A handler fails by either returning false or throwing an
- * exception. The advantage of throwing an exception is that it returns a message
- * through the global $_PAM_HANDLERS_MSG which can be used in communication with
- * a user. The order that handlers are processed is determined by the order that
- * they were registered.
- *
- * If $credentials are provided the PAM handler should authenticate using the
- * provided credentials, if not then credentials should be prompted for or
- * otherwise retrieved (eg from the HTTP header or $_SESSION).
- *
- * @param mixed $credentials Mixed PAM handler specific credentials (e.g. username, password)
- * @param string $policy The policy type, default is "user"
- *
- * @return bool true if authenticated, false if not.
- */
-function pam_authenticate($credentials = NULL, $policy = "user") {
- global $_PAM_HANDLERS, $_PAM_HANDLERS_MSG;
-
- $_PAM_HANDLERS_MSG = array();
-
- $authenticated = false;
-
- foreach ($_PAM_HANDLERS[$policy] as $k => $v) {
- $handler = $v->handler;
- $importance = $v->importance;
-
- try {
- // Execute the handler
- if ($handler($credentials)) {
- // Explicitly returned true
- $_PAM_HANDLERS_MSG[$k] = "Authenticated!";
-
- $authenticated = true;
- } else {
- $_PAM_HANDLERS_MSG[$k] = "Not Authenticated.";
-
- // If this is required then abort.
- if ($importance == 'required') {
- return false;
- }
- }
- } catch (Exception $e) {
- $_PAM_HANDLERS_MSG[$k] = "$e";
-
- // If this is required then abort.
- if ($importance == 'required') {
- return false;
- }
- }
- }
-
- return $authenticated;
-} \ No newline at end of file