path: root/engine/lib/pam.php
blob: 255a10089127f98e677fb6d9dc3a6da4084f3bb3 (plain)
<?php

	/**
	 * Elgg PAM library
	 * Contains functions for managing authentication using various arbitrary methods
	 * 
	 * @package Elgg
	 * @subpackage Core

	 * @author Curverider Ltd

	 * @link http://elgg.org/
	 */

	// Per-handler outcome text, written by pam_authenticate() under the handler's registry key.
	$_PAM_HANDLERS_MSG = array();

	// Registry of authentication handlers, filled by register_pam_handler() and keyed by handler name.
	$_PAM_HANDLERS = array();
	
	
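	/**
	 * Register a PAM handler.
	 *
	 * Only handlers given as a callable name (a string) are accepted. The registry is
	 * keyed by the handler value itself, and an array callable or Closure passes
	 * is_callable() but cannot be used as an array key. Rejecting those up front means
	 * the caller gets false instead of a handler (possibly a "required" one) being
	 * reported as registered while missing from the authentication chain.
	 *
	 * @param string $handler The handler function in the format
	 * 		pam_handler($credentials = NULL);
	 * @param string $importance The importance - "sufficient" or "required". Stored
	 * 		lower-cased. pam_authenticate() aborts on failure only when the stored value
	 * 		is exactly "required"; any other value behaves like "sufficient".
	 * @return bool true if the handler was registered, false if it is not a callable
	 * 		function name.
	 */
	function register_pam_handler($handler, $importance = "sufficient")
	{
		global $_PAM_HANDLERS;

		// is_callable() alone is not enough: array callables and Closures are not valid array keys.
		if (!is_string($handler) || !is_callable($handler))
		{
			return false;
		}

		$entry = new stdClass;
		$entry->handler = $handler;
		$entry->importance = strtolower($importance);

		// Registering the same name again replaces the earlier entry.
		$_PAM_HANDLERS[$handler] = $entry;

		return true;
	}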
	
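	/**
	 * Attempt to authenticate.
	 * This function will go through all registered PAM handlers, in registration order, to see if a
	 * user can be authorised.
	 *
	 * If $credentials are provided the PAM handler should authenticate using the provided credentials, if
	 * not then credentials should be prompted for or otherwise retrieved (eg from the HTTP header or $_SESSION).
	 *
	 * Outcome rules:
	 *  - any handler returning a truthy value marks the attempt as authenticated (the check is a
	 *    truthiness test, not a comparison with true, so handlers must return false on failure);
	 *  - a handler registered as "required" that returns a falsy value or throws aborts the whole
	 *    attempt with false, even if an earlier handler succeeded;
	 *  - with no handlers registered the result is false.
	 *
	 * A short status per handler is written to the global $_PAM_HANDLERS_MSG under the handler's key.
	 *
	 * @param mixed $credentials Mixed PAM handler specific credentials (eg username,password or hmac etc)
	 * @return bool true if authenticated, false if not.
	 */
	function pam_authenticate($credentials = NULL)
	{
		global $_PAM_HANDLERS, $_PAM_HANDLERS_MSG;

		$authenticated = false;

		foreach ($_PAM_HANDLERS as $k => $v)
		{
			$handler = $v->handler;
			$required = ($v->importance === 'required');
			$passed = false;

			try {
				// Execute the handler; any truthy return value counts as success.
				$passed = (bool) $handler($credentials);

				$_PAM_HANDLERS_MSG[$k] = $passed ? "Authenticated!" : "Not Authenticated.";
			}
			catch (Exception $e)
			{
				// Keep only the message. Casting the exception to a string would also record file
				// paths and the stack trace, which can carry call arguments, in a global that other
				// code may display or log.
				$_PAM_HANDLERS_MSG[$k] = $e->getMessage();
			}

			if ($passed)
			{
				$authenticated = true;
			}
			elseif ($required)
			{
				// A required handler failed or threw: abort.
				return false;
			}
		}

		return $authenticated;
	}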
	
?>