Initial import

Author: tvdijen

.codecov.yml

@@ -0,0 +1,11 @@
+coverage:
+  status:
+    project: yes
+
+comment:
+  layout: "diff"
+  behavior: once
+  require_changes: true
+  require_base: no
+  require_head: yes
+  branches: null

.php_cs.dist

@@ -0,0 +1,15 @@
+<?php
+$finder = PhpCsFixer\Finder::create()
+    ->in([
+        __DIR__ . '/lib',
+        __DIR__ . '/tests',
+    ])
+;
+return PhpCsFixer\Config::create()
+    ->setRules([
+        '@PSR2' => true,
+        '@PSR4' => true,
+        '@PSR5' => true,
+    ])
+    ->setFinder($finder)
+;

.travis.yml

@@ -0,0 +1,35 @@
+sudo: required
+
+language: php
+
+php:
+  - 5.6
+  - 7.0
+  - 7.1
+  - 7.2
+  - 7.3
+
+env:
+  - SIMPLESAMLPHP_VERSION=1.17.*
+  
+matrix:
+  allow_failures:
+    - php: 7.3
+
+before_script:
+  - composer require "simplesamlphp/simplesamlphp:${SIMPLESAMLPHP_VERSION}" --no-update
+  - composer update --no-interaction
+  - if [[ "$TRAVIS_PHP_VERSION" == "7.3" ]]; then composer require --dev vimeo/psalm:1.1.9; fi
+
+script:
+  - bin/check-syntax.sh
+  - if [[ "$TRAVIS_PHP_VERSION" == "5.6" ]]; then php vendor/phpunit/phpunit/phpunit; else php vendor/phpunit/phpunit/phpunit --no-coverage; fi
+  - if [[ "$TRAVIS_PHP_VERSION" == "7.3" ]]; then vendor/bin/psalm; fi
+
+after_success:
+  # Codecov, need to edit bash uploader for incorrect TRAVIS_PYTHON_VERSION environment variable matching, at least until codecov/codecov-bash#133 is resolved
+  - curl -s https://codecov.io/bash > .codecov
+  - sed -i -e 's/TRAVIS_.*_VERSION/^TRAVIS_.*_VERSION=/' .codecov
+  - chmod +x .codecov
+  - if [[ $TRAVIS_PHP_VERSION == "5.6" ]]; then ./.codecov -X gcov; fi
+# - if [[ "$TRAVIS_PHP_VERSION" == "5.6" ]]; then bash <(curl -s https://codecov.io/bash); fi

bin/check-syntax.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+PHP='/usr/bin/env php'
+RETURN=0
+
+# check PHP files
+for FILE in `find lib tests -name "*.php"`; do
+    $PHP -l $FILE > /dev/null 2>&1
+    if [ $? -ne 0 ]; then
+        echo "Syntax check failed for ${FILE}"
+        RETURN=`expr ${RETURN} + 1`
+    fi
+done
+
+exit $RETURN

composer.json

@@ -0,0 +1,42 @@
+{
+    "name": "simplesamlphp/simplesamlphp-module-authcrypt",
+    "description": "This module provides authentication against password hashes or .htpasswd files",
+    "type": "simplesamlphp-module",
+    "keywords": ["simplesamlphp", "authcrypt"],
+    "license": "LGPL-3.0-or-later",
+    "authors": [
+        {
+            "name": "Olav Morken",
+            "email": "olavmrk@gmail.com"
+        }
+    ],
+    "config": {
+        "preferred-install": {
+            "simplesamlphp/simplesamlphp": "source",
+            "*": "dist"
+        }
+    },
+    "autoload": {
+        "psr-4": {
+            "SimpleSAML\\Module\\authcrypt\\": "lib/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "SimpleSAML\\Test\\Utils\\": "vendor/simplesamlphp/simplesamlphp/tests/Utils"
+        }
+    },
+    "require": {
+        "php": ">=5.6",
+        "simplesamlphp/composer-module-installer": "~1.1",
+        "webmozart/assert": "~1.4",
+    },
+    "require-dev": {
+        "simplesamlphp/simplesamlphp": "^1.17",
+        "phpunit/phpunit": "~5.7"
+    },
+    "support": {
+        "issues": "https://github.com/tvdijen/simplesamlphp-module-authcrypt/issues",
+        "source": "https://github.com/tvdijen/simplesamlphp-module-authcrypt"
+    }
+}

default-disable

@@ -0,0 +1,3 @@
+This file indicates that the default state of this module
+is disabled. To enable, create a file named enable in the
+same directory as this file.

docs/authcrypt.md

@@ -0,0 +1,73 @@
+AuthCrypt
+=========
+
+This module provides two methods for authentication:
+
+`authcrypt:Hash`
+: Username & password authentication with hashed passwords.
+
+`authcrypt:Htpasswd`
+: Username & password authentication against an `.htpasswd` file.
+
+
+`authcrypt:Hash`
+----------------
+
+This is based on `exampleAuth:UserPass`, and adds support for hashed passwords.
+Hashes can be generated with the included command line tool `bin/pwgen.sh`.
+This tool will interactively ask for a password, a hashing algorithm , and whether or not you want to use a salt:
+
+    [user@server simplesamlphp]$ bin/pwgen.php
+    Enter password: hackme
+    The following hashing algorithms are available:
+    md2          md4          md5          sha1         sha224       sha256
+    sha384       sha512       ripemd128    ripemd160    ripemd256    ripemd320
+    whirlpool    tiger128,3   tiger160,3   tiger192,3   tiger128,4   tiger160,4
+    tiger192,4   snefru       snefru256    gost         adler32      crc32
+    crc32b       salsa10      salsa20      haval128,3   haval160,3   haval192,3
+    haval224,3   haval256,3   haval128,4   haval160,4   haval192,4   haval224,4
+    haval256,4   haval128,5   haval160,5   haval192,5   haval224,5   haval256,5
+
+    Which one do you want? [sha256]
+    Do you want to use a salt? (yes/no) [yes]
+
+      {SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==
+
+Now create an authentication source in `config/authsources.php` and use the resulting string as the password:
+
+    'example-hashed' => array(
+        'authCrypt:Hash',
+        'student:{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==' => array(
+            'uid' => array('student'),
+            'eduPersonAffiliation' => array('member', 'student'),
+            ),
+    ),
+
+This example creates a user `student` with password `hackme`, and some attributes.
+
+### Compatibility ###
+The generated hashes can also be used in `config.php` for the administrative password:
+
+    'auth.adminpassword'        => '{SSHA256}y1mj3xsZ4/+LoQyPNVJzXUFfBcLHfwcHx1xxltxeQ1C5MeyEX/RxWA==',
+
+Instead of generating hashes, you can also use existing ones from OpenLDAP, provided that the `userPassword` attribute is stored as MD5, SMD5, SHA, or SSHA.
+
+
+`authCrypt:Htpasswd`
+--------------------
+
+Authenticate users against an [`.htpasswd`](http://httpd.apache.org/docs/2.2/programs/htpasswd.html) file. It can be used for example when you migrate a web site from basic HTTP authentication to SimpleSAMLphp.
+
+The simple structure of the `.htpasswd` file does not allow for per-user attributes, but you can define some static attributes for all users.
+
+An example authentication source in `config/authsources.php` could look like this:
+
+    'htpasswd' => array(
+        'authcrypt:Htpasswd',
+            'htpasswd_file' => '/var/www/foo.edu/legacy_app/.htpasswd',
+            'static_attributes' => array(
+                'eduPersonAffiliation' => array('member', 'employee'),
+                'Organization' => array('University of Foo'),
+        ),
+    ),
+

lib/Auth/Source/Hash.php

@@ -0,0 +1,103 @@
+<?php
+
+namespace SimpleSAML\Module\authcrypt\Auth\Source;
+
+/**
+ * Authentication source for username & hashed password.
+ *
+ * This class is an authentication source which stores all username/hashes in an array,
+ * and authenticates users against this array.
+ *
+ * @author Dyonisius Visser, TERENA.
+ * @package SimpleSAMLphp
+ */
+
+class Hash extends \SimpleSAML\Module\core\Auth\UserPassBase
+{
+    /**
+     * Our users, stored in an associative array. The key of the array is "<username>:<passwordhash>",
+     * while the value of each element is a new array with the attributes for each user.
+     */
+    private $users;
+
+
+    /**
+     * Constructor for this authentication source.
+     *
+     * @param array $info Information about this authentication source.
+     * @param array $config Configuration.
+     *
+     * @throws Exception in case of a configuration error.
+     */
+    public function __construct($info, $config)
+    {
+        assert(is_array($info));
+        assert(is_array($config));
+
+        // Call the parent constructor first, as required by the interface
+        parent::__construct($info, $config);
+
+        $this->users = [];
+
+        // Validate and parse our configuration
+        foreach ($config as $userpass => $attributes) {
+            if (!is_string($userpass)) {
+                throw new \Exception('Invalid <username>:<passwordhash> for authentication source '.
+                    $this->authId.': '.$userpass);
+            }
+
+            $userpass = explode(':', $userpass, 2);
+            if (count($userpass) !== 2) {
+                throw new \Exception('Invalid <username>:<passwordhash> for authentication source '.
+                    $this->authId.': '.$userpass[0]);
+            }
+            $username = $userpass[0];
+            $passwordhash = $userpass[1];
+
+            try {
+                $attributes = \SimpleSAML\Utils\Attributes::normalizeAttributesArray($attributes);
+            } catch (\Exception $e) {
+                throw new \Exception('Invalid attributes for user '.$username.
+                    ' in authentication source '.$this->authId.': '.
+                    $e->getMessage());
+            }
+
+            $this->users[$username.':'.$passwordhash] = $attributes;
+        }
+    }
+
+
+    /**
+     * Attempt to log in using the given username and password.
+     *
+     * On a successful login, this function should return the users attributes. On failure,
+     * it should throw an exception. If the error was caused by the user entering the wrong
+     * username OR password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
+     *
+     * The username is UTF-8 encoded, and the hash is base64 encoded.
+     *
+     * @param string $username The username the user wrote.
+     * @param string $password The password the user wrote.
+     *
+     * @return array  Associative array with the users attributes.
+     *
+     * @throws \SimpleSAML\Error\Error if authentication fails.
+     */
+    protected function login($username, $password)
+    {
+        assert(is_string($username));
+        assert(is_string($password));
+
+        foreach ($this->users as $userpass => $attrs) {
+            $matches = explode(':', $userpass, 2);
+            if ($matches[0] === $username) {
+                if (\SimpleSAML\Utils\Crypto::pwValid($matches[1], $password)) {
+                    return $attrs;
+                } else {
+                    \SimpleSAML\Logger::debug('Incorrect password "'.$password.'" for user '.$username);
+                }
+            }
+        }
+        throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+    }
+}