From cf44092c16ed68e1db3c98335da288baf88127a9 Mon Sep 17 00:00:00 2001
From: Andrew Engelbrecht
Date: Wed, 17 Nov 2021 17:07:42 -0500
Subject: [PATCH] updated module code based on upstream sqlauth mod

---
 lib/Auth/Source/FSFDrupalAuth.php | 61 ++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 26 deletions(-)

diff --git a/lib/Auth/Source/FSFDrupalAuth.php b/lib/Auth/Source/FSFDrupalAuth.php
index 1dac6e7..669b1cc 100644
--- a/lib/Auth/Source/FSFDrupalAuth.php
+++ b/lib/Auth/Source/FSFDrupalAuth.php
@@ -2,6 +2,12 @@
 
 namespace SimpleSAML\Module\fsfdrupalauth\Auth\Source;
 
+use Exception;
+use PDO;
+use PDOException;
+use SimpleSAML\Error;
+use SimpleSAML\Logger;
+
 /**
  * Extension of simple SQL authentication source
  *
@@ -56,12 +62,12 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
         // Make sure that all required parameters are present.
         foreach (['dsn', 'username', 'password', 'query_main', 'query_membership', 'query_staff'] as $param) {
             if (!array_key_exists($param, $config)) {
-                throw new \Exception('Missing required attribute \''.$param.
+                throw new Exception('Missing required attribute \''.$param.
                     '\' for authentication source '.$this->authId);
             }
 
             if (!is_string($config[$param])) {
-                throw new \Exception('Expected parameter \''.$param.
+                throw new Exception('Expected parameter \''.$param.
                     '\' for authentication source '.$this->authId.
                     ' to be a string. Instead it was: '.
                     var_export($config[$param], true));
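Review bot: The `is_string` failure path on the new `throw new Exception('Expected parameter …')` line dumps the offending value with `var_export`, and `'password'` is one of the parameters the loop checks, so a mis-typed password (for example an unquoted numeric value in the config array) lands verbatim in an exception message that SimpleSAMLphp may log or render. Reporting the type is enough to diagnose the misconfiguration: `' to be a string. Instead it was of type: '.gettype($config[$param]));`. The enclosing constructor starts and ends outside the hunk.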
@@ -88,13 +94,16 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
     private function connect()
     {
         try {
-            $db = new \PDO($this->dsn, $this->username, $this->password, $this->options);
-        } catch (\PDOException $e) {
-            throw new \Exception('fsfdrupalauth:'.$this->authId.': - Failed to connect to \''.
-                $this->dsn.'\': '.$e->getMessage());
+            $db = new PDO($this->dsn, $this->username, $this->password, $this->options);
+        } catch (PDOException $e) {
+            // Obfuscate the password if it's part of the dsn
+            $obfuscated_dsn = preg_replace('/(user|password)=(.*?([;]|$))/', '${1}=***', $this->dsn);
+
+            throw new Exception('fsfdrupalauth:' . $this->authId . ': - Failed to connect to \'' .
+                $obfuscated_dsn . '\': ' . $e->getMessage());
         }
 
-        $db->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
+        $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 
         $driver = explode(':', $this->dsn, 2);
         $driver = strtolower($driver[0]);
@@ -157,14 +166,14 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
         // proc_close in order to avoid a deadlock
         $return_value = proc_close($process);
 
-        //\SimpleSAML\Logger::debug('fsfdrupalauth:'.$this->authId.': authenticator stdout: '.$result);
+        //Logger::debug('fsfdrupalauth:'.$this->authId.': authenticator stdout: '.$result);
 
         if ($errors != "") {
-            \SimpleSAML\Logger::error('fsfdrupalauth:'.$this->authId.': authenticator stderr: '.$errors);
+            Logger::error('fsfdrupalauth:'.$this->authId.': authenticator stderr: '.$errors);
         }
 
         if ($return_value != 0) {
-            \SimpleSAML\Logger::error('fsfdrupalauth:'.$this->authId.': authenticator non-zero return code: '.$return_value);
+            Logger::error('fsfdrupalauth:'.$this->authId.': authenticator non-zero return code: '.$return_value);
             return false;
         }
 
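Review bot: The masking pattern on the new `$obfuscated_dsn = preg_replace(...)` line is case-sensitive and only knows `user` and `password`, so a DSN written as `Password=` or with the ODBC-style `PWD=` key goes into the exception message unmasked; its second group also consumes the `;` after the value, so the masked DSN loses its separators. A negated character class keeps the separator and the `i` flag covers the spelling variants: `$obfuscated_dsn = preg_replace('/(user|password|pwd)=[^;]*/i', '${1}=***', $this->dsn);`. `preg_replace` returns null on a PCRE error, which the concatenation below would silently turn into an empty string; appending `?? '<dsn unavailable>'` keeps that failure visible.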
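Review bot: The guards around the new `Logger::error` calls compare loosely — `if ($errors != "")` and `if ($return_value != 0)` — while the rest of the file uses `===`; `if ($errors !== '')` and `if ($return_value !== 0)` state the intent and avoid PHP's type juggling (a `false` from a failed stream read currently compares equal to `""` and is never logged). The stderr text of the authenticator child process is also appended to the log line as-is; if it can echo back the supplied username, embedded newlines would break the log record — hedged, since the proc_open call and the enclosing function start outside the hunk.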
@@ -172,7 +181,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
         } else {
-            \SimpleSAML\Logger::error('fsfdrupalauth:'.$this->authId.': unable to launch authenticator');
+            Logger::error('fsfdrupalauth:'.$this->authId.': unable to launch authenticator');
             return false;
         }
@@ -192,26 +201,26 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 
         try {
             $sth = $db->prepare($this->$queryname);
-        } catch (\PDOException $e) {
-            throw new \Exception('fsfdrupalauth:'.$this->authId.
+        } catch (PDOException $e) {
+            throw new Exception('fsfdrupalauth:'.$this->authId.
                 ': - Failed to prepare queryname: '.$queryname.': '.$e->getMessage());
         }
 
         try {
             $sth->execute(['username' => $username]);
-        } catch (\PDOException $e) {
-            throw new \Exception('fsfdrupalauth:'.$this->authId.
+        } catch (PDOException $e) {
+            throw new Exception('fsfdrupalauth:'.$this->authId.
                 ': - Failed to execute queryname: '.$queryname.': '.$e->getMessage());
         }
 
         try {
             $data = $sth->fetchAll(\PDO::FETCH_ASSOC);
-        } catch (\PDOException $e) {
-            throw new \Exception('fsfdrupalauth:'.$this->authId.
+        } catch (PDOException $e) {
+            throw new Exception('fsfdrupalauth:'.$this->authId.
                 ': - Failed to fetch result set: '.$e->getMessage());
         }
 
-        \SimpleSAML\Logger::info('fsfdrupalauth:'.$this->authId.': Got '.count($data).
+        Logger::info('fsfdrupalauth:'.$this->authId.': Got '.count($data).
             ' rows from database');
 
         return $data;
@@ -230,7 +239,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 
         if (count($membership_data) === 0) {
             // No rows returned - invalid username
-            \SimpleSAML\Logger::debug('fsfdrupalauth:'.$this->authId.
+            Logger::debug('fsfdrupalauth:'.$this->authId.
                 ': No rows in result set. Probably no membership.');
         }
 
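Review bot: `$data = $sth->fetchAll(\PDO::FETCH_ASSOC);` in the `@@ -192,26 +201,26 @@` hunk still uses the fully-qualified name while every other `PDO`/`PDOException` reference in the same hunk now relies on the added `use PDO;` import, so the conversion is incomplete on that line; change it to `$data = $sth->fetchAll(PDO::FETCH_ASSOC);`. Separately, `$db->prepare($this->$queryname)` reads whichever property the string names; the visible callers pass literals such as `'query_main'`, but an allowlist at the top of query_db — whose signature is outside the hunk — would make that contract explicit: `if (!in_array($queryname, ['query_main', 'query_membership', 'query_staff'], true)) { throw new Exception('fsfdrupalauth:'.$this->authId.': unknown query name '.$queryname); }`.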
@@ -261,7 +270,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 
         if (count($staff_data) === 0) {
             // No rows returned - invalid username
-            \SimpleSAML\Logger::debug('fsfdrupalauth:'.$this->authId.
+            Logger::debug('fsfdrupalauth:'.$this->authId.
                 ': No rows in result set. Probably not FSF staff.');
         }
 
@@ -289,7 +298,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
      *
      * On a successful login, this function should return the users attributes. On failure,
      * it should throw an exception. If the error was caused by the user entering the wrong
-     * username or password, a \SimpleSAML\Error\Error('WRONGUSERPASS') should be thrown.
+     * username or password, a Error\Error('WRONGUSERPASS') should be thrown.
      *
      * Note that both the username and the password are UTF-8 encoded.
      *
@@ -303,7 +312,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
         assert(is_string($password));
 
         //// keep this commented when it's not in use. it prints user passwords to the log file
-        //\SimpleSAML\Logger::debug('fsfdrupalauth:'.$this->authId.': entered password: '.$password);
+        //Logger::debug('fsfdrupalauth:'.$this->authId.': entered password: '.$password);
 
         $user_data = $this->query_db('query_main', $username);
 
@@ -311,9 +320,9 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 
         if (count($user_data) === 0) {
             // No rows returned - invalid username
-            \SimpleSAML\Logger::error('fsfdrupalauth:'.$this->authId.
+            Logger::error('fsfdrupalauth:'.$this->authId.
                 ': No rows in result set. Probably wrong username.');
-            throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+            throw new Error\Error('WRONGUSERPASS');
         }
 
         /* Extract attributes. We allow the resultset to consist of multiple rows. Attributes
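Review bot: The commented-out `//Logger::debug('fsfdrupalauth:'.$this->authId.': entered password: '.$password);` in the `@@ -303,7 +312,7 @@` hunk was renamed and carried over rather than dropped, so the file keeps a one-character-edit path to writing cleartext passwords into the SimpleSAMLphp log — the `////` warning above it acknowledges exactly that risk. Deleting both lines removes the footgun; if a troubleshooting hook is genuinely wanted, log only whether a password was supplied, e.g. `Logger::debug('fsfdrupalauth:'.$this->authId.': password supplied: '.($password !== '' ? 'yes' : 'no'));`. The enclosing login method starts and ends outside the hunk.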
@@ -350,7 +359,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
         }
 
         if (!$this->check_password($password, $attributes['pass'][0])) {
-            throw new \SimpleSAML\Error\Error('WRONGUSERPASS');
+            throw new Error\Error('WRONGUSERPASS');
         }
 
         unset($attributes['pass']);
@@ -359,7 +368,7 @@ class FSFDrupalAuth extends \SimpleSAML\Module\core\Auth\UserPassBase
 
         $this->add_more_attributes($attributes, $username);
 
-        \SimpleSAML\Logger::info('fsfdrupalauth:'.$this->authId.': Attributes: '.
+        Logger::info('fsfdrupalauth:'.$this->authId.': Attributes: '.
             implode(',', array_keys($attributes)));
 
         return $attributes;
-- 
2.25.1
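Review bot: The `check_password` guard in the `@@ -350,7 +359,7 @@` hunk only runs for usernames that returned a row, while the unknown-username path in the `@@ -311,9 +320,9 @@` hunk throws `Error\Error('WRONGUSERPASS')` before any password check; since check_password appears to launch an external authenticator process (the proc_close and stderr handling in the `@@ -157,14 +166,14 @@` hunk), the two failures likely differ noticeably in response time even though the user-facing error is identical. If that is confirmed, running check_password against a fixed placeholder hash on the unknown-username path before throwing would equalise the timing of both failure modes. The enclosing login method starts and ends outside the hunk.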