1: <?php
  2: /**
  3:  * THis class provides authentication for IMP.
  4:  *
  5:  * The following is the list of IMP session variables:
  6:  *   - compose_cache: (array) List of compose objects that have not yet been
  7:  *                    garbage collected.
  8:  *   - file_upload: (integer) If file uploads are allowed, the max size.
  9:  *   - filteravail: (boolean) Can we apply filters manually?
 10:  *   - imap_acl: (boolean) See 'acl' entry in config/backends.php.
 11:  *   - imap_admin: (array) See 'admin' entry in config/backends.php.
 12:  *   - imap_namespace: (array) See 'namespace' entry in config/backends.php
 13:  *   - imap_ob/*: (Horde_Imap_Client_Base) The IMAP client objects. Stored by
 14:  *                server key.
 15:  *   - imap_quota: (array) See 'quota' entry in config/backends.php.
 16:  *   - imap_thread: (string) The trheading algorithm supported by the server.
 17:  *   - maildomain: (string) See 'maildomain' entry in config/backends.php.
 18:  *   - notepadavail: (boolean) Is listing of notepads available?
 19:  *   - pgp: (array) Cached PGP passhprase values.
 20:  *   - rteavail: (boolean) Is the HTML editor available?
 21:  *   - search: (IMP_Search) The IMP_Search object.
 22:  *   - server_key: (string) Server used to login.
 23:  *   - smime: (array) Settings related to the S/MIME viewer.
 24:  *   - smtp: (array) SMTP options ('host' and 'port')
 25:  *   - showunsub: (boolean) Show unsusubscribed mailboxes on the folders
 26:  *                screen.
 27:  *   - tasklistavail: (boolean) Is listing of tasklists available?
 28:  *   - view: (string) Either 'dimp', 'imp', 'mimp', or 'mobile'.
 29:  *
 30:  * Copyright 1999-2012 Horde LLC (http://www.horde.org/)
 31:  *
 32:  * See the enclosed file COPYING for license information (GPL). If you
 33:  * did not receive this file, see http://www.horde.org/licenses/gpl.
 34:  *
 35:  * @author   Chuck Hagenbuch <chuck@horde.org>
 36:  * @author   Jon Parise <jon@horde.org>
 37:  * @author   Michael Slusarz <slusarz@horde.org>
 38:  * @category Horde
 39:  * @license  http://www.horde.org/licenses/gpl GPL
 40:  * @package  IMP
 41:  */
 42: class IMP_Auth
 43: {
 44:     /**
 45:      * Authenticate to the mail server.
 46:      *
 47:      * @param array $credentials  An array of login credentials. If empty,
 48:      *                            attempts to login to the cached session.
 49:      *   - password: (string) The user password.
 50:      *   - server: (string) The server key to use (from backends.php).
 51:      *   - userId: (string) The username.
 52:      *
 53:      * @return mixed  If authentication was successful, and no session
 54:      *                exists, an array of data to add to the session.
 55:      *                Otherwise returns false.
 56:      * @throws Horde_Auth_Exception
 57:      */
 58:     static public function authenticate($credentials = array())
 59:     {
 60:         global $injector, $registry;
 61: 
 62:         $result = false;
 63: 
 64:         // Do 'horde' authentication.
 65:         $imp_app = $registry->getApiInstance('imp', 'application');
 66:         if (!empty($imp_app->initParams['authentication']) &&
 67:             ($imp_app->initParams['authentication'] == 'horde')) {
 68:             if ($registry->getAuth()) {
 69:                 return $result;
 70:             }
 71:             throw new Horde_Auth_Exception('', Horde_Auth::REASON_FAILED);
 72:         }
 73: 
 74:         if (!isset($credentials['server'])) {
 75:             $credentials['server'] = self::getAutoLoginServer();
 76:         }
 77: 
 78:         $imp_imap = $injector->getInstance('IMP_Factory_Imap')->create($credentials['server']);
 79: 
 80:         // Check for valid IMAP Client object.
 81:         if (!$imp_imap->ob) {
 82:             if (!isset($credentials['userId']) ||
 83:                 !isset($credentials['password'])) {
 84:                 throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
 85:             }
 86: 
 87:             try {
 88:                 $imp_imap->createImapObject($credentials['userId'], $credentials['password'], $credentials['server']);
 89:             } catch (IMP_Imap_Exception $e) {
 90:                 self::_logMessage(false, $imp_imap);
 91:                 throw $e->authException();
 92:             }
 93: 
 94:             $result = array(
 95:                 'server_key' => $credentials['server']
 96:             );
 97:         }
 98: 
 99:         try {
100:             $imp_imap->login();
101:         } catch (IMP_Imap_Exception $e) {
102:             self::_logMessage(false, $imp_imap);
103:             throw $e->authException();
104:         }
105: 
106:         return $result;
107:     }
108: 
109:     /**
110:      * Perform transparent authentication.
111:      *
112:      * @param Horde_Auth_Application $auth_ob  The authentication object.
113:      *
114:      * @return mixed  If authentication was successful, and no session
115:      *                exists, an array of data to add to the session.
116:      *                Otherwise returns false.
117:      */
118:     static public function transparent($auth_ob)
119:     {
120:         $credentials = $auth_ob->getCredential('credentials');
121: 
122:         if (empty($credentials['transparent'])) {
123:             /* Attempt hordeauth authentication. */
124:             $credentials = self::_canAutoLogin();
125:             if ($credentials === false) {
126:                 return false;
127:             }
128:         } else {
129:             /* It is possible that preauthenticate() set the credentials.
130:              * If so, use that information instead of hordeauth. */
131:             $credentials['userId'] = $auth_ob->getCredential('userId');
132:         }
133: 
134:         try {
135:             return self::authenticate($credentials);
136:         } catch (Horde_Auth_Exception $e) {
137:             return false;
138:         }
139:     }
140: 
141:     /**
142:      * Log login related message.
143:      *
144:      * @param boolean $success   True on success, false on failure.
145:      * @param IMP_Imap $imap_ob  The IMP_Imap object to use.
146:      */
147:     static protected function _logMessage($status, $imap_ob)
148:     {
149:         if ($status) {
150:             $msg = 'Login success';
151:             $level = 'NOTICE';
152:         } else {
153:             $msg = 'FAILED LOGIN';
154:             $level = 'INFO';
155:         }
156: 
157:         $user = $imap_ob->getParam('username');
158:         if (($auth_id = $GLOBALS['registry']->getAuth()) !== false) {
159:             $user .= ' (Horde user ' . $auth_id . ')';
160:         }
161: 
162:         $protocol = $imap_ob->imap
163:             ? 'imap'
164:             : ($imap_ob->pop3 ? 'pop' : '');
165: 
166:         $msg = sprintf(
167:             $msg . ' for %s [%s]%s to {%s:%s%s}',
168:             $user,
169:             $_SERVER['REMOTE_ADDR'],
170:             empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? '' : ' (forwarded for [' . $_SERVER['HTTP_X_FORWARDED_FOR'] . '])',
171:             $imap_ob->ob ? $imap_ob->getParam('hostspec') : '',
172:             $imap_ob->ob ? $imap_ob->getParam('port') : '',
173:             $protocol ? ' [' . $protocol . ']' : ''
174:         );
175: 
176:         Horde::logMessage($msg, $level);
177:     }
178: 
179:     /**
180:      * Returns the autologin server key.
181:      *
182:      * @return string  The server key, or null if none available.
183:      */
184:     static public function getAutoLoginServer()
185:     {
186:         if (($servers = IMP_Imap::loadServerConfig()) === false) {
187:             return null;
188:         }
189: 
190:         $server_key = null;
191:         foreach ($servers as $key => $val) {
192:             if (is_null($server_key) && substr($key, 0, 1) != '_') {
193:                 $server_key = $key;
194:             }
195:             if (self::isPreferredServer($val, $key)) {
196:                 $server_key = $key;
197:                 break;
198:             }
199:         }
200: 
201:         return $server_key;
202:     }
203: 
204:     /**
205:      * Determines if the given mail server is the "preferred" mail server for
206:      * this web server.  This decision is based on the global 'SERVER_NAME'
207:      * and 'HTTP_HOST' server variables and the contents of the 'preferred'
208:      * field in the server's definition.  The 'preferred' field may take a
209:      * single value or an array of multiple values.
210:      *
211:      * @param string $server  A complete server entry from the $servers hash.
212:      * @param string $key     The server key entry.
213:      *
214:      * @return boolean  True if this entry is "preferred".
215:      */
216:     static public function isPreferredServer($server, $key = null)
217:     {
218:         if (empty($server['preferred'])) {
219:             return false;
220:         }
221: 
222:         $preferred = is_array($server['preferred'])
223:             ? $server['preferred']
224:             : array($server['preferred']);
225: 
226:         return in_array($_SERVER['SERVER_NAME'], $preferred) ||
227:                in_array($_SERVER['HTTP_HOST'], $preferred);
228:     }
229: 
230:     /**
231:      * Returns whether we can log in without a login screen for $server_key.
232:      *
233:      * @param string $server_key  The server to check. Defaults to the
234:      *                            autologin server.
235:      * @param boolean $force      If true, check $server_key even if there is
236:      *                            more than one server available.
237:      *
238:      * @return array  The credentials needed to login ('userId', 'password',
239:      *                 'server') or false if autologin not available.
240:      */
241:     static protected function _canAutoLogin($server_key = null, $force = false)
242:     {
243:         if (($servers = $GLOBALS['injector']->getInstance('IMP_Factory_Imap')->create()->loadServerConfig()) === false) {
244:             return false;
245:         }
246: 
247:         if (is_null($server_key) || !$force) {
248:             $auto_server = self::getAutoLoginServer();
249:             if (is_null($server_key)) {
250:                 $server_key = $auto_server;
251:             }
252:         }
253: 
254:         if ((!empty($auto_server) || $force) &&
255:             $GLOBALS['registry']->getAuth() &&
256:             !empty($servers[$server_key]['hordeauth'])) {
257:             return array(
258:                 'userId' => $GLOBALS['registry']->getAuth((strcasecmp($servers[$server_key]['hordeauth'], 'full') == 0) ? null : 'bare'),
259:                 'password' => $GLOBALS['registry']->getAuthCredential('password'),
260:                 'server' => $server_key
261:             );
262:         }
263: 
264:         return false;
265:     }
266: 
267:     /**
268:      * Returns the initial page.
269:      *
270:      * @return object  Object with the following properties:
271:      *   - fullpath (string)
272:      *   - mbox (IMP_Mailbox)
273:      *   - page (string)
274:      *   - url (Horde_Url)
275:      */
276:     static public function getInitialPage()
277:     {
278:         $init_url = $GLOBALS['prefs']->getValue('initial_page');
279:         if (!$init_url ||
280:             !$GLOBALS['injector']->getInstance('IMP_Factory_Imap')->create()->access(IMP_Imap::ACCESS_FOLDERS)) {
281:             $init_url = 'INBOX';
282:         }
283: 
284:         if ($init_url == IMP::INITIAL_FOLDERS) {
285:             $mbox = null;
286:         } else {
287:             $mbox = IMP_Mailbox::get($init_url);
288:             if (!$mbox->exists) {
289:                 $mbox = IMP_Mailbox::get('INBOX');
290:             }
291: 
292:             IMP::setCurrentMailboxInfo($mbox);
293:         }
294: 
295:         $result = new stdClass;
296:         $result->mbox = $mbox;
297: 
298:         switch (IMP::getViewMode()) {
299:         case 'dimp':
300:             if (is_null($mbox)) {
301:                 $result->mbox = IMP_Mailbox::get('INBOX');
302:             }
303:             $page = 'index-dimp.php';
304:             break;
305: 
306:         case 'imp':
307:             if (is_null($mbox)) {
308:                 $page = 'folders.php';
309:             } else {
310:                 $page = 'mailbox.php';
311:                 $result->url = $mbox->url($page);
312:             }
313:             break;
314: 
315:         case 'mimp':
316:             if (is_null($mbox)) {
317:                 $page = 'folders-mimp.php';
318:             } else {
319:                 $page ='mailbox-mimp.php';
320:                 $result->url = $mbox->url($page);
321:             }
322:             break;
323: 
324:         case 'mobile':
325:             // TODO: Folders for mobile page?
326:             if (is_null($mbox)) {
327:                 $result->mbox = IMP_Mailbox::get('INBOX');
328:             }
329:             $page = 'mobile.php';
330:             break;
331:         }
332: 
333:         $result->fullpath = IMP_BASE . '/' . $page;
334:         $result->page = $page;
335: 
336:         if (!isset($result->url)) {
337:             $result->url = Horde::url($page, true);
338:         }
339: 
340:         return $result;
341:     }
342: 
343:     /**
344:      * Perform post-login tasks. Session creation requires the full IMP
345:      * environment, which is not available until this callback.
346:      *
347:      * @throws Horde_Auth_Exception
348:      */
349:     static public function authenticateCallback()
350:     {
351:         global $browser, $conf, $injector, $prefs, $registry, $session;
352: 
353:         $imp_imap = $injector->getInstance('IMP_Factory_Imap')->create(null, true);
354:         $ptr = $imp_imap->loadServerConfig($session->get('imp', 'server_key'));
355:         if ($ptr === false) {
356:             throw new Horde_Auth_Exception('', Horde_Auth::REASON_FAILED);
357:         }
358: 
359:         /* Set the maildomain. */
360:         $maildomain = $prefs->getValue('mail_domain');
361:         $session->set('imp', 'maildomain', $maildomain ? $maildomain : (isset($ptr['maildomain']) ? $ptr['maildomain'] : ''));
362: 
363:         /* Store some basic IMAP server information. */
364:         if ($imp_imap->imap) {
365:             /* Can't call this until now, since we need prefs to be properly
366:              * loaded to grab the special mailboxes information. */
367:             $imp_imap->updateFetchIgnore();
368: 
369:             foreach (array('acl', 'admin', 'namespace', 'quota') as $val) {
370:                 if (!empty($ptr[$val])) {
371:                     $tmp = $ptr[$val];
372: 
373:                     /* 'admin' and 'quota' have password entries - encrypt
374:                      * these entries in the session if they exist. */
375:                     foreach (array('password', 'admin_password') as $key) {
376:                         if (isset($ptr[$val]['params'][$key])) {
377:                             $secret = $injector->getInstance('Horde_Secret');
378:                             $tmp['params'][$key] = $secret->write($secret->getKey('imp'), $ptr[$val]['params'][$key]);
379:                         }
380:                     }
381: 
382:                     $session->set('imp', 'imap_' . $val, $tmp);
383:                 }
384:             }
385: 
386:             /* Set the IMAP threading algorithm. */
387:             $thread_cap = $imp_imap->queryCapability('THREAD');
388:             $session->set(
389:                 'imp',
390:                 'imap_thread',
391:                 in_array(isset($ptr['thread']) ? strtoupper($ptr['thread']) : 'REFERENCES', is_array($thread_cap) ? $thread_cap : array())
392:                     ? 'REFERENCES'
393:                     : 'ORDEREDSUBJECT'
394:             );
395:         }
396: 
397:         /* Set the SMTP options, if needed. */
398:         if ($conf['mailer']['type'] == 'smtp') {
399:             $smtp = array();
400:             foreach (array('smtphost' => 'host', 'smtpport' => 'port') as $key => $val) {
401:                 if (!empty($ptr[$key])) {
402:                     $smtp[$val] = $ptr[$key];
403:                 }
404:             }
405: 
406:             if (!empty($smtp)) {
407:                 $session->set('imp', 'smtp', $smtp);
408:             }
409:         }
410: 
411:         /* Does the server allow file uploads? If yes, store the
412:          * value, in bytes, of the maximum file size. */
413:         $session->set('imp', 'file_upload', $browser->allowFileUploads());
414: 
415:         /* Is the 'mail/canApplyFilters' API call available? */
416:         try {
417:             if ($registry->call('mail/canApplyFilters')) {
418:                 $session->set('imp', 'filteravail', true);
419:             }
420:         } catch (Horde_Exception $e) {}
421: 
422:         /* Is the 'tasks/listTasklists' call available? */
423:         if ($conf['tasklist']['use_tasklist'] &&
424:             $registry->hasMethod('tasks/listTasklists')) {
425:             $session->set('imp', 'tasklistavail', true);
426:         }
427: 
428:         /* Is the 'notes/listNotepads' call available? */
429:         if ($conf['notepad']['use_notepad'] &&
430:             $registry->hasMethod('notes/listNotepads')) {
431:             $session->set('imp', 'notepadavail', true);
432:         }
433: 
434:         /* Determine View */
435:         $mode = $session->get('horde', 'mode');
436:         if (!IMP::showAjaxView() && !$mode == 'smartmobile') {
437:             if ($mode == 'dynamic' || ($mode == 'auto' && $prefs->getValue('dynamic_view'))) {
438:                 $GLOBALS['notification']->push(_("Your browser is too old to display the dynamic mode. Using traditional mode instead."), 'horde.warning');
439:             }
440:             $session->set('imp', 'view', 'imp');
441:         } else {
442:             /* Map to IMP view */
443:             switch($mode) {
444:             case 'auto':
445:             case 'dynamic':
446:             case 'traditional':
447:                 $impview = IMP::showAjaxView() ? 'dimp' : 'imp';
448:                 break;
449: 
450:             case 'smartmobile':
451:                 $impview = Horde::ajaxAvailable() ? 'mobile' : 'mimp';
452:                 break;
453: 
454:             case 'mobile':
455:                 $impview = 'mimp';
456:                 break;
457:             }
458: 
459:             $session->set('imp', 'view', $impview);
460:         }
461: 
462:         /* Indicate that notifications should use AJAX mode. */
463:         if ($session->get('imp', 'view') == 'dimp') {
464:             $session->set(
465:                 'horde',
466:                 'notification_override',
467:                 array(
468:                     IMP_BASE . '/lib/Notification/Listener/AjaxStatus.php',
469:                     'IMP_Notification_Listener_AjaxStatus'
470:                 )
471:             );
472:         }
473: 
474:         /* Is the HTML editor available? */
475:         $imp_ui = new IMP_Ui_Compose();
476:         $session->set('imp', 'rteavail', $injector->getInstance('Horde_Editor')->supportedByBrowser());
477: 
478:         self::_logMessage(true, $imp_imap);
479:     }
480: 
481: }
482: