<?php
require_once('AuthPlugin.php');
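class Auth_FAS extends AuthPlugin {
    /**
     * Domain value handed in through setDomain(). Declared explicitly so the
     * assignment in setDomain() does not create a dynamic property
     * (deprecated as of PHP 8.2). Nothing in this plugin reads it.
     *
     * @var string|null
     */
    public $domain = null;

    /**
     * Check a username/password pair against the Fedora Account System (FAS2).
     *
     * The credentials are POSTed over TLS to FAS's person_by_username JSON
     * endpoint (staging or production, chosen at template render time). A
     * reply that carries a "success" key is treated as "credentials accepted".
     * On top of that the account must satisfy the "CLA + 1" rule: membership
     * in a CLA group (cla_done or cla_fpca) AND in at least one other approved
     * group.
     *
     * @param string $username Name as typed at the login form. MediaWiki
     *                         upper-cases the first character; FAS names are
     *                         all lower-case, so that single character is the
     *                         only case difference tolerated.
     * @param string $password Plaintext password. It leaves this process only
     *                         in the TLS-protected request body and is never
     *                         written to a log here.
     * @return bool true only when FAS accepted the credentials and the group
     *              rule holds; false on any transport, parse or policy failure.
     */
    public function authenticate($username, $password) {
        // Anything with an upper-case letter beyond the first cannot be a FAS
        // account, so refuse it before touching the network.
        if ( ucfirst(strtolower($username)) !== ucfirst($username) ) {
            return false;
        }

        $username = strtolower( $username);
        $ch = curl_init();

{% if env == 'staging' %}
        curl_setopt($ch, CURLOPT_URL, 'https://admin.stg.fedoraproject.org/accounts/json/person_by_username?tg_format=json');
{% else %}
        curl_setopt($ch, CURLOPT_URL, 'https://admin.fedoraproject.org/accounts/json/person_by_username?tg_format=json');
{% endif %}
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "Auth_FAS 0.9");
        // FAS is sent both spellings of the user-name field; the password goes
        // in the body, never in the URL, so it does not end up in access logs.
        curl_setopt($ch, CURLOPT_POSTFIELDS, "username=".urlencode($username)."&user_name=".urlencode($username)."&password=".urlencode($password)."&login=Login");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

        # WARNING: Never leave this on in production, as it will cause
        # plaintext passwords to show up in error logs.
        curl_setopt($ch, CURLOPT_VERBOSE, 0);

        # Certificate verification is pinned explicitly instead of relying on
        # libcurl's defaults: every request carries a plaintext password, so a
        # man-in-the-middle on this hop harvests credentials. VERIFYHOST must
        # be 2 (match the certificate's host name); the value 1 / TRUE is NOT
        # a host-name check in libcurl. Testing against a FAS instance with a
        # self-signed cert should use CURLOPT_CAINFO to trust that cert rather
        # than turning verification off.
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

        $raw = curl_exec($ch);
        $transport_error = curl_error($ch);
        curl_close ($ch);

        if ($raw === false) {
            // DNS/TLS/connection failure. Logged separately so that an outage
            // is not misreported as a bad password.
            error_log("FAS auth failed for $username: request error: $transport_error", 0);
            return false;
        }

        $response = json_decode($raw, true);
        // NOTE(review): this assumes FAS omits "success" entirely on a bad
        // login rather than sending "success": false -- confirm against the
        // FAS2 API before tightening the check.
        if (!is_array($response) || !isset($response["success"])) {
            error_log("FAS auth failed for $username: incorrect username or password", 0);
            return false;
        }

        // A reply without a membership list is treated as "no groups", which
        // fails the CLA+1 rule below instead of raising a TypeError from
        // iterating null.
        $groups = array();
        if (isset($response["person"]["approved_memberships"])
            && is_array($response["person"]["approved_memberships"])) {
            $groups = $response["person"]["approved_memberships"];
        }

        $has_cla = false;
        $has_plus_one = false;
        foreach ($groups as $group) {
            $name = isset($group["name"]) ? $group["name"] : null;
            if ($name === "cla_done" || $name === "cla_fpca") {
                $has_cla = true;
            } else {
                // Any non-CLA approved group counts as the "+1".
                $has_plus_one = true;
            }
        }
        if ($has_cla && $has_plus_one) {
            error_log("FAS auth succeeded for $username", 0);
            return true;
        }
        error_log("FAS auth failed for $username: insufficient group membership", 0);
        return false;
    }

    /**
     * Existence test used by MediaWiki before login. No FAS lookup is made;
     * a name is reported as existing whenever it passes the same case rule
     * as authenticate(), so the real check happens when the password is tried.
     *
     * @param string $username
     * @return bool
     */
    public function userExists( $username ) {
        return ucfirst(strtolower($username)) === ucfirst($username);
    }

    /**
     * Trim the login form: no local account creation, no e-mail field and no
     * domain selector, since all of that lives in FAS.
     *
     * @param object $template MediaWiki login template (passed by reference
     *                         for API compatibility; only set() is called).
     */
    public function modifyUITemplate(&$template) {
        $template->set('create', false);
        $template->set('useemail', false);
        $template->set('usedomain', false);
    }

    /**
     * Refresh local user data after a successful login: the wiki e-mail is
     * always the Fedora alias derived from the (lower-cased) user name.
     *
     * @param User $user
     * @return bool always true
     */
    public function updateUser( &$user ){
        $user->mEmail = strtolower($user->getName())."@fedoraproject.org";
        return true;
    }

    /**
     * Let MediaWiki create a local account the first time a FAS user logs in.
     *
     * @return bool
     */
    public function autoCreate() {
        return true;
    }

    /**
     * Passwords live in FAS only; the wiki may not set one.
     *
     * @param string $password
     * @return bool always false
     */
    public function setPassword($password) {
        return false;
    }

    /**
     * Record the domain chosen on the login form. Stored but otherwise unused.
     *
     * @param string $domain
     */
    public function setDomain( $domain ) {
        $this->domain = $domain;
    }

    /**
     * Every domain is acceptable because the form never offers a choice
     * (see modifyUITemplate()).
     *
     * @param string $domain
     * @return bool always true
     */
    public function validDomain( $domain ) {
        return true;
    }

    /**
     * Nothing is pushed back to FAS; report success so MediaWiki carries on.
     *
     * @param User $user
     * @return bool always true
     */
    public function updateExternalDB($user) {
        return true;
    }

    /**
     * The wiki cannot create FAS accounts.
     *
     * @return bool always false
     */
    public function canCreateAccounts() {
        return false;
    }

    /**
     * Account creation hook; nothing to do on the FAS side. Kept returning
     * true for compatibility with the original plugin behaviour.
     *
     * @param User   $user
     * @param string $password
     * @return bool always true
     */
    public function addUser($user, $password) {
        return true;
    }

    /**
     * Strict mode: FAS is authoritative, presumably meaning MediaWiki should
     * not fall back to its local password table when FAS says no (see the
     * AuthPlugin documentation for the exact contract).
     *
     * @return bool
     */
    public function strict() {
        return true;
    }

    /**
     * Per-user variant of strict(); applies to every user.
     *
     * @param string $username
     * @return bool always true
     */
    public function strictUserAuth( $username ) {
        return true;
    }

    /**
     * Password changes must be done in FAS, not through the wiki.
     *
     * @return bool always false
     */
    public function allowPasswordChange() {
        return false;
    }

    /**
     * Populate a freshly auto-created local account: Fedora e-mail alias,
     * e-mail marked as already authenticated (FAS has verified it), a fresh
     * session token, and persist.
     *
     * @param User $user
     * @return bool always true
     */
    public function initUser(&$user) {
        $user->mEmail = strtolower($user->getName())."@fedoraproject.org";
        $user->mEmailAuthenticated = wfTimestampNow();
        $user->setToken();
        $user->saveSettings();
        return true;
    }
}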

/**
 * Some extension information init
 */
// Register the plugin with MediaWiki's Special:Version listing. Long-form
// array() is kept deliberately: nothing in this file establishes a PHP
// version floor that would allow the short [] syntax.
$wgExtensionCredits['other'][] = array(
    'name'        => 'Auth_FAS',
    'version'     => '0.9.1',
    'author'      => 'Nigel Jones',
    'description' => 'Authorisation plugin allowing login with FAS2 accounts'
);

?>