andre/scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b24febb8a858676ca902c902fa4e4685c62383bc
scripts/Perl OTRS/Kernel/System/CustomerAuth/DB.pm
Andre Geißler 1462d52e13 init III
2024-10-14 00:08:40 +02:00

325 lines
9.6 KiB
Perl
Raw Blame History

# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
package Kernel::System::CustomerAuth::DB;
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt apache_md5_crypt);
use Digest::SHA;
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::DB',
'Kernel::System::Encode',
'Kernel::System::Log',
'Kernel::System::Main',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# get database object
$Self->{DBObject} = $Kernel::OM->Get('Kernel::System::DB');
# Debug 0=off 1=on
$Self->{Debug} = 0;
# get config object
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
# config options
$Self->{Table} = $ConfigObject->Get( 'Customer::AuthModule::DB::Table' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::Table$Param{Count} in Kernel/Config.pm!";
$Self->{Key} = $ConfigObject->Get( 'Customer::AuthModule::DB::CustomerKey' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::CustomerKey$Param{Count} in Kernel/Config.pm!";
$Self->{Pw} = $ConfigObject->Get( 'Customer::AuthModule::DB::CustomerPassword' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::CustomerPw$Param{Count} in Kernel/Config.pm!";
$Self->{CryptType} = $ConfigObject->Get( 'Customer::AuthModule::DB::CryptType' . $Param{Count} )
|| '';
if ( $ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} ) ) {
$Self->{DBObject} = Kernel::System::DB->new(
DatabaseDSN =>
$ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} ),
DatabaseUser =>
$ConfigObject->Get( 'Customer::AuthModule::DB::User' . $Param{Count} ),
DatabasePw =>
$ConfigObject->Get( 'Customer::AuthModule::DB::Password' . $Param{Count} ),
Type => $ConfigObject->Get( 'Customer::AuthModule::DB::Type' . $Param{Count} )
|| '',
)
|| die "Can't connect to "
. $ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} );
# remember that we have the DBObject not from parent call
$Self->{NotParentDBObject} = 1;
}
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need What!"
);
return;
}
# module options
my %Option = (
PreAuth => 0,
);
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{User} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need User!"
);
return;
}
# get params
my $User = $Param{User} || '';
my $Pw = $Param{Pw} || '';
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
my $UserID = '';
my $GetPw = '';
# sql query
$Self->{DBObject}->Prepare(
SQL => "
SELECT $Self->{Pw}, $Self->{Key} FROM $Self->{Table} WHERE
$Self->{Key} = ?
",
Bind => [ \$Param{User} ],
);
while ( my @Row = $Self->{DBObject}->FetchrowArray() ) {
$GetPw = $Row[0] || '';
$UserID = $Row[1];
}
# check if user exists in auth table
if ( !$UserID ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: No auth record in '$Self->{Table}' for '$User' "
. "(REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# get encode object
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
# crypt given pw
my $CryptedPw = '';
my $Salt = $GetPw;
if ( $Self->{CryptType} eq 'plain' ) {
$CryptedPw = $Pw;
}
# md5 or sha pw
elsif ( $GetPw !~ /^.{13}$/ ) {
# md5 pw
if ( $GetPw =~ m{\A \$.+? \$.+? \$.* \z}xms ) {
# strip Salt
$Salt =~ s/^(\$.+?\$)(.+?)\$.*$/$2/;
my $Magic = $1;
# encode output, needed by unix_md5_crypt() only non utf8 signs
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$Salt );
if ( $Magic eq '$apr1$' ) {
$CryptedPw = apache_md5_crypt( $Pw, $Salt );
}
else {
$CryptedPw = unix_md5_crypt( $Pw, $Salt );
}
$EncodeObject->EncodeInput( \$CryptedPw );
}
# sha256 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{64} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha256');
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
# sha512 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{128} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha512');
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
elsif ( $GetPw =~ m{^BCRYPT:} ) {
# require module, log errors if module was not found
if ( !$Kernel::OM->Get('Kernel::System::Main')->Require('Crypt::Eksblowfish::Bcrypt') )
{
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message =>
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
);
return;
}
# get salt and cost from stored PW string
my ( $Cost, $Salt, $Base64Hash ) = $GetPw =~ m{^BCRYPT:(\d+):(.{16}):(.*)$}xms;
# remove UTF8 flag, required by Crypt::Eksblowfish::Bcrypt
$EncodeObject->EncodeOutput( \$Pw );
# calculate password hash with the same cost and hash settings
my $Octets = Crypt::Eksblowfish::Bcrypt::bcrypt_hash(
{
key_nul => 1,
cost => $Cost,
salt => $Salt,
},
$Pw
);
$CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets);
}
# sha1 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{40} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha1');
# encode output, needed by sha1_hex() only non utf8 signs
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
# No-13-chars-long crypt pw (e.g. in Fedora28).
else {
my $SaltUser = $User;
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$SaltUser );
# Encode output, needed by crypt() only non utf8 signs.
$CryptedPw = crypt( $Pw, $SaltUser );
$EncodeObject->EncodeInput( \$CryptedPw );
}
}
# crypt pw
else {
# strip salt only for (Extended) DES, not for any of modular crypt's
if ( $Salt !~ /^\$\d\$/ ) {
$Salt =~ s/^(..).*/$1/;
}
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$Salt );
# encode output, needed by crypt() only non utf8 signs
$CryptedPw = crypt( $Pw, $Salt );
$EncodeObject->EncodeInput( \$CryptedPw );
}
# just in case!
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: '$User' tried to authenticate with Pw: '$Pw' "
. "($UserID/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
);
}
# just a note
if ( !$Pw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User authentication without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# login note
elsif ( ( $GetPw && $User && $UserID ) && $CryptedPw eq $GetPw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
return $User;
}
# just a note
elsif ( $UserID && $GetPw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
# just a note
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User doesn't exist or is invalid!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
}
sub DESTROY {
my $Self = shift;
# disconnect if it's not a parent DBObject
if ( $Self->{NotParentDBObject} ) {
if ( $Self->{DBObject} ) {
$Self->{DBObject}->Disconnect();
}
}
return 1;
}
1;
Reference in New Issue View Git Blame Copy Permalink