294 lines
8.4 KiB
Perl
294 lines
8.4 KiB
Perl
# --
|
|
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
|
# --
|
|
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
|
# the enclosed file COPYING for license information (GPL). If you
|
|
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
|
# --
|
|
|
|
package Kernel::System::Auth::DB;
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use Crypt::PasswdMD5 qw(unix_md5_crypt apache_md5_crypt);
|
|
use Digest::SHA;
|
|
|
|
our @ObjectDependencies = (
|
|
'Kernel::Config',
|
|
'Kernel::System::DB',
|
|
'Kernel::System::Encode',
|
|
'Kernel::System::Log',
|
|
'Kernel::System::Main',
|
|
'Kernel::System::Valid',
|
|
);
|
|
|
|
sub new {
|
|
my ( $Type, %Param ) = @_;
|
|
|
|
# allocate new hash for object
|
|
my $Self = {};
|
|
bless( $Self, $Type );
|
|
|
|
# Debug 0=off 1=on
|
|
$Self->{Debug} = 0;
|
|
|
|
# get config object
|
|
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
|
|
|
# get user table
|
|
$Self->{UserTable} = $ConfigObject->Get( 'DatabaseUserTable' . $Param{Count} )
|
|
|| 'users';
|
|
$Self->{UserTableUserID} = $ConfigObject->Get( 'DatabaseUserTableUserID' . $Param{Count} )
|
|
|| 'id';
|
|
$Self->{UserTableUserPW} = $ConfigObject->Get( 'DatabaseUserTableUserPW' . $Param{Count} )
|
|
|| 'pw';
|
|
$Self->{UserTableUser} = $ConfigObject->Get( 'DatabaseUserTableUser' . $Param{Count} )
|
|
|| 'login';
|
|
|
|
return $Self;
|
|
}
|
|
|
|
sub GetOption {
|
|
my ( $Self, %Param ) = @_;
|
|
|
|
# check needed stuff
|
|
if ( !$Param{What} ) {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'error',
|
|
Message => "Need What!"
|
|
);
|
|
return;
|
|
}
|
|
|
|
# module options
|
|
my %Option = (
|
|
PreAuth => 0,
|
|
);
|
|
|
|
# return option
|
|
return $Option{ $Param{What} };
|
|
}
|
|
|
|
sub Auth {
|
|
my ( $Self, %Param ) = @_;
|
|
|
|
# check needed stuff
|
|
if ( !$Param{User} ) {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'error',
|
|
Message => "Need User!"
|
|
);
|
|
return;
|
|
}
|
|
|
|
# get params
|
|
my $User = $Param{User} || '';
|
|
my $Pw = $Param{Pw} || '';
|
|
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
|
my $UserID = '';
|
|
my $GetPw = '';
|
|
my $Method;
|
|
|
|
# get database object
|
|
my $DBObject = $Kernel::OM->Get('Kernel::System::DB');
|
|
|
|
# sql query
|
|
my $SQL = "SELECT $Self->{UserTableUserPW}, $Self->{UserTableUserID}, $Self->{UserTableUser} "
|
|
. " FROM "
|
|
. " $Self->{UserTable} "
|
|
. " WHERE "
|
|
. " valid_id IN ( ${\(join ', ', $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet())} ) AND "
|
|
. " $Self->{UserTableUser} = '" . $DBObject->Quote($User) . "'";
|
|
$DBObject->Prepare( SQL => $SQL );
|
|
|
|
while ( my @Row = $DBObject->FetchrowArray() ) {
|
|
$GetPw = $Row[0];
|
|
$UserID = $Row[1];
|
|
$User = $Row[2];
|
|
}
|
|
|
|
# get needed objects
|
|
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
|
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
|
|
|
# crypt given pw
|
|
my $CryptedPw = '';
|
|
my $Salt = $GetPw;
|
|
if (
|
|
$ConfigObject->Get('AuthModule::DB::CryptType')
|
|
&& $ConfigObject->Get('AuthModule::DB::CryptType') eq 'plain'
|
|
)
|
|
{
|
|
$CryptedPw = $Pw;
|
|
$Method = 'plain';
|
|
}
|
|
|
|
# md5, bcrypt or sha pw
|
|
elsif ( $GetPw !~ /^.{13}$/ ) {
|
|
|
|
# md5 pw
|
|
if ( $GetPw =~ m{\A \$.+? \$.+? \$.* \z}xms ) {
|
|
|
|
# strip Salt
|
|
$Salt =~ s/^(\$.+?\$)(.+?)\$.*$/$2/;
|
|
my $Magic = $1;
|
|
|
|
# encode output, needed by unix_md5_crypt() only non utf8 signs
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
$EncodeObject->EncodeOutput( \$Salt );
|
|
|
|
if ( $Magic eq '$apr1$' ) {
|
|
$CryptedPw = apache_md5_crypt( $Pw, $Salt );
|
|
$Method = 'apache_md5_crypt';
|
|
}
|
|
else {
|
|
$CryptedPw = unix_md5_crypt( $Pw, $Salt );
|
|
$Method = 'unix_md5_crypt';
|
|
}
|
|
|
|
}
|
|
|
|
# sha256 pw
|
|
elsif ( $GetPw =~ m{\A [0-9a-f]{64} \z}xmsi ) {
|
|
|
|
my $SHAObject = Digest::SHA->new('sha256');
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
$SHAObject->add($Pw);
|
|
$CryptedPw = $SHAObject->hexdigest();
|
|
$Method = 'sha256';
|
|
}
|
|
|
|
# sha512 pw
|
|
elsif ( $GetPw =~ m{\A [0-9a-f]{128} \z}xmsi ) {
|
|
|
|
my $SHAObject = Digest::SHA->new('sha512');
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
$SHAObject->add($Pw);
|
|
$CryptedPw = $SHAObject->hexdigest();
|
|
$Method = 'sha256';
|
|
}
|
|
|
|
elsif ( $GetPw =~ m{^BCRYPT:} ) {
|
|
|
|
# require module, log errors if module was not found
|
|
if ( !$Kernel::OM->Get('Kernel::System::Main')->Require('Crypt::Eksblowfish::Bcrypt') )
|
|
{
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'error',
|
|
Message =>
|
|
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
|
|
);
|
|
return;
|
|
}
|
|
|
|
# get salt and cost from stored PW string
|
|
my ( $Cost, $Salt, $Base64Hash ) = $GetPw =~ m{^BCRYPT:(\d+):(.{16}):(.*)$}xms;
|
|
|
|
# remove UTF8 flag, required by Crypt::Eksblowfish::Bcrypt
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
|
|
# calculate password hash with the same cost and hash settings
|
|
my $Octets = Crypt::Eksblowfish::Bcrypt::bcrypt_hash(
|
|
{
|
|
key_nul => 1,
|
|
cost => $Cost,
|
|
salt => $Salt,
|
|
},
|
|
$Pw
|
|
);
|
|
|
|
$CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets);
|
|
$Method = 'bcrypt';
|
|
}
|
|
|
|
# sha1 pw
|
|
elsif ( $GetPw =~ m{\A [0-9a-f]{40} \z}xmsi ) {
|
|
|
|
my $SHAObject = Digest::SHA->new('sha1');
|
|
|
|
# encode output, needed by sha1_hex() only non utf8 signs
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
|
|
$SHAObject->add($Pw);
|
|
$CryptedPw = $SHAObject->hexdigest();
|
|
$Method = 'sha1';
|
|
}
|
|
|
|
# No-13-chars-long crypt pw (e.g. in Fedora28).
|
|
else {
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
$EncodeObject->EncodeOutput( \$User );
|
|
|
|
# Encode output, needed by crypt() only non utf8 signs.
|
|
$CryptedPw = crypt( $Pw, $User );
|
|
$EncodeObject->EncodeInput( \$CryptedPw );
|
|
$Method = 'crypt';
|
|
}
|
|
}
|
|
|
|
# crypt pw
|
|
else {
|
|
|
|
# strip Salt only for (Extended) DES, not for any of Modular crypt's
|
|
if ( $Salt !~ /^\$\d\$/ ) {
|
|
$Salt =~ s/^(..).*/$1/;
|
|
}
|
|
|
|
# encode output, needed by crypt() only non utf8 signs
|
|
$EncodeObject->EncodeOutput( \$Pw );
|
|
$EncodeObject->EncodeOutput( \$Salt );
|
|
$CryptedPw = crypt( $Pw, $Salt );
|
|
$Method = 'crypt';
|
|
}
|
|
|
|
# just in case for debug!
|
|
if ( $Self->{Debug} > 0 ) {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'notice',
|
|
Message =>
|
|
"User: '$User' tried to authenticate with Pw: '$Pw' ($UserID/$Method/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
|
|
);
|
|
}
|
|
|
|
# just a note
|
|
if ( !$Pw ) {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'notice',
|
|
Message => "User: $User without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
|
|
);
|
|
return;
|
|
}
|
|
|
|
# login note
|
|
elsif ( ( ($GetPw) && ($User) && ($UserID) ) && $CryptedPw eq $GetPw ) {
|
|
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'notice',
|
|
Message => "User: $User authentication ok (Method: $Method, REMOTE_ADDR: $RemoteAddr).",
|
|
);
|
|
return $User;
|
|
}
|
|
|
|
# just a note
|
|
elsif ( ($UserID) && ($GetPw) ) {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'notice',
|
|
Message =>
|
|
"User: $User authentication with wrong Pw!!! (Method: $Method, REMOTE_ADDR: $RemoteAddr)"
|
|
);
|
|
return;
|
|
}
|
|
|
|
# just a note
|
|
else {
|
|
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
|
Priority => 'notice',
|
|
Message => "User: $User doesn't exist or is invalid!!! (REMOTE_ADDR: $RemoteAddr)"
|
|
);
|
|
return;
|
|
}
|
|
}
|
|
|
|
1;
|