
Contents of /contributions/modules/securesite/securesite.module



Revision 1.43 - (show annotations) (download) (as text)
Wed Oct 29 18:58:02 2008 UTC (12 months, 3 weeks ago) by darrenoh
Branch: MAIN
CVS Tags: DRUPAL-6--2-0, HEAD
Branch point for: DRUPAL-6--2
Changes since 1.42: +33 -3 lines
File MIME type: text/x-php
Added more code comments.
Fixed theming.
#172170: Added OpenID integration.
<?php
// $Id: securesite.module,v 1.42 2008/10/22 21:03:29 darrenoh Exp $

/**
 * @file securesite.module
 *
 * Enables HTTP Auth security or an HTML form to restrict site access.
 */

/**
 * Secure Site status values.
 *
 * These say when the module restricts access. Within this file the
 * 'securesite_enabled' variable falls back to SECURESITE_403 when unset.
 */
define('SECURESITE_DISABLED', 0); // Disabled.
define('SECURESITE_ALWAYS', 1);   // Always on.
define('SECURESITE_OFFLINE', 2);  // Only when site is offline.
define('SECURESITE_403', 3);      // Only for restricted pages.

/**
 * Secure Site authentication types.
 *
 * The numeric order matters: this file sorts the enabled types numerically to
 * decide which one is checked first and which one is offered to the client.
 * The 'securesite_type' variable falls back to array(SECURESITE_BASIC).
 */
define('SECURESITE_FORM', 1);     // HTML log-in form.
define('SECURESITE_BASIC', 2);    // Web browser HTTP Auth security.
define('SECURESITE_DIGEST', 3);   // HTTP digest.
/**
 * Implementation of hook_help().
 *
 * Returns the module's help text for the 'admin/help#securesite' path. For
 * any other path nothing is returned.
 */
function securesite_help($path, $arg) {
  // Loose comparison, the same one a switch statement performs.
  if ($path == 'admin/help#securesite') {
    // The help text is produced by securesite.admin.inc, loaded on demand.
    module_load_include('inc', 'securesite', 'securesite.admin');
    return _securesite_admin_help();
  }
}
/**
 * Implementation of hook_perm().
 *
 * Declares the single permission this module defines.
 */
function securesite_perm() {
  $permissions = array();
  $permissions[] = 'access secured pages';
  return $permissions;
}
/**
 * Implementation of hook_menu().
 *
 * Registers two paths: the 'securesite_403' callback and the module's
 * settings form under admin/settings/securesite.
 */
function securesite_menu() {
  return array(
    'securesite_403' => array(
      'page callback' => '_securesite_403',
      // No access check: every visitor may request this path. Presumably it
      // serves as the access-denied page -- confirm in securesite.inc.
      'access callback' => TRUE,
      'type' => MENU_CALLBACK,
      'file' => 'securesite.inc',
    ),
    'admin/settings/securesite' => array(
      'title' => 'Secure Site',
      'description' => 'Enables HTTP Auth security or an HTML form to restrict site access.',
      'page callback' => 'drupal_get_form',
      'page arguments' => array('securesite_admin_settings'),
      // The settings form requires the site configuration permission.
      'access arguments' => array('administer site configuration'),
      'file' => 'securesite.admin.inc',
    ),
  );
}
/**
 * Implementation of hook_form_$form-id_alter().
 *
 * While Secure Site is enabled, the error reporting form's 'site_403' element
 * is replaced by a copy named 'securesite_403' whose default value comes from
 * the 'securesite_403' variable.
 */
function securesite_form_system_error_reporting_settings_alter(&$form, &$form_state) {
  // An unset 'securesite_enabled' counts as SECURESITE_403, which is truthy.
  if (!variable_get('securesite_enabled', SECURESITE_403)) {
    return;
  }
  $element = $form['site_403'];
  $element['#default_value'] = variable_get('securesite_403', '');
  $form['securesite_403'] = $element;
  // The original element is removed, so only the copy is shown and submitted.
  unset($form['site_403']);
}
/**
 * Implementation of hook_boot().
 *
 * Runs on every request. If the client sent credentials, they are handed to
 * _securesite_boot(). Otherwise, when nobody is logged in and the session is
 * not marked as a guest session, the client may be asked to authenticate.
 */
function securesite_boot() {
  global $user;

  // Did the user send credentials that we accept?
  $type = _securesite_mechanism();
  // A set, truthy 'securesite_repeat' flag means the credentials just
  // received must not be processed; the logout handler sets it.
  $repeat_pending = !empty($_SESSION['securesite_repeat']);
  if ($type !== FALSE && !$repeat_pending) {
    drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
    module_load_include('inc', 'securesite');
    _securesite_boot($type);
    return;
  }

  // Logged-in users and sessions flagged as guest are left alone.
  if (!empty($user->uid) || isset($_SESSION['securesite_guest'])) {
    return;
  }

  // Credentials are missing and the user is not logged in: request new ones.
  unset($_SESSION['securesite_repeat']);
  $types = variable_get('securesite_type', array(SECURESITE_BASIC));
  sort($types, SORT_NUMERIC);
  drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
  module_load_include('inc', 'securesite');
  if (_securesite_forced()) {
    // After the ascending sort, array_pop() yields the numerically largest
    // enabled type, and that one is used for the dialog.
    _securesite_dialog(array_pop($types));
  }
}
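/**
 * Return the authentication method used by the client, or FALSE if the client
 * did not send credentials.
 *
 * The result is computed once and kept in a static variable. As a side effect
 * the function fills in $_SERVER['PHP_AUTH_DIGEST'] or
 * $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] from a raw
 * Authorization header when one is present.
 *
 * @return
 *   SECURESITE_DIGEST, SECURESITE_BASIC or SECURESITE_FORM, or FALSE.
 */
function _securesite_mechanism() {
  static $mechanism;
  if (!isset($mechanism)) {
    // PHP in CGI mode work-arounds. Sometimes "REDIRECT_" prefixes $_SERVER
    // variables. See http://www.php.net/reserved.variables.
    if (empty($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
      $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    }
    if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
      // The header is client-controlled and may be malformed (no space after
      // the scheme, no colon in the decoded value). Missing parts are padded
      // with NULL so such a request cannot raise undefined-offset errors.
      list($scheme, $authorization) = array_pad(explode(' ', $_SERVER['HTTP_AUTHORIZATION'], 2), 2, NULL);
      switch (strtolower($scheme)) {
        case 'digest':
          // Stays NULL for a bare "Digest" header, which isset() below
          // treats as "no digest credentials".
          $_SERVER['PHP_AUTH_DIGEST'] = $authorization;
          break;
        case 'basic':
          $credentials = explode(':', base64_decode((string) $authorization), 2);
          list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = array_pad($credentials, 2, NULL);
          break;
      }
    }
    $mechanism = FALSE;
    $types = variable_get('securesite_type', array(SECURESITE_BASIC));
    // Descending order: digest is tried before basic, basic before the form.
    rsort($types, SORT_NUMERIC);
    foreach ($types as $type) {
      switch ($type) {
        case SECURESITE_DIGEST:
          if (isset($_SERVER['PHP_AUTH_DIGEST'])) {
            $mechanism = SECURESITE_DIGEST;
            break 2;
          }
          break;
        case SECURESITE_BASIC:
          if (isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['PHP_AUTH_PW'])) {
            $mechanism = SECURESITE_BASIC;
            break 2;
          }
          break;
        case SECURESITE_FORM:
          // Strict comparison: only the exact string form ID counts.
          if (isset($_POST['form_id']) && $_POST['form_id'] === 'securesite_user_login') {
            $mechanism = SECURESITE_FORM;
            break 2;
          }
          break;
      }
    }
  }
  return $mechanism;
}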
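/**
 * Implementation of hook_user().
 *
 * When digest authentication is enabled, the external password-store script
 * is run whenever a password is available (insert, load, update) and when an
 * account is deleted.
 *
 * When users logout, show the HTTP Auth dialog to make sure the HTTP Auth
 * credentials are cleared.
 */
function securesite_user($op, &$edit, &$user) {
  switch ($op) {
    case 'insert':
    case 'load':
    case 'update':
      if (in_array(SECURESITE_DIGEST, variable_get('securesite_type', array(SECURESITE_BASIC))) && isset($edit['pass'])) {
        _securesite_digest_script_exec(array(
          "name=$edit[name]",
          'realm='. variable_get('securesite_realm', variable_get('site_name', 'Drupal')),
          "pass=$edit[pass]",
        ));
        if ($user->name != $edit['name']) {
          // NOTE(review): the delete branch keys on $edit['name'], the name
          // that was just stored, not on $user->name. If the intent is to
          // drop the entry for the previous name, this removes the wrong
          // one -- confirm against stored_passwords.php.
          securesite_user('delete', $edit, $user);
        }
      }
      break;
    case 'delete':
      if (in_array(SECURESITE_DIGEST, variable_get('securesite_type', array(SECURESITE_BASIC)))) {
        _securesite_digest_script_exec(array(
          "name=$edit[name]",
          'realm='. variable_get('securesite_realm', variable_get('site_name', 'Drupal')),
          'op=delete',
        ));
      }
      break;
    case 'logout':
      $types = variable_get('securesite_type', array(SECURESITE_BASIC));
      // !empty() rather than a bare read: the session key is absent unless
      // it was set elsewhere, and a missing key must not raise a notice
      // during logout.
      if ((in_array(SECURESITE_BASIC, $types) || in_array(SECURESITE_DIGEST, $types)) && !empty($_SESSION['securesite_login'])) {
        module_load_include('inc', 'securesite');
        // Load the anonymous user.
        $user = drupal_anonymous_user();
        // Safari will attempt to use old credentials before requesting new
        // credentials from the user. Logging out requires that the
        // WWW-Authenticate header be sent twice.
        $user_agent = (isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '');
        if (strpos($user_agent, 'safari') !== FALSE) {
          session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
          session_start();
          $_SESSION['securesite_repeat'] = TRUE;
        }
        // Clear stored credentials.
        _securesite_dialog(array_pop($types));
      }
      break;
  }
}

/**
 * Runs the digest password-store script with the given arguments.
 *
 * @param $arguments
 *   List of "key=value" strings. Each one is passed through escapeshellarg()
 *   before it is placed on the command line.
 */
function _securesite_digest_script_exec($arguments) {
  // The script path comes from the 'securesite_digest_script' variable and is
  // used unescaped, so only trusted administrators should be able to set it.
  $script = variable_get('securesite_digest_script', drupal_get_path('module', 'securesite') .'/digest_md5/stored_passwords.php');
  // NOTE(review): the arguments, including the plain-text password on
  // insert/load/update, travel on the command line, where other local
  // processes may be able to read them while the script runs. An interface
  // that reads the secret from standard input would avoid that -- confirm
  // what the script supports.
  // NOTE(review): output and exit status are not checked, so a failed update
  // of the password store goes unnoticed.
  exec($script .' '. implode(' ', array_map('escapeshellarg', $arguments)));
}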
/**
 * Implementation of hook_theme().
 *
 * Registers three templates, all backed by securesite.inc: the page wrapper,
 * the log-in form and the password form.
 */
function securesite_theme() {
  // The return value is not used here. NOTE(review): the call may be kept
  // for a side effect of theme_get_registry() -- confirm before removing.
  theme_get_registry();

  $hooks = array();
  $hooks['securesite_page'] = array(
    'template' => 'securesite-page',
    'arguments' => array('content' => NULL, 'show_blocks' => FALSE, 'show_messages' => FALSE),
    'file' => 'securesite.inc',
  );
  // The two form templates differ only in their names.
  $form_templates = array(
    'securesite_user_login' => 'securesite-user-login',
    'securesite_user_pass' => 'securesite-user-pass',
  );
  foreach ($form_templates as $hook => $template) {
    $hooks[$hook] = array(
      'template' => $template,
      'arguments' => array('form' => NULL),
      'file' => 'securesite.inc',
    );
  }
  return $hooks;
}
/**
 * Alters the theme registry once it has been built.
 *
 * Gives the 'securesite_page' theme hook the same list of preprocess
 * functions as the regular 'page' hook.
 */
function securesite_theme_registry_alter(&$theme_registry) {
  $page_preprocessors = $theme_registry['page']['preprocess functions'];
  $theme_registry['securesite_page']['preprocess functions'] = $page_preprocessors;
}