[geeklog-cvs] Geeklog-1.x/system lib-webservices.php,1.35,1.36

Dirk Haun dhaun at qs1489.pair.com
Thu May 1 13:01:46 EDT 2008


Update of /cvsroot/geeklog/Geeklog-1.x/system
In directory qs1489.pair.com:/tmp/cvs-serv1723/system

Modified Files:
	lib-webservices.php 
Log Message:
It doesn't work, but I didn't want to lose the code: This is how WSSE authentication _would_ work if we had access to the user's _unencrypted_ password ...


Index: lib-webservices.php
===================================================================
RCS file: /cvsroot/geeklog/Geeklog-1.x/system/lib-webservices.php,v
retrieving revision 1.35
retrieving revision 1.36
diff -C2 -d -r1.35 -r1.36
*** lib-webservices.php	31 Mar 2008 20:03:23 -0000	1.35
--- lib-webservices.php	1 May 2008 17:01:43 -0000	1.36
***************
*** 718,722 ****
  function WS_authenticate()
  {
!     global $_CONF, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
  
      $uid = '';
--- 718,722 ----
  function WS_authenticate()
  {
!     global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;
  
      $uid = '';
***************
*** 733,736 ****
--- 733,797 ----
              COM_errorLog("WS: Attempting to log in user '$username'");
          }
+ 
+ /** this does not work! *******************************************************
+ 
+     } elseif (!empty($_SERVER['HTTP_X_WSSE']) &&
+             (strpos($_SERVER['HTTP_X_WSSE'], 'UsernameToken') !== false)) {
+ 
+         // this is loosely based on a code snippet taken from Elgg (elgg.org)
+ 
+         $wsse = str_replace('UsernameToken', '', $_SERVER['HTTP_X_WSSE']);
+         $wsse = explode(',', $wsse);
+ 
+         $username = '';
+         $pwdigest = '';
+         $created = '';
+         $nonce = '';
+ 
+         foreach ($wsse as $element) {
+             $element = explode('=', $element);
+             $key = array_shift($element);
+             if (count($element) == 1) {
+                 $val = $element[0];
+             } else {
+                 $val = implode('=', $element);
+             }
+             $key = trim($key);
+             $val = trim($val, "\x22\x27");
+             if ($key == 'Username') {
+                 $username = $val;
+             } elseif ($key == 'PasswordDigest') {
+                 $pwdigest = $val;
+             } elseif ($key == 'Created') {
+                 $created = $val;
+             } elseif ($key == 'Nonce') {
+                 $nonce = $val;
+             }
+         }
+ 
+         if (!empty($username) && !empty($pwdigest) && !empty($created) &&
+                 !empty($nonce)) {
+ 
+             $uname = addslashes($username);
+             $pwd = DB_getItem($_TABLES['users'], 'passwd',
+                               "username = '$uname'");
+             // ... and here we would need the _unencrypted_ password
+ 
+             if (!empty($pwd)) {
+                 $mydigest = pack('H*', sha1($nonce . $created . $pwd));
+                 $mydigest = base64_encode($mydigest);
+ 
+                 if ($pwdigest == $mydigest) {
+                     $password = $pwd;
+                 }   
+             }   
+         }
+ 
+         if ($WS_VERBOSE) {
+             COM_errorLog("WS: Attempting to log in user '$username' (via WSSE)");
+         }
+ 
+ ******************************************************************************/
+ 
      } elseif (!empty($_SERVER['REMOTE_USER'])) {
          /* PHP installed as CGI may not have access to authorization headers of
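Review bot: The commented-out WSSE branch checks the digest with `if ($pwdigest == $mydigest)` and never validates `$created` or records `$nonce`, so if the block is ever enabled nothing in the visible lines stops a captured X-WSSE header from being accepted again. Before enabling it, reject tokens whose `Created` falls outside a short window, remember seen nonces for that window, and compare with `hash_equals($mydigest, $pwdigest)` (PHP 5.6+) rather than a loose `==`. The lookup builds SQL from the header value via `addslashes($username)`, which is charset-dependent; use the database layer's own escaping or a bound parameter there. The `this does not work!` marker should also state the reason, e.g. `// disabled: the digest needs the cleartext password, which is only stored hashed; do not fix this by storing cleartext or by using the stored hash as the shared secret`. WS_authenticate() begins in the previous hunk and continues past the end of this one.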



