ivo/ponzi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactoring for dependency injection and testability.

Browse Source
This commit is contained in:
Taylor Otwell
2011-08-25 22:53:05 -05:00
parent 0b86c94551
commit 1e7850d9ba
75 changed files with 1441 additions and 1461 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
laravel/security/authenticator.php Normal file
View File

@@ -0,0 +1,170 @@
<?php namespace Laravel\Security;
use Laravel\IoC;
use Laravel\Config;
use Laravel\Session\Driver;
class Authenticator {
/**
* The current user of the application.
*
* If no user is logged in, this will be NULL. Otherwise, it will contain the result
* of the "by_id" closure in the authentication configuration file.
*
* Typically, the user should be accessed via the "user" method.
*
* @var object
*/
public $user;
/**
* The session driver being used by the Auth instance.
*
* @var Session\Driver
*/
protected $session;
/**
* The hashing engine that should be used to perform hashing.
*
* @var Hashing\Engine
*/
protected $hasher;
/**
* The key used to store the user ID in the session.
*
* @var string
*/
protected static $key = 'laravel_user_id';
/**
* Create a new Auth class instance.
*
* @param Session\Driver $driver
* @param Hashing\Engine $hasher
* @return void
*/
public function __construct(Driver $driver, Hashing\Engine $hasher)
{
$this->hasher = $hasher;
$this->session = $driver;
}
/**
* Create a new Auth class instance.
*
* If no session driver or hasher is provided, the default implementations will be used.
*
* @return Auth
*/
public static function make()
{
return IoC::container()->resolve('laravel.security.auth');
}
/**
* Determine if the current user of the application is authenticated.
*
* @see login()
* @return bool
*/
public function check()
{
return ! is_null($this->user());
}
/**
* Get the current user of the application.
*
* To retrieve the user, the user ID stored in the session will be passed to
* the "by_id" closure in the authentication configuration file. The result
* of the closure will be cached and returned.
*
* <code>
* $email = Auth::user()->email;
* </code>
*
* @return object
*/
public function user()
{
if (is_null($this->user) and $this->session->has(static::$key))
{
$this->user = call_user_func(Config::get('auth.by_id'), $this->session->get(static::$key));
}
return $this->user;
}
/**
* Attempt to log a user into your application.
*
* If the user credentials are valid. The user's ID will be stored in the session and the
* user will be considered "logged in" on subsequent requests to the application.
*
* The password passed to the method should be plain text, as it will be hashed
* by the Hash class when authenticating.
*
* <code>
* if (Auth::login('email@example.com', 'password'))
* {
* // The credentials are valid and the user is now logged in.
* }
* </code>
*
* @param string $username
* @param string $password
* @return bool
*/
public function login($username, $password)
{
if ( ! is_null($user = call_user_func(Config::get('auth.by_username'), $username)))
{
if ($this->hasher->check($password, $user->password))
{
$this->remember($user);
return true;
}
}
return false;
}
/**
* Log a user into your application.
*
* The user's ID will be stored in the session and the user will be considered
* "logged in" on subsequent requests to your application. This method is called
* by the login method after determining a user's credentials are valid.
*
* Note: The user given to this method should be an object having an "id" property.
*
* @param object $user
* @return void
*/
public function remember($user)
{
$this->user = $user;
$this->session->put(static::$key, $user->id);
}
/**
* Log the user out of your application.
*
* The user ID will be removed from the session and the user will no longer
* be considered logged in on subsequent requests to your application.
*
* @return void
*/
public function logout()
{
$this->user = null;
$this->session->forget(static::$key);
}
}

128
laravel/security/crypter.php Normal file
View File

@@ -0,0 +1,128 @@
<?php namespace Laravel\Security;
use Laravel\Config;
class Crypter {
/**
* The encryption cipher.
*
* @var string
*/
public $cipher;
/**
* The encryption mode.
*
* @var string
*/
public $mode;
/**
* The encryption key.
*
* @var string
*/
public $key;
/**
* Create a new Crypter instance.
*
* @param string $cipher
* @param string $mode
* @param string $key
* @return void
*/
public function __construct($cipher = MCRYPT_RIJNDAEL_256, $mode = 'cbc', $key = null)
{
$this->cipher = $cipher;
$this->mode = $mode;
$this->key = $key;
if (trim((string) $this->key) === '')
{
throw new \Exception('The encryption class may not be used without an encryption key.');
}
}
/**
* Create a new Crypter instance.
*
* Any cipher and mode supported by Mcrypt may be specified. For more information regarding
* the supported ciphers and modes, check out: http://php.net/manual/en/mcrypt.ciphers.php
*
* By default, the AES-256 cipher will be used in CBC mode.
*
* @param string $cipher
* @param string $mode
* @param string $key
* @return Crypt
*/
public static function make($cipher = MCRYPT_RIJNDAEL_256, $mode = 'cbc', $key = null)
{
return new static($cipher, $mode, (is_null($key)) ? Config::get('application.key') : $key);
}
/**
* Encrypt a string using Mcrypt.
*
* @param string $value
* @return string
*/
public function encrypt($value)
{
$iv = mcrypt_create_iv($this->iv_size(), $this->randomizer());
return base64_encode($iv.mcrypt_encrypt($this->cipher, $this->key, $value, $this->mode, $iv));
}
/**
* Get the random number source available to the OS.
*
* @return int
*/
protected function randomizer()
{
if (defined('MCRYPT_DEV_URANDOM'))
{
return MCRYPT_DEV_URANDOM;
}
elseif (defined('MCRYPT_DEV_RANDOM'))
{
return MCRYPT_DEV_RANDOM;
}
return MCRYPT_RAND;
}
/**
* Decrypt a string using Mcrypt.
*
* @param string $value
* @return string
*/
public function decrypt($value)
{
if ( ! is_string($value = base64_decode($value, true)))
{
throw new \Exception('Decryption error. Input value is not valid base64 data.');
}
list($iv, $value) = array(substr($value, 0, $this->iv_size()), substr($value, $this->iv_size()));
return rtrim(mcrypt_decrypt($this->cipher, $this->key, $value, $this->mode, $iv), "\0");
}
/**
* Get the input vector size for the cipher and mode.
*
* Different ciphers and modes use varying lengths of input vectors.
*
* @return int
*/
private function iv_size()
{
return mcrypt_get_iv_size($this->cipher, $this->mode);
}
}

253
laravel/security/hashing/bcrypt.php Normal file
View File

@@ -0,0 +1,253 @@
<?php namespace Laravel\Security\Hashing;
#
# Portable PHP password hashing framework.
#
# Version 0.3 / genuine.
#
# Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in
# the public domain. Revised in subsequent years, still public domain.
#
# There's absolutely no warranty.
#
# The homepage URL for this framework is:
#
# http://www.openwall.com/phpass/
#
# Please be sure to update the Version line if you edit this file in any way.
# It is suggested that you leave the main version number intact, but indicate
# your project name (after the slash) and add your own revision information.
#
# Please do not change the "private" password hashing method implemented in
# here, thereby making your hashes incompatible. However, if you must, please
# change the hash type identifier (the "$P$") to something different.
#
# Obviously, since this code is in the public domain, the above are not
# requirements (there can be none), but merely suggestions.
#
class BCrypt implements Engine {
private $itoa64;
private $iteration_count_log2;
private $portable_hashes;
private $random_state;
public function __construct($iteration_count_log2, $portable_hashes)
{
$this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31)
$iteration_count_log2 = 8;
$this->iteration_count_log2 = $iteration_count_log2;
$this->portable_hashes = $portable_hashes;
$this->random_state = microtime();
if (function_exists('getmypid'))
$this->random_state .= getmypid();
}
private function get_random_bytes($count)
{
$output = '';
if (is_readable('/dev/urandom') &&
($fh = @fopen('/dev/urandom', 'rb'))) {
$output = fread($fh, $count);
fclose($fh);
}
if (strlen($output) < $count) {
$output = '';
for ($i = 0; $i < $count; $i += 16) {
$this->random_state =
md5(microtime() . $this->random_state);
$output .=
pack('H*', md5($this->random_state));
}
$output = substr($output, 0, $count);
}
return $output;
}
private function encode64($input, $count)
{
$output = '';
$i = 0;
do {
$value = ord($input[$i++]);
$output .= $this->itoa64[$value & 0x3f];
if ($i < $count)
$value |= ord($input[$i]) << 8;
$output .= $this->itoa64[($value >> 6) & 0x3f];
if ($i++ >= $count)
break;
if ($i < $count)
$value |= ord($input[$i]) << 16;
$output .= $this->itoa64[($value >> 12) & 0x3f];
if ($i++ >= $count)
break;
$output .= $this->itoa64[($value >> 18) & 0x3f];
} while ($i < $count);
return $output;
}
private function gensalt_private($input)
{
$output = '$P$';
$output .= $this->itoa64[min($this->iteration_count_log2 +
((PHP_VERSION >= '5') ? 5 : 3), 30)];
$output .= $this->encode64($input, 6);
return $output;
}
private function crypt_private($password, $setting)
{
$output = '*0';
if (substr($setting, 0, 2) == $output)
$output = '*1';
$id = substr($setting, 0, 3);
# We use "$P$", phpBB3 uses "$H$" for the same thing
if ($id != '$P$' && $id != '$H$')
return $output;
$count_log2 = strpos($this->itoa64, $setting[3]);
if ($count_log2 < 7 || $count_log2 > 30)
return $output;
$count = 1 << $count_log2;
$salt = substr($setting, 4, 8);
if (strlen($salt) != 8)
return $output;
# We're kind of forced to use MD5 here since it's the only
# cryptographic primitive available in all versions of PHP
# currently in use. To implement our own low-level crypto
# in PHP would result in much worse performance and
# consequently in lower iteration counts and hashes that are
# quicker to crack (by non-PHP code).
if (PHP_VERSION >= '5') {
$hash = md5($salt . $password, TRUE);
do {
$hash = md5($hash . $password, TRUE);
} while (--$count);
} else {
$hash = pack('H*', md5($salt . $password));
do {
$hash = pack('H*', md5($hash . $password));
} while (--$count);
}
$output = substr($setting, 0, 12);
$output .= $this->encode64($hash, 16);
return $output;
}
private function gensalt_extended($input)
{
$count_log2 = min($this->iteration_count_log2 + 8, 24);
# This should be odd to not reveal weak DES keys, and the
# maximum valid value is (2**24 - 1) which is odd anyway.
$count = (1 << $count_log2) - 1;
$output = '_';
$output .= $this->itoa64[$count & 0x3f];
$output .= $this->itoa64[($count >> 6) & 0x3f];
$output .= $this->itoa64[($count >> 12) & 0x3f];
$output .= $this->itoa64[($count >> 18) & 0x3f];
$output .= $this->encode64($input, 3);
return $output;
}
private function gensalt_blowfish($input)
{
# This one needs to use a different order of characters and a
# different encoding scheme from the one in encode64() above.
# We care because the last character in our encoded string will
# only represent 2 bits. While two known implementations of
# bcrypt will happily accept and correct a salt string which
# has the 4 unused bits set to non-zero, we do not want to take
# chances and we also do not want to waste an additional byte
# of entropy.
$itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
$output = '$2a$';
$output .= chr(ord('0') + $this->iteration_count_log2 / 10);
$output .= chr(ord('0') + $this->iteration_count_log2 % 10);
$output .= '$';
$i = 0;
do {
$c1 = ord($input[$i++]);
$output .= $itoa64[$c1 >> 2];
$c1 = ($c1 & 0x03) << 4;
if ($i >= 16) {
$output .= $itoa64[$c1];
break;
}
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 4;
$output .= $itoa64[$c1];
$c1 = ($c2 & 0x0f) << 2;
$c2 = ord($input[$i++]);
$c1 |= $c2 >> 6;
$output .= $itoa64[$c1];
$output .= $itoa64[$c2 & 0x3f];
} while (1);
return $output;
}
public function hash($password)
{
$random = '';
if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) {
$random = $this->get_random_bytes(16);
$hash =
crypt($password, $this->gensalt_blowfish($random));
if (strlen($hash) == 60)
return $hash;
}
if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) {
if (strlen($random) < 3)
$random = $this->get_random_bytes(3);
$hash =
crypt($password, $this->gensalt_extended($random));
if (strlen($hash) == 20)
return $hash;
}
if (strlen($random) < 6)
$random = $this->get_random_bytes(6);
$hash =
$this->crypt_private($password,
$this->gensalt_private($random));
if (strlen($hash) == 34)
return $hash;
# Returning '*' on error is safe here, but would _not_ be safe
# in a crypt(3)-like function used _both_ for generating new
# hashes and for validating passwords against existing hashes.
return '*';
}
public function check($password, $stored_hash)
{
$hash = $this->crypt_private($password, $stored_hash);
if ($hash[0] == '*')
$hash = crypt($password, $stored_hash);
return $hash == $stored_hash;
}
}
?>

22
laravel/security/hashing/engine.php Normal file
View File

@@ -0,0 +1,22 @@
<?php namespace Laravel\Security\Hashing;
interface Engine {
/**
* Perform a one-way hash on a string.
*
* @param string $value
* @return string
*/
public function hash($value);
/**
* Determine if an unhashed value matches a given hash.
*
* @param string $value
* @param string $hash
* @return bool
*/
public function check($value, $hash);
}

67
laravel/security/hashing/hasher.php Normal file
View File

@@ -0,0 +1,67 @@
<?php namespace Laravel\Security\Hashing;
class Hasher {
/**
* The hashing engine being used to perform the hashing.
*
* @var Hash\Engine
*/
public $engine;
/**
* Create a new Hasher instance.
*
* If no hashing engine is provided, the BCrypt engine will be used.
*
* @param Engine $engine
* @return void
*/
public function __construct(Engine $engine = null)
{
$this->engine = (is_null($engine)) ? new BCrypt(10, false) : $engine;
}
/**
* Create a new Hasher instance.
*
* If no hashing engine is provided, the BCrypt engine will be used.
*
* @param Engine $engine
* @return Hasher
*/
public static function make(Engine $engine = null)
{
return new static($engine);
}
/**
* Magic Method for delegating method calls to the hashing engine.
*
* <code>
* // Use the hashing engine to has a value
* $hash = Hasher::make()->hash('password');
*
* // Equivalent method using the engine property
* $hash = Hasher::make()->engine->hash('password');
* </code>
*/
public function __call($method, $parameters)
{
return call_user_func_array(array($this->engine, $method), $parameters);
}
/**
* Magic Method for performing methods on the default hashing engine.
*
* <code>
* // Hash a value using the default hashing engine
* $hash = Hasher::hash('password');
* </code>
*/
public static function __callStatic($method, $parameters)
{
return call_user_func_array(array(static::make()->engine, $method), $parameters);
}
}