Helix SwarmHelix Swarm
Loading...

Http.php

  • //
  • guest/
  • thomas_gray/
  • jambox/
  • main/
  • swarm/
  • library/
  • Zend/
  • Authentication/
  • Adapter/
  • Http.php #1
  • View
  • Commits
  • Open Download .zip Download (26 KB) 
  1. <?php
  2. /**
  3.  * Zend Framework (http://framework.zend.com/)
  4.  *
  5.  * @link      http://github.com/zendframework/zf2 for the canonical source repository
  6.  * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
  7.  * @license   http://framework.zend.com/license/new-bsd New BSD License
  8.  */
  9.  
  10. namespace Zend\Authentication\Adapter;
  11.  
  12. use Zend\Authentication;
  13. use Zend\Http\Request as HTTPRequest;
  14. use Zend\Http\Response as HTTPResponse;
  15. use Zend\Uri\UriFactory;
  16. use Zend\Crypt\Utils as CryptUtils;
  17.  
  18. /**
  19.  * HTTP Authentication Adapter
  20.  *
  21.  * Implements a pretty good chunk of RFC 2617.
  22.  *
  23.  * @todo       Support auth-int
  24.  * @todo       Track nonces, nonce-count, opaque for replay protection and stale support
  25.  * @todo       Support Authentication-Info header
  26.  */
  27. class Http implements AdapterInterface
  28. {
  29.     /**
  30.      * Reference to the HTTP Request object
  31.      *
  32.      * @var HTTPRequest
  33.      */
  34.     protected $request;
  35.  
  36.     /**
  37.      * Reference to the HTTP Response object
  38.      *
  39.      * @var HTTPResponse
  40.      */
  41.     protected $response;
  42.  
  43.     /**
  44.      * Object that looks up user credentials for the Basic scheme
  45.      *
  46.      * @var Http\ResolverInterface
  47.      */
  48.     protected $basicResolver;
  49.  
  50.     /**
  51.      * Object that looks up user credentials for the Digest scheme
  52.      *
  53.      * @var Http\ResolverInterface
  54.      */
  55.     protected $digestResolver;
  56.  
  57.     /**
  58.      * List of authentication schemes supported by this class
  59.      *
  60.      * @var array
  61.      */
  62.     protected $supportedSchemes = array('basic', 'digest');
  63.  
  64.     /**
  65.      * List of schemes this class will accept from the client
  66.      *
  67.      * @var array
  68.      */
  69.     protected $acceptSchemes;
  70.  
  71.     /**
  72.      * Space-delimited list of protected domains for Digest Auth
  73.      *
  74.      * @var string
  75.      */
  76.     protected $domains;
  77.  
  78.     /**
  79.      * The protection realm to use
  80.      *
  81.      * @var string
  82.      */
  83.     protected $realm;
  84.  
  85.     /**
  86.      * Nonce timeout period
  87.      *
  88.      * @var int
  89.      */
  90.     protected $nonceTimeout;
  91.  
  92.     /**
  93.      * Whether to send the opaque value in the header. True by default
  94.      *
  95.      * @var bool
  96.      */
  97.     protected $useOpaque;
  98.  
  99.     /**
  100.      * List of the supported digest algorithms. I want to support both MD5 and
  101.      * MD5-sess, but MD5-sess won't make it into the first version.
  102.      *
  103.      * @var array
  104.      */
  105.     protected $supportedAlgos = array('MD5');
  106.  
  107.     /**
  108.      * The actual algorithm to use. Defaults to MD5
  109.      *
  110.      * @var string
  111.      */
  112.     protected $algo;
  113.  
  114.     /**
  115.      * List of supported qop options. My intention is to support both 'auth' and
  116.      * 'auth-int', but 'auth-int' won't make it into the first version.
  117.      *
  118.      * @var array
  119.      */
  120.     protected $supportedQops = array('auth');
  121.  
  122.     /**
  123.      * Whether or not to do Proxy Authentication instead of origin server
  124.      * authentication (send 407's instead of 401's). Off by default.
  125.      *
  126.      * @var bool
  127.      */
  128.     protected $imaProxy;
  129.  
  130.     /**
  131.      * Flag indicating the client is IE and didn't bother to return the opaque string
  132.      *
  133.      * @var bool
  134.      */
  135.     protected $ieNoOpaque;
  136.  
  137.     /**
  138.      * Constructor
  139.      *
  140.      * @param  array $config Configuration settings:
  141.      *    'accept_schemes' => 'basic'|'digest'|'basic digest'
  142.      *    'realm' => <string>
  143.      *    'digest_domains' => <string> Space-delimited list of URIs
  144.      *    'nonce_timeout' => <int>
  145.      *    'use_opaque' => <bool> Whether to send the opaque value in the header
  146.      *    'algorithm' => <string> See $supportedAlgos. Default: MD5
  147.      *    'proxy_auth' => <bool> Whether to do authentication as a Proxy
  148.      * @throws Exception\InvalidArgumentException
  149.      */
  150.     public function __construct(array $config)
  151.     {
  152.         $this->request  = null;
  153.         $this->response = null;
  154.         $this->ieNoOpaque = false;
  155.  
  156.         if (empty($config['accept_schemes'])) {
  157.             throw new Exception\InvalidArgumentException('Config key "accept_schemes" is required');
  158.         }
  159.  
  160.         $schemes = explode(' ', $config['accept_schemes']);
  161.         $this->acceptSchemes = array_intersect($schemes, $this->supportedSchemes);
  162.         if (empty($this->acceptSchemes)) {
  163.             throw new Exception\InvalidArgumentException(sprintf(
  164.                 'No supported schemes given in "accept_schemes". Valid values: %s',
  165.                 implode(', ', $this->supportedSchemes)
  166.             ));
  167.         }
  168.  
  169.         // Double-quotes are used to delimit the realm string in the HTTP header,
  170.         // and colons are field delimiters in the password file.
  171.         if (empty($config['realm']) ||
  172.             !ctype_print($config['realm']) ||
  173.             strpos($config['realm'], ':') !== false ||
  174.             strpos($config['realm'], '"') !== false) {
  175.             throw new Exception\InvalidArgumentException(
  176.                 'Config key \'realm\' is required, and must contain only printable characters,'
  177.                 . 'excluding quotation marks and colons'
  178.             );
  179.         } else {
  180.             $this->realm = $config['realm'];
  181.         }
  182.  
  183.         if (in_array('digest', $this->acceptSchemes)) {
  184.             if (empty($config['digest_domains']) ||
  185.                 !ctype_print($config['digest_domains']) ||
  186.                 strpos($config['digest_domains'], '"') !== false) {
  187.                 throw new Exception\InvalidArgumentException(
  188.                     'Config key \'digest_domains\' is required, and must contain '
  189.                     . 'only printable characters, excluding quotation marks'
  190.                 );
  191.             } else {
  192.                 $this->domains = $config['digest_domains'];
  193.             }
  194.  
  195.             if (empty($config['nonce_timeout']) ||
  196.                 !is_numeric($config['nonce_timeout'])) {
  197.                 throw new Exception\InvalidArgumentException(
  198.                     'Config key \'nonce_timeout\' is required, and must be an integer'
  199.                 );
  200.             } else {
  201.                 $this->nonceTimeout = (int) $config['nonce_timeout'];
  202.             }
  203.  
  204.             // We use the opaque value unless explicitly told not to
  205.             if (isset($config['use_opaque']) && false == (bool) $config['use_opaque']) {
  206.                 $this->useOpaque = false;
  207.             } else {
  208.                 $this->useOpaque = true;
  209.             }
  210.  
  211.             if (isset($config['algorithm']) && in_array($config['algorithm'], $this->supportedAlgos)) {
  212.                 $this->algo = $config['algorithm'];
  213.             } else {
  214.                 $this->algo = 'MD5';
  215.             }
  216.         }
  217.  
  218.         // Don't be a proxy unless explicitly told to do so
  219.         if (isset($config['proxy_auth']) && true == (bool) $config['proxy_auth']) {
  220.             $this->imaProxy = true;  // I'm a Proxy
  221.         } else {
  222.             $this->imaProxy = false;
  223.         }
  224.     }
  225.  
  226.     /**
  227.      * Setter for the basicResolver property
  228.      *
  229.      * @param  Http\ResolverInterface $resolver
  230.      * @return Http Provides a fluent interface
  231.      */
  232.     public function setBasicResolver(Http\ResolverInterface $resolver)
  233.     {
  234.         $this->basicResolver = $resolver;
  235.  
  236.         return $this;
  237.     }
  238.  
  239.     /**
  240.      * Getter for the basicResolver property
  241.      *
  242.      * @return Http\ResolverInterface
  243.      */
  244.     public function getBasicResolver()
  245.     {
  246.         return $this->basicResolver;
  247.     }
  248.  
  249.     /**
  250.      * Setter for the digestResolver property
  251.      *
  252.      * @param  Http\ResolverInterface $resolver
  253.      * @return Http Provides a fluent interface
  254.      */
  255.     public function setDigestResolver(Http\ResolverInterface $resolver)
  256.     {
  257.         $this->digestResolver = $resolver;
  258.  
  259.         return $this;
  260.     }
  261.  
  262.     /**
  263.      * Getter for the digestResolver property
  264.      *
  265.      * @return Http\ResolverInterface
  266.      */
  267.     public function getDigestResolver()
  268.     {
  269.         return $this->digestResolver;
  270.     }
  271.  
  272.     /**
  273.      * Setter for the Request object
  274.      *
  275.      * @param  HTTPRequest $request
  276.      * @return Http Provides a fluent interface
  277.      */
  278.     public function setRequest(HTTPRequest $request)
  279.     {
  280.         $this->request = $request;
  281.  
  282.         return $this;
  283.     }
  284.  
  285.     /**
  286.      * Getter for the Request object
  287.      *
  288.      * @return HTTPRequest
  289.      */
  290.     public function getRequest()
  291.     {
  292.         return $this->request;
  293.     }
  294.  
  295.     /**
  296.      * Setter for the Response object
  297.      *
  298.      * @param  HTTPResponse $response
  299.      * @return Http Provides a fluent interface
  300.      */
  301.     public function setResponse(HTTPResponse $response)
  302.     {
  303.         $this->response = $response;
  304.  
  305.         return $this;
  306.     }
  307.  
  308.     /**
  309.      * Getter for the Response object
  310.      *
  311.      * @return HTTPResponse
  312.      */
  313.     public function getResponse()
  314.     {
  315.         return $this->response;
  316.     }
  317.  
  318.     /**
  319.      * Authenticate
  320.      *
  321.      * @throws Exception\RuntimeException
  322.      * @return Authentication\Result
  323.      */
  324.     public function authenticate()
  325.     {
  326.         if (empty($this->request) || empty($this->response)) {
  327.             throw new Exception\RuntimeException('Request and Response objects must be set before calling '
  328.                                                 . 'authenticate()');
  329.         }
  330.  
  331.         if ($this->imaProxy) {
  332.             $getHeader = 'Proxy-Authorization';
  333.         } else {
  334.             $getHeader = 'Authorization';
  335.         }
  336.  
  337.         $headers = $this->request->getHeaders();
  338.         if (!$headers->has($getHeader)) {
  339.             return $this->_challengeClient();
  340.         }
  341.         $authHeader = $headers->get($getHeader)->getFieldValue();
  342.         if (!$authHeader) {
  343.             return $this->_challengeClient();
  344.         }
  345.  
  346.         list($clientScheme) = explode(' ', $authHeader);
  347.         $clientScheme = strtolower($clientScheme);
  348.  
  349.         // The server can issue multiple challenges, but the client should
  350.         // answer with only the selected auth scheme.
  351.         if (!in_array($clientScheme, $this->supportedSchemes)) {
  352.             $this->response->setStatusCode(400);
  353.             return new Authentication\Result(
  354.                 Authentication\Result::FAILURE_UNCATEGORIZED,
  355.                 array(),
  356.                 array('Client requested an incorrect or unsupported authentication scheme')
  357.             );
  358.         }
  359.  
  360.         // client sent a scheme that is not the one required
  361.         if (!in_array($clientScheme, $this->acceptSchemes)) {
  362.             // challenge again the client
  363.             return $this->_challengeClient();
  364.         }
  365.  
  366.         switch ($clientScheme) {
  367.             case 'basic':
  368.                 $result = $this->_basicAuth($authHeader);
  369.                 break;
  370.             case 'digest':
  371.                 $result = $this->_digestAuth($authHeader);
  372.                 break;
  373.             default:
  374.                 throw new Exception\RuntimeException('Unsupported authentication scheme: ' . $clientScheme);
  375.         }
  376.  
  377.         return $result;
  378.     }
  379.  
  380.     /**
  381.      * Challenge Client
  382.      *
  383.      * Sets a 401 or 407 Unauthorized response code, and creates the
  384.      * appropriate Authenticate header(s) to prompt for credentials.
  385.      *
  386.      * @return Authentication\Result Always returns a non-identity Auth result
  387.      */
  388.     protected function _challengeClient()
  389.     {
  390.         if ($this->imaProxy) {
  391.             $statusCode = 407;
  392.             $headerName = 'Proxy-Authenticate';
  393.         } else {
  394.             $statusCode = 401;
  395.             $headerName = 'WWW-Authenticate';
  396.         }
  397.  
  398.         $this->response->setStatusCode($statusCode);
  399.  
  400.         // Send a challenge in each acceptable authentication scheme
  401.         $headers = $this->response->getHeaders();
  402.         if (in_array('basic', $this->acceptSchemes)) {
  403.             $headers->addHeaderLine($headerName, $this->_basicHeader());
  404.         }
  405.         if (in_array('digest', $this->acceptSchemes)) {
  406.             $headers->addHeaderLine($headerName, $this->_digestHeader());
  407.         }
  408.         return new Authentication\Result(
  409.             Authentication\Result::FAILURE_CREDENTIAL_INVALID,
  410.             array(),
  411.             array('Invalid or absent credentials; challenging client')
  412.         );
  413.     }
  414.  
  415.     /**
  416.      * Basic Header
  417.      *
  418.      * Generates a Proxy- or WWW-Authenticate header value in the Basic
  419.      * authentication scheme.
  420.      *
  421.      * @return string Authenticate header value
  422.      */
  423.     protected function _basicHeader()
  424.     {
  425.         return 'Basic realm="' . $this->realm . '"';
  426.     }
  427.  
  428.     /**
  429.      * Digest Header
  430.      *
  431.      * Generates a Proxy- or WWW-Authenticate header value in the Digest
  432.      * authentication scheme.
  433.      *
  434.      * @return string Authenticate header value
  435.      */
  436.     protected function _digestHeader()
  437.     {
  438.         $wwwauth = 'Digest realm="' . $this->realm . '", '
  439.                  . 'domain="' . $this->domains . '", '
  440.                  . 'nonce="' . $this->_calcNonce() . '", '
  441.                  . ($this->useOpaque ? 'opaque="' . $this->_calcOpaque() . '", ' : '')
  442.                  . 'algorithm="' . $this->algo . '", '
  443.                  . 'qop="' . implode(',', $this->supportedQops) . '"';
  444.  
  445.         return $wwwauth;
  446.     }
  447.  
  448.     /**
  449.      * Basic Authentication
  450.      *
  451.      * @param  string $header Client's Authorization header
  452.      * @throws Exception\ExceptionInterface
  453.      * @return Authentication\Result
  454.      */
  455.     protected function _basicAuth($header)
  456.     {
  457.         if (empty($header)) {
  458.             throw new Exception\RuntimeException('The value of the client Authorization header is required');
  459.         }
  460.         if (empty($this->basicResolver)) {
  461.             throw new Exception\RuntimeException(
  462.                 'A basicResolver object must be set before doing Basic '
  463.                 . 'authentication');
  464.         }
  465.  
  466.         // Decode the Authorization header
  467.         $auth = substr($header, strlen('Basic '));
  468.         $auth = base64_decode($auth);
  469.         if (!$auth) {
  470.             throw new Exception\RuntimeException('Unable to base64_decode Authorization header value');
  471.         }
  472.  
  473.         // See ZF-1253. Validate the credentials the same way the digest
  474.         // implementation does. If invalid credentials are detected,
  475.         // re-challenge the client.
  476.         if (!ctype_print($auth)) {
  477.             return $this->_challengeClient();
  478.         }
  479.         // Fix for ZF-1515: Now re-challenges on empty username or password
  480.         $creds = array_filter(explode(':', $auth));
  481.         if (count($creds) != 2) {
  482.             return $this->_challengeClient();
  483.         }
  484.  
  485.         $result = $this->basicResolver->resolve($creds[0], $this->realm, $creds[1]);
  486.  
  487.         if ($result instanceof Authentication\Result && $result->isValid()) {
  488.             return $result;
  489.         }
  490.  
  491.         if (!$result instanceof Authentication\Result
  492.             && !is_array($result)
  493.             && CryptUtils::compareStrings($result, $creds[1])
  494.         ) {
  495.             $identity = array('username' => $creds[0], 'realm' => $this->realm);
  496.             return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
  497.         } elseif (is_array($result)) {
  498.             return new Authentication\Result(Authentication\Result::SUCCESS, $result);
  499.         }
  500.  
  501.         return $this->_challengeClient();
  502.     }
  503.  
  504.     /**
  505.      * Digest Authentication
  506.      *
  507.      * @param  string $header Client's Authorization header
  508.      * @throws Exception\ExceptionInterface
  509.      * @return Authentication\Result Valid auth result only on successful auth
  510.      */
  511.     protected function _digestAuth($header)
  512.     {
  513.         if (empty($header)) {
  514.             throw new Exception\RuntimeException('The value of the client Authorization header is required');
  515.         }
  516.         if (empty($this->digestResolver)) {
  517.             throw new Exception\RuntimeException('A digestResolver object must be set before doing Digest authentication');
  518.         }
  519.  
  520.         $data = $this->_parseDigestAuth($header);
  521.         if ($data === false) {
  522.             $this->response->setStatusCode(400);
  523.             return new Authentication\Result(
  524.                 Authentication\Result::FAILURE_UNCATEGORIZED,
  525.                 array(),
  526.                 array('Invalid Authorization header format')
  527.             );
  528.         }
  529.  
  530.         // See ZF-1052. This code was a bit too unforgiving of invalid
  531.         // usernames. Now, if the username is bad, we re-challenge the client.
  532.         if ('::invalid::' == $data['username']) {
  533.             return $this->_challengeClient();
  534.         }
  535.  
  536.         // Verify that the client sent back the same nonce
  537.         if ($this->_calcNonce() != $data['nonce']) {
  538.             return $this->_challengeClient();
  539.         }
  540.         // The opaque value is also required to match, but of course IE doesn't
  541.         // play ball.
  542.         if (!$this->ieNoOpaque && $this->_calcOpaque() != $data['opaque']) {
  543.             return $this->_challengeClient();
  544.         }
  545.  
  546.         // Look up the user's password hash. If not found, deny access.
  547.         // This makes no assumptions about how the password hash was
  548.         // constructed beyond that it must have been built in such a way as
  549.         // to be recreatable with the current settings of this object.
  550.         $ha1 = $this->digestResolver->resolve($data['username'], $data['realm']);
  551.         if ($ha1 === false) {
  552.             return $this->_challengeClient();
  553.         }
  554.  
  555.         // If MD5-sess is used, a1 value is made of the user's password
  556.         // hash with the server and client nonce appended, separated by
  557.         // colons.
  558.         if ($this->algo == 'MD5-sess') {
  559.             $ha1 = hash('md5', $ha1 . ':' . $data['nonce'] . ':' . $data['cnonce']);
  560.         }
  561.  
  562.         // Calculate h(a2). The value of this hash depends on the qop
  563.         // option selected by the client and the supported hash functions
  564.         switch ($data['qop']) {
  565.             case 'auth':
  566.                 $a2 = $this->request->getMethod() . ':' . $data['uri'];
  567.                 break;
  568.             case 'auth-int':
  569.                 // Should be REQUEST_METHOD . ':' . uri . ':' . hash(entity-body),
  570.                 // but this isn't supported yet, so fall through to default case
  571.             default:
  572.                 throw new Exception\RuntimeException('Client requested an unsupported qop option');
  573.         }
  574.         // Using hash() should make parameterizing the hash algorithm
  575.         // easier
  576.         $ha2 = hash('md5', $a2);
  577.  
  578.  
  579.         // Calculate the server's version of the request-digest. This must
  580.         // match $data['response']. See RFC 2617, section 3.2.2.1
  581.         $message = $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' . $ha2;
  582.         $digest  = hash('md5', $ha1 . ':' . $message);
  583.  
  584.         // If our digest matches the client's let them in, otherwise return
  585.         // a 401 code and exit to prevent access to the protected resource.
  586.         if (CryptUtils::compareStrings($digest, $data['response'])) {
  587.             $identity = array('username' => $data['username'], 'realm' => $data['realm']);
  588.             return new Authentication\Result(Authentication\Result::SUCCESS, $identity);
  589.         }
  590.  
  591.         return $this->_challengeClient();
  592.     }
  593.  
  594.     /**
  595.      * Calculate Nonce
  596.      *
  597.      * @return string The nonce value
  598.      */
  599.     protected function _calcNonce()
  600.     {
  601.         // Once subtle consequence of this timeout calculation is that it
  602.         // actually divides all of time into nonceTimeout-sized sections, such
  603.         // that the value of timeout is the point in time of the next
  604.         // approaching "boundary" of a section. This allows the server to
  605.         // consistently generate the same timeout (and hence the same nonce
  606.         // value) across requests, but only as long as one of those
  607.         // "boundaries" is not crossed between requests. If that happens, the
  608.         // nonce will change on its own, and effectively log the user out. This
  609.         // would be surprising if the user just logged in.
  610.         $timeout = ceil(time() / $this->nonceTimeout) * $this->nonceTimeout;
  611.  
  612.         $userAgentHeader = $this->request->getHeaders()->get('User-Agent');
  613.         if ($userAgentHeader) {
  614.             $userAgent = $userAgentHeader->getFieldValue();
  615.         } elseif (isset($_SERVER['HTTP_USER_AGENT'])) {
  616.             $userAgent = $_SERVER['HTTP_USER_AGENT'];
  617.         } else {
  618.             $userAgent = 'Zend_Authenticaion';
  619.         }
  620.         $nonce = hash('md5', $timeout . ':' . $userAgent . ':' . __CLASS__);
  621.         return $nonce;
  622.     }
  623.  
  624.     /**
  625.      * Calculate Opaque
  626.      *
  627.      * The opaque string can be anything; the client must return it exactly as
  628.      * it was sent. It may be useful to store data in this string in some
  629.      * applications. Ideally, a new value for this would be generated each time
  630.      * a WWW-Authenticate header is sent (in order to reduce predictability),
  631.      * but we would have to be able to create the same exact value across at
  632.      * least two separate requests from the same client.
  633.      *
  634.      * @return string The opaque value
  635.      */
  636.     protected function _calcOpaque()
  637.     {
  638.         return hash('md5', 'Opaque Data:' . __CLASS__);
  639.     }
  640.  
  641.     /**
  642.      * Parse Digest Authorization header
  643.      *
  644.      * @param  string $header Client's Authorization: HTTP header
  645.      * @return array|bool Data elements from header, or false if any part of
  646.      *                    the header is invalid
  647.      */
  648.     protected function _parseDigestAuth($header)
  649.     {
  650.         $temp = null;
  651.         $data = array();
  652.  
  653.         // See ZF-1052. Detect invalid usernames instead of just returning a
  654.         // 400 code.
  655.         $ret = preg_match('/username="([^"]+)"/', $header, $temp);
  656.         if (!$ret || empty($temp[1])
  657.                   || !ctype_print($temp[1])
  658.                   || strpos($temp[1], ':') !== false) {
  659.             $data['username'] = '::invalid::';
  660.         } else {
  661.             $data['username'] = $temp[1];
  662.         }
  663.         $temp = null;
  664.  
  665.         $ret = preg_match('/realm="([^"]+)"/', $header, $temp);
  666.         if (!$ret || empty($temp[1])) {
  667.             return false;
  668.         }
  669.         if (!ctype_print($temp[1]) || strpos($temp[1], ':') !== false) {
  670.             return false;
  671.         } else {
  672.             $data['realm'] = $temp[1];
  673.         }
  674.         $temp = null;
  675.  
  676.         $ret = preg_match('/nonce="([^"]+)"/', $header, $temp);
  677.         if (!$ret || empty($temp[1])) {
  678.             return false;
  679.         }
  680.         if (!ctype_xdigit($temp[1])) {
  681.             return false;
  682.         }
  683.  
  684.         $data['nonce'] = $temp[1];
  685.         $temp = null;
  686.  
  687.         $ret = preg_match('/uri="([^"]+)"/', $header, $temp);
  688.         if (!$ret || empty($temp[1])) {
  689.             return false;
  690.         }
  691.         // Section 3.2.2.5 in RFC 2617 says the authenticating server must
  692.         // verify that the URI field in the Authorization header is for the
  693.         // same resource requested in the Request Line.
  694.         $rUri = $this->request->getUri();
  695.         $cUri = UriFactory::factory($temp[1]);
  696.  
  697.         // Make sure the path portion of both URIs is the same
  698.         if ($rUri->getPath() != $cUri->getPath()) {
  699.             return false;
  700.         }
  701.  
  702.         // Section 3.2.2.5 seems to suggest that the value of the URI
  703.         // Authorization field should be made into an absolute URI if the
  704.         // Request URI is absolute, but it's vague, and that's a bunch of
  705.         // code I don't want to write right now.
  706.         $data['uri'] = $temp[1];
  707.         $temp = null;
  708.  
  709.         $ret = preg_match('/response="([^"]+)"/', $header, $temp);
  710.         if (!$ret || empty($temp[1])) {
  711.             return false;
  712.         }
  713.         if (32 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
  714.             return false;
  715.         }
  716.  
  717.         $data['response'] = $temp[1];
  718.         $temp = null;
  719.  
  720.         // The spec says this should default to MD5 if omitted. OK, so how does
  721.         // that square with the algo we send out in the WWW-Authenticate header,
  722.         // if it can easily be overridden by the client?
  723.         $ret = preg_match('/algorithm="?(' . $this->algo . ')"?/', $header, $temp);
  724.         if ($ret && !empty($temp[1])
  725.                  && in_array($temp[1], $this->supportedAlgos)) {
  726.             $data['algorithm'] = $temp[1];
  727.         } else {
  728.             $data['algorithm'] = 'MD5';  // = $this->algo; ?
  729.         }
  730.         $temp = null;
  731.  
  732.         // Not optional in this implementation
  733.         $ret = preg_match('/cnonce="([^"]+)"/', $header, $temp);
  734.         if (!$ret || empty($temp[1])) {
  735.             return false;
  736.         }
  737.         if (!ctype_print($temp[1])) {
  738.             return false;
  739.         }
  740.  
  741.         $data['cnonce'] = $temp[1];
  742.         $temp = null;
  743.  
  744.         // If the server sent an opaque value, the client must send it back
  745.         if ($this->useOpaque) {
  746.             $ret = preg_match('/opaque="([^"]+)"/', $header, $temp);
  747.             if (!$ret || empty($temp[1])) {
  748.  
  749.                 // Big surprise: IE isn't RFC 2617-compliant.
  750.                 $headers = $this->request->getHeaders();
  751.                 if (!$headers->has('User-Agent')) {
  752.                     return false;
  753.                 }
  754.                 $userAgent = $headers->get('User-Agent')->getFieldValue();
  755.                 if (false === strpos($userAgent, 'MSIE')) {
  756.                     return false;
  757.                 }
  758.  
  759.                 $temp[1] = '';
  760.                 $this->ieNoOpaque = true;
  761.             }
  762.  
  763.             // This implementation only sends MD5 hex strings in the opaque value
  764.             if (!$this->ieNoOpaque &&
  765.                 (32 != strlen($temp[1]) || !ctype_xdigit($temp[1]))) {
  766.                 return false;
  767.             }
  768.  
  769.             $data['opaque'] = $temp[1];
  770.             $temp = null;
  771.         }
  772.  
  773.         // Not optional in this implementation, but must be one of the supported
  774.         // qop types
  775.         $ret = preg_match('/qop="?(' . implode('|', $this->supportedQops) . ')"?/', $header, $temp);
  776.         if (!$ret || empty($temp[1])) {
  777.             return false;
  778.         }
  779.         if (!in_array($temp[1], $this->supportedQops)) {
  780.             return false;
  781.         }
  782.  
  783.         $data['qop'] = $temp[1];
  784.         $temp = null;
  785.  
  786.         // Not optional in this implementation. The spec says this value
  787.         // shouldn't be a quoted string, but apparently some implementations
  788.         // quote it anyway. See ZF-1544.
  789.         $ret = preg_match('/nc="?([0-9A-Fa-f]{8})"?/', $header, $temp);
  790.         if (!$ret || empty($temp[1])) {
  791.             return false;
  792.         }
  793.         if (8 != strlen($temp[1]) || !ctype_xdigit($temp[1])) {
  794.             return false;
  795.         }
  796.  
  797.         $data['nc'] = $temp[1];
  798.         $temp = null;
  799.  
  800.         return $data;
  801.     }
  802. }
# Change User Description Committed
#1 18334 Liz Lam initial add of jambox 9 years ago