/
Digest.php
137 lines (126 loc) · 3.85 KB
/
Digest.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
<?php
/**
* CakePHP(tm) : Rapid Development Framework (http://cakephp.org)
* Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
*
* Licensed under The MIT License
* Redistributions of files must retain the above copyright notice.
*
* @copyright Copyright 2005-2012, Cake Software Foundation, Inc. (http://cakefoundation.org)
* @link http://cakephp.org CakePHP(tm) Project
* @since CakePHP(tm) v 3.0.0
* @license MIT License (http://www.opensource.org/licenses/mit-license.php)
*/
namespace Cake\Network\Http\Auth;
use Cake\Network\Http\Client;
use Cake\Network\Http\Request;
/**
* Digest authentication adapter for Cake\Network\Http\Client
*
* Generally not directly constructed, but instead used by Cake\Network\Http\Client
* when $options['auth']['type'] is 'digest'
*/
class Digest {
/**
* Instance of Cake\Network\Http\Client
*
* @var Cake\Network\Http\Client
*/
protected $_client;
/**
* Constructor
*
* @param Cake\Network\Http\Client $client
* @param array $options
*/
public function __construct(Client $client, $options = null) {
$this->_client = $client;
}
/**
* Add Authorization header to the request.
*
* @param Request $request
* @param array $credentials
* @return void
* @see http://www.ietf.org/rfc/rfc2617.txt
*/
public function authentication(Request $request, $credentials) {
if (!isset($credentials['username'], $credentials['password'])) {
return;
}
if (!isset($credentials['realm'])) {
$credentials = $this->_getServerInfo($request, $credentials);
}
if (!isset($credentials['realm'])) {
return;
}
$value = $this->_generateHeader($request, $credentials);
$request->header('Authorization', $value);
}
/**
* Retrieve information about the authentication
*
* Will get the realm and other tokens by performing
* another request without authentication to get authentication
* challenge.
*
* @param Request $request
* @param array $credentials
* @return Array modified credentials.
*/
protected function _getServerInfo(Request $request, $credentials) {
$response = $this->_client->get(
$request->url(),
[],
['auth' => []]
);
if (!$response->header('WWW-Authenticate')) {
return false;
}
preg_match_all(
'@(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))@',
$response->header('WWW-Authenticate'),
$matches,
PREG_SET_ORDER
);
foreach ($matches as $match) {
$credentials[$match[1]] = $match[2];
}
if (!empty($credentials['qop']) && empty($credentials['nc'])) {
$credentials['nc'] = 1;
}
return $credentials;
}
/**
* Generate the header Authorization
*
* @param Request $request
* @param array $credentials
* @return string
*/
protected function _generateHeader(Request $request, $credentials) {
$path = parse_url($request->url(), PHP_URL_PATH);
$a1 = md5($credentials['username'] . ':' . $credentials['realm'] . ':' . $credentials['password']);
$a2 = md5($request->method() . ':' . $path);
if (empty($credentials['qop'])) {
$response = md5($a1 . ':' . $credentials['nonce'] . ':' . $a2);
} else {
$credentials['cnonce'] = uniqid();
$nc = sprintf('%08x', $credentials['nc']++);
$response = md5($a1 . ':' . $credentials['nonce'] . ':' . $nc . ':' . $credentials['cnonce'] . ':auth:' . $a2);
}
$authHeader = 'Digest ';
$authHeader .= 'username="' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $credentials['username']) . '", ';
$authHeader .= 'realm="' . $credentials['realm'] . '", ';
$authHeader .= 'nonce="' . $credentials['nonce'] . '", ';
$authHeader .= 'uri="' . $path . '", ';
$authHeader .= 'response="' . $response . '"';
if (!empty($credentials['opaque'])) {
$authHeader .= ', opaque="' . $credentials['opaque'] . '"';
}
if (!empty($credentials['qop'])) {
$authHeader .= ', qop="auth", nc=' . $nc . ', cnonce="' . $credentials['cnonce'] . '"';
}
return $authHeader;
}
}