1: <?php
  2: /**
  3:  * CakePHP(tm) : Rapid Development Framework (https://cakephp.org)
  4:  * Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
  5:  *
  6:  * Licensed under The MIT License
  7:  * Redistributions of files must retain the above copyright notice.
  8:  *
  9:  * @copyright     Copyright (c) Cake Software Foundation, Inc. (https://cakefoundation.org)
 10:  * @link          https://cakephp.org CakePHP(tm) Project
 11:  * @since         3.0.0
 12:  * @license       https://opensource.org/licenses/mit-license.php MIT License
 13:  */
 14: namespace Cake\Http\Client\Auth;
 15: 
 16: use Cake\Http\Client;
 17: use Cake\Http\Client\Request;
 18: 
 19: /**
 20:  * Digest authentication adapter for Cake\Http\Client
 21:  *
 22:  * Generally not directly constructed, but instead used by Cake\Http\Client
 23:  * when $options['auth']['type'] is 'digest'
 24:  */
 25: class Digest
 26: {
 27:     /**
 28:      * Instance of Cake\Http\Client
 29:      *
 30:      * @var \Cake\Http\Client
 31:      */
 32:     protected $_client;
 33: 
 34:     /**
 35:      * Constructor
 36:      *
 37:      * @param \Cake\Http\Client $client Http client object.
 38:      * @param array|null $options Options list.
 39:      */
 40:     public function __construct(Client $client, $options = null)
 41:     {
 42:         $this->_client = $client;
 43:     }
 44: 
 45:     /**
 46:      * Add Authorization header to the request.
 47:      *
 48:      * @param \Cake\Http\Client\Request $request The request object.
 49:      * @param array $credentials Authentication credentials.
 50:      * @return \Cake\Http\Client\Request The updated request.
 51:      * @see https://www.ietf.org/rfc/rfc2617.txt
 52:      */
 53:     public function authentication(Request $request, array $credentials)
 54:     {
 55:         if (!isset($credentials['username'], $credentials['password'])) {
 56:             return $request;
 57:         }
 58:         if (!isset($credentials['realm'])) {
 59:             $credentials = $this->_getServerInfo($request, $credentials);
 60:         }
 61:         if (!isset($credentials['realm'])) {
 62:             return $request;
 63:         }
 64:         $value = $this->_generateHeader($request, $credentials);
 65: 
 66:         return $request->withHeader('Authorization', $value);
 67:     }
 68: 
 69:     /**
 70:      * Retrieve information about the authentication
 71:      *
 72:      * Will get the realm and other tokens by performing
 73:      * another request without authentication to get authentication
 74:      * challenge.
 75:      *
 76:      * @param \Cake\Http\Client\Request $request The request object.
 77:      * @param array $credentials Authentication credentials.
 78:      * @return array modified credentials.
 79:      */
 80:     protected function _getServerInfo(Request $request, $credentials)
 81:     {
 82:         $response = $this->_client->get(
 83:             $request->getUri(),
 84:             [],
 85:             ['auth' => ['type' => null]]
 86:         );
 87: 
 88:         if (!$response->getHeader('WWW-Authenticate')) {
 89:             return [];
 90:         }
 91:         preg_match_all(
 92:             '@(\w+)=(?:(?:")([^"]+)"|([^\s,$]+))@',
 93:             $response->getHeaderLine('WWW-Authenticate'),
 94:             $matches,
 95:             PREG_SET_ORDER
 96:         );
 97:         foreach ($matches as $match) {
 98:             $credentials[$match[1]] = $match[2];
 99:         }
100:         if (!empty($credentials['qop']) && empty($credentials['nc'])) {
101:             $credentials['nc'] = 1;
102:         }
103: 
104:         return $credentials;
105:     }
106: 
107:     /**
108:      * Generate the header Authorization
109:      *
110:      * @param \Cake\Http\Client\Request $request The request object.
111:      * @param array $credentials Authentication credentials.
112:      * @return string
113:      */
114:     protected function _generateHeader(Request $request, $credentials)
115:     {
116:         $path = $request->getUri()->getPath();
117:         $a1 = md5($credentials['username'] . ':' . $credentials['realm'] . ':' . $credentials['password']);
118:         $a2 = md5($request->getMethod() . ':' . $path);
119:         $nc = null;
120: 
121:         if (empty($credentials['qop'])) {
122:             $response = md5($a1 . ':' . $credentials['nonce'] . ':' . $a2);
123:         } else {
124:             $credentials['cnonce'] = uniqid();
125:             $nc = sprintf('%08x', $credentials['nc']++);
126:             $response = md5($a1 . ':' . $credentials['nonce'] . ':' . $nc . ':' . $credentials['cnonce'] . ':auth:' . $a2);
127:         }
128: 
129:         $authHeader = 'Digest ';
130:         $authHeader .= 'username="' . str_replace(['\\', '"'], ['\\\\', '\\"'], $credentials['username']) . '", ';
131:         $authHeader .= 'realm="' . $credentials['realm'] . '", ';
132:         $authHeader .= 'nonce="' . $credentials['nonce'] . '", ';
133:         $authHeader .= 'uri="' . $path . '", ';
134:         $authHeader .= 'response="' . $response . '"';
135:         if (!empty($credentials['opaque'])) {
136:             $authHeader .= ', opaque="' . $credentials['opaque'] . '"';
137:         }
138:         if (!empty($credentials['qop'])) {
139:             $authHeader .= ', qop="auth", nc=' . $nc . ', cnonce="' . $credentials['cnonce'] . '"';
140:         }
141: 
142:         return $authHeader;
143:     }
144: }
145: 
146: // @deprecated 3.4.0 Add backwards compat alias.
147: class_alias('Cake\Http\Client\Auth\Digest', 'Cake\Network\Http\Auth\Digest');
148: