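#!/usr/bin/php
<?php
/*
 * Apache mod_authnz_external helper: validates an HTTP Basic username/password
 * pair against the user objects of an XWiki instance stored in MySQL.
 *
 * Apache side (only this tail of the original example survives in this copy;
 * the <Location> block opening and the DefineExternalAuth line preceding it
 * are not shown here):
 *
 *   SSLRequireSSL             Basic auth transmits the password in clear -> TLS only
 *   AuthType Basic
 *   AuthName "Protected Wiki"
 *   AuthBasicProvider external
 *   AuthExternal phpauth
 *   Require valid-user
 *
 * Note: The DefineExternalAuth statement must be in the same virtual host as
 * the location statement, therefore best placed directly above the location
 * statement.
 *
 * Protocol: line 1 of stdin is the username, line 2 the password. Exit status
 * 0 grants access, anything else denies. Whatever is echoed goes to the Apache
 * error log, not to the client, so the messages below are for the admin only.
 */

declare(strict_types=1);

// Database connection. NOTE(review): credentials live in a file that is run by
// the web server; keep it unreadable to other local users and give this DB
// account SELECT only on xwikiobjects, xwikiintegers and xwikistrings.
$dbHost = "localhost";
$database = "xwiki";
$dbUser = "xwiki";
$dbPassword = "xwiki";

/**
 * Log a reason, delay a little (slows down online guessing), and refuse access.
 *
 * @param string $reason text for the Apache error log
 */
function deny(string $reason): void
{
    echo $reason . "\n";
    sleep(3);
    exit(1);
}

/**
 * Read one credential line from the stream; '' when the stream is exhausted.
 *
 * @param resource $handle open stream (stdin)
 */
function readCredentialLine($handle): string
{
    $line = fgets($handle);
    return $line === false ? '' : trim($line);
}

/**
 * Run a one-parameter, one-column prepared query and return the first value.
 *
 * @param mysqli $db     open connection
 * @param string $sql    statement with exactly one '?' placeholder
 * @param string $types  bind_param type string for that placeholder
 * @param mixed  $param  value bound to the placeholder
 * @return mixed|null    first column of the first row, or null when no row matched
 * @throws mysqli_sql_exception when preparing/executing fails (see mysqli_report below)
 */
function fetchOne(mysqli $db, string $sql, string $types, $param)
{
    $stmt = $db->prepare($sql);
    $stmt->bind_param($types, $param);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

/**
 * Check a cleartext password against XWiki's stored password field.
 *
 * Stored format (see the original comment): hash-identifier:hash-type:salt:hash,
 * where hash = hex(hash-type(salt . password)). NOTE(review): the hash-type
 * field is believed to carry a Java MessageDigest name such as "SHA-512";
 * confirm the exact spelling against your database.
 *
 * @param string $stored   value of the 'password' xwikistrings row
 * @param string $password cleartext password supplied by the client
 */
function passwordMatches(string $stored, string $password): bool
{
    $parts = explode(':', $stored);
    if (count($parts) !== 4) {
        // Malformed or unsupported record (e.g. clear-text/legacy) -> deny rather
        // than index into undefined parts.
        return false;
    }
    [, $hashType, $salt, $digest] = $parts;

    // Map "SHA-512" -> "sha512" for PHP's hash(). Unknown names fall back to
    // sha512, which is what this script hard-coded before.
    $algo = strtolower(str_replace('-', '', $hashType));
    if (!in_array($algo, hash_algos(), true)) {
        $algo = 'sha512';
    }
    $computed = hash($algo, $salt . $password);

    // hash_equals(): constant-time AND strict. The previous `==` compared two
    // hex strings that both look like "0e1234..." as equal floating-point
    // numbers (the "magic hash" bug) and leaked timing.
    return hash_equals($digest, $computed);
}

// Read from stdin. First line is the username, second line is the password.
$stdin = fopen("php://stdin", "r");
if ($stdin === false) {
    deny("cannot open stdin to read credentials");
}
$username = readCredentialLine($stdin);
$password = readCredentialLine($stdin);
fclose($stdin);

if ($username === "" || $password === "") {
    deny("wrong username or password for user $username");
}
$searchUser = "XWiki." . $username;

// Make every mysqli failure (connect, prepare, execute) an exception so a DB
// problem can never fall through to the success path.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
    $mysqli = new mysqli($dbHost, $dbUser, $dbPassword, $database);

    // Internal object id of the user document.
    $xwoID = fetchOne(
        $mysqli,
        "select XWO_ID from xwikiobjects where XWO_NAME=? and XWO_CLASSNAME='XWiki.XWikiUsers'",
        "s",
        $searchUser
    );
    if ($xwoID === null) {
        deny("wrong username or password for user $username");
    }

    // Account must be enabled.
    $userActive = fetchOne(
        $mysqli,
        "select XWI_VALUE from xwikiintegers where XWI_NAME='active' AND XWI_ID=?",
        "s",
        $xwoID
    );
    if ($userActive === null) {
        deny("wrong username or password for user $username");
    }

    // Stored password record.
    $dbPwData = fetchOne(
        $mysqli,
        "select XWS_VALUE from xwikistrings where XWS_ID=? and XWS_NAME='password'",
        "s",
        $xwoID
    );
    if ($dbPwData === null) {
        deny("wrong username or password for user $username");
    }

    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    // Only the admin sees this (error log); the client just gets a 401.
    deny("Database error: " . $e->getMessage());
}

if ((int) $userActive !== 1) {
    deny("$username is not active");
}

if (!passwordMatches((string) $dbPwData, $password)) {
    deny("wrong username or password for user $username");
}

echo "username/password allowed for user $username\n";
exit(0);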