authorPaul Arthur <paul.arthur@flowerysong.com>2013-01-28 18:12:09 -0500
committerPaul Arthur <paul.arthur@flowerysong.com>2013-01-28 21:23:15 -0500
commit0451840fa34dfcffd86a00be8dbda9e4abd3f4d3 (patch)
tree4a85560044fb2b58075f272eaeafa32c7b1c975e
parentad4ba9ff9a32930a835f18b36bb2f3dda1f588d3 (diff)
downloadampache-0451840fa34dfcffd86a00be8dbda9e4abd3f4d3.tar.gz
ampache-0451840fa34dfcffd86a00be8dbda9e4abd3f4d3.tar.bz2
ampache-0451840fa34dfcffd86a00be8dbda9e4abd3f4d3.zip
Add 'external' auth method
Based on merge request #11
-rw-r--r--config/ampache.cfg.php.dist8
-rwxr-xr-xdocs/CHANGELOG2
-rw-r--r--lib/class/auth.class.php55
3 files changed, 63 insertions, 2 deletions
diff --git a/config/ampache.cfg.php.dist b/config/ampache.cfg.php.dist
index d46b9514..baf4d835 100644
--- a/config/ampache.cfg.php.dist
+++ b/config/ampache.cfg.php.dist
@@ -81,9 +81,15 @@ session_cookiesecure = 0
; This defines which auth methods Auth will attempt to use and in which order.
; If auto_create isn't enabled the user must exist locally.
; DEFAULT: mysql
-; VALUES: mysql,ldap,http,pam
+; VALUES: mysql,ldap,http,pam,external
auth_methods = "mysql"
+; External authentication
+; This sets the helper used for external authentication. It should conform to
+; the interface used by mod_authnz_external
+; DEFAULT: none
+;external_authenticator = "/usr/sbin/pwauth"
+
; Automatic local password updating
; Determines whether successful authentication against an external source
; will result in an update to the password stored in the database.
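Review bot: The comment block added for `external_authenticator` does not tell the administrator that the configured value is passed as a command string to `proc_open()` in lib/class/auth.class.php, so it runs with the web server's privileges and receives the user's clear-text password on stdin. I would add a line such as `; Use the absolute path of a trusted helper that the web server user cannot modify; it is executed as a command and receives the password on stdin.` below the mod_authnz_external sentence. It would also help to say that the helper signals success with exit status 0, since that is the only result the new code checks.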
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index bef0a7f0..ba9cc2e2 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,8 @@
--------------------------------------------------------------------------
v.3.6-FUTURE
+ - Added support for external authenticators like pwauth (based on a patch by
+ sjlu)
- Renamed the local auth method to pam, which is less confusing
- Removed the Flash player
- Added an HTML5 player (patch by Holger Brunn)
diff --git a/lib/class/auth.class.php b/lib/class/auth.class.php
index a59e2ad4..dacf15d5 100644
--- a/lib/class/auth.class.php
+++ b/lib/class/auth.class.php
@@ -184,7 +184,60 @@ class Auth {
}
return $results;
- } // local_auth
+ }
+
+ /**
+ * external_auth
+ *
+ * Calls an external program compatible with mod_authnz_external
+ * such as pwauth.
+ */
+ private static function external_auth($username, $password) {
+ $authenticator = Config::get('external_authenticator');
+ if (!$authenticator) {
+ return array(
+ 'success' => false,
+ 'error' => 'No external authenticator configured'
+ );
+ }
+
+ //FIXME: should we do input sanitization?
+ $proc = proc_open($authenticator,
+ array(
+ 0 => array('pipe', 'r'),
+ 1 => array('pipe', 'w'),
+ 2 => array('pipe', 'w')
+ ), $pipes);
+
+ if (is_resource($proc)) {
+ fwrite($pipes[0], $username."\n".$password."\n");
+ fclose($pipes[0]);
+ fclose($pipes[1]);
+ if ($stderr = fread($pipes[2], 8192)) {
+ debug_event('external_auth', $stderr, 5);
+ }
+ fclose($pipes[2]);
+ }
+ else {
+ return array(
+ 'success' => false,
+ 'error' => 'Failed to run external authenticator'
+ );
+ }
+
+ if (proc_close($proc) == 0) {
+ return array(
+ 'success' => true,
+ 'type' => 'external',
+ 'username' => $username
+ );
+ }
+
+ return array(
+ 'success' => false,
+ 'error' => 'The external authenticator did not accept the login'
+ );
+ }
/**
* ldap_auth
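Review bot: The `//FIXME: should we do input sanitization?` in external_auth should be resolved before merging, because `fwrite($pipes[0], $username."\n".$password."\n")` builds a line-delimited message from unvalidated values. A username or password containing a line break changes how the helper splits its input, and on exit status 0 the function still reports the raw `$username` as the authenticated identity. I would reject such values before `proc_open()`, for example `if (strpbrk($username.$password, "\r\n\0") !== false) { return array('success' => false, 'error' => 'Invalid characters in credentials'); }`. Separately, `proc_close($proc) == 0` would read more clearly as `=== 0`, since `proc_close()` returns -1 on error and only an exact 0 should count as success.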