First commit

.gitignore

@@ -0,0 +1 @@
+*.swp

Macaroons/Caveat.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Macaroons;
+
+class Caveat
+{
+  private $caveat_id;
+  private $verification_id;
+  private $caveat_location;
+
+  public function __construct($caveatId, $verificationId = NULL, $caveatLocation = NULL)
+  {
+    $this->caveat_id       = $caveatId;
+    $this->verification_id = $verificationId;
+    $this->caveat_location = $caveatLocation;
+  }
+
+  public function getCaveatId()
+  {
+    return $this->caveat_id;
+  }
+
+  public function getCaveatLocation()
+  {
+    return $this->caveat_location;
+  }
+
+  public function getVerificationId()
+  {
+    return $this->verification_id;
+  }
+
+  public function setCaveatLocation($caveatLocation)
+  {
+    $this->caveat_location = $caveatLocation;
+  }
+
+  public function setVerificationId($verificationId)
+  {
+    $this->verification_id = $verificationId;
+  }
+
+  public function isFirstParty()
+  {
+    return $this->verification_id === NULL;
+  }
+
+  public function isThirdParty()
+  {
+    return !$this->isFirstParty();
+  }
+
+  public function toArray()
+  {
+    $caveatKeys = array('cid' => $this->getCaveatId());
+    if ($this->isThirdParty())
+    {
+      $caveatKeys = array_merge(
+                                $caveatKeys,
+                                array(
+                                      'vid' => $this->getVerificationId(),
+                                      'cl' => $this->getCaveatLocation()
+                                      )
+                                );
+    }
+    return $caveatKeys;
+  }
+
+  public function __toString()
+  {
+    $caveatAsArray = $this->toArray();
+    if ($this->isThirdParty())
+      $caveatAsArray['vid'] = Utils::hexlify($caveatAsArray['vid']);
+    return join("\n", array_map(function($key, $value) {
+      return "$key $value";
+    }, array_keys($caveatAsArray), $caveatAsArray));
+  }
+
+}

Macaroons/Exceptions/CaveatUnsatisfiedException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Macaroons\Exceptions;
+
+class CaveatUnsatisfiedException extends \Exception
+{
+}

Macaroons/Exceptions/InvalidMacaroonKeyException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Macaroons\Exceptions;
+
+class InvalidMacaroonKeyException extends \Exception
+{
+}

Macaroons/Exceptions/SignatureMismatchException.php

@@ -0,0 +1,7 @@
+<?php
+
+namespace Macaroons\Exceptions;
+
+class SignatureMismatchException extends \Exception
+{
+}

Macaroons/Macaroon.php

@@ -0,0 +1,250 @@
+<?php
+
+namespace Macaroons;
+
+use Macaroons\Exceptions\InvalidMacaroonKeyException;
+
+class Macaroon
+{
+  private $id;
+  private $location;
+  private $signature;
+  private $caveats = array();
+
+  public function __construct($key, $identifier, $location)
+  {
+    $this->identifier = $identifier;
+    $this->location = $location;
+    $this->signature = $this->initialSignature($key, $identifier);
+  }
+
+  public function getIdentifier()
+  {
+    return $this->identifier;
+  }
+
+  public function getLocation()
+  {
+    return $this->location;
+  }
+
+  public function getSignature()
+  {
+    return strtolower( Utils::hexlify( $this->signature ) );
+  }
+
+  public function getFirstPartyCaveats()
+  {
+    return array_filter($this->caveats, function(Caveat $caveat){
+      return $caveat->isFirstParty();
+    });
+  }
+
+  public function getThirdPartyCaveats()
+  {
+    return array_filter($this->caveats, function(Caveat $caveat){
+      return $caveat->isThirdParty();
+    });
+  }
+
+  public function getCaveats()
+  {
+    return $this->caveats;
+  }
+
+  public function setSignature($signature)
+  {
+    if (!isset($signature))
+      throw new \InvalidArgumentException('Must supply updated signature');
+    $this->signature = $signature;
+  }
+
+  public function setCaveats(Array $caveats)
+  {
+    $this->caveats = $caveats;
+  }
+
+  public function addFirstPartyCaveat($predicate)
+  {
+    array_push($this->caveats, new Caveat($predicate));
+    $this->signature = Utils::signFirstPartyCaveat($this->signature, $predicate);
+  }
+
+  public function addThirdPartyCaveat($caveatKey, $caveatId, $caveatLocation)
+  {
+    $derivedCaveatKey = Utils::truncateOrPad( Utils::generateDerivedKey($caveatKey) );
+    $truncatedOrPaddedSignature = Utils::truncateOrPad( $this->signature );
+    // Generate cipher using libsodium
+    $nonce = \Sodium\randombytes_buf(\Sodium\CRYPTO_SECRETBOX_NONCEBYTES);
+    $verificationId = $nonce . \Sodium\crypto_secretbox($derivedCaveatKey, $nonce, $truncatedOrPaddedSignature);
+    array_push($this->caveats, new Caveat($caveatId, $verificationId, $caveatLocation));
+    $this->signature = Utils::signThirdPartyCaveat($this->signature, $verificationId, $caveatId);
+    \Sodium\memzero($caveatKey);
+    \Sodium\memzero($derivedCaveatKey);
+    \Sodium\memzero($caveatId);
+  }
+
+  /**
+   * [prepareForRequest description]
+   * @param  Macaroon $macaroon
+   * @return Macaroon           bound Macaroon (protected discharge)
+   */
+  public function prepareForRequest(Macaroon $macaroon)
+  {
+    $boundMacaroon = clone $macaroon;
+    $boundMacaroon->setSignature($this->bindSignature($macaroon->getSignature()));
+    return $boundMacaroon;
+  }
+
+  /**
+   * [bindSignature description]
+   * @param  string $signature
+   * @return string
+   */
+  public function bindSignature($signature)
+  {
+    $key                  = Utils::truncateOrPad("\0");
+    $currentSignatureHash = Utils::hmac($key, Utils::unhexlify($this->getSignature()));
+    $newSignatureHash     = Utils::hmac($key, Utils::unhexlify($signature));
+    return Utils::hmac($key, $currentSignatureHash . $newSignatureHash);
+  }
+
+  public function inspect()
+  {
+    $str = "location {$this->location}\n";
+    $str .= "identifier {$this->identifier}\n";
+    foreach ($this->caveats as $caveat)
+    {
+      $str .= "$caveat\n";
+    }
+    $str .= "signature {$this->getSignature()}";
+    return $str;
+  }
+
+  private function initialSignature($key, $identifier)
+  {
+    return Utils::hmac( Utils::generateDerivedKey($key), $identifier);
+  }
+
+  // TODO: Move these into a separate object
+  public function serialize()
+  {
+    $p = new Packet();
+    $s = $p->packetize(
+                        array(
+                          'location' => $this->location,
+                          'identifier' => $this->identifier
+                        )
+                      );
+    foreach ($this->caveats as $caveat)
+    {
+      $caveatKeys = array(
+                          'cid' => $caveat->getCaveatId()
+                          );
+      if ($caveat->getVerificationId() && $caveat->getCaveatLocation())
+      {
+        $caveatKeys = array_merge(
+                                  $caveatKeys,
+                                  array(
+                                        'vid' => $caveat->getVerificationId(),
+                                        'cl' => $caveat->getCaveatLocation()
+                                        )
+                                  );
+      }
+      $p = new Packet();
+      $s = $s . $p->packetize($caveatKeys);
+    }
+    $p = new Packet();
+    $s = $s . $p->packetize(array('signature' => $this->signature));
+    return Utils::base64_url_encode($s);
+  }
+
+  public static function deserialize($serialized)
+  {
+    $location   = NULL;
+    $identifier = NULL;
+    $signature  = NULL;
+    $caveats    = array();
+    $decoded    = Utils::base64_url_decode($serialized);
+    $index      = 0;
+
+    while ($index < strlen($decoded))
+    {
+      // TOOD: Replace 4 with PACKET_PREFIX_LENGTH
+      $packetLength    = hexdec(substr($decoded, $index, 4));
+      $packetDataStart = $index + 4;
+      $strippedPacket  = substr($decoded, $packetDataStart, $packetLength - 5);
+      $packet          = new Packet();
+      $packet          = $packet->decode($strippedPacket);
+
+      switch($packet->getKey())
+      {
+        case 'location':
+          $location = $packet->getData();
+        break;
+        case 'identifier':
+          $identifier = $packet->getData();
+        break;
+        case 'signature':
+          $signature = $packet->getData();
+        break;
+        case 'cid':
+          array_push($caveats, new Caveat($packet->getData()));
+        break;
+        case 'vid':
+          $caveat = $caveats[ count($caveats) - 1 ];
+          $caveat->setVerificationId($packet->getData());
+        break;
+        case 'cl':
+          $caveat = $caveats[ count($caveats) - 1 ];
+          $caveat->setCaveatLocation($packet->getData());
+        break;
+        default:
+          throw new InvalidMacaroonKeyException('Invalid key in binary macaroon. Macaroon may be corrupted.');
+        break;
+      }
+      $index = $index + $packetLength;
+    }
+    $m = new Macaroon('no_key', $identifier, $location);
+    $m->setCaveats($caveats);
+    $m->setSignature($signature);
+    return $m;
+  }
+
+  public function toJSON()
+  {
+    return json_encode(array(
+      'location' => $this->location,
+      'identifier' => $this->identifier,
+      'caveats' => array_map(function(Caveat $caveat){
+        $caveatAsArray = $caveat->toArray();
+        if ($caveat->isThirdParty())
+          $caveatAsArray['vid'] = Utils::hexlify($caveatAsArray['vid']);
+        return $caveatAsArray;
+      }, $this->getCaveats()),
+      'signature' => $this->getSignature()
+    ));
+  }
+
+  public static function fromJSON($serialized)
+  {
+    $data       = json_decode($serialized);
+    $location   = $data->location;
+    $identifier = $data->identifier;
+    $signature  = $data->signature;
+    $m          = new Macaroon(
+                                'no_key',
+                                $identifier,
+                                $location
+                              );
+    $caveats = array_map(function(stdClass $data){
+      $caveatId       = $data->cid;
+      $verificationId = $data->vid;
+      $caveatLocation = $data->cl;
+      return new Caveat($caveatId, $verificationId, $caveatLocation);
+    }, $data->caveats);
+    $m->setCaveats($caveats);
+    $m->setSignature(Utils::unhexlify($signature));
+    return $m;
+  }
+}

Macaroons/Packet.php

@@ -0,0 +1,66 @@
+<?php
+
+namespace Macaroons;
+
+class Packet
+{
+  const PACKET_PREFIX_LENGTH = 4;
+  private $key;
+  private $data;
+  public function __construct($key = NULL, $data = NULL)
+  {
+    $this->key = $key;
+    $this->data = $data;
+  }
+
+  public function packetize(Array $packets)
+  {
+    // PHP 5.3 workaround
+    // $this isn't bound in anonymous functions
+    return join('',
+                    array_map(
+                                array($this, 'mapPacketsCallback'),
+                                array_keys($packets),
+                                $packets
+                              )
+                );
+  }
+
+  public function getKey()
+  {
+    return $this->key;
+  }
+
+  public function getData()
+  {
+    return $this->data;
+  }
+
+  private function mapPacketsCallback($key, $data)
+  {
+    return $this->encode($key, $data);
+  }
+
+  private function encode($key, $data)
+  {
+    $packetSize = self::PACKET_PREFIX_LENGTH + 2 + strlen($key) + strlen($data);
+    // packetSize can't be larger than 0xFFFF
+    if ($packetSize > pow(16, 4))
+      throw new \InvalidArgumentException('Data is too long for a binary packet.');
+
+    // hexadecimal representation with lowercase letters
+    $packetSizeHex = sprintf("%x", $packetSize);
+    $header = str_pad($packetSizeHex, 4, '0', STR_PAD_LEFT);
+    $packetContent = "$key $data\n";
+    $packet = $header . $packetContent;
+    return $packet;
+  }
+
+  public function decode($packet)
+  {
+    $packets = explode(' ', $packet);
+    $key = array_shift($packets);
+    $data = substr($packet, strlen($key) + 1);
+    return new Packet($key, $data);
+  }
+}

Macaroons/Utils.php

@@ -0,0 +1,87 @@
+<?php
+
+namespace Macaroons;
+
+class Utils
+{
+  public static function hexlify($value)
+  {
+    return join('', array_map(function($byte){
+        return sprintf("%02X", $byte);
+      }, unpack('C*', $value)));
+  }
+
+  public static function unhexlify($value)
+  {
+    return pack('H*', $value);
+  }
+
+  public static function hmac($key, $data, $digest = 'sha256')
+  {
+    return hash_hmac($digest, $data, $key, true);
+  }
+
+  public static function generateDerivedKey($key)
+  {
+    return self::hmac('macaroons-key-generator', $key);
+  }
+
+  public static function truncateOrPad($str, $size = 32)
+  {
+    if (strlen($str) > $size)
+      return substr($str, 0, $size);
+    else if (strlen($str) < $size)
+      return str_pad($str, $size, "\0", STR_PAD_RIGHT);
+    return $str;
+  }
+
+  public static function startsWith($str, $prefix)
+  {
+    if (!(is_string($str) && is_string($prefix)))
+      throw new \InvalidArgumentException('Both arguments must be strings');
+    return substr($str, 0, strlen($prefix)) === $prefix;
+  }
+
+  public static function base64_strict_encode($data)
+  {
+    $data = str_replace("\r\n", '', base64_encode($data));
+    $data = str_replace("\r", '', $data);
+    return str_replace("\n", '', $data);
+  }
+
+  public static function base64_url_safe_encode($data)
+  {
+    $data = str_replace('+', '-', self::base64_strict_encode($data));
+    return str_replace('/', '_', $data);
+  }
+
+  public static function base64_url_safe_decode($data)
+  {
+    $data = str_replace('-', '+', $data);
+    $data = str_replace('_', '/', $data);
+    return base64_decode($data);
+  }
+
+  public static function base64_url_encode($data)
+  {
+    return str_replace('=', '', self::base64_url_safe_encode($data));
+  }
+
+  public static function base64_url_decode($data)
+  {
+    return self::base64_url_safe_decode(str_pad($data, (4 - (strlen($data) % 4)) % 4, '=', STR_PAD_RIGHT));
+  }
+
+  public static function signFirstPartyCaveat($signature, $predicate)
+  {
+    return self::hmac($signature, $predicate);
+  }
+
+  public static function signThirdPartyCaveat($signature, $verificationId, $caveatId)
+  {
+    $verification_id_hmac = self::hmac($signature, $verificationId);
+    $caveat_id_hmac       = self::hmac($signature, $caveatId);
+    $combined             = $verification_id_hmac . $caveat_id_hmac;
+    return self::hmac($signature, $combined);
+  }
+}

Macaroons/Verifier.php

@@ -0,0 +1,226 @@
+<?php
+
+namespace Macaroons;
+
+use Macaroons\Exceptions\SignatureMismatchException;
+use Macaroons\Exceptions\CaveatUnsatisfiedException;
+
+class Verifier
+{
+  private $predicates = array();
+  private $callbacks = array();
+  private $calculatedSignature;
+
+  /**
+   * return predicates to verify
+   * @return Array|array
+   */
+  public function getPredicates()
+  {
+    return $this->predicates;
+  }
+
+  /**
+   * returns verifier callbacks
+   * @return Array|array
+   */
+  public function getCallbacks()
+  {
+    return $this->callbacks;
+  }
+
+  /**
+   * sets array of predicates
+   * @param Array $predicates
+   */
+  public function setPredicates(Array $predicates)
+  {
+    $this->predicates = $predicates;
+  }
+
+  /**
+   * set array of callbacks
+   * @param Array $callbacks
+   */
+  public function setCallbacks(Array $callbacks)
+  {
+    $this->callbacks = $callbacks;
+  }
+
+  /**
+   * adds a predicate to the verifier
+   * @param string
+   */
+  public function satisfyExact($predicate)
+  {
+    if (!isset($predicate))
+      throw new \InvalidArgumentException('Must provide predicate');
+    array_push($this->predicates, $predicate);
+  }
+
+  /**
+   * adds a callback to array of callbacks
+   * $callback can be anything that is callable including objects
+   * that implement __invoke
+   * See http://php.net/manual/en/language.types.callable.php for more details
+   * @param function|object|array
+   */
+  public function satisfyGeneral($callback)
+  {
+    if (!isset($callback))
+      throw new \InvalidArgumentException('Must provide a callback function');
+    if (!is_callable($callback))
+      throw new \InvalidArgumentException('Callback must be a function');
+    array_push($this->callbacks, $callback);
+  }
+
+  /**
+   * [verify description]
+   * @param  Macaroon $macaroon
+   * @param  string   $key
+   * @param  Array    $dischargeMacaroons
+   * @return boolean
+   */
+  public function verify(Macaroon $macaroon, $key, Array $dischargeMacaroons = array())
+  {
+    $key = Utils::generateDerivedKey($key);
+    return $this->verifyDischarge(
+                                  $macaroon,
+                                  $macaroon,
+                                  $key,
+                                  $dischargeMacaroons
+                                  );
+  }
+
+  /**
+   * [verifyDischarge description]
+   * @param  Macaroon    $rootMacaroon
+   * @param  Macaroon    $macaroon
+   * @param  string      $key
+   * @param  Array|array $dischargeMacaroons
+   * @return boolean|throws SignatureMismatchException
+   */
+  public function verifyDischarge(Macaroon $rootMacaroon, Macaroon $macaroon, $key, Array $dischargeMacaroons = array())
+  {
+    $this->calculatedSignature = Utils::hmac($key, $macaroon->getIdentifier());
+    $this->verifyCaveats($macaroon, $dischargeMacaroons);
+
+    if ($rootMacaroon != $macaroon)
+    {
+      $this->calculatedSignature = $rootMacaroon->bindSignature(strtolower(Utils::hexlify($this->calculatedSignature)));
+    }
+
+    $signature = Utils::unhexlify($macaroon->getSignature());
+    if ($this->signaturesMatch($this->calculatedSignature, $signature) === FALSE)
+    {
+      throw new SignatureMismatchException('Signatures do not match.');
+    }
+    return true;
+  }
+
+  /**
+   * verifies all first and third party caveats of macaroon are valid
+   * @param  Macaroon
+   * @param  Array
+   */
+  private function verifyCaveats(Macaroon $macaroon, Array $dischargeMacaroons = array())
+  {
+    foreach ($macaroon->getCaveats() as $caveat)
+    {
+      $caveatMet = false;
+      if ($caveat->isFirstParty())
+        $caveatMet = $this->verifyFirstPartyCaveat($caveat);
+      else if ($caveat->isThirdParty())
+        $caveatMet = $this->verifyThirdPartyCaveat($caveat, $macaroon, $dischargeMacaroons);
+      if (!$caveatMet)
+        throw new CaveatUnsatisfiedException("Caveat not met. Unable to satisfy: {$caveat->getCaveatId()}");
+    }
+  }
+
+  private function verifyFirstPartyCaveat(Caveat $caveat)
+  {
+    $caveatMet = false;
+    if (in_array($caveat->getCaveatId(), $this->predicates))
+      $caveatMet = true;
+    else
+    {
+      foreach ($this->callbacks as $callback)
+      {
+        if ($callback($caveat->getCaveatId()))
+          $caveatMet = true;
+      }
+    }
+    if ($caveatMet)
+      $this->calculatedSignature = Utils::signFirstPartyCaveat($this->calculatedSignature, $caveat->getCaveatId());
+
+    return $caveatMet;
+  }
+
+  private function verifyThirdPartyCaveat(Caveat $caveat, Macaroon $rootMacaroon, Array $dischargeMacaroons)
+  {
+    $caveatMet = false;
+
+    $dischargesMatchingCaveat = array_filter($dischargeMacaroons, function($discharge) use ($rootMacaroon, $caveat) {
+      return $discharge->getIdentifier() === $caveat->getCaveatId();
+    });
+
+    $caveatMacaroon = array_shift($dischargesMatchingCaveat);
+
+    if (!$caveatMacaroon)
+      throw new CaveatUnsatisfiedException("Caveat not met. No discharge macaroon found for identifier: {$caveat->getCaveatId()}");
+
+    $caveatKey = $this->extractCaveatKey($this->calculatedSignature, $caveat);
+    $caveatMacaroonVerifier = new Verifier();
+    $caveatMacaroonVerifier->setPredicates($this->predicates);
+    $caveatMacaroonVerifier->setCallbacks($this->callbacks);
+
+    $caveatMet = $caveatMacaroonVerifier->verifyDischarge(
+                                                          $rootMacaroon,
+                                                          $caveatMacaroon,
+                                                          $caveatKey,
+                                                          $dischargeMacaroons
+                                                          );
+    if ($caveatMet)
+    {
+      $this->calculatedSignature = Utils::signThirdPartyCaveat(
+                                                                $this->calculatedSignature,
+                                                                $caveat->getVerificationId(),
+                                                                $caveat->getCaveatId()
+                                                              );
+    }
+
+    return $caveatMet;
+  }
+
+  /**
+   * returns the derived key from the caveat verification id
+   * @param  string $signature
+   * @param  Caveat $caveat
+   * @return string
+   */
+  private function extractCaveatKey($signature, Caveat $caveat)
+  {
+    $verificationHash = $caveat->getVerificationId();
+    $nonce            = substr($verificationHash, 0, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES);
+    $verificationId   = substr($verificationHash, \Sodium\CRYPTO_SECRETBOX_NONCEBYTES);
+    $key              = Utils::truncateOrPad($signature);
+    return \Sodium\crypto_secretbox_open($verificationId, $nonce, $key);
+  }
+
+  /**
+   * compares the calculated signature of a macaroon and the macaroon supplied
+   * by the client
+   * The user supplied string MUST be the second argument or this will leak
+   * the length of the actual signature
+   * @param  string $a known signature from our key and macaroon metadata
+   * @param  string $b signature from macaroon we are verifying (from the client)
+   * @return boolean
+   */
+  private function signaturesMatch($a, $b)
+  {
+    $ret = strlen($a) ^ strlen($b);
+    $ret |= array_sum(unpack("C*", $a^$b));
+
+    return !$ret;
+  }
+}

auth.php

@@ -0,0 +1,198 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Anobody can login with any password.
+ *
+ * @package auth_macaroons
+ * @author Brendan Abolivier
+ * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+require_once($CFG->libdir.'/authlib.php');
+
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Macaroon.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Caveat.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Packet.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Utils.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Verifier.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/CaveatUnsatisfiedException.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/InvalidMacaroonKeyException.php');
+require_once($CFG->dirroot.'/auth/macaroons/Macaroons/Exceptions/SignatureMismatchException.php');
+
+use Macaroons\Macaroon;
+use Macaroons\Verifier;
+
+
+/**
+ * Plugin for no authentication.
+ */
+class auth_plugin_macaroons extends auth_plugin_base {
+
+	/**
+	 * Constructor.
+	 */
+	public function __construct() {
+		$this->authtype = 'macaroons';
+	}
+
+	function loginpage_hook() {
+		global $message;
+		$message = "";
+		if(!empty($_COOKIE['das-macaroon'])) {
+			try {
+				$m = Macaroon::deserialize($_COOKIE['das-macaroon']);
+				$frm = new stdClass();
+				$frm->username = $m->getIdentifier();
+				$frm->password = 'passwdMacaroons';
+				$v = new Verifier();
+				$v->setCallbacks([
+					function($a) {
+						return !strcmp($a, "status = student");
+					}
+				]);
+				if($v->verify($m, "pocsecret")) {
+					$frm = new stdClass();
+					$frm->username = $m->getIdentifier();
+					$frm->password = 'passwdMacaroons';
+				}
+			} catch(Exception $e) {
+				$message = $e->getMessage();
+			}
+			authenticate_user_login($frm->username, sesskey());
+		}
+	}
+
+	/**
+	 * Old syntax of class constructor. Deprecated in PHP7.
+	 *
+	 * @deprecated since Moodle 3.1
+	 */
+	public function auth_plugin_macaroons() {
+		debugging('Use of class name as constructor is deprecated', DEBUG_DEVELOPER);
+		self::__construct();
+	}
+
+	/**
+	 * Returns true if the username and password work or don't exist and false
+	 * if the user exists and the password is wrong.
+	 *
+	 * @param string $username The username
+	 * @param string $password The password
+	 * @return bool Authentication success or failure.
+	 */
+	function user_login ($username, $password) {
+		global $message;
+		if(!empty($message)) {
+			return false;
+		} elseif(!empty($_COOKIE['das-macaroon'])) {
+			return true;
+		}
+	}
+
+	/**
+	 * Updates the user's password.
+	 *
+	 * called when the user password is updated.
+	 *
+	 * @param  object  $user		User table object
+	 * @param  string  $newpassword Plaintext password
+	 * @return boolean result
+	 *
+	 */
+	function user_update_password($user, $newpassword) {
+		$user = get_complete_user_data('id', $user->id);
+		// This will also update the stored hash to the latest algorithm
+		// if the existing hash is using an out-of-date algorithm (or the
+		// legacy md5 algorithm).
+		return update_internal_user_password($user, $newpassword);
+	}
+
+	function prevent_local_passwords() {
+		return false;
+	}
+
+	/**
+	 * Returns true if this authentication plugin is 'internal'.
+	 *
+	 * @return bool
+	 */
+	function is_internal() {
+		return false;
+	}
+
+	/**
+	 * Returns true if this authentication plugin can change the user's
+	 * password.
+	 *
+	 * @return bool
+	 */
+	function can_change_password() {
+		return true;
+	}
+
+	/**
+	 * Returns the URL for changing the user's pw, or empty if the default can
+	 * be used.
+	 *
+	 * @return moodle_url
+	 */
+	function change_password_url() {
+		return null;
+	}
+
+	/**
+	 * Returns true if plugin allows resetting of internal password.
+	 *
+	 * @return bool
+	 */
+	function can_reset_password() {
+		return true;
+	}
+
+	/**
+	 * Returns true if plugin can be manually set.
+	 *
+	 * @return bool
+	 */
+	function can_be_manually_set() {
+		return true;
+	}
+
+	/**
+	 * Prints a form for configuring this authentication plugin.
+	 *
+	 * This function is called from admin/auth.php, and outputs a full page with
+	 * a form for configuring this plugin.
+	 *
+	 * @param array $page An object containing all the data for this page.
+	function config_form($config, $err, $user_fields) {
+		include "config.html";
+	}
+	 */
+
+	/**
+	 * Processes and stores configuration data for this authentication plugin.
+	 */
+	function process_config($config) {
+		return true;
+	}
+
+}
+
+

lang/en/auth_macaroons.php

@@ -0,0 +1,26 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Strings for component 'auth_macaroons', language 'en'.
+ *
+ * @package   auth_macaroons
+ * @copyright 2017 onwards Brendan Abolivier
+ * @license   http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+$string['auth_macaroonsdescription'] = 'Macaroons usage for authentication';
+$string['pluginname'] = 'Macaroons';

version.php

@@ -0,0 +1,29 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * Version information
+ *
+ * @package    auth_macaroons
+ * @copyright  2017 Brendan Abolivier
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+
+defined('MOODLE_INTERNAL') || die();
+
+$plugin->version   = 2016120500;        // The current plugin version (Date: YYYYMMDDXX)
+$plugin->requires  = 2016112900;        // Requires this Moodle version
+$plugin->component = 'auth_macaroons';       // Full name of the plugin (used for diagnostics)