From 00801b5b04c9dd2d8eb640d33f4cc6cc27deb6ae Mon Sep 17 00:00:00 2001 From: markjcrane Date: Sun, 16 Apr 2023 01:10:39 -0600 Subject: [PATCH] Add mutli-factor authentication. --- core/authentication/app_config.php | 2 +- core/authentication/app_defaults.php | 100 +++++ core/authentication/app_languages.php | 72 ++++ .../resources/classes/authentication.php | 327 +++++++++++++-- .../resources/classes/plugins/database.php | 153 ++++++- .../resources/classes/plugins/email.php | 395 ++++++++++++++++++ .../resources/classes/plugins/ldap.php | 14 +- .../resources/classes/plugins/totp.php | 266 ++++++++++++ core/authentication/resources/views/email.htm | 36 ++ core/authentication/resources/views/login.htm | 32 ++ core/authentication/resources/views/totp.htm | 44 ++ .../resources/views/username.htm | 31 ++ logout.php | 2 +- resources/check_auth.php | 255 +---------- 14 files changed, 1436 insertions(+), 293 deletions(-) create mode 100644 core/authentication/app_defaults.php create mode 100644 core/authentication/app_languages.php create mode 100644 core/authentication/resources/classes/plugins/email.php create mode 100644 core/authentication/resources/classes/plugins/totp.php create mode 100644 core/authentication/resources/views/email.htm create mode 100644 core/authentication/resources/views/login.htm create mode 100644 core/authentication/resources/views/totp.htm create mode 100644 core/authentication/resources/views/username.htm diff --git a/core/authentication/app_config.php b/core/authentication/app_config.php index 9e0751f085..e6c36f0a32 100644 --- a/core/authentication/app_config.php +++ b/core/authentication/app_config.php 
@@ -5,7 +5,7 @@ $apps[$x]['uuid'] = "a8a12918-69a4-4ece-a1ae-3932be0e41f1"; $apps[$x]['category'] = "Core"; $apps[$x]['subcategory'] = ""; - $apps[$x]['version'] = "1.0"; + $apps[$x]['version'] = "1.1"; $apps[$x]['license'] = "Mozilla Public License 1.1"; $apps[$x]['url'] = "http://www.fusionpbx.com"; $apps[$x]['description']['en-us'] = "Provides an authentication framework with plugins to check if a user is authorized to login."; diff --git a/core/authentication/app_defaults.php b/core/authentication/app_defaults.php new file mode 100644 index 0000000000..b80a84f98e --- /dev/null +++ b/core/authentication/app_defaults.php @@ -0,0 +1,100 @@ + \n"; + $array['email_templates'][$x]['template_body'] .= " \n"; + $array['email_templates'][$x]['template_body'] .= "
\n"; + $array['email_templates'][$x]['template_body'] .= "
Security Code

\n"; + $array['email_templates'][$x]['template_body'] .= " Use the following code to verify your identity.
\n"; + $array['email_templates'][$x]['template_body'] .= " Authentication Code: \${auth_code}
\n"; + $array['email_templates'][$x]['template_body'] .= "
\n"; + $array['email_templates'][$x]['template_body'] .= " \n"; + $array['email_templates'][$x]['template_body'] .= "\n"; + $array['email_templates'][$x]['template_type'] = "html"; + $array['email_templates'][$x]['template_enabled'] = "true"; + $x++; + $array['email_templates'][$x]['email_template_uuid'] = '9a9e3b5f-c439-47da-a901-90dcd340d101'; + $array['email_templates'][$x]['template_language'] = 'en-gb'; + $array['email_templates'][$x]['template_category'] = 'authentication'; + $array['email_templates'][$x]['template_subcategory'] = 'email'; + $array['email_templates'][$x]['template_subject'] = 'Authentication Code'; + $array['email_templates'][$x]['template_body'] .= "\n"; + $array['email_templates'][$x]['template_body'] .= " \n"; + $array['email_templates'][$x]['template_body'] .= "
\n"; + $array['email_templates'][$x]['template_body'] .= "
Security Code

\n"; + $array['email_templates'][$x]['template_body'] .= " Use the following code to verify your identity.
\n"; + $array['email_templates'][$x]['template_body'] .= " Authentication Code: \${auth_code}
\n"; + $array['email_templates'][$x]['template_body'] .= "
\n"; + $array['email_templates'][$x]['template_body'] .= " \n"; + $array['email_templates'][$x]['template_body'] .= "\n"; + $array['email_templates'][$x]['template_type'] = "html"; + $array['email_templates'][$x]['template_enabled'] = "true"; + $x++; + + //build array of email template uuids + foreach ($array['email_templates'] as $row) { + if (is_uuid($row['email_template_uuid'])) { + $uuids[] = $row['email_template_uuid']; + } + } + + //add the email templates to the database + if (is_array($uuids) && @sizeof($uuids) != 0) { + $sql = "select * from v_email_templates where "; + foreach ($uuids as $index => $uuid) { + $sql_where[] = "email_template_uuid = :email_template_uuid_".$index; + $parameters['email_template_uuid_'.$index] = $uuid; + } + $sql .= implode(' or ', $sql_where); + $database = new database; + $email_templates = $database->select($sql, $parameters, 'all'); + unset($sql, $sql_where, $parameters); + + //remove templates that already exist from the array + foreach ($array['email_templates'] as $index => $row) { + if (is_array($email_templates) && @sizeof($email_templates) != 0) { + foreach($email_templates as $email_template) { + if ($row['email_template_uuid'] == $email_template['email_template_uuid']) { + unset($array['email_templates'][$index]); + } + } + } + } + unset($email_templates, $index); + } + + //add the missing email templates + if (is_array($array['email_templates']) && @sizeof($array['email_templates']) != 0) { + //add the temporary permission + $p = new permissions; + $p->add("email_template_add", 'temp'); + $p->add("email_template_edit", 'temp'); + + //save the data + $database = new database; + $database->app_name = 'email_templates'; + $database->app_uuid = '8173e738-2523-46d5-8943-13883befd2fd'; + $database->save($array); + //$message = $database->message; + + //remove the temporary permission + $p->delete("email_template_add", 'temp'); + $p->delete("email_template_edit", 'temp'); + } + + //remove the array + unset($array); + + } + 
+?> diff --git a/core/authentication/app_languages.php b/core/authentication/app_languages.php new file mode 100644 index 0000000000..8ba495d5a8 --- /dev/null +++ b/core/authentication/app_languages.php @@ -0,0 +1,72 @@ + \ No newline at end of file diff --git a/core/authentication/resources/classes/authentication.php b/core/authentication/resources/classes/authentication.php index ec11635342..98e2ded24a 100644 --- a/core/authentication/resources/classes/authentication.php +++ b/core/authentication/resources/classes/authentication.php @@ -11,14 +11,10 @@ class authentication { /** * Define variables and their scope */ - public $debug; - public $db; public $domain_uuid; public $domain_name; public $username; public $password; - public $plugins; - public $key; /** * Called when the object is created @@ -43,16 +39,21 @@ class authentication { */ public function validate() { - //set the default authentication method to the database - if (!is_array($_SESSION['authentication']['methods'])) { - $_SESSION['authentication']['methods'][] = 'database'; - } - //get the domain_name and domain_uuid if (!isset($this->domain_name) || !isset($this->domain_uuid)) { $this->get_domain(); } + //start the session if its not started + if (session_status() === PHP_SESSION_NONE) { + session_start(); + } + + //set the default authentication method to the database + if (!is_array($_SESSION['authentication']['methods'])) { + $_SESSION['authentication']['methods'][] = 'database'; + } + //automatically block multiple authentication failures if (!isset($_SESSION['users']['max_retry']['numeric'])) { $_SESSION['users']['max_retry']['numeric'] = 5; 
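Review bot: The en-gb template's body is started with `$array['email_templates'][$x]['template_body'] .= "\n";` directly after its `template_subject`, i.e. `.=` on a key that has not been assigned for this `$x` yet, which raises an undefined-index notice every time the defaults run; make that first line an assignment, `$array['email_templates'][$x]['template_body'] = "\n";`. The en-us entry's opening lines are not legible in this rendering, so the same probably applies there. `$uuids` is only created inside the `is_uuid` check, so `is_array($uuids)` below reads an undefined variable when no template has a valid uuid; initialise `$uuids = [];` before the loop, and the `@sizeof(...)` suppressions can become `!empty(...)`. The file's opening lines are outside what is visible here.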
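Review bot: `public $debug` and `public $key` are removed from the property list, but validate() in this same file still reads them (`$object->debug = $this->debug;` and `if ($plugin == 'database' && isset($this->key))`), so a caller that sets `$auth->key` now creates a dynamic property, which PHP 8.2 deprecates, and `$this->debug` is read unset. Either keep `public $debug;` and `public $key;` or drop the reads in validate(). The class body continues outside the hunk.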
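Review bot: `$this->get_domain()` is now called before the `session_start()` block, and get_domain() later in this file iterates `$_SESSION['domains']` and writes `$_SESSION['domain_uuid']`; unless the caller has already started the session, those reads see nothing and the write is lost. Move the `if (session_status() === PHP_SESSION_NONE) { session_start(); }` block above the get_domain() call. `!is_array($_SESSION['authentication']['methods'])` also warns on an undefined key under PHP 8; `if (!isset($_SESSION['authentication']['methods']) || !is_array($_SESSION['authentication']['methods']))` avoids it. validate() continues after this hunk.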
@@ -88,52 +89,328 @@ class authentication { //use the authentication plugins foreach ($_SESSION['authentication']['methods'] as $name) { + + //already processed the plugin move to the next plugin + if ($_SESSION['authentication']['plugin'][$name]['authorized']) { + continue; + } + + //prepare variables $class_name = "plugin_".$name; $base = realpath(dirname(__FILE__)) . "/plugins"; $plugin = $base."/".$name.".php"; + + //process the plugin if (file_exists($plugin)) { include_once $plugin; $object = new $class_name(); $object->debug = $this->debug; $object->domain_name = $this->domain_name; $object->domain_uuid = $this->domain_uuid; - if (strlen($this->key) > 0) { + if ($plugin == 'database' && isset($this->key)) { $object->key = $this->key; } - if (strlen($this->username) > 0) { + if ($plugin == 'database' && isset($this->username)) { $object->username = $this->username; $object->password = $this->password; } $array = $object->$name(); + + $id = $array["plugin"]; $result['plugin'] = $array["plugin"]; $result['domain_name'] = $array["domain_name"]; $result['username'] = $array["username"]; - if ($this->debug) { - $result["password"] = $this->password; - } $result['user_uuid'] = $array["user_uuid"]; $result['contact_uuid'] = $array["contact_uuid"]; $result['domain_uuid'] = $array["domain_uuid"]; $result['authorized'] = $array["authorized"]; - if (count($_SESSION['authentication']['methods']) > 1) { - $result['results'][] = $array; + + //save the result to the authentication plugin + $_SESSION['authentication']['plugin'][$name] = $result; + } + } + + //make sure all plugins are in the array + foreach ($_SESSION['authentication']['methods'] as $name) { + if (!isset($_SESSION['authentication']['plugin'][$name]['authorized'])) { + $_SESSION['authentication']['plugin'][$name]['plugin'] = $name; + $_SESSION['authentication']['plugin'][$name]['domain_name'] = $_SESSION['domain_name']; + $_SESSION['authentication']['plugin'][$name]['domain_uuid'] = $_SESSION['domain_uuid']; 
+ $_SESSION['authentication']['plugin'][$name]['username'] = $_SESSION['username']; + $_SESSION['authentication']['plugin'][$name]['user_uuid'] = $_SESSION['user_uuid']; + $_SESSION['authentication']['plugin'][$name]['authorized'] = 0; + } + } + + //debug information + //view_array($_SESSION['authentication'], false); + + //set authorized to false if any authentication method failed + $authorized = false; + if (is_array($_SESSION['authentication']['plugin'])) { + foreach($_SESSION['authentication']['plugin'] as $row) { + if ($row["authorized"]) { + $authorized = true; } - - if ($result["authorized"] == "true") { - //add the username to the session - $_SESSION['username'] = $result["username"]; - - //end the loop + else { + $authorized = false; break; } } } + //result array + $result["plugin"] = "database"; + $result["domain_name"] = $_SESSION['domain_name']; + if (!isset($_SESSION['username'])) { + $result["username"] = $_SESSION['username']; + } + if (!isset($_SESSION['user_uuid'])) { + $result["user_uuid"] = $_SESSION['user_uuid']; + } + $result["domain_uuid"] = $_SESSION['domain_uuid']; + if (!isset($_SESSION['contact_uuid'])) { + $result["contact_uuid"] = $_SESSION['contact_uuid']; + } + $result["authorized"] = $authorized; + //add user logs - if (file_exists($_SERVER["PROJECT_ROOT"]."/core/user_logs/app_config.php")) { + if ($result["authorized"]) { user_logs::add($result); } + //debug information + //if ($row["authorized"]) { + // echo "authorized: true\n"; + //} + //else { + // echo "authorized: false\n"; + //} + + //user is authorized - get user settings, check user cidr + if ($authorized) { + + //set a session variable to indicate authorized is set to true + $_SESSION['authorized'] = true; + + //add the username to the session //username seesion could be set soone when check_auth uses an authorized session variable instead + $_SESSION['username'] = $result["username"]; + + //get the user settings + $sql = "select * from v_user_settings "; + $sql .= "where 
domain_uuid = :domain_uuid "; + $sql .= "and user_uuid = :user_uuid "; + $sql .= "and user_setting_enabled = 'true' "; + $parameters['domain_uuid'] = $result["domain_uuid"]; + $parameters['user_uuid'] = $result["user_uuid"]; + $database = new database; + $user_settings = $database->select($sql, $parameters, 'all'); + unset($sql, $parameters); + + //build the user cidr array + if (is_array($user_settings) && @sizeof($user_settings) != 0) { + foreach ($user_settings as $row) { + if ($row['user_setting_category'] == "domain" && $row['user_setting_subcategory'] == "cidr" && $row['user_setting_name'] == "array") { + $cidr_array[] = $row['user_setting_value']; + } + } + } + + //check to see if user address is in the cidr array + if (isset($cidr_array) && !defined('STDIN')) { + $found = false; + foreach($cidr_array as $cidr) { + if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) { + $found = true; + break; + } + } + if (!$found) { + //destroy session + session_unset(); + session_destroy(); + + //send http 403 + header('HTTP/1.0 403 Forbidden', true, 403); + + //exit the code + exit(); + } + } + + //set the session variables + $_SESSION["domain_uuid"] = $result["domain_uuid"]; + //$_SESSION["domain_name"] = $result["domain_name"]; + $_SESSION["user_uuid"] = $result["user_uuid"]; + $_SESSION["context"] = $result['domain_name']; + + //user session array + $_SESSION["user"]["domain_uuid"] = $result["domain_uuid"]; + $_SESSION["user"]["domain_name"] = $result["domain_name"]; + $_SESSION["user"]["user_uuid"] = $result["user_uuid"]; + $_SESSION["user"]["username"] = $result["username"]; + $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"]; + + //get the groups assigned to the user and then set the groups in $_SESSION["groups"] + $sql = "select "; + $sql .= "u.user_group_uuid, "; + $sql .= "u.domain_uuid, "; + $sql .= "u.user_uuid, "; + $sql .= "u.group_uuid, "; + $sql .= "g.group_name, "; + $sql .= "g.group_level "; + $sql .= "from "; + $sql .= "v_user_groups as u, "; + 
$sql .= "v_groups as g "; + $sql .= "where u.domain_uuid = :domain_uuid "; + $sql .= "and u.user_uuid = :user_uuid "; + $sql .= "and u.group_uuid = g.group_uuid "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + $parameters['user_uuid'] = $_SESSION["user_uuid"]; + $database = new database; + $result = $database->select($sql, $parameters, 'all'); + $_SESSION["groups"] = $result; + $_SESSION["user"]["groups"] = $result; + unset($sql, $parameters); + + //get the users group level + $_SESSION["user"]["group_level"] = 0; + foreach ($_SESSION['user']['groups'] as $row) { + if ($_SESSION["user"]["group_level"] < $row['group_level']) { + $_SESSION["user"]["group_level"] = $row['group_level']; + } + } + + //get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions'] + if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) { + $x = 0; + $sql = "select distinct(permission_name) from v_group_permissions "; + $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) "; + foreach ($_SESSION["groups"] as $field) { + if (strlen($field['group_name']) > 0) { + $sql_where_or[] = "group_name = :group_name_".$x; + $parameters['group_name_'.$x] = $field['group_name']; + $x++; + } + } + if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) { + $sql .= "and (".implode(' or ', $sql_where_or).") "; + } + $sql .= "and permission_assigned = 'true' "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + $database = new database; + $result = $database->select($sql, $parameters, 'all'); + if (is_array($result) && @sizeof($result) != 0) { + foreach ($result as $row) { + $_SESSION['permissions'][$row["permission_name"]] = true; + $_SESSION["user"]["permissions"][$row["permission_name"]] = true; + } + } + unset($sql, $parameters, $result, $row); + } + + //get the domains + if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){ + require_once 
"app/domains/resources/domains.php"; + } + + //get the user settings + if (is_array($user_settings) && @sizeof($user_settings) != 0) { + foreach ($user_settings as $row) { + $name = $row['user_setting_name']; + $category = $row['user_setting_category']; + $subcategory = $row['user_setting_subcategory']; + if (strlen($row['user_setting_value']) > 0) { + if (strlen($subcategory) == 0) { + //$$category[$name] = $row['domain_setting_value']; + if ($name == "array") { + $_SESSION[$category][] = $row['user_setting_value']; + } + else { + $_SESSION[$category][$name] = $row['user_setting_value']; + } + } + else { + //$$category[$subcategory][$name] = $row['domain_setting_value']; + if ($name == "array") { + $_SESSION[$category][$subcategory][] = $row['user_setting_value']; + } + else { + $_SESSION[$category][$subcategory][$name] = $row['user_setting_value']; + } + } + } + } + } + unset($user_settings); + + //get the extensions that are assigned to this user + if (file_exists($_SERVER["PROJECT_ROOT"]."/app/extensions/app_config.php")) { + if (isset($_SESSION["user"]) && is_uuid($_SESSION["user_uuid"]) && is_uuid($_SESSION["domain_uuid"]) && !isset($_SESSION['user']['extension'])) { + //get the user extension list + $_SESSION['user']['extension'] = null; + $sql = "select "; + $sql .= "e.extension_uuid, "; + $sql .= "e.extension, "; + $sql .= "e.number_alias, "; + $sql .= "e.user_context, "; + $sql .= "e.outbound_caller_id_name, "; + $sql .= "e.outbound_caller_id_number, "; + $sql .= "e.description "; + $sql .= "from "; + $sql .= "v_extension_users as u, "; + $sql .= "v_extensions as e "; + $sql .= "where "; + $sql .= "e.domain_uuid = :domain_uuid "; + $sql .= "and e.extension_uuid = u.extension_uuid "; + $sql .= "and u.user_uuid = :user_uuid "; + $sql .= "and e.enabled = 'true' "; + $sql .= "order by "; + $sql .= "e.extension asc "; + $parameters['domain_uuid'] = $_SESSION['domain_uuid']; + $parameters['user_uuid'] = $_SESSION['user_uuid']; + $database = new database; + 
$result = $database->select($sql, $parameters, 'all'); + if (is_array($result) && @sizeof($result) != 0) { + foreach($result as $x => $row) { + //set the destination + $destination = $row['extension']; + if (strlen($row['number_alias']) > 0) { + $destination = $row['number_alias']; + } + + //build the user array + $_SESSION['user']['extension'][$x]['user'] = $row['extension']; + $_SESSION['user']['extension'][$x]['number_alias'] = $row['number_alias']; + $_SESSION['user']['extension'][$x]['destination'] = $destination; + $_SESSION['user']['extension'][$x]['extension_uuid'] = $row['extension_uuid']; + $_SESSION['user']['extension'][$x]['outbound_caller_id_name'] = $row['outbound_caller_id_name']; + $_SESSION['user']['extension'][$x]['outbound_caller_id_number'] = $row['outbound_caller_id_number']; + $_SESSION['user']['extension'][$x]['user_context'] = $row['user_context']; + $_SESSION['user']['extension'][$x]['description'] = $row['description']; + + //set the context + $_SESSION['user']['user_context'] = $row["user_context"]; + $_SESSION['user_context'] = $row["user_context"]; + } + } + unset($sql, $parameters, $result, $row); + } + } + + //set the time zone + if (!isset($_SESSION["time_zone"]["user"])) { $_SESSION["time_zone"]["user"] = null; } + if (strlen($_SESSION["time_zone"]["user"]) == 0) { + //set the domain time zone as the default time zone + date_default_timezone_set($_SESSION['domain']['time_zone']['name']); + } + else { + //set the user defined time zone + date_default_timezone_set($_SESSION["time_zone"]["user"]); + } + + } //authorized true + //return the result return $result; } @@ -152,6 +429,7 @@ class authentication { if (count($username_array) > 1) { //get the domain name $domain_name = $username_array[count($username_array) -1]; + //check if the domain from the username exists then set the domain_uuid $domain_exists = false; foreach ($_SESSION['domains'] as $row) { 
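Review bot: The three `if (!isset($_SESSION['username']))` / `user_uuid` / `contact_uuid` guards that build the final result array are inverted: the value is copied into `$result` only when the session key is absent, so once the database plugin has populated `$_SESSION["user_uuid"]` (as the plugins/database.php hunk does) `$result["user_uuid"]` stays undefined and is then written back into `$_SESSION["user_uuid"]` and used as the `:user_uuid` parameter of the user-settings and groups queries; these should read `if (isset($_SESSION['username'])) { $result["username"] = $_SESSION['username']; }` and likewise for the other two. Earlier in the hunk, `if ($plugin == 'database' && isset($this->key))` compares the plugin file path (`$plugin` is `$base."/".$name.".php"`) rather than the plugin name, so the key, username and password are never forwarded to the plugin object; `$name == 'database'` is what is meant. `user_logs::add($result)` is now only reached when `$result["authorized"]` is true and the `file_exists` guard on the user_logs app was dropped, so failed attempts no longer leave a user-log entry; log both outcomes as the old code did so brute-force detection keeps its signal, and keep the existence check unless the class is known to be autoloadable. The enclosing validate() method starts before this hunk.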
@@ -161,12 +439,14 @@ class authentication { break; } } + //if the domain exists then set domain_name and update the username if ($domain_exists) { $this->domain_name = $domain_name; $this->username = substr($_REQUEST["username"], 0, -(strlen($domain_name)+1)); $_SESSION['domain_uuid'] = $this->domain_uuid; } + //unset the domain name variable unset($domain_name); } @@ -196,7 +476,6 @@ class authentication { //set the setting arrays $obj = new domains(); - $obj->db = $db; $obj->set(); //set the domain settings diff --git a/core/authentication/resources/classes/plugins/database.php b/core/authentication/resources/classes/plugins/database.php index df85e1e936..0344618626 100644 --- a/core/authentication/resources/classes/plugins/database.php +++ b/core/authentication/resources/classes/plugins/database.php 
@@ -1,7 +1,7 @@ create('login'); + + //add multi-lingual support + $language = new text; + $text = $language->get(null, '/core/authentication'); + + //initialize a template object + $view = new template(); + $view->engine = 'smarty'; + $view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/'; + $view->cache_dir = $_SESSION['server']['temp']['dir']; + $view->init(); + + //add translations + $view->assign("login_title", $text['button-login']); + $view->assign("label_username", $text['label-username']); + $view->assign("label_password", $text['label-password']); + $view->assign("button_login", $text['button-login']); + + //assign default values to the template + $view->assign("login_destination_url", $login_destination_url); + $view->assign("login_logo_width", $login_logo_width); + $view->assign("login_logo_height", $login_logo_height); + $view->assign("login_logo_source", $login_logo_source); + + //add the token name and hash to the view + //$view->assign("token_name", $token['name']); + //$view->assign("token_hash", $token['hash']); + + //show the views + $content = $view->render('login.htm'); + echo $content; + exit; + } + + //validate the token + //$token = new token; + //if (!$token->validate($_SERVER['PHP_SELF'])) { + // message::add($text['message-invalid_token'],'negative'); + // header('Location: domains.php'); + // exit; + //} + + //add the authentication details + if (isset($_REQUEST["username"]) && isset($_REQUEST["password"])) { + $this->username = $_REQUEST["username"]; + $this->password = $_REQUEST["password"]; + } + if (isset($_REQUEST["key"])) { + $this->key = $_REQUEST["key"]; + } + //set the default status $user_authorized = false; //check the username and password if they don't match then redirect to the login - $sql = "select u.user_uuid, u.contact_uuid, u.username, u.password, u.salt, u.api_key, u.domain_uuid, d.domain_name "; + $sql = "select u.user_uuid, u.contact_uuid, u.username, u.password, "; + 
$sql .= "u.user_email, u.salt, u.api_key, u.domain_uuid, d.domain_name "; $sql .= "from v_users as u, v_domains as d "; $sql .= "where u.domain_uuid = d.domain_uuid "; if (strlen($this->key) > 30) { @@ -52,7 +162,11 @@ class plugin_database { $sql .= "and (user_enabled = 'true' or user_enabled is null) "; $database = new database; $row = $database->select($sql, $parameters, 'row'); - if (is_array($row) && @sizeof($row) !== 0) { + if (is_array($row)) { + + //set the domain details + $this->domain_uuid = $_SESSION['domain_uuid']; + $this->domain_name = $_SESSION['domain_name']; //get the domain uuid when users are unique globally if ($_SESSION["users"]["unique"]["text"] === "global" && $row["domain_uuid"] !== $this->domain_uuid) { @@ -70,10 +184,22 @@ class plugin_database { $domain->set(); } - //set the user_uuid + //set the variables $this->user_uuid = $row['user_uuid']; + $this->username = $row['username']; $this->contact_uuid = $row['contact_uuid']; + //debug info + //echo "user_uuid ".$this->user_uuid."
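Review bot: The CSRF token for the new login form is left commented out on both sides (`//$view->assign("token_name", $token['name']);` when rendering and `//if (!$token->validate($_SERVER['PHP_SELF'])) {` before the credentials are read), so the POST that sets `$this->username`/`$this->password` is accepted without a token; re-enable the create/validate pair or leave a comment stating why login is exempt. `$this->key = $_REQUEST["key"]` accepts the API key from the query string as well as the body; if callers permit, reading it from `$_POST` or a header keeps it out of access logs and referrers. The `@@ -1,7 +1,7 @@` header does not match the amount of code shown, so this region appears to be several hunks merged by the rendering, and the start of the database() method is not legible here.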
\n"; + //echo "username ".$this->username."
\n"; + //echo "contact_uuid ".$this->contact_uuid."
\n"; + + //set a few session variables + $_SESSION["user_uuid"] = $row['user_uuid']; + $_SESSION["contact_uuid"] = $row["contact_uuid"]; + $_SESSION["username"] = $row['username']; + $_SESSION["user_email"] = $row['user_email']; + //validate the password $valid_password = false; if (isset($this->key) && strlen($this->key) > 30 && $this->key === $row["api_key"]) { @@ -82,7 +208,7 @@ class plugin_database { else if (substr($row["password"], 0, 1) === '$') { if (isset($this->password) && strlen($this->password) > 0) { if (password_verify($this->password, $row["password"])) { - $valid_password = true; + $valid_password = true; } } } @@ -137,20 +263,15 @@ class plugin_database { $result["plugin"] = "database"; $result["domain_name"] = $this->domain_name; $result["username"] = $this->username; - if ($this->debug) { - $result["password"] = $this->password; - } $result["user_uuid"] = $this->user_uuid; - $result["domain_uuid"] = $this->domain_uuid; + $result["domain_uuid"] = $_SESSION['domain_uuid']; $result["contact_uuid"] = $this->contact_uuid; $result["sql"] = $sql; - if ($valid_password) { - $result["authorized"] = "true"; - } - else { - $result["authorized"] = "false"; - } + $result["authorized"] = $valid_password; + + //return the results return $result; + } } diff --git a/core/authentication/resources/classes/plugins/email.php b/core/authentication/resources/classes/plugins/email.php new file mode 100644 index 0000000000..a5f36238ba --- /dev/null +++ b/core/authentication/resources/classes/plugins/email.php 
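Review bot: `$_SESSION["user_uuid"]`, `["contact_uuid"]`, `["username"]` and `["user_email"]` are written from the looked-up row before `$valid_password` is computed, so a request with a valid username and a wrong password or API key leaves that user's identity in the session; the new plugins/email.php does the same in the branch that runs before an authentication code has been posted. Move the four assignments after the password check, or clear them when `$valid_password` is false, so an unauthenticated session never carries a user_uuid. The commented-out `//echo` debug lines above them should be removed rather than kept. The surrounding `if (is_array($row))` block starts before this hunk.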
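Review bot: `$result["domain_uuid"]` now reports `$_SESSION['domain_uuid']` instead of `$this->domain_uuid`, while the global-unique branch earlier in this method (its body is outside the hunk) appears to adjust `$this->domain_uuid` to the row's domain, so the result may name the session's domain rather than the user's; `$row['domain_uuid']` would be the unambiguous value here. `$result["authorized"]` also changes from the strings "true"/"false" to the bool `$valid_password`, which the authentication.php hunk handles by truthiness, but any other caller still comparing against `"true"` (check_auth.php is in the diffstat but not visible) needs the same update. `$result["sql"] = $sql` keeps handing the query text back to callers; consider omitting it outside debug builds.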
@@ -0,0 +1,395 @@ + true or false + */ + function email() { + + //set a default template + $_SESSION['domain']['template']['name'] = 'default'; + $_SESSION['theme']['menu_brand_image']['text'] = PROJECT_PATH.'/themes/default/images/logo.png'; + $_SESSION['theme']['menu_brand_type']['text'] = 'image'; + + //login logo source + if (isset($_SESSION['theme']['logo_login']['text']) && $_SESSION['theme']['logo_login']['text'] != '') { + $login_logo_source = $_SESSION['theme']['logo_login']['text']; + } + else if (isset($_SESSION['theme']['logo']['text']) && $_SESSION['theme']['logo']['text'] != '') { + $login_logo_source = $_SESSION['theme']['logo']['text']; + } + else { + $login_logo_source = PROJECT_PATH.'/themes/default/images/logo_login.png'; + } + + //login logo dimensions + if (isset($_SESSION['theme']['login_logo_width']['text']) && $_SESSION['theme']['login_logo_width']['text'] != '') { + $login_logo_width = $_SESSION['theme']['login_logo_width']['text']; + } + else { + $login_logo_width = 'auto; max-width: 300px'; + } + if (isset($_SESSION['theme']['login_logo_height']['text']) && $_SESSION['theme']['login_logo_height']['text'] != '') { + $login_logo_height = $_SESSION['theme']['login_logo_height']['text']; + } + else { + $login_logo_height = 'auto; max-height: 300px'; + } + + //login destination url + $login_destination_url = $_SESSION['login']['destination']['url']; + + //get the domain + $domain_array = explode(":", $_SERVER["HTTP_HOST"]); + $domain_name = $domain_array[0]; + + //temp directory + $_SESSION['server']['temp']['dir'] = '/tmp'; + + //request the username + if (!isset($_POST['username']) && !isset($_POST['authentication_code'])) { + + //add multi-lingual support + $language = new text; + $text = $language->get(null, '/core/authentication'); + + //initialize a template object + $view = new template(); + $view->engine = 'smarty'; + $view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/'; + 
$view->cache_dir = $_SESSION['server']['temp']['dir']; + $view->init(); + + //assign default values to the template + $view->assign("login_title", $text['label-username']); + $view->assign("login_username", $text['label-username']); + $view->assign("login_logo_width", $login_logo_width); + $view->assign("login_logo_height", $login_logo_height); + $view->assign("login_logo_source", $login_logo_source); + $view->assign("button_login", $text['button-login']); + + //show the views + $content = $view->render('username.htm'); + echo $content; + exit; + + } + + //show the authentication code view + if (!isset($_POST['authentication_code'])) { + + //get the username + //if (!isset($this->username) && isset($_REQUEST['username'])) { + // $this->username = $_REQUEST['username']; + //} + + //get the user details + $sql = "select user_uuid, username, user_email, contact_uuid \n"; + $sql .= "from v_users\n"; + $sql .= "where username = :username\n"; + if ($_SESSION["users"]["unique"]["text"] != "global") { + //unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + } + $parameters['username'] = $_REQUEST['username']; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + unset($parameters); + + //set class variables + //if (strlen($row["user_email"]) > 0) { + // $this->user_uuid = $row['user_uuid']; + // $this->user_email = $row['user_email']; + // $this->contact_uuid = $row['contact_uuid']; + //} + + //set a few session variables + $_SESSION["user_uuid"] = $row['user_uuid']; + $_SESSION["username"] = $row['username']; + $_SESSION["user_email"] = $row['user_email']; + $_SESSION["contact_uuid"] = $row["contact_uuid"]; + + //user email not found + if (strlen($row["user_email"]) == 0) { + //build the result array + $result["plugin"] = "email"; + $result["domain_name"] = $_SESSION["domain_name"]; + $result["username"] = 
$_REQUEST['username']; + $result["user_uuid"] = $_SESSION["user_uuid"]; + $result["domain_uuid"] = $_SESSION["domain_uuid"]; + $result["contact_uuid"] = $_SESSION["contact_uuid"]; + $result["authorized"] = false; + + //add the failed login to user logs + user_logs::add($result); + + //return the array + return $result; + } + + //authentication code + $_SESSION["user"]["authentication"]["email"]["code"] = generate_password(6, 1); + $_SESSION["user"]["authentication"]["email"]["epoch"] = time(); + + ////$_SESSION["authentication_address"] = $_SERVER['REMOTE_ADDR']; + ////$_SESSION["authentication_date"] = 'now()'; + + //set the authentication code + //$sql = "update v_users \n"; + //$sql .= "set auth_code = :auth_code \n"; + //$sql .= "where user_uuid = :user_uuid;"; + //$parameters['auth_code'] = $auth_code_hash; + //$parameters['user_uuid'] = $this->user_uuid; + //$database->execute($sql, $parameters); + //unset($sql); + + //email settings + //$email_address = $this->user_email; + //$email_subject = 'Validation Code'; + //$email_body = 'Validation Code: '.$authentication_code; + + //send email with the authentication_code + //ob_start(); + //$sent = !send_email($email_address, $email_subject, $email_body, $email_error, null, null, 3, 3) ? 
false : true; + //$response = ob_get_clean(); + + //get the language code + $language_code = $_SESSION['domain']['language']['code']; + + //get the email template from the database + $sql = "select template_subject, template_body "; + $sql .= "from v_email_templates "; + $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) "; + $sql .= "and template_language = :template_language "; + $sql .= "and template_category = :template_category "; + $sql .= "and template_subcategory = :template_subcategory "; + $sql .= "and template_type = :template_type "; + $sql .= "and template_enabled = 'true' "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + $parameters['template_language'] = $language_code; + $parameters['template_category'] = 'authentication'; + $parameters['template_subcategory'] = 'email'; + $parameters['template_type'] = 'html'; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + $email_subject = $row['template_subject']; + $email_body = $row['template_body']; + unset($sql, $parameters, $row); + + //replace variables in email subject + $email_subject = str_replace('${domain_name}', $_SESSION["domain_name"], $email_subject); + + //replace variables in email body + $email_body = str_replace('${domain_name}', $_SESSION["domain_name"], $email_body); + $email_body = str_replace('${auth_code}', $_SESSION["user"]["authentication"]["email"]["code"], $email_body); + + //get the email from name and address + $email_from_address = $_SESSION['email']['smtp_from']['text']; + $email_from_name = $_SESSION['email']['smtp_from_name']['text']; + + //send email - direct + $email = new email; + $email->recipients = $_SESSION["user_email"]; + $email->subject = $email_subject; + $email->body = $email_body; + $email->from_address = $email_from_address; + $email->from_name = $email_from_name; + //$email->attachments = $email_attachments; + $email->debug_level = 0; + $email->method = 'direct'; + $sent = $email->send(); + + //debug 
informations + //$email_response = $email->response; + //$email_error = $email->email_error; + //echo $email_response."
\n"; + //echo $email_error."
\n"; + + //set a default template + $_SESSION['domain']['template']['name'] = 'default'; + $_SESSION['theme']['menu_brand_image']['text'] = PROJECT_PATH.'/themes/default/images/logo.png'; + $_SESSION['theme']['menu_brand_type']['text'] = 'image'; + + //get the domain + $domain_array = explode(":", $_SERVER["HTTP_HOST"]); + $domain_name = $domain_array[0]; + + //temp directory + $_SESSION['server']['temp']['dir'] = '/tmp'; + + //create token + //$object = new token; + //$token = $object->create('login'); + + //add multi-lingual support + $language = new text; + $text = $language->get(null, '/core/authentication'); + + //initialize a template object + $view = new template(); + $view->engine = 'smarty'; + $view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/'; + $view->cache_dir = $_SESSION['server']['temp']['dir']; + $view->init(); + + //assign default values to the template + $view->assign("login_title", $text['label-verify']); + $view->assign("login_email_description", $text['label-email_description']); + $view->assign("login_authentication_code", $text['label-authentication_code']); + $view->assign("login_logo_width", $login_logo_width); + $view->assign("login_logo_height", $login_logo_height); + $view->assign("login_logo_source", $login_logo_source); + $view->assign("button_verify", $text['label-verify']); + + //debug information + //echo "
\n";
+				//print_r($text);
+				//echo "
\n"; + + //show the views + $content = $view->render('email.htm'); + echo $content; + exit; + } + + //if authorized then verify + if (isset($_POST['authentication_code'])) { + + //check if the authentication code has expired. if expired return false + if ($_SESSION["user"]["authentication"]["email"]["epoch"] + 3 > time()) { + //authentication code expired + $result["plugin"] = "email"; + $result["domain_name"] = $_SESSION["domain_name"]; + $result["username"] = $_SESSION["username"]; + $result["error_message"] = 'code expired'; + $result["authorized"] = false; + print_r($result); + return $result; + exit; + } + + //get the user details + $sql = "select user_uuid, user_email, contact_uuid, user_email_secret\n"; + $sql .= "from v_users\n"; + $sql .= "where username = :username\n"; + if ($_SESSION["users"]["unique"]["text"] != "global") { + //unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + } + $parameters['username'] = $_SESSION["username"]; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + $this->user_uuid = $row['user_uuid']; + $this->user_email = $row['user_email']; + $this->contact_uuid = $row['contact_uuid']; + $this->user_email_secret = $row['user_email_secret']; + unset($parameters); + + //validate the code + if ($_SESSION["user"]["authentication"]["email"]["code"] === $_POST['authentication_code']) { + $auth_valid = true; + } + else { + $auth_valid = false; + } + + //get the user details + if ($auth_valid) { + //get user data from the database + $sql = "select user_uuid, username, user_email, contact_uuid from v_users "; + $sql .= "where user_uuid = :user_uuid "; + if ($_SESSION["users"]["unique"]["text"] != "global") { + //unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = 
$_SESSION["domain_uuid"]; + } + $parameters['user_uuid'] = $_SESSION["user_uuid"]; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + //view_array($row); + unset($parameters); + + //set a few session variables + //$_SESSION["username"] = $row['username']; //setting the username makes it skip the rest of the authentication + //$_SESSION["user_email"] = $row['user_email']; + //$_SESSION["contact_uuid"] = $row["contact_uuid"]; + } + else { + //destroy session + session_unset(); + session_destroy(); + //$_SESSION['authentication']['plugin'] + //send http 403 + header('HTTP/1.0 403 Forbidden', true, 403); + + //redirect to the root of the website + header("Location: ".PROJECT_PATH."/"); + + //exit the code + exit(); + } + + /* + //check if user successfully logged in during the interval + //$sql = "select user_log_uuid, timestamp, user_name, user_agent, remote_address "; + $sql = "select count(*) as count "; + $sql .= "from v_user_logs "; + $sql .= "where domain_uuid = :domain_uuid "; + $sql .= "and user_uuid = :user_uuid "; + $sql .= "and user_agent = :user_agent "; + $sql .= "and type = 'login' "; + $sql .= "and result = 'success' "; + $sql .= "and floor(extract(epoch from now()) - extract(epoch from timestamp)) > 3 "; + $sql .= "and floor(extract(epoch from now()) - extract(epoch from timestamp)) < 300 "; + $parameters['domain_uuid'] = $this->domain_uuid; + $parameters['user_uuid'] = $this->user_uuid; + $parameters['user_agent'] = $_SERVER['HTTP_USER_AGENT']; + $database = new database; + $user_log_count = $database->select($sql, $parameters, 'all'); + //view_array($user_log_count); + unset($sql, $parameters); + */ + + //result array + $result["plugin"] = "email"; + $result["domain_name"] = $_SESSION["domain_name"]; + $result["username"] = $_SESSION["username"]; + $result["user_uuid"] = $_SESSION["user_uuid"]; + $result["domain_uuid"] = $_SESSION["domain_uuid"]; + $result["contact_uuid"] = $_SESSION["contact_uuid"]; + 
$result["authorized"] = $auth_valid ? true : false; + return $result; + + //$_SESSION['authentication']['plugin']['email']['plugin'] = "email"; + //$_SESSION['authentication']['plugin']['email']['domain_name'] = $_SESSION["domain_name"]; + //$_SESSION['authentication']['plugin']['email']['username'] = $row['username']; + //$_SESSION['authentication']['plugin']['email']['user_uuid'] = $_SESSION["user_uuid"]; + //$_SESSION['authentication']['plugin']['email']['contact_uuid'] = $_SESSION["contact_uuid"]; + //$_SESSION['authentication']['plugin']['email']['domain_uuid'] = $_SESSION["domain_uuid"]; + //$_SESSION['authentication']['plugin']['email']['authorized'] = $auth_valid ? true : false; + } + + } +} + +?> diff --git a/core/authentication/resources/classes/plugins/ldap.php b/core/authentication/resources/classes/plugins/ldap.php index 569233e127..adeb9ea8ff 100644 --- a/core/authentication/resources/classes/plugins/ldap.php +++ b/core/authentication/resources/classes/plugins/ldap.php @@ -140,15 +140,15 @@ class plugin_ldap { } //result array - $result["plugin"] = "ldap"; - $result["domain_name"] = $this->domain_name; - $result["username"] = $this->username; + $result["ldap"]["plugin"] = "ldap"; + $result["ldap"]["domain_name"] = $this->domain_name; + $result["ldap"]["username"] = $this->username; if ($this->debug) { - $result["password"] = $this->password; + $result["ldap"]["password"] = $this->password; } - $result["user_uuid"] = $this->user_uuid; - $result["domain_uuid"] = $this->domain_uuid; - $result["authorized"] = $user_authorized ? 'true' : 'false'; + $result["ldap"]["user_uuid"] = $this->user_uuid; + $result["ldap"]["domain_uuid"] = $this->domain_uuid; + $result["ldap"]["authorized"] = $user_authorized ? true : false; return $result; } } diff --git a/core/authentication/resources/classes/plugins/totp.php b/core/authentication/resources/classes/plugins/totp.php new file mode 100644 index 0000000000..eaa28fce40 --- /dev/null 
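Review bot: The expiry test in the verification branch of the email.php hunk is inverted: `if ($_SESSION["user"]["authentication"]["email"]["epoch"] + 3 > time())` reports "code expired" during the first three seconds after the code is issued and accepts the code forever afterwards. It should reject once the lifetime has elapsed, e.g. `if (time() > $_SESSION["user"]["authentication"]["email"]["epoch"] + $code_lifetime) {` with `$code_lifetime` a few minutes (a constant you choose); on that path `print_r($result);` writes the result array into the HTTP response and the `exit;` after `return` is unreachable, so both should go. After a successful comparison the code stays in the session and can be submitted again, so `unset($_SESSION["user"]["authentication"]["email"]);` once verified makes it single-use, and an attempt counter stored next to the epoch would bound guessing of a six-character code. In the code-request branch `$row` is dereferenced (`strlen($row["user_email"])`, `$row['user_uuid']`) without checking that the select found a user, and the early `return` for a missing email produces a visibly different response from the code view, revealing whether the username exists; rendering the same view regardless avoids that. The `//create token` block is commented out, so the code form is posted without the project's anti-CSRF token.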
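Review bot: plugin_ldap now returns its fields nested under `$result["ldap"]` while plugin_database, plugin_email and plugin_totp return them at the top level (`$result["plugin"]`, `$result["authorized"]`); unless authentication.php (not in view) unwraps the nested form, a consumer such as the syslog line in check_auth.php that reads `$result["username"]` gets nothing for LDAP logins. Pick one result shape for all plugins. Separately, under `$this->debug` the plaintext password is copied into the result (`$result["ldap"]["password"] = $this->password;`) and check_auth.php in this same commit sets `$auth->debug = true;`, so the password travels inside the result array wherever that array is printed or logged — drop the password from the result entirely.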
+++ b/core/authentication/resources/classes/plugins/totp.php 
@@ -0,0 +1,266 @@ + true or false + */ + function totp() { + + //request the username + if (!isset($_POST['username']) && !isset($_POST['authentication_code'])) { + + //set a default template + $_SESSION['domain']['template']['name'] = 'default'; + $_SESSION['theme']['menu_brand_image']['text'] = PROJECT_PATH.'/themes/default/images/logo.png'; + $_SESSION['theme']['menu_brand_type']['text'] = 'image'; + + //get the domain + $domain_array = explode(":", $_SERVER["HTTP_HOST"]); + $domain_name = $domain_array[0]; + + //temp directory + $_SESSION['server']['temp']['dir'] = '/tmp'; + + //create token + //$object = new token; + //$token = $object->create('login'); + + //add multi-lingual support + $language = new text; + $text = $language->get(null, '/core/authentication'); + + //initialize a template object + $view = new template(); + $view->engine = 'smarty'; + $view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/'; + $view->cache_dir = $_SESSION['server']['temp']['dir']; + $view->init(); + + //assign default values to the template + $view->assign("login_title", $text['label-username']); + $view->assign("login_username", $text['label-username']); + $view->assign("login_logo_width", $login_logo_width); + $view->assign("login_logo_height", $login_logo_height); + $view->assign("login_logo_source", $login_logo_source); + $view->assign("button_login", $text['button-login']); + + //show the views + $content = $view->render('username.htm'); + echo $content; + exit; + } + + //show the authentication code view + if (!isset($_POST['authentication_code'])) { + + //get the username + if (!isset($this->username) && isset($_REQUEST['username'])) { + $this->username = $_REQUEST['username']; + } + + //get the user details + $sql = "select user_uuid, username, user_email, contact_uuid, user_totp_secret\n"; + $sql .= "from v_users\n"; + $sql .= "where username = :username\n"; + if ($_SESSION["users"]["unique"]["text"] != "global") { + 
//unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = $this->domain_uuid; + } + $parameters['username'] = $this->username; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + unset($parameters); + + //set class variables + $this->user_uuid = $row['user_uuid']; + $this->user_email = $row['user_email']; + $this->contact_uuid = $row['contact_uuid']; + $this->user_totp_secret = $row['user_totp_secret']; + + //set a few session variables + $_SESSION["user_uuid"] = $row['user_uuid']; + $_SESSION["username"] = $row['username']; + $_SESSION["user_email"] = $row['user_email']; + $_SESSION["contact_uuid"] = $row["contact_uuid"]; + + //set a default template + $_SESSION['domain']['template']['name'] = 'default'; + $_SESSION['theme']['menu_brand_image']['text'] = PROJECT_PATH.'/themes/default/images/logo.png'; + $_SESSION['theme']['menu_brand_type']['text'] = 'image'; + + //get the domain + $domain_array = explode(":", $_SERVER["HTTP_HOST"]); + $domain_name = $domain_array[0]; + + //temp directory + $_SESSION['server']['temp']['dir'] = '/tmp'; + + //create token + //$object = new token; + //$token = $object->create('login'); + + //add multi-lingual support + $language = new text; + $text = $language->get(null, '/core/authentication'); + + //initialize a template object + $view = new template(); + $view->engine = 'smarty'; + $view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/'; + $view->cache_dir = $_SESSION['server']['temp']['dir']; + $view->init(); + + //assign default values to the template + $view->assign("login_title", $text['label-verify']); + $view->assign("login_authentication_code", $text['label-authentication_code']); + $view->assign("login_logo_width", $login_logo_width); + $view->assign("login_logo_height", $login_logo_height); + $view->assign("login_logo_source", 
$login_logo_source); + $view->assign("button_verify", $text['label-verify']); + + //show the views + $content = $view->render('totp.htm'); + echo $content; + exit; + } + + //if authorized then verify + if (isset($_POST['authentication_code'])) { + + //get the user details + $sql = "select user_uuid, user_email, contact_uuid, user_totp_secret\n"; + $sql .= "from v_users\n"; + $sql .= "where username = :username\n"; + if ($_SESSION["users"]["unique"]["text"] != "global") { + //unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; + } + $parameters['username'] = $_SESSION["username"]; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + $this->user_uuid = $row['user_uuid']; + $this->user_email = $row['user_email']; + $this->contact_uuid = $row['contact_uuid']; + $this->user_totp_secret = $row['user_totp_secret']; + unset($parameters); + + //include the google authenticator + include_once "resources/google_authenticator/GoogleAuthenticatorInterface.php"; + include_once "resources/google_authenticator/FixedBitNotation.php"; + include_once "resources/google_authenticator/GoogleAuthenticator.php"; + + //create the authenticator object + $totp = new \Sonata\GoogleAuthenticator\GoogleAuthenticator(); + + //validate the code + if ($totp->checkCode($this->user_totp_secret, $_POST['authentication_code'])) { + $auth_valid = true; + } + else { + $auth_valid = false; + } + + //get the user details + if ($auth_valid) { + //get user data from the database + $sql = "select user_uuid, username, user_email, contact_uuid from v_users "; + $sql .= "where user_uuid = :user_uuid "; + if ($_SESSION["users"]["unique"]["text"] != "global") { + //unique username per domain (not globally unique across system - example: email address) + $sql .= "and domain_uuid = :domain_uuid "; + $parameters['domain_uuid'] = 
$_SESSION["domain_uuid"]; + } + $parameters['user_uuid'] = $_SESSION["user_uuid"]; + $database = new database; + $row = $database->select($sql, $parameters, 'row'); + //view_array($row); + unset($parameters); + } + else { + //destroy session + session_unset(); + session_destroy(); + //$_SESSION['authentication']['plugin'] + //send http 403 + header('HTTP/1.0 403 Forbidden', true, 403); + + //redirect to the root of the website + header("Location: ".PROJECT_PATH."/"); + + //exit the code + exit(); + } + + /* + //check if user successfully logged in during the interval + //$sql = "select user_log_uuid, timestamp, user_name, user_agent, remote_address "; + $sql = "select count(*) as count "; + $sql .= "from v_user_logs "; + $sql .= "where domain_uuid = :domain_uuid "; + $sql .= "and user_uuid = :user_uuid "; + $sql .= "and user_agent = :user_agent "; + $sql .= "and type = 'login' "; + $sql .= "and result = 'success' "; + $sql .= "and floor(extract(epoch from now()) - extract(epoch from timestamp)) > 3 "; + $sql .= "and floor(extract(epoch from now()) - extract(epoch from timestamp)) < 300 "; + $parameters['domain_uuid'] = $this->domain_uuid; + $parameters['user_uuid'] = $this->user_uuid; + $parameters['user_agent'] = $_SERVER['HTTP_USER_AGENT']; + $database = new database; + $user_log_count = $database->select($sql, $parameters, 'all'); + //view_array($user_log_count); + unset($sql, $parameters); + */ + + //build the result array + $result["plugin"] = "totp"; + $result["domain_name"] = $_SESSION["domain_name"]; + $result["username"] = $_SESSION["username"]; + $result["user_uuid"] = $_SESSION["user_uuid"]; + $result["domain_uuid"] = $_SESSION["domain_uuid"]; + $result["contact_uuid"] = $_SESSION["contact_uuid"]; + $result["authorized"] = $auth_valid ? 
true : false; + + //add the failed login to user logs + if (!$auth_valid) { + user_logs::add($result); + } + + //retun the array + return $result; + + + //$_SESSION['authentication']['plugin']['totp']['plugin'] = "totp"; + //$_SESSION['authentication']['plugin']['totp']['domain_name'] = $_SESSION["domain_name"]; + //$_SESSION['authentication']['plugin']['totp']['username'] = $row['username']; + //$_SESSION['authentication']['plugin']['totp']['user_uuid'] = $_SESSION["user_uuid"]; + //$_SESSION['authentication']['plugin']['totp']['contact_uuid'] = $_SESSION["contact_uuid"]; + //$_SESSION['authentication']['plugin']['totp']['domain_uuid'] = $_SESSION["domain_uuid"]; + //$_SESSION['authentication']['plugin']['totp']['authorized'] = $auth_valid ? true : false; + } + + } +} + +?> diff --git a/core/authentication/resources/views/email.htm b/core/authentication/resources/views/email.htm new file mode 100644 index 0000000000..b051e92ef4 --- /dev/null +++ b/core/authentication/resources/views/email.htm @@ -0,0 +1,36 @@ + + + + + + + + +{$login_title} + +
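Review bot: In totp() `$login_logo_width`, `$login_logo_height` and `$login_logo_source` are passed to `$view->assign()` in both the username and the code views but are never assigned in this method (plugin_email::email() derives them from `$_SESSION['theme']`), so the templates receive null; copy that resolution into totp() or move it into a helper both plugins call. The verification branch accepts whatever `checkCode()` approves with no record of the last accepted time step, so a code observed during its validity window can be replayed — store the accepted step (e.g. `$_SESSION["user"]["authentication"]["totp"]["last_step"]`) and reject an equal or older one — and guard an empty `$this->user_totp_secret` before calling `checkCode()`, since a user with no enrolled secret should not reach this path. As in email.php the `//create token` block is commented out, so the form posts without an anti-CSRF token, and `include_once "resources/google_authenticator/..."` is a relative path whose resolution depends on the caller's working directory and include path.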
+
+ +
+
+ {$login_email_description} +

+ +

+
+
+ + +
+
+
+
+ + + \ No newline at end of file diff --git a/core/authentication/resources/views/login.htm b/core/authentication/resources/views/login.htm new file mode 100644 index 0000000000..716964e2dc --- /dev/null +++ b/core/authentication/resources/views/login.htm @@ -0,0 +1,32 @@ + + + + + + + + +{$login_title} + +
+
+
+
+
+
+
+
+
+ + +
+
+
+
+ + + diff --git a/core/authentication/resources/views/totp.htm b/core/authentication/resources/views/totp.htm new file mode 100644 index 0000000000..80535706d1 --- /dev/null +++ b/core/authentication/resources/views/totp.htm @@ -0,0 +1,44 @@ + + + + + + + + +{$login_title} + + +
+
+
+
+
+ +

+ +
+
+ + +
+
+
+
+ + + \ No newline at end of file diff --git a/core/authentication/resources/views/username.htm b/core/authentication/resources/views/username.htm new file mode 100644 index 0000000000..0240f492eb --- /dev/null +++ b/core/authentication/resources/views/username.htm @@ -0,0 +1,31 @@ + + + + + + + + +{$login_title} + +
+
+
+
+
+
+
+
+ + +
+
+
+
+ + + diff --git a/logout.php b/logout.php index 3312d5001a..916e2e6d4d 100644 --- a/logout.php +++ b/logout.php @@ -101,7 +101,7 @@ } //redirect the user to the index page - header("Location: ".PROJECT_PATH."/login.php"); + header("Location: ".PROJECT_PATH."/"); exit; ?> \ No newline at end of file diff --git a/resources/check_auth.php b/resources/check_auth.php index 0022889310..b7a981d076 100644 --- a/resources/check_auth.php +++ b/resources/check_auth.php @@ -42,15 +42,8 @@ //define variables if (!isset($_SESSION['template_content'])) { $_SESSION["template_content"] = null; } -//if the username is not provided then send to login.php - if (strlen($_SESSION['username']) == 0 && strlen($_REQUEST["username"]) == 0 && strlen($_REQUEST["key"]) == 0) { - $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["REQUEST_URI"]; - header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path)); - exit; - } - -//if the username session is not set the check username and password - if (strlen($_SESSION['username']) == 0) { +//if the session is not authorized then verify the identity + if (!isset($_SESSION['authorized']) && !$_SESSION['authorized']) { //clear the menu unset($_SESSION["menu"]); 
@@ -62,82 +55,13 @@ //validate the username and password $auth = new authentication; - if (isset($_REQUEST["username"]) && isset($_REQUEST["password"])) { - $auth->username = $_REQUEST["username"]; - $auth->password = $_REQUEST["password"]; - } - if (isset($_REQUEST["key"])) { - $auth->key = $_REQUEST["key"]; - } - $auth->debug = false; + $auth->debug = true; $result = $auth->validate(); - if ($result["authorized"] === "true") { - //get the user settings - $sql = "select * from v_user_settings "; - $sql .= "where domain_uuid = :domain_uuid "; - $sql .= "and user_uuid = :user_uuid "; - $sql .= "and user_setting_enabled = 'true' "; - $parameters['domain_uuid'] = $result["domain_uuid"]; - $parameters['user_uuid'] = $result["user_uuid"]; - $database = new database; - $user_settings = $database->select($sql, $parameters, 'all'); - unset($sql, $parameters); + //if not authorized + if (!$_SESSION['authorized']) { - //build the user cidr array - if (is_array($user_settings) && @sizeof($user_settings) != 0) { - foreach ($user_settings as $row) { - if ($row['user_setting_category'] == "domain" && $row['user_setting_subcategory'] == "cidr" && $row['user_setting_name'] == "array") { - $cidr_array[] = $row['user_setting_value']; - } - } - } - - //check to see if user address is in the cidr array - if (isset($cidr_array) && !defined('STDIN')) { - $found = false; - foreach($cidr_array as $cidr) { - if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) { - $found = true; - break; - } - } - if (!$found) { - //destroy session - session_unset(); - session_destroy(); - - //send http 403 - header('HTTP/1.0 403 Forbidden', true, 403); - - //redirect to the root of the website - header("Location: ".PROJECT_PATH."/login.php"); - - //exit the code - exit(); - } - } - - //set the session variables - $_SESSION["domain_uuid"] = $result["domain_uuid"]; - //$_SESSION["domain_name"] = $result["domain_name"]; - $_SESSION["user_uuid"] = $result["user_uuid"]; - $_SESSION["context"] = 
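Review bot: The new gate `if (!isset($_SESSION['authorized']) && !$_SESSION['authorized'])` in hunk @@ -42,15 +42,8 @@ is only true while the key is absent; as soon as any code stores `false` in `$_SESSION['authorized']` the conjunction is false and the whole identity-verification block (which continues outside the hunk) is skipped, so the request proceeds as if authenticated. It also reads an undefined index whenever the key is absent. Use `if (empty($_SESSION['authorized'])) {` (or `!isset(...) || !...`) and set the flag strictly to `true` only on a successful validate().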
$result['domain_name']; - - //user session array - $_SESSION["user"]["domain_uuid"] = $result["domain_uuid"]; - $_SESSION["user"]["domain_name"] = $result["domain_name"]; - $_SESSION["user"]["user_uuid"] = $result["user_uuid"]; - $_SESSION["user"]["username"] = $result["username"]; - $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"]; - } - else { - //debug - if ($debug) { - view_array($result); - } - - //log the failed auth attempt to the system, to be available for fail2ban. + //log the failed auth attempt to the system to the syslog server openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]); closelog(); 
@@ -145,157 +69,10 @@ //redirect the user to the login page $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"]; message::add($text['message-invalid_credentials'], 'negative'); - header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path)); + header("Location: ".PROJECT_PATH."/?path=".urlencode($target_path)); exit; } - //get the groups assigned to the user and then set the groups in $_SESSION["groups"] - $sql = "select "; - $sql .= "u.user_group_uuid, "; - $sql .= "u.domain_uuid, "; - $sql .= "u.user_uuid, "; - $sql .= "u.group_uuid, "; - $sql .= "g.group_name, "; - $sql .= "g.group_level "; - $sql .= "from "; - $sql .= "v_user_groups as u, "; - $sql .= "v_groups as g "; - $sql .= "where u.domain_uuid = :domain_uuid "; - $sql .= "and u.user_uuid = :user_uuid "; - $sql .= "and u.group_uuid = g.group_uuid "; - $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; - $parameters['user_uuid'] = $_SESSION["user_uuid"]; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - $_SESSION["groups"] = $result; - $_SESSION["user"]["groups"] = $result; - unset($sql, $parameters); - - //get the users group level - $_SESSION["user"]["group_level"] = 0; - foreach ($_SESSION['user']['groups'] as $row) { - if ($_SESSION["user"]["group_level"] < $row['group_level']) { - $_SESSION["user"]["group_level"] = $row['group_level']; - } - } - - //get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions'] - if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) { - $x = 0; - $sql = "select distinct(permission_name) from v_group_permissions "; - $sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) "; - foreach ($_SESSION["groups"] as $field) { - if (strlen($field['group_name']) > 0) { - $sql_where_or[] = "group_name = :group_name_".$x; - $parameters['group_name_'.$x] = $field['group_name']; - $x++; - } - } - if 
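Review bot: `$auth->debug = true;` is committed in hunk @@ -62,82 +55,13 @@ of check_auth.php, enabling plugin debug output on every login; plugin_ldap copies the plaintext password into its result under that flag. Restore `$auth->debug = false;` before merging. The per-user CIDR restriction (`check_cidr` against the `domain`/`cidr` user settings) and the population of `$_SESSION["user"]` are deleted here with no replacement visible in this diff; if they moved into authentication.php (not in view) a sentence in the commit message would help, otherwise the address restriction is silently gone. The failure branch now tests `$_SESSION['authorized']` instead of `$result["authorized"]`, so it relies on validate() writing the session flag on every path, including plugin failures that return a result without touching the session.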
(is_array($sql_where_or) && @sizeof($sql_where_or) != 0) { - $sql .= "and (".implode(' or ', $sql_where_or).") "; - } - $sql .= "and permission_assigned = 'true' "; - $parameters['domain_uuid'] = $_SESSION["domain_uuid"]; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - if (is_array($result) && @sizeof($result) != 0) { - foreach ($result as $row) { - $_SESSION['permissions'][$row["permission_name"]] = true; - $_SESSION["user"]["permissions"][$row["permission_name"]] = true; - } - } - unset($sql, $parameters, $result, $row); - } - - //get the domains - if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){ - require_once "app/domains/resources/domains.php"; - } - - //get the user settings - if (is_array($user_settings) && @sizeof($user_settings) != 0) { - foreach ($user_settings as $row) { - $name = $row['user_setting_name']; - $category = $row['user_setting_category']; - $subcategory = $row['user_setting_subcategory']; - if (strlen($row['user_setting_value']) > 0) { - if (strlen($subcategory) == 0) { - //$$category[$name] = $row['domain_setting_value']; - if ($name == "array") { - $_SESSION[$category][] = $row['user_setting_value']; - } - else { - $_SESSION[$category][$name] = $row['user_setting_value']; - } - } - else { - //$$category[$subcategory][$name] = $row['domain_setting_value']; - if ($name == "array") { - $_SESSION[$category][$subcategory][] = $row['user_setting_value']; - } - else { - $_SESSION[$category][$subcategory][$name] = $row['user_setting_value']; - } - } - } - } - } - unset($user_settings); - - //get the extensions that are assigned to this user - if (file_exists($_SERVER["PROJECT_ROOT"]."/app/extensions/app_config.php")) { - if (isset($_SESSION["user"]) && is_uuid($_SESSION["user_uuid"]) && is_uuid($_SESSION["domain_uuid"]) && !isset($_SESSION['user']['extension'])) { - //get the user extension list - $_SESSION['user']['extension'] = null; - $sql = "select "; - $sql .= 
"e.extension_uuid, "; - $sql .= "e.extension, "; - $sql .= "e.number_alias, "; - $sql .= "e.user_context, "; - $sql .= "e.outbound_caller_id_name, "; - $sql .= "e.outbound_caller_id_number, "; - $sql .= "e.description "; - $sql .= "from "; - $sql .= "v_extension_users as u, "; - $sql .= "v_extensions as e "; - $sql .= "where "; - $sql .= "e.domain_uuid = :domain_uuid "; - $sql .= "and e.extension_uuid = u.extension_uuid "; - $sql .= "and u.user_uuid = :user_uuid "; - $sql .= "and e.enabled = 'true' "; - $sql .= "order by "; - $sql .= "e.extension asc "; - $parameters['domain_uuid'] = $_SESSION['domain_uuid']; - $parameters['user_uuid'] = $_SESSION['user_uuid']; - $database = new database; - $result = $database->select($sql, $parameters, 'all'); - if (is_array($result) && @sizeof($result) != 0) { - foreach($result as $x => $row) { - //set the destination - $destination = $row['extension']; - if (strlen($row['number_alias']) > 0) { - $destination = $row['number_alias']; - } - - //build the user array - $_SESSION['user']['extension'][$x]['user'] = $row['extension']; - $_SESSION['user']['extension'][$x]['number_alias'] = $row['number_alias']; - $_SESSION['user']['extension'][$x]['destination'] = $destination; - $_SESSION['user']['extension'][$x]['extension_uuid'] = $row['extension_uuid']; - $_SESSION['user']['extension'][$x]['outbound_caller_id_name'] = $row['outbound_caller_id_name']; - $_SESSION['user']['extension'][$x]['outbound_caller_id_number'] = $row['outbound_caller_id_number']; - $_SESSION['user']['extension'][$x]['user_context'] = $row['user_context']; - $_SESSION['user']['extension'][$x]['description'] = $row['description']; - - //set the context - $_SESSION['user']['user_context'] = $row["user_context"]; - $_SESSION['user_context'] = $row["user_context"]; - } - } - unset($sql, $parameters, $result, $row); - } - } - //if logged in, redirect to login destination if (!isset($_REQUEST["key"])) { if (isset($_SESSION['redirect_path'])) { 
@@ -308,9 +85,10 @@ } header("Location: ".$redirect_path); } - elseif (isset($_SESSION['login']['destination']['text'])) { - header("Location: ".$_SESSION['login']['destination']['text']); - } elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) { + elseif (isset($_SESSION['login']['destination']['url'])) { + header("Location: ".$_SESSION['login']['destination']['url']); + } + elseif (file_exists($_SERVER["PROJECT_ROOT"]."/core/dashboard/app_config.php")) { header("Location: ".PROJECT_PATH."/core/dashboard/"); } else { @@ -321,15 +99,4 @@ } -//set the time zone - if (!isset($_SESSION["time_zone"]["user"])) { $_SESSION["time_zone"]["user"] = null; } - if (strlen($_SESSION["time_zone"]["user"]) == 0) { - //set the domain time zone as the default time zone - date_default_timezone_set($_SESSION['domain']['time_zone']['name']); - } - else { - //set the user defined time zone - date_default_timezone_set($_SESSION["time_zone"]["user"]); - } - ?>
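Review bot: Group membership, group level, permissions, user settings and extension loading are removed from check_auth.php in hunk @@ -145,157 +69,10 @@ with nothing in this diff adding them elsewhere; the 327-line authentication.php change in the diffstat is the likely new home but is not in view, so confirm each block (especially `$_SESSION['permissions']`, which every permission check depends on) was moved rather than dropped. The retained `$target_path = ($_REQUEST["path"] != '') ? ...` line raises an undefined-index notice when `path` is absent; `!empty($_REQUEST["path"])` avoids it.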