dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update check_auth.php 

Updated to use the new authentication class.
This commit is contained in:
FusionPBX 2016-09-10 23:13:08 -06:00 committed by GitHub
parent 1082578788
commit 1b485e7d45
1 changed files with 18 additions and 262 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

280
resources/check_auth.php
View File

@ -17,13 +17,14 @@
The Initial Developer of the Original Code is The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2015 Portions created by the Initial Developer are Copyright (C) 2008-2016
the Initial Developer. All Rights Reserved. the Initial Developer. All Rights Reserved.
Contributor(s): Contributor(s):
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
*/ */
require_once "resources/require.php"; //includes
require_once "resources/require.php";
//for compatability require this library if less than version 5.5 //for compatability require this library if less than version 5.5
if (version_compare(phpversion(), '5.5', '<')) { if (version_compare(phpversion(), '5.5', '<')) {
@ -56,248 +57,24 @@ require_once "resources/require.php";
exit; exit;
} }
//get the domain name //validate the username and password
if (count($_SESSION["domains"]) > 1) { $auth = new authentication;
//get the domain from the url $auth->username = $_REQUEST["username"];
$domain_name = $_SERVER["HTTP_HOST"]; $auth->password = $_REQUEST["password"];
//get the domain name from the username $auth->debug = false;
if ($_SESSION["user"]["unique"]["text"] != "global") { $result = $auth->validate();
$username_array = explode("@", check_str($_REQUEST["username"])); if ($result["authorized"] == "true") {
if (count($username_array) > 1) { // add the user settings
$domain_name = $username_array[count($username_array) -1]; $_SESSION["user_uuid"] = $result["user_uuid"];
$_SESSION['domain_name'] = $domain_name; // user session array
foreach ($_SESSION['domains'] as $row) { $_SESSION["user"]["username"] = $result["username"];
if (lower_case($row['domain_name']) == lower_case($domain_name)) { $_SESSION["user"]["user_uuid"] = $result["user_uuid"];
$_SESSION['domain_uuid'] = $row['domain_uuid']; $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"];
break;
}
}
$_REQUEST["username"] = substr(check_str($_REQUEST["username"]), 0, -(strlen($domain_name)+1));
}
}
//get the domain name from the http value
if (strlen(check_str($_REQUEST["domain_name"])) > 0) {
$domain_name = check_str($_REQUEST["domain_name"]);
}
//set the domain information
if (strlen($domain_name) > 0) {
foreach ($_SESSION['domains'] as &$row) {
if (lower_case($row['domain_name']) == lower_case($domain_name)) {
//set the domain session variables
$domain_uuid = $row["domain_uuid"];
$_SESSION["domain_uuid"] = $row["domain_uuid"];
$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
//set the setting arrays
$domain = new domains();
$domain->db = $db;
$domain->set();
}
}
}
//set the domain parent uuid
$_SESSION['domain_parent_uuid'] = $_SESSION["domain_uuid"];
} }
else {
//get the username or key
$username = check_str($_REQUEST["username"]);
if (file_exists($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/api/app_config.php')) {
$key = check_str($_REQUEST["key"]);
}
//ldap authentication
if ($_SESSION["ldap"]["enabled"]["boolean"] == "true") {
//use ldap to validate the user credentials
if (strlen(check_str($_REQUEST["domain_name"])) > 0) {
$domain_name = check_str($_REQUEST["domain_name"]);
}
if (isset($_SESSION["ldap"]["certpath"])) {
$s="LDAPTLS_CERT=" . $_SESSION["ldap"]["certpath"]["text"];
putenv($s);
}
if (isset($_SESSION["ldap"]["certkey"])) {
$s="LDAPTLS_KEY=" . $_SESSION["ldap"]["certkey"]["text"];
putenv($s);
}
$host=$_SESSION["ldap"]["server_host"]["text"];
$port=$_SESSION["ldap"]["server_port"]["numeric"];
$connect = ldap_connect($host)
or die("Could not connect to the LDAP server.");
//ldap_set_option($connect, LDAP_OPT_NETWORK_TIMEOUT, 10);
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
//ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
$bind_dn = $_SESSION["ldap"]["user_attribute"]["text"]."=".$username.",".$_SESSION["ldap"]["user_dn"]["text"];
$bind_pw = $_REQUEST["password"];
//Note: As of 4/16, the call below will fail randomly. PHP debug reports ldap_bind
//called below with all arguments '*uninitialized*'. However, the debugger
//single-stepping just before the failing call correctly displays all the values.
$bind = ldap_bind($connect, $bind_dn, $bind_pw);
if ($bind) {
$_SESSION['username'] = $username;
}
//check to see if the user exists
if (strlen($_SESSION['username']) > 0) {
$sql = "select * from v_users ";
$sql .= "where username=:username ";
if ($_SESSION["user"]["unique"]["text"] == "global") {
//unique username - global (example: email address)
}
else {
//unique username - per domain
$sql .= "and domain_uuid=:domain_uuid ";
}
$prep_statement = $db->prepare(check_sql($sql));
if ($_SESSION["user"]["unique"]["text"] != "global") {
$prep_statement->bindParam(':domain_uuid', $domain_uuid);
}
$prep_statement->bindParam(':username', $username);
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
if (count($result) > 0) {
foreach ($result as &$row) {
//get the domain uuid
$domain_uuid = $row["domain_uuid"];
$user_uuid = $row["user_uuid"];
//set the domain session variables
$_SESSION["domain_uuid"] = $domain_uuid;
$domain_name = $_SESSION['domains'][$domain_uuid]['domain_name'];
$_SESSION["domain_name"] = $domain_name;
//set the setting arrays
$domain = new domains();
$domain->db = $db;
$domain->set();
}
}
else {
//salt used with the password to create a one way hash
$salt = generate_password('32', '4');
$password = generate_password('32', '4');
//prepare the uuids
$user_uuid = uuid();
$contact_uuid = uuid();
//set the user_id
$_SESSION["user_uuid"] = $user_uuid;
//add the user
$sql = "insert into v_users ";
$sql .= "(";
$sql .= "domain_uuid, ";
$sql .= "user_uuid, ";
$sql .= "contact_uuid, ";
$sql .= "username, ";
$sql .= "password, ";
$sql .= "salt, ";
$sql .= "add_date, ";
$sql .= "add_user, ";
$sql .= "user_enabled ";
$sql .= ") ";
$sql .= "values ";
$sql .= "(";
$sql .= "'".$domain_uuid."', ";
$sql .= "'".$user_uuid."', ";
$sql .= "'".$contact_uuid."', ";
$sql .= "'".strtolower($username)."', ";
$sql .= "'".md5($salt.$password)."', ";
$sql .= "'".$salt."', ";
$sql .= "now(), ";
$sql .= "'".strtolower($username)."', ";
$sql .= "'true' ";
$sql .= ")";
$db->exec(check_sql($sql));
unset($sql);
//add the user to group user
$group_name = 'user';
$sql = "insert into v_group_users ";
$sql .= "(";
$sql .= "group_user_uuid, ";
$sql .= "domain_uuid, ";
$sql .= "group_name, ";
$sql .= "user_uuid ";
$sql .= ")";
$sql .= "values ";
$sql .= "(";
$sql .= "'".uuid()."', ";
$sql .= "'".$domain_uuid."', ";
$sql .= "'".$group_name."', ";
$sql .= "'".$user_uuid."' ";
$sql .= ")";
$db->exec(check_sql($sql));
unset($sql);
}
}
}
//database authentication
if (strlen($_SESSION['username']) == 0) {
//check the username and password if they don't match then redirect to the login
$sql = "select * from v_users ";
if (strlen($key) > 30) {
//$sql .= "where api_key=:key ";
$sql .= "where api_key='".$key."' ";
}
else {
$sql .= "where username=:username ";
//$sql .= "where username='".$username."' ";
}
//$sql .= "and domain_uuid='".$domain_uuid."' ";
if ($_SESSION["user"]["unique"]["text"] == "global") {
//unique username - global (example: email address)
}
else {
//unique username - per domain
$sql .= "and domain_uuid=:domain_uuid ";
}
$sql .= "and (user_enabled = 'true' or user_enabled is null) ";
$prep_statement = $db->prepare(check_sql($sql));
if ($_SESSION["user"]["unique"]["text"] != "global") {
$prep_statement->bindParam(':domain_uuid', $domain_uuid);
}
if (strlen($key) > 30) {
$prep_statement->bindParam(':key', $key);
}
else {
$prep_statement->bindParam(':username', $username);
}
$prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
if (count($result) > 0) {
foreach ($result as &$row) {
//get the domain uuid
$domain_uuid = $row["domain_uuid"];
//set the domain session variables
$_SESSION["domain_uuid"] = $domain_uuid;
$domain_name = $_SESSION['domains'][$domain_uuid]['domain_name'];
$_SESSION["domain_name"] = $domain_name;
//set the setting arrays
$domain = new domains();
$domain->db = $db;
$domain->set();
//get the salt from the database
$salt = $row["salt"];
//if salt is not defined then use the default salt for backwards compatibility
if (strlen($salt) == 0) {
$salt = 'e3.7d.12';
}
//compare the password provided by the user with the one in the database
if (md5($salt.check_str($_REQUEST["password"])) == $row["password"]) {
$_SESSION['username'] = $row["username"];
} elseif (strlen($_REQUEST["key"]) > 30 && $_REQUEST["key"] == $row["api_key"]) {
$_SESSION['username'] = $row["username"];
} else {
unset($result);
}
//end the loop
break;
}
}
}
if (strlen($_SESSION['username']) == 0) {
//log the failed auth attempt to the system, to be available for fail2ban. //log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".check_str($_REQUEST["username"])); syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]);
closelog(); closelog();
//redirect the user to the login page //redirect the user to the login page
$target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"]; $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"];
@ -306,27 +83,6 @@ require_once "resources/require.php";
header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path)); header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
exit; exit;
} }
else {
//set the user settings
foreach ($result as &$row) {
//allow the user to choose a template only if the template has not been assigned by the superadmin
if (strlen($_SESSION['domain']['template']['name']) == 0) {
$_SESSION['domain']['template']['name'] = $row["user_template_name"];
}
//user defined time zone
$_SESSION["time_zone"]["user"] = '';
if (strlen($row["user_time_zone"]) > 0) {
//user defined time zone
$_SESSION["time_zone"]["user"] = $row["user_time_zone"];
}
// add session variables
$_SESSION["user_uuid"] = $row["user_uuid"];
// user session array
$_SESSION["user"]["username"] = $row["username"];
$_SESSION["user"]["user_uuid"] = $row["user_uuid"];
$_SESSION["user"]["contact_uuid"] = $row["contact_uuid"];
}
}
//get the groups assigned to the user and then set the groups in $_SESSION["groups"] //get the groups assigned to the user and then set the groups in $_SESSION["groups"]
$sql = "SELECT * FROM v_group_users "; $sql = "SELECT * FROM v_group_users ";