dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

spa support

This commit is contained in:
luis daniel lucio quiroz 2015-02-04 03:53:34 +00:00
parent 6cc48d38ac
commit 807df84a38
1 changed files with 132 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

168
app/provision/index.php
View File

@ -21,10 +21,12 @@
Contributor(s): Contributor(s):
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
Luis Daniel Lucio Quiroz <dlucio@okay.com.mx>
*/ */
include "root.php"; include "root.php";
require_once "resources/require.php"; require_once "resources/require.php";
openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0);
//set default variables //set default variables
$dir_count = 0; $dir_count = 0;
@ -58,7 +60,7 @@ require_once "resources/require.php";
//check if provisioning has been enabled //check if provisioning has been enabled
if ($provision["enabled"] != "true") { if ($provision["enabled"] != "true") {
echo "access denied"; echo "access denied 1";
exit; exit;
} }
@ -66,7 +68,7 @@ require_once "resources/require.php";
if (strlen($_SERVER['auth_server']) > 0) { if (strlen($_SERVER['auth_server']) > 0) {
$result = send_http_request($_SERVER['auth_server'], 'mac='.check_str($_REQUEST['mac']).'&secret='.check_str($_REQUEST['secret'])); $result = send_http_request($_SERVER['auth_server'], 'mac='.check_str($_REQUEST['mac']).'&secret='.check_str($_REQUEST['secret']));
if ($result == "false") { if ($result == "false") {
echo "access denied"; echo "access denied 2";
exit; exit;
} }
} }
@ -117,49 +119,126 @@ require_once "resources/require.php";
} }
} }
if (!$found) { if (!$found) {
echo "access denied"; echo "access denied 3";
exit; exit;
} }
} }
//http authentication //Digest or Basic
//http://www.php.net/manual/en/features.http-auth.php $sql_device = "select device_template from v_devices where device_mac_address='$mac' and device_provision_enable='true'";
if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) { $prep_statement_device = $db->prepare($sql_device);
if (!isset($_SERVER['PHP_AUTH_USER'])) { $prep_statement_device->execute();
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); $result_device = $prep_statement_device->fetchAll(PDO::FETCH_NAMED);
header('HTTP/1.0 401 Unauthorized'); foreach($result_device as $row_device) {
header("Content-Type: text/plain"); $device_template = $row_device["device_template"];
echo 'Authorization Required'; }
exit; unset($result_device, $prep_statement_device);
} else {
if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) { syslog(LOG_INFO, "template: $device_template");
//authorized switch ($device_template){
case "linksys/spa2102":
case "linksys/spa3102":
case "linksys/spa921":
case "linksys/spa942":
case "cisco/spa112":
case "cisco/spa502g":
case "cisco/spa504g":
case "cisco/spa509g":
case "cisco/spa301":
case "cisco/spa514g":
case "cisco/spa512g":
case "cisco/spa501g":
case "cisco/spa525g":
case "cisco/spa508g":
case "cisco/spa122":
case "cisco/spa303":
syslog(LOG_INFO, "using digest authentication");
if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) {
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
else{
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']))){
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
$A1 = md5($provision["http_auth_username"] . ':' . $_SESSION['domain_name'] . ':' . $provision["http_auth_password"]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
syslog(LOG_INFO, "valid_response: $valid_response");
syslog(LOG_INFO, "data[response]".$data['response']);
if ($data['response'] != $valid_response){
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
}
} }
else {
//access denied break;
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); defaut:
unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); syslog(LOG_INFO, "using basic authentication");
usleep(rand(1000000,3000000));//1-3 seconds. //http authentication
echo 'Authorization Required'; //http://www.php.net/manual/en/features.http-auth.php
exit; if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) {
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
header('HTTP/1.0 401 Unauthorized');
header("Content-Type: text/plain");
echo 'Authorization Required';
exit;
} else {
syslog(LOG_INFO, "user received: ".$_SERVER['PHP_AUTH_USER']);
syslog(LOG_INFO, "password received: ".$_SERVER['PHP_AUTH_PW']);
if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) {
//authorized
syslog(LOG_INFO, "sucess");
}
else {
//access denied
syslog(LOG_INFO, "denied");
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
usleep(rand(1000000,3000000));//1-3 seconds.
echo 'Authorization Required';
exit;
}
}
} }
}
//if password was defined in the system -> variables page then require the password.
if (strlen($provision['password']) > 0) {
//deny access if the password doesn't match
if ($provision['password'] != check_str($_REQUEST['password'])) {
//log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac']));
closelog();
usleep(rand(1000000,3000000));//1-3 seconds.
echo "access denied 4";
return;
}
}
} }
//if password was defined in the system -> variables page then require the password.
if (strlen($provision['password']) > 0) {
//deny access if the password doesn't match
if ($provision['password'] != check_str($_REQUEST['password'])) {
//log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac']));
closelog();
usleep(rand(1000000,3000000));//1-3 seconds.
echo "access denied";
return;
}
}
//output template to string for header processing //output template to string for header processing
$prov = new provision; $prov = new provision;
@ -187,4 +266,21 @@ require_once "resources/require.php";
} }
echo $file_contents; echo $file_contents;
closelog();
function http_digest_parse($txt){
// protect against missing data
$needed_parts = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1);
$data = array();
$keys = implode('|', array_keys($needed_parts));
preg_match_all('@(' . $keys . ')=(?:([\'"])([^\2]+?)\2|([^\s,]+))@', $txt, $matches, PREG_SET_ORDER);
foreach ($matches as $m) {
$data[$m[1]] = $m[3] ? $m[3] : $m[4];
unset($needed_parts[$m[1]]);
}
return $needed_parts ? false : $data;
}
?> ?>