diff --git a/resources/check_auth.php b/resources/check_auth.php index dd2738958d..ceba53fe13 100644 --- a/resources/check_auth.php +++ b/resources/check_auth.php @@ -17,13 +17,14 @@ The Initial Developer of the Original Code is Mark J Crane - Portions created by the Initial Developer are Copyright (C) 2008-2015 + Portions created by the Initial Developer are Copyright (C) 2008-2016 the Initial Developer. All Rights Reserved. Contributor(s): Mark J Crane */ -require_once "resources/require.php"; +//includes + require_once "resources/require.php"; //for compatability require this library if less than version 5.5 if (version_compare(phpversion(), '5.5', '<')) { @@ -56,248 +57,24 @@ require_once "resources/require.php"; exit; } - //get the domain name - if (count($_SESSION["domains"]) > 1) { - //get the domain from the url - $domain_name = $_SERVER["HTTP_HOST"]; - //get the domain name from the username - if ($_SESSION["user"]["unique"]["text"] != "global") { - $username_array = explode("@", check_str($_REQUEST["username"])); - if (count($username_array) > 1) { - $domain_name = $username_array[count($username_array) -1]; - $_SESSION['domain_name'] = $domain_name; - foreach ($_SESSION['domains'] as $row) { - if (lower_case($row['domain_name']) == lower_case($domain_name)) { - $_SESSION['domain_uuid'] = $row['domain_uuid']; - break; - } - } - $_REQUEST["username"] = substr(check_str($_REQUEST["username"]), 0, -(strlen($domain_name)+1)); - } - } - //get the domain name from the http value - if (strlen(check_str($_REQUEST["domain_name"])) > 0) { - $domain_name = check_str($_REQUEST["domain_name"]); - } - //set the domain information - if (strlen($domain_name) > 0) { - foreach ($_SESSION['domains'] as &$row) { - if (lower_case($row['domain_name']) == lower_case($domain_name)) { - //set the domain session variables - $domain_uuid = $row["domain_uuid"]; - $_SESSION["domain_uuid"] = $row["domain_uuid"]; - $_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name']; - //set the setting arrays - $domain = new domains(); - $domain->db = $db; - $domain->set(); - } - } - } - //set the domain parent uuid - $_SESSION['domain_parent_uuid'] = $_SESSION["domain_uuid"]; + //validate the username and password + $auth = new authentication; + $auth->username = $_REQUEST["username"]; + $auth->password = $_REQUEST["password"]; + $auth->debug = false; + $result = $auth->validate(); + if ($result["authorized"] == "true") { + // add the user settings + $_SESSION["user_uuid"] = $result["user_uuid"]; + // user session array + $_SESSION["user"]["username"] = $result["username"]; + $_SESSION["user"]["user_uuid"] = $result["user_uuid"]; + $_SESSION["user"]["contact_uuid"] = $result["contact_uuid"]; } - - //get the username or key - $username = check_str($_REQUEST["username"]); - if (file_exists($_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/app/api/app_config.php')) { - $key = check_str($_REQUEST["key"]); - } - - //ldap authentication - if ($_SESSION["ldap"]["enabled"]["boolean"] == "true") { - //use ldap to validate the user credentials - if (strlen(check_str($_REQUEST["domain_name"])) > 0) { - $domain_name = check_str($_REQUEST["domain_name"]); - } - if (isset($_SESSION["ldap"]["certpath"])) { - $s="LDAPTLS_CERT=" . $_SESSION["ldap"]["certpath"]["text"]; - putenv($s); - } - if (isset($_SESSION["ldap"]["certkey"])) { - $s="LDAPTLS_KEY=" . $_SESSION["ldap"]["certkey"]["text"]; - putenv($s); - } - $host=$_SESSION["ldap"]["server_host"]["text"]; - $port=$_SESSION["ldap"]["server_port"]["numeric"]; - $connect = ldap_connect($host) - or die("Could not connect to the LDAP server."); - //ldap_set_option($connect, LDAP_OPT_NETWORK_TIMEOUT, 10); - ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3); - //ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); - $bind_dn = $_SESSION["ldap"]["user_attribute"]["text"]."=".$username.",".$_SESSION["ldap"]["user_dn"]["text"]; - $bind_pw = $_REQUEST["password"]; - //Note: As of 4/16, the call below will fail randomly. PHP debug reports ldap_bind - //called below with all arguments '*uninitialized*'. However, the debugger - //single-stepping just before the failing call correctly displays all the values. - $bind = ldap_bind($connect, $bind_dn, $bind_pw); - if ($bind) { - $_SESSION['username'] = $username; - } - - //check to see if the user exists - if (strlen($_SESSION['username']) > 0) { - $sql = "select * from v_users "; - $sql .= "where username=:username "; - if ($_SESSION["user"]["unique"]["text"] == "global") { - //unique username - global (example: email address) - } - else { - //unique username - per domain - $sql .= "and domain_uuid=:domain_uuid "; - } - $prep_statement = $db->prepare(check_sql($sql)); - if ($_SESSION["user"]["unique"]["text"] != "global") { - $prep_statement->bindParam(':domain_uuid', $domain_uuid); - } - $prep_statement->bindParam(':username', $username); - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); - if (count($result) > 0) { - foreach ($result as &$row) { - //get the domain uuid - $domain_uuid = $row["domain_uuid"]; - $user_uuid = $row["user_uuid"]; - //set the domain session variables - $_SESSION["domain_uuid"] = $domain_uuid; - $domain_name = $_SESSION['domains'][$domain_uuid]['domain_name']; - $_SESSION["domain_name"] = $domain_name; - //set the setting arrays - $domain = new domains(); - $domain->db = $db; - $domain->set(); - } - } - else { - //salt used with the password to create a one way hash - $salt = generate_password('32', '4'); - $password = generate_password('32', '4'); - - //prepare the uuids - $user_uuid = uuid(); - $contact_uuid = uuid(); - - //set the user_id - $_SESSION["user_uuid"] = $user_uuid; - - //add the user - $sql = "insert into v_users "; - $sql .= "("; - $sql .= "domain_uuid, "; - $sql .= "user_uuid, "; - $sql .= "contact_uuid, "; - $sql .= "username, "; - $sql .= "password, "; - $sql .= "salt, "; - $sql .= "add_date, "; - $sql .= "add_user, "; - $sql .= "user_enabled "; - $sql .= ") "; - $sql .= "values "; - $sql .= "("; - $sql .= "'".$domain_uuid."', "; - $sql .= "'".$user_uuid."', "; - $sql .= "'".$contact_uuid."', "; - $sql .= "'".strtolower($username)."', "; - $sql .= "'".md5($salt.$password)."', "; - $sql .= "'".$salt."', "; - $sql .= "now(), "; - $sql .= "'".strtolower($username)."', "; - $sql .= "'true' "; - $sql .= ")"; - $db->exec(check_sql($sql)); - unset($sql); - - //add the user to group user - $group_name = 'user'; - $sql = "insert into v_group_users "; - $sql .= "("; - $sql .= "group_user_uuid, "; - $sql .= "domain_uuid, "; - $sql .= "group_name, "; - $sql .= "user_uuid "; - $sql .= ")"; - $sql .= "values "; - $sql .= "("; - $sql .= "'".uuid()."', "; - $sql .= "'".$domain_uuid."', "; - $sql .= "'".$group_name."', "; - $sql .= "'".$user_uuid."' "; - $sql .= ")"; - $db->exec(check_sql($sql)); - unset($sql); - } - } - } - - //database authentication - if (strlen($_SESSION['username']) == 0) { - //check the username and password if they don't match then redirect to the login - $sql = "select * from v_users "; - if (strlen($key) > 30) { - //$sql .= "where api_key=:key "; - $sql .= "where api_key='".$key."' "; - } - else { - $sql .= "where username=:username "; - //$sql .= "where username='".$username."' "; - } - //$sql .= "and domain_uuid='".$domain_uuid."' "; - if ($_SESSION["user"]["unique"]["text"] == "global") { - //unique username - global (example: email address) - } - else { - //unique username - per domain - $sql .= "and domain_uuid=:domain_uuid "; - } - $sql .= "and (user_enabled = 'true' or user_enabled is null) "; - $prep_statement = $db->prepare(check_sql($sql)); - if ($_SESSION["user"]["unique"]["text"] != "global") { - $prep_statement->bindParam(':domain_uuid', $domain_uuid); - } - if (strlen($key) > 30) { - $prep_statement->bindParam(':key', $key); - } - else { - $prep_statement->bindParam(':username', $username); - } - $prep_statement->execute(); - $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); - if (count($result) > 0) { - foreach ($result as &$row) { - //get the domain uuid - $domain_uuid = $row["domain_uuid"]; - //set the domain session variables - $_SESSION["domain_uuid"] = $domain_uuid; - $domain_name = $_SESSION['domains'][$domain_uuid]['domain_name']; - $_SESSION["domain_name"] = $domain_name; - //set the setting arrays - $domain = new domains(); - $domain->db = $db; - $domain->set(); - //get the salt from the database - $salt = $row["salt"]; - //if salt is not defined then use the default salt for backwards compatibility - if (strlen($salt) == 0) { - $salt = 'e3.7d.12'; - } - //compare the password provided by the user with the one in the database - if (md5($salt.check_str($_REQUEST["password"])) == $row["password"]) { - $_SESSION['username'] = $row["username"]; - } elseif (strlen($_REQUEST["key"]) > 30 && $_REQUEST["key"] == $row["api_key"]) { - $_SESSION['username'] = $row["username"]; - } else { - unset($result); - } - //end the loop - break; - } - } - } - if (strlen($_SESSION['username']) == 0) { + else { //log the failed auth attempt to the system, to be available for fail2ban. openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); - syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".check_str($_REQUEST["username"])); + syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".$result["username"]); closelog(); //redirect the user to the login page $target_path = ($_REQUEST["path"] != '') ? $_REQUEST["path"] : $_SERVER["PHP_SELF"]; @@ -306,27 +83,6 @@ require_once "resources/require.php"; header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path)); exit; } - else { - //set the user settings - foreach ($result as &$row) { - //allow the user to choose a template only if the template has not been assigned by the superadmin - if (strlen($_SESSION['domain']['template']['name']) == 0) { - $_SESSION['domain']['template']['name'] = $row["user_template_name"]; - } - //user defined time zone - $_SESSION["time_zone"]["user"] = ''; - if (strlen($row["user_time_zone"]) > 0) { - //user defined time zone - $_SESSION["time_zone"]["user"] = $row["user_time_zone"]; - } - // add session variables - $_SESSION["user_uuid"] = $row["user_uuid"]; - // user session array - $_SESSION["user"]["username"] = $row["username"]; - $_SESSION["user"]["user_uuid"] = $row["user_uuid"]; - $_SESSION["user"]["contact_uuid"] = $row["contact_uuid"]; - } - } //get the groups assigned to the user and then set the groups in $_SESSION["groups"] $sql = "SELECT * FROM v_group_users ";