author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-20 09:12:04 +0000 |
---|---|---|
committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-20 09:12:04 +0000 |
commit | 7e1432273ab146abfcce8f226a9bc79eb1f25393 (patch) | |
tree | 3f804a8849b31a1fa237754c026f81d60973b5da | |
parent | 897b35aeddd117409af95b270ec8309c2a564aaa (diff) | |
API and XML-RPC are still broken, but moved to new session code, sleep time
-rwxr-xr-x | docs/CHANGELOG | 2 | ||||
-rw-r--r-- | image.php | 5 | ||||
-rw-r--r-- | lib/class/update.class.php | 29 | ||||
-rw-r--r-- | lib/class/vauth.class.php | 280 | ||||
-rw-r--r-- | lib/init.php | 24 | ||||
-rw-r--r-- | login.php | 12 | ||||
-rw-r--r-- | modules/vauth/auth.lib.php | 226 | ||||
-rw-r--r-- | modules/vauth/init.php | 172 | ||||
-rw-r--r-- | modules/vauth/session.lib.php | 305 |
9 files changed, 313 insertions, 742 deletions
diff --git a/docs/CHANGELOG b/docs/CHANGELOG index 623e39fd..79418239 100755 --- a/docs/CHANGELOG +++ b/docs/CHANGELOG @@ -4,6 +4,8 @@ -------------------------------------------------------------------------- v.3.4-Alpha4 + - Migrated to 'new' auth system that unifies xml-rpc,api and normal + sessions in a single table - Fixed some issues with downsampling + seeking and seeking in general (Thx Karl Hungus) - Fixed CSS references to missing files @@ -30,8 +30,9 @@ define('NO_SESSION','1'); require 'lib/init.php'; -// Check their session manually -if (!vauth_check_session() && !Access::session_exists(array(),$_REQUEST['auth'],'api')) { +// Check to see if they've got an interface session or a valid API session, if not GTFO +if (!vauth::session_exists('interface',$_COOKIE[Config::get('session_name')]) AND !vauth::session_exists('api',$_REQUEST['auth'])) { + debug_event('DENIED','Image Access from Sid:' . $_REQUEST['sid'] . ' OR Auth:' . $_REQUEST['auth'],'1'); exit; } diff --git a/lib/class/update.class.php b/lib/class/update.class.php index 130ed2c6..9a6be243 100644 --- a/lib/class/update.class.php +++ b/lib/class/update.class.php @@ -253,6 +253,10 @@ class Update { $version[] = array('version' => '340013','description'=>$update_string); + $update_string = '- Removed API Session table, been a nice run....<br />' . + '- Alterted Session table to handle API sessions correctly.<br />'; + + $version[] = array('version' => '340014','description'=>$update_string); return $version; 
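Review bot: The new gate in image.php reads `$_COOKIE[Config::get('session_name')]` and `$_REQUEST['auth']` without `isset()`, so a request carrying neither reaches `vauth::session_exists()` twice with a null key and emits notices before the empty-string lookups fail; pull both out first, e.g. `$sid = isset($_COOKIE[$session_name]) ? $_COOKIE[$session_name] : ''; $auth = isset($_REQUEST['auth']) ? $_REQUEST['auth'] : '';`, and skip a lookup whose key is empty. The added `debug_event('DENIED', ...)` line also writes the presented `auth` value into the debug log on every refusal, which is how mistyped or stale API keys end up on disk; logging that an auth value was presented, without the value, is enough to diagnose denials. The `interface` branch of `session_exists()` accepts any unexpired non-api session regardless of which user owns it, which is fine for image access but worth stating in the comment above the check.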
@@ -1079,5 +1083,30 @@ class Update {
 } // update_340013
+ /**
+ * update_340014
+ * This update drops the session_api table that I added just two updates ago
+ * it's been nice while it lasted but it's time to pack your stuff and GTFO
+ * at the same time it updates the core session table to handle the additional
+ * stuff we're going to ask it to do.
+ */
+ public static function update_340014() {
+
+ $sql = "DROP TABLE `session_api`";
+ $db_results = Dba::query($sql);
+
+ $sql = "ALTER TABLE `session` CHANGE `type` `type` ENUM ('mysql','ldap','http','api','xml-rpc') NOT NULL";
+ $db_results = Dba::query($sql);
+
+ $sql = "ALTER TABLE `session` ADD `agent` VARCHAR ( 255 ) NOT NULL AFTER `type`";
+ $db_results = Dba::query($sql);
+
+ $sql = "ALTER TABLE `session` ADD INDEX (`type`)";
+ $db_results = Dba::query($sql);
+
+ self::set_version('db_version','340014');
+
+ } // update_340014
+
 } // end update class ?>
diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php
index d0f68e7e..2eb6c8fe 100644
--- a/lib/class/vauth.class.php
+++ b/lib/class/vauth.class.php
@@ -72,6 +72,7 @@ class vauth {
 public static function read($key) {
 $results = self::get_session_data($key);
+
 if (strlen($results['value']) < 1) {
 debug_event('SESSION','Error unable to read session from key ' . $key . ' no data found','1');
 return '';
@@ -97,6 +98,8 @@ class vauth {
 $sql = "UPDATE `session` SET `value`='$value', `expire`='$expire' WHERE `id`='$key'";
 $db_results = Dba::query($sql);
+ debug_event('SESSION','Writing to ' . $key . ' with expire ' . $expire,'1');
+
 return $db_results;
 } // write
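Review bot: `update_340014()` never looks at `$db_results`, so if `DROP TABLE session_api` or any of the three `ALTER TABLE` statements fails (table already gone, `agent` column already present, an existing `type` value outside the new ENUM list) the update still reaches `self::set_version('db_version','340014')` and the database is recorded as migrated while session inserts keep failing. Check each result before continuing, e.g. `if (!$db_results) { debug_event('UPDATE','update_340014 failed on: ' . $sql,'1'); return false; }` after every query, and only bump the version when all four succeeded. `DROP TABLE` is also unconditional and irreversible; `DROP TABLE IF EXISTS \`session_api\`` makes a re-run after a partial failure safe. A short note in the docblock that rows whose `type` is not in the new ENUM are silently rewritten by MySQL would help whoever runs this on an older schema.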
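Review bot: The added `debug_event('SESSION','Writing to ' . $key . ' with expire ' . $expire,'1')` puts the full session id into the debug log on every write, and `read()` above already logs it on a miss; anyone who can read that log can replay a live session cookie. Log a truncated or hashed form instead, e.g. `debug_event('SESSION','Writing to ' . substr($key,0,8) . '... with expire ' . $expire,'1');`, or drop the line before release. The expire computation for `write()` is above this hunk, so it is not visible here whether the remember-me extension that the deleted `vauth_sess_write()` in session.lib.php applied (`$expire = time() + vauth_conf('remember_length')` when the `_remember` cookie is set) survived the move; that is worth confirming, since otherwise the remember cookie outlives the row it refers to.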
@@ -140,8 +143,33 @@ class vauth {
 */
 public static function logout($key) {
+ // Do a quick check to see if this is an AJAX'd logout request
+ // if so use the iframe to redirect
+ if (AJAX_INCLUDE == '1') {
+ ob_end_clean();
+ ob_start();
+
+ /* Set the correct headers */
+ header("Content-type: text/xml; charset=" . Config::get('site_charset'));
+ header("Content-Disposition: attachment; filename=ajax.xml");
+ header("Expires: Tuesday, 27 Mar 1984 05:00:00 GMT");
+ header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
+ header("Cache-Control: no-store, no-cache, must-revalidate");
+ header("Pragma: no-cache");
+
+ $target = Config::get('web_path') . '/login.php';
+ $results['rfc3514'] = '<script type="text/javascript">reload_logout("'.$target.'")</script>';
+ echo xml_from_array($results);
+ }
+
 self::destroy($key);
- return true;
+
+ /* Redirect them to the login page */
+ if (AJAX_INCLUDE != '1') {
+ header ('Location: ' . Config::get('web_path') . '/login.php');
+ }
+
+ exit;
 } // logout
@@ -184,6 +212,8 @@ class vauth {
 session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure);
+ session_name(Config::get('session_name'));
+
 /* Start the session */
 self::ungimp_ie();
 session_start();
@@ -191,6 +221,20 @@ class vauth {
 } // create_cookie, just watch out for the cookie monster
 /**
+ * create_remember_cookie
+ * This function just creates the remember me cookie, nothing special
+ */
+ public static function create_remember_cookie() {
+
+ $remember_length = Config::get('remember_length');
+ $session_name = Config::get('session_name');
+
+ Config::set('cookie_life',$remember_length,'1');
+ setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars",time() + $remember_length,'/',Config::get('cookie_domain'));
+
+ } // create_remember_cookie
+
+ /**
 * session_create
 * This is called when you want to create a new session
 * it takes care of setting the initial cookie, and inserting the first chunk of
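Review bot: `logout()` destroys the server-side row with `self::destroy($key)` but never expires the session cookie or the `_remember` cookie on the client, so the browser keeps presenting the dead id plus the remember flag, and `check_session()` (later in this diff) re-issues an extended-life remember cookie as soon as it sees that client-held flag again. Expire both before redirecting, e.g. `setcookie($session_name, '', time() - 86400, Config::get('cookie_path'), Config::get('cookie_domain'));` followed by the same call for `$session_name . '_remember'`. The AJAX branch calls `ob_end_clean()` unconditionally, which raises a notice when no output buffer is active; `if (ob_get_level()) { ob_end_clean(); }` avoids that. The inline `<script>` in `$results['rfc3514']` only embeds `web_path` from config, so there is no injection here, but a comment saying the value is config-only would keep a future change from routing user input through it.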
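Review bot: `create_remember_cookie()` sets the `_remember` cookie with a hard-coded path of `/` and no secure flag, while `create_cookie()` just above derives the session cookie's path and secure flag from `cookie_path` and `cookie_secure`; on a `cookie_secure` deployment the remember flag still travels over plain HTTP and is scoped wider than the session cookie it modifies. Use the same parameters: `setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars",time() + $remember_length,Config::get('cookie_path'),Config::get('cookie_domain'),Config::get('cookie_secure'));`. Because the cookie value is a constant, its mere presence is the whole signal, and the `Config::set('cookie_life',$remember_length,'1')` side effect fires for any client that sends a cookie by that name; the docblock should say that the helper both sets the cookie and raises `cookie_life` for the rest of the request, since "nothing special" undersells it.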
@@ -212,7 +256,7 @@ class vauth {
 $type = Dba::escape($data['type']);
 $value = Dba::escape($data['value']);
 $agent = Dba::escape($_SERVER['HTTP_USER_AGENT']);
- $expire = Dba::escape(time() + vauth_conf('session_length'));
+ $expire = Dba::escape(time() + Config::get('session_length'));
 /* We can't have null things here people */
 if (!strlen($value)) { $value = ' '; }
@@ -237,20 +281,21 @@ class vauth {
 */
 public static function check_session() {
+ $session_name = Config::get('session_name');
+
 // No cookie n go!
- if (!isset($_COOKIE[Config::get('session_name')]) { return false; }
+ if (!isset($_COOKIE[$session_name])) { return false; }
- $key = scrub_in($_COOKIE[Config::get('session_name')]);
+ $key = scrub_in($_COOKIE[$session_name]);
 $data = self::get_session_data($key);
- if (!is_array($results)) {
+ if (!is_array($data)) {
 return false;
 }
 // Check for a remember me
- if (isset($_COOKIE[Config::get('session_name') . '_remember'])) {
- Config::set('cookie_life',Config::get('remember_length'),'1');
- setcookie(Config::get('session_name') . '_remember',time() + Config::get('remember_length'),'/',Config::get('cookie_domain'));
+ if (isset($_COOKIE[$session_name . '_remember'])) {
+ self::create_remember_cookie();
 }
 // Setup the cookie params before we start the session this is vital
@@ -261,10 +306,10 @@ class vauth {
 Config::get('cookie_secure'));
 // Set name
- session_name(Config::get('session_name'));
+ session_name($session_name);
 // Ungimp IE and go
- self::ungimp_io();
+ self::ungimp_ie();
 session_start();
 return true;
@@ -277,12 +322,11 @@ class vauth {
 * exists, it also provides an array of key'd data that may be required
 * based on the type
 */
- public static function session_exists($data,$key,$type) {
+ public static function session_exists($type,$key,$data=array()) {
 // Switch on the type they pass
 switch ($type) {
 case 'xml-rpc':
- case 'interface':
 case 'api':
 $key = Dba::escape($key);
 $time = time();
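Review bot: `check_session()` treats the client-supplied `_remember` cookie as authoritative: `isset($_COOKIE[$session_name . '_remember'])` alone is enough to call `create_remember_cookie()`, which raises `cookie_life` to `remember_length`, so any client can lengthen its own cookie lifetime by adding that cookie itself, no login-time choice required. Record the remember decision server-side when the session is created (for example as part of the `$data` that `session_create()` writes) and only extend when the stored flag agrees with the cookie. The function also returns true as soon as `get_session_data()` yields an array; whether that helper filters on `expire` is not visible here, and if it does not, expiry for interface sessions is enforced only by `session_exists()`, which `check_session()` never calls. The `session_exists()` signature change to `($type,$key,$data=array())` is good, but the `stream` case that reads `$data['ip']` now needs a note that `$data` is required for that type.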
@@ -293,6 +337,18 @@ class vauth {
 return true;
 }
 break;
+ //FIXME: This should use the IN() mojo and compare against enabled auths
+ case 'interface':
+ $key = Dba::escape($key);
+ $time = time();
+ $sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '$time' AND `type`!='api' AND `type`!='xml-rpc'";
+debug_event('testo',$sql,'1');
+ $db_results = Dba::query($sql);
+
+ if (Dba::num_rows($db_results)) {
+ return true;
+ }
+ break;
 case 'stream':
 $key = Dba::escape($key);
 $ip = ip2int($data['ip']);
@@ -321,7 +377,7 @@ class vauth {
 */
 public static function _auto_init() {
- session_set_save_handler('vauth::open','vauth::close','vauth::read','vauth::write','vauth::destroy','vauth::gc');
+ session_set_save_handler(array('vauth','open'),array('vauth','close'),array('vauth','read'),array('vauth','write'),array('vauth','destroy'),array('vauth','gc'));
 } // auto init
@@ -339,7 +395,7 @@ class vauth {
 // Try to detect IE
 $agent = trim($_SERVER['HTTP_USER_AGENT']);
- if ((preg_match('|MSIE ([0-9).]+)|',$agent)) || preg_match('|Internet Explorer/([0-9.]+)|',$agent))) {
+ if (strstr($agent,'MSIE') || strstr($agent,'Internet Explorer/')) {
 session_cache_limiter('public');
 }
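Review bot: The unindented `+debug_event('testo',$sql,'1');` in the new `interface` case is leftover scaffolding: it logs the complete query, session id included, at level 1 on every image request, so interface session keys land in the debug log alongside whatever else is written at that level. Remove the line before this ships. The `FIXME` above it is right that the `!='api' AND !='xml-rpc'` exclusion duplicates the ENUM introduced in `update_340014` and will silently admit any type added later; building the list from the configured methods, e.g. `$types = "'" . implode("','", array_map(array('Dba','escape'), Config::get('auth_methods'))) . "'";` and `AND \`type\` IN ($types)`, keeps the check in step with what is enabled. The `stream` case continues past the end of this hunk.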
@@ -347,6 +403,202 @@ class vauth {
 } // ungimp_ie
+ /**
+ * authenticate
+ * This takes a username and password and then returns true or false
+ * based on what happens when we try to do the auth then
+ */
+ public static function authenticate($username,$password) {
+
+ // Foreach the auth methods
+ foreach (Config::get('auth_methods') as $method) {
+
+ // Build the function name and call the custom method on this class
+ $function_name = $method . '_auth';
+
+ if (!method_exists('vauth',$function_name)) { continue; }
+
+ $results = self::$function_name($username,$password);
+
+ // If we achive victory return
+ if ($results['success']) { break; }
+
+ } // end foreach
+
+ return $results;
+
+ } // authenticate
+
+ /**
+ * mysql_auth
+ * This is a private function, it should only be called by authenticate
+ */
+ private static function mysql_auth($username,$password) {
+
+ $username = Dba::escape($username);
+ $password = Dba::escape($password);
+
+ $password_check_sql = "PASSWORD('$password')";
+
+ $sql = "SELECT `user`.`password`,`session`.`ip`,`user`.`id` FROM `user` " .
+ "LEFT JOIN `session` ON `session`.`username`=`user`.`username` " .
+ "WHERE `user`.`username`='$username'";
+ $db_results = Dba::query($sql);
+ $row = Dba::fetch_assoc($db_results);
+
+ // If they don't have a password kick em ou
+ if (!$row['password']) {
+ Error::add('general','Error Username or Password incorrect, please try again');
+ return false;
+ }
+
+ if (Config::get('prevent_multiple_logins')) {
+ $client = new User($row['id']);
+ $ip = $client->is_logged_in();
+ if ($current_ip != ip2int($_SERVER['REMOTE_ADDR'])) {
+ Error::add('general','User Already Logged in');
+ return false;
+ }
+ } // if prevent_multiple_logins
+
+ $sql = "SELECT version()";
+ $db_results = Dba::query($sql);
+ $version = Dba::fetch_row($db_results);
+ $mysql_version = substr(preg_replace("/(\d+)\.(\d+)\.(\d+).*/","$1$2$3",$version[0]),0,3);
+
+ if ($mysql_version > "409" AND substr($row['password'],0,1) !== "*") {
+ $password_check_sql = "OLD_PASSWORD('$password')";
+ }
+
+ $sql = "SELECT username FROM user WHERE username='$username' AND password=$password_check_sql";
+ $db_results = Dba::query($sql);
+
+ $results = Dba::fetch_assoc($db_results);
+
+ if (!$results) {
+ Error::add('general','Error Username or Password incorrect, please try again');
+ return false;
+ }
+
+ $results['type'] = 'mysql';
+ $results['success'] = true;
+
+ return $results;
+
+ } // mysql_auth
+
+ /**
+ * ldap_auth
+ * Step one, connect to the LDAP server and perform a search for teh username provided.
+ * If its found, attempt to bind using that username and the password provided.
+ * Step two, figure out if they are authorized to use ampache:
+ * TODO: need implimented still:
+ * * require-group "The DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group"
+ * * require-dn "Grant access if the DN in the directive matches the DN fetched from the LDAP directory"
+ * * require-attribute "an attribute fetched from the LDAP directory matches the given value"
+ */
+ private static function ldap_auth($username,$password) {
+
+ $ldap_username = Config::get('ldap_username');
+ $ldap_password = Config::get('ldap_password');
+
+ /* Currently not implemented */
+ $require_group = Config::get('ldap_require_group');
+
+ // This is the DN for the users (required)
+ $ldap_dn = Config::get('ldap_search_dn');
+
+ // This is the server url (required)
+ $ldap_url = Config::get('ldap_url');
+
+ // This is the ldap filter string (required)
+ $ldap_filter = Config::get('ldap_filter');
+
+ //This is the ldap objectclass (required)
+ $ldap_class = Config::get('ldap_objectclass');
+
+ $ldap_name_field = Config::get('ldap_name_field');
+ $ldap_email_field = Config::get('ldap_email_field');
+
+ if ($ldap_link = ldap_connect($ldap_url) ) {
+
+ /* Set to Protocol 3 */
+ ldap_set_option($ldap_link, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ // bind using our auth, if we need to, for initial search for username
+ if (!ldap_bind($ldap_link, $ldap_username, $ldap_password)) {
+ $results['success'] = false;
+ $results['error'] = "Could not bind to LDAP server.";
+ return $results;
+ } // If bind fails
+
+ $sr = ldap_search($ldap_link, $ldap_dn, "(&(objectclass=$ldap_class)($ldap_filter=$username))");
+ $info = ldap_get_entries($ldap_link, $sr);
+
+ if ($info["count"] == 1) {
+ $user_entry = ldap_first_entry($ldap_link, $sr);
+ $user_dn = ldap_get_dn($ldap_link, $user_entry);
+ // bind using the user..
+ $retval = ldap_bind($ldap_link, $user_dn, $password);
+
+ if ($retval) {
+ ldap_close($ldap_link);
+ $results['success'] = true;
+ $results['type'] = "ldap";
+ $results['username'] = $username;
+ $results['name'] = $info[0][$ldap_name_field][0];
+ $results['email'] = $info[0][$ldap_email_field][0];
+
+ return $results;
+
+ } // if we get something good back
+
+ } // if something was sent back
+
+ } // if failed connect
+
+ /* Default to bad news */
+ $results['success'] = false;
+ $results['error'] = "LDAP login attempt failed";
+
+ return $results;
+
+ } // ldap_auth
+
+ /**
+ * http_auth
+ * This auth method relies on HTTP auth from Apache
+ * This is not a very secure method of authentication
+ * defaulted to off. Because if they can load the page they
+ * are considered to be authenticated we need to look and
+ * see if their user exists and if not, by golly we just
+ * go ahead and created it. NOT SECURE!!!!!
+ */
+ public static function http_auth($username) {
+
+ /* Check if the user exists */
+ if ($user = new User($username)) {
+ $results['success'] = true;
+ $results['type'] = 'mysql';
+ $results['username'] = $username;
+ $results['name'] = $user->fullname;
+ $results['email'] = $user->email;
+ return $results;
+ }
+
+ /* If not then we auto-create the entry as a user.. :S */
+ $user->create($username,$username,'',md5(rand()),'25');
+ $user = new User($username);
+
+ $results['success'] = true;
+ $results['type'] = 'mysql';
+ $results['username'] = $username;
+ $results['name'] = $user->fullname;
+ $results['email'] = $user->email;
+ return $results;
+
+ } // http_auth
+
 } // end of vauth class ?>
diff --git a/lib/init.php b/lib/init.php
index 4796a615..45184584 100644
--- a/lib/init.php
+++ b/lib/init.php
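Review bot: `ldap_auth()` interpolates the raw `$username` into the search filter `"(&(objectclass=$ldap_class)($ldap_filter=$username))"` and then binds with whatever `$password` it was handed, so a username containing `*`, `(`, `)` or `\` rewrites the filter, and an empty password turns the user bind into an anonymous bind that many directories accept; the only guard is login.php's truthiness check on `$_POST['password']`, so the method itself should refuse an empty password and escape the RFC 4515 metacharacters before searching. In `mysql_auth()` the `prevent_multiple_logins` branch stores `$client->is_logged_in()` in `$ip` but compares the never-assigned `$current_ip`, so with that option on every login appears to be refused with "User Already Logged in"; it should read `if ($ip != ip2int($_SERVER['REMOTE_ADDR'])) {`. In `http_auth()`, `if ($user = new User($username))` is always true because `new` never yields a falsy value, so the auto-create path below is unreachable and an unknown name still gets `success = true`; login.php and init.php resolve names with `User::get_from_username()`, which is the lookup this branch needs. `PASSWORD('$password')` also places the plaintext password inside the SQL text, where any MySQL query log will capture it, though replacing that scheme is a larger change than this commit. These bodies are carried over verbatim from the deleted auth.lib.php rather than written here, so the fixes belong in a follow-up against the new class.
```php
// … unchanged: config lookups, ldap_connect, service-account bind …
// An empty password makes the user bind below an anonymous bind; refuse it outright
if (!strlen($password)) {
    $results['success'] = false;
    $results['error'] = "LDAP login attempt failed";
    return $results;
}
// Escape RFC 4515 filter metacharacters so the username cannot alter the search filter
$filter_username = str_replace(array('\\', '*', '(', ')', "\x00"), array('\5c', '\2a', '\28', '\29', '\00'), $username);
$sr = ldap_search($ldap_link, $ldap_dn, "(&(objectclass=$ldap_class)($ldap_filter=$filter_username))");
// … unchanged: entry count check, user bind, result array …
```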
@@ -87,7 +87,6 @@ $results['int_config_version'] = '6';
 $results['raw_web_path'] = $results['web_path'];
 $results['web_path'] = $http_type . $_SERVER['HTTP_HOST'] . $results['web_path'];
 $results['http_port'] = $_SERVER['SERVER_PORT'];
-$results['stop_auth'] = $results['prefix'] . "/modules/vauth/gone.fishing";
 if (!$results['http_port']) {
 $results['http_port'] = '80';
 }
@@ -104,7 +103,7 @@ if (!$results['user_ip_cardinality']) {
 $results['user_ip_cardinality'] = 42;
 }
-/* Variables needed for vauth Module */
+/* Variables needed for vauth class */
 $results['cookie_path'] = $results['raw_web_path'];
 $results['cookie_domain'] = $_SERVER['SERVER_NAME'];
 $results['cookie_life'] = $results['session_cookielife'];
@@ -117,9 +116,6 @@ $results['mysql_db'] = $results['database_name'];
 // Define that we've loaded the INIT file
 define('INIT_LOADED','1');
-// Vauth Requires
-require_once $prefix . '/modules/vauth/init.php';
-
 // Library and module includes we can't do with the autoloader
 require_once $prefix . '/lib/album.lib.php';
 require_once $prefix . '/lib/artist.lib.php';
@@ -157,8 +153,6 @@ if (Config::get('ratings')) {
 /* Set a new Error Handler */
 $old_error_handler = set_error_handler('ampache_error_handler');
-/* Initilize the Vauth Library */
-vauth_init($results);
 /* Check their PHP Vars to make sure we're cool here */
 $post_size = @ini_get('post_max_size');
@@ -178,12 +172,12 @@ set_memory_limit($results['memory_limit']);
 if (in_array("http",$results['auth_methods'])) {
 $username = scrub_in($_SERVER['PHP_AUTH_USER']);
- $results = vauth_http_auth($username);
+ $results = vauth::http_auth($username);
 if ($results['success']) {
- vauth::create_cookie();
- vauth_session_create($results);
- $session_name = vauth_conf('session_name');
+ vauth::create_cookie();
+ vauth::session_create($results);
+ $session_name = Config::get('session_name');
 $_SESSION['userdata'] = $results;
 $_COOKIE[$session_name] = session_id();
 }
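Review bot: With `http` in `auth_methods` this block calls `vauth::http_auth()` on every request, including ones the web server did not authenticate, because `$_SERVER['PHP_AUTH_USER']` is read without checking it is set; `scrub_in()` of a missing value presumably yields an empty username, and the new `http_auth()` in vauth.class.php returns `success = true` for any name since its `if ($user = new User($username))` test cannot fail, so an unauthenticated request would be issued a session for the empty user. Guard the branch, `if (in_array("http",$results['auth_methods']) AND !empty($_SERVER['PHP_AUTH_USER'])) {`, and have `http_auth()` refuse an empty username as well. The removal of `stop_auth` and `vauth_init()` drops the config validation the old module did (missing `session_length`, `cookie_secure`, etc. used to fail loudly); if `Config` does not validate those keys, a comment noting that they are now trusted would save the next person a hunt. Hand-assigning `$_COOKIE[$session_name] = session_id()` deserves a one-line comment saying which later check reads the cookie directly, so it is not removed as dead code.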
@@ -193,13 +187,13 @@ if (in_array("http",$results['auth_methods'])) {
 // If we want a session
 if (NO_SESSION != '1' AND Config::get('use_auth')) {
 /* Verify Their session */
- if (!vauth_check_session()) { logout(); exit; }
+ if (!vauth::check_session()) { vauth::logout(session_id()); exit; }
 /* Create the new user */
 $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']);
 /* If they user ID doesn't exist deny them */
- if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { logout(); exit; }
+ if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; }
 /* Load preferences and theme */
 $GLOBALS['user']->update_last_seen();
@@ -211,7 +205,7 @@ elseif (!Config::get('use_auth')) {
 $auth['id'] = -1;
 $auth['access'] = "admin";
 $auth['offset_limit'] = 50;
- if (!vauth_check_session()) { vauth_session_create($auth); }
+ if (!vauth::check_session()) { vauth::session_create($auth); }
 $GLOBALS['user'] = new User(-1);
 $GLOBALS['user']->fullname = 'Ampache User';
 $GLOBALS['user']->offset_limit = $auth['offset_limit'];
@@ -222,7 +216,7 @@ elseif (!Config::get('use_auth')) {
 // If Auth, but no session is set
 else {
 if (isset($_REQUEST['sessid'])) {
- $sess_results = vauth_get_session($_REQUEST['sessid']);
+ $sess_results = vauth::get_session_data($_REQUEST['sessid']);
 session_name(Config::get('session_name'));
 session_id(scrub_in($_REQUEST['sessid']));
 session_start();
@@ -25,7 +25,7 @@ require_once 'lib/init.php';
 /* We have to create a cookie here because IIS
 * can't handle Cookie + Redirect */
-vauth_session_cookie();
+vauth::create_cookie();
 Preference::init();
 /**
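Review bot: The `sessid` branch passes the raw `$_REQUEST['sessid']` to `vauth::get_session_data()` while the scrubbed copy goes to `session_id()`, so the row that is looked up and the session that is then started can differ, and if `get_session_data()` does not escape its argument (its body is outside this diff) the raw value reaches SQL. Scrub once, `$sessid = scrub_in($_REQUEST['sessid']);`, and use it for both calls. Starting a session from an id carried in a request parameter is a fixation vector unless the rest of this block verifies `$sess_results` against an unexpired row of the expected type, which the hunk does not show; routing the check through `vauth::session_exists('stream', $sessid, ...)` would make that explicit. The `else` block continues past the end of the hunk.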
@@ -48,11 +48,7 @@ unset($auth);
 if ($_POST['username'] && $_POST['password']) {
 if ($_POST['rememberme']) {
- $extended = vauth_conf('remember_length');
- vauth_conf(array('cookie_life'=>$extended),1);
- $cookie_name = vauth_conf('session_name') . "_remember";
- $cookie_life = time() + $extended;
- setcookie($cookie_name, '1', $cookie_life,'/',vauth_conf('cookie_domain'));
+ vauth::create_remember_cookie();
 }
 /* If we are in demo mode let's force auth success */
@@ -65,7 +61,7 @@ if ($_POST['username'] && $_POST['password']) {
 else {
 $username = scrub_in($_POST['username']);
 $password = scrub_in($_POST['password']);
- $auth = authenticate($username, $password);
+ $auth = vauth::authenticate($username, $password);
 $user = User::get_from_username($username);
 if ($user->disabled == '1') {
@@ -105,7 +101,7 @@ if ($_POST['username'] && $_POST['password']) {
 if ($auth['success']) {
 // $auth->info are the fields specified in the config file
 // to retrieve for each user
- vauth_session_create($auth);
+ vauth::session_create($auth);
 // Generate the user we need for a few things
 $user = User::get_from_username($username);
diff --git a/modules/vauth/auth.lib.php b/modules/vauth/auth.lib.php
deleted file mode 100644
index f877cea8..00000000
--- a/modules/vauth/auth.lib.php
+++ /dev/null
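Review bot: `vauth::create_remember_cookie()` is invoked as soon as `$_POST['rememberme']` is set, before `vauth::authenticate()` has run, so a failed login still leaves the long-lived `_remember` cookie on the client and `check_session()` will honour it on the next visit; the deleted inline code had the same ordering, but moving it into a helper is the moment to fix it. Issue the remember cookie only inside the `if ($auth['success'])` block further down, directly after `vauth::session_create($auth);`. `scrub_in()` is applied to `$_POST['password']` before authentication, which means any character that function strips or rewrites cannot appear in a working password; a comment stating what `scrub_in()` does to the value, or passing the password through untouched to `vauth::authenticate()` (which escapes it itself for the MySQL path), would avoid silent lockouts.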
@@ -1,226 +0,0 @@ -<?php -/* - - Copyright (c) 2006 - 2007 Karl Vollmer - All rights reserved. - - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License v2 - as published by the Free Software Foundation. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - -*/ - -/** - * Authenticate library - * Yup! - */ - -/** - * authenticate - * This takes a username and passwords and returns false on failure - * on success it returns true, and the username + type in an array - */ -function authenticate($username,$password) { - - /* Don't even try if stop auth is in place */ - if (file_exists(vauth_conf('stop_auth'))) { - return false; - } - - /* Foreach Through the methods we are allowed to use */ - foreach (vauth_conf('auth_methods') as $method) { - - /* Build Function name and call custom function */ - $function = 'vauth_' . $method . '_auth'; - $results = $function($username,$password); - - /* If we find something break */ - if ($results['success']) { break; } - } // end foreach - - return $results; - -} // authenticate - - -/** - * vauth_mysql_auth - * This functions does mysql authentication againsts a user table - * That has a username and a password field change it if you don't like it! - */ -function vauth_mysql_auth($username,$password) { - - $username = Dba::escape($username); - $password = Dba::escape($password); - - $password_check_sql = "PASSWORD('$password')"; - - $sql = "SELECT `user`.`password`,`session`.`ip`,`user`.`id` FROM `user` " . 
- "LEFT JOIN `session` ON `session`.`username`=`user`.`username` " . - "WHERE `user`.`username`='$username'"; - $db_results = Dba::query($sql); - $row = Dba::fetch_assoc($db_results); - - // If they don't have a password kick em ou - if (!$row['password']) { - Error::add('general','Error Username or Password incorrect, please try again'); - return false; - } - - if (Config::get('prevent_multiple_logins')) { - $client = new User($row['id']); - $ip = $client->is_logged_in(); - if ($current_ip != ip2int($_SERVER['REMOTE_ADDR'])) { - Error::add('general','User Already Logged in'); - return false; - } - } // if prevent_multiple_logins - - $sql = "SELECT version()"; - $db_results = Dba::query($sql); - $version = Dba::fetch_row($db_results); - $mysql_version = substr(preg_replace("/(\d+)\.(\d+)\.(\d+).*/","$1$2$3",$version[0]),0,3); - - if ($mysql_version > "409" AND substr($row['password'],0,1) !== "*") { - $password_check_sql = "OLD_PASSWORD('$password')"; - } - - $sql = "SELECT username FROM user WHERE username='$username' AND password=$password_check_sql"; - $db_results = Dba::query($sql); - - $results = Dba::fetch_assoc($db_results); - - if (!$results) { - Error::add('general','Error Username or Password incorrect, please try again'); - return false; - } - - $results['type'] = 'mysql'; - $results['success'] = true; - - return $results; - -} // vauth_mysql_auth - -/** - * vauth_ldap_auth - * Step one, connect to the LDAP server and perform a search for teh username provided. - * If its found, attempt to bind using that username and the password provided. 
- * Step two, figure out if they are authorized to use ampache: - * TODO: need implimented still: - * * require-group "The DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group" - * * require-dn "Grant access if the DN in the directive matches the DN fetched from the LDAP directory" - * * require-attribute "an attribute fetched from the LDAP directory matches the given value" - */ -function vauth_ldap_auth($username, $password) { - - $ldap_username = vauth_conf('ldap_username'); - $ldap_password = vauth_conf('ldap_password'); - - /* Currently not implemented */ - $require_group = vauth_conf('ldap_require_group'); - - // This is the DN for the users (required) - $ldap_dn = vauth_conf('ldap_search_dn'); - - // This is the server url (required) - $ldap_url = vauth_conf('ldap_url'); - - // This is the ldap filter string (required) - $ldap_filter = vauth_conf('ldap_filter'); - - //This is the ldap objectclass (required) - $ldap_class = vauth_conf('ldap_objectclass'); - - $ldap_name_field = vauth_conf('ldap_name_field'); - $ldap_email_field = vauth_conf('ldap_email_field'); - - if ($ldap_link = ldap_connect($ldap_url) ) { - - /* Set to Protocol 3 */ - ldap_set_option($ldap_link, LDAP_OPT_PROTOCOL_VERSION, 3); - - // bind using our auth, if we need to, for initial search for username - if (!ldap_bind($ldap_link, $ldap_username, $ldap_password)) { - $results['success'] = false; - $results['error'] = "Could not bind to LDAP server."; - return $results; - } // If bind fails - - $sr = ldap_search($ldap_link, $ldap_dn, "(&(objectclass=$ldap_class)($ldap_filter=$username))"); - $info = ldap_get_entries($ldap_link, $sr); - - if ($info["count"] == 1) { - $user_entry = ldap_first_entry($ldap_link, $sr); - $user_dn = ldap_get_dn($ldap_link, $user_entry); - // bind using the user.. 
- $retval = ldap_bind($ldap_link, $user_dn, $password); - - if ($retval) { - ldap_close($ldap_link); - $results['success'] = true; - $results['type'] = "ldap"; - $results['username'] = $username; - $results['name'] = $info[0][$ldap_name_field][0]; - $results['email'] = $info[0][$ldap_email_field][0]; - - return $results; - - } // if we get something good back - } // if something was sent back - } // if failed connect - - /* Default to bad news */ - $results['success'] = false; - $results['error'] = "LDAP login attempt failed"; - return $results; - - -} // vauth_ldap_auth - - -/** - * vauth_http_auth - * This auth method relies on HTTP auth from Apache - * This is not a very secure method of authentication - * defaulted to off. Because if they can load the page they - * are considered to be authenticated we need to look and - * see if their user exists and if not, by golly we just - * go ahead and created it. NOT SECURE!!!!! - */ -function vauth_http_auth($username) { - - /* Check if the user exists */ - if ($user = new User($username)) { - $results['success'] = true; - $results['type'] = 'mysql'; - $results['username'] = $username; - $results['name'] = $user->fullname; - $results['email'] = $user->email; - return $results; - } - - - /* If not then we auto-create the entry as a user.. :S */ - $user->create($username,$username,'',md5(rand()),'25'); - $user = new User($username); - - $results['success'] = true; - $results['type'] = 'mysql'; - $results['username'] = $username; - $results['name'] = $user->fullname; - $results['email'] = $user->email; - return $results; - -} // vauth_http_auth - -?> diff --git a/modules/vauth/init.php b/modules/vauth/init.php deleted file mode 100644 index 7392b480..00000000 --- a/modules/vauth/init.php +++ /dev/null 
@@ -1,172 +0,0 @@ -<?php -/* - - Copyright (c) 2007 Karl Vollmer - All rights reserved. - - This program is free software; you can redistribute it and/or - modify it under the terms of the GNU General Public License v2 - as published by the Free Software Foundation. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. - -*/ -/** - * init script - * This script requires all of the additional libraries and does a little error checking to - * make sure that we've got the variables we need to make everything work. - * Be default you should include this file then call the vauth_init() function - * passing in an array of the elements we need (see more docs that in theory I'll write) - */ - -/** - * vauth_init - * This function loads in the extra lib files and checks the data we've got - * If it doesn't find everything it needs it will return use PHP's Error method - * to throw an exception and return false - */ -function vauth_init($data) { - /* Check for the variables we are going to need first */ - if (isset($data['auth_methods']['mysql'])) { - if (!isset($data['mysql_hostname'])) { - vauth_error('No Mysql Hostname Defined [mysql_hostname]'); - $error_status = true; - } - if (!isset($data['mysql_db'])) { - vauth_error('No Mysql Database Defined [mysql_db]'); - $error_status = true; - } - if (!isset($data['mysql_username'])) { - vauth_error('No Mysql Username Defined [mysql_username]'); - $error_status = true; - } - if (!isset($data['mysql_password'])) { - vauth_error('No Mysql Password Defined [mysql_password]'); - $error_status = true; - } - } // if we're doing mysql auth - - 
if (isset($data['auth_methods']['ldap'])) { - - if (!isset($data['ldap_url'])) { - vauth_error('No LDAP server defined [ldap_url]'); - $error_status = true; - } - if (!isset($data['ldap_name_field'])) { - vauth_error('No Name Field defined [ldap_name_field]'); - } - if (!isset($data['ldap_email_field'])) { - vauth_error('No E-mail Field defined [ldap_email_field]'); - } - if (!isset($data['ldap_username'])) { - vauth_error('No Bind Username defined [ldap_username]'); - } - if (!isset($data['ldap_password'])) { - vauth_error('No Bind Password defined [ldap_password]'); - } - - } // if we're doing ldap auth - - if (isset($data['auth_methods']['http'])) { - - - } // if we're doing http auth - - if (!isset($data['session_length'])) { - vauth_error('No Session Length Defined [session_length]'); - $error_status = true; - } - - if (!isset($data['session_name'])) { - vauth_error('No Session Name Defined [session_name]'); - $error_status = true; - } - - if (!isset($data['cookie_life'])) { - vauth_error('No Cookie Life Defined [cookie_life]'); - $error_status = true; - } - - if (!isset($data['cookie_secure'])) { - vauth_error('Cookie Secure Not Defined [cookie_secure]'); - $error_status = true; - } - - if (!isset($data['cookie_path'])) { - vauth_error('Cookie Path Not Defined [cookie_path]'); - $error_status = true; - } - - if (!isset($data['cookie_domain'])) { - vauth_error('Cookie Domain Not Defined [cookie_domain]'); - $error_status = true; - } - - /* For now we won't require it */ - if (!isset($data['remember_length'])) { - $data['remember_length'] = '900'; - } - - /* If an error has occured then return false */ - if (isset($error_status)) { return false; } - - /* Load the additional libraries that we may or may not need... */ - require_once 'session.lib.php'; - require_once 'auth.lib.php'; - - vauth_conf($data); - - return true; - -} // vauth_init - -/** - * vauth_error - * This function throws a PHP error with whatever went wrong. 
If you don't use a custom - * Error handler this will get spit out the screen, otherwise well whatever you do with it - * is what is going to happen to it... amazing huh! - */ -function vauth_error($string) { - - trigger_error($string,E_USER_WARNING); - return true; - -} // vauth_error - - -/** - * vauth_conf - * This is a function with a static array that we store the configuration variables in - * So we don't have to worry about globalizing anything - */ -function vauth_conf($param,$clobber=0) { - - static $params = array(); - - // We are trying to set variables - if(is_array($param)) { - foreach ($param as $key=>$val) { - if(!$clobber && isset($params[$key])) { - vauth_error("Attempting to clobber $key = $val"); - return false; - } - $params[$key] = $val; - } - return true; - } - // We are attempting to retrive a variable - else { - if(isset($params[$param])) return $params[$param]; - else return; - } - -} // vauth_conf - -?> diff --git a/modules/vauth/session.lib.php b/modules/vauth/session.lib.php deleted file mode 100644 index ef91a473..00000000 --- a/modules/vauth/session.lib.php +++ /dev/null 
@@ -1,305 +0,0 @@
-<?php
-/*
-
- Copyright (c) 2006 - 2007 Karl Vollmer
- All rights reserved.
-
- This program is free software; you can redistribute it and/or
- modify it under the terms of the GNU General Public License v2
- as published by the Free Software Foundation.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
-*/
-
-/**
- * Session Library
- * This sets up the custom session handler mojo
- * and then contains the functions that the session handler references
- */
-
-// Quick check for the session functions if they don't exist redirect to /test.php
-if (!function_exists('session_set_save_handler')) {
- header("Location: " . Config::get('web_path') .
"/test.php");
- debug_event('ERROR','Missing PHP Session Module','1');
- exit;
-}
-
-/* Always register the customer handler */
-session_set_save_handler(
- 'vauth_sess_open',
- 'vauth_sess_close',
- 'vauth_sess_read',
- 'vauth_sess_write',
- 'vauth_sess_destory',
- 'vauth_sess_gc');
-
-/**
- * vauth_sess_open
- * This is the function for opening a new session, we just verify that we have a
- * database connection, nothing more (since this is a dbh session handler
- */
-function vauth_sess_open($save_path,$session_name) {
-
- if (!is_resource(Dba::dbh())) {
- vauth_error('Session open failed, no database handle');
- return false;
- }
-
- return true;
-
-} // vauth_sess_open
-
-/**
- * vauth_sess_close
- * Placeholder function, don't have anything to do in this one for now
- */
-function vauth_sess_close() {
- return true;
-} // vauth_sess_close
-
-/**
- * vauth_sess_read
- * Takes a Key and looks in the database, and returns the value
- */
-function vauth_sess_read($key) {
-
- $results = vauth_get_session($key);
- if (isset($results['value']) AND strlen($results['value']) < 1) {
- vauth_error('Unable to read session data');
- return '';
- }
-
- /* Return the value column from the db */
- return $results['value'];
-
-} // vauth_sess_read
-
-/**
- * vauth_sess_write
- * Saves the session information to the database
- */
-function vauth_sess_write($key,$value) {
-
- $length = vauth_conf('session_length');
- $expire = time() + intval($length);
- $value = Dba::escape($value);
- $key = Dba::escape($key);
-
- /* Check for Rememeber Me */
- $cookie_name = vauth_conf('session_name') . "_remember";
- if (isset($_COOKIE[$cookie_name])) {
- $expire = time() + vauth_conf('remember_length');
- }
-
- $sql = "UPDATE session SET value='$value', expire='$expire'" .
- " WHERE id='$key'";
- $db_results = Dba::query($sql);
-
- return $db_results;
-
-} // vauth_sess_write
-
-/**
- * vauth_sess_destory
- * This removes the specified session from the database
- */
-function vauth_sess_destory($key) {
-
- $key = Dba::escape($key);
-
- /* Remove any database entries */
- $sql = "DELETE FROM `session` WHERE `id`='$key'";
- $db_results = Dba::query($sql);
-
- /* Destory the Cookie */
- setcookie (vauth_conf('session_name'),'',time() - 86400);
-
- return true;
-
-} // vauth_sess_destory
-
-/**
- * vauth_sess_gc
- * This is the randomly called garbage collection function
- */
-function vauth_sess_gc($maxlifetime) {
-
- $sql = "DELETE FROM `session` WHERE `expire` < '" . time() . "'";
- $db_results = Dba::query($sql);
-
- // Randomly collect the api session table
- $sql = "DELETE FROM `session_api` WHERE `expire` < '" . time() . "'";
- $db_results = Dba::query($sql);
-
- return true;
-
-} // vauth_sess_gc
-
-/**
- * vauth_logout
- * This logs you out of your vauth session
- */
-function vauth_logout($key) {
-
- vauth_sess_destory($key);
- return true;
-
-} // vauth_logout
-
-/**
- * vauth_get_session
- * This returns the data for the specified session
- */
-function vauth_get_session($key) {
-
- $key = Dba::escape($key);
-
- $sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '" . time() . "'";
- $db_results = Dba::query($sql);
-
- $results = Dba::fetch_assoc($db_results);
-
- if (!count($results)) {
- return false;
- }
-
- return $results;
-
-} // vauth_get_session
-
-/**
- * vauth_session_cookie
- * This is seperated into it's own cookie because of some flaws in specific
- * webservers *cough* IIS *cough* which prevent us from setting at cookie
- * at the same time as a header redirect.
As such on login view a cookie is set
- */
-function vauth_session_cookie() {
-
- /* Set the Cookies Paramaters, this is very very important */
- $cookie_life = vauth_conf('cookie_life');
- $cookie_path = vauth_conf('cookie_path');
- $cookie_domain = false;
- $cookie_secure = vauth_conf('cookie_secure');
-
- session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure);
-
- session_name(vauth_conf('session_name'));
-
- /* Start the Session */
- vauth_ungimp_ie();
- session_start();
-
-} // vauth_session_cookie
-
-/**
- * vauth_session_create
- * This is called when you want to create a new session
- * It takes care of setting the initial cookie, and inserting the first chunk
- * of data
- */
-function vauth_session_create($data) {
-
- // Regenerate the session ID to prevent fixation
- session_regenerate_id();
-
- /* function that creates the cookie for us */
- vauth_session_cookie();
-
- /* Before a refresh we don't have the cookie, so use session_id() */
- $key = session_id();
-
- $username = Dba::escape($data['username']);
- $ip = Dba::escape(ip2int($_SERVER['REMOTE_ADDR']));
- $type = Dba::escape($data['type']);
- $value = Dba::escape($data['value']);
- $expire = Dba::escape(time() + vauth_conf('session_length'));
-
- /* We can't have null things here people */
- if (!strlen($value)) { $value = ' '; }
-
- /* Insert the row */
- $sql = "INSERT INTO session (`id`,`username`,`ip`,`type`,`value`,`expire`) " .
- " VALUES ('$key','$username','$ip','$type','$value','$expire')";
- $db_results = Dba::query($sql);
-
- if (!$db_results) {
- vauth_error("Session Creation Failed with Query: $sql and " .
mysql_error());
- }
-
- return $db_results;
-
-} // vauth_session_create
-
-/**
- * vauth_check_session
- * This checks for an existing session, and if it's still there starts it and returns true
- */
-function vauth_check_session() {
-
- /* Make sure we're still valid */
- $session_name = vauth_conf('session_name');
-
- if (!isset($_COOKIE[$session_name])) { return false; }
-
- $key = scrub_in($_COOKIE[$session_name]);
- $results = vauth_get_session($key);
-
- if (!is_array($results)) {
- return false;
- }
-
- /* Check for Rememeber Me */
- $cookie_name = vauth_conf('session_name') . "_remember";
- if (isset($_COOKIE[$cookie_name])) {
- $extended = vauth_conf('remember_length');
- vauth_conf(array('cookie_life'=>$extended),1);
- setcookie($cookie_name, '1', time() + $extended,'/',vauth_conf('cookie_domain'));
- }
-
- /* Set the Cookie Paramaters */
- session_set_cookie_params(
- vauth_conf('cookie_life'),
- vauth_conf('cookie_path'),
- vauth_conf('cookie_domain'),
- vauth_conf('cookie_secure'));
-
- /* Set Session name so it knows what cookie to get */
- session_name($session_name);
-
- vauth_ungimp_ie();
- session_start();
-
- return true;
-
-} // vauth_check_session
-
-/**
- * vauth_ungimp_ie
- * This function sets the cache limiting to public if you are running
- * some flavor of IE. The detection used here is very conservative so feel free
- * to fix it. This only has to be done if we're rolling HTTPS
- */
-function vauth_ungimp_ie() {
-
- if ($_SERVER['HTTPS'] != 'on') { return true; }
-
- /* Now try to detect IE */
- $agent = trim($_SERVER['HTTP_USER_AGENT']);
-
- if ((preg_match('|MSIE ([0-9.]+)|', $agent)) || (preg_match('|Internet Explorer/([0-9.]+)|', $agent))) {
- session_cache_limiter('public');
- }
-
- return true;
-
-} // vauth_ungimp_ie
-
-?> |