diff options
| author | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-20 09:12:04 +0000 |
|---|---|---|
| committer | Karl 'vollmerk' Vollmer <vollmer@ampache.org> | 2007-12-20 09:12:04 +0000 |
| commit | 7e1432273ab146abfcce8f226a9bc79eb1f25393 (patch) | |
| tree | 3f804a8849b31a1fa237754c026f81d60973b5da /lib | |
| parent | 897b35aeddd117409af95b270ec8309c2a564aaa (diff) | |
| download | ampache-7e1432273ab146abfcce8f226a9bc79eb1f25393.tar.gz ampache-7e1432273ab146abfcce8f226a9bc79eb1f25393.tar.bz2 ampache-7e1432273ab146abfcce8f226a9bc79eb1f25393.zip | |
API and XML-RPC are still broken, but moved to new session code, sleep time
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/class/update.class.php | 29 | ||||
| -rw-r--r-- | lib/class/vauth.class.php | 280 | ||||
| -rw-r--r-- | lib/init.php | 24 |
3 files changed, 304 insertions, 29 deletions
diff --git a/lib/class/update.class.php b/lib/class/update.class.php index 130ed2c6..9a6be243 100644 --- a/lib/class/update.class.php +++ b/lib/class/update.class.php @@ -253,6 +253,10 @@ class Update { $version[] = array('version' => '340013','description'=>$update_string); + $update_string = '- Removed API Session table, been a nice run....<br />' . + '- Alterted Session table to handle API sessions correctly.<br />'; + + $version[] = array('version' => '340014','description'=>$update_string); return $version; @@ -1079,5 +1083,30 @@ class Update { } // update_340013 + /** + * update_340014 + * This update drops the session_api table that I added just two updates ago + * it's been nice while it lasted but it's time to pack your stuff and GTFO + * at the same time it updates the core session table to handle the additional + * stuff we're going to ask it to do. + */ + public static function update_340014() { + + $sql = "DROP TABLE `session_api`"; + $db_results = Dba::query($sql); + + $sql = "ALTER TABLE `session` CHANGE `type` `type` ENUM ('mysql','ldap','http','api','xml-rpc') NOT NULL"; + $db_results = Dba::query($sql); + + $sql = "ALTER TABLE `session` ADD `agent` VARCHAR ( 255 ) NOT NULL AFTER `type`"; + $db_results = Dba::query($sql); + + $sql = "ALTER TABLE `session` ADD INDEX (`type`)"; + $db_results = Dba::query($sql); + + self::set_version('db_version','340014'); + + } // update_340014 + } // end update class ?> diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php index d0f68e7e..2eb6c8fe 100644 --- a/lib/class/vauth.class.php +++ b/lib/class/vauth.class.php @@ -72,6 +72,7 @@ class vauth { public static function read($key) { $results = self::get_session_data($key); + if (strlen($results['value']) < 1) { debug_event('SESSION','Error unable to read session from key ' . $key . ' no data found','1'); return ''; @@ -97,6 +98,8 @@ class vauth { $sql = "UPDATE `session` SET `value`='$value', `expire`='$expire' WHERE `id`='$key'"; $db_results = Dba::query($sql); + debug_event('SESSION','Writing to ' . $key . ' with expire ' . $expire,'1'); + return $db_results; } // write @@ -140,8 +143,33 @@ class vauth { */ public static function logout($key) { + // Do a quick check to see if this is an AJAX'd logout request + // if so use the iframe to redirect + if (AJAX_INCLUDE == '1') { + ob_end_clean(); + ob_start(); + + /* Set the correct headers */ + header("Content-type: text/xml; charset=" . Config::get('site_charset')); + header("Content-Disposition: attachment; filename=ajax.xml"); + header("Expires: Tuesday, 27 Mar 1984 05:00:00 GMT"); + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); + header("Cache-Control: no-store, no-cache, must-revalidate"); + header("Pragma: no-cache"); + + $target = Config::get('web_path') . '/login.php'; + $results['rfc3514'] = '<script type="text/javascript">reload_logout("'.$target.'")</script>'; + echo xml_from_array($results); + } + self::destroy($key); - return true; + + /* Redirect them to the login page */ + if (AJAX_INCLUDE != '1') { + header ('Location: ' . Config::get('web_path') . '/login.php'); + } + + exit; } // logout @@ -184,6 +212,8 @@ class vauth { session_set_cookie_params($cookie_life,$cookie_path,$cookie_domain,$cookie_secure); + session_name(Config::get('session_name')); + /* Start the session */ self::ungimp_ie(); session_start(); @@ -191,6 +221,20 @@ class vauth { } // create_cookie, just watch out for the cookie monster /** + * create_remember_cookie + * This function just creates the remember me cookie, nothing special + */ + public static function create_remember_cookie() { + + $remember_length = Config::get('remember_length'); + $session_name = Config::get('session_name'); + + Config::set('cookie_life',$remember_length,'1'); + setcookie($session_name . '_remember',"Rappelez-vous, rappelez-vous le 27 mars",time() + $remember_length,'/',Config::get('cookie_domain')); + + } // create_remember_cookie + + /** * session_create * This is called when you want to create a new session * it takes care of setting the initial cookie, and inserting the first chunk of @@ -212,7 +256,7 @@ class vauth { $type = Dba::escape($data['type']); $value = Dba::escape($data['value']); $agent = Dba::escape($_SERVER['HTTP_USER_AGENT']); - $expire = Dba::escape(time() + vauth_conf('session_length')); + $expire = Dba::escape(time() + Config::get('session_length')); /* We can't have null things here people */ if (!strlen($value)) { $value = ' '; } @@ -237,20 +281,21 @@ class vauth { */ public static function check_session() { + $session_name = Config::get('session_name'); + // No cookie n go! - if (!isset($_COOKIE[Config::get('session_name')]) { return false; } + if (!isset($_COOKIE[$session_name])) { return false; } - $key = scrub_in($_COOKIE[Config::get('session_name')]); + $key = scrub_in($_COOKIE[$session_name]); $data = self::get_session_data($key); - if (!is_array($results)) { + if (!is_array($data)) { return false; } // Check for a remember me - if (isset($_COOKIE[Config::get('session_name') . '_remember'])) { - Config::set('cookie_life',Config::get('remember_length'),'1'); - setcookie(Config::get('session_name') . '_remember',time() + Config::get('remember_length'),'/',Config::get('cookie_domain')); + if (isset($_COOKIE[$session_name . '_remember'])) { + self::create_remember_cookie(); } // Setup the cookie params before we start the session this is vital @@ -261,10 +306,10 @@ class vauth { Config::get('cookie_secure')); // Set name - session_name(Config::get('session_name')); + session_name($session_name); // Ungimp IE and go - self::ungimp_io(); + self::ungimp_ie(); session_start(); return true; @@ -277,12 +322,11 @@ class vauth { * exists, it also provides an array of key'd data that may be required * based on the type */ - public static function session_exists($data,$key,$type) { + public static function session_exists($type,$key,$data=array()) { // Switch on the type they pass switch ($type) { case 'xml-rpc': - case 'interface': case 'api': $key = Dba::escape($key); $time = time(); @@ -293,6 +337,18 @@ class vauth { return true; } break; + //FIXME: This should use the IN() mojo and compare against enabled auths + case 'interface': + $key = Dba::escape($key); + $time = time(); + $sql = "SELECT * FROM `session` WHERE `id`='$key' AND `expire` > '$time' AND `type`!='api' AND `type`!='xml-rpc'"; +debug_event('testo',$sql,'1'); + $db_results = Dba::query($sql); + + if (Dba::num_rows($db_results)) { + return true; + } + break; case 'stream': $key = Dba::escape($key); $ip = ip2int($data['ip']); @@ -321,7 +377,7 @@ class vauth { */ public static function _auto_init() { - session_set_save_handler('vauth::open','vauth::close','vauth::read','vauth::write','vauth::destroy','vauth::gc'); + session_set_save_handler(array('vauth','open'),array('vauth','close'),array('vauth','read'),array('vauth','write'),array('vauth','destroy'),array('vauth','gc')); } // auto init @@ -339,7 +395,7 @@ class vauth { // Try to detect IE $agent = trim($_SERVER['HTTP_USER_AGENT']); - if ((preg_match('|MSIE ([0-9).]+)|',$agent)) || preg_match('|Internet Explorer/([0-9.]+)|',$agent))) { + if (strstr($agent,'MSIE') || strstr($agent,'Internet Explorer/')) { session_cache_limiter('public'); } @@ -347,6 +403,202 @@ class vauth { } // ungimp_ie + /** + * authenticate + * This takes a username and password and then returns true or false + * based on what happens when we try to do the auth then + */ + public static function authenticate($username,$password) { + + // Foreach the auth methods + foreach (Config::get('auth_methods') as $method) { + + // Build the function name and call the custom method on this class + $function_name = $method . '_auth'; + + if (!method_exists('vauth',$function_name)) { continue; } + + $results = self::$function_name($username,$password); + + // If we achive victory return + if ($results['success']) { break; } + + } // end foreach + + return $results; + + } // authenticate + + /** + * mysql_auth + * This is a private function, it should only be called by authenticate + */ + private static function mysql_auth($username,$password) { + + $username = Dba::escape($username); + $password = Dba::escape($password); + + $password_check_sql = "PASSWORD('$password')"; + + $sql = "SELECT `user`.`password`,`session`.`ip`,`user`.`id` FROM `user` " . + "LEFT JOIN `session` ON `session`.`username`=`user`.`username` " . + "WHERE `user`.`username`='$username'"; + $db_results = Dba::query($sql); + $row = Dba::fetch_assoc($db_results); + + // If they don't have a password kick em ou + if (!$row['password']) { + Error::add('general','Error Username or Password incorrect, please try again'); + return false; + } + + if (Config::get('prevent_multiple_logins')) { + $client = new User($row['id']); + $ip = $client->is_logged_in(); + if ($current_ip != ip2int($_SERVER['REMOTE_ADDR'])) { + Error::add('general','User Already Logged in'); + return false; + } + } // if prevent_multiple_logins + + $sql = "SELECT version()"; + $db_results = Dba::query($sql); + $version = Dba::fetch_row($db_results); + $mysql_version = substr(preg_replace("/(\d+)\.(\d+)\.(\d+).*/","$1$2$3",$version[0]),0,3); + + if ($mysql_version > "409" AND substr($row['password'],0,1) !== "*") { + $password_check_sql = "OLD_PASSWORD('$password')"; + } + + $sql = "SELECT username FROM user WHERE username='$username' AND password=$password_check_sql"; + $db_results = Dba::query($sql); + + $results = Dba::fetch_assoc($db_results); + + if (!$results) { + Error::add('general','Error Username or Password incorrect, please try again'); + return false; + } + + $results['type'] = 'mysql'; + $results['success'] = true; + + return $results; + + } // mysql_auth + + /** + * ldap_auth + * Step one, connect to the LDAP server and perform a search for teh username provided. + * If its found, attempt to bind using that username and the password provided. + * Step two, figure out if they are authorized to use ampache: + * TODO: need implimented still: + * * require-group "The DN fetched from the LDAP directory (or the username passed by the client) occurs in the LDAP group" + * * require-dn "Grant access if the DN in the directive matches the DN fetched from the LDAP directory" + * * require-attribute "an attribute fetched from the LDAP directory matches the given value" + */ + private static function ldap_auth($username,$password) { + + $ldap_username = Config::get('ldap_username'); + $ldap_password = Config::get('ldap_password'); + + /* Currently not implemented */ + $require_group = Config::get('ldap_require_group'); + + // This is the DN for the users (required) + $ldap_dn = Config::get('ldap_search_dn'); + + // This is the server url (required) + $ldap_url = Config::get('ldap_url'); + + // This is the ldap filter string (required) + $ldap_filter = Config::get('ldap_filter'); + + //This is the ldap objectclass (required) + $ldap_class = Config::get('ldap_objectclass'); + + $ldap_name_field = Config::get('ldap_name_field'); + $ldap_email_field = Config::get('ldap_email_field'); + + if ($ldap_link = ldap_connect($ldap_url) ) { + + /* Set to Protocol 3 */ + ldap_set_option($ldap_link, LDAP_OPT_PROTOCOL_VERSION, 3); + + // bind using our auth, if we need to, for initial search for username + if (!ldap_bind($ldap_link, $ldap_username, $ldap_password)) { + $results['success'] = false; + $results['error'] = "Could not bind to LDAP server."; + return $results; + } // If bind fails + + $sr = ldap_search($ldap_link, $ldap_dn, "(&(objectclass=$ldap_class)($ldap_filter=$username))"); + $info = ldap_get_entries($ldap_link, $sr); + + if ($info["count"] == 1) { + $user_entry = ldap_first_entry($ldap_link, $sr); + $user_dn = ldap_get_dn($ldap_link, $user_entry); + // bind using the user.. + $retval = ldap_bind($ldap_link, $user_dn, $password); + + if ($retval) { + ldap_close($ldap_link); + $results['success'] = true; + $results['type'] = "ldap"; + $results['username'] = $username; + $results['name'] = $info[0][$ldap_name_field][0]; + $results['email'] = $info[0][$ldap_email_field][0]; + + return $results; + + } // if we get something good back + + } // if something was sent back + + } // if failed connect + + /* Default to bad news */ + $results['success'] = false; + $results['error'] = "LDAP login attempt failed"; + + return $results; + + } // ldap_auth + + /** + * http_auth + * This auth method relies on HTTP auth from Apache + * This is not a very secure method of authentication + * defaulted to off. Because if they can load the page they + * are considered to be authenticated we need to look and + * see if their user exists and if not, by golly we just + * go ahead and created it. NOT SECURE!!!!! + */ + public static function http_auth($username) { + + /* Check if the user exists */ + if ($user = new User($username)) { + $results['success'] = true; + $results['type'] = 'mysql'; + $results['username'] = $username; + $results['name'] = $user->fullname; + $results['email'] = $user->email; + return $results; + } + + /* If not then we auto-create the entry as a user.. :S */ + $user->create($username,$username,'',md5(rand()),'25'); + $user = new User($username); + + $results['success'] = true; + $results['type'] = 'mysql'; + $results['username'] = $username; + $results['name'] = $user->fullname; + $results['email'] = $user->email; + return $results; + + } // http_auth + } // end of vauth class ?> diff --git a/lib/init.php b/lib/init.php index 4796a615..45184584 100644 --- a/lib/init.php +++ b/lib/init.php @@ -87,7 +87,6 @@ $results['int_config_version'] = '6'; $results['raw_web_path'] = $results['web_path']; $results['web_path'] = $http_type . $_SERVER['HTTP_HOST'] . $results['web_path']; $results['http_port'] = $_SERVER['SERVER_PORT']; -$results['stop_auth'] = $results['prefix'] . "/modules/vauth/gone.fishing"; if (!$results['http_port']) { $results['http_port'] = '80'; } @@ -104,7 +103,7 @@ if (!$results['user_ip_cardinality']) { $results['user_ip_cardinality'] = 42; } -/* Variables needed for vauth Module */ +/* Variables needed for vauth class */ $results['cookie_path'] = $results['raw_web_path']; $results['cookie_domain'] = $_SERVER['SERVER_NAME']; $results['cookie_life'] = $results['session_cookielife']; @@ -117,9 +116,6 @@ $results['mysql_db'] = $results['database_name']; // Define that we've loaded the INIT file define('INIT_LOADED','1'); -// Vauth Requires -require_once $prefix . '/modules/vauth/init.php'; - // Library and module includes we can't do with the autoloader require_once $prefix . '/lib/album.lib.php'; require_once $prefix . '/lib/artist.lib.php'; @@ -157,8 +153,6 @@ if (Config::get('ratings')) { /* Set a new Error Handler */ $old_error_handler = set_error_handler('ampache_error_handler'); -/* Initilize the Vauth Library */ -vauth_init($results); /* Check their PHP Vars to make sure we're cool here */ $post_size = @ini_get('post_max_size'); @@ -178,12 +172,12 @@ set_memory_limit($results['memory_limit']); if (in_array("http",$results['auth_methods'])) { $username = scrub_in($_SERVER['PHP_AUTH_USER']); - $results = vauth_http_auth($username); + $results = vauth::http_auth($username); if ($results['success']) { - vauth_session_cookie(); - vauth_session_create($results); - $session_name = vauth_conf('session_name'); + vauth::create_cookie(); + vauth::session_create($results); + $session_name = Config::get('session_name'); $_SESSION['userdata'] = $results; $_COOKIE[$session_name] = session_id(); } @@ -193,13 +187,13 @@ if (in_array("http",$results['auth_methods'])) { // If we want a session if (NO_SESSION != '1' AND Config::get('use_auth')) { /* Verify Their session */ - if (!vauth_check_session()) { logout(); exit; } + if (!vauth::check_session()) { vauth::logout(session_id()); exit; } /* Create the new user */ $GLOBALS['user'] = User::get_from_username($_SESSION['userdata']['username']); /* If they user ID doesn't exist deny them */ - if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { logout(); exit; } + if (!$GLOBALS['user']->id AND !Config::get('demo_mode')) { vauth::logout(session_id()); exit; } /* Load preferences and theme */ $GLOBALS['user']->update_last_seen(); @@ -211,7 +205,7 @@ elseif (!Config::get('use_auth')) { $auth['id'] = -1; $auth['access'] = "admin"; $auth['offset_limit'] = 50; - if (!vauth_check_session()) { vauth_session_create($auth); } + if (!vauth::check_session()) { vauth::session_create($auth); } $GLOBALS['user'] = new User(-1); $GLOBALS['user']->fullname = 'Ampache User'; $GLOBALS['user']->offset_limit = $auth['offset_limit']; @@ -222,7 +216,7 @@ elseif (!Config::get('use_auth')) { // If Auth, but no session is set else { if (isset($_REQUEST['sessid'])) { - $sess_results = vauth_get_session($_REQUEST['sessid']); + $sess_results = vauth::get_session_data($_REQUEST['sessid']); session_name(Config::get('session_name')); session_id(scrub_in($_REQUEST['sessid'])); session_start(); |