You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
303 lines
9.7 KiB
PHTML
303 lines
9.7 KiB
PHTML
7 years ago
|
<?php
|
||
|
|
||
|
/**
|
||
|
* Authentication and account functions
|
||
|
*/
|
||
|
use Base32\Base32;
|
||
|
use OTPHP\TOTP;
|
||
|
use LdapTools\LdapManager;
|
||
|
use LdapTools\Connection\ADResponseCodes;
|
||
|
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
// Account handling //
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
|
||
|
/**
|
||
|
* Add a user to the system. /!\ Assumes input is OK /!\
|
||
|
* @param string $username Username, saved in lowercase.
|
||
|
* @param string $password Password, will be hashed before saving.
|
||
|
* @param string $realname User's real legal name
|
||
|
* @param string $email User's email address.
|
||
|
* @return int The new user's ID number in the database.
|
||
|
*/
|
||
|
function adduser($username, $password, $realname, $email = null, $phone1 = "", $phone2 = "") {
|
||
|
global $database;
|
||
|
$database->debug()->insert('accounts', [
|
||
|
'username' => strtolower($username),
|
||
|
'password' => (is_null($password) ? null : encryptPassword($password)),
|
||
|
'realname' => $realname,
|
||
|
'email' => $email,
|
||
|
'phone1' => $phone1,
|
||
|
'phone2' => $phone2,
|
||
|
'acctstatus' => 1
|
||
|
]);
|
||
|
|
||
|
return $database->id();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get where a user's account actually is.
|
||
|
* @param string $username
|
||
|
* @return string "LDAP", "LOCAL", "LDAP_ONLY", or "NONE".
|
||
|
*/
|
||
|
function account_location($username, $password) {
|
||
|
global $database;
|
||
|
$user_exists = user_exists($username);
|
||
|
if (!$user_exists && !LDAP_ENABLED) {
|
||
|
return false;
|
||
|
}
|
||
|
if ($user_exists) {
|
||
|
$userinfo = $database->select('accounts', ['password'], ['username' => $username])[0];
|
||
|
// if password empty, it's an LDAP user
|
||
|
if (is_empty($userinfo['password']) && LDAP_ENABLED) {
|
||
|
return "LDAP";
|
||
|
} else if (is_empty($userinfo['password']) && !LDAP_ENABLED) {
|
||
|
return "NONE";
|
||
|
} else {
|
||
|
return "LOCAL";
|
||
|
}
|
||
|
} else {
|
||
|
if (user_exists_ldap($username, $password)) {
|
||
|
return "LDAP_ONLY";
|
||
|
} else {
|
||
|
return "NONE";
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Checks the given credentials against the database.
|
||
|
* @param string $username
|
||
|
* @param string $password
|
||
|
* @return boolean True if OK, else false
|
||
|
*/
|
||
|
function authenticate_user($username, $password) {
|
||
|
global $database;
|
||
|
global $ldap_config;
|
||
|
if (is_empty($username) || is_empty($password)) {
|
||
|
return false;
|
||
|
}
|
||
|
$loc = account_location($username, $password);
|
||
|
if ($loc == "NONE") {
|
||
|
return false;
|
||
|
} else if ($loc == "LOCAL") {
|
||
|
$hash = $database->select('accounts', ['password'], ['username' => $username, "LIMIT" => 1])[0]['password'];
|
||
|
return (comparePassword($password, $hash));
|
||
|
} else if ($loc == "LDAP") {
|
||
|
return authenticate_user_ldap($username, $password);
|
||
|
} else if ($loc == "LDAP_ONLY") {
|
||
|
if (authenticate_user_ldap($username, $password) === TRUE) {
|
||
|
try {
|
||
|
$user = (new LdapManager($ldap_config))->getRepository('user')->findOneByUsername($username);
|
||
|
var_dump($user);
|
||
|
adduser($user->getUsername(), null, $user->getName(), ($user->hasEmailAddress() ? $user->getEmailAddress() : null));
|
||
|
return true;
|
||
|
} catch (Exception $e) {
|
||
|
sendError("LDAP error: " . $e->getMessage());
|
||
|
}
|
||
|
} else {
|
||
|
return false;
|
||
|
}
|
||
|
} else {
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Check if a username exists in the local database.
|
||
|
* @param String $username
|
||
|
*/
|
||
|
function user_exists($username) {
|
||
|
global $database;
|
||
|
return $database->has('accounts', ['username' => $username, "LIMIT" => QUERY_LIMIT]);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Get the account status: NORMAL, TERMINATED, LOCKED_OR_DISABLED,
|
||
|
* CHANGE_PASSWORD, or ALERT_ON_ACCESS
|
||
|
* @global $database $database
|
||
|
* @param string $username
|
||
|
* @return string
|
||
|
*/
|
||
|
function get_account_status($username) {
|
||
|
global $database;
|
||
|
$loc = account_location($username);
|
||
|
if ($loc == "LOCAL") {
|
||
|
$statuscode = $database->select('accounts', [
|
||
|
'[>]acctstatus' => [
|
||
|
'acctstatus' => 'statusid'
|
||
|
]
|
||
|
], [
|
||
|
'accounts.acctstatus',
|
||
|
'acctstatus.statuscode'
|
||
|
], [
|
||
|
'username' => $username,
|
||
|
"LIMIT" => 1
|
||
|
]
|
||
|
)[0]['statuscode'];
|
||
|
return $statuscode;
|
||
|
} else if ($loc == "LDAP") {
|
||
|
// TODO: Read actual account status from AD servers
|
||
|
return "NORMAL";
|
||
|
} else {
|
||
|
// account isn't setup properly
|
||
|
return "LOCKED_OR_DISABLED";
|
||
|
}
|
||
|
}
|
||
|
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
// Login handling //
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
|
||
|
/**
|
||
|
* Setup $_SESSION values to log in a user
|
||
|
* @param string $username
|
||
|
*/
|
||
|
function doLoginUser($username, $password) {
|
||
|
global $database;
|
||
|
$userinfo = $database->select('accounts', ['email', 'uid', 'realname'], ['username' => $username])[0];
|
||
|
$_SESSION['username'] = $username;
|
||
|
$_SESSION['uid'] = $userinfo['uid'];
|
||
|
$_SESSION['email'] = $userinfo['email'];
|
||
|
$_SESSION['realname'] = $userinfo['realname'];
|
||
|
$_SESSION['password'] = $password; // needed for things like EWS
|
||
|
$_SESSION['loggedin'] = true;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Send an alert email to the system admin
|
||
|
*
|
||
|
* Used when an account with the status ALERT_ON_ACCESS logs in
|
||
|
* @param String $username the account username
|
||
|
*/
|
||
|
function sendLoginAlertEmail($username) {
|
||
|
// TODO: add email code
|
||
|
}
|
||
|
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
// LDAP handling //
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
|
||
|
/**
|
||
|
* Checks the given credentials against the LDAP server.
|
||
|
* @param string $username
|
||
|
* @param string $password
|
||
|
* @return mixed True if OK, else false or the error code from the server
|
||
|
*/
|
||
|
function authenticate_user_ldap($username, $password) {
|
||
|
global $ldap_config;
|
||
|
if (is_empty($username) || is_empty($password)) {
|
||
|
return false;
|
||
|
}
|
||
|
$ldapManager = new LdapManager($ldap_config);
|
||
|
$msg = "";
|
||
|
$code = 0;
|
||
|
if ($ldapManager->authenticate($username, $password, $msg, $code)) {
|
||
|
return true;
|
||
|
} else {
|
||
|
return $code;
|
||
|
}
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Check if a username exists on the LDAP server.
|
||
|
* @global type $ldap_config
|
||
|
* @param type $username
|
||
|
* @return boolean true if yes, else false
|
||
|
*/
|
||
|
function user_exists_ldap($username, $password) {
|
||
|
global $ldap_config;
|
||
|
$ldap = new LdapManager($ldap_config);
|
||
|
if (!$ldap->authenticate($username, $password, $message, $code)) {
|
||
|
switch ($code) {
|
||
|
case ADResponseCodes::ACCOUNT_INVALID:
|
||
|
return false;
|
||
|
case ADResponseCodes::ACCOUNT_CREDENTIALS_INVALID:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_RESTRICTIONS:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_RESTRICTIONS_TIME:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_RESTRICTIONS_DEVICE:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_PASSWORD_EXPIRED:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_DISABLED:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_CONTEXT_IDS:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_EXPIRED:
|
||
|
return false;
|
||
|
case ADResponseCodes::ACCOUNT_PASSWORD_MUST_CHANGE:
|
||
|
return true;
|
||
|
case ADResponseCodes::ACCOUNT_LOCKED:
|
||
|
return true;
|
||
|
default:
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
// 2-factor authentication //
|
||
|
////////////////////////////////////////////////////////////////////////////////
|
||
|
|
||
|
/**
|
||
|
* Check if a user has TOTP setup
|
||
|
* @global $database $database
|
||
|
* @param string $username
|
||
|
* @return boolean true if TOTP secret exists, else false
|
||
|
*/
|
||
|
function userHasTOTP($username) {
|
||
|
global $database;
|
||
|
$secret = $database->select('accounts', 'authsecret', ['username' => $username])[0];
|
||
|
if (is_empty($secret)) {
|
||
|
return false;
|
||
|
}
|
||
|
return true;
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Generate a TOTP secret for the given user.
|
||
|
* @param string $username
|
||
|
* @return string OTP provisioning URI (for generating a QR code)
|
||
|
*/
|
||
|
function newTOTP($username) {
|
||
|
global $database;
|
||
|
$secret = random_bytes(20);
|
||
|
$encoded_secret = Base32::encode($secret);
|
||
|
$userdata = $database->select('accounts', ['email', 'authsecret', 'realname'], ['username' => $username])[0];
|
||
|
$totp = new TOTP((is_null($userdata['email']) ? $userdata['realname'] : $userdata['email']), $encoded_secret);
|
||
|
$totp->setIssuer(SYSTEM_NAME);
|
||
|
return $totp->getProvisioningUri();
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Save a TOTP secret for the user.
|
||
|
* @global $database $database
|
||
|
* @param string $username
|
||
|
* @param string $secret
|
||
|
*/
|
||
|
function saveTOTP($username, $secret) {
|
||
|
global $database;
|
||
|
$database->update('accounts', ['authsecret' => $secret], ['username' => $username]);
|
||
|
}
|
||
|
|
||
|
/**
|
||
|
* Verify a TOTP multiauth code
|
||
|
* @global $database
|
||
|
* @param string $username
|
||
|
* @param int $code
|
||
|
* @return boolean true if it's legit, else false
|
||
|
*/
|
||
|
function verifyTOTP($username, $code) {
|
||
|
global $database;
|
||
|
$userdata = $database->select('accounts', ['email', 'authsecret'], ['username' => $username])[0];
|
||
|
if (is_empty($userdata['authsecret'])) {
|
||
|
return false;
|
||
|
}
|
||
|
$totp = new TOTP(null, $userdata['authsecret']);
|
||
|
return $totp->verify($code);
|
||
|
}
|