QwikClock is an employee time tracking app.


  1. <?php
  2. /**
  3. * Authentication and account functions
  4. */
  5. use Base32\Base32;
  6. use OTPHP\TOTP;
  7. use LdapTools\LdapManager;
  8. use LdapTools\Connection\ADResponseCodes;
  9. ////////////////////////////////////////////////////////////////////////////////
  10. // Account handling //
  11. ////////////////////////////////////////////////////////////////////////////////
  12. /**
  13. * Add a user to the system. /!\ Assumes input is OK /!\
  14. * @param string $username Username, saved in lowercase.
  15. * @param string $password Password, will be hashed before saving.
  16. * @param string $realname User's real legal name
  17. * @param string $email User's email address.
  18. * @return int The new user's ID number in the database.
  19. */
  20. function adduser($username, $password, $realname, $email = null, $phone1 = "", $phone2 = "") {
  21. global $database;
  22. $database->debug()->insert('accounts', [
  23. 'username' => strtolower($username),
  24. 'password' => (is_null($password) ? null : encryptPassword($password)),
  25. 'realname' => $realname,
  26. 'email' => $email,
  27. 'phone1' => $phone1,
  28. 'phone2' => $phone2,
  29. 'acctstatus' => 1
  30. ]);
  31. return $database->id();
  32. }
  33. /**
  34. * Get where a user's account actually is.
  35. * @param string $username
  36. * @return string "LDAP", "LOCAL", "LDAP_ONLY", or "NONE".
  37. */
  38. function account_location($username, $password) {
  39. global $database;
  40. $user_exists = user_exists($username);
  41. if (!$user_exists && !LDAP_ENABLED) {
  42. return false;
  43. }
  44. if ($user_exists) {
  45. $userinfo = $database->select('accounts', ['password'], ['username' => $username])[0];
  46. // if password empty, it's an LDAP user
  47. if (is_empty($userinfo['password']) && LDAP_ENABLED) {
  48. return "LDAP";
  49. } else if (is_empty($userinfo['password']) && !LDAP_ENABLED) {
  50. return "NONE";
  51. } else {
  52. return "LOCAL";
  53. }
  54. } else {
  55. if (user_exists_ldap($username, $password)) {
  56. return "LDAP_ONLY";
  57. } else {
  58. return "NONE";
  59. }
  60. }
  61. }
  62. /**
  63. * Checks the given credentials against the database.
  64. * @param string $username
  65. * @param string $password
  66. * @return boolean True if OK, else false
  67. */
  68. function authenticate_user($username, $password) {
  69. global $database;
  70. global $ldap_config;
  71. if (is_empty($username) || is_empty($password)) {
  72. return false;
  73. }
  74. $loc = account_location($username, $password);
  75. if ($loc == "NONE") {
  76. return false;
  77. } else if ($loc == "LOCAL") {
  78. $hash = $database->select('accounts', ['password'], ['username' => $username, "LIMIT" => 1])[0]['password'];
  79. return (comparePassword($password, $hash));
  80. } else if ($loc == "LDAP") {
  81. return authenticate_user_ldap($username, $password);
  82. } else if ($loc == "LDAP_ONLY") {
  83. if (authenticate_user_ldap($username, $password) === TRUE) {
  84. try {
  85. $user = (new LdapManager($ldap_config))->getRepository('user')->findOneByUsername($username);
  86. var_dump($user);
  87. adduser($user->getUsername(), null, $user->getName(), ($user->hasEmailAddress() ? $user->getEmailAddress() : null));
  88. return true;
  89. } catch (Exception $e) {
  90. sendError("LDAP error: " . $e->getMessage());
  91. }
  92. } else {
  93. return false;
  94. }
  95. } else {
  96. return false;
  97. }
  98. }
  99. /**
  100. * Check if a username exists in the local database.
  101. * @param String $username
  102. */
  103. function user_exists($username) {
  104. global $database;
  105. return $database->has('accounts', ['username' => $username, "LIMIT" => QUERY_LIMIT]);
  106. }
  107. /**
  108. * Get the account status: NORMAL, TERMINATED, LOCKED_OR_DISABLED,
  109. * CHANGE_PASSWORD, or ALERT_ON_ACCESS
  110. * @global $database $database
  111. * @param string $username
  112. * @return string
  113. */
  114. function get_account_status($username) {
  115. global $database;
  116. $loc = account_location($username);
  117. if ($loc == "LOCAL") {
  118. $statuscode = $database->select('accounts', [
  119. '[>]acctstatus' => [
  120. 'acctstatus' => 'statusid'
  121. ]
  122. ], [
  123. 'accounts.acctstatus',
  124. 'acctstatus.statuscode'
  125. ], [
  126. 'username' => $username,
  127. "LIMIT" => 1
  128. ]
  129. )[0]['statuscode'];
  130. return $statuscode;
  131. } else if ($loc == "LDAP") {
  132. // TODO: Read actual account status from AD servers
  133. return "NORMAL";
  134. } else {
  135. // account isn't setup properly
  136. return "LOCKED_OR_DISABLED";
  137. }
  138. }
  139. ////////////////////////////////////////////////////////////////////////////////
  140. // Login handling //
  141. ////////////////////////////////////////////////////////////////////////////////
  142. /**
  143. * Setup $_SESSION values to log in a user
  144. * @param string $username
  145. */
  146. function doLoginUser($username, $password) {
  147. global $database;
  148. $userinfo = $database->select('accounts', ['email', 'uid', 'realname'], ['username' => $username])[0];
  149. $_SESSION['username'] = $username;
  150. $_SESSION['uid'] = $userinfo['uid'];
  151. $_SESSION['email'] = $userinfo['email'];
  152. $_SESSION['realname'] = $userinfo['realname'];
  153. $_SESSION['password'] = $password; // needed for things like EWS
  154. $_SESSION['loggedin'] = true;
  155. }
  156. /**
  157. * Send an alert email to the system admin
  158. *
  159. * Used when an account with the status ALERT_ON_ACCESS logs in
  160. * @param String $username the account username
  161. */
  162. function sendLoginAlertEmail($username) {
  163. // TODO: add email code
  164. }
  165. ////////////////////////////////////////////////////////////////////////////////
  166. // LDAP handling //
  167. ////////////////////////////////////////////////////////////////////////////////
  168. /**
  169. * Checks the given credentials against the LDAP server.
  170. * @param string $username
  171. * @param string $password
  172. * @return mixed True if OK, else false or the error code from the server
  173. */
  174. function authenticate_user_ldap($username, $password) {
  175. global $ldap_config;
  176. if (is_empty($username) || is_empty($password)) {
  177. return false;
  178. }
  179. $ldapManager = new LdapManager($ldap_config);
  180. $msg = "";
  181. $code = 0;
  182. if ($ldapManager->authenticate($username, $password, $msg, $code)) {
  183. return true;
  184. } else {
  185. return $code;
  186. }
  187. }
  188. /**
  189. * Check if a username exists on the LDAP server.
  190. * @global type $ldap_config
  191. * @param type $username
  192. * @return boolean true if yes, else false
  193. */
  194. function user_exists_ldap($username, $password) {
  195. global $ldap_config;
  196. $ldap = new LdapManager($ldap_config);
  197. if (!$ldap->authenticate($username, $password, $message, $code)) {
  198. switch ($code) {
  199. case ADResponseCodes::ACCOUNT_INVALID:
  200. return false;
  201. case ADResponseCodes::ACCOUNT_CREDENTIALS_INVALID:
  202. return true;
  203. case ADResponseCodes::ACCOUNT_RESTRICTIONS:
  204. return true;
  205. case ADResponseCodes::ACCOUNT_RESTRICTIONS_TIME:
  206. return true;
  207. case ADResponseCodes::ACCOUNT_RESTRICTIONS_DEVICE:
  208. return true;
  209. case ADResponseCodes::ACCOUNT_PASSWORD_EXPIRED:
  210. return true;
  211. case ADResponseCodes::ACCOUNT_DISABLED:
  212. return true;
  213. case ADResponseCodes::ACCOUNT_CONTEXT_IDS:
  214. return true;
  215. case ADResponseCodes::ACCOUNT_EXPIRED:
  216. return false;
  217. case ADResponseCodes::ACCOUNT_PASSWORD_MUST_CHANGE:
  218. return true;
  219. case ADResponseCodes::ACCOUNT_LOCKED:
  220. return true;
  221. default:
  222. return false;
  223. }
  224. }
  225. return true;
  226. }
  227. ////////////////////////////////////////////////////////////////////////////////
  228. // 2-factor authentication //
  229. ////////////////////////////////////////////////////////////////////////////////
  230. /**
  231. * Check if a user has TOTP setup
  232. * @global $database $database
  233. * @param string $username
  234. * @return boolean true if TOTP secret exists, else false
  235. */
  236. function userHasTOTP($username) {
  237. global $database;
  238. $secret = $database->select('accounts', 'authsecret', ['username' => $username])[0];
  239. if (is_empty($secret)) {
  240. return false;
  241. }
  242. return true;
  243. }
  244. /**
  245. * Generate a TOTP secret for the given user.
  246. * @param string $username
  247. * @return string OTP provisioning URI (for generating a QR code)
  248. */
  249. function newTOTP($username) {
  250. global $database;
  251. $secret = random_bytes(20);
  252. $encoded_secret = Base32::encode($secret);
  253. $userdata = $database->select('accounts', ['email', 'authsecret', 'realname'], ['username' => $username])[0];
  254. $totp = new TOTP((is_null($userdata['email']) ? $userdata['realname'] : $userdata['email']), $encoded_secret);
  255. $totp->setIssuer(SYSTEM_NAME);
  256. return $totp->getProvisioningUri();
  257. }
  258. /**
  259. * Save a TOTP secret for the user.
  260. * @global $database $database
  261. * @param string $username
  262. * @param string $secret
  263. */
  264. function saveTOTP($username, $secret) {
  265. global $database;
  266. $database->update('accounts', ['authsecret' => $secret], ['username' => $username]);
  267. }
  268. /**
  269. * Verify a TOTP multiauth code
  270. * @global $database
  271. * @param string $username
  272. * @param int $code
  273. * @return boolean true if it's legit, else false
  274. */
  275. function verifyTOTP($username, $code) {
  276. global $database;
  277. $userdata = $database->select('accounts', ['email', 'authsecret'], ['username' => $username])[0];
  278. if (is_empty($userdata['authsecret'])) {
  279. return false;
  280. }
  281. $totp = new TOTP(null, $userdata['authsecret']);
  282. return $totp->verify($code);
  283. }