<?php
/*

Authentication library for RackTables.

*/

// This function stops request processing unless the request carries HTTP
// Basic credentials that authenticated() accepts.
function authenticate ()
{
	// Refuse to proceed unless the request carries HTTP Basic credentials that
	// authenticated() accepts. Evaluation order matters and is kept as before:
	// the credentials are verified (which may involve an LDAP bind) before the
	// 'logout' parameter is looked at; a request carrying 'logout' always ends
	// in a 401 so that the browser forgets its cached credentials.
	$credentials_present = isset ($_SERVER['PHP_AUTH_USER']) && isset ($_SERVER['PHP_AUTH_PW']);
	$access_granted =
		$credentials_present &&
		authenticated ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) &&
		!isset ($_REQUEST['logout']);
	if ($access_granted)
		return;
	// The realm is built from the admin-controlled 'enterprise' config value;
	// a double quote inside that value would break the quoted realm string.
	$realm = getConfigVar ('enterprise') . ' RackTables access';
	header ('WWW-Authenticate: Basic realm="' . $realm . '"');
	header ('HTTP/1.0 401 Unauthorized');
	showError ('This system requires authentication. You should use a username and a password.');
	die();
}
// Merge accumulated tags into a single chain, add location-specific
// autotags and try getting access clearance. Page and tab default to the
// ones of the current request; operation is optional.
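function permitted ($p = NULL, $t = NULL, $o = NULL, $annex = array())
{
	// Build the subject tag chain (user tags, autotags, explicit and implicit
	// tags, plus whatever the caller adds in $annex), append the $page_*,
	// $tab_* and $op_*/$any_op autotags for the location being checked and
	// ask gotClearanceForTagChain() for the verdict.
	// $p, $t and $o default to the current request's page, tab and operation.
	global $pageno, $tabno, $op;
	global
		$user_tags,
		$auto_tags,
		$expl_tags,
		$impl_tags;

	if ($p === NULL)
		$p = $pageno;
	if ($t === NULL)
		$t = $tabno;
	if ($o === NULL and isset ($op))
		$o = $op;
	$subject = array_merge
	(
		$user_tags,
		$auto_tags,
		$expl_tags,
		$impl_tags,
		$annex
	);
	$subject[] = array ('tag' => '$page_' . $p);
	$subject[] = array ('tag' => '$tab_' . $t);
	// An explicitly passed $o used to be ignored: only the request's own $op
	// was ever tagged, so a caller asking about a specific operation got an
	// answer without the $op_*/$any_op tags. Now the resolved operation,
	// whichever way it was supplied, is always part of the chain.
	if ($o !== NULL)
	{
		$subject[] = array ('tag' => '$op_' . $o);
		$subject[] = array ('tag' => '$any_op');
	}
	return gotClearanceForTagChain ($subject);
}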
function accessibleSubpage ($p)
{
	// Clearance check for page $p at its default tab, judged on the user's
	// own tags only. NOTE(review): unlike permitted(), the chain built here
	// carries no auto/explicit/implicit tags and no $op_* tag — presumably
	// meant for menu rendering rather than enforcement; confirm with callers.
	global $user_tags;
	$chain = $user_tags;
	foreach (array ('$page_' . $p, '$tab_default') as $autotag)
		$chain[] = array ('tag' => $autotag);
	return gotClearanceForTagChain ($chain);
}
// This function returns TRUE, if username and password are valid.
function authenticated ($username, $password)
{
	// Unknown or disabled accounts fail closed before any backend is consulted.
	global $accounts;
	if (!isset ($accounts[$username]))
		return FALSE;
	$account = $accounts[$username];
	if ($account['user_enabled'] != 'yes')
		return FALSE;
	// user_id 1 (the built-in administrator) is always verified against the
	// local password hash, so a broken LDAP setup can still be repaired.
	if ($account['user_id'] == 1)
		return authenticated_via_database ($username, $password);
	$source = getConfigVar ('USER_AUTH_SRC');
	if ($source == 'database')
		return authenticated_via_database ($username, $password);
	if ($source == 'ldap')
		return authenticated_via_ldap ($username, $password);
	// Any other (mis)configuration denies access instead of guessing a backend.
	showError ("Unknown user authentication source configured.", __FUNCTION__);
	return FALSE;
}
96
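// This function returns TRUE, if the directory server accepts a simple bind
// as the user. The bind name is "$username@$ldap_domain", or — when a search
// base and attribute are configured — the DN found by searching for the user.
// The search itself is issued on the freshly opened, unbound connection, so
// the server has to allow anonymous search of $ldap_search_attr for that path.
function authenticated_via_ldap ($username, $password)
{
	global $ldap_server, $ldap_domain, $ldap_search_dn, $ldap_search_attr;
	// A simple bind with a name and an EMPTY password is an "unauthenticated
	// bind" (RFC 4513 5.1.2) that most directory servers accept as anonymous,
	// which would let any known username log in without a password. The
	// caller only checks isset() on PHP_AUTH_PW, so an empty string gets here.
	if ($password === NULL or $password === '')
		return FALSE;
	// The username comes from the HTTP Basic header. Escape the characters
	// with special meaning in a search filter (RFC 4515) so it cannot change
	// the filter below; ldap_escape() does this on PHP >= 5.6 only. The caller
	// already requires the name to match a local account, which limits the
	// exposure — this is defence in depth.
	$filter_value = str_replace
	(
		array ('\\', '*', '(', ')', "\x00"),
		array ('\\5c', '\\2a', '\\28', '\\29', '\\00'),
		$username
	);
	$connect = @ldap_connect ($ldap_server);
	if (!$connect)
		return FALSE;
	if (empty ($ldap_search_dn) or empty ($ldap_search_attr))
		$user_name = $username . "@" . $ldap_domain;
	else
	{
		$results = @ldap_search ($connect, $ldap_search_dn, "({$ldap_search_attr}={$filter_value})", array ("dn"));
		// Exactly one match is required; zero or several means the name is
		// ambiguous and must not be bound against.
		if ($results === FALSE or @ldap_count_entries ($connect, $results) != 1)
		{
			@ldap_close ($connect);
			return FALSE;
		}
		$info = @ldap_get_entries ($connect, $results);
		$user_name = $info[0]['dn'];
	}
	$bound = @ldap_bind ($connect, $user_name, $password);
	@ldap_close ($connect);
	return $bound ? TRUE : FALSE;
}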
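// This function returns TRUE, if hash (PASSWORD_HASH, $password) equals the
// hash stored for the account. The stored digest is unsalted, so equal
// passwords give equal digests and a leaked table can be attacked offline;
// password_hash()/password_verify() would be the upgrade path, but that
// requires a storage/migration change and is out of scope here.
// Dies (via showError) when the hash extension or PASSWORD_HASH is unavailable.
function authenticated_via_database ($username, $password)
{
	global $accounts;
	if (!defined ('HASH_HMAC'))
	{
		showError ('Fatal error: PHP hash extension is missing', __FUNCTION__);
		die();
	}
	if (!in_array (PASSWORD_HASH, hash_algos(), TRUE))
	{
		showError ('Password hash not supported, authentication impossible.', __FUNCTION__);
		die();
	}
	if (!isset ($accounts[$username]['user_password_hash']))
		return FALSE;
	$stored = (string) $accounts[$username]['user_password_hash'];
	$computed = hash (PASSWORD_HASH, $password);
	// Strict comparison. With == PHP compares two numeric-looking hex digests
	// (e.g. "0e12..." vs "0e98...") as numbers, so a stored hash of that form
	// would accept every password whose digest also starts with "0e".
	// hash_equals() (PHP >= 5.6) additionally makes the check constant-time.
	if (function_exists ('hash_equals'))
		return hash_equals ($stored, $computed);
	return $stored === $computed;
}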
// This function returns the password hash for the given user ID, or NULL when
// the ID is not positive or no account carries it.
function getHashByID ($user_id = 0)
{
	// Look the account up by numeric ID (first match wins) and return its
	// stored password hash. A non-positive ID is reported via showError();
	// an unknown ID silently yields NULL.
	global $accounts;
	if ($user_id <= 0)
	{
		showError ('Invalid user_id', __FUNCTION__);
		return NULL;
	}
	$hash = NULL;
	foreach ($accounts as $account)
		if ($account['user_id'] == $user_id)
		{
			$hash = $account['user_password_hash'];
			break;
		}
	return $hash;
}
// Likewise, but returns the user name; unlike getHashByID() an unknown ID is
// reported via showError() before NULL is returned.
function getUsernameByID ($user_id = 0)
{
	// Resolve a numeric user ID to its user name (first match wins). Both a
	// non-positive ID and an unknown ID go through showError() and yield NULL.
	global $accounts;
	if ($user_id <= 0)
	{
		showError ('Invalid user_id', __FUNCTION__);
		return NULL;
	}
	foreach ($accounts as $account)
	{
		if ($account['user_id'] != $user_id)
			continue;
		return $account['user_name'];
	}
	showError ("User with ID '{$user_id}' not found!");
	return NULL;
}
?>