Commit | Line | Data |
---|---|---|
b325120a | 1 | <?php |
e673ee24 DO |
2 | /* |
3 | ||
4 | Authentication library for RackTables. | |
5 | ||
6 | */ | |
7 | ||
8 | // This function ensures that we don't continue without a legitimate | |
9 | // username and password. | |
10 | function authenticate () | |
11 | { | |
e673ee24 DO |
12 | if |
13 | ( | |
14 | !isset ($_SERVER['PHP_AUTH_USER']) or | |
15 | !isset ($_SERVER['PHP_AUTH_PW']) or | |
4eb5efb7 DO |
16 | !authenticated ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) or |
17 | isset ($_REQUEST['logout']) | |
e673ee24 DO |
18 | ) |
19 | { | |
9c0b0016 | 20 | header ('WWW-Authenticate: Basic realm="' . getConfigVar ('enterprise') . ' RackTables access"'); |
e673ee24 DO |
21 | header ('HTTP/1.0 401 Unauthorized'); |
22 | showError ('This system requires authentication. You should use a username and a password.'); | |
23 | die(); | |
24 | } | |
25 | } | |
26 | ||
da958e52 DO |
27 | // Merge accumulated tags into a single chain, add location-specific |
28 | // autotags and try getting access clearance. Page and tab are mandatory, | |
29 | // operation is optional. | |
46f92ff7 | 30 | function permitted ($p = NULL, $t = NULL, $o = NULL, $annex = array()) |
e673ee24 | 31 | { |
da958e52 DO |
32 | global $pageno, $tabno, $op; |
33 | global | |
34 | $user_tags, | |
35 | $auto_tags, | |
36 | $expl_tags, | |
37 | $impl_tags; | |
38 | ||
39 | if ($p === NULL) | |
40 | $p = $pageno; | |
41 | if ($t === NULL) | |
42 | $t = $tabno; | |
43 | $subject = array_merge | |
44 | ( | |
45 | $user_tags, | |
46 | $auto_tags, | |
47 | $expl_tags, | |
46f92ff7 DO |
48 | $impl_tags, |
49 | $annex | |
da958e52 DO |
50 | ); |
51 | $subject[] = array ('tag' => '$page_' . $p); | |
52 | $subject[] = array ('tag' => '$tab_' . $t); | |
53 | if ($o === NULL and isset ($op)) | |
7a4fcf70 | 54 | { |
da958e52 | 55 | $subject[] = array ('tag' => '$op_' . $op); |
7a4fcf70 DO |
56 | $subject[] = array ('tag' => '$any_op'); |
57 | } | |
da958e52 | 58 | return gotClearanceForTagChain ($subject); |
e673ee24 DO |
59 | } |
60 | ||
810e3422 | 61 | function accessibleSubpage ($p) |
b9bd9897 | 62 | { |
da958e52 DO |
63 | global $user_tags; |
64 | $subject = $user_tags; | |
65 | $subject[] = array ('tag' => '$page_' . $p); | |
810e3422 | 66 | $subject[] = array ('tag' => '$tab_default'); |
da958e52 | 67 | return gotClearanceForTagChain ($subject); |
b9bd9897 DO |
68 | } |
69 | ||
e673ee24 DO |
70 | // This function returns TRUE, if username and password are valid. |
71 | function authenticated ($username, $password) | |
72 | { | |
73 | global $accounts; | |
b9bd9897 | 74 | if (!isset ($accounts[$username]) or $accounts[$username]['user_enabled'] != 'yes') |
e673ee24 | 75 | return FALSE; |
7dfd5e44 DO |
76 | // Always authenticate the administrator locally, thus giving him a chance |
77 | // to fix broken installation. | |
78 | if ($accounts[$username]['user_id'] == 1) | |
79 | return authenticated_via_database ($username, $password); | |
80 | switch (getConfigVar ('USER_AUTH_SRC')) | |
81 | { | |
82 | case 'database': | |
83 | return authenticated_via_database ($username, $password); | |
84 | break; | |
85 | case 'ldap': | |
86 | return authenticated_via_ldap ($username, $password); | |
87 | break; | |
88 | default: | |
89 | showError ("Unknown user authentication source configured.", __FUNCTION__); | |
90 | return FALSE; | |
91 | break; | |
92 | } | |
93 | // and just to be sure... | |
94 | return FALSE; | |
95 | } | |
96 | ||
97 | function authenticated_via_ldap ($username, $password) | |
98 | { | |
ae65938e DO |
99 | global $ldap_server, $ldap_domain; |
100 | if ($connect = @ldap_connect ($ldap_server)) | |
101 | if ($bind = @ldap_bind ($connect, "${username}@${ldap_domain}", $password)) | |
102 | { | |
103 | @ldap_close ($connect); | |
104 | return TRUE; | |
105 | } | |
106 | @ldap_close ($connect); | |
7dfd5e44 DO |
107 | return FALSE; |
108 | } | |
109 | ||
110 | function authenticated_via_database ($username, $password) | |
111 | { | |
112 | global $accounts; | |
113 | if (!defined ('HASH_HMAC')) | |
114 | { | |
115 | showError ('Fatal error: PHP hash extension is missing', __FUNCTION__); | |
116 | die(); | |
117 | } | |
118 | if (array_search (PASSWORD_HASH, hash_algos()) === FALSE) | |
119 | { | |
120 | showError ('Password hash not supported, authentication impossible.', __FUNCTION__); | |
121 | die(); | |
122 | } | |
123 | if (!isset ($accounts[$username]['user_password_hash'])) | |
124 | return FALSE; | |
e673ee24 DO |
125 | if ($accounts[$username]['user_password_hash'] == hash (PASSWORD_HASH, $password)) |
126 | return TRUE; | |
127 | return FALSE; | |
128 | } | |
129 | ||
e673ee24 DO |
130 | // This function returns password hash for given user ID. |
131 | function getHashByID ($user_id = 0) | |
132 | { | |
133 | if ($user_id <= 0) | |
134 | { | |
b09549b3 | 135 | showError ('Invalid user_id', __FUNCTION__); |
e673ee24 DO |
136 | return NULL; |
137 | } | |
138 | global $accounts; | |
139 | foreach ($accounts as $account) | |
140 | if ($account['user_id'] == $user_id) | |
141 | return $account['user_password_hash']; | |
142 | return NULL; | |
143 | } | |
144 | ||
b9bd9897 DO |
145 | // Likewise. |
146 | function getUsernameByID ($user_id = 0) | |
147 | { | |
148 | if ($user_id <= 0) | |
149 | { | |
150 | showError ('Invalid user_id', __FUNCTION__); | |
151 | return NULL; | |
152 | } | |
153 | global $accounts; | |
154 | foreach ($accounts as $account) | |
155 | if ($account['user_id'] == $user_id) | |
156 | return $account['user_name']; | |
157 | showError ("User with ID '${user_id}' not found!"); | |
158 | return NULL; | |
159 | } | |
160 | ||
e673ee24 | 161 | ?> |