r1975 + get rid of the old user permission table
[racktables] / inc / auth.php
b325120a 1<?php
2/*
3
4Authentication library for RackTables.
5
6*/
7
8// This function ensures that we don't continue without a legitimate
9// username and password.
10function authenticate ()
11{
12 if
13 (
14 !isset ($_SERVER['PHP_AUTH_USER']) or
15 !isset ($_SERVER['PHP_AUTH_PW']) or
16 !authenticated ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) or
17 isset ($_REQUEST['logout'])
18 )
19 {
9c0b0016 20 header ('WWW-Authenticate: Basic realm="' . getConfigVar ('enterprise') . ' RackTables access"');
21 header ('HTTP/1.0 401 Unauthorized');
22 showError ('This system requires authentication. You should use a username and a password.');
23 die();
24 }
25}
26
27// Show error unless the user is allowed access here.
28function authorize ()
29{
30 global $remote_username, $pageno, $tabno, $expl_tags, $impl_tags, $auto_tags, $verdict;
31 if (gotClearanceForTagChain (array_merge ($expl_tags, $impl_tags, $auto_tags)))
32 $verdict = 'yes';
33 else
34 $verdict = 'no';
35 if (!authorized ($remote_username, $pageno, $tabno))
36 {
37 showError ("User '${remote_username}' is not allowed to access here.");
38 die();
39 }
40}
41
42// This function returns TRUE, if username and password are valid.
43function authenticated ($username, $password)
44{
45 global $accounts;
46 if ($accounts[$username]['user_enabled'] != 'yes')
47 return FALSE;
48 // Always authenticate the administrator locally, thus giving him a chance
49 // to fix broken installation.
50 if ($accounts[$username]['user_id'] == 1)
51 return authenticated_via_database ($username, $password);
52 switch (getConfigVar ('USER_AUTH_SRC'))
53 {
54 case 'database':
55 return authenticated_via_database ($username, $password);
56 break;
57 case 'ldap':
58 return authenticated_via_ldap ($username, $password);
59 break;
60 default:
61 showError ("Unknown user authentication source configured.", __FUNCTION__);
62 return FALSE;
63 break;
64 }
65 // and just to be sure...
66 return FALSE;
67}
68
69function authenticated_via_ldap ($username, $password)
70{
71 global $ldap_server, $ldap_domain;
72 if ($connect = @ldap_connect ($ldap_server))
73 if ($bind = @ldap_bind ($connect, "${username}@${ldap_domain}", $password))
74 {
75 @ldap_close ($connect);
76 return TRUE;
77 }
78 @ldap_close ($connect);
79 return FALSE;
80}
81
82function authenticated_via_database ($username, $password)
83{
84 global $accounts;
85 if (!defined ('HASH_HMAC'))
86 {
87 showError ('Fatal error: PHP hash extension is missing', __FUNCTION__);
88 die();
89 }
90 if (array_search (PASSWORD_HASH, hash_algos()) === FALSE)
91 {
92 showError ('Password hash not supported, authentication impossible.', __FUNCTION__);
93 die();
94 }
95 if (!isset ($accounts[$username]['user_password_hash']))
96 return FALSE;
97 if ($accounts[$username]['user_password_hash'] == hash (PASSWORD_HASH, $password))
98 return TRUE;
99 return FALSE;
100}
101
102// This function returns TRUE, if specified user has access to the
103// page and tab.
104function authorized ($username, $pageno, $tabno)
105{
106 global $perms;
107 // Deny access by default, then accumulate all corrections from database.
108 // Order of nested cycles is important here!
109 // '%' as page or tab name has a special value and means "any".
110 // 0 as user_id means "any user".
111 $answer = 'no';
112 foreach (array ('%', $username) as $u)
113 foreach (array ('%', $tabno) as $t)
114 foreach (array ('%', $pageno) as $p)
115 if (isset ($perms[$u][$p][$t]))
116 $answer = $perms[$u][$p][$t];
117 if ($answer == 'yes')
118 return TRUE;
119 return FALSE;
120}
121
122// This function returns password hash for given user ID.
123function getHashByID ($user_id = 0)
124{
125 if ($user_id <= 0)
126 {
b09549b3 127 showError ('Invalid user_id', __FUNCTION__);
128 return NULL;
129 }
130 global $accounts;
131 foreach ($accounts as $account)
132 if ($account['user_id'] == $user_id)
133 return $account['user_password_hash'];
134 return NULL;
135}
136
137?>
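Review bot: authenticated_via_ldap passes whatever password it receives straight to ldap_bind(), and because authenticate() only tests isset() on PHP_AUTH_PW an empty password can reach that bind, which directories commonly treat as an anonymous (unauthenticated) bind that succeeds; the function should refuse empty credentials before connecting, `if ($password == '') return FALSE;` as its first statement after the global line. Separately, authenticated_via_database compares the stored digest with `==`, which subjects two hex strings to PHP's numeric-string juggling and is not constant-time; `if ($accounts[$username]['user_password_hash'] === hash (PASSWORD_HASH, $password))` is the minimal change, with hash_equals() preferred where the PHP version provides it. Both authenticated() and authenticated_via_database also index $accounts[$username] before checking that the username exists, so an unknown user produces an undefined-index notice rather than a clean FALSE; an `if (!isset ($accounts[$username])) return FALSE;` guard at the top of authenticated() closes that. The @-suppression on the ldap_* calls also hides the bind failure reason, so the error is never available to logs when investigating failed logins.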