RackTables git mirrors - racktables/blob - inc/auth.php

   1 <?php
   2 /*
   3
   4 Authentication library for RackTables.
   5
   6 */
   7
   8 // This function ensures that we don't continue without a legitimate
   9 // username and password.
  10 function authenticate ()
  11 {
  12         if
  13         (
  14                 !isset ($_SERVER['PHP_AUTH_USER']) or
  15                 !isset ($_SERVER['PHP_AUTH_PW']) or
  16                 !authenticated ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) or
  17                 isset ($_REQUEST['logout'])
  18         )
  19         {
  20                 header ('WWW-Authenticate: Basic realm="' . getConfigVar ('enterprise') . ' RackTables access"');
  21                 header ('HTTP/1.0 401 Unauthorized');
  22                 showError ('This system requires authentication. You should use a username and a password.');
  23                 die();
  24         }
  25 }
  26
  27 // Merge accumulated tags into a single chain, add location-specific
  28 // autotags and try getting access clearance. Page and tab are mandatory,
  29 // operation is optional.
  30 function permitted ($p = NULL, $t = NULL, $o = NULL, $annex = array())
  31 {
  32         global $pageno, $tabno, $op;
  33         global
  34                 $user_tags,
  35                 $auto_tags,
  36                 $expl_tags,
  37                 $impl_tags;
  38
  39         if ($p === NULL)
  40                 $p = $pageno;
  41         if ($t === NULL)
  42                 $t = $tabno;
  43         $subject = array_merge
  44         (
  45                 $user_tags,
  46                 $auto_tags,
  47                 $expl_tags,
  48                 $impl_tags,
  49                 $annex
  50         );
  51         $subject[] = array ('tag' => '$page_' . $p);
  52         $subject[] = array ('tag' => '$tab_' . $t);
  53         if ($o === NULL and isset ($op))
  54         {
  55                 $subject[] = array ('tag' => '$op_' . $op);
  56                 $subject[] = array ('tag' => '$any_op');
  57         }
  58         return gotClearanceForTagChain ($subject);
  59 }
  60
  61 function accessibleSubpage ($p)
  62 {
  63         global $user_tags;
  64         $subject = $user_tags;
  65         $subject[] = array ('tag' => '$page_' . $p);
  66         $subject[] = array ('tag' => '$tab_default');
  67         return gotClearanceForTagChain ($subject);
  68 }
  69
  70 // This function returns TRUE, if username and password are valid.
  71 function authenticated ($username, $password)
  72 {
  73         global $accounts;
  74         if (!isset ($accounts[$username]) or $accounts[$username]['user_enabled'] != 'yes')
  75                 return FALSE;
  76         // Always authenticate the administrator locally, thus giving him a chance
  77         // to fix broken installation.
  78         if ($accounts[$username]['user_id'] == 1)
  79                 return authenticated_via_database ($username, $password);
  80         switch (getConfigVar ('USER_AUTH_SRC'))
  81         {
  82                 case 'database':
  83                         return authenticated_via_database ($username, $password);
  84                         break;
  85                 case 'ldap':
  86                         return authenticated_via_ldap ($username, $password);
  87                         break;
  88                 default:
  89                         showError ("Unknown user authentication source configured.", __FUNCTION__);
  90                         return FALSE;
  91                         break;
  92         }
  93         // and just to be sure...
  94         return FALSE;
  95 }
  96
  97 function authenticated_via_ldap ($username, $password)
  98 {
  99         global $ldap_server, $ldap_domain;
 100         if ($connect = @ldap_connect ($ldap_server))
 101                 if ($bind = @ldap_bind ($connect, "${username}@${ldap_domain}", $password))
 102                 {
 103                         @ldap_close ($connect);
 104                         return TRUE;
 105                 }
 106         @ldap_close ($connect);
 107         return FALSE;
 108 }
 109
 110 function authenticated_via_database ($username, $password)
 111 {
 112         global $accounts;
 113         if (!defined ('HASH_HMAC'))
 114         {
 115                 showError ('Fatal error: PHP hash extension is missing', __FUNCTION__);
 116                 die();
 117         }
 118         if (array_search (PASSWORD_HASH, hash_algos()) === FALSE)
 119         {
 120                 showError ('Password hash not supported, authentication impossible.', __FUNCTION__);
 121                 die();
 122         }
 123         if (!isset ($accounts[$username]['user_password_hash']))
 124                 return FALSE;
 125         if ($accounts[$username]['user_password_hash'] == hash (PASSWORD_HASH, $password))
 126                 return TRUE;
 127         return FALSE;
 128 }
 129
 130 // This function returns password hash for given user ID.
 131 function getHashByID ($user_id = 0)
 132 {
 133         if ($user_id <= 0)
 134         {
 135                 showError ('Invalid user_id', __FUNCTION__);
 136                 return NULL;
 137         }
 138         global $accounts;
 139         foreach ($accounts as $account)
 140                 if ($account['user_id'] == $user_id)
 141                         return $account['user_password_hash'];
 142         return NULL;
 143 }
 144
 145 // Likewise.
 146 function getUsernameByID ($user_id = 0)
 147 {
 148         if ($user_id <= 0)
 149         {
 150                 showError ('Invalid user_id', __FUNCTION__);
 151                 return NULL;
 152         }
 153         global $accounts;
 154         foreach ($accounts as $account)
 155                 if ($account['user_id'] == $user_id)
 156                         return $account['user_name'];
 157         showError ("User with ID '${user_id}' not found!");
 158         return NULL;
 159 }
 160
 161 ?>