r1913 + stick with %GPASS% and %GSKIP% delimiters
1 <?php
2 /*
3
4 Authentication library for RackTables.
5
6 */
7
// Refuse to proceed unless the request carries HTTP Basic credentials that
// authenticated() accepts. A request that contains a 'logout' parameter is
// deliberately treated as unauthenticated, so it is answered with a fresh
// challenge. On failure a 401 is sent and the script terminates.
function authenticate ()
{
	$have_credentials = isset ($_SERVER['PHP_AUTH_USER']) && isset ($_SERVER['PHP_AUTH_PW']);
	// authenticated() is only consulted when both halves of the credential are present.
	$valid = $have_credentials && authenticated ($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
	if ($valid && !isset ($_REQUEST['logout']))
		return;
	// Challenge the client; the realm text is what the browser shows in its prompt.
	header ('WWW-Authenticate: Basic realm="' . getConfigVar ('enterprise') . ' RackTables access"');
	header ('HTTP/1.0 401 Unauthorized');
	showError ('This system requires authentication. You should use a username and a password.');
	die();
}
26
// Stop the request unless the current user (global $remote_username) is
// allowed to open the current page/tab (globals $pageno/$tabno) according
// to authorized(). Prints an error and terminates otherwise.
function authorize ()
{
	global $remote_username, $pageno, $tabno;
	if (authorized ($remote_username, $pageno, $tabno))
		return;
	showError ("User '${remote_username}' is not allowed to access here.");
	die();
}
37
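// Returns TRUE if $username/$password is a valid credential, FALSE otherwise.
// Fails closed: an unknown account, a disabled account, an unknown
// USER_AUTH_SRC setting or any verification failure all yield FALSE.
function authenticated ($username, $password)
{
	global $accounts;
	// Unknown usernames come straight from the HTTP request; without this
	// guard the lookups below raise "undefined index" notices for every
	// probe of a non-existent account.
	if (!isset ($accounts[$username]))
		return FALSE;
	if (!isset ($accounts[$username]['user_enabled']) or $accounts[$username]['user_enabled'] !== 'yes')
		return FALSE;
	// Always authenticate the administrator locally, thus giving him a chance
	// to fix a broken (e.g. LDAP) installation. Loose comparison on purpose:
	// the ID may arrive from the database as a string.
	if (isset ($accounts[$username]['user_id']) and $accounts[$username]['user_id'] == 1)
		return authenticated_via_database ($username, $password);
	switch (getConfigVar ('USER_AUTH_SRC'))
	{
		case 'database':
			return authenticated_via_database ($username, $password);
		case 'ldap':
			return authenticated_via_ldap ($username, $password);
		default:
			showError ("Unknown user authentication source configured.", __FUNCTION__);
			return FALSE;
	}
}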
64
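// Verify $username/$password by binding to $ldap_server (global) as
// "<username>@<ldap_domain>". Returns TRUE only when the bind succeeds.
function authenticated_via_ldap ($username, $password)
{
	global $ldap_server, $ldap_domain;
	// An empty password must never reach ldap_bind(): directory servers
	// commonly treat a bind with an empty credential as an anonymous
	// (unauthenticated) bind and report success, which would let anyone log
	// in as any enabled account. An empty username is rejected for the same
	// reason.
	if (strlen ($username) == 0 or strlen ($password) == 0)
		return FALSE;
	$connect = @ldap_connect ($ldap_server);
	if ($connect === FALSE)
		return FALSE;
	// NOTE(review): no LDAP_OPT_PROTOCOL_VERSION and no STARTTLS/ldaps is set
	// up here, so the credential travels as the server default allows —
	// confirm against the deployment.
	$bound = @ldap_bind ($connect, "${username}@${ldap_domain}", $password);
	// Only close a handle we actually obtained.
	@ldap_close ($connect);
	return $bound ? TRUE : FALSE;
}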
77
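// Check $password against the stored digest of $username's account, using the
// algorithm named by the PASSWORD_HASH constant. Returns TRUE on a match and
// FALSE otherwise (unknown user, missing hash, wrong password). Terminates via
// showError() when the hash extension or the configured algorithm is missing,
// since no password could be verified in that state.
function authenticated_via_database ($username, $password)
{
	global $accounts;
	if (!defined ('HASH_HMAC'))
	{
		showError ('Fatal error: PHP hash extension is missing', __FUNCTION__);
		die();
	}
	// Strict membership test: algorithm names are plain strings.
	if (!in_array (PASSWORD_HASH, hash_algos(), TRUE))
	{
		showError ('Password hash not supported, authentication impossible.', __FUNCTION__);
		die();
	}
	if (!isset ($accounts[$username]['user_password_hash']))
		return FALSE;
	$stored = (string) $accounts[$username]['user_password_hash'];
	$computed = hash (PASSWORD_HASH, $password);
	// Never compare digests with '=='. Both sides are hex strings, and PHP
	// compares two numeric-looking strings ("0e12345...") as numbers, so two
	// different digests of the form 0e<digits> would be considered equal.
	// Use a strict and, where available, constant-time comparison.
	// NOTE(review): the stored value is a single unsalted digest; moving to
	// password_hash()/password_verify() needs a storage-format change and is
	// outside this function.
	if (function_exists ('hash_equals'))
		return hash_equals ($stored, $computed);
	return $stored === $computed;
}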
97
// Tell whether $username may open page $pageno, tab $tabno. $perms (global)
// is a three-level map user => page => tab => 'yes'|'no', where '%' at any
// level means "any". Rules are resolved most-specific-first: an entry for
// the exact user beats one for '%'; within a user an exact tab beats '%';
// within a tab an exact page beats '%'. The first rule found decides, and
// with no matching rule at all access is denied.
function authorized ($username, $pageno, $tabno)
{
	global $perms;
	$answer = 'no';
	// Walking from the most specific key to the wildcard and stopping at the
	// first hit yields the same rule the original "last one wins" scan did.
	foreach (array ($username, '%') as $u)
		foreach (array ($tabno, '%') as $t)
			foreach (array ($pageno, '%') as $p)
				if (isset ($perms[$u][$p][$t]))
				{
					$answer = $perms[$u][$p][$t];
					break 3;
				}
	return $answer == 'yes';
}
117
// Return the stored password hash of the account whose user_id equals
// $user_id, or NULL when no such account exists. A non-positive ID is
// reported through showError() and also yields NULL.
function getHashByID ($user_id = 0)
{
	if ($user_id <= 0)
	{
		showError ('Invalid user_id', __FUNCTION__);
		return NULL;
	}
	global $accounts;
	$hash = NULL;
	// Loose comparison kept: the ID may be stored as a string.
	foreach ($accounts as $account)
		if ($account['user_id'] == $user_id)
		{
			$hash = $account['user_password_hash'];
			break;
		}
	return $hash;
}
132
133 ?>