Example #1
 function setCurrentUser(&$User)
 {
     // Makes $User the current user in four places, in this order: this
     // object's CurrentUser property, the controller, the session, and the
     // static User class.
     //
     // NOTE(review): nothing in this method checks that $User has actually
     // been authenticated; callers are responsible for that. If the session
     // helper attaches the identity to an already-existing session, confirm
     // the session id is regenerated at that point (session fixation).

     // Both the parameter (&$User) and this assignment (=&) bind by
     // reference, so the property aliases the caller's variable instead of
     // holding a copy.
     $this->CurrentUser =& $User;
     // Helper bodies are not visible here; judging by their names they push
     // the same user to the controller and to the session.
     $this->setCurrentUserOnController($User);
     $this->setCurrentUserOnSession($User);
     User::setCurrentUser($User);
 }
 /**
  * Attempts to login a user against the authentication source
  *
  * If successful, returns a User object
  *
  * @param string $username A valid identifying token for the source. Not
  *                         necessarily unique. For local users, both username
  *                         and email are valid.
  * @param string $password Clear text password.
  * @param string $errmsg   Reference of error message
  * @param int $errno       Reference to error code
  *
  * @return object The actual User object if login was successful, false
  *                otherwise.
  */
 public function login($username, $password, &$errmsg = null, &$errno = 0)
 {
     // Local-account login: looks the user up by username or e-mail within
     // this authenticator's network, compares the stored password hash in
     // SQL, and reports the outcome through the return value plus the
     // by-reference $errmsg / $errno.
     //
     // NOTE(review): the disabled debug line below would print the clear-text
     // password into the response if it were ever re-enabled; safer deleted.
     //echo "DEBUG:  login($username, $password, $errmsg)<br/>";
     $db = AbstractDb::getObject();
     // Init values
     $retval = false;
     // The username is SQL-escaped before the emptiness check, so the check
     // below runs on the escaped string.
     $username = $db->escapeString($username);
     if (empty($username)) {
         // NOTE(review): sprintf() is called with the error text as its
         // format string and no arguments; a '%' in that text would be read
         // as a conversion specifier.
         $errmsg .= sprintf(getErrorText(ERR_NO_USERNAME));
         $errno = ERR_NO_USERNAME;
         $retval = false;
     } else {
         /* gbastien: this is not reusable!!, why not use password directly? */
         //$password_hash = User::passwordHash($_REQUEST['password']);
         // The hash is computed from the raw (unescaped) password.
         // NOTE(review): the algorithm behind User::passwordHash() is not
         // visible here; confirm it is a salted, slow password hash.
         $password_hash = User::passwordHash($password);
         // NOTE(review): the escaped $password is not read again in the
         // lines visible below.
         $password = $db->escapeString($password);
         // Case-insensitive networks compare lower-cased usernames; e-mail
         // is always compared through lower(email).
         $username = $this->getNetwork()->getUsernamesCaseSensitive() ? $username : strtolower($username);
         $compareto = $this->getNetwork()->getUsernamesCaseSensitive() ? 'username' : 'lower(username)';
         // NOTE(review): the query is assembled by string interpolation, so
         // its safety rests entirely on escapeString() above; a parameterized
         // query would remove that dependency if the Db layer offers one.
         // The network id is concatenated without escaping - presumably a
         // trusted configuration value, confirm.
         // NOTE(review): the pass='******' literal looks masked in this
         // listing and $password_hash is not referenced in the query as
         // shown; presumably the original interpolated the hash - confirm
         // against the real file.
         $sql = "SELECT user_id FROM users WHERE ({$compareto} = '{$username}' OR lower(email) = '{$username}') AND account_origin='" . $this->getNetwork()->getId() . "' AND pass='******'";
         $db->execSqlUniqueRes($sql, $user_info, false);
         if ($user_info != null) {
             $user = User::getObject($user_info['user_id']);
             // isUserValid() fills $errmsg / $errno itself when it refuses.
             if ($user->isUserValid($errmsg, $errno)) {
                 $retval =& $user;
                 $errmsg = _("Login successfull");
             } else {
                 $retval = false;
                 //Reason for refusal is already in $errmsg
             }
         } else {
             /*
              * This is only used to discriminate if the problem was a
              * non-existent user or a wrong password.
              *
              * NOTE(review): returning ERR_UNKNOWN_USERNAME versus
              * ERR_WRONG_PASSWORD tells the caller whether an account
              * exists (username / e-mail enumeration). If these codes reach
              * the client, consider one generic failure there and keep the
              * distinction for server-side logs. No attempt throttling is
              * visible in this method either.
              */
             $user_info = null;
             $db->execSqlUniqueRes("SELECT * FROM users WHERE ({$compareto} = '{$username}' OR lower(email) = '{$username}') AND account_origin='" . $this->getNetwork()->getId() . "'", $user_info, false);
             if ($user_info == null) {
                 $errmsg = getErrorText(ERR_UNKNOWN_USERNAME);
                 $errno = ERR_UNKNOWN_USERNAME;
             } else {
                 $errmsg = getErrorText(ERR_WRONG_PASSWORD);
                 $errno = ERR_WRONG_PASSWORD;
             }
             $retval = false;
         }
     }
     // On every failure path $retval is false here, so a failed login also
     // replaces whatever current user was set before the attempt.
     User::setCurrentUser($retval);
     return $retval;
 }
Example #3
 function unsetCurrentUser()
 {
     // Clears the current user by passing null to the static setter on User.
     // NOTE(review): only that call is visible here; whether session or
     // controller state is also cleared depends on User::setCurrentUser(),
     // which is not shown - confirm before relying on this as a full logout.
     User::setCurrentUser(null);
 }
 /**
  * Attempts to login a user against the authentication source
  *
  * If successful, returns a User object
  *
  * @param string $username A valid identifying token for the source. Not
  *                         necessarily unique.
  * @param string $password Clear text password.
  * @param string $errmsg   Reference of error message
  *
  * @return object The actual User object if login was successful, false
  *                otherwise.
  */
 public function login($username, $password, &$errmsg = null)
 {
     // LDAP-backed login: the credentials are checked through
     // checkLdapUser(); on success the matching local user row is loaded,
     // or a new local user is created and allowed immediately.
     $db = AbstractDb::getObject();
     // Init values
     $retval = false;
     // NOTE(review): escapeString() is SQL escaping, but the escaped values
     // are also what checkLdapUser() receives below. SQL escaping is the
     // wrong encoding for an LDAP filter or bind, and it can alter passwords
     // that contain quote characters. Confirm checkLdapUser() applies
     // LDAP-specific escaping to whatever it places in a filter or DN.
     $username = $db->EscapeString($username);
     $password = $db->EscapeString($password);
     // Check if php-ldap extension is loaded
     if (Dependency::check("ldap", $errmsg)) {
         // NOTE(review): no empty-username / empty-password check is visible
         // before this call. Many directory servers treat a simple bind with
         // an empty password as an unauthenticated bind that succeeds;
         // confirm checkLdapUser() rejects empty credentials.
         if ($this->checkLdapUser($username, $password, $this->mldap_hostname, $this->mldap_o, $this->mldap_filter, $errmsg)) {
             //LDAP Authentication Successful
             // NOTE(review): the username='******' literal looks masked in
             // this listing; presumably the original interpolated the escaped
             // username - confirm against the real file.
             $sql = "SELECT user_id, pass FROM users WHERE (username='******') AND account_origin='" . $this->getNetwork()->getId() . "'";
             $db->ExecSqlUniqueRes($sql, $user_info, false);
             if ($user_info != null) {
                 $user = User::getObject($user_info['user_id']);
                 if ($user->isUserValid($errmsg)) {
                     $retval = $user;
                     // Also set again, with the same value, at the end of
                     // the method.
                     User::setCurrentUser($user);
                     $errmsg = _("Login successfull");
                 } else {
                     $retval = false;
                     //Error already been set
                 }
             } else {
                 // First successful LDAP login for this name: a local user is
                 // created with a fresh GUID and two empty-string arguments,
                 // then set to ACCOUNT_STATUS_ALLOWED right away.
                 // NOTE(review): the local account therefore inherits the
                 // directory's trust with no further validation step; make
                 // sure that is the intended provisioning policy.
                 $user = User::createUser(get_guid(), $username, $this->getNetwork(), "", "");
                 $retval =& $user;
                 $user->setAccountStatus(ACCOUNT_STATUS_ALLOWED);
                 $errmsg = _("Login successfull");
             }
         } else {
             $retval = false;
             //Error already been set
         }
     }
     // $retval is false on every failure path, so a failed attempt also
     // replaces any previously set current user.
     User::setCurrentUser($retval);
     return $retval;
 }
Example #5
        throw new Exception(_('No token specified!'));
    }
    if (!isset($_REQUEST["user_id"])) {
        throw new Exception(_('No user ID specified!'));
    }
    $validated_user = User::getObject($_REQUEST['user_id']);
    if ($db->escapeString($_REQUEST['token']) != $validated_user->getValidationToken()) {
        throw new Exception(_('The validation token does not match the one in the database.'));
    }
    if ($validated_user->getAccountStatus() == ACCOUNT_STATUS_ALLOWED) {
        throw new Exception(_('Your account has already been activated.'));
    }
    // This user wants to validate his account, the token is OK and he's not trying to pass the same token more than once
    // Activate his account and let him in NOW
    $validated_user->SetAccountStatus(ACCOUNT_STATUS_ALLOWED);
    User::setCurrentUser($validated_user);
    // Show activation message
    $smarty->assign('message', _("Your account has been succesfully activated!\n\nYou may now browse to a remote Internet address and take advantage of the free Internet access!\n\nIf you get prompted for a login, enter the username and password you have just created."));
} catch (Exception $e) {
    $smarty->assign('message', $e->getMessage());
}
$ui = MainUI::getObject();
$ui->addContent('main_area_middle', $smarty->fetch("templates/sites/validate.tpl"));
$ui->display();
/*
 * Local variables:
 * tab-width: 4
 * c-basic-offset: 4
 * c-hanging-comment-ender-p: nil
 * End:
 */
 /**
  * Attempts to login a user against the authentication source.
  *
  * If successful, returns a User object
  *
  * @param string $username A valid identifying token for the source.
  *                         Not necessarily unique.
  * @param string $password Clear text password.
  * @param string $errmsg   Reference of error message
  *
  * @return object The actual User object if login was successful,
  *                false otherwise.
  */
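 public function login($username, $password, &$errmsg = null)
 {
     // RADIUS-backed login. Sends the credentials to the configured RADIUS
     // server with the configured method (PAP, CHAP_MD5, MSCHAPv1 or
     // MSCHAPv2); on acceptance loads the matching local user, or creates
     // one and allows it immediately. Returns the User object on success and
     // false otherwise, with the reason in $errmsg.
     //
     // Changes from the previous version:
     //  - an empty username is refused before anything is sent to the
     //    server (the old comment asked for a proper fix for that case);
     //  - close() was unreachable because every branch above it returned;
     //    it now runs as soon as the exchange with the server is over.
     $db = AbstractDb::getObject();

     // Drop any previously set identity first so that no failure path below
     // can leave an earlier user in place.
     User::setCurrentUser(null);

     if ($username === null || trim((string) $username) === '') {
         $errmsg = _("Username is required");
         return false;
     }

     // Init values
     $retval = false;
     // NOTE(review): escapeString() is SQL escaping, yet the escaped values
     // are also what is sent to the RADIUS server below, so a password that
     // contains quote characters may be altered before it is checked.
     // Left unchanged here; confirm and split raw vs. SQL-escaped copies.
     $username = $db->escapeString($username);
     $password = $db->escapeString($password);

     if (!Dependency::check("Auth_RADIUS", $errmsg)) {
         return false;
     }

     /*
      * Supported encryption methods are :
      *
      * CHAP_MD5 :Challenge-Handshake Authentication Protocol with MD5
      * MSCHAPv1 and MSCHAPv2: Microsoft's CHAP implementation
      */
     // The class name is built from configuration, but only after the
     // method matched one of the four fixed case labels, so no other class
     // can be instantiated through this path.
     switch ($this->mRadius_encryption_method) {
         case "PAP":
         case "CHAP_MD5":
         case "MSCHAPv1":
         case "MSCHAPv2":
             // Instantiate PEAR class
             $classname = 'Auth_RADIUS_' . $this->mRadius_encryption_method;
             $radius_server = new $classname($username, $password);
             $radius_server->addServer($this->mRadius_hostname, $this->mRadius_auth_port, $this->mRadius_secret_key);
             break;
         default:
             // Invalid encryption method
             $errmsg = _("Invalid RADIUS encryption method.");
             return false;
     }

     // Instructing PEAR RADIUS class auth parameters
     $radius_server->username = $username;
     // Depending on the auth method, generate challenge response
     switch ($this->mRadius_encryption_method) {
         case 'CHAP_MD5':
         case 'MSCHAPv1':
             $classname = $this->mRadius_encryption_method == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';
             $crypt_class = new $classname();
             $crypt_class->password = $password;
             $radius_server->challenge = $crypt_class->challenge;
             $radius_server->chapid = $crypt_class->chapid;
             $radius_server->response = $crypt_class->challengeResponse();
             $radius_server->flags = 1;
             break;
         case 'MSCHAPv2':
             $crypt_class = new Crypt_CHAP_MSv2();
             $crypt_class->username = $username;
             $crypt_class->password = $password;
             $radius_server->challenge = $crypt_class->authChallenge;
             $radius_server->peerChallenge = $crypt_class->peerChallenge;
             $radius_server->chapid = $crypt_class->chapid;
             $radius_server->response = $crypt_class->challengeResponse();
             break;
         default:
             // PAP: the password itself is handed to the RADIUS class.
             $radius_server->password = $password;
             break;
     }

     if (!$radius_server->start()) {
         $errmsg = _("Could not initiate PEAR RADIUS Auth class : " . $radius_server->getError());
         return false;
     }

     // Send the authentication request to the RADIUS server
     $result = $radius_server->send();
     // The exchange is finished whatever the answer was; release the
     // RADIUS object now so that no outcome below can skip it.
     $radius_server->close();

     if (PEAR::isError($result)) {
         $errmsg = _("Failed to send authentication request to the RADIUS server. : " . $result->getMessage());
         return false;
     }

     // Only a strict boolean true counts as acceptance.
     if ($result !== true) {
         $errmsg = _("The RADIUS server rejected this username/password combination.");
         return false;
     }

     // RADIUS authentication succeeded!
     // Now checking for local copy of this user
     $user_info = null;
     // NOTE(review): the username='******' literal looks masked in this
     // listing; presumably the original interpolated the escaped username -
     // confirm against the real file.
     $sql = "SELECT user_id, pass FROM users WHERE (username='******') AND account_origin='" . $this->getNetwork()->getId() . "'";
     $db->execSqlUniqueRes($sql, $user_info, false);

     if ($user_info != null) {
         $user = User::getObject($user_info['user_id']);
         if ($user->isUserValid($errmsg)) {
             $retval = $user;
             User::setCurrentUser($user);
             $errmsg = _("Login successfull");
         }
         // Otherwise $retval stays false and the reason for refusal is
         // already in $errmsg.
         return $retval;
     }

     /*
      * This user has been successfully authenticated through
      * remote RADIUS, but it's not yet in our local database.
      * Creating the user with a Global Unique ID, empty email
      * and password.
      * Local database password hashing is based on an empty
      * string (we do not store remote passwords).
      */
     $user = User::createUser(get_guid(), $username, $this->getNetwork(), "", "");
     // Validate the user right away !
     $user->setAccountStatus(ACCOUNT_STATUS_ALLOWED);
     User::setCurrentUser($user);
     $errmsg = _("Login successfull");
     return $user;
 }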
Example #7
}
/**
 * Start login process section.
 *
 * If successful, the browser is redirected to another page
 */
/*
 * If this is a splash-only node, skip the login interface and log-in using
 * the splash_only user
 */
// Splash-only shortcut: no credentials are asked for. The network's
// splash-only user becomes the current user and the browser is redirected.
// $node, $network, $gw_address, $gw_port and $mac are set outside this
// excerpt.
if (!empty($node) && $node->isSplashOnly()) {
    if (!empty($gw_address) && !empty($gw_port)) {
        // Login from a gateway, redirect to the gateway to activate the token
        $user = $network->getSplashOnlyUser();
        $token = $user->generateConnectionToken($mac);
        User::setCurrentUser($user);
        // NOTE(review): the Location value is built by concatenating
        // $gw_address and $gw_port. If those come from request parameters
        // (not visible here), the freshly generated token is delivered to
        // whatever host the client named; validate them or take the address
        // from the node record. The redirect is plain http with the token in
        // the query string, so it can show up in proxy and server logs.
        header("Location: http://" . $gw_address . ":" . $gw_port . "/wifidog/auth?token=" . $token);
    } else {
        // Virtual login, redirect to the auth server homepage
        header("Location: " . BASE_SSL_PATH);
    }
    // NOTE(review): no exit follows either header() call, so execution
    // continues into the code after this block even though a redirect was
    // issued - confirm that is intended.
}
/*
 * Normal login process
 */
if (!empty($_REQUEST["login_form_submit"])) {
    // Init values
    $errmsg = '';
    $user = User::getCurrentUser();
    if (!$user) {
        //Normally, we already have a user logged-in (processed by process_login_out.php).  But we try again, if only to display the error
Example #8
 /**
  * Verify the given user credentials against the wifidog database
  * @param $username   The username to authenticate
  * @param $password   The password, passed as given to the authenticator's login()
  * @param $gw_id      The gateway id
  * @param $gw_ip      The gateway's ip address
  * @param $mac        The mac address of the user
  * @param $gw_port    The port of the gateway's http server
  * @param $from       The ip address of the user on the node
  * @param $logout     Whether the user wants to logout
  * @return void       The outcome is stored in $this->_outputArr
  */
 protected function executeAuth($username = null, $password = null, $gw_id = null, $gw_ip = null, $mac = null, $gw_port = null, $from = null, $logout = false)
 {
     // Web-service authentication entry point. Writes its result into
     // $this->_outputArr: 'auth' (0 or 1), on failure 'explanation' and
     // 'errorcode', and 'forwardTo' when a connection token was produced.

     // Default to "not authenticated"; only the branches below flip it.
     $this->_outputArr['auth'] = 0;
     require_once 'classes/Node.php';
     require_once 'classes/User.php';
     require_once 'classes/Network.php';
     require_once 'classes/Authenticator.php';
     if (!is_null($gw_id)) {
         // A gateway login needs the gateway address, port and client IP.
         if (is_null($gw_ip) || is_null($gw_port) || is_null($from)) {
             throw new WSException("Missing information on the gateway.  You must specify parameter 'gw_address' AND 'gw_port' AND 'from_ip' if the parameter 'gw_id' is specified.", WSException::INVALID_PARAMETER);
         }
         $node = Node::getObjectByGatewayId($gw_id);
         if ($node) {
             $network = $node->getNetwork();
         } else {
             // NOTE(review): the caller-supplied $gw_id is echoed back in
             // the exception text; make sure it is encoded wherever that
             // message is rendered.
             throw new WSException("Node identified by {$gw_id} cannot be found", WSException::PROCESS_ERROR);
         }
     } else {
         // Gateway ID is not set ... virtual login
         $network = Network::getCurrentNetwork();
         $node = null;
     }
     /*
      * If this is a splash-only node, then the user is automatically authenticated
      */
     $token = null;
     if (!empty($node) && $node->isSplashOnly()) {
         // No credentials are checked on this branch; 'auth' is set before
         // the token is generated.
         $this->_outputArr['auth'] = 1;
         $user = $network->getSplashOnlyUser();
         $token = $user->generateConnectionTokenNoSession($node, $from, $mac);
         if (!$token) {
             throw new WSException("User authenticated but cannot generate connection token.", WSException::PROCESS_ERROR);
         }
     } else {
         if (!$logout) {
             // Authenticate the user on the requested network
             // $errMsg and $errNo are created here by being passed by
             // reference.
             $user = $network->getAuthenticator()->login($username, $password, $errMsg, $errNo);
             if (!$user) {
                 $this->_outputArr['auth'] = 0;
                 // NOTE(review): the authenticator's message and code go to
                 // the caller unchanged; if the authenticator distinguishes
                 // "unknown user" from "wrong password", this response lets
                 // a client enumerate accounts.
                 $this->_outputArr['explanation'] = $errMsg;
                 $this->_outputArr['errorcode'] = $errNo;
             } else {
                 $this->_outputArr['auth'] = 1;
                 if (!is_null($node)) {
                     $token = $user->generateConnectionTokenNoSession($node, $from, $mac);
                     if (!$token) {
                         throw new WSException("User authenticated but cannot generate connection token.", WSException::PROCESS_ERROR);
                     }
                 }
             }
         } else {
             // NOTE(review): the logout branch looks the user up by name
             // only; $password is never checked here. Any caller able to
             // reach this method with a known username or e-mail can make
             // that account the current user and log it out. Confirm the
             // endpoint is otherwise authenticated. The lookup result is not
             // checked for a missing user before it is used, and 'auth' is
             // set to 1 regardless.
             $user = User::getUserByUsernameOrEmail($username);
             User::setCurrentUser($user);
             $network->getAuthenticator()->logout();
             $this->_outputArr['auth'] = 1;
         }
     }
     if ($this->_outputArr['auth'] == 1 && !is_null($token)) {
         // NOTE(review): the forward URL is built from the caller-supplied
         // $gw_ip and $gw_port rather than from the node record, and carries
         // the token in the query string over plain http. Validate both
         // values (or take the address from $node) so the token cannot be
         // directed to an arbitrary host.
         $this->_outputArr['forwardTo'] = "http://" . $gw_ip . ":" . $gw_port . "/wifidog/auth?token=" . $token;
     }
 }