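/**
 * Gate access for the current request according to the global $mode.
 *
 * Three paths are selected by $mode:
 *  - 'xmlrpccall': requires HTTPS, then authenticates the caller from the
 *    X-User / X-Pass / X-APIVersion request headers using the mechanism
 *    configured in $authMechs for the user's affiliation (ldap, ITECS,
 *    local or redirect). Every failure prints an XML-RPC error, disconnects
 *    from the database and exits; the function only returns on success.
 *  - 'xmlrpcaffiliations': requires HTTPS and API version 2 only.
 *  - any other non-empty mode: unless inside a continuation, $mode must be
 *    an entry action and, for a handful of restricted areas, the user must
 *    hold the matching privilege; otherwise $mode / $actionFunction are
 *    rewritten so the request falls through to the main page.
 *
 * Works entirely on globals ($mode, $user, $actionFunction, ...) and
 * returns nothing.
 */
function checkAccess() {
	global $mode, $user, $actionFunction, $authMechs;
	global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
	global $inContinuation, $docreaders, $apiValidateFunc;
	if ($mode == 'xmlrpccall') {
		// credentials arrive in request headers, so refuse anything not sent over TLS
		if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
			printXMLRPCerror(4); # must have SSL enabled
			dbDisconnect();
			exit;
		}
		// a missing header is passed through as null instead of raising an undefined-index notice
		$rawuser = isset($_SERVER['HTTP_X_USER']) ? $_SERVER['HTTP_X_USER'] : null;
		$xmluser = processInputData($rawuser, ARG_STRING, 1);
		if (!($user = getUserInfo($xmluser))) {
			// if first call to getUserInfo fails, try calling with $noupdate set
			if (!($user = getUserInfo($xmluser, 1))) {
				$testid = $xmluser;
				$affilid = DEFAULT_AFFILID;
				getAffilidAndLogin($testid, $affilid);
				addLoginLog($testid, 'unknown', $affilid, 0);
				printXMLRPCerror(3); # access denied
				dbDisconnect();
				exit;
			}
		}
		// an empty password must never reach ldap_bind below, where a server may
		// treat it as an unauthenticated (anonymous) bind
		if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
			printXMLRPCerror(3); # access denied
			dbDisconnect();
			exit;
		}
		$xmlpass = $_SERVER['HTTP_X_PASS'];
		// get_magic_quotes_gpc() no longer exists on PHP 8; guard the call so this
		// path does not fatal there (on older PHP the behaviour is unchanged)
		if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
			$xmlpass = stripslashes($xmlpass);
		}
		$rawapiver = isset($_SERVER['HTTP_X_APIVERSION']) ? $_SERVER['HTTP_X_APIVERSION'] : null;
		$apiver = processInputData($rawapiver, ARG_NUMERIC, 1);
		if ($apiver == 1) {
			printXMLRPCerror(8); # unsupported API version
			dbDisconnect();
			exit;
		}
		elseif ($apiver == 2) {
			// pick the first mechanism configured for the user's affiliation
			$authtype = "";
			foreach ($authMechs as $key => $authmech) {
				if ($authmech['affiliationid'] == $user['affiliationid']) {
					$authtype = $key;
					break;
				}
			}
			if (empty($authtype)) {
				// NOTE(review): this is plain text rather than an XML-RPC fault like the
				// other failure paths; kept as-is because the fault code mapping is not visible here
				print "No authentication mechanism found for passed in X-User";
				dbDisconnect();
				exit;
			}
			if ($authMechs[$authtype]['type'] == 'ldap') {
				$auth = $authMechs[$authtype];
				$ds = ldap_connect("ldaps://{$auth['server']}/");
				if (!$ds) {
					printXMLRPCerror(5); # failed to connect to auth server
					dbDisconnect();
					exit;
				}
				ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
				ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
				if ($auth['lookupuserbeforeauth']) {
					# in this case, we have to look up what part of the tree the user is in
					# before we can actually look up the user
					if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
						$res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
					}
					else {
						$res = ldap_bind($ds);
					}
					if (!$res) {
						addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
						printXMLRPCerror(5); # failed to connect to auth server
						dbDisconnect();
						exit;
					}
					// the login ultimately comes from the caller-supplied X-User header, so it
					// is escaped before being interpolated into the search filter (filter injection)
					if (function_exists('ldap_escape')) {
						$filterval = ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
					}
					else {
						// RFC 4515 escaping for PHP < 5.6; backslash goes first so the
						// escapes introduced afterwards are not escaped again
						$filterval = str_replace(array('\\', '*', '(', ')', "\x00"),
						                         array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
						                         $user['unityid']);
					}
					$filter = "{$auth['lookupuserfield']}={$filterval}";
					$search = ldap_search($ds, $auth['binddn'], $filter, array('dn'), 0, 3, 15);
					if ($search) {
						$tmpdata = ldap_get_entries($ds, $search);
						if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
							addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
							printXMLRPCerror(3); # access denied
							dbDisconnect();
							exit;
						}
						$ldapuser = $tmpdata[0]['dn'];
					}
					else {
						addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
						printXMLRPCerror(3); # access denied
						dbDisconnect();
						exit;
					}
				}
				else {
					// $auth['userid'] is a printf-style template for the bind DN
					$ldapuser = sprintf($auth['userid'], $user['unityid']);
				}
				// the actual credential check: bind as the user with the supplied password
				$res = ldap_bind($ds, $ldapuser, $xmlpass);
				if (!$res) {
					addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
					printXMLRPCerror(3); # access denied
					dbDisconnect();
					exit;
				}
				// release the directory connection; nothing below needs it
				ldap_unbind($ds);
				addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
			}
			elseif ($ENABLE_ITECSAUTH && $authMechs[$authtype]['affiliationid'] == getAffiliationID('ITECS')) {
				$rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
				if (empty($rc) || $rc['passfail'] == 'fail') {
					printXMLRPCerror(3); # access denied
					dbDisconnect();
					exit;
				}
			}
			elseif ($authMechs[$authtype]['type'] == 'local') {
				if (!validateLocalAccount($user['unityid'], $xmlpass)) {
					printXMLRPCerror(3); # access denied
					dbDisconnect();
					exit;
				}
			}
			elseif ($authMechs[$authtype]['type'] == 'redirect') {
				// delegate to a per-affiliation validator callback registered in $apiValidateFunc
				$affilid = $authMechs[$authtype]['affiliationid'];
				if (!(isset($apiValidateFunc) && is_array($apiValidateFunc) &&
				      array_key_exists($affilid, $apiValidateFunc) &&
				      $apiValidateFunc[$affilid]($xmluser, $xmlpass))) {
					printXMLRPCerror(3); # access denied
					dbDisconnect();
					exit;
				}
			}
			else {
				printXMLRPCerror(6); # unable to auth passed in X-User
				dbDisconnect();
				exit;
			}
		}
		else {
			printXMLRPCerror(7); # unknown API version
			dbDisconnect();
			exit;
		}
	}
	elseif ($mode == 'xmlrpcaffiliations') {
		// double check for SSL, not really required for this mode, but it keeps things consistent
		if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
			printXMLRPCerror(4); # must have SSL enabled
			dbDisconnect();
			exit;
		}
		$rawapiver = isset($_SERVER['HTTP_X_APIVERSION']) ? $_SERVER['HTTP_X_APIVERSION'] : null;
		$apiver = processInputData($rawapiver, ARG_NUMERIC, 1);
		if ($apiver == 1) {
			printXMLRPCerror(8); # unsupported API version
			dbDisconnect();
			exit;
		}
		elseif ($apiver != 2) {
			printXMLRPCerror(7); # unknown API version
			dbDisconnect();
			exit;
		}
	}
	elseif (!empty($mode)) {
		// $mode is request-supplied; outside a continuation it must name an entry action
		if (!in_array($mode, $actions['entry']) && !$inContinuation) {
			$mode = "main";
			$actionFunction = "main";
			return;
		}
		if ($inContinuation) {
			// continuation requests skip the per-area privilege check (existing behaviour)
			return;
		}
		# check that user has access to this area
		switch ($mode) {
			case 'viewGroups':
				$denied = !in_array("groupAdmin", $user["privileges"]);
				break;
			case 'serverProfiles':
				$denied = !in_array("serverProfileAdmin", $user["privileges"]) &&
				          !in_array("serverCheckOut", $user["privileges"]);
				break;
			case 'pickTimeTable':
				// the area is useless without at least one platform and one schedule
				$computermetadata = getUserComputerMetaData();
				$denied = !count($computermetadata["platforms"]) || !count($computermetadata["schedules"]);
				break;
			case 'viewNodes':
				$denied = !in_array("userGrant", $user["privileges"]) &&
				          !in_array("resourceGrant", $user["privileges"]) &&
				          !in_array("nodeAdmin", $user["privileges"]);
				break;
			case 'userLookup':
				$denied = !checkUserHasPerm('User Lookup (global)') &&
				          !checkUserHasPerm('User Lookup (affiliation only)');
				break;
			case 'editVMInfo':
				$denied = !in_array("computerAdmin", $user["privileges"]);
				break;
			case 'siteMaintenance':
				$denied = !checkUserHasPerm('Schedule Site Maintenance');
				break;
			case 'dashboard':
				$denied = !checkUserHasPerm('View Dashboard (global)') &&
				          !checkUserHasPerm('View Dashboard (affiliation only)');
				break;
			default:
				// every other entry action has no extra area check
				$denied = false;
				break;
		}
		if ($denied) {
			// fall through to the main page rather than the requested area
			$mode = "";
			$actionFunction = "main";
		}
	}
}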
/**
 * Complete a login against the local account store.
 *
 * On a valid $userid/$passwd pair the attempt is logged as a success, the
 * VCLAUTH and VCLSKIN cookies are set and the browser is redirected to the
 * main page. On failure the attempt is logged and the login page for
 * $authtype is rendered again. Both branches disconnect from the database
 * and exit, so this function never returns.
 *
 * @param string $userid   login name (cookie data is built for "$userid@local")
 * @param string $passwd   password supplied by the user
 * @param string $authtype key into $authMechs for the mechanism in use
 */
function localLogin($userid, $passwd, $authtype) {
	global $HTMLheader, $phpVer, $authMechs;
	$affilid = $authMechs[$authtype]['affiliationid'];
	if (!validateLocalAccount($userid, $passwd)) {
		// record the failed attempt, then show the login page again
		addLoginLog($userid, $authtype, $affilid, 0);
		printLoginPageWithSkin($authtype);
		printHTMLFooter();
		dbDisconnect();
		exit;
	}
	addLoginLog($userid, $authtype, $affilid, 1);
	// session-lifetime auth cookie; the 7-argument form (HttpOnly) needs PHP >= 5.2
	// NOTE(review): the secure flag (6th argument) is left at 0 — confirm this is intended for TLS-only deployments
	$authcookie = getAuthCookieData("{$userid}@local");
	$cookieval = "{$authcookie['data']}";
	if (version_compare(PHP_VERSION, "5.2", ">=")) {
		setcookie("VCLAUTH", $cookieval, 0, "/", COOKIEDOMAIN, 0, 1);
	}
	else {
		setcookie("VCLAUTH", $cookieval, 0, "/", COOKIEDOMAIN);
	}
	// default skin for a month, then hand the browser the main page
	setcookie("VCLSKIN", "default", time() + SECINDAY * 31, "/", COOKIEDOMAIN);
	header("Location: " . BASEURL . SCRIPT);
	dbDisconnect();
	exit;
}
$affil = $row['name']; # create VCL userid $userid = "{$username}@{$affil}"; if ($row['shibonly']) { $userdata = updateShibUser($userid); updateShibGroups($userdata['id'], $_SERVER['affiliation']); $usernid = $userdata['id']; } else { $usernid = getUserlistID($userid, 1); if (is_null($usernid)) { $tmp = updateShibUser($userid); $usernid = $tmp['id']; } } $affilid = getAffiliationID($affil); addLoginLog($userid, 'shibboleth', $affilid, 1); # uncomment the following and change EXAMPLE1 to match your needs to add all # users from a specific affiliation to a particular user group /*if($affil == 'EXAMPLE1') { $gid = getUserGroupID('All EXAMPLE1 Users', $affilid); $query = "INSERT IGNORE INTO usergroupmembers " . "(userid, usergroupid) " . "VALUES ($usernid, $gid)"; doQuery($query, 307); }*/ if (array_key_exists('Shib-logouturl', $_SERVER)) { $logouturl = $_SERVER['Shib-logouturl']; } else { $logouturl = ''; } # save data to shibauth table