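/**
 * Gate the current request before its action function runs.
 *
 * Behaviour depends on the global $mode:
 *  - 'xmlrpccall': requires HTTPS, the X-User / X-Pass / X-APIVersion request
 *    headers, resolves the user via getUserInfo() and authenticates the
 *    supplied password with the auth mechanism configured for the user's
 *    affiliation (ldap, ITECS, local, or a per-affiliation 'redirect'
 *    validator from $apiValidateFunc). Any failure prints an XML-RPC error
 *    (printXMLRPCerror), disconnects from the database and exits.
 *  - 'xmlrpcaffiliations': only the HTTPS and API-version checks apply.
 *  - any other non-empty mode: if the mode is not an entry action (and we are
 *    not in a continuation) the request is redirected to 'main'; otherwise a
 *    per-mode privilege check may reset $mode to '' and $actionFunction to
 *    'main' when the user lacks the required privilege.
 *
 * Works entirely through globals ($mode, $user, $actionFunction, ...) and
 * returns nothing; on denial it either exits or rewrites $mode/$actionFunction.
 */
function checkAccess()
{
    global $mode, $user, $actionFunction, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $apiValidateFunc;
    if ($mode == 'xmlrpccall') {
        // double check for SSL
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        # X-User is required; treat a missing header exactly like a missing
        # X-Pass (access denied) instead of looking up an undefined index
        if (!array_key_exists('HTTP_X_USER', $_SERVER) || strlen($_SERVER['HTTP_X_USER']) == 0) {
            printXMLRPCerror(3);
            # access denied
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($xmluser, 1))) {
                $testid = $xmluser;
                $affilid = DEFAULT_AFFILID;
                getAffilidAndLogin($testid, $affilid);
                addLoginLog($testid, 'unknown', $affilid, 0);
                printXMLRPCerror(3);
                # access denied
                dbDisconnect();
                exit;
            }
        }
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3);
            # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        # get_magic_quotes_gpc() was removed in PHP 8; only consult it where it exists
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        # a missing header evaluates to null, same as before, but without the notice
        $rawapiver = isset($_SERVER['HTTP_X_APIVERSION']) ? $_SERVER['HTTP_X_APIVERSION'] : null;
        $apiver = processInputData($rawapiver, ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);
            # unsupported API version
            dbDisconnect();
            exit;
        } elseif ($apiver == 2) {
            # pick the auth mechanism configured for the user's affiliation
            $authtype = "";
            foreach ($authMechs as $key => $authmech) {
                if ($authmech['affiliationid'] == $user['affiliationid']) {
                    $authtype = $key;
                    break;
                }
            }
            if (empty($authtype)) {
                print "No authentication mechanism found for passed in X-User";
                dbDisconnect();
                exit;
            }
            if ($authMechs[$authtype]['type'] == 'ldap') {
                $auth = $authMechs[$authtype];
                $ds = ldap_connect("ldaps://{$auth['server']}/");
                if (!$ds) {
                    printXMLRPCerror(5);
                    # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
                if ($auth['lookupuserbeforeauth']) {
                    # in this case, we have to look up what part of the tree the user is in
                    #   before we can actually look up the user
                    if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
                        $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
                    } else {
                        $res = ldap_bind($ds);
                    }
                    if (!$res) {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(5);
                        # failed to connect to auth server
                        dbDisconnect();
                        exit;
                    }
                    # escape the login (RFC 4515) before interpolating it into the
                    # search filter so filter metacharacters in it cannot change the
                    # query; ldap_escape() exists from PHP 5.6, fall back by hand before that
                    if (function_exists('ldap_escape')) {
                        $filterval = ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
                    } else {
                        $filterval = str_replace(array('\\', '*', '(', ')', "\0"),
                                                 array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
                                                 $user['unityid']);
                    }
                    $search = ldap_search($ds, $auth['binddn'], "{$auth['lookupuserfield']}={$filterval}", array('dn'), 0, 3, 15);
                    if ($search) {
                        $tmpdata = ldap_get_entries($ds, $search);
                        if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
                            addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                            printXMLRPCerror(3);
                            # access denied
                            dbDisconnect();
                            exit;
                        }
                        $ldapuser = $tmpdata[0]['dn'];
                    } else {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(3);
                        # access denied
                        dbDisconnect();
                        exit;
                    }
                } else {
                    $ldapuser = sprintf($auth['userid'], $user['unityid']);
                }
                # the non-empty X-Pass check above guarantees this is never an
                # anonymous/unauthenticated bind
                $res = ldap_bind($ds, $ldapuser, $xmlpass);
                if (!$res) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            } elseif ($ENABLE_ITECSAUTH && $authMechs[$authtype]['affiliationid'] == getAffiliationID('ITECS')) {
                $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
                if (empty($rc) || $rc['passfail'] == 'fail') {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } elseif ($authMechs[$authtype]['type'] == 'local') {
                if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } elseif ($authMechs[$authtype]['type'] == 'redirect') {
                # delegate to the validator callback configured for this affiliation
                $affilid = $authMechs[$authtype]['affiliationid'];
                if (!(isset($apiValidateFunc) && is_array($apiValidateFunc) && array_key_exists($affilid, $apiValidateFunc) && $apiValidateFunc[$affilid]($xmluser, $xmlpass))) {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } else {
                printXMLRPCerror(6);
                # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
        } else {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistant
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $rawapiver = isset($_SERVER['HTTP_X_APIVERSION']) ? $_SERVER['HTTP_X_APIVERSION'] : null;
        $apiver = processInputData($rawapiver, ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);
            # unsupported API version
            dbDisconnect();
            exit;
        } elseif ($apiver != 2) {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif (!empty($mode)) {
        if (!in_array($mode, $actions['entry']) && !$inContinuation) {
            # not an entry point: fall back to the main page
            $mode = "main";
            $actionFunction = "main";
            return;
        } else {
            if (!$inContinuation) {
                # check that user has access to this area; a failed check sends
                # the user to the main page instead of the requested mode
                switch ($mode) {
                    case 'viewGroups':
                        if (!in_array("groupAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'serverProfiles':
                        if (!in_array("serverProfileAdmin", $user["privileges"]) && !in_array("serverCheckOut", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'pickTimeTable':
                        $computermetadata = getUserComputerMetaData();
                        if (!count($computermetadata["platforms"]) || !count($computermetadata["schedules"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'viewNodes':
                        if (!in_array("userGrant", $user["privileges"]) && !in_array("resourceGrant", $user["privileges"]) && !in_array("nodeAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'userLookup':
                        if (!checkUserHasPerm('User Lookup (global)') && !checkUserHasPerm('User Lookup (affiliation only)')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'editVMInfo':
                        if (!in_array("computerAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'siteMaintenance':
                        if (!checkUserHasPerm('Schedule Site Maintenance')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'dashboard':
                        if (!checkUserHasPerm('View Dashboard (global)') && !checkUserHasPerm('View Dashboard (affiliation only)')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                }
            }
        }
    }
}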
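/**
 * Authenticate $userid against the local account store.
 *
 * On success the attempt is logged, the VCLAUTH session cookie (and a default
 * VCLSKIN cookie) is issued and the browser is redirected to the main page.
 * On failure the attempt is logged and the login page for $authtype is
 * rendered again. Both paths disconnect from the database and exit, so this
 * function never returns to its caller.
 *
 * @param string $userid   login name as entered on the login form
 * @param string $passwd   cleartext password to verify
 * @param string $authtype key into $authMechs naming the mechanism used
 */
function localLogin($userid, $passwd, $authtype)
{
    global $HTMLheader, $phpVer, $authMechs;
    if (validateLocalAccount($userid, $passwd)) {
        addLoginLog($userid, $authtype, $authMechs[$authtype]['affiliationid'], 1);
        //set cookie
        $cookie = getAuthCookieData("{$userid}@local");
        # VCLAUTH carries the session credential: mark it Secure whenever this
        # request arrived over TLS so the browser never resends it over plain
        # HTTP; on a plain-HTTP deployment the flag stays off as before
        $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on";
        if (version_compare(PHP_VERSION, "5.2", ">=")) {
            # the httponly argument only exists from PHP 5.2 on
            setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, $secure, 1);
        } else {
            setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, $secure);
        }
        //load main page
        setcookie("VCLSKIN", "default", time() + SECINDAY * 31, "/", COOKIEDOMAIN);
        header("Location: " . BASEURL . SCRIPT);
        dbDisconnect();
        exit;
    } else {
        addLoginLog($userid, $authtype, $authMechs[$authtype]['affiliationid'], 0);
        printLoginPageWithSkin($authtype);
        printHTMLFooter();
        dbDisconnect();
        exit;
    }
}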
# $row and $username are set earlier, outside this excerpt; presumably $row is
# the affiliation record matched for the Shibboleth user — confirm against caller
$affil = $row['name'];
# create VCL userid
$userid = "{$username}@{$affil}";
if ($row['shibonly']) {
    # shib-only affiliation: the user record is (re)built from the Shibboleth
    # attributes and group memberships synced from the 'affiliation' attribute
    $userdata = updateShibUser($userid);
    # NOTE(review): $_SERVER['affiliation'] is read without an isset() guard
    updateShibGroups($userdata['id'], $_SERVER['affiliation']);
    $usernid = $userdata['id'];
} else {
    # otherwise reuse an existing user row, creating one only if the lookup
    # returns null
    $usernid = getUserlistID($userid, 1);
    if (is_null($usernid)) {
        $tmp = updateShibUser($userid);
        $usernid = $tmp['id'];
    }
}
$affilid = getAffiliationID($affil);
# record the successful (1) shibboleth login
addLoginLog($userid, 'shibboleth', $affilid, 1);
# uncomment the following and change EXAMPLE1 to match your needs to add all
# users from a specific affiliation to a particular user group
# (if enabled, note that $usernid and $gid are interpolated straight into the
#  query string, so they must be the numeric ids returned by the lookups above)
/*if($affil == 'EXAMPLE1') {
	$gid = getUserGroupID('All EXAMPLE1 Users', $affilid);
	$query = "INSERT IGNORE INTO usergroupmembers "
	       . "(userid, usergroupid) "
	       . "VALUES ($usernid, $gid)";
	doQuery($query, 307);
}*/
# remember the IdP logout URL when the SP passed one through
if (array_key_exists('Shib-logouturl', $_SERVER)) {
    $logouturl = $_SERVER['Shib-logouturl'];
} else {
    $logouturl = '';
}
# save data to shibauth table