// Bootstrap run: gate on the schema version, set the multibyte encoding, then
// load the RackCode parse tree (from cache when possible) and the predicate table.
$tab['reports']['local'] = getConfigVar('enterprise');
// Refuse to serve any page while the database schema lags behind the code.
// NOTE(review): loose != between a config value and a constant - confirm both are strings.
if (getConfigVar('DB_VERSION') != CODE_VERSION) {
    echo '<p align=justify>This Racktables installation seems to be ' . 'just upgraded to version ' . CODE_VERSION . ', while the ' . 'database version is ' . getConfigVar('DB_VERSION') . '.<br>No user will be ' . 'either authenticated or shown any page until the upgrade is ' . "finished.<br>Follow <a href='?module=upgrade'>this link</a> and " . 'authenticate as administrator to finish the upgrade.</p>';
    exit(1);
}
// mb_internal_encoding() returns FALSE when the encoding cannot be set.
if (!mb_internal_encoding('UTF-8')) {
    throw new RackTablesError('Failed setting multibyte string encoding to UTF-8', RackTablesError::INTERNAL);
}
// The cache slot holds base64(serialize(parse tree)), written a few lines below.
$rackCodeCache = loadScript('RackCodeCache');
// Missing or empty cache: parse the RackCode source and store the result.
if ($rackCodeCache == NULL or !strlen($rackCodeCache)) {
    $rackCode = getRackCode(loadScript('RackCode'));
    saveScript('RackCodeCache', base64_encode(serialize($rackCode)));
} else {
    // NOTE(review): unserialize() runs on whatever loadScript() hands back; this is
    // only safe while that store can be written by administrators alone - confirm.
    $rackCode = unserialize(base64_decode($rackCodeCache));
    if ($rackCode === FALSE) {
        // Corrupt cache: clear it and re-parse. The re-parsed tree is not
        // written back to the cache in this block.
        saveScript('RackCodeCache', '');
        $rackCode = getRackCode(loadScript('RackCode'));
    }
}
// avoid notices being thrown
date_default_timezone_set(getConfigVar('DATETIME_ZONE'));
// Depending on the 'result' value the 'load' carries either the
// parse tree or error message. The latter case is a bug, because
// RackCode saving function was supposed to validate its input.
if ($rackCode['result'] != 'ACK') {
    throw new RackTablesError($rackCode['load'], RackTablesError::INTERNAL);
}
$rackCode = $rackCode['load'];
// Only call buildPredicateTable() once and save the result, because it will remain
// constant during one execution for constraints processing.
$pTable = buildPredicateTable($rackCode);
/**
 * Form handler for saving RackCode: validate the submitted text, then persist
 * both the source and its serialised parse tree.
 *
 * Reads $_REQUEST['rackcode'] (presence asserted by assertStringArg()).
 * Reports the outcome through showFuncMessage(); returns nothing.
 */
function saveRackCode()
{
    assertStringArg('rackcode');
    // The parser expects LF line endings: unescape LFs, drop CRs.
    $source = dos2unix($_REQUEST['rackcode']);
    $parsed = getRackCode($source);
    if ($parsed['result'] == 'ACK') {
        saveScript('RackCode', $source);
        // The cached tree is what later requests read back instead of re-parsing.
        saveScript('RackCodeCache', base64_encode(serialize($parsed)));
        showFuncMessage(__FUNCTION__, 'OK');
        return;
    }
    // On a parse failure 'load' carries the parser's error message.
    showFuncMessage(__FUNCTION__, 'ERR1', [$parsed['load']]);
}
/**
 * Persist the default virtual-server and real-server configuration templates.
 *
 * @param array $data expected to carry the two templates under keys 'vs' and 'rs'
 */
function commitUpdateSLBDefConf($data)
{
    // Script slot => key in $data; VS is written before RS, as before.
    $slots = ['DefaultVSConfig' => 'vs', 'DefaultRSConfig' => 'rs'];
    foreach ($slots as $script_name => $key) {
        saveScript($script_name, $data[$key]);
    }
}
/**
 * Authenticate $username/$password against LDAP, consulting the local LDAP
 * cache first. On success $ldap_displayname is set through the reference
 * parameter and one array('tag' => ...) entry per group is appended to the
 * global $auto_tags.
 *
 * Returns TRUE when the user is authenticated, FALSE otherwise. Throws
 * RackTablesError(INTERNAL) if queryLDAPServer() returns an unknown 'result'.
 *
 * NOTE(review): the cache is keyed by an unsalted sha1 of the password; whether
 * that is acceptable depends on who can read the LDAPCache storage - confirm.
 * NOTE(review): acquireLDAPCache()/releaseLDAPCache() look like a lock pair;
 * every path below releases exactly once - keep it that way when editing.
 */
function authenticated_via_ldap_cache($username, $password, &$ldap_displayname)
{
    global $LDAP_options, $auto_tags;
    // Destroy the cache each time config changes.
    if (sha1(serialize($LDAP_options)) != loadScript('LDAPConfigHash')) {
        discardLDAPCache();
        saveScript('LDAPConfigHash', sha1(serialize($LDAP_options)));
    }
    // NULL means no usable record for this user/password-hash pair.
    $oldinfo = acquireLDAPCache($username, sha1($password), $LDAP_options['cache_expiry']);
    if ($oldinfo === NULL) {
        // On cache miss execute complete procedure and return the result. In case
        // of successful authentication put a record into cache.
        $newinfo = queryLDAPServer($username, $password);
        if ($newinfo['result'] == 'ACK') {
            $ldap_displayname = $newinfo['displayed_name'];
            foreach ($newinfo['memberof'] as $autotag) {
                $auto_tags[] = array('tag' => $autotag);
            }
            replaceLDAPCacheRecord($username, sha1($password), $newinfo['displayed_name'], $newinfo['memberof']);
            releaseLDAPCache();
            // Expire other stale rows while the cache is being touched anyway.
            discardLDAPCache($LDAP_options['cache_expiry']);
            return TRUE;
        }
        // 'NAK' and 'CAN' alike: nothing cached, authentication fails.
        releaseLDAPCache();
        return FALSE;
    }
    // cache HIT
    // There are two confidence levels of cache hits: "certain" and "uncertain". In either case
    // expect authentication success, unless it's well-timed to perform a retry,
    // which may sometimes bring a NAK decision.
    // Fresh enough (success_age/retry_age below their thresholds): trust the record without asking LDAP.
    if ($oldinfo['success_age'] < $LDAP_options['cache_refresh'] or $oldinfo['retry_age'] < $LDAP_options['cache_retry']) {
        releaseLDAPCache();
        $ldap_displayname = $oldinfo['displayed_name'];
        foreach ($oldinfo['memberof'] as $autotag) {
            $auto_tags[] = array('tag' => $autotag);
        }
        return TRUE;
    }
    // Either refresh threshold or retry threshold reached.
    $newinfo = queryLDAPServer($username, $password);
    switch ($newinfo['result']) {
        case 'ACK':
            // refresh existing record
            $ldap_displayname = $newinfo['displayed_name'];
            foreach ($newinfo['memberof'] as $autotag) {
                $auto_tags[] = array('tag' => $autotag);
            }
            replaceLDAPCacheRecord($username, sha1($password), $newinfo['displayed_name'], $newinfo['memberof']);
            releaseLDAPCache();
            discardLDAPCache($LDAP_options['cache_expiry']);
            return TRUE;
        case 'NAK':
            // The record isn't valid any more.
            deleteLDAPCacheRecord($username);
            releaseLDAPCache();
            discardLDAPCache($LDAP_options['cache_expiry']);
            return FALSE;
        case 'CAN':
            // retry failed, do nothing, use old value till next retry
            $ldap_displayname = $oldinfo['displayed_name'];
            foreach ($oldinfo['memberof'] as $autotag) {
                $auto_tags[] = array('tag' => $autotag);
            }
            // Bump retry_age so the next retry is postponed.
            touchLDAPCacheRecord($username);
            releaseLDAPCache();
            discardLDAPCache($LDAP_options['cache_expiry']);
            return TRUE;
        default:
            // queryLDAPServer() only produces ACK/NAK/CAN; anything else is a bug.
            throw new RackTablesError('structure error', RackTablesError::INTERNAL);
    }
    // This is never reached.
    return FALSE;
}
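/**
 * Ask the configured LDAP server(s) whether $username/$password are valid.
 *
 * Reads the global $LDAP_options. Returns an array with a 'result' key:
 *   'ACK' - bind succeeded; 'displayed_name' (string) and 'memberof' (list of
 *           '$lgcn_...' tag names, possibly empty) are present as well
 *   'NAK' - credentials rejected: invalid credentials, empty password, or the
 *           user search did not return exactly one entry
 *   'CAN' - no decision: no server reachable, a search failed, or a bind error
 *           other than invalid credentials
 * Throws RackTablesError(MISCONFIGURED) when the ldap extension is missing,
 * TLS is mandatory but fails, the search bind is refused, or no bind name can
 * be built from the options.
 *
 * NOTE(review): most ldap_* calls are @-suppressed; failures are detected via
 * their return values and ldap_errno()/ldap_error() only.
 */
function queryLDAPServer($username, $password)
{
    global $LDAP_options;
    if (extension_loaded('ldap') === FALSE) {
        throw new RackTablesError('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
    }
    // Directory servers commonly treat a bind with an empty password as an
    // unauthenticated (anonymous) bind and report success, so an empty password
    // is rejected here before it can ever reach ldap_bind() as a credential.
    if ((string) $password === '') {
        return array('result' => 'NAK');
    }
    // ldap_errno() values that mean "could not talk to the server at all".
    $ldap_cant_connect_codes = array(-1, -5, -11);
    $last_successful_server = loadScript('LDAPLastSuccessfulServer');
    $success_server = NULL;
    // -1 means "no limit"; passing NULL here is deprecated since PHP 8.1.
    $servers = preg_split("/\\s+/", $LDAP_options['server'], -1, PREG_SPLIT_NO_EMPTY);
    if (isset($last_successful_server) && in_array($last_successful_server, $servers)) {
        // Use last successful server first
        $servers = array_diff($servers, array($last_successful_server));
        array_unshift($servers, $last_successful_server);
    }
    $port = array_fetch($LDAP_options, 'port', 389);
    // Try to connect to each server until first success
    foreach ($servers as $server) {
        $connect = @ldap_connect($server, $port);
        if ($connect === FALSE) {
            continue;
        }
        ldap_set_option($connect, LDAP_OPT_NETWORK_TIMEOUT, array_fetch($LDAP_options, 'server_alive_timeout', 2));
        if (isset($LDAP_options['use_tls']) && $LDAP_options['use_tls'] >= 1) {
            // use_tls = 1: attempt TLS and carry on either way; use_tls >= 2: TLS is mandatory.
            // The TLS handshake doubles as the reachability probe, so no ldap_bind() here.
            $tls = ldap_start_tls($connect);
            if ($LDAP_options['use_tls'] >= 2 && $tls === FALSE) {
                if (in_array(ldap_errno($connect), $ldap_cant_connect_codes, TRUE)) {
                    continue;
                }
                throw new RackTablesError('LDAP misconfiguration: LDAP TLS required but not successfully negotiated.', RackTablesError::MISCONFIGURED);
            }
            $success_server = $server;
            break;
        }
        // Without TLS, probe with an anonymous bind: any answer other than a
        // "cannot connect" code means the server is up.
        if (@ldap_bind($connect) || !in_array(ldap_errno($connect), $ldap_cant_connect_codes, TRUE)) {
            $success_server = $server;
            // Drop the probe connection; the real one is opened fresh below.
            @ldap_unbind($connect);
            $connect = ldap_connect($server, $port);
            break;
        }
    }
    if (!isset($success_server)) {
        return array('result' => 'CAN');
    }
    if ($LDAP_options['cache_expiry'] != 0 && $last_successful_server !== $success_server) {
        saveScript('LDAPLastSuccessfulServer', $success_server);
    }
    if (array_key_exists('options', $LDAP_options) and is_array($LDAP_options['options'])) {
        foreach ($LDAP_options['options'] as $opt_code => $opt_value) {
            ldap_set_option($connect, $opt_code, $opt_value);
        }
    }
    // The login name is interpolated into LDAP search filters below; escape it
    // so filter metacharacters in user input cannot change the query (CWE-90).
    $filter_username = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    // Decide on the username we will actually authenticate for.
    if (isset($LDAP_options['domain']) and strlen($LDAP_options['domain'])) {
        $auth_user_name = $username . "@" . $LDAP_options['domain'];
    } elseif (isset($LDAP_options['search_dn']) and strlen($LDAP_options['search_dn']) and isset($LDAP_options['search_attr']) and strlen($LDAP_options['search_attr'])) {
        // If a search_bind_rdn is supplied, bind to that and use it to search.
        // This is required unless a server offers anonymous searching.
        // Using bind again on the connection works as expected.
        // The password is optional as it might be optional on server, too.
        if (isset($LDAP_options['search_bind_rdn']) && strlen($LDAP_options['search_bind_rdn'])) {
            $search_bind = @ldap_bind($connect, $LDAP_options['search_bind_rdn'], isset($LDAP_options['search_bind_password']) ? $LDAP_options['search_bind_password'] : NULL);
            if ($search_bind === FALSE) {
                throw new RackTablesError('LDAP misconfiguration. You have specified a search_bind_rdn ' . (isset($LDAP_options['search_bind_password']) ? 'with' : 'without') . ' a search_bind_password, but the server refused it with: ' . ldap_error($connect), RackTablesError::MISCONFIGURED);
            }
        }
        $results = @ldap_search($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . '=' . $filter_username . ')', array("dn"));
        if ($results === FALSE) {
            @ldap_close($connect);
            return array('result' => 'CAN');
        }
        // Exactly one entry must match, otherwise the login name is ambiguous or unknown.
        if (@ldap_count_entries($connect, $results) != 1) {
            @ldap_close($connect);
            return array('result' => 'NAK');
        }
        $info = @ldap_get_entries($connect, $results);
        ldap_free_result($results);
        $auth_user_name = $info[0]['dn'];
    } else {
        throw new RackTablesError('LDAP misconfiguration. Cannon build username for authentication.', RackTablesError::MISCONFIGURED);
    }
    $bind = @ldap_bind($connect, $auth_user_name, $password);
    if ($bind === FALSE) {
        // 49 is LDAP_INVALID_CREDENTIALS, a definite rejection; anything else is
        // "cannot decide". Read the error before the handle is closed.
        $errno = ldap_errno($connect);
        @ldap_close($connect);
        return array('result' => $errno === 49 ? 'NAK' : 'CAN');
    }
    // preliminary decision may change during searching
    $ret = array('result' => 'ACK', 'displayed_name' => '', 'memberof' => array());
    // Some servers deny anonymous search, thus search (if requested) only after binding.
    // Displayed name only makes sense for authenticated users anyway.
    if (isset($LDAP_options['displayname_attrs']) and strlen($LDAP_options['displayname_attrs']) and isset($LDAP_options['search_dn']) and strlen($LDAP_options['search_dn']) and isset($LDAP_options['search_attr']) and strlen($LDAP_options['search_attr'])) {
        $displayname_attrs = explode(' ', $LDAP_options['displayname_attrs']);
        $group_attr = $LDAP_options['group_attr'];
        $results = @ldap_search($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . '=' . $filter_username . ')', array_merge(array($group_attr), $displayname_attrs));
        if ($results === FALSE) {
            // A failed search is no decision either way (and must not reach ldap_count_entries()).
            @ldap_close($connect);
            return array('result' => 'CAN');
        }
        if (@ldap_count_entries($connect, $results) != 1) {
            @ldap_close($connect);
            return array('result' => 'NAK');
        }
        $info = @ldap_get_entries($connect, $results);
        ldap_free_result($results);
        // Displayed name: first value of each configured attribute that is present, space-joined.
        $name_parts = array();
        foreach ($displayname_attrs as $attr) {
            if (isset($info[0][$attr])) {
                $name_parts[] = $info[0][$attr][0];
            }
        }
        $ret['displayed_name'] = implode(' ', $name_parts);
        // Pull group membership, if any was returned.
        if (isset($info[0][$group_attr])) {
            for ($i = 0; $i < $info[0][$group_attr]['count']; $i++) {
                // group_filter is a PCRE whose first capture becomes the tag suffix.
                if (preg_match($LDAP_options['group_filter'], $info[0][$group_attr][$i], $matches) and validTagName('$lgcn_' . $matches[1], TRUE)) {
                    $ret['memberof'][] = '$lgcn_' . $matches[1];
                }
            }
        }
    }
    @ldap_close($connect);
    return $ret;
}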
/**
 * LDAP authentication with a local cache in front of the directory server.
 *
 * A cache row valid for ($username, sha1($password)) answers the request
 * without contacting LDAP. Otherwise the row is locked via acquireLDAPCache(),
 * re-checked, and - if still not valid - refreshed from queryLDAPServer():
 * 'ACK' stores the fresh record, 'NAK' deletes the record and fails, 'CAN'
 * (LDAP query failed) keeps an existing record if it still passes the relaxed
 * validity check. Any other 'result' is a structure error.
 *
 * On success $ldap_displayname is set through the reference parameter and one
 * array('tag' => ...) entry per group is appended to the global $auto_tags.
 * Returns TRUE when the user is authenticated, FALSE otherwise.
 *
 * NOTE(review): the cache is keyed by an unsalted sha1 of the password; whether
 * that is acceptable depends on who can read the LDAPCache storage - confirm.
 */
function authenticated_via_ldap_cache($username, $password, &$ldap_displayname)
{
    global $LDAP_options, $auto_tags;
    // Any change in the LDAP configuration invalidates every cached row.
    $config_hash = sha1(serialize($LDAP_options));
    if ($config_hash != loadScript('LDAPConfigHash')) {
        discardLDAPCache();
        saveScript('LDAPConfigHash', $config_hash);
    }
    $password_hash = sha1($password);
    $user_data = array();
    // Fast path: read the row without taking the per-user lock.
    $cache_row = fetchLDAPCacheRow($username);
    if (isLDAPCacheValid($cache_row, $password_hash, TRUE)) {
        $user_data = $cache_row;
    } else {
        // Miss or expired: take the lock and re-check before asking LDAP.
        $cache_row = acquireLDAPCache($username);
        if (isLDAPCacheValid($cache_row, $password_hash, TRUE)) {
            $user_data = $cache_row;
        } else {
            $ldap_answer = queryLDAPServer($username, $password);
            $verdict = $ldap_answer['result'];
            if ($verdict == 'ACK') {
                replaceLDAPCacheRecord($username, $password_hash, $ldap_answer['displayed_name'], $ldap_answer['memberof']);
                $user_data = $ldap_answer;
            } elseif ($verdict == 'NAK') {
                // The record isn't valid any more.
                // TODO: negative result caching
                deleteLDAPCacheRecord($username);
            } elseif ($verdict == 'CAN') {
                // LDAP query failed: keep the old record until the next retry,
                // provided it still passes the relaxed (FALSE) validity check.
                if (isLDAPCacheValid($cache_row, $password_hash, FALSE)) {
                    touchLDAPCacheRecord($username);
                    $user_data = $cache_row;
                } else {
                    deleteLDAPCacheRecord($username);
                }
            } else {
                throw new RackTablesError('structure error', RackTablesError::INTERNAL);
            }
        }
        releaseLDAPCache();
        // Also clear expired rows of other users while the cache is open.
        discardLDAPCache($LDAP_options['cache_expiry']);
    }
    if (!$user_data) {
        return FALSE;
    }
    $ldap_displayname = $user_data['displayed_name'];
    foreach ($user_data['memberof'] as $group_tag) {
        $auto_tags[] = array('tag' => $group_tag);
    }
    return TRUE;
}
    define('DOING_AJAX', true);
    define('WP_ADMIN', true);
    if (!isset($_POST['action'])) {
        die('-15');
    }
    @header('Content-Type: text/html; charset=' . get_option('blog_charset'));
    send_nosniff_header();
    do_action('admin_init');
    if (!is_user_logged_in()) {
        die('-14');
    } else {
        //if user admin
        if ($user_level > 9) {
            if (isset($_POST['action'])) {
                if ($_POST['action'] == 'savecss') {
                    if (isset($_POST['data'])) {
                        saveScript($_POST['data'], "css");
                    }
                } else {
                    if ($_POST['action'] == 'savejs') {
                        if (isset($_POST['data'])) {
                            saveScript(stripslashes($_POST['data']), "js");
                        }
                    }
                }
            }
        }
    }
} else {
    echo 'Please do not try this any more. Thanks.';
}