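/**
 * Decides whether an identity may access a resource.
 *
 * Looks up the permission record matching both the identity and the resource,
 * then interprets the record's $authKey field as a yes/no flag. The check
 * fails closed: no record, more than one record, an unrecognised flag value
 * or an exception all produce false.
 *
 * @param string $entitySignature Blueprint signature handed to BlueprintReader::read().
 * @param string $identityKey     Name of the field that holds the identity.
 * @param string $resourceKey     Name of the field that holds the resource.
 * @param string $authKey         Name of the field that holds the permission flag.
 * @param mixed  $identity        Identity value to match (used as a string).
 * @param mixed  $resource        Resource value to match (used as a string).
 *
 * @return bool True only when exactly one record matches and its flag is
 *              numerically 1, or "YES"/"TRUE" in any letter case.
 */
public static function authenticate($entitySignature, $identityKey, $resourceKey, $authKey, $identity, $resource)
{
    $tag = "Sentry::authenticate()";
    // NOTE(review): the identity and resource values are logged verbatim; if they can
    // carry caller-supplied text, neutralise CR/LF before writing them to the log.
    Log::notice("{$tag}: <entitySignature={$entitySignature}, {$identityKey}={$identity}, {$resourceKey}={$resource}>");

    // TODO: (?) check users session for cached permissions
    try {
        $sentryBP = BlueprintReader::read($entitySignature);
        $entityDAO = new EntityDAO($sentryBP);
        $keys = array("{$identityKey}", "{$resourceKey}");
        $values = array("{$identity}", "{$resource}");
        $matches = $entityDAO->findWhere($keys, $values);
        $matchCount = count($matches);

        if ($matchCount === 0) {
            Log::debug("{$tag}: No permission record was found.");
            return false;
        }

        if ($matchCount > 1) {
            // Ambiguous permission data is treated as "no permission".
            Log::warning("{$tag}: ! More than one permission record was found.");
            return false;
        }

        // Exactly one matching permission record: extract value of $authKey field.
        $entity = $matches[0];
        $authValue = $entity->get($authKey);

        // Reduce the stored value to one canonical string before comparing.
        // Loose comparisons such as ($authValue == 0) give different answers for
        // words like "YES" on PHP 7 and PHP 8, so they are not used here.
        if ($authValue === null || is_bool($authValue)) {
            $flag = $authValue ? "1" : "0";
        } elseif (is_scalar($authValue)) {
            $flag = strtoupper((string) $authValue);
        } else {
            // Arrays and objects are never a valid flag.
            $flag = null;
        }

        $granted = false;
        $recognised = false;
        if ($flag !== null && is_numeric($flag)) {
            $number = (float) $flag;
            $granted = ($number == 1);
            $recognised = $granted || ($number == 0);
        } elseif ($flag !== null) {
            $granted = in_array($flag, array("YES", "TRUE"), true);
            $recognised = $granted || in_array($flag, array("", "NO", "FALSE"), true);
        }

        if ($granted) {
            Log::debug("{$tag}: {$identityKey} {$identity} has permission to access {$resourceKey} {$resource}");
            return true;
        }

        if ($recognised) {
            Log::debug("{$tag}: {$identityKey} {$identity} does not have permission to access {$resourceKey} {$resource}");
        } else {
            // Previously this path fell off the end of the function and returned null;
            // an unreadable flag is now an explicit denial.
            Log::warning("{$tag}: Unrecognised value in {$authKey}; denying access.");
        }

        return false;
    } catch (Exception $e) {
        Log::error("{$tag}: " . $e->getMessage());
        return false;
    }
}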
// Login form handler (excerpt): reads the posted credentials, looks the member up
// and consults the failed-login throttle. $destination, $domain and
// $entity_blueprint are not assigned in the visible part of this script.

// NOTE(review): login_key and passwd_key arrive in the request body, so the client
// names the field used for the lookup below (and presumably for the password
// check, which is outside this excerpt). Confirm they are checked against a
// server-side allow-list of blueprint fields before use.
// The @ operator only hides the notice for a missing key; the value is then null.
$login_key = @$_POST["login_key"];
$passwd_key = @$_POST["passwd_key"];
$login = @$_POST["login"];
$passwd = @$_POST["passwd"];

// Init Defaults
if (empty($destination)) {
    $destination = "/";
}

// Debug
// NOTE(review): these values are logged verbatim, and $login comes straight from
// the request; neutralise CR/LF before logging so one request cannot forge
// extra log lines.
Log::debug("* domain = {$domain}");
Log::debug("* destination = {$destination}");
Log::debug("* login = {$login}");

// Lookup Member by Login
$memberBP = BlueprintReader::read($entity_blueprint);
$memberDAO = new EntityDAO($memberBP);
$matches = $memberDAO->findWhere($login_key, $login);

// Only the exactly-one-match case is handled in the visible code. The throttle
// below is keyed on the member id, so it is consulted only for a login that
// matched one member. NOTE(review): check how attempts against unknown logins
// are rate-limited.
if (count($matches) == 1) {
    $member = $matches[0];
    $member_id = $member->getId();

    // Throttle the login attempts
    $num_failed_attempts = 0;
    if (BPConfig::$login_throttle_enabled) {
        // Table name = blueprint name up to the first "."; when there is no ".",
        // strpos() returns false and substr() is asked for zero characters, which
        // leaves the FROM clause without a table.
        $loginThrottleTable = substr(BPConfig::$login_throttle_blueprint, 0, strpos(BPConfig::$login_throttle_blueprint, "."));
        // Selects this member's throttle rows newer than the lockout period. The
        // statement is assembled by string concatenation from BPConfig values and
        // $member_id; none of these is read from the request in the visible code.
        // NOTE(review): use bound parameters if DatabaseQuery offers them - TODO confirm.
        $query = "SELECT * FROM " . $loginThrottleTable . " WHERE (" . BPConfig::$login_throttle_field_id . "={$member_id}) AND (time >= (UTC_TIMESTAMP() - INTERVAL " . BPConfig::$login_throttle_lockout_period . " SECOND) )";
        $sql = new DatabaseQuery($query);
        $sql->doQuery();
        $num_failed_attempts = $sql->get_num_rows();
    }

    // This comparison runs whether or not throttling is enabled; with throttling
    // off the count stays 0.
    if ($num_failed_attempts >= BPConfig::$login_throttle_lockout_attempts) {
        Log::warning("* THROTTLE LOCKOUT: " . $num_failed_attempts . " failed login attempts during the last " . BPConfig::$login_throttle_lockout_period . " seconds");
        $status = "error";
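/**
 * Tests an <Ownership> access-list rule: every row in $listRows must be owned
 * by $identity, either directly or through one of the identity's affiliations.
 *
 * Direct ownership applies when the rule's keyPath and identityKeyPath name the
 * same table; each row's ownership field must then equal the identity.
 * Otherwise the rule's text names a "table.field" affiliation source, and each
 * row's owner must equal that field on at least one of the identity's
 * affiliation records.
 *
 * The test fails closed: an empty identity, a row without a matching owner, a
 * missing affiliation record, an invalid rule or an exception all yield false.
 * An empty $listRows yields true, as before.
 *
 * @param mixed $rule      Rule node; its string value is the owner identifier and it
 *                         is indexed by "keyPath" and "identityKeyPath".
 * @param mixed $identity  Identity of the requestor (compared as a string).
 * @param mixed $listRows  Rows to test; each exposes ->id and ->columns[].
 *
 * @return bool True only when every row passes the ownership test.
 */
private function test_access_list_rule_ownership($rule, $identity, $listRows)
{
    $tag = "Guardian: test_access_list_rule_ownership()";
    Log::debug("{$tag}");

    $ownerIdentifier = (string) $rule;
    $keyPath = $rule["keyPath"];
    $identityKeyPath = $rule["identityKeyPath"];

    // array_pad() keeps the list() assignments defined when a path has no "." part.
    list($ownershipTable, $ownershipField) = array_pad(explode(".", (string) $keyPath), 2, "");
    list($identityTable, $identityField) = array_pad(explode(".", (string) $identityKeyPath), 2, "");
    list($ownerIdentifierTable, $ownerIdentifierField) = array_pad(explode(".", $ownerIdentifier), 2, "");

    Log::debug("{$tag}: Rule requires ownership of " . count($listRows) . " list item(s) from keyPath '{$keyPath}'");

    // An empty identity must never match a row whose owner field is also empty.
    $requestor = (string) $identity;
    if ($requestor === "") {
        Log::debug("{$tag}: No identity supplied; denying ownership");
        return false;
    }

    if ($ownershipTable === $identityTable) {
        // TEST FOR DIRECT OWNERSHIP BY IDENTITY (of each listRow)
        foreach ($listRows as $row) {
            $entityId = $row->id;
            // NOTE(review): this branch reads the column itself while the affiliation
            // branch reads ->value; confirm which form columns[] holds.
            $owner_id = $row->columns["{$ownershipField}"];
            Log::debug("{$tag}: Testing list rows {$entityId} with {$ownershipField}={$owner_id}");

            // Compare as strings: loose == lets numeric-looking strings that differ
            // textually compare equal, which is not wanted in an access decision.
            if ((string) $owner_id !== $requestor) {
                Log::debug("{$tag}: {$ownershipTable} with ID {$entityId} is not owned by requestor");
                return false;
            }

            Log::debug("{$tag}: {$ownershipTable} with ID {$entityId} is owned by requestor");
        }

        // If processing has reached this point, all rows are owned by the requestor
        Log::debug("{$tag}: All {$ownershipTable} rows are owned by requestor");
        return true;
    }

    if (empty($ownerIdentifier)) {
        Log::error("{$tag}: Invalid <Ownership> rule");
        return false;
    }

    // TEST FOR INDIRECT OWNERSHIP BY AFFILIATION (of each listRow)
    // Lookup the "group" that owns this record (in $keyPath)
    // Verify that the requestor is Affiliated with this group
    try {
        // Query for the "affiliations" of "identity" from "ownerIdentifierTable"
        // The results from this query can be reused to test ownership of each listRow
        $ownerIdentifierBP = BlueprintReader::read($ownerIdentifierTable . ".entity.xml");
        $ownerIdentifierDAO = new EntityDAO($ownerIdentifierBP);

        // "id's" are not defined as "fields" in a blueprint; therefore if
        // "identityField" references an "id", we should do a direct load
        if ($identityField == "id") {
            $affiliationObj = $ownerIdentifierDAO->load($identity);
            // A failed load must count as "no affiliation", not as a record to query.
            $affiliations = is_object($affiliationObj) ? array($affiliationObj) : array();
        } else {
            // The original assigned this result to a misspelt variable, so the
            // affiliation list was never populated on this path.
            $affiliations = $ownerIdentifierDAO->findWhere("{$identityField}", "{$identity}");
        }

        foreach ($listRows as $row) {
            $entityId = $row->id;
            $owner_id = $row->columns["{$ownershipField}"]->value;
            Log::debug("Rule requires ownership through affiliation with '{$owner_id}' from keyPath '{$ownerIdentifier}'");

            if (count($affiliations) == 0) {
                Log::debug("{$tag}: No affiliation records matching this identity");
                return false;
            }

            // NOTE:
            // "affiliations" may be defined in such a way that each identity has
            // multiple affiliations; check each matching affiliation for this identity
            $rowIsOwned = false;
            foreach ($affiliations as $candidate) {
                $_affiliation = $candidate->get($ownerIdentifierField);
                if ((string) $_affiliation === (string) $owner_id) {
                    Log::debug("{$tag}: Found matching affiliation '{$_affiliation}' for entityId={$entityId}");
                    $rowIsOwned = true;
                    break;
                }
            }

            // The original never rejected a row that no affiliation matched, so this
            // branch approved every list; deny as soon as one row has no owner match.
            if (!$rowIsOwned) {
                Log::debug("{$tag}: {$ownershipTable} with ID {$entityId} is not owned by requestor");
                return false;
            }
        } // END: foreach($listRow as $row)

        // If processing has reached this point, all rows are owned by the requestor
        Log::debug("{$tag}: All {$ownershipTable} rows are owned by the requestor");
        return true;
    } catch (Exception $e) {
        Log::error("{$tag}: Caught: " . $e->getMessage());
        return false;
    }
}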
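// Post-login forwarder (excerpt): once the login session for $domain exists,
// store the member id in the session and send the browser to $destination.
$domain = isset($_GET["domain"]) ? $_GET["domain"] : null;
$destination = isset($_GET["destination"]) ? $_GET["destination"] : null;

// Init Defaults
// $destination comes from the query string and is copied into a Location header
// below, so only a same-site absolute path is accepted: it must start with one
// "/", must not start with "//", and must contain no backslash or control
// character. Anything else (missing, empty, non-string, relative, or a full URL)
// falls back to "/", which keeps the redirect on this site and keeps CR/LF out of
// the header.
$destinationIsLocalPath = is_string($destination)
    && strncmp($destination, "/", 1) === 0
    && strncmp($destination, "//", 2) !== 0
    && strpos($destination, "\\") === false
    && preg_match('/[\x00-\x1F\x7F]/', $destination) === 0;
if (!$destinationIsLocalPath) {
    $destination = "/";
}

// Debug
// NOTE(review): $domain is still logged exactly as received from the request.
Log::debug("* domain = {$domain}");
Log::debug("* destination = {$destination}");

if (Login::loggedIn($domain)) {
    // Retrieve 'login' from users Login Session
    $login = Login::who($domain);

    // Retrieve member data
    $memberBP = BlueprintReader::read("Member.entity.xml");
    $memberDAO = new EntityDAO($memberBP);
    $matches = $memberDAO->findWhere("login", $login);

    if (count($matches) > 0) {
        // The first match is used even when several members share the login.
        $member = $matches[0];

        // Add data to the users session
        Session::user("member_id", $member->getId()); // Required by Guardian

        // Forward user
        Log::debug("* REDIRECTING TO: {$destination}\n");
        header("location: {$destination}");
        exit;
    } else {
        // Should never happen, since users password was just checked
        Log::error("* Member with login '{$login}' was not found.");
        $content->addHtml("<strong>Login Error</strong><br/>");
        // The login is echoed into HTML, so it is escaped for that context first.
        $content->addHtml("Message: Member with login '" . htmlspecialchars((string) $login, ENT_QUOTES, "UTF-8") . "' was not found.");
        $content->addFile("login.frm");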