public function toggleDisclaimer($actionName, $httpVars, $fileVars)
 {
     $u = AuthService::getLoggedUser();
     $u->personalRole->setParameterValue("action.disclaimer", "DISCLAIMER_ACCEPTED", $httpVars["validate"] == "true" ? "yes" : "no", AJXP_REPO_SCOPE_ALL);
     if ($httpVars["validate"] == "true") {
         $u->removeLock();
         $u->save("superuser");
         AuthService::updateUser($u);
         ConfService::switchUserToActiveRepository($u);
         $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
         $passId = -1;
         if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
             $passId = $force;
         }
         $res = ConfService::switchUserToActiveRepository($u, $passId);
         if (!$res) {
             AuthService::disconnect();
             AJXP_XMLWriter::header();
             AJXP_XMLWriter::requireAuth(true);
             AJXP_XMLWriter::close();
         }
         ConfService::getInstance()->invalidateLoadedRepositories();
     } else {
         $u->setLock("validate_disclaimer");
         $u->save("superuser");
         AuthService::disconnect();
         AJXP_XMLWriter::header();
         AJXP_XMLWriter::requireAuth(true);
         AJXP_XMLWriter::close();
     }
 }
 function tryToLogUser(&$httpVars, $isLast = false)
 {
     if (!isset($httpVars["get_action"]) || $httpVars["get_action"] != "login") {
         return false;
     }
     $rememberLogin = "";
     $rememberPass = "";
     $secureToken = "";
     $loggedUser = null;
     include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
     if (AuthService::suspectBruteForceLogin() && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
         $loggingResult = -4;
     } else {
         $userId = isset($httpVars["userid"]) ? AJXP_Utils::sanitize($httpVars["userid"], AJXP_SANITIZE_EMAILCHARS) : null;
         $userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
         $rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] == "true" ? true : false;
         $cookieLogin = isset($httpVars["cookie_login"]) ? true : false;
         $loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $httpVars["login_seed"]);
         if ($rememberMe && $loggingResult == 1) {
             $rememberLogin = "******";
             $rememberPass = "******";
         }
         if ($loggingResult == 1) {
             session_regenerate_id(true);
             $secureToken = AuthService::generateSecureToken();
         }
         if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
             $loggingResult = -4;
             // Force captcha reload
         }
     }
     $loggedUser = AuthService::getLoggedUser();
     if ($loggedUser != null) {
         $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
         $passId = -1;
         if (isset($httpVars["tmp_repository_id"])) {
             $passId = $httpVars["tmp_repository_id"];
         } else {
             if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
                 $passId = $force;
             }
         }
         $res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
         if (!$res) {
             AuthService::disconnect();
             $loggingResult = -3;
         }
     }
     if ($loggedUser != null && (AuthService::hasRememberCookie() || isset($rememberMe) && $rememberMe == true)) {
         AuthService::refreshRememberCookie($loggedUser);
     }
     AJXP_XMLWriter::header();
     AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
     AJXP_XMLWriter::close();
     if ($loggingResult > 0 || $isLast) {
         exit;
     }
 }
Exemple #3
0
if (AuthService::usersEnabled()) {
    $httpVars = array_merge($_GET, $_POST);
    AuthService::logUser(null, null);
    // Check that current user can access current repository, try to switch otherwise.
    $loggedUser = AuthService::getLoggedUser();
    if ($loggedUser == null) {
        // Try prelogging user if the session expired but the logging data is in fact still present
        // For example, for basic_http auth.
        AuthService::preLogUser(isset($httpVars["remote_session"]) ? $httpVars["remote_session"] : "");
        $loggedUser = AuthService::getLoggedUser();
        if ($loggedUser == null) {
            $requireAuth = true;
        }
    }
    if ($loggedUser != null) {
        $res = ConfService::switchUserToActiveRepository($loggedUser, isset($httpVars["tmp_repository_id"]) ? $httpVars["tmp_repository_id"] : "-1");
        if (!$res) {
            AuthService::disconnect();
            $requireAuth = true;
        }
    }
} else {
    AJXP_Logger::debug(ConfService::getCurrentRepositoryId());
}
//Set language
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser != null && $loggedUser->getPref("lang") != "") {
    ConfService::setLanguage($loggedUser->getPref("lang"));
} else {
    if (isset($_COOKIE["AJXP_lang"])) {
        ConfService::setLanguage($_COOKIE["AJXP_lang"]);
 function tryToLogUser(&$httpVars, $isLast = false)
 {
     $checkNonce = $this->pluginConf["CHECK_NONCE"] === true;
     $token = $this->detectVar($httpVars, "cyphered_token");
     $tokenInc = $this->detectVar($httpVars, "cyphered_token_inc");
     if (empty($token) || $checkNonce && empty($tokenInc)) {
         return false;
     }
     if (!$checkNonce) {
         $decoded = $this->decrypt($this->pluginConf["PRIVATE_KEY"], $token);
     } else {
         $decoded = $this->decrypt($this->pluginConf["PRIVATE_KEY"] . ":" . $tokenInc, $token);
     }
     if ($decoded == null) {
         return false;
     }
     $data = unserialize($decoded);
     if (empty($data) || !is_array($data) || !isset($data["user_id"]) || !isset($data["user_pwd"])) {
         $this->logDebug(__FUNCTION__, "Cyphered Token found but wrong deserizalized data");
         return false;
     }
     if (AuthService::getLoggedUser() != null) {
         $currentUser = AuthService::getLoggedUser()->getId();
         if ($currentUser != $data["user_id"]) {
             AuthService::disconnect();
         }
     }
     $this->logDebug(__FUNCTION__, "Trying to log user " . $data["user_id"] . " from cyphered token");
     $userId = $data["user_id"];
     if ($checkNonce) {
         $keys = $this->getLastKeys();
         $lastInc = 0;
         if (isset($keys[$userId])) {
             $lastInc = $keys[$userId];
         }
         if ($tokenInc <= $lastInc) {
             $this->logDebug(__FUNCTION__, "Key was already used for this user id");
             return false;
         }
     }
     $res = AuthService::logUser($data["user_id"], $data["user_pwd"], false, false, -1);
     if ($res > 0) {
         $this->logDebug(__FUNCTION__, "Success");
         if ($checkNonce) {
             $keys[$userId] = $tokenInc;
             $this->storeLastKeys($keys);
         }
         $loggedUser = AuthService::getLoggedUser();
         $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
         $passId = -1;
         if (isset($httpVars["tmp_repository_id"])) {
             $passId = $httpVars["tmp_repository_id"];
         } else {
             if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
                 $passId = $force;
             }
         }
         ConfService::switchUserToActiveRepository($loggedUser, $passId);
         return true;
     }
     $this->logDebug(__FUNCTION__, "Wrong result " . $res);
     return false;
 }
Exemple #5
0
}
if (AuthService::usersEnabled() && !empty($optUser)) {
    $seed = AuthService::generateSeed();
    if ($seed != -1) {
        $optPass = md5(md5($optPass) . $seed);
    }
    $loggingResult = AuthService::logUser($optUser, $optPass, isset($optToken), false, $seed);
    // Check that current user can access current repository, try to switch otherwise.
    $loggedUser = AuthService::getLoggedUser();
    if ($loggedUser != null && $detectedUser !== false && $loggedUser->isAdmin()) {
        AuthService::disconnect();
        AuthService::logUser($detectedUser, "empty", true, false, "");
        $loggedUser = AuthService::getLoggedUser();
    }
    if ($loggedUser != null) {
        $res = ConfService::switchUserToActiveRepository($loggedUser, $optRepoId);
        if (!$res) {
            AuthService::disconnect();
            $requireAuth = true;
        }
    }
    if (isset($loggingResult) && $loggingResult != 1) {
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::loggingResult($loggingResult, false, false, "");
        AJXP_XMLWriter::close();
        if ($optStatusFile) {
            file_put_contents($optStatusFile, "ERROR:No user logged");
        }
    }
} else {
    AJXP_Logger::debug(ConfService::getCurrentRepositoryId());
 public function switchAction($action, $httpVars, $fileVars)
 {
     if (!isset($this->actions[$action])) {
         return;
     }
     $mess = ConfService::getMessages();
     switch ($action) {
         case "login":
             if (!AuthService::usersEnabled()) {
                 return;
             }
             $rememberLogin = "";
             $rememberPass = "";
             $secureToken = "";
             $loggedUser = null;
             include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
             if (AuthService::suspectBruteForceLogin() && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
                 $loggingResult = -4;
             } else {
                 $userId = isset($httpVars["userid"]) ? trim($httpVars["userid"]) : null;
                 $userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
                 $rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] == "true" ? true : false;
                 $cookieLogin = isset($httpVars["cookie_login"]) ? true : false;
                 $loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $httpVars["login_seed"]);
                 if ($rememberMe && $loggingResult == 1) {
                     $rememberLogin = "******";
                     $rememberPass = "******";
                     $loggedUser = AuthService::getLoggedUser();
                 }
                 if ($loggingResult == 1) {
                     session_regenerate_id(true);
                     $secureToken = AuthService::generateSecureToken();
                 }
                 if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
                     $loggingResult = -4;
                     // Force captcha reload
                 }
             }
             $loggedUser = AuthService::getLoggedUser();
             if ($loggedUser != null) {
                 $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
                 $passId = -1;
                 if (isset($httpVars["tmp_repository_id"])) {
                     $passId = $httpVars["tmp_repository_id"];
                 } else {
                     if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
                         $passId = $force;
                     }
                 }
                 $res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
                 if (!$res) {
                     AuthService::disconnect();
                     $loggingResult = -3;
                 }
             }
             if ($loggedUser != null && (AuthService::hasRememberCookie() || isset($rememberMe) && $rememberMe == true)) {
                 AuthService::refreshRememberCookie($loggedUser);
             }
             AJXP_XMLWriter::header();
             AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
             AJXP_XMLWriter::close();
             break;
             //------------------------------------
             //	CHANGE USER PASSWORD
             //------------------------------------
         //------------------------------------
         //	CHANGE USER PASSWORD
         //------------------------------------
         case "pass_change":
             $userObject = AuthService::getLoggedUser();
             if ($userObject == null || $userObject->getId() == "guest") {
                 header("Content-Type:text/plain");
                 print "SUCCESS";
                 break;
             }
             $oldPass = $httpVars["old_pass"];
             $newPass = $httpVars["new_pass"];
             $passSeed = $httpVars["pass_seed"];
             if (strlen($newPass) < ConfService::getCoreConf("PASSWORD_MINLENGTH", "auth")) {
                 header("Content-Type:text/plain");
                 print "PASS_ERROR";
                 break;
             }
             if (AuthService::checkPassword($userObject->getId(), $oldPass, false, $passSeed)) {
                 AuthService::updatePassword($userObject->getId(), $newPass);
                 if ($userObject->getLock() == "pass_change") {
                     $userObject->removeLock();
                     $userObject->save("superuser");
                 }
             } else {
                 header("Content-Type:text/plain");
                 print "PASS_ERROR";
                 break;
             }
             header("Content-Type:text/plain");
             print "SUCCESS";
             break;
         case "logout":
             AuthService::disconnect();
             $loggingResult = 2;
             session_destroy();
             AJXP_XMLWriter::header();
             AJXP_XMLWriter::loggingResult($loggingResult, null, null, null);
             AJXP_XMLWriter::close();
             break;
         case "get_seed":
             $seed = AuthService::generateSeed();
             if (AuthService::suspectBruteForceLogin()) {
                 HTMLWriter::charsetHeader('application/json');
                 print json_encode(array("seed" => $seed, "captcha" => true));
             } else {
                 HTMLWriter::charsetHeader("text/plain");
                 print $seed;
             }
             //exit(0);
             break;
         case "get_secure_token":
             HTMLWriter::charsetHeader("text/plain");
             print AuthService::generateSecureToken();
             //exit(0);
             break;
         case "get_captcha":
             include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
             CaptchaProvider::sendCaptcha();
             //exit(0) ;
             break;
         case "back":
             AJXP_XMLWriter::header("url");
             echo AuthService::getLogoutAddress(false);
             AJXP_XMLWriter::close("url");
             //exit(1);
             break;
         default:
             break;
     }
     return "";
 }
 public function postVerificationCode($action, $httpVars, $fileVars)
 {
     if ($action != "duo_post_verification_code") {
         return;
     }
     $u = AuthService::getLoggedUser();
     if ($u == null) {
         return;
     }
     $sigResponse = $httpVars["sig_response"];
     require_once $this->getBaseDir() . "/duo_php/duo_web.php";
     $appUnique = $this->getFilteredOption("DUO_AUTH_AKEY");
     $iKey = $this->getFilteredOption("DUO_AUTH_IKEY");
     $sKey = $this->getFilteredOption("DUO_AUTH_SKEY");
     $verif = Duo::verifyResponse($iKey, $sKey, $appUnique, $sigResponse);
     if ($verif != null && $verif == $u->getId()) {
         $u->removeLock();
         $u->save("superuser");
         $u->recomputeMergedRole();
         AuthService::updateUser($u);
         ConfService::switchUserToActiveRepository($u);
         $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
         $passId = -1;
         if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
             $passId = $force;
         }
         $res = ConfService::switchUserToActiveRepository($u, $passId);
         if (!$res) {
             AuthService::disconnect();
             AJXP_XMLWriter::header();
             AJXP_XMLWriter::requireAuth(true);
             AJXP_XMLWriter::close();
         }
     } else {
         AuthService::disconnect();
         AJXP_XMLWriter::header();
         AJXP_XMLWriter::requireAuth(true);
         AJXP_XMLWriter::close();
     }
 }
 function tryToLogUser(&$httpVars, $isLast = false)
 {
     if (isset($_SESSION["CURRENT_MINISITE"])) {
         return false;
     }
     $this->loadConfig();
     if (isset($_SESSION['AUTHENTICATE_BY_CAS'])) {
         $flag = $_SESSION['AUTHENTICATE_BY_CAS'];
     } else {
         $flag = 0;
     }
     $pgtIou = !empty($httpVars['pgtIou']);
     $logged = isset($_SESSION['LOGGED_IN_BY_CAS']);
     $enre = !empty($httpVars['put_action_enable_redirect']);
     $ticket = !empty($httpVars['ticket']);
     $pgt = !empty($_SESSION['phpCAS']['pgt']);
     $clientModeTicketPendding = isset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
     if ($this->cas_modify_login_page) {
         if ($flag == 0 && $enre && !$logged && !$pgtIou) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($flag == 1 && !$enre && !$logged && !$pgtIou && !$ticket && !$pgt) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
         } elseif ($flag == 1 && $enre && !$logged && !$pgtIou) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($pgtIou || $pgt) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
         } elseif ($ticket) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
             $_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING'] = 1;
         } elseif ($logged && $pgtIou) {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 2;
         } else {
             $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
         }
         if ($_SESSION['AUTHENTICATE_BY_CAS'] < 1) {
             if ($clientModeTicketPendding) {
                 unset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
             } else {
                 return false;
             }
         }
     }
     /**
      * Depend on phpCAS mode configuration
      */
     switch ($this->cas_mode) {
         case PHPCAS_MODE_CLIENT:
             if ($this->checkConfigurationForClientMode()) {
                 AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Client: ", "sucessfully");
                 phpCAS::client(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
                 if (!empty($this->cas_certificate_path)) {
                     phpCAS::setCasServerCACert($this->cas_certificate_path);
                 } else {
                     phpCAS::setNoCasServerValidation();
                 }
                 /**
                  * Debug
                  */
                 if ($this->cas_debug_mode) {
                     // logfile name by date:
                     $today = getdate();
                     $file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
                     empty($this->cas_debug_file) ? $file_path : ($file_path = $this->cas_debug_file);
                     phpCAS::setDebug($file_path);
                 }
                 phpCAS::forceAuthentication();
             } else {
                 AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode CLIENT, please verify the configuration", "");
                 return false;
             }
             break;
         case PHPCAS_MODE_PROXY:
             /**
              * If in login page, user click on login via CAS, the page will be reload with manuallyredirectocas is set.
              * Or force redirect to cas login page even the force redirect is set in configuration of this module
              *
              */
             if ($this->checkConfigurationForProxyMode()) {
                 AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Proxy: ", "sucessfully");
                 /**
                  * init phpCAS in mode proxy
                  */
                 phpCAS::proxy(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
                 if (!empty($this->cas_certificate_path)) {
                     phpCAS::setCasServerCACert($this->cas_certificate_path);
                 } else {
                     phpCAS::setNoCasServerValidation();
                 }
                 /**
                  * Debug
                  */
                 if ($this->cas_debug_mode) {
                     // logfile name by date:
                     $today = getdate();
                     $file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
                     empty($this->cas_debug_file) ? $file_path : ($file_path = $this->cas_debug_file);
                     phpCAS::setDebug($file_path);
                 }
                 if (!empty($this->cas_setFixedCallbackURL)) {
                     phpCAS::setFixedCallbackURL($this->cas_setFixedCallbackURL);
                 }
                 //
                 /**
                  * PTG storage
                  */
                 $this->setPTGStorage();
                 phpCAS::forceAuthentication();
                 /**
                  * Get proxy ticket (PT) for SAMBA to authentication at CAS via pam_cas
                  * In fact, we can use any other service. Of course, it should be enabled in CAS
                  *
                  */
                 $err_code = null;
                 $serviceURL = $this->cas_proxied_service;
                 AJXP_Logger::debug(__FUNCTION__, "Try to get proxy ticket for service: ", $serviceURL);
                 $res = phpCAS::serviceSMB($serviceURL, $err_code);
                 if (!empty($res)) {
                     $_SESSION['PROXYTICKET'] = $res;
                     AJXP_Logger::info(__FUNCTION__, "Get Proxy ticket successfully ", "");
                 } else {
                     AJXP_Logger::info(__FUNCTION__, "Could not get Proxy ticket. ", "");
                 }
                 break;
             } else {
                 AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode PROXY, please verify the configuration", "");
                 return false;
             }
         default:
             return false;
             break;
     }
     AJXP_Logger::debug(__FUNCTION__, "Call phpCAS::getUser() after forceAuthentication ", "");
     $cas_user = phpCAS::getUser();
     if (!AuthService::userExists($cas_user) && $this->is_AutoCreateUser) {
         AuthService::createUser($cas_user, openssl_random_pseudo_bytes(20));
     }
     if (AuthService::userExists($cas_user)) {
         $res = AuthService::logUser($cas_user, "", true);
         if ($res > 0) {
             AJXP_Safe::storeCredentials($cas_user, $_SESSION['PROXYTICKET']);
             $_SESSION['LOGGED_IN_BY_CAS'] = true;
             if (!empty($this->cas_additional_role)) {
                 $userObj = ConfService::getConfStorageImpl()->createUserObject($cas_user);
                 $roles = $userObj->getRoles();
                 $cas_RoleID = $this->cas_additional_role;
                 $userObj->addRole(AuthService::getRole($cas_RoleID, true));
                 AuthService::updateUser($userObj);
             }
             // try to log to DEFAULT START REPO
             $userObj->recomputeMergedRole();
             $loggedUser = $userObj;
             $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
             $passId = -1;
             if (isset($httpVars["tmp_repository_id"])) {
                 $passId = $httpVars["tmp_repository_id"];
             } else {
                 if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
                     $passId = $force;
                 }
             }
             ConfService::switchUserToActiveRepository($loggedUser, $passId);
             return true;
         }
     }
     return false;
 }