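/**
 * Database authentication.
 *
 * Looks the user up by e-mail in the local user table and, when the supplied
 * password matches the stored hash (or the request was pre-authenticated
 * externally), starts the CDash session and records the login in
 * $_SESSION['cdash'].
 *
 * @param string      $email              Login e-mail address (untrusted input).
 * @param string|null $password           Clear-text password. null means the
 *                                        identity was verified by an external
 *                                        mechanism; this is only honoured when
 *                                        $CDASH_EXTERNAL_AUTH is enabled.
 * @param string      $SessionCachePolicy Value passed to session_cache_limiter().
 * @param bool        $rememberme         Whether to issue the remember-me cookie.
 *
 * @return bool true when the login succeeded; false otherwise, with the reason
 *              stored in the global $loginerror.
 */
function databaseAuthenticate($email, $password, $SessionCachePolicy, $rememberme)
{
    global $loginerror;
    $loginerror = '';

    include dirname(__DIR__) . '/config/config.php';

    $db = pdo_connect("{$CDASH_DB_HOST}", "{$CDASH_DB_LOGIN}", "{$CDASH_DB_PASS}");
    pdo_select_db("{$CDASH_DB_NAME}", $db);

    // $email is untrusted. The pdo_* wrappers used here do not expose bound
    // parameters, so the value is escaped with the project's helper.
    $sql = 'SELECT id,password FROM ' . qid('user')
        . " WHERE email='" . pdo_real_escape_string($email) . "'";
    $result = pdo_query("{$sql}");

    if (pdo_num_rows($result) == 0) {
        pdo_free_result($result);
        // Same message as for a wrong password so the response does not reveal
        // whether the e-mail address is registered.
        $loginerror = 'Wrong email or password.';
        return false;
    }

    $user_array = pdo_fetch_array($result);
    // The row is copied into $user_array; release the result on every path.
    pdo_free_result($result);
    $pass = $user_array['password'];

    // Check if the account is locked out.
    if (accountIsLocked($user_array['id'])) {
        return false;
    }

    // External authentication: the caller has already verified the identity.
    if ($password === null && isset($CDASH_EXTERNAL_AUTH) && $CDASH_EXTERNAL_AUTH) {
        // create the session array
        $_SESSION['cdash'] = array(
            // Previously read an undefined $login, which stored null here.
            'login' => $email,
            'password' => 'this is not a valid password',
            'passwd' => $user_array['password'],
            'ID' => session_id(),
            'valid' => 1,
            'loginid' => $user_array['id'],
        );
        return true; // authentication succeeded
    }

    // The stored hash is unsalted MD5 (legacy scheme kept for compatibility
    // with existing rows). hash_equals() replaces the former loose `==`, which
    // compared numeric-looking hashes ("0e..." strings) as numbers and leaked
    // timing information.
    if (is_string($pass) && hash_equals($pass, md5((string) $password))) {
        // Authentication is successful.
        if ($rememberme) {
            setRememberMeCookie($user_array['id']);
        }
        session_name('CDash');
        session_cache_limiter($SessionCachePolicy);
        session_set_cookie_params($CDASH_COOKIE_EXPIRATION_TIME);
        @ini_set('session.gc_maxlifetime', $CDASH_COOKIE_EXPIRATION_TIME + 600);
        session_start();

        // create the session array
        $_SESSION['cdash'] = array(
            'login' => $email,
            'passwd' => $pass,
            'ID' => session_id(),
            'valid' => 1,
            'loginid' => $user_array['id'],
        );
        checkForExpiredPassword();
        clearUnsuccessfulAttempts($user_array['id']);
        return true;
    }

    incrementUnsuccessfulAttempts($user_array['id']);
    $loginerror = 'Wrong email or password.';
    return false;
}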
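/**
 * Google authentication (OAuth2 callback handler).
 *
 * Validates the anti-forgery state, exchanges the authorization code for a
 * token, looks the Google account's e-mail up in the user table and either
 * logs the user in or redirects to a pre-filled registration page.
 *
 * @param string $code Authorization code received from Google.
 *
 * @return bool|null true on success; false when the e-mail is unknown (after
 *                   redirecting to registration); null when the state or the
 *                   token exchange is invalid (an error is logged).
 */
function googleAuthenticate($code)
{
    $state = getGoogleAuthenticateState();
    if ($state === false) {
        return;
    }

    include dirname(__DIR__) . '/config/config.php';
    global $CDASH_DB_HOST, $CDASH_DB_LOGIN, $CDASH_DB_PASS, $CDASH_DB_NAME;

    $SessionCachePolicy = 'private_no_expire';

    // initialize the session
    session_name('CDash');
    session_cache_limiter($SessionCachePolicy);
    session_set_cookie_params($CDASH_COOKIE_EXPIRATION_TIME);
    @ini_set('session.gc_maxlifetime', $CDASH_COOKIE_EXPIRATION_TIME + 600);
    session_start();

    // Check that the anti-forgery token is valid. A session without a token is
    // a mismatch (the former loose `!=` accepted null against an empty state
    // token), and hash_equals() avoids type juggling and timing leaks.
    $sessionToken = isset($_SESSION['cdash']['csrfToken'])
        ? (string) $_SESSION['cdash']['csrfToken']
        : '';
    if ($sessionToken === '' || !hash_equals($sessionToken, (string) $state->csrfToken)) {
        add_log('state anti-forgery token mismatch: ' . $state->csrfToken . ' vs ' . $sessionToken,
            'googleAuthenticate', LOG_ERR);
        return;
    }

    $redirectURI = strtok(get_server_URI(false), '?');
    // The return value of get_server_URI can be inconsistent.
    // It simply returns $CDASH_BASE_URL if that variable is set, yielding a
    // return value like http://mydomain.com/CDash.
    // If this variable is not set, then it will return the full URI including
    // the current script, ie
    // http://mydomain.com/CDash/googleauth_callback.php.
    //
    // Make sure that redirectURI contains the path to our callback script.
    if (strpos($redirectURI, 'googleauth_callback.php') === false) {
        $redirectURI .= '/googleauth_callback.php';
    }

    try {
        $config = new Google_Config();
        if ($CDASH_MEMCACHE_ENABLED) {
            $config->setCacheClass('Google_Cache_Memcache');
            list($server, $port) = $CDASH_MEMCACHE_SERVER;
            $config->setClassConfig('Google_Cache_Memcache', 'host', $server);
            $config->setClassConfig('Google_Cache_Memcache', 'port', $port);
        }
        $client = new Google_Client($config);
        $client->setClientId($GOOGLE_CLIENT_ID);
        $client->setClientSecret($GOOGLE_CLIENT_SECRET);
        $client->setRedirectUri($redirectURI);
        // Use the code passed in by the caller instead of re-reading $_GET.
        $client->authenticate($code);
        $oauth = new Google_Service_Oauth2($client);
        $me = $oauth->userinfo->get();
    } catch (Google_Auth_Exception $e) {
        add_log('Google access token request failed: ' . $e->getMessage(),
            'googleAuthenticate', LOG_ERR);
        return;
    }

    // Check if this email address appears in our user database
    $email = strtolower($me->getEmail());
    $db = pdo_connect("{$CDASH_DB_HOST}", "{$CDASH_DB_LOGIN}", "{$CDASH_DB_PASS}");
    pdo_select_db("{$CDASH_DB_NAME}", $db);
    $sql = 'SELECT id,password FROM ' . qid('user')
        . " WHERE email='" . pdo_real_escape_string($email) . "'";
    $result = pdo_query("{$sql}");

    if (pdo_num_rows($result) == 0) {
        // if no match is found, redirect to pre-filled out registration page
        pdo_free_result($result);
        // http_build_query() URL-encodes the profile values; plain string
        // interpolation broke the query string on names containing '&', '#'
        // or spaces.
        $query = http_build_query(array(
            'firstname' => (string) $me->getGivenName(),
            'lastname' => (string) $me->getFamilyName(),
            'email' => $email,
        ));
        header('Location: register.php?' . $query);
        return false;
    }

    $user_array = pdo_fetch_array($result);
    pdo_free_result($result);

    if ($state->rememberMe) {
        require_once 'include/login_functions.php';
        setRememberMeCookie($user_array['id']);
    }

    $_SESSION['cdash'] = array(
        'login' => $email,
        'passwd' => $user_array['password'],
        'ID' => session_id(),
        'valid' => 1,
        'loginid' => $user_array['id'],
    );
    session_write_close();

    // NOTE(review): requestedURI travels through the OAuth state round-trip and
    // is bound to this session by the CSRF check above; confirm that it is
    // restricted to a local path where the state is first recorded.
    header("Location: {$state->requestedURI}");
    return true; // authentication succeeded
}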