public static function authenticate($entitySignature, $identityKey, $resourceKey, $authKey, $identity, $resource)
{
$tag = "Sentry::authenticate()";
Log::notice("{$tag}: <entitySignature={$entitySignature}, {$identityKey}={$identity}, {$resourceKey}={$resource}>");
// TODO: (?) check users session for cached permissions
try {
$sentryBP = BlueprintReader::read($entitySignature);
$entityDAO = new EntityDAO($sentryBP);
$keys = array("{$identityKey}", "{$resourceKey}");
$values = array("{$identity}", "{$resource}");
$matches = $entityDAO->findWhere($keys, $values);
if (0 == count($matches)) {
Log::debug("{$tag}: No permission record was found.");
return false;
} else {
if (1 == count($matches)) {
// found a matching permission record
$entity = $matches[0];
// extract value of $authKey field
$authValue = $entity->get($authKey);
// test for boolean values
if (empty($authValue) || $authValue == 0 || $authValue == "0" || strtoupper($authValue) == "NO" || strtoupper($authValue) == "FALSE") {
Log::debug("{$tag}: {$identityKey} {$identity} does not have permission to access {$resourceKey} {$resource}");
return false;
} else {
if ($authValue == 1 || $authValue == "1" || strtoupper($authValue) == "YES" || strtoupper($authValue) == "TRUE") {
Log::debug("{$tag}: {$identityKey} {$identity} has permission to access {$resourceKey} {$resource}");
return true;
}
}
} else {
if (1 < count($matches)) {
Log::warning("{$tag}: ! More than one permission record was found.");
return false;
}
}
}
} catch (Exception $e) {
Log::error("{$tag}: " . $e->getMessage());
return false;
}
}
$login_key = @$_POST["login_key"];
$passwd_key = @$_POST["passwd_key"];
$login = @$_POST["login"];
$passwd = @$_POST["passwd"];
// Init Defaults
if (empty($destination)) {
$destination = "/";
}
// Debug
Log::debug("* domain = {$domain}");
Log::debug("* destination = {$destination}");
Log::debug("* login = {$login}");
// Lookup Member by Login
$memberBP = BlueprintReader::read($entity_blueprint);
$memberDAO = new EntityDAO($memberBP);
$matches = $memberDAO->findWhere($login_key, $login);
if (count($matches) == 1) {
$member = $matches[0];
$member_id = $member->getId();
// Throttle the login attempts
$num_failed_attempts = 0;
if (BPConfig::$login_throttle_enabled) {
$loginThrottleTable = substr(BPConfig::$login_throttle_blueprint, 0, strpos(BPConfig::$login_throttle_blueprint, "."));
$query = "SELECT * FROM " . $loginThrottleTable . " WHERE (" . BPConfig::$login_throttle_field_id . "={$member_id}) AND (time >= (UTC_TIMESTAMP() - INTERVAL " . BPConfig::$login_throttle_lockout_period . " SECOND) )";
$sql = new DatabaseQuery($query);
$sql->doQuery();
$num_failed_attempts = $sql->get_num_rows();
}
if ($num_failed_attempts >= BPConfig::$login_throttle_lockout_attempts) {
Log::warning("* THROTTLE LOCKOUT: " . $num_failed_attempts . " failed login attempts during the last " . BPConfig::$login_throttle_lockout_period . " seconds");
$status = "error";
private function test_access_list_rule_ownership($rule, $identity, $listRows)
{
$tag = "Guardian: test_access_list_rule_ownership()";
Log::debug("{$tag}");
$ownerIdentifier = (string) $rule;
$keyPath = $rule["keyPath"];
$identityKeyPath = $rule["identityKeyPath"];
list($ownershipTable, $ownershipField) = explode(".", $keyPath);
list($identityTable, $identityField) = explode(".", $identityKeyPath);
list($ownerIdentifierTable, $ownerIdentifierField) = explode(".", $ownerIdentifier);
Log::debug("{$tag}: Rule requires ownership of " . count($listRows) . " list item(s) from keyPath '{$keyPath}'");
if ($ownershipTable == $identityTable) {
// TEST FOR DIRECT OWNERSHIP BY IDENTITY (of each listRow)
foreach ($listRows as $row) {
$entityId = $row->id;
$owner_id = $row->columns["{$ownershipField}"];
Log::debug("{$tag}: Testing list rows {$entityId} with {$ownershipField}={$owner_id}");
if ($owner_id == $identity) {
Log::debug("{$tag}: {$ownershipTable} with ID {$entityId} is owned by requestor");
// Continue testing next row
} else {
Log::debug("{$tag}: {$ownershipTable} with ID {$entityId} is not owned by requestor");
return false;
}
}
// If processing has reached this point, all rows are owned by the requestor
Log::debug("{$tag}: All {$ownershipTable} rows are owned by requestor");
return true;
} else {
if (!empty($ownerIdentifier)) {
// TEST FOR INDIRECT OWNERSHIP BY AFFILIATION (of each listRow)
// Lookup the "group" that owns this record (in $keyPath)
// Verify that the requestor is Affiliated with this group
try {
// Query for the "affiliations" of "identity" from "ownerIdentifierTable"
// The results from this query can be reused to test ownership of each listRow
$ownerIdentifierBP = BlueprintReader::read($ownerIdentifierTable . ".entity.xml");
$ownerIdentifierDAO = new EntityDAO($ownerIdentifierBP);
// "id's" are not defined as "fields" in a blueprint; therefore if "identityField" references an "id", we should do a direct load
if ($identityField == "id") {
$affiliationObj = $ownerIdentifierDAO->load($identity);
$affiliations = array($affiliationObj);
} else {
$affilations = $ownerIdentifierDAO->findWhere("{$identityField}", "{$identity}");
}
foreach ($listRows as $row) {
$entityId = $row->id;
$owner_id = $row->columns["{$ownershipField}"]->value;
Log::debug("Rule requires ownership through affiliation with '{$owner_id}' from keyPath '{$ownerIdentifier}'");
// NOTE:
// "affiliations" may be defined in such a way that each identity has multiple affiliations
// check each matching affiliation for this identity
if (count($affiliations > 0)) {
for ($i = 0; $i < count($affiliations); $i++) {
$affiliationObj = $affiliations[0];
$_affiliation = $affiliationObj->get($ownerIdentifierField);
if ($_affiliation == $owner_id) {
Log::debug("{$tag}: Found matching affiliation '{$_affiliation}' for entityId={$entityId}");
// Continue checking the next listRow
}
}
} else {
Log::debug("{$tag}: No affiliation records matching this identity");
return false;
}
}
// END: foreach($listRow as $row)
// If processing has reached this point, all rows are owned by the requestor
Log::debug("{$tag}: All {$ownershipTable} rows are owned by the requestor");
return true;
} catch (Exception $e) {
Log::error("{$tag}: Caught: " . $e->getMessage());
return false;
}
} else {
Log::error("{$tag}: Invalid <Ownership> rule");
return false;
}
}
}
$domain = @$_GET["domain"];
$destination = @$_GET["destination"];
// Init Defaults
if (empty($destination)) {
$destination = "/";
}
// Debug
Log::debug("* domain = {$domain}");
Log::debug("* destination = {$destination}");
if (Login::loggedIn($domain)) {
// Retrieve 'login' from users Login Session
$login = Login::who($domain);
// Retrieve member data
$memberBP = BlueprintReader::read("Member.entity.xml");
$memberDAO = new EntityDAO($memberBP);
$matches = $memberDAO->findWhere("login", $login);
if (count($matches) > 0) {
$member = $matches[0];
// Add data to the users session
Session::user("member_id", $member->getId());
// Required by Guardian
// Forward user
Log::debug("* REDIRECTING TO: {$destination}\n");
header("location: {$destination}");
exit;
} else {
// Should never happen, since users password was just checked
Log::error("* Member with login '{$login}' was not found.");
$content->addHtml("<strong>Login Error</strong><br/>");
$content->addHtml("Message: Member with login '{$login}' was not found.");
$content->addFile("login.frm");
