/**
 * Completes a login submitted against the 'local' authentication mechanism.
 *
 * When validateLocalAccount() accepts the credentials the attempt is logged
 * as a success, the VCLAUTH auth cookie and the VCLSKIN cookie are set and the
 * browser is redirected to the main page. Otherwise the attempt is logged as
 * a failure and the login page is shown again. Both paths call dbDisconnect()
 * and exit, so the function never returns to its caller.
 *
 * @param string $userid   login name; "$userid@local" is used for the auth cookie
 * @param string $passwd   password handed to validateLocalAccount()
 * @param string $authtype key into $authMechs for the mechanism being used
 */
function localLogin($userid, $passwd, $authtype) {
    global $HTMLheader, $phpVer, $authMechs;
    $affilid = $authMechs[$authtype]['affiliationid'];
    if (!validateLocalAccount($userid, $passwd)) {
        // failed attempt: record it, then redisplay the login form
        addLoginLog($userid, $authtype, $affilid, 0);
        printLoginPageWithSkin($authtype);
        printHTMLFooter();
        dbDisconnect();
        exit;
    }
    addLoginLog($userid, $authtype, $affilid, 1);
    // auth cookie; expiry 0 makes it a session cookie
    $cookie = getAuthCookieData("{$userid}@local");
    $cookieval = "{$cookie['data']}";
    // the httponly argument of setcookie() only exists from PHP 5.2 on
    $haveHttpOnly = version_compare(PHP_VERSION, "5.2", ">=");
    if ($haveHttpOnly) {
        setcookie("VCLAUTH", $cookieval, 0, "/", COOKIEDOMAIN, 0, 1);
    }
    else {
        setcookie("VCLAUTH", $cookieval, 0, "/", COOKIEDOMAIN);
    }
    // NOTE(review): the 'secure' flag is passed as 0, so VCLAUTH is also sent
    // over plain HTTP unless the deployment forces HTTPS — confirm
    // skin cookie, kept for 31 days
    setcookie("VCLSKIN", "default", time() + SECINDAY * 31, "/", COOKIEDOMAIN);
    header("Location: " . BASEURL . SCRIPT);
    dbDisconnect();
    exit;
}
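/**
 * Gate for the current request: checks that the caller may use global $mode.
 *
 * - 'vcldquery': the submitted key must equal $vcldquerykey.
 * - 'xmlrpccall': requires SSL, looks up X-User, then authenticates X-Pass
 *   either against the xmlrpcKey table (API version 1) or against the auth
 *   mechanism of the user's affiliation (API version 2: ldap, ITECS or local).
 * - 'xmlrpcaffiliations': requires SSL and API version 1 or 2.
 * - any other non-empty mode: must be an entry point in $actions['entry'],
 *   and for the modes listed in the switch below the user must hold the
 *   required privilege.
 *
 * Denials on the vcldquery / XML-RPC paths print an error, disconnect and
 * exit. Denials of a web mode do not exit; they reset $mode and
 * $actionFunction so the main page is shown instead.
 *
 * Globals written: $mode, $user (XML-RPC paths), $actionFunction.
 *
 * @return void
 */
function checkAccess() {
    global $mode, $user, $viewmode, $actionFunction, $vcldquerykey, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $userlookupUsers;
    if ($mode == "vcldquery") {
        $key = processInputVar("key", ARG_STRING);
        // compare as strings: a loose != treats numeric-looking values such
        // as "1e3" and "1000" (or "0e12" and "0e34") as equal
        if ((string)$key !== (string)$vcldquerykey) {
            print "Access denied\n";
            dbDisconnect();
            exit;
        }
        return;
    }
    if ($mode == 'xmlrpccall') {
        // double check for SSL
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        // refuse a missing or empty X-Pass before any mechanism sees it: an
        // ldap_bind() with an empty password is an anonymous bind and would
        // succeed without checking anything
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        /* code for version 1 should probably be removed in VCL 2.2 */
        if ($apiver == 1) {
            // both values come from request headers; escape them for the
            // query instead of interpolating them raw
            $quser = mysql_real_escape_string($xmluser);
            $qpass = mysql_real_escape_string($xmlpass);
            $query = "SELECT x.id "
                   . "FROM xmlrpcKey x, "
                   . "user u "
                   . "WHERE x.ownerid = u.id AND "
                   . "u.unityid = '{$quser}' AND "
                   . "x.key = '{$qpass}' AND "
                   . "x.active = 1";
            $qh = doQuery($query, 101);
            if (mysql_num_rows($qh) != 1) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
            $row = mysql_fetch_assoc($qh);
            $user['xmlrpckeyid'] = $row['id'];
            return;
        }
        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        // API version 2: authenticate with the mechanism of the user's affiliation
        $authtype = "";
        foreach ($authMechs as $key => $authmech) {
            if ($authmech['affiliationid'] == $user['affiliationid']) {
                $authtype = $key;
                break;
            }
        }
        if (empty($authtype)) {
            // nothing to check the password against; refuse instead of
            // indexing $authMechs with an empty key
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        $auth = $authMechs[$authtype];
        if ($auth['type'] == 'ldap') {
            $ds = ldap_connect("ldaps://{$auth['server']}/");
            if (!$ds) {
                printXMLRPCerror(5); # failed to connect to auth server
                dbDisconnect();
                exit;
            }
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            $ldapuser = sprintf($auth['userid'], $user['unityid']);
            if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
            $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
            if (empty($rc) || $rc['passfail'] == 'fail') {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        elseif ($auth['type'] == 'local') {
            if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        else {
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        return;
    }
    if ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistant
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver != 1 && $apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        return;
    }
    if (empty($mode)) {
        return;
    }
    if (!in_array($mode, $actions['entry']) && !$inContinuation) {
        // not a known entry point: fall back to the main page
        $mode = "main";
        $actionFunction = "main";
        return;
    }
    if ($inContinuation) {
        # the privilege checks below only apply to fresh entries
        return;
    }
    # check that user has access to this area
    $privs = $user["privileges"];
    $allowed = true;
    switch ($mode) {
        case 'viewRequests':
            $allowed = in_array("imageCheckOut", $privs) || in_array("imageAdmin", $privs);
            break;
        case 'blockRequest':
            $allowed = ($viewmode == ADMIN_DEVELOPER);
            break;
        case 'viewGroups':
            $allowed = in_array("groupAdmin", $privs);
            break;
        case 'selectImageOption':
            $allowed = in_array("imageAdmin", $privs);
            break;
        case 'viewSchedules':
            $allowed = in_array("scheduleAdmin", $privs);
            break;
        case 'selectComputers':
            $allowed = in_array("computerAdmin", $privs);
            break;
        case 'selectMgmtnodeOption':
            $allowed = in_array("mgmtNodeAdmin", $privs);
            break;
        case 'pickTimeTable':
            // needs at least one platform and one schedule the user can see
            $computermetadata = getUserComputerMetaData();
            $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
            break;
        case 'viewNodes':
            $allowed = in_array("userGrant", $privs) ||
                       in_array("resourceGrant", $privs) ||
                       in_array("nodeAdmin", $privs);
            break;
        case 'userLookup':
            $allowed = ($viewmode == ADMIN_DEVELOPER) || in_array($user['id'], $userlookupUsers);
            break;
        case 'editVMInfo':
            $allowed = in_array("computerAdmin", $privs);
            break;
        case 'viewdocs':
            $allowed = in_array("userGrant", $privs) ||
                       in_array("resourceGrant", $privs) ||
                       in_array("nodeAdmin", $privs) ||
                       in_array($user['id'], $docreaders);
            break;
    }
    if (!$allowed) {
        // privilege missing: show the main page instead of the requested one
        $mode = "";
        $actionFunction = "main";
        return;
    }
}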
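/**
 * Reads the user preference form and, optionally, validates it.
 *
 * Each field falls back to the current value in global $user (the RDP port
 * to 3389). With $checks enabled, validation failures set bits in global
 * $submitErr and the matching message in $submitErrMsg: preferred name
 * length/charset, local-account password change (current password must
 * verify, new and confirmation must match), and the RDP port (unchangeable
 * while the user has reservations in certain states; must be 1024-65535).
 *
 * @param int $checks 0 to skip validation and just return the raw values
 * @return array keys preferredname, resolution, bpp, audiomode, mapdrives,
 *               mapprinters, mapserial, rdpport and, for Local users who
 *               posted one, newpassword
 */
function processUserPrefsInput($checks = 1) {
    global $submitErr, $submitErrMsg, $user;
    $return = array();
    $defaultres = $user["width"] . 'x' . $user["height"];
    $return["preferredname"] = processInputVar("preferredname", ARG_STRING, $user["preferredname"]);
    $return["resolution"] = processInputVar("resolution", ARG_STRING, $defaultres);
    $return["bpp"] = processInputVar("bpp", ARG_NUMERIC, $user["bpp"]);
    $return["audiomode"] = processInputVar("audiomode", ARG_STRING, $user["audiomode"]);
    $return["mapdrives"] = processInputVar("mapdrives", ARG_NUMERIC, $user["mapdrives"]);
    $return["mapprinters"] = processInputVar("mapprinters", ARG_NUMERIC, $user["mapprinters"]);
    $return["mapserial"] = processInputVar("mapserial", ARG_NUMERIC, $user["mapserial"]);
    $return["rdpport"] = processInputVar("rdpport", ARG_NUMERIC, 3389);
    if (!$checks) {
        return $return;
    }
    // the name is restricted to ASCII letters and spaces below, so a
    // byte-wise strlen is an exact character count
    if (strlen($return["preferredname"]) > 25) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = i("Preferred name can only be up to 25 characters");
    }
    if (!preg_match('/^[a-zA-Z ]*$/', $return["preferredname"])) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = i("Preferred name can only contain letters and spaces");
    }
    if ($user['affiliation'] == 'Local' && array_key_exists('newpassword', $_POST)) {
        $return['newpassword'] = $_POST['newpassword'];
        // the other two fields may be absent from the POST; treat missing as empty
        $confirmpwd = isset($_POST['confirmpassword']) ? $_POST['confirmpassword'] : '';
        $curr = isset($_POST['currentpassword']) ? $_POST['currentpassword'] : '';
        if (get_magic_quotes_gpc()) {
            $return['newpassword'] = stripslashes($return['newpassword']);
            $confirmpwd = stripslashes($confirmpwd);
            $curr = stripslashes($curr);
        }
        if (!empty($return['newpassword']) && !empty($confirmpwd) &&
           !validateLocalAccount($user['unityid'], $curr)) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = i("Password incorrect");
        }
        // strict string comparison: a loose != would treat numeric-looking
        // passwords such as "1e3" and "1000" as matching
        elseif ((string)$return['newpassword'] !== (string)$confirmpwd) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = i("Passwords do not match");
        }
    }
    if ($return['rdpport'] != $user['rdpport']) {
        // reservation states during which the port may not be changed
        $lockedstates = '/^(3|8|24|25|26|27|28|29)$/';
        $requests = getUserRequests('all');
        $nochange = 0;
        foreach ($requests as $req) {
            if (preg_match($lockedstates, $req['currstateid']) ||
               ($req['currstateid'] == 14 && preg_match($lockedstates, $req['laststateid']))) {
                $nochange = 1;
                break;
            }
        }
        if ($nochange) {
            $submitErr |= RDPPORTERR;
            $submitErrMsg[RDPPORTERR] = i("RDP Port cannot be changed while you have active reservations");
        }
    }
    if (!($submitErr & RDPPORTERR) && ($return['rdpport'] < 1024 || $return['rdpport'] > 65535)) {
        $submitErr |= RDPPORTERR;
        $submitErrMsg[RDPPORTERR] = i("RDP Port must be between 1024 and 65535");
    }
    return $return;
}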
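/**
 * Gate for the current request: checks that the caller may use global $mode.
 *
 * - 'xmlrpccall': requires SSL, looks up X-User (retrying getUserInfo() with
 *   $noupdate set), rejects an empty X-Pass, rejects API version 1 and
 *   anything other than 2, then authenticates X-Pass with the mechanism of
 *   the user's affiliation: ldap (optionally resolving the user's DN via a
 *   search first), ITECS, local, or a per-affiliation callback from
 *   $apiValidateFunc for 'redirect' mechanisms.
 * - 'xmlrpcaffiliations': requires SSL and API version 2.
 * - any other non-empty mode: must be an entry point in $actions['entry'],
 *   and for the modes listed in the switch below the user must hold the
 *   required privilege or permission.
 *
 * Denials on the XML-RPC paths print an error, disconnect and exit. Denials
 * of a web mode do not exit; they reset $mode and $actionFunction so the
 * main page is shown instead.
 *
 * Globals written: $mode, $user (XML-RPC path), $actionFunction.
 *
 * @return void
 */
function checkAccess() {
    global $mode, $user, $actionFunction, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $apiValidateFunc;
    if ($mode == 'xmlrpccall') {
        // double check for SSL
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($xmluser, 1))) {
                $testid = $xmluser;
                $affilid = DEFAULT_AFFILID;
                getAffilidAndLogin($testid, $affilid);
                addLoginLog($testid, 'unknown', $affilid, 0);
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        // an empty X-Pass must never reach a mechanism: for ldap it would
        // turn the bind below into an anonymous bind
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8); # unsupported API version
            dbDisconnect();
            exit;
        }
        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        // find the auth mechanism configured for the user's affiliation
        $authtype = "";
        foreach ($authMechs as $key => $authmech) {
            if ($authmech['affiliationid'] == $user['affiliationid']) {
                $authtype = $key;
                break;
            }
        }
        if (empty($authtype)) {
            print "No authentication mechanism found for passed in X-User";
            dbDisconnect();
            exit;
        }
        $auth = $authMechs[$authtype];
        if ($auth['type'] == 'ldap') {
            $ds = ldap_connect("ldaps://{$auth['server']}/");
            if (!$ds) {
                printXMLRPCerror(5); # failed to connect to auth server
                dbDisconnect();
                exit;
            }
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            // empty() rather than a bare index: the key is optional in $authMechs
            if (!empty($auth['lookupuserbeforeauth'])) {
                # in this case, we have to look up what part of the tree the user is in
                # before we can actually look up the user
                if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
                    $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
                }
                else {
                    $res = ldap_bind($ds);
                }
                if (!$res) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(5); # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                // the login name is placed inside an LDAP search filter, so
                // escape the filter metacharacters (RFC 4515); ldap_escape()
                // only exists from PHP 5.6 on, hence the fallback
                if (function_exists('ldap_escape')) {
                    $filterval = ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
                }
                else {
                    $filterval = str_replace(array('\\', '*', '(', ')', "\0"),
                                             array('\5c', '\2a', '\28', '\29', '\00'),
                                             $user['unityid']);
                }
                $search = ldap_search($ds, $auth['binddn'], "{$auth['lookupuserfield']}={$filterval}",
                                      array('dn'), 0, 3, 15);
                if (!$search) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3); # access denied
                    dbDisconnect();
                    exit;
                }
                $tmpdata = ldap_get_entries($ds, $search);
                if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3); # access denied
                    dbDisconnect();
                    exit;
                }
                $ldapuser = $tmpdata[0]['dn'];
            }
            else {
                $ldapuser = sprintf($auth['userid'], $user['unityid']);
            }
            if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
            addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
        }
        elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
            // NOTE(review): unlike the ldap branch, this and the following
            // branches do not call addLoginLog() — confirm whether intended
            $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
            if (empty($rc) || $rc['passfail'] == 'fail') {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        elseif ($auth['type'] == 'local') {
            if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        elseif ($auth['type'] == 'redirect') {
            // delegate to the affiliation's validation callback, if one is registered
            $affilid = $auth['affiliationid'];
            $ok = isset($apiValidateFunc) &&
                  is_array($apiValidateFunc) &&
                  array_key_exists($affilid, $apiValidateFunc) &&
                  $apiValidateFunc[$affilid]($xmluser, $xmlpass);
            if (!$ok) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        else {
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        return;
    }
    if ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistant
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8); # unsupported API version
            dbDisconnect();
            exit;
        }
        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        return;
    }
    if (empty($mode)) {
        return;
    }
    if (!in_array($mode, $actions['entry']) && !$inContinuation) {
        // not a known entry point: fall back to the main page
        $mode = "main";
        $actionFunction = "main";
        return;
    }
    if ($inContinuation) {
        # the privilege checks below only apply to fresh entries
        return;
    }
    # check that user has access to this area
    $privs = $user["privileges"];
    $allowed = true;
    switch ($mode) {
        case 'viewGroups':
            $allowed = in_array("groupAdmin", $privs);
            break;
        case 'serverProfiles':
            $allowed = in_array("serverProfileAdmin", $privs) || in_array("serverCheckOut", $privs);
            break;
        case 'pickTimeTable':
            // needs at least one platform and one schedule the user can see
            $computermetadata = getUserComputerMetaData();
            $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
            break;
        case 'viewNodes':
            $allowed = in_array("userGrant", $privs) ||
                       in_array("resourceGrant", $privs) ||
                       in_array("nodeAdmin", $privs);
            break;
        case 'userLookup':
            $allowed = checkUserHasPerm('User Lookup (global)') ||
                       checkUserHasPerm('User Lookup (affiliation only)');
            break;
        case 'editVMInfo':
            $allowed = in_array("computerAdmin", $privs);
            break;
        case 'siteMaintenance':
            $allowed = checkUserHasPerm('Schedule Site Maintenance');
            break;
        case 'dashboard':
            $allowed = checkUserHasPerm('View Dashboard (global)') ||
                       checkUserHasPerm('View Dashboard (affiliation only)');
            break;
    }
    if (!$allowed) {
        // privilege missing: show the main page instead of the requested one
        $mode = "";
        $actionFunction = "main";
        return;
    }
}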
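/**
 * Reads the user preference form and, optionally, validates it.
 *
 * Each field falls back to the current value in global $user; 'unityid' is
 * always set to "unityid@affiliation" of the current user. With $checks
 * enabled, validation failures set bits in global $submitErr and the
 * matching message in $submitErrMsg: preferred name length/charset, the
 * user id (validateUserid()), and for Local users the password change
 * (current password must verify, new and confirmation must match).
 *
 * @param int $checks 0 to skip validation and just return the raw values
 * @return array keys preferredname, resolution, bpp, audiomode, mapdrives,
 *               mapprinters, mapserial, unityid and, for Local users,
 *               newpassword ('' when nothing was posted)
 */
function processUserPrefsInput($checks = 1) {
    global $submitErr, $submitErrMsg, $user;
    $return = array();
    $defaultres = $user["width"] . 'x' . $user["height"];
    $return["preferredname"] = processInputVar("preferredname", ARG_STRING, $user["preferredname"]);
    $return["resolution"] = processInputVar("resolution", ARG_STRING, $defaultres);
    $return["bpp"] = processInputVar("bpp", ARG_NUMERIC, $user["bpp"]);
    $return["audiomode"] = processInputVar("audiomode", ARG_STRING, $user["audiomode"]);
    $return["mapdrives"] = processInputVar("mapdrives", ARG_NUMERIC, $user["mapdrives"]);
    $return["mapprinters"] = processInputVar("mapprinters", ARG_NUMERIC, $user["mapprinters"]);
    $return["mapserial"] = processInputVar("mapserial", ARG_NUMERIC, $user["mapserial"]);
    $return['unityid'] = "{$user['unityid']}@{$user['affiliation']}";
    if (!$checks) {
        return $return;
    }
    // the name is restricted to ASCII letters and spaces below, so a
    // byte-wise strlen is an exact character count
    if (strlen($return["preferredname"]) > 25) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = "Preferred name can only be up to 25 characters";
    }
    // preg_match replaces ereg(), which is deprecated since PHP 5.3 and gone in 7
    if (!preg_match('/^[a-zA-Z ]*$/', $return["preferredname"])) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = "Preferred name can only contain letters and spaces";
    }
    if (!validateUserid($return['unityid'])) {
        $submitErr |= VIEWASUSERERR;
        $submitErrMsg[VIEWASUSERERR] = "Invalid user id";
    }
    if ($user['affiliation'] == 'Local') {
        // the password fields may be absent from the POST; treat missing as empty
        $return['newpassword'] = isset($_POST['newpassword']) ? $_POST['newpassword'] : '';
        $confirmpwd = isset($_POST['confirmpassword']) ? $_POST['confirmpassword'] : '';
        $curr = isset($_POST['currentpassword']) ? $_POST['currentpassword'] : '';
        if (get_magic_quotes_gpc()) {
            $return['newpassword'] = stripslashes($return['newpassword']);
            $confirmpwd = stripslashes($confirmpwd);
            $curr = stripslashes($curr);
        }
        if (!empty($return['newpassword']) && !empty($confirmpwd) &&
           !validateLocalAccount($user['unityid'], $curr)) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = "Password incorrect";
        }
        // strict string comparison: a loose != would treat numeric-looking
        // passwords such as "1e3" and "1000" as matching
        elseif ((string)$return['newpassword'] !== (string)$confirmpwd) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = "Passwords do not match";
        }
    }
    return $return;
}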