ファイル: authentication.php プロジェクト: bq-xiao/apache-vcl
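/**
 * Complete a login against the "local" authentication mechanism.
 *
 * On success the attempt is logged, the VCLAUTH session cookie and the
 * VCLSKIN preference cookie are set and the browser is redirected to the
 * main page. On failure the attempt is logged and the login page is
 * redisplayed. Either way the function terminates the request.
 *
 * @param string $userid   login name as typed by the user (no affiliation suffix)
 * @param string $passwd   plaintext password as typed by the user
 * @param string $authtype key into $authMechs describing the mechanism in use
 */
function localLogin($userid, $passwd, $authtype)
{
    global $HTMLheader, $phpVer, $authMechs;
    $affilid = $authMechs[$authtype]['affiliationid'];

    if (!validateLocalAccount($userid, $passwd)) {
        // Failed attempt: record it (result 0) and show the login form again.
        addLoginLog($userid, $authtype, $affilid, 0);
        printLoginPageWithSkin($authtype);
        printHTMLFooter();
        dbDisconnect();
        exit;
    }

    // Successful attempt: record it (result 1).
    addLoginLog($userid, $authtype, $affilid, 1);

    //set cookie
    // The auth cookie is the browser's credential from here on. Expiry 0 makes it
    // a session cookie; the Secure flag is set whenever the login itself arrived
    // over TLS so the cookie is never replayed over plain HTTP on such a deployment.
    $cookie = getAuthCookieData("{$userid}@local");
    $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on';
    if (version_compare(PHP_VERSION, "5.2", ">=")) {
        // PHP >= 5.2 accepts the httponly argument, which keeps the cookie away from scripts.
        setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, $secure, 1);
    } else {
        setcookie("VCLAUTH", "{$cookie['data']}", 0, "/", COOKIEDOMAIN, $secure);
    }

    //load main page
    // Skin preference only; not security relevant, kept for 31 days.
    setcookie("VCLSKIN", "default", time() + SECINDAY * 31, "/", COOKIEDOMAIN);
    header("Location: " . BASEURL . SCRIPT);
    dbDisconnect();
    exit;
}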
ファイル: utils.php プロジェクト: gw-acadtech/VCL
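/**
 * Gate-keeper run before the requested $mode is dispatched.
 *
 * Depending on $mode this either:
 *   - 'vcldquery':          checks the shared secret passed as "key";
 *   - 'xmlrpccall':         requires TLS and authenticates the X-User / X-Pass
 *                           headers (API v1: xmlrpcKey table, API v2: the
 *                           affiliation's configured mechanism), setting $user;
 *   - 'xmlrpcaffiliations': requires TLS and a known API version;
 *   - any other mode:       verifies the mode is a valid entry point and that the
 *                           current $user holds the privilege it requires, falling
 *                           back to the main page otherwise.
 *
 * Failed checks on the API paths print an XML-RPC error and terminate the
 * request; failed checks on page modes rewrite $mode / $actionFunction and return.
 * Operates entirely on globals and has no return value.
 */
function checkAccess()
{
    global $mode, $user, $viewmode, $actionFunction, $vcldquerykey, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $userlookupUsers;

    if ($mode == "vcldquery") {
        // Shared secret for the management-node query interface. Compared as
        // strings with strict equality: '!=' would treat numeric-looking strings as
        // numbers ("1e3" == "1000"). hash_equals (constant time) is used when present.
        $suppliedkey = (string) processInputVar("key", ARG_STRING);
        $expectedkey = (string) $vcldquerykey;
        if (function_exists('hash_equals')) {
            $keyok = hash_equals($expectedkey, $suppliedkey);
        } else {
            $keyok = ($suppliedkey === $expectedkey);
        }
        if (!$keyok) {
            print "Access denied\n";
            dbDisconnect();
            exit;
        }
    } elseif ($mode == 'xmlrpccall') {
        // double check for SSL -- credentials travel in request headers
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            printXMLRPCerror(3);
            # access denied
            dbDisconnect();
            exit;
        }
        // A missing or empty X-Pass is rejected up front: an LDAP bind with an
        // empty password is an anonymous bind and would otherwise look successful.
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3);
            # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        /* code for version 1 should probably be removed in VCL 2.2 */
        if ($apiver == 1) {
            // Both values originate in request headers. They are escaped here before
            // being interpolated so a quote in X-Pass cannot rewrite the key lookup;
            // if processInputData already escaped X-User a quoted login simply fails
            // to match, which fails closed.
            $escuser = mysql_real_escape_string($xmluser);
            $escpass = mysql_real_escape_string($xmlpass);
            $query = "SELECT x.id "
                   . "FROM xmlrpcKey x, "
                   . "user u "
                   . "WHERE x.ownerid = u.id AND "
                   . "u.unityid = '{$escuser}' AND "
                   . "x.key = '{$escpass}' AND "
                   . "x.active = 1";
            $qh = doQuery($query, 101);
            if (mysql_num_rows($qh) != 1) {
                printXMLRPCerror(3);
                # access denied
                dbDisconnect();
                exit;
            }
            $row = mysql_fetch_assoc($qh);
            $user['xmlrpckeyid'] = $row['id'];
        } elseif ($apiver == 2) {
            // Pick the mechanism configured for the user's affiliation.
            $authtype = "";
            foreach ($authMechs as $mechname => $authmech) {
                if ($authmech['affiliationid'] == $user['affiliationid']) {
                    $authtype = $mechname;
                    break;
                }
            }
            if ($authtype === "") {
                // No mechanism for this affiliation: fail closed instead of indexing
                // $authMechs with an empty key further down.
                printXMLRPCerror(6);
                # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
            $auth = $authMechs[$authtype];
            if ($auth['type'] == 'ldap') {
                $ds = ldap_connect("ldaps://{$auth['server']}/");
                if (!$ds) {
                    printXMLRPCerror(5);
                    # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
                // 'userid' is a printf template turning the login into a bind DN.
                $ldapuser = sprintf($auth['userid'], $user['unityid']);
                if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
                $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
                if (empty($rc) || $rc['passfail'] == 'fail') {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } elseif ($auth['type'] == 'local') {
                if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
            } else {
                printXMLRPCerror(6);
                # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
        } else {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistant
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver != 1 && $apiver != 2) {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif (!empty($mode)) {
        if (!in_array($mode, $actions['entry']) && !$inContinuation) {
            // Not a registered entry point and not a continuation: go to the main page.
            $mode = "main";
            $actionFunction = "main";
            return;
        }
        if ($inContinuation) {
            // Continuations are not re-checked here (same as the original logic).
            return;
        }
        # check that user has access to this area
        // $allowed stays true for modes without a specific rule.
        $allowed = true;
        switch ($mode) {
            case 'viewRequests':
                $allowed = in_array("imageCheckOut", $user["privileges"])
                        || in_array("imageAdmin", $user["privileges"]);
                break;
            case 'blockRequest':
                $allowed = ($viewmode == ADMIN_DEVELOPER);
                break;
            case 'viewGroups':
                $allowed = in_array("groupAdmin", $user["privileges"]);
                break;
            case 'selectImageOption':
                $allowed = in_array("imageAdmin", $user["privileges"]);
                break;
            case 'viewSchedules':
                $allowed = in_array("scheduleAdmin", $user["privileges"]);
                break;
            case 'selectComputers':
            case 'editVMInfo':
                $allowed = in_array("computerAdmin", $user["privileges"]);
                break;
            case 'selectMgmtnodeOption':
                $allowed = in_array("mgmtNodeAdmin", $user["privileges"]);
                break;
            case 'pickTimeTable':
                // Needs at least one platform and one schedule visible to the user.
                $computermetadata = getUserComputerMetaData();
                $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
                break;
            case 'viewNodes':
                $allowed = in_array("userGrant", $user["privileges"])
                        || in_array("resourceGrant", $user["privileges"])
                        || in_array("nodeAdmin", $user["privileges"]);
                break;
            case 'userLookup':
                $allowed = ($viewmode == ADMIN_DEVELOPER) || in_array($user['id'], $userlookupUsers);
                break;
            case 'viewdocs':
                $allowed = in_array("userGrant", $user["privileges"])
                        || in_array("resourceGrant", $user["privileges"])
                        || in_array("nodeAdmin", $user["privileges"])
                        || in_array($user['id'], $docreaders);
                break;
        }
        if (!$allowed) {
            // Same fallback for every denied mode: empty mode, main page.
            $mode = "";
            $actionFunction = "main";
            return;
        }
    }
}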
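/**
 * Read the user-preferences form from the request and validate it.
 *
 * Each field falls back to the current value in $user (or 3389 for the RDP
 * port) when absent. With $checks enabled, validation failures set bits in the
 * global $submitErr and a message in $submitErrMsg; the (possibly invalid)
 * values are still returned so the form can be redisplayed.
 *
 * @param int $checks 1 to validate, 0 to only collect the values
 * @return array preferredname, resolution, bpp, audiomode, mapdrives,
 *               mapprinters, mapserial, rdpport and, for local accounts that
 *               submitted the password fields, newpassword
 */
function processUserPrefsInput($checks = 1)
{
    global $submitErr, $submitErrMsg, $user;
    $return = array();
    $defaultres = $user["width"] . 'x' . $user["height"];
    $return["preferredname"] = processInputVar("preferredname", ARG_STRING, $user["preferredname"]);
    $return["resolution"] = processInputVar("resolution", ARG_STRING, $defaultres);
    $return["bpp"] = processInputVar("bpp", ARG_NUMERIC, $user["bpp"]);
    $return["audiomode"] = processInputVar("audiomode", ARG_STRING, $user["audiomode"]);
    $return["mapdrives"] = processInputVar("mapdrives", ARG_NUMERIC, $user["mapdrives"]);
    $return["mapprinters"] = processInputVar("mapprinters", ARG_NUMERIC, $user["mapprinters"]);
    $return["mapserial"] = processInputVar("mapserial", ARG_NUMERIC, $user["mapserial"]);
    $return["rdpport"] = processInputVar("rdpport", ARG_NUMERIC, 3389);
    if (!$checks) {
        return $return;
    }

    // Preferred name: length and character set.
    if (strlen($return["preferredname"]) > 25) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = i("Preferred name can only be up to 25 characters");
    }
    // 'D' modifier: without it '$' also matches before a trailing newline,
    // which would let "name\n" through.
    if (!preg_match('/^[a-zA-Z ]*$/D', $return["preferredname"])) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = i("Preferred name can only contain letters and spaces");
    }

    // Password change is only offered to local accounts and only when the form
    // actually carried the field.
    if ($user['affiliation'] == 'Local' && array_key_exists('newpassword', $_POST)) {
        // The companion fields may be absent; a non-string (e.g. newpassword[]=x)
        // is treated as empty rather than being passed on.
        $newpwd = is_string($_POST['newpassword']) ? $_POST['newpassword'] : '';
        $confirmpwd = (isset($_POST['confirmpassword']) && is_string($_POST['confirmpassword'])) ? $_POST['confirmpassword'] : '';
        $curr = (isset($_POST['currentpassword']) && is_string($_POST['currentpassword'])) ? $_POST['currentpassword'] : '';
        if (get_magic_quotes_gpc()) {
            $newpwd = stripslashes($newpwd);
            $confirmpwd = stripslashes($confirmpwd);
            $curr = stripslashes($curr);
        }
        $return['newpassword'] = $newpwd;
        // The current password must be proven before a new one is accepted.
        if (!empty($newpwd) && !empty($confirmpwd) && !validateLocalAccount($user['unityid'], $curr)) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = i("Password incorrect");
        } elseif ((empty($newpwd) && !empty($confirmpwd)) || (!empty($newpwd) && empty($confirmpwd)) || $newpwd != $confirmpwd) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = i("Passwords do not match");
        }
    }

    // RDP port: cannot change while a reservation is in one of the listed
    // states (ids taken from the original; 14 with a listed laststateid counts too).
    if ($return['rdpport'] != $user['rdpport']) {
        $requests = getUserRequests('all');
        $nochange = 0;
        foreach ($requests as $req) {
            $inactivestate = preg_match('/^(3|8|24|25|26|27|28|29)$/', $req['currstateid']);
            $pendingfromactive = $req['currstateid'] == 14
                && preg_match('/^(3|8|24|25|26|27|28|29)$/', $req['laststateid']);
            if ($inactivestate || $pendingfromactive) {
                $nochange = 1;
                break;
            }
        }
        if ($nochange) {
            $submitErr |= RDPPORTERR;
            $submitErrMsg[RDPPORTERR] = i("RDP Port cannot be changed while you have active reservations");
        }
    }
    // Only report the range error when no other port error has been raised.
    if (!($submitErr & RDPPORTERR) && ($return['rdpport'] < 1024 || $return['rdpport'] > 65535)) {
        $submitErr |= RDPPORTERR;
        $submitErrMsg[RDPPORTERR] = i("RDP Port must be between 1024 and 65535");
    }
    return $return;
}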
ファイル: utils.php プロジェクト: bq-xiao/apache-vcl
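/**
 * Gate-keeper run before the requested $mode is dispatched.
 *
 * Depending on $mode this either:
 *   - 'xmlrpccall':         requires TLS and authenticates the X-User / X-Pass
 *                           headers with the mechanism configured for the user's
 *                           affiliation (ldap, ITECS, local or a 'redirect'
 *                           validator from $apiValidateFunc), setting $user;
 *   - 'xmlrpcaffiliations': requires TLS and API version 2;
 *   - any other mode:       verifies the mode is a valid entry point and that the
 *                           current $user holds the permission it requires, falling
 *                           back to the main page otherwise.
 *
 * Failed checks on the API paths print an XML-RPC error and terminate the
 * request; failed checks on page modes rewrite $mode / $actionFunction and return.
 * Operates entirely on globals and has no return value.
 */
function checkAccess()
{
    global $mode, $user, $actionFunction, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $apiValidateFunc;

    if ($mode == 'xmlrpccall') {
        // double check for SSL -- credentials travel in request headers
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($xmluser, 1))) {
                // Unknown user: still record the failed attempt before denying.
                $testid = $xmluser;
                $affilid = DEFAULT_AFFILID;
                getAffilidAndLogin($testid, $affilid);
                addLoginLog($testid, 'unknown', $affilid, 0);
                printXMLRPCerror(3);
                # access denied
                dbDisconnect();
                exit;
            }
        }
        // An empty X-Pass is rejected here: an LDAP bind with an empty password is
        // an anonymous bind and would otherwise look successful.
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3);
            # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);
            # unsupported API version
            dbDisconnect();
            exit;
        } elseif ($apiver == 2) {
            // Pick the mechanism configured for the user's affiliation.
            $authtype = "";
            foreach ($authMechs as $mechname => $authmech) {
                if ($authmech['affiliationid'] == $user['affiliationid']) {
                    $authtype = $mechname;
                    break;
                }
            }
            if ($authtype === "") {
                // Reported through the XML-RPC error channel like every other
                // failure in this branch, rather than as loose plain text.
                printXMLRPCerror(6);
                # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
            $auth = $authMechs[$authtype];
            if ($auth['type'] == 'ldap') {
                $ds = ldap_connect("ldaps://{$auth['server']}/");
                if (!$ds) {
                    printXMLRPCerror(5);
                    # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
                if (!empty($auth['lookupuserbeforeauth'])) {
                    # in this case, we have to look up what part of the tree the user is in
                    #   before we can actually look up the user
                    if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
                        $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
                    } else {
                        // Anonymous bind for the directory lookup only.
                        $res = ldap_bind($ds);
                    }
                    if (!$res) {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(5);
                        # failed to connect to auth server
                        dbDisconnect();
                        exit;
                    }
                    // The login came from the X-User header; escape it for use inside
                    // a search filter (RFC 4515) so it cannot widen the search.
                    if (function_exists('ldap_escape')) {
                        $filtervalue = ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
                    } else {
                        $filtervalue = str_replace(array('\\', '*', '(', ')', "\x00"),
                                                   array('\5c', '\2a', '\28', '\29', '\00'),
                                                   $user['unityid']);
                    }
                    $search = ldap_search($ds, $auth['binddn'], "{$auth['lookupuserfield']}={$filtervalue}", array('dn'), 0, 3, 15);
                    if (!$search) {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(3);
                        # access denied
                        dbDisconnect();
                        exit;
                    }
                    $tmpdata = ldap_get_entries($ds, $search);
                    if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(3);
                        # access denied
                        dbDisconnect();
                        exit;
                    }
                    $ldapuser = $tmpdata[0]['dn'];
                } else {
                    // 'userid' is a printf template turning the login into a bind DN.
                    $ldapuser = sprintf($auth['userid'], $user['unityid']);
                }
                if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            } elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
                $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
                if (empty($rc) || $rc['passfail'] == 'fail') {
                    // Logged like the ldap branch so API failures are visible in the login log.
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            } elseif ($auth['type'] == 'local') {
                if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            } elseif ($auth['type'] == 'redirect') {
                // Delegated to a site-provided validator keyed by affiliation id.
                $affilid = $auth['affiliationid'];
                $validated = isset($apiValidateFunc)
                    && is_array($apiValidateFunc)
                    && array_key_exists($affilid, $apiValidateFunc)
                    && $apiValidateFunc[$affilid]($xmluser, $xmlpass);
                if (!$validated) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);
                    # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            } else {
                printXMLRPCerror(6);
                # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
        } else {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistant
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);
            # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);
            # unsupported API version
            dbDisconnect();
            exit;
        } elseif ($apiver != 2) {
            printXMLRPCerror(7);
            # unknown API version
            dbDisconnect();
            exit;
        }
    } elseif (!empty($mode)) {
        if (!in_array($mode, $actions['entry']) && !$inContinuation) {
            // Not a registered entry point and not a continuation: go to the main page.
            $mode = "main";
            $actionFunction = "main";
            return;
        }
        if ($inContinuation) {
            // Continuations are not re-checked here (same as the original logic).
            return;
        }
        # check that user has access to this area
        // $allowed stays true for modes without a specific rule.
        $allowed = true;
        switch ($mode) {
            case 'viewGroups':
                $allowed = in_array("groupAdmin", $user["privileges"]);
                break;
            case 'serverProfiles':
                $allowed = in_array("serverProfileAdmin", $user["privileges"])
                        || in_array("serverCheckOut", $user["privileges"]);
                break;
            case 'pickTimeTable':
                // Needs at least one platform and one schedule visible to the user.
                $computermetadata = getUserComputerMetaData();
                $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
                break;
            case 'viewNodes':
                $allowed = in_array("userGrant", $user["privileges"])
                        || in_array("resourceGrant", $user["privileges"])
                        || in_array("nodeAdmin", $user["privileges"]);
                break;
            case 'userLookup':
                $allowed = checkUserHasPerm('User Lookup (global)')
                        || checkUserHasPerm('User Lookup (affiliation only)');
                break;
            case 'editVMInfo':
                $allowed = in_array("computerAdmin", $user["privileges"]);
                break;
            case 'siteMaintenance':
                $allowed = checkUserHasPerm('Schedule Site Maintenance');
                break;
            case 'dashboard':
                $allowed = checkUserHasPerm('View Dashboard (global)')
                        || checkUserHasPerm('View Dashboard (affiliation only)');
                break;
        }
        if (!$allowed) {
            // Same fallback for every denied mode: empty mode, main page.
            $mode = "";
            $actionFunction = "main";
            return;
        }
    }
}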
ファイル: userpreferences.php プロジェクト: gw-acadtech/VCL
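/**
 * Read the user-preferences form from the request and validate it.
 *
 * Each field falls back to the current value in $user when absent. With
 * $checks enabled, validation failures set bits in the global $submitErr and a
 * message in $submitErrMsg; the (possibly invalid) values are still returned so
 * the form can be redisplayed.
 *
 * @param int $checks 1 to validate, 0 to only collect the values
 * @return array preferredname, resolution, bpp, audiomode, mapdrives,
 *               mapprinters, mapserial, unityid ("login@affiliation") and, for
 *               local accounts that submitted the password fields, newpassword
 */
function processUserPrefsInput($checks = 1)
{
    global $submitErr, $submitErrMsg, $user;
    $return = array();
    $defaultres = $user["width"] . 'x' . $user["height"];
    $return["preferredname"] = processInputVar("preferredname", ARG_STRING, $user["preferredname"]);
    $return["resolution"] = processInputVar("resolution", ARG_STRING, $defaultres);
    $return["bpp"] = processInputVar("bpp", ARG_NUMERIC, $user["bpp"]);
    $return["audiomode"] = processInputVar("audiomode", ARG_STRING, $user["audiomode"]);
    $return["mapdrives"] = processInputVar("mapdrives", ARG_NUMERIC, $user["mapdrives"]);
    $return["mapprinters"] = processInputVar("mapprinters", ARG_NUMERIC, $user["mapprinters"]);
    $return["mapserial"] = processInputVar("mapserial", ARG_NUMERIC, $user["mapserial"]);
    // Built from the server-side $user record, not from the request.
    $return['unityid'] = "{$user['unityid']}@{$user['affiliation']}";
    if (!$checks) {
        return $return;
    }

    // Preferred name: length and character set.
    if (strlen($return["preferredname"]) > 25) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = "Preferred name can only be up to 25 characters";
    }
    // ereg() is deprecated/removed; this PCRE form is the equivalent test
    // ('D' so that '$' anchors at the very end, as the POSIX pattern did).
    if (!preg_match('/^[a-zA-Z ]*$/D', $return["preferredname"])) {
        $submitErr |= PREFNAMEERR;
        $submitErrMsg[PREFNAMEERR] = "Preferred name can only contain letters and spaces";
    }
    if (array_key_exists('unityid', $return) && !validateUserid($return['unityid'])) {
        $submitErr |= VIEWASUSERERR;
        $submitErrMsg[VIEWASUSERERR] = "Invalid user id";
    }

    // Password change is only offered to local accounts and only when the form
    // actually carried the field (avoids undefined-index notices otherwise).
    if ($user['affiliation'] == 'Local' && array_key_exists('newpassword', $_POST)) {
        // Companion fields may be absent; a non-string (e.g. newpassword[]=x) is
        // treated as empty rather than being passed on.
        $newpwd = is_string($_POST['newpassword']) ? $_POST['newpassword'] : '';
        $confirmpwd = (isset($_POST['confirmpassword']) && is_string($_POST['confirmpassword'])) ? $_POST['confirmpassword'] : '';
        $curr = (isset($_POST['currentpassword']) && is_string($_POST['currentpassword'])) ? $_POST['currentpassword'] : '';
        if (get_magic_quotes_gpc()) {
            $newpwd = stripslashes($newpwd);
            $confirmpwd = stripslashes($confirmpwd);
            $curr = stripslashes($curr);
        }
        $return['newpassword'] = $newpwd;
        // The current password must be proven before a new one is accepted.
        if (!empty($newpwd) && !empty($confirmpwd) && !validateLocalAccount($user['unityid'], $curr)) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = "Password incorrect";
        } elseif ((empty($newpwd) && !empty($confirmpwd)) || (!empty($newpwd) && empty($confirmpwd)) || $newpwd != $confirmpwd) {
            $submitErr |= LOCALPASSWORDERR;
            $submitErrMsg[LOCALPASSWORDERR] = "Passwords do not match";
        }
    }
    return $return;
}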