public function toggleDisclaimer($actionName, $httpVars, $fileVars)
{
$u = AuthService::getLoggedUser();
$u->personalRole->setParameterValue("action.disclaimer", "DISCLAIMER_ACCEPTED", $httpVars["validate"] == "true" ? "yes" : "no", AJXP_REPO_SCOPE_ALL);
if ($httpVars["validate"] == "true") {
$u->removeLock();
$u->save("superuser");
AuthService::updateUser($u);
ConfService::switchUserToActiveRepository($u);
$force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
$res = ConfService::switchUserToActiveRepository($u, $passId);
if (!$res) {
AuthService::disconnect();
AJXP_XMLWriter::header();
AJXP_XMLWriter::requireAuth(true);
AJXP_XMLWriter::close();
}
ConfService::getInstance()->invalidateLoadedRepositories();
} else {
$u->setLock("validate_disclaimer");
$u->save("superuser");
AuthService::disconnect();
AJXP_XMLWriter::header();
AJXP_XMLWriter::requireAuth(true);
AJXP_XMLWriter::close();
}
}
function tryToLogUser(&$httpVars, $isLast = false)
{
if (!isset($httpVars["get_action"]) || $httpVars["get_action"] != "login") {
return false;
}
$rememberLogin = "";
$rememberPass = "";
$secureToken = "";
$loggedUser = null;
include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
if (AuthService::suspectBruteForceLogin() && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
$loggingResult = -4;
} else {
$userId = isset($httpVars["userid"]) ? AJXP_Utils::sanitize($httpVars["userid"], AJXP_SANITIZE_EMAILCHARS) : null;
$userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
$rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] == "true" ? true : false;
$cookieLogin = isset($httpVars["cookie_login"]) ? true : false;
$loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $httpVars["login_seed"]);
if ($rememberMe && $loggingResult == 1) {
$rememberLogin = "******";
$rememberPass = "******";
}
if ($loggingResult == 1) {
session_regenerate_id(true);
$secureToken = AuthService::generateSecureToken();
}
if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
$loggingResult = -4;
// Force captcha reload
}
}
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser != null) {
$force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if (isset($httpVars["tmp_repository_id"])) {
$passId = $httpVars["tmp_repository_id"];
} else {
if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
}
$res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
if (!$res) {
AuthService::disconnect();
$loggingResult = -3;
}
}
if ($loggedUser != null && (AuthService::hasRememberCookie() || isset($rememberMe) && $rememberMe == true)) {
AuthService::refreshRememberCookie($loggedUser);
}
AJXP_XMLWriter::header();
AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
AJXP_XMLWriter::close();
if ($loggingResult > 0 || $isLast) {
exit;
}
}
if (AuthService::usersEnabled()) {
$httpVars = array_merge($_GET, $_POST);
AuthService::logUser(null, null);
// Check that current user can access current repository, try to switch otherwise.
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser == null) {
// Try prelogging user if the session expired but the logging data is in fact still present
// For example, for basic_http auth.
AuthService::preLogUser(isset($httpVars["remote_session"]) ? $httpVars["remote_session"] : "");
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser == null) {
$requireAuth = true;
}
}
if ($loggedUser != null) {
$res = ConfService::switchUserToActiveRepository($loggedUser, isset($httpVars["tmp_repository_id"]) ? $httpVars["tmp_repository_id"] : "-1");
if (!$res) {
AuthService::disconnect();
$requireAuth = true;
}
}
} else {
AJXP_Logger::debug(ConfService::getCurrentRepositoryId());
}
//Set language
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser != null && $loggedUser->getPref("lang") != "") {
ConfService::setLanguage($loggedUser->getPref("lang"));
} else {
if (isset($_COOKIE["AJXP_lang"])) {
ConfService::setLanguage($_COOKIE["AJXP_lang"]);
function tryToLogUser(&$httpVars, $isLast = false)
{
$checkNonce = $this->pluginConf["CHECK_NONCE"] === true;
$token = $this->detectVar($httpVars, "cyphered_token");
$tokenInc = $this->detectVar($httpVars, "cyphered_token_inc");
if (empty($token) || $checkNonce && empty($tokenInc)) {
return false;
}
if (!$checkNonce) {
$decoded = $this->decrypt($this->pluginConf["PRIVATE_KEY"], $token);
} else {
$decoded = $this->decrypt($this->pluginConf["PRIVATE_KEY"] . ":" . $tokenInc, $token);
}
if ($decoded == null) {
return false;
}
$data = unserialize($decoded);
if (empty($data) || !is_array($data) || !isset($data["user_id"]) || !isset($data["user_pwd"])) {
$this->logDebug(__FUNCTION__, "Cyphered Token found but wrong deserizalized data");
return false;
}
if (AuthService::getLoggedUser() != null) {
$currentUser = AuthService::getLoggedUser()->getId();
if ($currentUser != $data["user_id"]) {
AuthService::disconnect();
}
}
$this->logDebug(__FUNCTION__, "Trying to log user " . $data["user_id"] . " from cyphered token");
$userId = $data["user_id"];
if ($checkNonce) {
$keys = $this->getLastKeys();
$lastInc = 0;
if (isset($keys[$userId])) {
$lastInc = $keys[$userId];
}
if ($tokenInc <= $lastInc) {
$this->logDebug(__FUNCTION__, "Key was already used for this user id");
return false;
}
}
$res = AuthService::logUser($data["user_id"], $data["user_pwd"], false, false, -1);
if ($res > 0) {
$this->logDebug(__FUNCTION__, "Success");
if ($checkNonce) {
$keys[$userId] = $tokenInc;
$this->storeLastKeys($keys);
}
$loggedUser = AuthService::getLoggedUser();
$force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if (isset($httpVars["tmp_repository_id"])) {
$passId = $httpVars["tmp_repository_id"];
} else {
if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
}
ConfService::switchUserToActiveRepository($loggedUser, $passId);
return true;
}
$this->logDebug(__FUNCTION__, "Wrong result " . $res);
return false;
}
}
if (AuthService::usersEnabled() && !empty($optUser)) {
$seed = AuthService::generateSeed();
if ($seed != -1) {
$optPass = md5(md5($optPass) . $seed);
}
$loggingResult = AuthService::logUser($optUser, $optPass, isset($optToken), false, $seed);
// Check that current user can access current repository, try to switch otherwise.
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser != null && $detectedUser !== false && $loggedUser->isAdmin()) {
AuthService::disconnect();
AuthService::logUser($detectedUser, "empty", true, false, "");
$loggedUser = AuthService::getLoggedUser();
}
if ($loggedUser != null) {
$res = ConfService::switchUserToActiveRepository($loggedUser, $optRepoId);
if (!$res) {
AuthService::disconnect();
$requireAuth = true;
}
}
if (isset($loggingResult) && $loggingResult != 1) {
AJXP_XMLWriter::header();
AJXP_XMLWriter::loggingResult($loggingResult, false, false, "");
AJXP_XMLWriter::close();
if ($optStatusFile) {
file_put_contents($optStatusFile, "ERROR:No user logged");
}
}
} else {
AJXP_Logger::debug(ConfService::getCurrentRepositoryId());
public function switchAction($action, $httpVars, $fileVars)
{
if (!isset($this->actions[$action])) {
return;
}
$mess = ConfService::getMessages();
switch ($action) {
case "login":
if (!AuthService::usersEnabled()) {
return;
}
$rememberLogin = "";
$rememberPass = "";
$secureToken = "";
$loggedUser = null;
include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
if (AuthService::suspectBruteForceLogin() && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
$loggingResult = -4;
} else {
$userId = isset($httpVars["userid"]) ? trim($httpVars["userid"]) : null;
$userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
$rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] == "true" ? true : false;
$cookieLogin = isset($httpVars["cookie_login"]) ? true : false;
$loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $httpVars["login_seed"]);
if ($rememberMe && $loggingResult == 1) {
$rememberLogin = "******";
$rememberPass = "******";
$loggedUser = AuthService::getLoggedUser();
}
if ($loggingResult == 1) {
session_regenerate_id(true);
$secureToken = AuthService::generateSecureToken();
}
if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
$loggingResult = -4;
// Force captcha reload
}
}
$loggedUser = AuthService::getLoggedUser();
if ($loggedUser != null) {
$force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if (isset($httpVars["tmp_repository_id"])) {
$passId = $httpVars["tmp_repository_id"];
} else {
if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
}
$res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
if (!$res) {
AuthService::disconnect();
$loggingResult = -3;
}
}
if ($loggedUser != null && (AuthService::hasRememberCookie() || isset($rememberMe) && $rememberMe == true)) {
AuthService::refreshRememberCookie($loggedUser);
}
AJXP_XMLWriter::header();
AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
AJXP_XMLWriter::close();
break;
//------------------------------------
// CHANGE USER PASSWORD
//------------------------------------
//------------------------------------
// CHANGE USER PASSWORD
//------------------------------------
case "pass_change":
$userObject = AuthService::getLoggedUser();
if ($userObject == null || $userObject->getId() == "guest") {
header("Content-Type:text/plain");
print "SUCCESS";
break;
}
$oldPass = $httpVars["old_pass"];
$newPass = $httpVars["new_pass"];
$passSeed = $httpVars["pass_seed"];
if (strlen($newPass) < ConfService::getCoreConf("PASSWORD_MINLENGTH", "auth")) {
header("Content-Type:text/plain");
print "PASS_ERROR";
break;
}
if (AuthService::checkPassword($userObject->getId(), $oldPass, false, $passSeed)) {
AuthService::updatePassword($userObject->getId(), $newPass);
if ($userObject->getLock() == "pass_change") {
$userObject->removeLock();
$userObject->save("superuser");
}
} else {
header("Content-Type:text/plain");
print "PASS_ERROR";
break;
}
header("Content-Type:text/plain");
print "SUCCESS";
break;
case "logout":
AuthService::disconnect();
$loggingResult = 2;
session_destroy();
AJXP_XMLWriter::header();
AJXP_XMLWriter::loggingResult($loggingResult, null, null, null);
AJXP_XMLWriter::close();
break;
case "get_seed":
$seed = AuthService::generateSeed();
if (AuthService::suspectBruteForceLogin()) {
HTMLWriter::charsetHeader('application/json');
print json_encode(array("seed" => $seed, "captcha" => true));
} else {
HTMLWriter::charsetHeader("text/plain");
print $seed;
}
//exit(0);
break;
case "get_secure_token":
HTMLWriter::charsetHeader("text/plain");
print AuthService::generateSecureToken();
//exit(0);
break;
case "get_captcha":
include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
CaptchaProvider::sendCaptcha();
//exit(0) ;
break;
case "back":
AJXP_XMLWriter::header("url");
echo AuthService::getLogoutAddress(false);
AJXP_XMLWriter::close("url");
//exit(1);
break;
default:
break;
}
return "";
}
public function postVerificationCode($action, $httpVars, $fileVars)
{
if ($action != "duo_post_verification_code") {
return;
}
$u = AuthService::getLoggedUser();
if ($u == null) {
return;
}
$sigResponse = $httpVars["sig_response"];
require_once $this->getBaseDir() . "/duo_php/duo_web.php";
$appUnique = $this->getFilteredOption("DUO_AUTH_AKEY");
$iKey = $this->getFilteredOption("DUO_AUTH_IKEY");
$sKey = $this->getFilteredOption("DUO_AUTH_SKEY");
$verif = Duo::verifyResponse($iKey, $sKey, $appUnique, $sigResponse);
if ($verif != null && $verif == $u->getId()) {
$u->removeLock();
$u->save("superuser");
$u->recomputeMergedRole();
AuthService::updateUser($u);
ConfService::switchUserToActiveRepository($u);
$force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if ($force != "" && $u->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
$res = ConfService::switchUserToActiveRepository($u, $passId);
if (!$res) {
AuthService::disconnect();
AJXP_XMLWriter::header();
AJXP_XMLWriter::requireAuth(true);
AJXP_XMLWriter::close();
}
} else {
AuthService::disconnect();
AJXP_XMLWriter::header();
AJXP_XMLWriter::requireAuth(true);
AJXP_XMLWriter::close();
}
}
function tryToLogUser(&$httpVars, $isLast = false)
{
if (isset($_SESSION["CURRENT_MINISITE"])) {
return false;
}
$this->loadConfig();
if (isset($_SESSION['AUTHENTICATE_BY_CAS'])) {
$flag = $_SESSION['AUTHENTICATE_BY_CAS'];
} else {
$flag = 0;
}
$pgtIou = !empty($httpVars['pgtIou']);
$logged = isset($_SESSION['LOGGED_IN_BY_CAS']);
$enre = !empty($httpVars['put_action_enable_redirect']);
$ticket = !empty($httpVars['ticket']);
$pgt = !empty($_SESSION['phpCAS']['pgt']);
$clientModeTicketPendding = isset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
if ($this->cas_modify_login_page) {
if ($flag == 0 && $enre && !$logged && !$pgtIou) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 1;
} elseif ($flag == 1 && !$enre && !$logged && !$pgtIou && !$ticket && !$pgt) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 0;
} elseif ($flag == 1 && $enre && !$logged && !$pgtIou) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 1;
} elseif ($pgtIou || $pgt) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 1;
} elseif ($ticket) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 1;
$_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING'] = 1;
} elseif ($logged && $pgtIou) {
$_SESSION['AUTHENTICATE_BY_CAS'] = 2;
} else {
$_SESSION['AUTHENTICATE_BY_CAS'] = 0;
}
if ($_SESSION['AUTHENTICATE_BY_CAS'] < 1) {
if ($clientModeTicketPendding) {
unset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
} else {
return false;
}
}
}
/**
* Depend on phpCAS mode configuration
*/
switch ($this->cas_mode) {
case PHPCAS_MODE_CLIENT:
if ($this->checkConfigurationForClientMode()) {
AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Client: ", "sucessfully");
phpCAS::client(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
if (!empty($this->cas_certificate_path)) {
phpCAS::setCasServerCACert($this->cas_certificate_path);
} else {
phpCAS::setNoCasServerValidation();
}
/**
* Debug
*/
if ($this->cas_debug_mode) {
// logfile name by date:
$today = getdate();
$file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
empty($this->cas_debug_file) ? $file_path : ($file_path = $this->cas_debug_file);
phpCAS::setDebug($file_path);
}
phpCAS::forceAuthentication();
} else {
AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode CLIENT, please verify the configuration", "");
return false;
}
break;
case PHPCAS_MODE_PROXY:
/**
* If in login page, user click on login via CAS, the page will be reload with manuallyredirectocas is set.
* Or force redirect to cas login page even the force redirect is set in configuration of this module
*
*/
if ($this->checkConfigurationForProxyMode()) {
AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Proxy: ", "sucessfully");
/**
* init phpCAS in mode proxy
*/
phpCAS::proxy(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
if (!empty($this->cas_certificate_path)) {
phpCAS::setCasServerCACert($this->cas_certificate_path);
} else {
phpCAS::setNoCasServerValidation();
}
/**
* Debug
*/
if ($this->cas_debug_mode) {
// logfile name by date:
$today = getdate();
$file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
empty($this->cas_debug_file) ? $file_path : ($file_path = $this->cas_debug_file);
phpCAS::setDebug($file_path);
}
if (!empty($this->cas_setFixedCallbackURL)) {
phpCAS::setFixedCallbackURL($this->cas_setFixedCallbackURL);
}
//
/**
* PTG storage
*/
$this->setPTGStorage();
phpCAS::forceAuthentication();
/**
* Get proxy ticket (PT) for SAMBA to authentication at CAS via pam_cas
* In fact, we can use any other service. Of course, it should be enabled in CAS
*
*/
$err_code = null;
$serviceURL = $this->cas_proxied_service;
AJXP_Logger::debug(__FUNCTION__, "Try to get proxy ticket for service: ", $serviceURL);
$res = phpCAS::serviceSMB($serviceURL, $err_code);
if (!empty($res)) {
$_SESSION['PROXYTICKET'] = $res;
AJXP_Logger::info(__FUNCTION__, "Get Proxy ticket successfully ", "");
} else {
AJXP_Logger::info(__FUNCTION__, "Could not get Proxy ticket. ", "");
}
break;
} else {
AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode PROXY, please verify the configuration", "");
return false;
}
default:
return false;
break;
}
AJXP_Logger::debug(__FUNCTION__, "Call phpCAS::getUser() after forceAuthentication ", "");
$cas_user = phpCAS::getUser();
if (!AuthService::userExists($cas_user) && $this->is_AutoCreateUser) {
AuthService::createUser($cas_user, openssl_random_pseudo_bytes(20));
}
if (AuthService::userExists($cas_user)) {
$res = AuthService::logUser($cas_user, "", true);
if ($res > 0) {
AJXP_Safe::storeCredentials($cas_user, $_SESSION['PROXYTICKET']);
$_SESSION['LOGGED_IN_BY_CAS'] = true;
if (!empty($this->cas_additional_role)) {
$userObj = ConfService::getConfStorageImpl()->createUserObject($cas_user);
$roles = $userObj->getRoles();
$cas_RoleID = $this->cas_additional_role;
$userObj->addRole(AuthService::getRole($cas_RoleID, true));
AuthService::updateUser($userObj);
}
// try to log to DEFAULT START REPO
$userObj->recomputeMergedRole();
$loggedUser = $userObj;
$force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
$passId = -1;
if (isset($httpVars["tmp_repository_id"])) {
$passId = $httpVars["tmp_repository_id"];
} else {
if ($force != "" && $loggedUser->canSwitchTo($force) && !isset($httpVars["tmp_repository_id"]) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
$passId = $force;
}
}
ConfService::switchUserToActiveRepository($loggedUser, $passId);
return true;
}
}
return false;
}
