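public function toggleDisclaimer($actionName, $httpVars, $fileVars)
{
    // Action hook for the post-login disclaimer screen.
    // "validate=true" records acceptance, clears the account lock and binds the
    // session to a workspace; anything else records a refusal, sets the
    // "validate_disclaimer" lock and terminates the session so the user has to
    // log in (and see the disclaimer) again. $actionName / $fileVars are unused
    // but belong to the action-hook signature.
    $u = AuthService::getLoggedUser();
    if ($u == null) {
        // Nothing to toggle without a session (same guard as the other post-login hooks).
        return;
    }
    // Guard the index: a request without "validate" is a refusal, not a PHP notice.
    $accepted = isset($httpVars["validate"]) && $httpVars["validate"] === "true";
    $u->personalRole->setParameterValue(
        "action.disclaimer",
        "DISCLAIMER_ACCEPTED",
        $accepted ? "yes" : "no",
        AJXP_REPO_SCOPE_ALL
    );

    if (!$accepted) {
        $u->setLock("validate_disclaimer");
        $u->save("superuser");
        AuthService::disconnect();
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::requireAuth(true);
        AJXP_XMLWriter::close();
        return;
    }

    $u->removeLock();
    $u->save("superuser");
    AuthService::updateUser($u);
    // The original performs this parameter-less switch before the role-driven one
    // below (presumably to initialise the active repository first — confirm); kept as-is.
    ConfService::switchUserToActiveRepository($u);
    // Honour DEFAULT_START_REPOSITORY unless the request or the session already
    // names a specific workspace.
    $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
    $passId = -1;
    if ($force != ""
        && $u->canSwitchTo($force)
        && !isset($httpVars["tmp_repository_id"])
        && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
        $passId = $force;
    }
    $res = ConfService::switchUserToActiveRepository($u, $passId);
    if (!$res) {
        // Accepted, but no usable workspace: do not leave a half-initialised session behind.
        AuthService::disconnect();
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::requireAuth(true);
        AJXP_XMLWriter::close();
    }
    ConfService::getInstance()->invalidateLoadedRepositories();
}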
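function tryToLogUser(&$httpVars, $isLast = false)
{
    // Authentication front for the form-based "login" action.
    // Returns false, without writing anything, when the request is not a login
    // attempt so the next front can try. Otherwise it writes the XML login result
    // and exit()s on success, or on failure when $isLast is set (no other front
    // will handle the request); in the remaining failure case it falls through
    // and returns nothing so another front may still attempt the login.
    if (!isset($httpVars["get_action"]) || $httpVars["get_action"] !== "login") {
        return false;
    }
    $rememberLogin = "";
    $rememberPass = "";
    $secureToken = "";
    $rememberMe = false;
    include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";

    if (AuthService::suspectBruteForceLogin()
        && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
        // Brute-force protection: after repeated failures a valid captcha is mandatory.
        $loggingResult = -4;
    } else {
        // The user id is restricted to e-mail-safe characters before reaching the auth backend.
        $userId = isset($httpVars["userid"]) ? AJXP_Utils::sanitize($httpVars["userid"], AJXP_SANITIZE_EMAILCHARS) : null;
        $userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
        $rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] === "true";
        $cookieLogin = isset($httpVars["cookie_login"]);
        // Guard the index: a login without a seed passes null through instead of raising a notice.
        $loginSeed = isset($httpVars["login_seed"]) ? $httpVars["login_seed"] : null;
        $loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $loginSeed);
        if ($loggingResult == 1) {
            if ($rememberMe) {
                // Placeholders only: the remember-me material itself travels in the cookie, never in the XML.
                $rememberLogin = "******";
                $rememberPass = "******";
            }
            // Rotate the session id on login (session fixation) and issue a fresh
            // secure token bound to the new session.
            session_regenerate_id(true);
            $secureToken = AuthService::generateSecureToken();
        }
        if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
            $loggingResult = -4; // Force captcha reload
        }
    }

    $loggedUser = AuthService::getLoggedUser();
    if ($loggedUser !== null) {
        $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
        $passId = -1;
        if (isset($httpVars["tmp_repository_id"])) {
            // Caller-supplied and not validated here: switchUserToActiveRepository() is
            // relied upon to refuse a workspace this user cannot access (false below).
            $passId = $httpVars["tmp_repository_id"];
        } elseif ($force != "" && $loggedUser->canSwitchTo($force) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
            $passId = $force;
        }
        $res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
        if (!$res) {
            // Authenticated but no usable workspace: tear the session down again.
            AuthService::disconnect();
            $loggingResult = -3;
        }
    }
    // NOTE(review): as in the original, the remember cookie is still refreshed when the
    // repository switch failed and the user was just disconnected — confirm that is intended.
    if ($loggedUser !== null && (AuthService::hasRememberCookie() || $rememberMe)) {
        AuthService::refreshRememberCookie($loggedUser);
    }
    AJXP_XMLWriter::header();
    AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
    AJXP_XMLWriter::close();
    if ($loggingResult > 0 || $isLast) {
        exit;
    }
}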
if (AuthService::usersEnabled()) { $httpVars = array_merge($_GET, $_POST); AuthService::logUser(null, null); // Check that current user can access current repository, try to switch otherwise. $loggedUser = AuthService::getLoggedUser(); if ($loggedUser == null) { // Try prelogging user if the session expired but the logging data is in fact still present // For example, for basic_http auth. AuthService::preLogUser(isset($httpVars["remote_session"]) ? $httpVars["remote_session"] : ""); $loggedUser = AuthService::getLoggedUser(); if ($loggedUser == null) { $requireAuth = true; } } if ($loggedUser != null) { $res = ConfService::switchUserToActiveRepository($loggedUser, isset($httpVars["tmp_repository_id"]) ? $httpVars["tmp_repository_id"] : "-1"); if (!$res) { AuthService::disconnect(); $requireAuth = true; } } } else { AJXP_Logger::debug(ConfService::getCurrentRepositoryId()); } //Set language $loggedUser = AuthService::getLoggedUser(); if ($loggedUser != null && $loggedUser->getPref("lang") != "") { ConfService::setLanguage($loggedUser->getPref("lang")); } else { if (isset($_COOKIE["AJXP_lang"])) { ConfService::setLanguage($_COOKIE["AJXP_lang"]);
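function tryToLogUser(&$httpVars, $isLast = false)
{
    // Authentication front for "cyphered token" logins: the request carries an
    // encrypted, serialized {user_id, user_pwd} blob and, when CHECK_NONCE is on,
    // a counter that must strictly increase per user (replay protection).
    // Returns true when the user was logged in and bound to a workspace, false
    // otherwise. $isLast is unused by this front.
    $checkNonce = $this->pluginConf["CHECK_NONCE"] === true;
    $token = $this->detectVar($httpVars, "cyphered_token");
    $tokenInc = $this->detectVar($httpVars, "cyphered_token_inc");
    if (empty($token) || ($checkNonce && empty($tokenInc))) {
        return false;
    }

    // In nonce mode the counter is mixed into the key, so a token only decrypts
    // together with the counter it was issued for.
    $key = $this->pluginConf["PRIVATE_KEY"];
    if ($checkNonce) {
        $key .= ":" . $tokenInc;
    }
    $decoded = $this->decrypt($key, $token);
    if ($decoded == null) {
        return false;
    }
    // SECURITY (review): unserialize() runs on attacker-reachable input. This is only
    // acceptable if decrypt() authenticates the ciphertext (AEAD / MAC) so that nobody
    // without PRIVATE_KEY can shape $decoded; decrypt() is not visible here — confirm.
    // Prefer a JSON payload, or unserialize(..., ['allowed_classes' => false]) on
    // PHP >= 7.0, to rule out object injection regardless.
    $data = unserialize($decoded);
    if (empty($data) || !is_array($data) || !isset($data["user_id"]) || !isset($data["user_pwd"])) {
        $this->logDebug(__FUNCTION__, "Cyphered Token found but wrong deserizalized data");
        return false;
    }
    $userId = $data["user_id"];

    // Never stack identities: a session belonging to someone else is dropped first (strict compare).
    $current = AuthService::getLoggedUser();
    if ($current != null && $current->getId() !== $userId) {
        AuthService::disconnect();
    }
    $this->logDebug(__FUNCTION__, "Trying to log user " . $userId . " from cyphered token");

    $keys = array();
    if ($checkNonce) {
        $keys = $this->getLastKeys();
        $lastInc = isset($keys[$userId]) ? $keys[$userId] : 0;
        if ($tokenInc <= $lastInc) {
            $this->logDebug(__FUNCTION__, "Key was already used for this user id");
            return false;
        }
    }

    $res = AuthService::logUser($userId, $data["user_pwd"], false, false, -1);
    if ($res <= 0) {
        $this->logDebug(__FUNCTION__, "Wrong result " . $res);
        return false;
    }
    $this->logDebug(__FUNCTION__, "Success");
    if ($checkNonce) {
        // NOTE(review): check-then-store is not atomic; two concurrent requests with the
        // same counter can both pass the check above unless getLastKeys()/storeLastKeys() lock.
        $keys[$userId] = $tokenInc;
        $this->storeLastKeys($keys);
    }

    $loggedUser = AuthService::getLoggedUser();
    $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
    $passId = -1;
    if (isset($httpVars["tmp_repository_id"])) {
        // Caller-supplied; switchUserToActiveRepository() is relied upon to refuse
        // a workspace this user cannot access.
        $passId = $httpVars["tmp_repository_id"];
    } elseif ($force != "" && $loggedUser->canSwitchTo($force) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
        $passId = $force;
    }
    $switched = ConfService::switchUserToActiveRepository($loggedUser, $passId);
    if (!$switched) {
        // Consistent with the other authentication fronts: a login that cannot be
        // bound to a workspace is not left behind as a live session.
        $this->logDebug(__FUNCTION__, "Could not switch to a repository");
        AuthService::disconnect();
        return false;
    }
    return true;
}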
} if (AuthService::usersEnabled() && !empty($optUser)) { $seed = AuthService::generateSeed(); if ($seed != -1) { $optPass = md5(md5($optPass) . $seed); } $loggingResult = AuthService::logUser($optUser, $optPass, isset($optToken), false, $seed); // Check that current user can access current repository, try to switch otherwise. $loggedUser = AuthService::getLoggedUser(); if ($loggedUser != null && $detectedUser !== false && $loggedUser->isAdmin()) { AuthService::disconnect(); AuthService::logUser($detectedUser, "empty", true, false, ""); $loggedUser = AuthService::getLoggedUser(); } if ($loggedUser != null) { $res = ConfService::switchUserToActiveRepository($loggedUser, $optRepoId); if (!$res) { AuthService::disconnect(); $requireAuth = true; } } if (isset($loggingResult) && $loggingResult != 1) { AJXP_XMLWriter::header(); AJXP_XMLWriter::loggingResult($loggingResult, false, false, ""); AJXP_XMLWriter::close(); if ($optStatusFile) { file_put_contents($optStatusFile, "ERROR:No user logged"); } } } else { AJXP_Logger::debug(ConfService::getCurrentRepositoryId());
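public function switchAction($action, $httpVars, $fileVars)
{
    // Entry point for the authentication-front actions (login, pass_change, logout,
    // get_seed, get_secure_token, get_captcha, back). Returns "" after handling a
    // registered action; returns nothing for an action this plugin does not own,
    // or for "login" while users are disabled. $fileVars is unused.
    if (!isset($this->actions[$action])) {
        return;
    }
    // Kept from the original: the value is unused here, but getMessages() may
    // lazily load the message catalogue as a side effect.
    $mess = ConfService::getMessages();

    switch ($action) {
        //------------------------------------
        // LOGIN
        //------------------------------------
        case "login":
            if (!AuthService::usersEnabled()) {
                return;
            }
            $rememberLogin = "";
            $rememberPass = "";
            $secureToken = "";
            $rememberMe = false;
            include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
            if (AuthService::suspectBruteForceLogin()
                && (!isset($httpVars["captcha_code"]) || !CaptchaProvider::checkCaptchaResult($httpVars["captcha_code"]))) {
                // Brute-force protection: after repeated failures a valid captcha is mandatory.
                $loggingResult = -4;
            } else {
                // NOTE(review): the user id is only trimmed here, whereas the tryToLogUser()
                // login front sanitizes it with AJXP_SANITIZE_EMAILCHARS; the backend must cope with both.
                $userId = isset($httpVars["userid"]) ? trim($httpVars["userid"]) : null;
                $userPass = isset($httpVars["password"]) ? trim($httpVars["password"]) : null;
                $rememberMe = isset($httpVars["remember_me"]) && $httpVars["remember_me"] === "true";
                $cookieLogin = isset($httpVars["cookie_login"]);
                // Guard the index: a login without a seed passes null through instead of raising a notice.
                $loginSeed = isset($httpVars["login_seed"]) ? $httpVars["login_seed"] : null;
                $loggingResult = AuthService::logUser($userId, $userPass, false, $cookieLogin, $loginSeed);
                if ($loggingResult == 1) {
                    if ($rememberMe) {
                        // Placeholders only: the remember-me material itself travels in the cookie.
                        $rememberLogin = "******";
                        $rememberPass = "******";
                    }
                    // Rotate the session id on login (session fixation) and issue a fresh secure token.
                    session_regenerate_id(true);
                    $secureToken = AuthService::generateSecureToken();
                }
                if ($loggingResult < 1 && AuthService::suspectBruteForceLogin()) {
                    $loggingResult = -4; // Force captcha reload
                }
            }
            $loggedUser = AuthService::getLoggedUser();
            if ($loggedUser !== null) {
                $force = $loggedUser->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
                $passId = -1;
                if (isset($httpVars["tmp_repository_id"])) {
                    // Caller-supplied; switchUserToActiveRepository() is relied upon to refuse
                    // a workspace this user cannot access (false below).
                    $passId = $httpVars["tmp_repository_id"];
                } elseif ($force != "" && $loggedUser->canSwitchTo($force) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
                    $passId = $force;
                }
                $res = ConfService::switchUserToActiveRepository($loggedUser, $passId);
                if (!$res) {
                    // Authenticated but no usable workspace: tear the session down again.
                    AuthService::disconnect();
                    $loggingResult = -3;
                }
            }
            if ($loggedUser !== null && (AuthService::hasRememberCookie() || $rememberMe)) {
                AuthService::refreshRememberCookie($loggedUser);
            }
            AJXP_XMLWriter::header();
            AJXP_XMLWriter::loggingResult($loggingResult, $rememberLogin, $rememberPass, $secureToken);
            AJXP_XMLWriter::close();
            break;

        //------------------------------------
        // CHANGE USER PASSWORD
        //------------------------------------
        case "pass_change":
            $userObject = AuthService::getLoggedUser();
            if ($userObject == null || $userObject->getId() == "guest") {
                // No password to change for an anonymous/guest session; the original reports
                // SUCCESS here rather than an error (presumably so the client shows no failure).
                header("Content-Type:text/plain");
                print "SUCCESS";
                break;
            }
            // Guard the indexes: missing fields behave like empty ones instead of raising notices.
            $oldPass = isset($httpVars["old_pass"]) ? $httpVars["old_pass"] : null;
            $newPass = isset($httpVars["new_pass"]) ? $httpVars["new_pass"] : null;
            $passSeed = isset($httpVars["pass_seed"]) ? $httpVars["pass_seed"] : null;
            // Byte length, as in the original: PASSWORD_MINLENGTH is enforced on bytes, not characters.
            if (strlen((string) $newPass) < ConfService::getCoreConf("PASSWORD_MINLENGTH", "auth")) {
                header("Content-Type:text/plain");
                print "PASS_ERROR";
                break;
            }
            // Re-authenticate with the current password before accepting the new one.
            if (!AuthService::checkPassword($userObject->getId(), $oldPass, false, $passSeed)) {
                header("Content-Type:text/plain");
                print "PASS_ERROR";
                break;
            }
            AuthService::updatePassword($userObject->getId(), $newPass);
            if ($userObject->getLock() == "pass_change") {
                // A forced password change unlocks the account once done.
                $userObject->removeLock();
                $userObject->save("superuser");
            }
            header("Content-Type:text/plain");
            print "SUCCESS";
            break;

        case "logout":
            AuthService::disconnect();
            $loggingResult = 2;
            session_destroy();
            AJXP_XMLWriter::header();
            AJXP_XMLWriter::loggingResult($loggingResult, null, null, null);
            AJXP_XMLWriter::close();
            break;

        case "get_seed":
            $seed = AuthService::generateSeed();
            if (AuthService::suspectBruteForceLogin()) {
                // Tell the client a captcha is now required along with the seed.
                HTMLWriter::charsetHeader('application/json');
                print json_encode(array("seed" => $seed, "captcha" => true));
            } else {
                HTMLWriter::charsetHeader("text/plain");
                print $seed;
            }
            break;

        case "get_secure_token":
            HTMLWriter::charsetHeader("text/plain");
            print AuthService::generateSecureToken();
            break;

        case "get_captcha":
            include_once AJXP_BIN_FOLDER . "/class.CaptchaProvider.php";
            CaptchaProvider::sendCaptcha();
            break;

        case "back":
            // NOTE(review): the logout address is echoed unescaped inside the <url> element;
            // fine only if it is an admin-configured value, never user-influenced.
            AJXP_XMLWriter::header("url");
            echo AuthService::getLogoutAddress(false);
            AJXP_XMLWriter::close("url");
            break;

        default:
            break;
    }
    return "";
}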
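public function postVerificationCode($action, $httpVars, $fileVars)
{
    // Second-factor (Duo) callback for an already password-authenticated session.
    // On a valid signature for exactly this user the account lock is removed and
    // the session is bound to a workspace; on anything else the session is
    // terminated and the client is told to authenticate again. $fileVars is unused.
    if ($action != "duo_post_verification_code") {
        return;
    }
    $u = AuthService::getLoggedUser();
    if ($u == null) {
        return;
    }
    // Guard the index: a request without sig_response goes through the same failure path.
    $sigResponse = isset($httpVars["sig_response"]) ? $httpVars["sig_response"] : null;
    require_once $this->getBaseDir() . "/duo_php/duo_web.php";
    $appUnique = $this->getFilteredOption("DUO_AUTH_AKEY");
    $iKey = $this->getFilteredOption("DUO_AUTH_IKEY");
    $sKey = $this->getFilteredOption("DUO_AUTH_SKEY");
    // Expected to return the verified username, or null — confirm against duo_web.php.
    $verif = Duo::verifyResponse($iKey, $sKey, $appUnique, $sigResponse);

    // Strict comparison: the second factor must be for exactly the user holding this
    // session, not a loosely-equal value such as "0" or "".
    $verified = $verif !== null && (string) $verif === (string) $u->getId();
    if (!$verified) {
        AuthService::disconnect();
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::requireAuth(true);
        AJXP_XMLWriter::close();
        return;
    }

    $u->removeLock();
    $u->save("superuser");
    $u->recomputeMergedRole();
    AuthService::updateUser($u);
    // The original performs this parameter-less switch before the role-driven one
    // below (presumably to initialise the active repository first — confirm); kept as-is.
    ConfService::switchUserToActiveRepository($u);
    $force = $u->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
    $passId = -1;
    if ($force != ""
        && $u->canSwitchTo($force)
        && !isset($httpVars["tmp_repository_id"])
        && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
        $passId = $force;
    }
    $res = ConfService::switchUserToActiveRepository($u, $passId);
    if (!$res) {
        // Verified, but no usable workspace: do not leave a half-initialised session behind.
        AuthService::disconnect();
        AJXP_XMLWriter::header();
        AJXP_XMLWriter::requireAuth(true);
        AJXP_XMLWriter::close();
    }
}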
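function tryToLogUser(&$httpVars, $isLast = false)
{
    // CAS authentication front. Drives phpCAS in client or proxy mode, then logs the
    // CAS principal into the application (auto-creating it when configured) and
    // binds the session to a workspace. Returns true on a completed CAS login,
    // false when CAS is not in play for this request or anything fails.
    // $isLast is unused by this front.
    if (isset($_SESSION["CURRENT_MINISITE"])) {
        // Public/minisite links are never authenticated through CAS.
        return false;
    }
    $this->loadConfig();

    $flag = isset($_SESSION['AUTHENTICATE_BY_CAS']) ? $_SESSION['AUTHENTICATE_BY_CAS'] : 0;
    $pgtIou = !empty($httpVars['pgtIou']);
    $logged = isset($_SESSION['LOGGED_IN_BY_CAS']);
    $enre = !empty($httpVars['put_action_enable_redirect']);
    $ticket = !empty($httpVars['ticket']);
    $pgt = !empty($_SESSION['phpCAS']['pgt']);
    $clientModeTicketPending = isset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);

    if ($this->cas_modify_login_page) {
        // With the modified login page CAS is opt-in; the session records whether the
        // user chose it (1) or a proxy callback is in progress (2).
        if ($flag == 0 && $enre && !$logged && !$pgtIou) {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
        } elseif ($flag == 1 && !$enre && !$logged && !$pgtIou && !$ticket && !$pgt) {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
        } elseif ($flag == 1 && $enre && !$logged && !$pgtIou) {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
        } elseif ($pgtIou || $pgt) {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
        } elseif ($ticket) {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 1;
            $_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING'] = 1;
        } elseif ($logged && $pgtIou) {
            // Unreachable: any request with pgtIou was already caught two branches up.
            // Kept from the original so the observable state machine is unchanged.
            $_SESSION['AUTHENTICATE_BY_CAS'] = 2;
        } else {
            $_SESSION['AUTHENTICATE_BY_CAS'] = 0;
        }
        if ($_SESSION['AUTHENTICATE_BY_CAS'] < 1) {
            if ($clientModeTicketPending) {
                unset($_SESSION['AUTHENTICATE_BY_CAS_CLIENT_MOD_TICKET_PENDDING']);
            } else {
                return false;
            }
        }
    }

    switch ($this->cas_mode) {
        case PHPCAS_MODE_CLIENT:
            if (!$this->checkConfigurationForClientMode()) {
                AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode CLIENT, please verify the configuration", "");
                return false;
            }
            AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Client: ", "sucessfully");
            phpCAS::client(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
            $this->configureCasServerValidation();
            $this->configureCasDebugLog();
            // Presumably redirects to the CAS login and exits when no valid ticket is present — confirm.
            phpCAS::forceAuthentication();
            break;

        case PHPCAS_MODE_PROXY:
            if (!$this->checkConfigurationForProxyMode()) {
                AJXP_Logger::error(__FUNCTION__, "Could not start phpCAS mode PROXY, please verify the configuration", "");
                return false;
            }
            AJXP_Logger::info(__FUNCTION__, "Start phpCAS mode Proxy: ", "sucessfully");
            phpCAS::proxy(CAS_VERSION_2_0, $this->cas_server, $this->cas_port, $this->cas_uri, false);
            $this->configureCasServerValidation();
            $this->configureCasDebugLog();
            if (!empty($this->cas_setFixedCallbackURL)) {
                phpCAS::setFixedCallbackURL($this->cas_setFixedCallbackURL);
            }
            // PGT storage must be in place before the proxy callback can be handled.
            $this->setPTGStorage();
            phpCAS::forceAuthentication();
            // Obtain a proxy ticket for the configured downstream service (e.g. SAMBA
            // through pam_cas); the service has to be enabled on the CAS side.
            $err_code = null;
            $serviceURL = $this->cas_proxied_service;
            AJXP_Logger::debug(__FUNCTION__, "Try to get proxy ticket for service: ", $serviceURL);
            $res = phpCAS::serviceSMB($serviceURL, $err_code);
            if (!empty($res)) {
                $_SESSION['PROXYTICKET'] = $res;
                AJXP_Logger::info(__FUNCTION__, "Get Proxy ticket successfully ", "");
            } else {
                AJXP_Logger::info(__FUNCTION__, "Could not get Proxy ticket. ", "");
            }
            break;

        default:
            return false;
    }

    AJXP_Logger::debug(__FUNCTION__, "Call phpCAS::getUser() after forceAuthentication ", "");
    $cas_user = phpCAS::getUser();
    if (!is_string($cas_user) || $cas_user === "") {
        // Never auto-create or log in an empty principal.
        return false;
    }
    if (!AuthService::userExists($cas_user) && $this->is_AutoCreateUser) {
        // The local password is an unguessable random blob; CAS users never authenticate with it.
        AuthService::createUser($cas_user, openssl_random_pseudo_bytes(20));
    }
    if (!AuthService::userExists($cas_user)) {
        return false;
    }
    $res = AuthService::logUser($cas_user, "", true);
    if ($res <= 0) {
        return false;
    }

    // In client mode no proxy ticket exists; pass null rather than read an undefined index.
    // NOTE(review): in proxy mode a stale PROXYTICKET from earlier in the session is
    // reused when the fresh request above failed — confirm that is acceptable.
    $proxyTicket = isset($_SESSION['PROXYTICKET']) ? $_SESSION['PROXYTICKET'] : null;
    AJXP_Safe::storeCredentials($cas_user, $proxyTicket);
    $_SESSION['LOGGED_IN_BY_CAS'] = true;

    // Fix: the original only built $userObj inside the additional-role branch and then
    // dereferenced it unconditionally, a fatal error whenever no additional role is set.
    $userObj = ConfService::getConfStorageImpl()->createUserObject($cas_user);
    if (!empty($this->cas_additional_role)) {
        $userObj->addRole(AuthService::getRole($this->cas_additional_role, true));
        AuthService::updateUser($userObj);
    }

    // Land on DEFAULT_START_REPOSITORY, or on the workspace the request asked for.
    $userObj->recomputeMergedRole();
    $force = $userObj->mergedRole->filterParameterValue("core.conf", "DEFAULT_START_REPOSITORY", AJXP_REPO_SCOPE_ALL, -1);
    $passId = -1;
    if (isset($httpVars["tmp_repository_id"])) {
        // Caller-supplied; switchUserToActiveRepository() is relied upon to refuse
        // a workspace this user cannot access.
        $passId = $httpVars["tmp_repository_id"];
    } elseif ($force != "" && $userObj->canSwitchTo($force) && !isset($_SESSION["PENDING_REPOSITORY_ID"])) {
        $passId = $force;
    }
    // NOTE(review): as in the original, a failed switch is ignored here, whereas the other
    // authentication fronts disconnect the user in that case.
    ConfService::switchUserToActiveRepository($userObj, $passId);
    return true;
}

/**
 * Pin the CAS server CA bundle when one is configured; otherwise phpCAS validates
 * tickets without verifying the server's TLS certificate.
 */
private function configureCasServerValidation()
{
    if (!empty($this->cas_certificate_path)) {
        phpCAS::setCasServerCACert($this->cas_certificate_path);
    } else {
        // SECURITY: without a CA bundle the ticket-validation call to the CAS server is
        // not TLS-verified, so an on-path attacker could forge validation responses.
        // Set cas_certificate_path in production.
        phpCAS::setNoCasServerValidation();
    }
}

/**
 * Route phpCAS debug output to the configured file, or to a per-day file under the
 * data path. Only active when cas_debug_mode is set; the log likely contains
 * tickets, so keep it off in production.
 */
private function configureCasDebugLog()
{
    if (!$this->cas_debug_mode) {
        return;
    }
    $today = getdate();
    // getdate()['month'] is the month name, so the default file is e.g.
    // phpcas_2015-March-9.txt (kept as in the original).
    $file_path = AJXP_DATA_PATH . '/logs/phpcas_' . $today['year'] . '-' . $today['month'] . '-' . $today['mday'] . '.txt';
    if (!empty($this->cas_debug_file)) {
        $file_path = $this->cas_debug_file;
    }
    phpCAS::setDebug($file_path);
}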