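function checkAccess()
{
    /*
     * Gate the current request according to the global $mode before any
     * action function is dispatched.
     *
     *   "vcldquery"          - the "key" input must equal the shared $vcldquerykey.
     *   "xmlrpccall"         - requires HTTPS and authenticates the caller from the
     *                          X-User / X-Pass / X-APIVersion request headers; on
     *                          success $user is populated (API v1 additionally sets
     *                          $user['xmlrpckeyid']).
     *   "xmlrpcaffiliations" - requires HTTPS and a known API version only.
     *   any other non-empty  - must be a registered entry point (unless resuming a
     *                          continuation) and, for the modes listed in the switch
     *                          below, the logged-in $user must hold the matching
     *                          privilege; otherwise $mode/$actionFunction are reset.
     *
     * Every XML-RPC / vcldquery failure prints an error, disconnects from the
     * database and exits the script. There is no return value.
     */
    global $mode, $user, $viewmode, $actionFunction, $vcldquerykey, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $userlookupUsers;

    if ($mode == "vcldquery") {
        $key = processInputVar("key", ARG_STRING);
        // Strict comparison: with "!=" PHP compares numeric-looking strings as
        // numbers, so two different keys of the form "0e123..." would be "equal".
        if ($key !== $vcldquerykey) {
            print "Access denied\n";
            dbDisconnect();
            exit;
        }
        return;
    }

    if ($mode == 'xmlrpccall') {
        // Credentials travel in plain request headers, so insist on TLS.
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        // Reject a missing or empty X-Pass before any backend is consulted: an
        // empty password handed to ldap_bind() below is treated as an
        // unauthenticated (anonymous) bind by many directories, which would
        // report success without verifying the caller at all.
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);

        if ($apiver == 1) {
            /* code for version 1 should probably be removed in VCL 2.2 */
            // The API key is caller-controlled and is embedded in SQL, so it must
            // be escaped for the open mysql connection; unescaped it could be used
            // to rewrite the WHERE clause and match a key the caller does not own.
            // $xmluser has already been through processInputData() as ARG_STRING
            // and was used by getUserInfo() above; presumably that made it
            // SQL-safe -- TODO confirm, and escape it here too if not.
            $safekey = mysql_real_escape_string($xmlpass);
            $query = "SELECT x.id "
                   . "FROM xmlrpcKey x, "
                   . "user u "
                   . "WHERE x.ownerid = u.id AND "
                   . "u.unityid = '{$xmluser}' AND "
                   . "x.key = '{$safekey}' AND "
                   . "x.active = 1";
            $qh = doQuery($query, 101);
            // Exactly one active key must match; anything else is a denial.
            if (mysql_num_rows($qh) != 1) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
            $row = mysql_fetch_assoc($qh);
            $user['xmlrpckeyid'] = $row['id'];
            return;
        }

        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }

        // API v2: authenticate against the mechanism configured for the
        // user's affiliation.
        $authtype = null;
        foreach ($authMechs as $mechkey => $authmech) {
            if ($authmech['affiliationid'] == $user['affiliationid']) {
                $authtype = $mechkey;
                break;
            }
        }
        if ($authtype === null) {
            // No mechanism for this affiliation: fail closed here rather than
            // indexing $authMechs with a bogus key and drifting through the
            // type checks below on undefined values.
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        $auth = $authMechs[$authtype];

        if ($auth['type'] == 'ldap') {
            $ds = ldap_connect("ldaps://{$auth['server']}/");
            if (!$ds) {
                printXMLRPCerror(5); # failed to connect to auth server
                dbDisconnect();
                exit;
            }
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            // 'userid' is a printf template that turns the login into a bind DN.
            $ldapuser = sprintf($auth['userid'], $user['unityid']);
            if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
            $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
            if (empty($rc) || $rc['passfail'] == 'fail') {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } elseif ($auth['type'] == 'local') {
            if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } else {
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        return;
    }

    if ($mode == 'xmlrpcaffiliations') {
        // TLS is not strictly needed for this mode, but it keeps the
        // XML-RPC entry points consistent.
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver != 1 && $apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        return;
    }

    if (empty($mode)) {
        return;
    }

    // Regular (browser) request: an unknown mode is only acceptable while
    // resuming a continuation; otherwise route back to the main page.
    if (!in_array($mode, $actions['entry']) && !$inContinuation) {
        $mode = "main";
        $actionFunction = "main";
        return;
    }
    if ($inContinuation) {
        return;
    }

    // Check that the user has access to this area. Modes not listed here
    // carry no extra requirement at this point.
    $privs = $user["privileges"];
    switch ($mode) {
        case 'viewRequests':
            $allowed = in_array("imageCheckOut", $privs) || in_array("imageAdmin", $privs);
            break;
        case 'blockRequest':
            $allowed = ($viewmode == ADMIN_DEVELOPER);
            break;
        case 'viewGroups':
            $allowed = in_array("groupAdmin", $privs);
            break;
        case 'selectImageOption':
            $allowed = in_array("imageAdmin", $privs);
            break;
        case 'viewSchedules':
            $allowed = in_array("scheduleAdmin", $privs);
            break;
        case 'selectComputers':
        case 'editVMInfo':
            $allowed = in_array("computerAdmin", $privs);
            break;
        case 'selectMgmtnodeOption':
            $allowed = in_array("mgmtNodeAdmin", $privs);
            break;
        case 'pickTimeTable':
            // The timetable is only meaningful if the user can see at least one
            // platform and one schedule.
            $computermetadata = getUserComputerMetaData();
            $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
            break;
        case 'viewNodes':
            $allowed = in_array("userGrant", $privs)
                    || in_array("resourceGrant", $privs)
                    || in_array("nodeAdmin", $privs);
            break;
        case 'userLookup':
            $allowed = ($viewmode == ADMIN_DEVELOPER) || in_array($user['id'], $userlookupUsers);
            break;
        case 'viewdocs':
            $allowed = in_array("userGrant", $privs)
                    || in_array("resourceGrant", $privs)
                    || in_array("nodeAdmin", $privs)
                    || in_array($user['id'], $docreaders);
            break;
        default:
            $allowed = true;
            break;
    }
    if (!$allowed) {
        // Denied: clear the mode (note: "", not "main") and fall back to main.
        $mode = "";
        $actionFunction = "main";
    }
}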
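function checkAccess()
{
    /*
     * Gate the current request according to the global $mode before any
     * action function is dispatched.
     *
     *   "xmlrpccall"         - requires HTTPS and authenticates the caller from the
     *                          X-User / X-Pass / X-APIVersion headers (API v2 only;
     *                          v1 is refused as unsupported); on success $user is
     *                          populated.
     *   "xmlrpcaffiliations" - requires HTTPS and API version 2 only.
     *   any other non-empty  - must be a registered entry point (unless resuming a
     *                          continuation) and, for the modes listed in the switch
     *                          below, the logged-in $user must hold the matching
     *                          privilege; otherwise $mode/$actionFunction are reset.
     *
     * Every XML-RPC failure prints an XML-RPC error, disconnects from the
     * database and exits the script. There is no return value.
     */
    global $mode, $user, $actionFunction, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $apiValidateFunc;

    if ($mode == 'xmlrpccall') {
        // Credentials travel in plain request headers, so insist on TLS.
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($xmluser, 1))) {
                $testid = $xmluser;
                $affilid = DEFAULT_AFFILID;
                getAffilidAndLogin($testid, $affilid);
                addLoginLog($testid, 'unknown', $affilid, 0);
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        }
        // An empty password must never reach a backend: ldap_bind() treats it
        // as an unauthenticated bind on many directories and would "succeed".
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3); # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8); # unsupported API version
            dbDisconnect();
            exit;
        }
        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }

        // API v2: authenticate against the mechanism configured for the
        // user's affiliation.
        $authtype = null;
        foreach ($authMechs as $mechkey => $authmech) {
            if ($authmech['affiliationid'] == $user['affiliationid']) {
                $authtype = $mechkey;
                break;
            }
        }
        if ($authtype === null) {
            // This is an XML-RPC reply, so report the failure as an XML-RPC
            // error like every other path here instead of printing plain text
            // that the client cannot parse.
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        $auth = $authMechs[$authtype];
        $login = $user['unityid'];
        $affilid = $user['affiliationid'];

        if ($auth['type'] == 'ldap') {
            $ds = ldap_connect("ldaps://{$auth['server']}/");
            if (!$ds) {
                printXMLRPCerror(5); # failed to connect to auth server
                dbDisconnect();
                exit;
            }
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            if (!empty($auth['lookupuserbeforeauth'])) {
                // The user's DN lives somewhere under binddn, so locate it first
                // with the service account (anonymous bind if none is configured).
                if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
                    $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
                } else {
                    $res = ldap_bind($ds);
                }
                if (!$res) {
                    addLoginLog($login, $authtype, $affilid, 0);
                    printXMLRPCerror(5); # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                // The login originates from the caller-supplied X-User header, so
                // escape the RFC 4515 filter metacharacters before embedding it;
                // an unescaped "*" or ")" could widen or rewrite the search filter.
                $filterval = str_replace(
                    array('\\', '*', '(', ')', "\0"),
                    array('\5c', '\2a', '\28', '\29', '\00'),
                    $login
                );
                $filter = "{$auth['lookupuserfield']}={$filterval}";
                $search = ldap_search($ds, $auth['binddn'], $filter, array('dn'), 0, 3, 15);
                $ldapuser = null;
                if ($search) {
                    $entries = ldap_get_entries($ds, $search);
                    if ($entries['count'] && array_key_exists('dn', $entries[0])) {
                        $ldapuser = $entries[0]['dn'];
                    }
                }
                if ($ldapuser === null) {
                    // Search failed or returned no usable entry.
                    addLoginLog($login, $authtype, $affilid, 0);
                    printXMLRPCerror(3); # access denied
                    dbDisconnect();
                    exit;
                }
            } else {
                // 'userid' is a printf template that turns the login into a bind DN.
                $ldapuser = sprintf($auth['userid'], $login);
            }
            if (!ldap_bind($ds, $ldapuser, $xmlpass)) {
                addLoginLog($login, $authtype, $affilid, 0);
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
            addLoginLog($login, $authtype, $affilid, 1);
        } elseif ($ENABLE_ITECSAUTH && $auth['affiliationid'] == getAffiliationID('ITECS')) {
            $rc = ITECSAUTH_validateUser($itecsauthkey, $login, $xmlpass);
            if (empty($rc) || $rc['passfail'] == 'fail') {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } elseif ($auth['type'] == 'local') {
            if (!validateLocalAccount($login, $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } elseif ($auth['type'] == 'redirect') {
            // Delegate to the per-affiliation validator callable, if one is configured.
            $validatorAffil = $auth['affiliationid'];
            $hasValidator = isset($apiValidateFunc)
                         && is_array($apiValidateFunc)
                         && array_key_exists($validatorAffil, $apiValidateFunc);
            if (!$hasValidator || !$apiValidateFunc[$validatorAffil]($xmluser, $xmlpass)) {
                printXMLRPCerror(3); # access denied
                dbDisconnect();
                exit;
            }
        } else {
            printXMLRPCerror(6); # unable to auth passed in X-User
            dbDisconnect();
            exit;
        }
        return;
    }

    if ($mode == 'xmlrpcaffiliations') {
        // TLS is not strictly needed for this mode, but it keeps the
        // XML-RPC entry points consistent.
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4); # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8); # unsupported API version
            dbDisconnect();
            exit;
        }
        if ($apiver != 2) {
            printXMLRPCerror(7); # unknown API version
            dbDisconnect();
            exit;
        }
        return;
    }

    if (empty($mode)) {
        return;
    }

    // Regular (browser) request: an unknown mode is only acceptable while
    // resuming a continuation; otherwise route back to the main page.
    if (!in_array($mode, $actions['entry']) && !$inContinuation) {
        $mode = "main";
        $actionFunction = "main";
        return;
    }
    if ($inContinuation) {
        return;
    }

    // Check that the user has access to this area. Modes not listed here
    // carry no extra requirement at this point.
    $privs = $user["privileges"];
    switch ($mode) {
        case 'viewGroups':
            $allowed = in_array("groupAdmin", $privs);
            break;
        case 'serverProfiles':
            $allowed = in_array("serverProfileAdmin", $privs) || in_array("serverCheckOut", $privs);
            break;
        case 'pickTimeTable':
            // The timetable is only meaningful if the user can see at least one
            // platform and one schedule.
            $computermetadata = getUserComputerMetaData();
            $allowed = count($computermetadata["platforms"]) && count($computermetadata["schedules"]);
            break;
        case 'viewNodes':
            $allowed = in_array("userGrant", $privs)
                    || in_array("resourceGrant", $privs)
                    || in_array("nodeAdmin", $privs);
            break;
        case 'userLookup':
            $allowed = checkUserHasPerm('User Lookup (global)')
                    || checkUserHasPerm('User Lookup (affiliation only)');
            break;
        case 'editVMInfo':
            $allowed = in_array("computerAdmin", $privs);
            break;
        case 'siteMaintenance':
            $allowed = checkUserHasPerm('Schedule Site Maintenance');
            break;
        case 'dashboard':
            $allowed = checkUserHasPerm('View Dashboard (global)')
                    || checkUserHasPerm('View Dashboard (affiliation only)');
            break;
        default:
            $allowed = true;
            break;
    }
    if (!$allowed) {
        // Denied: clear the mode (note: "", not "main") and fall back to main.
        $mode = "";
        $actionFunction = "main";
    }
}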