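/**
 * Gates the current request on the global $mode before its action runs.
 *
 * Nothing is returned; the outcome is expressed through globals or by
 * terminating the script (after dbDisconnect()):
 *  - "vcldquery": the "key" input must equal $vcldquerykey, otherwise the
 *    request ends with "Access denied".
 *  - "xmlrpccall": requires HTTPS, resolves the X-User header to $user and
 *    authenticates the X-Pass header either against the xmlrpcKey table
 *    (API version 1) or the affiliation's mechanism in $authMechs
 *    (API version 2: ldap, ITECS, or local).  Every failure ends the request
 *    with the matching printXMLRPCerror() code.
 *  - "xmlrpcaffiliations": requires HTTPS and an API version of 1 or 2.
 *  - any other non-empty mode: outside a continuation the mode must be listed
 *    in $actions['entry'] and the user must hold the privilege the per-mode
 *    switch demands; otherwise $mode / $actionFunction are reset so the main
 *    page is shown instead.
 */
function checkAccess() {
    global $mode, $user, $viewmode, $actionFunction, $vcldquerykey, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $userlookupUsers;
    if ($mode == "vcldquery") {
        $key = processInputVar("key", ARG_STRING);
        if ($key != $vcldquerykey) {
            print "Access denied\n";
            dbDisconnect();
            exit;
        }
    }
    elseif ($mode == 'xmlrpccall') {
        // double check for SSL
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);   # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            printXMLRPCerror(3);   # access denied
            dbDisconnect();
            exit;
        }
        # A missing or empty X-Pass must never reach the credential checks
        # below: an empty password handed to ldap_bind() can be treated as an
        # unauthenticated (anonymous) bind and succeed.
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3);   # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        /* code for version 1 should probably be removed in VCL 2.2 */
        if ($apiver == 1) {
            # Both values originate in request headers and are interpolated into
            # quoted SQL literals, so escape them first.  mysql_real_escape_string()
            # uses the last-opened mysql link (the one doQuery() queries through,
            # as the mysql_* result calls below imply).  If processInputData()
            # already SQL-escapes its ARG_STRING result, only $xmlpass needs this.
            $sqluser = mysql_real_escape_string($xmluser);
            $sqlpass = mysql_real_escape_string($xmlpass);
            $query = "SELECT x.id "
                   . "FROM xmlrpcKey x, "
                   .      "user u "
                   . "WHERE x.ownerid = u.id AND "
                   .       "u.unityid = '{$sqluser}' AND "
                   .       "x.key = '{$sqlpass}' AND "
                   .       "x.active = 1";
            $qh = doQuery($query, 101);
            # exactly one active key must match; zero or several rows both deny
            if (!(mysql_num_rows($qh) == 1)) {
                printXMLRPCerror(3);   # access denied
                dbDisconnect();
                exit;
            }
            $row = mysql_fetch_assoc($qh);
            $user['xmlrpckeyid'] = $row['id'];
        }
        elseif ($apiver == 2) {
            # pick the first auth mechanism configured for the user's affiliation
            $authtype = "";
            foreach ($authMechs as $key => $authmech) {
                if ($authmech['affiliationid'] == $user['affiliationid']) {
                    $authtype = $key;
                    break;
                }
            }
            # If no mechanism matched, $authtype is "" and none of the type
            # checks below match, so the request ends with error 6.
            if ($authMechs[$authtype]['type'] == 'ldap') {
                $ds = ldap_connect("ldaps://{$authMechs[$authtype]['server']}/");
                if (!$ds) {
                    printXMLRPCerror(5);   # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
                # 'userid' is a sprintf template that turns the login into a bind DN
                $ldapuser = sprintf($authMechs[$authtype]['userid'], $user['unityid']);
                $res = ldap_bind($ds, $ldapuser, $xmlpass);
                if (!$res) {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            elseif ($ENABLE_ITECSAUTH && $authMechs[$authtype]['affiliationid'] == getAffiliationID('ITECS')) {
                $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
                if (empty($rc) || $rc['passfail'] == 'fail') {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            elseif ($authMechs[$authtype]['type'] == 'local') {
                if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            else {
                printXMLRPCerror(6);   # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
        }
        else {
            printXMLRPCerror(7);   # unknown API version
            dbDisconnect();
            exit;
        }
    }
    elseif ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistent
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);   # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver != 1 && $apiver != 2) {
            printXMLRPCerror(7);   # unknown API version
            dbDisconnect();
            exit;
        }
    }
    elseif (!empty($mode)) {
        # a mode that is not an entry point may only be reached through a continuation
        if (!in_array($mode, $actions['entry']) && !$inContinuation) {
            $mode = "main";
            $actionFunction = "main";
            return;
        }
        if ($inContinuation) {
            return;
        }
        # check that user has access to this area; every denial falls back to main
        switch ($mode) {
            case 'viewRequests':
                if (!in_array("imageCheckOut", $user["privileges"]) &&
                    !in_array("imageAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'blockRequest':
                if ($viewmode != ADMIN_DEVELOPER) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'viewGroups':
                if (!in_array("groupAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'selectImageOption':
                if (!in_array("imageAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'viewSchedules':
                if (!in_array("scheduleAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'selectComputers':
                if (!in_array("computerAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'selectMgmtnodeOption':
                if (!in_array("mgmtNodeAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'pickTimeTable':
                # the time table is useless without at least one platform and one schedule
                $computermetadata = getUserComputerMetaData();
                if (!count($computermetadata["platforms"]) ||
                    !count($computermetadata["schedules"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'viewNodes':
                if (!in_array("userGrant", $user["privileges"]) &&
                    !in_array("resourceGrant", $user["privileges"]) &&
                    !in_array("nodeAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'userLookup':
                # developers always pass; everyone else must be in the configured list
                if ($viewmode != ADMIN_DEVELOPER && !in_array($user['id'], $userlookupUsers)) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'editVMInfo':
                if (!in_array("computerAdmin", $user["privileges"])) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
            case 'viewdocs':
                if (!in_array("userGrant", $user["privileges"]) &&
                    !in_array("resourceGrant", $user["privileges"]) &&
                    !in_array("nodeAdmin", $user["privileges"]) &&
                    !in_array($user['id'], $docreaders)) {
                    $mode = "";
                    $actionFunction = "main";
                    return;
                }
                break;
        }
    }
}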
/**
 * Gates the current request on the global $mode before its action runs.
 *
 * Nothing is returned; the outcome is expressed through globals or by
 * terminating the script (after dbDisconnect()):
 *  - "xmlrpccall": requires HTTPS, resolves the X-User header to $user
 *    (retrying getUserInfo() with $noupdate set, logging the failed attempt
 *    otherwise), rejects a missing/empty X-Pass header, refuses API version 1
 *    and for version 2 authenticates against the affiliation's mechanism in
 *    $authMechs: ldap (with optional master-bind user lookup), ITECS, local,
 *    or a config-supplied "redirect" validator in $apiValidateFunc.  Every
 *    failure ends the request with the matching printXMLRPCerror() code.
 *  - "xmlrpcaffiliations": requires HTTPS and API version 2 (1 is refused).
 *  - any other non-empty mode: outside a continuation the mode must be listed
 *    in $actions['entry'] and the user must hold the privilege the per-mode
 *    switch demands; otherwise $mode / $actionFunction are reset so the main
 *    page is shown instead.
 */
function checkAccess() {
    global $mode, $user, $actionFunction, $authMechs;
    global $itecsauthkey, $ENABLE_ITECSAUTH, $actions, $noHTMLwrappers;
    global $inContinuation, $docreaders, $apiValidateFunc;
    if ($mode == 'xmlrpccall') {
        // double check for SSL
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);   # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $xmluser = processInputData($_SERVER['HTTP_X_USER'], ARG_STRING, 1);
        if (!($user = getUserInfo($xmluser))) {
            // if first call to getUserInfo fails, try calling with $noupdate set
            if (!($user = getUserInfo($xmluser, 1))) {
                # record the failed attempt against whatever affiliation the login resolves to
                $testid = $xmluser;
                $affilid = DEFAULT_AFFILID;
                getAffilidAndLogin($testid, $affilid);
                addLoginLog($testid, 'unknown', $affilid, 0);
                printXMLRPCerror(3);   # access denied
                dbDisconnect();
                exit;
            }
        }
        # An empty password must not reach the credential checks below: handed to
        # ldap_bind() it can be treated as an unauthenticated (anonymous) bind.
        if (!array_key_exists('HTTP_X_PASS', $_SERVER) || strlen($_SERVER['HTTP_X_PASS']) == 0) {
            printXMLRPCerror(3);   # access denied
            dbDisconnect();
            exit;
        }
        $xmlpass = $_SERVER['HTTP_X_PASS'];
        if (get_magic_quotes_gpc()) {
            $xmlpass = stripslashes($xmlpass);
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);   # unsupported API version
            dbDisconnect();
            exit;
        }
        elseif ($apiver == 2) {
            # pick the first auth mechanism configured for the user's affiliation
            $authtype = "";
            foreach ($authMechs as $key => $authmech) {
                if ($authmech['affiliationid'] == $user['affiliationid']) {
                    $authtype = $key;
                    break;
                }
            }
            if (empty($authtype)) {
                print "No authentication mechanism found for passed in X-User";
                dbDisconnect();
                exit;
            }
            if ($authMechs[$authtype]['type'] == 'ldap') {
                $auth = $authMechs[$authtype];
                $ds = ldap_connect("ldaps://{$auth['server']}/");
                if (!$ds) {
                    printXMLRPCerror(5);   # failed to connect to auth server
                    dbDisconnect();
                    exit;
                }
                ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
                ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
                if ($auth['lookupuserbeforeauth']) {
                    # in this case, we have to look up what part of the tree the user is in
                    # before we can actually look up the user
                    # bind with the configured master account if there is one, anonymously otherwise
                    if (array_key_exists('masterlogin', $auth) && strlen($auth['masterlogin'])) {
                        $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
                    }
                    else {
                        $res = ldap_bind($ds);
                    }
                    if (!$res) {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(5);   # failed to connect to auth server
                        dbDisconnect();
                        exit;
                    }
                    # search under 'binddn' for the user's entry, fetching only its dn
                    # (attrsonly 0, size limit 3 entries, time limit 15 seconds)
                    # NOTE(review): $user['unityid'] is interpolated into the filter
                    # unescaped; it derives from the X-User header via processInputData()
                    # and getUserInfo(), so confirm that path constrains the characters it
                    # can contain (ldap_escape() would need PHP 5.6+).
                    $search = ldap_search($ds, $auth['binddn'], "{$auth['lookupuserfield']}={$user['unityid']}", array('dn'), 0, 3, 15);
                    if ($search) {
                        $tmpdata = ldap_get_entries($ds, $search);
                        if (!$tmpdata['count'] || !array_key_exists('dn', $tmpdata[0])) {
                            addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                            printXMLRPCerror(3);   # access denied
                            dbDisconnect();
                            exit;
                        }
                        # the first entry found is the dn the user's own bind is attempted with
                        $ldapuser = $tmpdata[0]['dn'];
                    }
                    else {
                        addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                        printXMLRPCerror(3);   # access denied
                        dbDisconnect();
                        exit;
                    }
                }
                else {
                    # 'userid' is a sprintf template that turns the login into a bind DN
                    $ldapuser = sprintf($auth['userid'], $user['unityid']);
                }
                $res = ldap_bind($ds, $ldapuser, $xmlpass);
                if (!$res) {
                    addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 0);
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
                addLoginLog($user['unityid'], $authtype, $user['affiliationid'], 1);
            }
            elseif ($ENABLE_ITECSAUTH && $authMechs[$authtype]['affiliationid'] == getAffiliationID('ITECS')) {
                $rc = ITECSAUTH_validateUser($itecsauthkey, $user['unityid'], $xmlpass);
                if (empty($rc) || $rc['passfail'] == 'fail') {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            elseif ($authMechs[$authtype]['type'] == 'local') {
                if (!validateLocalAccount($user['unityid'], $xmlpass)) {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            elseif ($authMechs[$authtype]['type'] == 'redirect') {
                # delegate to the validator callback configured for this affiliation;
                # a missing or falsy validator result is a denial
                $affilid = $authMechs[$authtype]['affiliationid'];
                if (!(isset($apiValidateFunc) && is_array($apiValidateFunc) && array_key_exists($affilid, $apiValidateFunc) && $apiValidateFunc[$affilid]($xmluser, $xmlpass))) {
                    printXMLRPCerror(3);   # access denied
                    dbDisconnect();
                    exit;
                }
            }
            else {
                printXMLRPCerror(6);   # unable to auth passed in X-User
                dbDisconnect();
                exit;
            }
        }
        else {
            printXMLRPCerror(7);   # unknown API version
            dbDisconnect();
            exit;
        }
    }
    elseif ($mode == 'xmlrpcaffiliations') {
        // double check for SSL, not really required for this mode, but it keeps things consistent
        if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
            printXMLRPCerror(4);   # must have SSL enabled
            dbDisconnect();
            exit;
        }
        $apiver = processInputData($_SERVER['HTTP_X_APIVERSION'], ARG_NUMERIC, 1);
        if ($apiver == 1) {
            printXMLRPCerror(8);   # unsupported API version
            dbDisconnect();
            exit;
        }
        elseif ($apiver != 2) {
            printXMLRPCerror(7);   # unknown API version
            dbDisconnect();
            exit;
        }
    }
    elseif (!empty($mode)) {
        # a mode that is not an entry point may only be reached through a continuation
        if (!in_array($mode, $actions['entry']) && !$inContinuation) {
            $mode = "main";
            $actionFunction = "main";
            return;
        }
        else {
            if (!$inContinuation) {
                # check that user has access to this area; every denial falls back to main
                switch ($mode) {
                    case 'viewGroups':
                        if (!in_array("groupAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'serverProfiles':
                        if (!in_array("serverProfileAdmin", $user["privileges"]) && !in_array("serverCheckOut", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'pickTimeTable':
                        # the time table is useless without at least one platform and one schedule
                        $computermetadata = getUserComputerMetaData();
                        if (!count($computermetadata["platforms"]) || !count($computermetadata["schedules"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'viewNodes':
                        if (!in_array("userGrant", $user["privileges"]) && !in_array("resourceGrant", $user["privileges"]) && !in_array("nodeAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'userLookup':
                        if (!checkUserHasPerm('User Lookup (global)') && !checkUserHasPerm('User Lookup (affiliation only)')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'editVMInfo':
                        if (!in_array("computerAdmin", $user["privileges"])) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'siteMaintenance':
                        if (!checkUserHasPerm('Schedule Site Maintenance')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                    case 'dashboard':
                        if (!checkUserHasPerm('View Dashboard (global)') && !checkUserHasPerm('View Dashboard (affiliation only)')) {
                            $mode = "";
                            $actionFunction = "main";
                            return;
                        }
                        break;
                }
            }
        }
    }
}