Commit eb03dc1a authored by Ad Schellevis's avatar Ad Schellevis Committed by Franco Fichtner

(legacy) cleanups related to auth.inc (remove unused, move single usage, isset issues)

parent f97a2b0f
...@@ -335,7 +335,7 @@ function local_sync_accounts() ...@@ -335,7 +335,7 @@ function local_sync_accounts()
if ($fd) { if ($fd) {
while (!feof($fd)) { while (!feof($fd)) {
$line = explode(':',fgets($fd)); $line = explode(':',fgets($fd));
if (((!strncmp($line[0], '_', 1)) || ($line[2] < 2000) || ($line[2] > 65000))) { if ( count($line) < 3 || !strncmp($line[0], '_', 1) || $line[2] < 2000 || $line[2] > 65000) {
continue; continue;
} }
/* /*
...@@ -354,13 +354,7 @@ function local_sync_accounts() ...@@ -354,13 +354,7 @@ function local_sync_accounts()
if ($fd) { if ($fd) {
while (!feof($fd)) { while (!feof($fd)) {
$line = explode(':',fgets($fd)); $line = explode(':',fgets($fd));
if (!strncmp($line[0], '_', 1)) { if (count($line) < 3 || !strncmp($line[0], '_', 1) || $line[2] < 2000 || $line[2] > 65000 ) {
continue;
}
if ($line[2] < 2000) {
continue;
}
if ($line[2] > 65000) {
continue; continue;
} }
mwexecf('/usr/sbin/pw groupdel %s', $line[2]); mwexecf('/usr/sbin/pw groupdel %s', $line[2]);
...@@ -1186,17 +1180,10 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array()) ...@@ -1186,17 +1180,10 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array())
return $ret; return $ret;
} }
function get_user_expiration_date($username) {
$user = getUserEntry($username);
if (isset($user['expires'])) {
return $user['expires'];
}
}
function is_account_expired($username) { function is_account_expired($username) {
$expirydate = get_user_expiration_date($username); $user = getUserEntry($username);
if ($expirydate) { if (isset($user['expires']) && !empty($user['expires'])) {
if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($expirydate)))) if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($user['expires']))))
return true; return true;
} }
...@@ -1296,138 +1283,4 @@ function authenticate_user($username, $password, $authcfg = NULL, &$attributes = ...@@ -1296,138 +1283,4 @@ function authenticate_user($username, $password, $authcfg = NULL, &$attributes =
return $authenticated; return $authenticated;
} }
function session_auth() {
global $config, $_SESSION;
// Handle HTTPS httponly and secure flags
$currentCookieParams = session_get_cookie_params();
session_set_cookie_params(
$currentCookieParams["lifetime"],
$currentCookieParams["path"],
NULL,
($config['system']['webgui']['protocol'] == "https"),
true
);
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
// Detect protocol change
if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol'])
return false;
/* Validate incoming login request */
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
if (isset($config['system']['webgui']['authmode'])) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
} else {
$authcfg = null;
}
if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
// Generate a new id to avoid session fixation
session_regenerate_id();
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_POST['usernamefld'];
$_SESSION['last_access'] = time();
$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
if (!isset($config['system']['webgui']['quietlogin'])) {
log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
}
if (isset($_POST['postafterlogin']))
return true;
else {
header("Location: {$_SERVER['REQUEST_URI']}");
}
exit;
} else {
/* give the user an error message */
$_SESSION['Login_Error'] = _('Wrong username or password.');
log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
if (isAjax()) {
echo "showajaxmessage('{$_SESSION['Login_Error']}');";
return;
}
}
}
/* Show login page if they aren't logged in */
if (empty($_SESSION['Logged_In']))
return false;
/* If session timeout isn't set, we don't mark sessions stale */
if (!isset($config['system']['webgui']['session_timeout'])) {
/* Default to 4 hour timeout if one is not set */
if ($_SESSION['last_access'] < (time() - 14400)) {
$_GET['logout'] = true;
$_SESSION['Logout'] = true;
} else
$_SESSION['last_access'] = time();
} else if (intval($config['system']['webgui']['session_timeout']) == 0) {
/* only update if it wasn't ajax */
if (!isAjax())
$_SESSION['last_access'] = time();
} else {
/* Check for stale session */
if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
$_GET['logout'] = true;
$_SESSION['Logout'] = true;
} else {
/* only update if it wasn't ajax */
if (!isAjax())
$_SESSION['last_access'] = time();
}
}
/* user hit the logout button */
if (isset($_GET['logout'])) {
if ($_SESSION['Logout'])
log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
else
log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
/* wipe out $_SESSION */
$_SESSION = array();
if (isset($_COOKIE[session_name()]))
setcookie(session_name(), '', time()-42000, '/');
/* and destroy it */
session_destroy();
$scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
$scriptElms = count($scriptName);
$scriptName = $scriptName[$scriptElms-1];
if (isAjax())
return false;
/* redirect to page the user is on, it'll prompt them to login again */
header("Location: {$scriptName}");
return false;
}
return true;
}
/**
* do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user.
* @param $http_auth_header http_authorization header content
* @return bool
*/
function http_basic_auth($http_auth_header)
{
$tags=explode(" ", $http_auth_header) ;
if (count($tags) >= 2) {
$userinfo= explode(":", base64_decode($tags[1])) ;
if (count($userinfo)>=2) {
return authenticate_user($userinfo[0], $userinfo[1]);
}
}
// not authenticated
return false;
}
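Review bot: In is_account_expired the new guard `isset($user['expires']) && !empty($user['expires'])` is redundant, because `empty()` already returns true for an unset key; `if (!empty($user['expires'])) {` expresses the same check. The identical uid/gid range filter now appears verbatim in both loops of local_sync_accounts (the lines at L10 and L18); a small helper such as `function is_managed_account_line(array $line): bool` would keep the two in step the next time the range changes. Both filters also compare `$line[2]` numerically without confirming it is a number, and int-vs-string comparison rules differ between PHP versions, so a `!ctype_digit($line[2])` term at the front of the condition would make a malformed passwd/group line skip deterministically instead of reaching the `pw groupdel` call. local_sync_accounts starts and ends outside these hunks.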
...@@ -32,6 +32,124 @@ ...@@ -32,6 +32,124 @@
include_once("auth.inc"); include_once("auth.inc");
include_once("priv.inc"); include_once("priv.inc");
function session_auth() {
global $config, $_SESSION;
// Handle HTTPS httponly and secure flags
$currentCookieParams = session_get_cookie_params();
session_set_cookie_params(
$currentCookieParams["lifetime"],
$currentCookieParams["path"],
NULL,
($config['system']['webgui']['protocol'] == "https"),
true
);
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
// Detect protocol change
if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol'])
return false;
/* Validate incoming login request */
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
if (isset($config['system']['webgui']['authmode'])) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
} else {
$authcfg = null;
}
if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
// Generate a new id to avoid session fixation
session_regenerate_id();
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_POST['usernamefld'];
$_SESSION['last_access'] = time();
$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
if (!isset($config['system']['webgui']['quietlogin'])) {
log_error(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
}
if (isset($_POST['postafterlogin']))
return true;
else {
header("Location: {$_SERVER['REQUEST_URI']}");
}
exit;
} else {
/* give the user an error message */
$_SESSION['Login_Error'] = _('Wrong username or password.');
log_error("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
if (isAjax()) {
echo "showajaxmessage('{$_SESSION['Login_Error']}');";
return;
}
}
}
/* Show login page if they aren't logged in */
if (empty($_SESSION['Logged_In']))
return false;
/* If session timeout isn't set, we don't mark sessions stale */
if (!isset($config['system']['webgui']['session_timeout'])) {
/* Default to 4 hour timeout if one is not set */
if ($_SESSION['last_access'] < (time() - 14400)) {
$_GET['logout'] = true;
$_SESSION['Logout'] = true;
} else
$_SESSION['last_access'] = time();
} else if (intval($config['system']['webgui']['session_timeout']) == 0) {
/* only update if it wasn't ajax */
if (!isAjax())
$_SESSION['last_access'] = time();
} else {
/* Check for stale session */
if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
$_GET['logout'] = true;
$_SESSION['Logout'] = true;
} else {
/* only update if it wasn't ajax */
if (!isAjax())
$_SESSION['last_access'] = time();
}
}
/* user hit the logout button */
if (isset($_GET['logout'])) {
if ($_SESSION['Logout'])
log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
else
log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
/* wipe out $_SESSION */
$_SESSION = array();
if (isset($_COOKIE[session_name()]))
setcookie(session_name(), '', time()-42000, '/');
/* and destroy it */
session_destroy();
$scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
$scriptElms = count($scriptName);
$scriptName = $scriptName[$scriptElms-1];
if (isAjax())
return false;
/* redirect to page the user is on, it'll prompt them to login again */
header("Location: {$scriptName}");
return false;
}
return true;
}
/* Authenticate user - exit if failed */ /* Authenticate user - exit if failed */
if (!session_auth()) { if (!session_auth()) {
display_login_form(); display_login_form();
......
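Review bot: `session_regenerate_id()` in the successful-login branch leaves the pre-authentication session data in place because the old id is not deleted; `session_regenerate_id(true);` removes it so the id presented before login cannot be resumed. In the logout branch `if ($_SESSION['Logout'])` is evaluated when the user arrives via `?logout` without a timeout having set that key, which raises a notice; `if (!empty($_SESSION['Logout']))` fits the isset cleanups this commit targets. The login branch retries `authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])` without `$authcfg` whenever the configured backend rejects the credentials, presumably against the local user database, so a user refused by that backend is still tried locally; if that is intended, a one-line comment saying so would stop a later reader from treating it as a bug. session_auth is moved here verbatim from auth.inc, so these points predate the commit but now live in this file.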
...@@ -29,6 +29,25 @@ ...@@ -29,6 +29,25 @@
require_once("xmlrpc.inc"); require_once("xmlrpc.inc");
require_once("auth.inc"); require_once("auth.inc");
/**
* do a basic authentication, uses $_SERVER['HTTP_AUTHORIZATION'] to validate user.
* @param $http_auth_header http_authorization header content
* @return bool
*/
function http_basic_auth($http_auth_header)
{
$tags=explode(" ", $http_auth_header) ;
if (count($tags) >= 2) {
$userinfo= explode(":", base64_decode($tags[1])) ;
if (count($userinfo)>=2) {
return authenticate_user($userinfo[0], $userinfo[1]);
}
}
// not authenticated
return false;
}
/** /**
* Simple XML-RPC server using IXR_Library * Simple XML-RPC server using IXR_Library
......
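Review bot: `explode(":", base64_decode($tags[1]))` splits on every colon, so a password containing ':' loses everything after its first colon and the login fails even though the Basic scheme allows colons in the password; `$userinfo = explode(":", base64_decode($tags[1], true), 2);` keeps the split at the first colon only, and strict decoding makes malformed input fall through to the `return false` path since `explode` on `false` yields a single element. The scheme token `$tags[0]` is never inspected, so any two-token Authorization value is decoded as if it were Basic; `if (count($tags) >= 2 && strcasecmp($tags[0], 'Basic') === 0) {` narrows it. The docblock says the function uses `$_SERVER['HTTP_AUTHORIZATION']`, but the value is passed in as `$http_auth_header`; `@param string $http_auth_header raw Authorization header value, e.g. 'Basic <base64 user:pass>'` describes the actual contract.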