From bc8d264778480b2ca2340d32c67401956351f534 Mon Sep 17 00:00:00 2001
From: SJ
Date: Thu, 19 Feb 2015 15:17:20 +0100
Subject: [PATCH] revised auth procedure to support 4eyes auth
---
 webui/controller/login/ga.php | 16 ++-
 webui/controller/login/login.php | 4 +
 webui/model/user/auth.php | 178 ++++++++++++++++++-------------
 3 files changed, 121 insertions(+), 77 deletions(-)
diff --git a/webui/controller/login/ga.php b/webui/controller/login/ga.php
index d51cd254..e7812a3b 100644
--- a/webui/controller/login/ga.php
+++ b/webui/controller/login/ga.php
@@ -37,13 +37,25 @@ class ControllerLoginGA extends Controller {
 $GA = new PHPGangsta_GoogleAuthenticator();
- $settings = $this->model_user_prefs->get_ga_settings($session->get('username'));
+ $data = $session->get("auth_data");
+
+ if(!isset($data['username'])) {
+ header("Location: " . SITE_URL . "/login.php");
+ exit;
+ }
+
+ $settings = $this->model_user_prefs->get_ga_settings($data['username']);
 if(strlen($this->request->post['ga_code']) > 5 && $GA->verifyCode($settings['ga_secret'], $this->request->post['ga_code'], 2)) {
+ syslog(LOG_INFO, "GA auth successful for " . $data['username']);
+ $session->set("ga_block", "");
- $this->model_user_prefs->get_user_preferences($session->get('username'));
+ $this->model_user_auth->apply_user_auth_session($data);
+ $session->remove("auth_data");
+
+ $this->model_user_prefs->get_user_preferences($session->get($data['username']));
 if(ENABLE_SAAS == 1) {
 $this->model_saas_customer->online($session->get('email'));
diff --git a/webui/controller/login/login.php b/webui/controller/login/login.php
index 43d0b5e0..620427ef 100644
--- a/webui/controller/login/login.php
+++ b/webui/controller/login/login.php
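Review bot: The last added line passes `$session->get($data['username'])` to get_user_preferences, which looks up a session key named after the user and therefore hands the call null (or whatever such a key happens to hold) rather than the username; it should read `$this->model_user_prefs->get_user_preferences($data['username']);`. The `auth_data` record is read and removed only on the success branch, so a user who abandons the GA step leaves the pre-authentication record in the session until it expires; clearing it on the failure branch, which lies outside this hunk, would keep the session state minimal. The enclosing method starts before and ends after the hunk.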
@@ -48,6 +48,10 @@ class ControllerLoginLogin extends Controller {
 exit;
 } else {
+ $data = $session->get("auth_data");
+ $this->model_user_auth->apply_user_auth_session($data);
+ $session->remove("auth_data");
+
 $this->model_user_prefs->get_user_preferences($session->get('username'));
 if(ENABLE_SAAS == 1) {
diff --git a/webui/model/user/auth.php b/webui/model/user/auth.php
index 613977c2..bdebae00 100644
--- a/webui/model/user/auth.php
+++ b/webui/model/user/auth.php
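Review bot: The added lines apply `auth_data` without checking that it is present, whereas the matching code in ga.php guards with `if(!isset($data['username']))` and redirects; with a missing or stale entry apply_user_auth_session would populate the session from undefined array offsets. Add the same guard before the apply call, `if(!isset($data['username'])) { header("Location: " . SITE_URL . "/login.php"); exit; }`, or have the model method reject incomplete data. Nothing in this branch calls the new is_four_eye_auth_needed() added in auth.php, so as far as the diff shows the four-eyes flag is never evaluated on the plain-login path; if that is intended for a later commit the description should say so. The enclosing method starts before and ends after the hunk.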
@@ -2,20 +2,55 @@ class ModelUserAuth extends Model {
+ public function apply_user_auth_session($data = array()) {
+ $session = Registry::get('session');
+
+ $session->set("username", $data['username']);
+ $session->set("uid", $data['uid']);
+ $session->set("admin_user", $data['admin_user']);
+ $session->set("email", $data['username']);
+ $session->set("domain", $data['domain']);
+ $session->set("realname", $data['realname']);
+
+ $session->set("auditdomains", $data['auditdomains']);
+ $session->set("emails", $data['emails']);
+
+ $session->set("folders", $data['folders']);
+ $session->set("extra_folders", $data['extra_folders']);
+ }
+
+
 public function checkLogin($username = '', $password = '') {
 $session = Registry::get('session');
 $ok = 0;
+ $data = array();
+
+ $data['username'] = '';
+ $data['uid'] = -1;
+ $data['admin_user'] = 0;
+ $data['email'] = '';
+ $data['domain'] = '';
+ $data['realname'] = '';
+ $data['auditdomains'] = array();
+ $data['emails'] = array();
+ $data['folders'] = array();
+ $data['extra_folders'] = array();
+
 if($username == '' || $password == '') { return 0; }
 if(ENABLE_LDAP_AUTH == 1) {
- $ok = $this->checkLoginAgainstLDAP($username, $password);
+ $ok = $this->checkLoginAgainstLDAP($username, $password, $data);
 if($ok == 1) { return $ok; }
 }
+/*
+ * TODO: test the CUSTOM_EMAIL_QUERY_FUNCTION feature!
+ */
+
 if(ENABLE_IMAP_AUTH == 1) {
 require 'Zend/Mail/Protocol/Imap.php';
- $ok = $this->checkLoginAgainstIMAP($username, $password);
+ $ok = $this->checkLoginAgainstIMAP($username, $password, $data);
 if($ok == 1) {
 if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
@@ -28,7 +63,7 @@ class ModelUserAuth extends Model {
 if(ENABLE_POP3_AUTH == 1) {
 require 'Zend/Mail/Protocol/Pop3.php';
- $ok = $this->checkLoginAgainstPOP3($username, $password);
+ $ok = $this->checkLoginAgainstPOP3($username, $password, $data);
 if($ok == 1) {
 if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
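Review bot: In apply_user_auth_session the `email` session entry is filled from `$data['username']` although every producer in this patch also sets `$data['email']`; use `$session->set("email", $data['email']);` so the record's own field is honoured, or drop the unused key from the record. The `$data` argument added to the checkLoginAgainstLDAP/IMAP calls here and to the POP3 call in the next hunk is passed by value and checkLogin never reads it back — each callee stores its own `auth_data` in the session — so the parameter carries nothing and the skeleton initialised above is only used by the user-table branch; either pass it by reference or drop it from the three signatures. The new method also dereferences `$data['username']` and the other keys without checking the array, so a caller handing it an empty or stale session entry fills the session with nulls; a guard such as `if(!isset($data['username'])) { return; }` at the top would make the contract explicit. checkLogin continues past the hunk.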
@@ -56,32 +91,30 @@ class ModelUserAuth extends Model {
 AUDIT(ACTION_LOGIN_FAILED, $username, '', '', 'failed auth against user table');
 }
- if($ok == 0 && strlen($query->row['dn']) > 3) {
- $ok = $this->checkLoginAgainstFallbackLDAP($query->row, $password);
- }
-
 if($ok == 1) {
- $session->set("username", $username);
- $session->set("uid", $query->row['uid']);
- $session->set("admin_user", $query->row['isadmin']);
- $session->set("email", $username);
- $session->set("domain", $query->row['domain']);
- $session->set("realname", $query->row['realname']);
+ $data['username'] = $username;
+ $data['uid'] = $query->row['uid'];
+ $data['admin_user'] = $query->row['isadmin'];
+ $data['email'] = $username;
+ $data['domain'] = $query->row['domain'];
+ $data['realname'] = $query->row['realname'];
- $session->set("auditdomains", $this->model_user_user->get_users_all_domains($query->row['uid']));
+ $data['auditdomains'] = $this->model_user_user->get_users_all_domains($query->row['uid']);
 if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
 call_user_func(CUSTOM_EMAIL_QUERY_FUNCTION, $username);
 } else {
- $session->set("emails", $this->model_user_user->get_users_all_email_addresses($query->row['uid']));
+ $data['emails'] = $this->model_user_user->get_users_all_email_addresses($query->row['uid']);
 }
- $session->set("folders", $this->model_folder_folder->get_all_folder_ids($query->row['uid']));
- $session->set("extra_folders", $this->model_folder_folder->get_all_extra_folder_ids($query->row['uid']));
+ $data['folders'] = $this->model_folder_folder->get_all_folder_ids($query->row['uid']);
+ $data['extra_folders'] = $this->model_folder_folder->get_all_extra_folder_ids($query->row['uid']);
- $this->is_ga_code_needed();
+ $session->set("auth_data", $data);
+
+ $this->is_ga_code_needed($username);
 return 1;
 }
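Review bot: When CUSTOM_EMAIL_QUERY_FUNCTION is configured, `$data['emails']` keeps the empty array initialised at the top of checkLogin and apply_user_auth_session later writes that empty array into the session's `emails`; if the custom function sets the session's emails directly, as the replaced else branch did, its result is now overwritten after the GA step, which may be what the TODO added in the first hunk is about. Read the result back into the record after the call, e.g. `$data['emails'] = $session->get("emails");`, or have the custom function return the list and assign it. A short comment above `$session->set("auth_data", $data);` saying that the session's `username` is deliberately left unset until the GA (and four-eyes) step has passed would explain to the next reader why the record is parked rather than applied. checkLogin starts before and ends after this hunk.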
@@ -90,14 +123,14 @@ class ModelUserAuth extends Model {
 }
- private function checkLoginAgainstLDAP($username = '', $password = '') {
+ private function checkLoginAgainstLDAP($username = '', $password = '', $data = array()) {
 $a = array();
 $ret = 0;
 if(ENABLE_SAAS == 1) {
 $params = $this->model_saas_ldap->get_ldap_params_by_email($username);
 foreach($params as $param) {
- $ret = $this->checkLoginAgainstLDAP_real($username, $password, $param);
+ $ret = $this->checkLoginAgainstLDAP_real($username, $password, $data, $param);
 syslog(LOG_INFO, "ldap auth result against " . $param['ldap_host'] . " / " . $param['ldap_type'] . ": $ret");
@@ -105,14 +138,14 @@ class ModelUserAuth extends Model {
 }
 } else {
- $ret = $this->checkLoginAgainstLDAP_real($username, $password);
+ $ret = $this->checkLoginAgainstLDAP_real($username, $password, $data);
 }
 return $ret;
 }
- private function checkLoginAgainstLDAP_real($username = '', $password = '', $a = array()) {
+ private function checkLoginAgainstLDAP_real($username = '', $password = '', $data = array(), $a = array()) {
 $ldap_type = '';
 $ldap_host = LDAP_HOST;
@@ -176,7 +209,9 @@ class ModelUserAuth extends Model {
 $extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
 $emails = array_merge($emails, $extra_emails);
- $this->add_session_vars($a['cn'], $username, $emails, $role);
+ $data = $this->fix_user_data($a['cn'], $username, $emails, $role);
+
+ $session->set("auth_data", $data);
 AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
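Review bot: The LDAP success path in the last hunk now only stores `auth_data` and no longer triggers the Google Authenticator check: the removed add_session_vars ended with `$this->is_ga_code_needed()` (visible in the fix_user_data hunk further down), its replacement fix_user_data does not call it, and only the user-table branch of checkLogin calls `is_ga_code_needed($username)`. The same holds for the IMAP and POP3 success paths in the later hunks, so as far as the diff shows a user with ga_enabled who authenticates via LDAP, IMAP or POP3 is logged in without the second factor. Add `$this->is_ga_code_needed($username);` after each `$session->set("auth_data", $data);`, or move the call into fix_user_data where the old helper had it. `$session` is not assigned inside this hunk, so confirm checkLoginAgainstLDAP_real defines it earlier in the method, which starts before the hunk.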
@@ -264,10 +299,19 @@ class ModelUserAuth extends Model {
 }
- private function add_session_vars($name = '', $email = '', $emails = array(), $role = 0) {
- $session = Registry::get('session');
+ private function fix_user_data($name = '', $email = '', $emails = array(), $role = 0) {
+ $data = array();
- $a = explode("@", $email);
+ $data['username'] = $email;
+ $data['uid'] = -1;
+ $data['admin_user'] = $role;
+ $data['email'] = $email;
+ $data['domain'] = '';
+ $data['realname'] = $name;
+ $data['auditdomains'] = $this->model_domain_domain->get_your_all_domains_by_email($email);
+ $data['emails'] = $emails;
+ $data['folders'] = array();
+ $data['extra_folders'] = array();
 $uid = $this->model_user_user->get_uid_by_email($email);
 if($uid < 1) {
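Review bot: fix_user_data has no comment saying what it produces and its name does not tell either; a docblock such as `/* Build the auth_data record for a user authenticated against LDAP/IMAP/POP3: fills the defaults, creates the local uid if missing and returns the array apply_user_auth_session expects; writes nothing to the session. */` would carry the reader through the part of the body that continues past this hunk. The ten default assignments duplicate the skeleton that checkLogin builds in the first hunk; a small private helper returning the empty record, called from both places, would keep the two shapes from drifting apart. `$data['admin_user'] = $role;` also drops the old `$role > 0` normalisation, which is harmless for the 0, 1 and 2 the visible callers pass but worth a comment if other values were ever possible.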
@@ -275,54 +319,16 @@ class ModelUserAuth extends Model {
 $query = $this->db->query("INSERT INTO " . TABLE_EMAIL . " (uid, email) VALUES(?,?)", array($uid, $email));
 }
+ $data['uid'] = $uid;
- $session->set("username", $email);
- $session->set("uid", $uid);
+ $a = explode("@", $email);
+ $data['domain'] = $a[1];
- if($role > 0) {
- $session->set("admin_user", $role);
- } else {
- $session->set("admin_user", 0);
- }
-
- $session->set("email", $email);
- $session->set("domain", $a[1]);
- $session->set("realname", $name);
-
- $session->set("auditdomains", $this->model_domain_domain->get_your_all_domains_by_email($email));
- $session->set("emails", $emails);
- $session->set("folders", array());
- $session->set("extra_folders", array());
-
- $this->is_ga_code_needed();
+ return $data;
 }
- private function checkLoginAgainstFallbackLDAP($user = array(), $password = '') {
- if($password == '' || !isset($user['username']) || !isset($user['domain']) || !isset($user['dn']) || strlen($user['domain']) < 2){ return 0; }
-
- $query = $this->db->query("SELECT remotehost, basedn FROM " . TABLE_REMOTE . " WHERE remotedomain=?", array($user['domain']));
-
- if($query->num_rows != 1) { return 0; }
-
- $ldap = new LDAP($query->row['remotehost'], $user['dn'], $password);
-
- if($ldap->is_bind_ok()) {
- $this->change_password($user['username'], $password);
-
- AUDIT(ACTION_LOGIN, $user['username'], '', '', 'changed password in local table');
-
- return 1;
- }
- else {
- AUDIT(ACTION_LOGIN_FAILED, $user['username'], '', '', 'failed bind to ' . $query->row['remotehost'], $user['dn']);
- }
-
- return 0;
- }
-
-
- private function checkLoginAgainstIMAP($username = '', $password = '') {
+ private function checkLoginAgainstIMAP($username = '', $password = '', $data = array()) {
 $session = Registry::get('session');
 $emails = array($username);
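Review bot: `$data['domain'] = $a[1];` assumes `$email` contains an `@`; the old code made the same assumption, but now the value is parked in a stored `auth_data` record, so a guard like `$data['domain'] = isset($a[1]) ? $a[1] : '';` keeps a cn-style LDAP username from raising a notice and leaving `domain` null. The deletion of checkLoginAgainstFallbackLDAP, together with the `if($ok == 0 && strlen($query->row['dn']) > 3)` call site removed in the checkLogin hunk, is a behaviour change the commit description does not mention; a sentence stating that the remote-LDAP password fallback is intentionally dropped would stop the next reader from treating it as an accident. fix_user_data starts before this hunk, and the IMAP method continues past it.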
@@ -342,7 +348,14 @@ class ModelUserAuth extends Model {
 $extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
 $emails = array_merge($emails, $extra_emails);
- $this->add_session_vars($username, $username, $emails, 0);
+ $data['username'] = $username;
+ $data['email'] = $username;
+ $data['emails'] = $emails;
+ $data['role'] = 0;
+
+ $data = $this->fix_user_data($username, $username, $emails, 0);
+
+ $session->set("auth_data", $data);
 $session->set("password", $password);
@@ -353,7 +366,7 @@ class ModelUserAuth extends Model {
 }
- private function checkLoginAgainstPOP3($username = '', $password = '') {
+ private function checkLoginAgainstPOP3($username = '', $password = '', $data = array()) {
 $rc = 0;
 $emails = array($username);
@@ -371,7 +384,11 @@ class ModelUserAuth extends Model {
 $extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
 $emails = array_merge($emails, $extra_emails);
- $this->add_session_vars($username, $username, $emails, 0);
+ $data = $this->fix_user_data($username, $username, $emails, 0);
+
+ $session = Registry::get('session');
+ $session->set("auth_data", $data);
+
 $rc = 1;
 } catch (Zend_Mail_Protocol_Exception $e) {}
@@ -432,7 +449,8 @@ class ModelUserAuth extends Model {
 if($this->check_ldap_membership($ldap_auditor_member_dn, $query->rows) == 1) { $role = 2; }
 if($this->check_ldap_membership($ldap_admin_member_dn, $query->rows) == 1) { $role = 1; }
- $this->add_session_vars($a['cn'], $username, $emails, $role);
+ $data = $this->fix_user_data($a['cn'], $username, $emails, $role);
+ $this->apply_user_auth_session($data);
 $this->model_user_prefs->get_user_preferences($username);
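Review bot: In the IMAP hunk the four assignments from `$data['username'] = $username;` to `$data['role'] = 0;` are dead: `$data` is reassigned from fix_user_data two lines later, and `role` is not a key the record uses (apply_user_auth_session reads `admin_user`). Delete those four lines and the blank after them so the hunk reads like the POP3 one below. In the POP3 hunk `$session` is fetched from the Registry inside the try block; if the method already has a `$session` local above the hunk, reuse it, otherwise the fetch is fine but belongs at the top of the method next to `$rc = 0;`. In the last hunk the LDAP_real-style path applies the record immediately rather than parking it in `auth_data`; a one-line comment stating why this path needs no GA/four-eyes step (it starts and ends outside the hunk) would make the asymmetry deliberate rather than puzzling.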
@@ -465,10 +483,10 @@ class ModelUserAuth extends Model {
 }
- private function is_ga_code_needed() {
+ private function is_ga_code_needed($username = '') {
 $session = Registry::get('session');
- $query = $this->db->query("SELECT ga_enabled FROM " . TABLE_USER_SETTINGS . " WHERE username=?", array($session->get("username")));
+ $query = $this->db->query("SELECT ga_enabled FROM " . TABLE_USER_SETTINGS . " WHERE username=?", array($username));
 if(isset($query->row['ga_enabled']) && $query->row['ga_enabled'] == 1) {
 $session->set("ga_block", 1);
@@ -476,6 +494,16 @@ class ModelUserAuth extends Model {
 }
+ public function is_four_eye_auth_needed() {
+ $session = Registry::get('session');
+
+ if(1 == FOUR_EYES_LOGIN_FOR_AUDITOR && 2 == $session->get("admin_user")) {
+ $session->set("four_eyes", 1);
+ }
+
+ }
+
+
 public function change_password($username = '', $password = '') {
 if($username == "" || $password == ""){ return 0; }
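Review bot: is_ga_code_needed now depends entirely on its `$username` argument yet keeps a default of `''`, so a caller that forgets the argument silently runs `WHERE username=''` and skips the GA gate instead of failing loudly; an early `if($username == '') { return; }` (or removing the default) would surface such a call. A one-line comment above the query saying the session's `username` is deliberately not consulted because it is not yet set while the login is parked in `auth_data` would explain the signature change to the next reader. The method continues past the hunk.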