mirror of
https://bitbucket.org/jsuto/piler.git
synced 2024-12-26 04:50:11 +01:00
revised auth procedure to support 4eyes auth
This commit is contained in:
SJ
parent
c1e525b931
commit
bc8d264778
@ -37,13 +37,25 @@ class ControllerLoginGA extends Controller {
|
|||||||
|
|
||||||
$GA = new PHPGangsta_GoogleAuthenticator();
|
$GA = new PHPGangsta_GoogleAuthenticator();
|
||||||
|
|
||||||
$settings = $this->model_user_prefs->get_ga_settings($session->get('username'));
|
$data = $session->get("auth_data");
|
||||||
|
|
||||||
|
if(!isset($data['username'])) {
|
||||||
|
header("Location: " . SITE_URL . "/login.php");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
$settings = $this->model_user_prefs->get_ga_settings($data['username']);
|
||||||
|
|
||||||
if(strlen($this->request->post['ga_code']) > 5 && $GA->verifyCode($settings['ga_secret'], $this->request->post['ga_code'], 2)) {
|
if(strlen($this->request->post['ga_code']) > 5 && $GA->verifyCode($settings['ga_secret'], $this->request->post['ga_code'], 2)) {
|
||||||
|
|
||||||
|
syslog(LOG_INFO, "GA auth successful for " . $data['username']);
|
||||||
|
|
||||||
$session->set("ga_block", "");
|
$session->set("ga_block", "");
|
||||||
|
|
||||||
$this->model_user_prefs->get_user_preferences($session->get('username'));
|
$this->model_user_auth->apply_user_auth_session($data);
|
||||||
|
$session->remove("auth_data");
|
||||||
|
|
||||||
|
$this->model_user_prefs->get_user_preferences($session->get($data['username']));
|
||||||
|
|
||||||
if(ENABLE_SAAS == 1) {
|
if(ENABLE_SAAS == 1) {
|
||||||
$this->model_saas_customer->online($session->get('email'));
|
$this->model_saas_customer->online($session->get('email'));
|
||||||
|
|||||||
@ -48,6 +48,10 @@ class ControllerLoginLogin extends Controller {
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
$data = $session->get("auth_data");
|
||||||
|
$this->model_user_auth->apply_user_auth_session($data);
|
||||||
|
$session->remove("auth_data");
|
||||||
|
|
||||||
$this->model_user_prefs->get_user_preferences($session->get('username'));
|
$this->model_user_prefs->get_user_preferences($session->get('username'));
|
||||||
|
|
||||||
if(ENABLE_SAAS == 1) {
|
if(ENABLE_SAAS == 1) {
|
||||||
|
|||||||
@ -2,20 +2,55 @@
|
|||||||
|
|
||||||
class ModelUserAuth extends Model {
|
class ModelUserAuth extends Model {
|
||||||
|
|
||||||
|
public function apply_user_auth_session($data = array()) {
|
||||||
|
$session = Registry::get('session');
|
||||||
|
|
||||||
|
$session->set("username", $data['username']);
|
||||||
|
$session->set("uid", $data['uid']);
|
||||||
|
$session->set("admin_user", $data['admin_user']);
|
||||||
|
$session->set("email", $data['username']);
|
||||||
|
$session->set("domain", $data['domain']);
|
||||||
|
$session->set("realname", $data['realname']);
|
||||||
|
|
||||||
|
$session->set("auditdomains", $data['auditdomains']);
|
||||||
|
$session->set("emails", $data['emails']);
|
||||||
|
|
||||||
|
$session->set("folders", $data['folders']);
|
||||||
|
$session->set("extra_folders", $data['extra_folders']);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public function checkLogin($username = '', $password = '') {
|
public function checkLogin($username = '', $password = '') {
|
||||||
$session = Registry::get('session');
|
$session = Registry::get('session');
|
||||||
$ok = 0;
|
$ok = 0;
|
||||||
|
|
||||||
|
$data = array();
|
||||||
|
|
||||||
|
$data['username'] = '';
|
||||||
|
$data['uid'] = -1;
|
||||||
|
$data['admin_user'] = 0;
|
||||||
|
$data['email'] = '';
|
||||||
|
$data['domain'] = '';
|
||||||
|
$data['realname'] = '';
|
||||||
|
$data['auditdomains'] = array();
|
||||||
|
$data['emails'] = array();
|
||||||
|
$data['folders'] = array();
|
||||||
|
$data['extra_folders'] = array();
|
||||||
|
|
||||||
if($username == '' || $password == '') { return 0; }
|
if($username == '' || $password == '') { return 0; }
|
||||||
|
|
||||||
if(ENABLE_LDAP_AUTH == 1) {
|
if(ENABLE_LDAP_AUTH == 1) {
|
||||||
$ok = $this->checkLoginAgainstLDAP($username, $password);
|
$ok = $this->checkLoginAgainstLDAP($username, $password, $data);
|
||||||
if($ok == 1) { return $ok; }
|
if($ok == 1) { return $ok; }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TODO: test the CUSTOM_EMAIL_QUERY_FUNCTION feature!
|
||||||
|
*/
|
||||||
|
|
||||||
if(ENABLE_IMAP_AUTH == 1) {
|
if(ENABLE_IMAP_AUTH == 1) {
|
||||||
require 'Zend/Mail/Protocol/Imap.php';
|
require 'Zend/Mail/Protocol/Imap.php';
|
||||||
$ok = $this->checkLoginAgainstIMAP($username, $password);
|
$ok = $this->checkLoginAgainstIMAP($username, $password, $data);
|
||||||
|
|
||||||
if($ok == 1) {
|
if($ok == 1) {
|
||||||
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
||||||
@ -28,7 +63,7 @@ class ModelUserAuth extends Model {
|
|||||||
|
|
||||||
if(ENABLE_POP3_AUTH == 1) {
|
if(ENABLE_POP3_AUTH == 1) {
|
||||||
require 'Zend/Mail/Protocol/Pop3.php';
|
require 'Zend/Mail/Protocol/Pop3.php';
|
||||||
$ok = $this->checkLoginAgainstPOP3($username, $password);
|
$ok = $this->checkLoginAgainstPOP3($username, $password, $data);
|
||||||
|
|
||||||
if($ok == 1) {
|
if($ok == 1) {
|
||||||
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
||||||
@ -56,32 +91,30 @@ class ModelUserAuth extends Model {
|
|||||||
AUDIT(ACTION_LOGIN_FAILED, $username, '', '', 'failed auth against user table');
|
AUDIT(ACTION_LOGIN_FAILED, $username, '', '', 'failed auth against user table');
|
||||||
}
|
}
|
||||||
|
|
||||||
if($ok == 0 && strlen($query->row['dn']) > 3) {
|
|
||||||
$ok = $this->checkLoginAgainstFallbackLDAP($query->row, $password);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
if($ok == 1) {
|
if($ok == 1) {
|
||||||
$session->set("username", $username);
|
$data['username'] = $username;
|
||||||
$session->set("uid", $query->row['uid']);
|
$data['uid'] = $query->row['uid'];
|
||||||
$session->set("admin_user", $query->row['isadmin']);
|
$data['admin_user'] = $query->row['isadmin'];
|
||||||
$session->set("email", $username);
|
$data['email'] = $username;
|
||||||
$session->set("domain", $query->row['domain']);
|
$data['domain'] = $query->row['domain'];
|
||||||
$session->set("realname", $query->row['realname']);
|
$data['realname'] = $query->row['realname'];
|
||||||
|
|
||||||
$session->set("auditdomains", $this->model_user_user->get_users_all_domains($query->row['uid']));
|
$data['auditdomains'] = $this->model_user_user->get_users_all_domains($query->row['uid']);
|
||||||
|
|
||||||
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
if(CUSTOM_EMAIL_QUERY_FUNCTION && function_exists(CUSTOM_EMAIL_QUERY_FUNCTION)) {
|
||||||
call_user_func(CUSTOM_EMAIL_QUERY_FUNCTION, $username);
|
call_user_func(CUSTOM_EMAIL_QUERY_FUNCTION, $username);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$session->set("emails", $this->model_user_user->get_users_all_email_addresses($query->row['uid']));
|
$data['emails'] = $this->model_user_user->get_users_all_email_addresses($query->row['uid']);
|
||||||
}
|
}
|
||||||
|
|
||||||
$session->set("folders", $this->model_folder_folder->get_all_folder_ids($query->row['uid']));
|
$data['folders'] = $this->model_folder_folder->get_all_folder_ids($query->row['uid']);
|
||||||
$session->set("extra_folders", $this->model_folder_folder->get_all_extra_folder_ids($query->row['uid']));
|
$data['extra_folders'] = $this->model_folder_folder->get_all_extra_folder_ids($query->row['uid']);
|
||||||
|
|
||||||
$this->is_ga_code_needed();
|
$session->set("auth_data", $data);
|
||||||
|
|
||||||
|
$this->is_ga_code_needed($username);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
@ -90,14 +123,14 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function checkLoginAgainstLDAP($username = '', $password = '') {
|
private function checkLoginAgainstLDAP($username = '', $password = '', $data = array()) {
|
||||||
$a = array();
|
$a = array();
|
||||||
$ret = 0;
|
$ret = 0;
|
||||||
|
|
||||||
if(ENABLE_SAAS == 1) {
|
if(ENABLE_SAAS == 1) {
|
||||||
$params = $this->model_saas_ldap->get_ldap_params_by_email($username);
|
$params = $this->model_saas_ldap->get_ldap_params_by_email($username);
|
||||||
foreach($params as $param) {
|
foreach($params as $param) {
|
||||||
$ret = $this->checkLoginAgainstLDAP_real($username, $password, $param);
|
$ret = $this->checkLoginAgainstLDAP_real($username, $password, $data, $param);
|
||||||
|
|
||||||
syslog(LOG_INFO, "ldap auth result against " . $param['ldap_host'] . " / " . $param['ldap_type'] . ": $ret");
|
syslog(LOG_INFO, "ldap auth result against " . $param['ldap_host'] . " / " . $param['ldap_type'] . ": $ret");
|
||||||
|
|
||||||
@ -105,14 +138,14 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$ret = $this->checkLoginAgainstLDAP_real($username, $password);
|
$ret = $this->checkLoginAgainstLDAP_real($username, $password, $data);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $ret;
|
return $ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function checkLoginAgainstLDAP_real($username = '', $password = '', $a = array()) {
|
private function checkLoginAgainstLDAP_real($username = '', $password = '', $data = array(), $a = array()) {
|
||||||
|
|
||||||
$ldap_type = '';
|
$ldap_type = '';
|
||||||
$ldap_host = LDAP_HOST;
|
$ldap_host = LDAP_HOST;
|
||||||
@ -176,7 +209,9 @@ class ModelUserAuth extends Model {
|
|||||||
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
||||||
$emails = array_merge($emails, $extra_emails);
|
$emails = array_merge($emails, $extra_emails);
|
||||||
|
|
||||||
$this->add_session_vars($a['cn'], $username, $emails, $role);
|
$data = $this->fix_user_data($a['cn'], $username, $emails, $role);
|
||||||
|
|
||||||
|
$session->set("auth_data", $data);
|
||||||
|
|
||||||
AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
|
AUDIT(ACTION_LOGIN, $username, '', '', 'successful auth against LDAP');
|
||||||
|
|
||||||
@ -264,10 +299,19 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function add_session_vars($name = '', $email = '', $emails = array(), $role = 0) {
|
private function fix_user_data($name = '', $email = '', $emails = array(), $role = 0) {
|
||||||
$session = Registry::get('session');
|
$data = array();
|
||||||
|
|
||||||
$a = explode("@", $email);
|
$data['username'] = $email;
|
||||||
|
$data['uid'] = -1;
|
||||||
|
$data['admin_user'] = $role;
|
||||||
|
$data['email'] = $email;
|
||||||
|
$data['domain'] = '';
|
||||||
|
$data['realname'] = $name;
|
||||||
|
$data['auditdomains'] = $this->model_domain_domain->get_your_all_domains_by_email($email);
|
||||||
|
$data['emails'] = $emails;
|
||||||
|
$data['folders'] = array();
|
||||||
|
$data['extra_folders'] = array();
|
||||||
|
|
||||||
$uid = $this->model_user_user->get_uid_by_email($email);
|
$uid = $this->model_user_user->get_uid_by_email($email);
|
||||||
if($uid < 1) {
|
if($uid < 1) {
|
||||||
@ -275,54 +319,16 @@ class ModelUserAuth extends Model {
|
|||||||
$query = $this->db->query("INSERT INTO " . TABLE_EMAIL . " (uid, email) VALUES(?,?)", array($uid, $email));
|
$query = $this->db->query("INSERT INTO " . TABLE_EMAIL . " (uid, email) VALUES(?,?)", array($uid, $email));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$data['uid'] = $uid;
|
||||||
|
|
||||||
$session->set("username", $email);
|
$a = explode("@", $email);
|
||||||
$session->set("uid", $uid);
|
$data['domain'] = $a[1];
|
||||||
|
|
||||||
if($role > 0) {
|
return $data;
|
||||||
$session->set("admin_user", $role);
|
|
||||||
} else {
|
|
||||||
$session->set("admin_user", 0);
|
|
||||||
}
|
|
||||||
|
|
||||||
$session->set("email", $email);
|
|
||||||
$session->set("domain", $a[1]);
|
|
||||||
$session->set("realname", $name);
|
|
||||||
|
|
||||||
$session->set("auditdomains", $this->model_domain_domain->get_your_all_domains_by_email($email));
|
|
||||||
$session->set("emails", $emails);
|
|
||||||
$session->set("folders", array());
|
|
||||||
$session->set("extra_folders", array());
|
|
||||||
|
|
||||||
$this->is_ga_code_needed();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function checkLoginAgainstFallbackLDAP($user = array(), $password = '') {
|
private function checkLoginAgainstIMAP($username = '', $password = '', $data = array()) {
|
||||||
if($password == '' || !isset($user['username']) || !isset($user['domain']) || !isset($user['dn']) || strlen($user['domain']) < 2){ return 0; }
|
|
||||||
|
|
||||||
$query = $this->db->query("SELECT remotehost, basedn FROM " . TABLE_REMOTE . " WHERE remotedomain=?", array($user['domain']));
|
|
||||||
|
|
||||||
if($query->num_rows != 1) { return 0; }
|
|
||||||
|
|
||||||
$ldap = new LDAP($query->row['remotehost'], $user['dn'], $password);
|
|
||||||
|
|
||||||
if($ldap->is_bind_ok()) {
|
|
||||||
$this->change_password($user['username'], $password);
|
|
||||||
|
|
||||||
AUDIT(ACTION_LOGIN, $user['username'], '', '', 'changed password in local table');
|
|
||||||
|
|
||||||
return 1;
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
AUDIT(ACTION_LOGIN_FAILED, $user['username'], '', '', 'failed bind to ' . $query->row['remotehost'], $user['dn']);
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
private function checkLoginAgainstIMAP($username = '', $password = '') {
|
|
||||||
$session = Registry::get('session');
|
$session = Registry::get('session');
|
||||||
$emails = array($username);
|
$emails = array($username);
|
||||||
|
|
||||||
@ -342,7 +348,14 @@ class ModelUserAuth extends Model {
|
|||||||
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
||||||
$emails = array_merge($emails, $extra_emails);
|
$emails = array_merge($emails, $extra_emails);
|
||||||
|
|
||||||
$this->add_session_vars($username, $username, $emails, 0);
|
$data['username'] = $username;
|
||||||
|
$data['email'] = $username;
|
||||||
|
$data['emails'] = $emails;
|
||||||
|
$data['role'] = 0;
|
||||||
|
|
||||||
|
$data = $this->fix_user_data($username, $username, $emails, 0);
|
||||||
|
|
||||||
|
$session->set("auth_data", $data);
|
||||||
|
|
||||||
$session->set("password", $password);
|
$session->set("password", $password);
|
||||||
|
|
||||||
@ -353,7 +366,7 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function checkLoginAgainstPOP3($username = '', $password = '') {
|
private function checkLoginAgainstPOP3($username = '', $password = '', $data = array()) {
|
||||||
$rc = 0;
|
$rc = 0;
|
||||||
$emails = array($username);
|
$emails = array($username);
|
||||||
|
|
||||||
@ -371,7 +384,11 @@ class ModelUserAuth extends Model {
|
|||||||
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
$extra_emails = $this->model_user_user->get_email_addresses_from_groups($emails);
|
||||||
$emails = array_merge($emails, $extra_emails);
|
$emails = array_merge($emails, $extra_emails);
|
||||||
|
|
||||||
$this->add_session_vars($username, $username, $emails, 0);
|
$data = $this->fix_user_data($username, $username, $emails, 0);
|
||||||
|
|
||||||
|
$session = Registry::get('session');
|
||||||
|
$session->set("auth_data", $data);
|
||||||
|
|
||||||
$rc = 1;
|
$rc = 1;
|
||||||
}
|
}
|
||||||
catch (Zend_Mail_Protocol_Exception $e) {}
|
catch (Zend_Mail_Protocol_Exception $e) {}
|
||||||
@ -432,7 +449,8 @@ class ModelUserAuth extends Model {
|
|||||||
if($this->check_ldap_membership($ldap_auditor_member_dn, $query->rows) == 1) { $role = 2; }
|
if($this->check_ldap_membership($ldap_auditor_member_dn, $query->rows) == 1) { $role = 2; }
|
||||||
if($this->check_ldap_membership($ldap_admin_member_dn, $query->rows) == 1) { $role = 1; }
|
if($this->check_ldap_membership($ldap_admin_member_dn, $query->rows) == 1) { $role = 1; }
|
||||||
|
|
||||||
$this->add_session_vars($a['cn'], $username, $emails, $role);
|
$data = $this->fix_user_data($a['cn'], $username, $emails, $role);
|
||||||
|
$this->apply_user_auth_session($data);
|
||||||
|
|
||||||
$this->model_user_prefs->get_user_preferences($username);
|
$this->model_user_prefs->get_user_preferences($username);
|
||||||
|
|
||||||
@ -465,10 +483,10 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private function is_ga_code_needed() {
|
private function is_ga_code_needed($username = '') {
|
||||||
$session = Registry::get('session');
|
$session = Registry::get('session');
|
||||||
|
|
||||||
$query = $this->db->query("SELECT ga_enabled FROM " . TABLE_USER_SETTINGS . " WHERE username=?", array($session->get("username")));
|
$query = $this->db->query("SELECT ga_enabled FROM " . TABLE_USER_SETTINGS . " WHERE username=?", array($username));
|
||||||
|
|
||||||
if(isset($query->row['ga_enabled']) && $query->row['ga_enabled'] == 1) {
|
if(isset($query->row['ga_enabled']) && $query->row['ga_enabled'] == 1) {
|
||||||
$session->set("ga_block", 1);
|
$session->set("ga_block", 1);
|
||||||
@ -476,6 +494,16 @@ class ModelUserAuth extends Model {
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public function is_four_eye_auth_needed() {
|
||||||
|
$session = Registry::get('session');
|
||||||
|
|
||||||
|
if(1 == FOUR_EYES_LOGIN_FOR_AUDITOR && 2 == $session->get("admin_user")) {
|
||||||
|
$session->set("four_eyes", 1);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
public function change_password($username = '', $password = '') {
|
public function change_password($username = '', $password = '') {
|
||||||
if($username == "" || $password == ""){ return 0; }
|
if($username == "" || $password == ""){ return 0; }
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user