FOSSology  3.2.0rc1
Open Source License Compliance by Open Source Software
core-auth.php
1 <?php
2 /***********************************************************
3  * Copyright (C) 2008-2013 Hewlett-Packard Development Company, L.P.
4  * Copyright (C) 2015 Siemens AG
5  * Copyright (C) 2020 Robert Bosch GmbH, Dineshkumar Devarajan <Devarajan.Dineshkumar@in.bosch.com>
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of the GNU General Public License
9  * version 2 as published by the Free Software Foundation.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License along
17  * with this program; if not, write to the Free Software Foundation, Inc.,
18  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
19  ***********************************************************/
20 
21 use Fossology\Lib\Auth\Auth;
22 use Fossology\Lib\Dao\UserDao;
23 use Fossology\Lib\Db\DbManager;
24 use Symfony\Component\HttpFoundation\Session\Session;
25 use Symfony\Component\HttpFoundation\RedirectResponse;
26 
27 define("TITLE_CORE_AUTH", _("Login"));
28 
29 class core_auth extends FO_Plugin
30 {
31  public static $origReferer;
33  private $dbManager;
35  private $userDao;
37  private $session;
39  private $authExternal;
40 
41  function __construct()
42  {
43  $this->Name = "auth";
44  $this->Title = TITLE_CORE_AUTH;
45  $this->PluginLevel = 1000; /* make this run first! */
46  $this->LoginFlag = 0;
47  parent::__construct();
48 
49  global $container;
50  $this->dbManager = $container->get("db.manager");
51  $this->userDao = $container->get('dao.user');
52  $this->session = $container->get('session');
53  $this->authExternal = auth_external_check();
54  }
55 
59  public function staticValue()
60  {
61  return self::$origReferer;
62  }
63 
71  function Install()
72  {
73  return $this->userDao->updateUserTable();
74  }
75 
80  function PostInitialize()
81  {
82  global $SysConf;
83 
84  /* if Site Minder enabled core-auth will be disabled*/
85  if (siteminder_check() != -1) {
86  return (0);
87  }
88 
89  if (!$this->session->isStarted()) {
90  $this->session->setName('Login');
91  $this->session->start();
92  }
93 
94  //--------- Authentification external connection for auto-login-----------
95  if ($this->authExternal !== false && $this->authExternal['useAuthExternal']) {
96  $this->checkUsernameAndPassword($this->authExternal['loginAuthExternal'], $this->authExternal['passwordAuthExternal']);
97  }
98 
99  if (array_key_exists('selectMemberGroup', $_POST)) {
100  $selectedGroupId = intval($_POST['selectMemberGroup']);
101  $this->userDao->setDefaultGroupMembership(intval($_SESSION[Auth::USER_ID]), $selectedGroupId);
102  $_SESSION[Auth::GROUP_ID] = $selectedGroupId;
103  $this->session->set(Auth::GROUP_ID, $selectedGroupId);
104  $SysConf['auth'][Auth::GROUP_ID] = $selectedGroupId;
105  }
106 
107  if (array_key_exists(Auth::USER_ID, $_SESSION)) {
108  $SysConf['auth'][Auth::USER_ID] = $_SESSION[Auth::USER_ID];
109  }
110  if (array_key_exists(Auth::GROUP_ID, $_SESSION)) {
111  $SysConf['auth'][Auth::GROUP_ID] = $_SESSION[Auth::GROUP_ID];
112  }
113 
114  $Now = time();
115  /* Logins older than 60 secs/min * 480 min = 8 hr are auto-logout */
116  if (!empty($_SESSION['time']) && @$_SESSION['time'] + (60 * 480) < $Now) {
117  $this->updateSession("");
118  }
119 
120  $_SESSION['time'] = $Now;
121  if (empty($_SESSION['ip'])) {
122  $_SESSION['ip'] = $this->getIP();
123  } else if ((@$_SESSION['checkip'] == 1) && (@$_SESSION['ip'] != $this->getIP())) {
124  /* Sessions are not transferable. */
125  $this->updateSession("");
126  $_SESSION['ip'] = $this->getIP();
127  }
128 
129  if (@$_SESSION[Auth::USER_NAME]) {
130  /* Recheck the user in case he is suddenly blocked or changed. */
131  if (empty($_SESSION['time_check'])) {
132  $_SESSION['time_check'] = time() + (480 * 60);
133  }
134  if (time() >= @$_SESSION['time_check']) {
135  $row = $this->userDao->getUserAndDefaultGroupByUserName(@$_SESSION[Auth::USER_NAME]);
136  /* Check for instant logouts */
137  if (empty($row['user_pass'])) {
138  $row = "";
139  }
140  $this->updateSession($row);
141  }
142  } else {
143  $this->updateSession("");
144  }
145 
146  /* Disable all plugins with >= level access */
147  plugin_disable($_SESSION[Auth::USER_LEVEL]);
148  $this->State = PLUGIN_STATE_READY;
149  } // GetIP()
150 
156  function updateSession($userRow)
157  {
158  global $SysConf;
159 
160  if (empty($userRow)) {
161  $userRow = $this->userDao->getUserAndDefaultGroupByUserName('Default User');
162  }
163 
164  $_SESSION[Auth::USER_ID] = $userRow['user_pk'];
165  $SysConf['auth'][Auth::USER_ID] = $userRow['user_pk'];
166  $this->session->set(Auth::USER_ID, $userRow['user_pk']);
167  $_SESSION[Auth::USER_NAME] = $userRow['user_name'];
168  $this->session->set(Auth::USER_NAME, $userRow['user_name']);
169  $_SESSION['Folder'] = $userRow['root_folder_fk'];
170  $_SESSION[Auth::USER_LEVEL] = $userRow['user_perm'];
171  $this->session->set(Auth::USER_LEVEL, $userRow['user_perm']);
172  $_SESSION['UserEmail'] = $userRow['user_email'];
173  $_SESSION['UserEnote'] = $userRow['email_notify'];
174  $_SESSION[Auth::GROUP_ID] = $userRow['group_fk'];
175  $SysConf['auth'][Auth::GROUP_ID] = $userRow['group_fk'];
176  $this->session->set(Auth::GROUP_ID, $userRow['group_fk']);
177  $_SESSION['GroupName'] = $userRow['group_name'];
178  }
179 
186  function getIP()
187  {
188  /* NOTE: This can be easily defeated wtih fake HTTP headers. */
189  $Vars = array('HTTP_CLIENT_IP', 'HTTP_X_COMING_FROM', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED');
190  foreach ($Vars as $V) {
191  if (!empty($_SERVER[$V])) {
192  return ($_SERVER[$V]);
193  }
194  }
195  return (@$_SERVER['REMOTE_ADDR']);
196  }
197 
201  public function Output()
202  {
203  $userName = GetParm("username", PARM_TEXT);
204  $password = GetParm("password", PARM_TEXT);
205  $timezone = GetParm("timezone", PARM_TEXT);
206  if (empty($timezone) || strpos($timezone,"Unknown") == true) {
207  $timezone = date_default_timezone_get();
208  }
209  $_SESSION['timezone'] = $timezone;
210  $referrer = GetParm("HTTP_REFERER", PARM_TEXT);
211  if (empty($referrer)) {
212  $referrer = GetArrayVal('HTTP_REFERER', $_SERVER);
213  }
214  $referrerQuery = parse_url($referrer,PHP_URL_QUERY);
215  if ($referrerQuery) {
216  $params = array();
217  parse_str($referrerQuery,$params);
218  if (array_key_exists('mod', $params) && $params['mod'] == $this->Name) {
219  $referrer = Traceback_uri();
220  }
221  }
222 
223  $validLogin = $this->checkUsernameAndPassword($userName, $password);
224  if ($validLogin) {
225  return new RedirectResponse($referrer);
226  }
227 
228  $initPluginId = plugin_find_id("init");
229  if ($initPluginId >= 0) {
230  global $Plugins;
231  $this->vars['info'] = $Plugins[$initPluginId]->infoFirstTimeUsage();
232  }
233 
234  if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != "off") {
235  $this->vars['protocol'] = "HTTPS";
236  } else {
237  $this->vars['protocol'] = preg_replace("@/.*@", "", @$_SERVER['SERVER_PROTOCOL']);
238  }
239 
240  $this->vars['referrer'] = $referrer;
241  $this->vars['loginFailure'] = !empty($userName) || !empty($password);
242  if (!empty($userName) && $userName!='Default User') {
243  $this->vars['userName'] = $userName;
244  }
245  return $this->render('login.html.twig',$this->vars);
246  }
247 
251  function OutputOpen()
252  {
253  if (array_key_exists('User', $_SESSION) && $_SESSION['User'] != "Default User") {
254  $this->updateSession("");
255  $Uri = Traceback_uri();
256  header("Location: $Uri");
257  exit;
258  }
259  parent::OutputOpen();
260  }
261 
267  function checkUsernameAndPassword($userName, $password)
268  {
269  $user_exists=true;
270  /* Check the user for external authentication */
271  if ($this->authExternal !== false && $this->authExternal['useAuthExternal']) {
272  $username = $this->authExternal['loginAuthExternal'];
273  /* checking if user exists */
274  try {
275  $this->userDao->getUserAndDefaultGroupByUserName($username);
276  } catch (Exception $e) {
277  $user_exists=false;
278  }
279  if (! $user_exists && $GLOBALS['SysConf']['EXT_AUTH']['CONF_EXT_AUTH_NEW_USER_AUTO_CREATE']) {
280  /* If user does not exist then we create it */
281  $User = trim(str_replace("'", "''", $this->authExternal['loginAuthExternal']));
282  $Pass = $this->authExternal['passwordAuthExternal'] ;
283  $Seed = rand() . rand();
284  $Hash = sha1($Seed . $Pass);
285  $Desc = $this->authExternal['descriptionAuthExternal'];
286  $Perm = 3;
287  $Folder = 1;
288  $Email_notify = "y";
289  $Email = $this->authExternal['emailAuthExternal'];
290  /* Set default list of agents when a new user is created */
291  $agentList = $GLOBALS['SysConf']['EXT_AUTH']['CONF_EXT_AUTH_NEW_USER_AGENT_LIST'];
292  add_user($User, $Desc, $Seed, $Hash, $Perm, $Email, $Email_notify, $agentList, $Folder);
293  }
294  }
295 
296  if (empty($userName) || $userName == 'Default User') {
297  return false;
298  }
299  try {
300  $row = $this->userDao->getUserAndDefaultGroupByUserName($userName);
301  } catch (Exception $e) {
302  return false;
303  }
304 
305  if (empty($row['user_name'])) {
306  return false;
307  }
308 
309  /* Check the password -- only if a password exists */
310  if (! empty($row['user_seed']) && ! empty($row['user_pass'])) {
311  $passwordHash = sha1($row['user_seed'] . $password);
312  if (strcmp($passwordHash, $row['user_pass']) != 0) {
313  return false;
314  }
315  } else if (! empty($row['user_seed'])) {
316  /* Seed with no password hash = no login */
317  return false;
318  } else if (!empty($password)) {
319  /* empty password required */
320  return false;
321  }
322 
323  /* If you make it here, then username and password were good! */
324  $this->updateSession($row);
325 
326  $_SESSION['time_check'] = time() + (480 * 60);
327  /* No specified permission means ALL permission */
328  if ("X" . $row['user_perm'] == "X") {
329  $_SESSION[Auth::USER_LEVEL] = PLUGIN_DB_ADMIN;
330  } else {
331  $_SESSION[Auth::USER_LEVEL] = $row['user_perm'];
332  }
333  $_SESSION['checkip'] = GetParm("checkip", PARM_STRING);
334  /* Check for the no-popup flag */
335  if (GetParm("nopopup", PARM_INTEGER) == 1) {
336  $_SESSION['NoPopup'] = 1;
337  } else {
338  $_SESSION['NoPopup'] = 0;
339  }
340  return true;
341  }
342 }
343 
344 $NewPlugin = new core_auth();
core_auth\PostInitialize
PostInitialize()
This is where the magic for Authentication happens.
Definition: core-auth.php:80
Traceback_uri
Traceback_uri()
Get the URI without query to this location.
Definition: common-parm.php:108
PARM_TEXT
const PARM_TEXT
Definition: common-parm.php:31
PLUGIN_DB_ADMIN
#define PLUGIN_DB_ADMIN
Plugin requires admin level permission on DB.
Definition: libfossology.h:51
core_auth\updateSession
updateSession($userRow)
Set $_SESSION and $SysConf user variables.
Definition: core-auth.php:156
add_user
add_user($User, $Desc, $Seed, $Hash, $Perm, $Email, $Email_notify, $agentList, $Folder, $default_bucketpool_fk='')
Add a user.
Definition: common-users.php:44
core_auth
Definition: core-auth.php:29
State
Definition: state.hpp:26
GetParm
GetParm($parameterName, $parameterType)
This function will retrieve the variables and check data types.
Definition: common-parm.php:57
PARM_STRING
const PARM_STRING
Definition: common-parm.php:29
core_auth\Output
Output()
This is only called when the user logs out.
Definition: core-auth.php:201
siteminder_check
siteminder_check()
Check if SiteMinder is enabled.
Definition: common-auth.php:33
core_auth\getIP
getIP()
Retrieve the user&#39;s IP address. Some proxy systems pass forwarded IP address info. This ensures that someone who steals the cookie won&#39;t gain access unless they come from the same IP.
Definition: core-auth.php:186
PARM_INTEGER
const PARM_INTEGER
Definition: common-parm.php:25
dbManager
fo_dbManager * dbManager
fo_dbManager object
Definition: process.c:28
FO_Plugin
This is the Plugin class. All plugins should:
Definition: FO_Plugin.php:67
core_auth\OutputOpen
OutputOpen()
perform logout
Definition: core-auth.php:251
core_auth\Install
Install()
Only used during installation. This may be called multiple times. Used to ensure the DB has the right...
Definition: core-auth.php:71
auth_external_check
auth_external_check()
Check if the external HTTP authentication is enabled. The mapping variables should be configured in f...
Definition: common-auth.php:50
GetArrayVal
GetArrayVal($Key, $Arr)
Get the value from a array(map)
Definition: common-ui.php:143
core_auth\checkUsernameAndPassword
checkUsernameAndPassword($userName, $password)
See if a username/password is valid.
Definition: core-auth.php:267
trim
char * trim(char *ptext)
Trimming whitespace.
Definition: fossconfig.c:695
core_auth\staticValue
staticValue()
getter to retreive value of static var
Definition: core-auth.php:59
FO_Plugin\render
render($templateName, $vars=null)
Definition: FO_Plugin.php:442