forked from Business/AccountHub
		
	
		
			
				
	
	
		
			412 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
			
		
		
	
	
			412 lines
		
	
	
		
			13 KiB
		
	
	
	
		
			PHP
		
	
	
	
	
	
| <?php
 | |
| 
 | |
| /**
 | |
|  * Authentication and account functions
 | |
|  */
 | |
| use Base32\Base32;
 | |
| use OTPHP\TOTP;
 | |
| use LdapTools\LdapManager;
 | |
| use LdapTools\Object\LdapObjectType;
 | |
| use LdapTools\Connection\ADResponseCodes;
 | |
| 
 | |
| $ldap = new LdapManager($ldap_config);
 | |
| 
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| //                           Account handling                                 //
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| 
 | |
| /**
 | |
|  * Add a user to the system.  /!\ Assumes input is OK /!\
 | |
|  * @param string $username Username, saved in lowercase.
 | |
|  * @param string $password Password, will be hashed before saving.
 | |
|  * @param string $realname User's real legal name
 | |
|  * @param string $email User's email address.
 | |
|  * @param string $phone1 Phone number #1
 | |
|  * @param string $phone2 Phone number #2
 | |
|  * @param string $type Account type
 | |
|  * @return int The new user's ID number in the database.
 | |
|  */
 | |
| function adduser($username, $password, $realname, $email = null, $phone1 = "", $phone2 = "", $type) {
 | |
|     global $database;
 | |
|     $database->insert('accounts', [
 | |
|         'username' => strtolower($username),
 | |
|         'password' => (is_null($password) ? null : encryptPassword($password)),
 | |
|         'realname' => $realname,
 | |
|         'email' => $email,
 | |
|         'phone1' => $phone1,
 | |
|         'phone2' => $phone2,
 | |
|         'acctstatus' => 1,
 | |
|         'accttype' => $type
 | |
|     ]);
 | |
|     //var_dump($database->error());
 | |
|     return $database->id();
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Get where a user's account actually is.
 | |
|  * @param string $username
 | |
|  * @return string "LDAP", "LOCAL", "LDAP_ONLY", or "NONE".
 | |
|  */
 | |
| function account_location($username) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $user_exists = user_exists_local($username);
 | |
|     if (!$user_exists && !LDAP_ENABLED) {
 | |
|         return false;
 | |
|     }
 | |
|     if ($user_exists) {
 | |
|         $userinfo = $database->select('accounts', ['password'], ['username' => $username])[0];
 | |
|         // if password empty, it's an LDAP user
 | |
|         if (is_empty($userinfo['password']) && LDAP_ENABLED) {
 | |
|             return "LDAP";
 | |
|         } else if (is_empty($userinfo['password']) && !LDAP_ENABLED) {
 | |
|             return "NONE";
 | |
|         } else {
 | |
|             return "LOCAL";
 | |
|         }
 | |
|     } else {
 | |
|         if (user_exists_ldap($username)) {
 | |
|             return "LDAP_ONLY";
 | |
|         } else {
 | |
|             return "NONE";
 | |
|         }
 | |
|     }
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Checks the given credentials against the database.
 | |
|  * @param string $username
 | |
|  * @param string $password
 | |
|  * @return boolean True if OK, else false
 | |
|  */
 | |
| function authenticate_user($username, $password, &$errormsg) {
 | |
|     global $database;
 | |
|     global $ldap;
 | |
|     $username = strtolower($username);
 | |
|     if (is_empty($username) || is_empty($password)) {
 | |
|         return false;
 | |
|     }
 | |
|     $loc = account_location($username, $password);
 | |
|     if ($loc == "NONE") {
 | |
|         return false;
 | |
|     } else if ($loc == "LOCAL") {
 | |
|         $hash = $database->select('accounts', ['password'], ['username' => $username, "LIMIT" => 1])[0]['password'];
 | |
|         return (comparePassword($password, $hash));
 | |
|     } else if ($loc == "LDAP") {
 | |
|         return authenticate_user_ldap($username, $password, $errormsg) === TRUE;
 | |
|     } else if ($loc == "LDAP_ONLY") {
 | |
|         try {
 | |
|             if (authenticate_user_ldap($username, $password) === TRUE) {
 | |
|                 $user = $ldap->getRepository('user')->findOneByUsername($username);
 | |
|                 //var_dump($user);
 | |
|                 adduser($user->getUsername(), null, $user->getName(), ($user->hasEmailAddress() ? $user->getEmailAddress() : null), "", "", 2);
 | |
|                 return true;
 | |
|             } else {
 | |
|                 return false;
 | |
|             }
 | |
|         } catch (Exception $e) {
 | |
|             sendError("LDAP error: " . $e->getMessage());
 | |
|         }
 | |
|     } else {
 | |
|         return false;
 | |
|     }
 | |
| }
 | |
| 
 | |
| function user_exists($username) {
 | |
|     return account_location($username) !== "NONE";
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Check if a username exists in the local database.
 | |
|  * @param String $username
 | |
|  */
 | |
| function user_exists_local($username) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     return $database->has('accounts', ['username' => $username, "LIMIT" => QUERY_LIMIT]);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Get the account status: NORMAL, TERMINATED, LOCKED_OR_DISABLED,
 | |
|  * CHANGE_PASSWORD, ALERT_ON_ACCESS, or OTHER
 | |
|  * @global $database $database
 | |
|  * @param string $username
 | |
|  * @param string $password
 | |
|  * @return string
 | |
|  */
 | |
| function get_account_status($username) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $loc = account_location($username);
 | |
|     if ($loc == "LOCAL") {
 | |
|         $statuscode = $database->select('accounts', [
 | |
|                     '[>]acctstatus' => [
 | |
|                         'acctstatus' => 'statusid'
 | |
|                     ]
 | |
|                         ], [
 | |
|                     'accounts.acctstatus',
 | |
|                     'acctstatus.statuscode'
 | |
|                         ], [
 | |
|                     'username' => $username,
 | |
|                     "LIMIT" => 1
 | |
|                         ]
 | |
|                 )[0]['statuscode'];
 | |
|         return $statuscode;
 | |
|     } else if ($loc == "LDAP" || $loc == "LDAP_ONLY") {
 | |
|         return get_account_status_ldap($username);
 | |
|     } else {
 | |
|         // account isn't setup properly
 | |
|         return "OTHER";
 | |
|     }
 | |
| }
 | |
| 
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| //                              Login handling                                //
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| 
 | |
| /**
 | |
|  * Setup $_SESSION values to log in a user
 | |
|  * @param string $username
 | |
|  */
 | |
| function doLoginUser($username, $password) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $userinfo = $database->select('accounts', ['email', 'uid', 'realname'], ['username' => $username])[0];
 | |
|     $_SESSION['username'] = $username;
 | |
|     $_SESSION['uid'] = $userinfo['uid'];
 | |
|     $_SESSION['email'] = $userinfo['email'];
 | |
|     $_SESSION['realname'] = $userinfo['realname'];
 | |
|     $_SESSION['password'] = $password; // needed for things like EWS
 | |
|     $_SESSION['loggedin'] = true;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Send an alert email to the system admin
 | |
|  * 
 | |
|  * Used when an account with the status ALERT_ON_ACCESS logs in
 | |
|  * @param String $username the account username
 | |
|  */
 | |
| function sendLoginAlertEmail($username) {
 | |
|     // TODO: add email code
 | |
| }
 | |
| 
 | |
| function insertAuthLog($type, $uid = null, $data = "") {
 | |
|     global $database;
 | |
|     // find IP address
 | |
|     $ip = "";
 | |
|     if (isset($_SERVER["HTTP_CF_CONNECTING_IP"])) {
 | |
|         $ip = $_SERVER["HTTP_CF_CONNECTING_IP"];
 | |
|     } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
 | |
|         $ip = $_SERVER["HTTP_CLIENT_IP"];
 | |
|     } else if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) {
 | |
|         $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
 | |
|     } else if (isset($_SERVER["HTTP_X_FORWARDED"])) {
 | |
|         $ip = $_SERVER["HTTP_X_FORWARDED"];
 | |
|     } else if (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
 | |
|         $ip = $_SERVER["HTTP_FORWARDED_FOR"];
 | |
|     } else if (isset($_SERVER["HTTP_FORWARDED"])) {
 | |
|         $ip = $_SERVER["HTTP_FORWARDED"];
 | |
|     } else if (isset($_SERVER["REMOTE_ADDR"])) {
 | |
|         $ip = $_SERVER["REMOTE_ADDR"];
 | |
|     } else {
 | |
|         $ip = "NOT FOUND";
 | |
|     }
 | |
|     $database->insert("authlog", ['#logtime' => 'NOW()', 'logtype' => $type, 'uid' => $uid, 'ip' => $ip, 'otherdata' => $data]);
 | |
| }
 | |
| 
 | |
| function verifyReCaptcha($response) {
 | |
|     try {
 | |
|         $client = new GuzzleHttp\Client();
 | |
| 
 | |
|         $response = $client
 | |
|                 ->request('POST', "https://www.google.com/recaptcha/api/siteverify", [
 | |
|             'form_params' => [
 | |
|                 'secret' => RECAPTCHA_SECRET_KEY,
 | |
|                 'response' => $response
 | |
|             ]
 | |
|         ]);
 | |
| 
 | |
|         if ($response->getStatusCode() != 200) {
 | |
|             return false;
 | |
|         }
 | |
| 
 | |
|         $resp = json_decode($response->getBody(), TRUE);
 | |
|         if ($resp['success'] === true) {
 | |
|             return true;
 | |
|         } else {
 | |
|             return false;
 | |
|         }
 | |
|     } catch (Exception $e) {
 | |
|         return false;
 | |
|     }
 | |
| }
 | |
| 
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| //                              LDAP handling                                 //
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| 
 | |
| /**
 | |
|  * Checks the given credentials against the LDAP server.
 | |
|  * @param string $username
 | |
|  * @param string $password
 | |
|  * @return mixed True if OK, else false or the error code from the server
 | |
|  */
 | |
| function authenticate_user_ldap($username, $password, &$errormsg) {
 | |
|     global $ldap;
 | |
|     if (is_empty($username) || is_empty($password)) {
 | |
|         return false;
 | |
|     }
 | |
|     $username = strtolower($username);
 | |
|     try {
 | |
|         $msg = "";
 | |
|         $code = 0;
 | |
|         if ($ldap->authenticate($username, $password, $msg, $code) === TRUE) {
 | |
|             $errormsg = $msg;
 | |
|             return true;
 | |
|         } else {
 | |
|             $errormsg = $msg;
 | |
|             return $msg;
 | |
|         }
 | |
|     } catch (Exception $e) {
 | |
|         sendError("LDAP error: " . $e->getMessage());
 | |
|     }
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Check if a username exists on the LDAP server.
 | |
|  * @global type $ldap_config
 | |
|  * @param type $username
 | |
|  * @return boolean true if yes, else false
 | |
|  */
 | |
| function user_exists_ldap($username) {
 | |
|     global $ldap;
 | |
|     try {
 | |
|         $username = strtolower($username);
 | |
|         $lqb = $ldap->buildLdapQuery();
 | |
|         $result = $lqb->fromUsers()
 | |
|                 ->where(['username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         if (count($result) > 0) {
 | |
|             return true;
 | |
|         }
 | |
|         return false;
 | |
|     } catch (Exception $e) {
 | |
|         return false;
 | |
|     }
 | |
| }
 | |
| 
 | |
| function get_account_status_ldap($username) {
 | |
|     global $ldap;
 | |
|     try {
 | |
|         $username = strtolower($username);
 | |
|         $normal = $ldap->buildLdapQuery()
 | |
|                 ->fromUsers()
 | |
|                 ->where(['enabled' => true, 'passwordMustChange' => false, 'locked' => false, 'disabled' => false, 'username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         if (count($normal) == 1) {
 | |
|             return "NORMAL";
 | |
|         }
 | |
|         $disabled = $ldap->buildLdapQuery()
 | |
|                 ->fromUsers()
 | |
|                 ->where(['disabled' => true, 'username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         $locked = $ldap->buildLdapQuery()
 | |
|                 ->fromUsers()
 | |
|                 ->where(['locked' => true, 'username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         if (count($disabled) == 1 || count($locked) == 1) {
 | |
|             return "LOCKED_OR_DISABLED";
 | |
|         }
 | |
|         $passwordExpired = $ldap->buildLdapQuery()
 | |
|                 ->fromUsers()
 | |
|                 ->where(['passwordMustChange' => true, 'username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         if (count($passwordExpired) == 1) {
 | |
|             return "CHANGE_PASSWORD";
 | |
|         }
 | |
|         $other = $ldap->buildLdapQuery()
 | |
|                 ->fromUsers()
 | |
|                 ->where(['username' => $username])
 | |
|                 ->getLdapQuery()
 | |
|                 ->getResult();
 | |
|         if (count($other) == 0) {
 | |
|             return false;
 | |
|         } else {
 | |
|             return "OTHER";
 | |
|         }
 | |
|     } catch (Exception $e) {
 | |
|         sendError("LDAP error: " . $e->getMessage());
 | |
|     }
 | |
| }
 | |
| 
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| //                          2-factor authentication                           //
 | |
| ////////////////////////////////////////////////////////////////////////////////
 | |
| 
 | |
| /**
 | |
|  * Check if a user has TOTP setup
 | |
|  * @global $database $database
 | |
|  * @param string $username
 | |
|  * @return boolean true if TOTP secret exists, else false
 | |
|  */
 | |
| function userHasTOTP($username) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $secret = $database->select('accounts', 'authsecret', ['username' => $username])[0];
 | |
|     if (is_empty($secret)) {
 | |
|         return false;
 | |
|     }
 | |
|     return true;
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Generate a TOTP secret for the given user.
 | |
|  * @param string $username
 | |
|  * @return string OTP provisioning URI (for generating a QR code)
 | |
|  */
 | |
| function newTOTP($username) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $secret = random_bytes(20);
 | |
|     $encoded_secret = Base32::encode($secret);
 | |
|     $userdata = $database->select('accounts', ['email', 'authsecret', 'realname'], ['username' => $username])[0];
 | |
|     $totp = new TOTP((is_null($userdata['email']) ? $userdata['realname'] : $userdata['email']), $encoded_secret);
 | |
|     $totp->setIssuer(SYSTEM_NAME);
 | |
|     return $totp->getProvisioningUri();
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Save a TOTP secret for the user.
 | |
|  * @global $database $database
 | |
|  * @param string $username
 | |
|  * @param string $secret
 | |
|  */
 | |
| function saveTOTP($username, $secret) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $database->update('accounts', ['authsecret' => $secret], ['username' => $username]);
 | |
| }
 | |
| 
 | |
| /**
 | |
|  * Verify a TOTP multiauth code
 | |
|  * @global $database
 | |
|  * @param string $username
 | |
|  * @param int $code
 | |
|  * @return boolean true if it's legit, else false
 | |
|  */
 | |
| function verifyTOTP($username, $code) {
 | |
|     global $database;
 | |
|     $username = strtolower($username);
 | |
|     $userdata = $database->select('accounts', ['email', 'authsecret'], ['username' => $username])[0];
 | |
|     if (is_empty($userdata['authsecret'])) {
 | |
|         return false;
 | |
|     }
 | |
|     $totp = new TOTP(null, $userdata['authsecret']);
 | |
|     return $totp->verify($code);
 | |
| }
 |