[platal.git] / include / xorg / session.inc.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2007 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/

require_once 'xorg.misc.inc.php';

class XorgSession
{
    // {{{ public static function init

    public static function init() 
    {
        S::init();
        if (!S::has('uid')) {
            try_cookie();
        }
        if (check_ip('dangerous') && S::has('uid')) {
            $_SESSION['log']->log("view_page", $_SERVER['REQUEST_URI']);
        }
    }

    // }}}
    // {{{ public static function destroy()

    public static function destroy()
    {
        S::destroy();
        XorgSession::init();
    }

    // }}}
    // {{{ public static function doAuth()

    public static function doAuth($new_name = false)
    {
        global $globals;
        if (S::identified()) { // ok, c'est bon, on n'a rien � faire
            return true;
        }

        if (!Env::has('username') || !Env::has('response')
        ||  !S::has('challenge'))
        {
            return false;
        }

        // si on vient de recevoir une identification par passwordpromptscreen.tpl
        // ou passwordpromptscreenlogged.tpl
        if (S::has('suid')) {
            $suid = S::v('suid');
            $login = $uname = $suid['forlife'];
            $redirect = false;
        } else {
            $uname = Env::v('username');

            if (Env::v('domain') == "alias") {
                $res = XDB::query(
                    "SELECT redirect
                       FROM virtual
                 INNER JOIN virtual_redirect USING(vid)
                      WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
                $redirect = $res->fetchOneCell();
                if ($redirect) {
                    $login = substr($redirect, 0, strpos($redirect, '@'));
                } else {
                    $login = "";
                }
            } else {
                $login = $uname;
                $redirect = false;
            }
        }

        $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
        $res   = XDB::query(
                    "SELECT  u.user_id, u.password
                       FROM  auth_user_md5 AS u
                 INNER JOIN  aliases       AS a ON ( a.id=u.user_id AND type!='homonyme' )
                      WHERE  a.$field = {?} AND u.perms IN('admin','user')", $login);

        $logger = S::v('log');
        if (list($uid, $password) = $res->fetchOneRow()) {
            require_once('secure_hash.inc.php');
            $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
            // le password de la base est peut-�tre encore encod� en md5
            if (Env::v('response') != $expected_response) {
                $new_password = hash_xor(Env::v('xorpass'), $password);
                $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
                if (Env::v('response') == $expected_response) {
                      XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
                                   $new_password, $uid);
                }
            }
            if (Env::v('response') == $expected_response) {
                if (Env::has('domain')) {
                    if (($domain = Env::v('domain', 'login')) == 'alias') {
                        setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
                    } else {
                        setcookie('ORGdomain', '', (time()-3600), '/', '', 0);
                    }
                    // pour que la modification soit effective dans le reste de la page
                    $_COOKIE['ORGdomain'] = $domain;
                }

                S::kill('challenge');
                if ($logger) {
                    $logger->log('auth_ok');
                }
                if (!start_connexion($uid, true)) {
                    return false;
                }
                if (Env::v('remember', 'false') == 'true') {
                    $cookie = hash_encrypt(S::v('password'));
                    setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
                    if ($logger) {
                        $logger->log("cookie_on");
                    }
                } else {
                    setcookie('ORGaccess', '', time() - 3600, '/', '', 0);

                    if ($logger) {
                        $logger->log("cookie_off");
                    }
                }
                return true;
            } elseif ($logger) {
                $logger->log('auth_fail','bad password');
            }
        } elseif ($logger) {
            $logger->log('auth_fail','bad login');
        }

        return false;
    }

    // }}}
    // {{{ public static function doAuthCookie()

    /** Try to do a cookie-based authentication.
     *
     * @param page the calling page (by reference)
     */
    public static function doAuthCookie()
    {
        if (S::logged()) {
            return true;
        }

        if (Env::has('username') and Env::has('response')) {
            return XorgSession::doAuth();
        }

        if ($r = try_cookie()) {
            return XorgSession::doAuth(($r > 0));
        }

        return false;
    }

    // }}}
}

// {{{ function try_cookie()

/** r�alise la r�cup�ration de $_SESSION pour qqn avec cookie
 * @return  int     0 if all OK, -1 if no cookie, 1 if cookie with bad hash,
 *                  -2 should not happen
 */
function try_cookie()
{
    if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
        return -1;
    }

    $res = @XDB::query(
            "SELECT user_id,password FROM auth_user_md5
              WHERE user_id = {?} AND perms IN('admin','user')",
            Cookie::i('ORGuid'));

    if ($res->numRows() != 0) {
        list($uid, $password) = $res->fetchOneRow();
        require_once('secure_hash.inc.php');
        $expected_value       = hash_encrypt($password);
        if ($expected_value == Cookie::v('ORGaccess')) {
            if (!start_connexion($uid, false)) {
                return -3;
            }
            return 0;
        } else {
            return 1;
        }
    }

    return -2;
}

// }}}
// {{{ function start_connexion()

/** place les variables de session d�pendants de auth_user_md5
 * et met � jour les dates de derni�re connexion si n�cessaire
 * @return void
 * @see controlpermanent.inc.php controlauthentication.inc.php
 */
function start_connexion ($uid, $identified)
{
    $res  = XDB::query("
    SELECT  u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
                UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias,
                q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash
          FROM  auth_user_md5   AS u
    INNER JOIN  auth_user_quick AS q  USING(user_id)
    INNER JOIN  aliases         AS a  ON (u.user_id = a.id AND a.type='a_vie')
    INNER JOIN  aliases         AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
     LEFT JOIN  logger.sessions AS s  ON (s.uid=u.user_id AND s.suid=0)
         WHERE  u.user_id = {?} AND u.perms IN('admin','user')
      ORDER BY  s.start DESC
         LIMIT  1", $uid);
    $sess = $res->fetchOneAssoc();
    $suid = S::v('suid');

    if ($suid) {
        $logger = new CoreLogger($uid, $suid);
        $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
        $sess['suid'] = $suid;
        $sess['perms'] = $_SESSION['perms'];
    } else {
        $logger = S::v('log', new CoreLogger($uid));
        $logger->log("connexion", Env::v('n'));
        setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0);
    }

    $_SESSION         = array_merge($_SESSION, $sess);
    $_SESSION['log']  = $logger;
    $_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE);
    if (check_ip('unsafe')) {
        send_warning_mail("Une IP surveillee a tente de se connecter");
        if (check_ip('ban')) {
            $_SESSION = array();
            global $page;
            $page->trig("Une erreur est survenue lors de la proc�dure d'authentification. "
                       ."Merci de contacter au plus vite "
                       ."<a href='mailto:support@polytechnique.org'>support@polytechnique.org</a>");
            return false;
        }
    }
    set_skin();
    check_redirect();
    return true;
}

// }}}

function set_skin()
{
    global $globals;
    if (S::logged() && !S::has('skin')) {
        $uid = S::v('uid');
    $res = XDB::query("SELECT  skin_tpl
                             FROM  auth_user_quick AS a
                       INNER JOIN  skins           AS s ON a.skin = s.id
                            WHERE  user_id = {?} AND skin_tpl != ''", $uid);
    if ($_SESSION['skin'] = $res->fetchOneCell()) {
            return;
        }
    }
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker:
?>
Commit	Line	Data
0337d704	1	<?php
0337d704	2	/***************************************************************************
5ddeb07c	3	* Copyright (C) 2003-2007 Polytechnique.org *
0337d704	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
5480a216	22	require_once 'xorg.misc.inc.php';
5480a216	23
4869f665	24	class XorgSession
0337d704	25	{
6995a9b9	26	// {{{ public static function init
4869f665	27
5480a216	28	public static function init()
5480a216	29	{
cab08090	30	S::init();
5480a216	31	if (!S::has('uid')) {
	32	try_cookie();
	33	}
	34	if (check_ip('dangerous') && S::has('uid')) {
	35	$_SESSION['log']->log("view_page", $_SERVER['REQUEST_URI']);
0337d704	36	}
0337d704	37	}
	38
	39	// }}}
6995a9b9	40	// {{{ public static function destroy()
cab08090	41
5480a216	42	public static function destroy()
5480a216	43	{
cab08090	44	S::destroy();
0337d704	45	XorgSession::init();
0337d704	46	}
cab08090	47
0337d704	48	// }}}
6995a9b9	49	// {{{ public static function doAuth()
0337d704	50
6995a9b9	51	public static function doAuth($new_name = false)
0337d704	52	{
e74411f7	53	global $globals;
	54	if (S::identified()) { // ok, c'est bon, on n'a rien � faire
	55	return true;
	56	}
0337d704	57
63528107	58	if (!Env::has('username') \|\| !Env::has('response')
	59	\|\| !S::has('challenge'))
	60	{
	61	return false;
	62	}
	63
	64	// si on vient de recevoir une identification par passwordpromptscreen.tpl
	65	// ou passwordpromptscreenlogged.tpl
e74411f7	66	if (S::has('suid')) {
	67	$suid = S::v('suid');
	68	$login = $uname = $suid['forlife'];
	69	$redirect = false;
	70	} else {
	71	$uname = Env::v('username');
	72
	73	if (Env::v('domain') == "alias") {
	74	$res = XDB::query(
	75	"SELECT redirect
	76	FROM virtual
	77	INNER JOIN virtual_redirect USING(vid)
	78	WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
	79	$redirect = $res->fetchOneCell();
	80	if ($redirect) {
	81	$login = substr($redirect, 0, strpos($redirect, '@'));
	82	} else {
	83	$login = "";
	84	}
0337d704	85	} else {
e74411f7	86	$login = $uname;
e74411f7	87	$redirect = false;
0337d704	88	}
63528107	89	}
cab08090	90
63528107	91	$field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
	92	$res = XDB::query(
	93	"SELECT u.user_id, u.password
	94	FROM auth_user_md5 AS u
	95	INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' )
	96	WHERE a.$field = {?} AND u.perms IN('admin','user')", $login);
	97
1a013db7	98	$logger = S::v('log');
63528107	99	if (list($uid, $password) = $res->fetchOneRow()) {
e74411f7	100	require_once('secure_hash.inc.php');
	101	$expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
	102	// le password de la base est peut-�tre encore encod� en md5
	103	if (Env::v('response') != $expected_response) {
	104	$new_password = hash_xor(Env::v('xorpass'), $password);
	105	$expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
	106	if (Env::v('response') == $expected_response) {
	107	XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
	108	$new_password, $uid);
	109	}
	110	}
	111	if (Env::v('response') == $expected_response) {
63528107	112	if (Env::has('domain')) {
5e2307dc	113	if (($domain = Env::v('domain', 'login')) == 'alias') {
63528107	114	setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
	115	} else {
	116	setcookie('ORGdomain', '', (time()-3600), '/', '', 0);
0337d704	117	}
63528107	118	// pour que la modification soit effective dans le reste de la page
	119	$_COOKIE['ORGdomain'] = $domain;
	120	}
cab08090	121
63528107	122	S::kill('challenge');
	123	if ($logger) {
	124	$logger->log('auth_ok');
	125	}
5480a216	126	if (!start_connexion($uid, true)) {
	127	return false;
	128	}
5e2307dc	129	if (Env::v('remember', 'false') == 'true') {
63528107	130	$cookie = hash_encrypt(S::v('password'));
63528107	131	setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
cab08090	132	if ($logger) {
63528107	133	$logger->log("cookie_on");
0337d704	134	}
63528107	135	} else {
63528107	136	setcookie('ORGaccess', '', time() - 3600, '/', '', 0);
cab08090	137
63528107	138	if ($logger) {
63528107	139	$logger->log("cookie_off");
0337d704	140	}
0337d704	141	}
e74411f7	142	return true;
e74411f7	143	} elseif ($logger) {
63528107	144	$logger->log('auth_fail','bad password');
0337d704	145	}
63528107	146	} elseif ($logger) {
	147	$logger->log('auth_fail','bad login');
	148	}
b0b937fd	149
63528107	150	return false;
0337d704	151	}
	152
	153	// }}}
6995a9b9	154	// {{{ public static function doAuthCookie()
0337d704	155
	156	/** Try to do a cookie-based authentication.
	157	*
	158	* @param page the calling page (by reference)
	159	*/
6995a9b9	160	public static function doAuthCookie()
0337d704	161	{
5480a216	162	if (S::logged()) {
5480a216	163	return true;
0337d704	164	}
0337d704	165
5480a216	166	if (Env::has('username') and Env::has('response')) {
5480a216	167	return XorgSession::doAuth();
0337d704	168	}
0337d704	169
5480a216	170	if ($r = try_cookie()) {
5480a216	171	return XorgSession::doAuth(($r > 0));
0337d704	172	}
f6ce9a88	173
f6ce9a88	174	return false;
0337d704	175	}
	176
	177	// }}}
0337d704	178	}
0337d704	179
0337d704	180	// {{{ function try_cookie()
	181
	182	/** r�alise la r�cup�ration de $_SESSION pour qqn avec cookie
	183	* @return int 0 if all OK, -1 if no cookie, 1 if cookie with bad hash,
	184	* -2 should not happen
	185	*/
	186	function try_cookie()
	187	{
5e2307dc	188	if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
5480a216	189	return -1;
0337d704	190	}
0337d704	191
08cce2ff	192	$res = @XDB::query(
aa5f19ae	193	"SELECT user_id,password FROM auth_user_md5
	194	WHERE user_id = {?} AND perms IN('admin','user')",
	195	Cookie::i('ORGuid'));
	196
0337d704	197	if ($res->numRows() != 0) {
5480a216	198	list($uid, $password) = $res->fetchOneRow();
	199	require_once('secure_hash.inc.php');
	200	$expected_value = hash_encrypt($password);
	201	if ($expected_value == Cookie::v('ORGaccess')) {
	202	if (!start_connexion($uid, false)) {
	203	return -3;
	204	}
	205	return 0;
	206	} else {
0337d704	207	return 1;
	208	}
	209	}
	210
	211	return -2;
	212	}
	213
	214	// }}}
	215	// {{{ function start_connexion()
	216
	217	/** place les variables de session d�pendants de auth_user_md5
	218	* et met � jour les dates de derni�re connexion si n�cessaire
	219	* @return void
	220	* @see controlpermanent.inc.php controlauthentication.inc.php
	221	*/
	222	function start_connexion ($uid, $identified)
	223	{
08cce2ff	224	$res = XDB::query("
e74411f7	225	SELECT u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
0337d704	226	UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias,
	227	q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash
	228	FROM auth_user_md5 AS u
	229	INNER JOIN auth_user_quick AS q USING(user_id)
e74411f7	230	INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie')
5480a216	231	INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
0337d704	232	LEFT JOIN logger.sessions AS s ON (s.uid=u.user_id AND s.suid=0)
	233	WHERE u.user_id = {?} AND u.perms IN('admin','user')
	234	ORDER BY s.start DESC
	235	LIMIT 1", $uid);
	236	$sess = $res->fetchOneAssoc();
cab08090	237	$suid = S::v('suid');
cab08090	238
0337d704	239	if ($suid) {
e74411f7	240	$logger = new CoreLogger($uid, $suid);
e74411f7	241	$logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
0337d704	242	$sess['suid'] = $suid;
e74411f7	243	$sess['perms'] = $_SESSION['perms'];
0337d704	244	} else {
c4271d38	245	$logger = S::v('log', new CoreLogger($uid));
b7d19878	246	$logger->log("connexion", Env::v('n'));
0337d704	247	setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0);
	248	}
	249
aa5f19ae	250	$_SESSION = array_merge($_SESSION, $sess);
0337d704	251	$_SESSION['log'] = $logger;
0337d704	252	$_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE);
5480a216	253	if (check_ip('unsafe')) {
	254	send_warning_mail("Une IP surveillee a tente de se connecter");
	255	if (check_ip('ban')) {
	256	$_SESSION = array();
	257	global $page;
	258	$page->trig("Une erreur est survenue lors de la proc�dure d'authentification. "
	259	."Merci de contacter au plus vite "
	260	."<a href='mailto:support@polytechnique.org'>support@polytechnique.org</a>");
	261	return false;
	262	}
	263	}
0337d704	264	set_skin();
ccdbc270	265	check_redirect();
5480a216	266	return true;
0337d704	267	}
	268
	269	// }}}
0337d704	270
	271	function set_skin()
	272	{
	273	global $globals;
63528107	274	if (S::logged() && !S::has('skin')) {
cab08090	275	$uid = S::v('uid');
e74411f7	276	$res = XDB::query("SELECT skin_tpl
63528107	277	FROM auth_user_quick AS a
	278	INNER JOIN skins AS s ON a.skin = s.id
	279	WHERE user_id = {?} AND skin_tpl != ''", $uid);
e74411f7	280	if ($_SESSION['skin'] = $res->fetchOneCell()) {
0337d704	281	return;
	282	}
	283	}
0337d704	284	}
0337d704	285
0337d704	286	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker:
0337d704	287	?>