[platal.git] / include / xorg / session.inc.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2007 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/

require_once 'xorg.misc.inc.php';

class XorgSession
{
    // {{{ public static function init

    public static function init()
    {
        S::init();
        if (!S::has('uid')) {
            try_cookie();
        }
        if ((check_ip('dangerous') && S::has('uid')) || check_account()) {
            $_SESSION['log']->log("view_page", $_SERVER['REQUEST_URI']);
        }
    }

    // }}}
    // {{{ public static function destroy()

    public static function destroy()
    {
        S::destroy();
        XorgSession::init();
    }

    // }}}
    // {{{ public static function doAuth()

    public static function doAuth($new_name = false)
    {
        global $globals;
        if (S::identified()) { // ok, c'est bon, on n'a rien à faire
            return true;
        }

        if (!Env::has('username') || !Env::has('response')
        ||  !S::has('challenge'))
        {
            return false;
        }

        // si on vient de recevoir une identification par passwordpromptscreen.tpl
        // ou passwordpromptscreenlogged.tpl
        if (S::has('suid')) {
            $suid = S::v('suid');
            $login = $uname = $suid['forlife'];
            $redirect = false;
        } else {
            $uname = Env::v('username');

            if (Env::v('domain') == "alias") {
                $res = XDB::query(
                    "SELECT redirect
                       FROM virtual
                 INNER JOIN virtual_redirect USING(vid)
                      WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
                $redirect = $res->fetchOneCell();
                if ($redirect) {
                    $login = substr($redirect, 0, strpos($redirect, '@'));
                } else {
                    $login = "";
                }
            } else {
                $login = $uname;
                $redirect = false;
            }
        }

        $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
        $res   = XDB::query(
                    "SELECT  u.user_id, u.password
                       FROM  auth_user_md5 AS u
                 INNER JOIN  aliases       AS a ON ( a.id=u.user_id AND type!='homonyme' )
                      WHERE  a.$field = {?} AND u.perms IN('admin','user')", $login);

        $logger = S::v('log');
        if (list($uid, $password) = $res->fetchOneRow()) {
            require_once('secure_hash.inc.php');
            $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
            // le password de la base est peut-être encore encodé en md5
            if (Env::v('response') != $expected_response) {
                $new_password = hash_xor(Env::v('xorpass'), $password);
                $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
                if (Env::v('response') == $expected_response) {
                      XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
                                   $new_password, $uid);
                }
            }
            if (Env::v('response') == $expected_response) {
                if (Env::has('domain')) {
                    if (($domain = Env::v('domain', 'login')) == 'alias') {
                        setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
                    } else {
                        setcookie('ORGdomain', '', (time()-3600), '/', '', 0);
                    }
                    // pour que la modification soit effective dans le reste de la page
                    $_COOKIE['ORGdomain'] = $domain;
                }

                S::kill('challenge');
                if ($logger) {
                    $logger->log('auth_ok');
                }
                if (!start_connexion($uid, true)) {
                    return false;
                }
                if (Env::v('remember', 'false') == 'true') {
                    $cookie = hash_encrypt(S::v('password'));
                    setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
                    if ($logger) {
                        $logger->log("cookie_on");
                    }
                } else {
                    setcookie('ORGaccess', '', time() - 3600, '/', '', 0);

                    if ($logger) {
                        $logger->log("cookie_off");
                    }
                }
                return true;
            } elseif ($logger) {
                $logger->log('auth_fail','bad password');
            }
        } elseif ($logger) {
            $logger->log('auth_fail','bad login');
        }

        return false;
    }

    // }}}
    // {{{ public static function doAuthCookie()

    /** Try to do a cookie-based authentication.
     *
     * @param page the calling page (by reference)
     */
    public static function doAuthCookie()

    {
        if (S::logged()) {
            return true;
        }

        if (Env::has('username') and Env::has('response')) {
            return XorgSession::doAuth();
        }

        if ($r = try_cookie()) {
            return XorgSession::doAuth(($r > 0));
        }

        return false;
    }

    // }}}
    // {{{ public static function make_perms()

    public static function &make_perms($perm)
    {
        $flags = new FlagSet();
        if ($perm == 'disabled' || $perm == 'ext') {
            return $flags;
        }
        $flags->addFlag(PERMS_USER);
        if ($perm == 'admin') {
            $flags->addFlag(PERMS_ADMIN);
        }
        return $flags;
    }

    // }}}
}

// {{{ function try_cookie()

/** réalise la récupération de $_SESSION pour qqn avec cookie
 * @return  int     0 if all OK, -1 if no cookie, 1 if cookie with bad hash,
 *                  -2 should not happen
 */
function try_cookie()
{
    if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
        return -1;
    }

    $res = @XDB::query(
            "SELECT user_id,password FROM auth_user_md5
              WHERE user_id = {?} AND perms IN('admin','user')",
            Cookie::i('ORGuid'));

    if ($res->numRows() != 0) {
        list($uid, $password) = $res->fetchOneRow();
        require_once('secure_hash.inc.php');
        $expected_value       = hash_encrypt($password);
        if ($expected_value == Cookie::v('ORGaccess')) {
            if (!start_connexion($uid, false)) {
                return -3;
            }
            return 0;
        } else {
            return 1;
        }
    }

    return -2;
}

// }}}
// {{{ function start_connexion()

/** place les variables de session dépendants de auth_user_md5
 * et met à jour les dates de dernière connexion si nécessaire
 * @return void
 * @see controlpermanent.inc.php controlauthentication.inc.php
 */
function start_connexion ($uid, $identified)
{
    $res  = XDB::query("
        SELECT  u.user_id AS uid, prenom, nom, nom_usage, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
                UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias,
                q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash,
                FIND_IN_SET('watch', u.flags) AS watch_account, q.last_version
          FROM  auth_user_md5   AS u
    INNER JOIN  auth_user_quick AS q  USING(user_id)
    INNER JOIN  aliases         AS a  ON (u.user_id = a.id AND a.type='a_vie')
    INNER JOIN  aliases         AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
     LEFT JOIN  logger.sessions AS s  ON (s.uid=u.user_id AND s.suid=0)
         WHERE  u.user_id = {?} AND u.perms IN('admin','user')
      ORDER BY  s.start DESC
         LIMIT  1", $uid);
    $sess = $res->fetchOneAssoc();
    $suid = S::v('suid');

    if ($suid) {
        $logger = new CoreLogger($uid, $suid['uid']);
        $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
        $sess['suid'] = $suid;
    } else {
        $logger = S::v('log', new CoreLogger($uid));
        $logger->log("connexion", Env::v('n'));
        setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0);
    }

    $_SESSION         = array_merge($_SESSION, $sess);
    $_SESSION['log']  = $logger;
    $_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE);
    $_SESSION['perms'] =& XorgSession::make_perms($_SESSION['perms']);
    $mail_subject = null;
    if (check_account()) {
        $mail_subject = "Connexion d'un utilisateur surveillé";
    }
    if (check_ip('unsafe')) {
        if ($mail_subject) {
            $mail_subject .= ' - ';
        }
        $mail_subject .= "Une IP surveillee a tente de se connecter";
        if (check_ip('ban')) {
            send_warning_mail($mail_subject);
            $_SESSION = array();
            $_SESSION['perms'] = new FlagSet();
            global $page;
            $newpage = false;
            if (!$page) {
                require_once 'xorg.inc.php';
                new_skinned_page('platal/index.tpl');
                $newpage = true;
            }
            $page->trig("Une erreur est survenue lors de la procédure d'authentification. "
                       ."Merci de contacter au plus vite "
                       ."<a href='mailto:support@polytechnique.org'>support@polytechnique.org</a>");
            if ($newpage) {
                $page->run();
            }
            return false;
        }
    }
    if ($mail_subject) {
        send_warning_mail($mail_subject);
    }
    set_skin();
    check_redirect();
    return true;
}

// }}}

function set_skin()
{
    global $globals;
    if (S::logged() && !S::has('skin')) {
        $uid = S::v('uid');
    $res = XDB::query("SELECT  skin_tpl
                             FROM  auth_user_quick AS a
                       INNER JOIN  skins           AS s ON a.skin = s.id
                            WHERE  user_id = {?} AND skin_tpl != ''", $uid);
    if ($_SESSION['skin'] = $res->fetchOneCell()) {
            return;
        }
    }
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>
Commit	Line	Data
0337d704	1	<?php
0337d704	2	/***************************************************************************
5ddeb07c	3	* Copyright (C) 2003-2007 Polytechnique.org *
0337d704	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
5480a216	22	require_once 'xorg.misc.inc.php';
5480a216	23
4869f665	24	class XorgSession
0337d704	25	{
6995a9b9	26	// {{{ public static function init
4869f665	27
eaf30d86	28	public static function init()
5480a216	29	{
cab08090	30	S::init();
5480a216	31	if (!S::has('uid')) {
	32	try_cookie();
	33	}
0be07aa6	34	if ((check_ip('dangerous') && S::has('uid')) \|\| check_account()) {
5480a216	35	$_SESSION['log']->log("view_page", $_SERVER['REQUEST_URI']);
0337d704	36	}
0337d704	37	}
	38
	39	// }}}
6995a9b9	40	// {{{ public static function destroy()
cab08090	41
5480a216	42	public static function destroy()
5480a216	43	{
cab08090	44	S::destroy();
0337d704	45	XorgSession::init();
0337d704	46	}
cab08090	47
0337d704	48	// }}}
6995a9b9	49	// {{{ public static function doAuth()
0337d704	50
6995a9b9	51	public static function doAuth($new_name = false)
0337d704	52	{
e74411f7	53	global $globals;
a7de4ef7	54	if (S::identified()) { // ok, c'est bon, on n'a rien à faire
e74411f7	55	return true;
e74411f7	56	}
0337d704	57
63528107	58	if (!Env::has('username') \|\| !Env::has('response')
	59	\|\| !S::has('challenge'))
	60	{
	61	return false;
	62	}
	63
	64	// si on vient de recevoir une identification par passwordpromptscreen.tpl
	65	// ou passwordpromptscreenlogged.tpl
e74411f7	66	if (S::has('suid')) {
	67	$suid = S::v('suid');
	68	$login = $uname = $suid['forlife'];
	69	$redirect = false;
	70	} else {
	71	$uname = Env::v('username');
	72
	73	if (Env::v('domain') == "alias") {
	74	$res = XDB::query(
	75	"SELECT redirect
	76	FROM virtual
	77	INNER JOIN virtual_redirect USING(vid)
	78	WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
	79	$redirect = $res->fetchOneCell();
	80	if ($redirect) {
	81	$login = substr($redirect, 0, strpos($redirect, '@'));
	82	} else {
	83	$login = "";
	84	}
0337d704	85	} else {
e74411f7	86	$login = $uname;
e74411f7	87	$redirect = false;
0337d704	88	}
63528107	89	}
cab08090	90
63528107	91	$field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
	92	$res = XDB::query(
	93	"SELECT u.user_id, u.password
	94	FROM auth_user_md5 AS u
	95	INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' )
	96	WHERE a.$field = {?} AND u.perms IN('admin','user')", $login);
	97
1a013db7	98	$logger = S::v('log');
63528107	99	if (list($uid, $password) = $res->fetchOneRow()) {
e74411f7	100	require_once('secure_hash.inc.php');
e74411f7	101	$expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
a7de4ef7	102	// le password de la base est peut-être encore encodé en md5
e74411f7	103	if (Env::v('response') != $expected_response) {
	104	$new_password = hash_xor(Env::v('xorpass'), $password);
	105	$expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
	106	if (Env::v('response') == $expected_response) {
	107	XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
	108	$new_password, $uid);
	109	}
	110	}
	111	if (Env::v('response') == $expected_response) {
63528107	112	if (Env::has('domain')) {
5e2307dc	113	if (($domain = Env::v('domain', 'login')) == 'alias') {
63528107	114	setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
	115	} else {
	116	setcookie('ORGdomain', '', (time()-3600), '/', '', 0);
0337d704	117	}
63528107	118	// pour que la modification soit effective dans le reste de la page
	119	$_COOKIE['ORGdomain'] = $domain;
	120	}
cab08090	121
63528107	122	S::kill('challenge');
	123	if ($logger) {
	124	$logger->log('auth_ok');
	125	}
5480a216	126	if (!start_connexion($uid, true)) {
	127	return false;
	128	}
5e2307dc	129	if (Env::v('remember', 'false') == 'true') {
63528107	130	$cookie = hash_encrypt(S::v('password'));
63528107	131	setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
cab08090	132	if ($logger) {
63528107	133	$logger->log("cookie_on");
0337d704	134	}
63528107	135	} else {
63528107	136	setcookie('ORGaccess', '', time() - 3600, '/', '', 0);
cab08090	137
63528107	138	if ($logger) {
63528107	139	$logger->log("cookie_off");
0337d704	140	}
0337d704	141	}
e74411f7	142	return true;
e74411f7	143	} elseif ($logger) {
63528107	144	$logger->log('auth_fail','bad password');
0337d704	145	}
63528107	146	} elseif ($logger) {
	147	$logger->log('auth_fail','bad login');
	148	}
b0b937fd	149
63528107	150	return false;
0337d704	151	}
	152
	153	// }}}
6995a9b9	154	// {{{ public static function doAuthCookie()
0337d704	155
	156	/** Try to do a cookie-based authentication.
	157	*
	158	* @param page the calling page (by reference)
	159	*/
6995a9b9	160	public static function doAuthCookie()
eaf30d86	161
0337d704	162	{
5480a216	163	if (S::logged()) {
5480a216	164	return true;
0337d704	165	}
0337d704	166
5480a216	167	if (Env::has('username') and Env::has('response')) {
5480a216	168	return XorgSession::doAuth();
0337d704	169	}
0337d704	170
5480a216	171	if ($r = try_cookie()) {
5480a216	172	return XorgSession::doAuth(($r > 0));
0337d704	173	}
f6ce9a88	174
f6ce9a88	175	return false;
0337d704	176	}
	177
	178	// }}}
bf517daf	179	// {{{ public static function make_perms()
	180
	181	public static function &make_perms($perm)
	182	{
	183	$flags = new FlagSet();
	184	if ($perm == 'disabled' \|\| $perm == 'ext') {
	185	return $flags;
	186	}
	187	$flags->addFlag(PERMS_USER);
	188	if ($perm == 'admin') {
	189	$flags->addFlag(PERMS_ADMIN);
	190	}
	191	return $flags;
	192	}
	193
	194	// }}}
0337d704	195	}
0337d704	196
0337d704	197	// {{{ function try_cookie()
0337d704	198
a7de4ef7	199	/** réalise la récupération de $_SESSION pour qqn avec cookie
0337d704	200	* @return int 0 if all OK, -1 if no cookie, 1 if cookie with bad hash,
	201	* -2 should not happen
	202	*/
	203	function try_cookie()
	204	{
5e2307dc	205	if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
5480a216	206	return -1;
0337d704	207	}
0337d704	208
08cce2ff	209	$res = @XDB::query(
aa5f19ae	210	"SELECT user_id,password FROM auth_user_md5
	211	WHERE user_id = {?} AND perms IN('admin','user')",
	212	Cookie::i('ORGuid'));
	213
0337d704	214	if ($res->numRows() != 0) {
5480a216	215	list($uid, $password) = $res->fetchOneRow();
	216	require_once('secure_hash.inc.php');
	217	$expected_value = hash_encrypt($password);
	218	if ($expected_value == Cookie::v('ORGaccess')) {
	219	if (!start_connexion($uid, false)) {
	220	return -3;
	221	}
	222	return 0;
	223	} else {
0337d704	224	return 1;
	225	}
	226	}
	227
	228	return -2;
	229	}
	230
	231	// }}}
	232	// {{{ function start_connexion()
	233
a7de4ef7	234	/** place les variables de session dépendants de auth_user_md5
a7de4ef7	235	* et met à jour les dates de dernière connexion si nécessaire
0337d704	236	* @return void
	237	* @see controlpermanent.inc.php controlauthentication.inc.php
	238	*/
	239	function start_connexion ($uid, $identified)
	240	{
08cce2ff	241	$res = XDB::query("
e4df055c	242	SELECT u.user_id AS uid, prenom, nom, nom_usage, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
0337d704	243	UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias,
0be07aa6	244	q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash,
6ce5dee4	245	FIND_IN_SET('watch', u.flags) AS watch_account, q.last_version
0337d704	246	FROM auth_user_md5 AS u
0337d704	247	INNER JOIN auth_user_quick AS q USING(user_id)
e74411f7	248	INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie')
5480a216	249	INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags))
0337d704	250	LEFT JOIN logger.sessions AS s ON (s.uid=u.user_id AND s.suid=0)
	251	WHERE u.user_id = {?} AND u.perms IN('admin','user')
	252	ORDER BY s.start DESC
	253	LIMIT 1", $uid);
	254	$sess = $res->fetchOneAssoc();
cab08090	255	$suid = S::v('suid');
cab08090	256
0337d704	257	if ($suid) {
9ffe0e77	258	$logger = new CoreLogger($uid, $suid['uid']);
e74411f7	259	$logger->log("suid_start", S::v('forlife')." by {$suid['uid']}");
0337d704	260	$sess['suid'] = $suid;
0337d704	261	} else {
c4271d38	262	$logger = S::v('log', new CoreLogger($uid));
b7d19878	263	$logger->log("connexion", Env::v('n'));
0337d704	264	setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0);
	265	}
	266
aa5f19ae	267	$_SESSION = array_merge($_SESSION, $sess);
0337d704	268	$_SESSION['log'] = $logger;
0337d704	269	$_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE);
bf517daf	270	$_SESSION['perms'] =& XorgSession::make_perms($_SESSION['perms']);
0be07aa6	271	$mail_subject = null;
	272	if (check_account()) {
	273	$mail_subject = "Connexion d'un utilisateur surveillé";
	274	}
5480a216	275	if (check_ip('unsafe')) {
0be07aa6	276	if ($mail_subject) {
	277	$mail_subject .= ' - ';
	278	}
	279	$mail_subject .= "Une IP surveillee a tente de se connecter";
5480a216	280	if (check_ip('ban')) {
ee71ba92	281	send_warning_mail($mail_subject);
5480a216	282	$_SESSION = array();
ef42a9d6	283	$_SESSION['perms'] = new FlagSet();
5480a216	284	global $page;
ef42a9d6	285	$newpage = false;
	286	if (!$page) {
	287	require_once 'xorg.inc.php';
	288	new_skinned_page('platal/index.tpl');
	289	$newpage = true;
	290	}
a7de4ef7	291	$page->trig("Une erreur est survenue lors de la procédure d'authentification. "
5480a216	292	."Merci de contacter au plus vite "
5480a216	293	."<a href='mailto:support@polytechnique.org'>support@polytechnique.org</a>");
ef42a9d6	294	if ($newpage) {
	295	$page->run();
	296	}
5480a216	297	return false;
	298	}
	299	}
0be07aa6	300	if ($mail_subject) {
	301	send_warning_mail($mail_subject);
	302	}
0337d704	303	set_skin();
ccdbc270	304	check_redirect();
5480a216	305	return true;
0337d704	306	}
	307
	308	// }}}
0337d704	309
	310	function set_skin()
	311	{
	312	global $globals;
63528107	313	if (S::logged() && !S::has('skin')) {
cab08090	314	$uid = S::v('uid');
e74411f7	315	$res = XDB::query("SELECT skin_tpl
63528107	316	FROM auth_user_quick AS a
	317	INNER JOIN skins AS s ON a.skin = s.id
	318	WHERE user_id = {?} AND skin_tpl != ''", $uid);
e74411f7	319	if ($_SESSION['skin'] = $res->fetchOneCell()) {
0337d704	320	return;
	321	}
	322	}
0337d704	323	}
0337d704	324
a7de4ef7	325	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
0337d704	326	?>