| 1 | <?php |
| 2 | /*************************************************************************** |
| 3 | * Copyright (C) 2003-2010 Polytechnique.org * |
| 4 | * http://opensource.polytechnique.org/ * |
| 5 | * * |
| 6 | * This program is free software; you can redistribute it and/or modify * |
| 7 | * it under the terms of the GNU General Public License as published by * |
| 8 | * the Free Software Foundation; either version 2 of the License, or * |
| 9 | * (at your option) any later version. * |
| 10 | * * |
| 11 | * This program is distributed in the hope that it will be useful, * |
| 12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of * |
| 13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * |
| 14 | * GNU General Public License for more details. * |
| 15 | * * |
| 16 | * You should have received a copy of the GNU General Public License * |
| 17 | * along with this program; if not, write to the Free Software * |
| 18 | * Foundation, Inc., * |
| 19 | * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA * |
| 20 | ***************************************************************************/ |
| 21 | |
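class XorgSession extends PlSession
{
    /** Return codes of tryCookie(). */
    const INVALID_USER   = -2;
    const NO_COOKIE      = -1;
    const COOKIE_SUCCESS = 0;
    const INVALID_COOKIE = 1;

    /** Column names checkPassword() may look a login up by when the login
     *  type is not 'alias'. The column name is spliced into the SQL text,
     *  so it must never come from anywhere but this fixed list.
     */
    private static $loginColumns = array('uid', 'hruid');

    public function __construct()
    {
        parent::__construct();
    }

    /** Compares two credential-derived strings (a hash, or a challenge
     *  response) without the pitfalls of PHP's loose `==`: with `==`, two
     *  numeric-looking hex strings such as "0e123" and "0e456" compare equal.
     *  hash_equals() is used when the runtime provides it, so the comparison
     *  also does not leak the position of the first mismatching byte.
     *
     *  @param string $expected value derived from the stored credential
     *  @param string $actual   value supplied by the client
     *  @return bool
     */
    private static function secureEquals($expected, $actual)
    {
        $expected = (string)$expected;
        $actual   = (string)$actual;
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $actual);
        }
        return $expected === $actual;
    }

    /** Tries to open a session from the permanent cookie when nobody is
     *  logged in yet, then logs the page view for monitored accounts/IPs.
     *
     *  @return bool false when the cookie is present but invalid, or when
     *               starting the cookie session fails; true otherwise
     *               (including when there is simply no cookie).
     */
    public function startAvailableAuth()
    {
        if (!S::logged()) {
            switch ($this->tryCookie()) {
              case self::COOKIE_SUCCESS:
                if (!$this->start(AUTH_COOKIE)) {
                    return false;
                }
                break;

              case self::INVALID_USER:
              case self::INVALID_COOKIE:
                return false;

              // self::NO_COOKIE: nothing to do, the visitor stays anonymous.
            }
        }
        if ((check_ip('dangerous') && S::has('uid')) || check_account()) {
            S::logger()->log("view_page", $_SERVER['REQUEST_URI']);
        }
        return true;
    }

    /** Checks the permanent cookie and sets the associated uid in the
     *  auth_by_cookie session variable.
     *
     *  The 'access' cookie carries sha1() of the accounts.password column
     *  (see setAccessCookie()), so it stays valid until that column changes:
     *  there is no per-cookie secret and no server-side expiry.
     *
     *  @return int one of NO_COOKIE, INVALID_USER, INVALID_COOKIE,
     *              COOKIE_SUCCESS
     */
    private function tryCookie()
    {
        S::kill('auth_by_cookie');
        if (Cookie::v('access') == '' || !Cookie::has('uid')) {
            return self::NO_COOKIE;
        }

        $res = XDB::query('SELECT  uid, password
                             FROM  accounts
                            WHERE  uid = {?} AND state = \'active\'',
                          Cookie::i('uid'));
        if ($res->numRows() == 0) {
            return self::INVALID_USER;
        }

        list($uid, $password) = $res->fetchOneRow();
        // Credential comparison: strict and, where available, constant-time.
        if (!self::secureEquals(sha1($password), Cookie::v('access'))) {
            return self::INVALID_COOKIE;
        }
        S::set('auth_by_cookie', $uid);
        return self::COOKIE_SUCCESS;
    }

    /** Verifies a challenge/response login.
     *
     *  @param string $uname      the name typed by the user (part of the
     *                            challenge response)
     *  @param string $login      the value used to look the account up
     *  @param string $response   the client's sha1 challenge response
     *  @param string $login_type 'alias', or a column of accounts listed in
     *                            self::$loginColumns
     *  @return int|null the uid on success, null on failure (an error is
     *                   pushed on the page and the failure is logged)
     */
    private function checkPassword($uname, $login, $response, $login_type)
    {
        if ($login_type == 'alias') {
            $res = XDB::query('SELECT  a.uid, a.password
                                 FROM  accounts AS a
                           INNER JOIN  aliases  AS l ON (l.uid = a.uid AND l.type != \'homonyme\')
                                WHERE  l.alias = {?} AND a.state = \'active\'',
                              $login);
        } else {
            // The column name is interpolated into the SQL text, so it is
            // restricted to a fixed allow-list rather than trusted blindly.
            if (!in_array($login_type, self::$loginColumns, true)) {
                Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
                return null;
            }
            // NOTE(review): unlike the alias branch and tryCookie(), this
            // query does not filter on state = 'active' -- confirm intended.
            $res = XDB::query('SELECT  uid, password
                                 FROM  accounts
                                WHERE  ' . $login_type . ' = {?}',
                              $login);
        }

        $row = $res->fetchOneRow();
        if (!$row) {
            Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
            return null;
        }

        list($uid, $password) = $row;
        $expected_response = sha1("$uname:$password:" . S::v('challenge'));
        /* Deprecates len(password) > 10 conversion. */
        // $response is attacker-controlled: compare strictly (and in constant
        // time where available), never with the loose `!=`.
        if (!self::secureEquals($expected_response, $response)) {
            if (!S::logged()) {
                Platal::page()->trigError('Mot de passe ou nom d\'utilisateur invalide');
            } else {
                Platal::page()->trigError('Mot de passe invalide');
            }
            S::logger($uid)->log('auth_fail', 'bad password');
            return null;
        }
        return $uid;
    }


    /** Authenticates the visitor at the requested level.
     *
     *  AUTH_COOKIE is served from the permanent cookie; any other level
     *  requires a posted username/response matching the session challenge.
     *
     *  @param int $level the authentication level requested
     *  @return User|null the authenticated user, or null
     */
    protected function doAuth($level)
    {
        global $globals;

        /* Cookie authentication
         */
        if ($level == AUTH_COOKIE && !S::has('auth_by_cookie')) {
            $this->tryCookie();
        }
        if ($level == AUTH_COOKIE && S::has('auth_by_cookie')) {
            if (!S::logged()) {
                S::set('auth', AUTH_COOKIE);
            }
            return User::getSilentWithUID(S::i('auth_by_cookie'));
        }


        /* We want to do auth... we must have infos from a form.
         */
        if (!Post::has('username') || !Post::has('response') || !S::has('challenge')) {
            return null;
        }

        /** We come from an authentication form.
         */
        if (S::suid()) {
            // While impersonating, the password checked is the one of the
            // original (suid) account, looked up by its uid.
            $login = $uname = S::suid('uid');
            $loginType = 'uid';
        } else {
            $uname = Post::v('username');
            $domain = Post::s('domain');
            if ($domain === "alias") {
                // Resolve the virtual alias to the real login before lookup.
                $res = XDB::query('SELECT  redirect
                                     FROM  virtual
                               INNER JOIN  virtual_redirect USING(vid)
                                    WHERE  alias LIKE {?}',
                                  $uname . '@' . $globals->mail->alias_dom);
                $redirect = $res->fetchOneCell();
                if ($redirect) {
                    $login = substr($redirect, 0, strpos($redirect, '@'));
                } else {
                    $login = '';
                }
                $loginType = 'alias';
            } else if ($domain === "ax") {
                $login = $uname;
                $loginType = 'hruid';
            } else {
                $login = $uname;
                $loginType = is_numeric($uname) ? 'uid' : 'alias';
            }
        }

        $uid = $this->checkPassword($uname, $login, Post::v('response'), $loginType);
        if (!is_null($uid) && S::suid()) {
            // Under suid, a valid password only re-confirms the impersonated
            // session: the uid stays the one currently in session.
            if (S::suid('uid') == $uid) {
                $uid = S::i('uid');
            } else {
                $uid = null;
            }
        }
        if (!is_null($uid)) {
            S::set('auth', AUTH_MDP);
            if (!S::suid()) {
                if (Post::has('domain')) {
                    // Remember the login domain for the login form (5 min).
                    $domain = Post::v('domain', 'login');
                    if ($domain == 'alias') {
                        Cookie::set('domain', 'alias', 300);
                    } else if ($domain == 'ax') {
                        Cookie::set('domain', 'ax', 300);
                    } else {
                        Cookie::kill('domain');
                    }
                }
            }
            // The challenge is single-use: drop it once it has been consumed.
            S::kill('challenge');
            S::logger($uid)->log('auth_ok');
        }
        return User::getSilentWithUID($uid);
    }

    /** Binds the session to $user at the given level.
     *
     *  @param User $user  the authenticated user
     *  @param int  $level the authentication level reached
     *  @return bool false when a different user is already in session,
     *               true otherwise
     */
    protected function startSessionAs($user, $level)
    {
        // Refuse to overwrite a session that belongs to someone else.
        if ((!is_null(S::user()) && S::user()->id() != $user->id())
            || (S::has('uid') && S::i('uid') != $user->id())) {
            return false;
        } else if (S::has('uid')) {
            return true;
        }
        if ($level == AUTH_SUID) {
            S::set('auth', AUTH_MDP);
        }

        // NOTE(review): nothing here regenerates the session id when the
        // authentication level rises -- confirm PlSession::start() does so.

        // Loads uid and hruid into the session for developement conveniance.
        $_SESSION = array_merge($_SESSION, array('uid' => $user->id(), 'hruid' => $user->hruid, 'token' => $user->token, 'user' => $user));

        // Starts the session's logger, and sets up the permanent cookie.
        if (S::suid()) {
            S::logger()->log("suid_start", S::v('hruid') . ' by ' . S::suid('hruid'));
        } else {
            S::logger()->saveLastSession();
            Cookie::set('uid', $user->id(), 300);

            // Keep the access cookie when it was used for this login or when
            // the user asked to be remembered; log 'cookie_on' only for the
            // latter, since a cookie login does not create a new cookie.
            if (S::i('auth_by_cookie') == $user->id() || Post::v('remember', 'false') == 'true') {
                $this->setAccessCookie(false, S::i('auth_by_cookie') != $user->id());
            } else {
                $this->killAccessCookie();
            }
        }

        // Finalizes the session setup.
        $this->makePerms($user->perms, $user->is_admin);
        $this->securityChecks();
        $this->setSkin();
        $this->updateNbNotifs();
        check_redirect();

        // We should not have to use this private data anymore
        S::kill('auth_by_cookie');
        return true;
    }

    /** Sends a warning mail for monitored accounts and IPs, and aborts the
     *  session when the IP is banned.
     *
     *  @return bool false when the session was destroyed because the IP is
     *               banned, true otherwise
     */
    private function securityChecks()
    {
        $mail_subject = array();
        if (check_account()) {
            $mail_subject[] = 'Connexion d\'un utilisateur surveillé';
        }
        if (check_ip('unsafe')) {
            $mail_subject[] = 'Une IP surveillee a tente de se connecter';
            if (check_ip('ban')) {
                send_warning_mail(implode(' - ', $mail_subject));
                $this->destroy();
                Platal::page()->kill('Une erreur est survenue lors de la procédure d\'authentification. '
                                     . 'Merci de contacter au plus vite '
                                     . '<a href="mailto:support@polytechnique.org">support@polytechnique.org</a>');
                return false;
            }
        }
        if (count($mail_subject)) {
            send_warning_mail(implode(' - ', $mail_subject));
        }
        return true;
    }

    /** Authenticates with an account token (e.g. for feeds).
     *
     *  @param string $login the account hruid
     *  @param string $token the account token
     *  @return User|null the matching active account, or null
     */
    public function tokenAuth($login, $token)
    {
        $res = XDB::query('SELECT  a.uid, a.hruid
                             FROM  accounts AS a
                            WHERE  a.token = {?} AND a.hruid = {?} AND a.state = \'active\'',
                          $token, $login);
        if ($res->numRows() == 1) {
            return new User(null, $res->fetchOneAssoc());
        }
        return null;
    }

    /** Stores the computed permission set in the session. */
    protected function makePerms($perm, $is_admin)
    {
        S::set('perms', User::makePerms($perm, $is_admin));
    }

    /** Loads the user's skin template into the session when it is missing,
     *  or always under suid (the impersonated user's skin must be used).
     */
    public function setSkin()
    {
        if (S::logged() && (!S::has('skin') || S::suid())) {
            $res = XDB::query('SELECT  skin_tpl
                                 FROM  accounts AS a
                           INNER JOIN  skins AS s on (a.skin = s.id)
                                WHERE  a.uid = {?} AND skin_tpl != \'\'', S::i('uid'));
            S::set('skin', $res->fetchOneCell());
        }
    }

    /** Level at which a visitor counts as logged in. */
    public function loggedLevel()
    {
        return AUTH_COOKIE;
    }

    /** Level required for sensitive operations. */
    public function sureLevel()
    {
        return AUTH_MDP;
    }


    /** Refreshes the pending notification count stored in the session. */
    public function updateNbNotifs()
    {
        require_once 'notifs.inc.php';
        $user = S::user();
        $n = Watch::getCount($user);
        S::set('notifs', $n);
    }

    /** Sets the permanent 'access' cookie (sha1 of the stored password
     *  column, 300 days, httponly). Never set under suid.
     *
     *  @param bool $replace when true, keep an existing non-blank cookie
     *  @param bool $log     whether to log 'cookie_on'
     */
    public function setAccessCookie($replace = false, $log = true)
    {
        if (S::suid() || ($replace && !Cookie::blank('access'))) {
            return;
        }
        Cookie::set('access', sha1(S::user()->password()), 300, true);
        if ($log) {
            S::logger()->log('cookie_on');
        }
    }

    /** Removes the permanent 'access' cookie.
     *
     *  @param bool $log whether to log 'cookie_off'
     */
    public function killAccessCookie($log = true)
    {
        Cookie::kill('access');
        if ($log) {
            S::logger()->log('cookie_off');
        }
    }

    /** Removes the cookies that only pre-fill the login form. */
    public function killLoginFormCookies()
    {
        Cookie::kill('uid');
        Cookie::kill('domain');
    }
}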
| 330 | |
| 331 | // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: |
| 332 | ?> |