From e6b347d916832e3a91fd5043dd30e8eff4db4747 Mon Sep 17 00:00:00 2001
From: Alex Orluc <alex.orluc@maarch.org>
Date: Thu, 26 Apr 2018 16:28:34 +0200
Subject: [PATCH] FIX #6321 fix log with login mode ldap

---
 apps/maarch_entreprise/smartphone/log.php | 258 ++++++++++++++--------
 1 file changed, 166 insertions(+), 92 deletions(-)

diff --git a/apps/maarch_entreprise/smartphone/log.php b/apps/maarch_entreprise/smartphone/log.php
index ea2eb774603..4d917f2bcbc 100755
--- a/apps/maarch_entreprise/smartphone/log.php
+++ b/apps/maarch_entreprise/smartphone/log.php
@@ -1,5 +1,6 @@
 <?php
 
+
 /**
 * File : log.php
 *
@@ -15,32 +16,62 @@
 if (file_exists('../../core/init.php')) {
     include_once '../../core/init.php';
 }
-require_once('core' . DIRECTORY_SEPARATOR . 'class' . DIRECTORY_SEPARATOR . 'class_functions.php');
-require_once('core' . DIRECTORY_SEPARATOR . 'class' . DIRECTORY_SEPARATOR . 'class_db_pdo.php');
-require_once('core' . DIRECTORY_SEPARATOR . 'class' . DIRECTORY_SEPARATOR . 'class_core_tools.php');
+require_once 'core'.DIRECTORY_SEPARATOR.'class'.DIRECTORY_SEPARATOR.'class_functions.php';
+require_once 'core'.DIRECTORY_SEPARATOR.'class'.DIRECTORY_SEPARATOR.'class_db.php';
+require_once 'core'.DIRECTORY_SEPARATOR.'class'.DIRECTORY_SEPARATOR.'class_core_tools.php';
 
 $core = new core_tools();
 $core->load_lang();
+$func = new functions();
 
 $_SESSION['error'] = '';
-if (isset($_REQUEST['login'])) {
-    $login = functions::wash($_REQUEST['login'], 'no', _THE_ID, 'yes');
+if (isset($_SESSION['web_cas_url'])) {
+    include_once 'apps/maarch_entreprise/tools/phpCAS/CAS.php';
+
+    phpCAS::client(constant($_SESSION['cas_version']), $_SESSION['cas_serveur'], (int) $_SESSION['cas_port'], $_SESSION['cas_context'], true);
+
+    if (!empty($_SESSION['cas_certificate'])) {
+        phpCAS::setCasServerCACert($_SESSION['cas_certificate']);
+    } else {
+        phpCAS::setNoCasServerValidation();
+    }
+
+    phpCAS::forceAuthentication();
+    $Id = phpCAS::getUser();
+
+    if (!empty($_SESSION['cas_id_separator'])) {
+        $tmpId = explode($_SESSION['cas_id_separator'], $Id);
+        $login = $tmpId[0];
+    } else {
+        $login = $Id;
+    }
+
+    $_REQUEST['pass'] = 'maarch';
+} elseif (!empty($_SESSION['ozwillo']['userId'])) {
+    $login = $_SESSION['ozwillo']['userId'];
+    $_REQUEST['pass'] = 'maarch';
+} elseif (!empty($_SESSION['sso']['userId'])) {
+    $login = $_SESSION['sso']['userId'];
+    $_REQUEST['pass'] = 'maarch';
+} elseif (isset($_REQUEST['login'])) {
+    $login = $func->wash($_REQUEST['login'], 'no', _THE_ID, 'yes');
 } else {
     $login = '';
 }
 if (isset($_REQUEST['pass'])) {
-    $password = functions::wash($_REQUEST['pass'], 'no', _PASSWORD_FOR_USER, 'yes');
+    $password = $func->wash($_REQUEST['pass'], 'no', _PASSWORD_FOR_USER, 'yes');
 } else {
     $password = '';
 }
 if (isset($_REQUEST['ra_code'])) {
-    $ra_code = functions::wash($_REQUEST['ra_code'], 'no', _RA_CODE, 'yes');
+    $ra_code = $func->wash($_REQUEST['ra_code'], 'no', _RA_CODE, 'yes');
 } else {
     $ra_code = '';
 }
 require_once 'core/class/class_security.php';
-require_once 'apps/' . $_SESSION['config']['app_id']
-    . '/class/class_business_app_tools.php';
+require_once 'core/class/class_request.php';
+require_once 'apps/'.$_SESSION['config']['app_id']
+    .'/class/class_business_app_tools.php';
 $sec = new security();
 $businessAppTools = new business_app_tools();
 
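Review bot: When `$_SESSION['cas_certificate']` is empty, L47 calls `phpCAS::setNoCasServerValidation()`, so the CAS server's TLS certificate is never checked and the identity read into `$Id` at L51 is only as trustworthy as the network path; failing closed on a missing certificate (the same `exit()` treatment the file gives a missing LDAP config further down) is the safer default, or at minimum the branch should log that validation has been disabled. The CAS, Ozwillo and SSO branches also write the fixed string `'maarch'` into `$_REQUEST['pass']` (L60, L63, L66), which L74 washes into `$password` and which, when `$_SESSION['config']['ldap']` is `'true'`, is later passed to `$ad->authenticate()` and `$sec->login(..., 'ldap')`; presumably `security::login` recognises this placeholder for SSO identities, and if so a short comment stating that contract here, e.g. `// placeholder password: security::login trusts the SSO-provided identity`, would stop the next reader from treating it as a real credential. The `if`/`elseif` chain is complete within the hunk.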
@@ -63,29 +94,35 @@ if (count($_SESSION['config']) <= 0) {
     $core->load_menu($_SESSION['modules']);
 }
 
-    if ($_SESSION['config']['ldap'] == 'true' && $login <> 'superadmin') {
+if (!empty($_SESSION['error'])) {
+    header(
+        'location: '.$_SESSION['config']['businessappurl']
+        .'index.php?display=true&page=login'
+    );
+    exit();
+} else {
+    if ($_SESSION['config']['ldap'] == 'true' && $login != 'superadmin') {
         //Extraction de /root/config dans le fichier de conf
-        if (file_exists($_SESSION['config']['corepath'] 
-            . '/custom/' . $_SESSION['custom_override_id']
-            . '/modules/ldap/xml/config.xml')
+        if (file_exists($_SESSION['config']['corepath']
+            .'/custom/'.$_SESSION['custom_override_id']
+            .'/modules/ldap/xml/config.xml')
         ) {
-            $pathtoConfig = $_SESSION['config']['corepath'] 
-            . '/custom/' . $_SESSION['custom_override_id']
-            . '/modules/ldap/xml/config.xml';
+            $pathtoConfig = $_SESSION['config']['corepath']
+            .'/custom/'.$_SESSION['custom_override_id']
+            .'/modules/ldap/xml/config.xml';
         } else {
-             $pathtoConfig = $_SESSION['config']['corepath'] 
-                . 'modules/ldap/xml/config.xml';
+            $pathtoConfig = $_SESSION['config']['corepath']
+                .'modules/ldap/xml/config.xml';
         }
-               $ldapConf = new DomDocument();
+        $ldapConf = new DomDocument();
         try {
-            if (!@$ldapConf->load($pathtoConfig)) 
-            {
+            if (!@$ldapConf->load($pathtoConfig)) {
                 throw new Exception(
                     'Impossible de charger le document : '
-                    . $pathtoConfig
+                    .$pathtoConfig
                 );
             }
-        } catch(Exception $e) {
+        } catch (Exception $e) {
             exit($e->getMessage());
         }
 
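Review bot: On a failed LDAP config load the `catch` at L139-L141 prints the exception message straight to the browser with `exit($e->getMessage())`, and that message embeds `$pathtoConfig`, a server filesystem path; write the path to the server log and return a generic message instead, e.g. `error_log($e->getMessage()); exit(_BAD_LOGIN_OR_PSW);`. The `@` on `$ldapConf->load()` at L131 also discards the libxml reason for the failure, so `libxml_use_internal_errors(true)` before the load and `libxml_get_errors()` in the log line would make the failure diagnosable without exposing anything to the client. The `else` opened at L104 closes at L384, outside this hunk.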
@@ -96,135 +133,172 @@ if (count($_SESSION['config']) <= 0) {
         }
 
         //On inclus la class LDAP qui correspond à l'annuaire
-        if (!include $_SESSION['config']['corepath'] . 'modules/ldap/class/class_adLDAP.php') 
-        {
-            exit('Impossible de charger class_' . $_SESSION['config']['corepath'] 
-                . 'modules/ldap/class/class_adLDAP.php'."\n");
+        if (strtolower($type_ldap) == 'openldap') {
+            $classLdap = 'class_openLDAP.php';
+        } else {
+            $classLdap = 'class_adLDAP.php';
+        }
+
+        //customized or not
+        if (!@include $_SESSION['config']['corepath'].'/custom/'.$_SESSION['custom_override_id'].'/modules/ldap/class/'.$classLdap) {
+            if (!@include $_SESSION['config']['corepath'].'modules/ldap/class/'.$classLdap) {
+                exit('Impossible de charger class_'.$_SESSION['config']['corepath'].'/modules/ldap/class/'.$classLdap."\n");
+            }
         }
-        
-        if ($prefix_login <> '') {
-            $login_admin = $prefix_login . "\\" . $login_admin;
+
+        if ($prefix_login != '') {
+            $login_admin = $prefix_login.'\\'.$login_admin;
         }
-        
+
         //Try to create a new ldap instance
-        try {
-            $ad = new LDAP($domain, $login_admin, $pass, $ssl);
-        } catch(Exception $conFailure) {
-            echo $conFailure->getMessage();
-            exit;
+        if (strtolower($type_ldap) == 'openldap') {
+            try {
+                $ad = new LDAP($domain, $login_admin, $pass, $ssl, $hostname);
+            } catch (Exception $conFailure) {
+                echo functions::xssafe($conFailure->getMessage());
+                exit;
+            }
+        } else {
+            try {
+                $ad = new LDAP($domain, $login_admin, $pass, $ssl);
+            } catch (Exception $conFailure) {
+                echo functions::xssafe($conFailure->getMessage());
+                exit;
+            }
         }
-        
-        if ($prefix_login <> '') {
-            $loginToAd = $prefix_login . "\\" . $login;
+
+        if ($prefix_login != '') {
+            $loginToAd = $prefix_login.'\\'.$login;
         } else {
             $loginToAd = $login;
         }
-        
-        if ($ad -> authenticate($loginToAd, $password)) {
-            $db = new Database();
-            
-            $login = end(explode('\\', $login));
-
-            $query = "SELECT * FROM users WHERE user_id ILIKE ?";
-            $stmt = $db->query($query,array($login));
-            
-            if ($stmt->fetchObject()) {
+
+        if ($ad->authenticate($loginToAd, $password)) {
+            //TODO: protect sql injection with PDO
+            require_once 'core/class/class_db_pdo.php';
+
+            // Instantiate database.
+            $database = new Database();
+            $stmt = $database->query(
+                    'SELECT * FROM users WHERE user_id ILIKE ?',
+                    array($login)
+                ); //permet de rechercher les utilisateurs dans le LDAP sans prendre en compte la casse
+            $result = $stmt->fetch();
+
+            if ($result) {
                 $_SESSION['error'] = '';
                 $res = $sec->login($login, $password, 'ldap');
                 $_SESSION['user'] = $res['user'];
-                if (empty($_SESSION['error'])) {
+                if ($res['error'] == '') {
+                    \SrcCore\models\SecurityModel::setCookieAuth(['userId' => $login]);
+                } else {
                     $_SESSION['error'] = $res['error'];
                 }
                 $core->load_menu($_SESSION['modules']);
                 header('location: smartphone/index.php?page=welcome');
                 exit();
             } else {
-                $_SESSION['error'] = _NO_LOGIN_OR_PSW_BY_LDAP . '...';
+                $_SESSION['error'] = _BAD_LOGIN_OR_PSW;
                 header(
-                    'location: ' . $_SESSION['config']['businessappurl']
-                    . 'index.php?display=true&page=login'
+                    'location: '.$_SESSION['config']['businessappurl']
+                    .'index.php?display=true&page=login'
                 );
                 exit;
             }
         } else {
-            $_SESSION['error'] = _BAD_LOGIN_OR_PSW . ' (ad authenticate) ...';
+            $_SESSION['error'] = _BAD_LOGIN_OR_PSW;
             header(
-                'location: ' . $_SESSION['config']['businessappurl']
-                . 'index.php?display=true&page=login'
+                'location: '.$_SESSION['config']['businessappurl']
+                .'index.php?display=true&page=login'
             );
             exit;
         }
-    }
-    else {
-        if (empty($login) || empty($password)) {
-            $_SESSION['error'] = _BAD_LOGIN_OR_PSW . '...';
+    } elseif (isset($_REQUEST['ra_code'])) {
+        if (empty($login) || empty($password) || empty($ra_code)) {
+            $_SESSION['error'] = _IP_NOT_ALLOWED;
             header(
-                'location: ' . $_SESSION['config']['businessappurl']
-                . 'index.php?display=true&page=login'
+                'location: '.$_SESSION['config']['businessappurl']
+                .'index.php?display=true&page=login'
             );
             exit;
         } else {
             $_SESSION['error'] = '';
-            if ($ra_code != '') $res = $sec->login($login, $password, false, $ra_code);
-            else $res = $sec->login($login, $password);
-
-            if (!$sec->test_allowed_ip() && $ra_code == ''){
-                $_SESSION['error'] = _TRYING_TO_CONNECT_FROM_NOT_ALLOWED_IP;
-                $sec->generateRaCode($login, $password);
-                exit();
-            }
-
-            //$core->show_array($res);exit();
+            $res = $sec->login($login, $password, false, $ra_code);
+            //$core->show_array($res);
             $_SESSION['user'] = $res['user'];
             if ($res['error'] == '') {
-               // $businessAppTools->load_app_var_session($_SESSION['user']);
+                // $businessAppTools->load_app_var_session($_SESSION['user']);
                 //$core->load_var_session($_SESSION['modules'], $_SESSION['user']);
                 $core->load_menu($_SESSION['modules']);
-               // exit;
+                // exit;
             }
-            else {
+            if (empty($_SESSION['error'])) {
                 $_SESSION['error'] = $res['error'];
-                header(
-                'location: ' . $_SESSION['config']['businessappurl']
-                . 'index.php?display=true&page=login'
-                );
-                exit();
             }
-            
-            /*$pathToIPFilter = '';
-            if(file_exists($_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml')){
+            header(
+                'location: '.$_SESSION['config']['businessappurl'].$res['url']
+            );
+            exit();
+        }
+    } else {
+        if (empty($login) || empty($password)) {
+            $_SESSION['error'] = _BAD_LOGIN_OR_PSW.'...';
+            header(
+                'location: '.$_SESSION['config']['businessappurl']
+                .'index.php?display=true&page=login'
+            );
+            exit;
+        } else {
+            $_SESSION['error'] = '';
+            $res = $sec->login($login, $password);
+            //$core->show_array($res);
+            $_SESSION['user'] = $res['user'];
+            if ($res['error'] == '') {
+                \SrcCore\models\SecurityModel::setCookieAuth(['userId' => $login]);
+                // $businessAppTools->load_app_var_session($_SESSION['user']);
+                //$core->load_var_session($_SESSION['modules'], $_SESSION['user']);
+                $core->load_menu($_SESSION['modules']);
+                // exit;
+            } else {
+                $_SESSION['error'] = $res['error'];
+            }
+
+            $pathToIPFilter = '';
+            if (file_exists($_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml')) {
                 $pathToIPFilter = $_SESSION['config']['corepath'].'custom'.DIRECTORY_SEPARATOR.$_SESSION['custom_override_id'].DIRECTORY_SEPARATOR.'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
             } elseif (file_exists('apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml')) {
                 $pathToIPFilter = 'apps'.DIRECTORY_SEPARATOR.$_SESSION['config']['app_id'].DIRECTORY_SEPARATOR.'xml'.DIRECTORY_SEPARATOR.'ip_filter.xml';
-            }
-            else {
+            } else {
                 $ipArray = array();
                 $ipArray['enabled'] = 'false';
                 $ipArray['duration'] = '0';
             }
             $ipArray = array();
-            $ipArray = functions::object2array(simplexml_load_file($pathToIPFilter));
+            $ipArray = $func->object2array(simplexml_load_file($pathToIPFilter));
             //print_r($ipArray);
             if ($ipArray['enabled'] == 'true') {
                 $isAllowed = false;
-                if($ipArray['IP'] <> '') {
+                if ($ipArray['IP'] != '') {
                     $isAllowed = preg_match($ipArray['IP'], $_SERVER['REMOTE_ADDR']);
                 }
-                
+
                 if (empty($_SESSION['error'])) {
                     $_SESSION['error'] = $res['error'];
                 }
                 if (!$isAllowed && $res['error'] == '') {
                     if ($ipArray['duration'] == 0) {
                         $_SESSION['error'] = _IP_NOT_ALLOWED_NO_RA_CODE;
-                    }
-                    else {
+                    } else {
                         $_SESSION['error'] = _IP_NOT_ALLOWED;
                     }
                     $res['url'] = 'index.php?display=true&page=login';
                 }
-            }*/
-                header('location: smartphone/index.php?page=welcome');
+            }
+            if ($_SESSION['user']['UserId'] == 'superadmin') {
+                $res['url'] .= '?administration=true';
+            }
+            header('location: smartphone/index.php?page=welcome');
             exit();
         }
     }
+}
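Review bot: The redirect at L380 is hard-coded to `smartphone/index.php?page=welcome`, so in the password branch a login that `$sec->login` rejected (error stored at L334) or that the re-enabled IP filter denied (L364-L373 only rewrite `$res['url']`, which nothing reads afterwards) is still forwarded to the welcome page with `$_SESSION['user']` populated, whereas the removed lines at L300-L304 bounced to the login page in that case; unless smartphone/index.php re-validates the session, both the error path and the IP filter are inert, and the LDAP branch at L230-L237 has the same shape. Separately, `$ipArray = array();` at L349 discards the defaults set at L345-L347, so when no ip_filter.xml exists `simplexml_load_file('')` is called and `$ipArray['enabled']` is read from a non-array. The `//TODO: protect sql injection with PDO` comment at L214 is stale because the query at L219-L222 is already parameterised, but `ILIKE` still treats `%` and `_` inside `$login` as wildcards, so the lookup should escape them or use `lower(user_id) = lower(?)`. The `else` opened before this hunk closes at L384.
```php
            // … unchanged: $sec->login call, $_SESSION['user'] and $pathToIPFilter resolution …
            if ($pathToIPFilter != '') {
                $ipArray = $func->object2array(simplexml_load_file($pathToIPFilter));
            }
            // … unchanged: IP-filter evaluation that fills $_SESSION['error'] …
            if (!empty($_SESSION['error'])) {
                // rejected credentials or a denied IP never reach the welcome page
                header(
                    'location: '.$_SESSION['config']['businessappurl']
                    .'index.php?display=true&page=login'
                );
                exit();
            }
            if ($_SESSION['user']['UserId'] == 'superadmin') {
                $res['url'] .= '?administration=true';
            }
            header('location: smartphone/index.php?page=welcome');
            exit();
```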
-- 
GitLab