<?php
//============================================================+
// File name   : tce_functions_authorization.php
// Begin       : 2001-09-26
// Last Update : 2013-07-02
//
// Description : Functions for Authorization / LOGIN
//
// Author: Nicola Asuni
//
// (c) Copyright:
//               Nicola Asuni
//               Tecnick.com LTD
//               www.tecnick.com
//               info@tecnick.com
//
// License:
//    Copyright (C) 2004-2013 Nicola Asuni - Tecnick.com LTD
//    See LICENSE.TXT file for more information.
//============================================================+

/**
 * @file
 * Functions for Authorization / LOGIN
 * @package com.tecnick.tcexam.shared
 * @author Nicola Asuni
 * @since 2001-09-26
 */

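/**
 * Returns XHTML / CSS formatted string for login form.<br>
 * The CSS classes used by the markup built here are:
 * <ul>
 * <li>div.container : outer container for the login box</li>
 * <li>div.container div.tceformbox : container for the form</li>
 * <li>div.row : container for a button row or link row</li>
 * <li>div.row span.formw : container for the password reset link</li>
 * <li>div.pagehelp : help text shown below the form</li>
 * </ul>
 * (The user name / password rows are produced by getFormRowTextInput() and use that helper's classes.)
 * The four form attribute values ($faction, $fid, $fmethod, $fenctype) are HTML-escaped
 * before being written into the markup, so callers may pass them raw.
 * @param faction String action attribute
 * @param fid String form ID attribute
 * @param fmethod String method attribute (get/post)
 * @param fenctype String enctype attribute
 * @param username String user name (pre-filled into the user name field)
 * @return XHTML string for login form
 */
function F_loginForm($faction, $fid, $fmethod, $fenctype, $username) {
	global $l;
	require_once('../config/tce_config.php');
	require_once('../../shared/config/tce_user_registration.php');
	// Escape every value that ends up inside an HTML attribute.
	// $faction is normally $_SERVER['SCRIPT_NAME'], which is derived from the
	// request path and must not be assumed to be attribute-safe.
	$faction = htmlspecialchars($faction, ENT_QUOTES, 'UTF-8');
	$fid = htmlspecialchars($fid, ENT_QUOTES, 'UTF-8');
	$fmethod = htmlspecialchars($fmethod, ENT_QUOTES, 'UTF-8');
	$fenctype = htmlspecialchars($fenctype, ENT_QUOTES, 'UTF-8');
	$str = '';
	$str .= '<div class="container">'.K_NEWLINE;
	if (K_USRREG_ENABLED) {
		// self-registration link, only when enabled in tce_user_registration.php
		$str .= '<small><a href="../../public/code/tce_user_registration.php" title="'.$l['t_user_registration'].'">'.$l['w_user_registration_link'].'</a></small>'.K_NEWLINE;
	}
	$str .= '<div class="tceformbox">'.K_NEWLINE;
	$str .= '<form action="'.$faction.'" method="'.$fmethod.'" id="'.$fid.'" enctype="'.$fenctype.'">'.K_NEWLINE;
	// user name
	// NOTE(review): $username is handed to getFormRowTextInput() as-is; it is
	// not escaped here to avoid double-encoding, so confirm that helper escapes
	// its value argument.
	$str .= getFormRowTextInput('xuser_name', $l['w_username'], $l['h_login_name'], '', $username, '', 255, false, false, false, '');
	// password (the trailing boolean flags are defined by getFormRowTextInput())
	$str .= getFormRowTextInput('xuser_password', $l['w_password'], $l['h_password'], '', '', '', 255, false, false, true, '');
	// One Time Password code (OTP)
	if (K_OTP_LOGIN) {
		$str .= getFormRowTextInput('xuser_otpcode', $l['w_otpcode'], $l['h_otpcode'], '', '', '', 255, false, false, true, '');
	}
	if (defined('K_PASSWORD_RESET') AND K_PASSWORD_RESET) {
		// print a link to password reset page
		$str .= '<div class="row">'.K_NEWLINE;
		$str .= '<span class="formw"><a href="../../public/code/tce_password_reset.php" title="'.$l['h_reset_password'].'" style="font-size:90%;">'.$l['w_forgot_password'].'</a></span>'.K_NEWLINE;
		$str .= '</div>'.K_NEWLINE;
	}
	// buttons
	$str .= '<div class="row">'.K_NEWLINE;
	$str .= '<input type="submit" name="login" id="login" value="'.$l['w_login'].'" title="'.$l['h_login_button'].'" />'.K_NEWLINE;
	// the following field is used to check if the form has been submitted
	$str .= '<input type="hidden" name="logaction" id="logaction" value="login" />'.K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	$str .= '</form>'.K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	$str .= '<div class="pagehelp">'.$l['hp_login'].'</div>'.K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	return $str;
}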

/**
 * Display login page.
 * Which page is produced depends on the alternate authentication settings:
 * a 401 challenge when HTTP Basic is enabled, a redirect to the Shibboleth
 * login page when Shibboleth is enabled, otherwise the standard login form.
 * The alternate methods are skipped when $_SESSION['logout'] is set, i.e.
 * right after an explicit logout.
 * NOTE: This function calls exit() after execution.
 */
function F_login_form() {
	global $l, $thispage_title;
	global $xuser_name, $xuser_password;
	require_once('../config/tce_config.php');
	// true when the current session has just been terminated by a logout
	$just_logged_out = (isset($_SESSION['logout']) && $_SESSION['logout']);
	// HTTP-Basic authentication
	require_once('../../shared/config/tce_httpbasic.php');
	if (K_HTTPBASIC_ENABLED && !$just_logged_out) {
		// challenge the browser for HTTP Basic credentials
		header('WWW-Authenticate: Basic realm="TCExam"');
		header('HTTP/1.0 401 Unauthorized');
		require_once('../code/tce_page_header.php');
		F_print_error('WARNING', $l['m_authorization_denied']);
		require_once('../code/tce_page_footer.php');
		exit(); // break page here
	}
	// Shibboleth authentication
	require_once('../../shared/config/tce_shibboleth.php');
	if (K_SHIBBOLETH_ENABLED && !$just_logged_out) {
		// redirect to Shibboleth Login Page
		header('Location: '.K_SHIBBOLETH_LOGIN);
		// minimal XHTML body for clients that do not follow the Location
		// header: a meta refresh (content="0", no URL: reloads this page)
		// plus a plain link to the Shibboleth login page
		$lang = $l['a_meta_language'];
		$page = '<'.'?xml version="1.0" encoding="'.$l['a_meta_charset'].'"?'.'>'.K_NEWLINE
			.'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">'.K_NEWLINE
			.'<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="'.$lang.'" lang="'.$lang.'" dir="'.$l['a_meta_dir'].'">'.K_NEWLINE
			.'<head>'.K_NEWLINE
			.'<title>LOGIN</title>'.K_NEWLINE
			.'<meta http-equiv="refresh" content="0" />'.K_NEWLINE
			.'</head>'.K_NEWLINE
			.'<body>'.K_NEWLINE
			.'<a href="'.K_SHIBBOLETH_LOGIN.'">LOGIN</a>'.K_NEWLINE
			.'</body>'.K_NEWLINE
			.'</html>'.K_NEWLINE;
		echo $page;
		exit(); // break page here
	}
	// standard login form
	require_once('../../shared/code/tce_functions_form.php');
	$thispage_title = $l['t_login_form']; // set page title
	require_once('../code/tce_page_header.php');
	echo F_loginForm($_SERVER['SCRIPT_NAME'], 'form_login', 'post', 'multipart/form-data', $xuser_name);
	require_once('../code/tce_page_footer.php');
	exit(); // break page here
}


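/**
 * Display logout form.
 * The form posts to tce_logout.php and carries the current script name in a
 * hidden field (presumably so the logout page can return to the caller).
 * @return XHTML string for logout form.
 */
function F_logout_form() {
	global $l;
	require_once('../config/tce_config.php');
	require_once('../../shared/code/tce_functions_form.php');
	// SCRIPT_NAME is derived from the request path, so it is escaped before
	// being placed inside an attribute value; a missing value becomes ''.
	$current_page = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
	$current_page = htmlspecialchars($current_page, ENT_QUOTES, 'UTF-8');
	$str = K_NEWLINE;
	$str .= '<div class="container">'.K_NEWLINE;
	$str .= '<div class="tceformbox">'.K_NEWLINE;
	$str .= '<form action="../code/tce_logout.php" method="post" id="form_logout" enctype="multipart/form-data">'.K_NEWLINE;
	// description
	$str .= '<div class="row">'.K_NEWLINE;
	$str .= $l['d_logout_desc'].K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	// buttons
	$str .= '<div class="row">'.K_NEWLINE;
	// the following field is used to check if form has been submitted
	$str .= '<input type="hidden" name="current_page" id="current_page" value="'.$current_page.'" />'.K_NEWLINE;
	$str .= '<input type="hidden" name="logaction" id="logaction" value="" />'.K_NEWLINE;
	$str .= '<input type="submit" name="login" id="login" value="'.$l['w_logout'].'" />'.K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	$str .= '</form>'.K_NEWLINE;
	$str .= '</div>'.K_NEWLINE;
	return $str;
}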

/**
 * Display logout page.
 * Prints the shared page header, the logout form and the shared footer.
 * NOTE: This function calls exit() after execution.
 */
function F_logout_page() {
	global $l, $thispage_title;
	require_once('../config/tce_config.php');
	// page title consumed by the shared header
	$thispage_title = $l['t_logout_form'];
	require_once('../code/tce_page_header.php');
	$form = F_logout_form();
	echo $form;
	require_once('../code/tce_page_footer.php');
	exit(); // break page here
}

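/**
 * Returns true if the current user is authorized to update and delete the selected database record.
 * The user is authorized when one of the following holds, checked in this order:
 * <ul>
 * <li>the session user level is at least K_AUTH_ADMINISTRATOR;</li>
 * <li>the record's user foreign key equals the session user ID (original author);</li>
 * <li>the record's author ID is greater than 1 and the current user belongs to a group of type 'B'.</li>
 * </ul>
 * @author Nicola Asuni
 * @since 2006-03-11
 * @param $table (string) table to be modified
 * @param $field_id_name (string) name of the main ID field of the table
 * @param $value_id (int) value of the ID field of the table
 * @param $field_user_id (string) name of the foreign key to user_id
 * @return boolean true if the user is authorized, false otherwise
 */
function F_isAuthorizedUser($table, $field_id_name, $value_id, $field_user_id) {
	global $l,$db;
	require_once('../config/tce_config.php');
	// NOTE(review): $table, $field_id_name and $field_user_id are used as SQL
	// identifiers, and F_escape_sql() only handles string-literal escaping, so
	// these must always come from code constants, never from request data.
	$table = F_escape_sql($db, $table);
	$field_id_name = F_escape_sql($db, $field_id_name);
	$value_id = intval($value_id);
	$field_user_id = F_escape_sql($db, $field_user_id);
	// fail closed: a missing session user resolves to ID 0 / level 0
	$user_id = isset($_SESSION['session_user_id']) ? intval($_SESSION['session_user_id']) : 0;
	$user_level = isset($_SESSION['session_user_level']) ? intval($_SESSION['session_user_level']) : 0;
	// check for administrator
	if (defined('K_AUTH_ADMINISTRATOR') AND ($user_level >= K_AUTH_ADMINISTRATOR)) {
		return true;
	}
	// check for original author
	if (F_count_rows($table.' WHERE '.$field_id_name.'='.$value_id.' AND '.$field_user_id.'='.$user_id.' LIMIT 1') > 0) {
		return true;
	}
	// check for author's groups
	// get author ID (0 when the record does not exist)
	$author_id = 0;
	$sql = 'SELECT '.$field_user_id.' FROM '.$table.' WHERE '.$field_id_name.'='.$value_id.' LIMIT 1';
	if($r = F_db_query($sql, $db)) {
		if($m = F_db_fetch_array($r)) {
			$author_id = intval($m[0]);
		}
	} else {
		F_display_db_error();
	}
	// NOTE(review): the query below only tests that the current user belongs to
	// some group of type 'B'; it does not reference $author_id, so it does not
	// restrict the check to groups shared with the author. Confirm this matches
	// the intended policy.
	if (($author_id > 1)
		AND (F_count_rows(K_TABLE_USERGROUP.' LEFT JOIN '. K_TABLE_GROUPS.' ON usrgrp_group_id = group_id
			WHERE usrgrp_user_id = '.$user_id.' AND group_type = \'B\'
			LIMIT 1') > 0)) {
		return true;
	}
	return false;
}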

/**
 * Returns a comma separated string of ID of the users that belong to the same groups.
 * Only groups of type 'B' are considered; the given user ID is always the last
 * element of the returned list. IDs may repeat when users share several groups.
 * @author Nicola Asuni
 * @since 2006-03-11
 * @param $user_id (int) user ID
 * @return string
 */
function F_getAuthorizedUsers($user_id) {
	global $l,$db;
	require_once('../config/tce_config.php');
	$user_id = intval($user_id);
	// groups of type 'B' the user belongs to
	$sql1 = 'SELECT usrgrp_group_id FROM '.K_TABLE_USERGROUP.' LEFT JOIN '. K_TABLE_GROUPS.' ON usrgrp_group_id = group_id
			WHERE usrgrp_user_id = '.$user_id.' AND group_type = \'B\' ';
	// every member of those groups
	$sql = 'SELECT tb.usrgrp_user_id
		FROM '.K_TABLE_USERGROUP.' AS ta, '.K_TABLE_USERGROUP.' AS tb
		WHERE ta.usrgrp_group_id=tb.usrgrp_group_id
			AND ta.usrgrp_group_id IN ('.$sql1.')';
	$ids = array();
	$r = F_db_query($sql, $db);
	if (!$r) {
		F_display_db_error();
	} else {
		while ($m = F_db_fetch_array($r)) {
			// NOTE(review): raw DB value; assumed to be an integer column
			$ids[] = $m[0];
		}
	}
	// the user is always part of the result
	$ids[] = $user_id;
	return implode(',', $ids);
}

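/**
 * Sync user groups with the ones specified on the configuration file for alternate authentication.
 * Memberships that are missing are added; existing memberships are never removed.
 * Non-positive or non-numeric group IDs are ignored.
 * @param $usrid (int) ID of the user to update.
 * @param $grpids (mixed) Group ID or comma separated list of group IDs (0=all available groups).
 * @author Nicola Asuni
 * @since 2012-09-11
 */
function F_syncUserGroups($usrid, $grpids) {
	global $l,$db;
	require_once('../config/tce_config.php');
	$usrid = intval($usrid);
	// select new group IDs
	$newgrps = array();
	if (is_string($grpids)) {
		// comma separated list of group IDs.
		// (array_walk($arr, 'intval') cannot change the array: the callback gets
		// a copy and its return value is dropped, so the elements stayed raw
		// strings. Cast explicitly and keep only positive IDs.)
		foreach (explode(',', $grpids) as $gid) {
			$gid = intval($gid);
			if ($gid > 0) {
				$newgrps[] = $gid;
			}
		}
		$newgrps = array_unique($newgrps, SORT_NUMERIC);
	} elseif ($grpids == 0) {
		// all available groups
		$sqlg = 'SELECT group_id FROM '.K_TABLE_GROUPS;
		if ($rg = F_db_query($sqlg, $db)) {
			while ($mg = F_db_fetch_array($rg)) {
				$newgrps[] = intval($mg['group_id']);
			}
		} else {
			F_display_db_error();
		}
	} elseif ($grpids > 0) {
		// single default group
		$newgrps[] = intval($grpids);
	}
	if (empty($newgrps)) {
		return;
	}
	// select existing group IDs
	$usrgrps = array();
	$sqlu = 'SELECT usrgrp_group_id FROM '.K_TABLE_USERGROUP.' WHERE usrgrp_user_id='.$usrid;
	if ($ru = F_db_query($sqlu, $db)) {
		while ($mu = F_db_fetch_array($ru)) {
			$usrgrps[] = intval($mu['usrgrp_group_id']);
		}
	} else {
		F_display_db_error();
	}
	// extract missing groups
	$diffgrps = array_values(array_diff($newgrps, $usrgrps));
	// add missing groups
	foreach ($diffgrps as $grpid) {
		if ($grpid > 0) {
			// add user to default user groups
			$sql = 'INSERT INTO '.K_TABLE_USERGROUP.' (
				usrgrp_user_id,
				usrgrp_group_id
				) VALUES (
				\''.$usrid.'\',
				\''.$grpid.'\'
				)';
			if (!$r = F_db_query($sql, $db)) {
				F_display_db_error();
			}
		}
	}
}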

/**
 * Check if the client has a valid SSL certificate.
 * The decision is based only on the SSL_CLIENT_* variables the web server
 * exports into $_SERVER after verifying the client certificate; the
 * certificate itself is not inspected here.
 * @return true if the client has a valid SSL certificate, false otherwise.
 * @author Nicola Asuni
 * @since 2013-03-26
 */
function F_isSslCertificateValid() {
	// every one of these variables must be present
	$required = array(
		'SSL_CLIENT_M_SERIAL', // The serial of the client certificate
		'SSL_CLIENT_I_DN', // Issuer DN of client's certificate
		'SSL_CLIENT_V_END', // Validity of client's certificate (end time)
		'SSL_CLIENT_VERIFY', // NONE, SUCCESS, GENEROUS or FAILED:reason
		'SSL_CLIENT_V_REMAIN', // Number of days until client's certificate expires
	);
	foreach ($required as $key) {
		if (!isset($_SERVER[$key])) {
			return false;
		}
	}
	// the server must have verified the certificate successfully ...
	if ($_SERVER['SSL_CLIENT_VERIFY'] !== 'SUCCESS') {
		return false;
	}
	// ... and it must not be expired
	if ($_SERVER['SSL_CLIENT_V_REMAIN'] <= 0) {
		return false;
	}
	return true;
}

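/**
 * Get the hash code of the specified SSL certificate.
 * The hash covers the same fields, in the same order, that F_getSSLClientHash()
 * reads from the SSL_CLIENT_* server variables (serial number, issuer DN parts,
 * subject DN parts, validity end time), so the two values can be compared.
 * md5 is used only as a fixed-length fingerprint; changing the digest would
 * invalidate every stored hash.
 * @param string $cert String containing the certificate data.
 * @param boolean $pkcs12 Set this variable to true if the certificate is in PKCS12 format.
 * @return array containing the hash code and the validity end date (formatted with K_TIMESTAMP_FORMAT).
 *         When the certificate cannot be parsed the hash code is an empty string, so it can never
 *         compare equal to a real client hash.
 * @author Nicola Asuni
 * @since 2013-07-01
 */
function F_getSSLCertificateHash($cert, $pkcs12=false) {
	if ($pkcs12) {
		// extract the X.509 certificate from the PKCS#12 bundle (no password is tried)
		$certs = array();
		if (!openssl_pkcs12_read($cert, $certs, '') OR !isset($certs['cert'])) {
			return array('', date(K_TIMESTAMP_FORMAT, time()));
		}
		$cert = $certs['cert'];
	}
	$ssldata = openssl_x509_parse($cert);
	if ($ssldata === false) {
		// unparsable input must not yield a usable fingerprint
		return array('', date(K_TIMESTAMP_FORMAT, time()));
	}
	// concatenate the distinguishing fields in a fixed order; missing fields contribute ''
	$sslhash = isset($ssldata['serialNumber']) ? bcdechex($ssldata['serialNumber']) : '';
	$dnparts = array('C', 'ST', 'O', 'OU', 'CN', 'emailAddress');
	foreach (array('issuer', 'subject') as $dn) {
		foreach ($dnparts as $part) {
			$sslhash .= isset($ssldata[$dn][$part]) ? $ssldata[$dn][$part] : '';
		}
	}
	// validity end time as unix epoch; falls back to "now" when the parser did not provide it
	if (isset($ssldata['validTo_time_t'])) {
		$endtime = $ssldata['validTo_time_t'];
	} else {
		$endtime = time();
	}
	$sslhash .= $endtime;
	return array(md5($sslhash), date(K_TIMESTAMP_FORMAT, $endtime));
}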

/**
 * Get the hash code for the client certificate.
 * Mirrors F_getSSLCertificateHash(): the same fields, in the same order, are
 * read from the SSL_CLIENT_* variables exported by the web server; a missing
 * variable contributes an empty string.
 * @return string containing the hash code.
 * @author Nicola Asuni
 * @since 2013-07-01
 */
function F_getSSLClientHash() {
	$parts = array();
	// certificate serial number, normalised to upper case
	$parts[] = isset($_SERVER['SSL_CLIENT_M_SERIAL']) ? strtoupper($_SERVER['SSL_CLIENT_M_SERIAL']) : '';
	// issuer (I) and subject (S) DN components
	foreach (array('I', 'S') as $dn) {
		foreach (array('C', 'ST', 'O', 'OU', 'CN', 'Email') as $attr) {
			$key = 'SSL_CLIENT_'.$dn.'_DN_'.$attr;
			$parts[] = isset($_SERVER[$key]) ? $_SERVER[$key] : '';
		}
	}
	// validity end time as unix epoch
	$parts[] = isset($_SERVER['SSL_CLIENT_V_END']) ? strtotime($_SERVER['SSL_CLIENT_V_END']) : '';
	return md5(implode('', $parts));
}

//============================================================+
// END OF FILE
//============================================================+