aboutsummaryrefslogtreecommitdiffstats
path: root/mayor-orig/www/include
diff options
context:
space:
mode:
authorM.Gergo2019-01-20 11:48:48 +0100
committerM.Gergo2019-01-20 11:48:48 +0100
commitf70027ffbedce10f412868a7bf9b0b67b113f1b1 (patch)
treefbcc48049f1e66fe3ec66a0f3d8eee47bb400cdb /mayor-orig/www/include
parente6988247360fa98b85915a38803d018dd353df00 (diff)
downloadmayor-f70027ffbedce10f412868a7bf9b0b67b113f1b1.tar.gz
mayor-f70027ffbedce10f412868a7bf9b0b67b113f1b1.zip
Rev: 4423
Diffstat (limited to 'mayor-orig/www/include')
-rw-r--r--mayor-orig/www/include/base/log.php2
-rw-r--r--mayor-orig/www/include/base/login.php23
-rw-r--r--mayor-orig/www/include/base/rights.php69
-rw-r--r--mayor-orig/www/include/modules/auth/base/token.php116
-rw-r--r--mayor-orig/www/include/modules/portal/share/hirek.php1
-rw-r--r--mayor-orig/www/include/modules/session/accountInfo.php16
-rw-r--r--mayor-orig/www/include/share/auth/base.php6
-rw-r--r--mayor-orig/www/include/share/session/base.php8
-rw-r--r--mayor-orig/www/include/share/session/close.php2
9 files changed, 209 insertions, 34 deletions
diff --git a/mayor-orig/www/include/base/log.php b/mayor-orig/www/include/base/log.php
index 0b8f6fd1..14e214a9 100644
--- a/mayor-orig/www/include/base/log.php
+++ b/mayor-orig/www/include/base/log.php
@@ -5,7 +5,7 @@
function naploz($aCode)
function szamlal($policy,$page)
*/
-
+ define('CLIENTIPADDRESS',_clientIp());
function _clientIp() {
return ($_SERVER['HTTP_X_FORWARDED_FOR']!='')?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR'];
}
diff --git a/mayor-orig/www/include/base/login.php b/mayor-orig/www/include/base/login.php
index da3217a9..4624a92a 100644
--- a/mayor-orig/www/include/base/login.php
+++ b/mayor-orig/www/include/base/login.php
@@ -1,6 +1,6 @@
<?php
- if ($action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') {
+ if ($sessionMode===2 || $action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') {
$toPolicy = readVariable($_REQUEST['toPolicy'], 'enum', 'private', $POLICIES);
$policyOrderIndex = readVariable($_POST['policyOrderIndex'], 'id', 0);
@@ -46,6 +46,15 @@
$userAccount = $GOOGLEAPIDATA['userAccount'];
$googleapiAuth = true;
}
+ } elseif ($sessionMode===2) {
+ $MAYORAPIDATA = mayorApiAuth();
+ if ($MAYORAPIDATA!==false && $MAYORAPIDATA['userAccount']!="") {
+ $userAccount = $MAYORAPIDATA['userAccount'];
+ $toPolicy = $MAYORAPIDATA['toPolicy'];
+ $mayorapiAuth = true;
+ } else {
+ unsetTokenCookies(); // + unregister token
+ }
} else {
$userPassword = readVariable($_POST['userPassword'], 'string');
// $userAccount = readVariable($_POST['userAccount'], 'regexp', null, array("^([a-z]|[A-Z]|[0-9]| |\.|,|_|[űáéúőóüöíŰÁÉÚŐÓÜÖÍäÄ]|-|@)*$"));
@@ -56,7 +65,7 @@
if (is_array($AUTH[$toPolicy]['allowOnly']) && !in_array($userAccount,$AUTH[$toPolicy]['allowOnly'])) $userAccount='';
if ($sessionID != '') $accountInformation['sessionID'] = $sessionID;
- if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true)) {
+ if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true or $mayorapiAuth === true)) {
for ($i=0; $i<count($__POLICYORDER[$policyOrderIndex]); $i++) {
$toPolicy=$__POLICYORDER[$policyOrderIndex][$i];
@@ -84,6 +93,15 @@
$_SESSION['alert'][] = 'info:A google azonosító nincs még összekötve! Először lépj be a MaYoR-ba, és kezdeményezd!';
continue;;
}
+ } elseif ($mayorapiAuth===true) {
+ if ($MAYORAPIDATA['toPolicy'] == $toPolicy) {
+ $result = _AUTH_SUCCESS; // az authentikációt a mayorApiAuth() csinálta
+ $accountInformation['cn'] = $MAYORAPIDATA['userCn'];
+ // $accountInformation['mail'] = $MAYORAPIDATA['userEmail'];
+ $accountInformation['studyId'] = $MAYORAPIDATA['studyId'];
+ } else {
+ continue;;
+ }
} else {
$result = userAuthentication($userAccount, $userPassword, $accountInformation, $toPolicy); // ??? toPolicy benne van az AccountInformation-ben!!! Ldap backend only?
}
@@ -93,6 +111,7 @@
if ($result === _AUTH_SUCCESS) {
$_SESSION['alert'] = array();
$sessionID = newSession($accountInformation, $toPolicy);
+ if ($mayorapiAuth!==true) generateAuthToken(array('userAccount'=>$userAccount, 'policy'=>$toPolicy, 'userCn'=>$accountInformation['cn'], 'studyId'=>$accountInformation['studyId'])); // --TODO untrusted clients
if ($toSkin == '') $toSkin = $skin;
header('Location: '.location("index.php?page=$toPage&sub=$toSub&f=$toF&sessionID=$sessionID&policy=$toPolicy&lang=$lang&skin=$toSkin", array('alertOLD')));
break;
diff --git a/mayor-orig/www/include/base/rights.php b/mayor-orig/www/include/base/rights.php
index 1f3eed0f..dc6b7aa7 100644
--- a/mayor-orig/www/include/base/rights.php
+++ b/mayor-orig/www/include/base/rights.php
@@ -1,4 +1,9 @@
<?php
+
+// --TODO-- ez nem ide való!
+require_once('include/modules/auth/base/token.php');
+
+
/*
Module: base
@@ -43,16 +48,14 @@ function sessionCookieEncode($sessionID,$now,$extra='')
{
if ($extra=='') $extra = uniqid(rand(), true);
$extraHash=sessionHash('ripemd160',$extra);
-// pwHash added
-// $value = base64_encode(strtotime($now).'g'.$extraHash);
$pwHash = sessionHash('ripemd160',uniqid(rand(), true));
$value = base64_encode(strtotime($now).'g'.$extraHash.'g'.$pwHash);
- return array('name'=>md5($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash);
+ return array('name'=>($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash);
}
function sessionCookieDecode($sessionID)
{
- return explode('g',base64_decode($_COOKIE[md5($sessionID)]));
+ return explode('g',base64_decode($_COOKIE[($sessionID)]));
}
function pseudoTokenGenerator() {
@@ -68,10 +71,8 @@ function pseudoTokenGenerator() {
# Azonosított user ellenőrzése a session tábla alapján
######################################################################
-
-
function validUser($sessionID,$policy,$skin='',$lang='') {
-
+ global $page;
if (_RUNLEVEL === 'cron') {
define('_USERPASSWORD','MaYoR-cron');
define('_USERACCOUNT','MaYoR-cron');
@@ -82,31 +83,25 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
return true;
}
+// if ($sessionID == '' || $MAYORAPIAUTH['valid']!==true) {
if ($sessionID == '') {
-
- if ($policy == _POLICY) {
+ $MAYORAPIAUTH = mayorApiAuth(); // van-e hosszulejáratu session-je
+ if ($policy == _POLICY && $MAYORAPIAUTH['valid']!==true) {
define('_USERPASSWORD','');
define('_USERACCOUNT','');
define('_USERCN','');
define('_STUDYID','');
-// define('_SKIN',$skin);
define('_LANG',$lang);
define('_SESSIONID','');
}
return false;
-
} else {
$lr = db_connect('login', array('fv' => 'validUser'));
if ($lr === false) die('A keretrendeszer adatbázisa nem érhető el! (validUser)');
// ha nem tudta beállítani a sütit, akkor az $_sc üres lesz így a dt feltétel 1970-01-01, ami nem gond.
-// pwHash
-// list($_sessionDt,$_sessionCookie) = sessionCookieDecode($sessionID);
list($_sessionDt,$_sessionCookie,$_sessionPwHash) = sessionCookieDecode($sessionID);
-// pwHash
-// $query = "SELECT userAccount, userCn, studyId, decode(userPassword, '"._MYSQL_ENCODE_STR."'), skin, lang, activity, dt
-// FROM session WHERE sessionID='%s' AND policy='%s'";
$query = "SELECT userAccount, userCn, studyId, aes_decrypt(userPassword, '%s'), skin, lang, activity, dt
FROM session WHERE sessionID='%s' AND policy='%s'"; // [SECURITY-002] quickfix from marton.drotos@sztaki.hu
@@ -116,12 +111,30 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
$query .= " AND sessionCookie='%s'";
$ret = db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'result' => 'indexed', 'values' => array($_sessionPwHash, $sessionID, $policy, $_sessionCookie)), $lr);
-
$num = count($ret);
+ $sessionMode = 1;
+
+ // ha nincs találat, nézzük meg, van-e a kliensnek hosszú lejáratú tokenje, kivéve, ha ...
+ if ($num !== 1 && $page!='password') {
+ $MAYORAPIAUTH = mayorApiAuth();
+ if ($MAYORAPIAUTH['valid'] === true) {
+ global $sessionMode;
+ $sessionMode = 2;
+ // reauth AS:
+ $toPolicy = $MAYORAPIAUTH['policy'];
+ $userAccount = $MAYORAPIAUTH['userAccount'];
+ $userCn = $MAYORAPIAUTH['userCn'];
+ $studyId = $MAYORAPIAUTH['studyId'];
+ $userPassword = '';
+ $lang = _DEFAULT_LANG;
+ } else {
+ unsetTokenCookies();
+ }
+ } // --token vizsgálat vége
+
if ($num == 1) {
- list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]);
- /* PDA */
+ if ($sessionMode == 1) list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]);
global $SKINS;
if (_USER_AGENT!=='ppc' && @in_array($savedSkin,$SKINS) ) $skin=$savedSkin;
if ($policy == _POLICY) {
@@ -133,7 +146,8 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
define('_LANG',$lang);
define('_SESSIONID',$sessionID);
}
- // Aktivitás figyelése!
+
+ // Aktivitás figyelése! // hopp, nem biztos, hogy van session!
$query = "UPDATE session SET activity = NOW() WHERE sessionID = '%s'";
db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'values' => array($sessionID)), $lr);
db_close($lr);
@@ -247,7 +261,10 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
unset($_POST['action']);
unset($action);
}
- } else { // klasszikus ellenőrzés, fallback // TODO BEGIN DEPRECATED BLOCK
+ } else { // klasszikus ellenőrzés, fallback
+ echo 'FATAL ERROR 696';
+ die();
+ /*
// $_JSON['result'] = false; // ITT gátolhatjuk a működést
if ($_COOKIE[__SALTNAME]=='') { // a session átállásig - ez semmitől nem véd, adott nevű sütit generálni bárki tud
$_SESSION['alert'][] = 'message:not_valid_form:no cookie'.$_SESSION[__SALTNAME];
@@ -264,13 +281,17 @@ function validUser($sessionID,$policy,$skin='',$lang='') {
unset($_POST['action']);
unset($action);
}
+ */
} // END DEPRECATED BLOCK
}
// eredeti post kezelés + ETAG prevent cache
if (($_SERVER['HTTPS']!=='on') || (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']!='' && substr($_SERVER['HTTP_REFERER'],4,1)!=='s')) $_ssl = false; else $_ssl=true;
- if (@setcookie(__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) {
- $_SESSION['alert'][] = 'message:no_cookie:unabletoset';
- }
+
+//4400 if (@setcookie('xxxDEPRECATEDxxx_'.__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) {
+//4400 $_SESSION['alert'][] = 'message:no_cookie:unabletoset';
+//4400 }
+
+
/* /XSRF2 previous revision: r4138 */
// betöltjük az össes config-ot... (lásd még widgets)
diff --git a/mayor-orig/www/include/modules/auth/base/token.php b/mayor-orig/www/include/modules/auth/base/token.php
new file mode 100644
index 00000000..72cbcffb
--- /dev/null
+++ b/mayor-orig/www/include/modules/auth/base/token.php
@@ -0,0 +1,116 @@
+<?php
+
+ function generateAuthToken($accountData) {
+
+ if (!defined('AUTHTOKENENABLED') || AUTHTOKENENABLED!==true) return false;
+
+ if (version_compare(PHP_VERSION,'5.3.0')>=0) {
+ $selector = bin2hex(openssl_random_pseudo_bytes(8));
+ $token = openssl_random_pseudo_bytes(32);
+ } elseif (version_compare(PHP_VERSION,'7.0.0')>=0) {
+ $selector = bin2hex(random_bytes(8));
+ $token = random_bytes(32);
+ } else {
+ return false; // nem támogatjuk
+ }
+
+ if (isset($_COOKIE['t_selector'])===true && isset($_COOKIE['t_validator'])===true) return true; // már van selector/validator elmentve
+
+ $lr = db_connect('login');
+ db_start_trans($lr);
+
+ $q = "DELETE FROM authToken WHERE expires <= NOW() - INTERVAL 10 DAY";
+ db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'delete'),$lr);
+
+ $q = "INSERT INTO authToken (policy, userAccount,
+ userCn, studyId,
+ selector, token, expires, activity, ipAddress) VALUES ('%s', '%s', '%s', '%s', '%s','%s',NOW() + INTERVAL 30 DAY,NOW(),'%s')";
+ $v = array($accountData['policy'], $accountData['userAccount'],
+ $accountData['userCn'], $accountData['studyId'],
+ $selector,
+ hash('sha256', $token),
+ CLIENTIPADDRESS
+ );
+ $Id = db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'insert', 'values'=>$v),$lr);
+ db_commit($lr);
+ db_close($lr);
+
+ if ($Id !== false) {
+ setcookie('t_selector',$selector,time()+604800*5,'/','',TRUE,TRUE);
+ setcookie('t_validator',bin2hex($token),time()+604800*5,'/','',TRUE,TRUE);
+ $_SESSION['mayorapiauth'] = true;
+ return true;
+ } else {
+ return false;
+ }
+ }
+
+ function unsetTokenCookies() { // + MS_*
+ $selector = readVariable($_COOKIE['t_selector'], 'string', readVariable($_GET['t_selector'], 'hexa', null));
+ if ($selector!='') {
+ $q = "DELETE FROM authToken WHERE selector='%s'";
+ $values = array($selector);
+ db_query($q, array('debug'=>false,'fv' => 'na', 'modul'=>'login', 'result'=>'delete', 'values'=>$values),$lr);
+ }
+ setcookie('t_selector','',time() - 3600,'/','',TRUE,TRUE);
+ setcookie('t_validator','',time() - 3600,'/','',TRUE,TRUE);
+ if (is_array($_COOKIE)) {
+ foreach($_COOKIE as $key => $value) {
+ if (substr($key,0,3) == 'MS_') {
+ setcookie($key,'',time() - 3600,'/','',TRUE,TRUE);
+ }
+ }
+ }
+ $_SESSION['mayorapiauth'] = false;
+ }
+
+ function mayorApiAuth() {
+
+ // $MAYORAPIDATA tömb feltöltése
+ $selector = readVariable($_COOKIE['t_selector'], 'string', readVariable($_GET['t_selector'], 'hexa', null));
+ $validator = readVariable($_COOKIE['t_validator'], 'string', readVariable($_GET['t_validator'], 'hexa', null));
+ if ($selector!='' && $validator!='') {
+ $q = "SELECT * FROM authToken WHERE selector = '%s' AND expires >= NOW()";
+ $r = db_query($q, array('fv'=>'rights/xltoken','modul'=>'login','result'=>'record','values'=>array($selector)));
+ }
+ if (is_array($r)) {
+ $calc = hash('sha256', hex2bin($validator));
+ if (hash_equals($calc, $r['token'])) { // valid token
+ global $sessionMode;
+ $sessionMode = 2;
+ // reauth AS:
+ $toPolicy = $r['policy'];
+ $userAccount = $r['userAccount'];
+ $userCn = $r['userCn'];
+ $studyId = $r['studyId'];
+ $userPassword = ''; // ???
+ $lang = _DEFAULT_LANG;
+ $data = $r;
+ $_SESSION['mayorapiauth'] = true;
+ $q = "UPDATE authToken SET activity=NOW(), ipAddress='%s' WHERE selector = '%s'";
+ $v = array(CLIENTIPADDRESS,$selector);
+ db_query($q, array('fv'=>'rights/xltoken','modul'=>'login','result'=>'update','values'=>$v));
+ return array('userAccount'=>$data['userAccount'],'toPolicy'=>$data['policy'],'studyId'=>$data['studyId'],'userCn'=>$data['userCn'],'valid'=>true);
+ } else {
+ unsetTokenCookies();
+ }
+ } else {
+ unsetTokenCookies();
+ }
+ return false;
+ }
+
+ function getMyActivity() {
+ $q = "SELECT ipAddress,activity FROM authToken WHERE userAccount ='%s' AND policy='%s'";
+ $v = array(_USERACCOUNT,_POLICY);
+ return db_query($q, array('fv'=>'rights/getMyActivity','modul'=>'login','result'=>'indexed','values'=>$v));
+ }
+
+ function revokeTokens() {
+ unsetTokenCookies();
+ $q = "DELETE FROM authToken WHERE userAccount ='%s' AND policy='%s'";
+ $v = array(_USERACCOUNT,_POLICY);
+ return db_query($q, array('fv'=>'rights/revokeTokens','modul'=>'login','result'=>'delete','values'=>$v));
+ }
+
+?>
diff --git a/mayor-orig/www/include/modules/portal/share/hirek.php b/mayor-orig/www/include/modules/portal/share/hirek.php
index f9a64f62..5aa3bdc9 100644
--- a/mayor-orig/www/include/modules/portal/share/hirek.php
+++ b/mayor-orig/www/include/modules/portal/share/hirek.php
@@ -14,6 +14,7 @@
}
function getHirek($SET = array('all'=>true,'tolDt'=>'', 'igDt'=>'', 'id' => '', 'flag'=>array(), 'class'=>array(), 'cid'=>array(), 'limit'=>'', 'lang'=>'hu_HU') ) {
+
$tolDt = $SET['tolDt']; $igDt = $SET['igDt'];
if ($tolDt!='') $W[] = "kdt<='$tolDt'";
if ($igDt!='') $W[] = "vdt>='$igDt'";
diff --git a/mayor-orig/www/include/modules/session/accountInfo.php b/mayor-orig/www/include/modules/session/accountInfo.php
index b670312f..b14a8edb 100644
--- a/mayor-orig/www/include/modules/session/accountInfo.php
+++ b/mayor-orig/www/include/modules/session/accountInfo.php
@@ -56,6 +56,22 @@
}
+ function createEduroamSettings($ADAT) {
+
+ $q = "INSERT INTO eduroam (userAccount,policy,eduroamUID,eduroamPASSWORD,eduroamAFFILIATION,eduroamDOMAIN)
+ VALUES ('%s','%s','%s','%s','%s','%s')";
+ $values = array(
+ $ADAT['userAccount'],
+ $ADAT['policy'],
+ $ADAT['eduroamUID'],
+ $ADAT['eduroamPASSWORD'],
+ $ADAT['eduroamAFFILIATION'],
+ $ADAT['eduroamDOMAIN'],
+ );
+ $res = db_query($q, array('modul'=>'login','values'=>$values));
+ return $res;
+ }
+
function getEduroamSettings($userAccount,$toPolicy,$ADAT) {
$res = false;
diff --git a/mayor-orig/www/include/share/auth/base.php b/mayor-orig/www/include/share/auth/base.php
index 9b4fa21a..8ff27f5e 100644
--- a/mayor-orig/www/include/share/auth/base.php
+++ b/mayor-orig/www/include/share/auth/base.php
@@ -93,7 +93,7 @@
db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => array($sessionID, $policy)), $lr);
}
$now = date('Y-m-d H:i:s');
- $_SC = sessionCookieEncode($sessionID, $now);
+ $_SC = sessionCookieEncode($sessionID, $now); // TODO
$_studyId = ($studyId=='') ? 'NULL' : $studyId;
if ($studyId=='') {
$query="INSERT INTO session
@@ -109,9 +109,7 @@
db_query($query, array('fv' => 'newSession', 'modul' => 'login', 'values' => $v), $lr);
db_close($lr);
- // Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő az md5 is
- // értékénél viszont a $now alkalmazása tökéletesen hibás, hiszen a lejárati dátumból 1:1-ben reprodukálható
-
+ // Megjegyzés: a sessionID elhashelése nem jelent semmiféle védelmet, így tökéletesen megfelelő a gyenge hash is, de now alkalmazása hibás
setcookie($_SC['name'],$_SC['value'],time()+60*60*_SESSION_MAX_TIME,'/','',_SECURECOOKIE);
return $sessionID;
diff --git a/mayor-orig/www/include/share/session/base.php b/mayor-orig/www/include/share/session/base.php
index 706a9ef9..337c72df 100644
--- a/mayor-orig/www/include/share/session/base.php
+++ b/mayor-orig/www/include/share/session/base.php
@@ -115,9 +115,11 @@
db_query($q, array('fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v));
}
-
-
-
+ function _clearSessionCache($sessionID) {
+ $q = "DELETE FROM `cache` WHERE sessionID IN ('%s','%s')";
+ $v = array(_SESSIONID,$sessionID);
+ db_query($q, array('debug'=>false,'fv' => 'cache', 'modul' => 'login', 'result' => 'indexed', 'values'=>$v));
+ }
######################################################
# getBackendAttrs - az adott policy backend-jéhez tartozó attribútumok - session modul
diff --git a/mayor-orig/www/include/share/session/close.php b/mayor-orig/www/include/share/session/close.php
index 146a038e..2c321ef0 100644
--- a/mayor-orig/www/include/share/session/close.php
+++ b/mayor-orig/www/include/share/session/close.php
@@ -30,6 +30,8 @@
function closeSession($sessionID = '') {
// _SESSIONID csak validUser esetén van, de mi lehet, hogy másik policy-ből jöttünk!
if ($sessionID == '') $sessionID = $_REQUEST['sessionID'];
+ _clearSessionCache($sessionID);
+ unsetTokenCookies();
$q = "DELETE FROM session WHERE sessionID='%s'";
return db_query($q, array('fv' => 'closeSession', 'modul' => 'login', 'result' => 'affected rows', 'values' => array($sessionID)));
}