From 36ff2b2b7fd89e05497051a911a80dad5f22e59f Mon Sep 17 00:00:00 2001
From: Isabel Jenkins
Date: Mon, 2 Oct 2017 17:03:00 +0100
Subject: [PATCH] Updated PHP for LDAP auth
---
 webclient/config.php | 3 +-
 webclient/imageproxy.php | 35 +++++++
 webclient/index.php | 2 +-
 webclient/poll.php | 16 ++-
 webclient/startup.php | 210 ++++++++++++++++++--------------------
 5 files changed, 143 insertions(+), 123 deletions(-)
 create mode 100644 webclient/imageproxy.php
diff --git a/webclient/config.php b/webclient/config.php
index 5e7980b5..51116abd 100644
--- a/webclient/config.php
+++ b/webclient/config.php
@@ -1,7 +1,6 @@
diff --git a/webclient/index.php b/webclient/index.php
index cb0aab8a..44869e26 100644
--- a/webclient/index.php
+++ b/webclient/index.php
@@ -23,7 +23,7 @@ if (!isset($mwsess)) {
 if ($_REQUEST['sucssite_loggedin']=="true" && $action!="logout") {
 require("startup.php");
 } else {
- echo 'Post requests only to this url';
+ echo 'nope';
 exit;
 }
 }
diff --git a/webclient/poll.php b/webclient/poll.php
index a9d7783c..144623f2 100644
--- a/webclient/poll.php
+++ b/webclient/poll.php
@@ -1,12 +1,11 @@
diff --git a/webclient/startup.php b/webclient/startup.php
index 0e9781a7..32db816f 100644
--- a/webclient/startup.php
+++ b/webclient/startup.php
@@ -7,140 +7,120 @@ $password = trim($_REQUEST['password']);
 // Preliminary checks
-// Have we been passed SUCSsite cookies?
-// If not, test that the login details make sense.
-if (@$_REQUEST['sucssite_loggedin']!="true") {
- if (empty($username) || empty($password)) {
- echo json_encode((object) ['error' => 'username and password must both be not empty']);
- exit;
- }
+// Test that the login details make sense.
+if (empty($username) || empty($password)) {
+ echo json_encode((object) ['error' => 'username and password must both be not empty']);
+}
- if (ctype_alnum($username) === FALSE) {
- echo json_encode((object) ['error' => 'alphanumeric usernames only']);
- exit;
- }
+if (!preg_match("/^[a-z][a-z0-9_]*$/", $username)) {
+ echo json_encode((object) ['error' => 'invalid characters in username']);
+ exit;
 }
-// Have we been asked to create a new Milliways account?
-// If so, make sure that the password supplied is suitable.
-if ($action=="create") {
- $pass1 = @$_REQUEST['password1'];
- $pass2 = @$_REQUEST['password2'];
-
- if ($pass1 != $pass2) {
- echo json_encode((object) ['error' => 'Passwords don\'t match - please try again']);
- exit;
- }
+login($mwpoll, $username, $password, true);
- if (empty($pass1)) {
- echo json_encode((object) ['error' => 'Password cannot be blank']);
- exit;
- }
-
- if (ctype_alnum($pass1) === FALSE) {
- echo json_encode((object) ['error' => 'Milliways passwords can only contain alphanumeric characters']);
- exit;
- }
+function login($mwpoll, $username, $password, $continue) {
+ $desc = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w"),
+ );
+ $pipes = array();
- if (strlen($pass1) < 6) {
- echo json_encode((object) ['error' => 'Milliways passwords must be 6 characters or more']);
- exit;
- }
-}
-
-$desc = array(
- 0 => array("pipe", "r"),
- 1 => array("pipe", "w"),
-);
-$pipes = array();
-
-// Have we got SUCSsite cookies?
-// And no login attempt?
-// If so, fetch the user details and try to log in without a password.
-if (@$_REQUEST['sucssite_loggedin']=="true" && empty($username)) {
-
- // Do we appear to be in the SUCSsite environment?
- // There's only any point trying if we do.
- if (file_exists("../settings.php")) {
- // Do the bare minimum of SUCSsite init to retrieve the username for the session we've been passed
- include("../settings.php");
- // Initialise the database
- require("/usr/share/php/adodb/adodb.inc.php");
- $DB = NewADOConnection('postgres9');
- $DB->Connect('dbname='.$dbname.' user=apache');
- $DB->SetFetchMode(ADODB_FETCH_ASSOC);
-
- // Include the session library
- require($base."lib/session.php");
- $session = new Session;
- // $smarty->assign("session", $session); // This line might be useful?
- $realuser = $session->username;
-
- if ($action == "create") {
- $p = proc_open($mwpoll." -q -a -u ".$realuser." -s", $desc, $pipes);
- } else {
- $p = proc_open($mwpoll." -q -u ".$realuser." -s", $desc, $pipes);
- }
- $mode = "sucssite";
- }
-} else {
- // If not, try logging in with a password.
 $p = proc_open($mwpoll." -q -u $username", $desc, $pipes);
- $mode = "password";
-}
-if (empty($p)) {
- echo "

No

"; - exit; -} - -if ($p === FALSE) { - echo json_encode((object) ['error' => 'failed to exec mwpoll']); - exit; -} + if (empty($p)) { + echo "

No

"; + exit; + } -if ($mode == "sucssite" && @$_REQUEST['sucssite_loggedin']=="true" && empty($username)) { - // If we have a sucssite session cookie, use that - fwrite($pipes[0], trim($_REQUEST['sucssite_session'])."\n"); - if ($action="create") { - fwrite($pipes[0], $pass1."\n"); + if ($p === FALSE) { + echo json_encode((object) ['error' => 'failed to exec mwpoll']); + exit; } -} else { + // Try logging on using username and password if (fwrite($pipes[0], $password."\n") === FALSE) { echo "Error writing to mwpoll\n"; } -} -$pid = fgets($pipes[1]); -if ($pid === FALSE) { - echo "error reading pid.\n"; -} + $pid = fgets($pipes[1]); + if ($pid === FALSE) { + echo "error reading pid.\n"; + exit; + } -$pid = trim($pid); -if (!is_numeric($pid)) { - if (substr($pid, -10) =="not found.") { - // User doesn't exist - ask for a Milliways password so we can create them! - echo json_encode((object) ['error' => $pid]); - exit; + $pid = trim($pid); + if (!is_numeric($pid)) { + if (preg_match('/not found/', $pid)) { + if ($continue) { + createUser($mwpoll, $username, $password); + } + exit; + } else { + echo json_encode((object) ['error' => 'Bad response: pid=$pid']); + exit; + } } + + $auth = fgets($pipes[1]); - echo json_encode((object) ['error' => 'Bad response: pid=$pid']); - exit; -} + if ($auth === FALSE) { + echo "Error reading auth string\n"; + } -$auth = fgets($pipes[1]); + $sess = array ( + "pid" => $pid, + "auth" => $auth, + "username" => $username + ); -if ($auth === FALSE) { - echo "Error reading auth string\n"; + $mwsess = serialize($sess); + echo "success:" . $mwsess; } -$sess = array ( - "pid" => $pid, - "auth" => $auth, - "username" => $username -); - -$mwsess = serialize($sess); -echo "success:" . 
$mwsess;
+function createUser($mwpoll, $username, $password) {
+ // SUCS LDAP Server
+ $sucsLDAPServer = 'silver.sucs.swan.ac.uk';
+ // Bind String
+ $sucsBindDn = "uid=$username,ou=People,dc=sucs,dc=org";
+
+ // Try and connect to Silver
+ $ldapconnSUCS = ldap_connect($sucsLDAPServer) or die("Could not connect to SUCS LDAP server.");
+
+ if ($ldapconnSUCS) {
+ // Try and bind to SUCS LDAP. Using @ to suppress PHP warining on failure
+ $ldapbindSUCS = @ldap_bind($ldapconnSUCS, $sucsBindDn, $password);
+
+ if ($ldapbindSUCS) {
+ $desc = array(
+ 0 => array("pipe", "r"),
+ 1 => array("pipe", "w"),
+ );
+ $pipes = array();
+ // Authed to SUCS lets try and create the user
+ $p = proc_open($mwpoll." -q -a -u $username -s", $desc, $pipes);
+ fwrite($pipes[0], $password . "\n");
+ fwrite($pipes[0], $password . "\n");
+ fclose($pipes[0]);
+ $pid = fgets($pipes[1]);
+ if ($pid === FALSE) {
+ echo json_encode((object) ['error' => 'Error reading pid']);
+ }
+
+ $auth = fgets($pipes[1]);
+ fclose($pipes[1]);
+ proc_close($p);
+ if ($auth === FALSE) {
+ login($mwpoll, $username, $password, false);
+ }
+ exit;
+ } else {
+ echo json_encode((object) ['error' => 'Failed to auth to SUCS']);
+ exit;
+ }
+ } else {
+ echo json_encode((object) ['error' => 'Failed to connect to SUCS LDAP']);
+ exit;
+ }
+}
 ?>
-- 
GitLab
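Review bot: The empty-credentials check at the top of the hunk no longer stops the request — the commit drops the `exit;` that followed the `'username and password must both be not empty'` response, so a request with a valid username and an empty password prints the error and still falls through to `login($mwpoll, $username, $password, true)`. That matters for the new `createUser()` path: `@ldap_bind($ldapconnSUCS, $sucsBindDn, $password)` with an empty password is an unauthenticated simple bind, which many directories accept as an anonymous bind and PHP then reports as success, so an unknown username plus a blank password could reach the account-creation branch. Restore the guard as `if (empty($username) || empty($password)) { echo json_encode((object) ['error' => 'username and password must both be not empty']); exit; }` and add an explicit `if ($password === '') { echo json_encode((object) ['error' => 'password required']); exit; }` at the top of `createUser()` before the bind so the function is safe on its own. Separately, `ldap_connect($sucsLDAPServer)` opens plain LDAP with no `ldap_start_tls()` call or `ldaps://` URI, so the user's password crosses the network unencrypted unless that host is local or the server forces TLS — worth confirming. `'Bad response: pid=$pid'` is single-quoted, so `$pid` is never interpolated; that predates the commit but the line is rewritten here and should use double quotes.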