mirror of
https://github.com/fusionpbx/fusionpbx.git
synced 2026-02-02 22:19:19 +00:00
Add mutli-factor authentication.
This commit is contained in:
markjcrane
@@ -11,14 +11,10 @@ class authentication {
|
||||
/**
|
||||
* Define variables and their scope
|
||||
*/
|
||||
public $debug;
|
||||
public $db;
|
||||
public $domain_uuid;
|
||||
public $domain_name;
|
||||
public $username;
|
||||
public $password;
|
||||
public $plugins;
|
||||
public $key;
|
||||
|
||||
/**
|
||||
* Called when the object is created
|
||||
@@ -43,16 +39,21 @@ class authentication {
|
||||
*/
|
||||
public function validate() {
|
||||
|
||||
//set the default authentication method to the database
|
||||
if (!is_array($_SESSION['authentication']['methods'])) {
|
||||
$_SESSION['authentication']['methods'][] = 'database';
|
||||
}
|
||||
|
||||
//get the domain_name and domain_uuid
|
||||
if (!isset($this->domain_name) || !isset($this->domain_uuid)) {
|
||||
$this->get_domain();
|
||||
}
|
||||
|
||||
//start the session if its not started
|
||||
if (session_status() === PHP_SESSION_NONE) {
|
||||
session_start();
|
||||
}
|
||||
|
||||
//set the default authentication method to the database
|
||||
if (!is_array($_SESSION['authentication']['methods'])) {
|
||||
$_SESSION['authentication']['methods'][] = 'database';
|
||||
}
|
||||
|
||||
//automatically block multiple authentication failures
|
||||
if (!isset($_SESSION['users']['max_retry']['numeric'])) {
|
||||
$_SESSION['users']['max_retry']['numeric'] = 5;
|
||||
@@ -88,52 +89,328 @@ class authentication {
|
||||
|
||||
//use the authentication plugins
|
||||
foreach ($_SESSION['authentication']['methods'] as $name) {
|
||||
|
||||
//already processed the plugin move to the next plugin
|
||||
if ($_SESSION['authentication']['plugin'][$name]['authorized']) {
|
||||
continue;
|
||||
}
|
||||
|
||||
//prepare variables
|
||||
$class_name = "plugin_".$name;
|
||||
$base = realpath(dirname(__FILE__)) . "/plugins";
|
||||
$plugin = $base."/".$name.".php";
|
||||
|
||||
//process the plugin
|
||||
if (file_exists($plugin)) {
|
||||
include_once $plugin;
|
||||
$object = new $class_name();
|
||||
$object->debug = $this->debug;
|
||||
$object->domain_name = $this->domain_name;
|
||||
$object->domain_uuid = $this->domain_uuid;
|
||||
if (strlen($this->key) > 0) {
|
||||
if ($plugin == 'database' && isset($this->key)) {
|
||||
$object->key = $this->key;
|
||||
}
|
||||
if (strlen($this->username) > 0) {
|
||||
if ($plugin == 'database' && isset($this->username)) {
|
||||
$object->username = $this->username;
|
||||
$object->password = $this->password;
|
||||
}
|
||||
$array = $object->$name();
|
||||
|
||||
$id = $array["plugin"];
|
||||
$result['plugin'] = $array["plugin"];
|
||||
$result['domain_name'] = $array["domain_name"];
|
||||
$result['username'] = $array["username"];
|
||||
if ($this->debug) {
|
||||
$result["password"] = $this->password;
|
||||
}
|
||||
$result['user_uuid'] = $array["user_uuid"];
|
||||
$result['contact_uuid'] = $array["contact_uuid"];
|
||||
$result['domain_uuid'] = $array["domain_uuid"];
|
||||
$result['authorized'] = $array["authorized"];
|
||||
if (count($_SESSION['authentication']['methods']) > 1) {
|
||||
$result['results'][] = $array;
|
||||
|
||||
//save the result to the authentication plugin
|
||||
$_SESSION['authentication']['plugin'][$name] = $result;
|
||||
}
|
||||
}
|
||||
|
||||
//make sure all plugins are in the array
|
||||
foreach ($_SESSION['authentication']['methods'] as $name) {
|
||||
if (!isset($_SESSION['authentication']['plugin'][$name]['authorized'])) {
|
||||
$_SESSION['authentication']['plugin'][$name]['plugin'] = $name;
|
||||
$_SESSION['authentication']['plugin'][$name]['domain_name'] = $_SESSION['domain_name'];
|
||||
$_SESSION['authentication']['plugin'][$name]['domain_uuid'] = $_SESSION['domain_uuid'];
|
||||
$_SESSION['authentication']['plugin'][$name]['username'] = $_SESSION['username'];
|
||||
$_SESSION['authentication']['plugin'][$name]['user_uuid'] = $_SESSION['user_uuid'];
|
||||
$_SESSION['authentication']['plugin'][$name]['authorized'] = 0;
|
||||
}
|
||||
}
|
||||
|
||||
//debug information
|
||||
//view_array($_SESSION['authentication'], false);
|
||||
|
||||
//set authorized to false if any authentication method failed
|
||||
$authorized = false;
|
||||
if (is_array($_SESSION['authentication']['plugin'])) {
|
||||
foreach($_SESSION['authentication']['plugin'] as $row) {
|
||||
if ($row["authorized"]) {
|
||||
$authorized = true;
|
||||
}
|
||||
|
||||
if ($result["authorized"] == "true") {
|
||||
//add the username to the session
|
||||
$_SESSION['username'] = $result["username"];
|
||||
|
||||
//end the loop
|
||||
else {
|
||||
$authorized = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//result array
|
||||
$result["plugin"] = "database";
|
||||
$result["domain_name"] = $_SESSION['domain_name'];
|
||||
if (!isset($_SESSION['username'])) {
|
||||
$result["username"] = $_SESSION['username'];
|
||||
}
|
||||
if (!isset($_SESSION['user_uuid'])) {
|
||||
$result["user_uuid"] = $_SESSION['user_uuid'];
|
||||
}
|
||||
$result["domain_uuid"] = $_SESSION['domain_uuid'];
|
||||
if (!isset($_SESSION['contact_uuid'])) {
|
||||
$result["contact_uuid"] = $_SESSION['contact_uuid'];
|
||||
}
|
||||
$result["authorized"] = $authorized;
|
||||
|
||||
//add user logs
|
||||
if (file_exists($_SERVER["PROJECT_ROOT"]."/core/user_logs/app_config.php")) {
|
||||
if ($result["authorized"]) {
|
||||
user_logs::add($result);
|
||||
}
|
||||
|
||||
//debug information
|
||||
//if ($row["authorized"]) {
|
||||
// echo "authorized: true\n";
|
||||
//}
|
||||
//else {
|
||||
// echo "authorized: false\n";
|
||||
//}
|
||||
|
||||
//user is authorized - get user settings, check user cidr
|
||||
if ($authorized) {
|
||||
|
||||
//set a session variable to indicate authorized is set to true
|
||||
$_SESSION['authorized'] = true;
|
||||
|
||||
//add the username to the session //username seesion could be set soone when check_auth uses an authorized session variable instead
|
||||
$_SESSION['username'] = $result["username"];
|
||||
|
||||
//get the user settings
|
||||
$sql = "select * from v_user_settings ";
|
||||
$sql .= "where domain_uuid = :domain_uuid ";
|
||||
$sql .= "and user_uuid = :user_uuid ";
|
||||
$sql .= "and user_setting_enabled = 'true' ";
|
||||
$parameters['domain_uuid'] = $result["domain_uuid"];
|
||||
$parameters['user_uuid'] = $result["user_uuid"];
|
||||
$database = new database;
|
||||
$user_settings = $database->select($sql, $parameters, 'all');
|
||||
unset($sql, $parameters);
|
||||
|
||||
//build the user cidr array
|
||||
if (is_array($user_settings) && @sizeof($user_settings) != 0) {
|
||||
foreach ($user_settings as $row) {
|
||||
if ($row['user_setting_category'] == "domain" && $row['user_setting_subcategory'] == "cidr" && $row['user_setting_name'] == "array") {
|
||||
$cidr_array[] = $row['user_setting_value'];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
//check to see if user address is in the cidr array
|
||||
if (isset($cidr_array) && !defined('STDIN')) {
|
||||
$found = false;
|
||||
foreach($cidr_array as $cidr) {
|
||||
if (check_cidr($cidr, $_SERVER['REMOTE_ADDR'])) {
|
||||
$found = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (!$found) {
|
||||
//destroy session
|
||||
session_unset();
|
||||
session_destroy();
|
||||
|
||||
//send http 403
|
||||
header('HTTP/1.0 403 Forbidden', true, 403);
|
||||
|
||||
//exit the code
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
//set the session variables
|
||||
$_SESSION["domain_uuid"] = $result["domain_uuid"];
|
||||
//$_SESSION["domain_name"] = $result["domain_name"];
|
||||
$_SESSION["user_uuid"] = $result["user_uuid"];
|
||||
$_SESSION["context"] = $result['domain_name'];
|
||||
|
||||
//user session array
|
||||
$_SESSION["user"]["domain_uuid"] = $result["domain_uuid"];
|
||||
$_SESSION["user"]["domain_name"] = $result["domain_name"];
|
||||
$_SESSION["user"]["user_uuid"] = $result["user_uuid"];
|
||||
$_SESSION["user"]["username"] = $result["username"];
|
||||
$_SESSION["user"]["contact_uuid"] = $result["contact_uuid"];
|
||||
|
||||
//get the groups assigned to the user and then set the groups in $_SESSION["groups"]
|
||||
$sql = "select ";
|
||||
$sql .= "u.user_group_uuid, ";
|
||||
$sql .= "u.domain_uuid, ";
|
||||
$sql .= "u.user_uuid, ";
|
||||
$sql .= "u.group_uuid, ";
|
||||
$sql .= "g.group_name, ";
|
||||
$sql .= "g.group_level ";
|
||||
$sql .= "from ";
|
||||
$sql .= "v_user_groups as u, ";
|
||||
$sql .= "v_groups as g ";
|
||||
$sql .= "where u.domain_uuid = :domain_uuid ";
|
||||
$sql .= "and u.user_uuid = :user_uuid ";
|
||||
$sql .= "and u.group_uuid = g.group_uuid ";
|
||||
$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
|
||||
$parameters['user_uuid'] = $_SESSION["user_uuid"];
|
||||
$database = new database;
|
||||
$result = $database->select($sql, $parameters, 'all');
|
||||
$_SESSION["groups"] = $result;
|
||||
$_SESSION["user"]["groups"] = $result;
|
||||
unset($sql, $parameters);
|
||||
|
||||
//get the users group level
|
||||
$_SESSION["user"]["group_level"] = 0;
|
||||
foreach ($_SESSION['user']['groups'] as $row) {
|
||||
if ($_SESSION["user"]["group_level"] < $row['group_level']) {
|
||||
$_SESSION["user"]["group_level"] = $row['group_level'];
|
||||
}
|
||||
}
|
||||
|
||||
//get the permissions assigned to the groups that the user is a member of set the permissions in $_SESSION['permissions']
|
||||
if (is_array($_SESSION["groups"]) && @sizeof($_SESSION["groups"]) != 0) {
|
||||
$x = 0;
|
||||
$sql = "select distinct(permission_name) from v_group_permissions ";
|
||||
$sql .= "where (domain_uuid = :domain_uuid or domain_uuid is null) ";
|
||||
foreach ($_SESSION["groups"] as $field) {
|
||||
if (strlen($field['group_name']) > 0) {
|
||||
$sql_where_or[] = "group_name = :group_name_".$x;
|
||||
$parameters['group_name_'.$x] = $field['group_name'];
|
||||
$x++;
|
||||
}
|
||||
}
|
||||
if (is_array($sql_where_or) && @sizeof($sql_where_or) != 0) {
|
||||
$sql .= "and (".implode(' or ', $sql_where_or).") ";
|
||||
}
|
||||
$sql .= "and permission_assigned = 'true' ";
|
||||
$parameters['domain_uuid'] = $_SESSION["domain_uuid"];
|
||||
$database = new database;
|
||||
$result = $database->select($sql, $parameters, 'all');
|
||||
if (is_array($result) && @sizeof($result) != 0) {
|
||||
foreach ($result as $row) {
|
||||
$_SESSION['permissions'][$row["permission_name"]] = true;
|
||||
$_SESSION["user"]["permissions"][$row["permission_name"]] = true;
|
||||
}
|
||||
}
|
||||
unset($sql, $parameters, $result, $row);
|
||||
}
|
||||
|
||||
//get the domains
|
||||
if (file_exists($_SERVER["PROJECT_ROOT"]."/app/domains/app_config.php") && !is_cli()){
|
||||
require_once "app/domains/resources/domains.php";
|
||||
}
|
||||
|
||||
//get the user settings
|
||||
if (is_array($user_settings) && @sizeof($user_settings) != 0) {
|
||||
foreach ($user_settings as $row) {
|
||||
$name = $row['user_setting_name'];
|
||||
$category = $row['user_setting_category'];
|
||||
$subcategory = $row['user_setting_subcategory'];
|
||||
if (strlen($row['user_setting_value']) > 0) {
|
||||
if (strlen($subcategory) == 0) {
|
||||
//$$category[$name] = $row['domain_setting_value'];
|
||||
if ($name == "array") {
|
||||
$_SESSION[$category][] = $row['user_setting_value'];
|
||||
}
|
||||
else {
|
||||
$_SESSION[$category][$name] = $row['user_setting_value'];
|
||||
}
|
||||
}
|
||||
else {
|
||||
//$$category[$subcategory][$name] = $row['domain_setting_value'];
|
||||
if ($name == "array") {
|
||||
$_SESSION[$category][$subcategory][] = $row['user_setting_value'];
|
||||
}
|
||||
else {
|
||||
$_SESSION[$category][$subcategory][$name] = $row['user_setting_value'];
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
unset($user_settings);
|
||||
|
||||
//get the extensions that are assigned to this user
|
||||
if (file_exists($_SERVER["PROJECT_ROOT"]."/app/extensions/app_config.php")) {
|
||||
if (isset($_SESSION["user"]) && is_uuid($_SESSION["user_uuid"]) && is_uuid($_SESSION["domain_uuid"]) && !isset($_SESSION['user']['extension'])) {
|
||||
//get the user extension list
|
||||
$_SESSION['user']['extension'] = null;
|
||||
$sql = "select ";
|
||||
$sql .= "e.extension_uuid, ";
|
||||
$sql .= "e.extension, ";
|
||||
$sql .= "e.number_alias, ";
|
||||
$sql .= "e.user_context, ";
|
||||
$sql .= "e.outbound_caller_id_name, ";
|
||||
$sql .= "e.outbound_caller_id_number, ";
|
||||
$sql .= "e.description ";
|
||||
$sql .= "from ";
|
||||
$sql .= "v_extension_users as u, ";
|
||||
$sql .= "v_extensions as e ";
|
||||
$sql .= "where ";
|
||||
$sql .= "e.domain_uuid = :domain_uuid ";
|
||||
$sql .= "and e.extension_uuid = u.extension_uuid ";
|
||||
$sql .= "and u.user_uuid = :user_uuid ";
|
||||
$sql .= "and e.enabled = 'true' ";
|
||||
$sql .= "order by ";
|
||||
$sql .= "e.extension asc ";
|
||||
$parameters['domain_uuid'] = $_SESSION['domain_uuid'];
|
||||
$parameters['user_uuid'] = $_SESSION['user_uuid'];
|
||||
$database = new database;
|
||||
$result = $database->select($sql, $parameters, 'all');
|
||||
if (is_array($result) && @sizeof($result) != 0) {
|
||||
foreach($result as $x => $row) {
|
||||
//set the destination
|
||||
$destination = $row['extension'];
|
||||
if (strlen($row['number_alias']) > 0) {
|
||||
$destination = $row['number_alias'];
|
||||
}
|
||||
|
||||
//build the user array
|
||||
$_SESSION['user']['extension'][$x]['user'] = $row['extension'];
|
||||
$_SESSION['user']['extension'][$x]['number_alias'] = $row['number_alias'];
|
||||
$_SESSION['user']['extension'][$x]['destination'] = $destination;
|
||||
$_SESSION['user']['extension'][$x]['extension_uuid'] = $row['extension_uuid'];
|
||||
$_SESSION['user']['extension'][$x]['outbound_caller_id_name'] = $row['outbound_caller_id_name'];
|
||||
$_SESSION['user']['extension'][$x]['outbound_caller_id_number'] = $row['outbound_caller_id_number'];
|
||||
$_SESSION['user']['extension'][$x]['user_context'] = $row['user_context'];
|
||||
$_SESSION['user']['extension'][$x]['description'] = $row['description'];
|
||||
|
||||
//set the context
|
||||
$_SESSION['user']['user_context'] = $row["user_context"];
|
||||
$_SESSION['user_context'] = $row["user_context"];
|
||||
}
|
||||
}
|
||||
unset($sql, $parameters, $result, $row);
|
||||
}
|
||||
}
|
||||
|
||||
//set the time zone
|
||||
if (!isset($_SESSION["time_zone"]["user"])) { $_SESSION["time_zone"]["user"] = null; }
|
||||
if (strlen($_SESSION["time_zone"]["user"]) == 0) {
|
||||
//set the domain time zone as the default time zone
|
||||
date_default_timezone_set($_SESSION['domain']['time_zone']['name']);
|
||||
}
|
||||
else {
|
||||
//set the user defined time zone
|
||||
date_default_timezone_set($_SESSION["time_zone"]["user"]);
|
||||
}
|
||||
|
||||
} //authorized true
|
||||
|
||||
//return the result
|
||||
return $result;
|
||||
}
|
||||
@@ -152,6 +429,7 @@ class authentication {
|
||||
if (count($username_array) > 1) {
|
||||
//get the domain name
|
||||
$domain_name = $username_array[count($username_array) -1];
|
||||
|
||||
//check if the domain from the username exists then set the domain_uuid
|
||||
$domain_exists = false;
|
||||
foreach ($_SESSION['domains'] as $row) {
|
||||
@@ -161,12 +439,14 @@ class authentication {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
//if the domain exists then set domain_name and update the username
|
||||
if ($domain_exists) {
|
||||
$this->domain_name = $domain_name;
|
||||
$this->username = substr($_REQUEST["username"], 0, -(strlen($domain_name)+1));
|
||||
$_SESSION['domain_uuid'] = $this->domain_uuid;
|
||||
}
|
||||
|
||||
//unset the domain name variable
|
||||
unset($domain_name);
|
||||
}
|
||||
@@ -196,7 +476,6 @@ class authentication {
|
||||
|
||||
//set the setting arrays
|
||||
$obj = new domains();
|
||||
$obj->db = $db;
|
||||
$obj->set();
|
||||
|
||||
//set the domain settings
|
||||
|
||||
Reference in New Issue
Block a user