From 127adbf7a5bd4adb3714ed1b0e341d1add072468 Mon Sep 17 00:00:00 2001 From: Mark Crane Date: Sat, 28 Mar 2015 11:37:56 +0000 Subject: [PATCH] Get a new set of default and domain settings for use when http_domain_filter is set to false. Remove debug numbers from access denied messages in provisioning and remove other redundant code. --- app/provision/index.php | 229 +++++++++++++++++++--------------- resources/classes/domains.php | 11 -- 2 files changed, 126 insertions(+), 114 deletions(-) diff --git a/app/provision/index.php b/app/provision/index.php index c983a265d6..a6e7237129 100644 --- a/app/provision/index.php +++ b/app/provision/index.php @@ -78,6 +78,96 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0); //get the domain name $domain_name = $_SESSION['domains'][$domain_uuid]['domain_name']; + + //set the PDO error mode + $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); + + //get the default settings + $sql = "select * from v_default_settings "; + $sql .= "where default_setting_enabled = 'true' "; + try { + $prep_statement = $db->prepare($sql . " order by default_setting_order asc "); + $prep_statement->execute(); + } + catch(PDOException $e) { + $prep_statement = $db->prepare($sql); + $prep_statement->execute(); + } + $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); + //unset the previous settings + foreach ($result as $row) { + unset($_SESSION[$row['default_setting_category']]); + } + //set the settings as a session + foreach ($result as $row) { + $name = $row['default_setting_name']; + $category = $row['default_setting_category']; + $subcategory = $row['default_setting_subcategory']; + if (strlen($subcategory) == 0) { + if ($name == "array") { + $_SESSION[$category][] = $row['default_setting_value']; + } + else { + $_SESSION[$category][$name] = $row['default_setting_value']; + } + } else { + if ($name == "array") { + $_SESSION[$category][$subcategory][] = $row['default_setting_value']; + } + else { + $_SESSION[$category][$subcategory]['uuid'] = $row['default_setting_uuid']; + $_SESSION[$category][$subcategory][$name] = $row['default_setting_value']; + } + } + } + + //get the domains settings + if (strlen($_SESSION["domain_uuid"]) > 0) { + $sql = "select * from v_domain_settings "; + $sql .= "where domain_uuid = '" . $domain_uuid . "' "; + $sql .= "and domain_setting_enabled = 'true' "; + try { + $prep_statement = $db->prepare($sql . " order by domain_setting_order asc "); + $prep_statement->execute(); + } + catch(PDOException $e) { + $prep_statement = $db->prepare($sql); + $prep_statement->execute(); + } + $result = $prep_statement->fetchAll(PDO::FETCH_NAMED); + //unset the arrays that domains are overriding + foreach ($result as $row) { + $name = $row['domain_setting_name']; + $category = $row['domain_setting_category']; + $subcategory = $row['domain_setting_subcategory']; + if ($name == "array") { + unset($_SESSION[$category][$subcategory]); + } + } + //set the settings as a session + foreach ($result as $row) { + $name = $row['domain_setting_name']; + $category = $row['domain_setting_category']; + $subcategory = $row['domain_setting_subcategory']; + if (strlen($subcategory) == 0) { + //$$category[$name] = $row['domain_setting_value']; + if ($name == "array") { + $_SESSION[$category][] = $row['domain_setting_value']; + } + else { + $_SESSION[$category][$name] = $row['domain_setting_value']; + } + } else { + //$$category[$subcategory][$name] = $row['domain_setting_value']; + if ($name == "array") { + $_SESSION[$category][$subcategory][] = $row['domain_setting_value']; + } + else { + $_SESSION[$category][$subcategory][$name] = $row['domain_setting_value']; + } + } + } + } } else { //get the domain_name @@ -106,7 +196,7 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0); //check if provisioning has been enabled if ($provision["enabled"] != "true") { - echo "access denied 1"; + echo "access denied"; exit; } @@ -114,7 +204,7 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0); if (strlen($_SERVER['auth_server']) > 0) { $result = send_http_request($_SERVER['auth_server'], 'mac='.check_str($_REQUEST['mac']).'&secret='.check_str($_REQUEST['secret'])); if ($result == "false") { - echo "access denied 2"; + echo "access denied"; exit; } } @@ -137,113 +227,46 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0); } } if (!$found) { - echo "access denied 3"; + echo "access denied"; exit; } } -//Digest or Basic - $sql_device = "select device_template from v_devices where device_mac_address='$mac' and device_provision_enable='true'"; - $prep_statement_device = $db->prepare($sql_device); - $prep_statement_device->execute(); - $result_device = $prep_statement_device->fetchAll(PDO::FETCH_NAMED); - foreach($result_device as $row_device) { - $device_template = $row_device["device_template"]; +//http authentication + if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) { + if (!isset($_SERVER['PHP_AUTH_USER'])) { + header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); + header('HTTP/1.0 401 Unauthorized'); + header("Content-Type: text/plain"); + echo 'Authorization Required'; + exit; + } else { + if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) { + //authorized + } + else { + //access denied + header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); + unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); + usleep(rand(1000000,3000000));//1-3 seconds. + echo 'Authorization Required'; + exit; + } + } } - unset($result_device, $prep_statement_device); - syslog(LOG_INFO, "template: $device_template"); - switch ($device_template){ - case "linksys/spa2102": - case "linksys/spa3102": - case "linksys/spa921": - case "linksys/spa942": - case "cisco/spa112": - case "cisco/spa502g": - case "cisco/spa504g": - case "cisco/spa509g": - case "cisco/spa301": - case "cisco/spa514g": - case "cisco/spa512g": - case "cisco/spa501g": - case "cisco/spa525g": - case "cisco/spa508g": - case "cisco/spa122": - case "cisco/spa303": - syslog(LOG_INFO, "using digest authentication"); - if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) { - if (empty($_SERVER['PHP_AUTH_DIGEST'])) { - header('HTTP/1.1 401 Unauthorized'); - header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name']. - '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"'); - - echo 'Authorization Required'; - exit; - } - else{ - if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']))){ - header('HTTP/1.1 401 Unauthorized'); - header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name']. - '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"'); - echo 'Authorization Required'; - exit; - } - - $A1 = md5($provision["http_auth_username"] . ':' . $_SESSION['domain_name'] . ':' . $provision["http_auth_password"]); - $A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']); - $valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2); - syslog(LOG_INFO, "valid_response: $valid_response"); - syslog(LOG_INFO, "data[response]".$data['response']); - if ($data['response'] != $valid_response){ - header('HTTP/1.1 401 Unauthorized'); - header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name']. - '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"'); - - echo 'Authorization Required'; - exit; - } - } - } - break; - defaut: - syslog(LOG_INFO, "using basic authentication"); - //http authentication - //http://www.php.net/manual/en/features.http-auth.php - if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) { - if (!isset($_SERVER['PHP_AUTH_USER'])) { - header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); - header('HTTP/1.0 401 Unauthorized'); - header("Content-Type: text/plain"); - echo 'Authorization Required'; - exit; - } else { - if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) { - //authorized - } - else { - //access denied - header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"'); - unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']); - usleep(rand(1000000,3000000));//1-3 seconds. - echo 'Authorization Required'; - exit; - } - } - } - - //if password was defined in the system -> variables page then require the password. - if (strlen($provision['password']) > 0) { - //deny access if the password doesn't match - if ($provision['password'] != check_str($_REQUEST['password'])) { - //log the failed auth attempt to the system, to be available for fail2ban. - openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); - syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac'])); - closelog(); - usleep(rand(1000000,3000000));//1-3 seconds. - echo "access denied 4"; - return; - } - } +//if password was defined in the system -> variables page then require the password. + if (strlen($provision['password']) > 0) { + //deny access if the password doesn't match + if ($provision['password'] != check_str($_REQUEST['password'])) { + //log the failed auth attempt to the system, to be available for fail2ban. + openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); + syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac'])); + closelog(); + usleep(rand(1000000,3000000));//1-3 seconds. + echo "access denied 4"; + return; + } } //output template to string for header processing diff --git a/resources/classes/domains.php b/resources/classes/domains.php index dcc161d73c..f6d4fc4eea 100644 --- a/resources/classes/domains.php +++ b/resources/classes/domains.php @@ -32,17 +32,6 @@ //set the global variable global $db; - //clear the sessions - unset($_SESSION['contact']); - unset($_SESSION['domain']); - unset($_SESSION['email']); - unset($_SESSION['ldap']); - unset($_SESSION['login']); - unset($_SESSION['provision']); - unset($_SESSION['security']); - unset($_SESSION['server']); - unset($_SESSION['switch']); - //set the PDO error mode $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);