nsinnovations/fusionpbx
2
0
Fork 0
mirror of https://github.com/fusionpbx/fusionpbx.git synced 2026-01-03 10:23:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Get a new set of default and domain settings for use when http_domain_filter is set to false. Remove debug numbers from access denied messages in provisioning and remove other redundant code.

Browse Source
This commit is contained in:
Mark Crane
2015-03-28 11:37:56 +00:00
parent c6933842e6
commit cd3d93a1fd
2 changed files with 126 additions and 114 deletions
Download Patch File Download Diff File Expand all files Collapse all files

229
app/provision/index.php
View File

@@ -78,6 +78,96 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0);
//get the domain name
$domain_name = $_SESSION['domains'][$domain_uuid]['domain_name'];
//set the PDO error mode
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//get the default settings
$sql = "select * from v_default_settings ";
$sql .= "where default_setting_enabled = 'true' ";
try {
$prep_statement = $db->prepare($sql . " order by default_setting_order asc ");
$prep_statement->execute();
}
catch(PDOException $e) {
$prep_statement = $db->prepare($sql);
$prep_statement->execute();
}
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
//unset the previous settings
foreach ($result as $row) {
unset($_SESSION[$row['default_setting_category']]);
}
//set the settings as a session
foreach ($result as $row) {
$name = $row['default_setting_name'];
$category = $row['default_setting_category'];
$subcategory = $row['default_setting_subcategory'];
if (strlen($subcategory) == 0) {
if ($name == "array") {
$_SESSION[$category][] = $row['default_setting_value'];
}
else {
$_SESSION[$category][$name] = $row['default_setting_value'];
}
} else {
if ($name == "array") {
$_SESSION[$category][$subcategory][] = $row['default_setting_value'];
}
else {
$_SESSION[$category][$subcategory]['uuid'] = $row['default_setting_uuid'];
$_SESSION[$category][$subcategory][$name] = $row['default_setting_value'];
}
}
}
//get the domains settings
if (strlen($_SESSION["domain_uuid"]) > 0) {
$sql = "select * from v_domain_settings ";
$sql .= "where domain_uuid = '" . $domain_uuid . "' ";
$sql .= "and domain_setting_enabled = 'true' ";
try {
$prep_statement = $db->prepare($sql . " order by domain_setting_order asc ");
$prep_statement->execute();
}
catch(PDOException $e) {
$prep_statement = $db->prepare($sql);
$prep_statement->execute();
}
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
//unset the arrays that domains are overriding
foreach ($result as $row) {
$name = $row['domain_setting_name'];
$category = $row['domain_setting_category'];
$subcategory = $row['domain_setting_subcategory'];
if ($name == "array") {
unset($_SESSION[$category][$subcategory]);
}
}
//set the settings as a session
foreach ($result as $row) {
$name = $row['domain_setting_name'];
$category = $row['domain_setting_category'];
$subcategory = $row['domain_setting_subcategory'];
if (strlen($subcategory) == 0) {
//$$category[$name] = $row['domain_setting_value'];
if ($name == "array") {
$_SESSION[$category][] = $row['domain_setting_value'];
}
else {
$_SESSION[$category][$name] = $row['domain_setting_value'];
}
} else {
//$$category[$subcategory][$name] = $row['domain_setting_value'];
if ($name == "array") {
$_SESSION[$category][$subcategory][] = $row['domain_setting_value'];
}
else {
$_SESSION[$category][$subcategory][$name] = $row['domain_setting_value'];
}
}
}
}
}
else {
//get the domain_name
@@ -106,7 +196,7 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0);
//check if provisioning has been enabled
if ($provision["enabled"] != "true") {
echo "access denied 1";
echo "access denied";
exit;
}
@@ -114,7 +204,7 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0);
if (strlen($_SERVER['auth_server']) > 0) {
$result = send_http_request($_SERVER['auth_server'], 'mac='.check_str($_REQUEST['mac']).'&secret='.check_str($_REQUEST['secret']));
if ($result == "false") {
echo "access denied 2";
echo "access denied";
exit;
}
}
@@ -137,113 +227,46 @@ openlog("fusion-provisioning", LOG_PID | LOG_PERROR, LOG_LOCAL0);
}
}
if (!$found) {
echo "access denied 3";
echo "access denied";
exit;
}
}
//Digest or Basic
$sql_device = "select device_template from v_devices where device_mac_address='$mac' and device_provision_enable='true'";
$prep_statement_device = $db->prepare($sql_device);
$prep_statement_device->execute();
$result_device = $prep_statement_device->fetchAll(PDO::FETCH_NAMED);
foreach($result_device as $row_device) {
$device_template = $row_device["device_template"];
//http authentication
if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) {
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
header('HTTP/1.0 401 Unauthorized');
header("Content-Type: text/plain");
echo 'Authorization Required';
exit;
} else {
if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) {
//authorized
}
else {
//access denied
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
usleep(rand(1000000,3000000));//1-3 seconds.
echo 'Authorization Required';
exit;
}
}
}
unset($result_device, $prep_statement_device);
syslog(LOG_INFO, "template: $device_template");
switch ($device_template){
case "linksys/spa2102":
case "linksys/spa3102":
case "linksys/spa921":
case "linksys/spa942":
case "cisco/spa112":
case "cisco/spa502g":
case "cisco/spa504g":
case "cisco/spa509g":
case "cisco/spa301":
case "cisco/spa514g":
case "cisco/spa512g":
case "cisco/spa501g":
case "cisco/spa525g":
case "cisco/spa508g":
case "cisco/spa122":
case "cisco/spa303":
syslog(LOG_INFO, "using digest authentication");
if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) {
if (empty($_SERVER['PHP_AUTH_DIGEST'])) {
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
else{
if (!($data = http_digest_parse($_SERVER['PHP_AUTH_DIGEST']))){
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
$A1 = md5($provision["http_auth_username"] . ':' . $_SESSION['domain_name'] . ':' . $provision["http_auth_password"]);
$A2 = md5($_SERVER['REQUEST_METHOD'].':'.$data['uri']);
$valid_response = md5($A1.':'.$data['nonce'].':'.$data['nc'].':'.$data['cnonce'].':'.$data['qop'].':'.$A2);
syslog(LOG_INFO, "valid_response: $valid_response");
syslog(LOG_INFO, "data[response]".$data['response']);
if ($data['response'] != $valid_response){
header('HTTP/1.1 401 Unauthorized');
header('WWW-Authenticate: Digest realm="'.$_SESSION['domain_name'].
'",qop="auth",nonce="'.uniqid().'",opaque="'.md5($_SESSION['domain_name']).'"');
echo 'Authorization Required';
exit;
}
}
}
break;
defaut:
syslog(LOG_INFO, "using basic authentication");
//http authentication
//http://www.php.net/manual/en/features.http-auth.php
if (strlen($provision["http_auth_username"]) > 0 && strlen($provision["http_auth_password"]) > 0) {
if (!isset($_SERVER['PHP_AUTH_USER'])) {
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
header('HTTP/1.0 401 Unauthorized');
header("Content-Type: text/plain");
echo 'Authorization Required';
exit;
} else {
if ($_SERVER['PHP_AUTH_USER'] == $provision["http_auth_username"] && $_SERVER['PHP_AUTH_PW'] == $provision["http_auth_password"]) {
//authorized
}
else {
//access denied
header('WWW-Authenticate: Basic realm="'.$_SESSION['domain_name']." ".date('r').'"');
unset($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']);
usleep(rand(1000000,3000000));//1-3 seconds.
echo 'Authorization Required';
exit;
}
}
}
//if password was defined in the system -> variables page then require the password.
if (strlen($provision['password']) > 0) {
//deny access if the password doesn't match
if ($provision['password'] != check_str($_REQUEST['password'])) {
//log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac']));
closelog();
usleep(rand(1000000,3000000));//1-3 seconds.
echo "access denied 4";
return;
}
}
//if password was defined in the system -> variables page then require the password.
if (strlen($provision['password']) > 0) {
//deny access if the password doesn't match
if ($provision['password'] != check_str($_REQUEST['password'])) {
//log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] provision attempt bad password for ".check_str($_REQUEST['mac']));
closelog();
usleep(rand(1000000,3000000));//1-3 seconds.
echo "access denied 4";
return;
}
}
//output template to string for header processing

11
resources/classes/domains.php
View File

@@ -32,17 +32,6 @@
//set the global variable
global $db;
//clear the sessions
unset($_SESSION['contact']);
unset($_SESSION['domain']);
unset($_SESSION['email']);
unset($_SESSION['ldap']);
unset($_SESSION['login']);
unset($_SESSION['provision']);
unset($_SESSION['security']);
unset($_SESSION['server']);
unset($_SESSION['switch']);
//set the PDO error mode
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);