Home Explore Help
Sign In
fusionpbx
/
fusionpbx-framework
mirror of https://github.com/fusionpbx/fusionpbx-framework.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: aab1b7d772
Branches Tags
fusionpbx-frame...
/
core
/
authentication
/
resources
/
classes
/
plugins
/
database.php

database.php 12 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335 
  1. <?php
    2. 

  2. /*
    3. 

  3. 	FusionPBX
    4. 

  4. 	Version: MPL 1.1
    5. 

  5. 

  6. 	The contents of this file are subject to the Mozilla Public License Version
    7. 

  7. 	1.1 (the "License"); you may not use this file except in compliance with
    8. 

  8. 	the License. You may obtain a copy of the License at
    9. 

  9. 	http://www.mozilla.org/MPL/
    10. 

  10. 

  11. 	Software distributed under the License is distributed on an "AS IS" basis,
    12. 

  12. 	WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
    13. 

  13. 	for the specific language governing rights and limitations under the
    14. 

  14. 	License.
    15. 

  15. 

  16. 	The Original Code is FusionPBX
    17. 

  17. 

  18. 	The Initial Developer of the Original Code is
    19. 

  19. 	Mark J Crane <[email protected]>
    20. 

  20. 	Portions created by the Initial Developer are Copyright (C) 2008-2023
    21. 

  21. 	the Initial Developer. All Rights Reserved.
    22. 

  22. 

  23. 	Contributor(s):
    24. 

  24. 	Mark J Crane <[email protected]>
    25. 

  25. */
    26. 

  26. 

  27. /**
    28. 

  28.  * plugin_database
    29. 

  29.  *
    30. 

  30.  * @method plugin_database validates the authentication using information from the database
    31. 

  31.  */
    32. 

  32. class plugin_database {
    33. 

  33. 

  34. 	/**
    35. 

  35. 	 * Define variables and their scope
    36. 

  36. 	 */
    37. 

  37. 	public $domain_name;
    38. 

  38. 	public $domain_uuid;
    39. 

  39. 	public $user_uuid;
    40. 

  40. 	public $contact_uuid;
    41. 

  41. 	public $username;
    42. 

  42. 	public $password;
    43. 

  43. 	public $key;
    44. 

  44. 	public $debug;
    45. 

  45. 	public $user_email;
    46. 

  46. 

  47. 	/**
    48. 

  48. 	 * database checks the local database to authenticate the user or key
    49. 

  49. 	 * @return array [authorized] => true or false
    50. 

  50. 	 */
    51. 

  51. 	function database() {
    52. 

  52. 

  53. 		//pre-process some settings
    54. 

  54. 			$settings['theme']['favicon'] = !empty($_SESSION['theme']['favicon']['text']) ? $_SESSION['theme']['favicon']['text'] : PROJECT_PATH.'/themes/default/favicon.ico';
    55. 

  55. 			$settings['login']['destination'] = !empty($_SESSION['login']['destination']['text']) ? $_SESSION['login']['destination']['text'] : '';
    56. 

  56. 			$settings['users']['unique'] = !empty($_SESSION['users']['unique']['text']) ? $_SESSION['users']['unique']['text'] : '';
    57. 

  57. 			$settings['theme']['logo'] = !empty($_SESSION['theme']['logo']['text']) ? $_SESSION['theme']['logo']['text'] : PROJECT_PATH.'/themes/default/images/logo_login.png';
    58. 

  58. 			$settings['theme']['login_logo_width'] = !empty($_SESSION['theme']['login_logo_width']['text']) ? $_SESSION['theme']['login_logo_width']['text'] : 'auto; max-width: 300px';
    59. 

  59. 			$settings['theme']['login_logo_height'] = !empty($_SESSION['theme']['login_logo_height']['text']) ? $_SESSION['theme']['login_logo_height']['text'] : 'auto; max-height: 300px';
    60. 

  60. 			$settings['theme']['message_delay'] = isset($_SESSION['theme']['message_delay']) ? 1000 * (float) $_SESSION['theme']['message_delay'] : 3000;
    61. 

  61. 			$settings['theme']['background_video'] = isset($_SESSION['theme']['background_video'][0]) ? $_SESSION['theme']['background_video'][0] : null;
    62. 

  62. 

  63. 		//already authorized
    64. 

  64. 			if (isset($_SESSION['authentication']['plugin']['database']) && $_SESSION['authentication']['plugin']['database']["authorized"]) {
    65. 

  65. 				return;
    66. 

  66. 			}
    67. 

  67. 			else {
    68. 

  68. 				if (isset($_SESSION['authentication']['plugin']['database']) && !$_SESSION['authentication']['plugin']['database']["authorized"]) {
    69. 

  69. 					//authorized false
    70. 

  70. 				}
    71. 

  71. 			}
    72. 

  72. 

  73. 		//show the authentication code view
    74. 

  74. 			if (empty($_REQUEST["username"]) && empty($_REQUEST["key"])) {
    75. 

  75. 

  76. 				//get the domain
    77. 

  77. 					$domain_array = explode(":", $_SERVER["HTTP_HOST"]);
    78. 

  78. 					$domain_name = $domain_array[0];
    79. 

  79. 

  80. 				//temp directory
    81. 

  81. 					$_SESSION['server']['temp']['dir'] = '/tmp';
    82. 

  82. 

  83. 				//create token
    84. 

  84. 					//$object = new token;
    85. 

  85. 					//$token = $object->create('login');
    86. 

  86. 

  87. 				//add multi-lingual support
    88. 

  88. 					$language = new text;
    89. 

  89. 					$text = $language->get(null, '/core/authentication');
    90. 

  90. 

  91. 				//initialize a template object
    92. 

  92. 					$view = new template();
    93. 

  93. 					$view->engine = 'smarty';
    94. 

  94. 					$view->template_dir = $_SERVER["DOCUMENT_ROOT"].PROJECT_PATH.'/core/authentication/resources/views/';
    95. 

  95. 					$view->cache_dir = $_SESSION['server']['temp']['dir'];
    96. 

  96. 					$view->init();
    97. 

  97. 

  98. 				//add translations
    99. 

  99. 					$view->assign("login_title", $text['button-login']);
    100. 

  100. 					$view->assign("label_username", $text['label-username']);
    101. 

  101. 					$view->assign("label_password", $text['label-password']);
    102. 

  102. 					$view->assign("button_login", $text['button-login']);
    103. 

  103. 

  104. 				//assign default values to the template
    105. 

  105. 					$view->assign("project_path", PROJECT_PATH);
    106. 

  106. 					$view->assign("login_destination_url", $settings['login']['destination']);
    107. 

  107. 					$view->assign("favicon", $settings['theme']['favicon']);
    108. 

  108. 					$view->assign("login_logo_width", $settings['theme']['login_logo_width']);
    109. 

  109. 					$view->assign("login_logo_height", $settings['theme']['login_logo_height']);
    110. 

  110. 					$view->assign("login_logo_source", $settings['theme']['logo']);
    111. 

  111. 					$view->assign("message_delay", $settings['theme']['message_delay']);
    112. 

  112. 					$view->assign("background_video", $settings['theme']['background_video']);
    113. 

  113.  					//if (!empty($_SESSION['authentication']['plugin']['database']['authorized']) && $_SESSION['authentication']['plugin']['database']['authorized'] == 1 && !empty($_SESSION['username'])) {
    114. 

  114. 					if (!empty($_SESSION['username'])) {
    115. 

  115. 						$view->assign("login_password_description", $text['label-password_description']);
    116. 

  116. 						$view->assign("username", $_SESSION['username']);
    117. 

  117. 						$view->assign("button_cancel", $text['button-cancel']);
    118. 

  118. 					}
    119. 

  119. 

  120. 				//messages
    121. 

  121. 					$view->assign('messages', message::html(true, '		'));
    122. 

  122. 

  123. 				//add the token name and hash to the view
    124. 

  124. 					//$view->assign("token_name", $token['name']);
    125. 

  125. 					//$view->assign("token_hash", $token['hash']);
    126. 

  126. 

  127. 				//show the views
    128. 

  128. 					$content = $view->render('login.htm');
    129. 

  129. 					echo $content;
    130. 

  130. 					exit;
    131. 

  131. 			}
    132. 

  132. 

  133. 		//validate the token
    134. 

  134. 			//$token = new token;
    135. 

  135. 			//if (!$token->validate($_SERVER['PHP_SELF'])) {
    136. 

  136. 			//	message::add($text['message-invalid_token'],'negative');
    137. 

  137. 			//	header('Location: domains.php');
    138. 

  138. 			//	exit;
    139. 

  139. 			//}
    140. 

  140. 

  141. 		//add the authentication details
    142. 

  142. 			if (isset($_REQUEST["username"])) {
    143. 

  143. 				$this->username = $_REQUEST["username"];
    144. 

  144. 				$_SESSION['username'] = $this->username;
    145. 

  145. 			}
    146. 

  146. 			if (isset($_REQUEST["password"])) {
    147. 

  147. 				$this->password = $_REQUEST["password"];
    148. 

  148. 			}
    149. 

  149. 			if (isset($_SESSION['username'])) {
    150. 

  150. 				$this->username = $_SESSION['username'];
    151. 

  151. 			}
    152. 

  152. 			if (isset($_REQUEST["key"])) {
    153. 

  153. 				$this->key = $_REQUEST["key"];
    154. 

  154. 			}
    155. 

  155. 

  156. 		//get the domain name
    157. 

  157. 			$auth = new authentication;
    158. 

  158. 			$auth->get_domain();
    159. 

  159. 			$this->domain_uuid = $_SESSION['domain_uuid'] ?? null;
    160. 

  160. 			$this->domain_name = $_SESSION['domain_name'] ?? null;
    161. 

  161. 			$this->username = $_SESSION['username'] ?? null;
    162. 

  162. 

  163. 		//debug information
    164. 

  164. 			//echo "domain_uuid: ".$this->domain_uuid."<br />\n";
    165. 

  165. 			//echo "domain_name: ".$this->domain_name."<br />\n";
    166. 

  166. 			//echo "username: ".$this->username."<br />\n";
    167. 

  167. 

  168. 		//set the default status
    169. 

  169. 			$user_authorized = false;
    170. 

  170. 

  171. 		//check the username and password if they don't match then redirect to the login
    172. 

  172. 			$sql = "select u.user_uuid, u.contact_uuid, u.username, u.password, ";
    173. 

  173. 			$sql .= "u.user_email, u.salt, u.api_key, u.domain_uuid, d.domain_name ";
    174. 

  174. 			$sql .= "from v_users as u, v_domains as d ";
    175. 

  175. 			$sql .= "where u.domain_uuid = d.domain_uuid ";
    176. 

  176. 			$sql .= "and (user_type = 'default' or user_type is null) ";
    177. 

  177. 			if (isset($this->key) && strlen($this->key) > 30) {
    178. 

  178. 				$sql .= "and u.api_key = :api_key ";
    179. 

  179. 				$parameters['api_key'] = $this->key;
    180. 

  180. 			}
    181. 

  181. 			else {
    182. 

  182. 				$sql .= "and (\n";
    183. 

  183. 				$sql .= "	lower(u.username) = lower(:username)\n";
    184. 

  184. 				$sql .= "	or lower(u.user_email) = lower(:username)\n";
    185. 

  185. 				$sql .= ")\n";
    186. 

  186. 				$parameters['username'] = $this->username;
    187. 

  187. 			}
    188. 

  188. 			if ($settings['users']['unique'] === "global") {
    189. 

  189. 				//unique username - global (example: email address)
    190. 

  190. 			}
    191. 

  191. 			else {
    192. 

  192. 				//unique username - per domain
    193. 

  193. 				$sql .= "and u.domain_uuid = :domain_uuid ";
    194. 

  194. 				$parameters['domain_uuid'] = $this->domain_uuid;
    195. 

  195. 			}
    196. 

  196. 			$sql .= "and (user_enabled = 'true' or user_enabled is null) ";
    197. 

  197. 			$database = new database;
    198. 

  198. 			$row = $database->select($sql, $parameters, 'row');
    199. 

  199. 			if (!empty($row) && is_array($row) && @sizeof($row) != 0) {
    200. 

  200. 

  201. 				//validate the password
    202. 

  202. 					$valid_password = false;
    203. 

  203. 					if (isset($this->key) && strlen($this->key) > 30 && $this->key === $row["api_key"]) {
    204. 

  204. 						$valid_password = true;
    205. 

  205. 					}
    206. 

  206. 					else if (substr($row["password"], 0, 1) === '$') {
    207. 

  207. 						if (isset($this->password) && !empty($this->password)) {
    208. 

  208. 							if (password_verify($this->password, $row["password"])) {
    209. 

  209. 								$valid_password = true;
    210. 

  210. 							}
    211. 

  211. 						}
    212. 

  212. 					}
    213. 

  213. 					else {
    214. 

  214. 						//deprecated - compare the password provided by the user with the one in the database
    215. 

  215. 						if (md5($row["salt"].$this->password) === $row["password"]) {
    216. 

  216. 							$row["password"] = crypt($this->password, '$1$'.$password_salt.'$');
    217. 

  217. 							$valid_password = true;
    218. 

  218. 						}
    219. 

  219. 					}
    220. 

  220. 

  221. 				//set the domain and user settings
    222. 

  222. 					if ($valid_password) {
    223. 

  223. 						//set the domain_uuid
    224. 

  224. 							$this->domain_uuid = $row["domain_uuid"];
    225. 

  225. 							$this->domain_name = $row["domain_name"];
    226. 

  226. 

  227. 						//set the domain session variables
    228. 

  228. 							$_SESSION["domain_uuid"] = $this->domain_uuid;
    229. 

  229. 							$_SESSION["domain_name"] = $this->domain_name;
    230. 

  230. 

  231. 						//set the domain setting
    232. 

  232. 							if ($settings['users']['unique'] === "global" && $row["domain_uuid"] !== $this->domain_uuid) {
    233. 

  233. 								$domain = new domains();
    234. 

  234. 								$domain->set();
    235. 

  235. 							}
    236. 

  236. 

  237. 						//set the variables
    238. 

  238. 							$this->user_uuid = $row['user_uuid'];
    239. 

  239. 							$this->username = $row['username'];
    240. 

  240. 							$this->user_email = $row['user_email'];
    241. 

  241. 							$this->contact_uuid = $row['contact_uuid'];
    242. 

  242. 

  243. 						//debug info
    244. 

  244. 							//echo "user_uuid ".$this->user_uuid."<br />\n";
    245. 

  245. 							//echo "username ".$this->username."<br />\n";
    246. 

  246. 							//echo "contact_uuid ".$this->contact_uuid."<br />\n";
    247. 

  247. 

  248. 						//set a few session variables
    249. 

  249. 							$_SESSION["user_uuid"] = $row['user_uuid'];
    250. 

  250. 							$_SESSION["username"] = $row['username'];
    251. 

  251. 							$_SESSION["user_email"] = $row['user_email'];
    252. 

  252. 							$_SESSION["contact_uuid"] = $row["contact_uuid"];
    253. 

  253. 					}
    254. 

  254. 

  255. 				//check to to see if the the password hash needs to be updated
    256. 

  256. 					if ($valid_password) {
    257. 

  257. 						//set the password hash cost
    258. 

  258. 						$options = array('cost' => 10);
    259. 

  259. 

  260. 						//check if a newer hashing algorithm is available or the cost has changed
    261. 

  261. 						if (password_needs_rehash($row["password"], PASSWORD_DEFAULT, $options)) {
    262. 

  262. 

  263. 							//build user insert array
    264. 

  264. 								$array['users'][0]['user_uuid'] = $this->user_uuid;
    265. 

  265. 								$array['users'][0]['domain_uuid'] = $this->domain_uuid;
    266. 

  266. 								$array['users'][0]['user_email'] = $this->user_email;
    267. 

  267. 								$array['users'][0]['password'] = password_hash($this->password, PASSWORD_DEFAULT, $options);
    268. 

  268. 								$array['users'][0]['salt'] = null;
    269. 

  269. 

  270. 							//build user group insert array
    271. 

  271. 								$array['user_groups'][0]['user_group_uuid'] = uuid();
    272. 

  272. 								$array['user_groups'][0]['domain_uuid'] = $this->domain_uuid;
    273. 

  273. 								$array['user_groups'][0]['group_name'] = 'user';
    274. 

  274. 								$array['user_groups'][0]['user_uuid'] = $this->user_uuid;
    275. 

  275. 

  276. 							//grant temporary permissions
    277. 

  277. 								$p = new permissions;
    278. 

  278. 								$p->add('user_edit', 'temp');
    279. 

  279. 

  280. 							//execute insert
    281. 

  281. 								$database = new database;
    282. 

  282. 								$database->app_name = 'authentication';
    283. 

  283. 								$database->app_uuid = 'a8a12918-69a4-4ece-a1ae-3932be0e41f1';
    284. 

  284. 								$database->save($array);
    285. 

  285. 								unset($array);
    286. 

  286. 

  287. 							//revoke temporary permissions
    288. 

  288. 								$p->delete('user_edit', 'temp');
    289. 

  289. 

  290. 						}
    291. 

  291. 

  292. 					}
    293. 

  293. 					else {
    294. 

  294. 						//clear authentication session
    295. 

  295. 						if (empty($_SESSION['authentication']['methods']) || !is_array($_SESSION['authentication']['methods']) || sizeof($_SESSION['authentication']['methods']) == 0) {
    296. 

  296. 							unset($_SESSION['authentication']);
    297. 

  297. 						}
    298. 

  298. 

  299. 						// clear username
    300. 

  300. 						if (!empty($_REQUEST["password"])) {
    301. 

  301. 							unset($_SESSION['username'], $_REQUEST['username'], $_POST['username']);
    302. 

  302. 							unset($_SESSION['authentication']);
    303. 

  303. 						}
    304. 

  304. 					}
    305. 

  305. 

  306. 					//result array
    307. 

  307. 					if ($valid_password) {
    308. 

  308. 						$result["plugin"] = "database";
    309. 

  309. 						$result["domain_name"] = $this->domain_name;
    310. 

  310. 						$result["username"] = $this->username;
    311. 

  311. 						$result["user_uuid"] = $this->user_uuid;
    312. 

  312. 						$result["domain_uuid"] = $_SESSION['domain_uuid'];
    313. 

  313. 						$result["contact_uuid"] = $this->contact_uuid;
    314. 

  314. 						$result["user_email"] = $this->user_email;
    315. 

  315. 						$result["sql"] = $sql;
    316. 

  316. 						$result["authorized"] = $valid_password;
    317. 

  317. 					}
    318. 

  318. 

  319. 					//return the results
    320. 

  320. 					return $result ?? false;
    321. 

  321. 

  322. 			}
    323. 

  323. 			else {
    324. 

  324. 

  325. 				unset($_SESSION['username'], $_REQUEST['username'], $_POST['username']);
    326. 

  326. 				unset($_SESSION['authentication']);
    327. 

  327. 

  328. 			}
    329. 

  329. 

  330. 		return;
    331. 

  331. 

  332. 	}
    333. 

  333. }
    334. 

  334. 

  335. ?>
    336.