
/index.php

https://github.com/obenauer/equilibrium
  1<?php
  2// Copyright 2008, St. Jude Children's Research Hospital.
  3// Written by Dr. John Obenauer, john.obenauer@stjude.org.
  4
  5// This file is part of Equilibrium.  Equilibrium is free software:
  6// you can redistribute it and/or modify it under the terms of the
  7// GNU General Public License as published by the Free Software
  8// Foundation, either version 2 of the License, or (at your option)
  9// any later version.
 10
 11// Equilibrium is distributed in the hope that it will be useful,
 12// but WITHOUT ANY WARRANTY; without even the implied warranty of
 13// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 14// GNU General Public License for more details.
 15
 16// You should have received a copy of the GNU General Public License
 17// along with Equilibrium.  If not, see <http://www.gnu.org/licenses/>.
 18
 19require("config.php");
 20
 21// Check for passed arguments
 22if (isset($_REQUEST['action'])) {
 23    $action = $_REQUEST['action'];
 24} else {
 25    $action = "login";
 26}
 27
 28if (isset($_REQUEST['cmd'])) {
 29    $cmd = $_REQUEST['cmd'];
 30} else {
 31    $cmd = "";
 32}
 33
 34if (isset($_REQUEST['user'])) {
 35    $user = $_REQUEST['user'];
 36} else {
 37    $user = "";
 38}
 39
 40if (isset($_REQUEST['pass'])) {
 41    $pass = $_REQUEST['pass'];
 42} else {
 43    $pass = "";
 44}
 45
 46if (isset($_REQUEST['error'])) {
 47    $error = $_REQUEST['error'];
 48    $action = "error";
 49} else {
 50    $error = "";
 51}
 52
 53// Declare PHP functions
 54//require("equilibrium.php");
 55function authenticate_local($user, $pass) {
 56
 57    global $userid;
 58    global $login;
 59    global $fullname;
 60    global $authentication;
 61    global $staff;
 62    global $admin;
 63
 64    $conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
 65        or die ("Cannot connect to database. " . mysql_error() . "\n<br>");
 66    mysql_select_db(DB_DATABASE);
 67    $query = "SELECT user_id, login, first_name, last_name, " .
 68        "staff_flag, admin_priv, authentication " .
 69        "FROM users WHERE login = \"$user\" " .
 70        "AND password = PASSWORD(\"$pass\") ";
 71    $result = mysql_query ($query, $conn)
 72        or die ("Error in query: $query " . mysql_error() . "\n<br>");
 73    if (mysql_num_rows($result) == 1) {
 74
 75        if ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
 76
 77            if ($row['authentication'] == "local") {
 78
 79                // User has been authenticated; set privileges
 80                $userid = $row['user_id'];
 81                $login = $row['login'];
 82                if ($row['first_name']) {
 83                    $fullname = $row['first_name'] . " " . $row['last_name'];
 84                } else {
 85                    $fullname = $row['last_name'];
 86                }
 87                $authentication = $row['authentication'];
 88                $staff = $row['staff_flag'];
 89                $admin = $row['admin_priv'];
 90                mysql_free_result($result);
 91                mysql_close($conn);
 92                return 1;
 93
 94            } else if ($row['authentication'] == 'LDAP') {
 95
 96                // Local authentication not allowed for this user
 97                mysql_free_result($result);
 98                mysql_close($conn);
 99                return 0;
100            }
101
102        }
103
104        // User failed authentication -- authentication type unknown
105        mysql_free_result($result);
106        mysql_close($conn);
107        return 0;
108
109    } else {
110
111        // User failed authentication -- not found in local database
112        mysql_free_result($result);
113        mysql_close($conn);
114
115        return 0;
116    }
117
118}
119
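function authenticate_ldap($user, $pass) {
    // Authenticate $user/$pass against LDAP, then authorize the account
    // against the local users table.
    //
    // Step 1: bind with the service credentials from config, look the account
    // up by sAMAccountName and re-bind as the entry's DN with $pass.
    // Step 2: the account must also exist in the local users table with
    // authentication = "LDAP"; that row populates the caller-visible globals
    // $userid, $login, $fullname, $authentication, $staff and $admin.
    // Returns 1 on success and 0 on any failure.

    // Do not allow blank passwords: a bind with an empty password is treated
    // by many directories as an anonymous bind that "succeeds".
    if ($pass == "") {
        return 0;
    }

    // $user comes straight from the request. Escape it before it is placed in
    // the search filter so filter metacharacters cannot alter the query.
    // ldap_escape() exists from PHP 5.6; on older runtimes fall back to
    // rejecting any username that carries filter syntax.
    if (function_exists('ldap_escape')) {
        $filter_user = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
    } else if (strpbrk($user, "*()\\\0") !== false) {
        return 0;
    } else {
        $filter_user = $user;
    }

    // Connect to LDAP
    // NOTE(review): the connection uses LDAP_SERVER_ADDRESS while the error
    // messages use LDAP_SERVER -- confirm both are defined in config.php.
    $conn = ldap_connect(LDAP_SERVER_ADDRESS, LDAP_PORT);
    if (!$conn) {
        die("Error: Could not connect to LDAP server " . LDAP_SERVER . ".\n");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account so the directory can be searched
    $bind = ldap_bind($conn, LDAP_USER_NAME, LDAP_PASSWORD);
    if (!$bind) {
        die("Error: Could not BIND to LDAP server ->" . LDAP_SERVER .
            " on port " . LDAP_PORT);
    }

    // Locate the user's entry, then prove the password by binding as it
    $authenticated = false;
    $query = 'samaccountname=' . $filter_user;
    $fields = array("ou", "sn", "givenname", "mail", "memberof", "samaccountname",
        "department", "description", "initials");
    $search = ldap_search($conn, LDAP_BASE_DN, $query, $fields);
    if ($search !== false) {
        $result = @ldap_get_entries($conn, $search);
        // A DN is required for the bind: binding with an empty DN would be an
        // unauthenticated bind rather than a check of this user's password.
        if ($result && $result['count'] > 0 && !empty($result[0]['dn'])) {
            // @ silences the warning ldap_bind emits on a wrong password
            $authenticated = (bool) @ldap_bind($conn, $result[0]['dn'], $pass);
        }
    }

    // Close LDAP connection
    ldap_close($conn);

    if (!$authenticated) {
        // Unknown user or wrong password
        return 0;
    }

    // LDAP accepted the credentials; the account must also be enabled in the
    // local users table with authentication = "LDAP".
    global $userid;
    global $login;
    global $fullname;
    global $authentication;
    global $staff;
    global $admin;

    $conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
        or die ("Cannot connect to database. " . mysql_error() . "\n<br>");
    mysql_select_db(DB_DATABASE);
    // Escape before interpolating: $user is request input (SQL injection)
    $safe_user = mysql_real_escape_string($user, $conn);
    $query = "SELECT user_id, login, first_name, last_name, " .
        "staff_flag, admin_priv, authentication " .
        "FROM users WHERE login = \"$safe_user\" ";
    $result = mysql_query ($query, $conn)
        or die ("Error in query: $query " . mysql_error() . "\n<br>");

    // Exactly one matching row is required; an absent or duplicated account
    // is denied access.
    $status = 0;
    if (mysql_num_rows($result) == 1) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        if ($row && $row['authentication'] == "LDAP") {

            // User has been authenticated; set privileges
            $userid = $row['user_id'];
            $login = $row['login'];
            if ($row['first_name']) {
                $fullname = $row['first_name'] . " " . $row['last_name'];
            } else {
                $fullname = $row['last_name'];
            }
            $authentication = $row['authentication'];
            $staff = $row['staff_flag'];
            $admin = $row['admin_priv'];
            $status = 1;
        }
        // "local" or unknown authentication type: LDAP login not permitted
    }

    // Single cleanup path instead of a free/close pair before every return
    mysql_free_result($result);
    mysql_close($conn);
    return $status;
}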
260
261// Commands that don't generate HTML output
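// Commands that don't generate HTML output
switch($cmd) {

    case "authenticate":

        // Initialize the account globals that authenticate_local() and
        // authenticate_ldap() fill in on success
        $userid = 0;
        $login = "";
        $fullname = "";
        $staff = "N";
        $admin = "N";

        // Every deployment authenticates locally first (accounts such as
        // admin); when config enables LDAP it is tried as a fallback.
        $status = authenticate_local($user, $pass);
        if ($status == 0 && $use_ldap == "Y") {
            $status = authenticate_ldap($user, $pass);
        }

        if ($status == 1) {

            // User authenticated, so start a session. Assigning to $_SESSION
            // is all that is needed: session_register() was deprecated in
            // PHP 5.3 and removed in 5.4, where calling it is a fatal error.
            // (The old session_register("SESSION") key was never assigned a
            // value here.)
            session_start();
            // Issue a fresh session id so an id planted in the browser before
            // login (session fixation) cannot become an authenticated session
            session_regenerate_id(true);
            $_SESSION['SESSION_USERID'] = $userid;
            $_SESSION['SESSION_LOGIN'] = $login;
            $_SESSION['SESSION_USER'] = $fullname;
            $_SESSION['SESSION_STAFF'] = $staff;
            $_SESSION['SESSION_ADMIN'] = $admin;

            // Send user to protected page
            header("Location: $main_page");
            exit();

        } else {

            // User not authenticated
            header("Location: index.php?error=1");
            exit();
        }

        break;

    case "logout":

        // Clear and destroy the session; $_SESSION is emptied as well because
        // session_destroy() alone leaves the in-memory values for the rest
        // of this request.
        session_start();
        $_SESSION = array();
        session_destroy();

        // Redirect browser to login page and stop rendering this page
        header("Location: index.php");
        exit();

        break;

}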
331
332// Start HTML and declare Javascript functions
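// Start HTML and declare Javascript functions
$activepage = "";
//require("header.php");

// Main functions of page.
//
// "error" renders one of three failure pages chosen by the $error code
// (1: bad credentials, 2: no valid session, anything else: generic).
// "login" renders the credential form, which POSTs cmd=authenticate back to
// this script. Any other $action renders nothing.
switch($action) {
    case "error":

        if ($error == 1) {

            printf("<html><head><title>Login Failure</title></head>\n");
            printf("<body bgcolor='%s'>\n", $background_color);
            printf("<h2>Login Failed</h2>\n");
            printf("<p>Either your username, password, or both are not recognized.</p>\n");
            printf("<a href='index.php'>Try again</a>\n");
            printf("</body></html>\n");

        } else if ($error == 2) {

            printf("<html><head><title>Authorization Required</title></head>\n");
            printf("<body bgcolor='%s'>\n", $background_color);
            printf("<h2>Authorization Required</h2>\n");
            printf("<p>You must <a href='index.php'>log in</a> to access this page.  \n");
            printf("Your session may have timed out.</p>\n");
            printf("</body></html>\n");

        } else {

            // Unknown error code: generic message, the code itself is not echoed
            printf("<html><head><title>Authentication Error</title></head>\n");
            printf("<body bgcolor='%s'>\n", $background_color);
            printf("<h2>Authentication Error</h2>\n");
            printf("<p>The system was not able to authenticate your username ");
            printf("and password.  ");
            printf("If you were previously logged in, your session may have ");
            printf("timed out.</p>\n");
            printf("<a href='index.php'>Log in again</a>\n");
            printf("</body></html>\n");

        }

        break;
    case "login":

        // Show login page
        printf("<html><head><title>%s Projects Database</title></head>\n",
            $organization_name);
        printf("<body bgcolor='%s'>\n", $background_color);
        printf("<h2>%s Projects Database</h2>\n", $organization_name);
        printf("<table><tr><td>\n");
        printf("  <table cellspacing='5' cellpadding='5'>\n");
        printf("    <form action=\"index.php\" method='POST'>\n");
        printf("    <input type='hidden' name='cmd' value='authenticate'>\n");
        printf("      <tr><td>Username</td><td><input type='text' name='user' ");
        printf("id='username' size='20'></td></tr>\n");
        // The password input tag was previously left unclosed ("size='20'</td>")
        printf("      <tr><td>Password</td><td><input type='password' ");
        printf("name='pass' size='20'></td></tr>\n");
        printf("      <tr><td colspan='2' align='center'>");
        printf("<input type='submit' name='submit' value='Log In'></td></tr>\n");
        printf("    </form>\n");
        printf("  </table>\n");
        printf("</td>\n");

        // Optional: include an image on login page
        //printf("<td><img src=''></td>\n");

        printf("</tr></table>\n");

        // Set focus to username text box
        printf("<script type='text/javascript'>\n");
        printf("  document.getElementById('username').value = '';\n");
        printf("  document.getElementById('username').focus();\n");
        printf("</script>\n");
        printf("</body></html>\n");

        break;
}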
414
415// End page
416//require("footer.php");
417?>
418