0
|
1 |
<?php
|
|
2 |
|
|
3 |
// hook into auth
|
|
4 |
$plugins->attachHook('login_process_userdata_json', 'return yubikey_auth_hook_json($userinfo, $req["level"], @$req["remember"]);');
|
|
5 |
// hook into special page init
|
|
6 |
$plugins->attachHook('session_started', 'yubikey_add_special_pages();');
|
|
7 |
|
|
8 |
function yubikey_auth_hook_json(&$userdata, $level, $remember)
|
|
9 |
{
|
|
10 |
global $db, $session, $paths, $template, $plugins; // Common objects
|
|
11 |
global $lang;
|
|
12 |
|
|
13 |
$do_validate_otp = false;
|
|
14 |
$do_validate_user = false;
|
|
15 |
$do_validate_pass = false;
|
|
16 |
|
|
17 |
$user_flag = ( $level >= USER_LEVEL_CHPREF ) ? YK_SEC_ELEV_USERNAME : YK_SEC_NORMAL_USERNAME;
|
|
18 |
$pass_flag = ( $level >= USER_LEVEL_CHPREF ) ? YK_SEC_ELEV_PASSWORD : YK_SEC_NORMAL_PASSWORD;
|
|
19 |
|
|
20 |
$auth_log_prefix = ( $level >= USER_LEVEL_CHPREF ) ? 'admin_' : '';
|
|
21 |
|
|
22 |
if ( !empty($userdata['username']) )
|
|
23 |
{
|
|
24 |
// get flags
|
|
25 |
$q = $db->sql_query('SELECT user_id, user_yubikey_flags FROM ' . table_prefix . "users WHERE " . ENANO_SQLFUNC_LOWERCASE . "(username) = '" . $db->escape(strtolower($userdata['username'])) . "';");
|
|
26 |
if ( !$q )
|
|
27 |
$db->die_json();
|
|
28 |
|
|
29 |
if ( $db->numrows() < 1 )
|
|
30 |
{
|
|
31 |
// Username not found - let the main login function handle it
|
|
32 |
$db->free_result();
|
|
33 |
return null;
|
|
34 |
}
|
|
35 |
list($user_id, $flags) = $db->fetchrow_num();
|
|
36 |
$flags = intval($flags);
|
|
37 |
// At the point the username is validated.
|
|
38 |
$do_validate_user = false;
|
|
39 |
$do_validate_pass = $flags & $pass_flag;
|
|
40 |
if ( empty($userdata['yubikey_otp']) )
|
|
41 |
{
|
|
42 |
// no OTP was provided
|
|
43 |
// make sure the user has allowed logging in with no OTP
|
|
44 |
if ( !($flags & YK_SEC_ALLOW_NO_OTP) )
|
|
45 |
{
|
|
46 |
// We also might have no Yubikeys enrolled.
|
|
47 |
$q = $db->sql_query('SELECT 1 FROM ' . table_prefix . "yubikey WHERE user_id = $user_id;");
|
|
48 |
if ( !$q )
|
|
49 |
$db->die_json();
|
|
50 |
|
|
51 |
if ( $db->numrows() > 0 )
|
|
52 |
{
|
|
53 |
// Yep at least one key is enrolled.
|
|
54 |
// I don't think these should be logged because they'll usually just be innocent mistakes.
|
|
55 |
$db->free_result();
|
|
56 |
return array(
|
|
57 |
'mode' => 'error',
|
|
58 |
'error' => 'yubiauth_err_must_have_otp'
|
|
59 |
);
|
|
60 |
}
|
|
61 |
// Nope, no keys enrolled, user hasn't enabled Yubikey support
|
|
62 |
$db->free_result();
|
|
63 |
}
|
|
64 |
// we're ok, use normal password auth
|
|
65 |
return null;
|
|
66 |
}
|
|
67 |
else
|
|
68 |
{
|
|
69 |
// user did enter an OTP
|
|
70 |
$do_validate_otp = true;
|
|
71 |
}
|
|
72 |
}
|
|
73 |
else if ( !empty($userdata['yubikey_otp']) )
|
|
74 |
{
|
|
75 |
// we have an OTP, but no username to work with
|
|
76 |
$yubi_uid = substr($userdata['yubikey_otp'], 0, 12);
|
|
77 |
if ( !preg_match('/^[cbdefghijklnrtuv]{12}$/', $yubi_uid ) )
|
|
78 |
{
|
|
79 |
return array(
|
|
80 |
'mode' => 'error',
|
|
81 |
'error' => 'yubiauth_err_invalid_otp'
|
|
82 |
);
|
|
83 |
}
|
|
84 |
$q = $db->sql_query('SELECT u.user_id, u.username, u.user_yubikey_flags FROM ' . table_prefix . "users AS u\n"
|
|
85 |
. " LEFT JOIN " . table_prefix . "yubikey AS y\n"
|
|
86 |
. " ON ( y.user_id = u.user_id )\n"
|
|
87 |
. " WHERE y.yubi_uid = '$yubi_uid'\n"
|
|
88 |
. " GROUP BY u.user_yubikey_flags;");
|
|
89 |
if ( !$q )
|
|
90 |
$db->_die();
|
|
91 |
|
|
92 |
if ( $db->numrows() < 1 )
|
|
93 |
{
|
|
94 |
if ( !$do_validate_pass )
|
|
95 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
|
|
96 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', '
|
|
97 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
|
|
98 |
|
|
99 |
return array(
|
|
100 |
'mode' => 'error',
|
|
101 |
'error' => 'yubiauth_err_key_not_authorized'
|
|
102 |
);
|
|
103 |
}
|
|
104 |
|
|
105 |
list($user_id, $username, $flags) = $db->fetchrow_num();
|
|
106 |
$do_validate_otp = true;
|
|
107 |
$do_validate_user = $flags & $user_flag;
|
|
108 |
$do_validate_pass = $flags & $pass_flag;
|
|
109 |
}
|
|
110 |
else
|
|
111 |
{
|
|
112 |
// Nothing - no username or OTP. This request can't be used; throw it out.
|
|
113 |
return array(
|
|
114 |
'mode' => 'error',
|
|
115 |
'error' => 'yubiauth_err_nothing_provided'
|
|
116 |
);
|
|
117 |
}
|
|
118 |
if ( $do_validate_otp )
|
|
119 |
{
|
|
120 |
// We need to validate the OTP.
|
|
121 |
$otp_check = yubikey_validate_otp($userdata['yubikey_otp']);
|
|
122 |
if ( !$otp_check['success'] )
|
|
123 |
{
|
|
124 |
if ( !$do_validate_pass )
|
|
125 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
|
|
126 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', '
|
|
127 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
|
|
128 |
return array(
|
|
129 |
'mode' => 'error',
|
|
130 |
'error' => 'yubiauth_err_' . $otp_check['error']
|
|
131 |
);
|
|
132 |
}
|
|
133 |
}
|
|
134 |
if ( $do_validate_user )
|
|
135 |
{
|
|
136 |
if ( empty($username) )
|
|
137 |
{
|
|
138 |
return array(
|
|
139 |
'mode' => 'error',
|
|
140 |
'error' => 'yubiauth_err_must_have_username'
|
|
141 |
);
|
|
142 |
}
|
|
143 |
if ( strtolower($username) !== strtolower($userdata['username']) )
|
|
144 |
{
|
|
145 |
// Username incorrect
|
|
146 |
if ( !$do_validate_pass )
|
|
147 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
|
|
148 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_bad\', '.time().', \''.enano_date('d M Y h:i a').'\', \'(Yubikey)\', '
|
|
149 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
|
|
150 |
return array(
|
|
151 |
'mode' => 'error',
|
|
152 |
'error' => 'invalid_credentials'
|
|
153 |
);
|
|
154 |
}
|
|
155 |
}
|
|
156 |
// Do we need to have the password validated?
|
|
157 |
if ( $do_validate_pass )
|
|
158 |
{
|
|
159 |
// Yes; return and let the login API continue
|
|
160 |
return null;
|
|
161 |
}
|
|
162 |
else
|
|
163 |
{
|
|
164 |
// No password required; validated, issue session key
|
|
165 |
$session->sql('INSERT INTO ' . table_prefix . "logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES\n"
|
|
166 |
. ' (\'security\', \'' . $auth_log_prefix . 'auth_good\', '.time().', \''.enano_date('d M Y h:i a').'\', \'' . $db->escape($userdata['username']) . '\', '
|
|
167 |
. '\''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
|
|
168 |
|
|
169 |
$q = $db->sql_query('SELECT password FROM ' . table_prefix . "users WHERE user_id = $user_id;");
|
|
170 |
if ( !$q )
|
|
171 |
$db->_die();
|
|
172 |
|
|
173 |
list($password) = $db->fetchrow_num();
|
|
174 |
$db->free_result();
|
|
175 |
|
|
176 |
$session->register_session($user_id, $userdata['username'], $password, $level, $remember);
|
|
177 |
return true;
|
|
178 |
}
|
|
179 |
}
|
|
180 |
|
|
181 |
function yubikey_add_special_pages()
|
|
182 |
{
|
|
183 |
global $db, $session, $paths, $template, $plugins; // Common objects
|
|
184 |
global $lang;
|
|
185 |
|
|
186 |
$paths->add_page(array(
|
|
187 |
'name' => $lang->get('yubiauth_specialpage_yubikey'),
|
|
188 |
'urlname' => 'Yubikey',
|
|
189 |
'namespace' => 'Special',
|
|
190 |
'visible' => 0, 'protected' => 0, 'comments_on' => 0, 'special' => 0
|
|
191 |
));
|
|
192 |
}
|
|
193 |
|
|
194 |
function page_Special_Yubikey()
|
|
195 |
{
|
|
196 |
global $db, $session, $paths, $template, $plugins; // Common objects
|
|
197 |
|
|
198 |
header('Content-type: text/javascript');
|
|
199 |
/*
|
|
200 |
if ( isset($_GET['validate_otp']) )
|
|
201 |
{
|
|
202 |
echo enano_json_encode(yubikey_validate_otp($_GET['validate_otp']));
|
|
203 |
return true;
|
|
204 |
}
|
|
205 |
*/
|
|
206 |
if ( isset($_GET['get_flags']) || isset($_POST['get_flags']) )
|
|
207 |
{
|
|
208 |
$yubi_uid = substr($_REQUEST['get_flags'], 0, 12);
|
|
209 |
if ( !preg_match('/^[cbdefghijklnrtuv]{12}$/', $yubi_uid) )
|
|
210 |
{
|
|
211 |
return print enano_json_encode(array(
|
|
212 |
'mode' => 'error',
|
|
213 |
'error' => 'invalid_otp'
|
|
214 |
));
|
|
215 |
}
|
|
216 |
$q = $db->sql_query('SELECT u.user_yubikey_flags FROM ' . table_prefix . "users AS u\n"
|
|
217 |
. " LEFT JOIN " . table_prefix . "yubikey AS y\n"
|
|
218 |
. " ON ( y.user_id = u.user_id )\n"
|
|
219 |
. " WHERE y.yubi_uid = '$yubi_uid'\n"
|
|
220 |
. " GROUP BY u.user_yubikey_flags;");
|
|
221 |
if ( !$q )
|
|
222 |
$db->_die();
|
|
223 |
|
|
224 |
if ( $db->numrows() < 1 )
|
|
225 |
{
|
|
226 |
return print enano_json_encode(array(
|
|
227 |
'mode' => 'error',
|
|
228 |
'error' => 'key_not_authorized'
|
|
229 |
));
|
|
230 |
}
|
|
231 |
|
|
232 |
list($flags) = $db->fetchrow_num();
|
|
233 |
|
|
234 |
echo enano_json_encode(array(
|
|
235 |
// We strip YK_SEC_ALLOW_NO_OTP here for security reasons.
|
|
236 |
'flags' => intval($flags & ~YK_SEC_ALLOW_NO_OTP)
|
|
237 |
));
|
|
238 |
|
|
239 |
return true;
|
|
240 |
}
|
|
241 |
}
|
|
242 |
|