From ad1d2910ca34f0d69be10b637a4294a400beceb8 Mon Sep 17 00:00:00 2001
From: Jon Langseth <jon.langseth@lilug.no>
Date: Wed, 18 Jan 2012 21:52:26 +0100
Subject: [PATCH] First stab at auth. Flow-changes to make things sort'a work

---
 api/alias.php                      |  3 +
 api/auth.php                       | 61 ++++++++++++++++++++
 api/config.php.sample              |  1 -
 api/domain.php                     |  3 +
 api/lib/auth.php                   | 13 -----
 api/lib/auth_base.php              | 63 ++++++++++++++++++++
 api/lib/auth_plugins/permitall.php | 92 ++++++++++++++++++++++++++++++
 api/lib/user_functions.php         |  7 ++-
 api/numbers.php                    |  4 +-
 api/phone.php                      |  2 +
 api/user.php                       |  2 +
 11 files changed, 235 insertions(+), 16 deletions(-)
 create mode 100644 api/auth.php
 delete mode 100644 api/lib/auth.php
 create mode 100644 api/lib/auth_base.php
 create mode 100644 api/lib/auth_plugins/permitall.php

diff --git a/api/alias.php b/api/alias.php
index 6451b2e..5bbdbf2 100644
--- a/api/alias.php
+++ b/api/alias.php
@@ -1,5 +1,6 @@
 <?php
 require_once('config.php');
+require_once('lib/auth_base.php');
 require_once('lib/user_functions.php');
 require_once('lib/number_functions.php');
 require_once('lib/common_functions.php');
@@ -19,6 +20,8 @@ if ( !$config['sql_link'] )
 	exit;
 }
 
+token_auth();
+
 //*************************************************************************************	
 	switch ( $_SERVER['PATH_INFO'] )
 	{
diff --git a/api/auth.php b/api/auth.php
new file mode 100644
index 0000000..38b1560
--- /dev/null
+++ b/api/auth.php
@@ -0,0 +1,61 @@
+<?php
+require_once('config.php');
+require_once('lib/auth_base.php');
+require_once('lib/common_functions.php');
+require_once('lib/db_functions.php');
+require_once('lib/domain_functions.php');
+
+$config = get_config();
+
+$config['sql_link'] = @mysql_connect( 
+	$config['sql_server'],
+	$config['sql_username'],
+	$config['sql_password']
+);
+if ( !$config['sql_link'] )
+{
+	print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
+	exit;
+}
+
+//*************************************************************************************	
+	switch ( $_SERVER['PATH_INFO'] )
+	{
+		case "/list_users":
+			// List valid API user-acounts.
+			// Fail with notauthorized if current authentication
+			// does not have write access.
+		case "/authorize_user":
+			// Add or update a valid back-end user in authorization
+			// if the current authentication has write access.
+			// Since the user exists in backend, the only
+			// needed parameters should be username and access level
+			// If the authorization does not exist, add it.
+			// If the user is already authorized, replace access level.
+		case "/add_user":
+			// Add user to backend if backend is read-write and
+			// the current authentication has write access.
+		case "/update_user":
+			// Update the given user in the backend, if the backend
+			// is read-write, and the current authentication has
+			// write access.
+		case "/remove_user":
+			// Delete user from backend if backend is read-write
+			// and the current authentication has write access.
+		case "/list_apikeys":
+			// List valid API keys.
+			// Fail is current authorization does not have write access.
+		case "/new_apikey":
+			// If the current authorization has write access, create
+			// a new API key with requested access (ro/rw).
+		case "/remove_apikey":
+			// If the current authorization has write access,
+			// remove the given API key.
+			print json_encode ( array( 'response' => 'notimplemented') );
+			break;
+		default:
+			print json_encode ( array( 'response' => 'invalid') );
+	}
+//*************************************************************************************	
+mysql_close( $config['sql_link'] );
+?>
diff --git a/api/config.php.sample b/api/config.php.sample
index 66d03dc..f123978 100644
--- a/api/config.php.sample
+++ b/api/config.php.sample
@@ -1,6 +1,5 @@
 <?php
 
-require_once('lib/auth.php');
 function get_config()
 {
 	return array(
diff --git a/api/domain.php b/api/domain.php
index b91a347..7c8a797 100644
--- a/api/domain.php
+++ b/api/domain.php
@@ -1,5 +1,6 @@
 <?php
 require_once('config.php');
+require_once('lib/auth_base.php');
 require_once('lib/common_functions.php');
 require_once('lib/db_functions.php');
 require_once('lib/domain_functions.php');
@@ -17,6 +18,8 @@ if ( !$config['sql_link'] )
 	exit;
 }
 
+token_auth();
+
 //*************************************************************************************	
 	switch ( $_SERVER['PATH_INFO'] )
 	{
diff --git a/api/lib/auth.php b/api/lib/auth.php
deleted file mode 100644
index 2f8f9cf..0000000
--- a/api/lib/auth.php
+++ /dev/null
@@ -1,13 +0,0 @@
-<?php
-
-function token_auth( )
-{
-	return true;
-}
-
-if (! token_auth() )
-{
-	print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Not authorized') );
-	exit;
-}
-?>
diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php
new file mode 100644
index 0000000..ae8a5eb
--- /dev/null
+++ b/api/lib/auth_base.php
@@ -0,0 +1,63 @@
+<?php
+require_once('config.php');
+
+$config = get_config();
+
+/*******************************
+* Load authentication plugin ..
+*******************************/
+if ( preg_match('/^\w+$/', $config['auth_backend']))
+{
+	if ( !@include_once ( 'lib/auth_plugins/' . $config['auth_backend'] . ".php" ) )
+	{  print json_encode( array( 'response' => 'error', 'cause' => 'auth-load' ) ); exit; }
+}
+else
+{  print json_encode( array( 'response' => 'error', 'cause' => 'config-error' ) ); exit; }
+/*******************************/
+
+function check_authkey ( $key )
+{
+	global $config;
+	if ( $key == "6327c08b70f9" ) return true;
+	return false;
+
+}
+
+function new_key(  )
+{
+	// Basically this is at the moment a slightly modified
+	// version of generate_password() from user_functiions.php
+	// The behaviour/output of this function is expected to change
+	// so using generate_password() directly does not make sense...
+	$length = 16;
+	$string = "";
+	 while ( strlen( $string ) < $length )
+	 {
+		$string .= crypt( substr(sha1(rand()), 0, $length) );
+		$string = preg_replace( '/\W/', '', $string);
+	 }
+	return substr( $string, 0, $length );
+}
+
+function simple_authfail()
+{
+	print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Not authorized') );
+	exit;
+}
+
+function token_auth( )
+{
+	global $_GET;
+
+	if ( array_key_exists('auth_key', $_GET ) )
+	{ if ( ! check_authkey($_GET['auth_key'] ) ) simple_authfail(); }
+	else simple_authfail();
+}
+
+function can_write ( )
+{
+	// Stub, to be called on any API nodes taht write data in the DB.
+	return true;
+}
+
+?>
diff --git a/api/lib/auth_plugins/permitall.php b/api/lib/auth_plugins/permitall.php
new file mode 100644
index 0000000..24a1ad4
--- /dev/null
+++ b/api/lib/auth_plugins/permitall.php
@@ -0,0 +1,92 @@
+<?php
+/*
+	permitall.php is a sample authentication plugin
+	that responds with 'accept' regardless of what
+	usernames and passwords are passed to it.
+
+	This plugin should serve as a sample plugin:
+	all authentication plugins must implement
+	all functions defined here.
+
+	NOTE that the auth-plugins are for authentication
+	only, and is not doing any kind of authorization.
+
+	NOTE that the auth-plugins handle user
+	authentication for API functions....
+
+*/
+
+// Is the backend readonly?
+function authmethod_readonly ()
+{
+	// Each auth-plugin must specify if users can
+	// be modified in the backend by responding to
+	// the authmethod_readonly with a true/false.
+	//
+	// By returning false to a readonly-poll, the
+	// plugin should be able to add users to the
+	// backend, and also must be able to change
+	// user data and passwords.
+	return true;
+}
+
+// Fetch user geckos (basic display info)
+function authuser_getinfo ( $username )
+{
+	$user['name']     = "Default User";
+	$user['email']    = "example@example.com";
+	return $user;
+}
+
+// Update geckos-info for user in backend
+function authuser_setinfo ( $username, $name, $email )
+{
+	// RW plugins should return false on failure,
+	// and true on success updating user information
+	// RO plugins should always return false
+	return false;
+}
+
+// Change a user-password in the backend
+function authuser_password ( $username, $password )
+{
+	// RW plugins should return false on failure,
+	// and true on success updating user information
+	// RO plugins should always return false
+	return false;
+}
+
+// Add a user to the backend
+function authuser_add ( $username, $name, $email, $password )
+{
+	// RW plugins should return false on failure,
+	// and true on success updating user information
+	// RO plugins should always return false
+	return false;
+}
+
+// Remove a user from the backend.
+function authuser_delete ( $username )
+{
+	// RW plugins should return false on failure,
+	// and true on success updating user information
+	// RO plugins should always return false
+	return false;
+}
+
+// Username+password verification. Basically "login"
+function authuser_verify ( $username, $password )
+{
+	// This plugin will always accept.
+	// A real plugin should naturally perform strong user
+	// verification. 
+	//
+	// Valid return values from this function:
+	//  * -1 -> Failure (e.g. backend not available)
+	//  * 0  -> username/password rejected
+	//  * 1  -> username/password accepted
+
+	return 1;
+}
+
+?>
diff --git a/api/lib/user_functions.php b/api/lib/user_functions.php
index 3a53c88..e22412a 100644
--- a/api/lib/user_functions.php
+++ b/api/lib/user_functions.php
@@ -5,11 +5,16 @@ require_once('lib/db_functions.php');
 
 $config = get_config();
 
+// Default length 24 characters to provide a long password
+// that still is short enough that Cisco SPA phones can use it
 function generate_password( $length = 24 )
 {
 	$string = "";
 	 while ( strlen( $string ) < $length )
-		$string .= substr(md5(rand().rand()), 0, $length);
+	 {
+		$string .= crypt(substr(md5(rand().rand()), 0, $length));
+		$string = preg_replace( '/\W/', '', $string);
+	 }
 	return substr( $string, 0, $length );
 
 }
diff --git a/api/numbers.php b/api/numbers.php
index e9fc796..7874394 100644
--- a/api/numbers.php
+++ b/api/numbers.php
@@ -1,6 +1,6 @@
 <?php
 require_once('config.php');
-//require_once('lib/user_functions.php');
+require_once('lib/auth_base.php');
 require_once('lib/common_functions.php');
 require_once('lib/db_functions.php');
 require_once('lib/number_functions.php');
@@ -18,6 +18,8 @@ if ( !$config['sql_link'] )
 	exit;
 }
 
+token_auth();
+
 //*************************************************************************************	
 	switch ( $_SERVER['PATH_INFO'] )
 	{
diff --git a/api/phone.php b/api/phone.php
index 9437d66..a47c494 100644
--- a/api/phone.php
+++ b/api/phone.php
@@ -1,5 +1,6 @@
 <?php
 require_once('config.php');
+require_once('lib/auth_base.php');
 require_once('lib/user_functions.php');
 require_once('lib/common_functions.php');
 require_once('lib/db_functions.php');
@@ -17,6 +18,7 @@ if ( !$config['sql_link'] )
 	print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
 	exit;
 }
+token_auth();
 
 //*************************************************************************************	
 	switch ( $_SERVER['PATH_INFO'] )
diff --git a/api/user.php b/api/user.php
index 1014317..a601d77 100644
--- a/api/user.php
+++ b/api/user.php
@@ -1,5 +1,6 @@
 <?php
 require_once('config.php');
+require_once('lib/auth_base.php');
 require_once('lib/user_functions.php');
 require_once('lib/common_functions.php');
 require_once('lib/db_functions.php');
@@ -18,6 +19,7 @@ if ( !$config['sql_link'] )
 	print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.'));
 	exit;
 }
+token_auth();
 
 //*************************************************************************************	
 	switch ( $_SERVER['PATH_INFO'] )
-- 
2.39.2