X-Git-Url: https://git.defcon.no/?a=blobdiff_plain;f=api%2Fauth.php;h=451581321a03b1f6e233d73713f73ad8a34388b5;hb=87cde98c94c33708506b8e94db43726393df5dfa;hp=1513aae2d7585dd948c387f439e1a240abca605a;hpb=6496a650839b71ea7bfaab1b3b461886de4475a8;p=hermes

diff --git a/api/auth.php b/api/auth.php
index 1513aae..4515813 100644
--- a/api/auth.php
+++ b/api/auth.php
@@ -1,4 +1,30 @@
 <?php
+/*
+#  Copyright (c) 2012, GjÃ¸vik University College
+#  All rights reserved.
+
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#      * Redistributions of source code must retain the above copyright
+#        notice, this list of conditions and the following disclaimer.
+#      * Redistributions in binary form must reproduce the above copyright
+#        notice, this list of conditions and the following disclaimer in the
+#        documentation and/or other materials provided with the distribution.
+#      * Neither the name of the GjÃ¸vik University College nor the
+#        names of its contributors may be used to endorse or promote products
+#        derived from this software without specific prior written permission.
+#       
+#  THIS SOFTWARE IS PROVIDED BY GjÃ¸vik University College ''AS IS'' AND ANY
+#  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#  DISCLAIMED. IN NO EVENT SHALL GjÃ¸vik University College BE LIABLE FOR ANY
+#  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+#  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 require_once('config.php');
 require_once('lib/auth_base.php');
 require_once('lib/common_functions.php');
@@ -32,13 +58,13 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 			$type = false;
 			$authid = false;
 
-			if ( array_key_exists('username', $_GET) 
-				&& array_key_exists('password', $_GET) )
+			if ( array_key_exists('username', $_POST) 
+				&& array_key_exists('password', $_POST) )
 			{
-				if ( 1 == authuser_verify( sql_clean($_GET['username']), sql_clean($_GET['password'])))
+				if ( 1 == authuser_verify( sql_clean($_POST['username']), sql_clean($_POST['password'])))
 				{
 					$type = "user";
-					$authid = $_GET['username'];
+					$authid = $_POST['username'];
 				}
 				else
 				{
@@ -46,12 +72,12 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 					exit;
 				}
 			}
-			else if ( array_key_exists('api_key', $_GET) )
+			else if ( array_key_exists('api_key', $_POST) )
 			{
-				if ( verify_apikey( sql_clean( $_GET['api_key'] ) ) == 1 )
+				if ( verify_apikey( sql_clean( $_POST['api_key'] ) ) == 1 )
 				{
 					$type = "key";
-					$authid = $_GET['api_key'];
+					$authid = $_POST['api_key'];
 				}
 				else
 				{
@@ -72,8 +98,8 @@ if ( ( $_SERVER['PATH_INFO'] == "/login" ) || ( $_SERVER['PATH_INFO'] == "/logou
 			// De-authenticate/deauthorize the ongoing session.
 			// I.e. destroy session data, remove session cookies.
 			$session_name = "";
-			if ( array_key_exists('session', $_GET ) )
-				$session_name = $_GET['session'];
+			if ( array_key_exists('session', $_POST ) )
+				$session_name = $_POST['session'];
 			session_name($session_name);
 			session_start();
 			clear_credentials($session_name);
@@ -101,7 +127,7 @@ else
 			// The ping required a valid session...
 			// A successful ping returns a 'response' => 'pong'
 			// along with the new auth_key.
-			$session_name = $_GET['session'];
+			$session_name = $_POST['session'];
 			$authid = $_SESSION['authid'];
 			$auth_key = update_authkey( $session_name, $authid );
 			print json_encode( array( 'response' => 'pong', 'auth_key' => $auth_key ));
@@ -112,11 +138,11 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('host_ip', $_GET )
-				&& array_key_exists('access', $_GET ))
+			if ( array_key_exists('host_ip', $_POST )
+				&& array_key_exists('access', $_POST ))
 			{
-				$host = $_GET['host_ip'];
-				$access = $_GET['access'];
+				$host = $_POST['host_ip'];
+				$access = $_POST['access'];
 
 				if (! preg_match("/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$/", $host) || ! authlevel_value( $access ) )
 				{
@@ -130,7 +156,7 @@ else
 					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
 					break;
 				}
-				print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( $level ) ) );
+				print json_encode( array( 'response' => 'ok', 'key' => $key, 'host' => $host, 'access' => authlevel_name( get_authorization( "key", $key ) ) ) );
 				break;
 			}
 			else print json_encode ( array( 'response' => 'invalid') );
@@ -141,9 +167,9 @@ else
 			if ( ! can_write() )
 				simple_authfail();
 
-			if ( array_key_exists('api_key', $_GET ) )
+			if ( array_key_exists('api_key', $_POST ) )
 			{
-				$key = sql_clean( $_GET['api_key'] );
+				$key = sql_clean( $_POST['api_key'] );
 				// Perform a key-verification, skipping host/remote-address check.
 				if ( ! verify_apikey( $key, true ) )
 				{
@@ -175,16 +201,89 @@ else
 			// needed parameters should be username and access level
 			// If the authorization does not exist, add it.
 			// If the user is already authorized, replace access level.
+			if ( ! can_write() )
+				simple_authfail();
+
+			if ( array_key_exists('username', $_POST )
+				&& array_key_exists('access', $_POST ))
+			{
+				$user = $_POST['username'];
+				$access = $_POST['access'];
+				$level = authlevel_value( $access );
+
+				if ( ! $level )
+				{
+					print json_encode ( array( 'response' => 'invalid', 'cause' => 'parameters' ) );
+					break;	
+				}
+				if ( ! authuser_getinfo( $user ) )
+				{
+					print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
+					break;
+				}
+
+				if ( ! update_authorization( "user", $user, $level ) )
+				{
+					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
+					break;
+				}
+
+				print json_encode( array( 'response' => 'ok', 'user' => $user, 'access' => authlevel_name( get_authorization( "user", $user ) ) ) );
+				break;
+			}
+			else print json_encode ( array( 'response' => 'invalid') );
+			break;	
+
 		case "/remove_user":
 			// If the current authentication has write access:
 			// Remove authorization for the given users.
 			// Delete user from backend if backend is read-write.
+			if ( ! can_write() )
+				simple_authfail();
+
+			if ( array_key_exists('username', $_POST ))
+			{
+				$user = $_POST['username'];
+
+				$t_level = get_authorization( "user", $user ); 
+
+				if ( $t_level && ! remove_authorization( $user ) )
+				{
+					print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
+					break;
+				}
+				if ( ! authmethod_readonly() )
+				{
+					if ( !authuser_getinfo( $user ) )
+					{
+						print json_encode( array ( 'response' => 'failed', 'cause' => 'nonexistant'));
+						break;
+					}
+					if ( !authuser_delete( $user ) )
+					{
+						print json_encode( array( 'response' => 'failed', 'cause' => 'error', 'detail' => 'Database error.'));
+						break;
+					}
+				}
+
+				print json_encode( array( 'response' => 'ok', 'user' => $user ) );
+				break;
+			}
+			else print json_encode ( array( 'response' => 'invalid') );
+			break;	
+
 		case "/list_users":
 			// List valid API user-acounts.
 			// Fail with notauthorized if current authentication
 			// does not have write access.
 			// Should not return users from backend, 
 			// but should only return users with authorization.
+			if ( ! can_write() )
+				simple_authfail();
+			$list = list_authusers();
+			print json_encode( array( 'response' => 'ok', 'list' => $list ) );
+			break;
+
 		case "/add_user":
 			// Add user to backend if backend is read-write and
 			// the current authentication has write access.