X-Git-Url: https://git.defcon.no/?a=blobdiff_plain;f=api%2Flib%2Fauth_base.php;h=0bf65f75eea7900dbc4dc0c5209f9e50545e4c85;hb=87cde98c94c33708506b8e94db43726393df5dfa;hp=97e557f9d4e63e0878f0dd50b93549ef718296f1;hpb=6496a650839b71ea7bfaab1b3b461886de4475a8;p=hermes

diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php
index 97e557f..0bf65f7 100644
--- a/api/lib/auth_base.php
+++ b/api/lib/auth_base.php
@@ -1,4 +1,30 @@
 <?php
+/*
+#  Copyright (c) 2012, GjÃ¸vik University College
+#  All rights reserved.
+
+#  Redistribution and use in source and binary forms, with or without
+#  modification, are permitted provided that the following conditions are met:
+#      * Redistributions of source code must retain the above copyright
+#        notice, this list of conditions and the following disclaimer.
+#      * Redistributions in binary form must reproduce the above copyright
+#        notice, this list of conditions and the following disclaimer in the
+#        documentation and/or other materials provided with the distribution.
+#      * Neither the name of the GjÃ¸vik University College nor the
+#        names of its contributors may be used to endorse or promote products
+#        derived from this software without specific prior written permission.
+#  
+#  THIS SOFTWARE IS PROVIDED BY GjÃ¸vik University College ''AS IS'' AND ANY
+#  EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+#  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+#  DISCLAIMED. IN NO EVENT SHALL GjÃ¸vik University College BE LIABLE FOR ANY
+#  DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+#  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+#  LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+#  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+#  (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+#  SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
 require_once('config.php');
 
 $config = get_config();
@@ -73,17 +99,17 @@ function simple_authfail()
 
 function token_auth( )
 {
-	global $_GET;
+	global $_POST;
 
 	// TODO: Part of ping/pong requirement.
 	// Run a function to clear all authkeys older than 5 minutes.
 	expire_authkeys();
 
-	if ( array_key_exists('session', $_GET ) 
-	     && array_key_exists('auth_key', $_GET ) )
+	if ( array_key_exists('session', $_POST ) 
+	     && array_key_exists('auth_key', $_POST ) )
 	{ 
-		if ( ! check_session($_GET['session'] ) ) simple_authfail();
-		if ( ! check_authkey($_GET['auth_key'] ) ) simple_authfail(); 
+		if ( ! check_session($_POST['session'] ) ) simple_authfail();
+		if ( ! check_authkey($_POST['auth_key'] ) ) simple_authfail(); 
 	}
 	else simple_authfail();
 }
@@ -112,7 +138,7 @@ function expire_authkeys()
 	$query = sprintf("SELECT session, sessid FROM %s WHERE `last` < DATE_SUB( NOW(), INTERVAL %d MINUTE)",
 		$config['sessionkeys_table'],
 		$config['sessionkey_lifetime']);
-	$result = sql_dbquery( $config['provision_db'], $query );
+	$result = sql_dbquery( $config['hermes_db'], $query );
 	while ( $row = @mysql_fetch_row( $result ) )
 	{
 		remove_session( $row[0], $row[1] );
@@ -122,7 +148,7 @@ function expire_authkeys()
 		$config['sessionkeys_table'],
 		$config['sessionkey_lifetime']);
 
-	sql_dbexec( $config['provision_db'], $query );
+	sql_dbexec( $config['hermes_db'], $query );
 }
 
 function update_authkey ( $session, $authid )
@@ -146,7 +172,7 @@ function update_authkey ( $session, $authid )
 		sql_clean($remote),
 		sql_clean($key),
 		sql_clean($key));
-	if ( ! sql_dbexec( $config['provision_db'], $query ) )
+	if ( ! sql_dbexec( $config['hermes_db'], $query ) )
 	{
 		mysql_error();
 	}
@@ -214,7 +240,7 @@ function clear_credentials($name)
 	$query = sprintf("DELETE FROM %s WHERE `session` = '%s'",
 		$config['sessionkeys_table'],
 		sql_clean($name));
-	sql_dbexec( $config['provision_db'], $query );
+	sql_dbexec( $config['hermes_db'], $query );
 
 	return false;
 }
@@ -252,14 +278,14 @@ function add_apikey ( $host, $level )
 
 	// Try to add the new key to authorizations first. If this
 	// fails, there will be the least amount of data to clean up ...
-	if ( ! update_authorization( $key, $level ) ) return false;
+	if ( ! update_authorization( "key", $key, $level ) ) return false;
 
 	$query = sprintf("INSERT INTO %s ( host, apikey ) VALUES ( '%s', '%s' )",
 		$config['apikeys_table'],
 		sql_clean($host),
 		sql_clean($key));
 
-	if ( ! sql_dbexec( $config['provision_db'], $query ) ) return false;
+	if ( ! sql_dbexec( $config['hermes_db'], $query ) ) return false;
 	return $key;
 }
 
@@ -272,7 +298,7 @@ function remove_apikey( $key )
 	$query = sprintf("DELETE FROM %s WHERE apikey = '%s'",
 		$config['apikeys_table'],
 		sql_clean($key) );
-	if ( ! sql_dbexec( $config['provision_db'], $query ) ) return false;
+	if ( ! sql_dbexec( $config['hermes_db'], $query ) ) return false;
 
 	return true;
 }
@@ -284,7 +310,7 @@ function verify_apikey( $key, $skip_hostcheck = false )
 	$query = sprintf("SELECT host FROM %s WHERE apikey = '%s'",
 		$config['apikeys_table'],
 		sql_clean($key) );
-	$row = sql_dbquery_single( $config['provision_db'], $query );
+	$row = sql_dbquery_single( $config['hermes_db'], $query );
 	if  (!$row) return false;
 	$host = $row['host'];
 
@@ -301,11 +327,12 @@ function list_apikeys ()
 	global $config;
 	$query = sprintf("SELECT k.apikey AS apikey, k.host AS host, 
 				a.access_level AS access_level 
-				FROM %s k INNER JOIN %s a ON k.apikey = a.authid",
+				FROM %s k INNER JOIN %s a ON k.apikey = a.authid
+				WHERE a.type = 'key'",
 			$config['apikeys_table'], 
 			$config['authorizations_table']);
 	$list = array();
-	$result = sql_dbquery( $config['provision_db'], $query);
+	$result = sql_dbquery( $config['hermes_db'], $query);
 	if ( ! $result ) return $list; 
 	while ( $row = @mysql_fetch_assoc( $result ) )
 	{
@@ -318,16 +345,51 @@ function list_apikeys ()
 	return $list;
 
 }
-function update_authorization( $authid, $level )
+
+function list_authusers ()
+{
+	global $config;
+	$query = sprintf("SELECT authid, access_level
+				FROM %s
+				WHERE type = 'user'",
+			$config['authorizations_table']);
+	$list = array();
+	$result = sql_dbquery( $config['hermes_db'], $query);
+	if ( ! $result ) return $list; 
+	while ( $row = @mysql_fetch_assoc( $result ) )
+	{
+		$username = $row['authid'];
+		$user_data = authuser_getinfo( $username );
+
+		// TODO: Remove invalid users here?
+		if ( ! $user_data ) continue;
+
+		array_push( $list, array(
+			'user' => $username,
+			'name' => $user_data['name'],
+			'email' => $user_data['email'],
+			'level' => authlevel_name( $row['access_level'] )
+		));
+	}
+	return $list;
+
+}
+
+
+
+function update_authorization( $type, $authid, $level )
 {
 	global $config;
 	if ( !is_numeric($level) ) return false;
-	$query = sprintf("INSERT INTO %s ( authid, access_level ) VALUES ( '%s', %d )
+	if ( ($type != "key") && ($type != "user") ) return false;
+
+	$query = sprintf("INSERT INTO %s ( authid, type, access_level ) VALUES ( '%s', '%s', %d )
 			ON DUPLICATE KEY UPDATE access_level=%d",
 		$config['authorizations_table'],
 		sql_clean($authid),
+		$type,
 		$level, $level);
-	if ( ! sql_dbexec( $config['provision_db'], $query ) ) return false;
+	if ( ! sql_dbexec( $config['hermes_db'], $query ) ) return false;
 	return true;
 }
 
@@ -338,7 +400,7 @@ function remove_authorization( $authid )
 		$config['authorizations_table'],
 		sql_clean($authid) );
 	//print $query . "\n\n";
-	if ( ! sql_dbexec( $config['provision_db'], $query ) ) return false;
+	if ( ! sql_dbexec( $config['hermes_db'], $query ) ) return false;
 	return true;
 }
 
@@ -348,7 +410,7 @@ function get_authorization( $type, $authid )
 	global $config;
 
 	// If API-key is used, but key fails verification, write is impossible.
-	if ( ( $type == "key" ) && ( ! verify_apikey( $authid ) ) )
+	if ( ( $type == "key" ) && ( ! verify_apikey( $authid, true ) ) )
 		return false;
 
 	// If User-login is used, but backend is unable to provide info, fail.
@@ -362,7 +424,7 @@ function get_authorization( $type, $authid )
 	$query = sprintf("SELECT access_level FROM %s  WHERE authid = '%s'",
 		$config['authorizations_table'],
 		sql_clean($authid) );
-	$row = sql_dbquery_single( $config['provision_db'], $query );
+	$row = sql_dbquery_single( $config['hermes_db'], $query );
 	if  (!$row) return false;
 	$level = $row['access_level'];
 	return $level;
@@ -373,7 +435,7 @@ function can_write ( )
 	// Stub, to be called on any API nodes that write data in the DB.
 	$authid = $_SESSION['authid'];
 	$type   = $_SESSION['type'];
-	
+
 	$level = get_authorization( $type, $authid );
 	if ( $level >= authlevel_value('read_write') ) return $level;
 	else return false;