From: Jon Langseth Date: Wed, 18 Jan 2012 20:52:26 +0000 (+0100) Subject: First stab at auth. Flow-changes to make things sort'a work X-Git-Url: https://git.defcon.no/?a=commitdiff_plain;h=ad1d2910ca34f0d69be10b637a4294a400beceb8;p=hermes First stab at auth. Flow-changes to make things sort'a work --- diff --git a/api/alias.php b/api/alias.php index 6451b2e..5bbdbf2 100644 --- a/api/alias.php +++ b/api/alias.php @@ -1,5 +1,6 @@ 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.')); + exit; +} + +//************************************************************************************* + switch ( $_SERVER['PATH_INFO'] ) + { + case "/list_users": + // List valid API user-acounts. + // Fail with notauthorized if current authentication + // does not have write access. + case "/authorize_user": + // Add or update a valid back-end user in authorization + // if the current authentication has write access. + // Since the user exists in backend, the only + // needed parameters should be username and access level + // If the authorization does not exist, add it. + // If the user is already authorized, replace access level. + case "/add_user": + // Add user to backend if backend is read-write and + // the current authentication has write access. + case "/update_user": + // Update the given user in the backend, if the backend + // is read-write, and the current authentication has + // write access. + case "/remove_user": + // Delete user from backend if backend is read-write + // and the current authentication has write access. + case "/list_apikeys": + // List valid API keys. + // Fail is current authorization does not have write access. + case "/new_apikey": + // If the current authorization has write access, create + // a new API key with requested access (ro/rw). + case "/remove_apikey": + // If the current authorization has write access, + // remove the given API key. + print json_encode ( array( 'response' => 'notimplemented') ); + break; + default: + print json_encode ( array( 'response' => 'invalid') ); + } +//************************************************************************************* +mysql_close( $config['sql_link'] ); +?> diff --git a/api/config.php.sample b/api/config.php.sample index 66d03dc..f123978 100644 --- a/api/config.php.sample +++ b/api/config.php.sample @@ -1,6 +1,5 @@ 'failed', 'cause' => 'unauthorized', 'description' => 'Not authorized') ); - exit; -} -?> diff --git a/api/lib/auth_base.php b/api/lib/auth_base.php new file mode 100644 index 0000000..ae8a5eb --- /dev/null +++ b/api/lib/auth_base.php @@ -0,0 +1,63 @@ + 'error', 'cause' => 'auth-load' ) ); exit; } +} +else +{ print json_encode( array( 'response' => 'error', 'cause' => 'config-error' ) ); exit; } +/*******************************/ + +function check_authkey ( $key ) +{ + global $config; + if ( $key == "6327c08b70f9" ) return true; + return false; + +} + +function new_key( ) +{ + // Basically this is at the moment a slightly modified + // version of generate_password() from user_functiions.php + // The behaviour/output of this function is expected to change + // so using generate_password() directly does not make sense... + $length = 16; + $string = ""; + while ( strlen( $string ) < $length ) + { + $string .= crypt( substr(sha1(rand()), 0, $length) ); + $string = preg_replace( '/\W/', '', $string); + } + return substr( $string, 0, $length ); +} + +function simple_authfail() +{ + print json_encode( array( 'response' => 'failed', 'cause' => 'unauthorized', 'description' => 'Not authorized') ); + exit; +} + +function token_auth( ) +{ + global $_GET; + + if ( array_key_exists('auth_key', $_GET ) ) + { if ( ! check_authkey($_GET['auth_key'] ) ) simple_authfail(); } + else simple_authfail(); +} + +function can_write ( ) +{ + // Stub, to be called on any API nodes taht write data in the DB. + return true; +} + +?> diff --git a/api/lib/auth_plugins/permitall.php b/api/lib/auth_plugins/permitall.php new file mode 100644 index 0000000..24a1ad4 --- /dev/null +++ b/api/lib/auth_plugins/permitall.php @@ -0,0 +1,92 @@ + Failure (e.g. backend not available) + // * 0 -> username/password rejected + // * 1 -> username/password accepted + + return 1; +} + +?> diff --git a/api/lib/user_functions.php b/api/lib/user_functions.php index 3a53c88..e22412a 100644 --- a/api/lib/user_functions.php +++ b/api/lib/user_functions.php @@ -5,11 +5,16 @@ require_once('lib/db_functions.php'); $config = get_config(); +// Default length 24 characters to provide a long password +// that still is short enough that Cisco SPA phones can use it function generate_password( $length = 24 ) { $string = ""; while ( strlen( $string ) < $length ) - $string .= substr(md5(rand().rand()), 0, $length); + { + $string .= crypt(substr(md5(rand().rand()), 0, $length)); + $string = preg_replace( '/\W/', '', $string); + } return substr( $string, 0, $length ); } diff --git a/api/numbers.php b/api/numbers.php index e9fc796..7874394 100644 --- a/api/numbers.php +++ b/api/numbers.php @@ -1,6 +1,6 @@ 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.')); exit; } +token_auth(); //************************************************************************************* switch ( $_SERVER['PATH_INFO'] ) diff --git a/api/user.php b/api/user.php index 1014317..a601d77 100644 --- a/api/user.php +++ b/api/user.php @@ -1,5 +1,6 @@ 'failed', 'cause' => 'error', 'detail' => 'Database connection failed.')); exit; } +token_auth(); //************************************************************************************* switch ( $_SERVER['PATH_INFO'] )