From bae8b3e877512740864ffd1e08820b41c71cf72b Mon Sep 17 00:00:00 2001 From: Daniel Stefan Haischt Date: Sun, 9 Sep 2007 21:47:15 +0000 Subject: * added initial release of user- and groupmanager stuff (now being called authng) * this is just a working, unfinished version. It does not work as expected right now. --- packages/authng/pkg/authng.inc | 78 +++++ packages/authng/pkg/authng.xml | 194 ++++++++++++ packages/authng/pkg/authng_authgui.inc | 287 ++++++++++++++++++ packages/authng/pkg/authng_authmethods.inc | 222 ++++++++++++++ packages/authng/pkg/authng_backends.inc | 234 ++++++++++++++ packages/authng/pkg/authng_classdefs.inc | 466 ++++++++++++++++++++++++++++ packages/authng/pkg/authng_peers.inc | 471 +++++++++++++++++++++++++++++ 7 files changed, 1952 insertions(+) create mode 100644 packages/authng/pkg/authng.inc create mode 100644 packages/authng/pkg/authng.xml create mode 100644 packages/authng/pkg/authng_authgui.inc create mode 100644 packages/authng/pkg/authng_authmethods.inc create mode 100644 packages/authng/pkg/authng_backends.inc create mode 100644 packages/authng/pkg/authng_classdefs.inc create mode 100644 packages/authng/pkg/authng_peers.inc (limited to 'packages/authng/pkg') diff --git a/packages/authng/pkg/authng.inc b/packages/authng/pkg/authng.inc new file mode 100644 index 00000000..a9b95838 --- /dev/null +++ b/packages/authng/pkg/authng.inc @@ -0,0 +1,78 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("authng_authmethods.inc"); +require_once("authng_backends.inc"); +require_once("authng_peers.inc"); + +// TODO: Define user- and groupindex array + +// get principal store type from config.xml +$principalStore = $config['system']['webgui']['principal_store']; +// get PeerFactory instance +$peerFactory =& PeerFactory::getInstance(); +// get the actual UserPeer that holds the user index +$userPeer =& $peerFactory->getUserPeerByPrincipalStore($principalStore); +// get the actual GroupPeer that holds the user index +$groupPeer =& $peerFactory->getGroupPeerByPrincipalStore($principalStore); +// get AuthMethodFactory instance +$authMethodFactory =& AuthMethodFactory::getInstance(); +// get BackendFactory instance +$backendFactory =& BackendFactory::getInstance(); +// get the actual auth method +$authMethod =& $authMethodFactory->getAuthMethodByName($config['system']['webgui']['auth_method']); +// get the actual backend +$backend =& $backendFactory->getBackendByName($config['system']['webgui']['backing_method']); + +function syncPackageAuthNG() { +} + +function installPackageAuthNG() { + mwexec("cd / && /usr/bin/patch < /usr/local/pkg/authng-pfSenseHead.diff"); + mwexec("cd / && /usr/bin/patch < /usr/local/pkg/authng-fbegin.inc.diff"); + mwexec("cd / && /usr/bin/patch < /usr/local/pkg/authng-guiconfig.inc.diff"); + mwexec("cd / && /usr/bin/patch < /usr/local/pkg/authng-globals.inc.diff"); +} + +function deinstallPackageAuthNG() { + mwexec("cd / && /usr/bin/patch -R < /usr/local/pkg/authng-pfSenseHead.diff"); + mwexec("cd / && /usr/bin/patch -R < /usr/local/pkg/authng-fbegin.inc.diff"); + mwexec("cd / && /usr/bin/patch -R < /usr/local/pkg/authng-guiconfig.inc.diff"); + mwexec("cd / && /usr/bin/patch -R < /usr/local/pkg/authng-globals.inc.diff"); +} +?> \ No newline at end of file diff --git a/packages/authng/pkg/authng.xml b/packages/authng/pkg/authng.xml new file mode 100644 index 00000000..cebcea93 --- /dev/null +++ b/packages/authng/pkg/authng.xml @@ -0,0 +1,194 @@ + + + + + + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + + This package provides a user- and groupmanager which + allows to add arbitrary groups to the system and assign + them to a particular group. + + Permission control is provided on a per group basis. + + + This package is supposed to be run on RELENG based pfSense systems. + + Currently there are no FAQ items provided. + authng + 1.0 + System: User Manager + /usr/local/pkg/authng.inc + + + Auth Manager +
System
+ /system_usermanager.php + + + + + ['installedpackages']['authng']['config'] + + + /usr/local/www/ + 0755 + http://www.pfsense.com/packages/config/authng/www/php/system_usermanager.php + + + /usr/local/www/ + 0755 + http://www.pfsense.com/packages/config/authng/www/php/system_usermanager_edit.php + + + /usr/local/www/ + 0755 + http://www.pfsense.com/packages/config/authng/www/php/system_usermanager_settings.php + + + /usr/local/www/ + 0755 + http://www.pfsense.com/packages/config/authng/www/php/system_groupmanager.php + + + /usr/local/www/ + 0755 + http://www.pfsense.com/packages/config/authng/www/php/head.inc + + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng_classdefs.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng_peers.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng_backends.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng_authmethods.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/pkg/authng_authgui.inc + + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/diff/authng-pfSenseHead.diff + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/diff/authng-fbegin.inc.diff + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/diff/authng-globals.inc.diff + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/authng/diff/authng-guiconfig.inc.diff + + + + /usr/bin/ + 0755 + http://www.pfsense.com/packages/config/authng/bin/patch + + + + + syncPackageAuthNG(); + + + installPackageAuthNG(); + + + deinstallPackageAuthNG(); + + diff --git a/packages/authng/pkg/authng_authgui.inc b/packages/authng/pkg/authng_authgui.inc new file mode 100644 index 00000000..0556883e --- /dev/null +++ b/packages/authng/pkg/authng_authgui.inc @@ -0,0 +1,287 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("authng.inc"); + +/* Authenticate user - exit if failed (we should have a callback for this maybe) */ +if (empty($authMethod)) { print "auth_method missing!\n"; } +if (empty($backend)) { print "backing_method missing!\n"; } +if (!$authMethod->authenticate($backend)) { exit; } + +/* scriptname is set in headjs.php if the user did try to access a page other + * than index.php without beeing logged in. + */ +if (isset($_POST['scriptname']) && isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER'])) { + pfSenseHeader("{$_POST['scriptname']}"); + exit; +} + +$allowed = array(); + +// Once here, the user has authenticated with the web server. +// Now, we give them access only to the appropriate pages for their group. +if (!(isSystemAdmin($HTTP_SERVER_VARS['AUTH_USER']))) { + $allowed[] = ''; + if (isset($config['system']['group'][$groupindex[$config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']]]['pages'][0]['page'])) { + $useridx = $userindex[$HTTP_SERVER_VARS['AUTH_USER']]; + $grouidx = $groupindex[$config['system']['user'][$useridx]]; + $allowed = &$config['system']['group'][$groupidx]['pages'][0]['page']; + } + + $group = $config['system']['user'][$userindex[$HTTP_SERVER_VARS['AUTH_USER']]]['groupname']; + /* get the group homepage, to be able to forward + * the user to this particular PHP page. + */ + getGroupHomePage($group) == "" ? $home = "/index.php" : $home = "/" . getGroupHomePage($group); + + /* okay but if the user realy tries to explicitely access a particular + * page, set $home to that page instead. + */ + if (isset($_POST['scriptname']) && $_POST['scriptname'] <> "/" && $_POST['scriptname'] <> "/index.php") + $home = basename($_POST['scriptname']); + + // If the user is attempting to hit the default page, set it to specifically look for /index.php. + // Without this, any user would have access to the index page. + //if ($_SERVER['SCRIPT_NAME'] == '/') + // $_SERVER['SCRIPT_NAME'] = $home; + + // Strip the leading / from the currently requested PHP page + if (!in_array(basename($_SERVER['SCRIPT_NAME']),$allowed)) { + // The currently logged in user is not allowed to access the page + // they are attempting to go to. Redirect them to an allowed page. + + if(stristr($_SERVER['SCRIPT_NAME'],"sajax")) { + echo "||Access to AJAX has been disallowed for this user."; + exit; + } + + if ($home <> "" && in_array($home, $allowed)) { + pfSenseHeader("{$home}"); + exit; + } else { + header("HTTP/1.0 401 Unauthorized"); + header("Status: 401 Unauthorized"); + + echo display_error_form("401", "401 Unauthorized. Authorization required."); + exit; + } + } + + if (isset($_SESSION['Logged_In'])) { + /* + * only forward if the user has just logged in + * TODO: session auth based - may be an issue. + */ + if ($_SERVER['SCRIPT_NAME'] <> $home && empty($_SESSION['First_Visit'])) { + $_SESSION['First_Visit'] = "False"; + pfSenseHeader("{$home}"); + exit; + } + } +} + +function display_error_form($http_code, $desc) { + global $g; + + $htmlstr = << + + + + An error occurred: {$http_code} + + + + + + + + + +
+

 

+

{$desc}

+
+ + + +EOD; + + return $htmlstr; +} + +function display_login_form() { + require_once("globals.inc"); + global $g; + + if(isAjax()) { + if (isset($_POST['login'])) { + if($_SESSION['Logged_In'] <> "True") { + isset($_SESSION['Login_Error']) ? $login_error = $_SESSION['Login_Error'] : $login_error = "unknown reason"; + echo "showajaxmessage('Invalid login ({$login_error}).');"; + } + if (file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + $whom = file_get_contents("{$g['tmp_path']}/webconfigurator.lock"); + echo "showajaxmessage('This device is currently beeing maintained by: {$whom}.');"; + } + } + exit; + } + +?> + + + + + + <?=gettext("Login"); ?> + + + + + + + + + + + +
+

 

+
+
+

+ + :   + + +

+

+ + :   + + +

+ + + + + +

" tabindex="3" />
+
+
+ + + \ No newline at end of file diff --git a/packages/authng/pkg/authng_authmethods.inc b/packages/authng/pkg/authng_authmethods.inc new file mode 100644 index 00000000..15e15566 --- /dev/null +++ b/packages/authng/pkg/authng_authmethods.inc @@ -0,0 +1,222 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +class AbstractAuthMethod { + function authenticate($backend) { + trigger_error('AbstractAuthMethod::authenticate() needs to be overridden in a subclass.', E_USER_ERROR); + } +} + +class BasicAuthMethod extends AbstractAuthMethod { + function authenticate($backend) { + global $HTTP_SERVER_VARS; + + /* Check for AUTH_USER */ + if ($HTTP_SERVER_VARS['PHP_AUTH_USER'] <> "") { + $HTTP_SERVER_VARS['AUTH_USER'] = $HTTP_SERVER_VARS['PHP_AUTH_USER']; + $HTTP_SERVER_VARS['AUTH_PW'] = $HTTP_SERVER_VARS['PHP_AUTH_PW']; + } + if (!isset($HTTP_SERVER_VARS['AUTH_USER'])) { + require_once("authng_authgui.inc"); + header("WWW-Authenticate: Basic realm=\".\""); + header("HTTP/1.0 401 Unauthorized"); + display_error_form("401", gettext("You must enter valid credentials to access this resource.")); + exit; + } else { + return $backend($HTTP_SERVER_VARS['AUTH_USER'],$HTTP_SERVER_VARS['AUTH_PW']); + } + } +} + +class SessionAuthMethod extends AbstractAuthMethod { + function authenticate($backend) { + global $g, $HTTP_SERVER_VARS, $userindex, $config; + + session_start(); + + /* Validate incoming login request */ + if (isset($_POST['login'])) { + if ($backend($_POST['usernamefld'], $_POST['passwordfld'])) { + $_SESSION['Logged_In'] = "True"; + $_SESSION['Username'] = $_POST['usernamefld']; + $_SESSION['last_access'] = time(); + } else { + $_SESSION['Login_Error'] = "Username or password incorrect."; + } + } + + /* Show login page if they aren't logged in */ + if (empty($_SESSION['Logged_In'])) { + + /* Don't display login forms to AJAX */ + if (isAjax()) + return false; + + require_once("authng_authgui.inc"); + display_login_form(); + return false; + } else { + /* If session timeout isn't set, we don't mark sessions stale */ + if (!isset($config['system']['webgui']['session_timeout']) or + $config['system']['webgui']['session_timeout'] == 0 or + $config['system']['webgui']['session_timeout'] == "") + $_SESSION['last_access'] = time(); + else + /* Check for stale session */ + if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) + $_GET['logout'] = true; + else + /* only update if it wasn't ajax */ + if (!isAjax()) + $_SESSION['last_access'] = time(); + + /* user hit the logout button */ + if (isset($_GET['logout'])) { + if (hasLockAbility($_SESSION['Username'])) { + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); + } + + /* wipe out $_SESSION */ + $_SESSION = array(); + + if (isset($_COOKIE[session_name()])) { + setcookie(session_name(), '', time()-42000, '/'); + } + + /* and destroy it */ + session_destroy(); + + $scriptName = split("/", $_SERVER["SCRIPT_FILENAME"]); + $scriptElms = count($scriptName); + $scriptName = $scriptName[$scriptElms-1]; + + if (isAjax()) + return false; + + /* redirect to page the user is on, it'll prompt them to login again */ + pfSenseHeader($scriptName); + + return false; + + /* user wants to explicitely delete the log file. + * Requires a particular privilege. + */ + } else if ($_GET['deletelock'] && hasLockAbility($_SESSION['Username'])) { + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* this is for debugging purpose if you do not want to use Ajax + * to submit a HTML form. It basically disables the observation + * of the submit event and hence does not trigger Ajax. + */ + } else if ($_GET['disable_ajax']) { + $_SESSION['NO_AJAX'] = "True"; + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* Same to re-enable Ajax. + */ + } else if ($_GET['enable_ajax']) { + unset($_SESSION['NO_AJAX']); + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* user wants to explicitely create a lock. + * Requires a particular privilege. + */ + } else if ($_GET['createlock'] && hasLockAbility($_SESSION['Username'])) { + $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w"); + fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" . + getRealName($_SESSION['Username']) . ")"); + fclose($fd); + /* if the user did delete the lock manually, do not + * re-create it while the session is valide. + */ + $_SESSION['Lock_Created'] = "True"; + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + + /* proceed with the login process */ + } else { + /* if the user is allowed to create a lock, + * create it once per session. + */ + if (hasLockAbility($_SESSION['Username']) && + ! isset($_SESSION['Lock_Created'])) { + + $fd = fopen("{$g['tmp_path']}/webconfigurator.lock", "w"); + fputs($fd, "{$_SERVER['REMOTE_ADDR']} (" . + getRealName($_SESSION['Username']) . ")"); + fclose($fd); + /* if the user did delete the lock manually, do not + * re-create it while the session is valide. + */ + $_SESSION['Lock_Created'] = "True"; + + /* give regular users a chance to automatically invalidate + * a lock if its older than a particular time. + */ + } else if (! hasLockAbility($_SESSION['Username']) && + file_exists("{$g['tmp_path']}/webconfigurator.lock")) { + + $offset = 12; //hours + $mtime = filemtime("{$g['tmp_path']}/webconfigurator.lock"); + $now_minus_offset = mktime(date("H") - $offset, 0, 0, date("m"), date("d"), date("Y")); + + if (($mtime - $now_minus_offset) < $mtime) { + require_once("auth/authgui.inc"); + display_login_form(); + return false; + } else { + /* file is older than mtime + offset which may + * indicate a stale lockfile, hence we are going + * to remove it. + */ + unlink_if_exists("{$g['tmp_path']}/webconfigurator.lock"); + } + } + + $HTTP_SERVER_VARS['AUTH_USER'] = $_SESSION['Username']; + return true; + } // end if + } // end if + } // end function +} + +?> \ No newline at end of file diff --git a/packages/authng/pkg/authng_backends.inc b/packages/authng/pkg/authng_backends.inc new file mode 100644 index 00000000..1b58e6c1 --- /dev/null +++ b/packages/authng/pkg/authng_backends.inc @@ -0,0 +1,234 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +class AbstractBackend { + function authenticate($username, $passwd) { + trigger_error('AbstractBackend::authenticate() needs to be overridden in a subclass.', E_USER_ERROR); + } +} + +class HtpasswdBackend extends AbstractBackend { + function HtpasswdBackend() { + } + + function authenticate($username, $passd) { + $authfile = file("/var/run/htpasswd"); + + /* sanity check to ensure that /usr/local/www/.htpasswd doesn't exist */ + unlink_if_exists("/usr/local/www/.htpasswd"); + + $matches=""; + if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) + return false; + + /* Get crypted password */ + preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); + $pass = $matches[1]; + $salt = $matches[2]; + + /* Encrypt entered password with salt + * And finally validate password + */ + if ($pass == crypt($passwd, $salt)) + return true; + else + return false; + } +} + +class PasswdBackend extends AbstractBackend { + function PasswdBackend() { + } + + function authenticate($username, $passd) { + $authfile = file("/etc/master.passwd"); + + $matches=""; + + /* Check to see if user even exists */ + if(!($line = array_shift(preg_grep("/^$username:.*$/", $authfile)))) + return false; + + /* Get crypted password */ + preg_match("/^$username:((\\$1\\$[.\d\w_\/]{8}\\$)[.\d\w_\/]{22})$/", $line, $matches); + $pass = $matches[1]; + $salt = $matches[2]; + + /* Encrypt entered password with salt + * And finally validate password + */ + if ($pass == crypt($passwd, $salt)) + return true; + else + return false; + } +} + +class PamBackend extends AbstractBackend { + function PamBackend() { + } + + function authenticate($username, $passd) { + /* we do not support blank pwds, don't we? */ + if ($username == "" || passwd == "") { return false; } + + if(! extension_loaded( 'pam_auth' )) { + if(! @dl( 'pam_auth.so' )) { + return false; + } else { + /* no php file no auth, sorry */ + if (! file_exists("/etc/pam.d/php")) { + if (! file_exists("/etc/pam.d")) { mkdir("/etc/pam.d"); } + + $pam_php = <<addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret']); + } + + if (!$rauth->start()) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $rauth->getError(); + if ($debug) + printf("Radius start: %s", $retvalue['error']); + } + + // XXX - billm - somewhere in here we need to handle securid challenge/response + + // Send request + $result = $rauth->send(); + + if (PEAR::isError($result)) { + $retvalue['auth_val'] = 1; + $retvalue['error'] = $result->getMessage(); + if ($debug) + printf("Radius send failed: %s", $retvalue['error']); + } else if ($result === true) { + $retvalue['auth_val'] = 2; + if ($debug) + printf (gettext("Radius Auth succeeded")); + $ret = true; + } else { + $retvalue['auth_val'] = 3; + if ($debug) + printf (gettext("Radius Auth rejected")); + } + // close OO RADIUS_AUTHENTICATION + $rauth->close(); + + return $ret; + } // end function +} + +class LdapBackend extends AbstractBackend { + function LdapBackend() { + } + + function authenticate($username, $passwd) { + $ldapserver = $config['system']['ldap']['server']; + $ldapport = isset($config['system']['ldap']['port']) ? $config['system']['ldap']['server'] : 389; + $retval = false; + + $connection = ldap_connect($ldapserver, $ldapport) + or die("Could not connect to $ldaphost"); + + if ($connection) { + $bind = ldap_bind($connection); + + if ($bind) { + $basedn = $config['system']['ldap']['basedn']; + $result = ldap_search($connection, $basedn, "uid={$username}"); + $info = ldap_get_entries($connection, $result); + $userPassword = $info[0]['userPassword']; + + if ($userPassword == $passwd) { + $retval = true; + } else { + $retval = false; + } + } // end if + } // end if + + return $retval; + } +} +?> \ No newline at end of file diff --git a/packages/authng/pkg/authng_classdefs.inc b/packages/authng/pkg/authng_classdefs.inc new file mode 100644 index 00000000..a61361b3 --- /dev/null +++ b/packages/authng/pkg/authng_classdefs.inc @@ -0,0 +1,466 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +class SingletonInterface extends Object { + function __construct() { + // Perform object initialization here. + } + + function &__getInstanceImp($name) { + static $instances = array(); + if (!isset($instances[$name])) { + $instances[$name] = new $name(); // No changes necessary here. + } + return $instances[$name]; + } + + function &getInstance() { + trigger_error('SingletonInterface::getInstance() needs to be overridden in a subclass.', E_USER_ERROR); + } +} + +class AuthMethodFactory extends SingletonInterface { + function __construct() { + // Perform object initialization here. + parent::__construct(); + } + + function &getInstance() { + return parent::__getInstanceImp('AuthMethodFactory'); + } + + function &getBackendByName($name) { + $result = null; + + /* Each name links to an entry in config.xml + * Example: session + */ + switch ($name) { + case "htpasswd": + $result = new HtpasswdBackend(); + break; + case "pam": + $result = new PamBackend(); + break; + case "radius": + $result = new RadiusBackend(); + break; + case "passwd": + $result = new PasswdBackend(); + break; + case "ldap": + $result = new LdapBackend(); + break; + default: + } + + return $result; + } +} + +class BackendFactory extends SingletonInterface { + function __construct() { + // Perform object initialization here. + parent::__construct(); + } + + function &getInstance() { + return parent::__getInstanceImp('BackendFactory'); + } + + function &getAuthMethodByName($name) { + $result = null; + + /* Each name links to an entry in config.xml + * Example: htpasswd + */ + switch ($name) { + case "session": + $result = new SessionAuthMethod(); + break; + case "basic": + $result = new BasicAuthMethod(); + break; + default: + } + + return $result; + } +} + +class AuthngAuxiliary { + /* ========================================================================== */ + /* == Auxiliary Functions == */ + /* ========================================================================== */ + function &getSystemAdminNames() { + global $config, $g, $userindex; + $adminUsers = array(); + + if (is_array($config['system']['user'])) { + foreach($config['system']['user'] as $user){ + if (isSystemAdmin($user['name'])) { + $adminUsers[] = $user['name']; + } + } // end foreach + } // end if + + return $adminUsers; + } // end function + + function assignUID($username = "") { + global $userindex, $config, $g; + + if ($username == "") { return; } + + $nextuid = $config['system']['nextuid']; + $user =& $config['system']['user'][$userindex[$username]]; + + if (empty($user['uid'])) { + $user['uid'] = $nextuid; + $nextuid++; + $config['system']['nextuid'] = $nextuid; + + write_config(); + + return $user; + } // end if + } // end function +} + +class AuthngPrivilege { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $id; + var $name; + var $description; + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AuthngPrivilege() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function getId() { + return $this->id; + } + + function setId($id) { + $this->id = $id; + } + + function getName() { + return $this->name; + } + + function setName($name) { + $this->name = $name; + } + + function getDescription() { + return $this->description; + } + + function setDescription($desc) { + $this->description = $desc; + } +} + +class SystemPrivileges { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $privileges = array(); + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function SystemPrivileges() { + $newPriv = new Privilege(); + $newPriv->setId("lockwc"); + $newPriv->setName("Lock webConfigurator"); + $newPriv->setDescription("Indicates whether this user will lock access to the webConfigurator for other users."); + + $this->privileges[$newPriv->getId()] = $newPriv; + + $newPriv = new Privilege(); + $newPriv->setId("lock-ipages"); + $newPriv->setName("Lock individual pages"); + $newPriv->setDescription("Indicates whether this user will lock individual " . + "HTML pages after having accessed a particular page" . + "(the lock will be freed if the user leaves or " . + "saves the page form)."); + + $this->privileges[$newPriv->getId()] = $newPriv; + + $newPriv = new Privilege(); + $newPriv->setId("hasshell"); + $newPriv->setName("Has shell access"); + $newPriv->setDescription("Indicates whether this user is able to login for " . + "example via SSH."); + + $this->privileges[$newPriv->getId()] = $newPriv; + + $newPriv = new Privilege(); + $newPriv->setId("copyfiles"); + $newPriv->setName("Is allowed to copy files"); + $newPriv->setDescription("Indicates whether this user is allowed to copy files " . + "onto the {$g['product_name']} appliance via SCP/SFTP. " . + "If you are going to use this privilege, you must install " . + "scponly on the appliance (Hint: pkg_add -r scponly)."); + + $this->privileges[$newPriv->getId()] = $newPriv; + + $newPriv = new Privilege(); + $newPriv->setId("isroot"); + $newPriv->setName("Is root user"); + $newPriv->setDescription("This user is associated with the UNIX root user " . + "(you should associate this privilege only with one " . + "single user)."); + + $this->privileges[$newPriv->getId()] = $newPriv; + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function getPrivileges() { + return $this->privileges; + } + + function setPrivileges($privs) { + $this->privileges = $privs; + } + + function getPrivilegeById($id) { + return $this->privileges[$id]; + } + + function setPrivilegeById($privilege, $id) { + return $this->privileges[$id] = $privilege; + } +} + +class AuthngUser { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $name; + var $fullname; + var $scope; + var $groupname; + var $password; + var $uid; + var $systemAdmin = false; + var $unixRoot = false; + var $privileges = array(); + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AuthngUser() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function isSystemAdmin() { + return $this->systemAdmin; + } + + function setIsSystemAdmin($flag = false) { + $this->systemAdmin = $flag; + } + + function isUNIXRoot() { + return $this->unixRoot; + } + + function setIsUNIXRoot($flag = false) { + $this->unixRoot = $flag; + } + + function getName() { + return $this->name; + } + + function setName($name) { + $this->name = $name; + } + + function getFullname() { + return $this->fullname; + } + + function setFullname($name) { + $this->fullname = $name; + } + + function getScope() { + return $this->scope; + } + + function setScope($scope) { + $this->scope = $scope; + } + + function getGroupname() { + return $this->groupname; + } + + function setGroupname($name) { + $this->groupname = $name; + } + + function getPassword() { + return $this->password; + } + + function setPassword($pwd) { + $this->password = $pwd; + } + + function getUid() { + return $this->uid; + } + + function setUid($uid) { + $this->uid = $uid; + } + + function getPrivileges() { + return $this->privileges; + } + + function setPrivileges($privs) { + $this->privileges = $privs; + } + + function addPrivilege($priv) { + $this->privileges[] = $priv; + } +} + +class AuthngGroup { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $name; + var $description; + var $scope; + var $pages = array(); + var $home; + var $gid; + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AuthngGroup() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function getName() { + return $this->name; + } + + function setName($name) { + $this->name = $name; + } + + function getDescription() { + return $this->description; + } + + function setDescription($desc) { + $this->description = $desc; + } + + function getScope() { + return $this->scope; + } + + function setScope($scope) { + $this->scope = $scope; + } + + function getPages() { + return $this->pages; + } + + function setPages($pages) { + $this->pages = $pages; + } + function getHome() { + return $this->home; + } + + function setHome($home) { + $this->home = $home; + } + + function getGid() { + return $this->gid; + } + + function setGid($gid) { + $this->gid = $gid; + } + + function addPage($page) { + $this->pages[] = $page; + } +} + +?> \ No newline at end of file diff --git a/packages/authng/pkg/authng_peers.inc b/packages/authng/pkg/authng_peers.inc new file mode 100644 index 00000000..cc75c94c --- /dev/null +++ b/packages/authng/pkg/authng_peers.inc @@ -0,0 +1,471 @@ + + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("authng_classdefs"); + +class PeerFactory extends SingletonInterface { + function __construct() { + // Perform object initialization here. + parent::__construct(); + } + + function &getInstance() { + return parent::__getInstanceImp('PeerFactory'); + } + + function &getGroupPeerByPrincipalStore($store) { + $result = null; + + /* Each name links to an entry in config.xml + * Example: xml + */ + switch ($name) { + case "xml": + $result = new XMLGroupPeer(); + break; + case "ldap": + trigger_error('PeerFactory::getGroupPeerByPrincipal() LDAP peer type is not supported.', E_USER_ERROR); + break; + case "db": + trigger_error('PeerFactory::getGroupPeerByPrincipal() DB peer type is not supported.', E_USER_ERROR); + break; + default: + } + + return $result; + } + + function &getUserPeerByPrincipalStore($store) { + $result = null; + + /* Each name links to an entry in config.xml + * Example: xml + */ + switch ($name) { + case "xml": + $result = new XMLUserPeer(); + break; + case "ldap": + trigger_error('PeerFactory::getGroupPeerByPrincipal() LDAP peer type is not supported.', E_USER_ERROR); + break; + case "db": + trigger_error('PeerFactory::getGroupPeerByPrincipal() DB peer type is not supported.', E_USER_ERROR); + break; + default: + } + + return $result; + } +} + +/** + * @author Daniel S. Haischt + * @abstract + */ +class AbstractPrivilegePeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $privilege_index; + var $privileges; + var $userPeer; + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AbstractPrivilegePeer() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function setUserPeer($peer) { + $this->userPeer = $peer; + } + + function getUserPeer() { + return $this->userPeer; + } + + /** + * @return mixed int array of priv indexes + */ + function getPrivilegeIndex() { + return $this->privilege_index; + } + + /** + * @param string a priv name + * @return int the index that corresponds to a username + */ + function getPrivilegeIndexByID($id) { + return $this->privilege_index[$id]; + } + + /** + * @param int an index + * @return mixed an instance of AuthngPrivilege + */ + function getPrivilegeByIndex($index) { + return $this->privileges[$index]; + } +} + +/** + * @author Daniel S. Haischt + * @abstract + */ +class AbstractUserPeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $user_index; + var $users; + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AbstractUserPeer() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + /** + * @return mixed int array of user indexes + */ + function getUserIndex() { + return $this->user_index; + } + + /** + * @param string a username + * @return int the index that corresponds to a username + */ + function getUserIndexByName($username) { + return $this->user_index[$username]; + } + + /** + * @param int an index + * @return mixed an instance of AuthngUser + */ + function getUserByIndex($index) { + return $this->users[$index]; + } +} + +/** + * @author Daniel S. Haischt + * @abstract + */ +class AbstractGroupPeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + var $group_index; + var $groups; + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function AbstractGroupPeer() { + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + function getGroupIndex() { + return $this->group_index; + } + + function getGroupIndexByName($groupname) { + return $this->group_index[$groupname]; + } + + function getGroupByIndex($index) { + return $this->groups[$index]; + } +} + +/** + * @author Daniel S. Haischt + */ +class XMLPrivilegePeer extends AbstractPrivilegePeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function XMLPrivilegePeer($userPeer) { + global $g, $config; + + parent::AbstractPrivilegePeer(); + + $this->setUserPeer($peer); + + foreach ($peer->users as $userent) { + foreach ($userent->getPrivileges() as $privent) { + $this->privileges[$userent->getName()] = $privent; + } + } + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Helper Methods == */ + /* ========================================================================== */ + + function addPrivilegeFromEnt(&$ent) { + $newPrivilege = new AuthngUser(); + $newPrivilege->setId($ent['id']); + $newPrivilege->setName($ent['name']); + $newPrivilege->setDescription($ent['description']); + $newPrivilege->setPassword($ent['password']); + $newPrivilege->setUid($ent['uid']); + + $this->privileges[] = $newPrivilege; + } + + function setPrivilegeID($id, $name, $username) { + $userid = getPrivilegeIndexByName($username); + $user = $config['system']['user'][$userid]; + } + + function setFullName($id, $name) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['fullname'] = $name; + } + + function setGroupName($id, $name) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['groupname'] = $name; + } + + function setPassword($id, $pwd) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['password'] = $pwd; + } + + function setUid($id, $uid) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['uid'] = $uid; + } +} + +/** + * @author Daniel S. Haischt + */ +class XMLUserPeer extends AbstractUserPeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function XMLUserPeer() { + global $g, $config; + + parent::AbstractUserPeer(); + + if (isset($config['system']['user'])) { + $i = 0; + + foreach($config['system']['user'] as $userent) { + $this->user_index[$userent['name']] = $i; + $i++; + } + } + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Helper Methods == */ + /* ========================================================================== */ + + function addUserFromEnt(&$ent) { + $newUser = new AuthngUser(); + $newUser->setName($ent['name']); + $newUser->setFullname($ent['fullname']); + $newUser->setGroupname($ent['groupname']); + $newUser->setPassword($ent['password']); + $newUser->setUid($ent['uid']); + + if ($ent['priv'] && is_array($ent['priv'])) { + foreach ($ent['priv'] as $privent) { + $newPrivilege = new Privilege(); + $newPrivilege->setId($privent['id']); + $newPrivilege->setName($privent['name']); + $newPrivilege->setDescription($privent['description']); + + $newUser->addPrivilege($newPrivilege); + } + } + + $this->users[] = $newUser; + } + + function setUserName($id, $name) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['name'] = $name; + } + + function setFullName($id, $name) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['fullname'] = $name; + } + + function setGroupName($id, $name) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['groupname'] = $name; + } + + function setPassword($id, $pwd) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['password'] = $pwd; + } + + function setUid($id, $uid) { + $userid = getUserIndexByName($id); + $config['system']['user'][$userid]['uid'] = $uid; + } +} + +/** + * @author Daniel S. Haischt + */ +class XMLGroupPeer extends AbstractGroupPeer { + /* ========================================================================== */ + /* == Class Members == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Constructor == */ + /* ========================================================================== */ + + function XMLGroupPeer() { + global $g, $config; + + parent::AbstractGroupPeer(); + + if (isset($config['system']['group'])) { + $i = 0; + + foreach($config['system']['group'] as $groupent) { + $this->group_index[$groupent['name']] = $i; + $i++; + } + } + } + + /* ========================================================================== */ + /* == Accessors == */ + /* ========================================================================== */ + + /* ========================================================================== */ + /* == Helper Methods == */ + /* ========================================================================== */ + + function addGroupFromEnt(&$ent) { + $newGoup = new AuthngGroup(); + $newGoup->setName($ent['name']); + $newGoup->setDescription($ent['description']); + $newGoup->setScope($ent['scope']); + $newGoup->setHome($ent['home']); + $newGoup->setGid($ent['gid']); + + if ($ent['pages'] && is_array($ent['gid'])) { + foreach ($ent['pages'] as $pageent) { + $newGoup->addPage($pageent); + } + } + + $this->groups[] = $newGoup; + } + + function setGroupName($id, $name) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['name'] = $name; + } + + function setGroupDescription($id, $desc) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['description'] = $desc; + } + + function setGroupScope($id, $scope) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['scope'] = $scope; + } + + function setGroupHome($id, $home) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['home'] = $home; + } + + function setGroupGid($id, $gid) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['gid'] = $gid; + } + + function addPageToGroup($id, $page) { + $groupid = getGroupIndexByName($id); + $config['system']['group'][$groupid]['pages'][] = $page; + } +} +?> -- cgit v1.2.3