LibreNMS/Authentication/MysqlAuthorizer.php

<?php

namespace LibreNMS\Authentication;

use LibreNMS\Exceptions\AuthenticationException;
use Phpass\PasswordHash;

class MysqlAuthorizer extends AuthorizerBase
{
    protected static $HAS_AUTH_USERMANAGEMENT = 1;
    protected static $CAN_UPDATE_USER = 1;
    protected static $CAN_UPDATE_PASSWORDS = 1;

    public function authenticate($username, $password)
    {
        $encrypted_old = md5($password);
        $row           = dbFetchRow('SELECT username,password FROM `users` WHERE `username`= ?', array($username));
        if ($row['username'] && $row['username'] == $username) {
            // Migrate from old, unhashed password
            if ($row['password'] == $encrypted_old) {
                $row_type = dbFetchRow('DESCRIBE users password');
                if ($row_type['Type'] == 'varchar(34)') {
                    $this->changePassword($username, $password);
                }

                return true;
            } elseif (substr($row['password'], 0, 3) == '$1$') {
                $row_type = dbFetchRow('DESCRIBE users password');
                if ($row_type['Type'] == 'varchar(60)') {
                    if ($row['password'] == crypt($password, $row['password'])) {
                        $this->changePassword($username, $password);
                    }
                }
            }

            $hasher = new PasswordHash(8, false);
            if ($hasher->CheckPassword($password, $row['password'])) {
                return true;
            }
        }//end if

        throw new AuthenticationException();
    }//end authenticate()


    public function reauthenticate($sess_id, $token)
    {
        return $this->checkRememberMe($sess_id, $token);
    }//end reauthenticate()


    public function canUpdatePasswords($username = '')
    {
        /*
         * By default allow the password to be modified, unless the existing
         * user is explicitly prohibited to do so.
         */

        if (!static::$CAN_UPDATE_PASSWORDS) {
            return 0;
        } elseif (empty($username) || !$this->userExists($username)) {
            return 1;
        } else {
            return dbFetchCell('SELECT can_modify_passwd FROM users WHERE username = ?', array($username));
        }
    }

    public function changePassword($username, $password)
    {
        // check if updating passwords is allowed (mostly for classes that extend this)
        if (!static::$CAN_UPDATE_PASSWORDS) {
            return 0;
        }

        $hasher    = new PasswordHash(8, false);
        $encrypted = $hasher->HashPassword($password);
        return dbUpdate(array('password' => $encrypted), 'users', '`username` = ?', array($username));
    }//end changepassword()

    public function addUser($username, $password, $level = 0, $email = '', $realname = '', $can_modify_passwd = 1, $description = '')
    {
        if (!$this->userExists($username)) {
            $hasher    = new PasswordHash(8, false);
            $encrypted = $hasher->HashPassword($password);
            $userid    = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');
            if ($userid == false) {
                return false;
            } else {
                foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {
                    dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');
                }
            }
            return $userid;
        } else {
            return false;
        }
    }//end adduser()


    public function userExists($username, $throw_exception = false)
    {
        return (bool)dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username));
    }

    public function getUserlevel($username)
    {
        return dbFetchCell('SELECT `level` FROM `users` WHERE `username` = ?', array($username));
    }//end getUserlevel()


    public function getUserid($username)
    {
        return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username` = ?', array($username));
    }//end getUserid()


    public function deleteUser($userid)
    {
        dbDelete('bill_perms', '`user_id` =  ?', array($userid));
        dbDelete('devices_perms', '`user_id` =  ?', array($userid));
        dbDelete('ports_perms', '`user_id` =  ?', array($userid));
        dbDelete('users_prefs', '`user_id` =  ?', array($userid));
        dbDelete('users', '`user_id` =  ?', array($userid));

        return dbDelete('users', '`user_id` =  ?', array($userid));
    }//end deluser()


    public function getUserlist()
    {
        return dbFetchRows('SELECT * FROM `users` ORDER BY `username`');
    }//end getUserlist()


    public function getUser($user_id)
    {
        return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id));
    }//end getUser()


    public function updateUser($user_id, $realname, $level, $can_modify_passwd, $email)
    {
        dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
    }//end updateUser()
}
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`<?php`

			`namespace LibreNMS\Authentication;`

			`use LibreNMS\Exceptions\AuthenticationException;`
			`use Phpass\PasswordHash;`

			`class MysqlAuthorizer extends AuthorizerBase`
			`{`
			`protected static $HAS_AUTH_USERMANAGEMENT = 1;`
			`protected static $CAN_UPDATE_USER = 1;`
refactor: Share code between all mysql based authorizers (#8174) * Share code between all mysql based authorizers I plan to update the mysql password encryption and this will allow the code to be changed in a single location. It also reduces a lot of duplication. * Fix tests, I suspect reauthenticate will work for these... Do not allow password updates for several authorizers 2018-02-06 15:20:34 -06:00			`protected static $CAN_UPDATE_PASSWORDS = 1;`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00
			`public function authenticate($username, $password)`
			`{`
			`$encrypted_old = md5($password);`
fix: Remove faulty memcached code (not related to distributed polling) (#7881) 2017-12-10 14:40:45 -06:00			$row = dbFetchRow('SELECT username,password FROM `users` WHERE `username`= ?', array($username));
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`if ($row['username'] && $row['username'] == $username) {`
			`// Migrate from old, unhashed password`
			`if ($row['password'] == $encrypted_old) {`
			`$row_type = dbFetchRow('DESCRIBE users password');`
			`if ($row_type['Type'] == 'varchar(34)') {`
			`$this->changePassword($username, $password);`
			`}`

			`return true;`
			`} elseif (substr($row['password'], 0, 3) == '$1$') {`
			`$row_type = dbFetchRow('DESCRIBE users password');`
			`if ($row_type['Type'] == 'varchar(60)') {`
			`if ($row['password'] == crypt($password, $row['password'])) {`
			`$this->changePassword($username, $password);`
			`}`
			`}`
			`}`

			`$hasher = new PasswordHash(8, false);`
			`if ($hasher->CheckPassword($password, $row['password'])) {`
			`return true;`
			`}`
			`}//end if`

			`throw new AuthenticationException();`
			`}//end authenticate()`


			`public function reauthenticate($sess_id, $token)`
			`{`
			`return $this->checkRememberMe($sess_id, $token);`
			`}//end reauthenticate()`


			`public function canUpdatePasswords($username = '')`
			`{`
			`/*`
			`* By default allow the password to be modified, unless the existing`
			`* user is explicitly prohibited to do so.`
			`*/`

refactor: Share code between all mysql based authorizers (#8174) * Share code between all mysql based authorizers I plan to update the mysql password encryption and this will allow the code to be changed in a single location. It also reduces a lot of duplication. * Fix tests, I suspect reauthenticate will work for these... Do not allow password updates for several authorizers 2018-02-06 15:20:34 -06:00			`if (!static::$CAN_UPDATE_PASSWORDS) {`
			`return 0;`
			`} elseif (empty($username) \|\| !$this->userExists($username)) {`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`return 1;`
			`} else {`
fix: Remove faulty memcached code (not related to distributed polling) (#7881) 2017-12-10 14:40:45 -06:00			`return dbFetchCell('SELECT can_modify_passwd FROM users WHERE username = ?', array($username));`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`}`
refactor: Share code between all mysql based authorizers (#8174) * Share code between all mysql based authorizers I plan to update the mysql password encryption and this will allow the code to be changed in a single location. It also reduces a lot of duplication. * Fix tests, I suspect reauthenticate will work for these... Do not allow password updates for several authorizers 2018-02-06 15:20:34 -06:00			`}`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00
			`public function changePassword($username, $password)`
			`{`
refactor: Share code between all mysql based authorizers (#8174) * Share code between all mysql based authorizers I plan to update the mysql password encryption and this will allow the code to be changed in a single location. It also reduces a lot of duplication. * Fix tests, I suspect reauthenticate will work for these... Do not allow password updates for several authorizers 2018-02-06 15:20:34 -06:00			`// check if updating passwords is allowed (mostly for classes that extend this)`
			`if (!static::$CAN_UPDATE_PASSWORDS) {`
			`return 0;`
			`}`

refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`$hasher = new PasswordHash(8, false);`
			`$encrypted = $hasher->HashPassword($password);`
			return dbUpdate(array('password' => $encrypted), 'users', '`username` = ?', array($username));
			`}//end changepassword()`

			`public function addUser($username, $password, $level = 0, $email = '', $realname = '', $can_modify_passwd = 1, $description = '')`
			`{`
			`if (!$this->userExists($username)) {`
			`$hasher = new PasswordHash(8, false);`
			`$encrypted = $hasher->HashPassword($password);`
			`$userid = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');`
			`if ($userid == false) {`
			`return false;`
			`} else {`
			`foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {`
			`dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');`
			`}`
			`}`
			`return $userid;`
			`} else {`
			`return false;`
			`}`
			`}//end adduser()`


			`public function userExists($username, $throw_exception = false)`
			`{`
refactor: Share code between all mysql based authorizers (#8174) * Share code between all mysql based authorizers I plan to update the mysql password encryption and this will allow the code to be changed in a single location. It also reduces a lot of duplication. * Fix tests, I suspect reauthenticate will work for these... Do not allow password updates for several authorizers 2018-02-06 15:20:34 -06:00			`return (bool)dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username));`
			`}`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00
			`public function getUserlevel($username)`
			`{`
fix: Remove faulty memcached code (not related to distributed polling) (#7881) 2017-12-10 14:40:45 -06:00			return dbFetchCell('SELECT `level` FROM `users` WHERE `username` = ?', array($username));
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`}//end getUserlevel()`


			`public function getUserid($username)`
			`{`
fix: Remove faulty memcached code (not related to distributed polling) (#7881) 2017-12-10 14:40:45 -06:00			return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username` = ?', array($username));
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`}//end getUserid()`


			`public function deleteUser($userid)`
			`{`
			dbDelete('bill_perms', '`user_id` = ?', array($userid));
			dbDelete('devices_perms', '`user_id` = ?', array($userid));
			dbDelete('ports_perms', '`user_id` = ?', array($userid));
			dbDelete('users_prefs', '`user_id` = ?', array($userid));
			dbDelete('users', '`user_id` = ?', array($userid));

			return dbDelete('users', '`user_id` = ?', array($userid));
			`}//end deluser()`


			`public function getUserlist()`
			`{`
			return dbFetchRows('SELECT * FROM `users` ORDER BY `username`');
			`}//end getUserlist()`


			`public function getUser($user_id)`
			`{`
fix: Remove faulty memcached code (not related to distributed polling) (#7881) 2017-12-10 14:40:45 -06:00			return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id));
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`}//end getUser()`


			`public function updateUser($user_id, $realname, $level, $can_modify_passwd, $email)`
			`{`
			dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
			`}//end updateUser()`
			`}`