html/includes/authentication/http-auth.inc.php

<?php

use LibreNMS\Exceptions\AuthenticationException;
use Phpass\PasswordHash;

function init_auth()
{
}

function authenticate($username, $password)
{
    if (user_exists($username)) {
        return true;
    }

    throw new AuthenticationException('No matching user found and http_auth_guest is not set');
}


function reauthenticate($sess_id, $token)
{
    return false;
}


function passwordscanchange($username = '')
{
    return 0;
}


function changepassword($username, $newpassword)
{
    // Not supported
}


function auth_usermanagement()
{
    return 1;
}


function adduser($username, $password, $level, $email = '', $realname = '', $can_modify_passwd = 1, $description = '')
{
    if (!user_exists($username)) {
        $hasher    = new PasswordHash(8, false);
        $encrypted = $hasher->HashPassword($password);
        $userid    = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');
        if ($userid == false) {
            return false;
        } else {
            foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {
                dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');
            }
        }
        return $userid;
    } else {
        return false;
    }
}


function user_exists($username)
{
    global $config;

    $query = 'SELECT COUNT(*) FROM `users` WHERE `username`=?';
    $params = array($username);

    if (isset($config['http_auth_guest'])) {
        $query .=  ' OR `username`=?';
        $params[] = $config['http_auth_guest'];
    }

    return dbFetchCell($query, $params) > 0;
}


function get_userlevel($username)
{
    global $config;

    $user_level = dbFetchCell('SELECT `level` FROM `users` WHERE `username`=?', array($username));

    if ($user_level) {
        return $user_level;
    }

    if (isset($config['http_auth_guest'])) {
        return dbFetchCell('SELECT `level` FROM `users` WHERE `username`=?', array($config['http_auth_guest']));
    }

    return 0;
}


function get_userid($username)
{
    global $config;

    $user_id = dbFetchCell('SELECT `user_id` FROM `users` WHERE `username`=?', array($username));

    if ($user_id) {
        return $user_id;
    }

    if (isset($config['http_auth_guest'])) {
        return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username`=?', array($config['http_auth_guest']));
    }

    return -1;
}


function deluser($username)
{
    // Not supported
    return 0;
}


function get_userlist()
{
    return dbFetchRows('SELECT * FROM `users`');
}


function can_update_users()
{
    // supported so return 1
    return 1;
}


function get_user($user_id)
{
    return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id));
}


function update_user($user_id, $realname, $level, $can_modify_passwd, $email)
{
    dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
}
auth modules! please test http-auth again, i haven't, but i think i got it right... git-svn-id: http://www.observium.org/svn/observer/trunk@973 61d68cd4-352d-0410-923a-c4978735b2b8 2010-02-28 13:04:07 +00:00			`<?php`

fix: Improve authentication load time and security (#6615) * fix: minimize session open time page/graphs speedup part 2 Write close the session as soon as we no longer need to write to it. Prevents the session from blocking other requests. Do not run through full authentication functions if the session is already authenticated. Removes password from the session as well as some items to prevent session fixation from #4608. WARNING: This will cause issues for ad/ldap users who do not have a bind user configured! * Do no erase username when using cookie auth. Properly close the session in ajax_setresolution.php * write close the session as soon as possible in ajax_setresolution.php * Remove session regeneration. It is not compatible with the current code and would require more changes. * Totally refactor authentication. Extract code to functions for re-use and improved readability * Use exceptions for authentication and error logging Tested: mysql, ad_auth with and without bind user * fix a couple scrutinizer issues * fix reauthenticate in radius 2017-05-15 22:18:23 -05:00			`use LibreNMS\Exceptions\AuthenticationException;`
refactor: use Composer to manage php dependencies (#5216) 2017-01-01 03:37:15 -06:00			`use Phpass\PasswordHash;`

refactor: finish logic and definition separation (#6883) Clean up rewrites to only have function definitions Move authentication initialization into a function 2017-07-03 15:38:58 -05:00			`function init_auth()`
			`{`
			`}`

PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function authenticate($username, $password)`
			`{`
fix: Fixed http-auth not honouring http_auth_guest (#6699) * fix: Fixed http-auth not honouring http_auth_guest * Always fall back to http_auth_guest. Make sure $username is set, otherwise, we won't try to authenticate. * reverted elseif to default to http-auth-guest * Update authenticate.inc.php simplify logic 2017-05-23 08:40:57 +01:00			`if (user_exists($username)) {`
			`return true;`
auth modules! please test http-auth again, i haven't, but i think i got it right... git-svn-id: http://www.observium.org/svn/observer/trunk@973 61d68cd4-352d-0410-923a-c4978735b2b8 2010-02-28 13:04:07 +00:00			`}`
fix: Fixed http-auth not honouring http_auth_guest (#6699) * fix: Fixed http-auth not honouring http_auth_guest * Always fall back to http_auth_guest. Make sure $username is set, otherwise, we won't try to authenticate. * reverted elseif to default to http-auth-guest * Update authenticate.inc.php simplify logic 2017-05-23 08:40:57 +01:00
			`throw new AuthenticationException('No matching user found and http_auth_guest is not set');`
auth modules! please test http-auth again, i haven't, but i think i got it right... git-svn-id: http://www.observium.org/svn/observer/trunk@973 61d68cd4-352d-0410-923a-c4978735b2b8 2010-02-28 13:04:07 +00:00			`}`

Revert "Updated to remove passwords from sessions" (#4422) 2016-09-13 15:10:42 +01:00
fix: Improve authentication load time and security (#6615) * fix: minimize session open time page/graphs speedup part 2 Write close the session as soon as we no longer need to write to it. Prevents the session from blocking other requests. Do not run through full authentication functions if the session is already authenticated. Removes password from the session as well as some items to prevent session fixation from #4608. WARNING: This will cause issues for ad/ldap users who do not have a bind user configured! * Do no erase username when using cookie auth. Properly close the session in ajax_setresolution.php * write close the session as soon as possible in ajax_setresolution.php * Remove session regeneration. It is not compatible with the current code and would require more changes. * Totally refactor authentication. Extract code to functions for re-use and improved readability * Use exceptions for authentication and error logging Tested: mysql, ad_auth with and without bind user * fix a couple scrutinizer issues * fix reauthenticate in radius 2017-05-15 22:18:23 -05:00			`function reauthenticate($sess_id, $token)`
Revert "Updated to remove passwords from sessions" (#4422) 2016-09-13 15:10:42 +01:00			`{`
fix: Improve authentication load time and security (#6615) * fix: minimize session open time page/graphs speedup part 2 Write close the session as soon as we no longer need to write to it. Prevents the session from blocking other requests. Do not run through full authentication functions if the session is already authenticated. Removes password from the session as well as some items to prevent session fixation from #4608. WARNING: This will cause issues for ad/ldap users who do not have a bind user configured! * Do no erase username when using cookie auth. Properly close the session in ajax_setresolution.php * write close the session as soon as possible in ajax_setresolution.php * Remove session regeneration. It is not compatible with the current code and would require more changes. * Totally refactor authentication. Extract code to functions for re-use and improved readability * Use exceptions for authentication and error logging Tested: mysql, ad_auth with and without bind user * fix a couple scrutinizer issues * fix reauthenticate in radius 2017-05-15 22:18:23 -05:00			`return false;`
Revert "Updated to remove passwords from sessions" (#4422) 2016-09-13 15:10:42 +01:00			`}`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function passwordscanchange($username = '')`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return 0;`
change password option in the auth modules, not used in the webinterface yet git-svn-id: http://www.observium.org/svn/observer/trunk@990 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 00:00:05 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function changepassword($username, $newpassword)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// Not supported`
change password option in the auth modules, not used in the webinterface yet git-svn-id: http://www.observium.org/svn/observer/trunk@990 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 00:00:05 +00:00			`}`
remove dead map.php code, rename some .inc to .inc.php files, general trailing space cleanup part 1, some reindent. No expected functionality change whatsoever ;) git-svn-id: http://www.observium.org/svn/observer/trunk@1824 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-12 08:50:47 +00:00
Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function auth_usermanagement()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return 1;`
MOAR AUTHMODULE, with some parts left to do... git-svn-id: http://www.observium.org/svn/observer/trunk@991 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 01:10:05 +00:00			`}`
remove dead map.php code, rename some .inc to .inc.php files, general trailing space cleanup part 1, some reindent. No expected functionality change whatsoever ;) git-svn-id: http://www.observium.org/svn/observer/trunk@1824 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-12 08:50:47 +00:00
Fix coding style part 2 2015-07-13 20:10:26 +02:00
fix: move user preferences dashboard and twofactor out of users table (#6286) * fix: move user preferences dashboard and twofactor out of users table This allows them to work with any authentication method Add set_user_pref() and get_user_pref() helper functions * fix edit users for other users * Fix updated_at default timestamp * Update and rename 183.sql to 184.sql * removed commented out debug 2017-04-01 16:18:00 -05:00			`function adduser($username, $password, $level, $email = '', $realname = '', $can_modify_passwd = 1, $description = '')`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`{`
Updated adduser to check for existing user and use password hashing 2014-10-06 18:39:48 +01:00			`if (!user_exists($username)) {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$hasher = new PasswordHash(8, false);`
Updated adduser to check for existing user and use password hashing 2014-10-06 18:39:48 +01:00			`$encrypted = $hasher->HashPassword($password);`
fix: move user preferences dashboard and twofactor out of users table (#6286) * fix: move user preferences dashboard and twofactor out of users table This allows them to work with any authentication method Add set_user_pref() and get_user_pref() helper functions * fix edit users for other users * Fix updated_at default timestamp * Update and rename 183.sql to 184.sql * removed commented out debug 2017-04-01 16:18:00 -05:00			`$userid = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');`
fix rest of the authmodules 2015-11-21 12:25:34 +00:00			`if ($userid == false) {`
			`return false;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
			`foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {`
			`dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');`
fix rest of the authmodules 2015-11-21 12:25:34 +00:00			`}`
			`}`
			`return $userid;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return false;`
Updated adduser to check for existing user and use password hashing 2014-10-06 18:39:48 +01:00			`}`
MOAR AUTHMODULE, with some parts left to do... git-svn-id: http://www.observium.org/svn/observer/trunk@991 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 01:10:05 +00:00			`}`
remove dead map.php code, rename some .inc to .inc.php files, general trailing space cleanup part 1, some reindent. No expected functionality change whatsoever ;) git-svn-id: http://www.observium.org/svn/observer/trunk@1824 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-12 08:50:47 +00:00
MOAR AUTHMODULE, with some parts left to do... git-svn-id: http://www.observium.org/svn/observer/trunk@991 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 01:10:05 +00:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function user_exists($username)`
			`{`
fix: Fixed http-auth not honouring http_auth_guest (#6699) * fix: Fixed http-auth not honouring http_auth_guest * Always fall back to http_auth_guest. Make sure $username is set, otherwise, we won't try to authenticate. * reverted elseif to default to http-auth-guest * Update authenticate.inc.php simplify logic 2017-05-23 08:40:57 +01:00			`global $config;`

fix: issues with http-auth when the guest user is created before the intended user (#7000) 2017-07-10 15:48:24 -05:00			$query = 'SELECT COUNT(*) FROM `users` WHERE `username`=?';
			`$params = array($username);`

			`if (isset($config['http_auth_guest'])) {`
			$query .= ' OR `username`=?';
			`$params[] = $config['http_auth_guest'];`
			`}`

			`return dbFetchCell($query, $params) > 0;`
userlevel via authmodule git-svn-id: http://www.observium.org/svn/observer/trunk@992 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 01:15:52 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userlevel($username)`
			`{`
fix: Fixed http-auth not honouring http_auth_guest (#6699) * fix: Fixed http-auth not honouring http_auth_guest * Always fall back to http_auth_guest. Make sure $username is set, otherwise, we won't try to authenticate. * reverted elseif to default to http-auth-guest * Update authenticate.inc.php simplify logic 2017-05-23 08:40:57 +01:00			`global $config;`

fix: issues with http-auth when the guest user is created before the intended user (#7000) 2017-07-10 15:48:24 -05:00			$user_level = dbFetchCell('SELECT `level` FROM `users` WHERE `username`=?', array($username));

			`if ($user_level) {`
			`return $user_level;`
			`}`

			`if (isset($config['http_auth_guest'])) {`
			return dbFetchCell('SELECT `level` FROM `users` WHERE `username`=?', array($config['http_auth_guest']));
			`}`

			`return 0;`
more working less sucking git-svn-id: http://www.observium.org/svn/observer/trunk@994 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 01:22:09 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userid($username)`
			`{`
fix: Fixed http-auth not honouring http_auth_guest (#6699) * fix: Fixed http-auth not honouring http_auth_guest * Always fall back to http_auth_guest. Make sure $username is set, otherwise, we won't try to authenticate. * reverted elseif to default to http-auth-guest * Update authenticate.inc.php simplify logic 2017-05-23 08:40:57 +01:00			`global $config;`

fix: issues with http-auth when the guest user is created before the intended user (#7000) 2017-07-10 15:48:24 -05:00			$user_id = dbFetchCell('SELECT `user_id` FROM `users` WHERE `username`=?', array($username));

			`if ($user_id) {`
			`return $user_id;`
			`}`

			`if (isset($config['http_auth_guest'])) {`
			return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username`=?', array($config['http_auth_guest']));
			`}`

			`return -1;`
r1984: BIG BROTHER RELEASE // Move user deletion code into authentication module git-svn-id: http://www.observium.org/svn/observer/trunk@1984 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-28 10:48:43 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function deluser($username)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// Not supported`
			`return 0;`
add get_userlist function, pull from LDAP in case of LDAP backend -- now awaiting fix of edituser page git-svn-id: http://www.observium.org/svn/observer/trunk@2545 61d68cd4-352d-0410-923a-c4978735b2b8 2011-09-22 16:46:30 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userlist()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			return dbFetchRows('SELECT * FROM `users`');
Updated edit user screen so you can now update details 2014-03-10 23:50:16 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function can_update_users()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// supported so return 1`
			`return 1;`
Updated edit user screen so you can now update details 2014-03-10 23:50:16 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_user($user_id)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id));
Updated edit user screen so you can now update details 2014-03-10 23:50:16 +00:00			`}`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function update_user($user_id, $realname, $level, $can_modify_passwd, $email)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
			`}`