search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Highway to PSR2
[openemr.git] / library / authentication / login_operations.php
blob003361c10b42cb63ca27514ffa15293b7f1dcae6
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
4 *
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
17 *
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
21 */
22
23 require_once("$srcdir/authentication/common_operations.php");
24
25
26
27 /**
28 *
29 * @param type $username
30 * @param type $password password is passed by reference so that it can be "cleared out"
31 * as soon as we are done with it.
32 * @param type $provider
33 */
34 function validate_user_password($username, &$password, $provider)
35 {
36 $ip=$_SERVER['REMOTE_ADDR'];
37
38 $valid=false;
39
40 //Active Directory Authentication added by shachar zilbershlag <shaharzi@matrix.co.il>
41 if ($GLOBALS['use_active_directory']) {
42 $valid = active_directory_validation($username, $password);
43 $_SESSION['active_directory_auth'] = $valid;
44 } else {
45 $getUserSecureSQL= " SELECT " . implode(",", array(COL_ID,COL_PWD,COL_SALT))
46 ." FROM ".TBL_USERS_SECURE
47 ." WHERE BINARY ".COL_UNM."=?";
48 // Use binary keyword to require case sensitive username match
49 $userSecure=privQuery($getUserSecureSQL, array($username));
50 if (is_array($userSecure)) {
51 $phash=oemr_password_hash($password, $userSecure[COL_SALT]);
52 if ($phash!=$userSecure[COL_PWD]) {
53 return false;
54 }
55
56 $valid=true;
57 } else {
58 if ((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) { // use old password scheme if allowed.
59 $getUserSQL="select username,id, password from users where BINARY username = ?";
60 $userInfo = privQuery($getUserSQL, array($username));
61 if ($userInfo===false) {
62 return false;
63 }
64
65 $username=$userInfo['username'];
66 $dbPasswordLen=strlen($userInfo['password']);
67 if ($dbPasswordLen==32) {
68 $phash=md5($password);
69 $valid=$phash==$userInfo['password'];
70 } else if ($dbPasswordLen==40) {
71 $phash=sha1($password);
72 $valid=$phash==$userInfo['password'];
73 }
74
75 if ($valid) {
76 $phash=initializePassword($username, $userInfo['id'], $password);
77 purgeCompatabilityPassword($username, $userInfo['id']);
78 $_SESSION['relogin'] = 1;
79 } else {
80 return false;
81 }
82 }
83 }
84 }
85
86 $getUserSQL="select id, authorized, see_auth".
87 ", active ".
88 " from users where BINARY username = ?";
89 $userInfo = privQuery($getUserSQL, array($username));
90
91 if ($userInfo['active'] != 1) {
92 newEvent('login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
93 $password='';
94 return false;
95 }
96
97 // Done with the cleartext password at this point!
98 $password='';
99 if ($valid) {
100 if ($authGroup = privQuery("select * from groups where user=? and name=?", array($username,$provider))) {
101 $_SESSION['authUser'] = $username;
102 $_SESSION['authPass'] = $phash;
103 $_SESSION['authGroup'] = $authGroup['name'];
104 $_SESSION['authUserID'] = $userInfo['id'];
105 $_SESSION['authProvider'] = $provider;
106 $_SESSION['authId'] = $userInfo{'id'};
107 $_SESSION['userauthorized'] = $userInfo['authorized'];
108 // Some users may be able to authorize without being providers:
109 if ($userInfo['see_auth'] > '2') {
110 $_SESSION['userauthorized'] = '1';
111 }
112
113 newEvent('login', $username, $provider, 1, "success: $ip");
114 $valid=true;
115 } else {
116 newEvent('login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
117 $valid=false;
118 }
119 }
120
121 return $valid;
122 }
123
124 function verify_user_gacl_group($user)
125 {
126 global $phpgacl_location;
127 if (isset($phpgacl_location)) {
128 if (acl_get_group_titles($user) == 0) {
129 newEvent('login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
130 return false;
131 }
132 }
133
134 return true;
135 }
136
137 /* Validation of user and password using active directory. */
138 function active_directory_validation($user, $pass)
139 {
140 $valid = false;
141
142 // Create class instance
143 $ad = new Adldap\Adldap();
144
145 // Create a configuration array.
146 $config = array(
147 // Your account suffix, for example: jdoe@corp.acme.org
148 'account_suffix' => $GLOBALS['account_suffix'],
149
150 // You can use the host name or the IP address of your controllers.
151 'domain_controllers' => [$GLOBALS['domain_controllers']],
152
153 // Your base DN.
154 'base_dn' => $GLOBALS['base_dn'],
155
156 // The account to use for querying / modifying users. This
157 // does not need to be an actual admin account.
158 'admin_username' => $user,
159 'admin_password' => $pass,
160 );
161
162 // Add a connection provider to Adldap.
163 $ad->addProvider($config);
164
165 // If a successful connection is made, the provider will be returned.
166 try {
167 $prov = $ad->connect();
168 $valid = $prov->auth()->attempt($user, $pass);
169 } catch (Exception $e) {
170 }
171
172 return $valid;
173 }
Mirror of official OpenEMR Sourceforge repository