rename password functions for PHP 5.5 compatibility
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
4 *
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>.
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
23 require_once("$srcdir/authentication/common_operations.php");
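/**
 * Validate a username/password pair and, on success, populate the login session.
 *
 * The salted record in TBL_USERS_SECURE is checked first. If the user has no
 * record there and $GLOBALS['password_compatibility'] is unset or truthy, the
 * legacy unsalted MD5 (32 hex chars) or SHA-1 (40 hex chars) hash stored in
 * users.password is checked instead; a successful legacy login calls
 * initializePassword() and purgeCompatabilityPassword() and sets
 * $_SESSION['relogin'].
 *
 * The login only succeeds when the password matches, users.active is 1 and
 * the user has a row in the groups table for $provider.
 *
 * @param string $username  login name; matched case-sensitively (BINARY)
 * @param string $password  cleartext password, passed by reference so that it
 *                          can be "cleared out" as soon as we are done with it;
 *                          it is emptied on every return path
 * @param string $provider  group name the user must belong to
 * @return boolean          true when the login is accepted, false otherwise
 */
function validate_user_password($username,&$password,$provider)
{
    $ip=$_SERVER['REMOTE_ADDR'];

    $valid=false;
    // Use binary keyword to require case sensitive username match
    $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT))
                      ." FROM ".TBL_USERS_SECURE
                      ." WHERE BINARY ".COL_UNM."=?";
    $userSecure=privQuery($getUserSecureSQL,array($username));
    if(is_array($userSecure))
    {
        $phash=oemr_password_hash($password,$userSecure[COL_SALT]);
        if(!_login_hash_equals($userSecure[COL_PWD],$phash))
        {
            // NOTE(review): this path records no 'login' failure event here;
            // confirm the caller audits rejected passwords.
            $password='';
            return false;
        }
        $valid=true;
    }
    else
    {
        if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) // use old password scheme if allowed.
        {
            $getUserSQL="select username,id, password from users where BINARY username = ?";
            $userInfo = privQuery($getUserSQL,array($username));
            if($userInfo===false)
            {
                $password='';
                return false;
            }

            $username=$userInfo['username'];
            $dbPasswordLen=strlen($userInfo['password']);
            // The stored hash length selects the legacy algorithm. Hashes are
            // compared as exact strings: with "==" two different hex digests
            // that both look numeric (e.g. "0e" followed by digits) compare equal.
            if($dbPasswordLen==32)
            {
                $valid=_login_hash_equals($userInfo['password'],md5($password));
            }
            else if($dbPasswordLen==40)
            {
                $valid=_login_hash_equals($userInfo['password'],sha1($password));
            }
            if($valid)
            {
                // Presumably re-stores the password under the salted scheme and
                // drops the legacy hash -- both helpers are defined elsewhere.
                initializePassword($username,$userInfo['id'],$password);
                purgeCompatabilityPassword($username,$userInfo['id']);
                $_SESSION['relogin'] = 1;
            }
            else
            {
                $password='';
                return false;
            }
        }
    }

    $getUserSQL="select id, authorized, see_auth".
                ", cal_ui, active ".
                " from users where BINARY username = ?";
    $userInfo = privQuery($getUserSQL,array($username));

    // A missing row is treated the same as an inactive account.
    if (!is_array($userInfo) || $userInfo['active'] != 1) {
        newEvent( 'login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
        $password='';
        return false;
    }
    // Done with the cleartext password at this point!
    $password='';
    if($valid)
    {
        if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
        {
            // NOTE(review): no session id rotation is visible in this function;
            // confirm the caller regenerates the session id at login.
            $_SESSION['authUser'] = $username;
            $_SESSION['authGroup'] = $authGroup['name'];
            $_SESSION['authUserID'] = $userInfo['id'];
            $_SESSION['authProvider'] = $provider;
            // Square brackets: the curly-brace offset syntax is a parse error on PHP 8.
            $_SESSION['authId'] = $userInfo['id'];
            $_SESSION['cal_ui'] = $userInfo['cal_ui'];
            $_SESSION['userauthorized'] = $userInfo['authorized'];
            // Some users may be able to authorize without being providers:
            if ($userInfo['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
            newEvent( 'login', $username, $provider, 1, "success: $ip");
            $valid=true;
        } else {
            newEvent( 'login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
            $valid=false;
        }
    }

    return $valid;
}

/**
 * Compare a stored password hash with a freshly computed one as exact strings.
 *
 * @param mixed $known      hash read from the database
 * @param mixed $candidate  hash computed from the submitted password
 * @return boolean          true only when both are strings and identical
 */
function _login_hash_equals($known,$candidate)
{
    if(!is_string($known) || !is_string($candidate))
    {
        return false;
    }
    // hash_equals() (PHP >= 5.6) compares in constant time; the strict
    // fallback for older PHP is exact but not timing-safe.
    if(function_exists('hash_equals'))
    {
        return hash_equals($known,$candidate);
    }
    return $known===$candidate;
}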
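/**
 * Check that a user belongs to at least one phpGACL group.
 *
 * The check only runs when the global $phpgacl_location is set; when it is
 * not set the function returns true without consulting phpGACL.
 *
 * @param string $user  username to look up
 * @return boolean      false when acl_get_group_titles() reports no groups
 *                      for the user (a 'login' failure event is recorded),
 *                      true otherwise
 */
function verify_user_gacl_group($user)
{
    global $phpgacl_location;
    if (isset ($phpgacl_location)) {
        if (acl_get_group_titles($user) == 0) {
            // $ip and $provider were never defined in this scope, so the audit
            // entry carried neither the client address nor the group.
            $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            // validate_user_password() stores the provider in the session on
            // success; presumably that call precedes this one -- verify against caller.
            $provider = isset($_SESSION['authProvider']) ? $_SESSION['authProvider'] : null;
            newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
            return false;
        }
    }
    return true;
}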