library/authentication/login_operations.php

   1 <?php
   2 /**
   3  * This is a library of commonly used functions for managing data for authentication
   4  *
   5  * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
   6  *
   7  * LICENSE: This program is free software; you can redistribute it and/or
   8  * modify it under the terms of the GNU General Public License
   9  * as published by the Free Software Foundation; either version 3
  10  * of the License, or (at your option) any later version.
  11  * This program is distributed in the hope that it will be useful,
  12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14  * GNU General Public License for more details.
  15  * You should have received a copy of the GNU General Public License
  16  * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
  17  *
  18  * @package OpenEMR
  19  * @author  Kevin Yeh <kevin.y@integralemr.com>
  20  * @link    http://www.open-emr.org
  21  */
  22
  23 require_once("$srcdir/authentication/common_operations.php");
  24
  25
  26
  27 /**
  28  *
  29  * @param type $username
  30  * @param type $password    password is passed by reference so that it can be "cleared out"
  31  *                          as soon as we are done with it.
  32  * @param type $provider
  33  */
  34 function validate_user_password($username,&$password,$provider)
  35 {
  36     $ip=$_SERVER['REMOTE_ADDR'];
  37
  38     $valid=false;
  39     $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT))
  40                        ." FROM ".TBL_USERS_SECURE
  41                        ." WHERE BINARY ".COL_UNM."=?";
  42                        // Use binary keyword to require case sensitive username match
  43     $userSecure=privQuery($getUserSecureSQL,array($username));
  44     if(is_array($userSecure))
  45     {
  46         $phash=password_hash($password,$userSecure[COL_SALT]);
  47         if($phash!=$userSecure[COL_PWD])
  48         {
  49
  50             return false;
  51         }
  52         $valid=true;
  53     }
  54     else
  55     {
  56         if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility']))           // use old password scheme if allowed.
  57         {
  58             $getUserSQL="select id, password from users where username = ?";
  59             $userInfo = privQuery($getUserSQL,array($username));
  60             $dbPasswordLen=strlen($userInfo['password']);
  61             if($dbPasswordLen==32)
  62             {
  63                 $phash=md5($password);
  64                 $valid=$phash==$userInfo['password'];
  65             }
  66             else if($dbPasswordLen==40)
  67             {
  68                 $phash=sha1($password);
  69                 $valid=$phash==$userInfo['password'];
  70             }
  71             if($valid)
  72             {
  73                 initializePassword($username,$userInfo['id'],$password);
  74                 purgeCompatabilityPassword($username,$userInfo['id']);
  75                 $_SESSION['relogin'] = 1;
  76             }
  77             else
  78             {
  79                 return false;
  80             }
  81     }
  82
  83     }
  84     $getUserSQL="select id, authorized, see_auth".
  85                         ", cal_ui, active ".
  86                         " from users where BINARY username = ?";
  87     $userInfo = privQuery($getUserSQL,array($username));
  88
  89     if ($userInfo['active'] != 1) {
  90         newEvent( 'login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
  91         $password='';
  92         return false;
  93     }
  94     // Done with the cleartext password at this point!
  95     $password='';
  96     if($valid)
  97     {
  98         if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
  99         {
 100             $_SESSION['authUser'] = $username;
 101             $_SESSION['authGroup'] = $authGroup['name'];
 102             $_SESSION['authUserID'] = $userInfo['id'];
 103             $_SESSION['authProvider'] = $provider;
 104             $_SESSION['authId'] = $userInfo{'id'};
 105             $_SESSION['cal_ui'] = $userInfo['cal_ui'];
 106             $_SESSION['userauthorized'] = $userInfo['authorized'];
 107             // Some users may be able to authorize without being providers:
 108             if ($userInfo['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
 109             newEvent( 'login', $username, $provider, 1, "success: $ip");
 110             $valid=true;
 111         } else {
 112             newEvent( 'login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
 113             $valid=false;
 114         }
 115
 116
 117
 118     }
 119     return $valid;
 120 }
 121
 122 function verify_user_gacl_group($user)
 123 {
 124     global $phpgacl_location;
 125     if (isset ($phpgacl_location)) {
 126       if (acl_get_group_titles($user) == 0) {
 127           newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
 128           return false;
 129       }
 130     }
 131     return true;
 132 }
 133 ?>