search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
remove unused calendar styles
[openemr.git] / library / authentication / login_operations.php
blobd3fdc47c40a0710c8de66054f7384a5803063ab2
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
4 *
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
17 *
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
21 */
22
23 require_once("$srcdir/authentication/common_operations.php");
24
25
26
27 /**
28 *
29 * @param type $username
30 * @param type $password password is passed by reference so that it can be "cleared out"
31 * as soon as we are done with it.
32 * @param type $provider
33 */
34 function validate_user_password($username,&$password,$provider)
35 {
36 $ip=$_SERVER['REMOTE_ADDR'];
37
38 $valid=false;
39
40 //Active Directory Authentication added by shachar zilbershlag <shaharzi@matrix.co.il>
41 if($GLOBALS['use_active_directory'])
42 {
43 $valid = active_directory_validation($username, $password);
44 $_SESSION['active_directory_auth'] = $valid;
45 }
46 else
47 {
48 $getUserSecureSQL= " SELECT " . implode(",",array(COL_ID,COL_PWD,COL_SALT))
49 ." FROM ".TBL_USERS_SECURE
50 ." WHERE BINARY ".COL_UNM."=?";
51 // Use binary keyword to require case sensitive username match
52 $userSecure=privQuery($getUserSecureSQL,array($username));
53 if(is_array($userSecure))
54 {
55 $phash=oemr_password_hash($password,$userSecure[COL_SALT]);
56 if($phash!=$userSecure[COL_PWD])
57 {
58
59 return false;
60 }
61 $valid=true;
62 }
63 else
64 {
65 if((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) // use old password scheme if allowed.
66 {
67 $getUserSQL="select username,id, password from users where BINARY username = ?";
68 $userInfo = privQuery($getUserSQL,array($username));
69 if($userInfo===false)
70 {
71 return false;
72 }
73
74 $username=$userInfo['username'];
75 $dbPasswordLen=strlen($userInfo['password']);
76 if($dbPasswordLen==32)
77 {
78 $phash=md5($password);
79 $valid=$phash==$userInfo['password'];
80 }
81 else if($dbPasswordLen==40)
82 {
83 $phash=sha1($password);
84 $valid=$phash==$userInfo['password'];
85 }
86 if($valid)
87 {
88 $phash=initializePassword($username,$userInfo['id'],$password);
89 purgeCompatabilityPassword($username,$userInfo['id']);
90 $_SESSION['relogin'] = 1;
91 }
92 else
93 {
94 return false;
95 }
96 }
97
98 }
99 }
100 $getUserSQL="select id, authorized, see_auth".
101 ", active ".
102 " from users where BINARY username = ?";
103 $userInfo = privQuery($getUserSQL,array($username));
104
105 if ($userInfo['active'] != 1) {
106 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not active or not found in users table");
107 $password='';
108 return false;
109 }
110 // Done with the cleartext password at this point!
111 $password='';
112 if($valid)
113 {
114 if ($authGroup = privQuery("select * from groups where user=? and name=?",array($username,$provider)))
115 {
116 $_SESSION['authUser'] = $username;
117 $_SESSION['authPass'] = $phash;
118 $_SESSION['authGroup'] = $authGroup['name'];
119 $_SESSION['authUserID'] = $userInfo['id'];
120 $_SESSION['authProvider'] = $provider;
121 $_SESSION['authId'] = $userInfo{'id'};
122 $_SESSION['userauthorized'] = $userInfo['authorized'];
123 // Some users may be able to authorize without being providers:
124 if ($userInfo['see_auth'] > '2') $_SESSION['userauthorized'] = '1';
125 newEvent( 'login', $username, $provider, 1, "success: $ip");
126 $valid=true;
127 } else {
128 newEvent( 'login', $username, $provider, 0, "failure: $ip. user not in group: $provider");
129 $valid=false;
130 }
131
132
133
134 }
135 return $valid;
136 }
137
138 function verify_user_gacl_group($user)
139 {
140 global $phpgacl_location;
141 if (isset ($phpgacl_location)) {
142 if (acl_get_group_titles($user) == 0) {
143 newEvent( 'login', $user, $provider, 0, "failure: $ip. user not in any phpGACL groups. (bad username?)");
144 return false;
145 }
146 }
147 return true;
148 }
149
150 /* Validation of user and password using active directory. */
151 function active_directory_validation($user, $pass)
152 {
153 $valid = false;
154
155 // Create class instance
156 $ad = new Adldap\Adldap();
157
158 // Create a configuration array.
159 $config = array(
160 // Your account suffix, for example: jdoe@corp.acme.org
161 'account_suffix' => $GLOBALS['account_suffix'],
162
163 // You can use the host name or the IP address of your controllers.
164 'domain_controllers' => [$GLOBALS['domain_controllers']],
165
166 // Your base DN.
167 'base_dn' => $GLOBALS['base_dn'],
168
169 // The account to use for querying / modifying users. This
170 // does not need to be an actual admin account.
171 'admin_username' => $user,
172 'admin_password' => $pass,
173 );
174
175 // Add a connection provider to Adldap.
176 $ad->addProvider($config);
177
178 // If a successful connection is made, the provider will be returned.
179 try
180 {
181 $prov = $ad->connect();
182 $valid = $prov->auth()->attempt($user, $pass);
183 }
184 catch(Exception $e)
185 {
186
187 }
188 return $valid;
189 }
190 ?>
Mirror of official OpenEMR Sourceforge repository