search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
log ip improve (#1928)
[openemr.git] / library / authentication / login_operations.php
bloba821ba9bdee39f929b21fdf88b0dc4df37d33131
1 <?php
2 /**
3 * This is a library of commonly used functions for managing data for authentication
4 *
5 * Copyright (C) 2013 Kevin Yeh <kevin.y@integralemr.com> and OEMR <www.oemr.org>
6 *
7 * LICENSE: This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * as published by the Free Software Foundation; either version 3
10 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program. If not, see <http://opensource.org/licenses/gpl-license.php>;.
17 *
18 * @package OpenEMR
19 * @author Kevin Yeh <kevin.y@integralemr.com>
20 * @link http://www.open-emr.org
21 */
22
23 require_once("$srcdir/authentication/common_operations.php");
24
25
26
27 /**
28 *
29 * @param type $username
30 * @param type $password password is passed by reference so that it can be "cleared out"
31 * as soon as we are done with it.
32 * @param type $provider
33 */
34 function validate_user_password($username, &$password, $provider)
35 {
36 $ip = collectIpAddresses();
37
38 $valid=false;
39
40 //Active Directory Authentication added by shachar zilbershlag <shaharzi@matrix.co.il>
41 if ($GLOBALS['use_active_directory']) {
42 $valid = active_directory_validation($username, $password);
43 $_SESSION['active_directory_auth'] = $valid;
44 } else {
45 $getUserSecureSQL= " SELECT " . implode(",", array(COL_ID,COL_PWD,COL_SALT))
46 ." FROM ".TBL_USERS_SECURE
47 ." WHERE BINARY ".COL_UNM."=?";
48 // Use binary keyword to require case sensitive username match
49 $userSecure=privQuery($getUserSecureSQL, array($username));
50 if (is_array($userSecure)) {
51 $phash=oemr_password_hash($password, $userSecure[COL_SALT]);
52 if ($phash!=$userSecure[COL_PWD]) {
53 return false;
54 }
55
56 $valid=true;
57 } else {
58 if ((!isset($GLOBALS['password_compatibility'])||$GLOBALS['password_compatibility'])) { // use old password scheme if allowed.
59 $getUserSQL="select username,id, password from users where BINARY username = ?";
60 $userInfo = privQuery($getUserSQL, array($username));
61 if ($userInfo===false) {
62 return false;
63 }
64
65 $username=$userInfo['username'];
66 $dbPasswordLen=strlen($userInfo['password']);
67 if ($dbPasswordLen==32) {
68 $phash=md5($password);
69 $valid=$phash==$userInfo['password'];
70 } else if ($dbPasswordLen==40) {
71 $phash=sha1($password);
72 $valid=$phash==$userInfo['password'];
73 }
74
75 if ($valid) {
76 $phash=initializePassword($username, $userInfo['id'], $password);
77 purgeCompatabilityPassword($username, $userInfo['id']);
78 $_SESSION['relogin'] = 1;
79 } else {
80 return false;
81 }
82 }
83 }
84 }
85
86 $getUserSQL="select id, authorized, see_auth".
87 ", active ".
88 " from users where BINARY username = ?";
89 $userInfo = privQuery($getUserSQL, array($username));
90
91 if ($userInfo['active'] != 1) {
92 newEvent('login', $username, $provider, 0, "failure: " . $ip['ip_string'] . ". user not active or not found in users table");
93 $password='';
94 return false;
95 }
96
97 // Done with the cleartext password at this point!
98 $password='';
99 if ($valid) {
100 if ($authGroup = privQuery("select * from `groups` where user=? and name=?", array($username,$provider))) {
101 $_SESSION['authUser'] = $username;
102 $_SESSION['authPass'] = $phash;
103 $_SESSION['authGroup'] = $authGroup['name'];
104 $_SESSION['authUserID'] = $userInfo['id'];
105 $_SESSION['authProvider'] = $provider;
106 $_SESSION['authId'] = $userInfo{'id'};
107 $_SESSION['userauthorized'] = $userInfo['authorized'];
108 // Some users may be able to authorize without being providers:
109 if ($userInfo['see_auth'] > '2') {
110 $_SESSION['userauthorized'] = '1';
111 }
112
113 newEvent('login', $username, $provider, 1, "success: " . $ip['ip_string']);
114 $valid=true;
115 } else {
116 newEvent('login', $username, $provider, 0, "failure: " . $ip['ip_string'] . ". user not in group: $provider");
117 $valid=false;
118 }
119 }
120
121 return $valid;
122 }
123
124 function verify_user_gacl_group($user)
125 {
126 global $phpgacl_location;
127
128 $ip = collectIpAddresses();
129
130 if (isset($phpgacl_location)) {
131 if (acl_get_group_titles($user) == 0) {
132 newEvent('login', $user, $provider, 0, "failure: " . $ip['ip_string'] . ". user not in any phpGACL groups. (bad username?)");
133 return false;
134 }
135 }
136
137 return true;
138 }
139
140 /* Validation of user and password using active directory. */
141 function active_directory_validation($user, $pass)
142 {
143 $valid = false;
144
145 // Create class instance
146 $ad = new Adldap\Adldap();
147
148 // Create a configuration array.
149 $config = array(
150 // Your account suffix, for example: jdoe@corp.acme.org
151 'account_suffix' => $GLOBALS['account_suffix'],
152
153 // You can use the host name or the IP address of your controllers.
154 'domain_controllers' => [$GLOBALS['domain_controllers']],
155
156 // Your base DN.
157 'base_dn' => $GLOBALS['base_dn'],
158
159 // The account to use for querying / modifying users. This
160 // does not need to be an actual admin account.
161 'admin_username' => $user,
162 'admin_password' => $pass,
163 );
164
165 // Add a connection provider to Adldap.
166 $ad->addProvider($config);
167
168 // If a successful connection is made, the provider will be returned.
169 try {
170 $prov = $ad->connect();
171 $valid = $prov->auth()->attempt($user, $pass);
172 } catch (Exception $e) {
173 }
174
175 return $valid;
176 }
Mirror of official OpenEMR Sourceforge repository