From: paulr Date: Mon, 6 Dec 2010 15:01:10 +0000 (+1100) Subject: Freeradius users script added X-Git-Url: http://git.pjr.cc/?a=commitdiff_plain;h=d4590a3f34021216c9da29786922fddaf804d113;p=ga4php.git Freeradius users script added actions added to admin_actions working radius client using __FILE__ php keywords --- diff --git a/authserver/authd/authd.php b/authserver/authd/authd.php index 67036a7..e0f7296 100644 --- a/authserver/authd/authd.php +++ b/authserver/authd/authd.php @@ -36,6 +36,26 @@ if($pid == -1) { while(true) { msg_receive($sr_queue, 0, $msg_type, 16384, $msg); switch($msg_type) { + case MSG_DELETE_USER_TOKEN: + $username = $msg["username"]; + + $sql = "select users_otk from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $otkid = ""; + foreach($res as $row) { + $otkid = $row["users_otk"]; + } + if($otkid!="") { + unlink("otks/$otkid.png"); + } + + $sql = "update users set users_tokendata='',users_otk='' where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + + msg_send($cl_queue, MSG_DELETE_USER_TOKEN, true); + break; case MSG_AUTH_USER_TOKEN: echo "Call to auth user token\n"; // minimal checking, we leav it up to authenticateUser to do the real @@ -89,9 +109,9 @@ if($pid == -1) { $hand = fopen("otks/$otk.png", "rb"); $data = fread($hand, filesize("otks/$otk.png")); fclose($hand); - //unlink("otks/$otk.png"); - //$sql = "update users set users_otk='' where users_username='$username'"; - //$dbo->query($sql); + unlink("otks/$otk.png"); + $sql = "update users set users_otk='' where users_username='$username'"; + $dbo->query($sql); error_log("senting otk, fsize: ".filesize("otks/$otk.png")." $otk "); msg_send($cl_queue, MSG_GET_OTK_PNG, $data); } @@ -106,7 +126,7 @@ if($pid == -1) { $username = $msg["username"]; $tokentype="HOTP"; if(isset($msg["tokentype"])) { - $tokentype="HOTP"; + $tokentype=$msg["tokentype"]; } $hexkey = ""; if(isset($msg["hexkey"])) { @@ -134,6 +154,19 @@ if($pid == -1) { } else { $username = $msg["username"]; global $myga; + + $sql = "select users_otk from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $otkid = ""; + foreach($res as $row) { + $otkid = $row["users_otk"]; + } + if($otkid!="") { + unlink("otks/$otkid.png"); + } + + $sql = "delete from users where users_username='$username'"; $dbo = getDatabase(); $dbo->query($sql); diff --git a/authserver/lib/authClient.php b/authserver/lib/authClient.php index 62419bd..c5ef6dd 100644 --- a/authserver/lib/authClient.php +++ b/authserver/lib/authClient.php @@ -233,6 +233,33 @@ class GAAuthClient { return $msg; } + function deleteUserToken($username) { + + global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT; + + if(!msg_queue_exists($MSG_QUEUE_KEY_ID_SERVER)) { + return false; + } + + if(!msg_queue_exists($MSG_QUEUE_KEY_ID_CLIENT)) { + return false; + } + + // TODO we need to setup a client queue sem lock here + + $cl_queue = msg_get_queue($MSG_QUEUE_KEY_ID_CLIENT); + $sr_queue = msg_get_queue($MSG_QUEUE_KEY_ID_SERVER); + + + $message["username"] = $username; + + msg_send($sr_queue, MSG_DELETE_USER_TOKEN, $message, true, true, $msg_err); + + msg_receive($cl_queue, 0, $msg_type, 16384, $msg); + + return $msg; + } + function addUser($username, $tokentype="", $hexkey="") { global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT; diff --git a/authserver/lib/lib.php b/authserver/lib/lib.php index 689389a..02be059 100644 --- a/authserver/lib/lib.php +++ b/authserver/lib/lib.php @@ -15,10 +15,10 @@ define("MSG_SET_USER_TOKEN_TYPE", 8); define("MSG_GET_USERS", 9); define("MSG_GET_OTK_PNG", 10); define("MSG_GET_OTK_ID", 11); +define("MSG_DELETE_USER_TOKEN", 12); -if(file_exists("../../lib/ga4php.php")) require_once("../../lib/ga4php.php"); -if(file_exists("../lib/ga4php.php")) require_once("../lib/ga4php.php"); - +// messy +require_once(dirname(__FILE__)."/../../lib/ga4php.php"); function generateRandomString() { @@ -100,9 +100,11 @@ class gaasGA extends GoogleAuthenticator { $res = $dbObject->query($sql); if($res->fetchColumn() > 0) { // do update + error_log("doing userdata update"); $sql = "update users set users_tokendata='$data' where users_username='$username'"; } else { // do insert + error_log("doing user data create"); $sql = "insert into users values (NULL, '$username', '', '', '$data', '')"; } diff --git a/authserver/usercmd.php b/authserver/usercmd.php index d19fa54..3c094db 100644 --- a/authserver/usercmd.php +++ b/authserver/usercmd.php @@ -43,9 +43,11 @@ if(!isset($argv[1])) { switch($argv[1]) { case "radauth": if($myAC->authUserToken($argv[2], $argv[3])==1) { - return 0; + syslog(LOG_WARNING, "Got good request for user, ".$argv[2]); + exit(0); } else { - return 255; + syslog(LOG_WARNING, "Got bad request for user, ".$argv[2]); + exit(255); } break; case "getotk": diff --git a/authserver/www/admin.php b/authserver/www/admin.php index e214751..b35a227 100644 --- a/authserver/www/admin.php +++ b/authserver/www/admin.php @@ -17,10 +17,59 @@ require_once("admin_actions.php"); if($loggedin) { ?>

GAAS Manager

-Welcome to the Google Authenticator Authentication Server Manager Application
+Welcome to the Google Authenticator Authentication Server Manager Application - Show Help
+ +".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; +} + + +if(isset($_REQUEST["showhelp"])) { + echo "
"; + ?> +On this page, you create users and manage their tokens and passwords. A few notes,
+
  • Passwords are *ONLY* for this page, if you assign a password to a user they can login here +and edit anyone, including you +
  • OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once +and once viewed is deleted. If you need a new one, you need to delete the user and re-create. + + +

    Editing user,


    +
    +"> + + + + +
    Real Name:">
    Password:
    Confirm Password:
    + +
    +
    +

    Custom Tokens - doesnt work yet


    +For assiging in a user-created or hardware tokens
    +Token Key (hex)
    +Token Type +
    + +
    +

    Users

    - +getUsers(); foreach($users as $user) { @@ -29,25 +78,28 @@ foreach($users as $user) { if($user["realname"] == "") $realname = ""; else $realname = $user["realname"]; - if($user["haspass"]) $haspass = "Yes Delete Password"; - else $haspass = "No "; + if($user["haspass"]) $haspass = "Yes Delete Password"; + else $haspass = "No"; - if($user["hastoken"]) $hastoken = "Yes"; - else $hastoken = "No"; + if($user["hastoken"]) $hastoken = "Yes Re-Create (hotp)Re-Create (totp)Delete"; + else $hastoken = "No Create (hotp)Create (totp)"; if($user["otk"]!="") $otk = "Get"; else $otk = "Already Claimed"; $delete = "Delete"; - echo ""; - echo ""; -} + echo ""; + echo ""; + echo ""; +} ?>
    UsernameRealNameHas Password?Has Token?One Time KeyUpdateDelete
    UsernameRealNameHas Password?Has Token?One Time KeyDelete
    $username$haspass$hastoken$otk$delete
    $username$realname$haspass$hastoken$otk$delete

    Create User(s) - Enter a comma seperated list of names:

    Radius Clients

    Not yet implemented -
    Logout +
    Logout Home GAAS Manager Login Login Failed"; + echo "".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; } ?>
    @@ -91,5 +146,5 @@ if(isset($_REQUEST["message"])) {
    \ No newline at end of file diff --git a/authserver/www/admin_actions.php b/authserver/www/admin_actions.php index bddbc55..e5ddb11 100644 --- a/authserver/www/admin_actions.php +++ b/authserver/www/admin_actions.php @@ -10,6 +10,34 @@ else $loggedin = false; if(isset($_REQUEST["action"])) { switch($_REQUEST["action"]) { + case "recreatehotptoken": + $username = $_REQUEST["username"]; + $myAC->addUser($username, "HOTP"); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "recreatetotptoken": + $username = $_REQUEST["username"]; + $myAC->addUser($username, "TOTP"); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "deletetoken": + $username = $_REQUEST["username"]; + $myAC->deleteUserToken($username); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "edituser": + $username = $_REQUEST["username"]; + if($_REQUEST["original_real"] != $_REQUEST["realname"]) { + $myAC->setUserRealName($username, $_REQUEST["realname"]); + } + if($_REQUEST["password"] != "") { + if($_REQUEST["password"]!=$_REQUEST["password_conf"]) { + header("Location: ?message=confirmfalse"); + } else { + $myAC->setUserPass($username, $_REQUEST["password"]); + } + } + break; case "login": $username = $_REQUEST["username"]; $password = $_REQUEST["password"]; @@ -19,7 +47,7 @@ if(isset($_REQUEST["action"])) { $_SESSION["username"] = $username; header("Location: admin.php"); } else { - header("Location: admin.php?message=loginfail"); + header("Location: admin.php?error=".urlencode("Login Failed")); } exit(0); diff --git a/authserver/www/index.php b/authserver/www/index.php index c8824b8..723163a 100644 --- a/authserver/www/index.php +++ b/authserver/www/index.php @@ -26,6 +26,8 @@ Token Code:
    Hi user +
    Logout + diff --git a/authserver/www/user_actions.php b/authserver/www/user_actions.php index 8947432..6b763b6 100644 --- a/authserver/www/user_actions.php +++ b/authserver/www/user_actions.php @@ -7,7 +7,7 @@ $myAC = new GAAuthClient(); $loggedin = false; session_start(); -if(isset($_SESSION["loggedin"])) if($_SESSION["loggedin"]) { +if(isset($_SESSION["user_loggedin"])) if($_SESSION["user_loggedin"]) { $loggedin = true; } else { $loggedin = false; @@ -23,7 +23,7 @@ if(isset($_REQUEST["action"])) { if($myAC->authUserToken($username, $token)) { - $_SESSION["loggedin"] = true; + $_SESSION["user_loggedin"] = true; $_SESSION["username"] = $username; header("Location: index.php"); } else { @@ -31,6 +31,13 @@ if(isset($_REQUEST["action"])) { header("Location: index.php?message=loginfail"); } break; + case "logout": + $_SESSION["user_loggedin"] = false; + $_SESSION["username"] = ""; + header("Location: admin.php"); + exit(0); + break; + } } ?> \ No newline at end of file diff --git a/contrib/freeradius-users b/contrib/freeradius-users new file mode 100644 index 0000000..5b338ae --- /dev/null +++ b/contrib/freeradius-users @@ -0,0 +1,5 @@ +The following three lines is what my freeradius users command looks like - pretty darn simple really + +DEFAULT Auth-Type := Accept + Exec-Program-Wait = "/usr/bin/php /home/paulr/src/eclipse-workspace/ga4php/authserver/usercmd.php radauth %{User-Name} %{User-Password}", + Fall-Through = Yes