From ee45b81ae7117097934cacc0c129565fddb49fc4 Mon Sep 17 00:00:00 2001 
From: paulr Date: Tue, 8 Feb 2011 01:22:30 +1100 Subject: [PATCH] time to re-code the auth server from scratch --- archive/authserver_v1.0/authd/.gitignore | 4 + archive/authserver_v1.0/authd/authd.php | 479 +++++++++++++++++++++++++ archive/authserver_v1.0/create1000users.php | 35 ++ archive/authserver_v1.0/lib/.gitignore | 1 + archive/authserver_v1.0/lib/authClient.php | 190 ++++++++++ archive/authserver_v1.0/lib/lib.php | 183 ++++++++++ archive/authserver_v1.0/usercmd.php | 171 +++++++++ archive/authserver_v1.0/www/admin.php | 200 ++++++++++ archive/authserver_v1.0/www/admin_actions.php | 147 ++++++++ archive/authserver_v1.0/www/index.php | 107 ++++++ archive/authserver_v1.0/www/user_actions.php | 52 +++ authserver/authd/authd.php | 479 ------------------------- authserver/create1000users.php | 35 -- authserver/lib/.gitignore | 1 - authserver/lib/authClient.php | 190 ---------- authserver/lib/lib.php | 183 ---------- authserver/usercmd.php | 171 --------- authserver/www/admin.php | 200 ---------- authserver/www/admin_actions.php | 147 -------- authserver/www/index.php | 107 ------ authserver/www/user_actions.php | 52 --- 21 files changed, 1569 insertions(+), 1565 deletions(-) create mode 100644 archive/authserver_v1.0/authd/.gitignore create mode 100644 archive/authserver_v1.0/authd/authd.php create mode 100644 archive/authserver_v1.0/create1000users.php create mode 100644 archive/authserver_v1.0/lib/.gitignore create mode 100644 archive/authserver_v1.0/lib/authClient.php create mode 100644 archive/authserver_v1.0/lib/lib.php create mode 100644 archive/authserver_v1.0/usercmd.php create mode 100644 archive/authserver_v1.0/www/admin.php create mode 100644 archive/authserver_v1.0/www/admin_actions.php create mode 100644 archive/authserver_v1.0/www/index.php create mode 100644 archive/authserver_v1.0/www/user_actions.php delete mode 100644 authserver/authd/authd.php delete mode 100644 authserver/create1000users.php delete mode 100644 authserver/lib/.gitignore 
delete mode 100644 authserver/lib/authClient.php
delete mode 100644 authserver/lib/lib.php
delete mode 100644 authserver/usercmd.php
delete mode 100644 authserver/www/admin.php
delete mode 100644 authserver/www/admin_actions.php
delete mode 100644 authserver/www/index.php
delete mode 100644 authserver/www/user_actions.php
diff --git a/archive/authserver_v1.0/authd/.gitignore b/archive/authserver_v1.0/authd/.gitignore
new file mode 100644
index 0000000..12fa23c
--- /dev/null
+++ b/archive/authserver_v1.0/authd/.gitignore
@@ -0,0 +1,4 @@
+/gaasdata.sqlite
+/otks
+/gaasdata.sqlite
+/otks
diff --git a/archive/authserver_v1.0/authd/authd.php b/archive/authserver_v1.0/authd/authd.php
new file mode 100644
index 0000000..aa78a73
--- /dev/null
+++ b/archive/authserver_v1.0/authd/authd.php
@@ -0,0 +1,479 @@ +query($sql); + $clients = ""; + $i=0; + foreach($res as $row) { + // $sql = 'CREATE TABLE "radclients" ("rad_id" INTEGER PRIMARY KEY AUTOINCREMENT,"rad_name" TEXT, "rad_ip" TEXT, "rad_secret" TEXT, "rad_desc" TEXT);'; + $clients[$i]["name"] = $row["rad_name"]; + $clients[$i]["ip"] = $row["rad_ip"]; + $clients[$i]["secret"] = $row["rad_secret"]; + $clients[$i]["desc"] = $row["rad_desc"]; + $i++; + } + $data_returned = $clients; + break; + case MSG_REMOVE_RADIUS_CLIENT: + // it should send us a client by rad_name - doesnt work yet + $client = $msg["clientname"]; + $sql = "delete from radclients where rad_name='$client'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + updateRadius(); + $data_returned = true; + break; + case MSG_ADD_RADIUS_CLIENT: + //echo "in addradclient\n"; + $client = $msg["clientname"]; + $clientsecret = $msg["clientsecret"]; + $clientip = $msg["clientip"]; + $clientdesc = $msg["clientdescription"]; + $dbo = getDatabase(); + + // check for existing clients with same name + $sql = "select * from radclients where rad_name='$client'"; + //echo "doing select, $sql\n"; + $res = $dbo->query($sql); + if($res->fetchColumn() > 0) { + $data_returned = "name"; + + } else { + // check for existing clients with same ip + $sql = "select * from radclients where rad_ip='$clientip'"; + $res = $dbo->query($sql); + //echo "doing select, $sql\n"; + if($res->fetchColumn() > 0) { + $data_returned = "ip"; + + } else { + $sql = "insert into radclients values (NULL, '$client', '$clientip', '$clientsecret', '$clientdesc')"; + $res = $dbo->query($sql); + updateRadius(); + $data_returned = true; + break; + } + } + break; + case MSG_DELETE_USER_TOKEN: + $username = $msg["username"]; + + $sql = "select users_otk from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $otkid = ""; + foreach($res as $row) { + $otkid = $row["users_otk"]; + } + if($otkid!="") { + global $BASE_DIR; + 
unlink("$BASE_DIR/authserver/authd/otks/$otkid.png"); + } + + $sql = "update users set users_tokendata='',users_otk='' where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + + $data_returned = true; + break; + case MSG_AUTH_USER_TOKEN: + //echo "Call to auth user token\n"; + // minimal checking, we leav it up to authenticateUser to do the real + // checking + if(!isset($msg["username"])) $msg["username"] = ""; + if(!isset($msg["passcode"])) $msg["passcode"] = ""; + $username = $msg["username"]; + $passcode = $msg["passcode"]; + global $myga; + $authval = $myga->authenticateUser($username, $passcode); + $data_returned = $authval; + break; + case MSG_GET_OTK_ID: + if(!isset($msg["username"])) { + msg_send($cl_queue, MSG_GET_OTK_ID, false); + } else { + $username = $msg["username"]; + $sql = "select users_otk from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $otkid = ""; + foreach($res as $row) { + $otkid = $row["users_otk"]; + } + + if($otkid == "") { + $data_returned = false; + } else { + $data_returned = $otkid; + } + } + break; + case MSG_GET_OTK_PNG: + if(!isset($msg["otk"])) { + msg_send($cl_queue, MSG_GET_OTK_PNG, false); + } else { + $otk = $msg["otk"]; + $sql = "select users_username from users where users_otk='$otk'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $username = ""; + foreach($res as $row) { + $username = $row["users_username"]; + } + + if($username == "") { + $data_returned = false; + + } else if($username != $msg["username"]) { + $data_returned = false; + } else { + global $BASE_DIR; + $hand = fopen("$BASE_DIR/authserver/authd/otks/$otk.png", "rb"); + $data = fread($hand, filesize("$BASE_DIR/authserver/authd/otks/$otk.png")); + fclose($hand); + unlink("$BASE_DIR/authserver/authd/otks/$otk.png"); + $sql = "update users set users_otk='' where users_username='$username'"; + $dbo->query($sql); + error_log("senting otk, fsize: 
".filesize("$BASE_DIR/authserver/authd/otks/$otk.png")." $otk "); + $data_returned = $data; + } + } + + break; + case MSG_SYNC_TOKEN: + if(!isset($msg["username"])) { + $data_returned = false; + } else { + $tokenone = $msg["tokenone"]; + $tokentwo = $msg["tokentwo"]; + + $data_returned = $myga->resyncCode($msg["username"], $tokenone, $tokentwo); + } + + break; + case MSG_GET_TOKEN_TYPE: + if(!isset($msg["username"])) { + $data_returned = false; + } else { + $data_returned = $myga->getTokenType($msg["username"]); + } + break; + case MSG_ADD_USER_TOKEN: + //echo "Call to add user token\n"; + if(!isset($msg["username"])) { + $data_returned = false; + } else { + global $BASE_DIR; + $username = $msg["username"]; + $tokentype="TOTP"; + if(isset($msg["tokentype"])) { + $tokentype=$msg["tokentype"]; + } + $hexkey = ""; + if(isset($msg["hexkey"])) { + $hexkey = $msg["hexkey"]; + } + global $myga; + $myga->setUser($username, $tokentype, "", $hexkey); + + $url = $myga->createUrl($username); + //echo "Url was: $url\n"; + if(!file_exists("$BASE_DIR/authserver/authd/otks")) mkdir("$BASE_DIR/authserver/authd/otks"); + $otk = generateRandomString(); + system("qrencode -o $BASE_DIR/authserver/authd/otks/$otk.png '$url'"); + + $sql = "update users set users_otk='$otk' where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + + $data_returned = true; + } + break; + case MSG_DELETE_USER: + //echo "Call to del user\n"; + if(!isset($msg["username"])) { + $data_returned = false; + } else { + $username = $msg["username"]; + global $myga; + + $sql = "select users_otk from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $otkid = ""; + foreach($res as $row) { + $otkid = $row["users_otk"]; + } + if($otkid!="") { + unlink("otks/$otkid.png"); + } + + + $sql = "delete from users where users_username='$username'"; + $dbo = getDatabase(); + $dbo->query($sql); + + $data_returned = true; + } + break; + case 
MSG_AUTH_USER_PASSWORD: + // TODO + //echo "Call to auth user pass\n"; + if(!isset($msg["username"])) { + $data_returned = false; + break; + } + if(!isset($msg["password"])) { + $data_returned = false; + break; + } + + $username = $msg["username"]; + $password = $msg["password"]; + $sql = "select users_password from users where users_username='$username'"; + $dbo = getDatabase(); + $res = $dbo->query($sql); + $pass = ""; + foreach($res as $row) { + $pass = $row["users_password"]; + } + + // TODO now do auth + $ourpass = hash('sha512', $password); + //echo "ourpass: $ourpass\nourhash: $pass\n"; + if($ourpass == $pass) { + $data_returned = true; + + } else { + $data_returned = false; + + } + + break; + case MSG_SET_USER_PASSWORD: + //echo "how on earth is that happening Call to set user pass, wtf?\n"; + // TODO + //print_r($msg); + if(!isset($msg["username"])) { + $data_returned = false; + //echo "in break 1\n"; + break; + } + if(!isset($msg["password"])) { + $data_returned = false; + //echo "in break 1\n"; + break; + } + + $username = $msg["username"]; + $password = $msg["password"]; + + //echo "would set pass for $username, to $password\n"; + if($password == "") $pass = ""; + else $pass = hash('sha512', $password); + + $dbo = getDatabase(); + //echo "in set user pass for $username, $pass\n"; + $sql = "update users set users_password='$pass' where users_username='$username'"; + + $dbo->query($sql); + + $data_returned = true; + + + // these are irrelavent yet + // TODO now set pass + break; + case MSG_SET_USER_REALNAME: + //echo "Call to set user realname\n"; + // TODO + if(!isset($msg["username"])) { + $data_returned = false; + break; + } + if(!isset($msg["realname"])) { + $data_returned = false; + break; + } + + $username = $msg["username"]; + $realname = $msg["realname"]; + $sql = "update users set users_realname='$realname' where users_username='$username'"; + $dbo = getDatabase(); + + $dbo->query($sql); + + $data_returned = true; + + // TODO now set real name + 
break; + case MSG_SET_USER_TOKEN: + // TODO + //echo "Call to set user token\n"; + if(!isset($msg["username"])) { + $data_returned = false; + break; + } + if(!isset($msg["tokenstring"])) { + $data_returned = false; + break; + } + + global $myga; + $username = $msg["username"]; + $token = $msg["tokenstring"]; + $return = $myga->setUserKey($username, $token); + $data_returned = $return; + + // TODO now set token + break; + case MSG_SET_USER_TOKEN_TYPE: + // TODO + //echo "Call to set user token type\n"; + if(!isset($msg["username"])) { + $data_returned = false; + break; + } + if(!isset($msg["tokentype"])) { + $data_returned = false; + break; + } + + $username = $msg["username"]; + $tokentype = $msg["tokentype"]; + global $myga; + $data_returned = $myga->setTokenType($username, $tokentype); + + // TODO now set token + break; + case MSG_GET_USERS: + // TODO this needs to be better + $sql = "select * from users order by users_username"; + + $dbo = getDatabase(); + $res = $dbo->query($sql); + + $users = ""; + $i = 0; + foreach($res as $row) { + $users[$i]["username"] = $row["users_username"]; + $users[$i]["realname"] = $row["users_realname"]; + if($row["users_password"]!="") { + $users[$i]["haspass"] = true; + } else { + $users[$i]["haspass"] = false; + } + //echo "user: ".$users[$i]["username"]." has tdata: \"".$row["users_tokendata"]."\"\n"; + if($row["users_tokendata"]!="") { + $users[$i]["hastoken"] = true; + } else { + $users[$i]["hastoken"] = false; + } + + if($row["users_otk"]!="") { + $users[$i]["otk"] = $row["users_otk"]; + } else { + $users[$i]["otk"] = ""; + } + $i++; + } + $data_returned = $users; + + // TODO now set token + break; + + } + + $d_comp["type"] = $msg_type; + $d_comp["data"] = $data_returned; + + $realdata_returning = "AS:".base64_encode(serialize($d_comp)).":EOD"; + + socket_send($data_socket, $realdata_returning, strlen($realdata_returning), 0); + socket_close($data_socket); + + // now our child exits? 
+ return 0; + } + // otherwise return to the accept loop + } +} + +?> diff --git a/archive/authserver_v1.0/create1000users.php b/archive/authserver_v1.0/create1000users.php new file mode 100644 index 0000000..0be09b9 --- /dev/null +++ b/archive/authserver_v1.0/create1000users.php @@ -0,0 +1,35 @@ +addUser($username); +} +?> diff --git a/archive/authserver_v1.0/lib/.gitignore b/archive/authserver_v1.0/lib/.gitignore new file mode 100644 index 0000000..571001f --- /dev/null +++ b/archive/authserver_v1.0/lib/.gitignore @@ -0,0 +1 @@ +/ga4php.php diff --git a/archive/authserver_v1.0/lib/authClient.php b/archive/authserver_v1.0/lib/authClient.php new file mode 100644 index 0000000..81143ae --- /dev/null +++ b/archive/authserver_v1.0/lib/authClient.php 
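Review bot: Every query in the message switch splices socket-supplied fields straight into SQL (`delete from radclients where rad_name='$client'`, `select users_otk from users where users_username='$username'`, the `insert into radclients ...` line and the `update users set users_password=...` line among others), and lib.php's `getData`/`putData` do the same; since the daemon already holds a PDO handle, each should become a prepared statement, e.g. `$st = $dbo->prepare('delete from radclients where rad_name = ?'); $st->execute([$client]);`. The `MSG_ADD_USER_TOKEN` branch also hands `$url`, derived from the message's username, to `system("qrencode -o ... '$url'")` without quoting, so it should be `escapeshellarg($url)` (and the otk path built from `generateRandomString()` likewise). In `MSG_AUTH_USER_PASSWORD` an unsalted `hash('sha512', $password)` is compared to the stored value with `==`, a loose comparison; the rewrite this commit announces should store `password_hash()` output and check it with `password_verify()`, or at minimum compare with `hash_equals($pass, $ourpass)`. `MSG_SYNC_TOKEN` and `MSG_GET_TOKEN_TYPE` appear to use `$myga` without the `global $myga` the sibling cases declare, unless it is declared in the garbled function head above this hunk. The enclosing function and the `switch` itself start outside the visible text at the top of the hunk.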
@@ -0,0 +1,190 @@ +sendReceive(MSG_ADD_RADIUS_CLIENT, $message); + } + + function deleteRadiusClient($clientname) { + $message["clientname"] = $clientname; + + return $this->sendReceive(MSG_REMOVE_RADIUS_CLIENT, $message); + + } + + function getRadiusClients() { + return $this->sendReceive(MSG_GET_RADIUS_CLIENTS, ""); + } + + + function syncUserToken($username, $tokenone, $tokentwo) { + $message["username"] = $username; + $message["tokenone"] = $tokenone; + $message["tokentwo"] = $tokentwo; + + return $this->sendReceive(MSG_SYNC_TOKEN, $messgae); + } + + function getUserTokenType($username) { + $message["username"] = $username; + + return $this->sendReceive(MSG_GET_TOKEN_TYPE, $message); + } + + function setUserToken($username, $token) { + $message["username"] = $username; + $message["tokenstring"] = $token; + + return $this->sendReceive(MSG_GET_USER_TOKEN, $message); + } + + function setUserPass($username, $password) { + $message["username"] = $username; + $message["password"] = $password; + + return $this->sendReceive(MSG_SET_USER_PASSWORD, $message); + } + + function getOtkID($username) { + $message["username"] = $username; + + return $this->sendReceive(MSG_GET_OTK_ID, $message); + } + + function getOtkPng($username, $otk) { + $message["otk"] = $otk; + $message["username"] = $username; + + return $this->sendReceive(MSG_GET_OTK_PNG, $message); + } + + function authUserPass($username, $password) { + $message["username"] = $username; + $message["password"] = $password; + + return $this->sendReceive(MSG_AUTH_USER_PASSWORD, $message); + } + + function deleteUser($username) { + $message["username"] = $username; + + return $this->sendReceive(MSG_DELETE_USER, $message); + } + + function setUserRealName($username, $realname) { + $message["username"] = $username; + $message["realname"] = $realname; + + return $this->sendReceive(MSG_SET_USER_REALNAME, $message); + } + + function getUsers() { + return $this->sendReceive(MSG_GET_USERS, ""); + } + + function 
authUserToken($username, $passcode) { + $message["username"] = $username; + $message["passcode"] = $passcode; + + return $this->sendReceive(MSG_AUTH_USER_TOKEN, $message); + } + + function deleteUserToken($username) { + $message["username"] = $username; + + return $this->sendReceive(MSG_DELETE_USER_TOKEN, $message); + } + + function addUser($username, $tokentype="", $hexkey="") { + $message["username"] = $username; + if($tokentype!="") $message["tokentype"] = $tokentype; + if($hexkey!="") $message["hexkey"] = $hexkey; + + return $this->sendReceive(MSG_ADD_USER_TOKEN, $message); + } + + function setUserTokenType($username, $tokentype) { + $message["username"] = $username; + $message["tokentype"] = $tokentype; + + return $this->sendReceive(MSG_SET_USER_TOKEN_TYPE, $message); + } +} + +?> diff --git a/archive/authserver_v1.0/lib/lib.php b/archive/authserver_v1.0/lib/lib.php new file mode 100644 index 0000000..6ae1d81 --- /dev/null +++ b/archive/authserver_v1.0/lib/lib.php 
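Review bot: `syncUserToken` fills `$message` but sends `$messgae`, an undefined variable, so `MSG_SYNC_TOKEN` always leaves without a username and the daemon's handler answers `false`; the last line should read `return $this->sendReceive(MSG_SYNC_TOKEN, $message);`. Likewise `setUserToken` sends `MSG_GET_USER_TOKEN`, for which no case appears in the authd.php switch, while the daemon handles `MSG_SET_USER_TOKEN`; it should be `return $this->sendReceive(MSG_SET_USER_TOKEN, $message);`. Both admin_actions.php (`customtoken`, `synctoken`) and usercmd.php (`settoken`, `synctoken`) route through these two methods, so those paths presumably never worked against this client. The class header and `sendReceive` are in the garbled part at the top of the hunk.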
@@ -0,0 +1,183 @@ +query($sql); + foreach($res as $row) { + $cname = $row["rad_name"]; + $cip = $row["rad_ip"]; + $csec = $row["rad_secret"]; + $lines = "client $cname {\nipaddr = $cip\nsecret = $csec\nrequire_message_authenticator = no\n}\n\n"; + fwrite($hand, $lines); + } + fclose($hand); + // not yet + //system($reloadinit); +} + + +function getDatabase() +{ + $dbobject = false; + global $BASE_DIR; + if(file_exists("$BASE_DIR/authserver/authd/gaasdata.sqlite")) { + try { + $dbobject = new PDO("sqlite:$BASE_DIR/authserver/authd/gaasdata.sqlite"); + } catch(PDOException $exep) { + error_log("execpt on db open"); + } + } else { + try { + $dbobject = new PDO("sqlite:$BASE_DIR/authserver/authd/gaasdata.sqlite"); + } catch(PDOException $exep) { + error_log("execpt on db open"); + } + $sql = 'CREATE TABLE "users" ("users_id" INTEGER PRIMARY KEY AUTOINCREMENT,"users_username" TEXT, "users_realname" TEXT, "users_password" TEXT, "users_tokendata" TEXT, "users_otk" TEXT);'; + $dbobject->query($sql); + $sql = 'CREATE TABLE "radclients" ("rad_id" INTEGER PRIMARY KEY AUTOINCREMENT,"rad_name" TEXT, "rad_ip" TEXT, "rad_secret" TEXT, "rad_desc" TEXT);'; + $dbobject->query($sql); + $sql = 'CREATE TABLE "hardwaretokens" ("tok_id" INTEGER PRIMARY KEY AUTOINCREMENT,"tok_name" TEXT, "tok_key" TEXT, "tok_type" TEXT);'; + $dbobject->query($sql); + } + + return $dbobject; +} + +function closeDatabase($db) { + // doesnt do anything yet +} + +class gaasGA extends GoogleAuthenticator { + function getData($username) { + //echo "called into getdata\n"; + + // get our database connection + $dbObject = getDatabase(); + + // set the sql for retreiving the data + $sql = "select users_tokendata from users where users_username='$username'"; + + // run the query + $result = $dbObject->query($sql); + + // check the result + //echo "next1\n"; + if(!$result) return false; + + // now just retreieve all the data (there should only be one, but whatever) + //echo "next2\n"; + $tokendata = false; + 
foreach($result as $row) { + $tokendata = $row["users_tokendata"]; + } + + //echo "next3, $username, $tokendata\n"; + // now we have our data, we just return it. If we got no data + // we'll just return false by default + return $tokendata; + + // and there you have it, simple eh? + } + + + function putData($username, $data) { + // get our database connection + $dbObject = getDatabase(); + + // we need to check if the user exists, and if so put the data, if not create the data + $sql = "select * from users where users_username='$username'"; + $res = $dbObject->query($sql); + if($res->fetchColumn() > 0) { + // do update + //error_log("doing userdata update"); + $sql = "update users set users_tokendata='$data' where users_username='$username'"; + } else { + // do insert + //error_log("doing user data create"); + $sql = "insert into users values (NULL, '$username', '', '', '$data', '')"; + } + + if($dbObject->query($sql)) { + return true; + } else { + return false; + } + + } + + function getUsers() { + // get our database connection + $dbObject = getDatabase(); + + // now the sql again + $sql = "select users_username from users"; + + // run the query + $result = $dbObject->query($sql); + + // iterate over the results - we expect a simple array containing + // a list of usernames + $i = 0; + $users = array(); + foreach($result as $row) { + $users[$i] = $row["username"]; + $i++; + } + + // now return the list + return $users; + } +} + +?> diff --git a/archive/authserver_v1.0/usercmd.php b/archive/authserver_v1.0/usercmd.php new file mode 100644 index 0000000..d24157e --- /dev/null +++ b/archive/authserver_v1.0/usercmd.php 
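Review bot: `gaasGA::getUsers` selects `users_username` but reads `$row["username"]`, so every element of the returned list is null; it should read `$users[$i] = $row["users_username"];`. In `getDatabase` a failed `new PDO(...)` is only logged and `$dbobject` stays `false`, after which the create-table branch calls `$dbobject->query(...)` on a boolean and the caller receives `false`; rethrow or return early there instead. The archived copy also keeps the hard-coded `$BASE_DIR/authserver/authd/gaasdata.sqlite` path (and authd.php keeps `$BASE_DIR/authserver/authd/otks`), so if anything under archive/ is ever executed it will operate on the live authserver's database and one-time-key directory rather than its own, which the new `.gitignore` entries beside it suggest was intended. `getData`/`putData` interpolate `$username` and `$data` into SQL directly and should use prepared statements as well.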
@@ -0,0 +1,171 @@ + - returns token code url\n"; + echo "\tauth: auth - returns 0/1 for pass/fail\n"; + echo "\tdelete: delete - deletes user\n"; + echo "\tauthpass: authpass - returns 0/1 for pass/fail\n"; + echo "\tsetpass: setpass - sets a password for a user (x to remove pass)\n"; + echo "\tsetname: setname - sets the real name for a user\n"; + echo "\tsettoken: settoken - sets the key (hex) for a token\n"; + echo "\tsettype: settype - sets a token type for a user\n"; + echo "\tgetusers: getusers - gets a list of users\n"; + echo "\tgetotk: getotk - gets the OTKID for a key\n"; + echo "\tradauth: radauth - for radius, only returns a code\n"; + echo "\tsynctoken: synctoken - resync's a hotp token based on two token codes\n"; + echo "\ttokentype: tokentype - gets the token type for a user\n"; + echo "\taddradclient: addradclient \"\"- adds a radius client\n"; + echo "\trmradclient: rmradclient - removes a radius client with the name \n"; + echo "\tgetradclients: getradclients - returns a list of radius clients\n"; + return 0; +} + +switch($argv[1]) { + case "rmradclient": + $msg = $myAC->deleteRadiusClient($argv[2]); + if($msg) { + echo "Successfully deleted\n"; + } + break; + case "getradclients": + $msg = $myAC->getRadiusClients(); + foreach($msg as $client) { + if($client["desc"]=="") $desc = "no description set"; + else $desc = $client["desc"]; + echo $client["name"]." 
is ".$client["ip"].", $desc\n"; + } + break; + case "addradclient": + $msg = $myAC->addRadiusClient($argv[2], $argv[3], $argv[4], $argv[5]); + if($msg === true) { + echo "Added successfully\n"; + } else if ($msg == "name") { + echo "Client with same name exists already\n"; + } else if ($msg == "ip") { + echo "Client with same IP already exists\n"; + } + break; + case "tokentype": + $msg = $myAC->getUserTokenType($argv[2]); + echo "token type: $msg\n"; + break; + case "synctoken": + if($myAC->syncUserToken($argv[2], $argv[3], $argv[4])) { + echo "Token synced\n"; + } else { + echo "Token not synced\n"; + } + break; + case "radauth": + if($myAC->authUserToken($argv[2], $argv[3])==1) { + syslog(LOG_WARNING, "Got good request for user, ".$argv[2]); + exit(0); + } else { + syslog(LOG_WARNING, "Got bad request for user, ".$argv[2]); + exit(255); + } + break; + case "getotk": + $val = $myAC->getOtkID($argv[2]); + if($val === false) { + echo "Failure\n"; + } else { + echo "$val\n"; + } + break; + case "auth": + if($myAC->authUserToken($argv[2], $argv[3])==1) { + echo "Pass!\n"; + } else { + echo "Fail!\n"; + } + break; + case "add": + $return = $myAC->addUser($argv[2]); + if($return) { + echo "Created user, ".$argv[2]."\n"; + } else { + echo "Failed to create user, ".$argv[2]."\n"; + } + + break; + case "delete": + $res = $myAC->deleteUser($argv[2]); + if($res) { + echo "Deleted\n"; + } else { + echo "Failure?\n"; + } + break; + case "authpass": + $ret = $myAC->authUserPass($argv[2], $argv[3]); + if($ret) echo "Authenticated\n"; + else echo "Failed\n"; + break; + case "setpass": + $res = $myAC->setUserPass($argv[2], $argv[3]); + if($res) echo "Password Set\n"; + else echo "Failure?\n"; + break; + case "setname": + $ret = $myAC->setUserRealName($argv[2], $argv[3]); + if($ret) echo "Real Name Set\n"; + else echo "Failure?\n"; + break; + case "settoken": + $ret = $myAC->setUserToken($argv[2], $argv[3]); + if($ret) echo "Token Set\n"; + else echo "Failure?\n"; + break; + case 
"settype": + $ret = $myAC->setUserTokenType($argv[2], $argv[3]); + if($ret) echo "Token Type Set\n"; + else echo "Failure?\n"; + break; + case "getusers": + $users = $myAC->getUsers(); + foreach($users as $user) { + if($user["realname"] != "") $realname = $user["realname"]; + else $realname = "- Not Set -"; + + if($user["haspass"]) $haspass = "Yes"; + else $haspass = "No"; + + if($user["hastoken"]) $hastoken = "Yes"; + else $hastoken = "No"; + + echo "Username: ".$user["username"]."\n"; + echo "\tReal Name: ".$realname."\n"; + echo "\tHas Password?: ".$haspass."\n"; + echo "\tHas Token?: ".$hastoken."\n\n"; + } + break; + default: + echo "See the usage...\n"; +} +?> \ No newline at end of file diff --git a/archive/authserver_v1.0/www/admin.php b/archive/authserver_v1.0/www/admin.php new file mode 100644 index 0000000..d277772 --- /dev/null +++ b/archive/authserver_v1.0/www/admin.php @@ -0,0 +1,200 @@ + +

GAAS Manager

+Welcome to the Google Authenticator Authentication Server Manager Application - Show Help
+ +".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; +} + + +if(isset($_REQUEST["showhelp"])) { + echo "
"; + ?> +On this page, you create users and manage their tokens and passwords. A few notes,
+
  • Passwords are *ONLY* for this page, if you assign a password to a user they can login here +and edit anyone, including you +
  • OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once +and once viewed is deleted. If you need a new one, you need to re-create a key. +
  • TOTP tokens are time based tokens that change every 30 seconds, HOTP tokens are event tokens +that change everytime they are used or generated +
  • In the OTK, the "Get (User URL)" link is a link you can send to a user to retrieve their key + + +

    Editing user,


    +
    +"> + + + + +
    Real Name:">
    Password:
    Confirm Password:
    + +
    +getUserTokenType($username)=="HOTP") { +?> +
    +

    Resync Tokens

    + + + +
    Token One
    Token Two
    + +
    + + +
    +

    Custom Tokens


    +For assiging in a user-created or hardware tokens.
    +If you assign a token this way, any previous token is removed and forever gone.
    +Token Key (hex)
    +Token Type +
    + +
    + +this page is for editing radius clients, it doesnt exist yet.. What you need to do is delete the client and re-add it... go back + + +

    Users

    + + +getUsers(); +foreach($users as $user) { + $username = $user["username"]; + + if($user["realname"] == "") $realname = ""; + else $realname = $user["realname"]; + + if($user["haspass"]) $haspass = "Yes Delete Password"; + else $haspass = "No"; + + if($user["otk"]=="deleted") $otk = "OTK Was Not Picked Up"; + else if($user["otk"]!="") $otk = "Get (admin)Get (User URL)"; + else $otk = "Already Claimed"; + + if($user["hastoken"]) $hastoken = "Yes Re-Create (HOTP)Re-Create (TOTP)Delete"; + else { + $hastoken = "No Create (HOTP)Create (TOTP)"; + if($user["otk"]!="deleted")$otk = "No Token Exists"; + } + + $delete = "Delete"; + + echo ""; + echo ""; + echo ""; +} +?> +
    UsernameRealNameHas Password?Has Token?One Time KeyDelete
    $username$realname$haspass$hastoken$otk$delete

    +
    Create User(s) - Enter a comma seperated list of usernames:
    + +Got One Time Key for user $username, this one-time-key can only be retrieved once, after that it is deleted
    "; + echo "\"one
    "; +} + +?> +

    Radius Clients

    + + +getRadiusClients(); +foreach($msg as $client) { + if($client["desc"]=="") $desc = "no description set"; + else $desc = $client["desc"]; + $clientname = $client["name"]; + $clientip = $client["ip"]; + echo ""; +} +?> +
    NameIP AddressDescriptionDelete
    $clientname$clientip$descDelete
    +
    +

    Add a Radius Client

    +
    + + + + + +
    Client Name
    Client IP
    Client Secret
    Client Description
    + +
    +
    Logout Home + + +

    GAAS Manager Login

    +".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; +} +?> +
    + + + + +
    Username
    Password
    +
    + \ No newline at end of file diff --git a/archive/authserver_v1.0/www/admin_actions.php b/archive/authserver_v1.0/www/admin_actions.php new file mode 100644 index 0000000..3be1ae0 --- /dev/null +++ b/archive/authserver_v1.0/www/admin_actions.php 
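Review bot: `$_REQUEST["message"]` and `$_REQUEST["error"]` are echoed into the page unescaped in both the manager view and the login view (`echo "".$_REQUEST["message"].""`), so any text placed in those query parameters is rendered as markup; wrap them as `echo htmlspecialchars($_REQUEST["message"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The user and radius-client tables interpolate `$username`, `$realname`, `$clientname`, `$clientip` and `$desc` returned by the daemon into markup the same way, and `$username` also lands in link URLs, so those need `htmlspecialchars` for the text and `urlencode` for the query-string part. The element structure of this hunk has been stripped in the rendering, so the exact tags cannot be verified here.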
@@ -0,0 +1,147 @@ +deleteRadiusClient($clientname); + header("Location: ?message=".urlencode("Client Deleted")); + exit(0); + break; + case "addradclient": + $clientname = $_REQUEST["clientname"]; + $clientip = $_REQUEST["clientip"]; + $clientsecret = $_REQUEST["clientsecret"]; + $clientdesc = $_REQUEST["clientdesc"]; + $ret = $myAC->addRadiusClient($clientname, $clientip, $clientsecret, $clientdesc); + if($ret === true) { + header("Location: ?message=".urlencode("Client Added")); + } else if ($ret == "name") { + header("Location: ?error=".urlencode("Client Name Already Existed")); + } else if ($ret == "ip") { + header("Location: ?error=".urlencode("Client IP Already Existed")); + } + exit(0); + break; + case "customtoken": + $ttype = $_REQUEST["tokentype"]; + $tkey = $_REQUEST["tokenkey"]; + $username = $_REQUEST["username"]; + $ret1 = $myAC->setUserTokenType($username, $ttype); + $ret2 = $myAC->setUserToken($username, $tkey); + error_log("got, $ret1, $ret2..."); + break; + case "synctoken": + $username = $_REQUEST["username"]; + $tokenone = $_REQUEST["tokenone"]; + $tokentwo = $_REQUEST["tokentwo"]; + $retval = $myAC->syncUserToken($username, $tokenone, $tokentwo); + error_log("retval: $retval"); + if($retval) { + header("Location: ?message=".urlencode("token synced")); + exit(0); + } else { + header("Location: ?error=".urlencode("token not synced")); + exit(0); + } + + break; + case "recreatehotptoken": + $username = $_REQUEST["username"]; + $myAC->addUser($username, "HOTP"); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "recreatetotptoken": + $username = $_REQUEST["username"]; + $myAC->addUser($username, "TOTP"); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "deletetoken": + $username = $_REQUEST["username"]; + $myAC->deleteUserToken($username); + header("Location: ?message=".urlencode("seemed to work?")); + break; + case "edituser": + $username = $_REQUEST["username"]; + 
if($_REQUEST["original_real"] != $_REQUEST["realname"]) { + $myAC->setUserRealName($username, $_REQUEST["realname"]); + } + if($_REQUEST["password"] != "") { + if($_REQUEST["password"]!=$_REQUEST["password_conf"]) { + header("Location: ?message=confirmfalse"); + } else { + $myAC->setUserPass($username, $_REQUEST["password"]); + } + } + break; + case "login": + $username = $_REQUEST["username"]; + $password = $_REQUEST["password"]; + + if($myAC->authUserPass($username, $password)) { + $_SESSION["loggedin"] = true; + $_SESSION["username"] = $username; + header("Location: admin.php"); + } else { + header("Location: admin.php?error=".urlencode("Login Failed")); + } + + exit(0); + break; + case "logout": + $_SESSION["loggedin"] = false; + $_SESSION["username"] = ""; + header("Location: admin.php"); + exit(0); + break; + case "createuser": + $username = $_REQUEST["username"]; + $users = explode(",",$username); + foreach($users as $user) { + $user = trim($user); + error_log("createing, $user\n"); + if($user != "" && strlen($user)>2) $myAC->addUser($user); + } + header("Location: admin.php"); + exit(0); + break; + case "update": + error_log("would update"); + $err = print_r($_REQUEST, true); + error_log("req: $err\n"); + $username = $_REQUEST["username"]; + if($_REQUEST["realname"]!="") { + $myAC->setUserRealName($username, $_REQUEST["realname"]); + } + if($_REQUEST["password"]!= "") { + $myAC->setUserPass($username, $_REQUEST["password"]); + } + break; + case "delete": + $username = $_REQUEST["username"]; + $myAC->deleteUser($username); + break; + case "deletepass": + $username = $_REQUEST["username"]; + $myAC->setUserPass($username, ""); + break; + case "getotkimg": + $otk = $_REQUEST["otk"]; + $username = $_REQUEST["username"]; + error_log("requesting otk, $otk"); + $otk_img = $myAC->getOtkPng($username,$otk); + header("Content-type: image/png"); + echo $otk_img; + exit(0); + break; + } +} +?> \ No newline at end of file 
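Review bot: The `login` case sets `$_SESSION["loggedin"] = true` without rotating the session id, so a session cookie planted before the admin logs in (fixation) stays valid as an admin session afterwards; add `session_regenerate_id(true);` immediately before the two `$_SESSION` assignments, and have `logout` call `session_unset(); session_destroy();` instead of only flipping the flags. Every state-changing case (`delete`, `deletepass`, `edituser`, `update`, `customtoken`, `addradclient`) reads `$_REQUEST`, so a plain GET link triggers it and nothing in the hunk checks the request method or a CSRF token; gating them with `if ($_SERVER['REQUEST_METHOD'] !== 'POST') { exit; }` plus a per-session token is the minimum. The start of the file, including whatever session check guards the switch, is not visible in this rendering, so whether unauthenticated callers can reach these cases cannot be confirmed here. The `update` case also dumps the whole request into the log via `error_log("req: $err\n")`, which includes the new password in clear; log only the username.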
diff --git a/archive/authserver_v1.0/www/index.php b/archive/authserver_v1.0/www/index.php
new file mode 100644
index 0000000..cff7fa3
--- /dev/null
+++ b/archive/authserver_v1.0/www/index.php
@@ -0,0 +1,107 @@
+getUsers();
+ $realname = "";
+ $otk = "";
+ foreach($users as $user) {
+ if($user["username"] == $username) {
+ $realname = $user["realname"];
+ $otk = $user["otk"];
+ }
+ }
+
+ if($realname == "") $realname = $username;
+ if($otk == "") {
+?>
+
+Hello , we're sorry, but your One Time Key has
    +already been picked up or you dont currently have a token. If you believe
    +this in error, please contact the site admin immediately as it could mean
    +your key has been compromised.
    + + + +Hello , we're sorry, but your One Time Key ID is not +the correct one, the URL you have been sent may be in error, please check with the site admin + + + +Hello , welcome to the One Time Key retreival site. Here is your
    +One Time Key. Do not save this anywhere as it will compromise your account
    +
  • Point your phones camera at the screen +
  • Watch the display until it locks onto the code +
  • Once the code has been scanned, the phone should return to the Google Authenticator with a 6 digit number presented, or a "get code" button.

    +
    + +Once you have the key, you may try logging into the user site here + + + +Hello , welcome to the One Time Key retreival site. Before we present
    +your key, you must have your phone ready to accept it as the key can only be presented once.
    +If your phone is not ready to accept the key, the key needs to be regenerated, so only proceed
    +if you phone is on, you have clicked on "scan account barcode" and the phone is ready to
    +scan the code.
    +
    +If you are ready to proceed, click here. + + + +

    Welcome to the GAAS User Site

    +".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; +} + +if(!$loggedin) { +?> +
    +Username:
    +Token Code:
    + +
    + + + +Welcome, you have successfully logged into the
    +user site, but there is no content here to view.
    +Later, this site will be where you might resync your
    +token or change pin codes and the like
    + + +
    Logout + + + diff --git a/archive/authserver_v1.0/www/user_actions.php b/archive/authserver_v1.0/www/user_actions.php new file mode 100644 index 0000000..28852cf --- /dev/null +++ b/archive/authserver_v1.0/www/user_actions.php @@ -0,0 +1,52 @@ +getOtkPng($username,$otkid); + header("Content-type: image/png"); + echo $otk_img; + exit(0); + break; + case "login": + error_log("being login"); + $username = $_REQUEST["username"]; + $token = $_REQUEST["tokencode"]; + + if($myAC->authUserToken($username, $token)) { + + $_SESSION["user_loggedin"] = true; + $_SESSION["username"] = $username; + header("Location: index.php"); + } else { + error_log("login failed, $username, $token"); + header("Location: index.php?error=".urlencode("Login Failed")); + } + break; + case "logout": + $_SESSION["user_loggedin"] = false; + $_SESSION["username"] = ""; + header("Location: index.php?message=".urlencode("logged out")); + exit(0); + break; + + } +} +?> diff --git a/authserver/authd/authd.php b/authserver/authd/authd.php deleted file mode 100644 index aa78a73..0000000 --- a/authserver/authd/authd.php +++ /dev/null 
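Review bot: `$_REQUEST["message"]` and `$_REQUEST["error"]` are echoed straight into the page near the end of the hunk (`echo "".$_REQUEST["error"]."";`), which is a reflected XSS on the very page a user is sent a link to in order to collect their provisioning QR code. Escape for the HTML context: `echo htmlspecialchars($_REQUEST["error"], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, and the same for `message`. The markup around these echoes has been stripped in this rendering, so the exact tag context cannot be confirmed, but the values are clearly written out unescaped. The `$username` that drives the OTK lookup appears to be interpolated into the greeting text as well and should go through the same escaping wherever it is printed.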
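Review bot: The failure branch of the `login` case writes the submitted token code to the server log (`error_log("login failed, $username, $token")`); users routinely type a password into the wrong field, and a mistyped-but-valid HOTP/TOTP code still has value within its window, so log only the username: `error_log("login failed for user " . $username);`. On success the code sets `$_SESSION["user_loggedin"] = true` and `$_SESSION["username"]` without `session_regenerate_id(true)`, leaving the session open to fixation, and it overwrites the same `$_SESSION["username"]` key that the admin login in admin_actions.php sets, so if admin.php keys on that value a user login in the same browser session could change which account the admin pages believe is acting. The success branch also does not `exit` after `header("Location: index.php")`, unlike `logout`; it falls out of the switch and any output emitted after it would be sent along with the redirect.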
@@ -1,479 +0,0 @@ -query($sql); - $clients = ""; - $i=0; - foreach($res as $row) { - // $sql = 'CREATE TABLE "radclients" ("rad_id" INTEGER PRIMARY KEY AUTOINCREMENT,"rad_name" TEXT, "rad_ip" TEXT, "rad_secret" TEXT, "rad_desc" TEXT);'; - $clients[$i]["name"] = $row["rad_name"]; - $clients[$i]["ip"] = $row["rad_ip"]; - $clients[$i]["secret"] = $row["rad_secret"]; - $clients[$i]["desc"] = $row["rad_desc"]; - $i++; - } - $data_returned = $clients; - break; - case MSG_REMOVE_RADIUS_CLIENT: - // it should send us a client by rad_name - doesnt work yet - $client = $msg["clientname"]; - $sql = "delete from radclients where rad_name='$client'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - updateRadius(); - $data_returned = true; - break; - case MSG_ADD_RADIUS_CLIENT: - //echo "in addradclient\n"; - $client = $msg["clientname"]; - $clientsecret = $msg["clientsecret"]; - $clientip = $msg["clientip"]; - $clientdesc = $msg["clientdescription"]; - $dbo = getDatabase(); - - // check for existing clients with same name - $sql = "select * from radclients where rad_name='$client'"; - //echo "doing select, $sql\n"; - $res = $dbo->query($sql); - if($res->fetchColumn() > 0) { - $data_returned = "name"; - - } else { - // check for existing clients with same ip - $sql = "select * from radclients where rad_ip='$clientip'"; - $res = $dbo->query($sql); - //echo "doing select, $sql\n"; - if($res->fetchColumn() > 0) { - $data_returned = "ip"; - - } else { - $sql = "insert into radclients values (NULL, '$client', '$clientip', '$clientsecret', '$clientdesc')"; - $res = $dbo->query($sql); - updateRadius(); - $data_returned = true; - break; - } - } - break; - case MSG_DELETE_USER_TOKEN: - $username = $msg["username"]; - - $sql = "select users_otk from users where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - $otkid = ""; - foreach($res as $row) { - $otkid = $row["users_otk"]; - } - if($otkid!="") { - global $BASE_DIR; - 
unlink("$BASE_DIR/authserver/authd/otks/$otkid.png"); - } - - $sql = "update users set users_tokendata='',users_otk='' where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - - $data_returned = true; - break; - case MSG_AUTH_USER_TOKEN: - //echo "Call to auth user token\n"; - // minimal checking, we leav it up to authenticateUser to do the real - // checking - if(!isset($msg["username"])) $msg["username"] = ""; - if(!isset($msg["passcode"])) $msg["passcode"] = ""; - $username = $msg["username"]; - $passcode = $msg["passcode"]; - global $myga; - $authval = $myga->authenticateUser($username, $passcode); - $data_returned = $authval; - break; - case MSG_GET_OTK_ID: - if(!isset($msg["username"])) { - msg_send($cl_queue, MSG_GET_OTK_ID, false); - } else { - $username = $msg["username"]; - $sql = "select users_otk from users where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - $otkid = ""; - foreach($res as $row) { - $otkid = $row["users_otk"]; - } - - if($otkid == "") { - $data_returned = false; - } else { - $data_returned = $otkid; - } - } - break; - case MSG_GET_OTK_PNG: - if(!isset($msg["otk"])) { - msg_send($cl_queue, MSG_GET_OTK_PNG, false); - } else { - $otk = $msg["otk"]; - $sql = "select users_username from users where users_otk='$otk'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - $username = ""; - foreach($res as $row) { - $username = $row["users_username"]; - } - - if($username == "") { - $data_returned = false; - - } else if($username != $msg["username"]) { - $data_returned = false; - } else { - global $BASE_DIR; - $hand = fopen("$BASE_DIR/authserver/authd/otks/$otk.png", "rb"); - $data = fread($hand, filesize("$BASE_DIR/authserver/authd/otks/$otk.png")); - fclose($hand); - unlink("$BASE_DIR/authserver/authd/otks/$otk.png"); - $sql = "update users set users_otk='' where users_username='$username'"; - $dbo->query($sql); - error_log("senting otk, fsize: 
".filesize("$BASE_DIR/authserver/authd/otks/$otk.png")." $otk "); - $data_returned = $data; - } - } - - break; - case MSG_SYNC_TOKEN: - if(!isset($msg["username"])) { - $data_returned = false; - } else { - $tokenone = $msg["tokenone"]; - $tokentwo = $msg["tokentwo"]; - - $data_returned = $myga->resyncCode($msg["username"], $tokenone, $tokentwo); - } - - break; - case MSG_GET_TOKEN_TYPE: - if(!isset($msg["username"])) { - $data_returned = false; - } else { - $data_returned = $myga->getTokenType($msg["username"]); - } - break; - case MSG_ADD_USER_TOKEN: - //echo "Call to add user token\n"; - if(!isset($msg["username"])) { - $data_returned = false; - } else { - global $BASE_DIR; - $username = $msg["username"]; - $tokentype="TOTP"; - if(isset($msg["tokentype"])) { - $tokentype=$msg["tokentype"]; - } - $hexkey = ""; - if(isset($msg["hexkey"])) { - $hexkey = $msg["hexkey"]; - } - global $myga; - $myga->setUser($username, $tokentype, "", $hexkey); - - $url = $myga->createUrl($username); - //echo "Url was: $url\n"; - if(!file_exists("$BASE_DIR/authserver/authd/otks")) mkdir("$BASE_DIR/authserver/authd/otks"); - $otk = generateRandomString(); - system("qrencode -o $BASE_DIR/authserver/authd/otks/$otk.png '$url'"); - - $sql = "update users set users_otk='$otk' where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - - $data_returned = true; - } - break; - case MSG_DELETE_USER: - //echo "Call to del user\n"; - if(!isset($msg["username"])) { - $data_returned = false; - } else { - $username = $msg["username"]; - global $myga; - - $sql = "select users_otk from users where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - $otkid = ""; - foreach($res as $row) { - $otkid = $row["users_otk"]; - } - if($otkid!="") { - unlink("otks/$otkid.png"); - } - - - $sql = "delete from users where users_username='$username'"; - $dbo = getDatabase(); - $dbo->query($sql); - - $data_returned = true; - } - break; - case 
MSG_AUTH_USER_PASSWORD: - // TODO - //echo "Call to auth user pass\n"; - if(!isset($msg["username"])) { - $data_returned = false; - break; - } - if(!isset($msg["password"])) { - $data_returned = false; - break; - } - - $username = $msg["username"]; - $password = $msg["password"]; - $sql = "select users_password from users where users_username='$username'"; - $dbo = getDatabase(); - $res = $dbo->query($sql); - $pass = ""; - foreach($res as $row) { - $pass = $row["users_password"]; - } - - // TODO now do auth - $ourpass = hash('sha512', $password); - //echo "ourpass: $ourpass\nourhash: $pass\n"; - if($ourpass == $pass) { - $data_returned = true; - - } else { - $data_returned = false; - - } - - break; - case MSG_SET_USER_PASSWORD: - //echo "how on earth is that happening Call to set user pass, wtf?\n"; - // TODO - //print_r($msg); - if(!isset($msg["username"])) { - $data_returned = false; - //echo "in break 1\n"; - break; - } - if(!isset($msg["password"])) { - $data_returned = false; - //echo "in break 1\n"; - break; - } - - $username = $msg["username"]; - $password = $msg["password"]; - - //echo "would set pass for $username, to $password\n"; - if($password == "") $pass = ""; - else $pass = hash('sha512', $password); - - $dbo = getDatabase(); - //echo "in set user pass for $username, $pass\n"; - $sql = "update users set users_password='$pass' where users_username='$username'"; - - $dbo->query($sql); - - $data_returned = true; - - - // these are irrelavent yet - // TODO now set pass - break; - case MSG_SET_USER_REALNAME: - //echo "Call to set user realname\n"; - // TODO - if(!isset($msg["username"])) { - $data_returned = false; - break; - } - if(!isset($msg["realname"])) { - $data_returned = false; - break; - } - - $username = $msg["username"]; - $realname = $msg["realname"]; - $sql = "update users set users_realname='$realname' where users_username='$username'"; - $dbo = getDatabase(); - - $dbo->query($sql); - - $data_returned = true; - - // TODO now set real name - 
break; - case MSG_SET_USER_TOKEN: - // TODO - //echo "Call to set user token\n"; - if(!isset($msg["username"])) { - $data_returned = false; - break; - } - if(!isset($msg["tokenstring"])) { - $data_returned = false; - break; - } - - global $myga; - $username = $msg["username"]; - $token = $msg["tokenstring"]; - $return = $myga->setUserKey($username, $token); - $data_returned = $return; - - // TODO now set token - break; - case MSG_SET_USER_TOKEN_TYPE: - // TODO - //echo "Call to set user token type\n"; - if(!isset($msg["username"])) { - $data_returned = false; - break; - } - if(!isset($msg["tokentype"])) { - $data_returned = false; - break; - } - - $username = $msg["username"]; - $tokentype = $msg["tokentype"]; - global $myga; - $data_returned = $myga->setTokenType($username, $tokentype); - - // TODO now set token - break; - case MSG_GET_USERS: - // TODO this needs to be better - $sql = "select * from users order by users_username"; - - $dbo = getDatabase(); - $res = $dbo->query($sql); - - $users = ""; - $i = 0; - foreach($res as $row) { - $users[$i]["username"] = $row["users_username"]; - $users[$i]["realname"] = $row["users_realname"]; - if($row["users_password"]!="") { - $users[$i]["haspass"] = true; - } else { - $users[$i]["haspass"] = false; - } - //echo "user: ".$users[$i]["username"]." has tdata: \"".$row["users_tokendata"]."\"\n"; - if($row["users_tokendata"]!="") { - $users[$i]["hastoken"] = true; - } else { - $users[$i]["hastoken"] = false; - } - - if($row["users_otk"]!="") { - $users[$i]["otk"] = $row["users_otk"]; - } else { - $users[$i]["otk"] = ""; - } - $i++; - } - $data_returned = $users; - - // TODO now set token - break; - - } - - $d_comp["type"] = $msg_type; - $d_comp["data"] = $data_returned; - - $realdata_returning = "AS:".base64_encode(serialize($d_comp)).":EOD"; - - socket_send($data_socket, $realdata_returning, strlen($realdata_returning), 0); - socket_close($data_socket); - - // now our child exits? 
- return 0; - } - // otherwise return to the accept loop - } -} - -?> diff --git a/authserver/create1000users.php b/authserver/create1000users.php deleted file mode 100644 index 0be09b9..0000000 --- a/authserver/create1000users.php +++ /dev/null @@ -1,35 +0,0 @@ -addUser($username); -} -?> diff --git a/authserver/lib/.gitignore b/authserver/lib/.gitignore deleted file mode 100644 index 571001f..0000000 --- a/authserver/lib/.gitignore +++ /dev/null @@ -1 +0,0 @@ -/ga4php.php diff --git a/authserver/lib/authClient.php b/authserver/lib/authClient.php deleted file mode 100644 index 81143ae..0000000 --- a/authserver/lib/authClient.php +++ /dev/null 
@@ -1,190 +0,0 @@ -sendReceive(MSG_ADD_RADIUS_CLIENT, $message); - } - - function deleteRadiusClient($clientname) { - $message["clientname"] = $clientname; - - return $this->sendReceive(MSG_REMOVE_RADIUS_CLIENT, $message); - - } - - function getRadiusClients() { - return $this->sendReceive(MSG_GET_RADIUS_CLIENTS, ""); - } - - - function syncUserToken($username, $tokenone, $tokentwo) { - $message["username"] = $username; - $message["tokenone"] = $tokenone; - $message["tokentwo"] = $tokentwo; - - return $this->sendReceive(MSG_SYNC_TOKEN, $messgae); - } - - function getUserTokenType($username) { - $message["username"] = $username; - - return $this->sendReceive(MSG_GET_TOKEN_TYPE, $message); - } - - function setUserToken($username, $token) { - $message["username"] = $username; - $message["tokenstring"] = $token; - - return $this->sendReceive(MSG_GET_USER_TOKEN, $message); - } - - function setUserPass($username, $password) { - $message["username"] = $username; - $message["password"] = $password; - - return $this->sendReceive(MSG_SET_USER_PASSWORD, $message); - } - - function getOtkID($username) { - $message["username"] = $username; - - return $this->sendReceive(MSG_GET_OTK_ID, $message); - } - - function getOtkPng($username, $otk) { - $message["otk"] = $otk; - $message["username"] = $username; - - return $this->sendReceive(MSG_GET_OTK_PNG, $message); - } - - function authUserPass($username, $password) { - $message["username"] = $username; - $message["password"] = $password; - - return $this->sendReceive(MSG_AUTH_USER_PASSWORD, $message); - } - - function deleteUser($username) { - $message["username"] = $username; - - return $this->sendReceive(MSG_DELETE_USER, $message); - } - - function setUserRealName($username, $realname) { - $message["username"] = $username; - $message["realname"] = $realname; - - return $this->sendReceive(MSG_SET_USER_REALNAME, $message); - } - - function getUsers() { - return $this->sendReceive(MSG_GET_USERS, ""); - } - - function 
authUserToken($username, $passcode) { - $message["username"] = $username; - $message["passcode"] = $passcode; - - return $this->sendReceive(MSG_AUTH_USER_TOKEN, $message); - } - - function deleteUserToken($username) { - $message["username"] = $username; - - return $this->sendReceive(MSG_DELETE_USER_TOKEN, $message); - } - - function addUser($username, $tokentype="", $hexkey="") { - $message["username"] = $username; - if($tokentype!="") $message["tokentype"] = $tokentype; - if($hexkey!="") $message["hexkey"] = $hexkey; - - return $this->sendReceive(MSG_ADD_USER_TOKEN, $message); - } - - function setUserTokenType($username, $tokentype) { - $message["username"] = $username; - $message["tokentype"] = $tokentype; - - return $this->sendReceive(MSG_SET_USER_TOKEN_TYPE, $message); - } -} - -?> diff --git a/authserver/lib/lib.php b/authserver/lib/lib.php deleted file mode 100644 index 6ae1d81..0000000 --- a/authserver/lib/lib.php +++ /dev/null 
@@ -1,183 +0,0 @@ -query($sql); - foreach($res as $row) { - $cname = $row["rad_name"]; - $cip = $row["rad_ip"]; - $csec = $row["rad_secret"]; - $lines = "client $cname {\nipaddr = $cip\nsecret = $csec\nrequire_message_authenticator = no\n}\n\n"; - fwrite($hand, $lines); - } - fclose($hand); - // not yet - //system($reloadinit); -} - - -function getDatabase() -{ - $dbobject = false; - global $BASE_DIR; - if(file_exists("$BASE_DIR/authserver/authd/gaasdata.sqlite")) { - try { - $dbobject = new PDO("sqlite:$BASE_DIR/authserver/authd/gaasdata.sqlite"); - } catch(PDOException $exep) { - error_log("execpt on db open"); - } - } else { - try { - $dbobject = new PDO("sqlite:$BASE_DIR/authserver/authd/gaasdata.sqlite"); - } catch(PDOException $exep) { - error_log("execpt on db open"); - } - $sql = 'CREATE TABLE "users" ("users_id" INTEGER PRIMARY KEY AUTOINCREMENT,"users_username" TEXT, "users_realname" TEXT, "users_password" TEXT, "users_tokendata" TEXT, "users_otk" TEXT);'; - $dbobject->query($sql); - $sql = 'CREATE TABLE "radclients" ("rad_id" INTEGER PRIMARY KEY AUTOINCREMENT,"rad_name" TEXT, "rad_ip" TEXT, "rad_secret" TEXT, "rad_desc" TEXT);'; - $dbobject->query($sql); - $sql = 'CREATE TABLE "hardwaretokens" ("tok_id" INTEGER PRIMARY KEY AUTOINCREMENT,"tok_name" TEXT, "tok_key" TEXT, "tok_type" TEXT);'; - $dbobject->query($sql); - } - - return $dbobject; -} - -function closeDatabase($db) { - // doesnt do anything yet -} - -class gaasGA extends GoogleAuthenticator { - function getData($username) { - //echo "called into getdata\n"; - - // get our database connection - $dbObject = getDatabase(); - - // set the sql for retreiving the data - $sql = "select users_tokendata from users where users_username='$username'"; - - // run the query - $result = $dbObject->query($sql); - - // check the result - //echo "next1\n"; - if(!$result) return false; - - // now just retreieve all the data (there should only be one, but whatever) - //echo "next2\n"; - $tokendata = false; - 
foreach($result as $row) { - $tokendata = $row["users_tokendata"]; - } - - //echo "next3, $username, $tokendata\n"; - // now we have our data, we just return it. If we got no data - // we'll just return false by default - return $tokendata; - - // and there you have it, simple eh? - } - - - function putData($username, $data) { - // get our database connection - $dbObject = getDatabase(); - - // we need to check if the user exists, and if so put the data, if not create the data - $sql = "select * from users where users_username='$username'"; - $res = $dbObject->query($sql); - if($res->fetchColumn() > 0) { - // do update - //error_log("doing userdata update"); - $sql = "update users set users_tokendata='$data' where users_username='$username'"; - } else { - // do insert - //error_log("doing user data create"); - $sql = "insert into users values (NULL, '$username', '', '', '$data', '')"; - } - - if($dbObject->query($sql)) { - return true; - } else { - return false; - } - - } - - function getUsers() { - // get our database connection - $dbObject = getDatabase(); - - // now the sql again - $sql = "select users_username from users"; - - // run the query - $result = $dbObject->query($sql); - - // iterate over the results - we expect a simple array containing - // a list of usernames - $i = 0; - $users = array(); - foreach($result as $row) { - $users[$i] = $row["username"]; - $i++; - } - - // now return the list - return $users; - } -} - -?> diff --git a/authserver/usercmd.php b/authserver/usercmd.php deleted file mode 100644 index d24157e..0000000 --- a/authserver/usercmd.php +++ /dev/null 
@@ -1,171 +0,0 @@ - - returns token code url\n"; - echo "\tauth: auth - returns 0/1 for pass/fail\n"; - echo "\tdelete: delete - deletes user\n"; - echo "\tauthpass: authpass - returns 0/1 for pass/fail\n"; - echo "\tsetpass: setpass - sets a password for a user (x to remove pass)\n"; - echo "\tsetname: setname - sets the real name for a user\n"; - echo "\tsettoken: settoken - sets the key (hex) for a token\n"; - echo "\tsettype: settype - sets a token type for a user\n"; - echo "\tgetusers: getusers - gets a list of users\n"; - echo "\tgetotk: getotk - gets the OTKID for a key\n"; - echo "\tradauth: radauth - for radius, only returns a code\n"; - echo "\tsynctoken: synctoken - resync's a hotp token based on two token codes\n"; - echo "\ttokentype: tokentype - gets the token type for a user\n"; - echo "\taddradclient: addradclient \"\"- adds a radius client\n"; - echo "\trmradclient: rmradclient - removes a radius client with the name \n"; - echo "\tgetradclients: getradclients - returns a list of radius clients\n"; - return 0; -} - -switch($argv[1]) { - case "rmradclient": - $msg = $myAC->deleteRadiusClient($argv[2]); - if($msg) { - echo "Successfully deleted\n"; - } - break; - case "getradclients": - $msg = $myAC->getRadiusClients(); - foreach($msg as $client) { - if($client["desc"]=="") $desc = "no description set"; - else $desc = $client["desc"]; - echo $client["name"]." 
is ".$client["ip"].", $desc\n"; - } - break; - case "addradclient": - $msg = $myAC->addRadiusClient($argv[2], $argv[3], $argv[4], $argv[5]); - if($msg === true) { - echo "Added successfully\n"; - } else if ($msg == "name") { - echo "Client with same name exists already\n"; - } else if ($msg == "ip") { - echo "Client with same IP already exists\n"; - } - break; - case "tokentype": - $msg = $myAC->getUserTokenType($argv[2]); - echo "token type: $msg\n"; - break; - case "synctoken": - if($myAC->syncUserToken($argv[2], $argv[3], $argv[4])) { - echo "Token synced\n"; - } else { - echo "Token not synced\n"; - } - break; - case "radauth": - if($myAC->authUserToken($argv[2], $argv[3])==1) { - syslog(LOG_WARNING, "Got good request for user, ".$argv[2]); - exit(0); - } else { - syslog(LOG_WARNING, "Got bad request for user, ".$argv[2]); - exit(255); - } - break; - case "getotk": - $val = $myAC->getOtkID($argv[2]); - if($val === false) { - echo "Failure\n"; - } else { - echo "$val\n"; - } - break; - case "auth": - if($myAC->authUserToken($argv[2], $argv[3])==1) { - echo "Pass!\n"; - } else { - echo "Fail!\n"; - } - break; - case "add": - $return = $myAC->addUser($argv[2]); - if($return) { - echo "Created user, ".$argv[2]."\n"; - } else { - echo "Failed to create user, ".$argv[2]."\n"; - } - - break; - case "delete": - $res = $myAC->deleteUser($argv[2]); - if($res) { - echo "Deleted\n"; - } else { - echo "Failure?\n"; - } - break; - case "authpass": - $ret = $myAC->authUserPass($argv[2], $argv[3]); - if($ret) echo "Authenticated\n"; - else echo "Failed\n"; - break; - case "setpass": - $res = $myAC->setUserPass($argv[2], $argv[3]); - if($res) echo "Password Set\n"; - else echo "Failure?\n"; - break; - case "setname": - $ret = $myAC->setUserRealName($argv[2], $argv[3]); - if($ret) echo "Real Name Set\n"; - else echo "Failure?\n"; - break; - case "settoken": - $ret = $myAC->setUserToken($argv[2], $argv[3]); - if($ret) echo "Token Set\n"; - else echo "Failure?\n"; - break; - case 
"settype": - $ret = $myAC->setUserTokenType($argv[2], $argv[3]); - if($ret) echo "Token Type Set\n"; - else echo "Failure?\n"; - break; - case "getusers": - $users = $myAC->getUsers(); - foreach($users as $user) { - if($user["realname"] != "") $realname = $user["realname"]; - else $realname = "- Not Set -"; - - if($user["haspass"]) $haspass = "Yes"; - else $haspass = "No"; - - if($user["hastoken"]) $hastoken = "Yes"; - else $hastoken = "No"; - - echo "Username: ".$user["username"]."\n"; - echo "\tReal Name: ".$realname."\n"; - echo "\tHas Password?: ".$haspass."\n"; - echo "\tHas Token?: ".$hastoken."\n\n"; - } - break; - default: - echo "See the usage...\n"; -} -?> \ No newline at end of file diff --git a/authserver/www/admin.php b/authserver/www/admin.php deleted file mode 100644 index d277772..0000000 --- a/authserver/www/admin.php +++ /dev/null @@ -1,200 +0,0 @@ - -

    GAAS Manager

    -Welcome to the Google Authenticator Authentication Server Manager Application - Show Help
    - -".$_REQUEST["message"].""; -} -if(isset($_REQUEST["error"])) { - echo "".$_REQUEST["error"].""; -} - - -if(isset($_REQUEST["showhelp"])) { - echo "
    "; - ?> -On this page, you create users and manage their tokens and passwords. A few notes,
    -
  • Passwords are *ONLY* for this page, if you assign a password to a user they can login here -and edit anyone, including you -
  • OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once -and once viewed is deleted. If you need a new one, you need to re-create a key. -
  • TOTP tokens are time based tokens that change every 30 seconds, HOTP tokens are event tokens -that change everytime they are used or generated -
  • In the OTK, the "Get (User URL)" link is a link you can send to a user to retrieve their key - - -

    Editing user,


    -
    -"> - - - - -
    Real Name:">
    Password:
    Confirm Password:
    - -
    -getUserTokenType($username)=="HOTP") { -?> -
    -

    Resync Tokens

    - - - -
    Token One
    Token Two
    - -
    - - -
    -

    Custom Tokens


    -For assiging in a user-created or hardware tokens.
    -If you assign a token this way, any previous token is removed and forever gone.
    -Token Key (hex)
    -Token Type -
    - -
    - -this page is for editing radius clients, it doesnt exist yet.. What you need to do is delete the client and re-add it... go back - - -

    Users

    - - -getUsers(); -foreach($users as $user) { - $username = $user["username"]; - - if($user["realname"] == "") $realname = ""; - else $realname = $user["realname"]; - - if($user["haspass"]) $haspass = "Yes Delete Password"; - else $haspass = "No"; - - if($user["otk"]=="deleted") $otk = "OTK Was Not Picked Up"; - else if($user["otk"]!="") $otk = "Get (admin)Get (User URL)"; - else $otk = "Already Claimed"; - - if($user["hastoken"]) $hastoken = "Yes Re-Create (HOTP)Re-Create (TOTP)Delete"; - else { - $hastoken = "No Create (HOTP)Create (TOTP)"; - if($user["otk"]!="deleted")$otk = "No Token Exists"; - } - - $delete = "Delete"; - - echo ""; - echo ""; - echo ""; -} -?> -
    UsernameRealNameHas Password?Has Token?One Time KeyDelete
    $username$realname$haspass$hastoken$otk$delete

    -
    Create User(s) - Enter a comma seperated list of usernames:
    - -Got One Time Key for user $username, this one-time-key can only be retrieved once, after that it is deleted
    "; - echo "\"one
    "; -} - -?> -

    Radius Clients

    - - -getRadiusClients(); -foreach($msg as $client) { - if($client["desc"]=="") $desc = "no description set"; - else $desc = $client["desc"]; - $clientname = $client["name"]; - $clientip = $client["ip"]; - echo ""; -} -?> -
    NameIP AddressDescriptionDelete
    $clientname$clientip$descDelete
    -
    -

    Add a Radius Client

    -
    - - - - - -
    Client Name
    Client IP
    Client Secret
    Client Description
    - -
    -
    Logout Home - - -

    GAAS Manager Login

    -".$_REQUEST["message"].""; -} -if(isset($_REQUEST["error"])) { - echo "".$_REQUEST["error"].""; -} -?> -
    - - - - -
    Username
    Password
    -
    - 
\ No newline at end of file
diff --git a/authserver/www/admin_actions.php b/authserver/www/admin_actions.php
deleted file mode 100644
index 3be1ae0..0000000
--- a/authserver/www/admin_actions.php
+++ /dev/null
@@ -1,147 +0,0 @@ -deleteRadiusClient($clientname); - header("Location: ?message=".urlencode("Client Deleted")); - exit(0); - break; - case "addradclient": - $clientname = $_REQUEST["clientname"]; - $clientip = $_REQUEST["clientip"]; - $clientsecret = $_REQUEST["clientsecret"]; - $clientdesc = $_REQUEST["clientdesc"]; - $ret = $myAC->addRadiusClient($clientname, $clientip, $clientsecret, $clientdesc); - if($ret === true) { - header("Location: ?message=".urlencode("Client Added")); - } else if ($ret == "name") { - header("Location: ?error=".urlencode("Client Name Already Existed")); - } else if ($ret == "ip") { - header("Location: ?error=".urlencode("Client IP Already Existed")); - } - exit(0); - break; - case "customtoken": - $ttype = $_REQUEST["tokentype"]; - $tkey = $_REQUEST["tokenkey"]; - $username = $_REQUEST["username"]; - $ret1 = $myAC->setUserTokenType($username, $ttype); - $ret2 = $myAC->setUserToken($username, $tkey); - error_log("got, $ret1, $ret2..."); - break; - case "synctoken": - $username = $_REQUEST["username"]; - $tokenone = $_REQUEST["tokenone"]; - $tokentwo = $_REQUEST["tokentwo"]; - $retval = $myAC->syncUserToken($username, $tokenone, $tokentwo); - error_log("retval: $retval"); - if($retval) { - header("Location: ?message=".urlencode("token synced")); - exit(0); - } else { - header("Location: ?error=".urlencode("token not synced")); - exit(0); - } - - break; - case "recreatehotptoken": - $username = $_REQUEST["username"]; - $myAC->addUser($username, "HOTP"); - header("Location: ?message=".urlencode("seemed to work?")); - break; - case "recreatetotptoken": - $username = $_REQUEST["username"]; - $myAC->addUser($username, "TOTP"); - header("Location: ?message=".urlencode("seemed to work?")); - break; - case "deletetoken": - $username = $_REQUEST["username"]; - $myAC->deleteUserToken($username); - header("Location: ?message=".urlencode("seemed to work?")); - break; - case "edituser": - $username = $_REQUEST["username"]; - 
if($_REQUEST["original_real"] != $_REQUEST["realname"]) { - $myAC->setUserRealName($username, $_REQUEST["realname"]); - } - if($_REQUEST["password"] != "") { - if($_REQUEST["password"]!=$_REQUEST["password_conf"]) { - header("Location: ?message=confirmfalse"); - } else { - $myAC->setUserPass($username, $_REQUEST["password"]); - } - } - break; - case "login": - $username = $_REQUEST["username"]; - $password = $_REQUEST["password"]; - - if($myAC->authUserPass($username, $password)) { - $_SESSION["loggedin"] = true; - $_SESSION["username"] = $username; - header("Location: admin.php"); - } else { - header("Location: admin.php?error=".urlencode("Login Failed")); - } - - exit(0); - break; - case "logout": - $_SESSION["loggedin"] = false; - $_SESSION["username"] = ""; - header("Location: admin.php"); - exit(0); - break; - case "createuser": - $username = $_REQUEST["username"]; - $users = explode(",",$username); - foreach($users as $user) { - $user = trim($user); - error_log("createing, $user\n"); - if($user != "" && strlen($user)>2) $myAC->addUser($user); - } - header("Location: admin.php"); - exit(0); - break; - case "update": - error_log("would update"); - $err = print_r($_REQUEST, true); - error_log("req: $err\n"); - $username = $_REQUEST["username"]; - if($_REQUEST["realname"]!="") { - $myAC->setUserRealName($username, $_REQUEST["realname"]); - } - if($_REQUEST["password"]!= "") { - $myAC->setUserPass($username, $_REQUEST["password"]); - } - break; - case "delete": - $username = $_REQUEST["username"]; - $myAC->deleteUser($username); - break; - case "deletepass": - $username = $_REQUEST["username"]; - $myAC->setUserPass($username, ""); - break; - case "getotkimg": - $otk = $_REQUEST["otk"]; - $username = $_REQUEST["username"]; - error_log("requesting otk, $otk"); - $otk_img = $myAC->getOtkPng($username,$otk); - header("Content-type: image/png"); - echo $otk_img; - exit(0); - break; - } -} -?> \ No newline at end of file 
    diff --git a/authserver/www/index.php b/authserver/www/index.php
deleted file mode 100644
index cff7fa3..0000000
--- a/authserver/www/index.php
+++ /dev/null
@@ -1,107 +0,0 @@
-getUsers(); - $realname = ""; - $otk = ""; - foreach($users as $user) { - if($user["username"] == $username) { - $realname = $user["realname"]; - $otk = $user["otk"]; - } - } - - if($realname == "") $realname = $username; - if($otk == "") { -?> - -Hello , we're sorry, but your One Time Key has
    -already been picked up or you dont currently have a token. If you believe
    -this in error, please contact the site admin immediately as it could mean
    -your key has been compromised.
    - - - -Hello , we're sorry, but your One Time Key ID is not -the correct one, the URL you have been sent may be in error, please check with the site admin - - - -Hello , welcome to the One Time Key retreival site. Here is your
    -One Time Key. Do not save this anywhere as it will compromise your account
    -
  • Point your phones camera at the screen -
  • Watch the display until it locks onto the code -
  • Once the code has been scanned, the phone should return to the Google Authenticator with a 6 digit number presented, or a "get code" button.

    -
    - -Once you have the key, you may try logging into the user site here - - - -Hello , welcome to the One Time Key retreival site. Before we present
    -your key, you must have your phone ready to accept it as the key can only be presented once.
    -If your phone is not ready to accept the key, the key needs to be regenerated, so only proceed
    -if you phone is on, you have clicked on "scan account barcode" and the phone is ready to
    -scan the code.
    -
    -If you are ready to proceed, click here. - - - -

    Welcome to the GAAS User Site

    -".$_REQUEST["message"].""; -} -if(isset($_REQUEST["error"])) { - echo "".$_REQUEST["error"].""; -} - -if(!$loggedin) { -?> -
    -Username:
    -Token Code:
    - -
    - - - -Welcome, you have successfully logged into the
    -user site, but there is no content here to view.
    -Later, this site will be where you might resync your
    -token or change pin codes and the like
    - - -
    Logout - - -
diff --git a/authserver/www/user_actions.php b/authserver/www/user_actions.php
deleted file mode 100644
index 28852cf..0000000
--- a/authserver/www/user_actions.php
+++ /dev/null
@@ -1,52 +0,0 @@
-getOtkPng($username,$otkid); - header("Content-type: image/png"); - echo $otk_img; - exit(0); - break; - case "login": - error_log("being login"); - $username = $_REQUEST["username"]; - $token = $_REQUEST["tokencode"]; - - if($myAC->authUserToken($username, $token)) { - - $_SESSION["user_loggedin"] = true; - $_SESSION["username"] = $username; - header("Location: index.php"); - } else { - error_log("login failed, $username, $token"); - header("Location: index.php?error=".urlencode("Login Failed")); - } - break; - case "logout": - $_SESSION["user_loggedin"] = false; - $_SESSION["username"] = ""; - header("Location: index.php?message=".urlencode("logged out")); - exit(0); - break; - - } -} -?> -- 1.7.0.4