gaas/lib/gaasdMessages.php

   1 <?php
   2
   3 // this file defines all the messages used by gaaasd
   4
   5 // there are only really two status messages at this point - "init" meaning we have no been defined yet
   6 // and "running" meaning we have been defined
   7 function gaasStatus_server($messages)
   8 {
   9         global $initState, $backEnd;
  10
  11         $return = "init";
  12         if($initState != false && $backEnd != "") {
  13                 $return = "running";
  14                 $be = confGetVal("backend");
  15                 if($be == "AD") {
  16                         $dom = confGetVal("ad.domain");
  17                         $user = confGetVal("ad.user");
  18                         $client = confGetVal("ad.clientdef");
  19                         $admin = confGetVal("ad.admindef");
  20                         $return .= " - AD integrated to $dom, GAASD Username: $user, Clients Group: $client, Admins Group: $admin";
  21                 } else {
  22                         $return .= " - internal database";
  23                 }
  24
  25         }
  26
  27
  28
  29         return $return;
  30 }
  31
  32
  33 function gaasInitServer_server($msg)
  34 {
  35         global $initState, $backEnd;
  36
  37         error_log("Init server called\n");
  38         // here we "init" the server, if we're ad, we attempt to connect to AD and if it all works
  39         // we then create the db
  40         // $m["backend"] = "AD|IN";
  41         // AD expects:
  42         // $m["domain"] = "somedomain.com";
  43         // $m["user"] = "someuser";
  44         // $m["pass"] = "somepassword";
  45         // $m["userdef"] = "user definition paramaters";
  46         // IN expects
  47         // $m["user"] = "someuser";
  48         // $m["pass"] = "somepass";
  49         echo "initstate is $initState";
  50         if($initState) {
  51                 echo "true\n";
  52         } else {
  53                 echo "false\n";
  54         }
  55         if($initState) {
  56                 error_log("init server called when server already init'd\n");
  57                 return false;
  58         }
  59
  60         if($msg["backend"] == "AD") {
  61                 $backEnd = "AD";
  62                 // attempt connect to AD, verify creds
  63                 $addom = $msg["domain"];
  64                 $adlogin = $msg["user"];
  65                 $adpass = $msg["pass"];
  66                 $adclientdef = $msg["clientdef"];
  67                 $adadmindef = $msg["admindef"];
  68
  69                 // now wee test our logins...
  70                 // first look up the domain name stuff
  71                 $servers = dns_get_record("_gc._tcp.$addom");
  72                 if(count($servers)<1) {
  73                         echo "AD servers cant be found, fail!\n";
  74                 }
  75
  76                 // we should check all servers, but lets just go with 0 for now
  77                 $res =  adTestLogin($addom, $adlogin, $adpass);
  78                 if(!$res) {
  79                         return false;
  80                 }
  81
  82
  83                 // then
  84                 createDB();
  85                 confSetVal("ad.domain", $addom);
  86                 confSetVal("ad.user", $adlogin);
  87                 confSetVal("ad.pass", $adpass);
  88                 confSetVal("ad.encryptionkey", generateHexString(32));
  89                 confSetVal("ad.clientdef", $adclientdef);
  90                 confSetVal("ad.admindef", $adadmindef);
  91                 confSetVal("backend", "AD");
  92                 confSetVal("defaulttokentype", "TOTP");
  93
  94                 $initState = true;
  95                 $backEnd = "AD";
  96
  97                 // and that should be it... i think cept im in a forked erg.. lets assume it works, need pain i do not.
  98                 return true;
  99         } else if($msg["backend"] == "IN") {
 100                 // this ones simpler
 101                 $backEnd = "IN";
 102                 createDB();
 103
 104                 // create the user in the db
 105                 $username = $msg["user"];
 106                 $password = $msg["pass"];
 107
 108                 $myga = new gaasdGA();
 109                 $myga->setUser($username);
 110
 111                 if($password == "") $pass = "";
 112                 else $pass = hash('sha512', $password);
 113
 114                 $db = getDB();
 115                 $db->query($sql = "update users set users_password='$pass' where users_username='$username'");
 116
 117                 $initState = "running";
 118                 return true;
 119         } else {
 120                 return false;
 121         }
 122 }
 123
 124
 125 function gaasSetADLogin_server($msg)
 126 {
 127         global $initState, $backEnd;
 128
 129         if($initState != "running") {
 130                 return "not in running init state";
 131         }
 132
 133         if($backEnd != "AD") {
 134                 return "not setup as AD client";
 135         }
 136
 137         $addom = $msg["domain"];
 138         $adlogin = $msg["user"];
 139         $adpass = $msg["pass"];
 140
 141         $res = adTestLogin($addmo, $adlogin, $adpass);
 142         if($res != 0) {
 143                 return "not able to connect to AD with given cred's";
 144         }
 145
 146         confSetVal("ad.domain", $addom);
 147         confSetVal("ad.user", $adlogin);
 148         confSetVal("ad.pass", $adpass);
 149
 150         return true;
 151
 152 }
 153
 154 function gaasSetAdminGroup_server($msg)
 155 {
 156         if(confGetVal("backend") == "AD") {
 157                 confSetVal("ad.admindef", $msg["admingroup"]);
 158         } else return false;
 159
 160         return true;
 161 }
 162
 163 function gaasSetClientGroup_server($msg)
 164 {
 165         if(confGetVal("backend") == "AD") {
 166                 confSetVal("ad.clientdef", $msg["clientgroup"]);
 167         } else return false;
 168
 169         return true;
 170 }
 171
 172 function gaasProvisionUser_server($msg)
 173 {
 174
 175         // function userInGroup($user, $domain, $adlogin, $adpass, $group)
 176         echo "in provision user\n";
 177         print_r($msg);
 178         $dttype = confGetVal("defaulttokentype");
 179         if($dttype != "HOTP" && $dttype != "TOTP") {
 180                 echo "default token type not set, setting to TOTP\n";
 181                 confSetVal("defaulttokentype", "TOTP");
 182                 $dttype = "TOTP";
 183         }
 184         if($msg["tokentype"] == "") {
 185                 $ttype = confGetVal("defaulttokentype");
 186         } else {
 187                 $ttype = $msg["tokentype"];
 188         }
 189         if($ttype != "HOTP" && $ttype != "TOTP") {
 190                 echo "using default token type, $dttype because user entered value of $ttype doesnt make sense\n";
 191                 $ttype = $dttype;
 192         }
 193         $tkey = $msg["tokenkey"];
 194         if(confGetVal("backend") == "AD") {
 195                 if(userInGroup($msg["username"], confGetVal("ad.domain"), confGetVal("ad.user"), confGetVal("ad.pass"), confGetVal("ad.clientdef"))) {
 196                         $myga = new gaasdGA();
 197
 198                         // TODO - figure out how to deal with the token origin - i.e. software/hardware
 199                         if($msg["origin"] == "hardware") {
 200                                 echo "want a hardware token, but i dont know how to do this yet\n";
 201                         } else {
 202                                 echo "using software token\n";
 203                                 $myga->setUser($msg["username"], $ttype, "", $tkey);
 204                         }
 205                 } else {
 206                         echo "User not in client group\n";
 207                 }
 208         } else {
 209                 // internal db
 210         }
 211
 212
 213         return true;
 214 }
 215
 216 // TODO error check/ value check
 217 function gaasAddHardwareToken_server($msg)
 218 {
 219         $tokenid = $msg["tokenid"];
 220         $tokenkey = $msg["tokenkey"];
 221         $tokentype = $msg["tokentype"];
 222
 223         //"hardwaretokens" ("tok_id" INTEGER PRIMARY KEY AUTOINCREMENT,"tok_name" TEXT, "tok_key" TEXT, "tok_type" TEXT);';
 224         print_r($msg);
 225         $db = getDB();
 226         $sql = "insert into hardwaretokens values (NULL, '$tokenid', '$tokenkey', '$tokentype')";
 227         echo "Sql is $sql\n";
 228         $ret = $db->query($sql);
 229         if($ret) return true;
 230         else return false;
 231
 232 }
 233
 234
 235 function gaasGetHardwareTokens_server($msg)
 236 {
 237         $db = getDB();
 238
 239         $sql = "select tok_name, tok_type from hardwaretokens";
 240         $ret = $db->query($sql);
 241
 242         $toks = "";
 243         $i = 0;
 244         foreach($ret as $row) {
 245                 $toks[$i]["name"] = $row["tok_name"];
 246                 $toks[$i]["type"] = $row["tok_type"];
 247                 $i++;
 248         }
 249
 250         return $toks;
 251 }
 252
 253
 254 function gaasAssignToken_server($msg)
 255 {
 256         if(!isset($msg["tokenid"])) return false;
 257
 258         // now, we check the username is in the client gorup
 259         // now we check the token id is valid in the hardware db.
 260
 261         // then we assign to the user
 262 }
 263
 264 function gaasGetUsers_server($msg)
 265 {
 266         $haveTokens = $msg["havetokens"];
 267         $userPatter = $msg["userpattern"];
 268         $group = $msg["group"];
 269
 270         if(confGetval("backend") == "AD") {
 271                 $adgroup = "";
 272                 if($group == "admin") {
 273                         $adgroup = confGetVal("ad.admindef");
 274                 } else {
 275                         $adgroup = confGetVal("ad.clientdef");
 276                 }
 277                 $addom = confGetVal("ad.domain");
 278                 $aduser = confGetVal("ad.user");
 279                 $adpass = confGetVal("ad.pass");
 280                 //echo "using group $adgroup for $group\n";
 281
 282                 $users = getUsersInGroup($addom, $aduser, $adpass, $adgroup);
 283                 foreach($users as $user => $real) {
 284                         hasToken($user);
 285                 }
 286         } else {
 287                 // internal db
 288         }
 289         return $users;
 290 }
 291
 292 function gaasDeleteUser_server($msg)
 293 {
 294         $username = $msg["username"];
 295         $db = getDB();
 296         $db->query($sql = "delete from users where users_username='$username'");
 297
 298 }
 299 ?>