added some code to deal with username case (made it all lower)
1 <?php
2
3 // this file defines all the messages used by gaasd
4
5 // there are only really two status messages at this point - "init" meaning we have not been defined yet
6 // and "running" meaning we have been defined
// Report the server's lifecycle state as a human-readable string.
// Returns "init" until the server has been initialised and a backend chosen;
// otherwise "running" followed by a description of the backend. For the AD
// backend that description includes the GAASD service account name and the
// client/admin group definitions, so this reply is for admin callers only.
// $messages is accepted for interface symmetry and not used.
function gaasStatus_server($messages)
{
        global $initState, $backEnd;

        // not initialised yet, or no backend recorded -> plain "init"
        if($initState == false || $backEnd == "") {
                return "init";
        }

        if(confGetVal("backend") == "AD") {
                $dom = confGetVal("ad.domain");
                $user = confGetVal("ad.user");
                $client = confGetVal("ad.clientdef");
                $admin = confGetVal("ad.admindef");
                $detail = " - AD integrated to $dom, GAASD Username: $user, Clients Group: $client, Admins Group: $admin";
        } else {
                $detail = " - internal database";
        }

        return "running" . $detail;
}
31
32
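// One-time server initialisation. $msg is the client-supplied init message:
//   $msg["backend"] = "AD" | "IN"
//   AD expects: "domain", "user", "pass", "clientdef", "admindef"
//   IN expects: "user", "pass"
// For AD the domain's servers are looked up and the supplied credentials are
// tested before the database is created and the settings persisted. For IN the
// database is created and the given user is stored with a hashed password.
// Returns true on success; false if the server is already initialised, the
// backend is unknown, or any AD check fails. Side effects: sets the globals
// $initState and $backEnd, creates the DB and writes config values.
function gaasInitServer_server($msg)
{
        global $initState, $backEnd;

        error_log("Init server called\n");
        echo "initstate is $initState";
        if($initState) {
                echo "true\n";
        } else {
                echo "false\n";
        }
        // refuse to re-initialise: that would recreate the DB and overwrite stored settings
        if($initState) {
                error_log("init server called when server already init'd\n");
                return false;
        }

        $backend = $msg["backend"] ?? "";

        if($backend == "AD") {
                $backEnd = "AD";
                // attempt connect to AD, verify creds
                $addom = $msg["domain"] ?? "";
                $adlogin = $msg["user"] ?? "";
                $adpass = $msg["pass"] ?? "";
                $adclientdef = $msg["clientdef"] ?? "";
                $adadmindef = $msg["admindef"] ?? "";

                // first look up the domain's global catalog servers. dns_get_record()
                // returns false on a failed lookup (which count() would reject), and the
                // original printed "fail!" but carried on; both cases now fail the init.
                $servers = dns_get_record("_gc._tcp.$addom");
                if($servers === false || count($servers) < 1) {
                        echo "AD servers cant be found, fail!\n";
                        return false;
                }

                // we should check all servers, but lets just go with 0 for now
                $res = adTestLogin($addom, $adlogin, $adpass);
                if(!$res) {
                        return false;
                }

                createDB();
                confSetVal("ad.domain", $addom);
                confSetVal("ad.user", $adlogin);
                // the AD bind password is stored as given: it is read back later
                // (see the confGetVal("ad.pass") calls in this file) to bind to AD,
                // so it cannot be hashed — the config store must be protected instead
                confSetVal("ad.pass", $adpass);
                confSetVal("ad.encryptionkey", generateHexString(32));
                confSetVal("ad.clientdef", $adclientdef);
                confSetVal("ad.admindef", $adadmindef);
                confSetVal("backend", "AD");
                confSetVal("defaulttokentype", "TOTP");

                // NOTE(review): the IN branch sets $initState = "running" while this
                // sets true; both satisfy the loose checks in this file, but the two
                // should agree — confirm against other readers before unifying.
                $initState = true;
                $backEnd = "AD";

                // and that should be it... i think cept im in a forked erg.. lets assume it works, need pain i do not.
                return true;
        }

        if($backend == "IN") {
                // this ones simpler
                $backEnd = "IN";
                createDB();

                // create the user in the db
                $username = $msg["user"] ?? "";
                $password = $msg["pass"] ?? "";

                $myga = new gaasdGA();
                $myga->setUser($username);

                // NOTE(review): an unsalted sha512 is weak for password storage. It is
                // kept because whatever verifies users_password lives outside this file;
                // migrate to password_hash()/password_verify() together with it.
                if($password == "") $pass = "";
                else $pass = hash('sha512', $password);

                // the username comes straight from the client message, so bind it
                // instead of interpolating it into the statement
                // (assumes getDB() returns a PDO handle — the foreach over query()
                // results elsewhere in this file suggests so; confirm)
                $db = getDB();
                $stmt = $db->prepare("update users set users_password=? where users_username=?");
                if($stmt !== false) {
                        $stmt->execute([$pass, $username]);
                }

                $initState = "running";
                return true;
        }

        // unknown backend
        return false;
}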
123
124
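// Replace the stored AD bind credentials. $msg fields: "domain", "user", "pass".
// Only allowed once the server is running with the AD backend; the new
// credentials are tested against the domain before being saved.
// Returns true on success, or a short error string saying why it was refused.
function gaasSetADLogin_server($msg)
{
        global $initState, $backEnd;

        if($initState != "running") {
                return "not in running init state";
        }

        if($backEnd != "AD") {
                return "not setup as AD client";
        }

        $addom = $msg["domain"] ?? "";
        $adlogin = $msg["user"] ?? "";
        $adpass = $msg["pass"] ?? "";

        // was $addmo (an undefined variable), so the login test never saw the domain
        $res = adTestLogin($addom, $adlogin, $adpass);
        // NOTE(review): gaasInitServer_server() treats a falsy adTestLogin() result
        // as failure, while this treats non-zero as failure; one of the two is
        // inverted — confirm adTestLogin()'s contract before relying on this check.
        if($res != 0) {
                return "not able to connect to AD with given cred's";
        }

        confSetVal("ad.domain", $addom);
        confSetVal("ad.user", $adlogin);
        // stored as given: it is used later to bind to AD, so it cannot be hashed
        confSetVal("ad.pass", $adpass);

        return true;
}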
153
// Store the AD group definition that identifies GAASD admins
// ($msg["admingroup"]). Only meaningful for the AD backend; for any other
// backend nothing is changed and false is returned.
function gaasSetAdminGroup_server($msg)
{
        if(confGetVal("backend") != "AD") {
                return false;
        }

        confSetVal("ad.admindef", $msg["admingroup"]);
        return true;
}
162
// Store the AD group definition that identifies GAASD clients
// ($msg["clientgroup"]). Only meaningful for the AD backend; for any other
// backend nothing is changed and false is returned.
function gaasSetClientGroup_server($msg)
{
        if(confGetVal("backend") != "AD") {
                return false;
        }

        confSetVal("ad.clientdef", $msg["clientgroup"]);
        return true;
}
171
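// Provision a software token for $msg["username"]. Optional message fields:
//   "tokentype" - "HOTP" or "TOTP" (case-insensitive; anything else falls back
//                 to the configured default, which is itself forced to TOTP if unset)
//   "tokenkey"  - seed to use; empty lets gaasdGA choose
// With the AD backend the user must be a member of the configured client group;
// the internal backend provisions nothing yet. Always returns true, so a caller
// cannot tell from the result that the group check failed — only the echo shows it.
function gaasProvisionUser_server($msg)
{
        // function userInGroup($user, $domain, $adlogin, $adpass, $group)
        echo "in provision user\n";
        // tokenkey is a secret seed: keep it out of the debug dump
        $dump = $msg;
        if(isset($dump["tokenkey"])) $dump["tokenkey"] = "[redacted]";
        print_r($dump);

        $dttype = confGetVal("defaulttokentype");
        if($dttype != "HOTP" && $dttype != "TOTP") {
                echo "default token type not set, setting to TOTP\n";
                confSetVal("defaulttokentype", "TOTP");
                $dttype = "TOTP";
        }

        // upper-case the requested type so "totp" works, as gaasAddHardwareToken_server() already does
        $ttype = strtoupper($msg["tokentype"] ?? "");
        if($ttype == "") {
                $ttype = $dttype;
        }
        if($ttype != "HOTP" && $ttype != "TOTP") {
                echo "using default token type, $dttype because user entered value of $ttype doesnt make sense\n";
                $ttype = $dttype;
        }
        $tkey = $msg["tokenkey"] ?? "";
        $username = $msg["username"] ?? "";

        if(confGetVal("backend") == "AD") {
                if(userInGroup($username, confGetVal("ad.domain"), confGetVal("ad.user"), confGetVal("ad.pass"), confGetVal("ad.clientdef"))) {
                        $myga = new gaasdGA();

                        echo "using software token\n";
                        $myga->setUser($username, $ttype, "", $tkey);
                } else {
                        echo "User not in client group\n";
                }
        } else {
                // internal db: not implemented yet, nothing is provisioned
        }

        return true;
}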
210
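// Register a hardware token. $msg fields: "tokenid" (the token's name),
// "tokenkey" (its seed) and "tokentype" ("HOTP"/"TOTP", case-insensitive).
// Returns true when the row was inserted, false for a bad type, a missing
// id/key, or a failed insert. The key is a shared secret, so it is neither
// echoed nor dumped here.
function gaasAddHardwareToken_server($msg)
{
        $tokenid = $msg["tokenid"] ?? "";
        $tokenkey = $msg["tokenkey"] ?? "";
        $tokentype = strtoupper($msg["tokentype"] ?? "");

        if($tokentype != "HOTP" && $tokentype != "TOTP") {
                echo "invalid token type from hardware entry\n";
                return false;
        }
        // a row without a name cannot be assigned and one without a key cannot be used
        if($tokenid == "" || $tokenkey == "") {
                echo "hardware token needs both a tokenid and a tokenkey\n";
                return false;
        }
        //"hardwaretokens" ("tok_id" INTEGER PRIMARY KEY AUTOINCREMENT,"tok_name" TEXT, "tok_key" TEXT, "tok_type" TEXT);';
        echo "adding hardware token $tokenid ($tokentype)\n";

        // tokenid/tokenkey come from the client message: bind them rather than
        // building the statement by hand (assumes getDB() returns a PDO handle —
        // the foreach over query() results elsewhere in this file suggests so; confirm)
        $db = getDB();
        $stmt = $db->prepare("insert into hardwaretokens values (NULL, ?, ?, ?)");
        if($stmt === false) return false;
        return $stmt->execute([$tokenid, $tokenkey, $tokentype]) ? true : false;
}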
232
233
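// List the registered hardware tokens as a list of ["name" => ..., "type" => ...]
// entries. Only name and type are selected, so the token key never leaves the
// DB through this call. Returns an empty array when there are none or the
// query fails. $msg is not used.
function gaasGetHardwareTokens_server($msg)
{
        $db = getDB();

        $ret = $db->query("select tok_name, tok_type from hardwaretokens");

        // was initialised to "": indexing into an empty string does not build an
        // array on current PHP, and an empty result should be [] rather than ""
        $toks = [];
        if($ret) {
                foreach($ret as $row) {
                        $toks[] = ["name" => $row["tok_name"], "type" => $row["tok_type"]];
                }
        }

        return $toks;
}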
251
252
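// Assign the hardware token named $msg["tokenid"] to $msg["username"].
// With the AD backend the user must be in the configured client group; the
// internal backend is not implemented and returns false. Returns true once
// gaasdGA::setUser() has accepted the token, false on any failure (the
// original returned nothing on every path).
function gaasAssignToken_server($msg)
{
        if(!isset($msg["tokenid"])) return false;

        $tokenid = $msg["tokenid"];
        $username = $msg["username"] ?? "";

        if(confGetVal("backend") != "AD") {
                // internal db: not implemented yet
                return false;
        }

        // now, we check the username is in the client gorup
        if(!userInGroup($username, confGetVal("ad.domain"), confGetVal("ad.user"), confGetVal("ad.pass"), confGetVal("ad.clientdef"))) {
                return false;
        }

        // the where clause used to be commented out, so every hardware token was
        // read and the last row won regardless of the requested tokenid. Bind the
        // name (it comes from the client) rather than interpolating it.
        // (assumes getDB() returns a PDO handle — the foreach over query() results
        // elsewhere in this file suggests so; confirm)
        $db = getDB();
        $stmt = $db->prepare("select tok_key, tok_type from hardwaretokens where tok_name=?");
        if($stmt === false || !$stmt->execute([$tokenid])) {
                echo "got a token assignment for an invalid name\n";
                return false;
        }

        $tok_key = "";
        $tok_type = "";
        foreach($stmt as $row) {
                $tok_key = $row["tok_key"];
                $tok_type = $row["tok_type"];
        }

        // no row, or a row missing its key/type, cannot be provisioned; the
        // original only echoed and then handed the empty values to setUser()
        if($tok_type == "" || $tok_key == "") {
                echo "error in token data from hardware token in DB\n";
                return false;
        }

        // the key is a shared secret: report the type only
        echo "assigning hardware token $tokenid ($tok_type) to $username\n";
        $myga = new gaasdGA();
        if(!$myga->setUser($username, $tok_type, "", $tok_key)) {
                echo "errror assigning token?\n";
                return false;
        }

        return true;
}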
299
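// List users for the admin side. $msg["group"] == "admin" selects the AD admin
// group, anything else the client group; every entry returned by
// getUsersInGroup() gets a "hastoken" flag from gaasdGA::hasToken().
// $msg["havetokens"] and $msg["userpattern"] are accepted but not applied yet.
// The internal backend is not implemented and yields an empty list (the
// original returned an undefined variable on that path).
function gaasGetUsers_server($msg)
{
        $group = $msg["group"] ?? "";
        $myga = new gaasdGA();
        $users = [];

        if(confGetVal("backend") == "AD") {
                $adgroup = ($group == "admin") ? confGetVal("ad.admindef") : confGetVal("ad.clientdef");
                $addom = confGetVal("ad.domain");
                $aduser = confGetVal("ad.user");
                $adpass = confGetVal("ad.pass");

                $users = getUsersInGroup($addom, $aduser, $adpass, $adgroup);
                // guard against a non-array (e.g. false) result before iterating
                if(!is_array($users)) {
                        $users = [];
                }
                foreach($users as $key => $val) {
                        $users[$key]["hastoken"] = $myga->hasToken($val["username"]) ? true : false;
                }
        } else {
                // internal db: not implemented yet
        }

        return $users;
}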
337
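// Remove the user row for $msg["username"]. Returns true when the delete
// statement ran, false for an empty username or a failed statement (a
// username that matched no row is not distinguished from one that did).
function gaasDeleteUser_server($msg)
{
        $username = $msg["username"] ?? "";
        if($username == "") return false;

        // the username is client-supplied: bind it instead of interpolating it
        // (assumes getDB() returns a PDO handle — the foreach over query() results
        // elsewhere in this file suggests so; confirm)
        $db = getDB();
        $stmt = $db->prepare("delete from users where users_username=?");
        if($stmt === false) return false;
        return $stmt->execute([$username]) ? true : false;
}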
347 ?>