Freeradius users script added
authorpaulr <me@pjr.cc>
Mon, 6 Dec 2010 15:01:10 +0000 (02:01 +1100)
committerpaulr <me@pjr.cc>
Mon, 6 Dec 2010 15:01:10 +0000 (02:01 +1100)
actions added to admin_actions

working radius client using __FILE__ php keywords

authserver/authd/authd.php
authserver/lib/authClient.php
authserver/lib/lib.php
authserver/usercmd.php
authserver/www/admin.php
authserver/www/admin_actions.php
authserver/www/index.php
authserver/www/user_actions.php
contrib/freeradius-users [new file with mode: 0644]

index 67036a7..e0f7296 100644 (file)
@@ -36,6 +36,26 @@ if($pid == -1) {
        while(true) {
                msg_receive($sr_queue, 0, $msg_type, 16384, $msg);
                switch($msg_type) {
+                       case MSG_DELETE_USER_TOKEN:
+                               $username = $msg["username"];
+                               
+                               $sql = "select users_otk from users where users_username='$username'";
+                               $dbo = getDatabase();
+                               $res = $dbo->query($sql);
+                               $otkid = "";
+                               foreach($res as $row) {
+                                       $otkid = $row["users_otk"];
+                               }
+                               if($otkid!="") {
+                                       unlink("otks/$otkid.png");
+                               }
+                               
+                               $sql = "update users set users_tokendata='',users_otk='' where users_username='$username'";
+                               $dbo = getDatabase();
+                               $res = $dbo->query($sql);
+                               
+                               msg_send($cl_queue, MSG_DELETE_USER_TOKEN, true);
+                               break;
                        case MSG_AUTH_USER_TOKEN:
                                echo "Call to auth user token\n";
                                // minimal checking, we leav it up to authenticateUser to do the real
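Review bot: The new MSG_DELETE_USER_TOKEN case interpolates `$msg["username"]` straight into SQL at `select users_otk from users where users_username='$username'` and again in the `update users set users_tokendata='',users_otk=''` statement, so a username containing a quote breaks or rewrites the query; the same pattern is added in the delete-user hunk below (the one ending in `delete from users`) and on the uncommented `update users set users_otk=''` line of the OTK-image hunk. `getDatabase()` appears to return a PDO-style object (the lib.php hunk calls `fetchColumn()` on its result), so bind the value instead: `$stmt = $dbo->prepare("select users_otk from users where users_username=?"); $stmt->execute(array($username));` and likewise for the update. `unlink("otks/$otkid.png")` builds a path from a stored column; if that column can ever be written from outside, constrain it (for example `basename($otkid)`) before using it in a path. The second `getDatabase()` call in this case is redundant and can reuse `$dbo`. The enclosing `while`/`switch` begin outside the hunk.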
@@ -89,9 +109,9 @@ if($pid == -1) {
                                                $hand = fopen("otks/$otk.png", "rb");
                                                $data = fread($hand, filesize("otks/$otk.png"));
                                                fclose($hand);
-                                               //unlink("otks/$otk.png");
-                                               //$sql = "update users set users_otk='' where users_username='$username'";
-                                               //$dbo->query($sql);
+                                               unlink("otks/$otk.png");
+                                               $sql = "update users set users_otk='' where users_username='$username'";
+                                               $dbo->query($sql);
                                                error_log("senting otk, fsize: ".filesize("otks/$otk.png")." $otk ");
                                                msg_send($cl_queue, MSG_GET_OTK_PNG, $data);
                                        }
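Review bot: With `unlink("otks/$otk.png")` now live, the `error_log("senting otk, fsize: ".filesize("otks/$otk.png")...` line that follows reads a file that was just deleted, so it emits a warning and logs `false` as the size. Use the bytes already in hand: `error_log("sending otk, fsize: ".strlen($data)." $otk ");`, or move the log line above the unlink. The `fopen`/`fread` results are also unchecked before the unlink, so a failed read still deletes the only copy of the key image; hedged, since the branch starts outside the hunk.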
@@ -106,7 +126,7 @@ if($pid == -1) {
                                        $username = $msg["username"];
                                        $tokentype="HOTP";
                                        if(isset($msg["tokentype"])) {
-                                               $tokentype="HOTP";
+                                               $tokentype=$msg["tokentype"];
                                        }
                                        $hexkey = "";
                                        if(isset($msg["hexkey"])) {
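Review bot: `$tokentype=$msg["tokentype"]` now accepts whatever the client placed in the message, with no check that it is one of the two expected values. Constrain it where it is read, keeping the `"HOTP"` default otherwise: `if(isset($msg["tokentype"]) && in_array($msg["tokentype"], array("HOTP","TOTP"), true))`. What an unexpected value does downstream depends on the add-user code outside this hunk.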
@@ -134,6 +154,19 @@ if($pid == -1) {
                                } else {
                                        $username = $msg["username"];                           
                                        global $myga;
+
+                                       $sql = "select users_otk from users where users_username='$username'";
+                                       $dbo = getDatabase();
+                                       $res = $dbo->query($sql);
+                                       $otkid = "";
+                                       foreach($res as $row) {
+                                               $otkid = $row["users_otk"];
+                                       }
+                                       if($otkid!="") {
+                                               unlink("otks/$otkid.png");
+                                       }
+                                       
+
                                        $sql = "delete from users where users_username='$username'";
                                        $dbo = getDatabase();
                                        $dbo->query($sql);
index 62419bd..c5ef6dd 100644 (file)
@@ -233,6 +233,33 @@ class GAAuthClient {
                return $msg;
        }
        
+       function deleteUserToken($username) {
+               
+               global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT;
+               
+               if(!msg_queue_exists($MSG_QUEUE_KEY_ID_SERVER)) {
+                       return false;
+               }
+
+               if(!msg_queue_exists($MSG_QUEUE_KEY_ID_CLIENT)) {
+                       return false;
+               }
+               
+               // TODO we need to setup a client queue sem lock here
+               
+               $cl_queue = msg_get_queue($MSG_QUEUE_KEY_ID_CLIENT);
+               $sr_queue = msg_get_queue($MSG_QUEUE_KEY_ID_SERVER);
+               
+               
+               $message["username"] = $username;
+               
+               msg_send($sr_queue, MSG_DELETE_USER_TOKEN, $message, true, true, $msg_err);
+               
+               msg_receive($cl_queue, 0, $msg_type, 16384, $msg);
+               
+               return $msg;
+       }
+       
        function addUser($username, $tokentype="", $hexkey="") {
                global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT;
                
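Review bot: `deleteUserToken` ignores the result of `msg_receive`, so when the receive fails `$msg` is never assigned and the method returns null, while a missing queue returns `false` and a server reply returns `true`; callers get three different shapes for "did it work". Check the call: `if(!msg_receive($cl_queue, 0, $msg_type, 16384, $msg)) { return false; }`, and test the return of `msg_send` instead of discarding `$msg_err`. `$message` is filled via `$message["username"] = $username;` without being declared an array first; `$message = array("username" => $username);` makes the intent explicit. The `// TODO ... sem lock` comment describes a real gap: with one shared reply queue, two concurrent callers can each receive the other's reply.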
index 689389a..02be059 100644 (file)
@@ -15,10 +15,10 @@ define("MSG_SET_USER_TOKEN_TYPE", 8);
 define("MSG_GET_USERS", 9);
 define("MSG_GET_OTK_PNG", 10);
 define("MSG_GET_OTK_ID", 11);
+define("MSG_DELETE_USER_TOKEN", 12);
 
-if(file_exists("../../lib/ga4php.php")) require_once("../../lib/ga4php.php");
-if(file_exists("../lib/ga4php.php")) require_once("../lib/ga4php.php");
-
+// messy
+require_once(dirname(__FILE__)."/../../lib/ga4php.php");
 
 function generateRandomString()
 {
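Review bot: `// messy` does not tell the next reader why the two `file_exists` fallbacks were replaced or what the new line assumes. Replace it with a comment that states the contract, for example `// include relative to this file so the path works regardless of the caller's working directory; assumes lib.php sits two levels below the ga4php root`. The old code silently skipped the include when neither path existed, whereas `require_once` on a missing file is now fatal; that is the better behaviour, but it is worth saying so in the comment.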
@@ -100,9 +100,11 @@ class gaasGA extends GoogleAuthenticator {
                $res = $dbObject->query($sql);
                if($res->fetchColumn() > 0) {
                        // do update
+                       error_log("doing userdata update");
                        $sql = "update users set users_tokendata='$data' where users_username='$username'";
                } else {
                        // do insert
+                       error_log("doing user data create");
                        $sql = "insert into users values (NULL, '$username', '', '', '$data', '')";
                }
                
index d19fa54..3c094db 100644 (file)
@@ -43,9 +43,11 @@ if(!isset($argv[1])) {
 switch($argv[1]) {
        case "radauth":
                if($myAC->authUserToken($argv[2], $argv[3])==1) {
-                       return 0;
+                       syslog(LOG_WARNING, "Got good request for user, ".$argv[2]);
+                       exit(0);
                } else {
-                       return 255;
+                       syslog(LOG_WARNING, "Got bad request for user, ".$argv[2]);
+                       exit(255);
                }
                break;
        case "getotk":
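Review bot: Both outcomes are logged at `LOG_WARNING`, so a successful authentication is indistinguishable by severity from a failed one; log the success at `LOG_INFO` (`syslog(LOG_INFO, "Got good request for user, ".$argv[2]);`) and keep the failure at `LOG_WARNING` or `LOG_NOTICE`. `$argv[2]` and `$argv[3]` are used without checking they were supplied, and the hunk header shows only `$argv[1]` is validated, so a short invocation raises notices and passes null into `authUserToken`. The password arrives in `$argv[3]`, which is visible to other local accounts in the process list while the script runs; the script correctly never logs it, and the caller should prefer handing it over by environment or stdin where that option exists. The `switch` continues outside the hunk.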
index e214751..b35a227 100644 (file)
@@ -17,10 +17,59 @@ require_once("admin_actions.php");
 if($loggedin) {
 ?>
 <h1>GAAS Manager</h1>
-Welcome to the Google Authenticator Authentication Server Manager Application<br>
+Welcome to the Google Authenticator Authentication Server Manager Application - <a href="?showhelp">Show Help</a><br>
+
+<?php 
+if(isset($_REQUEST["message"])) {
+       echo "<font color=\"green\">".$_REQUEST["message"]."</font>";
+} 
+if(isset($_REQUEST["error"])) {
+       echo "<font color=\"red\">".$_REQUEST["error"]."</font>";
+} 
+
+
+if(isset($_REQUEST["showhelp"])) {
+       echo "<hr>";
+       ?>
+On this page, you create users and manage their tokens and passwords. A few notes,<br>
+<li> Passwords are *ONLY* for this page, if you assign a password to a user they can login here
+and edit anyone, including you
+<li> OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once
+and once viewed is deleted. If you need a new one, you need to delete the user and re-create.
+       <?php 
+} 
+
+if(isset($_REQUEST["edituser"])) {
+       $username = $_REQUEST["edituser"];
+?>
+
+<h2>Editing user, <?php echo $username ?></h2><br>
+<form method="post" action="?action=edituser&username=<?php echo $username ?>">
+<input type="hidden" name="original_real" value="<?php echo $_REQUEST["realname"] ?>">
+<table>
+<tr><td>Real Name:</td><td><input type="text" name="realname" value="<?php echo $_REQUEST["realname"] ?>"></td></tr>
+<tr><td>Password:</td><td><input type="password" name="password"></td></tr>
+<tr><td>Confirm Password:</td><td><input type="password" name="password_conf"></td></tr>
+</table>
+<input type="submit" value="Update">
+</form>
+<form method="post" action="?action=customtoken&username=<?php echo $username ?>">
+<h3>Custom Tokens - doesnt work yet</h3><br>
+For assiging in a user-created or hardware tokens<br>
+Token Key (hex) <input type="text" name="tokenkey"><br>
+Token Type 
+<select name="tokentype">
+<option value="HOTP">HOTP</option>
+<option value="TOTP">TOTP</option>
+</select><br>
+<input type="submit" value="Set">
+</form>
+<?php
+} else {
+?>
 <hr><h2>Users</h2>
 <table border="1">
-<tr><th>Username</th><th>RealName</th><th>Has Password?</th><th>Has Token?</th><th>One Time Key</th><th>Update</th><th>Delete</th></tr>
+<tr><th>Username</th><th>RealName</th><th>Has Password?</th><th>Has Token?</th><th>One Time Key</th><th>Delete</th></tr>
 <?php
 $users = $myAC->getUsers();
 foreach($users as $user) {
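Review bot: `$_REQUEST["message"]`, `$_REQUEST["error"]`, `$_REQUEST["edituser"]` and `$_REQUEST["realname"]` are echoed into page text and attribute values without escaping, so any of them can carry markup or script into an admin's browser (reflected XSS); the login-page hunk below repeats the `message`/`error` echoes. Escape at the point of output, e.g. `echo "<font color=\"green\">".htmlspecialchars($_REQUEST["message"], ENT_QUOTES, 'UTF-8')."</font>";`, and the same for the `value="..."` and `action="..."` attributes built from `$username` and `$_REQUEST["realname"]`. The enclosing `if($loggedin)` block closes outside this hunk.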
@@ -29,25 +78,28 @@ foreach($users as $user) {
        if($user["realname"] == "") $realname = "";
        else $realname = $user["realname"];
        
-       if($user["haspass"]) $haspass = "Yes <input type=\"password\" name=\"password\"> <a href=\"?action=deletepass&username=$username\">Delete Password</a>";
-       else $haspass = "No <input type=\"password\" name=\"password\">";
+       if($user["haspass"]) $haspass = "Yes <a href=\"?action=deletepass&username=$username\">Delete Password</a>";
+       else $haspass = "No";
        
-       if($user["hastoken"]) $hastoken = "Yes";
-       else $hastoken = "No";
+       if($user["hastoken"]) $hastoken = "Yes <a href=\"?action=recreatehotptoken&username=$username\">Re-Create (hotp)</a> <a href=\"?action=recreatetotptoken&username=$username\">Re-Create (totp)</a> <a href=\"?action=deletetoken&username=$username\">Delete</a>";
+       else $hastoken = "No <a href=\"?action=recreatehotptoken&username=$username\">Create (hotp)</a> <a href=\"?action=recreatetotptoken&username=$username\">Create (totp)</a>";
        
        if($user["otk"]!="") $otk = "<a href=\"?action=getotk&username=$username&otk=".$user["otk"]."\">Get</a>";
        else $otk = "Already Claimed";
        
        $delete = "<a href=\"?action=delete&username=$username\">Delete</a>";
        
-       echo "<form method=\"post\" action=\"?action=update&username=$username\"><tr><td>$username</td><td><input type=\"text\" name=\"realname\" value=\"$realname\"></td><td>$haspass</td>";
-       echo "<td>$hastoken</td><td>$otk</td><td><input type=\"submit\" value=\"Update\"></td><td>$delete</td><tr></form>";
-} 
+       echo "<tr>";
+       echo "<td><a href=\"?edituser=$username&realname=$realname\">$username</a></td><td>$realname</td><td>$haspass</td>";
+       echo "<td>$hastoken</td><td>$otk</td><td>$delete</td><tr></form>";
+}
 ?>
 </table><br>
 <form method="post" action="?action=createuser">Create User(s) - Enter a comma seperated list of names: <input type="text" name="username" size="120"> <input type="submit" value="Create"></form>
 
 <?php
+
+
 if(isset($_REQUEST["action"])) if($_REQUEST["action"] == "getotk") {
        $username = $_REQUEST["username"];
        $otk = $_REQUEST["otk"];
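Review bot: The rebuilt row ends with `<tr></form>` although the opening `<form>` was removed in this hunk and the closing tag should be `</tr>`, so every row emits a stray `</form>` and never closes itself; the line should end `</td></tr>";`. `?edituser=$username&realname=$realname` puts the real name into a URL unencoded and `$realname` into the cell unescaped; use `urlencode($realname)` in the href and `htmlspecialchars($realname, ENT_QUOTES, 'UTF-8')` where it is printed. The new `recreatehotptoken`, `recreatetotptoken` and `deletetoken` links change server state over GET with no request token, so a logged-in admin following a link from elsewhere triggers them; a small POST form per action with a per-session token verified in admin_actions.php closes that.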
@@ -59,10 +111,10 @@ if(isset($_REQUEST["action"])) if($_REQUEST["action"] == "getotk") {
 <hr><h2>Radius Clients</h2>
 Not yet implemented
 
-<hr><a href="?action=logout">Logout</a>
+<hr><a href="?action=logout">Logout</a> <a href="admin.php">Home</a>
 
 <?php 
-
+} // edit users
 
 } else {
        
@@ -80,7 +132,10 @@ Not yet implemented
 <h1>GAAS Manager Login</h1>
 <?php
 if(isset($_REQUEST["message"])) {
-       echo "<font color=\"red\">Login Failed</font>";
+       echo "<font color=\"green\">".$_REQUEST["message"]."</font>";
+} 
+if(isset($_REQUEST["error"])) {
+       echo "<font color=\"red\">".$_REQUEST["error"]."</font>";
 } 
 ?>
 <form method="post" action="?action=login">
@@ -91,5 +146,5 @@ if(isset($_REQUEST["message"])) {
 </table>
 </form>
 <?php
-}
+} //loggedin
 ?>
\ No newline at end of file
index bddbc55..e5ddb11 100644 (file)
@@ -10,6 +10,34 @@ else $loggedin = false;
 
 if(isset($_REQUEST["action"])) {
        switch($_REQUEST["action"]) {
+               case "recreatehotptoken":
+                       $username = $_REQUEST["username"];
+                       $myAC->addUser($username, "HOTP");
+                       header("Location: ?message=".urlencode("seemed to work?"));
+                       break;
+               case "recreatetotptoken":
+                       $username = $_REQUEST["username"];
+                       $myAC->addUser($username, "TOTP");
+                       header("Location: ?message=".urlencode("seemed to work?"));
+                       break;
+               case "deletetoken":
+                       $username = $_REQUEST["username"];
+                       $myAC->deleteUserToken($username);
+                       header("Location: ?message=".urlencode("seemed to work?"));
+                       break;
+               case "edituser":
+                       $username = $_REQUEST["username"];
+                       if($_REQUEST["original_real"] != $_REQUEST["realname"]) {
+                               $myAC->setUserRealName($username, $_REQUEST["realname"]);
+                       }
+                       if($_REQUEST["password"] != "") {
+                               if($_REQUEST["password"]!=$_REQUEST["password_conf"]) {
+                                       header("Location: ?message=confirmfalse");
+                               } else {
+                                       $myAC->setUserPass($username, $_REQUEST["password"]);
+                               }
+                       }
+                       break;
                case "login":
                        $username = $_REQUEST["username"];
                        $password = $_REQUEST["password"];
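Review bot: The new `recreatehotptoken`, `recreatetotptoken`, `deletetoken` and `edituser` cases act on `$_REQUEST["username"]` without testing `$loggedin`, and the switch cannot be gated as a whole because `login` lives in it, so unless something outside the hunk exits first an unauthenticated request can create or delete a user's token or set a user's password. Start each of those cases with `if(!$loggedin) { header("Location: admin.php?error=".urlencode("Login required")); exit(0); }`. `edituser` also never exits after sending its header, so on a password mismatch the redirect is queued and the page still renders, and the real-name update runs before the password check regardless; end the case with a redirect plus `exit(0)` as the `login` case does, and guard `$_REQUEST["password"]` with `isset` before comparing. The enclosing `if` continues outside the hunk.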
@@ -19,7 +47,7 @@ if(isset($_REQUEST["action"])) {
                                $_SESSION["username"] = $username;
                                header("Location: admin.php");
                        } else {
-                               header("Location: admin.php?message=loginfail");
+                               header("Location: admin.php?error=".urlencode("Login Failed"));
                        }
                        
                        exit(0);
index c8824b8..723163a 100644 (file)
@@ -26,6 +26,8 @@ Token Code: <input type="text" name="tokencode"><br>
 Hi user
 </html>
 
+<hr><a href="?action=logout">Logout</a>
+
 <?php 
 }
 ?>
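Review bot: The new `<hr><a href="?action=logout">Logout</a>` is emitted after the `</html>` tag visible two lines above it, so the link sits outside the document. Move it above `</html>`, or (hedged, since the rest of the page is outside the hunk) move `</html>` to the end of the output.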
index 8947432..6b763b6 100644 (file)
@@ -7,7 +7,7 @@ $myAC = new GAAuthClient();
 $loggedin = false;
 session_start();
 
-if(isset($_SESSION["loggedin"])) if($_SESSION["loggedin"]) {
+if(isset($_SESSION["user_loggedin"])) if($_SESSION["user_loggedin"]) {
        $loggedin = true;
 } else {
        $loggedin = false;
@@ -23,7 +23,7 @@ if(isset($_REQUEST["action"])) {
                        
                        if($myAC->authUserToken($username, $token)) {
                                
-                               $_SESSION["loggedin"] = true;
+                               $_SESSION["user_loggedin"] = true;
                                $_SESSION["username"] = $username;
                                header("Location: index.php");
                        } else {
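Review bot: `$_SESSION["user_loggedin"] = true` is set on whatever session id the browser arrived with, so an id established before login stays valid afterwards; call `session_regenerate_id(true);` immediately before this assignment. `$_SESSION["username"]` is the same key admin_actions.php writes for admin logins, so the two roles share one slot; if both apps run under the same session cookie, a separate `user_username` key keeps one login from overwriting the other. The surrounding `case "login"` begins outside the hunk.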
@@ -31,6 +31,13 @@ if(isset($_REQUEST["action"])) {
                                header("Location: index.php?message=loginfail");
                        }
                        break;
+               case "logout":
+                       $_SESSION["user_loggedin"] = false;
+                       $_SESSION["username"] = "";
+                       header("Location: admin.php");
+                       exit(0);
+                       break;
+                       
        }
 }
 ?>
\ No newline at end of file
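Review bot: The new `logout` case redirects to `admin.php`, while the login case in the hunk above redirects to `index.php`, so logging out of the user app lands on the admin login page; the redirect should be `header("Location: index.php");`. It also clears `$_SESSION["username"]`, the key admin_actions.php uses for the admin login, so an admin sharing the session cookie loses their username while (presumably) their own login flag stays set; clear only user-specific keys, or drop the whole session with `session_regenerate_id(true)` / `session_destroy()`. The `break` after `exit(0)` is unreachable and can go.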
diff --git a/contrib/freeradius-users b/contrib/freeradius-users
new file mode 100644 (file)
index 0000000..5b338ae
--- /dev/null
@@ -0,0 +1,5 @@
+The following three lines is what my freeradius users command looks like - pretty darn simple really
+
+DEFAULT Auth-Type := Accept
+       Exec-Program-Wait = "/usr/bin/php /home/paulr/src/eclipse-workspace/ga4php/authserver/usercmd.php radauth %{User-Name} %{User-Password}",
+       Fall-Through = Yes
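Review bot: The `Exec-Program-Wait` line passes `%{User-Password}` on the command line, so each user's password is briefly visible in the process list to every local account on the RADIUS host; where the installed FreeRADIUS can hand request attributes to the program through the environment or stdin, that keeps the credential out of `ps`. The path `/home/paulr/src/eclipse-workspace/ga4php/authserver/usercmd.php` is a personal development checkout; a contrib example should use a placeholder such as `/path/to/ga4php/authserver/usercmd.php` and say so on the comment line. With `Auth-Type := Accept`, the script's exit status alone decides the request, so the `exit(0)` / `exit(255)` contract of usercmd.php should be stated next to this snippet.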