From: paulr Date: Mon, 6 Dec 2010 15:01:10 +0000 (+1100) Subject: Freeradius users script added X-Git-Url: http://git.pjr.cc/?p=ga4php.git;a=commitdiff_plain;h=d4590a3f34021216c9da29786922fddaf804d113 Freeradius users script added actions added to admin_actions working radius client using __FILE__ php keywords
---
diff --git a/authserver/authd/authd.php b/authserver/authd/authd.php
index 67036a7..e0f7296 100644
--- a/authserver/authd/authd.php
+++ b/authserver/authd/authd.php
@@ -36,6 +36,26 @@ if($pid == -1) {
 while(true) {
 msg_receive($sr_queue, 0, $msg_type, 16384, $msg);
 switch($msg_type) {
+ case MSG_DELETE_USER_TOKEN:
+ $username = $msg["username"];
+
+ $sql = "select users_otk from users where users_username='$username'";
+ $dbo = getDatabase();
+ $res = $dbo->query($sql);
+ $otkid = "";
+ foreach($res as $row) {
+ $otkid = $row["users_otk"];
+ }
+ if($otkid!="") {
+ unlink("otks/$otkid.png");
+ }
+
+ $sql = "update users set users_tokendata='',users_otk='' where users_username='$username'";
+ $dbo = getDatabase();
+ $res = $dbo->query($sql);
+
+ msg_send($cl_queue, MSG_DELETE_USER_TOKEN, true);
+ break;
 case MSG_AUTH_USER_TOKEN:
 echo "Call to auth user token\n";
 // minimal checking, we leav it up to authenticateUser to do the real
@@ -89,9 +109,9 @@ if($pid == -1) {
 $hand = fopen("otks/$otk.png", "rb");
 $data = fread($hand, filesize("otks/$otk.png"));
 fclose($hand);
- //unlink("otks/$otk.png");
- //$sql = "update users set users_otk='' where users_username='$username'";
- //$dbo->query($sql);
+ unlink("otks/$otk.png");
+ $sql = "update users set users_otk='' where users_username='$username'";
+ $dbo->query($sql);
 error_log("senting otk, fsize: ".filesize("otks/$otk.png")." $otk ");
 msg_send($cl_queue, MSG_GET_OTK_PNG, $data);
 }
@@ -106,7 +126,7 @@ if($pid == -1) {
 $username = $msg["username"];
 $tokentype="HOTP";
 if(isset($msg["tokentype"])) {
- $tokentype="HOTP";
+ $tokentype=$msg["tokentype"];
 }
 $hexkey = "";
 if(isset($msg["hexkey"])) {
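Review bot: Both queries in the new MSG_DELETE_USER_TOKEN case splice `$username` straight into the SQL string; the value is whatever the client put in the queue message, and admin_actions.php fills it from `$_REQUEST["username"]`, so a quoted name rewrites the `update` and can clear every user's token data. getDatabase() appears to return a PDO (lib.php calls `fetchColumn()` on a result), so prepared statements are available. `unlink("otks/$otkid.png")` likewise trusts a database value as a path; `basename()` keeps it inside otks/. The rewritten case is below; the reply `msg_send` and the `break` are unchanged.
```php
case MSG_DELETE_USER_TOKEN:
    $username = $msg["username"];
    $dbo = getDatabase();
    // bind rather than interpolate: $username originates in $_REQUEST on the admin page
    $stmt = $dbo->prepare("select users_otk from users where users_username=?");
    $stmt->execute(array($username));
    $otkid = "";
    foreach($stmt as $row) {
        $otkid = $row["users_otk"];
    }
    if($otkid!="") {
        unlink("otks/".basename($otkid).".png");
    }
    $stmt = $dbo->prepare("update users set users_tokendata='',users_otk='' where users_username=?");
    $stmt->execute(array($username));
    // … unchanged: msg_send reply, break …
```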
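Review bot: The `error_log("senting otk, fsize: ".filesize("otks/$otk.png")...)` line now runs after the newly un-commented `unlink`, so it stats a file that no longer exists: PHP emits a warning and filesize() returns false, and the log never records the size. Log the bytes already read instead, `error_log("senting otk, fsize: ".strlen($data)." $otk ");`, or move the log above the unlink. The fopen() result is not checked before fread(), and `$username` is interpolated into the update, the same defect as the other queries in this file. The enclosing handler starts and ends outside the hunk.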
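Review bot: `$tokentype=$msg["tokentype"]` now accepts whatever string the queue client supplied; the admin page only sends "HOTP" or "TOTP", but nothing here enforces that, and the consumer of `$tokentype` is outside the hunk, so an unexpected value reaches token creation unchecked. Keep the default and whitelist the override: `if(isset($msg["tokentype"]) && in_array($msg["tokentype"], array("HOTP", "TOTP"), true)) {`. The replaced line pinned the value to "HOTP" regardless of the message, which is the bug this hunk repairs, so the validation is the only thing left to add.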
@@ -134,6 +154,19 @@ if($pid == -1) {
 } else {
 $username = $msg["username"];
 global $myga;
+
+ $sql = "select users_otk from users where users_username='$username'";
+ $dbo = getDatabase();
+ $res = $dbo->query($sql);
+ $otkid = "";
+ foreach($res as $row) {
+ $otkid = $row["users_otk"];
+ }
+ if($otkid!="") {
+ unlink("otks/$otkid.png");
+ }
+
+
 $sql = "delete from users where users_username='$username'";
 $dbo = getDatabase();
 $dbo->query($sql);
diff --git a/authserver/lib/authClient.php b/authserver/lib/authClient.php
index 62419bd..c5ef6dd 100644
--- a/authserver/lib/authClient.php
+++ b/authserver/lib/authClient.php
@@ -233,6 +233,33 @@ class GAAuthClient {
 return $msg;
 }
+ function deleteUserToken($username) {
+
+ global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT;
+
+ if(!msg_queue_exists($MSG_QUEUE_KEY_ID_SERVER)) {
+ return false;
+ }
+
+ if(!msg_queue_exists($MSG_QUEUE_KEY_ID_CLIENT)) {
+ return false;
+ }
+
+ // TODO we need to setup a client queue sem lock here
+
+ $cl_queue = msg_get_queue($MSG_QUEUE_KEY_ID_CLIENT);
+ $sr_queue = msg_get_queue($MSG_QUEUE_KEY_ID_SERVER);
+
+ $message["username"] = $username;
+
+ msg_send($sr_queue, MSG_DELETE_USER_TOKEN, $message, true, true, $msg_err);
+
+ msg_receive($cl_queue, 0, $msg_type, 16384, $msg);
+
+ return $msg;
+ }
+
 function addUser($username, $tokentype="", $hexkey="") {
 global $MSG_QUEUE_KEY_ID_SERVER, $MSG_QUEUE_KEY_ID_CLIENT;
diff --git a/authserver/lib/lib.php b/authserver/lib/lib.php
index 689389a..02be059 100644
--- a/authserver/lib/lib.php
+++ b/authserver/lib/lib.php
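Review bot: The OTK lookup-and-unlink block added here is a line-for-line copy of the one added to MSG_DELETE_USER_TOKEN in the same commit, down to the interpolated `$username` in the select, so the injection has to be fixed in two places. A small helper, below, replaces both copies and binds the name; each call site becomes `removeUserOtk($dbo, $username);`. The following `delete from users where users_username='$username'` carries the same interpolation and should move to prepare/execute as well. This assumes getDatabase() returns a PDO, as the `fetchColumn()` call in lib.php suggests.
```php
// Remove a user's provisioning QR image from otks/, if one is still recorded.
// Shared by MSG_DELETE_USER_TOKEN and the delete-user path.
function removeUserOtk($dbo, $username) {
    $stmt = $dbo->prepare("select users_otk from users where users_username=?");
    $stmt->execute(array($username));
    $otkid = (string)$stmt->fetchColumn();
    if($otkid!="") {
        unlink("otks/".basename($otkid).".png");
    }
}
```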
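Review bot: `msg_receive($cl_queue, 0, ...)` takes the next message of any type off the shared client queue, and `$msg` is returned without checking that `$msg_type` is MSG_DELETE_USER_TOKEN, so a concurrent request's reply (the window the TODO about the missing lock describes) would come back as this call's result. Until the lock exists, at least ask for the matching type: `msg_receive($cl_queue, MSG_DELETE_USER_TOKEN, $msg_type, 16384, $msg);`. msg_send's return value is also ignored, and on a failed send the receive blocks forever, so `if(!msg_send($sr_queue, MSG_DELETE_USER_TOKEN, $message, true, true, $msg_err)) return false;` is worth the line. A docblock stating that the result is the server's reply (authd.php sends `true`) or `false` when a queue is missing would document the contract callers get.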
@@ -15,10 +15,10 @@ define("MSG_SET_USER_TOKEN_TYPE", 8);
 define("MSG_GET_USERS", 9);
 define("MSG_GET_OTK_PNG", 10);
 define("MSG_GET_OTK_ID", 11);
+define("MSG_DELETE_USER_TOKEN", 12);
-if(file_exists("../../lib/ga4php.php")) require_once("../../lib/ga4php.php");
-if(file_exists("../lib/ga4php.php")) require_once("../lib/ga4php.php");
-
+// messy
+require_once(dirname(__FILE__)."/../../lib/ga4php.php");
 function generateRandomString() {
@@ -100,9 +100,11 @@ class gaasGA extends GoogleAuthenticator {
 $res = $dbObject->query($sql);
 if($res->fetchColumn() > 0) {
 // do update
+ error_log("doing userdata update");
 $sql = "update users set users_tokendata='$data' where users_username='$username'";
 } else {
 // do insert
+ error_log("doing user data create");
 $sql = "insert into users values (NULL, '$username', '', '', '$data', '')";
 }
diff --git a/authserver/usercmd.php b/authserver/usercmd.php
index d19fa54..3c094db 100644
--- a/authserver/usercmd.php
+++ b/authserver/usercmd.php
@@ -43,9 +43,11 @@ if(!isset($argv[1])) {
 switch($argv[1]) {
 case "radauth":
 if($myAC->authUserToken($argv[2], $argv[3])==1) {
- return 0;
+ syslog(LOG_WARNING, "Got good request for user, ".$argv[2]);
+ exit(0);
 } else {
- return 255;
+ syslog(LOG_WARNING, "Got bad request for user, ".$argv[2]);
+ exit(255);
 }
 break;
 case "getotk":
diff --git a/authserver/www/admin.php b/authserver/www/admin.php
index e214751..b35a227 100644
--- a/authserver/www/admin.php
+++ b/authserver/www/admin.php
@@ -17,10 +17,59 @@ require_once("admin_actions.php");
 if($loggedin) { ?>
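Review bot: Both branches still build the statement by interpolating `$data` and `$username`; the new error_log lines do not change that, and `$username` comes from the admin page's `$_REQUEST`. Only the `$sql` assignment is visible here and its execution is outside the hunk, but `$dbObject` is used as a PDO (`fetchColumn()` two lines up), so the fix is placeholders, e.g. `$sql = "update users set users_tokendata=? where users_username=?";` paired with `$dbObject->prepare($sql)->execute(array($data, $username));` where the query is run. The insert lists no column names; a comment giving the positional layout of `users` (`NULL, username, '', '', data, ''`) would spare the next reader a trip to the schema.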
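Review bot: `$argv[2]` and `$argv[3]` are used without checking that they exist; FreeRADIUS invokes this with `%{User-Name} %{User-Password}`, and an empty or absent password leaves `$argv[3]` unset, producing a notice and a call to authUserToken() with null. Add before the call: `if(!isset($argv[2], $argv[3])) { syslog(LOG_WARNING, "radauth: missing username or token"); exit(255); }`. Success and failure are both logged at LOG_WARNING; logging the good case at LOG_INFO lets real failures stand out, and `$argv[3]` must never be logged since it is the one-time code.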

GAAS Manager

-Welcome to the Google Authenticator Authentication Server Manager Application
+Welcome to the Google Authenticator Authentication Server Manager Application - Show Help
+ +".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; +} + + +if(isset($_REQUEST["showhelp"])) { + echo "
"; + ?> +On this page, you create users and manage their tokens and passwords. A few notes,
+
  • Passwords are *ONLY* for this page, if you assign a password to a user they can login here +and edit anyone, including you +
  • OTK/One-Time-Keys are the QRcode for provisioning a GA token, it can only be viewed once +and once viewed is deleted. If you need a new one, you need to delete the user and re-create. + + +

    Editing user,


    +
    +"> + + + + +
    Real Name:">
    Password:
    Confirm Password:
    + +
    +
    +

    Custom Tokens - doesnt work yet


    +For assiging in a user-created or hardware tokens
    +Token Key (hex)
    +Token Type +
    + +
    +

    Users

    - +getUsers(); foreach($users as $user) { @@ -29,25 +78,28 @@ foreach($users as $user) { if($user["realname"] == "") $realname = ""; else $realname = $user["realname"]; - if($user["haspass"]) $haspass = "Yes Delete Password"; - else $haspass = "No "; + if($user["haspass"]) $haspass = "Yes Delete Password"; + else $haspass = "No"; - if($user["hastoken"]) $hastoken = "Yes"; - else $hastoken = "No"; + if($user["hastoken"]) $hastoken = "Yes Re-Create (hotp)Re-Create (totp)Delete"; + else $hastoken = "No Create (hotp)Create (totp)"; if($user["otk"]!="") $otk = "Get"; else $otk = "Already Claimed"; $delete = "Delete"; - echo ""; - echo ""; -} + echo ""; + echo ""; + echo ""; +} ?>
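Review bot: The new banner echoes `$_REQUEST["message"]` and `$_REQUEST["error"]` into the page verbatim (`echo "".$_REQUEST["message"].""` — the surrounding markup was stripped in this rendering), so whoever gets an admin to open `admin.php?message=<script>…` runs script in the session the help text itself says can edit every user. Escape on output: `echo htmlspecialchars($_REQUEST["message"], ENT_QUOTES, 'UTF-8');`, and the same for `error`. The help-text bullet that a password grants edit rights over everyone is accurate and worth keeping next to the form.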
    UsernameRealNameHas Password?Has Token?One Time KeyUpdateDelete
    UsernameRealNameHas Password?Has Token?One Time KeyDelete
    $username$haspass$hastoken$otk$delete
    $username$realname$haspass$hastoken$otk$delete

    Create User(s) - Enter a comma seperated list of names:

    Radius Clients

    Not yet implemented -
    Logout +
    Logout Home GAAS Manager Login Login Failed"; + echo "".$_REQUEST["message"].""; +} +if(isset($_REQUEST["error"])) { + echo "".$_REQUEST["error"].""; } ?>
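Review bot: The users table now prints `$realname` next to `$username`, and neither is escaped before going into the row; admin_actions.php's edituser action stores `$_REQUEST["realname"]` as entered, so a real name containing markup becomes stored XSS on the admin page. Wrap the cells, `echo htmlspecialchars($realname, ENT_QUOTES, 'UTF-8');` and the same for `$username`. The Re-Create and Delete links trigger state changes through plain GET requests handled by admin_actions.php with no per-session token, so an image tag on any page the admin visits can delete a token; the link targets are not visible in this rendering, so confirm against the file.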
    @@ -91,5 +146,5 @@ if(isset($_REQUEST["message"])) {
\ No newline at end of file
diff --git a/authserver/www/admin_actions.php b/authserver/www/admin_actions.php
index bddbc55..e5ddb11 100644
--- a/authserver/www/admin_actions.php
+++ b/authserver/www/admin_actions.php
@@ -10,6 +10,34 @@ else $loggedin = false;
 if(isset($_REQUEST["action"])) {
 switch($_REQUEST["action"]) {
+ case "recreatehotptoken":
+ $username = $_REQUEST["username"];
+ $myAC->addUser($username, "HOTP");
+ header("Location: ?message=".urlencode("seemed to work?"));
+ break;
+ case "recreatetotptoken":
+ $username = $_REQUEST["username"];
+ $myAC->addUser($username, "TOTP");
+ header("Location: ?message=".urlencode("seemed to work?"));
+ break;
+ case "deletetoken":
+ $username = $_REQUEST["username"];
+ $myAC->deleteUserToken($username);
+ header("Location: ?message=".urlencode("seemed to work?"));
+ break;
+ case "edituser":
+ $username = $_REQUEST["username"];
+ if($_REQUEST["original_real"] != $_REQUEST["realname"]) {
+ $myAC->setUserRealName($username, $_REQUEST["realname"]);
+ }
+ if($_REQUEST["password"] != "") {
+ if($_REQUEST["password"]!=$_REQUEST["password_conf"]) {
+ header("Location: ?message=confirmfalse");
+ } else {
+ $myAC->setUserPass($username, $_REQUEST["password"]);
+ }
+ }
+ break;
 case "login":
 $username = $_REQUEST["username"];
 $password = $_REQUEST["password"];
@@ -19,7 +47,7 @@ if(isset($_REQUEST["action"])) {
 $_SESSION["username"] = $username;
 header("Location: admin.php");
 } else {
- header("Location: admin.php?message=loginfail");
+ header("Location: admin.php?error=".urlencode("Login Failed"));
 }
 exit(0);
diff --git a/authserver/www/index.php b/authserver/www/index.php
index c8824b8..723163a 100644
--- a/authserver/www/index.php
+++ b/authserver/www/index.php
@@ -26,6 +26,8 @@ Token Code:
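Review bot: The four new cases run for any request carrying `action=`: the visible context shows the `switch` directly under the `$loggedin` assignment, and unlike "login" none of them consults `$loggedin`, so an unauthenticated request can reset or delete any user's token or set a user's password, which the admin page's help text says grants full admin rights. Gate the state-changing actions before the switch, as below, while leaving "login" reachable. Each `header("Location: ...")` is followed by `break` rather than `exit(0)`, so the rest of admin.php still renders after the redirect header, and "edituser" sends no redirect at all on success. Because `$_REQUEST` accepts GET, these actions remain CSRF-able until a per-session token is checked too.
```php
if(isset($_REQUEST["action"])) {
    // token/password changes require an admin session; "login" must stay reachable
    $adminOnly = array("recreatehotptoken", "recreatetotptoken", "deletetoken", "edituser");
    if(!$loggedin && in_array($_REQUEST["action"], $adminOnly, true)) {
        header("Location: admin.php?error=".urlencode("Login required"));
        exit(0);
    }
    switch($_REQUEST["action"]) {
        // … unchanged: recreatehotptoken, recreatetotptoken, deletetoken, edituser, login cases …
```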
    Hi user +
Logout +
diff --git a/authserver/www/user_actions.php b/authserver/www/user_actions.php
index 8947432..6b763b6 100644
--- a/authserver/www/user_actions.php
+++ b/authserver/www/user_actions.php
@@ -7,7 +7,7 @@ $myAC = new GAAuthClient();
 $loggedin = false;
 session_start();
-if(isset($_SESSION["loggedin"])) if($_SESSION["loggedin"]) {
+if(isset($_SESSION["user_loggedin"])) if($_SESSION["user_loggedin"]) {
 $loggedin = true;
 } else {
 $loggedin = false;
@@ -23,7 +23,7 @@ if(isset($_REQUEST["action"])) {
 if($myAC->authUserToken($username, $token)) {
- $_SESSION["loggedin"] = true;
+ $_SESSION["user_loggedin"] = true;
 $_SESSION["username"] = $username;
 header("Location: index.php");
 } else {
@@ -31,6 +31,13 @@ if(isset($_REQUEST["action"])) {
 header("Location: index.php?message=loginfail");
 }
 break;
+ case "logout":
+ $_SESSION["user_loggedin"] = false;
+ $_SESSION["username"] = "";
+ header("Location: admin.php");
+ exit(0);
+ break;
+
 }
 }
 ?>
\ No newline at end of file
diff --git a/contrib/freeradius-users b/contrib/freeradius-users
new file mode 100644
index 0000000..5b338ae
--- /dev/null
+++ b/contrib/freeradius-users
@@ -0,0 +1,5 @@
+The following three lines is what my freeradius users command looks like - pretty darn simple really
+
+DEFAULT Auth-Type := Accept
+ Exec-Program-Wait = "/usr/bin/php /home/paulr/src/eclipse-workspace/ga4php/authserver/usercmd.php radauth %{User-Name} %{User-Password}",
+ Fall-Through = Yes
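Review bot: The new "logout" case redirects to admin.php, but this is the user-side handler whose "login" case sends the user to index.php, so a user logging out lands on the admin login page; `header("Location: index.php");` looks intended. Flipping two keys leaves the session and its id alive, so the same cookie still names a live session; call `session_destroy();` (or at least `session_regenerate_id(true);`) before the redirect. The `break;` after `exit(0);` is unreachable and can go.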
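Review bot: `Exec-Program-Wait` passes `%{User-Password}` on the command line, so the one-time code — and anything else a user types as their RADIUS password — is visible to every local user through `ps` for as long as the PHP process runs. FreeRADIUS's exec module also hands request attributes to the child as environment variables (`USER_NAME`, `USER_PASSWORD`; confirm for the version in use), which usercmd.php could read with `getenv()` instead of `$argv`. `/home/paulr/src/eclipse-workspace/...` is a developer checkout and should be a placeholder in a contrib file. Whether a non-zero exit from Exec-Program-Wait still rejects the request once `Auth-Type := Accept` is set depends on the FreeRADIUS version, so the file should state which one this was tested against.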