415 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			PHP
		
	
	
	
			
		
		
	
	
			415 lines
		
	
	
		
			12 KiB
		
	
	
	
		
			PHP
		
	
	
	
| <?php
 | |
| /**
 | |
|  $Id: m_authip.php
 | |
|  ----------------------------------------------------------------------
 | |
|  LICENSE
 | |
| 
 | |
|  This program is free software; you can redistribute it and/or
 | |
|  modify it under the terms of the GNU General Public License (GPL)
 | |
|  as published by the Free Software Foundation; either version 2
 | |
|  of the License, or (at your option) any later version.
 | |
| 
 | |
|  This program is distributed in the hope that it will be useful,
 | |
|  but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  GNU General Public License for more details.
 | |
| 
 | |
|  To read the license please visit http://www.gnu.org/copyleft/gpl.html
 | |
|  ----------------------------------------------------------------------
 | |
|  Original Author of file: Fufroma
 | |
|  ----------------------------------------------------------------------
 | |
| */
 | |
| /**
 | |
| * Classe de gestion des IP authorisée
 | |
|  * @group alternc
 | |
| **/
 | |
| class m_authip {
 | |
| 
 | |
|   /**
 | |
|    * Retourne la liste des ip whitelist
 | |
|    *
 | |
|    * @global    m_mem   $mem
 | |
|    * @return array retourne un tableau indexé des ip de l'utilisateur
 | |
|    */
 | |
|   function list_ip_whitelist() {
 | |
|     global $mem;
 | |
|     if (!$mem->checkRight()) return false;
 | |
|     return $this->list_ip(true); 
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * 
 | |
|    * @return array
 | |
|    */
 | |
|   function hook_menu() {
 | |
|     $obj = array(
 | |
|       'title'       => _("Access security"),
 | |
|       'ico'         => 'images/ip.png',
 | |
|       'link'        => 'ip_main.php',
 | |
|       'pos'         => 120,
 | |
|      ) ;
 | |
| 
 | |
|      return $obj;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Retourne la liste des ip spécifiées par cet utilisateur
 | |
|    *
 | |
|    * 
 | |
|    * @global    m_mysql $db
 | |
|    * @global    m_mem   $mem
 | |
|    * @global int $cuid
 | |
|    * @param     boolean $whitelist
 | |
|    * @return    array   Retourne un tableau indexé des ip de l'utilisateur
 | |
|    */
 | |
|   function list_ip($whitelist=false) {
 | |
|     global $db, $mem;
 | |
|  
 | |
|     if ($whitelist && $mem->checkRight() ) {
 | |
|       $cuid=0;
 | |
|     } else {
 | |
|       global $cuid;
 | |
|     }
 | |
| 
 | |
|     $r = array();
 | |
|     $db->query("SELECT * FROM authorised_ip WHERE uid='$cuid' order by ip,subnet;");
 | |
|     while ($db->next_record()) {
 | |
|       $r[$db->f('id')]=$db->Record;
 | |
|       if ( (checkip($db->f('ip'))   && $db->f('subnet') == 32) ||
 | |
|            (checkipv6($db->f('ip')) && $db->f('subnet') == 128) ) {
 | |
|         $r[$db->f('id')]['ip_human']=$db->f('ip');
 | |
|       } else {
 | |
|         $r[$db->f('id')]['ip_human']=$db->f('ip')."/".$db->f('subnet');
 | |
|       }
 | |
| 
 | |
|     }
 | |
|     return $r;
 | |
|   }
 | |
| 
 | |
| 
 | |
| 
 | |
|   /**
 | |
|    * Supprime une IP des IP de l'utilisateur
 | |
|    * et supprime les droits attaché en cascade
 | |
|    *
 | |
|    * @param integer $id 
 | |
|    * @return boolean 
 | |
|    * 
 | |
|    * @global    m_mysql $db
 | |
|    * @global int $cuid
 | |
|    * @param     int     $id     id de la ligne à supprimer
 | |
|    * @return    boolean         Retourne FALSE si erreur, sinon TRUE
 | |
|    */
 | |
|   function ip_delete($id) {
 | |
|     global $db, $cuid;
 | |
|     $id=intval($id);
 | |
|     
 | |
|     $db->query("SELECT id FROM authorised_ip_affected where authorised_ip_id ='$id';");
 | |
|     while ($db->next_record()) {
 | |
|       $this->ip_affected_delete($db->f('id'));
 | |
|     }
 | |
|     if (! $db->query("delete from authorised_ip where id='$id' and ( uid='$cuid' or uid=0) limit 1;") ) {
 | |
|       echo "query failed: ".$db->Error;
 | |
|       return false;
 | |
|     }
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Liste les IP et subnet authorisés
 | |
|    * pour une classe donnée
 | |
|    * 
 | |
|    * @global    m_mysql $db
 | |
|    * @global int $cuid
 | |
|    * @param     string  $s      Classe concernée
 | |
|    * @return    array
 | |
|    */
 | |
|   function get_allowed($s) {
 | |
|     global $db, $cuid;
 | |
|     if (! $db->query("select ai.ip, ai.subnet, ai.infos, aia.parameters from authorised_ip ai, authorised_ip_affected aia where aia.protocol='$s' and aia.authorised_ip_id = ai.id and ai.uid='$cuid';") ) {
 | |
|       echo "query failed: ".$db->Error;
 | |
|       return false;
 | |
|     }
 | |
|     $r=Array();
 | |
|     while ($db->next_record()) {
 | |
|       $r[]=Array("ip"=>$db->f("ip"), "subnet"=>$db->f("subnet"), "infos"=>$db->f("infos"), "parameters"=>$db->f("parameters"));
 | |
|     }
 | |
|     return $r;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * 
 | |
|    * @global    m_mysql $db
 | |
|    * @param     string  $ip
 | |
|    * @return    boolean
 | |
|    */
 | |
|   function is_wl($ip) {
 | |
|     global $db;
 | |
|     if (! $db->query("select ai.ip, ai.subnet from authorised_ip ai where ai.uid='0';") ) {
 | |
|       echo "query failed: ".$db->Error;
 | |
|       return false;
 | |
|     }
 | |
|     while ($db->next_record()) {
 | |
|       if ( $this->is_in_subnet($ip, $db->f('ip'), $db->f('subnet') ) ) return true;
 | |
|     }
 | |
|     return false;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Retourne si l'ip appartient au subnet.
 | |
|    *
 | |
|    * @param     string  $o
 | |
|    * @param     string  $ip
 | |
|    * @param     string  $sub
 | |
|    * @return boolean
 | |
|    */
 | |
|    function is_in_subnet($o, $ip, $sub) {
 | |
|     $o = inet_pton($o);
 | |
|     $ip = inet_pton($ip);
 | |
|     $sub = pow(2, $sub);
 | |
|   
 | |
|     if ( $o >= $ip && $o <= ($ip+$sub) ) return true;
 | |
|     return false;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Sauvegarde une IP dans les IP TOUJOURS authorisée
 | |
|    *
 | |
|    * @global    m_mem   $mem
 | |
|    */
 | |
|   function ip_save_whitelist($id, $ipsub, $infos) {
 | |
|     global $mem;
 | |
|     if (!$mem->checkRight()) return false;
 | |
|     return $this->ip_save($id, $ipsub, $infos, 0);
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Sauvegarde une IP dans les IP authorisée
 | |
|    * 
 | |
|    * @global    m_mysql $db
 | |
|    * @global    m_mem   $mem
 | |
|    * @global int $cuid
 | |
|    * @param     int     $id     id de la ligne à modifier. Si vide ou
 | |
|    *                            égal à 0, alors c'est une insertion
 | |
|    * @param     string  $ipsub  IP (v4 ou v6), potentiellement avec un subnet ( /24)
 | |
|    * @param     string  $infos  Commentaire pour l'utilisateur
 | |
|    * @param     int     $uid    Si $uid=0 et qu'on est super-admin, insertion avec uid=0
 | |
|    *                            ce qui correspond a une ip toujours authorisée 
 | |
|    * @return    boolean         Retourne FALSE si erreur, sinon TRUE
 | |
|    * 
 | |
|    */
 | |
|   function ip_save($id, $ipsub, $infos, $uid=null) {
 | |
|     global $db, $mem;
 | |
| 
 | |
|     // If we ask for uid=0, we have to check to be super-user
 | |
|     // else, juste use global cuid;
 | |
|     if ($uid === 0 && $mem->checkRight() ) {
 | |
|       $cuid=0;
 | |
|     } else {
 | |
|       global $cuid;
 | |
|     } 
 | |
| 
 | |
|     $id=intval($id);
 | |
|     $infos=mysql_real_escape_string($infos);
 | |
| 
 | |
|     // Extract subnet from ipsub
 | |
|     $tmp=explode('/',$ipsub);
 | |
|     $ip=$tmp[0];
 | |
| 
 | |
|     // Error if $ip not an IP
 | |
|     if ( ! checkip($ip) && ! checkipv6($ip) ) {
 | |
|         echo "Failed : not an IP address";
 | |
|         return false;
 | |
|     }
 | |
| 
 | |
|     // Check the subnet, if not defined, give a /32 or a /128
 | |
|     if (isset($tmp[1])) {
 | |
|       $subnet=intval($tmp[1]);
 | |
|     } else {
 | |
|       if ( checkip($ip) ) $subnet=32;
 | |
|       else $subnet=128;
 | |
|     }
 | |
| 
 | |
|     // An IPv4 can't have subnet > 32
 | |
|     if (checkip($ip) && $subnet > 32 ) $subnet=32;
 | |
|       
 | |
|     if ($id) { // Update
 | |
|       $list_affected = $this->list_affected($id);
 | |
|       foreach($list_affected as $k => $v) {
 | |
|         $this->call_hooks("authip_on_delete", $k );    
 | |
|       }
 | |
|       if (! $db->query("update authorised_ip set ip='$ip', subnet='$subnet', infos='$infos' where id='$id' and uid='$cuid' ;") ) {
 | |
|         echo "query failed: ".$db->Error;
 | |
|         return false;
 | |
|       }
 | |
|       foreach($list_affected as $k => $v) {
 | |
|         $this->call_hooks("authip_on_create", $k );    
 | |
|       }
 | |
|     } else { // Insert
 | |
|       if (! $db->query("insert into authorised_ip (uid, ip, subnet, infos) values ('$cuid', '$ip', '$subnet', '$infos' );") ) {
 | |
|         echo "query failed: ".$db->Error;
 | |
|         return false;
 | |
|       }
 | |
|     }
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Fonction appelée par Alternc lors de la suppression d'un utilisateur
 | |
|    *
 | |
|    * @global    int     $cuid
 | |
|    * @global    m_mysql $db
 | |
|    * @return    boolean         Retourne TRUE
 | |
|    */
 | |
|   function alternc_del_member() {
 | |
|     global $cuid,$db;
 | |
|     $db->query("SELECT id FROM authorised_ip WHERE uid ='$cuid';");
 | |
|     while ($db->next_record()) {
 | |
|       $this->ip_delete($db->f('id'));
 | |
|     }
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
| 
 | |
|   /**
 | |
|    * Analyse les classes et récupéres les informations
 | |
|    * des classes voulant de la restriction IP
 | |
|    *
 | |
|    * @return array Retourne un tableau compliqué
 | |
|    */
 | |
|   function get_auth_class() {
 | |
|     global $hooks;
 | |
|     $authclass = $hooks->invoke('authip_class');
 | |
| 
 | |
|     // Je rajoute la class DANS l'objet parce que
 | |
|     // ca m'interesse
 | |
|     foreach ($authclass as $k => $v) {
 | |
| 	$authclass[$k]['class']=$k;
 | |
|     }
 | |
| 
 | |
|     return $authclass;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Enregistre ou modifie une affectation ip<=>ressource
 | |
|    * Nota : lance des hooks sur la classe correspondante pour
 | |
|    * informer de l'édition/création
 | |
|    *
 | |
|    * @global    m_mysql $db
 | |
|    * @param     int     $authorised_ip_id   id de l'ip affecté
 | |
|    * @param     string  $protocol           nom du protocole (définie dans la classe correspondante)
 | |
|    * @param     string  $parameters         information propre au protocole
 | |
|    * @param     int     $id                 $id présent si c'est une édition
 | |
|    * @return    boolean                     Retourne FALSE si erreur, sinon TRUE
 | |
|    */
 | |
|   function ip_affected_save($authorised_ip_id, $protocol, $parameters, $id=null) {
 | |
|     global $db;
 | |
|     $authorised_ip_id=intval($authorised_ip_id);
 | |
|     $protocol=mysql_real_escape_string($protocol);
 | |
|     $parameters=mysql_real_escape_string($parameters);
 | |
| 
 | |
|     if ($id) {
 | |
|       $id=intval($id);
 | |
|       $this->call_hooks("authip_on_delete", $id );    
 | |
|       if (! $db->query("update authorised_ip_affected set authorised_ip_id='$authorised_ip_id', protocol='$protocol', parameters='$parameters' where id ='$id' limit 1;") ) {
 | |
|         echo "query failed: ".$db->Error;
 | |
|         return false;
 | |
|       }
 | |
|       $this->call_hooks("authip_on_create", $id );    
 | |
|     } else {
 | |
|       if (! $db->query("insert into authorised_ip_affected (authorised_ip_id, protocol, parameters) values ('$authorised_ip_id', '$protocol', '$parameters');") ) {
 | |
|         echo "query failed: ".$db->Error;
 | |
|         return false;
 | |
|       }
 | |
|       $this->call_hooks("authip_on_create", mysql_insert_id() );    
 | |
|     }
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Supprime une affectation ip<=>ressource
 | |
|    * Nota : lance des hooks dans la classe correspondante
 | |
|    * pour informer de la suppression
 | |
|    *
 | |
|    * @global    m_mysql $db
 | |
|    * @param     int     $id     id de la ligne à supprimer
 | |
|    * @return    boolean         Retourne FALSE si erreur, sinon TRUE
 | |
|    */
 | |
|   function ip_affected_delete($id) {
 | |
|     global $db;
 | |
|     $id=intval($id);
 | |
| 
 | |
|     // Call hooks
 | |
|     $this->call_hooks("authip_on_delete", $id );    
 | |
| 
 | |
|     if (! $db->query("delete from authorised_ip_affected where id='$id' limit 1;") ) {
 | |
|       echo "query failed: ".$db->Error;
 | |
|       return false;
 | |
|     }
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
| 
 | |
|   /**
 | |
|    * Appel les hooks demandé avec en parametres les 
 | |
|    * affectationt ip<=>ressource dont l'id est en parametre
 | |
|    *
 | |
|    * @global    m_hooks $hooks
 | |
|    * @global    m_err   $err
 | |
|    * @param     string  $function       Nom de la fonction a rechercher et appeller dans les classes
 | |
|    * @param     integer $affectation_id Id de l'affectation correspondante
 | |
|    * @return    boolean                 Retourne TRUE
 | |
|    */
 | |
|   function call_hooks($function, $affectation_id) {
 | |
|     global $hooks,$err;
 | |
| 
 | |
|     // On récure l'objet dont on parle
 | |
|     $d = $this->list_affected();
 | |
|     if (! isset($d[$affectation_id] )) {
 | |
|       $err->raise('authip', _("Object not available"));
 | |
|       return false;
 | |
|     }
 | |
| 
 | |
|     $affectation = $d[$affectation_id];
 | |
| 
 | |
|     // On en déduis la classe qui le concerne
 | |
|     $e = $this->get_auth_class();
 | |
|     if (! isset($e[$affectation['protocol']])) {
 | |
|       $err->raise('authip', sprintf(_("Can't identified class for the protocole %s"), $affectation['protocol']));
 | |
|       return false;
 | |
|     }
 | |
|     $c = $e[$affectation['protocol']]['class'];
 | |
| 
 | |
|     // On appelle le hooks de cette classe
 | |
|     $hooks->invoke($function, Array($affectation), Array($c) );
 | |
| 
 | |
|     return true;
 | |
|   }
 | |
| 
 | |
|   /**
 | |
|    * Liste les affectation ip<=>ressource d'un utilisateur
 | |
|    *
 | |
|    * @global    m_mysql $db
 | |
|    * @global    int     $cuid
 | |
|    * @param     int     $ip_id
 | |
|    * @return    array           Retourne un tableau de valeurs
 | |
|    */
 | |
|   function list_affected($ip_id=null) {
 | |
|     global $db, $cuid;
 | |
| 
 | |
|     $r = array();
 | |
|     if ( is_null($ip_id) ) {
 | |
|       $db->query("select aia.* from authorised_ip_affected aia, authorised_ip ai where ai.uid='$cuid' and aia.authorised_ip_id = ai.id order by protocol, parameters;");
 | |
|     } else {
 | |
|       $db->query("select aia.* from authorised_ip_affected aia, authorised_ip ai where ai.uid='$cuid' and aia.authorised_ip_id = '".intval($ip_id)."' order by protocol, parameters;");
 | |
|     }
 | |
|     while ($db->next_record()) {
 | |
|       $r[$db->f('id')]=$db->Record;
 | |
|     }
 | |
|     return $r;
 | |
|   }
 | |
| 
 | |
| }; /* Classe m_authip */
 | |
| 
 | |
| ?>
 |