1
|
|
|
<?php |
2
|
|
|
|
3
|
|
|
/** |
4
|
|
|
$Id: m_authip.php |
5
|
|
|
---------------------------------------------------------------------- |
6
|
|
|
LICENSE |
7
|
|
|
|
8
|
|
|
This program is free software; you can redistribute it and/or |
9
|
|
|
modify it under the terms of the GNU General Public License (GPL) |
10
|
|
|
as published by the Free Software Foundation; either version 2 |
11
|
|
|
of the License, or (at your option) any later version. |
12
|
|
|
|
13
|
|
|
This program is distributed in the hope that it will be useful, |
14
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of |
15
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
16
|
|
|
GNU General Public License for more details. |
17
|
|
|
|
18
|
|
|
To read the license please visit http://www.gnu.org/copyleft/gpl.html |
19
|
|
|
---------------------------------------------------------------------- |
20
|
|
|
Original Author of file: Fufroma |
21
|
|
|
---------------------------------------------------------------------- |
22
|
|
|
*/ |
23
|
|
|
|
24
|
|
|
/** |
25
|
|
|
* Classe de gestion des IP authorisée |
26
|
|
|
* @group alternc |
27
|
|
|
* */ |
28
|
|
|
class m_authip { |
29
|
|
|
|
30
|
|
|
/** |
31
|
|
|
* Retourne la liste des ip whitelist |
32
|
|
|
* |
33
|
|
|
* @global m_mem $mem |
34
|
|
|
* @return array retourne un tableau indexé des ip de l'utilisateur |
35
|
|
|
*/ |
36
|
|
|
function list_ip_whitelist() { |
37
|
|
|
global $mem; |
38
|
|
|
if (!$mem->checkRight()) { |
39
|
|
|
return false; |
40
|
|
|
} |
41
|
|
|
return $this->list_ip(true); |
42
|
|
|
} |
43
|
|
|
|
44
|
|
|
/** |
45
|
|
|
* |
46
|
|
|
* @return array |
47
|
|
|
*/ |
48
|
|
|
function hook_menu() { |
49
|
|
|
$obj = array( |
50
|
|
|
'title' => _("FTP Access Security"), |
51
|
|
|
'ico' => 'images/ip.png', |
52
|
|
|
'link' => 'ip_main.php', |
53
|
|
|
'pos' => 120, |
54
|
|
|
); |
55
|
|
|
|
56
|
|
|
return $obj; |
57
|
|
|
} |
58
|
|
|
|
59
|
|
|
/** |
60
|
|
|
* Retourne la liste des ip spécifiées par cet utilisateur |
61
|
|
|
* |
62
|
|
|
* |
63
|
|
|
* @global m_mysql $db |
64
|
|
|
* @global m_mem $mem |
65
|
|
|
* @global int $cuid |
66
|
|
|
* @param boolean $whitelist |
67
|
|
|
* @return array Retourne un tableau indexé des ip de l'utilisateur |
68
|
|
|
*/ |
69
|
|
|
function list_ip($whitelist = false) { |
70
|
|
|
global $db, $mem; |
71
|
|
|
|
72
|
|
|
if ($whitelist && $mem->checkRight()) { |
73
|
|
|
$cuid = 0; |
74
|
|
|
} else { |
75
|
|
|
global $cuid; |
76
|
|
|
} |
77
|
|
|
|
78
|
|
|
$r = array(); |
79
|
|
|
$db->query("SELECT * FROM authorised_ip WHERE uid= ? order by ip,subnet;", array($cuid)); |
80
|
|
|
while ($db->next_record()) { |
81
|
|
|
$r[$db->f('id')] = $db->Record; |
82
|
|
|
if ((checkip($db->f('ip')) && $db->f('subnet') == 32) || |
83
|
|
|
(checkipv6($db->f('ip')) && $db->f('subnet') == 128)) { |
84
|
|
|
$r[$db->f('id')]['ip_human'] = $db->f('ip'); |
85
|
|
|
} else { |
86
|
|
|
$r[$db->f('id')]['ip_human'] = $db->f('ip') . "/" . $db->f('subnet'); |
87
|
|
|
} |
88
|
|
|
} |
89
|
|
|
return $r; |
90
|
|
|
} |
91
|
|
|
|
92
|
|
|
/** |
93
|
|
|
* Supprime une IP des IP de l'utilisateur |
94
|
|
|
* et supprime les droits attaché en cascade |
95
|
|
|
* |
96
|
|
|
* @param integer $id |
97
|
|
|
* @return boolean |
98
|
|
|
* |
99
|
|
|
* @global m_mysql $db |
100
|
|
|
* @global int $cuid |
101
|
|
|
* @param int $id id de la ligne à supprimer |
102
|
|
|
* @return boolean Retourne FALSE si erreur, sinon TRUE |
103
|
|
|
*/ |
104
|
|
|
function ip_delete($id) { |
105
|
|
|
global $db, $cuid; |
106
|
|
|
$id = intval($id); |
107
|
|
|
|
108
|
|
|
$db->query("SELECT id FROM authorised_ip_affected where authorised_ip_id = ?;", array($id)); |
109
|
|
|
while ($db->next_record()) { |
110
|
|
|
$this->ip_affected_delete($db->f('id')); |
111
|
|
|
} |
112
|
|
|
if (!$db->query("delete from authorised_ip where id= ? and ( uid= ? or uid=0) limit 1;", array($id, $cuid))) { |
113
|
|
|
echo "query failed: " . $db->Error; |
114
|
|
|
return false; |
115
|
|
|
} |
116
|
|
|
return true; |
117
|
|
|
} |
118
|
|
|
|
119
|
|
|
/** |
120
|
|
|
* Liste les IP et subnet authorisés |
121
|
|
|
* pour une classe donnée |
122
|
|
|
* |
123
|
|
|
* @global m_mysql $db |
124
|
|
|
* @global int $cuid |
125
|
|
|
* @param string $s Classe concernée |
126
|
|
|
* @return array |
127
|
|
|
*/ |
128
|
|
|
function get_allowed($s) { |
129
|
|
|
global $db, $cuid; |
130
|
|
|
if (!$db->query("select ai.ip, ai.subnet, ai.infos, aia.parameters from authorised_ip ai, authorised_ip_affected aia where aia.protocol= ? and aia.authorised_ip_id = ai.id and ai.uid= ?;", array($s, $cuid))) { |
131
|
|
|
echo "query failed: " . $db->Error; |
132
|
|
|
return false; |
133
|
|
|
} |
134
|
|
|
$r = Array(); |
135
|
|
|
while ($db->next_record()) { |
136
|
|
|
$r[] = Array("ip" => $db->f("ip"), "subnet" => $db->f("subnet"), "infos" => $db->f("infos"), "parameters" => $db->f("parameters")); |
137
|
|
|
} |
138
|
|
|
return $r; |
139
|
|
|
} |
140
|
|
|
|
141
|
|
|
/** |
142
|
|
|
* |
143
|
|
|
* @global m_mysql $db |
144
|
|
|
* @param string $ip |
145
|
|
|
* @return boolean |
146
|
|
|
*/ |
147
|
|
|
function is_wl($ip) { |
148
|
|
|
global $db; |
149
|
|
|
if (!$db->query("select ai.ip, ai.subnet from authorised_ip ai where ai.uid='0';")) { |
150
|
|
|
echo "query failed: " . $db->Error; |
151
|
|
|
return false; |
152
|
|
|
} |
153
|
|
|
while ($db->next_record()) { |
154
|
|
|
if ($this->is_in_subnet($ip, $db->f('ip'), $db->f('subnet'))) |
155
|
|
|
return true; |
156
|
|
|
} |
157
|
|
|
return false; |
158
|
|
|
} |
159
|
|
|
|
160
|
|
|
/** |
161
|
|
|
* Retourne si l'ip appartient au subnet. |
162
|
|
|
* |
163
|
|
|
* @param string $o |
164
|
|
|
* @param string $ip |
165
|
|
|
* @param string $sub |
166
|
|
|
* @return boolean |
167
|
|
|
*/ |
168
|
|
|
function is_in_subnet($o, $ip, $sub) { |
169
|
|
|
$o = inet_pton($o); |
170
|
|
|
$ip = inet_pton($ip); |
171
|
|
|
$sub = pow(2, $sub); |
172
|
|
|
|
173
|
|
|
if ($o >= $ip && $o <= ($ip + $sub)) { |
174
|
|
|
return true; |
175
|
|
|
} |
176
|
|
|
return false; |
177
|
|
|
} |
178
|
|
|
|
179
|
|
|
/** |
180
|
|
|
* Sauvegarde une IP dans les IP TOUJOURS authorisée |
181
|
|
|
* |
182
|
|
|
* @global m_mem $mem |
183
|
|
|
*/ |
184
|
|
|
function ip_save_whitelist($id, $ipsub, $infos) { |
185
|
|
|
global $mem; |
186
|
|
|
if (!$mem->checkRight()) { |
187
|
|
|
return false; |
188
|
|
|
} |
189
|
|
|
return $this->ip_save($id, $ipsub, $infos, 0); |
190
|
|
|
} |
191
|
|
|
|
192
|
|
|
/** |
193
|
|
|
* Sauvegarde une IP dans les IP authorisée |
194
|
|
|
* |
195
|
|
|
* @global m_mysql $db |
196
|
|
|
* @global m_mem $mem |
197
|
|
|
* @global int $cuid |
198
|
|
|
* @param int $id id de la ligne à modifier. Si vide ou |
199
|
|
|
* égal à 0, alors c'est une insertion |
200
|
|
|
* @param string $ipsub IP (v4 ou v6), potentiellement avec un subnet ( /24) |
201
|
|
|
* @param string $infos Commentaire pour l'utilisateur |
202
|
|
|
* @param int $uid Si $uid=0 et qu'on est super-admin, insertion avec uid=0 |
203
|
|
|
* ce qui correspond a une ip toujours authorisée |
204
|
|
|
* @return boolean Retourne FALSE si erreur, sinon TRUE |
205
|
|
|
* |
206
|
|
|
*/ |
207
|
|
|
function ip_save($id, $ipsub, $infos, $uid = null) { |
208
|
|
|
global $db, $mem; |
209
|
|
|
|
210
|
|
|
// If we ask for uid=0, we have to check to be super-user |
211
|
|
|
// else, juste use global cuid; |
212
|
|
|
if ($uid === 0 && $mem->checkRight()) { |
213
|
|
|
$cuid = 0; |
214
|
|
|
} else { |
215
|
|
|
global $cuid; |
216
|
|
|
} |
217
|
|
|
|
218
|
|
|
$id = intval($id); |
219
|
|
|
$infos = mysql_real_escape_string($infos); |
220
|
|
|
|
221
|
|
|
// Extract subnet from ipsub |
222
|
|
|
$tmp = explode('/', $ipsub); |
223
|
|
|
$ip = $tmp[0]; |
224
|
|
|
|
225
|
|
|
// Error if $ip not an IP |
226
|
|
|
if (!checkip($ip) && !checkipv6($ip)) { |
227
|
|
|
echo "Failed : not an IP address"; |
228
|
|
|
return false; |
229
|
|
|
} |
230
|
|
|
|
231
|
|
|
// Check the subnet, if not defined, give a /32 or a /128 |
232
|
|
|
if (isset($tmp[1])) { |
233
|
|
|
$subnet = intval($tmp[1]); |
234
|
|
|
} else { |
235
|
|
|
if (checkip($ip)) { |
236
|
|
|
$subnet = 32; |
237
|
|
|
} else { |
238
|
|
|
$subnet = 128; |
239
|
|
|
} |
240
|
|
|
} |
241
|
|
|
|
242
|
|
|
// An IPv4 can't have subnet > 32 |
243
|
|
|
if (checkip($ip) && $subnet > 32) { |
244
|
|
|
$subnet = 32; |
245
|
|
|
} |
246
|
|
|
|
247
|
|
|
if ($id) { // Update |
248
|
|
|
$list_affected = $this->list_affected($id); |
249
|
|
|
foreach ($list_affected as $k => $v) { |
250
|
|
|
$this->call_hooks("authip_on_delete", $k); |
251
|
|
|
} |
252
|
|
|
if (!$db->query("update authorised_ip set ip= ?, subnet= ?, infos= ? where id= ? and uid=? ;", array($id, $subnetn, $infos, $id, $cuid))) { |
|
|
|
|
253
|
|
|
echo "query failed: " . $db->Error; |
254
|
|
|
return false; |
255
|
|
|
} |
256
|
|
|
foreach ($list_affected as $k => $v) { |
257
|
|
|
$this->call_hooks("authip_on_create", $k); |
258
|
|
|
} |
259
|
|
|
} else { // Insert |
260
|
|
|
if (!$db->query("insert into authorised_ip (uid, ip, subnet, infos) values (?, ?, ?, ?);", array($cuid, $ip, $subnet, $infos))) { |
261
|
|
|
echo "query failed: " . $db->Error; |
262
|
|
|
return false; |
263
|
|
|
} |
264
|
|
|
} |
265
|
|
|
return true; |
266
|
|
|
} |
267
|
|
|
|
268
|
|
|
/** |
269
|
|
|
* Fonction appelée par Alternc lors de la suppression d'un utilisateur |
270
|
|
|
* |
271
|
|
|
* @global int $cuid |
272
|
|
|
* @global m_mysql $db |
273
|
|
|
* @return boolean Retourne TRUE |
274
|
|
|
*/ |
275
|
|
|
function alternc_del_member() { |
276
|
|
|
global $cuid, $db; |
277
|
|
|
$db->query("SELECT id FROM authorised_ip WHERE uid = ?;", array($cuid)); |
278
|
|
|
while ($db->next_record()) { |
279
|
|
|
$this->ip_delete($db->f('id')); |
280
|
|
|
} |
281
|
|
|
return true; |
282
|
|
|
} |
283
|
|
|
|
284
|
|
|
/** |
285
|
|
|
* Analyse les classes et récupéres les informations |
286
|
|
|
* des classes voulant de la restriction IP |
287
|
|
|
* |
288
|
|
|
* @return array Retourne un tableau compliqué |
289
|
|
|
*/ |
290
|
|
|
function get_auth_class() { |
291
|
|
|
global $hooks; |
292
|
|
|
$authclass = $hooks->invoke('authip_class'); |
293
|
|
|
|
294
|
|
|
// Je rajoute la class DANS l'objet parce que |
295
|
|
|
// ca m'interesse |
296
|
|
|
foreach ($authclass as $k => $v) { |
297
|
|
|
$authclass[$k]['class'] = $k; |
298
|
|
|
} |
299
|
|
|
|
300
|
|
|
return $authclass; |
301
|
|
|
} |
302
|
|
|
|
303
|
|
|
/** |
304
|
|
|
* Enregistre ou modifie une affectation ip<=>ressource |
305
|
|
|
* Nota : lance des hooks sur la classe correspondante pour |
306
|
|
|
* informer de l'édition/création |
307
|
|
|
* |
308
|
|
|
* @global m_mysql $db |
309
|
|
|
* @param int $authorised_ip_id id de l'ip affecté |
310
|
|
|
* @param string $protocol nom du protocole (définie dans la classe correspondante) |
311
|
|
|
* @param string $parameters information propre au protocole |
312
|
|
|
* @param int $id $id présent si c'est une édition |
313
|
|
|
* @return boolean Retourne FALSE si erreur, sinon TRUE |
314
|
|
|
*/ |
315
|
|
|
function ip_affected_save($authorised_ip_id, $protocol, $parameters, $id = null) { |
316
|
|
|
global $db; |
317
|
|
|
$authorised_ip_id = intval($authorised_ip_id); |
318
|
|
|
|
319
|
|
|
if ($id) { |
320
|
|
|
$id = intval($id); |
321
|
|
|
$this->call_hooks("authip_on_delete", $id); |
322
|
|
|
if (!$db->query("update authorised_ip_affected set authorised_ip_id= ?, protocol= ?, parameters= ? where id = ? limit 1;", array($authorised_ip_id, $protocol, $parameters, $id))) { |
323
|
|
|
echo "query failed: " . $db->Error; |
324
|
|
|
return false; |
325
|
|
|
} |
326
|
|
|
$this->call_hooks("authip_on_create", $id); |
327
|
|
|
} else { |
328
|
|
|
if (!$db->query("insert into authorised_ip_affected (authorised_ip_id, protocol, parameters) values (?, ?, ?);", array($authorised_ip_id, $protocol, $parameters))) { |
329
|
|
|
echo "query failed: " . $db->Error; |
330
|
|
|
return false; |
331
|
|
|
} |
332
|
|
|
$this->call_hooks("authip_on_create", $db->lastid()); |
333
|
|
|
} |
334
|
|
|
return true; |
335
|
|
|
} |
336
|
|
|
|
337
|
|
|
/** |
338
|
|
|
* Supprime une affectation ip<=>ressource |
339
|
|
|
* Nota : lance des hooks dans la classe correspondante |
340
|
|
|
* pour informer de la suppression |
341
|
|
|
* |
342
|
|
|
* @global m_mysql $db |
343
|
|
|
* @param int $id id de la ligne à supprimer |
344
|
|
|
* @return boolean Retourne FALSE si erreur, sinon TRUE |
345
|
|
|
*/ |
346
|
|
|
function ip_affected_delete($id) { |
347
|
|
|
global $db; |
348
|
|
|
$id = intval($id); |
349
|
|
|
|
350
|
|
|
// Call hooks |
351
|
|
|
$this->call_hooks("authip_on_delete", $id); |
352
|
|
|
|
353
|
|
|
if (!$db->query("delete from authorised_ip_affected where id= ? limit 1;", array($id))) { |
354
|
|
|
echo "query failed: " . $db->Error; |
355
|
|
|
return false; |
356
|
|
|
} |
357
|
|
|
return true; |
358
|
|
|
} |
359
|
|
|
|
360
|
|
|
/** |
361
|
|
|
* Appel les hooks demandé avec en parametres les |
362
|
|
|
* affectationt ip<=>ressource dont l'id est en parametre |
363
|
|
|
* |
364
|
|
|
* @global m_hooks $hooks |
365
|
|
|
* @global m_err $err |
366
|
|
|
* @param string $function Nom de la fonction a rechercher et appeller dans les classes |
367
|
|
|
* @param integer $affectation_id Id de l'affectation correspondante |
368
|
|
|
* @return boolean Retourne TRUE |
369
|
|
|
*/ |
370
|
|
|
function call_hooks($function, $affectation_id) { |
371
|
|
|
global $hooks, $err; |
372
|
|
|
|
373
|
|
|
// On récure l'objet dont on parle |
374
|
|
|
$d = $this->list_affected(); |
375
|
|
|
if (!isset($d[$affectation_id])) { |
376
|
|
|
$err->raise('authip', _("Object not available")); |
377
|
|
|
return false; |
378
|
|
|
} |
379
|
|
|
|
380
|
|
|
$affectation = $d[$affectation_id]; |
381
|
|
|
|
382
|
|
|
// On en déduis la classe qui le concerne |
383
|
|
|
$e = $this->get_auth_class(); |
384
|
|
|
if (!isset($e[$affectation['protocol']])) { |
385
|
|
|
$err->raise('authip', sprintf(_("Can't identified class for the protocole %s"), $affectation['protocol'])); |
386
|
|
|
return false; |
387
|
|
|
} |
388
|
|
|
$c = $e[$affectation['protocol']]['class']; |
389
|
|
|
|
390
|
|
|
// On appelle le hooks de cette classe |
391
|
|
|
$hooks->invoke($function, Array($affectation), Array($c)); |
392
|
|
|
|
393
|
|
|
return true; |
394
|
|
|
} |
395
|
|
|
|
396
|
|
|
/** |
397
|
|
|
* Liste les affectation ip<=>ressource d'un utilisateur |
398
|
|
|
* |
399
|
|
|
* @global m_mysql $db |
400
|
|
|
* @global int $cuid |
401
|
|
|
* @param int $ip_id |
402
|
|
|
* @return array Retourne un tableau de valeurs |
403
|
|
|
*/ |
404
|
|
|
function list_affected($ip_id = null) { |
405
|
|
|
global $db, $cuid; |
406
|
|
|
|
407
|
|
|
$r = array(); |
408
|
|
|
if (is_null($ip_id)) { |
409
|
|
|
$db->query("select aia.* from authorised_ip_affected aia, authorised_ip ai where ai.uid= ? and aia.authorised_ip_id = ai.id order by protocol, parameters;", array($cuid)); |
410
|
|
|
} else { |
411
|
|
|
$db->query("select aia.* from authorised_ip_affected aia, authorised_ip ai where ai.uid= ? and aia.authorised_ip_id = ? order by protocol, parameters;", array($cuid, intval($ip_id))); |
412
|
|
|
} |
413
|
|
|
while ($db->next_record()) { |
414
|
|
|
$r[$db->f('id')] = $db->Record; |
415
|
|
|
} |
416
|
|
|
return $r; |
417
|
|
|
} |
418
|
|
|
|
419
|
|
|
} |
420
|
|
|
|
421
|
|
|
/* Classe m_authip */ |
422
|
|
|
|
This check looks for variables that are accessed but have not been defined. It raises an issue if it finds another variable that has a similar name.
The variable may have been renamed without also renaming all references.