Diffstat (limited to 'endpoints/lib/auth')
-rw-r--r--endpoints/lib/auth/ActiveDirectory.php203
-rw-r--r--endpoints/lib/auth/Builtin.php203
-rw-r--r--endpoints/lib/auth/LDAP.php105
-rw-r--r--endpoints/lib/auth/OpenMediaVault.php115
-rw-r--r--endpoints/lib/auth/WebAuth.php75
-rw-r--r--endpoints/lib/auth/index.html0
6 files changed, 701 insertions, 0 deletions
diff --git a/endpoints/lib/auth/ActiveDirectory.php b/endpoints/lib/auth/ActiveDirectory.php
new file mode 100644
index 0000000..ce8c4df
--- /dev/null
+++ b/endpoints/lib/auth/ActiveDirectory.php
@@ -0,0 +1,203 @@
+<?php
+/*
+ * $Id: ActiveDirectory.php 501 2013-07-11 17:44:37Z imooreyahoo@gmail.com $
+* Experimental!
+*/
+class phpvbAuthActiveDirectory implements phpvbAuth {
+
+ var $capabilities = array(
+ 'canChangePassword' => false,
+ 'canLogout' => true
+ );
+
+ var $config = array(
+ 'host' => '127.0.0.1',
+ 'admin_group' => null,
+ 'adminUser' => null,
+ 'user_group' => null,
+ 'container' => 'CN=Users',
+ 'domain' => 'internal.local',
+ 'filter' => '(&(objectclass=User)(objectCategory=Person))'
+ );
+
+ /**
+ * Constructor
+ * @param array $userConfig - user configuration for this module
+ */
+ function phpvbAuthActiveDirectory($userConfig = null) {
+ // Merge user config
+ if($userConfig) {
+ $this->config = array_merge($this->config,$userConfig);
+ }
+ }
+
+ /**
+ * Test log in and set $_SESSION vars
+ * @param string $username
+ * @param string $password
+ * @see phpvbAuth::login()
+ */
+ function login($username, $password)
+ {
+ global $_SESSION;
+
+
+ /*
+ * Check for LDAP functionality and provide some direction
+ */
+ if(!function_exists('ldap_connect')) {
+
+ $ex = 'LDAP support is not enabled in your PHP configuration.';
+
+ if(strtolower(substr(PHP_OS, 0, 3)) == 'win') {
+
+ ob_start();
+ phpinfo(INFO_GENERAL);
+ $phpinfo = ob_get_contents();
+ ob_end_clean();
+ preg_match('/Loaded Configuration File <\/td><td.*?>(.*?)\s*</', $phpinfo, $phpinfo);
+
+ $ex .= ' You probably just need to uncomment the line ;extension=php_ldap.dll in php.ini'.
+ (count($phpinfo) > 1 ? ' (' .trim($phpinfo[1]).')' : '') . ' by removing the ";" and restart your web server.';
+
+ } else if(strtolower(substr(PHP_OS, 0, 5)) == 'Linux') {
+
+ $ex .= ' You probably need to install the php5-ldap (or similar depending on your distribution) package and restart your web server.';
+
+ }
+ throw new Exception($ex);
+ }
+
+ $_SESSION['valid'] = false;
+
+ // Connect to server
+ if(!($auth = ldap_connect($this->config['host']))) {
+ throw new Exception('Active Directory error ('.ldap_errno($auth).') ' . ldap_error($auth));
+ }
+
+ // Set relevant LDAP options
+ ldap_set_option($auth,LDAP_OPT_PROTOCOL_VERSION, 3);
+
+
+ // Main login /bind
+ if(!($bind = @ldap_bind($auth, $username . "@" .$this->config['domain'], $password))) {
+ if(ldap_errno($auth) == 49) return false;
+ throw new Exception('Active Directory error ('.ldap_errno($auth).') ' . ldap_error($auth));
+ }
+
+
+ // Get user information from AD
+ ////////////////////////////////////
+
+
+ // Set filter and sanitize username before sending it to AD
+ $filter = "(sAMAccountName=" .
+ str_replace(array(',','=','+','<','>',';','\\','"','#','(',')','*',chr(0)), '', $username) . ")";
+ if($this->config['filter'] && false) {
+ $filter = '(&'. $this->config['filter'] .' ('. $filter .'))';
+ }
+
+ $result = @ldap_search($auth,
+ $this->config['container'] . ',DC=' . join(',DC=', explode('.', $this->config['domain'])),
+ $filter, array("memberof","useraccountcontrol"));
+
+ if(!result) throw new Exception ("Unable to search Active Directory server: " . ldap_error($auth));
+ @list($entries) = @ldap_get_entries($auth, $result);
+ @ldap_unbind($auth);
+ if(!$entries) {
+ throw new Exception("Permission denied");
+ }
+
+
+ // Check for disabled user
+ if((intval($entries['useraccountcontrol'][0]) & 2)) {
+ throw new Exception('This account is disabled in Active Directory.');
+ }
+
+ // check for valid admin group
+ if($this->config['admin_group']) {
+ foreach($entries['memberof'] as $group) {
+ list($group) = explode(',', $group);
+ if(strtolower($group) == strtolower('cn='.$this->config['admin_group'])) {
+ $_SESSION['admin'] = $_SESSION['valid'] = true;
+ break;
+ }
+ }
+ }
+
+ // Admin user explicitly set?
+ if(!$_SESSION['admin'] && $this->config['adminUser']) {
+ $_SESSION['admin'] = (strtolower($this->config['adminUser']) == strtolower($username));
+ // Admin is ok
+ $_SESSION['valid'] = ($_SESSION['admin'] || $_SESSION['valid']);
+ }
+
+ // check for valid user group
+ if($this->config['user_group'] && !$_SESSION['valid']) {
+ foreach($entries['memberof'] as $group) {
+ list($group) = explode(',', $group);
+ if(strtolower($group) == strtolower('cn='.$this->config['user_group'])) {
+ $_SESSION['valid'] = true;
+ break;
+ }
+ }
+ } else {
+ $_SESSION['valid'] = true;
+ }
+
+ if(!$_SESSION['valid'])
+ throw new Exception("Permission denied");
+
+ // Admin user explicitly set?
+ if(!$_SESSION['admin'] && $this->config['adminUser']) {
+ $_SESSION['admin'] = (strtolower($this->config['adminUser']) == strtolower($username));
+ }
+
+ // No admin information specified makes everyone an admin
+ if(!$this->config['adminUser'] && !$this->config['admin_group'])
+ $_SESSION['admin'] = true;
+
+ // user has permission. establish session variables
+ $_SESSION['user'] = $username;
+ $_SESSION['authCheckHeartbeat'] = time();
+
+
+ return true;
+
+ }
+
+ function heartbeat($vbox)
+ {
+ global $_SESSION;
+
+ $_SESSION['valid'] = true;
+ $_SESSION['authCheckHeartbeat'] = time();
+ }
+
+ function changePassword($old, $new)
+ {
+ }
+
+ function logout(&$response)
+ {
+ global $_SESSION;
+ if(function_exists('session_destroy')) session_destroy();
+ else unset($_SESSION['valid']);
+ $response['data']['result'] = 1;
+ }
+
+ function listUsers()
+ {
+
+ }
+
+ function updateUser($vboxRequest, $skipExistCheck)
+ {
+
+ }
+
+ function deleteUser($user)
+ {
+
+ }
+}
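Review bot: The search-failure check `if(!result)` tests the bare word `result`, not `$result`, so a failed `ldap_search` is never caught (an undefined constant on PHP 5, an Error on PHP 8) and `false` is handed on to `ldap_get_entries`; it should read `if(!$result) throw new Exception(...)`. The bind at `@ldap_bind($auth, $username . "@" . ...)` is also reached with an empty `$password`, which many directories treat as an unauthenticated bind that succeeds for any name, so `if($password === '' || $password === null) return false;` belongs before it — the same applies to the bind in LDAP.php in this commit. The `strtolower(substr(PHP_OS, 0, 5)) == 'Linux'` branch compares a lowercased string with a capitalised one and can never match (also in LDAP.php). The filter sanitisation strips characters instead of escaping them and the `&& false` on the config-filter check silently disables the configured filter; `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` (PHP 5.6+) is the standard form. `$_SESSION['admin']` is read at the adminUser check before anything in this login assigns it, so it should be initialised to `false` next to `$_SESSION['valid'] = false;`.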
diff --git a/endpoints/lib/auth/Builtin.php b/endpoints/lib/auth/Builtin.php
new file mode 100644
index 0000000..f720c05
--- /dev/null
+++ b/endpoints/lib/auth/Builtin.php
@@ -0,0 +1,203 @@
+<?php
+/**
+ *
+ * Built-in authentication module. Uses VirtualBox's set/getExtraData capability
+ * to store / retrieve user credentials. Called from API when authentication
+ * functions are requested.
+ *
+ * @author Ian Moore (imoore76 at yahoo dot com)
+ * @copyright Copyright (C) 2010-2015 Ian Moore (imoore76 at yahoo dot com)
+ * @version $Id: Builtin.php 595 2015-04-17 09:50:36Z imoore76 $
+ * @package phpVirtualBox
+ * @see vboxconnector
+ *
+ */
+class phpvbAuthBuiltin implements phpvbAuth {
+
+ /**
+ *
+ * A list of capabilities describing this authentication module.
+ * @var array capability values:
+ * @var boolean canChangePassword
+ * @var boolean canModifyUsers
+ * @var boolean canLogout
+ *
+ */
+ var $capabilities = array(
+ 'canChangePassword' => true,
+ 'canModifyUsers' => true,
+ 'canLogout' => true
+ );
+
+ /**
+ *
+ * Log in function. Populates $_SESSION
+ * @param string $username user name
+ * @param string $password password
+ */
+ function login($username, $password)
+ {
+ global $_SESSION;
+
+ $vbox = new vboxconnector(true);
+ $vbox->skipSessionCheck = true;
+ $vbox->connect();
+ $p = $vbox->vbox->getExtraData('phpvb/users/'.$username.'/pass');
+
+ // Check for initial login
+ if($username == 'admin' && !$p && !$vbox->vbox->getExtraData('phpvb/usersSetup')) {
+ $vbox->vbox->setExtraData('phpvb/usersSetup','1');
+ $vbox->vbox->setExtraData('phpvb/users/'.$username.'/pass', hash('sha512', 'admin'));
+ $vbox->vbox->setExtraData('phpvb/users/'.$username.'/admin', '1');
+ $p = hash('sha512', 'admin');
+ }
+
+ if($p == hash('sha512', $password)) {
+ $_SESSION['valid'] = true;
+ $_SESSION['user'] = $username;
+ $_SESSION['admin'] = intval($vbox->vbox->getExtraData('phpvb/users/'.$username.'/admin'));
+ $_SESSION['authCheckHeartbeat'] = time();
+ $_SESSION['uHash'] = $p;
+ $_SESSION['uHash256'] = hash('sha256',$password);
+ }
+ }
+
+ /**
+ *
+ * Change password function.
+ * @param string $old old password
+ * @param string $new new password
+ * @return boolean true on success
+ */
+ function changePassword($old, $new)
+ {
+ global $_SESSION;
+
+ // Use main / auth server
+ $vbox = new vboxconnector(true);
+ $vbox->connect();
+ $p = $vbox->vbox->getExtraData('phpvb/users/'.$_SESSION['user'].'/pass');
+
+ if($p == hash('sha512', $old)) {
+ $np = hash('sha512', $new);
+ $vbox->vbox->setExtraData('phpvb/users/'.$_SESSION['user'].'/pass', $np);
+ $response['data']['result'] = 1;
+ $_SESSION['uHash'] = $np;
+ $_SESSION['uHash256'] = hash('sha256',$np);
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ *
+ * Revalidate login info and set authCheckHeartbeat session variable.
+ * @param vboxconnector $vbox vboxconnector object instance
+ */
+ function heartbeat($vbox)
+ {
+ global $_SESSION;
+
+ // Check to see if we only have 1 server or are already connected
+ // to the authentication master server
+ if(@$vbox->settings->authMaster || count($vbox->settings->servers) == 1) {
+ $vbcheck = &$vbox;
+ } else {
+ $vbcheck = new vboxconnector(true);
+ }
+
+ $vbcheck->connect();
+ $p = $vbcheck->vbox->getExtraData('phpvb/users/'.$_SESSION['user'].'/pass');
+ if(!@$p || @$_SESSION['uHash'] != $p) {
+ if(function_exists('session_destroy')) session_destroy();
+ unset($_SESSION['valid']);
+ } else {
+ $_SESSION['admin'] = intval($vbcheck->vbox->getExtraData('phpvb/users/'.$_SESSION['user'].'/admin'));
+ $_SESSION['authCheckHeartbeat'] = time();
+ }
+
+ if(!@$_SESSION['valid'])
+ throw new Exception(trans('Not logged in.','UIUsers'), vboxconnector::PHPVB_ERRNO_FATAL);
+ }
+
+ /**
+ *
+ * Log out user present in $_SESSION
+ * @param array $response response passed byref by API and populated within function
+ */
+ function logout(&$response)
+ {
+ global $_SESSION;
+ if(function_exists('session_destroy')) session_destroy();
+ else unset($_SESSION['valid']);
+ $response['data']['result'] = 1;
+ }
+
+ /**
+ *
+ * Return a list of users
+ * @return array list of users
+ */
+ function listUsers()
+ {
+ $response = array();
+
+ // Use main / auth server
+ $vbox = new vboxconnector(true);
+ $vbox->connect();
+
+ $keys = $vbox->vbox->getExtraDataKeys();
+ foreach($keys as $k) {
+ if(strpos($k,'phpvb/users/') === 0) {
+ $user = substr($k,12,strpos($k,'/',13)-12);
+ if(isset($response[$user])) continue;
+ $admin = intval($vbox->vbox->getExtraData('phpvb/users/'.$user.'/admin'));
+ $response[$user] = array('username'=>$user,'admin'=>$admin);
+ }
+ }
+ return $response;
+ }
+
+ /**
+ *
+ * Update user information such as password and admin status
+ * @param array $vboxRequest request passed from API representing the request. Contains user, password and administration level.
+ * @param boolean $skipExistCheck Do not check that the user exists first. Essentially, if this is set and the user does not exist, it is added.
+ */
+ function updateUser($vboxRequest, $skipExistCheck)
+ {
+ global $_SESSION;
+
+ // Must be an admin
+ if(!$_SESSION['admin']) break;
+
+ // Use main / auth server
+ $vbox = new vboxconnector(true);
+ $vbox->connect();
+
+ // See if it exists
+ if(!$skipExistCheck && $vbox->vbox->getExtraData('phpvb/users/'.$vboxRequest['u'].'/pass'))
+ break;
+
+ if($vboxRequest['p'])
+ $vbox->vbox->setExtraData('phpvb/users/'.$vboxRequest['u'].'/pass', hash('sha512', $vboxRequest['p']));
+
+ $vbox->vbox->setExtraData('phpvb/users/'.$vboxRequest['u'].'/admin', ($vboxRequest['a'] ? '1' : '0'));
+ }
+
+ /**
+ *
+ * Remove the user $user
+ * @param string $user Username to remove
+ */
+ function deleteUser($user)
+ {
+ // Use main / auth server
+ $vbox = new vboxconnector(true);
+ $vbox->connect();
+
+ $vbox->vbox->setExtraData('phpvb/users/'.$user.'/pass','');
+ $vbox->vbox->setExtraData('phpvb/users/'.$user.'/admin','');
+ $vbox->vbox->setExtraData('phpvb/users/'.$user,'');
+ }
+}
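Review bot: `updateUser` uses `break;` for both the admin check and the exists check, but neither statement is inside a loop or switch, which PHP treats as a fatal error, so the method cannot run as written; both should be `return;`. The password comparisons `$p == hash('sha512', $password)` in login and `@$_SESSION['uHash'] != $p` in heartbeat are loose, non-constant-time comparisons; `hash_equals($p, hash('sha512', $password))` is the intended form. In `changePassword`, `$_SESSION['uHash256']` is set from `hash('sha256',$np)` — a hash of the stored hash — while login sets it from the plaintext password, so the two values disagree after a password change; it should be `hash('sha256', $new)`. The `$response['data']['result'] = 1;` in changePassword writes to an undefined local and has no effect. The stored credential is an unsalted SHA-512 of the password; a migration to `password_hash`/`password_verify` would be worth a follow-up, though it changes the stored format.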
diff --git a/endpoints/lib/auth/LDAP.php b/endpoints/lib/auth/LDAP.php
new file mode 100644
index 0000000..f4b4672
--- /dev/null
+++ b/endpoints/lib/auth/LDAP.php
@@ -0,0 +1,105 @@
+<?php
+/*
+ * $Id: LDAP.php 501 2013-07-11 17:44:37Z imooreyahoo@gmail.com $
+ * Experimental!
+ */
+
+
+class phpvbAuthLDAP implements phpvbAuth {
+
+ var $capabilities = array(
+ 'canChangePassword' => false,
+ 'canLogout' => true
+ );
+
+ var $config = array(
+ 'host' => '127.0.0.1', // LDAP server ip
+ 'bind_dn' => 'uid=%s, ou=admins, dc=internal, dc=local', // %s will be replaced with login username
+ 'adminUser' => ''
+ );
+
+ function phpvbAuthLDAP($userConfig = null) {
+ if($userConfig) $this->config = array_merge($this->config,$userConfig);
+ }
+
+ function login($username, $password)
+ {
+ global $_SESSION;
+
+ // Check for LDAP functions
+ if(!function_exists('ldap_connect')) {
+
+ $ex = 'LDAP support is not enabled in your PHP configuration.';
+
+ if(strtolower(substr(PHP_OS, 0, 3)) == 'win') {
+
+ ob_start();
+ phpinfo(INFO_GENERAL);
+ $phpinfo = ob_get_contents();
+ ob_end_clean();
+ preg_match('/Loaded Configuration File <\/td><td.*?>(.*?)\s*</', $phpinfo, $phpinfo);
+
+ $ex .= ' You probably just need to uncomment the line ;extension=php_ldap.dll in php.ini'.
+ (count($phpinfo) > 1 ? ' (' .trim($phpinfo[1]).')' : '') . ' by removing the ";" and restart your web server.';
+
+ } else if(strtolower(substr(PHP_OS, 0, 5)) == 'Linux') {
+
+ $ex .= ' You probably need to install the php5-ldap (or similar depending on your distribution) package.';
+
+ }
+ throw new Exception($ex);
+ }
+
+ $auth = ldap_connect($this->config['host']);
+
+ if(!$auth) return false;
+
+ ldap_set_option($auth,LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ if(!@ldap_bind($auth, sprintf($this->config['bind_dn'], $username), $password))
+ return false;
+
+
+ $_SESSION['valid'] = true;
+ $_SESSION['user'] = $username;
+ $_SESSION['admin'] = (!$this->config['adminUser']) || ($_SESSION['user'] == $this->config['adminUser']);
+ $_SESSION['authCheckHeartbeat'] = time();
+
+ }
+
+
+ function heartbeat($vbox)
+ {
+ global $_SESSION;
+
+ $_SESSION['valid'] = true;
+ $_SESSION['authCheckHeartbeat'] = time();
+ }
+
+ function changePassword($old, $new)
+ {
+ }
+
+ function logout(&$response)
+ {
+ global $_SESSION;
+ if(function_exists('session_destroy')) session_destroy();
+ else unset($_SESSION['valid']);
+ $response['data']['result'] = 1;
+ }
+
+ function listUsers()
+ {
+
+ }
+
+ function updateUser($vboxRequest, $skipExistCheck)
+ {
+
+ }
+
+ function deleteUser($user)
+ {
+
+ }
+}
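Review bot: The bind DN at `sprintf($this->config['bind_dn'], $username)` interpolates the login name without DN escaping, so characters with DN meaning in `$username` change which entry is bound; `ldap_escape($username, '', LDAP_ESCAPE_DN)` (PHP 5.6+) should be applied first. `login` sets the session and falls off the end, returning null on success, whereas `phpvbAuthActiveDirectory::login` in this commit returns `true`; if the caller checks the return value a successful LDAP login reads as a failure, so a `return true;` after `$_SESSION['authCheckHeartbeat'] = time();` would make the two consistent (the interface is not in this diff, so that is inferred). `heartbeat` sets `$_SESSION['valid'] = true` unconditionally and never re-contacts the directory, so a user removed or disabled server-side stays logged in until the session ends; a comment recording that, `// No re-validation against the directory: revocation takes effect only when the session ends`, would help. The `ldap_connect` failure path returns false rather than surfacing the error as ActiveDirectory.php does, which makes "server unreachable" indistinguishable from "bad credentials" to the caller.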
diff --git a/endpoints/lib/auth/OpenMediaVault.php b/endpoints/lib/auth/OpenMediaVault.php
new file mode 100644
index 0000000..71b3d02
--- /dev/null
+++ b/endpoints/lib/auth/OpenMediaVault.php
@@ -0,0 +1,115 @@
+<?php
+/*
+ * $Id: OpenMediaVault.php 470 2012-10-24 21:43:25Z imooreyahoo@gmail.com $
+*/
+
+/*
+ * OMV Specific
+*/
+try {
+
+ // Must be made global or OMV breaks
+ global $xmlConfig, $OMV_DEFAULT_FILE;
+
+ require_once("openmediavault/globals.inc");
+ require_once("openmediavault/session.inc");
+ require_once("rpc/authentication.inc");
+
+} catch(Exception $e) {
+
+ header("Content-Type: text/html");
+ die("Error #".$e->getCode().":<br/>". str_replace("\n", "<br/>",$e->__toString()));
+}
+
+class phpvbAuthOpenMediaVault implements phpvbAuth {
+
+ static $session = null;
+
+ var $capabilities = array(
+ 'canChangePassword' => false,
+ 'sessionStart' => 'sessionStart',
+ 'canLogout' => true
+ );
+
+ var $config = array(
+ 'allowNonAdmin' => false
+ );
+
+ function __construct($userConfig = null) {
+ if($userConfig) $this->config = array_merge($this->config,$userConfig);
+ }
+
+ function login($username, $password)
+ {
+ # Try / catch so that we don't expose
+ # usernames / passwords
+ require_once("rpc/authentication.inc");
+ $a = new AuthenticationRpc();
+ try {
+
+ $auth = $a->login(array('username'=>$username,'password'=>$password));
+
+ self::$session = &OMVSession::getInstance();
+
+ if(@$auth["authenticated"] &&
+ (self::$session->getRole() !== OMV_ROLE_USER || $this->config['allowNonAdmin'])) {
+ $_SESSION['admin'] = (self::$session->getRole() !== OMV_ROLE_USER);
+ $_SESSION['user'] = $_SESSION['username'];
+ $_SESSION['valid'] = ($_SESSION['admin'] || $this->config['allowNonAdmin']);
+ $_SESSION['authCheckHeartbeat'] = time();
+
+ }
+
+ if(!@$_SESSION['valid']) {
+ return false;
+ }
+ return true;
+
+ } catch (Exception $e) {
+ return false;
+ }
+ return false;
+ }
+
+ function sessionStart($keepopen) {
+
+ self::$session = &OMVSession::getInstance();
+ self::$session->start();
+
+
+ if (self::$session->isAuthenticated() && !self::$session->isTimeout()) {
+
+ self::$session->validate();
+ self::$session->updateLastAccess();
+
+ $_SESSION['admin'] = (self::$session->getRole() !== OMV_ROLE_USER);
+ $_SESSION['user'] = $_SESSION['username'];
+ $_SESSION['valid'] = (self::$session->getRole() !== OMV_ROLE_USER || $this->config['allowNonAdmin']);
+
+ } else {
+
+ $_SESSION['admin'] = $_SESSION['user'] = $_SESSION['valid'] = null;
+
+ }
+
+ if(!$keepopen)
+ session_write_close();
+
+ }
+
+
+ function logout(&$response)
+ {
+ require_once("rpc/authentication.inc");
+ $a = new AuthenticationRpc();
+ $a->logout();
+ $response['data']['result'] = 1;
+ }
+
+ /* Defined for compatibility with implemented interface */
+ function heartbeat($vbox){}
+ function changePassword($old, $new){}
+ function listUsers(){}
+ function updateUser($vboxRequest, $skipExistCheck){}
+ function deleteUser($user){}
+}
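Review bot: On a failed authentication `login` never resets `$_SESSION['valid']`, so the `if(!@$_SESSION['valid'])` test reports leftover session state rather than this attempt — `phpvbAuthActiveDirectory::login` in this commit starts with `$_SESSION['valid'] = false;` and the same line belongs at the top of the `try` here. The file-level `catch` at the top writes `$e->__toString()` into the response, which includes the stack trace and server file paths; log it server-side and send a generic message instead. `$_SESSION['user'] = $_SESSION['username'];` depends on OMV having populated that key while the `$username` argument is already in hand, which is worth a comment if it is intentional. The `return false;` after the try/catch is unreachable.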
diff --git a/endpoints/lib/auth/WebAuth.php b/endpoints/lib/auth/WebAuth.php
new file mode 100644
index 0000000..fb5d4b1
--- /dev/null
+++ b/endpoints/lib/auth/WebAuth.php
@@ -0,0 +1,75 @@
+<?php
+/*
+ * $Id: WebAuth.php 470 2012-10-24 21:43:25Z imooreyahoo@gmail.com $
+ */
+
+class phpvbAuthWebAuth implements phpvbAuth {
+
+ var $capabilities = array(
+ 'canChangePassword' => false,
+ 'canLogout' => false
+ );
+
+ var $config = array(
+ 'serverUserKey' => 'REMOTE_USER'
+ );
+
+ function phpvbAuthWebAuth($userConfig = null) {
+ if($userConfig) $this->config = array_merge($this->config,$userConfig);
+ }
+
+ function login($username, $password)
+ {
+ }
+
+ function autoLoginHook()
+ {
+ global $_SESSION;
+ // WebAuth passthrough
+ if ( isset($_SERVER[$this->config['serverUserKey']]) )
+ {
+ $_SESSION['valid'] = true;
+ $_SESSION['user'] = $_SERVER[$this->config['serverUserKey']];
+ $_SESSION['admin'] = (!$this->config['adminUser']) || ($_SESSION['user'] == $this->config['adminUser']);
+ $_SESSION['authCheckHeartbeat'] = time();
+ }
+ }
+
+ function heartbeat($vbox)
+ {
+ global $_SESSION;
+ if ( isset($_SERVER[$this->config['serverUserKey']]) )
+ {
+ $_SESSION['valid'] = true;
+ $_SESSION['authCheckHeartbeat'] = time();
+ }
+ }
+
+ function changePassword($old, $new)
+ {
+ }
+
+ function logout(&$response)
+ {
+ $response['data']['result'] = 1;
+ if ( isset($this->config['logoutURL']) )
+ {
+ $response['data']['url'] = $this->config['logoutURL'];
+ }
+ }
+
+ function listUsers()
+ {
+
+ }
+
+ function updateUser($vboxRequest, $skipExistCheck)
+ {
+
+ }
+
+ function deleteUser($user)
+ {
+
+ }
+}
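Review bot: `autoLoginHook` reads `$this->config['adminUser']`, but the defaults only declare `serverUserKey`, so a deployment that omits `adminUser` gets an undefined-index notice and, because `!null` is true, every web-authenticated user becomes an admin; add `'adminUser' => null,` to `$config` with a comment stating that an unset adminUser grants admin to everyone. The identity is taken from `$_SERVER[$this->config['serverUserKey']]` with no further check, which is sound only while the key is one the web server sets itself (`REMOTE_USER`); a comment on the default, `// must be a server-set variable, not an HTTP_* entry copied from a request header`, would record that assumption. `login` is an empty method returning null, consistent with the module being passthrough-only, but a one-line comment saying so would save the reader a look at the capabilities.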
diff --git a/endpoints/lib/auth/index.html b/endpoints/lib/auth/index.html
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/endpoints/lib/auth/index.html