loginwebpage.class.inc.php 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449
  1. <?php
  2. // Copyright (C) 2010 Combodo SARL
  3. //
  4. // This program is free software; you can redistribute it and/or modify
  5. // it under the terms of the GNU General Public License as published by
  6. // the Free Software Foundation; version 3 of the License.
  7. //
  8. // This program is distributed in the hope that it will be useful,
  9. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  10. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  11. // GNU General Public License for more details.
  12. //
  13. // You should have received a copy of the GNU General Public License
  14. // along with this program; if not, write to the Free Software
  15. // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  16. /**
  17. * Class LoginWebPage
  18. *
  19. * @author Erwan Taloc <erwan.taloc@combodo.com>
  20. * @author Romain Quetiez <romain.quetiez@combodo.com>
  21. * @author Denis Flaven <denis.flaven@combodo.com>
  22. * @license http://www.opensource.org/licenses/gpl-3.0.html LGPL
  23. */
  24. require_once(APPROOT."/application/nicewebpage.class.inc.php");
  25. /**
  26. * Web page used for displaying the login form
  27. */
  28. class LoginWebPage extends NiceWebPage
  29. {
  30. protected static $m_sLoginFailedMessage = '';
  31. public function __construct()
  32. {
  33. parent::__construct("iTop Login");
  34. $this->add_style(<<<EOF
  35. body {
  36. background: #eee;
  37. margin: 0;
  38. padding: 0;
  39. }
  40. #login-logo {
  41. margin-top: 150px;
  42. width: 300px;
  43. padding-left: 20px;
  44. padding-right: 20px;
  45. padding-top: 10px;
  46. padding-bottom: 10px;
  47. margin-left: auto;
  48. margin-right: auto;
  49. background: #f6f6f1;
  50. height: 54px;
  51. border-top: 1px solid #000;
  52. border-left: 1px solid #000;
  53. border-right: 1px solid #000;
  54. border-bottom: 0;
  55. text-align: center;
  56. }
  57. #login-logo img {
  58. border: 0;
  59. }
  60. #login {
  61. width: 300px;
  62. margin-left: auto;
  63. margin-right: auto;
  64. padding: 20px;
  65. background-color: #fff;
  66. border-bottom: 1px solid #000;
  67. border-left: 1px solid #000;
  68. border-right: 1px solid #000;
  69. border-top: 0;
  70. text-align: center;
  71. }
  72. #pwd, #user,#old_pwd, #new_pwd, #retype_new_pwd {
  73. width: 10em;
  74. }
  75. .center {
  76. text-align: center;
  77. }
  78. h1 {
  79. color: #1C94C4;
  80. font-size: 16pt;
  81. }
  82. .v-spacer {
  83. padding-top: 1em;
  84. }
  85. EOF
  86. );
  87. }
  88. public static function SetLoginFailedMessage($sMessage)
  89. {
  90. self::$m_sLoginFailedMessage = $sMessage;
  91. }
  92. public function DisplayLoginForm($sLoginType, $bFailedLogin = false)
  93. {
  94. switch($sLoginType)
  95. {
  96. case 'cas':
  97. utils::InitCASClient();
  98. // force CAS authentication
  99. phpCAS::forceAuthentication(); // Will redirect the user and exit since the user is not yet authenticated
  100. break;
  101. case 'basic':
  102. case 'url':
  103. $this->add_header('WWW-Authenticate: Basic realm="'.Dict::Format('UI:iTopVersion:Short', ITOP_VERSION));
  104. $this->add_header('HTTP/1.0 401 Unauthorized');
  105. // Note: displayed when the user will click on Cancel
  106. $this->add('<p><strong>'.Dict::S('UI:Login:Error:AccessRestricted').'</strong></p>');
  107. break;
  108. case 'external':
  109. case 'form':
  110. default: // In case the settings get messed up...
  111. $sAuthUser = utils::ReadParam('auth_user', '', true, 'raw_data');
  112. $sAuthPwd = utils::ReadParam('suggest_pwd', '', true, 'raw_data');
  113. $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
  114. $this->add("<div id=\"login-logo\"><a href=\"http://www.combodo.com/itop\"><img title=\"$sVersionShort\" src=\"../images/itop-logo-external.png\"></a></div>\n");
  115. $this->add("<div id=\"login\">\n");
  116. $this->add("<h1>".Dict::S('UI:Login:Welcome')."</h1>\n");
  117. if ($bFailedLogin)
  118. {
  119. if (self::$m_sLoginFailedMessage != '')
  120. {
  121. $this->add("<p class=\"hilite\">".self::$m_sLoginFailedMessage."</p>\n");
  122. }
  123. else
  124. {
  125. $this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectLoginPassword')."</p>\n");
  126. }
  127. }
  128. else
  129. {
  130. $this->add("<p>".Dict::S('UI:Login:IdentifyYourself')."</p>\n");
  131. }
  132. $this->add("<form method=\"post\">\n");
  133. $this->add("<table width=\"100%\">\n");
  134. $this->add("<tr><td style=\"text-align:right\"><label for=\"user\">".Dict::S('UI:Login:UserNamePrompt').":</label></td><td style=\"text-align:left\"><input id=\"user\" type=\"text\" name=\"auth_user\" value=\"".htmlentities($sAuthUser, ENT_QUOTES, 'UTF-8')."\" /></td></tr>\n");
  135. $this->add("<tr><td style=\"text-align:right\"><label for=\"pwd\">".Dict::S('UI:Login:PasswordPrompt').":</label></td><td style=\"text-align:left\"><input id=\"pwd\" type=\"password\" name=\"auth_pwd\" value=\"".htmlentities($sAuthPwd, ENT_QUOTES, 'UTF-8')."\" /></td></tr>\n");
  136. $this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"> <input type=\"submit\" value=\"".Dict::S('UI:Button:Login')."\" /></td></tr>\n");
  137. $this->add("</table>\n");
  138. $this->add("<input type=\"hidden\" name=\"loginop\" value=\"login\" />\n");
  139. $this->add("</form>\n");
  140. $this->add("</div>\n");
  141. break;
  142. }
  143. }
  144. public function DisplayChangePwdForm($bFailedLogin = false)
  145. {
  146. $sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
  147. $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
  148. $sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch');
  149. $this->add_script(<<<EOF
  150. function GoBack()
  151. {
  152. window.history.back();
  153. }
  154. function DoCheckPwd()
  155. {
  156. if ($('#new_pwd').val() != $('#retype_new_pwd').val())
  157. {
  158. alert('$sInconsistenPwdMsg');
  159. return false;
  160. }
  161. return true;
  162. }
  163. EOF
  164. );
  165. $this->add("<div id=\"login-logo\"><a href=\"http://www.combodo.com/itop\"><img title=\"$sVersionShort\" src=\"../images/itop-logo.png\"></a></div>\n");
  166. $this->add("<div id=\"login\">\n");
  167. $this->add("<h1>".Dict::S('UI:Login:ChangeYourPassword')."</h1>\n");
  168. if ($bFailedLogin)
  169. {
  170. $this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectOldPassword')."</p>\n");
  171. }
  172. $this->add("<form method=\"post\">\n");
  173. $this->add("<table width=\"100%\">\n");
  174. $this->add("<tr><td style=\"text-align:right\"><label for=\"old_pwd\">".Dict::S('UI:Login:OldPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"old_pwd\" name=\"old_pwd\" value=\"\" /></td></tr>\n");
  175. $this->add("<tr><td style=\"text-align:right\"><label for=\"new_pwd\">".Dict::S('UI:Login:NewPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"new_pwd\" name=\"new_pwd\" value=\"\" /></td></tr>\n");
  176. $this->add("<tr><td style=\"text-align:right\"><label for=\"retype_new_pwd\">".Dict::S('UI:Login:RetypeNewPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"retype_new_pwd\" name=\"retype_new_pwd\" value=\"\" /></td></tr>\n");
  177. $this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"> <input type=\"button\" onClick=\"GoBack();\" value=\"".Dict::S('UI:Button:Cancel')."\" />&nbsp;&nbsp;<input type=\"submit\" onClick=\"return DoCheckPwd();\" value=\"".Dict::S('UI:Button:ChangePassword')."\" /></td></tr>\n");
  178. $this->add("</table>\n");
  179. $this->add("<input type=\"hidden\" name=\"loginop\" value=\"do_change_pwd\" />\n");
  180. $this->add("</form>\n");
  181. $this->add("</div>\n");
  182. }
  183. static function ResetSession()
  184. {
  185. if (isset($_SESSION['login_mode']))
  186. {
  187. $sPreviousLoginMode = $_SESSION['login_mode'];
  188. }
  189. else
  190. {
  191. $sPreviousLoginMode = '';
  192. }
  193. // Unset all of the session variables.
  194. unset($_SESSION['auth_user']);
  195. unset($_SESSION['login_mode']);
  196. // If it's desired to kill the session, also delete the session cookie.
  197. // Note: This will destroy the session, and not just the session data!
  198. }
  199. static function SecureConnectionRequired()
  200. {
  201. return MetaModel::GetConfig()->GetSecureConnectionRequired();
  202. }
  203. static function IsConnectionSecure()
  204. {
  205. $bSecured = false;
  206. if (isset($_SERVER['HTTPS']) && ($_SERVER['HTTPS']!='off'))
  207. {
  208. $bSecured = true;
  209. }
  210. return $bSecured;
  211. }
  212. protected static function Login()
  213. {
  214. if (self::SecureConnectionRequired() && !self::IsConnectionSecure())
  215. {
  216. // Non secured URL... request for a secure connection
  217. throw new Exception('Secure connection required!');
  218. }
  219. $aAllowedLoginTypes = MetaModel::GetConfig()->GetAllowedLoginTypes();
  220. if (isset($_SESSION['auth_user']))
  221. {
  222. //echo "User: ".$_SESSION['auth_user']."\n";
  223. // Already authentified
  224. UserRights::Login($_SESSION['auth_user']); // Login & set the user's language
  225. return true;
  226. }
  227. else
  228. {
  229. $index = 0;
  230. $sLoginMode = '';
  231. $sAuthentication = 'internal';
  232. while(($sLoginMode == '') && ($index < count($aAllowedLoginTypes)))
  233. {
  234. $sLoginType = $aAllowedLoginTypes[$index];
  235. switch($sLoginType)
  236. {
  237. case 'cas':
  238. utils::InitCASClient();
  239. // check CAS authentication
  240. if (phpCAS::isAuthenticated())
  241. {
  242. $sAuthUser = phpCAS::getUser();
  243. $sAuthPwd = '';
  244. $sLoginMode = 'cas';
  245. $sAuthentication = 'external';
  246. }
  247. break;
  248. case 'form':
  249. // iTop standard mode: form based authentication
  250. $sAuthUser = utils::ReadPostedParam('auth_user', '', false, 'raw_data');
  251. $sAuthPwd = utils::ReadPostedParam('auth_pwd', '', false, 'raw_data');
  252. if ($sAuthUser != '')
  253. {
  254. $sLoginMode = 'form';
  255. }
  256. break;
  257. case 'basic':
  258. // Standard PHP authentication method, works with Apache...
  259. // Case 1) Apache running in CGI mode + rewrite rules in .htaccess
  260. if (isset($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['HTTP_AUTHORIZATION']))
  261. {
  262. list($sAuthUser, $sAuthPwd) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
  263. $sLoginMode = 'basic';
  264. }
  265. else if (isset($_SERVER['PHP_AUTH_USER']))
  266. {
  267. $sAuthUser = $_SERVER['PHP_AUTH_USER'];
  268. $sAuthPwd = $_SERVER['PHP_AUTH_PW'];
  269. $sLoginMode = 'basic';
  270. }
  271. break;
  272. case 'external':
  273. // Web server supplied authentication
  274. $bExternalAuth = false;
  275. $sExtAuthVar = MetaModel::GetConfig()->GetExternalAuthenticationVariable(); // In which variable is the info passed ?
  276. eval('$sAuthUser = isset('.$sExtAuthVar.') ? '.$sExtAuthVar.' : false;'); // Retrieve the value
  277. if ($sAuthUser && (strlen($sAuthUser) > 0))
  278. {
  279. $sAuthPwd = ''; // No password in this case the web server already authentified the user...
  280. $sLoginMode = 'external';
  281. $sAuthentication = 'external';
  282. }
  283. break;
  284. case 'url':
  285. // Credentials passed directly in the url
  286. $sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
  287. $sAuthPwd = utils::ReadParam('auth_pwd', null, false, 'raw_data');
  288. if (($sAuthUser != '') && ($sAuthPwd != null))
  289. {
  290. $sLoginMode = 'url';
  291. }
  292. break;
  293. }
  294. $index++;
  295. }
  296. //echo "\nsLoginMode: $sLoginMode (user: $sAuthUser / pwd: $sAuthPwd\n)";
  297. if ($sLoginMode == '')
  298. {
  299. // First connection
  300. $sDesiredLoginMode = utils::ReadParam('login_mode');
  301. if (in_array($sDesiredLoginMode, $aAllowedLoginTypes))
  302. {
  303. $sLoginMode = $sDesiredLoginMode;
  304. }
  305. else
  306. {
  307. $sLoginMode = $aAllowedLoginTypes[0]; // First in the list...
  308. }
  309. $oPage = new LoginWebPage();
  310. $oPage->DisplayLoginForm( $sLoginMode, false /* no previous failed attempt */);
  311. $oPage->output();
  312. exit;
  313. }
  314. else
  315. {
  316. if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $sLoginMode, $sAuthentication))
  317. {
  318. //echo "Check Credentials returned false for user $sAuthUser!";
  319. self::ResetSession();
  320. $oPage = new LoginWebPage();
  321. $oPage->DisplayLoginForm( $sLoginMode, true /* failed attempt */);
  322. $oPage->output();
  323. exit;
  324. }
  325. else
  326. {
  327. // User is Ok, let's save it in the session and proceed with normal login
  328. UserRights::Login($sAuthUser, $sAuthentication); // Login & set the user's language
  329. if (MetaModel::GetConfig()->Get('log_usage'))
  330. {
  331. $oLog = new EventLoginUsage();
  332. $oLog->Set('userinfo', UserRights::GetUser());
  333. $oLog->Set('user_id', UserRights::GetUserObject()->GetKey());
  334. $oLog->Set('message', 'Successful login');
  335. $oLog->DBInsertNoReload();
  336. }
  337. $_SESSION['auth_user'] = $sAuthUser;
  338. $_SESSION['login_mode'] = $sLoginMode;
  339. }
  340. }
  341. }
  342. }
  343. /**
  344. * Check if the user is already authentified, if yes, then performs some additional validations:
  345. * - if $bMustBeAdmin is true, then the user must be an administrator, otherwise an error is displayed
  346. * - if $bIsAllowedToPortalUsers is false and the user has only access to the portal, then the user is redirected to the portal
  347. * @param bool $bMustBeAdmin Whether or not the user must be an admin to access the current page
  348. * @param bool $bIsAllowedToPortalUsers Whether or not the current page is considered as part of the portal
  349. */
  350. static function DoLogin($bMustBeAdmin = false, $bIsAllowedToPortalUsers = false)
  351. {
  352. $sMessage = ''; // In case we need to return a message to the calling web page
  353. $operation = utils::ReadParam('loginop', '');
  354. if ($operation == 'logoff')
  355. {
  356. if (isset($_SESSION['login_mode']))
  357. {
  358. $sLoginMode = $_SESSION['login_mode'];
  359. }
  360. else
  361. {
  362. $aAllowedLoginTypes = MetaModel::GetConfig()->GetAllowedLoginTypes();
  363. if (count($aAllowedLoginTypes) > 0)
  364. {
  365. $sLoginMode = $aAllowedLoginTypes[0];
  366. }
  367. else
  368. {
  369. $sLoginMode = 'form';
  370. }
  371. }
  372. self::ResetSession();
  373. $oPage = new LoginWebPage();
  374. $oPage->DisplayLoginForm( $sLoginMode, false /* not a failed attempt */);
  375. $oPage->output();
  376. exit;
  377. }
  378. else if ($operation == 'change_pwd')
  379. {
  380. $sAuthUser = $_SESSION['auth_user'];
  381. UserRights::Login($sAuthUser); // Set the user's language
  382. $oPage = new LoginWebPage();
  383. $oPage->DisplayChangePwdForm();
  384. $oPage->output();
  385. exit;
  386. }
  387. if ($operation == 'do_change_pwd')
  388. {
  389. $sAuthUser = $_SESSION['auth_user'];
  390. UserRights::Login($sAuthUser); // Set the user's language
  391. $sOldPwd = utils::ReadPostedParam('old_pwd', '', false, 'raw_data');
  392. $sNewPwd = utils::ReadPostedParam('new_pwd', '', false, 'raw_data');
  393. if (UserRights::CanChangePassword() && ((!UserRights::CheckCredentials($sAuthUser, $sOldPwd)) || (!UserRights::ChangePassword($sOldPwd, $sNewPwd))))
  394. {
  395. $oPage = new LoginWebPage();
  396. $oPage->DisplayChangePwdForm(true); // old pwd was wrong
  397. $oPage->output();
  398. }
  399. $sMessage = Dict::S('UI:Login:PasswordChanged');
  400. }
  401. self::Login();
  402. if ($bMustBeAdmin && !UserRights::IsAdministrator())
  403. {
  404. require_once(APPROOT.'/setup/setuppage.class.inc.php');
  405. $oP = new SetupPage(Dict::S('UI:PageTitle:FatalError'));
  406. $oP->add("<h1>".Dict::S('UI:Login:Error:AccessAdmin')."</h1>\n");
  407. $oP->p("<a href=\"".utils::GetAbsoluteUrlAppRoot()."pages/logoff.php\">".Dict::S('UI:LogOffMenu')."</a>");
  408. $oP->output();
  409. exit;
  410. }
  411. elseif ( (!$bIsAllowedToPortalUsers) && (UserRights::IsPortalUser()))
  412. {
  413. // No rights to be here, redirect to the portal
  414. header('Location: '.utils::GetAbsoluteUrlAppRoot().'portal/index.php');
  415. }
  416. return $sMessage;
  417. }
  418. } // End of class
  419. ?>