loginwebpage.class.inc.php 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462
  1. <?php
  2. // Copyright (C) 2010-2012 Combodo SARL
  3. //
  4. // This file is part of iTop.
  5. //
  6. // iTop is free software; you can redistribute it and/or modify
  7. // it under the terms of the GNU Affero General Public License as published by
  8. // the Free Software Foundation, either version 3 of the License, or
  9. // (at your option) any later version.
  10. //
  11. // iTop is distributed in the hope that it will be useful,
  12. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. // GNU Affero General Public License for more details.
  15. //
  16. // You should have received a copy of the GNU Affero General Public License
  17. // along with iTop. If not, see <http://www.gnu.org/licenses/>
  18. /**
  19. * Class LoginWebPage
  20. *
  21. * @copyright Copyright (C) 2010-2012 Combodo SARL
  22. * @license http://opensource.org/licenses/AGPL-3.0
  23. */
  24. require_once(APPROOT."/application/nicewebpage.class.inc.php");
  25. /**
  26. * Web page used for displaying the login form
  27. */
  28. class LoginWebPage extends NiceWebPage
  29. {
  30. protected static $m_sLoginFailedMessage = '';
  31. public function __construct()
  32. {
  33. parent::__construct("iTop Login");
  34. $this->add_style(<<<EOF
  35. body {
  36. background: #eee;
  37. margin: 0;
  38. padding: 0;
  39. }
  40. #login-logo {
  41. margin-top: 150px;
  42. width: 300px;
  43. padding-left: 20px;
  44. padding-right: 20px;
  45. padding-top: 10px;
  46. padding-bottom: 10px;
  47. margin-left: auto;
  48. margin-right: auto;
  49. background: #f6f6f1;
  50. height: 54px;
  51. border-top: 1px solid #000;
  52. border-left: 1px solid #000;
  53. border-right: 1px solid #000;
  54. border-bottom: 0;
  55. text-align: center;
  56. }
  57. #login-logo img {
  58. border: 0;
  59. }
  60. #login {
  61. width: 300px;
  62. margin-left: auto;
  63. margin-right: auto;
  64. padding: 20px;
  65. background-color: #fff;
  66. border-bottom: 1px solid #000;
  67. border-left: 1px solid #000;
  68. border-right: 1px solid #000;
  69. border-top: 0;
  70. text-align: center;
  71. }
  72. #pwd, #user,#old_pwd, #new_pwd, #retype_new_pwd {
  73. width: 10em;
  74. }
  75. .center {
  76. text-align: center;
  77. }
  78. h1 {
  79. color: #1C94C4;
  80. font-size: 16pt;
  81. }
  82. .v-spacer {
  83. padding-top: 1em;
  84. }
  85. EOF
  86. );
  87. }
  88. public static function SetLoginFailedMessage($sMessage)
  89. {
  90. self::$m_sLoginFailedMessage = $sMessage;
  91. }
  92. public function DisplayLoginForm($sLoginType, $bFailedLogin = false)
  93. {
  94. switch($sLoginType)
  95. {
  96. case 'cas':
  97. utils::InitCASClient();
  98. // force CAS authentication
  99. phpCAS::forceAuthentication(); // Will redirect the user and exit since the user is not yet authenticated
  100. break;
  101. case 'basic':
  102. case 'url':
  103. $this->add_header('WWW-Authenticate: Basic realm="'.Dict::Format('UI:iTopVersion:Short', ITOP_VERSION));
  104. $this->add_header('HTTP/1.0 401 Unauthorized');
  105. // Note: displayed when the user will click on Cancel
  106. $this->add('<p><strong>'.Dict::S('UI:Login:Error:AccessRestricted').'</strong></p>');
  107. break;
  108. case 'external':
  109. case 'form':
  110. default: // In case the settings get messed up...
  111. $sAuthUser = utils::ReadParam('auth_user', '', true, 'raw_data');
  112. $sAuthPwd = utils::ReadParam('suggest_pwd', '', true, 'raw_data');
  113. $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
  114. $sIconUrl = Utils::GetConfig()->Get('app_icon_url');
  115. $this->add("<div id=\"login-logo\"><a href=\"".htmlentities($sIconUrl, ENT_QUOTES, 'UTF-8')."\"><img title=\"$sVersionShort\" src=\"../images/itop-logo-external.png\"></a></div>\n");
  116. $this->add("<div id=\"login\">\n");
  117. $this->add("<h1>".Dict::S('UI:Login:Welcome')."</h1>\n");
  118. if ($bFailedLogin)
  119. {
  120. if (self::$m_sLoginFailedMessage != '')
  121. {
  122. $this->add("<p class=\"hilite\">".self::$m_sLoginFailedMessage."</p>\n");
  123. }
  124. else
  125. {
  126. $this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectLoginPassword')."</p>\n");
  127. }
  128. }
  129. else
  130. {
  131. $this->add("<p>".Dict::S('UI:Login:IdentifyYourself')."</p>\n");
  132. }
  133. $this->add("<form method=\"post\">\n");
  134. $this->add("<table width=\"100%\">\n");
  135. $this->add("<tr><td style=\"text-align:right\"><label for=\"user\">".Dict::S('UI:Login:UserNamePrompt').":</label></td><td style=\"text-align:left\"><input id=\"user\" type=\"text\" name=\"auth_user\" value=\"".htmlentities($sAuthUser, ENT_QUOTES, 'UTF-8')."\" /></td></tr>\n");
  136. $this->add("<tr><td style=\"text-align:right\"><label for=\"pwd\">".Dict::S('UI:Login:PasswordPrompt').":</label></td><td style=\"text-align:left\"><input id=\"pwd\" type=\"password\" name=\"auth_pwd\" value=\"".htmlentities($sAuthPwd, ENT_QUOTES, 'UTF-8')."\" /></td></tr>\n");
  137. $this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"> <input type=\"submit\" value=\"".Dict::S('UI:Button:Login')."\" /></td></tr>\n");
  138. $this->add("</table>\n");
  139. $this->add("<input type=\"hidden\" name=\"loginop\" value=\"login\" />\n");
  140. // Keep the OTHER parameters posted
  141. foreach($_POST as $sPostedKey => $postedValue)
  142. {
  143. if (!in_array($sPostedKey, array('auth_user', 'auth_pwd')))
  144. {
  145. if (is_array($postedValue))
  146. {
  147. foreach($postedValue as $sKey => $sValue)
  148. {
  149. $this->add("<input type=\"hidden\" name=\"".htmlentities($sPostedKey, ENT_QUOTES, 'UTF-8')."[".htmlentities($sKey, ENT_QUOTES, 'UTF-8')."]\" value=\"".htmlentities($sValue, ENT_QUOTES, 'UTF-8')."\" />\n");
  150. }
  151. }
  152. else
  153. {
  154. $this->add("<input type=\"hidden\" name=\"".htmlentities($sPostedKey, ENT_QUOTES, 'UTF-8')."\" value=\"".htmlentities($postedValue, ENT_QUOTES, 'UTF-8')."\" />\n");
  155. }
  156. }
  157. }
  158. $this->add("</form>\n");
  159. $this->add(Dict::S('UI:Login:About'));
  160. $this->add("</div>\n");
  161. break;
  162. }
  163. }
  164. public function DisplayChangePwdForm($bFailedLogin = false)
  165. {
  166. $sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
  167. $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION);
  168. $sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch');
  169. $this->add_script(<<<EOF
  170. function GoBack()
  171. {
  172. window.history.back();
  173. }
  174. function DoCheckPwd()
  175. {
  176. if ($('#new_pwd').val() != $('#retype_new_pwd').val())
  177. {
  178. alert('$sInconsistenPwdMsg');
  179. return false;
  180. }
  181. return true;
  182. }
  183. EOF
  184. );
  185. $sIconUrl = Utils::GetConfig()->Get('app_icon_url');
  186. $this->add("<div id=\"login-logo\"><a href=\"".htmlentities($sIconUrl, ENT_QUOTES, 'UTF-8')."\"><img title=\"$sVersionShort\" src=\"../images/itop-logo.png\"></a></div>\n");
  187. $this->add("<div id=\"login\">\n");
  188. $this->add("<h1>".Dict::S('UI:Login:ChangeYourPassword')."</h1>\n");
  189. if ($bFailedLogin)
  190. {
  191. $this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectOldPassword')."</p>\n");
  192. }
  193. $this->add("<form method=\"post\">\n");
  194. $this->add("<table width=\"100%\">\n");
  195. $this->add("<tr><td style=\"text-align:right\"><label for=\"old_pwd\">".Dict::S('UI:Login:OldPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"old_pwd\" name=\"old_pwd\" value=\"\" /></td></tr>\n");
  196. $this->add("<tr><td style=\"text-align:right\"><label for=\"new_pwd\">".Dict::S('UI:Login:NewPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"new_pwd\" name=\"new_pwd\" value=\"\" /></td></tr>\n");
  197. $this->add("<tr><td style=\"text-align:right\"><label for=\"retype_new_pwd\">".Dict::S('UI:Login:RetypeNewPasswordPrompt').":</label></td><td style=\"text-align:left\"><input type=\"password\" id=\"retype_new_pwd\" name=\"retype_new_pwd\" value=\"\" /></td></tr>\n");
  198. $this->add("<tr><td colspan=\"2\" class=\"center v-spacer\"> <input type=\"button\" onClick=\"GoBack();\" value=\"".Dict::S('UI:Button:Cancel')."\" />&nbsp;&nbsp;<input type=\"submit\" onClick=\"return DoCheckPwd();\" value=\"".Dict::S('UI:Button:ChangePassword')."\" /></td></tr>\n");
  199. $this->add("</table>\n");
  200. $this->add("<input type=\"hidden\" name=\"loginop\" value=\"do_change_pwd\" />\n");
  201. $this->add("</form>\n");
  202. $this->add("</div>\n");
  203. }
  204. static function ResetSession()
  205. {
  206. if (isset($_SESSION['login_mode']))
  207. {
  208. $sPreviousLoginMode = $_SESSION['login_mode'];
  209. }
  210. else
  211. {
  212. $sPreviousLoginMode = '';
  213. }
  214. // Unset all of the session variables.
  215. unset($_SESSION['auth_user']);
  216. unset($_SESSION['login_mode']);
  217. // If it's desired to kill the session, also delete the session cookie.
  218. // Note: This will destroy the session, and not just the session data!
  219. }
  220. static function SecureConnectionRequired()
  221. {
  222. return MetaModel::GetConfig()->GetSecureConnectionRequired();
  223. }
  224. protected static function Login()
  225. {
  226. if (self::SecureConnectionRequired() && !utils::IsConnectionSecure())
  227. {
  228. // Non secured URL... request for a secure connection
  229. throw new Exception('Secure connection required!');
  230. }
  231. $aAllowedLoginTypes = MetaModel::GetConfig()->GetAllowedLoginTypes();
  232. if (isset($_SESSION['auth_user']))
  233. {
  234. //echo "User: ".$_SESSION['auth_user']."\n";
  235. // Already authentified
  236. UserRights::Login($_SESSION['auth_user']); // Login & set the user's language
  237. return true;
  238. }
  239. else
  240. {
  241. $index = 0;
  242. $sLoginMode = '';
  243. $sAuthentication = 'internal';
  244. while(($sLoginMode == '') && ($index < count($aAllowedLoginTypes)))
  245. {
  246. $sLoginType = $aAllowedLoginTypes[$index];
  247. switch($sLoginType)
  248. {
  249. case 'cas':
  250. utils::InitCASClient();
  251. // check CAS authentication
  252. if (phpCAS::isAuthenticated())
  253. {
  254. $sAuthUser = phpCAS::getUser();
  255. $sAuthPwd = '';
  256. $sLoginMode = 'cas';
  257. $sAuthentication = 'external';
  258. }
  259. break;
  260. case 'form':
  261. // iTop standard mode: form based authentication
  262. $sAuthUser = utils::ReadPostedParam('auth_user', '', false, 'raw_data');
  263. $sAuthPwd = utils::ReadPostedParam('auth_pwd', '', false, 'raw_data');
  264. if ($sAuthUser != '')
  265. {
  266. $sLoginMode = 'form';
  267. }
  268. break;
  269. case 'basic':
  270. // Standard PHP authentication method, works with Apache...
  271. // Case 1) Apache running in CGI mode + rewrite rules in .htaccess
  272. if (isset($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['HTTP_AUTHORIZATION']))
  273. {
  274. list($sAuthUser, $sAuthPwd) = explode(':' , base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
  275. $sLoginMode = 'basic';
  276. }
  277. else if (isset($_SERVER['PHP_AUTH_USER']))
  278. {
  279. $sAuthUser = $_SERVER['PHP_AUTH_USER'];
  280. $sAuthPwd = $_SERVER['PHP_AUTH_PW'];
  281. $sLoginMode = 'basic';
  282. }
  283. break;
  284. case 'external':
  285. // Web server supplied authentication
  286. $bExternalAuth = false;
  287. $sExtAuthVar = MetaModel::GetConfig()->GetExternalAuthenticationVariable(); // In which variable is the info passed ?
  288. eval('$sAuthUser = isset('.$sExtAuthVar.') ? '.$sExtAuthVar.' : false;'); // Retrieve the value
  289. if ($sAuthUser && (strlen($sAuthUser) > 0))
  290. {
  291. $sAuthPwd = ''; // No password in this case the web server already authentified the user...
  292. $sLoginMode = 'external';
  293. $sAuthentication = 'external';
  294. }
  295. break;
  296. case 'url':
  297. // Credentials passed directly in the url
  298. $sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
  299. $sAuthPwd = utils::ReadParam('auth_pwd', null, false, 'raw_data');
  300. if (($sAuthUser != '') && ($sAuthPwd != null))
  301. {
  302. $sLoginMode = 'url';
  303. }
  304. break;
  305. }
  306. $index++;
  307. }
  308. //echo "\nsLoginMode: $sLoginMode (user: $sAuthUser / pwd: $sAuthPwd\n)";
  309. if ($sLoginMode == '')
  310. {
  311. // First connection
  312. $sDesiredLoginMode = utils::ReadParam('login_mode');
  313. if (in_array($sDesiredLoginMode, $aAllowedLoginTypes))
  314. {
  315. $sLoginMode = $sDesiredLoginMode;
  316. }
  317. else
  318. {
  319. $sLoginMode = $aAllowedLoginTypes[0]; // First in the list...
  320. }
  321. $oPage = new LoginWebPage();
  322. $oPage->DisplayLoginForm( $sLoginMode, false /* no previous failed attempt */);
  323. $oPage->output();
  324. exit;
  325. }
  326. else
  327. {
  328. if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $sLoginMode, $sAuthentication))
  329. {
  330. //echo "Check Credentials returned false for user $sAuthUser!";
  331. self::ResetSession();
  332. $oPage = new LoginWebPage();
  333. $oPage->DisplayLoginForm( $sLoginMode, true /* failed attempt */);
  334. $oPage->output();
  335. exit;
  336. }
  337. else
  338. {
  339. // User is Ok, let's save it in the session and proceed with normal login
  340. UserRights::Login($sAuthUser, $sAuthentication); // Login & set the user's language
  341. if (MetaModel::GetConfig()->Get('log_usage'))
  342. {
  343. $oLog = new EventLoginUsage();
  344. $oLog->Set('userinfo', UserRights::GetUser());
  345. $oLog->Set('user_id', UserRights::GetUserObject()->GetKey());
  346. $oLog->Set('message', 'Successful login');
  347. $oLog->DBInsertNoReload();
  348. }
  349. $_SESSION['auth_user'] = $sAuthUser;
  350. $_SESSION['login_mode'] = $sLoginMode;
  351. }
  352. }
  353. }
  354. }
  355. /**
  356. * Check if the user is already authentified, if yes, then performs some additional validations:
  357. * - if $bMustBeAdmin is true, then the user must be an administrator, otherwise an error is displayed
  358. * - if $bIsAllowedToPortalUsers is false and the user has only access to the portal, then the user is redirected to the portal
  359. * @param bool $bMustBeAdmin Whether or not the user must be an admin to access the current page
  360. * @param bool $bIsAllowedToPortalUsers Whether or not the current page is considered as part of the portal
  361. */
  362. static function DoLogin($bMustBeAdmin = false, $bIsAllowedToPortalUsers = false)
  363. {
  364. $sMessage = ''; // In case we need to return a message to the calling web page
  365. $operation = utils::ReadParam('loginop', '');
  366. if ($operation == 'logoff')
  367. {
  368. if (isset($_SESSION['login_mode']))
  369. {
  370. $sLoginMode = $_SESSION['login_mode'];
  371. }
  372. else
  373. {
  374. $aAllowedLoginTypes = MetaModel::GetConfig()->GetAllowedLoginTypes();
  375. if (count($aAllowedLoginTypes) > 0)
  376. {
  377. $sLoginMode = $aAllowedLoginTypes[0];
  378. }
  379. else
  380. {
  381. $sLoginMode = 'form';
  382. }
  383. }
  384. self::ResetSession();
  385. $oPage = new LoginWebPage();
  386. $oPage->DisplayLoginForm( $sLoginMode, false /* not a failed attempt */);
  387. $oPage->output();
  388. exit;
  389. }
  390. else if ($operation == 'change_pwd')
  391. {
  392. $sAuthUser = $_SESSION['auth_user'];
  393. UserRights::Login($sAuthUser); // Set the user's language
  394. $oPage = new LoginWebPage();
  395. $oPage->DisplayChangePwdForm();
  396. $oPage->output();
  397. exit;
  398. }
  399. if ($operation == 'do_change_pwd')
  400. {
  401. $sAuthUser = $_SESSION['auth_user'];
  402. UserRights::Login($sAuthUser); // Set the user's language
  403. $sOldPwd = utils::ReadPostedParam('old_pwd', '', false, 'raw_data');
  404. $sNewPwd = utils::ReadPostedParam('new_pwd', '', false, 'raw_data');
  405. if (UserRights::CanChangePassword() && ((!UserRights::CheckCredentials($sAuthUser, $sOldPwd)) || (!UserRights::ChangePassword($sOldPwd, $sNewPwd))))
  406. {
  407. $oPage = new LoginWebPage();
  408. $oPage->DisplayChangePwdForm(true); // old pwd was wrong
  409. $oPage->output();
  410. }
  411. $sMessage = Dict::S('UI:Login:PasswordChanged');
  412. }
  413. self::Login();
  414. if ($bMustBeAdmin && !UserRights::IsAdministrator())
  415. {
  416. require_once(APPROOT.'/setup/setuppage.class.inc.php');
  417. $oP = new SetupPage(Dict::S('UI:PageTitle:FatalError'));
  418. $oP->add("<h1>".Dict::S('UI:Login:Error:AccessAdmin')."</h1>\n");
  419. $oP->p("<a href=\"".utils::GetAbsoluteUrlAppRoot()."pages/logoff.php\">".Dict::S('UI:LogOffMenu')."</a>");
  420. $oP->output();
  421. exit;
  422. }
  423. elseif ( (!$bIsAllowedToPortalUsers) && (UserRights::IsPortalUser()))
  424. {
  425. // No rights to be here, redirect to the portal
  426. header('Location: '.utils::GetAbsoluteUrlAppRoot().'portal/index.php');
  427. }
  428. return $sMessage;
  429. }
  430. } // End of class
  431. ?>