diff --git a/pandora_console/mobile/include/user.class.php b/pandora_console/mobile/include/user.class.php index b79818e5c1..50da3360ea 100644 --- a/pandora_console/mobile/include/user.class.php +++ b/pandora_console/mobile/include/user.class.php @@ -19,22 +19,12 @@ class User { private $user; private $logged = false; private $errorLogin = false; + private $loginTime = false; private $logout_action = false; + private $needDoubleAuth = false; + private $errorDoubleAuth = false; - public function __construct($user = null, $password = null) { - $this->user = $user; - $this->errorLogin = false; - - if (process_user_login($this->user, $password)) { - $this->logged = true; - $this->hackInjectConfig(); - } - else { - $this->logged = false; - } - } - - public static function getInstance() { + public static function getInstance () { if (!(self::$instance instanceof self)) { //Check if in the session $system = System::getInstance(); @@ -51,22 +41,22 @@ class User { return self::$instance; } - public function hackInjectConfig() { - //hack to compatibility with pandora + public function saveLogin () { if ($this->logged) { - global $config; - $system = System::getInstance(); - - $config['id_user'] = $this->user; - - $system->setSessionBase('id_usuario', $this->user); $system->setSession('user', $this); + + if (!$this->needDoubleAuth) { + //hack to compatibility with pandora + global $config; + $config['id_user'] = $this->user; + $system->setSessionBase('id_usuario', $this->user); + } } } - public function isLogged() { + public function isLogged () { $system = System::getInstance(); $autologin = $system->getRequest('autologin', false); @@ -74,15 +64,13 @@ class User { $user = $system->getRequest('user', null); $password = $system->getRequest('password', null); - if ($this->checkLogin($user, $password)) { - $this->hackInjectConfig(); - } + $this->login($user, $password); } return $this->logged; } - - public function checkLogin($user = null, $password = null) { + + public function login ($user = null, $password = null) { $system = System::getInstance(); if (($user == null) && ($password == null)) { @@ -92,44 +80,126 @@ class User { } if (!empty($user) && !empty($password)) { - if (process_user_login($user, $password) !== false) { + $user_in_db = process_user_login($user, $password); + if ($user_in_db !== false) { $this->logged = true; - $this->user = $user; + $this->user = $user_in_db; + $this->loginTime = time(); $this->errorLogin = false; + + // The user login was successful, but the second step is not completed + if ($this->isDobleAuthRequired()) { + $this->needDoubleAuth = true; + } } else { $this->logged = false; + $this->loginTime = false; $this->errorLogin = true; + $this->needDoubleAuth = false; + $this->errorDoubleAuth = false; } } - if ($this->logged) { - $this->hackInjectConfig(); - - if (! check_acl($system->getConfig('id_user'), 0, "AR")) { - db_pandora_audit("ACL Violation", - "Trying to access Agent Data view"); - require ("../general/noaccess.php"); - return; - } - } + $this->saveLogin(); return $this->logged; } - - public function logout() { - $this->user = null; - $this->logged = false; - $this->errorLogin = false; - $this->logout_action = true; - - $system = System::getInstance(); - $system->setSession('user', null); + + public function getLoginTime () { + return $this->loginTime; } - public function showLogin() { + public function isWaitingDoubleAuth () { + return $this->needDoubleAuth; + } + + public function isDobleAuthRequired ($user = false) { + if (empty($user) && !empty($this->user)) + $user = $this->user; + + if (!empty($user)) + return (bool) db_get_value('id', 'tuser_double_auth', 'id_user', $user); + else + return false; + } + + public function validateDoubleAuthCode ($user = null, $code = null) { + + if (!$this->needDoubleAuth) { + return true; + } + + $system = System::getInstance(); + require_once ($system->getConfig('homedir').'/include/auth/GAuth/Auth.php'); + + $result = false; + + if (empty($user)) { + $user = $this->user; + } + if (empty($code)) { + $code = $system->getRequest('auth_code', null); + } + + if (!empty($user) && !empty($code)) { + $secret = db_get_value('secret', 'tuser_double_auth', 'id_user', $user); + + if ($secret === false) { + $result = false; + $this->errorDoubleAuth = array( + 'title_text' => __('Double authentication failed'), + 'content_text' => __('Secret code not found') .". " + .__('Please contact the administrator to reset your double authentication') + ); + } + else if (!empty($secret)) { + try { + $gAuth = new \GAuth\Auth($secret); + $result = $gAuth->validateCode($code); + + // Double auth success + if ($result) { + $this->needDoubleAuth = false; + $this->saveLogin(); + } + else { + $result = false; + $this->errorDoubleAuth = array( + 'title_text' => __('Double authentication failed'), + 'content_text' => __('Invalid code') + ); + } + } catch (Exception $e) { + $result = false; + $this->errorDoubleAuth = array( + 'title_text' => __('Double authentication failed'), + 'content_text' => __('There was an error checking the code') + ); + } + } + } + + return $result; + } + + public function logout () { + $this->user = null; + $this->logged = false; + $this->loginTime = false; + $this->errorLogin = false; + $this->logout_action = true; + $this->needDoubleAuth = false; + $this->errorDoubleAuth = false; + + $system = System::getInstance(); + $system->setSession('user', null); + $system->sessionDestroy(); + } + + public function showLoginPage () { global $pandora_version; $ui = Ui::getInstance(); @@ -191,16 +261,65 @@ class User { $this->errorLogin = false; $this->logout_action = false; } - - public function getIdUser() { + + public function showDoubleAuthPage () { + global $pandora_version; + + $ui = Ui::getInstance(); + + $ui->createPage(); + if (!empty($this->errorDoubleAuth)) { + $options['type'] = 'onStart'; + $options['title_text'] = $this->errorDoubleAuth['title_text']; + $options['content_text'] = $this->errorDoubleAuth['content_text'] . "
"; + $ui->addDialog($options); + } + $left_button = $ui->createHeaderButton( + array('icon' => 'back', + 'pos' => 'left', + 'text' => __('Logout'), + 'href' => 'index.php?action=logout')); + $ui->createHeader('', $left_button); + $ui->showFooter(false); + $ui->beginContent(); + $ui->contentAddHtml(''); + $ui->contentAddHtml('
'); + $ui->beginForm(); + $ui->formAddHtml(html_print_input_hidden('action', 'double_auth', true)); + $options = array( + 'name' => 'auth_code', + 'value' => '', + 'placeholder' => __('Authenticator code'), + 'label' => __('Authenticator code') + ); + $ui->formAddInputPassword($options); + $options = array( + 'value' => __('Check code'), + 'icon' => 'arrow-r', + 'icon_pos' => 'right', + 'name' => 'auth_code_btn' + ); + $ui->formAddSubmitButton($options); + $ui->endForm(); + $ui->contentAddHtml('
'); + $ui->endContent(); + $ui->showPage(); + + $this->errorDoubleAuth = false; + } + + public function getIdUser () { return $this->user; //Oldies methods } - public function isInGroup($access = "AR", $id_group = 0, $name_group = false) { + public function isInGroup ($access = "AR", $id_group = 0, $name_group = false) { return (bool)check_acl($this->user, $id_group, $access); } - public function getIdGroups($access = "AR", $all = false) { + public function getIdGroups ($access = "AR", $all = false) { return array_keys(users_get_groups($this->user, $access, $all)); } } diff --git a/pandora_console/mobile/index.php b/pandora_console/mobile/index.php index a2fe7a5e3f..7a7f5c0414 100644 --- a/pandora_console/mobile/index.php +++ b/pandora_console/mobile/index.php @@ -43,13 +43,32 @@ $enterpriseHook = enterprise_include('mobile/operation/home.php'); $system = System::getInstance(); +require_once($system->getConfig('homedir').'/include/constants.php'); + $user = User::getInstance(); -$user->hackInjectConfig(); +$user->saveLogin(); $page = $system->getRequest('page', 'home'); $action = $system->getRequest('action'); -if (!$user->isLogged()) { - $action = 'login'; + +// The logout action has priority +if ($action != 'logout') { + if (!$user->isLogged()) { + $action = 'login'; + } + else if ($user->isWaitingDoubleAuth()) { + $dauth_period = SECONDS_2MINUTES; + $now = time(); + $dauth_time = $user->getLoginTime(); + + if ($now - $dauth_period < $dauth_time) { + $action = 'double_auth'; + } + // Expired login + else { + $action = 'logout'; + } + } } if ($action != "ajax") { @@ -107,11 +126,45 @@ switch ($action) { return; break; case 'login': - if (!$user->checkLogin()) { - $user->showLogin(); + if ($user->login() && $user->isLogged()) { + if ($user->isWaitingDoubleAuth()) { + if ($user->validateDoubleAuthCode()) { + $user_language = get_user_language ($system->getConfig('id_user')); + if (file_exists ('../include/languages/'.$user_language.'.mo')) { + $l10n = new gettext_reader (new CachedFileReader('../include/languages/'.$user_language.'.mo')); + $l10n->load_tables(); + } + if (class_exists("HomeEnterprise")) + $home = new HomeEnterprise(); + else + $home = new Home(); + $home->show(); + } + else { + $user->showDoubleAuthPage(); + } + } + else { + $user_language = get_user_language ($system->getConfig('id_user')); + if (file_exists ('../include/languages/'.$user_language.'.mo')) { + $l10n = new gettext_reader (new CachedFileReader('../include/languages/'.$user_language.'.mo')); + $l10n->load_tables(); + } + if (class_exists("HomeEnterprise")) + $home = new HomeEnterprise(); + else + $home = new Home(); + $home->show(); + } + } else { - if ($user->isLogged()) { + $user->showLoginPage(); + } + break; + case 'double_auth': + if ($user->isLogged()) { + if ($user->validateDoubleAuthCode()) { $user_language = get_user_language ($system->getConfig('id_user')); if (file_exists ('../include/languages/'.$user_language.'.mo')) { $l10n = new gettext_reader (new CachedFileReader('../include/languages/'.$user_language.'.mo')); @@ -124,13 +177,16 @@ switch ($action) { $home->show(); } else { - $user->showLoginFail(); + $user->showDoubleAuthPage(); } } + else { + $user->showLoginPage(); + } break; case 'logout': $user->logout(); - $user->showLogin(); + $user->showLoginPage(); break; default: if (class_exists("Enterprise")) {