mirror of
https://github.com/myvesta/vesta
synced 2025-08-21 05:44:08 -07:00
Auth fix 0.9.8-20
This commit is contained in:
Serghey Rodin
parent
1034d1bbc2
commit
eaf9d89096
6 changed files with 383 additions and 64 deletions
|
|
@ -4,32 +4,64 @@ define('VESTA_CMD', '/usr/bin/sudo /usr/local/vesta/bin/');
|
|||
if (isset($_POST['user']) || isset($_POST['hash'])) {
|
||||
|
||||
// Authentication
|
||||
$auth_code = 1;
|
||||
if (empty($_POST['hash'])) {
|
||||
// Check user permission to use API
|
||||
if ($_POST['user'] != 'admin') {
|
||||
echo 'Error: only admin is allowed to use API';
|
||||
echo 'Error: authentication failed';
|
||||
exit;
|
||||
}
|
||||
|
||||
$v_user = escapeshellarg($_POST['user']);
|
||||
$v_password = tempnam("/tmp","vst");
|
||||
$fp = fopen($v_password, "w");
|
||||
fwrite($fp, $_POST['password']."\n");
|
||||
$password = $_POST['password'];
|
||||
$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-get-user-salt admin ".$v_ip." json" , $output, $return_var);
|
||||
$pam = json_decode(implode('', $output), true);
|
||||
$salt = $pam['admin']['SALT'];
|
||||
$method = $pam['admin']['METHOD'];
|
||||
|
||||
if ($method == 'md5' ) {
|
||||
$hash = crypt($password, '$1$'.$salt.'$');
|
||||
}
|
||||
if ($method == 'sha-512' ) {
|
||||
$hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
|
||||
$hash = str_replace('$rounds=5000','',$hash);
|
||||
}
|
||||
if ($method == 'des' ) {
|
||||
$hash = crypt($password, $salt);
|
||||
}
|
||||
|
||||
// Send hash via tmp file
|
||||
$v_hash = exec('mktemp -p /tmp');
|
||||
$fp = fopen($v_hash, "w");
|
||||
fwrite($fp, $hash."\n");
|
||||
fclose($fp);
|
||||
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
|
||||
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." '".$v_ip_addr."'", $output, $auth_code);
|
||||
unlink($v_password);
|
||||
/* No hash auth for security reason
|
||||
|
||||
// Check user hash
|
||||
exec(VESTA_CMD ."v-check-user-hash admin ".$v_hash." ".$v_ip, $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Remove tmp file
|
||||
unlink($v_hash);
|
||||
|
||||
// Check API answer
|
||||
if ( $return_var > 0 ) {
|
||||
echo 'Error: authentication failed';
|
||||
exit;
|
||||
}
|
||||
} else {
|
||||
$key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
|
||||
if (file_exists($key) && is_file($key)) {
|
||||
$auth_code = '0';
|
||||
exec(VESTA_CMD ."v-check-api-key ".escapeshellarg($key)." ".$v_ip, $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Check API answer
|
||||
if ( $return_var > 0 ) {
|
||||
echo 'Error: authentication failed';
|
||||
exit;
|
||||
}
|
||||
}
|
||||
*/
|
||||
}
|
||||
|
||||
if ($auth_code != 0 ) {
|
||||
if ( $return_var > 0 ) {
|
||||
echo 'Error: authentication failed';
|
||||
exit;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,9 +14,6 @@ if (isset($_GET['logout'])) {
|
|||
session_destroy();
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
// Login as someone else
|
||||
if (isset($_SESSION['user'])) {
|
||||
if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
|
||||
|
|
@ -36,62 +33,85 @@ if (isset($_SESSION['user'])) {
|
|||
if (isset($_POST['user']) && isset($_POST['password'])) {
|
||||
if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
|
||||
$v_user = escapeshellarg($_POST['user']);
|
||||
$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
|
||||
|
||||
// Send password via tmp file
|
||||
$v_password = exec('mktemp -p /tmp');
|
||||
$fp = fopen($v_password, "w");
|
||||
fwrite($fp, $_POST['password']."\n");
|
||||
fclose($fp);
|
||||
|
||||
// Check user & password
|
||||
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".escapeshellarg($v_password)." ".escapeshellarg($_SERVER['REMOTE_ADDR']), $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Remove tmp file
|
||||
unlink($v_password);
|
||||
|
||||
// Check API answer
|
||||
// Get user's salt
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
|
||||
$pam = json_decode(implode('', $output), true);
|
||||
if ( $return_var > 0 ) {
|
||||
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
|
||||
|
||||
} else {
|
||||
$user = $_POST['user'];
|
||||
$password = $_POST['password'];
|
||||
$salt = $pam[$user]['SALT'];
|
||||
$method = $pam[$user]['METHOD'];
|
||||
|
||||
// Make root admin user
|
||||
if ($_POST['user'] == 'root') $v_user = 'admin';
|
||||
|
||||
// Get user speciefic parameters
|
||||
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
|
||||
// Define session user
|
||||
$_SESSION['user'] = key($data);
|
||||
$v_user = $_SESSION['user'];
|
||||
|
||||
// Get user favorites
|
||||
get_favourites();
|
||||
|
||||
// Define language
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
|
||||
$languages = json_decode(implode('', $output), true);
|
||||
if(in_array($data[$v_user]['LANGUAGE'], $languages)){
|
||||
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
|
||||
if ($method == 'md5' ) {
|
||||
$hash = crypt($password, '$1$'.$salt.'$');
|
||||
}
|
||||
else {
|
||||
$_SESSION['language'] = 'en';
|
||||
if ($method == 'sha-512' ) {
|
||||
$hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
|
||||
$hash = str_replace('$rounds=5000','',$hash);
|
||||
}
|
||||
if ($method == 'des' ) {
|
||||
$hash = crypt($password, $salt);
|
||||
}
|
||||
|
||||
// Regenerate session id to prevent session fixation
|
||||
session_regenerate_id();
|
||||
|
||||
// Redirect request to control panel interface
|
||||
if (!empty($_SESSION['request_uri'])) {
|
||||
header("Location: ".$_SESSION['request_uri']);
|
||||
unset($_SESSION['request_uri']);
|
||||
exit;
|
||||
// Send hash via tmp file
|
||||
$v_hash = exec('mktemp -p /tmp');
|
||||
$fp = fopen($v_hash, "w");
|
||||
fwrite($fp, $hash."\n");
|
||||
fclose($fp);
|
||||
|
||||
// Check user hash
|
||||
exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
|
||||
unset($output);
|
||||
|
||||
// Remove tmp file
|
||||
unlink($v_hash);
|
||||
|
||||
// Check API answer
|
||||
if ( $return_var > 0 ) {
|
||||
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
|
||||
} else {
|
||||
header("Location: /");
|
||||
exit;
|
||||
|
||||
// Make root admin user
|
||||
if ($_POST['user'] == 'root') $v_user = 'admin';
|
||||
|
||||
// Get user speciefic parameters
|
||||
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
|
||||
$data = json_decode(implode('', $output), true);
|
||||
|
||||
// Define session user
|
||||
$_SESSION['user'] = key($data);
|
||||
$v_user = $_SESSION['user'];
|
||||
|
||||
// Get user favorites
|
||||
get_favourites();
|
||||
|
||||
// Define language
|
||||
$output = '';
|
||||
exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
|
||||
$languages = json_decode(implode('', $output), true);
|
||||
if (in_array($data[$v_user]['LANGUAGE'], $languages)){
|
||||
$_SESSION['language'] = $data[$v_user]['LANGUAGE'];
|
||||
} else {
|
||||
$_SESSION['language'] = 'en';
|
||||
}
|
||||
|
||||
// Regenerate session id to prevent session fixation
|
||||
session_regenerate_id();
|
||||
|
||||
// Redirect request to control panel interface
|
||||
if (!empty($_SESSION['request_uri'])) {
|
||||
header("Location: ".$_SESSION['request_uri']);
|
||||
unset($_SESSION['request_uri']);
|
||||
exit;
|
||||
} else {
|
||||
header("Location: /");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue