modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php

   1 <?php
   2 if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
   3 /*********************************************************************************
   4  * SugarCRM is a customer relationship management program developed by
   5  * SugarCRM, Inc. Copyright (C) 2004-2011 SugarCRM Inc.
   6  *
   7  * This program is free software; you can redistribute it and/or modify it under
   8  * the terms of the GNU Affero General Public License version 3 as published by the
   9  * Free Software Foundation with the addition of the following permission added
  10  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
  11  * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
  12  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
  13  *
  14  * This program is distributed in the hope that it will be useful, but WITHOUT
  15  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  16  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
  17  * details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License along with
  20  * this program; if not, see http://www.gnu.org/licenses or write to the Free
  21  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  22  * 02110-1301 USA.
  23  *
  24  * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
  25  * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
  26  *
  27  * The interactive user interfaces in modified source and object code versions
  28  * of this program must display Appropriate Legal Notices, as required under
  29  * Section 5 of the GNU Affero General Public License version 3.
  30  *
  31  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
  32  * these Appropriate Legal Notices must retain the display of the "Powered by
  33  * SugarCRM" logo. If the display of the logo is not reasonably feasible for
  34  * technical reasons, the Appropriate Legal Notices must display the words
  35  * "Powered by SugarCRM".
  36  ********************************************************************************/
  37
  38
  39
  40
  41 /**
  42  * This file is used to control the authentication process.
  43  * It will call on the user authenticate and controll redirection
  44  * based on the users validation
  45  *
  46  */
  47 class SugarAuthenticate{
  48         var $userAuthenticateClass = 'SugarAuthenticateUser';
  49         var $authenticationDir = 'SugarAuthenticate';
  50         /**
  51          * Constructs SugarAuthenticate
  52          * This will load the user authentication class
  53          *
  54          * @return SugarAuthenticate
  55          */
  56         function SugarAuthenticate(){
  57                 require_once('modules/Users/authentication/'. $this->authenticationDir . '/'. $this->userAuthenticateClass . '.php');
  58                 $this->userAuthenticate = new $this->userAuthenticateClass();
  59
  60         }
  61         /**
  62          * Authenticates a user based on the username and password
  63          * returns true if the user was authenticated false otherwise
  64          * it also will load the user into current user if he was authenticated
  65          *
  66          * @param string $username
  67          * @param string $password
  68          * @return boolean
  69          */
  70         function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
  71                 global $mod_strings;
  72                 unset($_SESSION['login_error']);
  73                 $usr= new user();
  74                 $usr_id=$usr->retrieve_user_id($username);
  75                 $usr->retrieve($usr_id);
  76                 $_SESSION['login_error']='';
  77                 $_SESSION['waiting_error']='';
  78                 $_SESSION['hasExpiredPassword']='0';
  79                 if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
  80                         require_once('modules/Users/password_utils.php');
  81                         if(hasPasswordExpired($username)) {
  82                                 $_SESSION['hasExpiredPassword'] = '1';
  83                         }
  84                         return $this->postLoginAuthenticate();
  85
  86                 }
  87                 else
  88                 {
  89                         if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
  90                                 if (($logout=$usr->getPreference('loginfailed'))=='')
  91                                 $usr->setPreference('loginfailed','1');
  92                         else
  93                                 $usr->setPreference('loginfailed',$logout+1);
  94                         $usr->savePreferencesToDB();
  95                 }
  96                 }
  97                 if(strtolower(get_class($this)) != 'sugarauthenticate'){
  98                         $sa = new SugarAuthenticate();
  99                         $error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
 100                         if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
 101                                 return true;
 102                         }
 103                         $_SESSION['login_error'] = $error;
 104                 }
 105
 106
 107                 $_SESSION['login_user_name'] = $username;
 108                 $_SESSION['login_password'] = $password;
 109                 if(empty($_SESSION['login_error'])){
 110                         $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
 111                 }
 112
 113                 return false;
 114
 115         }
 116
 117         /**
 118          * Once a user is authenticated on login this function will be called. Populate the session with what is needed and log anything that needs to be logged
 119          *
 120          */
 121         function postLoginAuthenticate(){
 122
 123                 global $reset_theme_on_default_user, $reset_language_on_default_user, $sugar_config;
 124                 //THIS SECTION IS TO ENSURE VERSIONS ARE UPTODATE
 125
 126                 require_once ('modules/Versions/CheckVersions.php');
 127                 $invalid_versions = get_invalid_versions();
 128                 if (!empty ($invalid_versions)) {
 129                         if (isset ($invalid_versions['Rebuild Relationships'])) {
 130                                 unset ($invalid_versions['Rebuild Relationships']);
 131
 132                                 // flag for pickup in DisplayWarnings.php
 133                                 $_SESSION['rebuild_relationships'] = true;
 134                         }
 135
 136                         if (isset ($invalid_versions['Rebuild Extensions'])) {
 137                                 unset ($invalid_versions['Rebuild Extensions']);
 138
 139                                 // flag for pickup in DisplayWarnings.php
 140                                 $_SESSION['rebuild_extensions'] = true;
 141                         }
 142
 143                         $_SESSION['invalid_versions'] = $invalid_versions;
 144                 }
 145
 146
 147                 //just do a little house cleaning here
 148                 unset($_SESSION['login_password']);
 149                 unset($_SESSION['login_error']);
 150                 unset($_SESSION['login_user_name']);
 151                 unset($_SESSION['ACL']);
 152
 153                 //set the server unique key
 154                 if (isset ($sugar_config['unique_key']))$_SESSION['unique_key'] = $sugar_config['unique_key'];
 155
 156                 //set user language
 157                 if (isset ($reset_language_on_default_user) && $reset_language_on_default_user && $$GLOBALS['current_user']->user_name == $sugar_config['default_user_name']) {
 158                         $authenticated_user_language = $sugar_config['default_language'];
 159                 } else {
 160                         $authenticated_user_language = isset($_REQUEST['login_language']) ? $_REQUEST['login_language'] : (isset ($_REQUEST['ck_login_language_20']) ? $_REQUEST['ck_login_language_20'] : $sugar_config['default_language']);
 161                 }
 162
 163                 $_SESSION['authenticated_user_language'] = $authenticated_user_language;
 164
 165                 $GLOBALS['log']->debug("authenticated_user_language is $authenticated_user_language");
 166
 167                 // Clear all uploaded import files for this user if it exists
 168
 169                 $tmp_file_name = $sugar_config['import_dir']."IMPORT_".$GLOBALS['current_user']->id;
 170
 171                 if (file_exists($tmp_file_name)) {
 172                         unlink($tmp_file_name);
 173                 }
 174
 175
 176
 177                 return true;
 178         }
 179
 180         /**
 181          * On every page hit this will be called to ensure a user is authenticated
 182          * @return boolean
 183          */
 184         function sessionAuthenticate(){
 185
 186                 global $module, $action, $allowed_actions;
 187                 $authenticated = false;
 188                 $allowed_actions = array ("Authenticate", "Login"); // these are actions where the user/server keys aren't compared
 189                 if (isset ($_SESSION['authenticated_user_id'])) {
 190
 191                         $GLOBALS['log']->debug("We have an authenticated user id: ".$_SESSION["authenticated_user_id"]);
 192
 193                         $authenticated = $this->postSessionAuthenticate();
 194
 195                 } else
 196                 if (isset ($action) && isset ($module) && $action == "Authenticate" && $module == "Users") {
 197                         $GLOBALS['log']->debug("We are authenticating user now");
 198                 } else {
 199                         $GLOBALS['log']->debug("The current user does not have a session.  Going to the login page");
 200                         $action = "Login";
 201                         $module = "Users";
 202                         $_REQUEST['action'] = $action;
 203                         $_REQUEST['module'] = $module;
 204                 }
 205                 if (empty ($GLOBALS['current_user']->id) && !in_array($action, $allowed_actions)) {
 206
 207                         $GLOBALS['log']->debug("The current user is not logged in going to login page");
 208                         $action = "Login";
 209                         $module = "Users";
 210                         $_REQUEST['action'] = $action;
 211                         $_REQUEST['module'] = $module;
 212
 213                 }
 214
 215                 if($authenticated && ((empty($_REQUEST['module']) || empty($_REQUEST['action'])) || ($_REQUEST['module'] != 'Users' || $_REQUEST['action'] != 'Logout'))){
 216                         $this->validateIP();
 217                 }
 218                 return $authenticated;
 219         }
 220
 221
 222
 223
 224         /**
 225          * Called after a session is authenticated - if this returns false the sessionAuthenticate will return false and destroy the session
 226          * and it will load the  current user
 227          * @return boolean
 228          */
 229
 230         function postSessionAuthenticate(){
 231
 232                 global $action, $allowed_actions, $sugar_config;
 233                 $_SESSION['userTime']['last'] = time();
 234                 $user_unique_key = (isset ($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
 235                 $server_unique_key = (isset ($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
 236
 237                 //CHECK IF USER IS CROSSING SITES
 238                 if (($user_unique_key != $server_unique_key) && (!in_array($action, $allowed_actions)) && (!isset ($_SESSION['login_error']))) {
 239
 240                         session_destroy();
 241                         $post_login_nav = '';
 242                         if (!empty ($record) && !empty ($action) && !empty ($module)) {
 243                                 $post_login_nav = "&login_module=".$module."&login_action=".$action."&login_record=".$record;
 244                         }
 245                         $GLOBALS['log']->debug('Destroying Session User has crossed Sites');
 246                         header("Location: index.php?action=Login&module=Users".$post_login_nav);
 247                         sugar_cleanup(true);
 248                 }
 249                 if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
 250                         session_destroy();
 251                         header("Location: index.php?action=Login&module=Users&loginErrorMessage=LBL_SESSION_EXPIRED");
 252                         $GLOBALS['log']->debug('Current user session does not exist redirecting to login');
 253                         sugar_cleanup(true);
 254                 }
 255                 $GLOBALS['log']->debug('Current user is: '.$GLOBALS['current_user']->user_name);
 256                 return true;
 257         }
 258
 259         /**
 260          * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
 261          *
 262          */
 263         function validateIP() {
 264                 global $sugar_config;
 265                 // grab client ip address
 266                 $clientIP = query_client_ip();
 267                 $classCheck = 0;
 268                 // check to see if config entry is present, if not, verify client ip
 269                 if (!isset ($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
 270                         // check to see if we've got a current ip address in $_SESSION
 271                         // and check to see if the session has been hijacked by a foreign ip
 272                         if (isset ($_SESSION["ipaddress"])) {
 273                                 $session_parts = explode(".", $_SESSION["ipaddress"]);
 274                                 $client_parts = explode(".", $clientIP);
 275                 if(count($session_parts) < 4) {
 276                     $classCheck = 0;
 277                 }
 278                 else {
 279                                 // match class C IP addresses
 280                                 for ($i = 0; $i < 3; $i ++) {
 281                                         if ($session_parts[$i] == $client_parts[$i]) {
 282                                                 $classCheck = 1;
 283                                                 continue;
 284                                         } else {
 285                                                 $classCheck = 0;
 286                                                 break;
 287                                         }
 288                                 }
 289                 }
 290                                 // we have a different IP address
 291                                 if ($_SESSION["ipaddress"] != $clientIP && empty ($classCheck)) {
 292                                         $GLOBALS['log']->fatal("IP Address mismatch: SESSION IP: {$_SESSION['ipaddress']} CLIENT IP: {$clientIP}");
 293                                         session_destroy();
 294                                         die("Your session was terminated due to a significant change in your IP address.  <a href=\"{$sugar_config['site_url']}\">Return to Home</a>");
 295                                 }
 296                         } else {
 297                                 $_SESSION["ipaddress"] = $clientIP;
 298                         }
 299                 }
 300
 301         }
 302
 303
 304
 305
 306         /**
 307          * Called when a user requests to logout
 308          *
 309          */
 310         function logout(){
 311                         session_destroy();
 312                         ob_clean();
 313                         header('Location: index.php?module=Users&action=Login');
 314                         sugar_cleanup(true);
 315         }
 316
 317
 318         /**
 319          * Encodes a users password. This is a static function and can be called at any time.
 320          *
 321          * @param STRING $password
 322          * @return STRING $encoded_password
 323          */
 324         function encodePassword($password){
 325                 return strtolower(md5($password));
 326         }
 327
 328         /**
 329          * If a user may change there password through the Sugar UI
 330          *
 331          */
 332         function canChangePassword(){
 333                 return true;
 334         }
 335         /**
 336          * If a user may change there user name through the Sugar UI
 337          *
 338          */
 339         function canChangeUserName(){
 340                 return true;
 341         }
 342
 343
 344
 345
 346 }