modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php

   1 <?php
   2 if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
   3 /*********************************************************************************
   4  * SugarCRM Community Edition is a customer relationship management program developed by
   5  * SugarCRM, Inc. Copyright (C) 2004-2012 SugarCRM Inc.
   6  *
   7  * This program is free software; you can redistribute it and/or modify it under
   8  * the terms of the GNU Affero General Public License version 3 as published by the
   9  * Free Software Foundation with the addition of the following permission added
  10  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
  11  * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
  12  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
  13  *
  14  * This program is distributed in the hope that it will be useful, but WITHOUT
  15  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
  16  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
  17  * details.
  18  *
  19  * You should have received a copy of the GNU Affero General Public License along with
  20  * this program; if not, see http://www.gnu.org/licenses or write to the Free
  21  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
  22  * 02110-1301 USA.
  23  *
  24  * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
  25  * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
  26  *
  27  * The interactive user interfaces in modified source and object code versions
  28  * of this program must display Appropriate Legal Notices, as required under
  29  * Section 5 of the GNU Affero General Public License version 3.
  30  *
  31  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
  32  * these Appropriate Legal Notices must retain the display of the "Powered by
  33  * SugarCRM" logo. If the display of the logo is not reasonably feasible for
  34  * technical reasons, the Appropriate Legal Notices must display the words
  35  * "Powered by SugarCRM".
  36  ********************************************************************************/
  37
  38
  39
  40
  41 /**
  42  * This file is used to control the authentication process.
  43  * It will call on the user authenticate and controll redirection
  44  * based on the users validation
  45  *
  46  */
  47 class SugarAuthenticate{
  48         var $userAuthenticateClass = 'SugarAuthenticateUser';
  49         var $authenticationDir = 'SugarAuthenticate';
  50         /**
  51          * Constructs SugarAuthenticate
  52          * This will load the user authentication class
  53          *
  54          * @return SugarAuthenticate
  55          */
  56         function SugarAuthenticate()
  57         {
  58             // check in custom dir first, in case someone want's to override an auth controller
  59                 if (file_exists('custom/modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php')) {
  60             require_once('custom/modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php');
  61         }
  62         elseif (file_exists('modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php')) {
  63             require_once('modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php');
  64         }
  65
  66         $this->userAuthenticate = new $this->userAuthenticateClass();
  67         }
  68         /**
  69          * Authenticates a user based on the username and password
  70          * returns true if the user was authenticated false otherwise
  71          * it also will load the user into current user if he was authenticated
  72          *
  73          * @param string $username
  74          * @param string $password
  75          * @return boolean
  76          */
  77         function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
  78                 global $mod_strings;
  79                 unset($_SESSION['login_error']);
  80                 $usr= new user();
  81                 $usr_id=$usr->retrieve_user_id($username);
  82                 $usr->retrieve($usr_id);
  83                 $_SESSION['login_error']='';
  84                 $_SESSION['waiting_error']='';
  85                 $_SESSION['hasExpiredPassword']='0';
  86                 if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
  87                         require_once('modules/Users/password_utils.php');
  88                         if(hasPasswordExpired($username)) {
  89                                 $_SESSION['hasExpiredPassword'] = '1';
  90                         }
  91                         // now that user is authenticated, reset loginfailed
  92                         if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
  93                                 $usr->setPreference('loginfailed','0');
  94                                 $usr->savePreferencesToDB();
  95                         }
  96                         return $this->postLoginAuthenticate();
  97
  98                 }
  99                 else
 100                 {
 101                         if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
 102                                 if (($logout=$usr->getPreference('loginfailed'))=='')
 103                                 $usr->setPreference('loginfailed','1');
 104                         else
 105                                 $usr->setPreference('loginfailed',$logout+1);
 106                         $usr->savePreferencesToDB();
 107                 }
 108                 }
 109                 if(strtolower(get_class($this)) != 'sugarauthenticate'){
 110                         $sa = new SugarAuthenticate();
 111                         $error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
 112                         if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
 113                                 return true;
 114                         }
 115                         $_SESSION['login_error'] = $error;
 116                 }
 117
 118
 119                 $_SESSION['login_user_name'] = $username;
 120                 $_SESSION['login_password'] = $password;
 121                 if(empty($_SESSION['login_error'])){
 122                         $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
 123                 }
 124
 125                 return false;
 126
 127         }
 128
 129         /**
 130          * Once a user is authenticated on login this function will be called. Populate the session with what is needed and log anything that needs to be logged
 131          *
 132          */
 133         function postLoginAuthenticate(){
 134
 135                 global $reset_theme_on_default_user, $reset_language_on_default_user, $sugar_config;
 136                 //THIS SECTION IS TO ENSURE VERSIONS ARE UPTODATE
 137
 138                 require_once ('modules/Versions/CheckVersions.php');
 139                 $invalid_versions = get_invalid_versions();
 140                 if (!empty ($invalid_versions)) {
 141                         if (isset ($invalid_versions['Rebuild Relationships'])) {
 142                                 unset ($invalid_versions['Rebuild Relationships']);
 143
 144                                 // flag for pickup in DisplayWarnings.php
 145                                 $_SESSION['rebuild_relationships'] = true;
 146                         }
 147
 148                         if (isset ($invalid_versions['Rebuild Extensions'])) {
 149                                 unset ($invalid_versions['Rebuild Extensions']);
 150
 151                                 // flag for pickup in DisplayWarnings.php
 152                                 $_SESSION['rebuild_extensions'] = true;
 153                         }
 154
 155                         $_SESSION['invalid_versions'] = $invalid_versions;
 156                 }
 157
 158
 159                 //just do a little house cleaning here
 160                 unset($_SESSION['login_password']);
 161                 unset($_SESSION['login_error']);
 162                 unset($_SESSION['login_user_name']);
 163                 unset($_SESSION['ACL']);
 164
 165                 //set the server unique key
 166                 if (isset ($sugar_config['unique_key']))$_SESSION['unique_key'] = $sugar_config['unique_key'];
 167
 168                 //set user language
 169                 if (isset ($reset_language_on_default_user) && $reset_language_on_default_user && $GLOBALS['current_user']->user_name == $sugar_config['default_user_name']) {
 170                         $authenticated_user_language = $sugar_config['default_language'];
 171                 } else {
 172                         $authenticated_user_language = isset($_REQUEST['login_language']) ? $_REQUEST['login_language'] : (isset ($_REQUEST['ck_login_language_20']) ? $_REQUEST['ck_login_language_20'] : $sugar_config['default_language']);
 173                 }
 174
 175                 $_SESSION['authenticated_user_language'] = $authenticated_user_language;
 176
 177                 $GLOBALS['log']->debug("authenticated_user_language is $authenticated_user_language");
 178
 179                 // Clear all uploaded import files for this user if it exists
 180         require_once('modules/Import/ImportCacheFiles.php');
 181         $tmp_file_name = ImportCacheFiles::getImportDir()."/IMPORT_" . $GLOBALS['current_user']->id;
 182
 183                 if (file_exists($tmp_file_name)) {
 184                         unlink($tmp_file_name);
 185                 }
 186
 187                 return true;
 188         }
 189
 190         /**
 191          * On every page hit this will be called to ensure a user is authenticated
 192          * @return boolean
 193          */
 194         function sessionAuthenticate(){
 195
 196                 global $module, $action, $allowed_actions;
 197                 $authenticated = false;
 198                 $allowed_actions = array ("Authenticate", "Login"); // these are actions where the user/server keys aren't compared
 199                 if (isset ($_SESSION['authenticated_user_id'])) {
 200
 201                         $GLOBALS['log']->debug("We have an authenticated user id: ".$_SESSION["authenticated_user_id"]);
 202
 203                         $authenticated = $this->postSessionAuthenticate();
 204
 205                 } else
 206                 if (isset ($action) && isset ($module) && $action == "Authenticate" && $module == "Users") {
 207                         $GLOBALS['log']->debug("We are authenticating user now");
 208                 } else {
 209                         $GLOBALS['log']->debug("The current user does not have a session.  Going to the login page");
 210                         $action = "Login";
 211                         $module = "Users";
 212                         $_REQUEST['action'] = $action;
 213                         $_REQUEST['module'] = $module;
 214                 }
 215                 if (empty ($GLOBALS['current_user']->id) && !in_array($action, $allowed_actions)) {
 216
 217                         $GLOBALS['log']->debug("The current user is not logged in going to login page");
 218                         $action = "Login";
 219                         $module = "Users";
 220                         $_REQUEST['action'] = $action;
 221                         $_REQUEST['module'] = $module;
 222
 223                 }
 224
 225                 if($authenticated && ((empty($_REQUEST['module']) || empty($_REQUEST['action'])) || ($_REQUEST['module'] != 'Users' || $_REQUEST['action'] != 'Logout'))){
 226                         $this->validateIP();
 227                 }
 228                 return $authenticated;
 229         }
 230
 231
 232
 233
 234         /**
 235          * Called after a session is authenticated - if this returns false the sessionAuthenticate will return false and destroy the session
 236          * and it will load the  current user
 237          * @return boolean
 238          */
 239
 240         function postSessionAuthenticate(){
 241
 242                 global $action, $allowed_actions, $sugar_config;
 243                 $_SESSION['userTime']['last'] = time();
 244                 $user_unique_key = (isset ($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
 245                 $server_unique_key = (isset ($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
 246
 247                 //CHECK IF USER IS CROSSING SITES
 248                 if (($user_unique_key != $server_unique_key) && (!in_array($action, $allowed_actions)) && (!isset ($_SESSION['login_error']))) {
 249
 250                         $GLOBALS['log']->debug('Destroying Session User has crossed Sites');
 251                     session_destroy();
 252                         header("Location: index.php?action=Login&module=Users".$GLOBALS['app']->getLoginRedirect());
 253                         sugar_cleanup(true);
 254                 }
 255                 if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
 256                         session_destroy();
 257                         header("Location: index.php?action=Login&module=Users&loginErrorMessage=LBL_SESSION_EXPIRED");
 258                         $GLOBALS['log']->debug('Current user session does not exist redirecting to login');
 259                         sugar_cleanup(true);
 260                 }
 261                 $GLOBALS['log']->debug('Current user is: '.$GLOBALS['current_user']->user_name);
 262                 return true;
 263         }
 264
 265         /**
 266          * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
 267          *
 268          */
 269         function validateIP() {
 270                 global $sugar_config;
 271                 // grab client ip address
 272                 $clientIP = query_client_ip();
 273                 $classCheck = 0;
 274                 // check to see if config entry is present, if not, verify client ip
 275                 if (!isset ($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
 276                         // check to see if we've got a current ip address in $_SESSION
 277                         // and check to see if the session has been hijacked by a foreign ip
 278                         if (isset ($_SESSION["ipaddress"])) {
 279                                 $session_parts = explode(".", $_SESSION["ipaddress"]);
 280                                 $client_parts = explode(".", $clientIP);
 281                 if(count($session_parts) < 4) {
 282                     $classCheck = 0;
 283                 }
 284                 else {
 285                                 // match class C IP addresses
 286                                 for ($i = 0; $i < 3; $i ++) {
 287                                         if ($session_parts[$i] == $client_parts[$i]) {
 288                                                 $classCheck = 1;
 289                                                 continue;
 290                                         } else {
 291                                                 $classCheck = 0;
 292                                                 break;
 293                                         }
 294                                 }
 295                 }
 296                                 // we have a different IP address
 297                                 if ($_SESSION["ipaddress"] != $clientIP && empty ($classCheck)) {
 298                                         $GLOBALS['log']->fatal("IP Address mismatch: SESSION IP: {$_SESSION['ipaddress']} CLIENT IP: {$clientIP}");
 299                                         session_destroy();
 300                                         die("Your session was terminated due to a significant change in your IP address.  <a href=\"{$sugar_config['site_url']}\">Return to Home</a>");
 301                                 }
 302                         } else {
 303                                 $_SESSION["ipaddress"] = $clientIP;
 304                         }
 305                 }
 306
 307         }
 308
 309
 310
 311
 312         /**
 313          * Called when a user requests to logout
 314          *
 315          */
 316         function logout(){
 317                         session_destroy();
 318                         ob_clean();
 319                         header('Location: index.php?module=Users&action=Login');
 320                         sugar_cleanup(true);
 321         }
 322
 323
 324         /**
 325          * Encodes a users password. This is a static function and can be called at any time.
 326          *
 327          * @param STRING $password
 328          * @return STRING $encoded_password
 329          */
 330         function encodePassword($password){
 331                 return strtolower(md5($password));
 332         }
 333
 334         /**
 335          * If a user may change there password through the Sugar UI
 336          *
 337          */
 338         function canChangePassword(){
 339                 return true;
 340         }
 341         /**
 342          * If a user may change there user name through the Sugar UI
 343          *
 344          */
 345         function canChangeUserName(){
 346                 return true;
 347         }
 348
 349
 350     /**
 351      * pre_login
 352      *
 353      * This function allows the SugarAuthenticate subclasses to perform some pre login initialization as needed
 354      */
 355     function pre_login()
 356     {
 357     }
 358
 359 }