Commit 0db1b771 authored by Leigh Stoller

A set of changes to the login mechanism. Use the cookie to determine
who the user is instead of passing ?uid to every page all the way down.
Update login timeout with each useful operation (done in checklogin).
Put default user name in the login box when visiting the page.
parent 8ca84bb5
......@@ -8,9 +8,10 @@ importance should be obvious. Whoever does this work *will* program in the
dominate style of the existing, newly written, 4500 lines of code! Now, if
I could just figure out how to add a php mode to emacs ...
* Add password hint for the clueless users who forget their passwords.
* Add DB connect as authorized user so we can track whats going in
the DB log files.
* tbend should work from the database, not the .ir file.
* Add password hint for the clueless users who forget their passwords.
* Put a limit on the number of new users/projects that can be
unapproved (to prevent DOS attacks on the database).
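Review bot: the "Add password hint for the clueless users who forget their passwords" item appears twice in this hunk, once above the new "Add DB connect as authorized user" entry and once again after the "tbend should work from the database" entry; keep a single copy.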
......@@ -30,11 +31,7 @@ I could just figure out how to add a php mode to emacs ...
include the uid in the existing cookie (the one I added to send back the
hash key).
* Look at the 'suexec' program from the Apache distribution and use it
as the basis for the "run as a user" program. Instead of checking
the home directory, it'll check the database.
* Fix the email list problem. Right now we add people people to the two
* Fix the email list problem. Right now we add people to the two
email list files in /usr/testbed/www/maillist when they apply. We should
either delay that until they are approved, or make sure they get taken
back out when denied.
......@@ -54,19 +51,12 @@ I could just figure out how to add a php mode to emacs ...
certificates. I'm not too crazy about this unless its easy to do all of it
on my home machine (apache server).
* Continue to hook up the backend parts of the system, which right now is a
major unfinished piece of business.
* More linking of information in the forms. There are some obvious places
where stuff should be presented as hypertext links so that navigation is
easier.
* Backup links in all the pages.
* Change to ?uid=stoller&pid=testbed style arguments in all the pages I
have not yet fixed (that is, get rid of that regex thing at the top of
the page to find the arguments).
* Admin page to remove a project.
* Admin page to remove a user.
......@@ -82,8 +72,6 @@ I could just figure out how to add a php mode to emacs ...
experiment name, downcase it. Mac was going to do this, but I don't know
if he got to it.
* Get people to go use the pages (including modify user information!).
* Lastly, macrofy the entire thing and get rid the damn frames! I hate
frames!
......
......@@ -3,20 +3,17 @@ include("defs.php3");
PAGEHEADER("New User");
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
#
# Get current user.
#
$uid = GETLOGIN();
#
# If a uid came in, then we check to see if the login is valid.
# If the login is not valid, then quit cause we don't want to display the
# personal information for some random ?uid argument.
#
if (isset($uid)) {
if ($uid) {
if (CHECKLOGIN($uid) != 1) {
USERERROR("You are not logged in. Please log in and try again.", 1);
}
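Review bot: the inner `if (CHECKLOGIN($uid) != 1)` test is redundant once `$uid = GETLOGIN();` is used, because GETLOGIN() only returns a uid when CHECKLOGIN() has already returned 1, and the second CHECKLOGIN() call repeats the login-timeout UPDATE in the database. Either drop the inner check, or use GETUID() here if the intent is to pre-fill the form for a uid the browser still remembers. The comment "If a uid came in ... some random ?uid argument" still describes the removed ereg() parsing of $REQUEST_URI and should say the uid now comes from the login cookie.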
......
......@@ -9,6 +9,7 @@ PAGEHEADER("New Project Approved");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......
......@@ -9,6 +9,7 @@ PAGEHEADER("New Project Approval");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -19,6 +20,14 @@ if (! $isadmin) {
USERERROR("You do not have admin privledges to approve projects!", 1);
}
#
# Verify arguments.
#
if (!isset($pid) ||
strcmp($pid, "") == 0) {
USERERROR("You must provide a project ID.", 1);
}
echo "<center><h1>Approve a Project</h1></center>\n";
#
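Review bot: the new $pid check only rejects a missing or empty value, and $pid is then written unescaped into the form action (`approveproject.php3?pid=$pid`); restrict it to the alphanumeric pattern the removed per-page ereg() code enforced, or at least escape it, before using it in HTML.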
......@@ -75,7 +84,7 @@ echo "<center>
<h3>What would you like to do?</h3>
</center>
<table align=center border=1>
<form action='approveproject.php3?uid=$uid&pid=$pid' method='post'>\n";
<form action='approveproject.php3?pid=$pid' method='post'>\n";
echo "<tr>
<td align=center>
......
......@@ -9,6 +9,7 @@ PAGEHEADER("New Project Approval List");
#
# Only known and logged in users can do this. uid came in with the URI.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
echo "<center><h1>Approve New Projects List</h1></center>\n";
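Review bot: the comment "uid came in with the URI" is stale now that `$uid = GETLOGIN();` supplies it; reword it to say the uid is taken from the login cookie.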
......@@ -87,12 +88,12 @@ while ($projectrow = mysql_fetch_array($query_result)) {
</tr>
<tr>
<td align=center rowspan=2>
<A href='approveproject_form.php3?uid=$uid&pid=$pid'>
<A href='approveproject_form.php3?pid=$pid'>
<img alt=\"o\" src=\"redball.gif\"></A></td>
<td rowspan=2>
<A href='showproject.php3?uid=$uid&pid=$pid'>$pid</A></td>
<A href='showproject.php3?pid=$pid'>$pid</A></td>
<td rowspan=2>
<A href='showuser.php3?uid=$uid&target_uid=$headuid'>
<A href='showuser.php3?target_uid=$headuid'>
$headuid</A></td>
<td>$name</td>
<td>$title</td>
......
......@@ -9,14 +9,7 @@ PAGEHEADER("New Users Approved");
#
# Only known and logged in users can be verified.
#
$uid = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$uid=$Vals[1];
addslashes($uid);
}
else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
echo "<center><h1>
......
......@@ -9,14 +9,7 @@ PAGEHEADER("New Users Approval Form");
#
# Only known and logged in users can be verified.
#
$auth_usr = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$auth_usr=$Vals[1];
addslashes($auth_usr);
}
else {
unset($auth_usr);
}
$auth_usr = GETLOGIN();
LOGGEDINORDIE($auth_usr);
echo "
......@@ -105,7 +98,7 @@ echo "<tr>
<td>Zip</td>
</tr>\n";
echo "<form action='approveuser.php3?$auth_usr' method='post'>\n";
echo "<form action='approveuser.php3' method='post'>\n";
while ($usersrow = mysql_fetch_array($query_result)) {
$newuid = $usersrow[uid];
......
......@@ -9,13 +9,7 @@ PAGEHEADER("Begin an Experiment Form");
#
# Only known and logged in users can begin experiments.
#
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......
......@@ -36,7 +36,8 @@ if (!isset($exp_created) ||
}
#
# Only known and logged in users can begin experiments.
# Only known and logged in users can begin experiments. Name came in as
# a POST var.
#
LOGGEDINORDIE($uid);
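Review bot: this page still takes $uid from the POST body ("Name came in as a POST var") and only then calls LOGGEDINORDIE($uid), while every other page in this commit derives the uid from the cookie via GETLOGIN(). A form-submitted uid can disagree with the uid the cookie identifies, so set `$uid = GETLOGIN();` here as well and ignore the posted value, so the action runs as the cookie-authenticated user.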
......
......@@ -27,6 +27,7 @@ $TBUSER_DIR = "/users/";
$TBNSSUBDIR = "nsdir";
$TBAUTHCOOKIE = "HashCookie";
$TBNAMECOOKIE = "MyUidCookie";
$TBAUTHTIMEOUT = 10800;
$TBAUTHDOMAIN = ".emulab.net";
#$TBAUTHDOMAIN = "golden-gw.ballmoss.com";
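Review bot: `$TBAUTHTIMEOUT = 10800;` needs a comment giving its unit. CHECKLOGIN() adds it to time(), so it is seconds (three hours), and a reader of defs.php3 cannot tell that from the bare number.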
......
......@@ -9,13 +9,7 @@ PAGEHEADER("Terminate Experiment");
#
# Only known and logged in users can end experiments.
#
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......
......@@ -9,13 +9,7 @@ PAGEHEADER("Terminate Experiment Form");
#
# Only known and logged in users can end experiments.
#
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -59,7 +53,7 @@ you are a member of.</h2>
<table align="center" border="1">
<?php
echo "<form action=\"endexp.php3?$uid\" method=\"post\">";
echo "<form action=\"endexp.php3\" method=\"post\">";
echo "<tr>
<td align='center'>Project/Experiment</td>
</tr>\n";
......
......@@ -10,8 +10,6 @@ if (isset($login)) {
#
# Login button pressed.
#
unset($login);
if (!isset($uid) ||
strcmp($uid, "") == 0) {
$login_status = "Login Failed";
......@@ -31,20 +29,17 @@ elseif (isset($logout)) {
#
# Logout button pressed.
#
unset($logout);
DOLOGOUT($uid);
$login_status = "$uid Logged Out";
unset($uid);
}
elseif (isset($uid)) {
elseif ($uid = GETUID()) {
#
# Check to make sure the UID is logged in (not timed out).
#
$status = CHECKLOGIN($uid);
switch ($status) {
case 0:
$login_status = "$uid Not Logged In";
unset($uid);
break;
case 1:
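Review bot: `elseif ($uid = GETUID())` assigns inside the condition and reads like a typo for `==`; assign first and then test `$uid`. More importantly, GETUID() returns the raw cookie value and it is passed straight to CHECKLOGIN(), which interpolates it into a SQL statement, whereas the removed per-page code only accepted a uid matching `[[:alnum:]]+`. Apply that same format check to the cookie-derived uid before passing it on.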
......@@ -97,28 +92,28 @@ if (isset($uid)) {
if ($status == "active") {
if ($admin) {
echo "<A href='approveproject_list.php3?uid=$uid'>
echo "<A href='approveproject_list.php3'>
New Project Approval</A><p>\n";
echo "<A href='showproject_list.php3?uid=$uid'>
echo "<A href='showproject_list.php3'>
Project Information</A><p>\n";
echo "<A href='nodecontrol_list.php3?uid=$uid'>
echo "<A href='nodecontrol_list.php3'>
Node Control</A><p>\n";
}
if ($trusted) {
# Only group leaders can do these options
echo "<A href='approveuser_form.php3?$uid'>
echo "<A href='approveuser_form.php3'>
New User Approval</A>\n";
}
# Since a user can be a member of more than one project,
# display this option, and let the form decide if the user is
# allowed to do this.
echo "<p><A href='beginexp_form.php3?$uid'>
echo "<p><A href='beginexp_form.php3'>
Begin an Experiment</A>\n";
echo "<p><A href='endexp_form.php3?$uid'>
echo "<p><A href='endexp_form.php3'>
End an Experiment</A>\n";
echo "<p><A href='showexp_form.php3?$uid'>
echo "<p><A href='showexp_form.php3'>
Experiment Information</A>\n";
echo "<p><A href='modusr_form.php3?$uid'>
echo "<p><A href='modusr_form.php3'>
Update user information</A>\n";
echo "<p><A href='reserved.php3'>
Node Reservation Status</A>\n";
......@@ -131,7 +126,7 @@ if (isset($uid)) {
"Please try back later", 1);
}
elseif (($status == "newuser") || ($status == "unverified")) {
echo "<A href='verifyusr_form.php3?$uid'>New User Verification</A>\n";
echo "<A href='verifyusr_form.php3'>New User Verification</A>\n";
}
elseif (($status == "frozen") || ($status == "other")) {
USERERROR("Your account has been changed to status $status, and is ".
......@@ -143,14 +138,9 @@ if (isset($uid)) {
#
# Standard options for anyone.
#
if (isset($uid)) {
echo "<p><A href=\"newproject_form.php3?$uid\">Start a Project</A>\n";
echo "<p><A href=\"addusr.php3?$uid\">Join a Project</A>\n";
}
else {
echo "<p><A href=\"newproject_form.php3\">Start a Project</A>\n";
echo "<p><A href=\"addusr.php3\">Join a Project</A>\n";
}
echo "<p><A href=\"newproject_form.php3\">Start Project</A>\n";
echo "<p><A href=\"addusr.php3\">Join Project</A>\n";
echo "<hr>";
echo "<table cellpadding=\"0\" cellspacing=\"0\" width=\"100%\">";
echo "<form action=\"index.php3\" method=\"post\" target=\"fixed\">";
......@@ -168,8 +158,16 @@ if (isset($uid)) {
</tr>\n";
}
else {
#
# Get the UID that came back in the cookie so that we can present a
# default login name to the user.
#
if (($uid = GETUID()) == FALSE)
$uid = "";
echo "<tr>
<td>Username:<input type='text' name='uid' size=8></td>
<td>Username:<input type='text' value='$uid'
name='uid' size=8></td>
</tr>
<tr>
<td>Password:<input type='password' name='password' size=12></td>
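Review bot: `value='$uid'` puts the cookie value into an HTML attribute without escaping; a cookie containing a single quote or angle bracket breaks out of the attribute. Pass it through htmlspecialchars() before echoing it as the default login name, or only accept alphanumeric uids in GETUID().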
......
......@@ -9,14 +9,7 @@ PAGEHEADER("Modify User Information Form");
#
# Only known and logged in users can modify info.
#
$uid = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$uid=$Vals[1];
addslashes($uid);
}
else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
?>
......@@ -55,7 +48,7 @@ $usr_affil = $row[usr_affil];
#
# Generate the form.
#
echo "<form action=\"modusr_process.php3?$uid\" method=\"post\">\n";
echo "<form action=\"modusr_process.php3\" method=\"post\">\n";
echo "<tr>
<td>Username:</td>
<td class=\"left\">
......
......@@ -44,7 +44,7 @@ if (!isset($usr_affil) ||
}
#
# Only known and logged in users can modify info.
# Only known and logged in users can modify info. uid came in as a POST var.
#
LOGGEDINORDIE($uid);
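Review bot: as on the begin-experiment page, $uid is taken from the POST var ("uid came in as a POST var") rather than from GETLOGIN(), so LOGGEDINORDIE() verifies whichever uid the form submitted instead of the one the cookie identifies. Derive it from the cookie here too so the modification is applied to the logged-in user's own record.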
......
......@@ -3,20 +3,17 @@ include("defs.php3");
PAGEHEADER("Start a New Project");
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
#
# Get current user.
#
$uid = GETLOGIN();
#
# If a uid came in, then we check to see if the login is valid.
# If the login is not valid, then quit cause we don't want to display the
# personal information for some random ?uid argument.
#
if (isset($uid)) {
if ($uid) {
if (CHECKLOGIN($uid) != 1) {
USERERROR("You are not logged in. Please log in and try again.", 1);
}
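Review bot: as on the new-user form, the inner `if (CHECKLOGIN($uid) != 1)` is redundant after `$uid = GETLOGIN();` (GETLOGIN() already returns FALSE unless CHECKLOGIN() returned 1) and triggers a second timeout UPDATE; drop it. The "If a uid came in ... some random ?uid argument" comment still describes the removed $REQUEST_URI parsing and should be reworded to refer to the cookie.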
......
......@@ -7,6 +7,7 @@ include("defs.php3");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -63,10 +64,10 @@ if (! $insert_result) {
# Zap back to the referrer. Seems better than a silly "we did it" message.
#
if ($refer == "list") {
header("Location: nodecontrol_list.php3?uid=$uid");
header("Location: nodecontrol_list.php3");
}
else {
header("Location: showexp.php3?uid=$uid&exp_pideid=$refer");
header("Location: showexp.php3?exp_pideid=$refer");
}
#
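Review bot: `$refer` is interpolated into the Location header without validation; only the literal "list" is special-cased and anything else is emitted verbatim as `exp_pideid=$refer`. Check that $refer has the expected pid/eid form before building the redirect, since a value containing unexpected characters (a newline in particular) ends up inside the response headers.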
......
......@@ -9,8 +9,17 @@ PAGEHEADER("Node Control Form");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
# Verify form arguments.
#
if (!isset($node_id) ||
strcmp($node_id, "") == 0) {
USERERROR("You must provide a node ID.", 1);
}
#
# Check to make sure that this is a valid nodeid
#
......@@ -60,7 +69,7 @@ echo "<table border=2 cellpadding=0 cellspacing=2
# Generate the form. Note that $refer is set by the caller so we know
# how we got to the nodecontrol page.
#
echo "<form action=\"nodecontrol.php3?uid=$uid&refer=$refer\"
echo "<form action=\"nodecontrol.php3?refer=$refer\"
method=\"post\">\n";
echo "<tr>
......
......@@ -9,6 +9,7 @@ PAGEHEADER("Node Control List");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -83,7 +84,7 @@ while ($row = mysql_fetch_array($query_result)) {
echo "<tr>
<td align=center>
<A href='nodecontrol_form.php3?uid=$uid&node_id=$node_id&refer=list'>
<A href='nodecontrol_form.php3?node_id=$node_id&refer=list'>
<img alt=\"o\" src=\"redball.gif\"></A></td>
<td>$node_id</td>
<td>$type</td>
......
<html>
<head>
<title>Foo</title>
</head>
<body bgcolor="#ffffff">
<H1>Utah Testbed Machine Status</h1>
<P>
<?
mysql_connect("localhost", "webuser", "");
$query = "SELECT n.node_id, n.type, j.eid from nodes as n left join reserved AS j ON n.node_id = j.node_id";
$result = mysql_db_query("tbdb", $query);
if (!$result) {
$err = mysql_error();
echo "<H1>Could not query the database: $err</h1>\n";
exit;
}
echo "<table border=1 padding=1>\n";
echo "<tr><td><b>ID</b></td> <td><b>Type</b></td> <td><b>Reservation Status</b></td></tr>\n";
while ($r = mysql_fetch_array($result)) {
$id = $r["node_id"]; $type = $r["type"];
$res = $r["eid"];
if (!$res || $res == "NULL") {
$res = " ";
}
echo "<tr><td>$id</td> <td>$type</td> <td>$res</td></tr>\n";
}
echo "</table>\n";
<?php
include("defs.php3");
#
# Standard Testbed Header
#
PAGEHEADER("Utah Testbed Machine Statu");
echo "<center>
<h1>Utah Testbed Machine Status</h1>
</center>\n";
$query_result = mysql_db_query($TBDBNAME,
"SELECT n.node_id, n.type, j.eid from nodes ".
"as n left join reserved AS j ON n.node_id = j.node_id");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error getting node reservation status: $err\n", 1);
}
echo "<table border=1 padding=1>\n";
echo "<tr>
<td><b>ID</b></td>
<td><b>Type</b></td>
<td><b>Reservation Status</b></td>
</tr>\n";
while ($r = mysql_fetch_array($query_result)) {
$id = $r["node_id"]; $type = $r["type"];
$res = $r["eid"];
if (!$res || $res == "NULL") {
$res = "--";
}
echo "<tr><td>$id</td> <td>$type</td> <td>$res</td></tr>\n";
}
echo "</table>\n";
#
# Standard Testbed Footer
#
PAGEFOOTER();
?>
</body>
</html>
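Review bot: `PAGEHEADER("Utah Testbed Machine Statu")` drops the final "s" of "Status"; the <h1> two lines below spells it correctly. Replacing the hard-coded `mysql_connect("localhost", "webuser", "")` with its empty password by the defs.php3 connection and reporting failures through TBERROR() is the right direction; also check whether the trailing `</body></html>` after PAGEFOOTER() duplicates what PAGEFOOTER() already emits.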
......@@ -10,6 +10,7 @@ PAGEHEADER("Show Experiment Information");
#
# Only known and logged in users can end experiments.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
......@@ -91,7 +92,7 @@ echo "<tr>
echo "<tr>
<td>Experiment Head: </td>
<td class=\"left\">
<A href='showuser.php3?uid=$uid&target_uid=$exp_head'>
<A href='showuser.php3?target_uid=$exp_head'>
$exp_head</td>
</tr>\n";
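Review bot: the Experiment Head link `<A href='showuser.php3?target_uid=$exp_head'>$exp_head</td>` is missing its closing `</A>` before `</td>`; compare the Project Head link in SHOWPROJECT(), which ends with `$proj_head_uid</A></td>`.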
......@@ -165,7 +166,7 @@ if (mysql_num_rows($reserved_result)) {
echo "<tr>
<td align=center>
<A href='nodecontrol_form.php3?uid=$uid&node_id=$node_id&refer=$exp_pideid'>
<A href='nodecontrol_form.php3?node_id=$node_id&refer=$exp_pideid'>
<img alt=\"o\" src=\"redball.gif\"></A></td>
<td>$node_id</td>
<td>$type</td>
......
......@@ -9,13 +9,7 @@ PAGEHEADER("Show Experiment Information Form");
#
# Only known and logged in users can end experiments.
#
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
......@@ -71,7 +65,7 @@ you are a member of.</h2>
<table align="center" border="1">
<?php
echo "<form action=\"showexp.php3?uid=$uid\" method=\"post\">";
echo "<form action=\"showexp.php3\" method=\"post\">";
echo "<tr>
<td align='center'>Project/Experiment</td>
</tr>\n";
......
......@@ -18,6 +18,7 @@ PAGEHEADER("Show Project Information");
#
# Only known and logged in users can end experiments.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
......@@ -70,7 +71,7 @@ if (mysql_num_rows($query_result)) {
while ($row = mysql_fetch_row($query_result)) {
$target_uid = $row[0];
echo "<tr><td>
<A href='showuser.php3?uid=$uid&target_uid=$target_uid'>
<A href='showuser.php3?target_uid=$target_uid'>
$target_uid</A>
</td>
</tr>\n";
......
......@@ -12,6 +12,7 @@ PAGEHEADER("Show Experiment Information Form");
#
# Only known and logged in users can end experiments.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -74,7 +75,7 @@ you are a member of.</h2>
<table align="center" border="1">
<?php
echo "<form action=\"showexp.php3?$uid\" method=\"post\">";
echo "<form action=\"showexp.php3\" method=\"post\">";
echo "<tr>
<td align='center'>Project/Experiment</td>
</tr>\n";
......
......@@ -12,6 +12,7 @@ PAGEHEADER("Show Experiment Information List");
#
# Only known and logged in users can end experiments.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
......@@ -56,9 +57,9 @@ while ($projectrow = mysql_fetch_array($query_result)) {
$Paffil = $projectrow[affil];
echo "<tr>
<td><A href='showproject.php3?uid=$uid&pid=$pid'>$pid</A></td>
<td><A href='showproject.php3?pid=$pid'>$pid</A></td>
<td>$Pname</td>
<td><A href='showuser.php3?uid=$uid&target_uid=$headuid'>
<td><A href='showuser.php3?target_uid=$headuid'>
$headuid</A></td>
<td>$Paffil</td>
</tr>\n";
......
......@@ -47,7 +47,7 @@ function SHOWPROJECT($pid, $thisuid) {
echo "<tr>
<td>Project Head: </td>
<td class=\"left\">
<A href='showuser.php3?uid=$thisuid&target_uid=$proj_head_uid'>
<A href='showuser.php3?target_uid=$proj_head_uid'>
$proj_head_uid</A></td>
</tr>\n";
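Review bot: with the `uid=$thisuid` query parameter removed, `$thisuid` no longer appears in the visible body of SHOWPROJECT($pid, $thisuid); if it is unused elsewhere in the function, drop the parameter and update the callers.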
......
......@@ -17,6 +17,7 @@ PAGEHEADER("Show User Information");
#
# Only known and logged in users can do this.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
$isadmin = ISADMIN($uid);
......
......@@ -19,6 +19,37 @@ function GENHASH() {
return bin2hex($hash);
}
#
# Return the value of the currently logged in uid, or null if not
# logged in. Basically, check the browser to see if its sending a UID
# and HASH back, and then check the DB to see if the useris really
# logged in.
#
function GETLOGIN() {
if (($uid = GETUID()) == FALSE)
return FALSE;
if (CHECKLOGIN($uid) == 1)
return $uid;
return FALSE;
}
#
# Return the value of the UID cookie. This does not check to see if
# this person is currently logged in. We just want to know what the
# browser thinks, if anything.
#
function GETUID() {
global $TBNAMECOOKIE, $HTTP_COOKIE_VARS;
$curname = $HTTP_COOKIE_VARS[$TBNAMECOOKIE];
if ($curname == NULL)
return FALSE;
return $curname;
}
#
# Verify a login by sucking a UID's current hash value out of the database.
# If the login has expired, or of the hashkey in the database does not
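Review bot: the GETLOGIN() comment says it returns "null if not logged in", but both failure paths `return FALSE`; make the comment match. GETUID() returns `$HTTP_COOKIE_VARS[$TBNAMECOOKIE]` verbatim, and that value becomes the $uid that CHECKLOGIN() writes into a SQL statement, so this is the place to enforce the `[[:alnum:]]+` format that the deleted per-page ereg() calls used to enforce. Minor: "useris" in the comment should read "user is".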
......@@ -31,7 +62,7 @@ function GENHASH() {
# -1 if login timed out
#
function CHECKLOGIN($uid) {
global $TBDBNAME, $TBAUTHCOOKIE, $HTTP_COOKIE_VARS;
global $TBDBNAME, $TBAUTHCOOKIE, $HTTP_COOKIE_VARS, $TBAUTHTIMEOUT;
$curhash = $HTTP_COOKIE_VARS[$TBAUTHCOOKIE];
......@@ -53,6 +84,20 @@ function CHECKLOGIN($uid) {
# A match?
if ($timeout > time() &&
strcmp($curhash, $hashkey) == 0) {
#
# We update the time in the database. Basically, each time the
# user does something, we bump the logout further into the future.
# This avoids timing them out just when they are doing useful work.
#
$timeout = time() + $TBAUTHTIMEOUT;
$query_result = mysql_db_query($TBDBNAME,
"UPDATE login set timeout='$timeout' ".
"WHERE uid=\"$uid\"");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error updating login timeout for $uid: $err", 1);
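Review bot: `"WHERE uid=\"$uid\""` interpolates the cookie-supplied uid into the UPDATE without escaping; validate its format first or quote it with addslashes(), actually using the return value (the removed `addslashes($uid);` statements discarded it). Also, because the timeout is refreshed on every successful CHECKLOGIN() call, `$timeout > time()` only enforces an idle limit of $TBAUTHTIMEOUT (10800) seconds and never an absolute session lifetime; if an absolute cap is wanted, the login start time would need to be stored as well.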