Commit d76fc450 authored by Leigh Stoller's avatar Leigh Stoller

First part of better authorization.

parent 278d1fb1
......@@ -84,7 +84,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_name]\">";
} else {
echo " type=\"text\">";
echo " type=\"text\" size=\"30\">";
}
echo " </td>
</tr>\n";
......@@ -99,7 +99,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_title]\">";
} else {
echo " type=\"text\" value=\"Professor Emeritus\">";
echo " type=\"text\" value=\"Professor Emeritus\" size=\"30\">";
}
echo " </td>
......@@ -115,7 +115,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_affil]\">";
} else {
echo " type=\"text\" value=\"UCB Networks Group\">";
echo " type=\"text\" value=\"UCB Networks Group\" size=\"40\">";
}
echo " </td>
......@@ -132,7 +132,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_email]\">";
} else {
echo " type=\"text\">";
echo " type=\"text\" size=\"30\">";
}
echo " </td>
......@@ -148,7 +148,7 @@ echo "<tr>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_addr]\">";
} else {
echo " type=\"text\">";
echo " type=\"text\" size=\"40\">";
}
echo " </td>
</tr>\n";
......@@ -162,7 +162,7 @@ echo " <td>*Phone #:</td>
if ($row) {
echo " type=\"readonly\" value=\"$row[usr_phone]\">";
} else {
echo " type=\"text\">";
echo " type=\"text\" size=\"15\">";
}
echo " </td>
</tr>\n";
......@@ -172,7 +172,7 @@ echo " </td>
#
echo "<tr>
<td>*Password:</td>
<td><input type=\"password\" name=\"password1\"></td>
<td><input type=\"password\" name=\"password1\" size=\"8\"></td>
</tr>\n";
#
......@@ -183,7 +183,7 @@ if (! $row) {
echo "<tr>
<td>*Retype<br>New Password:</td>
<td class=\"left\">
<input type=\"password\" name=\"password2\"></td>
<input type=\"password\" name=\"password2\" size=\"8\"></td>
</tr>\n";
}
......@@ -214,7 +214,7 @@ echo "<tr>
echo "<tr>
<td>*Long name:</td>
<td><input type=\"text\" name=\"grp_name\"
value=\"UCB Overlay Multicast\"></td>
value=\"UCB Overlay Multicast\" size=\"40\"></td>
</tr>\n";
#
......@@ -222,7 +222,7 @@ echo "<tr>
#
echo "<tr>
<td>+URL:</td>
<td><input type=\"text\" name=\"grp_URL\"
<td><input type=\"text\" name=\"grp_URL\" size=\"45\"
value=\"http://www.cs.berkeley.edu/netgrp/omcast/\"></td>
</tr>\n";
......@@ -231,12 +231,13 @@ echo "<tr>
#
echo "<tr>
<td>*Estimated #of PCs:</td>
<td><input type=\"text\" name=\"grp_pcs\"></td>
<td><input type=\"text\" name=\"grp_pcs\" size=\"4\"></td>
</tr>\n";
echo "<tr>
<td>*Estimated #of Sharks:</td>
<td><input type=\"text\" name=\"grp_sharks\" value=\"0\"></td>
<td><input type=\"text\" name=\"grp_sharks\" size=\"4\"
value=\"0\"></td>
</tr>\n";
#
......
......@@ -19,6 +19,11 @@ $TBLIST_USERS = "$TBLIST_DIR"."/users.txt";
$TBUSER_DIR = "/users/";
$TBNSSUBDIR = "nsdir";
$TBAUTHCOOKIE = "HashCookie";
$TBAUTHTIMEOUT = 10800;
$TBAUTHDOMAIN = "emulab.net";
#$TBAUTHDOMAIN = "C884963-A.crvlls1.or.home.com";
#
# Generate the KEY from a name
#
......@@ -32,6 +37,8 @@ function GENKEY ($name) {
# should then terminate if required to do so.
#
function TBERROR ($message, $death) {
global $TBMAIL_WWW;
if (0) {
mail($TBMAIL_WWW,
"TESTBED ERROR REPORT",
......@@ -65,6 +72,11 @@ function USERERROR($message, $death) {
<br>
</h3>";
echo "<p><p>
Please contact <a href=\"mailto:testbed-ops@flux.cs.utah.edu\">
Testbed Operations (testbed-ops@flux.cs.utah.edu)</a>
if you feel this message is an error.";
if ($death) {
echo "</body>
</html>";
......@@ -72,4 +84,8 @@ function USERERROR($message, $death) {
}
}
#
# Beware empty spaces (cookies)!
#
require("tbauth.php3");
?>
<?php
#
# Beware empty spaces (cookies)!
#
require("defs.php3");
$login_status = "";
if (isset($login)) {
#
# Login button pressed.
#
unset($login);
if (!isset($uid) ||
strcmp($uid, "") == 0) {
$login_status = "Login Failed";
unset($uid);
}
else {
if (DOLOGIN($uid, $password)) {
$login_status = "Login Failed";
unset($uid);
}
else {
$login_status = "$uid Logged In";
}
}
}
elseif (isset($logout)) {
#
# Logout button pressed.
#
unset($logout);
DOLOGOUT($uid);
$login_status = "$uid Logged Out";
unset($uid);
}
elseif (isset($uid)) {
#
# Check to make sure the UID is logged in (not timed out).
#
$status = CHECKLOGIN($uid, $HTTP_COOKIE_VARS[$TBAUTHCOOKIE]);
switch ($status) {
case 0:
$login_status = "$uid Not Logged In";
unset($uid);
break;
case 1:
$login_status = "$uid Logged In";
break;
case -1:
$login_status = "$uid Login Timed Out";
unset($uid);
break;
}
}
?>
<html>
<head>
<title>Utah Network Testbed</title>
......@@ -6,152 +66,91 @@
</head>
<body>
<a href="welcome.html"><h3>Utah Network Testbed</h3></a>
<?php
if (isset($login)) {
unset($login);
if (isset($auth_usr)) {
addslashes($auth_usr);
$query = "SELECT usr_pswd FROM users WHERE uid=\"$auth_usr\"";
$result = mysql_db_query("tbdb", $query);
$row = mysql_fetch_row($result);
$usr_pswd = $row[0];
#print "Got $usr_pswd from Database\n<br>";
$salt = substr($usr_pswd,0,2);
if ($salt[0] == $salt[1]) { $salt = $salt[0]; }
#print "Got $salt for salt\n<br>";
$PSWD = crypt("$auth_passwd",$salt);
#echo "<pre>GOT PWD $PSWD</pre>";
if ($PSWD == $usr_pswd) {
$query2 = "SELECT timeout FROM login WHERE uid=\"$auth_usr\"";
$result2 = mysql_db_query("tbdb", $query2);
$exists = mysql_num_rows($result2);
$timeout = time() + 86400;
if ($exists) {
$cmnd="update login set timeout='$timeout' where uid='$auth_usr'";
mysql_db_query("tbdb", $cmnd);
} else {
$c="insert into login (uid,timeout) values ('$auth_usr','$timeout')";
mysql_db_query("tbdb", $c);
}
$message="Welcome back, $auth_usr...<br>You are logged in.\n";
#echo $message;
} else {
$message="Login Failed\n";
#echo $message;
unset($auth_usr);
if (isset($uid)) {
echo "<hr>";
$query_result = mysql_db_query($TBDBNAME,
"SELECT status FROM users WHERE uid='$uid'");
$row = mysql_fetch_row($query_result);
$status = $row[0];
$query_result = mysql_db_query($TBDBNAME,
"SELECT trust FROM grp_memb WHERE uid='$uid'");
$row = mysql_fetch_row($query_result);
$trust = $row[0];
if ($status == "active") {
if ($trust == "group_root") {
# Only group leaders can do these options
echo "<A href='approval.php3?$uid'>New User Approval</A>\n";
}
# Since a user can be a member of more than one project (grp),
# display this option, and let the form decide if the user is
# allowed to do this.
echo "<p><A href='beginexp_form.php3?$uid'>
Begin an Experiment</A>\n";
echo "<p><A href='endexp_form.php3?$uid'>
End an Experiment</A>\n";
# Every active user can do these options. For
echo "<p><A href='showexp_form.php3?$uid'>
Show experiment information</A>\n";
echo "<p><A href='modusr_form.php3?$uid'>
Update user information</A>\n";
echo "</p>\n";
}
} else {
$message="Login Failed\n";
#echo $message;
unset($auth_usr);
}
} elseif (isset($logout)) { # a logout clause
unset($logout);
addslashes($auth_usr);
$cmnd = "delete from login WHERE uid=\"$auth_usr\"";
$result = mysql_db_query("tbdb", $cmnd);
if (!$result) {
$err = mysql_error();
$message="Logout failed: $err";
#echo $message;
} else {
$message="<p>You have been logged out, $auth_usr.</p>";
#echo $message;
unset($auth_usr);
}
} elseif (isset($auth_usr)) {
#Check login...
addslashes($auth_usr);
$query = "SELECT timeout FROM login WHERE uid=\"$auth_usr\"";
$result = mysql_db_query("tbdb", $query);
$n = mysql_num_rows($result);
if ($n == 0) {
$message="<h3>You are not logged in. Please go back to the
<a href=\"tbdb.html\"> Home Page </a> and log in first.\n";
#echo $message;
} else {
$row = mysql_fetch_row($result);
if ($row[0] < time()) { # if their login expired
$message= "<h3>You have been logged out due to inactivity.
Please log in again.</h3>\n";
#echo $message;
$cmnd = "DELETE FROM login WHERE uid=\"$auth_usr\"";
mysql_db_query("tbdb", $cmnd);
} else {
$timeout = time() + 86400;
$cmnd = "UPDATE login SET timeout=\"$timeout\" where uid=\"$auth_usr\"";
mysql_db_query("tbdb", $cmnd);
elseif ($status == "unapproved") {
USERERROR("Your account has not been approved yet. ".
"Please try back later", 1);
}
}
}
if (isset($auth_usr)) {
echo "<hr>";
$query="SELECT status FROM users WHERE uid='$auth_usr'";
$result = mysql_db_query("tbdb", $query);
$status_row = mysql_fetch_row($result);
$status = $status_row[0];
$query="SELECT trust FROM grp_memb WHERE uid='$auth_usr'";
$result = mysql_db_query("tbdb", $query);
$row = mysql_fetch_row($result);
$trust = $row[0];
if ($status == "active") {
if ($trust == "group_root") {
# Only group leaders can do these options
echo "<A href='approval.php3?$auth_usr'>New User Approval</A>\n";
#echo "<p>Add a New User";
#echo "<p><A href='addusr.php3?$auth_usr'>Add a New User</A>";
#echo "</p>";
elseif (($status == "newuser") || ($status == "unverified")) {
echo "<A href='verify.php3?$uid'>New User Verification</A>\n";
}
elseif (($status == "frozen") || ($status == "other")) {
USERERROR("Your account has been changed to status $status, and is ".
"currently unusable. Please contact your project leader ".
"to find out why.", 1);
}
# Since a user can be a member of more than one project (grp),
# display this option, and let the form decide if the user is
# allowed to do this.
echo "<p><A href='beginexp_form.php3?$auth_usr'>
Begin an Experiment</A>\n";
echo "<p><A href='endexp_form.php3?$auth_usr'>
End an Experiment</A>\n";
# Every active user can do these options. For
echo "<p><A href='showexp_form.php3?$auth_usr'>
Show experiment information</A>\n";
echo "<p><A href='modusr_form.php3?$auth_usr'>
Update user information</A>\n";
echo "</p>\n";
} elseif ($status == "unapproved") {
echo "Your account has not been approved yet. Please try back ";
echo "later. Contact ";
echo "<a href=\"mailto:testbed-ops@flux.cs.utah.edu\">";
echo "Testbed ops (testbed-ops@flux.cs.utah.edu)</a>";
echo " for further assistance.\n";
} elseif (($status == "newuser") || ($status == "unverified")) {
echo "<A href='verify.php3?$auth_usr'>New User Verification</A>\n";
} elseif (($status == "frozen") || ($status == "other")) {
echo "Your account has been changed to status $status, and is ";
echo "currently unusable. Please contact your project leader to find out ";
echo "why. If you need further help, contact ";
echo "<a href=\"mailto:testbed-ops@flux.cs.utah.edu\">";
echo "Testbed Ops (testbed-ops@flux.cs.utah.edu)</a>.";
}
}
?>
<hr>
<?php
echo "<A href='addgrp.php3";
if (isset($auth_usr)) { echo "?$auth_usr"; }
echo "'>Start a Project</A>\n";
echo "<p><A href='addusr.php3";
if (isset($auth_usr)) { echo "?$auth_usr"; }
echo "'>Join a Project</A>";
?>
<hr>
<table cellpadding='0' cellspacing='0' width="100%">
<form action="index.php3" method='post' target='fixed'>
<?php
if (isset($message)) {
echo "<b>$message</b>";
#
# Standard options for anyone.
#
if (isset($uid)) {
echo "<p><A href=\"addgrp.php3?$uid\">Start a Project</A>\n";
echo "<p><A href=\"addusr.php3?$uid\">Join a Project</A>\n";
}
else {
echo "<p><A href=\"addgrp.php3\">Start a Project</A>\n";
echo "<p><A href=\"addusr.php3\">Join a Project</A>\n";
}
echo "<hr>";
echo "<table cellpadding=\"0\" cellspacing=\"0\" width=\"100%\">";
echo "<form action=\"index.php3\" method=\"post\" target=\"fixed\">";
echo "<b>$login_status</b>";
#
# Present either a login box, or a logout box
#
if (isset($uid)) {
echo "<tr>
<td><input type='hidden' name='uid' value='$uid'</td>
<td align='center'>
<b><input type='submit' value='Logout' name='logout'></b>
</td>
</tr>\n";
}
if (!isset($auth_usr)) {
echo "<tr><td>Username:<input type='text' name='auth_usr' size=8></td></tr><tr><td>Password:<input type='password' name='auth_passwd' size=8></td></tr><tr><td align='center'><b><input type='submit' value='Login' name='login'></td></tr></b>";
} else {
echo "<tr><td><input type='hidden' name='auth_usr' value='$auth_usr'</td><td align='center'><b><input type='submit' value='Logout' name='logout'></b></td></tr>";
else {
echo "<tr>
<td>Username:<input type='text' name='uid' size=8></td>
</tr>
<tr>
<td>Password:<input type='password' name='password' size=8></td>
</tr>
<tr>
<td align='center'>
<b><input type='submit' value='Login' name='login'></b></td>
</tr>\n";
}
?>
</form>
......
......@@ -7,33 +7,19 @@
<?php
include("defs.php3");
$uid = "";
if ( ereg("php3\?([[:alnum:]]+)",$REQUEST_URI,$Vals) ) {
$uid=$Vals[1];
addslashes($uid);
} else {
unset($uid);
}
#
# Only known and logged in users can modify info.
#
if (!isset($uid)) {
USERERROR("You must be logged in to change your user information!", 1);
}
#
# Verify that the uid is known in the database.
#
$query_result = mysql_db_query($TBDBNAME,
"SELECT usr_pswd FROM users WHERE uid='$uid'");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error confirming user $uid: $err\n", 1);
$uid = "";
if (ereg("php3\?([[:alnum:]]+)", $REQUEST_URI, $Vals)) {
$uid=$Vals[1];
addslashes($uid);
}
if (($row = mysql_fetch_row($query_result)) == 0) {
USERERROR("You do not appear to have an account!", 1);
else {
unset($uid);
}
LOGGEDINORDIE($uid);
?>
<center>
......@@ -74,63 +60,67 @@ echo "<tr>
<td>Username:</td>
<td class=\"left\">
<input type=\"readonly\" name=\"uid\" value=\"$uid\"></td>
</tr>\n";
<td>Expiration date:</td>
echo "<tr>
<td>*Full Name:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_expires\"
value=\"$usr_expires\"></td>
<input type=\"text\" name=\"usr_name\" size=\"30\"
value=\"$usr_name\"></td>
</tr>\n";
echo "<tr>
<td>*Email Address:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_email\"
<input type=\"text\" name=\"usr_email\" size=\"30\"
value=\"$usr_email\"></td>
</tr>\n";
<td>*Mailing Address:</td>
echo "<tr>
<td>Expiration date:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_addr\"
value=\"$usr_addr\"></td>
<input type=\"text\" name=\"usr_expires\"
value=\"$usr_expires\"></td>
</tr>\n";
echo "<tr>
<td>*Full Name:</td>
<td>*Mailing Address:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_name\"
value=\"$usr_name\"></td>
<input type=\"text\" name=\"usr_addr\" size=\"40\"
value=\"$usr_addr\"></td>
</tr>\n";
echo "<tr>
<td>*Phone #:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_phone\"
<input type=\"text\" name=\"usr_phone\" size=\"15\"
value=\"$usr_phone\"></td>
</tr>\n";
echo "<tr>
<td>*Old Password:</td>
<td class=\"left\">
<input type=\"password\" name=\"old_password\"></td>
<td>*Title/Position:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_title\"
<input type=\"text\" name=\"usr_title\" size=\"30\"
value=\"$usr_title\"></td>
</tr>\n";
echo "<tr>
<td>New Password:</td>
<td>*Institutional Affiliation:</td>
<td class=\"left\">
<input type=\"password\" name=\"new_password1\"></td>
<input type=\"text\" name=\"usr_affil\" size=\"40\"
value=\"$usr_affil\"></td>
</tr>\n";
<td>*Institutional<br>Affiliation:</td>
echo "<tr>
<td>New Password:</td>
<td class=\"left\">
<input type=\"text\" name=\"usr_affil\"
value=\"$usr_affil\"></td>
<input type=\"password\" name=\"new_password1\" size=\"8\"></td>
</tr>\n";
echo "<tr>
<td>Retype<br>New Password:</td>
<td class=\"left\">
<input type=\"password\" name=\"new_password2\"></td>
<input type=\"password\" name=\"new_password2\" size=\"8\"></td>
</tr>\n";
?>
<td colspan="4" align="center">
......
......@@ -44,9 +44,6 @@ if (!isset($usr_affil) ||
strcmp($usr_affil, "") == 0) {
$formerror = "Institutional Affiliation";
}
if (!isset($old_password) || strcmp($old_password, "") == 0) {
$formerror = "Old Password";
}
if ($formerror != "No Error") {
USERERROR("Missing field; Please go back and fill out ".
......@@ -54,23 +51,9 @@ if ($formerror != "No Error") {
}
#
# Verify the old password.
# Only known and logged in users can modify info.
#
$pswd_result = mysql_db_query($TBDBNAME,
"SELECT usr_pswd FROM users WHERE uid=\"$uid\"");
if (!$pswd_result) {
TBERROR("Database Error retrieving password for $uid: $err\n", 1);
}
if ($row = mysql_fetch_row($pswd_result)) {
$db_encoding = $row[0];
$salt = substr($db_encoding,0,2);
if ($salt[0] == $salt[1]) { $salt = $salt[0]; }
$encoding = crypt("$old_password", $salt);
if (strcmp($encoding, $db_encoding)) {
USERERROR("The password provided was incorrect. ".
"Please go back and retype the password.", 1);
}
}
LOGGEDINORDIE($uid);
#
# Now see if the user is requesting to change the password. We do the usual
......
<?php
#
# Login support: Beware empty spaces (cookies)!
#
#
# Generate a hash value suitable for authorization. We use the results of
# microtime, combined with a random number.
#
function GENHASH() {
$fp = fopen("/dev/urandom", "r");
if (! $fp) {
TBERROR("Error opening /dev/urandom", 1);
}
$random_bytes = fread($fp, 8);
fclose($fp);
$hash = mhash (MHASH_MD5, bin2hex($retval) . " " . microtime());
return bin2hex($hash);
}
#
# Verify a login by sucking a UID's current hash value out of the database.
# If the login has expired, or of the hashkey in the database does not
# match what came back in the cookie, then the UID is no longer logged in.
#
# Should we advance the timeout since the user is still being active?
#
# Returns: 0 if not logged in ever.
# 1 if logged in okay
# -1 if login timed out
#
function CHECKLOGIN($uid, $curhash) {
global $TBDBNAME;
$query_result = mysql_db_query($TBDBNAME,
"SELECT hashkey, timeout FROM login WHERE uid=\"$uid\"");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error retrieving login info for $uid: $err\n", 1);
}
# Not logged in.
if (($row = mysql_fetch_array($query_result)) == 0) {
return 0;
}
$hashkey = $row[hashkey];
$timeout = $row[timeout];
# A match?
if ($timeout > time() &&
strcmp($curhash, $hashkey) == 0) {
return 1;
}
#
# Clear out the database entry for completeness.
#
$query_result = mysql_db_query($TBDBNAME,
"DELETE FROM login WHERE uid=\"$uid\"");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error deleting login info for $uid: $err\n", 1);
}
return -1;
}
#
# This one checks for login, but then dies with an appropriate error
# message.
#
function LOGGEDINORDIE($uid) {
global $TBDBNAME, $TBAUTHCOOKIE, $TBAUTHDOMAIN, $TBAUTHTIMEOUT;
global $HTTP_COOKIE_VARS;
$curhash = $HTTP_COOKIE_VARS[$TBAUTHCOOKIE];
$status = CHECKLOGIN($uid, $curhash);
switch ($status) {
case 0:
USERERROR("You do not appear to be logged in!", 1);
break;
case 1:
return $uid;
break;
case -1:
USERERROR("Your login has timed out! Please log in again.", 1);
break;
}
TBERROR("LOGGEDINORDIE failed mysteriously", 1);
}
#
# Attempt a login.
#
function DOLOGIN($uid, $password) {
global $TBDBNAME, $TBAUTHCOOKIE, $TBAUTHDOMAIN, $TBAUTHTIMEOUT;
$query_result = mysql_db_query($TBDBNAME,
"SELECT usr_pswd FROM users WHERE uid=\"$uid\"");
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error retrieving password for $uid: $err\n", 1);
}
#
# Check password in the database against provided.
#
if ($row = mysql_fetch_row($query_result)) {
$db_encoding = $row[0];
$salt = substr($db_encoding, 0, 2);
if ($salt[0] == $salt[1]) { $salt = $salt[0]; }
$encoding = crypt("$password", $salt);
if (strcmp($encoding, $db_encoding)) {
return -1;
}
#
# Pass! Insert a record in the login table for this uid with
# the new hash value. If the user is already logged in, thats
# okay; just update it in place with a new hash and timeout.
#
$timeout = time() + 10800;
$hashkey = GENHASH();
$query_result = mysql_db_query($TBDBNAME,
"SELECT timeout FROM login WHERE uid=\"$uid\"");
if (mysql_num_rows($query_result)) {
$query_result = mysql_db_query($TBDBNAME,
"UPDATE login set ".
"timeout='$timeout', hashkey='$hashkey' ".
"WHERE uid=\"$uid\"");
}
else {
$query_result = mysql_db_query($TBDBNAME,
"INSERT into login (uid, hashkey, timeout) ".
"VALUES ('$uid', '$hashkey', '$timeout')");
}
if (! $query_result) {
$err = mysql_error();
TBERROR("Database Error logging in $uid: $err\n", 1);
}
#