source: gsdl/trunk/src/recpt/authenaction.cpp@ 15589

Last change on this file since 15589 was 15589, checked in by mdewsnip, 13 years ago

(Adding new DB support) Replacing almost all "gdbmhome" with "dbhome".

  • Property svn:executable set to *
  • Property svn:keywords set to Author Date Id Revision
File size: 11.6 KB
Line 
1/**********************************************************************
2 *
3 * authenaction.cpp -- authenticating users
4 * Copyright (C) 1999 DigiLib Systems Limited, New Zealand
5 *
6 * A component of the Greenstone digital library software
7 * from the New Zealand Digital Library Project at the
8 * University of Waikato, New Zealand.
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version.
14 *
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
19 *
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 *
24 *********************************************************************/
25
26#include "gsdl_modules_cfg.h"
27#ifdef GSDL_USE_AUTHEN_ACTION
28
29#include "authenaction.h"
30#include "fileutil.h"
31#include "cfgread.h"
32#include "cgiutils.h"
33#include "gsdltimes.h"
34
35
36///////////////
37// authenaction
38///////////////
39
40authenaction::authenaction () {
41 keydecay = 1800; // 30 minutes
42 recpt = NULL;
43
44 // this action uses cgi variable "a"
45 cgiarginfo arg_ainfo;
46 arg_ainfo.shortname = "a";
47 arg_ainfo.longname = "action";
48 arg_ainfo.multiplechar = true;
49 arg_ainfo.defaultstatus = cgiarginfo::weak;
50 arg_ainfo.argdefault = "a";
51 arg_ainfo.savedarginfo = cgiarginfo::must;
52 argsinfo.addarginfo (NULL, arg_ainfo);
53
54 // "us"
55 arg_ainfo.shortname = "us";
56 arg_ainfo.longname = "user account status";
57 arg_ainfo.multiplechar = true;
58 arg_ainfo.defaultstatus = cgiarginfo::weak;
59 arg_ainfo.argdefault = "invalid";
60 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
61 argsinfo.addarginfo (NULL, arg_ainfo);
62
63 // "ug"
64 arg_ainfo.shortname = "ug";
65 arg_ainfo.longname = "user groups"; // comma seperated list
66 arg_ainfo.multiplechar = true;
67 arg_ainfo.defaultstatus = cgiarginfo::weak;
68 arg_ainfo.argdefault = g_EmptyText;
69 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
70 argsinfo.addarginfo (NULL, arg_ainfo);
71
72 // "un"
73 arg_ainfo.shortname = "un";
74 arg_ainfo.longname = "user name";
75 arg_ainfo.multiplechar = true;
76 arg_ainfo.defaultstatus = cgiarginfo::weak;
77 arg_ainfo.argdefault = g_EmptyText;
78 arg_ainfo.savedarginfo = cgiarginfo::must;
79 argsinfo.addarginfo (NULL, arg_ainfo);
80
81 // "pw"
82 arg_ainfo.shortname = "pw";
83 arg_ainfo.longname = "password";
84 arg_ainfo.multiplechar = true;
85 arg_ainfo.defaultstatus = cgiarginfo::weak;
86 arg_ainfo.argdefault = g_EmptyText;
87 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
88 argsinfo.addarginfo (NULL, arg_ainfo);
89
90 // "ky" - gives a specific user authentication for a
91 // limited amount of time
92 arg_ainfo.shortname = "ky";
93 arg_ainfo.longname = "user time key";
94 arg_ainfo.multiplechar = true;
95 arg_ainfo.defaultstatus = cgiarginfo::weak;
96 arg_ainfo.argdefault = g_EmptyText;
97 arg_ainfo.savedarginfo = cgiarginfo::must;
98 argsinfo.addarginfo (NULL, arg_ainfo);
99
100 // "ua" - ""=no, "1"=yes
101 arg_ainfo.shortname = "ua";
102 arg_ainfo.longname = "whether a user has been authenticated";
103 arg_ainfo.multiplechar = true;
104 arg_ainfo.defaultstatus = cgiarginfo::weak;
105 arg_ainfo.argdefault = g_EmptyText;
106 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
107 argsinfo.addarginfo (NULL, arg_ainfo);
108
109 // "er" - compressed arguments for the referer page
110 arg_ainfo.shortname = "er";
111 arg_ainfo.longname = "the compressed args of the refer page";
112 arg_ainfo.multiplechar = true;
113 arg_ainfo.defaultstatus = cgiarginfo::weak;
114 arg_ainfo.argdefault = g_EmptyText;
115 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
116 argsinfo.addarginfo (NULL, arg_ainfo);
117
118 // "uan" - whether user authentication is needed
119 arg_ainfo.shortname = "uan";
120 arg_ainfo.longname = "whether user authentication is needed";
121 arg_ainfo.multiplechar = true;
122 arg_ainfo.defaultstatus = cgiarginfo::weak;
123 arg_ainfo.argdefault = g_EmptyText;
124 arg_ainfo.savedarginfo = cgiarginfo::mustnot;
125 argsinfo.addarginfo (NULL, arg_ainfo);
126}
127
128void authenaction::configure (const text_t &key, const text_tarray &cfgline) {
129 action::configure (key, cfgline);
130}
131
132bool authenaction::init (ostream &logout) {
133 if (dbhome.empty()) {
134 logout << "ERROR (authenaction::init) dbhome is not set\n";
135 return false;
136 }
137
138 return action::init (logout);
139}
140
141bool authenaction::check_cgiargs (cgiargsinfoclass &/*argsinfo*/, cgiargsclass &/*args*/,
142 recptprotolistclass * /*protos*/, ostream &/*logout*/) {
143 return true;
144}
145
146// returns false if there is a major problem with the cgi arguments -- not
147// if authentication fails. If the authentication fails "un" will be empty
148bool authenaction::check_external_cgiargs (cgiargsinfoclass &argsinfo,
149 cgiargsclass &args,
150 outconvertclass &outconvert,
151 const text_t &saveconf,
152 ostream &logout) {
153
154 // no need to go further unless authentication is
155 // required by this page
156 if (args["uan"].empty()) return true;
157
158 // failure means we have to redirect to this action to get authentication
159 // (if we are not already doing this)
160
161 userinfo_t thisuser;
162
163 text_t &args_uan = args["uan"]; text_t &args_un = args["un"];
164 text_t &args_pw = args["pw"]; text_t &args_us = args["us"];
165 text_t &args_ug = args["ug"]; text_t &args_ky = args["ky"];
166 text_t &args_ua = args["ua"]; text_t &args_a = args["a"];
167
168 // we must have a username and a password or a key to
169 // do any authentication
170 args_ua.clear(); // default = false;
171 if (args_un.empty() || args_pw.empty()) args_us = "invalid";
172 else args_us = "failed";
173
174 // make sure we have a username
175 int status = user_database->get_user_info (args_un, thisuser);
176 if (!args_un.empty() && (status == ERRNO_SUCCEED)) {
177 if (!args_pw.empty()) {
178 // we are authenticating using a password
179 if (user_database->check_passwd (thisuser.username, args_pw) == ERRNO_SUCCEED) args_ua = "1"; // succeeded
180
181 } else if (!args_ky.empty()) {
182 // we are authenticating using a key
183 if (key_database->check_key(thisuser, args_ky, args_ug, keydecay)) args_ua = "1";
184 else args_us = "stalekey";
185 }
186 }
187
188 args_pw.clear(); // password goes no further
189 if (!args_ua.empty()) {
190 if (thisuser.enabled) {
191 bool haspermission = true;
192
193 // check to make sure the user is in the required group
194 // one group is available only at the moment.
195 // this is what we are changing !
196
197 if (!args_ug.empty()) {
198
199 // Since we recieve a comma seperated list
200 // of groups like mygroup,yourgroup,ourgroup
201 // we want to split them into individual groups
202 // and examine them. This is what is done here.
203
204 text_tset splitgrps;
205 text_t::const_iterator split_here = args_ug.begin();
206 text_t::const_iterator split_end = args_ug.end();
207
208 splitchar(split_here,split_end,',',splitgrps);
209
210 haspermission = false;
211
212 // This examines the current user to be authenticated and
213 // tries to see if he or she is in the group that we have in
214 // thisuser structure. We compare args_ua contents with that
215 // of the user database.
216
217 text_t::const_iterator group_here = thisuser.groups.begin();
218 text_t::const_iterator group_end = thisuser.groups.end();
219 text_t thisgroup;
220 while (group_here != group_end) {
221 group_here = getdelimitstr (group_here, group_end, ',', thisgroup);
222 if (splitgrps.find(thisgroup) != splitgrps.end() )
223 {
224 haspermission = true;
225 break;
226 }
227 }
228 }
229
230 if (haspermission) {
231 // succeeded, get info about this user
232 // note: we don't need to set "ug" as it is already set to what it needs to be
233 args_us = "enabled";
234 args_ky = key_database->generate_key(args_un); // new key
235
236 // delete old keys around every 50 accesses
237 if (rand()%50 == 1) key_database->remove_old_keys(keydecay);
238
239 } else {
240 // succeeded, however, the user is not in the correct group
241 args_ua.clear();
242 args_us = "permissiondenied";
243 args_ky.clear();
244 }
245
246 } else {
247 // succeeded, however, the account is disabled
248 args_ua.clear();
249 args_us = "disabled";
250 args_ky.clear();
251 }
252
253 } else {
254 // failure, reset info about the user
255 args_ky.clear();
256 }
257
258 // we will have to redirect the user if authentication is needed,
259 // it failed, and we weren't on our way to be authenticated anyway
260 if ((!args_uan.empty()) && (args_ua.empty()) && (args_a != "a")) {
261 // need to save the current arguments in "er"
262 text_t &arg_er = args["er"];
263 if (!compress_save_args(argsinfo, saveconf, args, arg_er, outconvert, logout))
264 arg_er.clear();
265
266 // needs to be decoded for use within forms
267 decode_cgi_arg (arg_er);
268
269 // redirect to this action
270 args_a = "a";
271 }
272
273 return true;
274}
275
276void authenaction::get_cgihead_info (cgiargsclass &/*args*/, recptprotolistclass * /*protos*/,
277 response_t &response, text_t &response_data,
278 ostream &/*logout*/) {
279 response = content;
280 response_data = "text/html";
281}
282
283void authenaction::define_internal_macros (displayclass &disp, cgiargsclass &args,
284 recptprotolistclass * /*protos*/, ostream &/*logout*/) {
285 // sets _authen:messageextra_ based on the value of args["us"]
286 // _authen:hiddenargs_ to contain all the arguments that were
287 // explicitly set
288 disp.setmacro ("messagestatus", "authen", ("_authen:message" + args["us"]
289 + "_"));
290 // change style of header and footer if page is a frame
291 if ((args["p"].empty()) || (args["p"] == "frameset")) {
292 disp.setmacro ("header", "authen", "_status:infoheader_(Log in)");
293 disp.setmacro ("header", "authenok", "_status:infoheader_(Log in)");
294 disp.setmacro ("footer", "authen", "_status:infofooter_(Log in)");
295 disp.setmacro ("footer", "authenok", "_status:infofooter_(Log in)");
296 }
297
298 // get a list of saved configuration arguments (if possible)
299 text_t saveconf;
300 text_tset saveconfset;
301 if (recpt != NULL) {
302 saveconf = recpt->get_configinfo().saveconf;
303 splitchar (saveconf.begin(), saveconf.end(), '-', saveconfset);
304 }
305
306 text_t hiddenargs;
307 cgiargsclass::const_iterator args_here = args.begin();
308 cgiargsclass::const_iterator args_end = args.end();
309 while (args_here != args_end) {
310 // set this as a hidden argument if it came from the cgi arguments,
311 // its not the compressed arguments, the query string, a user name or
312 // password, or collect.cfg, and if it is not in the compressed arguments
313 if ((*args_here).second.source == cgiarg_t::cgi_arg &&
314 (*args_here).first != "e" && (*args_here).first != "q" &&
315 (*args_here).first != "un" && (*args_here).first != "pw" &&
316 (*args_here).first != "cfgfile" &&
317 saveconfset.find((*args_here).first) == saveconfset.end()) {
318 hiddenargs += "<input type=hidden name=\"" + (*args_here).first +
319 "\" value=\"_cgiarg" + (*args_here).first + "_\">\n";
320 }
321 ++args_here;
322 }
323
324 disp.setmacro ("hiddenargs", "authen", hiddenargs);
325}
326
327bool authenaction::do_action (cgiargsclass &args, recptprotolistclass * /*protos*/,
328 browsermapclass * /*browsers*/, displayclass &disp,
329 outconvertclass &outconvert, ostream &textout,
330 ostream &/*logout*/) {
331 if (args["us"] == "enabled") {
332 // have been authenticated
333 textout << outconvert << disp
334 << "_authenok:header_\n_authenok:content_\n_authenok:footer_\n";
335 return true;
336 }
337
338 // need to be authenticated
339 textout << outconvert << disp
340 << "_authen:header_\n_authen:content_\n_authen:footer_\n";
341
342 return true;
343}
344
345#endif //GSDL_USE_AUTHEN_ACTION
Note: See TracBrowser for help on using the repository browser.