session_auth/caldap.php
<?php
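// Name of the session entry holding the per-login key that is mirrored in
// `ldap_users.keycode` (see loginKey() / insertKey() below).
$session_keyname='keydb';
date_default_timezone_set('Europe/Rome');
// Static footer markup appended to the login form. file_get_contents() returns
// false on failure; `?: ''` keeps the concatenation below a plain string.
$footer=file_get_contents('views/footer.php') ?: '';
$login_error='<article><header>Login error</header><p>Errore nel login.</p></article>';
// The form posts back to the current URI. REQUEST_URI is attacker-controlled
// (a crafted link can close the attribute and inject markup), so it is
// HTML-escaped before being placed inside action="...". The original
// concatenated it raw, which is a reflected XSS.
$form_action=htmlspecialchars($_SERVER['REQUEST_URI'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$htmlFormLogin='<form action="'.$form_action.'" method="post">
<main style="text-align: center;padding-top:10px;padding-bottom:20px" >
<img src="/dash/views/img/despalmes_logo.png" style="height:100px">
</main>
<article class="loginbox">
<header>Autenticazione</header>
<p style="font-size: 12px" >Autenticazione sperimentale su ldap con db mysql.Utilizzo il database di appoggio per evitare troppe query al server ldap.<br>
Il tutto nell\' ottica di sviluppare una <a href="/dash">Intranet aziendale.</a> Un giorno.</p>
<p style="font-size: 12px" >Inserisci le stesse credenziali che usi per fare il login sul pc dell\'ufficio.</p>
<div><label> Utente: <input id="username" name="username" type="text" placeholder="Inserisci utente"></label></div>
<div><label> Password: <input id="password" name="password" type="password" placeholder="Inserisci password"></label></div>
<div><button id="login_btn" name="login_btn" >Login</button></div>
</article>
</form></article>'.$footer;
// Session keys used by the login flow at the bottom of this file.
$session_user='hdp_intranet_admins_user_ldap';
// Defined for completeness; not referenced anywhere in this file. Never store
// the cleartext password in the session under it.
$session_pass='hdp_intranet_admins_pass_ldap';
$session_is_logged='hdp_intranet_logged_ldap';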
/**
 * Report whether a key is present (and non-null) in the current session.
 *
 * @param string $keyname session array key to look up
 * @return bool true when $_SESSION[$keyname] is set; false otherwise, including
 *              when no session array exists at all
 */
function checkIfKeySessionExsist($keyname)
{
    return isset($_SESSION[$keyname]);
}
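/**
 * Validate a username as a non-empty ASCII alphanumeric string.
 *
 * Only [A-Za-z0-9] is accepted, which keeps shell and LDAP-filter metacharacters
 * out of the value. Non-string input (an array from a crafted POST, an int) is
 * rejected explicitly rather than relying on ctype_alnum()'s legacy behaviour
 * of treating small integers as character codes.
 *
 * NOTE(review): if directory usernames may contain '.' or '-', this rule is too
 * strict and needs widening — confirm against the directory's naming policy.
 *
 * @param mixed $username value to check
 * @return bool
 */
function checkUsername($username)
{
    return is_string($username) && $username !== '' && ctype_alnum($username);
}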
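/**
 * Validate a password as a non-empty ASCII alphanumeric string.
 *
 * Mirrors checkUsername(): non-string input is rejected explicitly, and an
 * empty string is rejected (an empty password would turn an LDAP bind into an
 * unauthenticated bind, which many directory servers accept).
 *
 * Be aware that the alphanumeric-only rule rejects any legitimate password that
 * contains punctuation; this helper is not called by the login flow in this file.
 *
 * @param mixed $password value to check
 * @return bool
 */
function checkPassword($password)
{
    return is_string($password) && $password !== '' && ctype_alnum($password);
}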
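/**
 * Generate an unguessable per-login key.
 *
 * The previous implementation returned md5(timestamp . user . timestamp): anyone
 * who knows a username can reproduce that value to the second, and the key is
 * what loginKey() trusts to accept a session. The key is now 16 bytes from the
 * CSPRNG, hex-encoded to the same 32-character width so the existing
 * `ldap_users.keycode` column and comparisons keep working.
 *
 * @param string $user kept for call-site compatibility; it no longer influences the key
 * @return string 32 lowercase hexadecimal characters
 * @throws Exception if no secure randomness source is available
 */
function genRandomStringFromUsername($user)
{
    return bin2hex(random_bytes(16));
}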
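/**
 * Authenticate $user/$pass against LDAP by delegating to ./ldap.py.
 *
 * The helper's contract, as far as this file shows, is that its first output
 * line is "0" on success (the original only inspected $output[0]).
 *
 * Each value is now passed through escapeshellarg(). escapeshellcmd() on the
 * assembled string stops the shell from running a second command, but it does
 * not stop a value containing whitespace from being split into extra argv
 * entries for ldap.py. Empty credentials are refused up front: an empty password
 * is an unauthenticated LDAP bind, which many directory servers accept, and the
 * helper's handling of that case is not visible here.
 *
 * NOTE(review): the password is still visible in the process list (argv) while
 * ldap.py runs; passing it on stdin would require changing ldap.py as well.
 *
 * @param mixed $user username as submitted
 * @param mixed $pass password as submitted
 * @return bool true only when the helper reports success
 */
function loginLdap($user,$pass)
{
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    $output=[];
    $cmd='python ./ldap.py '.escapeshellarg($user).' '.escapeshellarg($pass);
    exec($cmd, $output);
    // Guard the index: a missing interpreter or a crashing helper produces no
    // output at all, which previously raised an undefined-offset notice. Strict
    // comparison so "0.0", " 0" or similar are not accepted as success.
    return isset($output[0]) && $output[0] === '0';
}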
/**
 * Print an error fragment and terminate the request.
 *
 * @param string $msg HTML fragment to output (callers pass $login_error)
 * @return never
 */
function loginErrorAction($msg)
{
    print $msg;
    exit();
}
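/**
 * Check that ($username, $keycode) matches a row in `ldap_users`.
 *
 * Called on every request after login to confirm that the session's
 * username/key pair is still the one recorded at login.
 *
 * Changes from the original: database errors are logged server-side instead of
 * being printed to the browser (a DSN, host name or SQL fragment in an error
 * message helps an attacker and is useless to the user), PDO runs in exception
 * mode so a failed execute() cannot be mistaken for "no match", and null/empty
 * inputs (an unset session) short-circuit without touching the database.
 *
 * @param mixed $username session username
 * @param mixed $keycode  session key
 * @return bool true only when a matching row exists; false on no match or on
 *              any database error (fail closed)
 */
function loginKey($username,$keycode)
{
    global $DSN;
    global $DBUSER;
    global $DBPASS;
    if (!is_string($username) || !is_string($keycode) || $username === '' || $keycode === '') {
        return false;
    }
    try{
        $dbh = new PDO($DSN, $DBUSER, $DBPASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        $stmt = $dbh->prepare('select id from `ldap_users` where username = ? and keycode = ? limit 1');
        $stmt->execute([$username, $keycode]);
        return $stmt->fetchColumn() !== false;
    }catch (PDOException $err) {
        error_log('loginKey: database error: ' . $err->getMessage());
        return false;
    }
}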
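/**
 * Report whether a row for $username exists in `ldap_users`.
 *
 * The original matched with `LIKE`, which makes `%` and `_` in the username act
 * as wildcards: "jo_n" would report john's row as existing, and "%" would match
 * any row. The comparison is now an exact `=`. Database errors are logged rather
 * than printed to the browser.
 *
 * @param mixed $username username to look up
 * @return bool true when a row exists; false when none does, on empty/non-string
 *              input, or on any database error (fail closed)
 */
function checkIfRecordExsist($username)
{
    global $DSN;
    global $DBUSER;
    global $DBPASS;
    if (!is_string($username) || $username === '') {
        return false;
    }
    try{
        $dbh = new PDO($DSN, $DBUSER, $DBPASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        $stmt = $dbh->prepare('select 1 from ldap_users where username = :username limit 1');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchColumn() !== false;
    }catch (PDOException $err) {
        error_log('checkIfRecordExsist: database error: ' . $err->getMessage());
        return false;
    }
}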
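/**
 * Delete the `ldap_users` row for $username.
 *
 * The original deleted with `LIKE`, so a username containing `%` or `_` could
 * remove other users' rows (and "%" would empty the table). The match is now an
 * exact `=`. A failed statement now surfaces as an exception (and a false
 * return) instead of being printed and reported as success; database errors
 * are logged, not shown to the browser.
 *
 * @param mixed $username username whose row to delete
 * @return bool true when the statement ran; false on empty/non-string input or
 *              on any database error
 */
function deleteUsername($username)
{
    global $DSN;
    global $DBUSER;
    global $DBPASS;
    if (!is_string($username) || $username === '') {
        return false;
    }
    try{
        $dbh = new PDO($DSN, $DBUSER, $DBPASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        $stmt = $dbh->prepare('delete from ldap_users where username = :username');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->execute();
        return true;
    }catch (PDOException $err) {
        error_log('deleteUsername: database error: ' . $err->getMessage());
        return false;
    }
}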
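/**
 * Record $keycode as the current login key for $username in `ldap_users`.
 *
 * Inserts a new row (type = 1) when none exists for the username, otherwise
 * updates the existing row's keycode and lastlogin.
 *
 * Changes from the original: the UPDATE matched with `LIKE`, so a username
 * containing `_` or `%` could overwrite other users' keys — it is now an exact
 * `=`; database errors are logged rather than printed to the browser; PDO runs
 * in exception mode so a failed statement is reported as null instead of being
 * printed and then treated as success.
 *
 * NOTE(review): the exists-check and the INSERT are two separate statements, so
 * two concurrent first logins for the same username can race. A unique index on
 * `username` (not visible from this file) would turn the loser into a caught
 * PDOException; confirm the schema.
 *
 * @param mixed $username username to record
 * @param mixed $keycode  key to store (see genRandomStringFromUsername())
 * @return array|null empty array on success (INSERT/UPDATE produce no result
 *                    set, which is what the original's fetchAll() yielded);
 *                    null on invalid input or database error
 */
function insertKey($username,$keycode)
{
    global $DSN;
    global $DBUSER;
    global $DBPASS;
    if (!is_string($username) || $username === '' || !is_string($keycode) || $keycode === '') {
        return null;
    }
    $date = date("Y-m-d H:i:s");
    try{
        $dbh = new PDO($DSN, $DBUSER, $DBPASS, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
        if (!checkIfRecordExsist($username))
        {
            $sql = "INSERT INTO `ldap_users` ( `username`, `keycode`, `type`, `lastlogin`) VALUES (:username,:keycode,1,:date)";
        }else{
            $sql = "UPDATE `ldap_users` SET `keycode` = :keycode, `lastlogin` = :date WHERE `ldap_users`.`username` = :username";
        }
        $stmt = $dbh->prepare($sql);
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->bindValue(':keycode', $keycode, PDO::PARAM_STR);
        $stmt->bindValue(':date', $date, PDO::PARAM_STR);
        $stmt->execute();
        return [];
    }catch (PDOException $err) {
        error_log('insertKey: database error: ' . $err->getMessage());
        return null;
    }
}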
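// ---------------------------------------------------------------------------
// Login flow.
//
// Assumes session_start() has already been called by the including page (this
// file never starts the session itself) and that $DSN/$DBUSER/$DBPASS are set.
// Outcome: either the request continues with a valid session, or the login
// form / error is printed and the script exits.
//
// Fixes over the original: (1) the submitted credentials were handed to the
// shell helper with no validation at all; (2) the session key and the database
// key were generated by two separate calls and only agreed because both landed
// in the same second; (3) on a key mismatch die() ran before deleteUsername(),
// so the delete was unreachable; (4) no session id rotation after login (session
// fixation); (5) reads of unset $_SESSION entries raised notices.
// ---------------------------------------------------------------------------
if (isset($_POST["login_btn"]))
{
    $session_username = $_SESSION[$session_user] ?? null;
    $session_key = $_SESSION[$session_keyname] ?? null;
    if (!checkIfKeySessionExsist($session_keyname) || !checkIfRecordExsist($session_username))
    {
        $user = $_POST["username"] ?? '';
        $pass = $_POST["password"] ?? '';
        // Validate before anything reaches the shell helper or the database.
        // The username must satisfy checkUsername(); the password only has to be
        // a non-empty string — an empty password would be an unauthenticated
        // LDAP bind, which many servers accept. checkPassword()'s
        // alphanumeric-only rule is deliberately not applied here because it
        // would reject legitimate passwords with punctuation.
        // NOTE(review): if directory usernames contain '.' or '-', widen
        // checkUsername() rather than dropping this check.
        if (!checkUsername($user) || !is_string($pass) || $pass === '' || !loginLdap($user, $pass))
        {
            //non autenticato
            echo $htmlFormLogin;
            die();
        }
        // The cleartext password is not needed past this point.
        unset($pass);
        // Rotate the session id so an id fixed on the victim before login cannot
        // be reused by the attacker after it.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        // One key, stored both in the session and in the database.
        $key = genRandomStringFromUsername($user);
        $_SESSION[$session_user] = $user;
        $_SESSION[$session_keyname] = $key;
        $_SESSION[$session_is_logged] = "yes";
        insertKey($user, $key);
    }else{
        // A session already exists: confirm its username/key pair is still the
        // one on record.
        if (!loginKey($session_username, $session_key))
        {
            // Invalidate both the database record and the stale session state
            // before exiting (the original exited first, so neither happened).
            deleteUsername($session_username);
            unset($_SESSION[$session_user], $_SESSION[$session_keyname], $_SESSION[$session_is_logged]);
            loginErrorAction($login_error);
        }
    }
}else{
    // Not a login submission: every other request must carry a valid session.
    if (!loginKey($_SESSION[$session_user] ?? null, $_SESSION[$session_keyname] ?? null))
    {
        echo $htmlFormLogin;
        die();
    }
}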
?>