1: | <?php |
2: | declare(strict_types=1); |
3: | |
4: | |
5: | |
6: | |
7: | |
8: | |
9: | |
10: | |
11: | |
12: | |
13: | |
14: | |
15: | use Auth\UI\SecureAccessKey; |
16: | use Module\Skeleton\Contracts\Hookable; |
17: | use Module\Skeleton\Contracts\Tasking; |
18: | use Module\Support\Auth; |
19: | use Opcenter\Account\State; |
20: | use Opcenter\Auth\Password; |
21: | use Opcenter\Auth\Shadow; |
22: | use Opcenter\Mail\Services\Dovecot; |
23: | |
24: | |
25: | |
26: | |
27: | |
28: | |
29: | class Auth_Module extends Auth implements Hookable, Tasking |
30: | { |
31: | const DEPENDENCY_MAP = [ |
32: | 'siteinfo', |
33: | 'users' |
34: | ]; |
35: | |
36: | const API_KEY_LIMIT = 10; |
37: | const API_USER_SYNC_COMMENT = PANEL_BRAND . ' user sync'; |
38: | |
39: | const PWOVERRIDE_KEY = 'pwoverride'; |
40: | |
41: | const SECURITY_TOKEN = \Auth\Sectoken::SECURITY_TOKEN; |
42: | |
43: | const MIN_PW_LENGTH = AUTH_MIN_PW_LENGTH; |
44: | |
45: | const PAM_SERVICES = ['cp', 'dav']; |
46: | |
47: | private static $domain_db; |
48: | |
49: | protected $exportedFunctions = [ |
50: | '*' => PRIVILEGE_ALL, |
51: | 'inactive_reason' => PRIVILEGE_SITE|PRIVILEGE_USER, |
52: | 'verify_password' => PRIVILEGE_SERVER_EXEC | PRIVILEGE_ALL, |
53: | 'change_domain' => PRIVILEGE_SITE, |
54: | 'change_username' => PRIVILEGE_SITE | PRIVILEGE_ADMIN, |
55: | 'reset_password' => PRIVILEGE_SITE | PRIVILEGE_ADMIN, |
56: | 'set_temp_password' => PRIVILEGE_ADMIN | PRIVILEGE_SITE |
57: | ]; |
58: | |
59: | |
60: | |
61: | public function __construct() |
62: | { |
63: | parent::__construct(); |
64: | if (!AUTH_ALLOW_USERNAME_CHANGE) { |
65: | $this->exportedFunctions['change_username'] = PRIVILEGE_ADMIN; |
66: | } |
67: | if (!AUTH_ALLOW_DOMAIN_CHANGE) { |
68: | $this->exportedFunctions['change_domain'] = PRIVILEGE_NONE; |
69: | } |
70: | } |
71: | |
72: | |
73: | |
74: | |
75: | |
76: | |
77: | public function session_info(): array |
78: | { |
79: | return (array)$this->getAuthContext(); |
80: | } |
81: | |
82: | |
83: | |
84: | |
85: | |
86: | |
87: | |
88: | |
89: | |
90: | |
91: | |
92: | |
93: | |
94: | public function change_password(string $password, string $user = null, string $domain = null): bool |
95: | { |
96: | if (!$this->password_permitted($password, $user)) { |
97: | return error('weak password disallowed'); |
98: | } else if ($this->is_demo()) { |
99: | return error('cannot change password in demo mode'); |
100: | } |
101: | $crypted = $this->crypt($password); |
102: | |
103: | return $this->change_cpassword($crypted, $user, $domain); |
104: | } |
105: | |
106: | |
107: | |
108: | |
109: | |
110: | |
111: | |
112: | |
113: | public function reset_password(?string $user = null, string $domain = null): ?string |
114: | { |
115: | if (!IS_CLI) { |
116: | return $this->query('auth_reset_password', $user, $domain); |
117: | } |
118: | |
119: | if ($this->is_demo()) { |
120: | return nerror('cannot change password in demo mode'); |
121: | } |
122: | |
123: | if ($this->permission_level & PRIVILEGE_SITE) { |
124: | $domain = $this->domain; |
125: | } else if ($domain) { |
126: | if (null === ($tmp = \Auth::get_site_id_from_anything($domain))) { |
127: | return nerror("Cannot find `%s'", $domain); |
128: | } |
129: | $domain = \Auth::get_domain_from_site_id($tmp); |
130: | } |
131: | |
132: | if (!$user && !$domain) { |
133: | $user = $this->username; |
134: | } else if ($domain && !$user) { |
135: | if (null === ($tmp = \Auth::get_admin_from_site_id(\Auth::get_site_id_from_anything($domain)))) { |
136: | return nerror("Cannot find admin for `%s'", $domain); |
137: | } |
138: | $user = $tmp; |
139: | } |
140: | |
141: | $password = Password::generate(max(self::MIN_PW_LENGTH, 8)); |
142: | |
143: | if (!$this->setCryptedPassword($this->crypt($password), $user, $domain)) { |
144: | return null; |
145: | } |
146: | |
147: | $ctx = \Auth::context($user, $domain); |
148: | $email = \apnscpFunctionInterceptor::factory($ctx)->common_get_email(); |
149: | |
150: | success("Password set to: `%s'", $password); |
151: | |
152: | $this->sendNotice( |
153: | 'password', |
154: | [ |
155: | 'email' => $email, |
156: | 'password' => $password, |
157: | 'username' => $user, |
158: | 'domain' => $domain |
159: | ] |
160: | ); |
161: | |
162: | \apnscpSession::invalidate_by_user($this->site_id, $user, true); |
163: | if ($domain) { |
164: | $afi = $this->permission_level & PRIVILEGE_ADMIN ? \apnscpFunctionInterceptor::factory($ctx) : $this; |
165: | $afi->site_kill_user($user) && (!Dovecot::exists() || Dovecot::flushAuth()); |
166: | } |
167: | |
168: | return $password; |
169: | } |
170: | |
171: | |
172: | |
173: | |
174: | |
175: | |
176: | |
177: | |
178: | public function password_permitted(string $password, string $user = null): bool |
179: | { |
180: | return Password::strong($password, $user); |
181: | } |
182: | |
183: | |
184: | |
185: | |
186: | |
187: | |
188: | public function is_demo(): bool |
189: | { |
190: | |
191: | |
192: | |
193: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
194: | return DEMO_ADMIN_LOCK; |
195: | } |
196: | |
197: | return $this->billing_get_invoice() == DEMO_INVOICE || $this->getConfig('billing', 'parent_invoice') === DEMO_INVOICE; |
198: | } |
199: | |
200: | |
201: | |
202: | |
203: | |
204: | |
205: | |
206: | |
207: | public function crypt(string $password, string $salt = null): string |
208: | { |
209: | return Shadow::crypt($password, $salt); |
210: | } |
211: | |
212: | |
213: | |
214: | |
215: | |
216: | |
217: | |
218: | |
219: | |
220: | |
221: | |
222: | |
223: | |
224: | |
225: | |
226: | |
227: | |
228: | public function change_cpassword(string $cpassword, string $user = null, string $domain = null): bool |
229: | { |
230: | if ($this->is_demo()) { |
231: | return error('demo account password changes disabled'); |
232: | } |
233: | |
234: | $user = $user ?? $this->username; |
235: | $domain = $domain ?: $this->domain; |
236: | |
237: | if (!IS_CLI) { |
238: | $ret = $this->query('auth_change_cpassword', $cpassword, $user, $domain); |
239: | if (!$ret) { |
240: | return $ret; |
241: | } |
242: | if ($this->permission_level & (PRIVILEGE_SITE | PRIVILEGE_USER)) { |
243: | if ($this->getServiceValue(self::getAuthService(), self::PWOVERRIDE_KEY)) { |
244: | return true; |
245: | } |
246: | |
247: | if ($user !== $this->username) { |
248: | $email = \apnscpFunctionInterceptor::factory(\Auth::context($user, $this->site))->common_get_email(); |
249: | } |
250: | $email = $email ?? $this->common_get_email() ?? $this->getConfig('siteinfo', 'email'); |
251: | } else if ($this->permission_level & PRIVILEGE_ADMIN) { |
252: | if (!$domain) { |
253: | $email = $this->common_get_email(); |
254: | } else { |
255: | |
256: | $afi = \apnscpFunctionInterceptor::factory(\Auth::context(null, $domain)); |
257: | if ($afi->common_get_service_value(self::getAuthService(), self::PWOVERRIDE_KEY)) { |
258: | |
259: | return true; |
260: | } |
261: | $email = $afi->common_get_email(); |
262: | } |
263: | } |
264: | parent::sendNotice( |
265: | 'password', |
266: | [ |
267: | 'email' => $email, |
268: | 'ip' => \Auth::client_ip(), |
269: | 'username' => $user, |
270: | 'domain' => $domain ?: $this->domain |
271: | ] |
272: | ); |
273: | \apnscpSession::invalidate_by_user($this->site_id, $user, true); |
274: | |
275: | return $ret; |
276: | } |
277: | |
278: | return $this->setCryptedPassword($cpassword, $user, $domain); |
279: | } |
280: | |
281: | |
282: | |
283: | |
284: | |
285: | |
286: | public function is_inactive(): bool |
287: | { |
288: | if (!IS_CLI) { |
289: | return $this->query('auth_is_inactive'); |
290: | } |
291: | if ($this->permission_level & (PRIVILEGE_USER | PRIVILEGE_SITE)) { |
292: | return file_exists(State::disableMarker($this->site)); |
293: | } |
294: | |
295: | return false; |
296: | } |
297: | |
298: | |
299: | |
300: | |
301: | |
302: | |
303: | public function inactive_reason(): ?string |
304: | { |
305: | if (!IS_CLI) { |
306: | return $this->query('auth_inactive_reason'); |
307: | } |
308: | |
309: | if ($this->permission_level & PRIVILEGE_USER || |
310: | !AUTH_SHOW_SUSPENSION_REASON || !$this->is_inactive()) { |
311: | return null; |
312: | } |
313: | |
314: | if (!file_exists($path = State::disableMarker($this->site))) { |
315: | return null; |
316: | } |
317: | |
318: | return rtrim(implode("\n", array_filter( |
319: | file($path, FILE_IGNORE_NEW_LINES), |
320: | static function ($line) { |
321: | var_dump($line[0] ?? ''); |
322: | $firstChar = ltrim($line)[0] ?? ''; |
323: | return $firstChar !== '#' && $firstChar !== ';'; |
324: | }) |
325: | )); |
326: | } |
327: | |
328: | |
329: | |
330: | |
331: | |
332: | |
333: | |
334: | |
335: | |
336: | |
337: | |
338: | |
339: | |
340: | |
341: | |
342: | |
343: | public function create_api_key(string $comment = '', string $user = null): ?string |
344: | { |
345: | if (!$user || !($this->permission_level & PRIVILEGE_SITE)) { |
346: | $user = $this->username; |
347: | } else if (!$this->user_exists($user)) { |
348: | error("cannot set comment for key, user `%s' does not exist", $user); |
349: | return null; |
350: | } |
351: | |
352: | if (strlen($comment) > 255) { |
353: | warn('api key comment truncated beyond 255 characters'); |
354: | } |
355: | $key = hash('sha256', uniqid((string)random_int(PHP_INT_MIN, PHP_INT_MAX), true)); |
356: | $invoice = null; |
357: | if (!($this->permission_level & PRIVILEGE_ADMIN)) { |
358: | $invoice = $this->billing_get_invoice(); |
359: | if (!$invoice) { |
360: | error('unable to find invoice for account'); |
361: | return null; |
362: | } |
363: | } |
364: | $db = Auth_SOAP::get_api_db(); |
365: | $qfrag = $this->_getAPIQueryFragment(); |
366: | $rs = $db->query('SELECT |
367: | `api_key` |
368: | FROM `api_keys` ' . |
369: | $qfrag['join'] . |
370: | "WHERE |
371: | `username` = '" . $user . "' |
372: | AND " . $qfrag['where'] . ' GROUP BY (api_key)'); |
373: | |
374: | if ((!$this->permission_level & PRIVILEGE_ADMIN) && ($rs->num_rows >= self::API_KEY_LIMIT)) { |
375: | error('%d key limit reached', self::API_KEY_LIMIT); |
376: | return null; |
377: | } |
378: | $q = 'INSERT INTO `api_keys` ' . |
379: | '(`api_key`, `server_name`, `username`, `site_id`, `invoice`)' . |
380: | "VALUES (?,'" . SERVER_NAME_SHORT . "',?,?,?)"; |
381: | $stmt = $db->prepare($q); |
382: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
383: | $site_id = null; |
384: | $invoice = null; |
385: | } else if ($this->permission_level & PRIVILEGE_RESELLER) { |
386: | $site_id = null; |
387: | $invoice = $this->billing_get_invoice(); |
388: | } else { |
389: | $site_id = $this->site_id; |
390: | $invoice = $this->billing_get_invoice(); |
391: | } |
392: | $stmt->bind_param('ssds', $key, $this->username, $site_id, $invoice); |
393: | if (!$stmt->execute()) { |
394: | error('unable to add key - %s', $stmt->error); |
395: | return null; |
396: | } |
397: | if ($comment) { |
398: | $this->set_api_key_comment($key, $comment, $user); |
399: | } |
400: | |
401: | return $key; |
402: | } |
403: | |
404: | |
405: | |
406: | |
407: | |
408: | |
409: | private function _getAPIQueryFragment(): array |
410: | { |
411: | $qfrag = array('where' => '1 = 1', 'join' => ''); |
412: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
413: | $qfrag['where'] = 'api_keys.invoice IS NULL AND site_id IS NULL'; |
414: | } else { |
415: | $invoice = $this->billing_get_invoice(); |
416: | if (!$invoice) { |
417: | error('cannot get billing invoice for API key'); |
418: | $qfrag['where'] = '1 = 0'; |
419: | |
420: | return $qfrag; |
421: | } |
422: | $qfrag['where'] = "api_keys.invoice = '" . Auth_SOAP::get_api_db()->real_escape_string($invoice) . "'"; |
423: | } |
424: | |
425: | return $qfrag; |
426: | } |
427: | |
428: | |
429: | |
430: | |
431: | |
432: | |
433: | |
434: | |
435: | |
436: | |
437: | public function set_api_key_comment(string $key, string $comment = null, string $user = null): bool |
438: | { |
439: | $key = str_replace('-', '', strtolower($key)); |
440: | if (!ctype_xdigit($key)) { |
441: | return error($key . ': invalid key'); |
442: | } |
443: | |
444: | |
445: | if (strlen($comment) > 255) { |
446: | warn('comment truncated to max length 255 characters'); |
447: | } |
448: | if (!$user || !($this->permission_level & PRIVILEGE_SITE)) { |
449: | $user = $this->username; |
450: | } else if (!$this->user_exists($user)) { |
451: | return error("cannot set comment for key, user `%s' does not exist", $user); |
452: | } |
453: | $db = Auth_SOAP::get_api_db(); |
454: | $qfrag = $this->_getAPIQueryFragment(); |
455: | $rs = $db->query('UPDATE `api_keys` ' . $qfrag['join'] . |
456: | "SET comment = '" . $db->escape_string($comment) . "' |
457: | WHERE `api_key` = '" . strtolower($key) . "' |
458: | AND " . $qfrag['where'] . " |
459: | AND `username` = '" . $user . "';"); |
460: | |
461: | return $rs && $db->affected_rows > 0; |
462: | } |
463: | |
464: | |
465: | |
466: | |
467: | |
468: | |
469: | |
470: | |
471: | |
472: | |
473: | |
474: | |
475: | public function verify_password(string $password): bool |
476: | { |
477: | $file = static::ADMIN_AUTH; |
478: | if ($this->permission_level & (PRIVILEGE_SITE | PRIVILEGE_USER)) { |
479: | if (!$this->site) { |
480: | return false; |
481: | } |
482: | $file = $this->domain_fs_path('/etc/shadow'); |
483: | } |
484: | $fp = fopen($file, 'r'); |
485: | if (!$fp) { |
486: | return false; |
487: | } |
488: | $data = array(); |
489: | while (false !== ($line = fgets($fp))) { |
490: | if (0 === strpos($line, $this->username . ':')) { |
491: | $data = explode(':', rtrim($line)); |
492: | break; |
493: | } |
494: | } |
495: | fclose($fp); |
496: | if (!$data) { |
497: | return false; |
498: | } |
499: | |
500: | if (!isset($data[1])) { |
501: | $str = 'Corrupted shadow: ' . $file . "\r\n" . |
502: | $this->username . "\r\n"; |
503: | Error_Reporter::report($str . "\r\n" . var_export($data, true)); |
504: | |
505: | return false; |
506: | } |
507: | $salt = implode('$', explode('$', $data[1])); |
508: | return Shadow::verify($password, $salt); |
509: | } |
510: | |
511: | |
512: | |
513: | |
514: | |
515: | |
516: | |
517: | |
518: | |
519: | |
520: | |
521: | public function get_last_login(): array |
522: | { |
523: | $login = $this->get_login_history(1); |
524: | if (!$login) { |
525: | return array(); |
526: | } |
527: | |
528: | return $login[0]; |
529: | } |
530: | |
531: | |
532: | |
533: | |
534: | |
535: | |
536: | |
537: | |
538: | |
539: | |
540: | |
541: | |
542: | |
543: | |
544: | public function get_login_history(int $limit = null): array |
545: | { |
546: | $logins = array(); |
547: | |
548: | if ($this->is_demo()) { |
549: | $logins[] = array( |
550: | 'ip' => \Auth::client_ip(), |
551: | 'ts' => \Auth::login_time() |
552: | ); |
553: | |
554: | return $logins; |
555: | } |
556: | if (!is_null($limit) && $limit < 100) { |
557: | $limit = (int)$limit; |
558: | } else { |
559: | $limit = 10; |
560: | } |
561: | $limitStr = 'LIMIT ' . ($limit + 1); |
562: | $handler = \MySQL::initialize(); |
563: | $q = $handler->query("SELECT |
564: | UNIX_TIMESTAMP(`login_date`) AS login_date, |
565: | INET_NTOA(`ip`) AS ip FROM `login_log` |
566: | WHERE |
567: | `domain` = '" . $this->domain . "' |
568: | AND `username` = '" . $this->username . "' |
569: | ORDER BY id DESC " . $limitStr); |
570: | $q->fetch_object(); |
571: | |
572: | while (($data = $q->fetch_object()) !== null) { |
573: | $logins[] = array( |
574: | 'ip' => $data->ip, |
575: | 'ts' => $data->login_date |
576: | ); |
577: | } |
578: | |
579: | |
580: | |
581: | return $logins; |
582: | |
583: | } |
584: | |
585: | |
586: | |
587: | |
588: | |
589: | |
590: | |
591: | public function change_domain(string $domain): bool |
592: | { |
593: | if (!IS_CLI) { |
594: | $olddomain = $this->domain; |
595: | $ret = $this->query('auth_change_domain', $domain); |
596: | if ($ret) { |
597: | parent::sendNotice( |
598: | 'domain', |
599: | [ |
600: | 'email' => $this->getConfig('siteinfo', 'email'), |
601: | 'ip' => \Auth::client_ip(), |
602: | 'domain' => $olddomain |
603: | ] |
604: | ); |
605: | $this->_purgeLoginKey($this->username, $olddomain); |
606: | } |
607: | |
608: | return $ret; |
609: | } |
610: | |
611: | if ($this->is_demo()) { |
612: | return error('domain change disabled for demo'); |
613: | } |
614: | |
615: | $domain = strtolower($domain); |
616: | if (0 === strncmp($domain, "www.", 4)) { |
617: | $domain = substr($domain, 4); |
618: | } |
619: | if ($domain === $this->domain) { |
620: | return error('new domain is equivalent to old domain'); |
621: | } |
622: | if (!preg_match(Regex::DOMAIN, $domain)) { |
623: | return error("`%s': invalid domain", $domain); |
624: | } |
625: | if ($this->dns_domain_hosted($domain, true)) { |
626: | |
627: | return error("`%s': cannot add domain - hosted on another " . |
628: | 'account elsewhere', $domain); |
629: | } |
630: | |
631: | if ($this->web_subdomain_exists($domain)) { |
632: | return error("cannot promote subdomain `%s' to domain", $domain); |
633: | } |
634: | |
635: | if (\Opcenter\License::get()->isDevelopment() && substr($domain, -5) !== '.test') { |
636: | return error("License permits only .test TLDs. `%s' provided.", $domain); |
637: | } |
638: | |
639: | if (!$this->aliases_bypass_exists($domain) && |
640: | $this->dns_gethostbyname_t($domain) != $this->dns_get_public_ip() && |
641: | $this->dns_get_records_external('', 'any', $domain) && |
642: | !$this->dns_domain_uses_nameservers($domain) |
643: | ) { |
644: | $currentns = join(',', (array)$this->dns_get_authns_from_host($domain)); |
645: | $hostingns = join(',', $this->dns_get_hosting_nameservers($domain)); |
646: | |
647: | return error('domain uses third-party nameservers - %s, change nameservers to %s before promoting ' . |
648: | 'this domain to primary domain status', $currentns, $hostingns); |
649: | } |
650: | |
651: | $proc = new Util_Account_Editor($this->getAuthContext()->getAccount(), $this->getAuthContext()); |
652: | $proc->setConfig('siteinfo', 'domain', $domain)-> |
653: | setConfig(\Opcenter\SiteConfiguration::getModuleRemap('proftpd'), 'ftpserver', 'ftp' . $domain)-> |
654: | setConfig(\Opcenter\SiteConfiguration::getModuleRemap('apache'), 'webserver', 'www.' . $domain)-> |
655: | setConfig(\Opcenter\SiteConfiguration::getModuleRemap('sendmail'), 'mailserver', 'mail.' . $domain); |
656: | |
657: | return $proc->edit(); |
658: | } |
659: | |
660: | |
661: | |
662: | |
663: | |
664: | |
665: | |
666: | |
667: | private function _purgeLoginKey(string $user = '', string $domain = ''): void |
668: | { |
669: | |
670: | $userkey = md5($user . $domain); |
671: | $arrkey = self::SECURITY_TOKEN . '.' . $userkey; |
672: | $prefs = Preferences::factory($this->getAuthContext()); |
673: | $prefs->unlock($this->getApnscpFunctionInterceptor()); |
674: | unset($prefs[$arrkey]); |
675: | } |
676: | |
677: | |
678: | |
679: | |
680: | |
681: | |
682: | |
683: | public function change_username(string $user): bool |
684: | { |
685: | if (!IS_CLI) { |
686: | $email = $this->common_get_email(); |
687: | \Preferences::factory($this->getAuthContext())->sync(); |
688: | $ret = $this->query('auth_change_username', $user); |
689: | if ($ret && $email) { |
690: | |
691: | $this->getAuthContext()->username = $user; |
692: | |
693: | parent::sendNotice( |
694: | 'username', |
695: | [ |
696: | 'email' => $email, |
697: | 'ip' => \Auth::client_ip() |
698: | ] |
699: | ); |
700: | |
701: | $db = \apnscpSession::db(); |
702: | |
703: | $stmt = $db->prepare("UPDATE " . apnscpSession::TABLE . " SET |
704: | username = :user WHERE session_id = :session_id"); |
705: | $params = ['user' => $user, 'session_id' => $this->session_id]; |
706: | |
707: | if (!$stmt->execute($params)) { |
708: | \Error_Reporter::report($db->errorInfo()[0]); |
709: | fatal('failed to access credentials database'); |
710: | } |
711: | |
712: | $this->_purgeLoginKey($user, $this->domain); |
713: | } |
714: | |
715: | return $ret; |
716: | } |
717: | |
718: | if ($this->is_demo()) { |
719: | return error('username change disabled for demo'); |
720: | } |
721: | $user = strtolower($user); |
722: | if (!preg_match(Regex::USERNAME, $user)) { |
723: | return error("invalid new username `%s'", $user); |
724: | } |
725: | |
726: | |
727: | $class = \a23r::get_autoload_class_from_module('user'); |
728: | if (strlen($user) > $class::USER_MAXLEN) { |
729: | return error('user max length %d', $class::USER_MAXLEN); |
730: | } |
731: | |
732: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
733: | |
734: | |
735: | if (!($fp = fopen(static::ADMIN_AUTH, 'r+')) || !flock($fp, LOCK_EX | LOCK_NB)) { |
736: | fclose($fp); |
737: | |
738: | return error("unable to gain exclusive lock on `%s'", static::ADMIN_AUTH); |
739: | } |
740: | $lines = []; |
741: | while (false !== ($line = fgets($fp))) { |
742: | $lines[] = explode(':', rtrim($line)); |
743: | } |
744: | if (false !== ($pos = array_search($user, array_column($lines, 0), true))) { |
745: | flock($fp, LOCK_UN); |
746: | fclose($fp); |
747: | |
748: | return error("user `%s' already exists", $user); |
749: | } |
750: | if (false === ($pos = array_search($this->username, array_column($lines, 0), true))) { |
751: | flock($fp, LOCK_UN); |
752: | fclose($fp); |
753: | |
754: | return error("original user `%s' does not exist", $this->username); |
755: | } |
756: | $lines[$pos][0] = $user; |
757: | if (!ftruncate($fp, 0)) { |
758: | flock($fp, LOCK_UN); |
759: | fclose($fp); |
760: | |
761: | return error("failed to truncate `%s'", static::ADMIN_AUTH); |
762: | } |
763: | rewind($fp); |
764: | fwrite($fp, implode("\n", array_map(static function ($a) { |
765: | return join(':', $a); |
766: | }, $lines))); |
767: | |
768: | |
769: | $oldprefs = implode(DIRECTORY_SEPARATOR, |
770: | [\Admin_Module::ADMIN_HOME, \Admin_Module::ADMIN_CONFIG, $this->username]); |
771: | $newprefs = implode(DIRECTORY_SEPARATOR, |
772: | [\Admin_Module::ADMIN_HOME, \Admin_Module::ADMIN_CONFIG, $user]); |
773: | if (file_exists($oldprefs)) { |
774: | if (file_exists($newprefs)) { |
775: | unlink($newprefs); |
776: | } |
777: | rename($oldprefs, $newprefs) || warn("failed to rename preferences from `%s' to `%s'", $oldprefs, $newprefs); |
778: | } |
779: | \apnscpSession::invalidate_by_user(null, $this->username); |
780: | return flock($fp, LOCK_UN) && fclose($fp); |
781: | } |
782: | |
783: | $this->user_flush(); |
784: | if (!$this->_username_unique($user)) { |
785: | return error("requested username `%s' in use on another account", $user); |
786: | } |
787: | if ($this->user_exists($user)) { |
788: | return error("requested username `%s' already exists on this account", $user); |
789: | } |
790: | |
791: | $this->getAuthContext()->username = $user; |
792: | $proc = new Util_Account_Editor($this->getAuthContext()->getAccount(), $this->getAuthContext()); |
793: | $proc->setConfig('siteinfo', 'admin_user', $user) |
794: | ->setConfig('mysql', 'dbaseadmin', $user); |
795: | $ret = $proc->edit(); |
796: | |
797: | if (!$ret) { |
798: | return error('failed to change admin user'); |
799: | } |
800: | |
801: | return true; |
802: | } |
803: | |
804: | |
805: | |
806: | |
807: | |
808: | |
809: | |
810: | |
811: | |
812: | private function _username_unique($user) |
813: | { |
814: | |
815: | $user = strtolower($user); |
816: | if (\Auth::get_admin_from_site_id($user)) { |
817: | return 0; |
818: | } |
819: | |
820: | if (!Auth_Lookup::extendedAvailable()) { |
821: | return 1; |
822: | } |
823: | |
824: | $db = self::_connect_db(); |
825: | if (!$db) { |
826: | return error('cannot connect to db'); |
827: | } |
828: | $q = "SELECT 1 FROM account_cache where admin = '" . |
829: | $db->real_escape_string($user) . "'"; |
830: | $rs = $db->query($q); |
831: | |
832: | return $rs->num_rows > 0 ? -1 : 1; |
833: | } |
834: | |
835: | private static function _connect_db() |
836: | { |
837: | if (!is_null(self::$domain_db) && self::$domain_db->ping()) { |
838: | return self::$domain_db; |
839: | } |
840: | try { |
841: | $db = new mysqli(AUTH_USERNAME_HOST, AUTH_USERNAME_USER, AUTH_USERNAME_PASSWORD, AUTH_USERNAME_DB); |
842: | } catch (\mysqli_sql_exception $e) { |
843: | return error('Cannot connect to domain server at this time'); |
844: | } |
845: | |
846: | self::$domain_db = &$db; |
847: | |
848: | return $db; |
849: | } |
850: | |
851: | |
852: | |
853: | |
854: | |
855: | |
856: | |
857: | |
858: | |
859: | public function set_temp_password(string $item, int $duration = 120, string $password = null) |
860: | { |
861: | if (!IS_CLI) { |
862: | return $this->query('auth_set_temp_password', $item, $duration, $password); |
863: | } |
864: | |
865: | if (!$password) { |
866: | $password = Password::generate(); |
867: | } |
868: | if ($duration < 1) { |
869: | return error("invalid duration `%d'", $duration); |
870: | } |
871: | |
872: | $user = null; |
873: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
874: | if (0 !== strpos($item, 'site')) { |
875: | $tmp = \Auth::get_site_id_from_domain($item); |
876: | if (!$tmp) { |
877: | return error("domain `%s' not found on server", $item); |
878: | } |
879: | $item = 'site' . $tmp; |
880: | } else { |
881: | $tmp = \Auth::get_domain_from_site_id(substr($item, 4)); |
882: | if (!$tmp) { |
883: | return error("site `%s' not found on server", $item); |
884: | } |
885: | } |
886: | $site = $item; |
887: | $user = \Auth::get_admin_from_site_id(substr($site, 4)); |
888: | } else { |
889: | if (!\array_key_exists($item, $this->user_get_users())) { |
890: | return error("Unknown user `%s'", $item); |
891: | } |
892: | $site = $this->site; |
893: | $user = $item; |
894: | } |
895: | |
896: | $ctx = \Auth::context($user, $site); |
897: | if (!($oldcrypted = Shadow::bindTo($ctx->domain_fs_path())->getspnam($user))) { |
898: | return error("Failed to locate shadow for `%s'", $user); |
899: | } |
900: | |
901: | $crypted = $this->crypt($password); |
902: | |
903: | $accountMeta = $ctx->getAccount(); |
904: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
905: | $editor = new Util_Account_Editor($accountMeta, $ctx); |
906: | $ret = $editor->setMode('edit')->setConfig(self::getAuthService(), self::PWOVERRIDE_KEY, true) |
907: | ->setConfig(self::getAuthService(), 'cpasswd', $crypted)->edit(); |
908: | } else { |
909: | $ret = Shadow::bindTo($ctx->domain_fs_path())->set_cpasswd($crypted, $user); |
910: | } |
911: | if (!$ret) { |
912: | return error("failed to set temp password: `%s'", Error_Reporter::get_last_msg()); |
913: | } |
914: | |
915: | |
916: | $status = array( |
917: | 'success' => true |
918: | ); |
919: | |
920: | $dt = new DateTime("now + ${duration} seconds"); |
921: | $proc = new Util_Process_Schedule($dt); |
922: | $key = 'RESET-' . $ctx->user_id; |
923: | if (!$proc->idPending($key, $this->getAuthContext())) { |
924: | $proc->setID($key, $this->getAuthContext()); |
925: | if ($this->permission_level & PRIVILEGE_ADMIN) { |
926: | $editor = new Util_Account_Editor($accountMeta, $ctx); |
927: | $editor->setMode('edit')->setConfig(self::getAuthService(), 'cpasswd', $oldcrypted['shadow'])-> |
928: | setConfig(self::getAuthService(), self::PWOVERRIDE_KEY, false); |
929: | $cmd = $editor->getCommand(); |
930: | $args = null; |
931: | } else { |
932: | $chrtcmd = 'usermod -p ' . |
933: | escapeshellarg($oldcrypted['shadow']) . ' ' . |
934: | '"$(id -nu ' . $ctx->user_id . ')"'; |
935: | $cmd = "chroot %(path)s /bin/sh -c '%(command)s'"; |
936: | $args = [ |
937: | 'command' => escapeshellarg($chrtcmd), |
938: | 'path' => $ctx->domain_fs_path() |
939: | ]; |
940: | } |
941: | $status = $proc->run($cmd, $args); |
942: | } |
943: | |
944: | if ($status['success']) { |
945: | info("Password set on `%s'@`%s' to `%s' for %d seconds", |
946: | $ctx->username, |
947: | $ctx->domain, |
948: | $password, |
949: | $duration |
950: | ); |
951: | } |
952: | |
953: | return $password; |
954: | } |
955: | |
956: | |
957: | |
958: | |
959: | |
960: | |
961: | |
962: | |
963: | |
964: | |
965: | private function _get_site_admin_shadow($site_id): string |
966: | { |
967: | $site = 'site' . (int)$site_id; |
968: | $base = FILESYSTEM_VIRTBASE . "/${site}/fst"; |
969: | $file = '/etc/shadow'; |
970: | $admin = \Auth::get_admin_from_site_id($site_id); |
971: | if (!file_exists($base . $file)) { |
972: | fatal("shadow not found for `%s'", $site); |
973: | } |
974: | $shadow = null; |
975: | $fp = fopen($base . $file, 'r'); |
976: | while (false !== ($line = fgets($fp))) { |
977: | $tok = strtok($line, ':'); |
978: | if ($tok != $admin) { |
979: | continue; |
980: | } |
981: | $shadow = strtok(':'); |
982: | break; |
983: | } |
984: | fclose($fp); |
985: | if (!$shadow) { |
986: | fatal("admin `%s' not found for `%s'", $admin, $site); |
987: | } |
988: | |
989: | return $shadow; |
990: | } |
991: | |
992: | public function _create() |
993: | { |
994: | static::rebuildMap(); |
995: | } |
996: | |
997: | public function _edit() |
998: | { |
999: | $conf_new = $this->getAuthContext()->getAccount()->new; |
1000: | $conf_old = $this->getAuthContext()->getAccount()->old; |
1001: | $user = array( |
1002: | 'old' => $conf_old['siteinfo']['admin_user'], |
1003: | 'new' => $conf_new['siteinfo']['admin_user'] |
1004: | ); |
1005: | static::rebuildMap(); |
1006: | if ($user['old'] === $user['new']) { |
1007: | return; |
1008: | } |
1009: | |
1010: | return $this->_edit_wrapper($user['old'], $user['new']); |
1011: | } |
1012: | |
1013: | |
1014: | |
1015: | |
1016: | |
1017: | |
1018: | |
1019: | |
1020: | private function _edit_wrapper($userold, $usernew) |
1021: | { |
1022: | if ($userold === $usernew) { |
1023: | return; |
1024: | } |
1025: | $db = \MySQL::initialize(); |
1026: | foreach ($this->_get_api_keys_real($userold) as $key) { |
1027: | if (!$db->query("UPDATE api_keys SET `username` = '" . $db->escape_string($usernew) . "' " . |
1028: | "WHERE api_key = '" . $key['key'] . "' AND `username` = '" . $db->escape_string($userold) . "'" |
1029: | )) { |
1030: | warn("failed to rename API keys for user `%s' to `%s'", $userold, $usernew); |
1031: | } |
1032: | } |
1033: | |
1034: | $invoice = $this->billing_get_invoice(); |
1035: | if (!$db->query("UPDATE login_log SET `username` = '" . $db->escape_string($usernew) . "' " . |
1036: | "WHERE `username` = '" . $db->escape_string($userold) . "' AND invoice = '" . $db->escape_string($invoice) . "'")) { |
1037: | warn("failed to rename login history for user `%s' to `%s'", $userold, $usernew); |
1038: | } |
1039: | |
1040: | |
1041: | |
1042: | |
1043: | |
1044: | |
1045: | |
1046: | |
1047: | mute_warn(); |
1048: | foreach (static::PAM_SERVICES as $svc) { |
1049: | if ($this->user_permitted($userold, $svc)) { |
1050: | $this->deny_user($userold, $svc); |
1051: | $this->permit_user($usernew, $svc); |
1052: | } |
1053: | } |
1054: | unmute_warn(); |
1055: | |
1056: | $this->user_flush(); |
1057: | |
1058: | return true; |
1059: | } |
1060: | |
1061: | protected function _get_api_keys_real($user) |
1062: | { |
1063: | $db = Auth_SOAP::get_api_db(); |
1064: | $qfrag = $this->_getAPIQueryFragment(); |
1065: | |
1066: | |
1067: | |
1068: | |
1069: | $q = 'SELECT `api_key`, |
1070: | UNIX_TIMESTAMP(`last_used`) as last_used, |
1071: | comment |
1072: | FROM `api_keys` |
1073: | ' . $qfrag['join'] . " |
1074: | WHERE |
1075: | `username` = '" . $db->escape_string($user) . "' AND " . |
1076: | $qfrag['where'] . ' GROUP BY (api_key)'; |
1077: | $rs = $db->query($q); |
1078: | if (!$rs) { |
1079: | return error('failed to get keys'); |
1080: | } |
1081: | $keys = array(); |
1082: | while ($row = $rs->fetch_object()) { |
1083: | $keys[] = array( |
1084: | 'key' => $row->api_key, |
1085: | 'last_used' => $row->last_used, |
1086: | 'comment' => $row->comment |
1087: | ); |
1088: | } |
1089: | |
1090: | return $keys; |
1091: | } |
1092: | |
1093: | |
1094: | |
1095: | |
1096: | |
1097: | |
1098: | |
1099: | |
1100: | |
1101: | |
1102: | public function user_permitted(string $user, string $svc = 'cp'): bool |
1103: | { |
1104: | return $this->user_enabled($user, $svc); |
1105: | } |
1106: | |
1107: | |
1108: | |
1109: | |
1110: | |
1111: | |
1112: | |
1113: | |
1114: | public function user_enabled(string $user, string $svc = 'cp'): bool |
1115: | { |
1116: | if (!in_array($svc, static::PAM_SERVICES, true)) { |
1117: | return error("unknown service `$svc'"); |
1118: | } |
1119: | |
1120: | if ($svc == 'cp' && ($this->permission_level & PRIVILEGE_SITE) && |
1121: | $user === $this->username |
1122: | ) { |
1123: | return true; |
1124: | } else if ($this->permission_level & (PRIVILEGE_ADMIN | PRIVILEGE_RESELLER)) { |
1125: | return true; |
1126: | } |
1127: | |
1128: | return (new Util_Pam($this->getAuthContext()))->check($user, $svc); |
1129: | } |
1130: | |
1131: | |
1132: | |
1133: | |
1134: | |
1135: | |
1136: | |
1137: | |
1138: | public function deny_user(string $user, string $svc = 'cp'): bool |
1139: | { |
1140: | return (new Util_Pam($this->getAuthContext()))->remove($user, $svc); |
1141: | } |
1142: | |
1143: | |
1144: | |
1145: | |
1146: | |
1147: | |
1148: | |
1149: | public function permit_user($user, $svc = 'cp'): bool |
1150: | { |
1151: | if (!in_array($svc, static::PAM_SERVICES, true)) { |
1152: | return error("unknown service `$svc'"); |
1153: | } |
1154: | |
1155: | return (new Util_Pam($this->getAuthContext()))->add($user, $svc); |
1156: | } |
1157: | |
1158: | |
1159: | |
1160: | |
1161: | |
1162: | |
1163: | |
1164: | |
1165: | public function restrict_ip(string $ip, string $gate = null): bool |
1166: | { |
1167: | if ($this->is_demo()) { |
1168: | return error('Cannot restrict IP in demo mode'); |
1169: | } |
1170: | return \Auth\IpRestrictor::instantiateContexted($this->getAuthContext())->add($ip, $gate); |
1171: | } |
1172: | |
1173: | |
1174: | |
1175: | |
1176: | |
1177: | |
1178: | |
1179: | |
1180: | public function remove_ip_restriction(string $ip, string $gate = null): bool |
1181: | { |
1182: | return \Auth\IpRestrictor::instantiateContexted($this->getAuthContext())->remove($ip, $gate); |
1183: | } |
1184: | |
1185: | |
1186: | |
1187: | |
1188: | |
1189: | |
1190: | public function get_ip_restrictions(): array |
1191: | { |
1192: | return \Auth\IpRestrictor::instantiateContexted($this->getAuthContext())->list(); |
1193: | } |
1194: | |
1195: | public function _edit_user(string $userold, string $usernew, array $oldpwd) |
1196: | { |
1197: | return $this->_edit_wrapper($userold, $usernew); |
1198: | } |
1199: | |
1200: | public function _reset(\Util_Account_Editor &$editor = null) |
1201: | { |
1202: | $module = self::getAuthService(); |
1203: | $crypted = $this->_get_site_admin_shadow($this->site_id); |
1204: | if (!$crypted) { |
1205: | fatal('call _reset() in auth from backend'); |
1206: | } |
1207: | $params = array( |
1208: | 'cpasswd' => $crypted |
1209: | ); |
1210: | if ($editor) { |
1211: | foreach ($params as $k => $v) { |
1212: | $editor->setConfig($module, $k, $v); |
1213: | } |
1214: | } |
1215: | |
1216: | return array($module => $params); |
1217: | |
1218: | } |
1219: | |
1220: | public function _delete() |
1221: | { |
1222: | |
1223: | |
1224: | |
1225: | $server = \Auth_Redirect::lookup($this->domain); |
1226: | if (!$server || $server === SERVER_NAME_SHORT) { |
1227: | foreach ($this->get_api_keys() as $key) { |
1228: | $this->delete_api_key($key['key']); |
1229: | } |
1230: | } |
1231: | } |
1232: | |
1233: | |
1234: | |
1235: | |
1236: | |
1237: | |
1238: | |
1239: | |
1240: | |
1241: | |
1242: | |
1243: | |
1244: | public function get_api_keys(string $user = null) |
1245: | { |
1246: | if (!$user || !($this->permission_level & PRIVILEGE_SITE)) { |
1247: | $user = $this->username; |
1248: | } else if ($user && !$this->user_exists($user)) { |
1249: | return error("user `%s' does not exist", $user); |
1250: | } |
1251: | |
1252: | return $this->_get_api_keys_real($user); |
1253: | } |
1254: | |
1255: | |
1256: | |
1257: | |
1258: | |
1259: | |
1260: | |
1261: | |
1262: | |
1263: | |
1264: | public function delete_api_key(string $key, string $user = null): bool |
1265: | { |
1266: | $key = str_replace('-', '', strtolower($key)); |
1267: | if (!ctype_xdigit($key)) { |
1268: | return error($key . ': invalid key'); |
1269: | } |
1270: | |
1271: | |
1272: | $keys = $this->get_api_keys($user); |
1273: | if (!$keys) { |
1274: | return false; |
1275: | } |
1276: | $found = false; |
1277: | foreach ($keys as $k) { |
1278: | if ($k['key'] === $key) { |
1279: | $found = true; |
1280: | break; |
1281: | } |
1282: | } |
1283: | if (!$found) { |
1284: | return error("unknown key `%s'", $key); |
1285: | } |
1286: | $db = Auth_SOAP::get_api_db(); |
1287: | $rs = $db->query("DELETE FROM `api_keys` |
1288: | WHERE `api_key` = '" . strtolower($key) . "'"); |
1289: | |
1290: | return (bool)$rs; |
1291: | } |
1292: | |
1293: | public function _housekeeping() |
1294: | { |
1295: | |
1296: | static::rebuildMap(); |
1297: | |
1298: | if (\Opcenter\License::get()->needsReissue()) { |
1299: | info('Attempting to renew apnscp license'); |
1300: | \Opcenter\License::get()->reissue(); |
1301: | } |
1302: | |
1303: | (new SecureAccessKey)->check(); |
1304: | } |
1305: | |
1306: | public function _cron(Cronus $cron) |
1307: | { |
1308: | $cron->schedule(FRONTEND_SECKEY_TTL, 'seckey.roll', static function () { |
1309: | (new SecureAccessKey)->reset(); |
1310: | }); |
1311: | |
1312: | $cron->schedule((int)FRONTEND_SECKEY_TTL/4, 'seckey.check', static function () { |
1313: | (new SecureAccessKey)->check(); |
1314: | }); |
1315: | } |
1316: | |
1317: | public function _create_user(string $user) |
1318: | { |
1319: | |
1320: | } |
1321: | |
1322: | public function _delete_user(string $user) |
1323: | { |
1324: | |
1325: | } |
1326: | |
1327: | public function _verify_conf(\Opcenter\Service\ConfigurationContext $ctx): bool |
1328: | { |
1329: | return true; |
1330: | } |
1331: | } |