-
Notifications
You must be signed in to change notification settings - Fork 138
/
Klsecurity.php
432 lines (408 loc) · 16.7 KB
/
Klsecurity.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
class Klsecurity extends CI_Model
{
/*
WARNING:
- this model is loaded only when a valid controller is called.
- if an invalid controller is requested (GET/POST) then 404 page will kick in
- some external API requests are routed in config/router.php
User auth is as follows:
0 - disabled - Unauthenticated user
1 - suspended - User suspended from system
2 - registered - User allowed to view/add jobs, quotas enforced
4 - observer - Not used
8 - poweruser - User allowed to view/add jobs, quotas disabled
16 - Admin - God
*/
private $auth_disabled = 0;
private $auth_suspended = 1;
private $auth_registered = 2;
private $auth_observer = 4;
private $auth_poweruser = 8;
private $auth_admin = 16;
// Centralized set of permissions for controllers
private $controller_perms = array();
public function __construct()
{
// Centralized set of permissions for each controller
$this->controller_perms = array(
"/login" => $this->auth_disabled_level(),
"/profile" => $this->auth_registered_level(),
"/jobs" => $this->auth_registered_level(),
"/advanced_search" => $this->auth_admin_level(),
// This is just for admins
"/admin_tools" => $this->auth_admin_level()
);
// Centralized set of controllers that are external API endpoint
$this->api_controllers = array(
"/api/jobs",
"/api/users"
);
// Auth logic starts here!!
$controller_full_path = $this->get_curr_controller_full_path();
// Default controller restriction is admin lvl
$this_controller_restriction = $this->auth_admin_level();
$user_carry_on = false;
// Here we want to check if the current user has permissions to invoke the controller
// Let's check if we find the controller in the list.
if (array_key_exists($controller_full_path, $this->controller_perms))
{
$this_controller_restriction = $this->controller_perms[$controller_full_path];
$this->authorized_for_level($this_controller_restriction);
// If we got there, then every-thing's fine!
$user_carry_on = true;
}
// If the full path is not in the list of controllers, maybe it's an API endpoint
else if (in_array($controller_full_path, $this->api_controllers, true))
{
// Indeed is an API request!
// Authenticate the user
// Check if the auth_code exists!
$auth_code = $this->input->post('auth_code');
if (is_null($auth_code))
{
$this->log('warn', 'klsecurity','[API] No auth_code POST variable received');
echo $this->global_functions->api_generate_error_json("not_authorized");
$this->api_finish_request();
}
// Check if $auth_code is in our DB
// We want to force string conversion
$this->db->where('api_auth_code', "".$auth_code);
$this->db->where('api_status', '1');
// We should get only 1 result
$this->db->limit(1);
$res = $this->db->get('users');
if ($res->num_rows() == 1)
{
$row = $res->result_array();
$row = $row[0];
// Valid API request!
// We now check if the user is allowed to access the requested method
$requested_method = $controller_full_path . "/" . $this->get_requested_method();
// Check its permissions
$allowed_methods = json_decode($row['api_perms']);
if (in_array($requested_method, $allowed_methods, true) ||
in_array("all", $allowed_methods))
{
// CI tries to set up the session data. We don't need to show it to API end-points
header_remove("Set-Cookie");
// Client is allowed to request this method!
// Let's set up his session
$data = array (
// We only have user_id so we don't break the existing function calls
// We have a static user in the `users` table special for API
'username' => $row['username'],
'user_id' => $row['cnt'],
'user_auth' => $row['auth'],
'dateadded' => $row['dateadded'],
// We mark it as api request
'api_user_id' => $row['cnt'],
'api_request' => true
);
// Initializing session for the user
$this->session->set_userdata($data);
// CI tries to set up the session data after we updated it.
// We don't need to show it to API end-points, again
header_remove("Set-Cookie");
$user_carry_on = true;
}
else
{
$this->log('warn', 'klsecurity','[API] User '.$row['cnt'].' tried to access unauthorized method '.$requested_method);
echo $this->global_functions->api_generate_error_json("not_authorized");
$this->api_finish_request();
}
}
// If we got 0 results, then we generate an error
else
{
$this->log('warn', 'klsecurity','[API] auth_code not found in DB: ['.$auth_code."]");
echo $this->global_functions->api_generate_error_json("not_authorized");
$this->api_finish_request();
}
}
// Valid controller is not in list of controllers, nor an API endpoint.
else
{
$this->log('error', 'klsecurity', "User requested valid controller $controller_full_path but no ACL for it");
// Valid controller is missing ACL restrictions. We invalidate the session
$user_carry_on = false;
$this->redirect_destroy_session();
}
// Ultimate safety check
if (!$user_carry_on)
$this->redirect_destroy_session();
// User is allowed to view this page. Carry on!
}
public function get_curr_controller_full_path()
{
$current_controller = $this->router->class;
$current_directory = $this->router->directory;
return "/".$current_directory.$current_controller;
}
public function get_requested_method()
{
return $this->router->method;
}
// Function returns auth user name
// It assumes that the caller is expecting an user name so will fail
// if the session variable doesn't exist
public function get_auth_username()
{
if (is_null($this->session->userdata('username')))
{
$this->log('error','klsecurity/get_auth_username','Tried to fetch username, but was not assigned in session');
$this->redirect_destroy_session();
}
else
return $this->session->userdata('username');
}
// Function returns auth user ID
// It assumes that the caller is expecting an user ID so will fail
// If the session variable doesn't exist
public function get_auth_userid()
{
if (is_null($this->session->userdata('user_id')))
{
$this->log('error','klsecurity/get_auth_userid','Tried to fetch user_id, but was not assigned in session');
$this->redirect_destroy_session();
}
else
return intval($this->session->userdata('user_id'));
}
/* User Authorization Functions */
// If the user_auth is NOT >= than the selected level
// kick out the user!
// If no argument given, considering the lowest auth possible
public function authorized_for_level($level = -1)
{
// Minimum auth level is the Guest one
if ($level == -1)
$level = $this->auth_disabled_level();
// If this function returns NULL, then this user has no auth level,
// So we assign it the lowest possible
if (is_null($this->session->userdata('user_auth')))
{
$user_access_level = $this->auth_disabled_level();
// If the user tries to access one level which is > $this->auth_disabled_level()
// and he doesn't have the 'user_auth' session variable, this means that he shouldn't be here,
// BUT maybe his session might have expired.
// So we redirect him, without logging
// This feature is temporarily disabled
// $this->redirect_destroy_session();
}
else
$user_access_level = $this->session->userdata('user_auth');
// If the user access level is LOWER than the level we're asking, reject!
if ( $user_access_level < $level)
{
// TODO: here we should add controller name as well
$this->log('alert', 'klsecurity', 'User with lvl '.$user_access_level.' tried to access unauthorized level '. $level);
$this->redirect_destroy_session();
}
// The user is authorized .. let him carry on
}
// Function returns TRUE of FALSE if user is allowed to access
// the $link_path provided
public function link_visible_for_user($link_path = '')
{
$curr_user_acces_level = $this->current_auth_lvl();
if (array_key_exists($link_path, $this->controller_perms))
{
// This link exists in our list of controllers
// Let's check if the current user has privilege to view it!
if ($curr_user_acces_level >= $this->controller_perms[$link_path])
return true;
else
return false;
}
// else return false
return false;
}
// Destroy the user's session and redirect him to /
public function redirect_destroy_session()
{
$this->session->sess_destroy();
redirect('/login');
die();
}
// Cleaning up an API request
public function api_finish_request()
{
$this->api_clear_session();
die();
}
// Cleaning up an API request and printing a message before exiting
public function api_finish_request_output($output)
{
$this->api_clear_session();
echo $output;
die();
}
public function api_clear_session()
{
$this->session->sess_destroy();
header_remove("Set-Cookie");
}
// Function determining if this is an API request
public function api_request()
{
if (is_null($this->session->userdata('api_request')))
{
return false;
}
// Else return this variable's value
return $this->session->userdata('api_request');
}
// Return the Disabled auth lvl
public function auth_disabled_level()
{
return $this->auth_disabled;
}
// Returns the Suspended auth lvl
public function auth_suspended_level()
{
return $this->auth_suspended;
}
// Returns the Registered auth lvl
public function auth_registered_level()
{
return $this->auth_registered;
}
// Returns the Observer auth lvl
public function auth_observer_level()
{
return $this->auth_observer;
}
// Return the Poweruser auth lvl
public function auth_poweruser_level()
{
return $this->auth_poweruser;
}
// Return the Admin auth lvl
public function auth_admin_level()
{
return $this->auth_admin;
}
public function current_auth_lvl()
{
// IF the user_auth session data doesn't exist, return disabled user
if (!$this->user_is_authenticated())
return $this->auth_disabled_level();
return intval($this->session->userdata('user_auth'));
}
public function user_is_authenticated()
{
return $this->session->userdata('user_auth') !== NULL;
}
// Returns TRUE if this user is registered
public function user_is_registered()
{
return $this->current_auth_lvl() >= $this->auth_registered_level();
}
// Return TRUE if user is observer
public function user_is_observer()
{
return $this->current_auth_lvl() >= $this->auth_observer_level();
}
// Return TRUE if user is poweruser
public function user_is_poweruser()
{
return $this->current_auth_lvl() >= $this->auth_poweruser_level();
}
// Returns TRUE if this user is admin
public function user_is_admin()
{
return $this->current_auth_lvl() >= $this->auth_admin_level();
}
/* End Authorization Functions */
/* Password Functions */
public function generate_password($length = 16, $level = 3)
{
list($usec, $sec) = explode(' ', microtime());
srand((float) $sec + ((float) $usec * 100000));
$valid_chars[1] = "0123456789abcdfghjkmnpqrstvwxyz";
$valid_chars[2] = "0123456789abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXZY";
$valid_chars[3] = "0123456789_!@#$%&*()-=+/abcdfghjkmnpqrstvwxzyABCDEFGHIJKLMNOPQRSTUVWXZY_!@#$%&*()-=+/";
$password = "";
$count = 0;
while ($count < $length)
{
$found_char = substr($valid_chars[$level], rand(0, strlen($valid_chars[$level])-1), 1);
// All character must be different
if (!strstr($password, $found_char))
{
$password .= $found_char;
++ $count;
}
}
return $password;
}
// This function receives a plaintext password and generates the
// BCRYPT hash for it.
// It returns string OR FALSE!
public function generate_hash ($pass = '')
{
// I don't really trust the PASSWORD_DEFAULT constant in PHP.
// As such, we stick to PASSWORD_BCRYPT
$new_password = password_hash($pass, PASSWORD_BCRYPT);
if ($new_password === FALSE)
{
$this->log('alert', 'klsecurity', '1st attempt failed to generate hash for password '. $pass);
// Weird, we failed to generate the pass,
// Trying again
$new_password = password_hash($pass, PASSWORD_BCRYPT);
}
return $new_password;
}
// Returns TRUE of FALSE if the password matches the hash
public function compare_hash ($input, $hash)
{
return password_verify($input, $hash);
}
/* End Password Functions */
// function xss_clean($input)
// {
// // Do stuff..
// $returned_filtered_string = $this->security->xss_clean($input);
// if (strcmp($input, $returned_filtered_string) !== 0)
// // Different output! Smth is wrong
// $this->log('warning', 'xss_clean', 'Got different results!')
// // Log stuff
// return $returned_filtered_string;
// }
public function log ($type = 'info', $module = 'undefined', $message = '', $user_id = -1)
{
/* Log type
- info - for information, statistics, successful logins and changes, etc.
- alert - for failed logins, failed data
- warning - for errors or actions that users should not be allowed to do
- error - for important errors which can affect the stability of the app
*/
// If the user ID is not set by the calling function we get it from the user data.
// If the user data is not set in session as well the user id is set to -1
if ($user_id == -1 && !is_null($this->session->userdata('user_id')))
$user_id = $this->session->userdata('user_id');
// If we are at an API endpoint, maybe we can find the user_id from the session
if ($this->session->userdata('api_request') === TRUE && !is_null($this->session->userdata('api_user_id')))
{
$user_id = $this->session->userdata('api_user_id');
// We append the message with API
$message = "[API] ".$message;
}
$data['type'] = $type;
$data['module'] = $module;
$data['data'] = $message;
if (is_cli())
{
$data['ip'] = 0;
$data['data'] = "[CLI] ".$data['data'];
}
else
$data['ip'] = ip2long($this->input->ip_address());
$data['user_id'] = $user_id;
// Check if we are in sinkhole mode
$ci_logs = 'ci_logs';
$this->db->insert($ci_logs, $data);
}
}