1<?php
2/*
3 * Copyright 2005-2016 OCSInventory-NG/OCSInventory-ocsreports contributors.
4 * See the Contributors file for more details about them.
5 *
6 * This file is part of OCSInventory-NG/OCSInventory-ocsreports.
7 *
8 * OCSInventory-NG/OCSInventory-ocsreports is free software: you can redistribute
9 * it and/or modify it under the terms of the GNU General Public License as
10 * published by the Free Software Foundation, either version 2 of the License,
11 * or (at your option) any later version.
12 *
13 * OCSInventory-NG/OCSInventory-ocsreports is distributed in the hope that it
14 * will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
15 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 * GNU General Public License for more details.
17 *
18 * You should have received a copy of the GNU General Public License
19 * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
20 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
21 * MA 02110-1301, USA.
22 */
23/* This module automatically inserts valid LDAP users into OCS operators table.
24 *
25 * The userlevel is defined according to conditions defined in the following configuration fields:
26 *
27 * - CONEX_LDAP_CHECK_FIELD1_NAME
28 * - CONEX_LDAP_CHECK_FIELD1_VALUE
29 * - CONEX_LDAP_CHECK_FIELD1_ROLE
30 * - CONEX_LDAP_CHECK_FIELD2_NAME
31 * - CONEX_LDAP_CHECK_FIELD2_VALUE
32 * - CONEX_LDAP_CHECK_FIELD2_ROLE
33 *
34 * If any of these attributes are defined (and found on the LDAP query), they're used to determine the correct
35 * user level and role.
36 *
37 * in case of success, an array is returned with the access data in the following format:
38 * array('accesslvl'=>%%,'tag_show'=>array(%,%,%,%,%...))
39 *
40 * else, an error code is returned.
41 *
42 * CONEX_LDAP_CHECK_FIELD1_NAME="thisGuyIsAdmin"
43 * CONEX_LDAP_CHECK_FIELD1_VALUE="0"
44 * CONEX_LDAP_CHECK_FIELD1_ROLE="user"
45 * CONEX_LDAP_CHECK_FIELD2_NAME="thisGuyIsAdmin"
46 * CONEX_LDAP_CHECK_FIELD2_VALUE="1"
47 * CONEX_LDAP_CHECK_FIELD2_ROLE="sadmin"
48 * In logical terms:
49 * if thisGuyIsAdmin=0 then
50 *    role=user
51 * else if thisGuyIsAdmin=1 then
52 *    role=sadmin
53 *
54 *    Note: the default user levels in OCS currently are "admin", "ladmin" and "sadmin". The above is just an example.
55 *
56 */
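if ($_SESSION['OCS']['cnx_origine'] != "LDAP") {
    return false;
}

require_once ('require/function_files.php');
// page name
$name = "ldap.php";
connexion_local_read();

// select the main database
mysqli_select_db($link_ocs, $db_ocs);

// retrieve LDAP-related config values into an array.
// substr(NAME,7) strips the "CONEX_" prefix, so the row CONEX_LDAP_CHECK_FIELD1_NAME
// ends up in $config['LDAP_CHECK_FIELD1_NAME']. Initialised first so an empty
// result set does not leave $config undefined.
$config = array();
$sql = "select substr(NAME,7) as NAME,TVALUE from config where NAME like '%s'";
$arg = array("%CONEX%");
$res = mysql2_query_secure($sql, $link_ocs, $arg);
while ($item = mysqli_fetch_object($res)) {
    $config[$item->NAME] = $item->TVALUE;
}

// checks if the user already exists
$reqOp = "SELECT new_accesslvl as accesslvl FROM operators WHERE id='%s'";
$argOp = array($_SESSION['OCS']["loggeduser"]);
$resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);

// LDAP attributes of the logged-in user, as stored in the session by the LDAP login step.
// NOTE(review): attribute names are looked up exactly as configured; whether the login
// step lowercases the keys is not visible here — confirm when configuring FIELDn_NAME.
$details = (isset($_SESSION['OCS']['details']) && is_array($_SESSION['OCS']['details']))
    ? $_SESSION['OCS']['details'] : array();

// defines the user level according to specific LDAP attributes
// default: the role from CONEX_LDAP_CHECK_DEFAULT_ROLE; an empty role refuses the login below
$defaultRole = isset($config['LDAP_CHECK_DEFAULT_ROLE']) ? (string) $config['LDAP_CHECK_DEFAULT_ROLE'] : '';

// Evaluate the two configurable attribute checks in order. The last match wins,
// so FIELD2 takes precedence over FIELD1 when both match (unchanged precedence).
foreach (array(1, 2) as $n) {
    $nameKey = 'LDAP_CHECK_FIELD' . $n . '_NAME';
    $valueKey = 'LDAP_CHECK_FIELD' . $n . '_VALUE';
    $roleKey = 'LDAP_CHECK_FIELD' . $n . '_ROLE';

    $fieldName = isset($config[$nameKey]) ? (string) $config[$nameKey] : '';
    $expected = isset($config[$valueKey]) ? (string) $config[$valueKey] : '';
    if ($fieldName === '' || $expected === '' || !isset($details[$fieldName])) {
        continue; // check not configured, or the attribute is absent for this user
    }
    $actual = $details[$fieldName];

    // Multi-valued attributes (typically memberOf) arrive as an array: the check matches
    // when any value equals the configured one. The comparison is strict so that the
    // role decision does not depend on PHP's numeric-string coercion ("1" == "01").
    // A configured value of "0" is a legitimate match (see the header example); the
    // former empty() test silently ignored it.
    if (is_array($actual)) {
        $matched = in_array($expected, $actual, true);
    } else {
        $matched = ((string) $actual === $expected);
    }
    if ($matched) {
        $defaultRole = isset($config[$roleKey]) ? (string) $config[$roleKey] : '';
    }
}

// note: the global DEBUG toggle is not available yet at this point of the login.
// if no role could be determined, the operator record is neither created nor updated
if ($defaultRole !== '') {
    if (!mysqli_fetch_object($resOp)) {
        // no operator row yet: create it from the LDAP attributes
        $reqInsert = "INSERT INTO operators (
            ID,
            FIRSTNAME,
            LASTNAME,
            PASSWD,
            COMMENTS,
            NEW_ACCESSLVL,
            EMAIL,
            USER_GROUP
                )
                VALUES ('%s','%s', '%s', '%s','%s', '%s', '%s', '%s')";

        // PASSWD is stored empty: this operator authenticated through LDAP (cnx_origine check above).
        // USER_GROUP receives the literal string "NULL" through the quoted '%s' placeholder, as before.
        // NOTE(review): that looks like it was meant to be an SQL NULL — confirm before changing.
        $arg_insert = array(
            $_SESSION['OCS']["loggeduser"],
            isset($details['givenname']) ? $details['givenname'] : '',
            isset($details['sn']) ? $details['sn'] : '',
            "",
            "LDAP",
            $defaultRole,
            isset($details['mail']) ? $details['mail'] : '',
            "NULL",
        );
    } else {
        // existing operator: refresh level and e-mail from the current LDAP data
        $reqInsert = "UPDATE operators SET
                        NEW_ACCESSLVL='%s',
                        EMAIL='%s'
                    WHERE ID='%s'";

        $arg_insert = array(
            $defaultRole,
            isset($details['mail']) ? $details['mail'] : '',
            $_SESSION['OCS']["loggeduser"],
        );
    }
    connexion_local_write();
    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    // Execute the query to insert/update the user record
    mysql2_query_secure($reqInsert, $link_ocs, $arg_insert);

    // re-read the stored level over the read connection and derive the session
    // variables the rest of OCS expects from it ($lvluser, $list_tag, $ERROR)
    connexion_local_read();
    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    $resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);
    $rowOp = mysqli_fetch_object($resOp);
    if (!isset($rowOp->accesslvl)) {
        $ERROR = $l->g(894);
    } elseif ((string) $rowOp->accesslvl !== basename((string) $rowOp->accesslvl)) {
        // the level is used as a profile file name below: refuse anything that is not a bare name
        $ERROR = $l->g(894);
    } else {
        $lvluser = $rowOp->accesslvl;

        $profile_config = PROFILES_DIR . $lvluser . '.xml';

        // no XML profile for this level yet: build the profiles from the 2.2 layout
        if (!file_exists($profile_config)) {
            migrate_config_2_2();
        }

        $profile_serializer = new XMLProfileSerializer();
        $profile = $profile_serializer->unserialize($lvluser, file_get_contents($profile_config));

        // 'YES' => operator is restricted to the tags listed for his login,
        // 'NO'  => unrestricted, anything else is treated as an error message
        $restriction = $profile->getRestriction('GUI');

        if ($restriction == 'YES') {
            $sql = "select tag from tags where login='%s'";
            $arg = array($_SESSION['OCS']["loggeduser"]);
            $res = mysql2_query_secure($sql, $link_ocs, $arg);
            $found_tags = array();
            while ($row = mysqli_fetch_object($res)) {
                $tag = (string) $row->tag;
                if (strpos($tag, '*') === false && strpos($tag, '?') === false) {
                    $found_tags[$tag] = $tag;
                    continue;
                }
                // Wildcard rule: '*' and '?' are the admin-facing wildcards. Escape MySQL's own
                // LIKE metacharacters first so a literal '%' or '_' in the rule stays literal,
                // then translate the wildcards. The pattern is bound through mysql2_query_secure
                // like every other value in this file instead of being interpolated into the SQL.
                $pattern = str_replace(array('\\', '%', '_'), array('\\\\', '\\%', '\\_'), $tag);
                $pattern = str_replace(array('*', '?'), array('%', '_'), $pattern);
                $sql_wildcard = "SELECT TAG FROM `accountinfo` WHERE TAG LIKE '%s' GROUP BY TAG";
                $res_wildcard = mysql2_query_secure($sql_wildcard, $link_ocs, array($pattern));
                while ($row_wildcard = mysqli_fetch_object($res_wildcard)) {
                    $found_tags[$row_wildcard->TAG] = $row_wildcard->TAG;
                }
            }
            // a restricted operator without any resolvable tag cannot see anything: refuse
            if (empty($found_tags)) {
                $ERROR = $l->g(893);
            } else {
                $list_tag = $found_tags;
            }
        } elseif ($restriction != 'NO') {
            $ERROR = $restriction;
        }
    }
} else {
    $ERROR = $l->g(1278);
}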