uses('remoting_lib'); $this->_methods = $methods; /* $this->app = $app; $this->conf = $conf; */ } //* remote login function public function login($username, $password, $client_login = false) { global $app, $conf; $error = array(); // Maintenance mode $app->uses('ini_parser,getconf'); $server_config_array = $app->getconf->get_global_config('misc'); if($server_config_array['maintenance_mode'] == 'y'){ $error = array('faultcode' => 'maintenance_mode', 'faultstring' => 'This ISPConfig installation is currently under maintenance. We should be back shortly. Thank you for your patience.'); } else { if(empty($username)) { $error = array('faultcode' => 'login_username_empty', 'faultstring' => 'The login username is empty.'); } if(empty($password)) { $error = array('faultcode' => 'login_password_empty', 'faultstring' => 'The login password is empty.'); } //* Delete old remoting sessions $sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP()"; $app->db->query($sql); $ip = md5($_SERVER['REMOTE_ADDR']); $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1"; $alreadyfailed = $app->db->queryOneRecord($sql, $ip); if($alreadyfailed['times'] > 5) { $error = array('faultcode' => 'error_user_too_many_logins', 'faultstring' => 'Too many failed logins.'); } } if (empty($error)) { if($client_login == true) { $sql = "SELECT * FROM sys_user WHERE USERNAME = ?"; $user = $app->db->queryOneRecord($sql, $username); if($user) { $saved_password = stripslashes($user['passwort']); if(substr($saved_password, 0, 3) == '$1$') { //* The password is crypt-md5 encrypted $salt = '$1$'.substr($saved_password, 3, 8).'$'; if(crypt(stripslashes($password), $salt) != $saved_password) { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.'); } } else { //* The password is md5 encrypted if(md5($password) != $saved_password) { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.'); } } } else { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.'); } if($user['active'] != 1) { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. User is blocked.'); } // now we need the client data $client = $app->db->queryOneRecord("SELECT client.can_use_api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $user['default_group']); if(!$client || $client['can_use_api'] != 'y') { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Client may not use api.'); } } else { $sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)"; $remote_user = $app->db->queryOneRecord($sql, $username, $password); if($remote_user['remote_userid'] > 0) { $allowed_ips = explode(',',$remote_user['remote_ips']); foreach($allowed_ips as $i => $allowed) { if(!filter_var($allowed, FILTER_VALIDATE_IP)) { // get the ip for a hostname unset($allowed_ips[$i]); $temp=dns_get_record($allowed, DNS_A+DNS_AAAA); if(is_array($temp) && !empty($temp)) { foreach($temp as $t) { if(isset($t['ip'])) $allowed_ips[] = $t['ip']; if(isset($t['ipv6'])) $allowed_ips[] = $t['ipv6']; } unset($temp); } } } $allowed_ips[] = '127.0.0.1'; $allowed_ips[] = '::1'; $allowed_ips=array_unique($allowed_ips); $ip = $_SERVER['REMOTE_ADDR']; $remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false; if(!$remote_allowed && $remote_user['remote_access'] == 'y') { if(trim($remote_user['remote_ips']) == '') { $remote_allowed=true; } else { $ip = inet_pton($_SERVER['REMOTE_ADDR']); foreach($allowed_ips as $allowed) { if($ip == inet_pton(trim($allowed))) { $remote_allowed=true; break; } } } } if(!$remote_allowed) { $error = array('faultcode' => 'login_failed', 'faultstring' => 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']); } } else { $error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.'); } } if(empty($error) && isset($remote_user['remote_userid'])) { //* Create a remote user session //srand ((double)microtime()*1000000); $remote_session = md5(mt_rand().uniqid('ispco')); $remote_userid = $remote_user['remote_userid']; $remote_functions = $remote_user['remote_functions']; $tstamp = time() + $this->session_timeout; $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp' .') VALUES (?, ?, ?, ?)'; $app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp); } } if (! empty($error)) { if(! $alreadyfailed['times']) { //* user login the first time wrong $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())"; $app->db->query($sql, $ip); } elseif($alreadyfailed['times'] >= 1) { //* update times wrong $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` < NOW() ORDER BY `login_time` DESC LIMIT 1"; $app->db->query($sql, $ip); } $authlog = 'Failed login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' (api)'; $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a'); fwrite($authlog_handle, $authlog ."\n"); fclose($authlog_handle); throw new ISPConfigRemoteException($error['faultcode'], $error['faultstring']); return false; } else { // User login right, so attempts can be deleted $sql = "DELETE FROM `attempts_login` WHERE `ip`=?"; $app->db->query($sql, $ip); $authlog = 'Successful login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' (api)'; $authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a'); fwrite($authlog_handle, $authlog ."\n"); fclose($authlog_handle); } if (isset($remote_session)) { return $remote_session; } } //* remote logout function public function logout($session_id) { global $app; if(empty($session_id)) { throw new ISPConfigRemoteException('session_id_empty', 'The SessionID is empty.'); return false; } $sql = "DELETE FROM remote_session WHERE remote_session = ?"; if($app->db->query($sql, $session_id) != false) { return true; } else { return false; } } //** protected functions ----------------------------------------------------------------------------------- protected function klientadd($formdef_file, $reseller_id, $params) { global $app; //* Load the form definition $app->remoting_lib->loadFormDef($formdef_file); //* load the user profile of the client $app->remoting_lib->loadUserProfile($reseller_id); //* Get the SQL query $sql = $app->remoting_lib->getSQL($params, 'INSERT', 0); //* Check if no system user with that username exists $username = $params["username"]; $tmp = $app->db->queryOneRecord("SELECT count(userid) as number FROM sys_user WHERE username = ?", $username); if($tmp['number'] > 0) $app->remoting_lib->errorMessage .= "Duplicate username
"; //* Stop on error while preparing the sql query if($app->remoting_lib->errorMessage != '') { throw new ISPConfigRemoteException('data_processing_error', $app->remoting_lib->errorMessage); return false; } //* Execute the SQL query $app->db->query($sql); if($app->db->errorMessage != '') { throw new ISPConfigRemoteException('database_error', $app->db->errorMessage . ' '.$sql); return false; } if ( isset($params['_primary_id'] )) $insert_id = $params['_primary_id']; else $insert_id = $app->db->insertID(); //* Stop on error while executing the sql query if($app->remoting_lib->errorMessage != '') { throw new ISPConfigRemoteException('data_processing_error', $app->remoting_lib->errorMessage); return false; } $this->id = $insert_id; $this->dataRecord = $params; $app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this); /* if($app->db->errorMessage != '') { throw new ISPConfigRemoteException('database_error', $app->db->errorMessage . ' '.$sql); return false; } */ /* copied from the client_edit php */ $app->uses('functions'); $app->functions->generate_ssh_key($this->id, $username); //$app->uses('tform'); //* Save changes to Datalog if($app->remoting_lib->formDef["db_history"] == 'yes') { $new_rec = $app->remoting_lib->getDataRecord($insert_id); $app->remoting_lib->datalogSave('INSERT', $primary_id, array(), $new_rec); $app->remoting_lib->ispconfig_sysuser_add($params, $insert_id); if($reseller_id) { $client_group = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = ?", $insert_id); $reseller_user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $reseller_id); $app->auth->add_group_to_user($reseller_user['userid'], $client_group['groupid']); $app->db->query("UPDATE client SET parent_client_id = ? WHERE client_id = ?", $reseller_id, $insert_id); } } return $insert_id; } protected function insertQuery($formdef_file, $client_id, $params, $event_identifier = '') { $sql = $this->insertQueryPrepare($formdef_file, $client_id, $params); if($sql !== false) return $this->insertQueryExecute($sql, $params, $event_identifier); else return false; } protected function insertQueryPrepare($formdef_file, $client_id, $params) { global $app; $app->uses('remoting_lib'); //* load the user profile of the client $app->remoting_lib->loadUserProfile($client_id); //* Load the form definition $app->remoting_lib->loadFormDef($formdef_file); //* Get the SQL query $sql = $app->remoting_lib->getSQL($params, 'INSERT', 0); if($app->remoting_lib->errorMessage != '') { throw new ISPConfigRemoteException('data_processing_error', $app->remoting_lib->errorMessage); return false; } $app->log('Executed insertQueryPrepare', LOGLEVEL_DEBUG); return $sql; } protected function insertQueryExecute($sql, $params, $event_identifier = '') { global $app; $app->uses('remoting_lib'); $app->db->query($sql); if($app->db->errorMessage != '') { throw new ISPConfigRemoteException('database_error', $app->db->errorMessage . ' '.$sql); return false; } if ( isset($params['_primary_id'] )) $insert_id = $params['_primary_id']; else $insert_id = $app->db->insertID(); // set a few values for compatibility with tform actions, mostly used by plugins $this->id = $insert_id; $this->dataRecord = $params; $app->log('Executed insertQueryExecute, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG); if($event_identifier != '') $app->plugin->raiseEvent($event_identifier, $this); //$app->uses('tform'); //* Save changes to Datalog if($app->remoting_lib->formDef["db_history"] == 'yes') { $new_rec = $app->remoting_lib->getDataRecord($insert_id); $app->remoting_lib->datalogSave('INSERT', $primary_id, array(), $new_rec); } return $insert_id; } protected function updateQuery($formdef_file, $client_id, $primary_id, $params, $event_identifier = '') { global $app; $sql = $this->updateQueryPrepare($formdef_file, $client_id, $primary_id, $params); if($sql !== false) return $this->updateQueryExecute($sql, $primary_id, $params, $event_identifier); else return false; } protected function updateQueryPrepare($formdef_file, $client_id, $primary_id, $params) { global $app; $app->uses('remoting_lib'); //* load the user profile of the client $app->remoting_lib->loadUserProfile($client_id); //* Load the form definition $app->remoting_lib->loadFormDef($formdef_file); //* get old record and merge with params, so only new values have to be set in $params $old_rec = $app->remoting_lib->getDataRecord($primary_id, $client_id); foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf) { if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) { unset($old_rec[$fieldName]); } } $params = $app->functions->array_merge($old_rec,$params); //* Get the SQL query $sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id); // throw new ISPConfigRemoteException('debug', $sql); if($app->remoting_lib->errorMessage != '') { throw new ISPConfigRemoteException('data_processing_error', $app->remoting_lib->errorMessage); return false; } return $sql; } protected function updateQueryExecute($sql, $primary_id, $params, $event_identifier = '') { global $app; $app->uses('remoting_lib'); $old_rec = $app->remoting_lib->getDataRecord($primary_id); // set a few values for compatibility with tform actions, mostly used by plugins $this->oldDataRecord = $old_rec; $this->id = $primary_id; $this->dataRecord = $params; $app->db->query($sql); if($app->db->errorMessage != '') { throw new ISPConfigRemoteException('database_error', $app->db->errorMessage . ' '.$sql); return false; } $affected_rows = $app->db->affectedRows(); $app->log('Executed updateQueryExecute, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG); if($event_identifier != '') $app->plugin->raiseEvent($event_identifier, $this); //* Save changes to Datalog if($app->remoting_lib->formDef["db_history"] == 'yes') { $new_rec = $app->remoting_lib->getDataRecord($primary_id); $app->remoting_lib->datalogSave('UPDATE', $primary_id, $old_rec, $new_rec); } return $affected_rows; } protected function deleteQuery($formdef_file, $primary_id, $event_identifier = '') { global $app; $app->uses('remoting_lib'); //* load the user profile of the client $app->remoting_lib->loadUserProfile(0); //* Load the form definition $app->remoting_lib->loadFormDef($formdef_file); $old_rec = $app->remoting_lib->getDataRecord($primary_id); // set a few values for compatibility with tform actions, mostly used by plugins $this->oldDataRecord = $old_rec; $this->id = $primary_id; $this->dataRecord = $old_rec; $app->log('Executed deleteQuery, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG); //$this->dataRecord = $params; //* Get the SQL query $sql = $app->remoting_lib->getDeleteSQL($primary_id); $app->db->errorMessage = ''; $app->db->query($sql); $affected_rows = $app->db->affectedRows(); if($app->db->errorMessage != '') { throw new ISPConfigRemoteException('database_error', $app->db->errorMessage . ' '.$sql); return false; } if($event_identifier != '') { $app->plugin->raiseEvent($event_identifier, $this); } //* Save changes to Datalog if($app->remoting_lib->formDef["db_history"] == 'yes') { $app->remoting_lib->datalogSave('DELETE', $primary_id, $old_rec, array()); } return $affected_rows; } protected function checkPerm($session_id, $function_name) { global $app; $dobre=array(); $session = $this->getSession($session_id); if(!$session){ return false; } $_SESSION['client_login'] = $session['client_login']; if($session['client_login'] == 1) { // permissions are checked at an other place $_SESSION['client_sys_userid'] = $session['remote_userid']; $app->remoting_lib->loadUserProfile(); // load the profile - we ALWAYS need this on client logins! return true; } else { $_SESSION['client_sys_userid'] = 0; } $dobre= str_replace(';', ',', $session['remote_functions']); $check = in_array($function_name, explode(',', $dobre) ); if(!$check) { $app->log("REMOTE-LIB DENY: ".$session_id ." /". $function_name, LOGLEVEL_WARN); } return $check; } protected function getSession($session_id) { global $app; if(empty($session_id)) { throw new ISPConfigRemoteException('session_id_empty', 'The SessionID is empty.'); return false; } $sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMESTAMP()"; $session = $app->db->queryOneRecord($sql, $session_id); if($session['remote_userid'] > 0) { return $session; } else { throw new ISPConfigRemoteException('session_does_not_exist', 'The Session is expired or does not exist.'); return false; } } public function server_get($session_id, $server_id = null, $section ='') { global $app; if(!$this->checkPerm($session_id, 'server_get')) { throw new ISPConfigRemoteException('permission_denied', 'You do not have the permissions to access this function.'); return false; } if (!empty($session_id)) { if(!empty($server_id)) { $app->uses('remoting_lib , getconf'); $section_config = $app->getconf->get_server_config($server_id, $section); return $section_config; } else { $servers = array(); $sql = "SELECT server_id FROM server WHERE 1"; $all = $app->db->queryAllRecords($sql); foreach($all as $s) { $servers[$s['server_id']] = $app->getconf->get_server_config($s['server_id'], $section); } unset($all); unset($s); return $servers; } } else { return false; } } /** Gets a list of all servers @param int session_id @param int server_name @author Marius Cramer 2014 */ public function server_get_all($session_id) { global $app; if(!$this->checkPerm($session_id, 'server_get')) { throw new ISPConfigRemoteException('permission_denied', 'You do not have the permissions to access this function.'); return false; } if (!empty($session_id)) { $sql = "SELECT server_id, server_name FROM server WHERE 1"; $servers = $app->db->queryAllRecords($sql); return $servers; } else { return false; } } /** * Get a list of functions * @param int session id * @return mixed array of the available functions * @author Julio Montoya BeezNest 2010 */ public function get_function_list($session_id) { if(!$this->checkPerm($session_id, 'get_function_list')) { throw new ISPConfigRemoteException('permission_denied', 'You do not have the permissions to access this function.'); return false; } return $this->_methods; } } ?>