uses('remoting_lib');
$this->_methods = $methods;
/*
$this->app = $app;
$this->conf = $conf;
*/
}
//* remote login function
public function login($username, $password, $client_login = false)
{
global $app, $conf;
$error = array();
// Maintenance mode
$app->uses('ini_parser,getconf');
$server_config_array = $app->getconf->get_global_config('misc');
if($server_config_array['maintenance_mode'] == 'y'){
throw new SoapFault('maintenance_mode', 'This ISPConfig installation is currently under maintenance. We should be back shortly. Thank you for your patience.');
return false;
}
if(empty($username)) {
$error = array('faultcode' => 'login_username_empty', 'faultstring' => 'The login username is empty.');
}
if(empty($password)) {
$error = array('faultcode' => 'login_password_empty', 'faultstring' => 'The login password is empty.');
}
//* Delete old remoting sessions
$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP()";
$app->db->query($sql);
$ip = md5($_SERVER['REMOTE_ADDR']);
$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
$alreadyfailed = $app->db->queryOneRecord($sql, $ip);
if($alreadyfailed['times'] > 5) {
throw new SoapFault('error_user_too_many_logins', 'Too many failed logins');
return false;
}
if (empty($error)) {
if($client_login == true) {
$sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
$user = $app->db->queryOneRecord($sql, $username);
if($user) {
$saved_password = stripslashes($user['passwort']);
if(substr($saved_password, 0, 3) == '$1$') {
//* The password is crypt-md5 encrypted
$salt = '$1$'.substr($saved_password, 3, 8).'$';
if(crypt(stripslashes($password), $salt) != $saved_password) {
$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
}
} else {
//* The password is md5 encrypted
if(md5($password) != $saved_password) {
$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
}
}
} else {
$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
}
if($user['active'] != 1) {
$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. User is blocked.');
}
// now we need the client data
$client = $app->db->queryOneRecord("SELECT client.can_use_api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = ?", $user['default_group']);
if(!$client || $client['can_use_api'] != 'y') {
$error = array('faultcode' => 'client_login_failed', 'faultstring' => 'The login failed. Client may not use api.');
}
//* Create a remote user session
//srand ((double)microtime()*1000000);
$remote_session = md5(mt_rand().uniqid('ispco'));
$remote_userid = $remote_user['remote_userid'];
$remote_functions = $remote_user['remote_functions'];
$tstamp = time() + $this->session_timeout;
$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
.') VALUES (?, ?, ?, ?)';
$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
} else {
$sql = "SELECT * FROM remote_user WHERE remote_username = ? and remote_password = md5(?)";
$remote_user = $app->db->queryOneRecord($sql, $username, $password);
if($remote_user['remote_userid'] > 0) {
//* Create a remote user session
//srand ((double)microtime()*1000000);
$remote_session = md5(mt_rand().uniqid('ispco'));
$remote_userid = $remote_user['remote_userid'];
$remote_functions = $remote_user['remote_functions'];
$tstamp = time() + $this->session_timeout;
$sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,tstamp'
.') VALUES (?, ?, ?, ?)';
$app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp);
} else {
$error = array('faultcode' => 'login_failed', 'faultstring' => 'The login failed. Username or password wrong.');
}
}
}
if (! empty($error)) {
if(! $alreadyfailed['times']) {
//* user login the first time wrong
$sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES (?, 1, NOW())";
$app->db->query($sql, $ip);
} elseif($alreadyfailed['times'] >= 1) {
//* update times wrong
$sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` < NOW() ORDER BY `login_time` DESC LIMIT 1";
$app->db->query($sql, $ip);
}
$authlog = 'Failed login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' (api)';
$authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
fwrite($authlog_handle, $authlog ."\n");
fclose($authlog_handle);
throw new SoapFault($error['faultcode'], $error['faultstring']);
return false;
} else {
// User login right, so attempts can be deleted
$sql = "DELETE FROM `attempts_login` WHERE `ip`=?";
$app->db->query($sql, $ip);
$authlog = 'Successful login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' (api)';
$authlog_handle = fopen($conf['ispconfig_log_dir'].'/auth.log', 'a');
fwrite($authlog_handle, $authlog ."\n");
fclose($authlog_handle);
}
if (isset($remote_session)) {
return $remote_session;
}
}
//* remote logout function
public function logout($session_id)
{
global $app;
if(empty($session_id)) {
throw new SoapFault('session_id_empty', 'The SessionID is empty.');
return false;
}
$sql = "DELETE FROM remote_session WHERE remote_session = ?";
if($app->db->query($sql, $session_id) != false) {
return true;
} else {
return false;
}
}
//** protected functions -----------------------------------------------------------------------------------
protected function klientadd($formdef_file, $reseller_id, $params)
{
global $app;
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
//* load the user profile of the client
$app->remoting_lib->loadUserProfile($reseller_id);
//* Get the SQL query
$sql = $app->remoting_lib->getSQL($params, 'INSERT', 0);
//* Check if no system user with that username exists
$username = $params["username"];
$tmp = $app->db->queryOneRecord("SELECT count(userid) as number FROM sys_user WHERE username = ?", $username);
if($tmp['number'] > 0) $app->remoting_lib->errorMessage .= "Duplicate username
";
//* Stop on error while preparing the sql query
if($app->remoting_lib->errorMessage != '') {
throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
return false;
}
//* Execute the SQL query
$app->db->query($sql);
if($app->db->errorMessage != '') {
throw new SoapFault('database_error', $app->db->errorMessage . ' '.$sql);
return false;
}
if ( isset($params['_primary_id'] ))
$insert_id = $params['_primary_id'];
else
$insert_id = $app->db->insertID();
//* Stop on error while executing the sql query
if($app->remoting_lib->errorMessage != '') {
throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
return false;
}
$this->id = $insert_id;
$this->dataRecord = $params;
$app->plugin->raiseEvent('client:' . (isset($params['limit_client']) && $params['limit_client'] > 0 ? 'reseller' : 'client') . ':on_after_insert', $this);
/*
if($app->db->errorMessage != '') {
throw new SoapFault('database_error', $app->db->errorMessage . ' '.$sql);
return false;
}
*/
/* copied from the client_edit php */
$app->uses('functions');
$app->functions->generate_ssh_key($this->id, $username);
//$app->uses('tform');
//* Save changes to Datalog
if($app->remoting_lib->formDef["db_history"] == 'yes') {
$new_rec = $app->remoting_lib->getDataRecord($insert_id);
$app->remoting_lib->datalogSave('INSERT', $primary_id, array(), $new_rec);
$app->remoting_lib->ispconfig_sysuser_add($params, $insert_id);
if($reseller_id) {
$client_group = $app->db->queryOneRecord("SELECT * FROM sys_group WHERE client_id = ?", $insert_id);
$reseller_user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $reseller_id);
$app->auth->add_group_to_user($reseller_user['userid'], $client_group['groupid']);
$app->db->query("UPDATE client SET parent_client_id = ? WHERE client_id = ?", $reseller_id, $insert_id);
}
}
return $insert_id;
}
protected function insertQuery($formdef_file, $client_id, $params, $event_identifier = '')
{
$sql = $this->insertQueryPrepare($formdef_file, $client_id, $params);
if($sql !== false) return $this->insertQueryExecute($sql, $params, $event_identifier);
else return false;
}
protected function insertQueryPrepare($formdef_file, $client_id, $params)
{
global $app;
$app->uses('remoting_lib');
//* load the user profile of the client
$app->remoting_lib->loadUserProfile($client_id);
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
//* Get the SQL query
$sql = $app->remoting_lib->getSQL($params, 'INSERT', 0);
if($app->remoting_lib->errorMessage != '') {
throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
return false;
}
$app->log('Executed insertQueryPrepare', LOGLEVEL_DEBUG);
return $sql;
}
protected function insertQueryExecute($sql, $params, $event_identifier = '')
{
global $app;
$app->uses('remoting_lib');
$app->db->query($sql);
if($app->db->errorMessage != '') {
throw new SoapFault('database_error', $app->db->errorMessage . ' '.$sql);
return false;
}
if ( isset($params['_primary_id'] ))
$insert_id = $params['_primary_id'];
else
$insert_id = $app->db->insertID();
// set a few values for compatibility with tform actions, mostly used by plugins
$this->id = $insert_id;
$this->dataRecord = $params;
$app->log('Executed insertQueryExecute, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG);
if($event_identifier != '') $app->plugin->raiseEvent($event_identifier, $this);
//$app->uses('tform');
//* Save changes to Datalog
if($app->remoting_lib->formDef["db_history"] == 'yes') {
$new_rec = $app->remoting_lib->getDataRecord($insert_id);
$app->remoting_lib->datalogSave('INSERT', $primary_id, array(), $new_rec);
}
return $insert_id;
}
protected function updateQuery($formdef_file, $client_id, $primary_id, $params, $event_identifier = '')
{
global $app;
$sql = $this->updateQueryPrepare($formdef_file, $client_id, $primary_id, $params);
if($sql !== false) return $this->updateQueryExecute($sql, $primary_id, $params, $event_identifier);
else return false;
}
protected function updateQueryPrepare($formdef_file, $client_id, $primary_id, $params)
{
global $app;
$app->uses('remoting_lib');
//* load the user profile of the client
$app->remoting_lib->loadUserProfile($client_id);
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
//* get old record and merge with params, so only new values have to be set in $params
$old_rec = $app->remoting_lib->getDataRecord($primary_id);
foreach ($app->remoting_lib->formDef['fields'] as $fieldName => $fieldConf)
{
if ($fieldConf['formtype'] === 'PASSWORD' && empty($params[$fieldName])) {
unset($old_rec[$fieldName]);
}
}
$params = $app->functions->array_merge($old_rec,$params);
//* Get the SQL query
$sql = $app->remoting_lib->getSQL($params, 'UPDATE', $primary_id);
// throw new SoapFault('debug', $sql);
if($app->remoting_lib->errorMessage != '') {
throw new SoapFault('data_processing_error', $app->remoting_lib->errorMessage);
return false;
}
return $sql;
}
protected function updateQueryExecute($sql, $primary_id, $params, $event_identifier = '')
{
global $app;
$app->uses('remoting_lib');
$old_rec = $app->remoting_lib->getDataRecord($primary_id);
// set a few values for compatibility with tform actions, mostly used by plugins
$this->oldDataRecord = $old_rec;
$this->id = $primary_id;
$this->dataRecord = $params;
$app->db->query($sql);
if($app->db->errorMessage != '') {
throw new SoapFault('database_error', $app->db->errorMessage . ' '.$sql);
return false;
}
$affected_rows = $app->db->affectedRows();
$app->log('Executed updateQueryExecute, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG);
if($event_identifier != '') $app->plugin->raiseEvent($event_identifier, $this);
//* Save changes to Datalog
if($app->remoting_lib->formDef["db_history"] == 'yes') {
$new_rec = $app->remoting_lib->getDataRecord($primary_id);
$app->remoting_lib->datalogSave('UPDATE', $primary_id, $old_rec, $new_rec);
}
return $affected_rows;
}
protected function deleteQuery($formdef_file, $primary_id, $event_identifier = '')
{
global $app;
$app->uses('remoting_lib');
//* load the user profile of the client
$app->remoting_lib->loadUserProfile(0);
//* Load the form definition
$app->remoting_lib->loadFormDef($formdef_file);
$old_rec = $app->remoting_lib->getDataRecord($primary_id);
// set a few values for compatibility with tform actions, mostly used by plugins
$this->oldDataRecord = $old_rec;
$this->id = $primary_id;
$this->dataRecord = $old_rec;
$app->log('Executed deleteQuery, raising events now if any: ' . $event_identifier, LOGLEVEL_DEBUG);
//$this->dataRecord = $params;
//* Get the SQL query
$sql = $app->remoting_lib->getDeleteSQL($primary_id);
$app->db->errorMessage = '';
$app->db->query($sql);
$affected_rows = $app->db->affectedRows();
if($app->db->errorMessage != '') {
throw new SoapFault('database_error', $app->db->errorMessage . ' '.$sql);
return false;
}
if($event_identifier != '') {
$app->plugin->raiseEvent($event_identifier, $this);
}
//* Save changes to Datalog
if($app->remoting_lib->formDef["db_history"] == 'yes') {
$app->remoting_lib->datalogSave('DELETE', $primary_id, $old_rec, array());
}
return $affected_rows;
}
protected function checkPerm($session_id, $function_name)
{
global $app;
$dobre=array();
$session = $this->getSession($session_id);
if(!$session){
return false;
}
$_SESSION['client_login'] = $session['client_login'];
if($session['client_login'] == 1) {
// permissions are checked at an other place
$_SESSION['client_sys_userid'] = $session['remote_userid'];
$app->remoting_lib->loadUserProfile(); // load the profile - we ALWAYS need this on client logins!
return true;
} else {
$_SESSION['client_sys_userid'] = 0;
}
$dobre= str_replace(';', ',', $session['remote_functions']);
$check = in_array($function_name, explode(',', $dobre) );
if(!$check) {
$app->log("REMOTE-LIB DENY: ".$session_id ." /". $function_name, LOGLEVEL_WARN);
}
return $check;
}
protected function getSession($session_id)
{
global $app;
if(empty($session_id)) {
throw new SoapFault('session_id_empty', 'The SessionID is empty.');
return false;
}
$sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMESTAMP()";
$session = $app->db->queryOneRecord($sql, $session_id);
if($session['remote_userid'] > 0) {
return $session;
} else {
throw new SoapFault('session_does_not_exist', 'The Session is expired or does not exist.');
return false;
}
}
public function server_get($session_id, $server_id = null, $section ='') {
global $app;
if(!$this->checkPerm($session_id, 'server_get')) {
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
if (!empty($session_id)) {
if(!empty($server_id)) {
$app->uses('remoting_lib , getconf');
$section_config = $app->getconf->get_server_config($server_id, $section);
return $section_config;
} else {
$servers = array();
$sql = "SELECT server_id FROM server WHERE 1";
$all = $app->db->queryAllRecords($sql);
foreach($all as $s) {
$servers[$s['server_id']] = $app->getconf->get_server_config($s['server_id'], $section);
}
unset($all);
unset($s);
return $servers;
}
} else {
return false;
}
}
/**
Gets a list of all servers
@param int session_id
@param int server_name
@author Marius Cramer 2014
*/
public function server_get_all($session_id)
{
global $app;
if(!$this->checkPerm($session_id, 'server_get')) {
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
if (!empty($session_id)) {
$sql = "SELECT server_id, server_name FROM server WHERE 1";
$servers = $app->db->queryAllRecords($sql);
return $servers;
} else {
return false;
}
}
/**
* Get a list of functions
* @param int session id
* @return mixed array of the available functions
* @author Julio Montoya BeezNest 2010
*/
public function get_function_list($session_id)
{
if(!$this->checkPerm($session_id, 'get_function_list')) {
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false;
}
return $this->_methods;
}
}
?>