From 97e1ffadf86fca34dca10dae7955e92fdc677930 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andreas=20=C3=96sterreicher?= Date: Fri, 28 Jun 2013 12:40:27 +0000 Subject: [PATCH] Neue Authentifizierungsklasse --- config/cis.config-default.inc.php | 12 +++ config/wawi.config-default.inc.php | 15 ++- include/auth_mixed.class.php | 155 +++++++++++++++++++++++++++++ include/auth_session.class.php | 143 ++++++++++++++++++++++++++ include/authentication.class.php | 40 ++++++++ include/content.class.php | 3 + include/functions.inc.php | 130 +++++++----------------- locale/de-AT/fas.dtd | 2 +- 8 files changed, 403 insertions(+), 97 deletions(-) create mode 100644 include/auth_mixed.class.php create mode 100644 include/auth_session.class.php create mode 100644 include/authentication.class.php diff --git a/config/cis.config-default.inc.php b/config/cis.config-default.inc.php index 6f8d475f6..0e6edc838 100644 --- a/config/cis.config-default.inc.php +++ b/config/cis.config-default.inc.php @@ -62,9 +62,21 @@ define('CIS_EXT_MENU',true); // Legt fest ob bei den Zeitsperren der Bereich fuer die Resturlaubstage angezeigt wird define('URLAUB_TOOLS',true); +// Authentifizierungsmethode +// Moegliche Werte: +// auth_mixed - htaccess mit LDAP (Default) +// auth_session - Sessions mit LDAP (Testbetrieb) +define("AUTH_SYSTEM", "auth_mixed"); + // LDAP_SERVER: Adresse des LDAP Servers define("LDAP_SERVER","www.technikum-wien.at"); define("LDAP_BASE_DN","ou=People, dc=technikum-wien, dc=at"); +//User fuer LDAP BIND falls Authentifizierung noetig +define("LDAP_BIND_USER",null); +//Passwort fuer LDAP BIND falls Authentifzierung noetig +define("LDAP_BIND_PASSWORD",null); +//LDAP Attribut in dem der Username steht nach dem gesucht wird +define("LDAP_USER_SEARCH_FILTER","uid"); // Attribut fuer Zutrittskartennummer im LDAP define("LDAP_CARD_NUMBER","twHitagCardNumber"); // Attribut fuer Zutrittskartennummer2 im LDAP 
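Review bot: `LDAP_BIND_PASSWORD` is introduced in a versioned default config, and `LDAP_SERVER` stays a bare hostname that the `ldap_connect()` calls in the new auth classes will dial as plain `ldap://` on port 389, so both the service bind and every user's password bind travel unencrypted unless the deployment overrides the value or the server forces STARTTLS. Document that on the constant, e.g. `// LDAP_SERVER: use an ldaps:// URI (or enable STARTTLS in the auth class); plain ldap:// sends bind passwords in the clear`, and above `LDAP_BIND_PASSWORD` state that the real value must live in the site-specific config that is not committed. `LDAP_USER_SEARCH_FILTER` actually holds an attribute name, because `checkpassword()` builds `<value>=<username>` from it; its comment should say so, e.g. `// attribute name (not an LDAP filter) that the login name is matched against`, otherwise a real filter pasted here silently breaks every login.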
diff --git a/config/wawi.config-default.inc.php b/config/wawi.config-default.inc.php
index 35a5ac300..796272e20 100644
--- a/config/wawi.config-default.inc.php
+++ b/config/wawi.config-default.inc.php
@@ -35,9 +35,22 @@ define('EXT_FKT_PATH','tw');
 // Fuer Mails etc
 define('DOMAIN','technikum-wien.at');
 
+// Authentifizierungsmethode
+// Moegliche Werte:
+// auth_mixed - htaccess mit LDAP (Default)
+// auth_session - Sessions mit LDAP (Testbetrieb)
+define("AUTH_SYSTEM", "auth_mixed");
+
 //LDAP_SERVER: Speichert die Adresse des LDAP Servers
 define("LDAP_SERVER","ldap.technikum-wien.at");
 define("LDAP_BASE_DN","ou=People, dc=technikum-wien, dc=at");
+//User fuer LDAP BIND falls Authentifizierung noetig
+define("LDAP_BIND_USER",null);
+//Passwort fuer LDAP BIND falls Authentifzierung noetig
+define("LDAP_BIND_PASSWORD",null);
+//LDAP Attribut in dem der Username steht nach dem gesucht wird
+define("LDAP_USER_SEARCH_FILTER","uid");
+
 // Attribut fuer Zutrittskartennummer im LDAP
 define("LDAP_CARD_NUMBER","twHitagCardNumber");
 // Attribut fuer Zutrittskartennummer2 im LDAP
@@ -62,4 +75,4 @@ define('MAIL_ZENTRALEINKAUF','info@technikum-wien.at');
 //Gibt an welche Funktion zur generierung des PDF Files herangezogen wird
 //moegliche Werte: FOP | XSLFO2PDF
 define ('PDF_CREATE_FUNCTION','XSLFO2PDF');
-?>
\ No newline at end of file
+?>
diff --git a/include/auth_mixed.class.php b/include/auth_mixed.class.php
new file mode 100644
index 000000000..e9600314a
--- /dev/null
+++ b/include/auth_mixed.class.php
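Review bot: The comment block above `define("AUTH_SYSTEM", "auth_mixed")` should state that this value is used verbatim to build an include path (`include/<AUTH_SYSTEM>.class.php` in authentication.class.php), so only the two listed names are valid and a typo produces a fatal missing-file error at include time rather than a login failure. It should also say that `auth_session` needs an active PHP session before the class is loaded, which auth_session.class.php documents but this config does not. Suggested replacement for the four comment lines: `// AUTH_SYSTEM selects include/<value>.class.php; only auth_mixed (htaccess + LDAP, default) or auth_session (PHP session + LDAP, test) are valid. auth_session requires session_start() or session.auto_start=1 before use.` The `LDAP_BIND_PASSWORD` default introduced here duplicates the cis config block verbatim; the same caveat applies that the real secret must not be committed in this file.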
@@ -0,0 +1,155 @@ + + * + */ +/** + * Klasse fuer Authentifizierung + */ + +require_once(dirname(__FILE__).'/basis.class.php'); + +class authentication extends auth +{ + + public function login($username) + { + // Nicht noetig da dies ueber htaccess gesteuert wird + } + + public function getUser() + { + // derzeit get_uid in functions.inc.php + if(isset($_SERVER['REMOTE_USER'])) + { + return mb_strtolower(trim($_SERVER['REMOTE_USER'])); + } + else + { + if(isset($_SESSION['user'])) + return mb_strtolower($_SESSION['user']); + else + return $this->RequireLogin(); + } + } + + // derzeit checkldapuser in functions.inc.php bzw per htaccess + public function checkpassword($username, $passwort) + { + if($connect=ldap_connect(LDAP_SERVER)) + { + ldap_set_option($connect, LDAP_OPT_REFERRALS,0); + ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION,3); + + // bind to ldap connection + if(($bind=ldap_bind($connect, LDAP_BIND_USER, LDAP_BIND_PASSWORD)) == false) + { + $this->errormsg="LDAP BIND Fehlgeschlagen"; + return false; + } + + // search for user + if (($res_id = ldap_search( $connect, LDAP_BASE_DN, LDAP_USER_SEARCH_FILTER."=$username")) == false) + { + $this->errorsmg="Suche in LDAP fehlgeschlagen"; + return false; + } + + if (ldap_count_entries($connect, $res_id) != 1) + { + $this->errormsg='Username wurde nicht oder oefter gefunden'; + return false; + } + + if (( $entry_id = ldap_first_entry($connect, $res_id))== false) + { + $this->errormsg='LDAP Fetch fehlgeschlagen'; + return false; + } + + if (( $user_dn = ldap_get_dn($connect, $entry_id)) == false) + { + $this->errormsg='LDAP user-dn fetched fehlgeschlagen'; + return false; + } + + /* Authentifizierung des User */ + if (($link_id = @ldap_bind($connect, $user_dn, $passwort)) == false) + { + return false; + } + + ldap_close($connect); + return true; + } + else + { + $this->errormsg='Verbindung zum LDAP Server fehlgeschlagen'; + } + ldap_close($connect); + return(false); + } + + // derzeit manual_basic_auth in 
functions.inc.php eventuell + // direkt von getUser aus aufrufen wenn nicht authentifiziert + public function RequireLogin() + { + if(!(isset($_SERVER['PHP_AUTH_USER']) && $this->checkpassword($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']))) + { + header('WWW-Authenticate: Basic realm="FHComplete"'); + header('HTTP/1.0 401 Unauthorized'); + echo "Ihre Zugangsdaten sind ungueltig!"; + exit; + } + else + { + return mb_strtolower($_SERVER['PHP_AUTH_USER']); + } + } + + public function isUserLoggedIn() + { + if(isset($_SERVER['PHP_AUTH_USER']) && $this->checkpassword($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])) + return true; + else + return false; + } + + public function getOriginalUser() + { + if(isset($_SERVER['REMOTE_USER'])) + return mb_strtolower(trim($_SERVER['REMOTE_USER'])); + else + { + if(isset($_SESSION['user_original'])) + return $_SESSION['user_original']; + } + } + + public function loginAsUser($username) + { + $_SESSION['user']=$username; + return true; + } + + public function logout() + { + echo "LOGOUT BEI MIXED AUTH NICHT MÖGLICH"; + } +} +?> diff --git a/include/auth_session.class.php b/include/auth_session.class.php new file mode 100644 index 000000000..4f31c8f50 --- /dev/null +++ b/include/auth_session.class.php 
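Review bot: `checkpassword()` binds with whatever `$passwort` it is given, so an empty `PHP_AUTH_PW` reaches `ldap_bind($connect, $user_dn, '')`, which is an unauthenticated bind that many directories accept depending on configuration, and `RequireLogin()` would then treat the request as authenticated; add `if($username==='' || $passwort==='') return false;` at the top of the method. The username is spliced raw into the search filter (`LDAP_USER_SEARCH_FILTER."=$username"`), so `*`, `(` or `)` from the Basic-Auth header changes the query; escape it per RFC 4515 (`ldap_escape($username, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+, or a `str_replace` of `\`, `*`, `(`, `)` and NUL before that) before calling `ldap_search()`. `$this->errorsmg=` in the search-failure branch is a typo for `errormsg`, so that message is never set. The early `return false` paths also leave the connection open; an `ldap_close($connect)` before each return (or a single cleanup point) avoids holding LDAP handles for the rest of the request.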
@@ -0,0 +1,143 @@ + + * + */ +/** + * Klasse fuer Authentifizierung ueber Sessions und LDAP + */ + +/** + * Damit Session Authentifizierung funktioniert, muss in der php.ini die option + * session.auto_start=1 gesetzt sein oder im Config ein session_start() hinzugefügt werden + */ +require_once(dirname(__FILE__).'/basis.class.php'); + +class authentication extends auth +{ + public function login($username) + { + // Bei einem Login wird die Session ID erneuert + // um Session Fixation zu erschweren + session_regenerate_id(); + $_SESSION['user'] = mb_strtolower($username); + } + + public function getUser() + { + if(isset($_SESSION['user'])) + return mb_strtolower($_SESSION['user']); + else + return $this->RequireLogin(); + } + + public function checkpassword($username, $passwort) + { + if($connect=ldap_connect(LDAP_SERVER)) + { + // bind to ldap connection + if(($bind=ldap_bind($connect, LDAP_BIND_USER, LDAP_BIND_PASSWORD)) == false) + { + $this->errormsg="LDAP BIND Fehlgeschlagen"; + return false; + } + + // search for user + if (($res_id = ldap_search( $connect, LDAP_BASE_DN, LDAP_USER_SEARCH_FILTER."=$username")) == false) + { + $this->errorsmg="Suche in LDAP fehlgeschlagen"; + return false; + } + + if (ldap_count_entries($connect, $res_id) != 1) + { + $this->errormsg='Username wurde nicht oder oefter gefunden'; + return false; + } + + if (( $entry_id = ldap_first_entry($connect, $res_id))== false) + { + $this->errormsg='LDAP Fetch fehlgeschlagen'; + return false; + } + + if (( $user_dn = ldap_get_dn($connect, $entry_id)) == false) + { + $this->errormsg='LDAP user-dn fetched fehlgeschlagen'; + return false; + } + + /* Authentifizierung des User */ + if (($link_id = @ldap_bind($connect, $user_dn, $passwort)) == false) + { + return false; + } + + ldap_close($connect); + return true; + } + else + { + $this->errormsg='Verbindung zum LDAP Server fehlgeschlagen'; + } + ldap_close($connect); + return(false); + } + + public function RequireLogin() + { + 
$_SESSION['request_uri']=$_SERVER['REQUEST_URI']; + header('Location: '.APP_ROOT.'login.php'); + exit; + } + + public function isUserLoggedIn() + { + if(isset($_SESSION['user']) && $_SESSION['user']!='') + return true; + else + return false; + } + + public function getOriginalUser() + { + if(isset($_SESSION['user_original'])) + return $_SESSION['user_original']; + else + return $_SESSION['user']; + } + + public function loginAsUser($username) + { + $_SESSION['user_original']=$_SESSION['user']; + $_SESSION['user']=$username; + session_regenerate_id(); + return true; + } + + public function logout() + { + unset($_SESSION['user']); + unset($_SESSION['user_original']); + session_destroy(); + return true; + } +} +require_once(dirname(__FILE__).'/'.AUTH_SYSTEM.'.class.php'); + +?> diff --git a/include/authentication.class.php b/include/authentication.class.php new file mode 100644 index 000000000..ec195211e --- /dev/null +++ b/include/authentication.class.php @@ -0,0 +1,40 @@ + + * + */ +/** + * Klasse fuer Authentifizierung + */ + +require_once(dirname(__FILE__).'/basis.class.php'); + +abstract class auth extends basis +{ + abstract function getUser(); + abstract function checkpassword($username, $passwort); + abstract function RequireLogin(); + abstract function isUserLoggedIn(); + abstract function getOriginalUser(); + abstract function login($username); + abstract function loginAsUser($username); + abstract function logout(); +} +require_once(dirname(__FILE__).'/'.AUTH_SYSTEM.'.class.php'); + +?> diff --git a/include/content.class.php b/include/content.class.php index f3789bc3e..9fedd6a87 100644 --- a/include/content.class.php +++ b/include/content.class.php @@ -1350,6 +1350,9 @@ class content extends basis_db */ public function loadArray($ids, $sprache, $sichtbar=null) { + if(count($ids)==0) + return false; + $qry=''; foreach($ids as $id) { diff --git a/include/functions.inc.php b/include/functions.inc.php index a55820092..1feca0448 100644 
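Review bot: `loginAsUser()` overwrites `$_SESSION['user_original']` unconditionally, so a second call while already impersonating replaces the real identity with the impersonated one and `getOriginalUser()` afterwards reports the wrong person; guard it with `if(!isset($_SESSION['user_original'])) $_SESSION['user_original']=$_SESSION['user'];`. Both `login()` and `loginAsUser()` call `session_regenerate_id()` without the delete-old flag, so the previous session file stays on disk until garbage collection; use `session_regenerate_id(true)`. `logout()` destroys the session but neither clears `$_SESSION` for the rest of the request nor expires the session cookie, so add `$_SESSION = array();` and expire the cookie with `setcookie(session_name(), '', time()-3600)` (using the app's cookie path) before `session_destroy()`. The trailing `require_once(dirname(__FILE__).'/'.AUTH_SYSTEM.'.class.php');` at the bottom of this file looks like a paste from authentication.class.php and, if this file were ever loaded with `AUTH_SYSTEM` set to `auth_mixed`, would pull in a second class named `authentication`; it should be removed. `checkpassword()` here omits the `LDAP_OPT_PROTOCOL_VERSION`/`LDAP_OPT_REFERRALS` options that auth_mixed sets and shares its unescaped-filter and empty-password issues, so the LDAP part belongs in one shared method on the abstract class.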
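Review bot: `require_once(dirname(__FILE__).'/'.AUTH_SYSTEM.'.class.php')` assumes `AUTH_SYSTEM` is already defined; with a config that predates this commit, PHP of that era treats the undefined constant as the string `AUTH_SYSTEM` and dies with an unhelpful missing-file error at include time. Add `if(!defined('AUTH_SYSTEM')) define('AUTH_SYSTEM','auth_mixed');` before the require, and consider restricting the value with `in_array(AUTH_SYSTEM, array('auth_mixed','auth_session'), true)` so a typo cannot pull in an arbitrary file from the include directory. The abstract methods carry no docblocks; the contract worth stating is that `login($username)` and `loginAsUser($username)` do not verify credentials and `checkpassword()` is the only method that does, e.g. `/** Establishes the session for $username; the caller must have verified the password via checkpassword(). */`.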
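Review bot: The new guard `if(count($ids)==0) return false;` only covers an empty array; a `null` or non-array `$ids` (e.g. a caller forwarding an unset request parameter) still reaches the `foreach`, and `count()` on a non-array is a warning or, on newer PHP, a TypeError. `if(!is_array($ids) || count($ids)==0) return false;` closes both cases. The rest of `loadArray()` is outside the hunk, so the new `false` return should be checked against what the method returns on success and recorded in its docblock (`@return bool false when no ids are given`).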
--- a/include/functions.inc.php +++ b/include/functions.inc.php @@ -20,49 +20,43 @@ * Rudolf Hangl . */ require_once(dirname(__FILE__).'/basis_db.class.php'); +require_once(dirname(__FILE__).'/authentication.class.php'); require_once('betriebsmittelperson.class.php'); // Auth: Benutzer des Webportals +/** + * DEPRECATED - Use Authentication Class + */ function get_uid() { - if(isset($_SERVER['REMOTE_USER'])) - { - return mb_strtolower(trim($_SERVER['REMOTE_USER'])); - } - else - { - if(isset($_SESSION['user'])) - return mb_strtolower($_SESSION['user']); - else - return manual_basic_auth(); - } - // fuer Testzwecke - //return 'oesi'; - //return 'pam'; + $auth = new authentication(); + return $auth->getUser(); } + +/** + * DEPRECATED - Use Authentication Class + */ function is_user_logged_in() { - if(isset($_SERVER['PHP_AUTH_USER']) && checkldapuser($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'])) - return true; - else - return false; + $auth = new authentication(); + return $auth->isUserLoggedIn(); } +/** + * DEPRECATED - Use Authentication Class + */ function get_original_uid() { - if(isset($_SERVER['REMOTE_USER'])) - return mb_strtolower(trim($_SERVER['REMOTE_USER'])); - else - { - if(isset($_SESSION['user_original'])) - return $_SESSION['user_original']; - } + $auth = new authentication(); + return $auth->getOriginalUser(); } - +/** + * DEPRECATED - Use Authentication Class + */ function login_as_user($uid) { - $_SESSION['user']=$uid; - return true; + $auth = new authentication(); + return $auth->loginAsUser($uid); } function crlf() @@ -266,13 +260,16 @@ function jump_week($datum, $wochen) return $datum; } +/** + * DEPRECATED - Use Variable Class + */ function loadVariables($user) { $db = new basis_db(); $error_msg=''; $num_rows=0; - $sql_query="SELECT * FROM public.tbl_variable WHERE uid='$user'"; + $sql_query="SELECT * FROM public.tbl_variable WHERE uid=".$db->db_add_param($user); if(!$db->db_query($sql_query)) $error_msg.=$db->db_last_error().'
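Review bot: The four wrappers are marked deprecated only in free text; use the tag that tooling reads, e.g. `/** @deprecated Use authentication::getUser() */`, so IDEs and static analysis flag remaining call sites. Each wrapper also instantiates a fresh `authentication` object per call, and under `auth_mixed` `is_user_logged_in()` performs a full LDAP search and bind on every invocation, so code that calls it repeatedly in one request will hit the directory repeatedly; that cost is worth stating in the wrapper's comment, e.g. `// NOTE: under auth_mixed this binds to LDAP on every call; cache the result per request`.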
'.$sql_query; else @@ -376,9 +373,9 @@ function getStudiensemesterFromDatum($datum, $naechstes=true) $qry = "SELECT studiensemester_kurzbz FROM public.tbl_studiensemester WHERE"; if($naechstes) - $qry.= " ende>'".addslashes($datum)."' ORDER BY ende ASC "; + $qry.= " ende>".$db->db_add_param($datum)." ORDER BY ende ASC "; else - $qry.= " start<'".addslashes($datum)."' ORDER BY ende DESC "; + $qry.= " start<".$db->db_add_param($datum)." ORDER BY ende DESC "; $qry.= "LIMIT 1"; @@ -422,61 +419,13 @@ function getUidFromCardNumber($number) } -// **************************************************************** -// * Prueft ob im LDAP ein User mit diesem Passwort existiert -// **************************************************************** +/** + * DEPRECATED + */ function checkldapuser($username,$password) { - if($connect=@ldap_connect(LDAP_SERVER)) - { - // bind to ldap connection - if(($bind=@ldap_bind($connect)) == false) - { - print "bind:__FAILED__
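Review bot: `loadVariables()` now builds `uid=".$db->db_add_param($user)` with the surrounding quotes removed, so correctness depends on `db_add_param()` returning a quoted and escaped literal (or registering a bind parameter); basis_db is outside this diff, so that contract should be confirmed and noted, e.g. `// db_add_param() quotes/escapes the value; never interpolate $user directly`. The failure branch still concatenates the full `$sql_query` onto `$error_msg`; if that string reaches the browser it discloses table and column names, so keep only `db_last_error()` in the returned message and log the query server-side. The same `db_add_param()` assumption applies to the `getStudiensemesterFromDatum()` hunk below, where `$db` is created outside the hunk.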
\n"; - return false; - } - - // search for user - if (($res_id = ldap_search( $connect, LDAP_BASE_DN, "uid=$username")) == false) - { - print "failure: search in LDAP-tree failed
"; - return false; - } - - if (ldap_count_entries($connect, $res_id) != 1) - { - print "failure: username not found
\n"; - return false; - } - - if (( $entry_id = ldap_first_entry($connect, $res_id))== false) - { - print "failur: entry of searchresult couln't be fetched
\n"; - return false; - } - - if (( $user_dn = ldap_get_dn($connect, $entry_id)) == false) - { - print "failure: user-dn coulnd't be fetched
\n"; - return false; - } - - /* Authentifizierung des User */ - if (($link_id = @ldap_bind($connect, $user_dn, $password)) == false) - { - return false; - } - - @ldap_close($connect); - return true; - } - else - { - // no conection to ldap server - echo "no connection to '$ldap_server'
\n"; - } - @ldap_close($connect); - return(false); + $auth = new authentication(); + return $auth->checkpassword($username, $password); } /** @@ -825,17 +774,8 @@ function check_filename($filename) */ function manual_basic_auth() { - if(!(isset($_SERVER['PHP_AUTH_USER']) && checkldapuser($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']))) - { - header('WWW-Authenticate: Basic realm="Technikum-Wien"'); - header('HTTP/1.0 401 Unauthorized'); - echo "Ihre Zugangsdaten sind ungueltig!"; - exit; - } - else - { - return mb_strtolower($_SERVER['PHP_AUTH_USER']); - } + $auth = new authentication(); + return $auth->RequireLogin(); } /** diff --git a/locale/de-AT/fas.dtd b/locale/de-AT/fas.dtd index a28b36a74..70bbf8f05 100644 --- a/locale/de-AT/fas.dtd +++ b/locale/de-AT/fas.dtd @@ -1,5 +1,5 @@ - +