summaryrefslogblamecommitdiffstats
path: root/pam.php
blob: 3eb413e67dcf91273f0a384d39d78414bcf635b0 (plain) (tree)
1
2
3
4
5
6
7
8
9


                                                                                    

                                                                                          


                                
   


                          


                                 









































                                                                                                                             



                                     
                                                                                




                                               

                                                                                                                                   



                                                          

                                                                               





                                       







                                                                                                                                 
<?php

// Autoload classes from ./inc which adhere to naming scheme <lowercasename>.inc.php
spl_autoload_register(function ($class) {
	$file = 'inc/' . preg_replace('/[^a-z0-9]/', '', strtolower($class)) . '.inc.php';
	if (!file_exists($file))
		return;
	require_once $file;
});

require_once 'config.php';

$action = Request::any('action');

//
// Even newer version - QR code based
//
if ($action === 'qrgen') {
	// Generate new QR code
	$token = Request::get('token');
	if (strlen($token) !== 16) {
		http_response_code(400);
		die('Wrong token length');
	}
	Database::exec("DELETE FROM client_token WHERE dateline < UNIX_TIMESTAMP() - 300");
	$ret = Database::exec("INSERT INTO client_token (username, token, dateline, qrtoken)
		VALUES ('', '', UNIX_TIMESTAMP(), :token)", ['token' => $token], true);
	if ($ret === false) {
		http_response_code(400);
		die('Token already in use');
	}
	$code = QRCode::getMinimumQRCode('https://' . CONFIG_FORCE_DOMAIN . '/?qr=' . $token, QR_ERROR_CORRECT_LEVEL_L);
	Header('Content-Type: image/svg+xml; charset=utf-8');
	$code->printSVG(16);
	exit;
}
if ($action === 'qrpoll') {
	$token = Request::get('token');
	$ret = Database::queryFirst("SELECT username, token, dmsdsession FROM client_token WHERE qrtoken = :qrtoken LIMIT 1",
		['qrtoken' => $token]);
	if ($ret === false) {
		http_response_code(404);
		exit;
	}
	if ($ret['username'] === '') {
		http_response_code(204);
		exit;
	}
	// Successful, send reply to lightdm
	$retval = $ret['username'] . "\n" . $ret['token'];
	if (!empty($ret['dmsdsession'])) {
		$retval .= "\n" . $ret['dmsdsession'];
	}
	die ($retval);
}

//
// New version - browser based
//
if ($action === 'browser') {
	// Browser requesting a token
	Header('Location: shib/client_auth.php?token=' . Request::any('token'));
	exit;
}

if ($action === 'verify') {
	// pam stack on client trying to verify
	$row = Database::queryFirst("SELECT username FROM client_token WHERE token = :token AND dateline > UNIX_TIMESTAMP() - 300",
		['token' => (string)Request::any('token')]);
	Header('Content-Type: text/plain; charset=utf-8');
	if ($row === false) {
		die("ERROR=Invalid token");
	}
	Database::exec("DELETE FROM client_token WHERE token = :token LIMIT 1",
		['token' => (string)Request::any('token')]);
	die("USER={$row['username']}");
}

//
// Old way, ECP
//
Header('Content-Type: text/plain; charset=utf-8');

$res = Database::simpleQuery("SELECT suffix, authmethod FROM organization INNER JOIN organization_suffix USING(organizationid)");
while ($row = $res->fetch(PDO::FETCH_ASSOC)) {
	if (substr($row['authmethod'], 0, 5) === 'https') {
		echo $row['suffix'], '=', $row['authmethod'], "\n";
	}
}