From 2d37f6ce56d1254c94c402fa47618dad42e40daf Mon Sep 17 00:00:00 2001
From: cajus <cajus@594d385d-05f5-0310-b6e9-bd551577e9d8>
Date: Thu, 3 Sep 2009 07:45:50 +0000
Subject: [PATCH] Added possibility to allow access only from certain clients,
 networks.

git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@14199 594d385d-05f5-0310-b6e9-bd551577e9d8
---
 gosa-core/include/class_userinfo.inc | 54 +++++++++++++++++++++++++++-
 gosa-core/include/functions.inc      | 28 +++++++++++++++
 2 files changed, 81 insertions(+), 1 deletion(-)

diff --git a/gosa-core/include/class_userinfo.inc b/gosa-core/include/class_userinfo.inc
index 36c507255..01315479d 100644
--- a/gosa-core/include/class_userinfo.inc
+++ b/gosa-core/include/class_userinfo.inc
@@ -27,6 +27,7 @@ class userinfo
   var $username;
   var $cn;
   var $uid;
+  var $restrictions= array();
   var $gidNumber= -1;
   var $language= "";
   var $config;
@@ -45,7 +46,7 @@ class userinfo
   function userinfo(&$config, $userdn){
     $this->config= &$config;
     $ldap= $this->config->get_ldap_link();
-    $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag'));
+    $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag', 'gosaLoginRestriction'));
     $attrs= $ldap->fetch();
 
     if (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])){
@@ -57,6 +58,12 @@ class userinfo
       $this->gidNumber= $attrs['gidNumber'][0];
     }
 
+    /* Restrictions? */
+    if (isset($attrs['gosaLoginRestrictions'])){
+      $this->restrictions= $attrs['gosaLoginRestrictions'];
+      unset($this->restrictions['count']);
+    }
+
     /* Assign user language */
     if (isset($attrs['preferredLanguage'][0])){
       $this->language= $attrs['preferredLanguage'][0];
@@ -705,7 +712,52 @@ class userinfo
     return($this->ignoreACL);
   }
 
+
+  function loginAllowed()
+  {
+    // Need to check restrictions?
+    if (count($this->restrictions)){
+
+      // We have restrictions but cannot check them
+      if (!isset($_SERVER['REMOTE_ADDR'])){
+        return false;
+      }
+
+      // Move to binary...
+      $source= $_SERVER['REMOTE_ADDR'];
+      foreach ($this->restrictions as $restriction) {
+
+        // Single IP
+        if (preg_match('/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/', $restriction)) {
+           if ($source == $restriction){
+             return true;
+           }
+        }
+
+        // Match with short netmask
+        if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)$/', $restriction, $matches)) {
+          if (isIpInNet($source, $matches[1], long2ip(~(pow(2, (32-$matches[2]))-1)))) {
+            return true;
+          }
+        }
+
+        // Match with long netmask
+        if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $restriction, $matches)) {
+          if (isIpInNet($source, $matches[1], $matches[2])) {
+            return true;
+          }
+        }
+
+      }
+
+      return false;
+    }
+
+    return true;
+  }
+
 }
 
+
 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
 ?>
diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc
index e75dc292f..d02d7d462 100644
--- a/gosa-core/include/functions.inc
+++ b/gosa-core/include/functions.inc
@@ -405,6 +405,12 @@ function ldap_login_user_htaccess ($username)
   $ui= new userinfo($config, $ldap->getDN());
   $ui->username= $attrs['uid'][0];
 
+  /* Bail out if we have login restrictions set, for security reasons
+     the message is the same than failed user/pw */
+  if (!$ui->loginAllowed()){
+    return (NULL);
+  }
+
   /* No password check needed - the webserver did it for us */
   $ldap->disconnect();
 
@@ -485,6 +491,12 @@ function ldap_login_user ($username, $password)
   $ui= new userinfo($config, $ldap->getDN());
   $ui->username= $attrs['uid'][0];
 
+  /* Bail out if we have login restrictions set, for security reasons
+     the message is the same than failed user/pw */
+  if (!$ui->loginAllowed()){
+    return (NULL);
+  }
+
   /* password check, bind as user with supplied password  */
   $ldap->disconnect();
   $ldap= new LDAP($ui->dn, $password, $config->current['SERVER'],
@@ -2787,6 +2799,7 @@ function cred_encrypt($input, $password) {
 
 }
 
+
 function cred_decrypt($input,$password) {
   $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
   $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
@@ -2794,16 +2807,31 @@ function cred_decrypt($input,$password) {
   return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv);
 }
 
+
 function get_object_info()
 {
   return(session::get('objectinfo'));
 }
 
+
 function set_object_info($str = "")
 {
   session::set('objectinfo',$str);
 }
 
 
+function isIpInNet($ip, $net, $mask) {
+   // Move to long ints
+   $ip= ip2long($ip);
+   $net= ip2long($net);
+   $mask= ip2long($mask);
+
+   // Mask given IP with mask. If it returns "net", we're in...
+   $res= $ip & $mask;
+
+   return ($res == $net);
+}
+
+
 // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
 ?>
-- 
2.30.2