  1.     /**
  2.      * Checks if a given IP address matches the specified CIDR subnet/s
  3.      *
  4.      * @param string $ip The IP address to check
  5.      * @param mixed $cidrs The IP subnet (string) or subnets (array) in CIDR notation
  6.      * @param string $match optional If provided, will contain the first matched IP subnet
  7.      * @return boolean TRUE if the IP matches a given subnet or FALSE if it does not
  8.      */
  9.     public function ipMatch($ip, $cidrs, &$match = null) {
  10.         foreach((array) $cidrs as $cidr) {
  11.             list($subnet, $mask) = explode('/', $cidr);
  12.             if(((ip2long($ip) & ($mask = ~ ((1 << (32 - $mask)) - 1))) == (ip2long($subnet) & $mask))) {
  13.                 $match = $cidr;
  14.                 return true;
  15.             }
  16.         }
  17.         return false;
  18.     }
  19.        /**
  20.          * Returns the value of the user parameter of the querystring
  21.          *
  22.          * @access public
  23.          * @return string/boolean       false if not available
  24.          */
  25.         static public function GetUserDeviceStatus() {
  26.             if (isset(self::$UserDeviceStatus))
  27.                 return self::$UserDeviceStatus;
  28.             else
  29.                 return SYNC_COMMONSTATUS_NOT_SET;
  30.         }
  32.         /**
  33.          * Returns user/device authorization status
  34.          *
  35.          * @param string    $user
  36.          * @param string    $devid
  37.      * @param string    $remip       //Client IP
  38.      * @param boolean   $isoptions   //Is REQ_TYPE = OPTIONS, used to identify first auth step
  39.          *
  40.          * @return integer            returns status = SYNC_COMMONSTATUS_SUCCESS if user/device combination OK to sync,
  41.         *                            otherwise returns SYNC_COMMONSTATUS_USERDISABLEDFORSYNC, SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER, SYNC_COMMONSTATUS_MAXDEVICESREACHED, SYNC_COMMONSTATUS_IP_UNAUTHORIZED,SYNC_COMMONSTATUS_DEVICE_NULL, SYNC_COMMONSTATUS_FILE_UNAVAILABLE
  42.          * @access public
  43.          */
  44.         static public function GetUserDevicePermission($user, $devid, $remip, $isoptions) {
  45.  
  46.       ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): start");
  47.           ZLog::Write(LOGLEVEL_INFO, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP is '%s'", $remip));
  48.       if ($isoptions) {
  49.         ZLog::Write(LOGLEVEL_INFO, "ZPushAdmin::GetUserDevicePermission(): Request method is OPTIONS");
  50.       } else {
  51.         ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): Request method is NOT OPTIONS");         
  52.       }
  53.  
  54.           self::$UserDeviceStatus = SYNC_COMMONSTATUS_SUCCESS;
  55.  
  56.           $userFile = STATE_DIR . 'AuthorizedUsersAndDevices';
  57.  
  58.            $userList = @file_get_contents( $userFile );
  59.           if (!$userList) {
  60.                 ZLog::Write(LOGLEVEL_ERROR, "ZPushAdmin::GetUserDevicePermission(): AuthorizedUsersAndDevices file not found - all users are restricted");
  61.              self::$UserDeviceStatus = SYNC_COMMONSTATUS_FILE_UNAVAILABLE;
  62.              return self::$UserDeviceStatus;
  63.           }
  64.          
  65.           $lines = explode( "\n", str_replace( "\r", "", $userList) );
  66.  
  67.           $userFound = false;
  68.           $userStatus = false;
  69.           $deviceFound = false;
  70.             $deviceStatus = false;
  71.  
  72.           $lastBlankLine = false;
  73.           $firstUserLine = false;
  74.           $fileUpdated = false;
  75.  
  76.           // Allow a configuration to be set that allows/blocks new users/devices by default
  77.           $newDeviceAuthorize = false;
  78.           $newUserAuthorize = false;
  79.           $userMaxDevices = 0;
  80.       $allowedipranges = array("");
  81.       $ipauthorized = false;
  82.  
  83. //          if ($devid == 'validate') { // Android PROVISIONING initial step
  84. //             $deviceFound = true;
  85. //          }
  86.  
  87.  
  88.             for ($i=0;$i<count($lines);$i++)  {
  89.               if (trim($lines[$i]) == "") {
  90.                 $lastBlankLine = $i;
  91.                 continue;
  92.                
  93.              } elseif ($lines[$i][0] == "#") {
  94.                 continue;
  95.                
  96.              } elseif ($lines[$i][0] == "$") {
  97.                   $keyValue = explode( "=", substr($lines[$i],1) );
  98.                 if (strtolower(trim($keyValue[0])) == "newuserauthorize") {
  99.                     $newUserAuthorize = (strtolower(trim($keyValue[1])) == "false") ? false : true;
  100.                 } elseif (strtolower(trim($keyValue[0])) == "newdeviceauthorize") {
  101.                     $newDeviceAuthorize = (strtolower(trim($keyValue[1])) == "false") ? false : true;
  102.                 } elseif (strtolower(trim($keyValue[0])) == "usermaxdevices") {
  103.                     $userMaxDevices = (is_numeric(trim($keyValue[1])) ? intval(trim($keyValue[1])) : $userMaxDevices);
  104.                 } elseif (strtolower(trim($keyValue[0])) == "allowedipranges") {
  105.                     $allowedipranges = explode(",", trim($keyValue[1]));
  106.                 }
  107.                 continue;
  108.              }
  109.  
  110.              if (!$firstUserLine) {
  111.                 $firstUserLine = $i;
  112.              }
  113.              
  114.                 $userDeviceArray = explode( "|", $lines[$i] );
  115.               $userIdStatus = explode( "^", $userDeviceArray[0] );
  116.    
  117.              if (ZPushAdmin::ipMatch($remip, $allowedipranges)){
  118.          ZLog::Write(LOGLEVEL_DEBUG, sprintf("ZPushAdmin::ipMatch(): Client IP '%s' is in allowedipranges '%s'", $remip, implode(",",$allowedipranges)));
  119.          $ipauthorized = true;
  120.          } else {
  121.          ZLog::Write(LOGLEVEL_DEBUG, sprintf("ZPushAdmin::ipMatch(): Client IP '%s' is not in the allowedipranges '%s'", $remip, implode(",",$allowedipranges)));
  122.          $ipauthorized = false;
  123.          }
  124.              
  125.              if ($user == trim($userIdStatus[0])) {
  126.                 $userFound = true;
  127.                
  128.                 if (isset($userIdStatus[1])) {
  129.                    $userStatus = trim( $userIdStatus[1] );
  130.                 }
  131.                
  132.                 for ($j=1;$j<count($userDeviceArray);$j++) {
  133.                     $deviceIdStatus = explode( "^", $userDeviceArray[$j] );
  134.                    if (($devid == trim( $deviceIdStatus[0])) && ($devid <> "")) {
  135.                       $deviceFound = true;
  136.                       if (isset($deviceIdStatus[1])) {
  137.                          $deviceStatus = trim( $deviceIdStatus[1] );
  138.                       }
  139.                       break;
  140.                    }
  141.                 }
  142.                
  143.                 if (!$deviceFound) {
  144.                    if (count($userDeviceArray) >= $userMaxDevices + 1) {
  145.                       ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT found for User '%s' in AuthorizedUsersAndDevices file - User has Max '%d' Devices Reqistered - Cannot Add", $devid, $user, $userMaxDevices ));
  146.                       self::$UserDeviceStatus = SYNC_COMMONSTATUS_MAXDEVICESREACHED; // MaximumDevicesReached
  147.            } elseif (!$ipauthorized) {
  148.                       ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP '%s' for User '%s' is not authorized to add devices automatically, please add device to the AuthorizedUsersAndDevices file manually, or correct allowedipranges variable", $remip, $user));
  149.                       self::$UserDeviceStatus = SYNC_COMMONSTATUS_IP_UNAUTHORIZED; // IP UNAUTHORIZED TO ADD DEVICE
  150.            } elseif (($devid == "")&&($isoptions)) {
  151.                       ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): Request method is OPTIONS and devid is NULL, assuming first auth request, skipping device check", $user));  // FIRST AUTH REQUIEST
  152.            } elseif ($devid == "") {
  153.                       ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device for User '%s' is NULL, such devices cant be processed", $user));
  154.                       self::$UserDeviceStatus = SYNC_COMMONSTATUS_DEVICE_NULL; // DEVICEID IS NULL FOR UNKNOWN REASON
  155.                    } else {
  156.                       $lines[$i] .= " | " . $devid . ($newDeviceAuthorize ? "" : "^NA");
  157.                       $fileUpdated = true;
  158.            }
  159.            }
  160.           break;
  161.              }
  162.             }
  163.  
  164.           if ((!$userFound) && ($ipauthorized)) {
  165.              if ((!$lastBlankLine) || ($lastBlankLine < $firstUserLine )) {
  166.                 $lastBlankLine = count($lines);
  167.              }
  168.              
  169.               $lines[$lastBlankLine] = $user . ($newUserAuthorize ? "" : "^NA" ). " | " . $devid . ($newDeviceAuthorize ? "" : "^NA");
  170.              $fileUpdated = true;
  171.           }
  172.  
  173.           if ((!$userFound) && ($ipauthorized)) {
  174.              ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): User '%s' NOT found in AuthorizedUsersAndDevices file - Adding", $user ));
  175.              self::$UserDeviceStatus = (($newUserAuthorize) ? SYNC_COMMONSTATUS_SUCCESS : SYNC_COMMONSTATUS_USERDISABLEDFORSYNC); // OK : UserDisabledForSync
  176.           } elseif ($userStatus == 'NA' )  {
  177.              ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): User '%s' NOT AUTHORIZED in AuthorizedUsersAndDevices file ", $user ));
  178.              self::$UserDeviceStatus = SYNC_COMMONSTATUS_USERDISABLEDFORSYNC; // UserDisabledForSync
  179.           } elseif (!$ipauthorized)  {
  180.              ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP '%s' for User '%s' is not authorized to add users automatically, please add user to the AuthorizedUsersAndDevices file manually, or correct allowedipranges variable", $remip, $user));
  181.              self::$UserDeviceStatus = SYNC_COMMONSTATUS_IP_UNAUTHORIZED; // IP UNAUTHORIZED TO ADD USER
  182.           }
  183.          
  184.           // if self::$UserDeviceStatus not updated already based on user permissions/max devices - then check device permissions
  185.           if ((self::$UserDeviceStatus == SYNC_COMMONSTATUS_SUCCESS) && ($devid <>"")) {
  186.              if (! $deviceFound ) {
  187.                 ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT found for User '%s' in AuthorizedUsersAndDevices file - Adding", $devid, $user ));
  188.                 self::$UserDeviceStatus = (($newDeviceAuthorize) ? 1 : SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER); // OK : DeviceIsBlockedForThisUser
  189.              } elseif ($deviceStatus == 'NA' )  {
  190.                 ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT AUTHORIZED for User '%s' in AuthorizedUsersAndDevices file ", $devid, $user ));
  191.                 self::$UserDeviceStatus = SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER; // DeviceIsBlockedForThisUser
  192.              }
  193.           }
  194.  
  195.           if ($fileUpdated) {
  196.              $userList = implode( "\n", $lines );
  197.  
  198.              @file_put_contents( $userFile, $userList, LOCK_EX );
  199.                 ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): AuthorizedUsersAndDevices file updated ");
  200.           }
  201.  
  202.             return self::$UserDeviceStatus;
  203.         }