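/**
 * Checks if a given IPv4 address matches the specified CIDR subnet/s
 *
 * Entries are tried in order and the first one containing $ip wins. An
 * entry only takes part when it has the form "a.b.c.d/prefix" with an IPv4
 * network part and a prefix length of 0..32; anything else (an empty
 * string, a bare address without "/prefix", a prefix above 32) is skipped
 * and never matches. Before this check an entry without a prefix length
 * produced an all-zero mask and therefore matched every address, which is
 * the wrong way to fail for an allow-list. Entries are trimmed, so lists
 * written as "a/8, b/16" work as well.
 *
 * @param string $ip The IPv4 address to check; a non-IPv4 value never matches
 * @param mixed $cidrs The IP subnet (string) or subnets (array) in CIDR notation
 * @param string $match optional If provided, will contain the first matched IP subnet (trimmed)
 * @return boolean TRUE if the IP matches a given subnet or FALSE if it does not
 */
public static function ipMatch($ip, $cidrs, &$match = null) {
    // Declared static: the caller invokes it as ZPushAdmin::ipMatch(), which
    // PHP 8 rejects for a non-static method. Instance calls keep working.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return false;
    }
    $ipLong = ip2long($ip);
    $prefixRange = array('options' => array('min_range' => 0, 'max_range' => 32));

    foreach ((array) $cidrs as $cidr) {
        $entry = trim((string) $cidr);
        $parts = explode('/', $entry, 2);
        if (count($parts) !== 2 || filter_var($parts[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            continue;
        }
        $prefix = filter_var($parts[1], FILTER_VALIDATE_INT, $prefixRange);
        if ($prefix === false) {
            continue;
        }
        // A /0 contains everything. Otherwise compare the top $prefix bits of
        // both addresses by shifting the host bits out; this avoids building
        // a 32-bit mask, whose behaviour differs between 32-bit and 64-bit
        // PHP builds.
        $hostBits = 32 - $prefix;
        if ($prefix === 0 || ($ipLong >> $hostBits) === (ip2long($parts[0]) >> $hostBits)) {
            $match = $entry;
            return true;
        }
    }
    return false;
}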
/**
 * Returns the status stored by the last GetUserDevicePermission() call
 *
 * @access public
 * @return integer one of the SYNC_COMMONSTATUS_* values, or SYNC_COMMONSTATUS_NOT_SET
 *                 when GetUserDevicePermission() has not been called yet
 */
static public function GetUserDeviceStatus() {
    // isset() is false for an unset or null property, which is exactly the
    // "not computed yet" case the sentinel reports
    if (!isset(self::$UserDeviceStatus)) {
        return SYNC_COMMONSTATUS_NOT_SET;
    }
    return self::$UserDeviceStatus;
}
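/**
 * Returns user/device authorization status
 *
 * Looks the user/device combination up in STATE_DIR . 'AuthorizedUsersAndDevices'.
 * When the client IP is inside the file's "allowedipranges" directive, unknown
 * users and devices are appended to the file (with a "^NA" suffix unless the
 * file's newuserauthorize/newdeviceauthorize directives enable them).
 *
 * File format, one record per line:
 *   user[^NA] | devid[^NA] | devid[^NA] ...
 * Lines starting with "#" are comments, lines starting with "$" are directives
 * ("$key=value"): newuserauthorize, newdeviceauthorize, usermaxdevices,
 * allowedipranges (comma separated CIDR list). Directives are read from the
 * whole file before any record is evaluated.
 *
 * NOTE: the read-modify-write of the file is not atomic (LOCK_EX only covers
 * the write), so two concurrent first requests can lose one another's append.
 *
 * @param string $user
 * @param string $devid //Client device id, "" on the first OPTIONS request
 * @param string $remip //Client IP
 * @param boolean $isoptions //Is REQ_TYPE = OPTIONS, used to identify first auth step
 *
 * @return integer returns status = SYNC_COMMONSTATUS_SUCCESS if user/device combination OK to sync,
 * otherwise returns SYNC_COMMONSTATUS_USERDISABLEDFORSYNC, SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER, SYNC_COMMONSTATUS_MAXDEVICESREACHED, SYNC_COMMONSTATUS_IP_UNAUTHORIZED,SYNC_COMMONSTATUS_DEVICE_NULL, SYNC_COMMONSTATUS_FILE_UNAVAILABLE
 * @access public
 */
static public function GetUserDevicePermission($user, $devid, $remip, $isoptions) {
    ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): start");
    ZLog::Write(LOGLEVEL_INFO, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP is '%s'", $remip));
    if ($isoptions) {
        ZLog::Write(LOGLEVEL_INFO, "ZPushAdmin::GetUserDevicePermission(): Request method is OPTIONS");
    } else {
        ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): Request method is NOT OPTIONS");
    }
    self::$UserDeviceStatus = SYNC_COMMONSTATUS_SUCCESS;

    // Both identifiers are compared as strings and, when unknown, written
    // verbatim into the record file; normalise null/non-string values once.
    $user = (string) $user;
    $devid = (string) $devid;

    // A line break or field delimiter inside an identifier would let the
    // client rewrite other records or directives when the file is updated,
    // so such identifiers are refused before the file is read. They could
    // never match an existing record anyway, because records are split on
    // exactly these characters. Control characters are escaped in the log.
    if (self::containsRecordDelimiter($user)) {
        ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): User '%s' contains reserved characters (newline, '|' or '^') - cannot be processed", addcslashes($user, "\0..\37")));
        self::$UserDeviceStatus = SYNC_COMMONSTATUS_USERDISABLEDFORSYNC;
        return self::$UserDeviceStatus;
    }
    if (self::containsRecordDelimiter($devid)) {
        ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' for User '%s' contains reserved characters (newline, '|' or '^') - cannot be processed", addcslashes($devid, "\0..\37"), $user));
        self::$UserDeviceStatus = SYNC_COMMONSTATUS_DEVICE_NULL;
        return self::$UserDeviceStatus;
    }

    $userFile = STATE_DIR . 'AuthorizedUsersAndDevices';
    // === false: an empty file (or one containing just "0") is a readable
    // file with no records, not a missing one
    $userList = is_readable($userFile) ? file_get_contents($userFile) : false;
    if ($userList === false) {
        ZLog::Write(LOGLEVEL_ERROR, "ZPushAdmin::GetUserDevicePermission(): AuthorizedUsersAndDevices file not found - all users are restricted");
        self::$UserDeviceStatus = SYNC_COMMONSTATUS_FILE_UNAVAILABLE;
        return self::$UserDeviceStatus;
    }
    $lines = explode("\n", str_replace("\r", "", $userList));
    $lineCount = count($lines);

    // Directives may appear anywhere in the file, so they are collected in a
    // first pass; the IP check below then sees the complete allowedipranges
    // list, and it is also evaluated when the file holds no records yet.
    $directives = self::parseAuthorizationDirectives($lines);
    $newUserAuthorize = $directives['newuserauthorize'];
    $newDeviceAuthorize = $directives['newdeviceauthorize'];
    $userMaxDevices = $directives['usermaxdevices'];
    $allowedipranges = $directives['allowedipranges'];

    // Evaluated once: the result applies to the user and to all of its devices.
    $ipauthorized = ZPushAdmin::ipMatch($remip, $allowedipranges);
    if ($ipauthorized) {
        ZLog::Write(LOGLEVEL_DEBUG, sprintf("ZPushAdmin::ipMatch(): Client IP '%s' is in allowedipranges '%s'", $remip, implode(",", $allowedipranges)));
    } else {
        ZLog::Write(LOGLEVEL_DEBUG, sprintf("ZPushAdmin::ipMatch(): Client IP '%s' is not in the allowedipranges '%s'", $remip, implode(",", $allowedipranges)));
    }

    $userFound = false;
    $userStatus = false;      // "NA" when the user's record carries the ^NA suffix
    $deviceFound = false;
    $deviceStatus = false;    // "NA" when the device's field carries the ^NA suffix
    $lastBlankLine = false;   // index of the last blank line; reused as the slot for a new user record
    $firstUserLine = false;   // index of the first record line
    $fileUpdated = false;

    for ($i = 0; $i < $lineCount; $i++) {
        $line = $lines[$i];
        if (trim($line) === "") {
            $lastBlankLine = $i;
            continue;
        }
        // comments, and directives (already parsed above)
        if ($line[0] === "#" || $line[0] === "$") {
            continue;
        }
        if ($firstUserLine === false) {
            $firstUserLine = $i;
        }

        $userDeviceArray = explode("|", $line);
        $userIdStatus = explode("^", $userDeviceArray[0]);
        // strict comparison: "==" would treat numeric-looking names such as
        // "01" and "1" as the same user
        if ($user !== trim($userIdStatus[0])) {
            continue;
        }
        $userFound = true;
        if (isset($userIdStatus[1])) {
            $userStatus = trim($userIdStatus[1]);
        }

        // fields 1..n of the record are the user's registered devices
        $fieldCount = count($userDeviceArray);
        for ($j = 1; $j < $fieldCount; $j++) {
            $deviceIdStatus = explode("^", $userDeviceArray[$j]);
            if ($devid !== "" && $devid === trim($deviceIdStatus[0])) {
                $deviceFound = true;
                if (isset($deviceIdStatus[1])) {
                    $deviceStatus = trim($deviceIdStatus[1]);
                }
                break;
            }
        }

        if (!$deviceFound) {
            // field 0 is the user, so the record holds $fieldCount - 1 devices
            if ($fieldCount >= $userMaxDevices + 1) {
                ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT found for User '%s' in AuthorizedUsersAndDevices file - User has Max '%d' Devices Reqistered - Cannot Add", $devid, $user, $userMaxDevices));
                self::$UserDeviceStatus = SYNC_COMMONSTATUS_MAXDEVICESREACHED; // MaximumDevicesReached
            } elseif (!$ipauthorized) {
                ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP '%s' for User '%s' is not authorized to add devices automatically, please add device to the AuthorizedUsersAndDevices file manually, or correct allowedipranges variable", $remip, $user));
                self::$UserDeviceStatus = SYNC_COMMONSTATUS_IP_UNAUTHORIZED; // IP UNAUTHORIZED TO ADD DEVICE
            } elseif ($devid === "" && $isoptions) {
                ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): Request method is OPTIONS and devid is NULL for User '%s', assuming first auth request, skipping device check", $user)); // FIRST AUTH REQUEST
            } elseif ($devid === "") {
                ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device for User '%s' is NULL, such devices cant be processed", $user));
                self::$UserDeviceStatus = SYNC_COMMONSTATUS_DEVICE_NULL; // DEVICEID IS NULL FOR UNKNOWN REASON
            } else {
                $lines[$i] .= " | " . $devid . ($newDeviceAuthorize ? "" : "^NA");
                $fileUpdated = true;
            }
        }
        break; // first matching record wins
    }

    if (!$userFound && $ipauthorized) {
        // Reuse the last blank line when it lies after the first record,
        // otherwise append at the end of the file.
        $slot = $lastBlankLine;
        if ($slot === false || ($firstUserLine !== false && $slot < $firstUserLine)) {
            $slot = $lineCount;
        }
        $lines[$slot] = $user . ($newUserAuthorize ? "" : "^NA") . " | " . $devid . ($newDeviceAuthorize ? "" : "^NA");
        $fileUpdated = true;
        ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): User '%s' NOT found in AuthorizedUsersAndDevices file - Adding", $user));
        self::$UserDeviceStatus = ($newUserAuthorize ? SYNC_COMMONSTATUS_SUCCESS : SYNC_COMMONSTATUS_USERDISABLEDFORSYNC); // OK : UserDisabledForSync
    } elseif ($userStatus === 'NA') {
        ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): User '%s' NOT AUTHORIZED in AuthorizedUsersAndDevices file ", $user));
        self::$UserDeviceStatus = SYNC_COMMONSTATUS_USERDISABLEDFORSYNC; // UserDisabledForSync
    } elseif (!$ipauthorized) {
        ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Client IP '%s' for User '%s' is not authorized to add users automatically, please add user to the AuthorizedUsersAndDevices file manually, or correct allowedipranges variable", $remip, $user));
        self::$UserDeviceStatus = SYNC_COMMONSTATUS_IP_UNAUTHORIZED; // IP UNAUTHORIZED TO ADD USER
    }

    // if self::$UserDeviceStatus not updated already based on user permissions/max devices - then check device permissions
    if (self::$UserDeviceStatus == SYNC_COMMONSTATUS_SUCCESS && $devid !== "") {
        if (!$deviceFound) {
            ZLog::Write(LOGLEVEL_WARN, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT found for User '%s' in AuthorizedUsersAndDevices file - Adding", $devid, $user));
            // the literal 1 used here previously is SYNC_COMMONSTATUS_SUCCESS
            self::$UserDeviceStatus = ($newDeviceAuthorize ? SYNC_COMMONSTATUS_SUCCESS : SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER); // OK : DeviceIsBlockedForThisUser
        } elseif ($deviceStatus === 'NA') {
            ZLog::Write(LOGLEVEL_ERROR, sprintf("ZPushAdmin::GetUserDevicePermission(): Device '%s' NOT AUTHORIZED for User '%s' in AuthorizedUsersAndDevices file ", $devid, $user));
            self::$UserDeviceStatus = SYNC_COMMONSTATUS_DEVICEBLOCKEDFORUSER; // DeviceIsBlockedForThisUser
        }
    }

    if ($fileUpdated) {
        $userList = implode("\n", $lines);
        // The warning is suppressed as before, but the result is now checked:
        // a failed write used to go unnoticed, leaving the status based on a
        // record that was never persisted.
        if (@file_put_contents($userFile, $userList, LOCK_EX) === false) {
            ZLog::Write(LOGLEVEL_ERROR, "ZPushAdmin::GetUserDevicePermission(): AuthorizedUsersAndDevices file could not be updated - the new user/device record was not saved");
        } else {
            ZLog::Write(LOGLEVEL_DEBUG, "ZPushAdmin::GetUserDevicePermission(): AuthorizedUsersAndDevices file updated ");
        }
    }
    return self::$UserDeviceStatus;
}

/**
 * TRUE when $value contains a character that delimits records ("\n", "\r"),
 * user/device fields ("|") or the status suffix ("^") of the
 * AuthorizedUsersAndDevices file.
 *
 * @param string $value
 * @return boolean
 */
private static function containsRecordDelimiter($value) {
    return strpbrk((string) $value, "\n\r|^") !== false;
}

/**
 * Reads the "$key=value" directives of the AuthorizedUsersAndDevices file.
 *
 * Unknown keys are ignored, a directive without "=" counts as an empty value,
 * and a later occurrence of a key overrides an earlier one. Values are split
 * at the first "=" only, so a value may itself contain "=".
 *
 * @param array $lines the file content split into lines
 * @return array with keys newuserauthorize (bool), newdeviceauthorize (bool),
 *               usermaxdevices (int) and allowedipranges (array of strings)
 */
private static function parseAuthorizationDirectives(array $lines) {
    // Defaults: block new users and devices, no device slots, and a single
    // empty range entry (how ipMatch() treats that entry decides whether any
    // client is authorized when the directive is absent).
    $directives = array(
        'newuserauthorize' => false,
        'newdeviceauthorize' => false,
        'usermaxdevices' => 0,
        'allowedipranges' => array(""),
    );
    foreach ($lines as $line) {
        if ($line === "" || $line[0] !== "$") {
            continue;
        }
        $keyValue = explode("=", substr($line, 1), 2);
        $key = strtolower(trim($keyValue[0]));
        $value = isset($keyValue[1]) ? trim($keyValue[1]) : "";
        switch ($key) {
            case "newuserauthorize":
                // anything but the literal "false" enables
                $directives['newuserauthorize'] = (strtolower($value) !== "false");
                break;
            case "newdeviceauthorize":
                $directives['newdeviceauthorize'] = (strtolower($value) !== "false");
                break;
            case "usermaxdevices":
                if (is_numeric($value)) {
                    $directives['usermaxdevices'] = intval($value);
                }
                break;
            case "allowedipranges":
                $directives['allowedipranges'] = explode(",", $value);
                break;
        }
    }
    return $directives;
}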