[irc/unrealircd/unrealircd-webpanel.git] / plugins / sql_auth / sql_auth.php

<?php

require_once "SQL/sql.php";
require_once "SQL/settings.php";

class sql_auth
{
	public $name = "SQLAuth";
	public $author = "Valware";
	public $version = "1.0";
	public $description = "Provides a User Auth and Management Panel with an SQL backend";
	public $email = "v.a.pond@outlook.com";

	function __construct()
	{
		self::create_tables();
		Hook::func(HOOKTYPE_PRE_HEADER, 'sql_auth::session_start');
		Hook::func(HOOKTYPE_FOOTER, 'sql_auth::add_footer_info');
		Hook::func(HOOKTYPE_USER_LOOKUP, 'sql_auth::get_user');
		Hook::func(HOOKTYPE_USERMETA_ADD, 'sql_auth::add_usermeta');
		Hook::func(HOOKTYPE_USERMETA_DEL, 'sql_auth::del_usermeta');
		Hook::func(HOOKTYPE_USERMETA_GET, 'sql_auth::get_usermeta');
		Hook::func(HOOKTYPE_USER_CREATE, 'sql_auth::user_create');
		Hook::func(HOOKTYPE_GET_USER_LIST, 'sql_auth::get_user_list');
		Hook::func(HOOKTYPE_USER_DELETE, 'sql_auth::user_delete');

		if (defined('SQL_DEFAULT_USER')) // we've got a default account
		{
			$lkup = new PanelUser(SQL_DEFAULT_USER['username']);

			if (!$lkup->id) // doesn't exist, add it with full privileges
			{
				$user = [];
				$user['user_name'] = SQL_DEFAULT_USER['username'];
				$user['user_pass'] = SQL_DEFAULT_USER['password'];
				$user['err'] = "";
				create_new_user($user);
			}
		}
	}


	public static function add_footer_info($empty)
	{
		if (!($user = unreal_get_current_user()))
			return;

		else {
			echo "<code>Admin Panel v" . WEBPANEL_VERSION . "</code>";
		}
	}

	/* pre-Header hook */
	public static function session_start($n)
	{
		if (!isset($_SESSION))
		{
			session_set_cookie_params(3600);
			session_start();
		}
		do_log($_SESSION);
		if (!isset($_SESSION['id']) || empty($_SESSION))
		{
			$secure = ($_SERVER['HTTPS'] == 'on') ? "https://" : "http://";
			$current_url = "$secure$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
			$tok = split($_SERVER['SCRIPT_FILENAME'], "/");
			if ($check = security_check() && $tok[count($tok) - 1] !== "error.php") {
				header("Location: " . BASE_URL . "plugins/sql_auth/error.php");
				die();
			}
			header("Location: ".BASE_URL."login/?redirect=".urlencode($current_url));
			die();
		}
		else
		{
			if (!unreal_get_current_user()->id) // user no longer exists
			{
				session_destroy();
				header("Location: ".BASE_URL."login");
				die();
			}
			// you'll be automatically logged out after one hour of inactivity
		}
	}

	/**
	 * Create the tables we'll be using in the SQLdb
	 * @return void
	 */
	public static function create_tables()
	{
		$conn = sqlnew();
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "users (
			user_id int AUTO_INCREMENT NOT NULL,
			user_name VARCHAR(255) NOT NULL,
			user_pass VARCHAR(255) NOT NULL,
			
			user_fname VARCHAR(255),
			user_lname VARCHAR(255),
			user_bio VARCHAR(255),
			created VARCHAR(255),
			PRIMARY KEY (user_id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "user_meta (
			meta_id int AUTO_INCREMENT NOT NULL,
			user_id int NOT NULL,
			meta_key VARCHAR(255) NOT NULL,
			meta_value VARCHAR(255),
			PRIMARY KEY (meta_id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "auth_settings (
			id int AUTO_INCREMENT NOT NULL,
			setting_key VARCHAR(255) NOT NULL,
			setting_value VARCHAR(255),
			PRIMARY KEY (id)
		)");
		$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "fail2ban (
			id int AUTO_INCREMENT NOT NULL,
			ip VARCHAR(255) NOT NULL,
			count VARCHAR(255),
			PRIMARY KEY (id)
		)");
		new AuthSettings();
	}

	/* We convert $u with a full user as an object ;D*/
	public static function get_user(&$u)
	{
		$id = $u['id'];
		$name = $u['name'];
		$conn = sqlnew();

		if ($id)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1");
			$prep->execute(["id" => strtolower($id)]);
		}
		elseif ($name)
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1");
			$prep->execute(["name" => strtolower($name)]);
		}
		$data = NULL;
		$obj = (object) [];
		if ($prep)
			$data = $prep->fetchAll();
		if (isset($data[0]) && $data = $data[0])
		{
			$obj->id = $data['user_id'];
			$obj->username = $data['user_name'];
			$obj->passhash = $data['user_pass'];
			$obj->first_name = $data['user_fname'] ?? NULL;
			$obj->last_name = $data['user_lname'] ?? NULL;
			$obj->created = $data['created'];
			$obj->bio = $data['user_bio'];
			$obj->user_meta = (new PanelUser_Meta($obj->id))->list;
		}
		$u['object'] = $obj;
	}

	public static function get_usermeta(&$u)
	{
		//do_log($u);
		$list = &$u['meta'];
		$id = $u['id'];
		$conn = sqlnew();
		if (isset($id))
		{
			$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id");
			$prep->execute(["id" => $id]);
		}
		foreach ($prep->fetchAll() as $row)
		{
			$list[$row['meta_key']] = $row['meta_value'];
		}
	}

	public static function add_usermeta(&$meta)
	{
		$meta = $meta['meta'];
		$conn = sqlnew();
		/* check if it exists first, update it if it does */
		$query = "SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
		$stmt = $conn->prepare($query);
		$stmt->execute(["id" => $meta['id'], "key" => $meta['key']]);
		if ($stmt->rowCount()) // it exists, update instead of insert
		{
			$query = "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key";
			$stmt = $conn->prepare($query);
			$stmt->execute($meta);
			if ($stmt->rowCount())
				return true;
			return false;
		}

		else
		{
			$query = "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)";
			$stmt = $conn->prepare($query);
			$stmt->execute($meta);
			if ($stmt->rowCount())
				return true;
			return false;
		}
	}
	public static function del_usermeta(&$u)
	{
		$conn = sqlnew();
		$query = "DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
		$stmt = $conn->prepare($query);
		$stmt->execute($u['meta']);
		if ($stmt->rowCount())
			return true;
		return false;
	}
	public static function user_create(&$u)
	{
		$username = $u['user_name'];
		$first_name = $u['fname'];
		$last_name = $u['lname'];
		$password = $u['user_pass'];
		$user_bio = $u['user_bio'];
		$conn = sqlnew();
		$prep = $conn->prepare("INSERT INTO " . SQL_PREFIX . "users (user_name, user_pass, user_fname, user_lname, user_bio, created) VALUES (:name, :pass, :fname, :lname, :user_bio, :created)");
		$prep->execute(["name" => $username, "pass" => $password, "fname" => $first_name, "lname" => $last_name, "user_bio" => $user_bio, "created" => date("Y-m-d H:i:s")]);
		if ($prep->rowCount())
			$u['success'] = true;
		else
			$u['errmsg'][] = "Could not add user";
	}

	public static function get_user_list(&$list)
	{
		$conn = sqlnew();
		$result = $conn->query("SELECT user_id FROM " . SQL_PREFIX . "users");
		if (!$result) // impossible
		{
			die("Something went wrong.");
		}
		$userlist = [];
		while($row =  $result->fetch())
		{
			$userlist[] = new PanelUser(NULL, $row['user_id']);
		}
		if (!empty($userlist))
			$list = $userlist;
		
	}
	public static function user_delete(&$u)
	{
		$user = $u['user'];
		$query = "DELETE FROM " . SQL_PREFIX . "users WHERE user_id = :id";
		$conn = sqlnew();
		$stmt = $conn->prepare($query);
		$stmt->execute(["id" => $user->id]);
		$deleted = $stmt->rowCount();
		if ($deleted)
		{
			$u['info'][] = "Successfully deleted user \"$user->username\"";
			$u['boolint'] =  1;
		} else {
			$u['info'][] = "Unknown error";
			$u['boolint'] = 0;
		}
	}
}


function security_check()
{
	$ip = $_SERVER['REMOTE_ADDR'];
	if (dnsbl_check($ip))
		return true;

	else if (fail2ban_check($ip))
	{

	}
}

function dnsbl_check($ip)
{
	$dnsbl_lookup = DNSBL;

	// clear variable just in case
	$listed = NULL;

	// if the IP was not given because you're an idiot, stop processing
	if (!$ip) { return; }
	
	// get the first two segments of the IPv4	
	$because = split($ip, ".");   // why you
	$you = $because[1]; 		  // gotta play
	$want = $because[2];		 // that song
	$to = $you.".".$want.".";	// so loud?
	
	// exempt local connections because sometimes they get a false positive
	if ($to == "192.168." || $to == "127.0.") { return NULL; }
	
	// you spin my IP right round, right round, to check the records baby, right round-round-round
	$reverse_ip = glue(array_reverse(split($ip, ".")), ".");
	
	// checkem
	foreach ($dnsbl_lookup as $host) {
		
		//if it was listed
		if (checkdnsrr($reverse_ip . "." . $host . ".", "A")) {
			
			//take note
			$listed = $host;
		}
	}

	// if it was safe, return NOTHING
	if (!$listed) {
		return NULL;
	}
	
	// else, you guessed it, return where it was listed
	else {
		return $listed;
	}
}

function fail2ban_check($ip)
{

}
Commit	Line	Data
ea27475b VP	1	<?php
	2
	3	require_once "SQL/sql.php";
ce9cf366	4	require_once "SQL/settings.php";
4d634d0a	5
ea27475b VP	6	class sql_auth
ea27475b VP	7	{
b44a2e97	8	public $name = "SQLAuth";
ea27475b VP	9	public $author = "Valware";
	10	public $version = "1.0";
	11	public $description = "Provides a User Auth and Management Panel with an SQL backend";
b65f0496	12	public $email = "v.a.pond@outlook.com";
ea27475b VP	13
	14	function __construct()
	15	{
5015c85c	16	self::create_tables();
b44a2e97	17	Hook::func(HOOKTYPE_PRE_HEADER, 'sql_auth::session_start');
33f512fa	18	Hook::func(HOOKTYPE_FOOTER, 'sql_auth::add_footer_info');
6930484c VP	19	Hook::func(HOOKTYPE_USER_LOOKUP, 'sql_auth::get_user');
	20	Hook::func(HOOKTYPE_USERMETA_ADD, 'sql_auth::add_usermeta');
	21	Hook::func(HOOKTYPE_USERMETA_DEL, 'sql_auth::del_usermeta');
	22	Hook::func(HOOKTYPE_USERMETA_GET, 'sql_auth::get_usermeta');
180b8ec1 VP	23	Hook::func(HOOKTYPE_USER_CREATE, 'sql_auth::user_create');
	24	Hook::func(HOOKTYPE_GET_USER_LIST, 'sql_auth::get_user_list');
	25	Hook::func(HOOKTYPE_USER_DELETE, 'sql_auth::user_delete');
4d634d0a VP	26
	27	if (defined('SQL_DEFAULT_USER')) // we've got a default account
	28	{
6930484c	29	$lkup = new PanelUser(SQL_DEFAULT_USER['username']);
4d634d0a VP	30
	31	if (!$lkup->id) // doesn't exist, add it with full privileges
	32	{
180b8ec1 VP	33	$user = [];
	34	$user['user_name'] = SQL_DEFAULT_USER['username'];
	35	$user['user_pass'] = SQL_DEFAULT_USER['password'];
	36	$user['err'] = "";
	37	create_new_user($user);
4d634d0a VP	38	}
4d634d0a VP	39	}
ea27475b VP	40	}
ea27475b VP	41
ea27475b	42
33f512fa VP	43	public static function add_footer_info($empty)
	44	{
	45	if (!($user = unreal_get_current_user()))
	46	return;
	47
	48	else {
	49	echo "<code>Admin Panel v" . WEBPANEL_VERSION . "</code>";
	50	}
	51	}
	52
3a8ffab8	53	/* pre-Header hook */
b44a2e97 VP	54	public static function session_start($n)
b44a2e97 VP	55	{
06369f59 VP	56	if (!isset($_SESSION))
	57	{
	58	session_set_cookie_params(3600);
	59	session_start();
	60	}
454379e3 VP	61	do_log($_SESSION);
454379e3 VP	62	if (!isset($_SESSION['id']) \|\| empty($_SESSION))
b44a2e97	63	{
3a8ffab8 VP	64	$secure = ($_SERVER['HTTPS'] == 'on') ? "https://" : "http://";
3a8ffab8 VP	65	$current_url = "$secure$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
ce9cf366 VP	66	$tok = split($_SERVER['SCRIPT_FILENAME'], "/");
	67	if ($check = security_check() && $tok[count($tok) - 1] !== "error.php") {
	68	header("Location: " . BASE_URL . "plugins/sql_auth/error.php");
	69	die();
	70	}
321b7b81	71	header("Location: ".BASE_URL."login/?redirect=".urlencode($current_url));
454379e3	72	die();
b44a2e97	73	}
08ce3aa7 VP	74	else
08ce3aa7 VP	75	{
f5e3ecee	76	if (!unreal_get_current_user()->id) // user no longer exists
08ce3aa7 VP	77	{
08ce3aa7 VP	78	session_destroy();
321b7b81	79	header("Location: ".BASE_URL."login");
f5e3ecee	80	die();
08ce3aa7	81	}
e3e93dde	82	// you'll be automatically logged out after one hour of inactivity
08ce3aa7	83	}
b44a2e97	84	}
ea27475b	85
ce9cf366 VP	86	/**
	87	* Create the tables we'll be using in the SQLdb
	88	* @return void
	89	*/
5015c85c VP	90	public static function create_tables()
	91	{
	92	$conn = sqlnew();
	93	$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "users (
	94	user_id int AUTO_INCREMENT NOT NULL,
	95	user_name VARCHAR(255) NOT NULL,
	96	user_pass VARCHAR(255) NOT NULL,
	97
	98	user_fname VARCHAR(255),
	99	user_lname VARCHAR(255),
	100	user_bio VARCHAR(255),
	101	created VARCHAR(255),
	102	PRIMARY KEY (user_id)
	103	)");
	104	$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "user_meta (
	105	meta_id int AUTO_INCREMENT NOT NULL,
	106	user_id int NOT NULL,
	107	meta_key VARCHAR(255) NOT NULL,
	108	meta_value VARCHAR(255),
	109	PRIMARY KEY (meta_id)
	110	)");
ce9cf366 VP	111	$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "auth_settings (
	112	id int AUTO_INCREMENT NOT NULL,
	113	setting_key VARCHAR(255) NOT NULL,
	114	setting_value VARCHAR(255),
	115	PRIMARY KEY (id)
	116	)");
33f512fa VP	117	$conn->query("CREATE TABLE IF NOT EXISTS " . SQL_PREFIX . "fail2ban (
	118	id int AUTO_INCREMENT NOT NULL,
	119	ip VARCHAR(255) NOT NULL,
	120	count VARCHAR(255),
	121	PRIMARY KEY (id)
	122	)");
9c643401	123	new AuthSettings();
5015c85c VP	124	}
5015c85c VP	125
6930484c VP	126	/* We convert $u with a full user as an object ;D*/
	127	public static function get_user(&$u)
	128	{
	129	$id = $u['id'];
	130	$name = $u['name'];
	131	$conn = sqlnew();
	132
	133	if ($id)
	134	{
	135	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE user_id = :id LIMIT 1");
	136	$prep->execute(["id" => strtolower($id)]);
	137	}
	138	elseif ($name)
	139	{
	140	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "users WHERE LOWER(user_name) = :name LIMIT 1");
	141	$prep->execute(["name" => strtolower($name)]);
	142	}
	143	$data = NULL;
	144	$obj = (object) [];
	145	if ($prep)
	146	$data = $prep->fetchAll();
	147	if (isset($data[0]) && $data = $data[0])
	148	{
	149	$obj->id = $data['user_id'];
	150	$obj->username = $data['user_name'];
	151	$obj->passhash = $data['user_pass'];
	152	$obj->first_name = $data['user_fname'] ?? NULL;
	153	$obj->last_name = $data['user_lname'] ?? NULL;
	154	$obj->created = $data['created'];
	155	$obj->bio = $data['user_bio'];
	156	$obj->user_meta = (new PanelUser_Meta($obj->id))->list;
	157	}
	158	$u['object'] = $obj;
	159	}
	160
	161	public static function get_usermeta(&$u)
	162	{
	163	//do_log($u);
	164	$list = &$u['meta'];
	165	$id = $u['id'];
	166	$conn = sqlnew();
	167	if (isset($id))
	168	{
	169	$prep = $conn->prepare("SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id");
	170	$prep->execute(["id" => $id]);
	171	}
	172	foreach ($prep->fetchAll() as $row)
	173	{
	174	$list[$row['meta_key']] = $row['meta_value'];
	175	}
	176	}
	177
	178	public static function add_usermeta(&$meta)
	179	{
da6fa2d1	180	$meta = $meta['meta'];
6930484c VP	181	$conn = sqlnew();
	182	/* check if it exists first, update it if it does */
	183	$query = "SELECT * FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
	184	$stmt = $conn->prepare($query);
	185	$stmt->execute(["id" => $meta['id'], "key" => $meta['key']]);
	186	if ($stmt->rowCount()) // it exists, update instead of insert
	187	{
	188	$query = "UPDATE " . SQL_PREFIX . "user_meta SET meta_value = :value WHERE user_id = :id AND meta_key = :key";
	189	$stmt = $conn->prepare($query);
	190	$stmt->execute($meta);
	191	if ($stmt->rowCount())
	192	return true;
	193	return false;
	194	}
	195
	196	else
	197	{
	198	$query = "INSERT INTO " . SQL_PREFIX . "user_meta (user_id, meta_key, meta_value) VALUES (:id, :key, :value)";
	199	$stmt = $conn->prepare($query);
	200	$stmt->execute($meta);
	201	if ($stmt->rowCount())
	202	return true;
	203	return false;
	204	}
	205	}
	206	public static function del_usermeta(&$u)
	207	{
	208	$conn = sqlnew();
	209	$query = "DELETE FROM " . SQL_PREFIX . "user_meta WHERE user_id = :id AND meta_key = :key";
	210	$stmt = $conn->prepare($query);
	211	$stmt->execute($u['meta']);
	212	if ($stmt->rowCount())
	213	return true;
	214	return false;
	215	}
180b8ec1 VP	216	public static function user_create(&$u)
	217	{
	218	$username = $u['user_name'];
	219	$first_name = $u['fname'];
	220	$last_name = $u['lname'];
	221	$password = $u['user_pass'];
	222	$user_bio = $u['user_bio'];
	223	$conn = sqlnew();
	224	$prep = $conn->prepare("INSERT INTO " . SQL_PREFIX . "users (user_name, user_pass, user_fname, user_lname, user_bio, created) VALUES (:name, :pass, :fname, :lname, :user_bio, :created)");
	225	$prep->execute(["name" => $username, "pass" => $password, "fname" => $first_name, "lname" => $last_name, "user_bio" => $user_bio, "created" => date("Y-m-d H:i:s")]);
	226	if ($prep->rowCount())
	227	$u['success'] = true;
	228	else
	229	$u['errmsg'][] = "Could not add user";
	230	}
	231
	232	public static function get_user_list(&$list)
	233	{
	234	$conn = sqlnew();
	235	$result = $conn->query("SELECT user_id FROM " . SQL_PREFIX . "users");
	236	if (!$result) // impossible
	237	{
	238	die("Something went wrong.");
	239	}
	240	$userlist = [];
	241	while($row = $result->fetch())
	242	{
	243	$userlist[] = new PanelUser(NULL, $row['user_id']);
	244	}
	245	if (!empty($userlist))
	246	$list = $userlist;
	247
	248	}
	249	public static function user_delete(&$u)
	250	{
	251	$user = $u['user'];
	252	$query = "DELETE FROM " . SQL_PREFIX . "users WHERE user_id = :id";
	253	$conn = sqlnew();
	254	$stmt = $conn->prepare($query);
	255	$stmt->execute(["id" => $user->id]);
	256	$deleted = $stmt->rowCount();
	257	if ($deleted)
	258	{
	259	$u['info'][] = "Successfully deleted user \"$user->username\"";
	260	$u['boolint'] = 1;
	261	} else {
	262	$u['info'][] = "Unknown error";
	263	$u['boolint'] = 0;
	264	}
	265	}
ce9cf366 VP	266	}
	267
	268
	269	function security_check()
	270	{
	271	$ip = $_SERVER['REMOTE_ADDR'];
	272	if (dnsbl_check($ip))
	273	return true;
	274
	275	else if (fail2ban_check($ip))
	276	{
	277
	278	}
	279	}
	280
	281	function dnsbl_check($ip)
	282	{
	283	$dnsbl_lookup = DNSBL;
	284
	285	// clear variable just in case
	286	$listed = NULL;
	287
	288	// if the IP was not given because you're an idiot, stop processing
	289	if (!$ip) { return; }
	290
	291	// get the first two segments of the IPv4
	292	$because = split($ip, "."); // why you
	293	$you = $because[1]; // gotta play
	294	$want = $because[2]; // that song
	295	$to = $you.".".$want."."; // so loud?
	296
	297	// exempt local connections because sometimes they get a false positive
	298	if ($to == "192.168." \|\| $to == "127.0.") { return NULL; }
	299
	300	// you spin my IP right round, right round, to check the records baby, right round-round-round
	301	$reverse_ip = glue(array_reverse(split($ip, ".")), ".");
	302
	303	// checkem
	304	foreach ($dnsbl_lookup as $host) {
	305
	306	//if it was listed
	307	if (checkdnsrr($reverse_ip . "." . $host . ".", "A")) {
	308
	309	//take note
	310	$listed = $host;
	311	}
	312	}
	313
	314	// if it was safe, return NOTHING
	315	if (!$listed) {
	316	return NULL;
	317	}
	318
	319	// else, you guessed it, return where it was listed
	320	else {
	321	return $listed;
	322	}
	323	}
	324
	325	function fail2ban_check($ip)
33f512fa VP	326	{
	327
	328	}