X-Git-Url: https://jfr.im/git/irc/unrealircd/unrealircd-webpanel.git/blobdiff_plain/d3e3ec08fc18333b563857148039bcbf80726625..579020f8c67f7bdfd9d530a25b701af6ee53c412:/Classes/class-paneluser.php diff --git a/Classes/class-paneluser.php b/Classes/class-paneluser.php index 722f4f8..1757e30 100644 --- a/Classes/class-paneluser.php +++ b/Classes/class-paneluser.php @@ -27,6 +27,8 @@ define('PERMISSION_SPAMFILTER_ADD', 'sf_add'); define('PERMISSION_SPAMFILTER_DEL', 'sf_del'); /** Can rehash servers */ define('PERMISSION_REHASH', 'rhs'); +/** Can install and uninstall plugins */ +define('PERMISSION_MANAGE_PLUGINS', 'mng_plg'); /** * PanelUser * This is the User class for the SQL_Auth plugin @@ -54,6 +56,8 @@ class PanelUser $user["id"] = $id; $user["object"] = NULL; Hook::run(HOOKTYPE_USER_LOOKUP, $user); + if ($user['object'] === null) + return; /* no auth module loaded? */ foreach ($user['object'] as $key => $value) $this->$key = $value; } @@ -63,33 +67,79 @@ class PanelUser * @param string $input * @return bool */ - function password_verify(string $input) : bool + function password_verify(string $password, bool &$hash_needs_updating = false) : bool { - if (password_verify($input, $this->passhash)) - return true; + GLOBAL $config; + $hash_needs_updating = false; + $p2 = $password; + if (str_starts_with($this->passhash, "peppered:")) + { + /* Argon2 with pepper */ + $password = hash_hmac("sha256", $password, $config['secrets']['pepper']); + if (password_verify($password, substr($this->passhash,9))) + { + $this->HIBP(sha1($p2)); + return true; + } + } + else + { + /* Old standard argon2 */ + if (password_verify($password, $this->passhash)) + { + $this->HIBP(sha1($p2)); + $hash_needs_updating = true; + return true; + } + } return false; } + /** + * Generate hash of user's password + * @param string $password + * @return string + */ + public static function password_hash(string $password) : string + { + GLOBAL $config; + $input = hash_hmac("sha256", $password, $config['secrets']['pepper']); + return "peppered:".password_hash($input, PASSWORD_ARGON2ID); + } + /** * Add user meta data - * @param string $key - * @param string $value + * If using an array for the first param then you + * must also use an array for the second param + * @param array|string $key + * @param array|string|int|bool|null $value */ - function add_meta(string $key, string $value) + function add_meta(array|string $key, array|string|int|bool|null $value) { - if (!$key || !$value) + if (!$key) return false; - $meta = [ - "id" => $this->id, - "key" => $key, - "value" => $value - ]; + if (is_array($key)) + { + foreach ($key as $i => $k) + $arr[$k] = $value[$i]; + } else { + $arr[$key] = $value; + } - $array['meta'] = $meta; - $array['user'] = $this; - Hook::run(HOOKTYPE_USERMETA_ADD, $array); + foreach($arr as $k => $v) + { + $meta = [ + "id" => $this->id, + "key" => $k, + "value" => $v + ]; + + $array['meta'] = $meta; + $array['user'] = $this; + Hook::run(HOOKTYPE_USERMETA_ADD, $array); + } } @@ -106,7 +156,9 @@ class PanelUser "id" => $this->id, "key" => $key, ]; - Hook::run(HOOKTYPE_USERMETA_DEL, $meta); + $array['meta'] = $meta; + $array['user'] = $this; + Hook::run(HOOKTYPE_USERMETA_DEL, $array); } @@ -141,6 +193,44 @@ class PanelUser $arr = ['info' => $array, 'user' => $this]; Hook::run(HOOKTYPE_EDIT_USER, $arr); } + + /** Have I Been Pwned + * Check password against HIBP to let them know about their + * leaked password. + * @param string $password_hash This should be a pre-hashed sha1 password + */ + function HIBP($password_hash) + { + $url = "https://api.pwnedpasswords.com/range/".substr($password_hash,0,5); + $end = substr($password_hash,5); + $ch = curl_init($url); + + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + + $response = curl_exec($ch); + + if (curl_errno($ch)) + { + error_log("[error] Could not check against Have I Been Pwned API"); + return; + } + $data = explode("\r\n",$response); + curl_close($ch); + $count = count($data); + $i = 1; + foreach($data as $dat) + { + $result = explode(":",$dat); + error_log("Checking $i of $count: ".substr($result[0],0,5)." => ".substr(strtoupper($end), 0,5)); + if ($result[0] == strtoupper($end)) + { + error_log("FOUND"); + $this->add_meta("hibp", $result[1]); + return; + } + $i++; + } + } } @@ -184,7 +274,7 @@ function create_new_user(array &$user) : bool throw new Exception("Attempted to add user without specifying user_name or user_pass"); $user['user_name'] = htmlspecialchars($user['user_name']); - $user['user_pass'] = password_hash($user['user_pass'], PASSWORD_ARGON2ID); + $user['user_pass'] = PanelUser::password_hash($user['user_pass']); $user['fname'] = (isset($user['fname'])) ? htmlspecialchars($user['fname']) : NULL; $last['lname'] = (isset($user['lname'])) ? htmlspecialchars($user['lname']) : NULL; $user['user_bio'] = (isset($user['user_bio'])) ? htmlspecialchars($user['user_bio']) : NULL; @@ -228,8 +318,6 @@ function unreal_get_current_user() : PanelUser|bool */ function current_user_can($permission) : bool { - if (!is_auth_provided()) // if there is no auth plugin, assume the user handles logins themselves - return true; $user = unreal_get_current_user(); if (!$user) return false; @@ -243,9 +331,25 @@ function current_user_can($permission) : bool */ function user_can(PanelUser $user, $permission) : bool { + global $config; if (!$user) return false; + if (isset($user->user_meta['role'])) + { + if ($user->user_meta['role'] == "Super-Admin") + return true; + + else if ($user->user_meta['role'] == "Read-Only") + return false; + + else if (in_array($permission, $config['user_roles'][$user->user_meta['role']])) + return true; + + return false; + } + + /* compatibility fallback */ if (isset($user->user_meta['permissions'])) { $perms = unserialize($user->user_meta['permissions']); @@ -282,6 +386,7 @@ function get_panel_user_permission_list() { $list = [ "Can add/delete/edit Admin Panel users" => PERMISSION_MANAGE_USERS, + "Can add/delete/manage plugins" => PERMISSION_MANAGE_PLUGINS, "Can ban/kill IRC users" => PERMISSION_BAN_USERS, "Can change properties of a user, i.e. vhost, modes and more" => PERMISSION_EDIT_USER, "Can change properties of a channel, i.e. topic, modes and more" => PERMISSION_EDIT_CHANNEL, @@ -294,6 +399,7 @@ function get_panel_user_permission_list() "Can remove server ban exceptions" => PERMISSION_BAN_EXCEPTION_DEL, "Can add Spamfilter entries" => PERMISSION_SPAMFILTER_ADD, "Can remove Spamfilter entries" => PERMISSION_SPAMFILTER_DEL + ]; Hook::run(HOOKTYPE_USER_PERMISSION_LIST, $list); // so plugin writers can add their own permissions return $list; @@ -326,13 +432,18 @@ function generate_panel_user_permission_table($user) function get_panel_user_roles_list() { + GLOBAL $config; + /* Defaults */ $list = [ - "Super Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything - "Read Only" => [], // Read Only can do nothing + "Super-Admin" => get_panel_user_permission_list(), // SuperAdmin can do everything + "Read-Only" => [], // Read Only can do nothing ]; - Hook::run(HOOKTYPE_USER_ROLE_LIST, $list); + if (isset($config["user_roles"])) + foreach($config['user_roles'] as $r => $role) + $list[$r] = $role; + return $list; } @@ -342,7 +453,7 @@ function generate_role_list($list) ?>
Roles List:
-
+
$slug) {?> @@ -350,16 +461,25 @@ function generate_role_list($list)
- + +
+ + +
+ + +
$slug) { $attributes = ""; - $attributes .= ($role == "Super Admin" || $role == "Read Only") ? "disabled " : ""; + $attributes .= ($role == "Super-Admin" || $role == "Read-Only") ? "disabled " : ""; ?>
@@ -368,7 +488,7 @@ function generate_role_list($list) name="_permissions[]" value="" type="checkbox"> + ?> name="permissions[]" value="" type="checkbox">
"> @@ -376,14 +496,15 @@ function generate_role_list($list) + ?>
+

-