LDAPAccountManager/lam/templates/misc/ajax.php

<?php
namespace LAM\AJAX;
use htmlResponsiveTable;
use htmlStatusMessage;
use \LAM\TOOLS\IMPORT_EXPORT\Importer;
use \LAM\TOOLS\IMPORT_EXPORT\Exporter;
use \LAM\TYPES\TypeManager;
use \htmlResponsiveRow;
use \htmlLink;
use \htmlOutputText;
use \htmlButton;
use \LAM\LOGIN\WEBAUTHN\WebauthnManager;
use \LAMCfgMain;

/*

  This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
  Copyright (C) 2011 - 2020  Roland Gruber

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program; if not, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

*/

/**
* Manages all AJAX requests.
*
* @author Roland Gruber
* @package tools
*/

/** security functions */
include_once(__DIR__ . "/../../lib/security.inc");
/** LDIF import */
include_once(__DIR__ . "/../../lib/import.inc");

// start session
if (isset($_GET['selfservice'])) {
	// self service uses a different session name
	session_name('SELFSERVICE');
}

// return standard JSON response if session expired
if (startSecureSession(false, true) === false) {
	echo json_encode(array(
		'sessionExpired' => "true"
	));
	die();
}

setlanguage();

$ajax = new Ajax();
$ajax->handleRequest();

/**
 * Manages all AJAX requests.
 */
class Ajax {

	/**
	 * Manages an AJAX request.
	 */
	public function handleRequest() {
		$this->setHeader();
		// check token
		validateSecurityToken();
		$isSelfService = isset($_GET['selfservice']);
		if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
			enforceUserIsLoggedIn();
			if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
				$sessionKey  = htmlspecialchars($_GET['editKey']);
				if (!isset($_SESSION[$sessionKey])) {
					logNewMessage(LOG_ERR, 'Unable to find account container');
					die();
				}
				$module = $_SESSION[$sessionKey]->getAccountModule($_GET['module']);
				$module->handleAjaxRequest();
			}
			else {
				$module = new $_GET['module']($_GET['scope']);
				$module->handleAjaxRequest();
			}
			die();
		}
		if (!isset($_GET['function'])) {
			die();
		}
		$function = $_GET['function'];
		if (!isset($_POST['jsonInput'])) {
			die();
		}

		$jsonInput = $_POST['jsonInput'];
		if ($function == 'passwordStrengthCheck') {
			$this->checkPasswordStrength($jsonInput);
			die();
		}
		if ($function === 'webauthn') {
			enforceUserIsLoggedIn(false);
			$this->manageWebauthn($isSelfService);
			die();
		}
		if ($function === 'webauthnDevices') {
			$this->enforceUserIsLoggedInToMainConfiguration();
			$this->manageWebauthnDevices();
			die();
		}
		enforceUserIsLoggedIn();
		if ($function == 'passwordChange') {
			$this->managePasswordChange($jsonInput);
		}
		elseif ($function === 'import') {
			include_once('../../lib/import.inc');
			$importer = new Importer();
			ob_start();
			$jsonOut = $importer->doImport();
			ob_end_clean();
			echo $jsonOut;
		}
		elseif ($function === 'export') {
			include_once('../../lib/export.inc');
			$attributes = $_POST['attributes'];
			$baseDn = $_POST['baseDn'];
			$ending = $_POST['ending'];
			$filter = $_POST['filter'];
			$format = $_POST['format'];
			$includeSystem = ($_POST['includeSystem'] === 'true');
			$saveAsFile = ($_POST['saveAsFile'] === 'true');
			$searchScope = $_POST['searchScope'];
			$exporter = new Exporter($baseDn, $searchScope, $filter, $attributes, $includeSystem, $saveAsFile, $format, $ending);
			ob_start();
			$jsonOut = $exporter->doExport();
			ob_end_clean();
			echo $jsonOut;
		}
		elseif ($function === 'upload') {
			include_once('../../lib/upload.inc');
			$typeManager = new \LAM\TYPES\TypeManager();
			$uploader = new \LAM\UPLOAD\Uploader($typeManager->getConfiguredType($_GET['typeId']));
			ob_start();
			$jsonOut = $uploader->doUpload();
			ob_end_clean();
			echo $jsonOut;
		}
		elseif ($function === 'dnselection') {
			ob_start();
			$jsonOut = $this->dnSelection();
			ob_end_clean();
			echo $jsonOut;
		}
		elseif ($function === 'webauthnOwnDevices') {
			$this->manageWebauthnOwnDevices();
		}
	}

	/**
	 * Sets JSON HTTP header.
	 */
	private static function setHeader() {
		if (!headers_sent()) {
			header('Content-Type: application/json; charset=utf-8');
		}
	}

	/**
	 * Manages a password change request on the edit account page.
	 *
	 * @param array $input input parameters
	 */
	private static function managePasswordChange($input) {
		$sessionKey  = htmlspecialchars($_GET['editKey']);
		$return = $_SESSION[$sessionKey]->setNewPassword($input);
		echo json_encode($return);
	}

	/**
	 * Checks if a password is accepted by LAM's password policy.
	 *
	 * @param array $input input parameters
	 */
	private function checkPasswordStrength($input) {
		$password = $input['password'];
		$result = checkPasswordStrength($password, null, null);
		echo json_encode(array("result" => $result));
	}

	/**
	 * Manages webauthn requests.
	 *
	 * @param bool $isSelfService request is from self service
	 */
	private function manageWebauthn($isSelfService) {
		include_once __DIR__ . '/../../lib/webauthn.inc';
		if ($isSelfService) {
			$userDN = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
		}
		else {
			$userDN = $_SESSION['ldap']->getUserName();
		}
		$webauthnManager = new WebauthnManager();
		$isRegistered = $webauthnManager->isRegistered($userDN);
		if (!$isRegistered) {
			$registrationObject = $webauthnManager->getRegistrationObject($userDN, $isSelfService);
			$_SESSION['webauthn_registration'] = json_encode($registrationObject);
			echo json_encode(
				array(
					'action' => 'register',
					'registration' => $registrationObject
				),
				JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
			);
		}
		else {
			$authenticationObject = $webauthnManager->getAuthenticationObject($userDN, $isSelfService);
			$_SESSION['webauthn_authentication'] = json_encode($authenticationObject);
			echo json_encode(
				array(
					'action' => 'authenticate',
					'authentication' => $authenticationObject
				),
				JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
			);
		}
		die();
	}

	/**
	 * Webauthn device management.
	 */
	private function manageWebauthnDevices() {
		$action = $_POST['action'];
		if ($action === 'search') {
			$searchTerm = $_POST['searchTerm'];
			if (!empty($searchTerm)) {
				$this->manageWebauthnDevicesSearch($searchTerm);
			}
		}
		elseif ($action === 'delete') {
			$dn = $_POST['dn'];
			$credentialId = $_POST['credentialId'];
			if (!empty($dn) && !empty($credentialId)) {
				$this->manageWebauthnDevicesDelete($dn, $credentialId);
			}
		}
	}

	/**
	 * Searches for webauthn devices and prints the results as html.
	 *
	 * @param string $searchTerm search term
	 */
	private function manageWebauthnDevicesSearch($searchTerm) {
		include_once __DIR__ . '/../../lib/webauthn.inc';
		$database = new \LAM\LOGIN\WEBAUTHN\PublicKeyCredentialSourceRepositorySQLite();
		$results = $database->searchDevices('%' . $searchTerm . '%');
		$row = new htmlResponsiveRow();
		$row->addVerticalSpacer('0.5rem');
		if (empty($results)) {
			$row->add(new htmlStatusMessage('INFO', _('No devices found.')), 12);
		}
		else {
			$titles = array(
				_('User'),
				_('Registration'),
				_('Last use'),
				_('Delete')
			);
			$data = array();
			$id = 0;
			foreach ($results as $result) {
				$delButton = new htmlButton('deleteDevice' . $id, 'delete.png', true);
				$delButton->addDataAttribute('credential', $result['credentialId']);
				$delButton->addDataAttribute('dn', $result['dn']);
				$delButton->addDataAttribute('dialogtitle', _('Remove device'));
				$delButton->addDataAttribute('oktext', _('Ok'));
				$delButton->addDataAttribute('canceltext', _('Cancel'));
				$delButton->setCSSClasses(array('webauthn-delete'));
				$data[] = array(
					new htmlOutputText($result['dn']),
					new htmlOutputText(date('Y-m-d H:i:s', $result['registrationTime'])),
					new htmlOutputText(date('Y-m-d H:i:s', $result['lastUseTime'])),
					$delButton
				);
				$id++;
			}
			$table = new htmlResponsiveTable($titles, $data);
			$row->add($table, 12);
		}
		$row->addVerticalSpacer('2rem');
		$tabindex = 10000;
		ob_start();
		$row->generateHTML('none', array(), array(), false, $tabindex, null);
		$content = ob_get_contents();
		ob_end_clean();
		echo json_encode(array('content' => $content));
	}

	/**
	 * Deletes a webauthn device.
	 *
	 * @param string $dn user DN
	 * @param string $credentialId base64 encoded credential id
	 */
	private function manageWebauthnDevicesDelete($dn, $credentialId) {
		include_once __DIR__ . '/../../lib/webauthn.inc';
		$database = new \LAM\LOGIN\WEBAUTHN\PublicKeyCredentialSourceRepositorySQLite();
		$success = $database->deleteDevice($dn, $credentialId);
		if ($success) {
			$message = new htmlStatusMessage('INFO', _('The device was deleted.'));
		}
		else {
			$message = new htmlStatusMessage('ERROR', _('The device was not found.'));
		}
		$row = new htmlResponsiveRow();
		$row->addVerticalSpacer('0.5rem');
		$row->add($message, 12);
		$row->addVerticalSpacer('2rem');
		ob_start();
		$tabindex = 50000;
		$row->generateHTML('none', array(), array(), true, $tabindex, null);
		$content = ob_get_contents();
		ob_end_clean();
		echo json_encode(array('content' => $content));
	}

	/**
	 * Manages requests to setup user's own webauthn devices.
	 */
	private function manageWebauthnOwnDevices() {
		$action = $_POST['action'];
		$dn = $_POST['dn'];
		$sessionDn = $_SESSION['ldap']->getUserName();
		if ($sessionDn !== $dn) {
			logNewMessage(LOG_ERR, 'Webauthn delete canceled, DN does not match.');
			die();
		}
		if ($action === 'delete') {
			$credentialId = $_POST['credentialId'];
			$this->manageWebauthnDevicesDelete($sessionDn, $credentialId);
		}
	}

	/**
	 * Handles DN selection fields.
	 *
	 * @return string JSON output
	 */
	private function dnSelection() {
		$dn = trim($_POST['dn']);
		if (empty($dn) || !get_preg($dn, 'dn')) {
			$dnList = $this->getDefaultDns();
			$dn = null;
		}
		else {
			$dnList = $this->getSubDns($dn);
		}
		$html = $this->buildDnSelectionHtml($dnList, $dn);
		return json_encode(array('dialogData' => $html));
	}

	/**
	 * Returns a list of default DNs from account types + tree suffix.
	 *
	 * @return string[] default DNs
	 */
	private function getDefaultDns() {
		$typeManager = new TypeManager();
		$baseDnList = array();
		foreach ($typeManager->getConfiguredTypes() as $type) {
			$suffix = $type->getSuffix();
			if (!empty($suffix)) {
				$baseDnList[] = $suffix;
			}
		}
		$treeSuffix = $_SESSION['config']->get_Suffix('tree');
		if (!empty($treeSuffix)) {
			$baseDnList[] = $suffix;
		}
		$baseDnList = array_unique($baseDnList);
		usort($baseDnList, 'compareDN');
		return $baseDnList;
	}

	/**
	 * Returns the HTML to build the DN selection list.
	 *
	 * @param string[] $dnList DN list
	 * @param string $currentDn current DN
	 */
	private function buildDnSelectionHtml($dnList, $currentDn) {
		$fieldId = trim($_POST['fieldId']);
		$mainRow = new htmlResponsiveRow();
		$onclickUp = 'window.lam.html.updateDnSelection(this, \''
				. htmlspecialchars($fieldId) . '\', \'' . getSecurityTokenName() . '\', \''
				. getSecurityTokenValue() . '\')';
		if (!empty($currentDn)) {
			$row = new htmlResponsiveRow();
			$row->addDataAttribute('dn', $currentDn);
			$text = new htmlOutputText($currentDn);
			$text->setIsBold(true);
			$row->add($text, 12, 9);
			$row->setCSSClasses(array('text-right'));
			$buttonId = base64_encode($currentDn);
			$buttonId = str_replace('=', '', $buttonId);
			$button = new htmlButton($buttonId, _('Ok'));
			$button->setIconClass('okButton');
			$button->setOnClick('window.lam.html.selectDn(this, \'' . htmlspecialchars($fieldId) . '\')');
			$row->add($button, 12, 3);
			$mainRow->add($row, 12);
			// back up
			$row = new htmlResponsiveRow();
			$row->addDataAttribute('dn', extractDNSuffix($currentDn));
			$text = new htmlLink('..', '#');
			$text->setCSSClasses(array('bold'));
			$text->setOnClick($onclickUp);
			$row->add($text, 12, 9);
			$row->setCSSClasses(array('text-right'));
			$buttonId = base64_encode('..');
			$buttonId = str_replace('=', '', $buttonId);
			$button = new htmlButton($buttonId, _('Up'));
			$button->setIconClass('upButton');
			$button->setOnClick($onclickUp);
			$row->add($button, 12, 3);
			$mainRow->add($row, 12);
		}
		foreach ($dnList as $dn) {
			$row = new htmlResponsiveRow();
			$row->addDataAttribute('dn', $dn);
			$link = new htmlLink($dn, '#');
			$link->setOnClick($onclickUp);
			$row->add($link, 12, 9);
			$row->setCSSClasses(array('text-right'));
			$buttonId = base64_encode($dn);
			$buttonId = str_replace('=', '', $buttonId);
			$button = new htmlButton($buttonId, _('Ok'));
			$button->setIconClass('okButton');
			$button->setOnClick('window.lam.html.selectDn(this, \'' . htmlspecialchars($fieldId) . '\')');
			$row->add($button, 12, 3);
			$mainRow->add($row, 12);
		}
		$tabindex = 1000;
		ob_start();
		parseHtml(null, $mainRow, array(), false, $tabindex, 'user');
		$out = ob_get_contents();
		ob_end_clean();
		return $out;
	}

	/**
	 * Returns the sub DNs of given DN.
	 *
	 * @param string $dn DN
	 * @return string[] sub DNs
	 */
	private function getSubDns($dn) {
		$dnEntries = ldapListDN($dn);
		$dnList = array();
		foreach ($dnEntries as $entry) {
			$dnList[] = $entry['dn'];
		}
		usort($dnList, 'compareDN');
		return $dnList;
	}

	/**
	 * Checks if the user entered the configuration master password.
	 * Dies if password is not set.
	 */
	private function enforceUserIsLoggedInToMainConfiguration() {
		if (!isset($_SESSION['cfgMain'])) {
			$cfg = new LAMCfgMain();
		}
		else {
			$cfg = $_SESSION['cfgMain'];
		}
		if (isset($_SESSION["mainconf_password"]) && ($cfg->checkPassword($_SESSION["mainconf_password"]))) {
			return;
		}
		die();
	}

}


?>