hedera-web-mindshore/rest/core/account.php

<?php

class Account {
	static function trySync($db, $userName, $password = NULL) {
		$isSync = $db->getValue(
			'SELECT sync FROM account.user WHERE name = #',
			[$userName]
		);

		if ($isSync)
			return;

		self::sync($db, $userName, $password);
	}

	static function sync($db, $userName, $password = NULL, $force = TRUE) {
		$hasAccount = $db->getValue(
			'SELECT COUNT(*) > 0
				FROM account.user u
					JOIN account.account a ON u.id = a.id
				WHERE u.name = #',
			[$userName]
		);
		
		if ($hasAccount) {
			self::ldapSync($db, $userName, $password);
			self::sambaSync($db, $userName, $password);
		}

		$db->query(
			'UPDATE account.user SET sync = TRUE WHERE name = #',
			[$userName]
		);
	}

	/**
	 * Synchronizes the user credentials in the LDAP server.
	 */
	static function ldapSync($db, $userName, $password) {
		// Gets LDAP configuration parameters

		$conf = $db->getObject(
			'SELECT host, rdn, password, baseDn, filter
				FROM account.ldapConfig');

		// Connects an authenticates against server

		$ds = ldap_connect($conf->host);

		if (!$ds)
			throw new Exception("Can't connect to LDAP server: ". ldapError($ds));

		try {
			ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
			$bind = ldap_bind($ds, $conf->rdn, base64_decode($conf->password));

			if (!$bind)
				throw new Exception("Authentication failed on LDAP server: ". ldapError($ds));

			// Prepares the data

			$domain = $db->getValue('SELECT domain FROM account.mailConfig');

			$user = $db->getObject(
				'SELECT id, nickname, lang
					FROM account.user
					WHERE name = #',
				[$userName]
			);

			$cn = empty($user->nickname) ? $userName : $user->nickname;

			$nameArgs = explode(' ', $user->nickname);
			$givenName = $nameArgs[0];

			if (count($nameArgs) > 1)
				$sn = $nameArgs[1];
			if (empty($sn))
				$sn = 'Empty';

			$attrs = [
				'cn'                => $cn,
				'displayName'       => $user->nickname,
				'givenName'         => $givenName,
				'sn'                => $sn,
				'mail'              => "$userName@{$domain}",
				'userPassword'      => sshaEncode($password),
				'preferredLanguage' => $user->lang
			];

			// Search the user entry

			$filter = "uid=$userName";

			if (!empty($conf->filter))
				$filter = "(&($filter)($conf->filter))";

			$res = ldap_search($ds, $conf->baseDn, $filter);

			if (!$res)
				throw new Exception("Can't get the LDAP entry: ". ldapError($ds));

			$dn = "uid=$userName,{$conf->baseDn}";
			$entry = ldap_first_entry($ds, $res);

			$classes = ldap_get_values($ds, $entry, 'objectClass');

			if (!in_array('inetOrgPerson', $classes)) {
				ldap_delete($ds, $dn);
				$entry = NULL;
			}

			if ($entry) {
				$modifs = [];
				$curAttrs = ldap_get_attributes($ds, $entry);

				foreach ($attrs as $attribute => $value)
				if (!empty($value)) {
					$modifs[] = [
						'attrib'  => $attribute,
						'modtype' => LDAP_MODIFY_BATCH_REPLACE,
						'values'  => [$value]
					];
				} elseif (isset($curAttrs[$attribute])) {
					$modifs[] = [
						'attrib'  => $attribute,
						'modtype' => LDAP_MODIFY_BATCH_REMOVE_ALL
					];
				}

				$updated = ldap_modify_batch($ds, $dn, $modifs);
			} else {
				$addAttrs = [];
	
				foreach ($attrs as $attribute => $value)
				if (!empty($value))
					$addAttrs[$attribute] = $value;
	
				$addAttrs = array_merge($addAttrs, [
					'objectClass' => ['inetOrgPerson'],
					'uid'         => $userName
				]);
				$updated = ldap_add($ds, $dn, $addAttrs);
			}

			if (!$updated)
				throw new Exception("Can't update the LDAP entry: ". ldapError($ds));
		} catch (Exception $e) {
			ldap_unbind($ds);
			throw $e;
		}
	}

	/**
	 * Synchronizes the user credentials in the Samba server.
	 */
	static function sambaSync($db, $userName, $password) {
		$conf = $db->getObject(
			'SELECT host, sshUser, sshPass, uidBase
				FROM account.sambaConfig'
		);
		
		$domain = $db->getValue('SELECT domain FROM account.mailConfig');

		$samba = new SshConnection($conf->host
			,$conf->sshUser
			,base64_decode($conf->sshPass)
		);

		$scriptDir = '/mnt/cluster/scripts';

		// Creates the Samba user and initializes it's home directory

		$userId = $db->getValue(
			'SELECT id FROM account.user WHERE name = #', [$userName]);

		$samba->exec("$scriptDir/create-user.sh %s %s %s"
			,$userName
			,$conf->uidBase + $userId
			,"$userName@{$domain}"
		);

		// Syncronizes the Samba password

		if (empty($password))
			return;

		$samba->exec("$scriptDir/set-password.sh %s %s"
			,$userName
			,$password
		);
	}
}

function ldapError($ds) {
    return ldap_errno($ds) .': '. ldap_error($ds);
}

function sshaEncode($value) {
    mt_srand((double) microtime() * 1000000);
    $salt = pack('CCCC', mt_rand(), mt_rand(), mt_rand(), mt_rand());
    $hash = '{SSHA}' . base64_encode(pack('H*', sha1($value . $salt)) . $salt);
    return $hash;
}

function sshaVerify($hash, $value) {
    $ohash = base64_decode(substr($hash, 6));
    $osalt = substr($ohash, 20);
    $ohash = substr($ohash, 0, 20);
    $nhash = pack('H*', sha1($value . $osalt));
    return $ohash == $nhash;
}

class SshConnection {
	var $connection;

	/**
	 * Abrebiated method to make SSH connections.
	 */
	function __construct($host, $user, $password) {
		$this->connection = $connection = ssh2_connect($host);

		if (!$connection)
			throw new Exception("Can't connect to SSH server $host");
		
		$authOk = ssh2_auth_password($connection, $user, $password);

		if (!$authOk)
			throw new Exception("SSH authentication failed on server $host");
			
		return $connection;
	}
	
	/**
	 * Executes a command on the host.
	 */
	function exec() {
		$nargs = func_num_args();
		$args = func_get_args();

		for ($i = 1; $i < $nargs; $i++)
			$args[$i] = self::escape($args[$i]);

		$command = call_user_func_array('sprintf', $args);
		return ssh2_exec($this->connection, $command);
	}
	
	/**
	 * Escapes the double quotes from an string.
	 */
	static function escape($str) {
		return '"'. str_replace('"', '\\"', $str) .'"';
	}
}