/* * ZoneMinder regular expression class implementation, $Date$, $Revision$ * Copyright (C) 2001-2008 Philip Coombes * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include "zm.h" #include "zm_db.h" #include "zm_user.h" #include #include #include #include #include "zm_utils.h" #include "zm_crypt.h" User::User() { id = 0; username[0] = password[0] = 0; enabled = false; stream = events = control = monitors = system = PERM_NONE; } User::User( MYSQL_ROW &dbrow ) { int index = 0; id = atoi( dbrow[index++] ); strncpy( username, dbrow[index++], sizeof(username)-1 ); strncpy( password, dbrow[index++], sizeof(password)-1 ); enabled = (bool)atoi( dbrow[index++] ); stream = (Permission)atoi( dbrow[index++] ); events = (Permission)atoi( dbrow[index++] ); control = (Permission)atoi( dbrow[index++] ); monitors = (Permission)atoi( dbrow[index++] ); system = (Permission)atoi( dbrow[index++] ); char *monitor_ids_str = dbrow[index++]; if ( monitor_ids_str && *monitor_ids_str ) { StringVector ids = split(monitor_ids_str, ","); for( StringVector::iterator i = ids.begin(); i < ids.end(); ++i ) { monitor_ids.push_back( atoi( (*i).c_str()) ); } } } User::~User() { monitor_ids.clear(); } void User::Copy( const User &u ) { id=u.id; strncpy( username, u.username, sizeof(username)-1 ); strncpy( password, u.password, sizeof(password)-1 ); enabled = u.enabled; stream = u.stream; events = u.events; control = u.control; monitors = u.monitors; system = u.system; monitor_ids = u.monitor_ids; } bool User::canAccess( int monitor_id ) { if ( monitor_ids.empty() ) return true; for ( std::vector::iterator i = monitor_ids.begin(); i != monitor_ids.end(); ++i ) { if ( *i == monitor_id ) { return true; } } return false; } // Function to load a user from username and password // Please note that in auth relay mode = none, password is NULL User *zmLoadUser( const char *username, const char *password ) { char sql[ZM_SQL_MED_BUFSIZ] = ""; int username_length = strlen(username); char *safer_username = new char[(username_length * 2) + 1]; // According to docs, size of safer_whatever must be 2*length+1 due to unicode conversions + null terminator. mysql_real_escape_string(&dbconn, safer_username, username, username_length ); snprintf(sql, sizeof(sql), "SELECT Id, Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds" " FROM Users where Username = '%s' and Enabled = 1", safer_username ); if ( mysql_query(&dbconn, sql) ) { Error("Can't run query: %s", mysql_error(&dbconn)); exit(mysql_errno(&dbconn)); } MYSQL_RES *result = mysql_store_result(&dbconn); if ( !result ) { Error("Can't use query result: %s", mysql_error(&dbconn)); exit(mysql_errno(&dbconn)); } int n_users = mysql_num_rows(result); if ( n_users != 1 ) { mysql_free_result(result); Warning("Unable to authenticate user %s", username); return NULL; } MYSQL_ROW dbrow = mysql_fetch_row(result); User *user = new User(dbrow); if (verifyPassword(username, password, user->getPassword())) { Info("Authenticated user '%s'", user->getUsername()); mysql_free_result(result); delete safer_username; return user; } else { Warning("Unable to authenticate user %s", username); mysql_free_result(result); return NULL; } } User *zmLoadTokenUser (std::string jwt_token_str, bool use_remote_addr ) { std::string key = config.auth_hash_secret; std::string remote_addr = ""; if (use_remote_addr) { remote_addr = std::string(getenv( "REMOTE_ADDR" )); if ( remote_addr == "" ) { Warning( "Can't determine remote address, using null" ); remote_addr = ""; } key += remote_addr; } Info ("Inside zmLoadTokenUser, formed key=%s", key.c_str()); try { auto decoded = jwt::decode(jwt_token_str); auto verifier = jwt::verify() .allow_algorithm(jwt::algorithm::hs256{ key }) .with_issuer("ZoneMinder"); verifier.verify(decoded); // token is valid and not expired if (decoded.has_payload_claim("type")) { std::string type = decoded.get_payload_claim("type").as_string(); if (type != "access") { Error ("Only access tokens are allowed. Please do not use refresh tokens"); return 0; } } else { // something is wrong. All ZM tokens have type Error ("Missing token type. This should not happen"); return 0; } if (decoded.has_payload_claim("user")) { // We only need to check if user is enabled in DB and pass on // correct access permissions std::string username = decoded.get_payload_claim("user").as_string(); Info ("Got %s as user claim from token", username.c_str()); char sql[ZM_SQL_MED_BUFSIZ] = ""; snprintf(sql, sizeof(sql), "SELECT Id, Username, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds" " FROM Users WHERE Username = '%s' and Enabled = 1", username.c_str() ); if ( mysql_query(&dbconn, sql) ) { Error("Can't run query: %s", mysql_error(&dbconn)); exit(mysql_errno(&dbconn)); } MYSQL_RES *result = mysql_store_result(&dbconn); if ( !result ) { Error("Can't use query result: %s", mysql_error(&dbconn)); exit(mysql_errno(&dbconn)); } int n_users = mysql_num_rows(result); if ( n_users != 1 ) { mysql_free_result(result); Warning("Unable to authenticate user %s", username.c_str()); return NULL; } MYSQL_ROW dbrow = mysql_fetch_row(result); User *user = new User(dbrow); Info ("Authenticated user '%s' via token", username.c_str()); mysql_free_result(result); return user; } else { Error ("User not found in claim"); return 0; } } catch (const std::exception &e) { Error("Unable to verify token: %s", e.what()); return 0; } catch (...) { Error ("unknown exception"); } return 0; } // Function to validate an authentication string User *zmLoadAuthUser( const char *auth, bool use_remote_addr ) { #if HAVE_DECL_MD5 || HAVE_DECL_GNUTLS_FINGERPRINT #ifdef HAVE_GCRYPT_H // Special initialisation for libgcrypt if ( !gcry_check_version( GCRYPT_VERSION ) ) { Fatal( "Unable to initialise libgcrypt" ); } gcry_control( GCRYCTL_DISABLE_SECMEM, 0 ); gcry_control( GCRYCTL_INITIALIZATION_FINISHED, 0 ); #endif // HAVE_GCRYPT_H const char *remote_addr = ""; if ( use_remote_addr ) { remote_addr = getenv( "REMOTE_ADDR" ); if ( !remote_addr ) { Warning( "Can't determine remote address, using null" ); remote_addr = ""; } } Debug( 1, "Attempting to authenticate user from auth string '%s'", auth ); char sql[ZM_SQL_SML_BUFSIZ] = ""; snprintf( sql, sizeof(sql), "SELECT Id, Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds FROM Users WHERE Enabled = 1" ); if ( mysql_query( &dbconn, sql ) ) { Error( "Can't run query: %s", mysql_error( &dbconn ) ); exit( mysql_errno( &dbconn ) ); } MYSQL_RES *result = mysql_store_result( &dbconn ); if ( !result ) { Error( "Can't use query result: %s", mysql_error( &dbconn ) ); exit( mysql_errno( &dbconn ) ); } int n_users = mysql_num_rows( result ); if ( n_users < 1 ) { mysql_free_result( result ); Warning( "Unable to authenticate user" ); return( 0 ); } while( MYSQL_ROW dbrow = mysql_fetch_row( result ) ) { const char *user = dbrow[1]; const char *pass = dbrow[2]; char auth_key[512] = ""; char auth_md5[32+1] = ""; size_t md5len = 16; unsigned char md5sum[md5len]; time_t now = time( 0 ); unsigned int hours = config.auth_hash_ttl; if ( ! hours ) { Warning("No value set for ZM_AUTH_HASH_TTL. Defaulting to 2."); hours = 2; } else { Debug( 1, "AUTH_HASH_TTL is %d", hours ); } for ( unsigned int i = 0; i < hours; i++, now -= 3600 ) { struct tm *now_tm = localtime( &now ); snprintf( auth_key, sizeof(auth_key), "%s%s%s%s%d%d%d%d", config.auth_hash_secret, user, pass, remote_addr, now_tm->tm_hour, now_tm->tm_mday, now_tm->tm_mon, now_tm->tm_year ); #if HAVE_DECL_MD5 MD5( (unsigned char *)auth_key, strlen(auth_key), md5sum ); #elif HAVE_DECL_GNUTLS_FINGERPRINT gnutls_datum_t md5data = { (unsigned char *)auth_key, strlen(auth_key) }; gnutls_fingerprint( GNUTLS_DIG_MD5, &md5data, md5sum, &md5len ); #endif auth_md5[0] = '\0'; for ( unsigned int j = 0; j < md5len; j++ ) { sprintf( &auth_md5[2*j], "%02x", md5sum[j] ); } Debug( 1, "Checking auth_key '%s' -> auth_md5 '%s' == '%s'", auth_key, auth_md5, auth ); if ( !strcmp( auth, auth_md5 ) ) { // We have a match User *user = new User( dbrow ); Debug(1, "Authenticated user '%s'", user->getUsername() ); mysql_free_result( result ); return( user ); } else { Debug(1, "No match for %s", auth ); } } } mysql_free_result( result ); #else // HAVE_DECL_MD5 Error( "You need to build with gnutls or openssl installed to use hash based authentication" ); #endif // HAVE_DECL_MD5 Debug(1, "No user found for auth_key %s", auth ); return 0; } //Function to check Username length bool checkUser ( const char *username) { if ( ! username ) return false; if ( strlen(username) > 32 ) return false; return true; } //Function to check password length bool checkPass (const char *password) { if ( !password ) return false; if ( strlen(password) > 64 ) return false; return true; }