skynetUser.php 11.3 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<?php
/* Skynet - Automated "Cloud" Security Scanner                                *#
#* Copyright (C) 2014-present  Jason Frisvold <friz@godshell.com>             *#
#*                                                                            *#
#* This program is free software; you can redistribute it and/or modify       *#
#* it under the terms of the GNU General Public License as published by       *#
#* the Free Software Foundation; either version 2 of the License, or          *#
#* (at your option) any later version.                                        *#
#*                                                                            *#
#* This program is distributed in the hope that it will be useful,            *#
#* but WITHOUT ANY WARRANTY; without even the implied warranty of             *#
#* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the              *#
#* GNU General Public License for more details.                               *#
#*                                                                            *#
#* You should have received a copy of the GNU General Public License          *#
#* along with this program; if not, write to the Free Software                *#
#* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA */

/**
 * This is the skynet User class.
 * Each object represents a single User
 *
 * @package default
 */

// File is only accessible from within the skynet program
if (!defined('skynet')) exit();

/**
 * @package skynetUser
 */
class skynetUser {
   /**
    * These are the class variables
    */
   private $user_id;             // Integer
   private $username;            // Char(15)
38
   private $passwordHash;        // Char()
39
40
41
42
43
   private $fullname;            // Char(40)
   private $email;               // Char(320)
   private $adminflag;           // Boolean (TinyInt)
   private $logged_in;           // Boolean

44
   private $sqlhdlr;             // Object
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

   private $dirty_flag;          // Boolean
   private $pwd_dirty_flag;      // Boolean

   private $deleteme;

   /**
    * Class Constructor
    *
    * @param string $dbHost The database host
    * @param string $dbUser The user to access the database
    * @param string $dbPass The password to access the database
    * @param string $dbName The name of the database
    * @param string $username String representing the username
    * @param string $password String representing the password
    * @param boolean $login Boolean value indicating whether this is a login
    *                       attempt
    */ 
63
64
   public function __construct($sqlhdlr, $uid = -1, $username = '',
                               $password = '', $login = false) {
65

66
67
      // Store the database handler
      $this->sqlhdlr = $sqlhdlr;
68

69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
      // Everyone starts with a clean slate
      $this->dirty_flag = false;
      $this->pwd_dirty_flag = false;

      // Don't delete unless explicitly told to
      $this->deleteme = false;

      // All users are considered offline until otherwise determined
      $this->logged_in = false;

      // Check to see if this is a login attempt
      if ($login) {
         // Input checking for username and password
         $skynet_nameRegex = '/^[a-zA-Z0-9_\-]{1,15}\z/';
         $skynet_pwdRegex = '/^[a-zA-Z0-9@#$%\^&\*\/]{4,15}\z/';
         $clean_username = '';
         $clean_password = '';

         if (preg_match($skynet_nameRegex, $username)) {
            $clean_username = $username;
         }

         if (preg_match($skynet_pwdRegex, $password)) {
            $clean_password = $password;
         }

95
         //// Check the database for the user and get their password
96
         $results = $this->sqlhdlr->table('users')
97
98
99
100
101
102
103
104
105
106
107
108
109
            ->select('id', 'password')
            ->where('username', $clean_username)
            ->first();

         $this->user_id = $results['id'];
         $this->passwordHash = $results['password']; 
               
         if (password_verify($clean_password, $this->passwordHash)) {
            if (password_needs_rehash($this->passwordHash,
                                      PASSWORD_BCRYPT,
                                      ['cost' => 10])) {
                $this->passwordHash = password_hash($password);
                $this->_update_password();
110
            }
111
            $this->logged_in = true;
112
         }
113
       }
114
115
116
117
118
119
120
121

      // If we have a UID, or we are logged in
      if ((is_numeric($uid) && ($uid != -1)) || $this->logged_in) {
         // Assign the UID if needed
         if (! $this->logged_in) {
            $this->user_id = $uid;
         }

122
         $results = $this->sqlhdlr->table('users')
123
124
125
126
127
128
129
130
131
            ->select('username', 'full_name', 'email', 'admin')
            ->where('id', $this->user_id)
            ->first();

         $this->username = $results['username'];
         $this->fullname = $results['full_name'];
         $this->email = $results['email'];
         $this->adminflag = $results['admin'];

132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
      // New user, use defaults
      } else {
         $this->user_id = -1;
         $this->username($username);
         $this->fullname = '';
         $this->adminflag = 0;

         // Mark the object as dirty, as long as we're not trying to login
         if (! $login)
            $this->dirty_flag = true;
      }
   }

   /**
    * Return the user_id
    *
    * @return integer user_id of the user this object represents
    */
   public function user_id() {
      if ($this->user_id == -1) {
         $this->_serialize();
      }

      return $this->user_id;
   }

   /**
    * Return the logged_in status
    *
    * @return boolean Boolean value indicating whether or not the user is
    *                 logged in
    */
   public function logged_in() {
      return $this->logged_in;
   }

   /**
169
    * Set the user's password
170
171
172
173
174
175
176
177
178
179
180
    *
    * @param string $password String representing the user password
    *
    * @return string Returns the user's password, or NULL if the password being
    *                set does not pass validation
    */
   public function password($password = '') {
      $skynet_pwdRegex = '/^[a-zA-Z0-9@#$%\^&\*\/]{4,15}\z/';
      if (! empty($password)) {
         if (preg_match($skynet_pwdRegex, $password)) {

181
182
183
            $this->passwordHash =
               password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
   
184
185
            // Mark as dirty
            $this->pwd_dirty_flag = true;
186
            return true;
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
         }
      }

      return false;
   }

   /**
    * Set / Return the username
    *
    * @param string $username String representing the username
    *
    * @return string Returns the username, or null if the supplied username
    *                fails validation
    */
   public function username($username = '') {
      $skynet_nameRegex = '/^[a-zA-Z0-9_\-]{1,15}\z/';
      if (! empty($username) && (! strcmp($username, $this->username) == 0)) {
         if (preg_match($skynet_nameRegex, $username) && ($username != 'guest')) {
            $this->username = $username;

            // Mark as dirty, if the user is logged in
            if ($this->logged_in)
               $this->dirty_flag = true;
         } else {
            return null;
         }
      }

      return $this->username;
   }

   /**
    * Set / Return the full name
    *
    * @param string $fullname String representing the full name
    *
    * @return string Returns the full name, or null if the supplied full name
    *                fails validation
    */
   public function fullname($fullname = '') {
      $skynet_fullnameRegex = '/^[a-zA-Z0-9_\-\ \']{1,40}\z/';
      if (! empty($fullname) && (! strcmp($fullname, $this->fullname) == 0)) {
         if (preg_match($skynet_fullnameRegex, $fullname)) {
            $this->fullname = $fullname;

            // Mark as dirty
            $this->dirty_flag = true;
         } else {
            return null;
         }
      }

      return $this->fullname;
   }

   /**
    * Set / Return the email address
    *
    * @param string $email String representing the email address
    *
    * @return string Returns the email address, or null if the supplied email
    *                address fails validation
    */
   public function email($email = '') {
      $skynet_emailRegex = '/^[a-zA-Z0-9_\-\.!#\$%&\*\+\/=\?\^\{\|\}~]{0,64}@[a-zA-Z0-9\-\.]{0,255}\z/';
      if (! empty($email) && (! strcmp($email, $this->email) == 0)) {
         if (preg_match($skynet_emailRegex, $email)) {
            $this->email = $email;

            // Mark as dirty
            $this->dirty_flag = true;
         } else {
            return null;
         }
      }

      return $this->email;
   }

   /**
    * Set / Return the admin flag
    *
    * @param boolean $adminflag Boolean value representing whether the user is
    *                           an administrator or not
    *
    * @return boolean Returns true if the user is an administrator or false if
    *                 the user is not an admin, or if the supplied value is not
    *                 a boolean
    */
   public function adminflag($adminflag = '') {
      if (! empty($adminflag) && ($this->adminflag != $adminflag)) {
         if (is_bool($adminflag)) {
            $this->adminflag = $adminflag;

            // Mark as dirty
            $this->dirty_flag = true;
         } else {
            return false;
         }
      }

      return $this->adminflag;
   }

   /**
    * Return the delete flag value
    *
    * @return boolean Returns true if this user is to be deleted, false if not
    */
   public function delete() {
      $this->deleteme = true;
   }

300
301
302
303
   /**
    * Updates the user password hash in the database
    */
   private function _update_password() {
304
      $this->sqlhdlr->table('users')
305
306
307
308
         ->where('id', $this->user_id)
         ->update(array('password' => $this->passwordHash));
   }

309
310
311
312
313
314
315
316
   /**
    * Deletes the user from the database if the deleteme flag is set
    */
   private function _delete() {
      // If the deleteme flag is set, delete the user
      if ($this->deleteme) {
         // Delete the entries, being careful to ensure it's
         // from the right user
317
         $this->sqlhdlr->table('users')
318
319
            ->where('id', $this->id)
            ->delete();
320
321
322
323
324
325
326
327
328
329
      }
   }

   /**
    * Serialize the User object
    */
   private function _serialize() {
      // username, fullname, password, admin flag
      // User ID of -1 indicates a new user
      if ($this->user_id == -1) {
330
331
332
333
334
335
336
337
         $this->sqlhdlr->table('users')
            ->insert(array(
               'username' => $this->username,
               'full_name' => $this->fullname,
               'email' => $this->email,
               'password' => $this->passwordHash,
               'admin' => $this->adminflag
            ));
338
339
340
341

         // Get the user_id
         $this->user_id = $this->sqlhdlr->insert_id;
      } else {
342
         $this->sqlhdlr->table('users')
343
344
345
346
347
348
349
            ->where('id', $this->user_id)
            ->update(array(
               'username' => $this->username,
               'full_name' => $this->fullname,
               'email' => $this->email,
               'admin' => $this->adminflag
            ));
350
351

         if ($this->pwd_dirty_flag) {
352
            $this->_update_password();
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
         }
      }
   }

   /**
    * Destructor
    */
   public function __destruct() {
      if ($this->deleteme) {
         $this->_delete();
         return;
      }

      if ($this->dirty_flag || $this->pwd_dirty_flag) {
         $this->_serialize();
      }
   }
}

?>