Intranet Site notes

PHAS Intranet Site (secure.phas.ubc.ca)

Date: 2013-03-12

Note: The dark-green font indicates recent updates concerned with improving the security of the site.

Site Overview

The site authenticates users against the mail server via the imap protocol (PHP imap_open function).

Session management is done through a 3rd party DB_eSession class which saves session data in a MySQL database.

Access control is governed by various MySQL databases. Typcially local auth.php scripts consult the relevant database to allow or reject access to applications in a given directory.

All databases, except db_esessions, are located on the "mysql" server (currently omega).

The variouls MySQL databases are also consulted to build navigation pages (eg. /forms/index.php). They determine who can see links to the various applications.

Site-wide banner, navigation bar and trailer are maintained via calls to the phasbegin() and phasend() functions.

2012-12-11: Restricted access to /wwws/forms via .htaccess - our subnets and PHAS VPN only.

Site Mechanics

All executable PHP files begin with something like:

<?php

require_once
("/wwws/functions.php");

    $user=sessbegin();                     
// are they logged in (session started)?

require_once
("auth.php");

    auth($user);                           
// are they allowed to see this page?

require_once
("/wwws/default.php");

$mainitem
= "Forms";

    phasbegin();                           
// show site-wide banner and navigation 

// begin content
--------------------------------------------------------------------

, and end with something like:

// end content --------------------------------------------------------------------
phasend();
?>

The call to sessbegin() ensures that the user is authenticated. It will redirect to login.php if not.

The local auth.php scripts ensure that the user is allowed to run the scripts in each directory.
They define the local auth($user) functions which:

redirect to login.php if $user is not set, and
redirect to reject.php if the user is not allowed
make use of the allow function located in db_access.php to determine access.
2012-12-11: calls directly to allow are slowly being replaced with role-based equivalents

Eg.

function auth($user) {
// function to determine whether this user is allowed to see a page
// in this directory. Calls "allow" function with right parameters.
// If result is false, redirects to rejection page
   require_once('/wwws/functions.php');
   require_once('db_connect.php');

   if ( isset($user) ) {
// the parameters passed to allow function are specific to this directory
      #if ( ! allow('gradstudents',$user) ) {
        if ( ! is_GradAdmin($user)) ) {
        // not allowed - redirect to rejection page
       $redirect_url = "/reject.php";
       header ("Location: $redirect_url");
      }
   } else {    // not logged in yet - redirect to Login page
      $redirect_url = "/login.php";
      header ("Location: $redirect_url");
   }
} // if didn't get redirected then return and continue

The calls to phasbegin() and phasend() provide the site-wide look and feel elements.
The $mainitem variable controls which button is highlighted in the navigation bar.

Files in DocumentRoot - /var/www/shtml (aka /wwws)

functions.php - required by every PHP script in site

sessbegin()
- invokes DB_eSession and checks for authenticated user
- if authenticated returns the session variable "PAuser"
- else retrieves requested url and redirects to login.php with url appended as a parameter
$req_url = IsSet($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
-2012-10-29: passed $_SERVER['REQUEST_URI'] to new clean_requrl() function before appending
clean_requrl($req_url)
- 2012-10-29: new function
- does basic validation (printable 2-255 chars); strips off scheme, host, port, username and password in URL
allow($database,$user,$table='users',$field='username',$andclause='1')
- 2012-11-??: Code moved to /usr/local/lib/php/db_access.php
Following 4 functions not used much (or least systematically):
sql_ready($var)
- calls addslashes and str_replace on specific strings (eg. <script)
sql_clean($_value)
- $_value = trim(addslashes(strip_tags($_value)));
get_char($field,$len)
- returns $field truncated to $len
get_date($field)
- validates $field as a date (yyyy-mm-dd)
- either returns the date or "INVALID"
rest are functions to paint site (phasbegin, phasend, MainMenu, MakeSubMenu, etc.)

login.php

- form for username and password
- if $action is LOG_OUT, destroys session
- 2012-10-29: does basic validation on $action (char. set and length)
- form is submitted to login_auth.php
- requested url is included as a hidden field $req_url
- 2012-10-29: passed $_REQUEST['req_url'] to clean_requrl() before including as hidden field

login_auth.php

NOTE: this is the script that processes the login form.
- 2012-10-30: renamed from auth.php to login_auth.php to avoid confusion with directory/application-specific auth.php files.
- retrieves username and password from login form
- 2012-10-26: tightened up check for valid characters/length in username/password
- tries to authenticate via IMAP; redirects to login.php if fails
- if $_REQUEST['req_url'], redirects to it, otherwise redirects to index.php
- 2012-10-29:
- passed $_REQUEST['req_url'] to clean_requrl() before redirecting
- removed check for $req_url="CARCHIVE" and redirection to specific URL
- 2012-10-26: forced redirection to our site: header ("Location: https://secure.phas.ubc.ca".$req_url);

index.php

- relies on call to sessbegin() to redirect if necessary to login.php
- any authenticated user is allowed to view home page, but
- makes use of allow() function to customize it: Eg.

// Dept. Members and Grad Students
if ( allow('directory',$user,'department','Username') ||
allow('gradstudents',$user,'students','email') ) {

htaccess_deptonly

- 2012-11-19: started restricting access to sensitive applications by ip domain/address
- restricts access to PHAS domains, subnets or VPN
- /wwws/forms/.htaccess is a symlink to here

default.php (now navi_menu.php)

- sets up main menu for site
- 2013-03-12: renamed to navi_menu.php and symlink added from old name

reject.php

- page to which any unallowed attempts are redirected
- ie. from a call to allow() or role-based function, in a given directory's auth.php script

Files in /usr/local/lib/php

Session Management

These are the files that utilize the DB_eSession class.
The class safely stores our session data outside the document root.
I have disabled the session monitoring tools available under the Sysadmin folder. To re-enable, just rename the directory.
class.DB_eSession.php
- class itself
config.DB_eSession.php
- configuration file for Intranet site
cwl_config.DB_eSession.php
- configuration file for CWL authentication
- see /wwws/ubc_cwl/ directory for main files
- currently used only for Clab Kiosk registration
eSessions_table.sql
- this file is needed to rebuild mysql table in the case of a disaster
- steps required are outlined in it
- check config file for database/table/username/password
- cgi-bin scripts that use session require a "sess_check" user with Select privileges (see /var/www/lib/perl/sql_lib/PAsql_Sessions.pm)
- to create the CWL session table: create table cwlSessions like eSessions;

db_connect.php (Database Access)

db_connect($db,$access)
- all database connections are made through a call to this function (true statement I hope)
- mysql usernames/passwords are stored here
- $access is used to determine which credentials will be used - and therefore whether the user will have read or write access
db_record_exists($database,$query)
- 2012-10-26: function added so that database access from allow() function is done outside document root.
- $query is typically a search for the authenticated username in the given database.

db_access.php (Application Access)

allow($database,$user,$table='users',$field='username',$andclause='1')
- 2012-11-??: Moved from /wwws/functions.php
- consults individual MySQL database to determine whether $user is allowed to see a page
- by default it looks in a table called "users" at the "username" field for the given $user
- called from various auth.php and index.php in various directories as well as from within various applications
- connects to databases with "read" access only
- query string built from parameters passed
$query = "SELECT $field FROM $table WHERE $field='$user' AND $andclause";
-2012-10-26:
- validates all parameters using preg_match to limit character set and length
- calls mysql_real_escape_string when forming query
- actual database access now done via db_record_exists() function
role-based access functions:
- eg. is_DeptMem, is_Faculty, is_Sysadmin
- call allow() with appropriate parameters

form_validation.php (Input Validation) - 2012-12-10

getCleanPost($varname)
- returns trim(strip_tags($_POST[$varname])) or FALSE if not set
getCleanReq($varname)
- returns trim(strip_tags($_REQUEST[$varname])) or FALSE if not set
validateVar($value,$validtype,$validval)
- validates $value according to the $validtype against $validval
- $validtypes: pattern, enum, function, length
- $validval varies accordingly: string, array, function name, min/max values

To-Do List

Continue to create role-based access functions so we can see access levels in one place for future development

Create specific read-only MySQL usernames/passwords for each database instead of using sel_only.

Continue to develop input validation tools.

Application-specific:

check any file upload/download apps. - validate, canonize, escape, whatever
prioritize sensitive/critical apps - validate inputs, escape outputs, etc.
see MySQL Databases notes.

Authenticate against ldap server instead of mail server.
2013-06-17: Code which does this with current ldap server: https://secure.phas.ubc.ca/dev/ldapauth.php

Consider using PHP/PEAR functions/classes for session management (instead of DB_esessions).