From 51d0c765b7d619d1a123db6cb2d9389a0fb70f52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Bousqui=C3=A9?= <jerome@bousquie.fr>
Date: Thu, 22 Sep 2016 11:49:17 +0200
Subject: [PATCH] commit initial

---
 index.php       | 30 +++++++++++++++++++++
 log.vbs         |  9 +++++++
 logcas.php      | 31 ++++++++++++++++++++++
 logout.vbs      |  9 +++++++
 proxy/squid.php | 46 +++++++++++++++++++++++++++++++++
 wifi/kanet.php  | 69 +++++++++++++++++++++++++++++++++++++++++++++++++
 6 files changed, 194 insertions(+)
 create mode 100644 index.php
 create mode 100644 log.vbs
 create mode 100644 logcas.php
 create mode 100644 logout.vbs
 create mode 100644 proxy/squid.php
 create mode 100644 wifi/kanet.php

diff --git a/index.php b/index.php
new file mode 100644
index 0000000..98d4f01
--- /dev/null
+++ b/index.php
@@ -0,0 +1,30 @@
+<?php
+include_once('winlogconf.php');
+include_once('admin/db_access.php');
+
+// ne traiter que sur des requêtes POST sur le port 443
+if ( $_SERVER["REQUEST_METHOD"] == "POST" && $_SERVER["SERVER_PORT"] == "443") {
+
+    $action = $_POST["action"];
+	$username = $_POST["username"];
+	$computer = $_POST["computer"];
+	$code = $_POST["code"];
+	$ip = $_SERVER["REMOTE_ADDR"];
+
+	if (strcmp($code, $server_code)!=0) { exit; } // se protéger des POST anonymes par un code partagé entre client et serveur
+
+	$db = db_connect();
+	
+	// requête de purge d'une éventuelle connexion restée ouverte sur une machine (multi-session non autorisée sur les PC)
+	$req_purge_C = 'UPDATE connexions SET close = 1 WHERE close = 0 AND hote = "'.$computer.'"';
+	// requête de création de l'enregistrement de connexion
+	$req_con_C ='INSERT INTO connexions (username, hote, ip, debut_con, close) VALUES ("'.$username.'", "'.$computer.'", "'.$ip.'", CURRENT_TIMESTAMP(),0)';
+	//requête de mise à jour (fermeture) de la connexion
+	$req_con_D = 'UPDATE connexions SET close = 1 WHERE close = 0 AND username = "'.$username.'" AND hote = "'.$computer.'"';
+	// si action = C alors $req = $req_con_C, sinon $req_con_D
+	$req = $action == "C" ? $req_con_C:$req_con_D;
+	
+	if ($action == "C") { db_query($db, $req_purge_C); } // on commence par purger avant de créer une connexion
+	$res = db_query($db, $req);
+	}
+?>
diff --git a/log.vbs b/log.vbs
new file mode 100644
index 0000000..1cfea1c
--- /dev/null
+++ b/log.vbs
@@ -0,0 +1,9 @@
+Dim  o, n, data, secopt
+Set o = CreateObject("WinHttp.WinHttpRequest.5.1")
+Set n = CreateObject("wscript.network")
+o.setproxy 1
+o.Option(4) = 13056 'pour forcer à ignorer toutes les erreurs de certificats
+o.open "POST", "https://winlog.dometud.iut-rodez.local/", False
+o.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
+data = "action=C&username="+n.Username+"&computer="+n.ComputerName
+o.send data
diff --git a/logcas.php b/logcas.php
new file mode 100644
index 0000000..a1eede4
--- /dev/null
+++ b/logcas.php
@@ -0,0 +1,31 @@
+<?php
+//
+// phpCAS simple client
+//
+
+
+// import phpCAS lib
+include_once('CAS/CAS.php');
+
+//phpCAS::setDebug();
+
+// initialize phpCAS
+phpCAS::client(CAS_VERSION_2_0,$cas_server,$cas_port,$cas_path);
+
+// no SSL validation for the CAS server
+phpCAS::setNoCasServerValidation();
+
+// check CAS authentication
+phpCAS::checkAuthentication();
+
+// at this step, the user has been authenticated by the CAS server
+// and the user's login name can be read with phpCAS::getUser().
+function Autorise($user, $liste_users_autorises) {
+  return in_array($user, $liste_users_autorises);
+}
+
+// logout if desired
+if (isset($_REQUEST['logout'])) {
+	phpCAS::logout();
+}
+?>
diff --git a/logout.vbs b/logout.vbs
new file mode 100644
index 0000000..4217a07
--- /dev/null
+++ b/logout.vbs
@@ -0,0 +1,9 @@
+Dim  o, n, data
+Set o = CreateObject("WinHttp.WinHttpRequest.5.1")
+Set n = CreateObject("wscript.network")
+o.setproxy 1
+o.open "POST", "http://winlog.dometud.iut-rodez.local/", False
+o.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
+data = "action=D&username="+n.Username+"&computer="+n.ComputerName
+o.send data
+
diff --git a/proxy/squid.php b/proxy/squid.php
new file mode 100644
index 0000000..49536f1
--- /dev/null
+++ b/proxy/squid.php
@@ -0,0 +1,46 @@
+<?php
+//header('Content-type: application/json; charset=utf-8');
+include('../admin/winlog_admin_conf.php');
+include('../admin/connexions.php');
+$ip = $_GET["ip"];
+$src = $_GET["src"];
+$target = $_GET["tgt"];
+$username = "";
+
+$prefixe_reseau_captif = "10.3.";             // prefixe du réseau captif
+
+if ($src!="etudiants" && $src!="personnels") {
+  // si src <> étudiants ou personnels :
+  // la requête vient directement de cache.iut-rodez.fr : $ip reçu est fiable
+  // il s'agit d'un accès interdit depuis un poste fixe de l'IUT
+  // sinon :
+  // la requête vient d'un iframe inclus dans la page interdit.php
+  // on ne peut se baser que sur X_FORWARDED_FOR
+
+  $adresses = explode(',', $_SERVER["HTTP_X_FORWARDED_FOR"]); 
+        // le header peut contenir plusieurs ip (ex: routeur Kanet) => on récupère un tableau
+  $ip = "";
+  $lg_prefixe = strlen($prefixe_reseau_captif);
+  foreach($adresses as $http_ip) {
+    if (substr($http_ip, 0, $lg_prefixe) == $prefixe_reseau_captif) { $ip = $http_ip; }
+  }
+  
+  $connexions_wifi = Connexions_wifi();
+  $i = 0;
+  while ($connexions_wifi[$i]) {
+  if ($connexions_wifi[$i]["ip"] == $ip) { $username = $connexions_wifi[$i]["username"];}
+  $i++;
+  }
+
+}
+else { // src= etudiants ou personnels
+  $con_ip = Con_ip($ip);
+  if (!empty($con_ip)) { $username = $con_ip[1]; }
+}
+
+$db = db_connect();
+$req_log = 'INSERT INTO proxy (ip, username, target, logts) VALUES ( "'.$ip.'", "'.$username.'", "'.$target.'", CURRENT_TIMESTAMP() )';
+$req_purge = 'DELETE from proxy WHERE timestampdiff(SECOND, timestamp(logts), timestamp(now())) > 60'; // on purge les logs de plus de 1mn
+$res = db_query($db, $req_purge);
+$res = db_query($db, $req_log);
+?>
diff --git a/wifi/kanet.php b/wifi/kanet.php
new file mode 100644
index 0000000..ab130a0
--- /dev/null
+++ b/wifi/kanet.php
@@ -0,0 +1,69 @@
+<?php 
+
+// conf serveur CAS
+$cas_server = 'cas.iut-rodez.fr';
+$cas_path = '/cas';
+$cas_port = 443;
+include_once('../logcas.php');
+include_once('../winlogconf.php');               // importation de la conf mysql
+
+
+$prefixe_reseau_captif = "10.3.";             // prefixe du réseau captif
+$delai = "15";                                // délai en secondes de renvoi de la requête depuis le browser
+$delai_vie = "40";                           // délai en secondes avant de fermer une connexion en base
+                                              // le délai de vie doit être supérieur au délai de reload
+
+
+$cas_user = phpCAS::getUser();
+$action = $_GET['action'];
+// $action : 
+// si "C" =>  création d'un enregistrement de connexion
+// si "U" =>  mise à jour d'un enregistrement existant (déconnexion)
+
+$browser = $_SERVER["HTTP_USER_AGENT"];
+$adresses = explode(',', $_SERVER["HTTP_X_FORWARDED_FOR"]); 
+        // le header peut contenir plusieurs ip (ex: routeur Kanet) => on récupère un tableau
+$wifi_ip = "";
+$lg_prefixe = strlen($prefixe_reseau_captif);
+foreach($adresses as $http_ip) {
+  if (substr($http_ip, 0, $lg_prefixe) == $prefixe_reseau_captif) { $wifi_ip = $http_ip; }
+}
+
+$req_check = 'SELECT * FROM wifi WHERE wifi_username="'.$cas_user.'" AND wifi_ip="'.$wifi_ip.'" AND close=0'; // recherche connexion déjà ouverte
+$req_con = 'INSERT INTO wifi (wifi_username, wifi_ip, wifi_browser, wifi_deb_conn, wifi_fin_conn, close) VALUES ( "'.$cas_user.'", "'.$wifi_ip.'", "'.$browser.'", CURRENT_TIMESTAMP(), CURRENT_TIMESTAMP(), 0 )';
+
+$req_clos = 'UPDATE wifi SET close = 1 WHERE close = 0 AND timestampdiff(SECOND, timestamp(wifi_fin_conn), timestamp(now())) > '.$delai_vie; // ferme TOUTES les connexions trop anciennes
+
+$req_maj = 'UPDATE wifi SET wifi_fin_conn = CURRENT_TIMESTAMP() WHERE close = 0 AND wifi_username = "'.$cas_user.'" AND wifi_ip = "'.$wifi_ip.'"';
+
+$db = mysql_pconnect($db_server, $db_user, $db_passwd);
+mysql_select_db($db_dbname, $db);
+
+$clos = mysql_query($req_clos, $db); // dans tous les cas, on ferme toutes les connexions trop anciennes
+
+
+if ($action == "C") { 
+    $deja_con = mysql_query($req_check, $db);
+    $req = $req_maj;
+    if (mysql_num_rows($deja_con) == 0) { $req = $req_con; } 
+        // si non déjà connecté, alors connecte, sinon update
+    }
+if ($action=="U") { $req = $req_maj; }
+$res = mysql_query($req, $db);
+
+
+
+// on sert une page web vide qui se reloade toutes les $delai secondes dans une iframe invisible
+// (seulement sur action == U, sinon une iframe charge une fois unique la page => action == C)
+// mieux qu'un appel ajax : kanet.php est un client CAS, xhr ne suit pas la redirection CAS
+?>
+<html>
+<head>
+<?php 
+if ($action == "U") { echo('<meta http-equiv="refresh" content="'.$delai.'">'); }
+?>
+</head>
+<body>
+still alive...
+</body>
+</html>