| [613] | 1 | XOBSRAKJ ;kc/oak - VistALink Reauthentication Code, SSO/UC KAAJEE ; 03/02/2004 07:00
|
|---|
| 2 | ;;1.5;VistALink Security;;Sep 09, 2005
|
|---|
| 3 | ;;Foundations Toolbox Release v1.5 [Build: 1.5.0.026]
|
|---|
| 4 | ;
|
|---|
| 5 | QUIT
|
|---|
| 6 | ;
|
|---|
| 7 | ; ------------------------------------------------------------------------
|
|---|
| 8 | ; RPC Server: Reauthentication subroutines for SSO/UC KAAJEE
|
|---|
| 9 | ; ------------------------------------------------------------------------
|
|---|
| 10 | ;
|
|---|
| 11 | CCOW(XOBID,XOBERR) ; -- CCOW connection type
|
|---|
| 12 | NEW XOBOUT,T,HDL
|
|---|
| 13 | SET XOBID=0
|
|---|
| 14 | ;
|
|---|
| 15 | ;get DUZ using Kernel CCOW Token xref
|
|---|
| 16 | SET HDL=$GET(XOBDATA("XOB RPC","SECURITY","TYPE","CCOW"))
|
|---|
| 17 | SET HDL=$$DECRYP^XUSRB1(HDL)
|
|---|
| 18 | ;
|
|---|
| 19 | IF $EXTRACT(HDL,1,2)'="~2" DO QUIT
|
|---|
| 20 | . SET XOBERR=182301_U_"CCOW"_U_"[token does not match CCOW handle format.]"
|
|---|
| 21 | . SET XOBID=0
|
|---|
| 22 | ;
|
|---|
| 23 | ; TODO: need IP address, then need to do $$IPLOCKED(IP)?
|
|---|
| 24 | ;
|
|---|
| 25 | ; since bypassing CHKCCOW^XUSRB4, need to extract true handle, expiry here
|
|---|
| 26 | SET HDL=$$UP^XLFSTR($EXTRACT(HDL,3,99)),T=$PIECE($GET(^XTV(8989.3,1,30),5400),U)
|
|---|
| 27 | ; call Kernel to resolve CCOW handle into user ID
|
|---|
| 28 | SET XOBOUT=$$CHECK^XUSRB4(HDL,T)
|
|---|
| 29 | IF (+XOBOUT)<1 DO QUIT
|
|---|
| 30 | . SET XOBERR=182301_U_"CCOW"_U_"["_$PIECE(XOBOUT,U,2)_"]"
|
|---|
| 31 | . SET XOBID=0
|
|---|
| 32 | ;
|
|---|
| 33 | ; need to get set XOBID=DUZ, save off DUZ(2) and anything else held in the token for XOBSRA
|
|---|
| 34 | SET XOBID=+XOBOUT
|
|---|
| 35 | ;
|
|---|
| 36 | ; Save the division station# into $GET(XOBDATA("XOB RPC","SECURITY","DIV")) -- that
|
|---|
| 37 | ; is where the XOBSRA division check is looking for it
|
|---|
| 38 | SET:+DUZ(2) XOBDATA("XOB RPC","SECURITY","DIV")=$$STA^XUAF4(DUZ(2))
|
|---|
| 39 | ;
|
|---|
| 40 | IF XOBID<1 DO QUIT
|
|---|
| 41 | . SET XOBERR=182305_U_"CCOW"
|
|---|
| 42 | . SET XOBID=0
|
|---|
| 43 | ;
|
|---|
| 44 | ; probably can run MORECHKS as is?
|
|---|
| 45 | ; SET XOBERR=$$MORECHKS(XOBID)
|
|---|
| 46 | ;
|
|---|
| 47 | IF XOBERR SET XOBID=0 QUIT
|
|---|
| 48 | ;
|
|---|
| 49 | ; TODO: POST(IP)
|
|---|
| 50 | ;
|
|---|
| 51 | QUIT
|
|---|
| 52 | ;
|
|---|
| 53 | AV(XOBID,XOBERR) ; -- AV connection type
|
|---|
| 54 | NEW AC,AVCODE,VC,X,XOBCLIP,XOBTYPE
|
|---|
| 55 | SET XOBID=0
|
|---|
| 56 | ;
|
|---|
| 57 | ; -- get DUZ using access and verify codes
|
|---|
| 58 | SET AVCODE=$GET(XOBDATA("XOB RPC","SECURITY","TYPE","AVCODE"))
|
|---|
| 59 | ;
|
|---|
| 60 | SET AVCODE=$$DECRYP^XUSRB1(AVCODE)
|
|---|
| 61 | SET AC=$PIECE(AVCODE,";",1),VC=$PIECE(AVCODE,";",2),XOBCLIP=$PIECE(AVCODE,";",3)
|
|---|
| 62 | ;
|
|---|
| 63 | ; -- convert AC, VC into hashed versions
|
|---|
| 64 | SET X=AC,AC=$$EN^XUSHSH($$UP^XLFSTR(X))
|
|---|
| 65 | SET X=VC,VC=$$EN^XUSHSH($$UP^XLFSTR(X))
|
|---|
| 66 | ;
|
|---|
| 67 | ; -- check if exceeded multiple signon attempts
|
|---|
| 68 | SET XOBERR=$$IPLOCKED(XOBCLIP) IF XOBERR SET XOBID=0 QUIT
|
|---|
| 69 | ;
|
|---|
| 70 | ; -- look up AC
|
|---|
| 71 | SET XOBID=+$ORDER(^VA(200,"A",AC,0))
|
|---|
| 72 | IF XOBID<1 DO QUIT
|
|---|
| 73 | . SET XOBERR=182305_U_"AV"
|
|---|
| 74 | . SET XOBID=0
|
|---|
| 75 | ;
|
|---|
| 76 | ; -- check VC
|
|---|
| 77 | IF $PIECE($GET(^VA(200,XOBID,.1)),U,2)'=VC DO QUIT
|
|---|
| 78 | . SET XOBERR=182305_U_"AV"
|
|---|
| 79 | . SET XOBID=0
|
|---|
| 80 | ;
|
|---|
| 81 | ; -- check user access and whether verify code needs changing
|
|---|
| 82 | SET XOBERR=$$MORECHKS(XOBID)
|
|---|
| 83 | IF XOBERR SET XOBID=0 QUIT
|
|---|
| 84 | ;
|
|---|
| 85 | ; login succeeded
|
|---|
| 86 | DO POST(XOBCLIP)
|
|---|
| 87 | ;
|
|---|
| 88 | ; NOTE: AV doesn't need to check $$PERSON for AV because our source was file 200, not a separate index
|
|---|
| 89 | ;
|
|---|
| 90 | QUIT
|
|---|
| 91 | ;
|
|---|
| 92 | MORECHKS(XOBID) ; -- More separate checks
|
|---|
| 93 | NEW XOBERR
|
|---|
| 94 | SET XOBERR=0
|
|---|
| 95 | ;
|
|---|
| 96 | ; -- check user access
|
|---|
| 97 | SET XOBERR=$$NOACCESS^XOBSRA(XOBID)
|
|---|
| 98 | IF XOBERR SET XOBID=0 QUIT XOBERR
|
|---|
| 99 | ;
|
|---|
| 100 | ; -- check if verify code needs changing
|
|---|
| 101 | SET XOBERR=$$VCHG^XOBSRA(XOBID)
|
|---|
| 102 | IF XOBERR SET XOBID=0 QUIT XOBERR
|
|---|
| 103 | ;
|
|---|
| 104 | QUIT XOBERR
|
|---|
| 105 | ;
|
|---|
| 106 | IPLOCKED(XOBCLIP) ; -- check if IP address is locked, increment if not
|
|---|
| 107 | ;
|
|---|
| 108 | ; Implements the script-inhibiting lock-by-IP-address Kernel function.
|
|---|
| 109 | ; Does not lock user out for long, but does slow down scripts.
|
|---|
| 110 | ;
|
|---|
| 111 | ; Return:
|
|---|
| 112 | ; 182306^XOBID : if too many invalid login attempts
|
|---|
| 113 | ; 0 : not too many login attempts
|
|---|
| 114 | ;
|
|---|
| 115 | IF $$LKCHECK^XUSTZIP(XOBCLIP) DO QUIT XOBERR
|
|---|
| 116 | . SET XOBERR="182306^Too many invalid signon attempts."
|
|---|
| 117 | ;
|
|---|
| 118 | NEW XOBERR,XUFAC SET XOBERR=0
|
|---|
| 119 | ;
|
|---|
| 120 | IF $$FAIL^XUS3(XOBCLIP) SET XOBERR="182306^"_$$RA^XUSTZ(XOBCLIP)
|
|---|
| 121 | QUIT XOBERR
|
|---|
| 122 | ;
|
|---|
| 123 | POST(XOBCLIP) ; post-successful tasks
|
|---|
| 124 | DO CLRFAC^XUS3(XOBCLIP)
|
|---|
| 125 | QUIT
|
|---|
