<?php
// $Id

/**
 * Implementation of hook_requirements()
 */
function phpids_requirements($phase) {
  $t = get_t();
  
  // Test PHPIDS version
  $requirements['phpids'] = array(
    'title' => $t('PHPIDS'),  
    'value' => $t('Found'),
  );
    
  if (!file_exists(realpath(dirname(__FILE__) . '/IDS/Config/Config.ini'))) {
    $requirements['phpids']['value'] = $t('Not found');
    $requirements['phpids']['description'] = $t('You must dowload the latest <a href="http://www.phpids.org">PHPIDS package</a> and place in the phpids module folder. Warning: the PHP4 version is not supported.');
    $requirements['phpids']['severity'] = REQUIREMENT_ERROR;
  }
  return $requirements;
}

/**
 * Implementation of hook_menu()
 */
function phpids_menu($may_cache) {
  $items = array();
  if ($may_cache) {
    $items[] = array(
      'path' => 'admin/settings/phpids',
      'title' => t('phpids'),
      'description' => t('Configure phpids levels'),
      'callback' => 'drupal_get_form',
      'callback arguments' => array('phpids_admin_settings'),
      'type' => MENU_NORMAL_ITEM,
      'access' => user_access('administer phpids'));
    $items[] = array(
      'path' => 'phpidswarning',
      'title' => t('PHPIDS warning'),
      'callback' => 'phpids_warning',
      'access' => user_access('access content'),
      'type' => MENU_CALLBACK
      );
  }
  return $items;
} 

/**
 * Implementation of hook_perm().
 */
function phpids_perm() {
  return array('administer phpids');
}

/**
 * Implementation of hook_init()
 * @ignore : value depends which action will happen
 *   0 = do nothing
 *   1 = only log
 *   2 = log & actions
 */
function phpids_init() {

  if (file_exists(realpath(dirname(__FILE__) . '/IDS/Config/Config.ini'))) {

    global $user, $base_root;

    // default is logging
    $ignore = 1;
    // anonymous user
    if ($user->uid == 0) {
      $anon = variable_get('phpids_anonymous',2);
      if ($anon == 2) $ignore = 2;
    }
    // authenticated user - always ignore user 1
    if ($user->uid != 0) {
      if ($user->uid == 1) $ignore = 0;
      else {
        $auth = variable_get('phpids_authenticated',2);
        if ($auth == 1) $ignore = 0;
        if ($auth == 3) $ignore = 2;        
      }
    }
        
    // start PHPIDS if ignore is not 0
    if ($ignore != 0) {
 
      $request_uri = $base_root . request_uri();

      // set include path and required the needed files
      $phpids_path = realpath(dirname(__FILE__));
      set_include_path(get_include_path(). PATH_SEPARATOR. $phpids_path);
      require_once 'IDS/Init.php';

      // instanciate the needed stuff
      $request = array('GET' => $_GET, 'POST' => $_POST);
      $init = IDS_Init::init($phpids_path.'/IDS/Config/Config.ini');
      $init->config['General']['tmp_path'] = $phpids_path . '/IDS/tmp';
      $init->config['General']['filter_path'] = $phpids_path . '/IDS/default_filter.xml';
      $init->config['Caching']['caching'] = 'file';
      $init->config['Caching']['path'] = $phpids_path. '/IDS/tmp/default_filter.cache';

      $request = new IDS_Monitor($request, $init);
      $report = $request->run();

      // if report is not empty, always log
      // depending on variables, take other actions if impact level matches settings criteria.
      if (!$report->isEmpty()) {
        // default action is log
        $action = 0;

        // level of severity
        $severity = $report->getImpact(); 

        // get variables to see if we need to take more action than only logging
        $mail_level = variable_get('phpids_maillevel',9);
        $mail_sent = variable_get('phpids_mail','');
        $warn_level = variable_get('phpids_warnlevel',27);
        if ($severity >= $mail_level && !empty($mail_sent) && $ignore == 2) $action = 1;
        if ($severity >= $warn_level && $ignore == 2) $action = 2;

        // create detailed report
        $message = 'All tags: ' . join(", ", $report->getTags());
        $message .= '<br />Total impact: '.$severity;
        // iterate through the result an get every event (IDS_Event)
        foreach ($report as $event) {
          $message .= '<br />Variable: '.$event->getName().' | Value: ' . htmlspecialchars($event->getValue()) . '<br />';
          $message .= 'Impact: '.$event->getImpact().' | Tags: ' . join(", ", $event->getTags()) . '<br />'; 
          // iterator throught every filter 
          $message .= '<ul>';
          foreach ($event as $filter) {
            $message .= '<li>Rule: '. $filter->getRule() .'<br />';
            $message .= 'Description: '. $filter->getDescription() .'<br />';
            $message .= 'Tags: ' . join(", ", $filter->getTags()) . '</li>';
          }
          $message .= '</ul>';
        }

        // log the impact
        watchdog('phpids',wordwrap($message,'100',' ',TRUE));

        // send out mail if needed
        if ($action == 1) {
          $body = 'Check your logs to see a full detail of the report.';
          drupal_mail('',$mail_sent,'PHPIDS detected an attack with impact '.$severity,$body);
        }
        // Warning : redirect the user to a warning page so nothing can happen to the system
        if ($action == 2) {
          // load common.inc if necessary
          if (!function_exists('drupal_goto')) require_once './includes/common.inc';
          drupal_goto('phpidswarning');
        }
      }
    }
  }
}

/*
 * Callback function to configure PHPIDS
 */
function phpids_admin_settings() {

  // general settings 
  $form['general'] = array(
    '#type' => 'fieldset',
    '#title' => t('General'),
  );
  $form['general']['phpids_maillevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Mail impact'),
    '#default_value' => variable_get('phpids_maillevel',9),
    '#description' => t('Sends out mail when this level of impact is reached.'),
  );
  $form['general']['phpids_mail'] = array(
    '#type' => 'textfield',
    '#title' => t('Email'),
    '#default_value' => variable_get('phpids_mail',''),
    '#description' => t('Leave empty if you don\'t want to send out email.'),
  );
  $form['general']['phpids_warnlevel'] = array(
    '#type' => 'textfield',
    '#title' => t('Warning impact'),
    '#default_value' => variable_get('phpids_warnlevel',27),
    '#description' => t('Redirects to a warning page after this level of impact is reached.'),
  );
  // finetine filter settings
  $form['filters'] = array(
    '#type' => 'fieldset',
    '#title' => t('Ignore filters'),
    '#description' => t('Finetune settings when PHPIDS shouldn\'t take action. Keep in mind that user 1 is always ignored and anonymous users are always monitored!'),
  );
  $options_anon = array(1 => t('Log anonymous users without actions'), 2 => t('Log anonymous users and take actions'));
  $form['filters']['phpids_anonymous'] = array(
    '#type' => 'select',
    '#title' => t('Anonymous users'),
    '#description' => t('Choose a setting for anonymous users.'),
    '#default_value' => variable_get('phpids_anonymous',1),
    '#options' => $options_anon,
  );
  $options_auth = array(1 => t('Do not log authenticated users'), 2 => t('Log authenticated users without actions'), 3 => t('Log authenticated users and take actions'));
  $form['filters']['phpids_authenticated'] = array(
    '#type' => 'select',
    '#title' => t('Authenticated users'),
    '#description' => t('Choose a setting for authenticated users. Choosing the second option is the probably the best as it is less anoying for users.'),
    '#default_value' => variable_get('phpids_authenticated',2),
    '#options' => $options_auth,
  );

  return system_settings_form($form);
}

/**
 * Warning page: display this page if the attack has reached warning level thus
 * making the action of the (anonymous) user completely worthless.
 */
function phpids_warning() {
  $output = t('We have detected malicious input and blocked your attempt.<br />If you keep experiencing problems but feel like you are doing nothing wrong, please contact the site administrator.');
  return $output;
}