icingaweb2-module-director/library/Director/Util.php

176 lines
5.4 KiB
PHP
Raw Normal View History

2015-06-23 14:37:23 +02:00
<?php
namespace Icinga\Module\Director;
2015-07-31 14:38:22 +02:00
use Icinga\Authentication\Auth;
2015-07-30 09:11:53 +02:00
use Icinga\Data\ResourceFactory;
use Icinga\Module\Director\Web\Form\QuickForm;
use Icinga\Exception\NotImplementedError;
use Icinga\Exception\ProgrammingError;
use ipl\Html\Html;
use gipfl\IcingaWeb2\Link;
2015-06-23 14:37:23 +02:00
class Util
{
2015-07-30 09:04:42 +02:00
protected static $auth;
2015-08-28 16:57:40 +02:00
protected static $allowedResources;
2015-07-30 09:11:53 +02:00
/**
* PBKDF2 - Password-Based Cryptography Specification (RFC2898)
*
* This method strictly follows examples in php.net's documentation
* comments. Hint: RFC6070 would be a good source for related tests
*
* @param string $alg Desired hash algorythm (sha1, sha256...)
* @param string $secret Shared secret, password
* @param string $salt Hash salt
* @param int $iterations How many iterations to perform. Please use at
* least 1000+. More iterations make it slower
* but more secure.
* @param int $length Desired key length
* @param bool $raw Returns the binary key if true, hex string otherwise
*
2016-11-01 18:28:36 +01:00
* @throws NotImplementedError when asking for an unsupported algorightm
* @throws ProgrammingError when passing invalid parameters
*
* @return string A $length byte long key, derived from secret and salt
*/
public static function pbkdf2($alg, $secret, $salt, $iterations, $length, $raw = false)
{
if (! in_array($alg, hash_algos(), true)) {
throw new NotImplementedError('No such hash algorithm found: "%s"', $alg);
}
if ($iterations <= 0 || $length <= 0) {
throw new ProgrammingError('Positive iterations and length required');
}
$hashLength = strlen(hash($alg, '', true));
$blocks = ceil($length / $hashLength);
$out = '';
2016-02-26 11:58:37 +01:00
for ($i = 1; $i <= $blocks; $i++) {
// $i encoded as 4 bytes, big endian.
$last = $salt . pack('N', $i);
// first iteration
$last = $xorsum = hash_hmac($alg, $last, $secret, true);
// perform the other $iterations - 1 iterations
for ($j = 1; $j < $iterations; $j++) {
$xorsum ^= ($last = hash_hmac($alg, $last, $secret, true));
}
$out .= $xorsum;
}
if ($raw) {
return substr($out, 0, $length);
}
return bin2hex(substr($out, 0, $length));
}
2015-07-30 09:04:42 +02:00
public static function auth()
{
if (self::$auth === null) {
2015-07-31 14:38:22 +02:00
self::$auth = Auth::getInstance();
2015-07-30 09:04:42 +02:00
}
return self::$auth;
}
public static function hasPermission($name)
{
return self::auth()->hasPermission($name);
}
public static function getRestrictions($name)
{
return self::auth()->getRestrictions($name);
}
2015-07-30 09:11:53 +02:00
2015-08-28 16:57:40 +02:00
public static function resourceIsAllowed($name)
2015-07-30 09:11:53 +02:00
{
2015-08-28 16:57:40 +02:00
if (self::$allowedResources === null) {
$restrictions = self::getRestrictions('director/resources/use');
2015-07-30 09:11:53 +02:00
$list = array();
foreach ($restrictions as $restriction) {
foreach (preg_split('/\s*,\s*/', $restriction, -1, PREG_SPLIT_NO_EMPTY) as $key) {
$list[$key] = $key;
}
}
2015-08-28 16:57:40 +02:00
self::$allowedResources = $list;
2015-07-30 09:11:53 +02:00
} else {
2015-08-28 16:57:40 +02:00
$list = self::$allowedResources;
2015-07-30 09:11:53 +02:00
}
if (empty($list) || array_key_exists($name, $list)) {
return true;
}
return false;
}
public static function enumDbResources()
2015-08-28 16:57:40 +02:00
{
return self::enumResources('db');
}
public static function enumLdapResources()
{
return self::enumResources('ldap');
}
protected static function enumResources($type)
2015-07-30 09:11:53 +02:00
{
$resources = array();
foreach (ResourceFactory::getResourceConfigs() as $name => $resource) {
2016-11-01 18:28:36 +01:00
if ($resource->get('type') === $type && self::resourceIsAllowed($name)) {
2015-07-30 09:11:53 +02:00
$resources[$name] = $name;
}
}
return $resources;
}
public static function addDbResourceFormElement(QuickForm $form, $name)
{
2017-07-10 20:08:39 +02:00
static::addResourceFormElement($form, $name, 'db');
2015-08-28 16:57:40 +02:00
}
public static function addLdapResourceFormElement(QuickForm $form, $name)
{
2017-07-10 20:08:39 +02:00
static::addResourceFormElement($form, $name, 'ldap');
2015-08-28 16:57:40 +02:00
}
protected static function addResourceFormElement(QuickForm $form, $name, $type)
{
$list = self::enumResources($type);
2015-07-30 09:11:53 +02:00
$form->addElement('select', $name, array(
'label' => 'Resource name',
'multiOptions' => $form->optionalEnum($list),
'required' => true,
));
if (empty($list)) {
2015-07-30 09:11:53 +02:00
if (self::hasPermission('config/application/resources')) {
$form->addHtmlHint(Html::sprintf(
$form->translate('Please click %s to create new resources'),
Link::create(
$form->translate('here'),
'config/resource',
null,
['data-base-target' => '_main']
)
));
$msg = sprintf($form->translate('No %s resource available'), $type);
2015-07-30 09:11:53 +02:00
} else {
2015-08-28 16:57:40 +02:00
$msg = $form->translate('Please ask an administrator to grant you access to resources');
2015-07-30 09:11:53 +02:00
}
$form->getElement($name)->addError($msg);
}
}
2015-06-23 14:37:23 +02:00
}