<?php
/* Icinga Web 2 | (c) 2013 Icinga Development Team | GPLv2+ */
namespace Icinga\Authentication;
use Exception;
use Icinga\Application\Config;
use Icinga\Application\Hook\AuditHook;
use Icinga\Application\Icinga;
use Icinga\Application\Logger;
use Icinga\Authentication\User\ExternalBackend;
use Icinga\Authentication\UserGroup\UserGroupBackend;
use Icinga\Data\ConfigObject;
use Icinga\Exception\IcingaException;
use Icinga\Exception\NotReadableError;
use Icinga\User;
use Icinga\User\Preferences;
use Icinga\User\Preferences\PreferencesStore;
use Icinga\Web\Session;
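class Auth
{
    /**
     * Singleton instance
     *
     * @var self
     */
    private static $instance;

    /**
     * Request, resolved lazily from the application
     *
     * @var \Icinga\Web\Request
     */
    protected $request;

    /**
     * Response, resolved lazily from the application
     *
     * @var \Icinga\Web\Response
     */
    protected $response;

    /**
     * Authenticated user, null while no user is authenticated
     *
     * @var User
     */
    private $user;

    /**
     * Use getInstance() instead
     *
     * @see getInstance()
     */
    private function __construct()
    {
    }

    /**
     * Get the authentication manager
     *
     * @return self
     */
    public static function getInstance()
    {
        if (self::$instance === null) {
            self::$instance = new self();
        }

        return self::$instance;
    }

    /**
     * Get the auth chain
     *
     * A new chain is created on every call.
     *
     * @return AuthChain
     */
    public function getAuthChain()
    {
        return new AuthChain();
    }

    /**
     * Get whether the user is authenticated
     *
     * Checks, in order: a user already set on this instance, the user stored in the session and finally the
     * external user backends. The last two steps have side effects, see authenticateFromSession() and
     * authExternal().
     *
     * @return bool
     */
    public function isAuthenticated()
    {
        if ($this->user !== null) {
            return true;
        }

        $this->authenticateFromSession();
        if ($this->user !== null) {
            return true;
        }

        return $this->authExternal();
    }

    /**
     * Mark the given user as authenticated
     *
     * Loads the user's preferences and group memberships, applies the roles granted to the user and, if
     * requested, writes the user to the session. A 'login' activity is written to the audit log in any case,
     * so per-request HTTP authentication (see authHttp()) produces one audit entry per request.
     *
     * @param   User    $user       The user a backend has authenticated
     * @param   bool    $persist    Whether to store the user in the session
     */
    public function setAuthenticated(User $user, $persist = true)
    {
        $preferences = $this->loadPreferences($user);
        // TODO(el): Quick-fix for #10957. Only reload CSS if the theme changed.
        $this->getResponse()->setReloadCss(true);
        $user->setPreferences($preferences);
        $user->setGroups($this->loadGroups($user));

        $admissionLoader = new AdmissionLoader();
        $admissionLoader->applyRoles($user);
        $this->user = $user;

        if ($persist) {
            $this->persistCurrentUser();
        }

        AuditHook::logActivity('login', 'User logged in');
    }

    /**
     * Load the preferences of the given user from the configured preferences store
     *
     * Failures are logged and yield empty preferences; they never block the login.
     *
     * @param   User    $user
     *
     * @return  Preferences
     */
    private function loadPreferences(User $user)
    {
        $username = $user->getUsername();
        try {
            $config = Config::app();
        } catch (NotReadableError $e) {
            Logger::error(
                new IcingaException(
                    'Cannot load preferences for user "%s". An exception was thrown: %s',
                    $username,
                    $e
                )
            );
            $config = new Config();
        }

        if ($config->get('global', 'config_backend', 'ini') === 'none') {
            return new Preferences();
        }

        $preferencesConfig = new ConfigObject(array(
            'store'     => $config->get('global', 'config_backend', 'ini'),
            'resource'  => $config->get('global', 'config_resource')
        ));
        try {
            $preferencesStore = PreferencesStore::create($preferencesConfig, $user);
            return new Preferences($preferencesStore->load());
        } catch (Exception $e) {
            Logger::error(
                new IcingaException(
                    'Cannot load preferences for user "%s". An exception was thrown: %s',
                    $username,
                    $e
                )
            );
            return new Preferences();
        }
    }

    /**
     * Resolve the group memberships of the given user across all configured group backends
     *
     * Starts with the groups the user backend already reported and adds the memberships of every group
     * backend that is not bound to a different user backend. A failing backend is logged and skipped, i.e.
     * the user merely lacks the groups (and the roles derived from them) that backend would have granted.
     *
     * @param   User    $user
     *
     * @return  array   Group names; the groups added here are keyed by their name
     */
    private function loadGroups(User $user)
    {
        $username = $user->getUsername();
        $groups = $user->getGroups();
        $userBackendName = $user->getAdditional('backend_name');
        foreach (Config::app('groups') as $name => $groupConfig) {
            $groupsUserBackend = $groupConfig->user_backend;
            if ($groupsUserBackend
                && $groupsUserBackend !== 'none'
                && $userBackendName !== null
                && $groupsUserBackend !== $userBackendName
            ) {
                // Do not ask for Group membership if a specific User Backend
                // has been assigned to that Group Backend, and the user has
                // been authenticated by another User Backend
                continue;
            }

            try {
                $groupBackend = UserGroupBackend::create($name, $groupConfig);
                $groupsFromBackend = $groupBackend->getMemberships($user);
            } catch (Exception $e) {
                Logger::error(
                    'Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s',
                    $username,
                    $name,
                    $e
                );
                continue;
            }

            if (empty($groupsFromBackend)) {
                Logger::debug(
                    'No groups found in backend "%s" which the user "%s" is a member of.',
                    $name,
                    $username
                );
                continue;
            }

            $groupsFromBackend = array_values($groupsFromBackend);
            Logger::debug(
                'Groups found in backend "%s" for user "%s": %s',
                $name,
                $username,
                join(', ', $groupsFromBackend)
            );
            $groups = array_merge($groups, array_combine($groupsFromBackend, $groupsFromBackend));
        }

        return $groups;
    }

    /**
     * Getter for groups belonged to authenticated user
     *
     * Returns an empty list if no user is authenticated, consistent with getRestrictions() and
     * hasPermission(), instead of failing on a missing user.
     *
     * @return array
     * @see User::getGroups
     */
    public function getGroups()
    {
        if (! $this->isAuthenticated()) {
            return array();
        }

        return $this->user->getGroups();
    }

    /**
     * Get the request
     *
     * @return \Icinga\Web\Request
     */
    public function getRequest()
    {
        if ($this->request === null) {
            $this->request = Icinga::app()->getRequest();
        }

        return $this->request;
    }

    /**
     * Get the response
     *
     * @return \Icinga\Web\Response
     */
    public function getResponse()
    {
        if ($this->response === null) {
            $this->response = Icinga::app()->getResponse();
        }

        return $this->response;
    }

    /**
     * Get applied restrictions matching a given restriction name
     *
     * Returns a list of applied restrictions, empty if no user is
     * authenticated
     *
     * @param string $restriction Restriction name
     * @return array
     */
    public function getRestrictions($restriction)
    {
        if (! $this->isAuthenticated()) {
            return array();
        }

        return $this->user->getRestrictions($restriction);
    }

    /**
     * Returns the current user or null if no user is authenticated
     *
     * Unlike isAuthenticated() this does not consult the session or the external backends.
     *
     * @return User
     */
    public function getUser()
    {
        return $this->user;
    }

    /**
     * Try to authenticate the user with the current session
     *
     * Authentication for externally-authenticated users will be revoked if the username changed or external
     * authentication is no longer in effect: the username the web server reports for this request must still
     * equal the one the session was established with, otherwise the session is purged.
     */
    public function authenticateFromSession()
    {
        $this->user = Session::getSession()->get('user');
        if ($this->user === null || ! $this->user->isExternalUser()) {
            return;
        }

        list($originUsername, $field) = $this->user->getExternalUserInformation();
        $currentUsername = ExternalBackend::getRemoteUser($field);
        if ($currentUsername === null || $currentUsername !== $originUsername) {
            // Either the web server no longer authenticates this request or it now authenticates someone else
            $this->removeAuthorization();
        }
    }

    /**
     * Attempt to authenticate a user from external user backends
     *
     * The first external backend in the auth chain that accepts the request wins; on success the user is
     * marked as authenticated and persisted in the session.
     *
     * @return bool
     */
    protected function authExternal()
    {
        $user = new User('');
        foreach ($this->getAuthChain() as $userBackend) {
            if (! $userBackend instanceof ExternalBackend) {
                continue;
            }

            if (! $userBackend->authenticate($user)) {
                continue;
            }

            if (! $user->hasDomain()) {
                $user->setDomain(Config::app()->get('authentication', 'default_domain'));
            }

            $this->setAuthenticated($user);
            return true;
        }

        return false;
    }

    /**
     * Attempt to authenticate a user using HTTP authentication on API requests only
     *
     * Supports only the Basic HTTP authentication scheme. XHR will be ignored. A successfully authenticated
     * user is valid for this request only and is not written to the session. Malformed headers, malformed
     * base64 and empty usernames or passwords are rejected.
     *
     * @return bool
     */
    public function authHttp()
    {
        $request = $this->getRequest();
        $header = $request->getHeader('Authorization');
        if (empty($header)) {
            return false;
        }

        $parts = explode(' ', $header, 2);
        // The auth-scheme token is case-insensitive (RFC 7235/7617)
        if (strcasecmp($parts[0], 'Basic') !== 0 || ! isset($parts[1])) {
            return false;
        }

        // Strict decoding rejects anything outside the base64 alphabet instead of silently discarding it
        $credentials = base64_decode(trim($parts[1]), true);
        if ($credentials === false) {
            return false;
        }

        $credentials = explode(':', $credentials, 2);
        // Deny empty username and/or password. Compared with '' explicitly: a username or password
        // of '0' is falsy in PHP and must not be treated as empty
        if (count($credentials) !== 2 || $credentials[0] === '' || $credentials[1] === '') {
            return false;
        }

        $user = new User($credentials[0]);
        if (! $user->hasDomain()) {
            $user->setDomain(Config::app()->get('authentication', 'default_domain'));
        }

        $password = $credentials[1];
        // External backends are skipped so that only the presented credentials decide the outcome
        if ($this->getAuthChain()->setSkipExternalBackends(true)->authenticate($user, $password)) {
            $this->setAuthenticated($user, false);
            $user->setIsHttpUser(true);
            return true;
        }

        return false;
    }

    /**
     * Challenge client immediately for HTTP authentication
     *
     * Sends the response w/ the 401 Unauthorized status code and WWW-Authenticate header and terminates the
     * request; this method never returns.
     */
    public function challengeHttp()
    {
        $response = $this->getResponse();
        $response->setHttpResponseCode(401);
        $response->setHeader('WWW-Authenticate', 'Basic realm="Icinga Web 2"');
        $response->sendHeaders();
        exit();
    }

    /**
     * Whether an authenticated user has a given permission
     *
     * @param string $permission Permission name
     *
     * @return bool True if the user owns the given permission, false if not or if not authenticated
     */
    public function hasPermission($permission)
    {
        if (! $this->isAuthenticated()) {
            return false;
        }

        return $this->user->can($permission);
    }

    /**
     * Writes the current user to the session
     *
     * Sets the 'icingaweb2-session' cookie to the current timestamp with the same scope (path, domain,
     * secure, httponly) as the PHP session cookie, stores the user and refreshes the session id. Refreshing
     * the id on login is the session-fixation defence: a session id known before authentication must not
     * remain valid afterwards. Do not drop it.
     */
    public function persistCurrentUser()
    {
        // @TODO(el): https://dev.icinga.com/issues/10646
        $params = session_get_cookie_params();
        setcookie(
            'icingaweb2-session',
            time(),
            null,
            $params['path'],
            $params['domain'],
            $params['secure'],
            $params['httponly']
        );
        Session::getSession()->set('user', $this->user)->refreshId();
    }

    /**
     * Purges the current authorization information and session
     *
     * Also called from authenticateFromSession() when an external user's identity no longer matches, so a
     * 'logout' audit entry may be written without a preceding interactive logout.
     */
    public function removeAuthorization()
    {
        AuditHook::logActivity('logout', 'User logged out');
        $this->user = null;
        Session::getSession()->purge();
    }
}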