icingaweb2/library/Icinga/Authentication/User/ExternalBackend.php

<?php
/* Icinga Web 2 | (c) 2014 Icinga Development Team | GPLv2+ */

namespace Icinga\Authentication\User;

use Icinga\Data\ConfigObject;
use Icinga\User;

/**
 * Test login with external authentication mechanism, e.g. Apache
 */
class ExternalBackend implements UserBackendInterface
{
    /**
     * The name of this backend
     *
     * @var string
     */
    protected $name;

    /**
     * Regexp expression to strip values from a username
     *
     * @var string
     */
    protected $stripUsernameRegexp;

    /**
     * The name variable where to read the user from
     *
     * @var string|null
     */
    protected $usernameEnvvar;

    /**
     * Create new authentication backend of type "external"
     *
     * @param ConfigObject $config
     */
    public function __construct(ConfigObject $config)
    {
        $this->stripUsernameRegexp = $config->get('strip_username_regexp');
        $this->usernameEnvvar = $config->get('username_envvar');
    }

    /**
     * {@inheritdoc}
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * {@inheritdoc}
     */
    public function setName($name)
    {
        $this->name = $name;
        return $this;
    }

    /**
     * Get the remote user from environment or $_SERVER, if any
     *
     * @param   string|null $variable   The name variable where to read the user from
     *
     * @return  string|null
     */
    public static function getRemoteUser($variable = 'REMOTE_USER')
    {
        foreach (($variable === null ? array('REMOTE_USER', 'REDIRECT_REMOTE_USER') : array($variable)) as $variable) {
            $username = getenv($variable);
            if ($username !== false) {
                return $username;
            }
            if (array_key_exists($variable, $_SERVER)) {
                return $_SERVER[$variable];
            }
        }
        return null;
    }


    /**
     * {@inheritdoc}
     */
    public function authenticate(User $user, $password = null)
    {
        $username = static::getRemoteUser($this->usernameEnvvar);
        if ($username !== null) {
            $user->setExternalUserInformation($username, $this->usernameEnvvar);

            if ($this->stripUsernameRegexp) {
                $stripped = preg_replace($this->stripUsernameRegexp, '', $username);
                if ($stripped !== false) {
                    // TODO(el): PHP issues a warning when PHP cannot compile the regular expression. Should we log an
                    // additional message in that case?
                    $username = $stripped;
                }
            }

            $user->setUsername($username);
            return true;
        }

        return false;
    }
}
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`<?php`
Change all license headers to only reflect a file's year of creation refs #11000 2016-02-08 15:41:00 +01:00			`/* Icinga Web 2 \| (c) 2014 Icinga Development Team \| GPLv2+ */`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00
Move concrete UserBackend classes to Icinga\Authentication\User refs #8826 2015-04-21 12:51:31 +02:00			`namespace Icinga\Authentication\User;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 13:11:52 +01:00			`use Icinga\Data\ConfigObject;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`use Icinga\User;`

			`/**`
			`* Test login with external authentication mechanism, e.g. Apache`
			`*/`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`class ExternalBackend implements UserBackendInterface`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`{`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`/**`
			`* The name of this backend`
			`*`
			`* @var string`
			`*/`
			`protected $name;`

Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`/**`
			`* Regexp expression to strip values from a username`
			`*`
			`* @var string`
			`*/`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`protected $stripUsernameRegexp;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00
ExternalBackend: don't reference more than necessary from the config refs #12164 2016-10-18 10:17:21 +02:00			`/**`
			`* The name variable where to read the user from`
			`*`
			`* @var string\|null`
			`*/`
			`protected $usernameEnvvar;`

Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`/**`
Rename authentication type "autologin" to "external" refs #8274 2015-01-27 09:49:36 +01:00			`* Create new authentication backend of type "external"`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`*`
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 13:11:52 +01:00			`* @param ConfigObject $config`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`*/`
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 13:11:52 +01:00			`public function __construct(ConfigObject $config)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`{`
			`$this->stripUsernameRegexp = $config->get('strip_username_regexp');`
ExternalBackend: don't reference more than necessary from the config refs #12164 2016-10-18 10:17:21 +02:00			`$this->usernameEnvvar = $config->get('username_envvar');`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`}`

			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 15:46:40 +02:00			`* {@inheritdoc}`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`*/`
lib: Move getters before setters in ExternalBackend 2016-04-11 10:57:01 +02:00			`public function getName()`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`{`
lib: Move getters before setters in ExternalBackend 2016-04-11 10:57:01 +02:00			`return $this->name;`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 12:15:50 +02:00			`}`

			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 15:46:40 +02:00			`* {@inheritdoc}`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`*/`
lib: Move getters before setters in ExternalBackend 2016-04-11 10:57:01 +02:00			`public function setName($name)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`{`
lib: Move getters before setters in ExternalBackend 2016-04-11 10:57:01 +02:00			`$this->name = $name;`
			`return $this;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`}`

lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 14:01:36 +02:00			`/**`
			`* Get the remote user from environment or $_SERVER, if any`
			`*`
External authentication: respect REDIRECT_REMOTE_USER as well refs #12164 2016-10-17 16:19:26 +02:00			`* @param string\|null $variable The name variable where to read the user from`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 14:01:36 +02:00			`*`
			`* @return string\|null`
			`*/`
			`public static function getRemoteUser($variable = 'REMOTE_USER')`
			`{`
External authentication: respect REDIRECT_REMOTE_USER as well refs #12164 2016-10-17 16:19:26 +02:00			`foreach (($variable === null ? array('REMOTE_USER', 'REDIRECT_REMOTE_USER') : array($variable)) as $variable) {`
			`$username = getenv($variable);`
			`if ($username !== false) {`
			`return $username;`
			`}`
			`if (array_key_exists($variable, $_SERVER)) {`
			`return $_SERVER[$variable];`
			`}`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 14:01:36 +02:00			`}`
			`return null;`
			`}`

lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 15:46:40 +02:00
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 15:46:40 +02:00			`* {@inheritdoc}`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`*/`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 13:15:06 +02:00			`public function authenticate(User $user, $password = null)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`{`
ExternalBackend: don't reference more than necessary from the config refs #12164 2016-10-18 10:17:21 +02:00			`$username = static::getRemoteUser($this->usernameEnvvar);`
Get remote user from $_SERVER if env does not have it in external auth refs #11391 2016-04-11 14:07:44 +02:00			`if ($username !== null) {`
ExternalBackend: don't reference more than necessary from the config refs #12164 2016-10-18 10:17:21 +02:00			`$user->setExternalUserInformation($username, $this->usernameEnvvar);`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 13:15:06 +02:00
Make regular expression pattern in autologin backend being fully optional 2014-10-20 15:14:14 +02:00			`if ($this->stripUsernameRegexp) {`
Autologin: Actually set the username upon authentication Before, when using autologin the username of the authenticated user always was the empty string. 2014-06-11 15:27:36 +02:00			`$stripped = preg_replace($this->stripUsernameRegexp, '', $username);`
			`if ($stripped !== false) {`
			`// TODO(el): PHP issues a warning when PHP cannot compile the regular expression. Should we log an`
			`// additional message in that case?`
			`$username = $stripped;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`}`
			`}`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 13:15:06 +02:00
Autologin: Actually set the username upon authentication Before, when using autologin the username of the authenticated user always was the empty string. 2014-06-11 15:27:36 +02:00			`$user->setUsername($username);`
			`return true;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 17:59:22 +02:00			`}`

			`return false;`
			`}`
			`}`