Auth: Log and notify user about authentication backend errors

refs #5685
Eric Lippmann 2014-06-02 15:47:21 +02:00
parent 2274b6e11e
commit 086e2b6197
1 changed files with 23 additions and 16 deletions


@ -36,6 +36,7 @@ use Icinga\Form\Authentication\LoginForm;
use Icinga\Authentication\AuthChain; use Icinga\Authentication\AuthChain;
use Icinga\Application\Config; use Icinga\Application\Config;
use Icinga\Logger\Logger; use Icinga\Logger\Logger;
use Icinga\Exception\AuthenticationException;
use Icinga\Exception\NotReadableError; use Icinga\Exception\NotReadableError;
use Icinga\Exception\ConfigurationError; use Icinga\Exception\ConfigurationError;
use Icinga\User; use Icinga\User;
@ -83,39 +84,45 @@ class AuthenticationController extends ActionController
); );
throw new ConfigurationError( throw new ConfigurationError(
'No authentication methods available. It seems that none authentication method has been set' 'No authentication methods available. It seems that none authentication method has been set'
. ' up. Please contact your Icinga Web administrator' . ' up. Please check the system log or Icinga Web 2 log for more information'
); );
} }
$user = new User($this->view->form->getValue('username')); $user = new User($this->view->form->getValue('username'));
$password = $this->view->form->getValue('password'); $password = $this->view->form->getValue('password');
// TODO(el): Currently the user is only notified about authentication backend problems when all backends
// have errors. It may be the case that the authentication backend which provides the user has errors
// but other authentication backends work. In that scenario the user is presented an error message
// saying "Incorrect username or password". We must inform the user that not all authentication methods
// are available.
$backendsTried = 0; $backendsTried = 0;
$backendsWithError = 0; $backendsWithError = 0;
$chain = new AuthChain($config); $chain = new AuthChain($config);
foreach ($chain as $backend) { foreach ($chain as $backend) {
++$backendsTried;
try {
$authenticated = $backend->authenticate($user, $password); $authenticated = $backend->authenticate($user, $password);
} catch (AuthenticationException $e) {
Logger::error($e);
++$backendsWithError;
continue;
}
if ($authenticated === true) { if ($authenticated === true) {
$auth->setAuthenticated($user); $auth->setAuthenticated($user);
$this->redirectNow($redirectUrl); $this->redirectNow($redirectUrl);
} elseif ($authenticated === null) {
$backendsWithError += 1;
} }
$backendsTried += 1;
} }
if ($backendsWithError === $backendsTried) { if ($backendsWithError === $backendsTried) {
throw new ConfigurationError( throw new ConfigurationError(
$this->translate(
'No authentication methods available. It seems that all set up authentication methods have' 'No authentication methods available. It seems that all set up authentication methods have'
. ' errors. Please contact your Icinga Web administrator' . ' errors. Please check the system log or Icinga Web 2 log for more information'
)
); );
} }
if ($backendsWithError) {
$this->view->form->getElement('password')->addError(t('Incorrect username or password')); $this->view->form->addNote(
$this->translate(
'Note that not all authentication backends are available for authentication because they'
. ' have errors. Please check the system log or Icinga Web 2 log for more information'
)
);
}
$this->view->form->getElement('password')->addError($this->translate('Incorrect username or password'));
} }
} catch (Exception $e) { } catch (Exception $e) {
$this->view->errorInfo = $e->getMessage(); $this->view->errorInfo = $e->getMessage();
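Review bot: In the `foreach ($chain as $backend)` loop only `AuthenticationException` is counted as a backend error, and the old `elseif ($authenticated === null)` branch is gone, so a backend that still returns `null` on failure is now treated like a wrong password and never reaches `$backendsWithError`. Any other exception type thrown from `authenticate()` would skip the remaining backends and presumably land in the outer `catch (Exception $e)`, whose `$e->getMessage()` is assigned to the view for a visitor who has not authenticated yet. I would confirm that every backend wraps its failures in `AuthenticationException`, or keep a guard after the try block such as `if ($authenticated === null) { ++$backendsWithError; continue; }`. The new form note also tells anyone who fails a login that some backends are broken; consider keeping that detail in the log only and showing the generic "Incorrect username or password" message. The action method starts and ends outside this hunk, so the scope of the outer try is inferred from the visible `catch`.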