From 2b060d9bd42bba8a4cb89bb81d7455643e973fb1 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Mon, 7 Nov 2016 10:40:38 +0100
Subject: [PATCH] Challenge API requests only if the controller requires auth

fixes #12580
---
 library/Icinga/Application/Web.php      |  4 +++
 library/Icinga/Authentication/Auth.php  | 33 +++++++++++--------
 .../Web/Controller/ActionController.php | 16 ++++++---
 3 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/library/Icinga/Application/Web.php b/library/Icinga/Application/Web.php
index df5cbf729..1d8097af1 100644
--- a/library/Icinga/Application/Web.php
+++ b/library/Icinga/Application/Web.php
@@ -411,6 +411,10 @@ class Web extends EmbeddedWeb
     private function setupUser()
     {
         $auth = Auth::getInstance();
+        $auth->authenticate();
+        if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
+            $auth->authHttp();
+        }
         if ($auth->isAuthenticated()) {
             $user = $auth->getUser();
             $this->getRequest()->setUser($user);
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 814f1366e..498495997 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -79,23 +79,31 @@ class Auth
     }
 
     /**
-     * Whether the user is authenticated
-     *
-     * @param bool $ignoreSession True to prevent session authentication
+     * Authenticate the user
      *
      * @return bool
      */
-    public function isAuthenticated($ignoreSession = false)
+    public function authenticate()
     {
-        if ($this->user === null && ! $ignoreSession) {
+        if ($this->user === null) {
             $this->authenticateFromSession();
         }
         if ($this->user === null && ! $this->authExternal()) {
-            return $this->authHttp();
+            return false;
         }
         return true;
     }
 
+    /**
+     * Get whether the user is authenticated
+     *
+     * @return bool
+     */
+    public function isAuthenticated()
+    {
+        return $this->user !== null;
+    }
+
     public function setAuthenticated(User $user, $persist = true)
     {
         $username = $user->getUsername();
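Review bot: The predicate `! $this->request->isXmlHttpRequest() && $this->request->isApiRequest()` added to setupUser() is the same test that ActionController repeats before calling challengeHttp() in the @@ -124 hunk, and it is also the guard that authHttp() used to enforce for itself; three copies of one security-relevant condition will drift apart. Give it a single home — a small helper on the request object used by both call sites, or keep the early `return false` inside authHttp() as well. Within this method the request is read as `$this->request` on the new lines and as `$this->getRequest()` two lines below; use one form. The return value of `$auth->authHttp()` is discarded, which only works because isAuthenticated() is re-checked on the following line; a comment such as `// Evaluate Basic credentials if offered; no 401 here — controllers that require login issue the challenge` would record that intent for the next reader.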
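Review bot: isAuthenticated() loses its `$ignoreSession` parameter, but PHP ignores surplus arguments to user-defined methods, so any remaining caller of `isAuthenticated(true)` will keep running and now get the session-backed answer instead of bypassing the session; the callers should be checked for that argument before this is merged. The new authenticate() docblock says only "Authenticate the user", yet its behaviour — session first, then external auth, and no longer HTTP basic auth — is exactly what this commit changes and should be stated, e.g. `Authenticate from the session, then via external authentication. HTTP basic auth is not attempted here; see authHttp().`, with the `@return bool` described as whether a user is set afterwards.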
@@ -275,15 +283,12 @@ class Auth
      *
      * @return bool
      */
-    protected function authHttp()
+    public function authHttp()
     {
         $request = $this->getRequest();
-        if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
-            return false;
-        }
         $header = $request->getHeader('Authorization');
         if (empty($header)) {
-            $this->challengeHttp();
+            return false;
         }
         list($scheme) = explode(' ', $header, 2);
         if ($scheme !== 'Basic') {
@@ -294,7 +299,7 @@ class Auth
         $credentials = array_filter(explode(':', $credentials, 2));
         if (count($credentials) !== 2) {
             // Deny empty username and/or password
-            $this->challengeHttp();
+            return false;
         }
         $user = new User($credentials[0]);
         $password = $credentials[1];
@@ -303,7 +308,7 @@ class Auth
             $user->setIsHttpUser(true);
             return true;
         } else {
-            $this->challengeHttp();
+            return false;
         }
     }
 
@@ -312,7 +317,7 @@ class Auth
      *
      * Sends the response w/ the 401 Unauthorized status code and WWW-Authenticate header.
      */
-    protected function challengeHttp()
+    public function challengeHttp()
     {
         $response = $this->getResponse();
         $response->setHttpResponseCode(401);
diff --git a/library/Icinga/Web/Controller/ActionController.php b/library/Icinga/Web/Controller/ActionController.php
index 655a85aca..c6030b079 100644
--- a/library/Icinga/Web/Controller/ActionController.php
+++ b/library/Icinga/Web/Controller/ActionController.php
@@ -99,6 +99,8 @@ class ActionController extends Zend_Controller_Action
         Zend_Controller_Response_Abstract $response,
         array $invokeArgs = array()
     ) {
+        /** @var \Icinga\Web\Request $request */
+        /** @var \Icinga\Web\Response $response */
         $this->params = UrlParams::fromQueryString();
         $this->setRequest($request)
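Review bot: The removed guard `if ($request->isXmlHttpRequest() || ! $request->isApiRequest())` was the only check inside Auth that kept HTTP basic credentials from being evaluated on ordinary browser requests; with authHttp() now public, that responsibility rests entirely on the caller in Web::setupUser(). Either keep the early return here (cheap, and the callers' own checks still hold) or state the precondition in the docblock, e.g. `Caller must ensure this is a non-XHR API request. No 401 challenge is sent; returns false and leaves that decision to the caller.` The same challengeHttp()-to-`return false` replacement appears in the @@ -294 and @@ -303 hunks. The `$scheme !== 'Basic'` branch starts on the last line of this hunk and its body lies between this hunk and @@ -294; if it still calls challengeHttp() rather than returning false, an unsupported scheme is challenged even for controllers that do not require login, contrary to the commit's intent, so that branch is worth confirming. In @@ -303 the `else` after `return true;` can be dropped now that both branches return.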
@@ -124,7 +126,11 @@ class ActionController extends Zend_Controller_Action
             $this->_helper->layout()->disableLayout();
         }
 
+        // $auth->authenticate($request, $response, $this->requiresLogin());
         if ($this->requiresLogin()) {
+            if (! $request->isXmlHttpRequest() && $request->isApiRequest()) {
+                Auth::getInstance()->challengeHttp();
+            }
             $this->redirectToLogin(Url::fromRequest());
         }
 
@@ -255,8 +261,9 @@ class ActionController extends Zend_Controller_Action
     /**
      * Return restriction information for an eventually authenticated user
      *
-     * @param string $name Permission name
-     * @return Array
+     * @param string $name Restriction name
+     *
+     * @return array
      */
     public function getRestrictions($name)
     {
@@ -268,15 +275,14 @@ class ActionController extends Zend_Controller_Action
      * user is currently not authenticated
      *
      * @return bool
-     * @see requiresAuthentication
      */
     protected function requiresLogin()
     {
-        if (!$this->requiresAuthentication) {
+        if (! $this->requiresAuthentication) {
             return false;
         }
 
-        return !$this->Auth()->isAuthenticated();
+        return ! $this->Auth()->isAuthenticated();
     }
 
     /**
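Review bot: `Auth::getInstance()->challengeHttp()` is followed unconditionally by `$this->redirectToLogin(Url::fromRequest())`; unless challengeHttp() sends the response and ends the request (its body beyond `setHttpResponseCode(401)` is not in this diff), the redirect turns the intended 401 into a 302 for API clients, so an explicit `return;` after the challenge, or an `else` around the redirect, makes the flow independent of that assumption. The commented-out line `// $auth->authenticate($request, $response, $this->requiresLogin());` refers to a signature that does not exist in this commit and should be deleted rather than left as dead code. `$request` is declared as Zend_Controller_Request_Abstract in the signature shown in the @@ -99 hunk, while `isApiRequest()` belongs to the Icinga request class; the added `@var` annotation documents that but does not enforce it. The enclosing method begins in the @@ -99 hunk and ends outside this one.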