Challenge API requests only if the controller requires auth

fixes #12580
Eric Lippmann 2016-11-07 10:40:38 +01:00
parent 1045d91389
commit 2b060d9bd4
3 changed files with 34 additions and 19 deletions


@ -411,6 +411,10 @@ class Web extends EmbeddedWeb
private function setupUser() private function setupUser()
{ {
$auth = Auth::getInstance(); $auth = Auth::getInstance();
$auth->authenticate();
if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
$auth->authHttp();
}
if ($auth->isAuthenticated()) { if ($auth->isAuthenticated()) {
$user = $auth->getUser(); $user = $auth->getUser();
$this->getRequest()->setUser($user); $this->getRequest()->setUser($user);
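Review bot: The return value of `$auth->authHttp()` in the added block is discarded, so a request that does carry an Authorization header with wrong credentials simply continues as anonymous and, unless the controller later reports requiresLogin(), is answered 200 instead of 401. Supplied-but-rejected credentials are a different case from no credentials at all and should arguably always be challenged; consider `if (! $auth->authHttp() && $this->request->getHeader('Authorization')) { $auth->challengeHttp(); }`, or at minimum log the failed Basic attempt so brute-force activity against the API endpoints is visible. That `getHeader('Authorization')` is usable on this request object is inferred from Auth::authHttp calling it on the same request type. setupUser's body continues outside the hunk.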


@ -79,23 +79,31 @@ class Auth
} }
/** /**
* Whether the user is authenticated * Authenticate the user
*
* @param bool $ignoreSession True to prevent session authentication
* *
* @return bool * @return bool
*/ */
public function isAuthenticated($ignoreSession = false) public function authenticate()
{ {
if ($this->user === null && ! $ignoreSession) { if ($this->user === null) {
$this->authenticateFromSession(); $this->authenticateFromSession();
} }
if ($this->user === null && ! $this->authExternal()) { if ($this->user === null && ! $this->authExternal()) {
return $this->authHttp(); return false;
} }
return true; return true;
} }
/**
* Get whether the user is authenticated
*
* @return bool
*/
public function isAuthenticated()
{
return $this->user !== null;
}
public function setAuthenticated(User $user, $persist = true) public function setAuthenticated(User $user, $persist = true)
{ {
$username = $user->getUsername(); $username = $user->getUsername();
@ -275,15 +283,12 @@ class Auth
* *
* @return bool * @return bool
*/ */
protected function authHttp() public function authHttp()
{ {
$request = $this->getRequest(); $request = $this->getRequest();
if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
return false;
}
$header = $request->getHeader('Authorization'); $header = $request->getHeader('Authorization');
if (empty($header)) { if (empty($header)) {
$this->challengeHttp(); return false;
} }
list($scheme) = explode(' ', $header, 2); list($scheme) = explode(' ', $header, 2);
if ($scheme !== 'Basic') { if ($scheme !== 'Basic') {
@ -294,7 +299,7 @@ class Auth
$credentials = array_filter(explode(':', $credentials, 2)); $credentials = array_filter(explode(':', $credentials, 2));
if (count($credentials) !== 2) { if (count($credentials) !== 2) {
// Deny empty username and/or password // Deny empty username and/or password
$this->challengeHttp(); return false;
} }
$user = new User($credentials[0]); $user = new User($credentials[0]);
$password = $credentials[1]; $password = $credentials[1];
@ -303,7 +308,7 @@ class Auth
$user->setIsHttpUser(true); $user->setIsHttpUser(true);
return true; return true;
} else { } else {
$this->challengeHttp(); return false;
} }
} }
@ -312,7 +317,7 @@ class Auth
* *
* Sends the response w/ the 401 Unauthorized status code and WWW-Authenticate header. * Sends the response w/ the 401 Unauthorized status code and WWW-Authenticate header.
*/ */
protected function challengeHttp() public function challengeHttp()
{ {
$response = $this->getResponse(); $response = $this->getResponse();
$response->setHttpResponseCode(401); $response->setHttpResponseCode(401);
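Review bot: The request-type guard removed from authHttp() (the XHR/API check) is now enforced only by the caller in Web::setupUser, while authHttp() itself became public; any other caller will evaluate Basic credentials for ordinary browser requests as well, which is exactly what the old in-method guard prevented. Either keep a defensive check inside the method or state the precondition in its docblock, e.g. `* Callers must only invoke this for non-XHR API requests; the Authorization header is evaluated unconditionally.`. Since the method now returns false instead of challenging, the `@return bool` line should also say that false covers both "no header" and "rejected credentials", so callers know that sending the 401 is their responsibility. Separately, the unchanged `array_filter(explode(':', $credentials, 2))` still discards a username or password of `'0'`, so such credentials are rejected as empty.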


@ -99,6 +99,8 @@ class ActionController extends Zend_Controller_Action
Zend_Controller_Response_Abstract $response, Zend_Controller_Response_Abstract $response,
array $invokeArgs = array() array $invokeArgs = array()
) { ) {
/** @var \Icinga\Web\Request $request */
/** @var \Icinga\Web\Response $response */
$this->params = UrlParams::fromQueryString(); $this->params = UrlParams::fromQueryString();
$this->setRequest($request) $this->setRequest($request)
@ -124,7 +126,11 @@ class ActionController extends Zend_Controller_Action
$this->_helper->layout()->disableLayout(); $this->_helper->layout()->disableLayout();
} }
// $auth->authenticate($request, $response, $this->requiresLogin());
if ($this->requiresLogin()) { if ($this->requiresLogin()) {
if (! $request->isXmlHttpRequest() && $request->isApiRequest()) {
Auth::getInstance()->challengeHttp();
}
$this->redirectToLogin(Url::fromRequest()); $this->redirectToLogin(Url::fromRequest());
} }
@ -255,8 +261,9 @@ class ActionController extends Zend_Controller_Action
/** /**
* Return restriction information for an eventually authenticated user * Return restriction information for an eventually authenticated user
* *
* @param string $name Permission name * @param string $name Restriction name
* @return Array *
* @return array
*/ */
public function getRestrictions($name) public function getRestrictions($name)
{ {
@ -268,7 +275,6 @@ class ActionController extends Zend_Controller_Action
* user is currently not authenticated * user is currently not authenticated
* *
* @return bool * @return bool
* @see requiresAuthentication
*/ */
protected function requiresLogin() protected function requiresLogin()
{ {
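Review bot: In the requiresLogin() branch, `Auth::getInstance()->challengeHttp()` is followed by `$this->redirectToLogin(...)` with no return; unless challengeHttp() terminates the request (its body is not on this page, though the pre-change authHttp fell through after calling it, which suggests it does exit), the 302 to the login page overwrites the 401 and the WWW-Authenticate header for API clients. Make the outcome explicit at the call site rather than relying on that behaviour: `Auth::getInstance()->challengeHttp(); return;`. `Auth` is referenced by its short name here; confirm the corresponding `use` import exists in ActionController, since the file header is not in view.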