Challenge API requests only if the controller requires auth

fixes #12580
2016-11-07 10:40:38 +01:00 · 2016-11-07 10:40:38 +01:00 · 2b060d9bd4
parent 1045d91389
commit 2b060d9bd4
3 changed files with 34 additions and 19 deletions
--- a/library/Icinga/Application/Web.php
+++ b/library/Icinga/Application/Web.php
@ -411,6 +411,10 @@ class Web extends EmbeddedWeb
    private function setupUser()
    {
        $auth = Auth::getInstance();
+        $auth->authenticate();
+        if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
+            $auth->authHttp();
+        }
        if ($auth->isAuthenticated()) {
            $user = $auth->getUser();
            $this->getRequest()->setUser($user);
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -79,23 +79,31 @@ class Auth
    }

    /**
-     * Whether the user is authenticated
-     *
-     * @param  bool $ignoreSession True to prevent session authentication
+     * Authenticate the user
     *
     * @return bool
     */
-    public function isAuthenticated($ignoreSession = false)
+    public function authenticate()
    {
-        if ($this->user === null && ! $ignoreSession) {
+        if ($this->user === null) {
            $this->authenticateFromSession();
        }
        if ($this->user === null && ! $this->authExternal()) {
-            return $this->authHttp();
+            return false;
        }
        return true;
    }

+    /**
+     * Get whether the user is authenticated
+     *
+     * @return bool
+     */
+    public function isAuthenticated()
+    {
+        return $this->user !== null;
+    }
+
    public function setAuthenticated(User $user, $persist = true)
    {
        $username = $user->getUsername();
@ -275,15 +283,12 @@ class Auth
     *
     * @return bool
     */
-    protected function authHttp()
+    public function authHttp()
    {
        $request = $this->getRequest();
-        if ($request->isXmlHttpRequest() || ! $request->isApiRequest()) {
-            return false;
-        }
        $header = $request->getHeader('Authorization');
        if (empty($header)) {
-            $this->challengeHttp();
+            return false;
        }
        list($scheme) = explode(' ', $header, 2);
        if ($scheme !== 'Basic') {
@ -294,7 +299,7 @@ class Auth
        $credentials = array_filter(explode(':', $credentials, 2));
        if (count($credentials) !== 2) {
            // Deny empty username and/or password
-            $this->challengeHttp();
+            return false;
        }
        $user = new User($credentials[0]);
        $password = $credentials[1];
@ -303,7 +308,7 @@ class Auth
            $user->setIsHttpUser(true);
            return true;
        } else {
-            $this->challengeHttp();
+            return false;
        }
    }

@ -312,7 +317,7 @@ class Auth
     *
     * Sends the response w/ the 401 Unauthorized status code and WWW-Authenticate header.
     */
-    protected function challengeHttp()
+    public function challengeHttp()
    {
        $response = $this->getResponse();
        $response->setHttpResponseCode(401);
--- a/library/Icinga/Web/Controller/ActionController.php
+++ b/library/Icinga/Web/Controller/ActionController.php
@ -99,6 +99,8 @@ class ActionController extends Zend_Controller_Action
        Zend_Controller_Response_Abstract $response,
        array $invokeArgs = array()
    ) {
+        /** @var \Icinga\Web\Request $request */
+        /** @var \Icinga\Web\Response $response */
        $this->params = UrlParams::fromQueryString();

        $this->setRequest($request)
@ -124,7 +126,11 @@ class ActionController extends Zend_Controller_Action
            $this->_helper->layout()->disableLayout();
        }

+        // $auth->authenticate($request, $response, $this->requiresLogin());
        if ($this->requiresLogin()) {
+            if (! $request->isXmlHttpRequest() && $request->isApiRequest()) {
+                Auth::getInstance()->challengeHttp();
+            }
            $this->redirectToLogin(Url::fromRequest());
        }

@ -255,8 +261,9 @@ class ActionController extends Zend_Controller_Action
    /**
     * Return restriction information for an eventually authenticated user
     *
-     * @param  string  $name Permission name
-     * @return Array
+     * @param   string  $name   Restriction name
+     *
+     * @return  array
     */
    public function getRestrictions($name)
    {
@ -268,15 +275,14 @@ class ActionController extends Zend_Controller_Action
     * user is currently not authenticated
     *
     * @return  bool
-     * @see     requiresAuthentication
     */
    protected function requiresLogin()
    {
-        if (!$this->requiresAuthentication) {
+        if (! $this->requiresAuthentication) {
            return false;
        }

-        return !$this->Auth()->isAuthenticated();
+        return ! $this->Auth()->isAuthenticated();
    }

    /**