Decouple authentication backend creation from Icinga\Authentication\Manager
Add authentication backend type msldap with default values for user_class and user_name_attribute. Backend type ldap now logs an error when user_class and user_name_attribute ist not configured. Rename membership.ini to memberships.ini since all our INI configuration files are in the plurar where it makes sense. The AuthenticationController now handles authentication refs #5685 refs #5638 fixes #5218
This commit is contained in:
parent
25665dec24
commit
39c80dccaf
|
@ -1,11 +1,9 @@
|
|||
[internal_ldap_authentication]
|
||||
backend = ldap
|
||||
resource = internal_ldap
|
||||
; Object class of the user
|
||||
user_class = inetOrgPerson
|
||||
; ; Attribute name for username
|
||||
backend = ldap
|
||||
resource = internal_ldap
|
||||
user_class = inetOrgPerson
|
||||
user_name_attribute = uid
|
||||
|
||||
[internal_db_authentication]
|
||||
backend = db
|
||||
resource = "internal_db"
|
||||
backend = db
|
||||
resource = internal_db
|
||||
|
|
|
@ -30,11 +30,14 @@
|
|||
|
||||
# namespace Icinga\Application\Controllers;
|
||||
|
||||
use \Exception;
|
||||
use Icinga\Web\Controller\ActionController;
|
||||
use Icinga\Authentication\Credential;
|
||||
use Icinga\Authentication\Manager as AuthManager;
|
||||
use Icinga\Form\Authentication\LoginForm;
|
||||
use Icinga\Authentication\AuthChain;
|
||||
use Icinga\Application\Config;
|
||||
use Icinga\Exception\NotReadableError;
|
||||
use Icinga\Exception\ConfigurationError;
|
||||
use Icinga\User;
|
||||
|
||||
/**
|
||||
* Application wide controller for authentication
|
||||
|
@ -64,16 +67,52 @@ class AuthenticationController extends ActionController
|
|||
$this->redirectNow($redirectUrl);
|
||||
}
|
||||
if ($this->view->form->isSubmittedAndValid()) {
|
||||
$credentials = new Credential(
|
||||
$this->view->form->getValue('username'),
|
||||
$this->view->form->getValue('password')
|
||||
$user = new User(
|
||||
$this->view->form->getValue('username')
|
||||
);
|
||||
if (!$auth->authenticate($credentials)) {
|
||||
$this->view->form->getElement('password')
|
||||
->addError(t('Incorrect username or password'));
|
||||
} else {
|
||||
$this->redirectNow($redirectUrl);
|
||||
try {
|
||||
$config = Config::app('authentication');
|
||||
} catch (NotReadableError $e) {
|
||||
Logger::exception(
|
||||
new Exception('Cannot load authentication configuration. An exception was thrown:', 0, $e)
|
||||
);
|
||||
throw new ConfigurationError(
|
||||
'No authentication methods available. It seems that none authentication method has been set'
|
||||
. ' up. Please contact your Icinga Web administrator'
|
||||
);
|
||||
}
|
||||
$backendsWithError = 0;
|
||||
// TODO(el): Currently the user is only notified about authentication backend problems when all backends
|
||||
// have errors. It may be the case that the authentication backend which provides the user has errors
|
||||
// but other authentication backends work. In that scenario the user is presented an error message
|
||||
// saying "Incorrect username or password". We must inform the user that not all authentication methods
|
||||
// are available.
|
||||
$backendsTried = 0;
|
||||
$chain = new AuthChain($config);
|
||||
foreach ($chain as $backend) {
|
||||
++$backendsTried;
|
||||
try {
|
||||
if ($backend->authenticate($user, $this->view->form->getValue('password'))) {
|
||||
$auth->setAuthenticated($user);
|
||||
$this->redirectNow($redirectUrl);
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
Logger::exception(
|
||||
new Exception(
|
||||
'Cannot authenticate against backend "' . $backend->getName() . '".'
|
||||
. ' An exception was thrown:', 0, $e
|
||||
)
|
||||
);
|
||||
++$backendsWithError;
|
||||
}
|
||||
}
|
||||
if ($backendsWithError === $backendsTried) {
|
||||
throw new ConfigurationError(
|
||||
'No authentication methods available. It seems that all set up authentication methods have'
|
||||
. ' errors. Please contact your Icinga Web administrator'
|
||||
);
|
||||
}
|
||||
$this->view->form->getElement('password')->addError(t('Incorrect username or password'));
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
$this->view->errorInfo = $e->getMessage();
|
||||
|
|
|
@ -11,12 +11,10 @@
|
|||
@ldap_auth_disabled@
|
||||
backend = ldap
|
||||
resource = internal_ldap
|
||||
; Object class of the user
|
||||
user_class = @ldap_user_objectclass@
|
||||
; ; Attribute name for username
|
||||
user_name_attribute = @ldap_attribute_username@
|
||||
|
||||
[internal_db_authentication]
|
||||
@internal_auth_disabled@
|
||||
backend = db
|
||||
resource = "internal_db"
|
||||
resource = internal_db
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
namespace Icinga\Authentication;
|
||||
|
||||
use Icinga\Application\Config;
|
||||
use Icinga\Exception\NotReadableError;
|
||||
use Icinga\Util\String;
|
||||
|
||||
/**
|
||||
|
@ -70,7 +71,12 @@ class AdmissionLoader
|
|||
public function getPermissions($username, array $groups)
|
||||
{
|
||||
$permissions = array();
|
||||
foreach (Config::app('permissions') as $section) {
|
||||
try {
|
||||
$config = Config::app('permissions');
|
||||
} catch (NotReadableError $e) {
|
||||
return $permissions;
|
||||
}
|
||||
foreach ($config as $section) {
|
||||
if ($this->match($section, $username, $groups)) {
|
||||
foreach ($section as $key => $value) {
|
||||
if (strpos($key, 'permission') === 0) {
|
||||
|
@ -79,7 +85,6 @@ class AdmissionLoader
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $permissions;
|
||||
}
|
||||
|
||||
|
@ -94,15 +99,19 @@ class AdmissionLoader
|
|||
public function getRestrictions($username, array $groups)
|
||||
{
|
||||
$restrictions = array();
|
||||
foreach (Config::app('restrictions') as $section) {
|
||||
try {
|
||||
$config = Config::app('restrictions');
|
||||
} catch (NotReadableError $e) {
|
||||
return $restrictions;
|
||||
}
|
||||
foreach ($config as $section) {
|
||||
if ($this->match($section, $username, $groups)) {
|
||||
if (array_key_exists($section->name, $restrictions) === false) {
|
||||
if (!array_key_exists($section->name, $restrictions)) {
|
||||
$restrictions[$section->name] = array();
|
||||
}
|
||||
$restrictions[$section->name][] = $section->restriction;
|
||||
}
|
||||
}
|
||||
|
||||
return $restrictions;
|
||||
}
|
||||
}
|
||||
|
|
|
@ -0,0 +1,66 @@
|
|||
<?php
|
||||
|
||||
namespace Icinga\Authentication;
|
||||
|
||||
use Iterator;
|
||||
use Zend_Config;
|
||||
use Icinga\Application\Logger;
|
||||
use Icinga\Exception\ConfigurationError;
|
||||
|
||||
class AuthChain implements Iterator
|
||||
{
|
||||
private $config;
|
||||
|
||||
private $currentBackend;
|
||||
|
||||
public function __construct(Zend_Config $config)
|
||||
{
|
||||
$this->config = $config;
|
||||
}
|
||||
|
||||
public function rewind()
|
||||
{
|
||||
$this->config->rewind();
|
||||
}
|
||||
|
||||
public function current()
|
||||
{
|
||||
return $this->currentBackend;
|
||||
}
|
||||
|
||||
public function key()
|
||||
{
|
||||
return $this->config->key();
|
||||
}
|
||||
|
||||
public function next()
|
||||
{
|
||||
$this->config->next();
|
||||
}
|
||||
|
||||
public function valid()
|
||||
{
|
||||
if (!$this->config->valid()) {
|
||||
return false;
|
||||
}
|
||||
$backendConfig = $this->config->current();
|
||||
if ((bool) $backendConfig->get('disabled', false) === true) {
|
||||
$this->next();
|
||||
return $this->valid();
|
||||
}
|
||||
try {
|
||||
$name = $this->key();
|
||||
$backend = UserBackend::create($name, $backendConfig);
|
||||
} catch (ConfigurationError $e) {
|
||||
Logger::exception(
|
||||
new ConfigurationError(
|
||||
'Cannot create authentication backend "' . $name . '". An exception was thrown:', 0, $e
|
||||
)
|
||||
);
|
||||
$this->next();
|
||||
return $this->valid();
|
||||
}
|
||||
$this->currentBackend = $backend;
|
||||
return true;
|
||||
}
|
||||
}
|
|
@ -29,336 +29,98 @@
|
|||
|
||||
namespace Icinga\Authentication\Backend;
|
||||
|
||||
use \Exception;
|
||||
use \stdClass;
|
||||
use \Zend_Config;
|
||||
use \Zend_Db;
|
||||
use \Zend_Db_Adapter_Abstract;
|
||||
use \Icinga\Data\ResourceFactory;
|
||||
use \Icinga\User;
|
||||
use \Icinga\Authentication\UserBackend;
|
||||
use \Icinga\Authentication\Credential;
|
||||
use \Icinga\Authentication;
|
||||
use \Icinga\Application\Logger;
|
||||
use \Icinga\Exception\ProgrammingError;
|
||||
use \Icinga\Exception\ConfigurationError;
|
||||
use Exception;
|
||||
use Zend_Db_Expr;
|
||||
use Icinga\Authentication\UserBackend;
|
||||
use Icinga\Data\Db\Connection;
|
||||
use Icinga\User;
|
||||
|
||||
/**
|
||||
* User authentication backend (@see Icinga\Authentication\UserBackend) for
|
||||
* authentication of users via an SQL database. The credentials needed to access
|
||||
* the database are configurable via the application.ini
|
||||
*
|
||||
* See the UserBackend class (@see Icinga\Authentication\UserBackend) for
|
||||
* usage information
|
||||
*/
|
||||
class DbUserBackend implements UserBackend
|
||||
class DbUserBackend extends UserBackend
|
||||
{
|
||||
/**
|
||||
* The database connection that will be used for fetching users
|
||||
* Connection to the database
|
||||
*
|
||||
* @var Zend_Db
|
||||
* @var Connection
|
||||
*/
|
||||
private $db;
|
||||
private $conn;
|
||||
|
||||
/**
|
||||
* The name of the user table
|
||||
*
|
||||
* @var String
|
||||
*/
|
||||
private $userTable = 'account';
|
||||
|
||||
/**
|
||||
* Column name to identify active users
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $activeColumnName = 'active';
|
||||
|
||||
/**
|
||||
* Column name to fetch the password
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $passwordColumnName = 'password';
|
||||
|
||||
/**
|
||||
* Column name for password salt
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $saltColumnName = 'salt';
|
||||
|
||||
/**
|
||||
* Column name for user name
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $userColumnName = 'username';
|
||||
|
||||
/**
|
||||
* Column name of email
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $emailColumnName = null;
|
||||
|
||||
/**
|
||||
* Name of the backend
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $name;
|
||||
|
||||
/**
|
||||
* Create a new DbUserBackend
|
||||
*
|
||||
* @param Zend_Config $config The configuration for this authentication backend.
|
||||
* 'resource' => The name of the resource to use, or an actual
|
||||
* instance of Zend_Db_Adapter_Abstract
|
||||
* 'name' => The name of this authentication backend
|
||||
*
|
||||
* @throws ConfigurationError When the given resource does not exist.
|
||||
*/
|
||||
public function __construct(Zend_Config $config)
|
||||
public function __construct(Connection $conn)
|
||||
{
|
||||
if (!isset($config->resource)) {
|
||||
throw new ConfigurationError('An authentication backend must provide a resource.');
|
||||
$this->conn = $conn;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether the given user exists
|
||||
*
|
||||
* @param User $user
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function hasUser(User $user)
|
||||
{
|
||||
$row = $this->conn->select()->from('account', array(new Zend_Db_Expr(1)))
|
||||
->where('username = ?', $user->getUsername())
|
||||
->fetch();
|
||||
return $row !== false ? true : false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticate
|
||||
*
|
||||
* @param User $user
|
||||
* @param string $password
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function authenticate(User $user, $password)
|
||||
{
|
||||
$salt = $this->getSalt($user->getUsername());
|
||||
if ($salt === null) {
|
||||
return false;
|
||||
}
|
||||
$this->name = $config->name;
|
||||
if ($config->resource instanceof Zend_Db_Adapter_Abstract) {
|
||||
$this->db = $config->resource;
|
||||
} else {
|
||||
$resource = ResourceFactory::createResource(ResourceFactory::getResourceConfig($config->resource));
|
||||
$this->db = $resource->getConnection();
|
||||
if ($salt === '') {
|
||||
throw new Exception();
|
||||
}
|
||||
$row = $this->conn->select()->from('account', array(new Zend_Db_Expr(1)))
|
||||
->where('username = ?', $user->getUsername())
|
||||
->where('active = ?', true)
|
||||
->where('password = ?', $this->hashPassword($password, $salt))
|
||||
->fetchRow();
|
||||
return $row !== false ? true : false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for password column
|
||||
* Get salt by username
|
||||
*
|
||||
* @param string $passwordColumnName
|
||||
* @param string $username
|
||||
*
|
||||
* @return string|null
|
||||
*/
|
||||
public function setPasswordColumnName($passwordColumnName)
|
||||
private function getSalt($username)
|
||||
{
|
||||
$this->passwordColumnName = $passwordColumnName;
|
||||
$row = $this->conn->select()->from('account', array('salt'))->where('username = ?', $username)->fetchRow();
|
||||
return $row !== false ? $row->salt : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for password salt column
|
||||
*
|
||||
* @param string $saltColumnName
|
||||
*/
|
||||
public function setSaltColumnName($saltColumnName)
|
||||
{
|
||||
$this->saltColumnName = $saltColumnName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for usernamea column
|
||||
*
|
||||
* @param string $userColumnName
|
||||
*/
|
||||
public function setUserColumnName($userColumnName)
|
||||
{
|
||||
$this->userColumnName = $userColumnName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for database table
|
||||
*
|
||||
* @param String $userTable
|
||||
*/
|
||||
public function setUserTable($userTable)
|
||||
{
|
||||
$this->userTable = $userTable;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for column identifying an active user
|
||||
*
|
||||
* Set this to null if no active column exists.
|
||||
*
|
||||
* @param string $activeColumnName
|
||||
*/
|
||||
public function setActiveColumnName($activeColumnName)
|
||||
{
|
||||
$this->activeColumnName = $activeColumnName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for email column
|
||||
*
|
||||
* Set to null if not needed
|
||||
*
|
||||
* @param string $emailColumnName
|
||||
*/
|
||||
public function setEmailColumnName($emailColumnName)
|
||||
{
|
||||
$this->emailColumnName = $emailColumnName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Name of the backend
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getName()
|
||||
{
|
||||
return $this->name;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the user identified by the given credentials is available
|
||||
*
|
||||
* @param Credential $credential Credential to find a user in the database
|
||||
*
|
||||
* @return boolean True when the username is known and currently active.
|
||||
*/
|
||||
public function hasUsername(Credential $credential)
|
||||
{
|
||||
$user = $this->getUserByName($credential->getUsername());
|
||||
return isset($user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticate a user with the given credentials
|
||||
*
|
||||
* @param Credential $credential Credential to authenticate
|
||||
*
|
||||
* @return User|null The authenticated user or Null.
|
||||
*/
|
||||
public function authenticate(Credential $credential)
|
||||
{
|
||||
try {
|
||||
$salt = $this->getUserSalt($credential->getUsername());
|
||||
} catch (Exception $e) {
|
||||
Logger::error(
|
||||
'Could not fetch salt from database for user %s. Exception was thrown: %s',
|
||||
$credential->getUsername(),
|
||||
$e->getMessage()
|
||||
);
|
||||
return null;
|
||||
}
|
||||
$sth = $this->db
|
||||
->select()->from($this->userTable)
|
||||
->where($this->userColumnName . ' = ?', $credential->getUsername())
|
||||
->where(
|
||||
$this->passwordColumnName . ' = ?',
|
||||
$this->createPasswordHash($credential->getPassword(), $salt)
|
||||
);
|
||||
|
||||
if ($this->activeColumnName !== null) {
|
||||
$sth->where($this->activeColumnName . ' = ?', true);
|
||||
}
|
||||
|
||||
$res = $sth->query()->fetch();
|
||||
|
||||
if ($res !== false) {
|
||||
return $this->createUserFromResult($res);
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Fetch the users salt from the database
|
||||
*
|
||||
* @param string$username The user whose salt should be fetched
|
||||
*
|
||||
* @return string|null Return the salt-string or null, when the user does not exist
|
||||
* @throws ProgrammingError
|
||||
*/
|
||||
private function getUserSalt($username)
|
||||
{
|
||||
$res = $this->db->select()
|
||||
->from($this->userTable, $this->saltColumnName)
|
||||
->where($this->userColumnName . ' = ?', $username)
|
||||
->query()->fetch();
|
||||
if ($res !== false) {
|
||||
return $res->{$this->saltColumnName};
|
||||
} else {
|
||||
throw new ProgrammingError('No Salt found for user "' . $username . '"');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Create password hash at this place
|
||||
* Hash a password
|
||||
*
|
||||
* @param string $password
|
||||
* @param string $salt
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
protected function createPasswordHash($password, $salt) {
|
||||
private function hashPassword($password, $salt) {
|
||||
return hash_hmac('sha256', $password, $salt);
|
||||
}
|
||||
|
||||
/**
|
||||
* Fetch the user information from the database
|
||||
* Get the number of users available
|
||||
*
|
||||
* @param string $username The name of the user
|
||||
*
|
||||
* @return User|null Returns the user object, or null when the user does not exist
|
||||
* @return int
|
||||
*/
|
||||
private function getUserByName($username)
|
||||
public function count()
|
||||
{
|
||||
$this->db->getConnection();
|
||||
$sth = $this->db->select()
|
||||
->from($this->userTable)
|
||||
->where($this->userColumnName .' = ?', $username);
|
||||
|
||||
if ($this->activeColumnName !== null) {
|
||||
$sth->where($this->activeColumnName .' = ?', true);
|
||||
}
|
||||
|
||||
$res = $sth->query()->fetch();
|
||||
|
||||
if ($res !== false) {
|
||||
return $this->createUserFromResult($res);
|
||||
}
|
||||
return null;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new instance of User from a query result
|
||||
*
|
||||
* @param stdClass $resultRow Result object from database
|
||||
*
|
||||
* @return User The created instance of User.
|
||||
*/
|
||||
protected function createUserFromResult(stdClass $resultRow)
|
||||
{
|
||||
$usr = new User(
|
||||
$resultRow->{$this->userColumnName},
|
||||
null,
|
||||
null,
|
||||
(isset($resultRow->{$this->emailColumnName})) ? $resultRow->{$this->emailColumnName} : null
|
||||
);
|
||||
return $usr;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the number of users in this database connection
|
||||
*
|
||||
* This class is mainly used for determining whether the authentication backend is valid or not
|
||||
*
|
||||
* @return int The number of users set in this backend
|
||||
* @see UserBackend::getUserCount
|
||||
*/
|
||||
public function getUserCount()
|
||||
{
|
||||
$query = $this->db->select()->from($this->userTable, 'COUNT(*) as count')->query();
|
||||
return $query->fetch()->count;
|
||||
}
|
||||
|
||||
/**
|
||||
* Try to connect to the underlying database.
|
||||
*
|
||||
* @throws ConfigurationError When the backend is not reachable with the given configuration.
|
||||
*/
|
||||
public function connect()
|
||||
{
|
||||
$this->db->getConnection();
|
||||
return $this->conn->select()->from('account', array('count' => 'COUNT(*)'))->fetch()->count();
|
||||
}
|
||||
}
|
||||
|
|
|
@ -29,170 +29,98 @@
|
|||
|
||||
namespace Icinga\Authentication\Backend;
|
||||
|
||||
use Icinga\Data\ResourceFactory;
|
||||
use \stdClass;
|
||||
use \Zend_Config;
|
||||
use \Icinga\User;
|
||||
use \Icinga\Authentication\UserBackend;
|
||||
use \Icinga\Authentication\Credential;
|
||||
use \Icinga\Protocol\Ldap;
|
||||
use \Icinga\Protocol\Ldap\Connection as LdapConnection;
|
||||
use \Icinga\Application\Config as IcingaConfig;
|
||||
use \Icinga\Exception\ConfigurationError;
|
||||
use Icinga\User;
|
||||
use Icinga\Authentication\UserBackend;
|
||||
use Icinga\Protocol\Ldap\Connection;
|
||||
|
||||
/**
|
||||
* User authentication backend
|
||||
*/
|
||||
class LdapUserBackend implements UserBackend
|
||||
class LdapUserBackend extends UserBackend
|
||||
{
|
||||
/**
|
||||
* Ldap resource
|
||||
* Connection to the LDAP server
|
||||
*
|
||||
* @var Connection
|
||||
**/
|
||||
protected $connection;
|
||||
protected $conn;
|
||||
|
||||
/**
|
||||
* The ldap connection information
|
||||
*
|
||||
* @var Zend_Config
|
||||
*/
|
||||
private $config;
|
||||
protected $userClass;
|
||||
|
||||
/**
|
||||
* Name of the backend
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $name;
|
||||
protected $userNameAttribute;
|
||||
|
||||
/**
|
||||
* Create a new LdapUserBackend
|
||||
*
|
||||
* @param Zend_Config $config The configuration for this authentication backend.
|
||||
* 'resource' => The name of the resource to use, or an actual
|
||||
* instance of \Icinga\Protocol\Ldap\Connection.
|
||||
* 'name' => The name of this authentication backend.
|
||||
*
|
||||
* @throws ConfigurationError When the given resource does not exist.
|
||||
*/
|
||||
public function __construct(Zend_Config $config)
|
||||
public function __construct(Connection $conn, $userClass, $userNameAttribute)
|
||||
{
|
||||
if (!isset($config->resource)) {
|
||||
throw new ConfigurationError('An authentication backend must provide a resource.');
|
||||
}
|
||||
$this->config = $config;
|
||||
$this->name = $config->name;
|
||||
if ($config->resource instanceof LdapConnection) {
|
||||
$this->connection = $config->resource;
|
||||
} else {
|
||||
$this->connection = ResourceFactory::createResource(
|
||||
ResourceFactory::getResourceConfig($config->resource)
|
||||
$this->conn = $conn;
|
||||
$this->userClass = $userClass;
|
||||
$this->userNameAttribute = $userNameAttribute;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create query
|
||||
*
|
||||
* @param string $username
|
||||
*
|
||||
* @return \Icinga\Protocol\Ldap\Query
|
||||
**/
|
||||
protected function createQuery($username)
|
||||
{
|
||||
return $this->conn->select()
|
||||
->from(
|
||||
$this->userClass,
|
||||
array($this->userNameAttribute)
|
||||
)
|
||||
->where(
|
||||
$this->userNameAttribute,
|
||||
str_replace('*', '', $username)
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Name of the backend
|
||||
* Test whether the given user exists
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getName()
|
||||
{
|
||||
return $this->name;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test if the username exists
|
||||
*
|
||||
* @param Credential $credential Credential to find user in database
|
||||
* @param User $user
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function hasUsername(Credential $credential)
|
||||
public function hasUser(User $user)
|
||||
{
|
||||
return $this->connection->fetchOne(
|
||||
$this->selectUsername($credential->getUsername())
|
||||
) === $credential->getUsername();
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes the '*' character from $string
|
||||
*
|
||||
* @param string $string Input string
|
||||
*
|
||||
* @return string
|
||||
**/
|
||||
protected function stripAsterisks($string)
|
||||
{
|
||||
return str_replace('*', '', $string);
|
||||
}
|
||||
|
||||
/**
|
||||
* Tries to fetch the username
|
||||
*
|
||||
* @param string $username The username to select
|
||||
*
|
||||
* @return stdClass $result
|
||||
**/
|
||||
protected function selectUsername($username)
|
||||
{
|
||||
return $this->connection->select()
|
||||
->from(
|
||||
$this->config->user_class,
|
||||
array(
|
||||
$this->config->user_name_attribute
|
||||
)
|
||||
)
|
||||
->where(
|
||||
$this->config->user_name_attribute,
|
||||
$this->stripAsterisks($username)
|
||||
);
|
||||
$username = $user->getUsername();
|
||||
return $this->conn->fetchOne($this->createQuery($username)) === $username;
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticate
|
||||
*
|
||||
* @param Credential $credentials Credential to authenticate
|
||||
* @param User $user
|
||||
* @param string $password
|
||||
*
|
||||
* @return User
|
||||
* @return bool
|
||||
*/
|
||||
public function authenticate(Credential $credentials)
|
||||
public function authenticate(User $user, $password)
|
||||
{
|
||||
if ($this->connection->testCredentials(
|
||||
$this->connection->fetchDN($this->selectUsername($credentials->getUsername())),
|
||||
$credentials->getPassword()
|
||||
)) {
|
||||
return new User($credentials->getUsername());
|
||||
if ($this->conn->testCredentials(
|
||||
$this->conn->fetchDN($this->createQuery($user->getUsername())),
|
||||
$password
|
||||
)
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return number of users in this backend
|
||||
* Get the number of users available
|
||||
*
|
||||
* @return int The number of users set in this backend
|
||||
* @see UserBackend::getUserCount
|
||||
* @return int
|
||||
*/
|
||||
public function getUserCount()
|
||||
public function count()
|
||||
{
|
||||
return $this->connection->count(
|
||||
$this->connection->select()->from(
|
||||
$this->config->user_class,
|
||||
return $this->conn->count(
|
||||
$this->conn->select()->from(
|
||||
$this->userClass,
|
||||
array(
|
||||
$this->config->user_name_attribute
|
||||
$this->userNameAttribute
|
||||
)
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* Establish the connection to this authentication backend
|
||||
*
|
||||
* @throws \Exception When the connection to the resource is not possible.
|
||||
*/
|
||||
public function connect()
|
||||
{
|
||||
$this->connection->connect();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,135 +0,0 @@
|
|||
<?php
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
/**
|
||||
* This file is part of Icinga Web 2.
|
||||
*
|
||||
* Icinga Web 2 - Head for multiple monitoring backends.
|
||||
* Copyright (C) 2013 Icinga Development Team
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
* @copyright 2013 Icinga Development Team <info@icinga.org>
|
||||
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL, version 2
|
||||
* @author Icinga Development Team <info@icinga.org>
|
||||
*
|
||||
*/
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
|
||||
namespace Icinga\Authentication;
|
||||
|
||||
/**
|
||||
* Data holder object for authentication information
|
||||
*
|
||||
* This object should be used instead of passing names and
|
||||
* passwords as primitives in order to allow additional information
|
||||
* to be provided (like the domain) when needed.
|
||||
*/
|
||||
class Credential
|
||||
{
|
||||
/**
|
||||
* Username
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $username;
|
||||
|
||||
/**
|
||||
* Password
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $password;
|
||||
|
||||
/**
|
||||
* Domain
|
||||
*
|
||||
* @var string
|
||||
*/
|
||||
private $domain;
|
||||
|
||||
/**
|
||||
* Create a new credential object
|
||||
*
|
||||
* @param string $username
|
||||
* @param string $password
|
||||
* @param string $domain
|
||||
*/
|
||||
public function __construct($username = '', $password = null, $domain = null)
|
||||
{
|
||||
$this->username = $username;
|
||||
$this->password = $password;
|
||||
$this->domain = $domain;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for username
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getUsername()
|
||||
{
|
||||
return $this->username;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for username
|
||||
*
|
||||
* @param string $username
|
||||
*/
|
||||
public function setUsername($username)
|
||||
{
|
||||
$this->username = $username;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for password
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getPassword()
|
||||
{
|
||||
return $this->password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for password
|
||||
*
|
||||
* @param string $password
|
||||
*/
|
||||
public function setPassword($password)
|
||||
{
|
||||
$this->password = $password;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for domain
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getDomain()
|
||||
{
|
||||
return $this->domain;
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for domain
|
||||
*
|
||||
* @param string $domain
|
||||
*/
|
||||
public function setDomain($domain)
|
||||
{
|
||||
$this->domain = $domain;
|
||||
}
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
<?php
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
/**
|
||||
* This file is part of Icinga Web 2.
|
||||
*
|
||||
* Icinga Web 2 - Head for multiple monitoring backends.
|
||||
* Copyright (C) 2013 Icinga Development Team
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
* @copyright 2013 Icinga Development Team <info@icinga.org>
|
||||
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL, version 2
|
||||
* @author Icinga Development Team <info@icinga.org>
|
||||
*
|
||||
*/
|
||||
// {{{ICINGA_LICENSE_HEADER}}}}
|
||||
|
||||
namespace Icinga\Authentication;
|
||||
|
||||
/**
|
||||
* Api behaviour for a group backend
|
||||
*
|
||||
* @TODO(mh): Groups not implemented at present, re-implement if needed (#4624)
|
||||
*/
|
||||
interface GroupBackend
|
||||
{
|
||||
/**
|
||||
* Name of the backend
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getName();
|
||||
}
|
|
@ -33,25 +33,12 @@ use Exception;
|
|||
use Zend_Config;
|
||||
use Icinga\User;
|
||||
use Icinga\Web\Session;
|
||||
use Icinga\Data\ResourceFactory;
|
||||
use Icinga\Application\Logger;
|
||||
use Icinga\Exception\ConfigurationError;
|
||||
use Icinga\Exception\NotReadableError;
|
||||
use Icinga\Exception\ProgrammingError;
|
||||
use Icinga\Application\Config as IcingaConfig;
|
||||
use Icinga\Authentication\Backend\DbUserBackend;
|
||||
use Icinga\Authentication\Backend\LdapUserBackend;
|
||||
use Icinga\User\Preferences;
|
||||
use Icinga\User\Preferences\PreferencesStore;
|
||||
|
||||
/**
|
||||
* The authentication manager allows to identify users and
|
||||
* to persist authentication information in a session.
|
||||
*
|
||||
* Direct instantiation is not permitted, the AuthenticationManager
|
||||
* must be created using the getInstance method. Subsequent getInstance
|
||||
* calls return the same object and ignore any additional configuration.
|
||||
**/
|
||||
class Manager
|
||||
{
|
||||
/**
|
||||
|
@ -62,252 +49,41 @@ class Manager
|
|||
private static $instance;
|
||||
|
||||
/**
|
||||
* Instance of authenticated user
|
||||
* Authenticated user
|
||||
*
|
||||
* @var User
|
||||
**/
|
||||
private $user;
|
||||
|
||||
/**
|
||||
* Array of user backends
|
||||
*
|
||||
* @var array
|
||||
**/
|
||||
private $userBackends = array();
|
||||
|
||||
/**
|
||||
* The configuration
|
||||
*
|
||||
* @var Zend_Config
|
||||
*/
|
||||
private $config = null;
|
||||
|
||||
/**
|
||||
* Creates a new authentication manager using the provided config (or the
|
||||
* configuration provided in the authentication.ini if no config is given).
|
||||
*
|
||||
* @param Zend_Config $config The configuration to use for authentication
|
||||
* instead of the authentication.ini
|
||||
**/
|
||||
private function __construct(Zend_Config $config = null)
|
||||
private function __construct()
|
||||
{
|
||||
if ($config !== null) {
|
||||
$this->setupBackends($config);
|
||||
$this->config = $config;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the authentication manager
|
||||
*
|
||||
* @param Zend_Config $config
|
||||
*
|
||||
* @return self
|
||||
* @see Manager:__construct
|
||||
* @return self
|
||||
*/
|
||||
public static function getInstance(Zend_Config $config = null)
|
||||
public static function getInstance()
|
||||
{
|
||||
if (self::$instance === null) {
|
||||
self::$instance = new static($config);
|
||||
self::$instance = new static();
|
||||
}
|
||||
return self::$instance;
|
||||
}
|
||||
|
||||
/**
|
||||
* Initialize multiple backends from Zend Config
|
||||
*/
|
||||
private function setupBackends(Zend_Config $config)
|
||||
public function setAuthenticated(User $user, $persist = true)
|
||||
{
|
||||
foreach ($config as $name => $backendConfig) {
|
||||
if ((bool) $backendConfig->get('disabled', false) === true) {
|
||||
continue;
|
||||
}
|
||||
if ($backendConfig->name === null) {
|
||||
$backendConfig->name = $name;
|
||||
}
|
||||
$backend = $this->createBackend($backendConfig);
|
||||
$this->userBackends[$backend->getName()] = $backend;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a backend from the given Zend_Config
|
||||
*
|
||||
* @param Zend_Config $backendConfig
|
||||
*
|
||||
* @return UserBackend
|
||||
* @throws ConfigurationError
|
||||
*/
|
||||
private function createBackend(Zend_Config $backendConfig)
|
||||
{
|
||||
if (isset($backendConfig->class)) {
|
||||
// Use a custom backend class, this is only useful for testing
|
||||
if (!class_exists($backendConfig->class)) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $backendConfig->name . '" defines an invalid backend'
|
||||
. ' class. Backend class "' . $backendConfig->class. '" not found'
|
||||
);
|
||||
}
|
||||
return new $backendConfig->class($backendConfig);
|
||||
}
|
||||
if ($backendConfig->resource === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $backendConfig->name
|
||||
. '" is missing the resource directive'
|
||||
);
|
||||
}
|
||||
$username = $user->getUsername();
|
||||
try {
|
||||
$type = ResourceFactory::getResourceConfig($backendConfig->resource)->type;
|
||||
} catch (ProgrammingError $e) {
|
||||
throw new ConfigurationError(
|
||||
'No authentication methods available. It seems that none resources have been set up. '
|
||||
. ' Please contact your Icinga Web administrator'
|
||||
$config = IcingaConfig::app();
|
||||
} catch (NotReadableError $e) {
|
||||
Logger::exception(
|
||||
new Exception('Cannot load preferences for user "' . $username . '". An exception was thrown', 0, $e)
|
||||
);
|
||||
$config = new Zend_Config(array());
|
||||
}
|
||||
if ($type === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "%s" is missing the type directive',
|
||||
$backendConfig->name,
|
||||
$backendConfig->class
|
||||
);
|
||||
}
|
||||
switch (strtolower($type)) {
|
||||
case 'db':
|
||||
return new DbUserBackend($backendConfig);
|
||||
case 'ldap':
|
||||
return new LdapUserBackend($backendConfig);
|
||||
default:
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $backendConfig->name. '" defines an invalid backend'
|
||||
. ' type. Backend type "' . $type . '" is not supported'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Add a user backend to the stack
|
||||
*
|
||||
* @param UserBackend $userBackend
|
||||
*/
|
||||
public function addUserBackend(UserBackend $userBackend)
|
||||
{
|
||||
$this->userBackends[$userBackend->getName()] = $userBackend;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a user backend by name
|
||||
*
|
||||
* @param string $name
|
||||
*
|
||||
* @return UserBackend|null
|
||||
*/
|
||||
public function getUserBackend($name)
|
||||
{
|
||||
return (isset($this->userBackends[$name])) ? $this->userBackends[$name] : null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find the backend which provides the user with the given credentials
|
||||
*
|
||||
* @param Credential $credentials
|
||||
*
|
||||
* @return UserBackend|null
|
||||
* @throws ConfigurationError
|
||||
*/
|
||||
private function revealBackend(Credential $credentials)
|
||||
{
|
||||
if (count($this->userBackends) === 0) {
|
||||
throw new ConfigurationError(
|
||||
'No authentication methods available. It seems that none authentication method has been set up. '
|
||||
. ' Please contact your Icinga Web administrator'
|
||||
);
|
||||
}
|
||||
$backendsWithError = 0;
|
||||
// TODO(el): Currently the user is only notified about authentication backend problems when all backends
|
||||
// have errors. It may be the case that the authentication backend which provides the user has errors but other
|
||||
// authentication backends work. In that scenario the user is presented an error message saying "Incorrect
|
||||
// username or password". We must inform the user that not all authentication methods are available.
|
||||
foreach ($this->userBackends as $backend) {
|
||||
Logger::debug(
|
||||
'Asking authentication backend "%s" for user "%s"',
|
||||
$backend->getName(),
|
||||
$credentials->getUsername()
|
||||
);
|
||||
try {
|
||||
$hasUser = $backend->hasUsername($credentials);
|
||||
} catch (Exception $e) {
|
||||
Logger::error(
|
||||
'Cannot ask authentication backend "%s" for user "%s". An exception was thrown: %s',
|
||||
$backend->getName(),
|
||||
$credentials->getUsername(),
|
||||
$e->getMessage()
|
||||
);
|
||||
++$backendsWithError;
|
||||
continue;
|
||||
}
|
||||
if ($hasUser === true) {
|
||||
Logger::debug(
|
||||
'Authentication backend "%s" provides user "%s"',
|
||||
$backend->getName(),
|
||||
$credentials->getUsername()
|
||||
);
|
||||
return $backend;
|
||||
} else {
|
||||
Logger::debug(
|
||||
'Authentication backend "%s" does not provide user "%s"',
|
||||
$backend->getName(),
|
||||
$credentials->getUsername()
|
||||
);
|
||||
}
|
||||
}
|
||||
if ($backendsWithError === count($this->userBackends)) {
|
||||
throw new ConfigurationError(
|
||||
'No authentication methods available. It seems that all set up authentication methods have errors. '
|
||||
. ' Please contact your Icinga Web administrator'
|
||||
);
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Try to authenticate a user with the given credentials
|
||||
*
|
||||
* @param Credential $credentials The credentials to use for authentication
|
||||
* @param Boolean $persist Whether to persist the authentication result in the current session
|
||||
*
|
||||
* @return Boolean Whether the authentication was successful or not
|
||||
* @throws ConfigurationError
|
||||
*/
|
||||
public function authenticate(Credential $credentials, $persist = true)
|
||||
{
|
||||
$userBackend = $this->revealBackend($credentials);
|
||||
if ($userBackend === null) {
|
||||
Logger::info('Unknown user "%s" tried to log in', $credentials->getUsername());
|
||||
return false;
|
||||
}
|
||||
if (($user = $userBackend->authenticate($credentials)) === null) {
|
||||
Logger::info('User "%s" tried to log in with an incorrect password', $credentials->getUsername());
|
||||
return false;
|
||||
}
|
||||
|
||||
$username = $credentials->getUsername();
|
||||
|
||||
$membership = new Membership();
|
||||
|
||||
$groups = $membership->getGroupsByUsername($username);
|
||||
$user->setGroups($groups);
|
||||
|
||||
$admissionLoader = new AdmissionLoader();
|
||||
|
||||
$user->setPermissions(
|
||||
$admissionLoader->getPermissions($username, $groups)
|
||||
);
|
||||
|
||||
$user->setRestrictions(
|
||||
$admissionLoader->getRestrictions($username, $groups)
|
||||
);
|
||||
|
||||
if (($preferencesConfig = IcingaConfig::app()->preferences) !== null) {
|
||||
if (($preferencesConfig = $config->preferences) !== null) {
|
||||
try {
|
||||
$preferencesStore = PreferencesStore::create(
|
||||
$preferencesConfig,
|
||||
|
@ -315,21 +91,31 @@ class Manager
|
|||
);
|
||||
$preferences = new Preferences($preferencesStore->load());
|
||||
} catch (NotReadableError $e) {
|
||||
Logger::error($e);
|
||||
Logger::exception(
|
||||
new Exception(
|
||||
'Cannot load preferences for user "' . $username . '". An exception was thrown', 0, $e
|
||||
)
|
||||
);
|
||||
$preferences = new Preferences();
|
||||
}
|
||||
} else {
|
||||
$preferences = new Preferences();
|
||||
}
|
||||
$user->setPreferences($preferences);
|
||||
$membership = new Membership();
|
||||
$groups = $membership->getGroupsByUsername($username);
|
||||
$user->setGroups($groups);
|
||||
$admissionLoader = new AdmissionLoader();
|
||||
$user->setPermissions(
|
||||
$admissionLoader->getPermissions($username, $groups)
|
||||
);
|
||||
$user->setRestrictions(
|
||||
$admissionLoader->getRestrictions($username, $groups)
|
||||
);
|
||||
$this->user = $user;
|
||||
if ($persist == true) {
|
||||
$this->persistCurrentUser();
|
||||
}
|
||||
|
||||
Logger::info('User "%s" logged in', $credentials->getUsername());
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
namespace Icinga\Authentication;
|
||||
|
||||
use Icinga\Application\Config;
|
||||
use Icinga\Exception\NotReadableError;
|
||||
use Icinga\Util\String;
|
||||
|
||||
/**
|
||||
|
@ -47,10 +48,14 @@ class Membership
|
|||
public function getGroupsByUsername($username)
|
||||
{
|
||||
$groups = array();
|
||||
foreach (Config::app('membership') as $section) {
|
||||
try {
|
||||
$config = Config::app('memberships');
|
||||
} catch (NotReadableError $e) {
|
||||
return $groups;
|
||||
}
|
||||
foreach ($config as $section) {
|
||||
$users = String::trimSplit($section->users);
|
||||
|
||||
if (in_array($username, $users) === true) {
|
||||
if (in_array($username, $users)) {
|
||||
$groups = array_merge($groups, String::trimSplit($section->groups));
|
||||
}
|
||||
}
|
||||
|
|
|
@ -29,51 +29,133 @@
|
|||
|
||||
namespace Icinga\Authentication;
|
||||
|
||||
use \Zend_Config;
|
||||
use \Icinga\User;
|
||||
use Icinga\Authentication\Credential;
|
||||
use Countable;
|
||||
use Zend_Config;
|
||||
use Icinga\Authentication\Backend\DbUserBackend;
|
||||
use Icinga\Authentication\Backend\LdapUserBackend;
|
||||
use Icinga\Data\ResourceFactory;
|
||||
use Icinga\Exception\ConfigurationError;
|
||||
use Icinga\User;
|
||||
|
||||
/**
|
||||
* Public api for an user backend object
|
||||
*/
|
||||
interface UserBackend
|
||||
abstract class UserBackend implements Countable
|
||||
{
|
||||
/**
|
||||
* Test if the username exists
|
||||
* Name of the backend
|
||||
*
|
||||
* @param Credential $credentials
|
||||
* @var string
|
||||
*/
|
||||
protected $name;
|
||||
|
||||
/**
|
||||
* Setter for the backend's name
|
||||
*
|
||||
* @param string $name
|
||||
*
|
||||
* @return self
|
||||
*/
|
||||
public function setName($name)
|
||||
{
|
||||
$this->name = $name;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for the backend's name
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getName()
|
||||
{
|
||||
return $this->name;
|
||||
}
|
||||
|
||||
public static function create($name, Zend_Config $backendConfig)
|
||||
{
|
||||
if ($backendConfig->name !== null) {
|
||||
$name = $backendConfig->name;
|
||||
}
|
||||
if (isset($backendConfig->class)) {
|
||||
// Use a custom backend class, this is only useful for testing
|
||||
if (!class_exists($backendConfig->class)) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name . '" defines an invalid backend'
|
||||
. ' class. Backend class "' . $backendConfig->class. '" not found'
|
||||
);
|
||||
}
|
||||
return new $backendConfig->class($backendConfig);
|
||||
}
|
||||
if ($backendConfig->resource === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name
|
||||
. '" is missing the resource directive'
|
||||
);
|
||||
}
|
||||
if (($backendType = $backendConfig->backend) === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name
|
||||
. '" is missing the backend directive'
|
||||
);
|
||||
}
|
||||
try {
|
||||
$resourceConfig = ResourceFactory::getResourceConfig($backendConfig->resource);
|
||||
} catch (ProgrammingError $e) {
|
||||
throw new ConfigurationError(
|
||||
'Resources not set up. Please contact your Icinga Web administrator'
|
||||
);
|
||||
}
|
||||
$resource = ResourceFactory::createResource($resourceConfig);
|
||||
switch (strtolower($backendType)) {
|
||||
case 'db':
|
||||
$backend = new DbUserBackend($resource);
|
||||
break;
|
||||
case 'msldap':
|
||||
$backend = new LdapUserBackend(
|
||||
$resource,
|
||||
$backendConfig->get('user_class', 'user'),
|
||||
$backendConfig->get('user_name_attribute', 'sAMAccountName')
|
||||
);
|
||||
break;
|
||||
case 'ldap':
|
||||
if (($userClass = $backendConfig->user_class) === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name
|
||||
. '" is missing the user_class directive'
|
||||
);
|
||||
}
|
||||
if (($userNameAttribute = $backendConfig->user_name_attribute) === null) {
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name
|
||||
. '" is missing the user_name_attribute directive'
|
||||
);
|
||||
}
|
||||
$backend = new LdapUserBackend($resource, $userClass, $userNameAttribute);
|
||||
break;
|
||||
default:
|
||||
throw new ConfigurationError(
|
||||
'Authentication configuration for backend "' . $name. '" defines an invalid backend'
|
||||
. ' type. Backend type "' . $backendType . '" is not supported'
|
||||
);
|
||||
}
|
||||
$backend->setName($name);
|
||||
return $backend;
|
||||
}
|
||||
|
||||
/**
|
||||
* Test whether the given user exists
|
||||
*
|
||||
* @param User $user
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function hasUsername(Credential $credentials);
|
||||
abstract public function hasUser(User $user);
|
||||
|
||||
/**
|
||||
* Authenticate
|
||||
*
|
||||
* @param Credential $credentials
|
||||
* @param User $user
|
||||
* @param string $password
|
||||
*
|
||||
* @return User
|
||||
* @return bool
|
||||
*/
|
||||
public function authenticate(Credential $credentials);
|
||||
|
||||
/**
|
||||
* Name of the backend
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getName();
|
||||
|
||||
/**
|
||||
* Get the number of users available through this backend
|
||||
*
|
||||
* @return int
|
||||
*/
|
||||
public function getUserCount();
|
||||
|
||||
/**
|
||||
* Establish the connection to this authentication backend
|
||||
*
|
||||
* @throws ConfigurationError When the backend is not reachable with the given configuration.
|
||||
*/
|
||||
public function connect();
|
||||
abstract public function authenticate(User $user, $password);
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue