Adds DbUserBackend to handle the authentication against a sql db.
Users should be able to authenticate against an internal DB without setting up additional authentication domains. refs #3769
This commit is contained in:
Matthias Jentsch
parent
9cb745a0ed
commit
3ff0c0f02a
|
|
@ -1,9 +1,14 @@
|
|||
[users]
|
||||
backend=ldap
|
||||
hostname=localhost
|
||||
backend=Db
|
||||
dbtype=mysql
|
||||
table=icinga_users
|
||||
host=localhost
|
||||
password=icinga
|
||||
user=icinga
|
||||
db=icinga
|
||||
|
||||
root_dn="ou=people,dc=icinga,dc=org"
|
||||
bind_dn="cn=admin,cn=config"
|
||||
bind_pw=admin
|
||||
user_class=inetOrgPerson
|
||||
user_name_attribute=uid
|
||||
|
||||
user_name_attribute=uid
|
||||
|
|
@ -16,5 +16,4 @@ objects_file = "/usr/local/icinga/var/objects.cache"
|
|||
|
||||
[localfailsafe]
|
||||
type = combo
|
||||
backends = localdb, locallive, localfile
|
||||
|
||||
backends = localdb, locallive, localfile
|
||||
|
|
@ -490,6 +490,7 @@ AS_IF([test "x$ldap_authentication" != xno],
|
|||
>>>>>>> ws-jmosshammer:icinga2-web moja$ git commit
|
||||
=======
|
||||
AC_CHECK_PHP_MODULE([ldap])
|
||||
AC_CHECK_PHP_MODULE([mcrypt])
|
||||
ldap_enabled=""
|
||||
)
|
||||
>>>>>>> Add Autoconf based installation with most parameters
|
||||
|
|
|
|||
|
|
@ -0,0 +1,12 @@
|
|||
create table icinga_users (
|
||||
user_name varchar(255) NOT NULL,
|
||||
first_name varchar(255),
|
||||
last_name varchar(255),
|
||||
email varchar(255),
|
||||
domain varchar(255),
|
||||
last_login timestamp,
|
||||
salt varchar(255),
|
||||
password varchar(255) NOT NULL,
|
||||
active BOOL,
|
||||
PRIMARY KEY (user_name)
|
||||
);
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
create table icinga_users (
|
||||
user_name varchar(255) NOT NULL,
|
||||
first_name varchar(255),
|
||||
last_name varchar(255),
|
||||
email varchar(255),
|
||||
domain varchar(255),
|
||||
last_login timestamp,
|
||||
salt varchar(255),
|
||||
password varchar(255) NOT NULL,
|
||||
active BOOL,
|
||||
PRIMARY KEY (user_name)
|
||||
);
|
||||
|
|
@ -0,0 +1,185 @@
|
|||
<?php
|
||||
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
/**
|
||||
* This file is part of Icinga 2 Web.
|
||||
*
|
||||
* Icinga 2 Web - Head for multiple monitoring backends.
|
||||
* Copyright (C) 2013 Icinga Development Team
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
* @copyright 2013 Icinga Development Team <info@icinga.org>
|
||||
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL, version 2
|
||||
* @author Icinga Development Team <info@icinga.org>
|
||||
*/
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
|
||||
namespace Icinga\Authentication\Backend;
|
||||
|
||||
use Icinga\Util\Crypto as Crypto;
|
||||
use Icinga\Authentication\User as User;
|
||||
use Icinga\Authentication\UserBackend;
|
||||
use Icinga\Authentication\Credentials;
|
||||
use Icinga\Authentication;
|
||||
|
||||
|
||||
/**
|
||||
* Authenticates users using a sql db as backend.
|
||||
* @package Icinga\Authentication\Backend
|
||||
*/
|
||||
class DbUserBackend implements UserBackend {
|
||||
|
||||
private $db;
|
||||
|
||||
private $userTable;
|
||||
|
||||
private $USER_NAME_COLUMN = "user_name",
|
||||
$FIRST_NAME_COLUMN = "first_name",
|
||||
$LAST_NAME_COLUMN = "last_name",
|
||||
$LAST_LOGIN_COLUMN = "last_login",
|
||||
$SALT_COLUMN = "salt",
|
||||
$PASSWORD_COLUMN = "password",
|
||||
$ACTIVE_COLUMN = "active",
|
||||
$DOMAIN_COLUMN = "domain",
|
||||
$EMAIL_COLUMN = "email";
|
||||
|
||||
/*
|
||||
* maps the configuration dbtypes to the corresponding Zend-PDOs
|
||||
*/
|
||||
private $dbTypeMap = Array(
|
||||
"mysql" => "PDO_MYSQL",
|
||||
"pgsql" => "PDO_PGSQL"
|
||||
);
|
||||
|
||||
/**
|
||||
* Creates a DbUserBackend with the given configuration.
|
||||
* @param $config The configuration-object containing the members host,user,password,db
|
||||
*/
|
||||
public function __construct($config){
|
||||
$this->dbtype = $config->dbtype;
|
||||
$this->userTable = $config->table;
|
||||
|
||||
$this->db = \Zend_Db::factory(
|
||||
$this->dbTypeMap[$config->dbtype],
|
||||
array(
|
||||
'host' => $config->host,
|
||||
'username' => $config->user,
|
||||
'password' => $config->password,
|
||||
'dbname' => $config->db
|
||||
));
|
||||
|
||||
/*
|
||||
* Test the connection settings
|
||||
*/
|
||||
$this->db->getConnection();
|
||||
$this->db->select()->from($this->userTable,new \Zend_Db_Expr("TRUE"));
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the user in the given Credentials-object is available.
|
||||
* @param Credentials $credentials The login credentials of the user.
|
||||
* @return boolean True when the username is known and currently active.
|
||||
*/
|
||||
public function hasUsername(Credentials $credential)
|
||||
{
|
||||
$user = $this->getUserByName($credential->getUsername());
|
||||
return !empty($user);
|
||||
}
|
||||
|
||||
/**
|
||||
* Authenticate a user with the given credentials.
|
||||
* @param Credentials $credentials
|
||||
* @return User|null The authenticated user or Null.
|
||||
*/
|
||||
public function authenticate(Credentials $credential){
|
||||
$this->db->getConnection();
|
||||
$res = $this->db
|
||||
->select()->from($this->userTable)
|
||||
->where($this->USER_NAME_COLUMN.' = ?',$credential->getUsername())
|
||||
->where($this->ACTIVE_COLUMN. ' = ?',true)
|
||||
->where($this->PASSWORD_COLUMN. ' = ?',Crypto::hashPassword(
|
||||
$credential->getPassword(),
|
||||
$this->getUserSalt($credential->getUsername())
|
||||
))
|
||||
->query()->fetch();
|
||||
if(!empty($res)){
|
||||
$this->updateLastLogin($credential->getUsername());
|
||||
return $this->createUserFromResult($res);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Updates the timestamp containing the time of the last login for
|
||||
* the user with the given username.
|
||||
* @param $username The login-name of the user.
|
||||
*/
|
||||
private function updateLastLogin($username){
|
||||
$this->db->getConnection();
|
||||
$this->db->update(
|
||||
$this->userTable,
|
||||
array(
|
||||
$this->LAST_LOGIN_COLUMN => new \Zend_Db_Expr("NOW()")
|
||||
),
|
||||
$this->USER_NAME_COLUMN.' = '.$this->db->quoteInto('?',$username));
|
||||
}
|
||||
|
||||
/**
|
||||
* Fetches the user's salt from the database.
|
||||
* @param $username The user whose salt should be fetched.
|
||||
* @return String|null Returns the salt-string or Null, when the user does not exist.
|
||||
*/
|
||||
private function getUserSalt($username){
|
||||
$this->db->getConnection();
|
||||
$res = $this->db->select()
|
||||
->from($this->userTable,$this->SALT_COLUMN)
|
||||
->where($this->USER_NAME_COLUMN.' = ?',$username)
|
||||
->query()->fetch();
|
||||
return $res[$this->SALT_COLUMN];
|
||||
}
|
||||
|
||||
/**
|
||||
* Fetches the user information from the database.
|
||||
* @param $username The name of the user.
|
||||
* @return User|null Returns the user object, or null when the user does not exist.
|
||||
*/
|
||||
private function getUserByName($username){
|
||||
$this->db->getConnection();
|
||||
$res = $this->db->
|
||||
select()->from($this->userTable)
|
||||
->where($this->USER_NAME_COLUMN.' = ?',$username)
|
||||
->where($this->ACTIVE_COLUMN.' = ?',true)
|
||||
->query()->fetch();
|
||||
if(empty($res)){
|
||||
return null;
|
||||
}
|
||||
return $this->createUserFromResult($res);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new instance of User from the given result-array.
|
||||
* @param array $result The query result-array containing the column
|
||||
* @return User The created instance of User.
|
||||
*/
|
||||
private function createUserFromResult(Array $result){
|
||||
$usr = new User(
|
||||
$result[$this->USER_NAME_COLUMN],
|
||||
$result[$this->FIRST_NAME_COLUMN],
|
||||
$result[$this->LAST_NAME_COLUMN],
|
||||
$result[$this->EMAIL_COLUMN]);
|
||||
$usr->setDomain($result[$this->DOMAIN_COLUMN]);
|
||||
return $usr;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
<?php
|
||||
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
/**
|
||||
* This file is part of Icinga 2 Web.
|
||||
*
|
||||
* Icinga 2 Web - Head for multiple monitoring backends.
|
||||
* Copyright (C) 2013 Icinga Development Team
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License
|
||||
* as published by the Free Software Foundation; either version 2
|
||||
* of the License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU General Public License
|
||||
* along with this program; if not, write to the Free Software
|
||||
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
||||
*
|
||||
* @copyright 2013 Icinga Development Team <info@icinga.org>
|
||||
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL, version 2
|
||||
* @author Icinga Development Team <info@icinga.org>
|
||||
*/
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
|
||||
namespace Icinga\Util;
|
||||
|
||||
/**
|
||||
* Defines cryptographic algorithms that should be globally used to avoid
|
||||
* inconsistency.
|
||||
*
|
||||
* @package Icinga\Util
|
||||
*/
|
||||
class Crypto {
|
||||
|
||||
/**
|
||||
* Creates the hash for a given password.
|
||||
* @param $password The password that should be hashed.
|
||||
* @param $salt The salt that will be used.
|
||||
* @return string The hashed password.
|
||||
*/
|
||||
public static function hashPassword($password,$salt){
|
||||
return crypt($password,$salt);
|
||||
}
|
||||
|
||||
/**
|
||||
* Creates a new randomly generated salt.
|
||||
* @return string the generated salt.
|
||||
*/
|
||||
public static function createSalt(){
|
||||
return bin2hex(mcrypt_create_iv(16,MCRYPT_RAND));
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,208 @@
|
|||
<?php
|
||||
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
// {{{ICINGA_LICENSE_HEADER}}}
|
||||
|
||||
namespace Tests\Icinga\Authentication;
|
||||
|
||||
//use Icinga\Protocol\Ldap\Exception;
|
||||
//use Zend_Config_Ini;
|
||||
|
||||
require_once("Zend/Config/Ini.php");
|
||||
require_once("Zend/Db.php");
|
||||
require_once("../../library/Icinga/Authentication/UserBackend.php");
|
||||
require_once("../../library/Icinga/Protocol/Ldap/Exception.php");
|
||||
require_once("../../library/Icinga/Application/Config.php");
|
||||
require_once("../../library/Icinga/Authentication/Credentials.php");
|
||||
require_once("../../library/Icinga/Authentication/Backend/DbUserBackend.php");
|
||||
require_once("../../library/Icinga/Util/Crypto.php");
|
||||
require_once("../../library/Icinga/Authentication/User.php");
|
||||
|
||||
use Icinga\Authentication\Backend\DbUserBackend;
|
||||
use Icinga\Util\Crypto;
|
||||
use Icinga\Authentication\Credentials;
|
||||
use Icinga\Authentication\User;
|
||||
use Icinga\Application\Config;
|
||||
|
||||
/**
|
||||
* Test Class fpr DbUserBackend
|
||||
* Created Wed, 17 Jul 2013 11:52:34 +0000
|
||||
*
|
||||
* @package Tests\Icinga\Authentication
|
||||
*/
|
||||
class DbUserBackendTest extends \PHPUnit_Framework_TestCase {
|
||||
|
||||
private $dbUserBackend;
|
||||
private $db;
|
||||
private $testTable = "icinga_users_test";
|
||||
|
||||
/*
|
||||
* Must be identical with the column names defined in DbUserBackend
|
||||
*/
|
||||
private $USER_NAME_COLUMN = "user_name",
|
||||
$FIRST_NAME_COLUMN = "first_name",
|
||||
$LAST_NAME_COLUMN = "last_name",
|
||||
$LAST_LOGIN_COLUMN = "last_login",
|
||||
$SALT_COLUMN = "salt",
|
||||
$PASSWORD_COLUMN = "password",
|
||||
$ACTIVE_COLUMN = "active",
|
||||
$DOMAIN_COLUMN = "domain",
|
||||
$EMAIL_COLUMN = "email";
|
||||
|
||||
private $users;
|
||||
private $unknownUsers;
|
||||
|
||||
private $dbTypeMap = Array(
|
||||
'mysql' => 'PDO_MYSQL',
|
||||
'pgsql' => 'PDO_PGSQL'
|
||||
);
|
||||
|
||||
protected function setUp()
|
||||
{
|
||||
$this->users = Array(
|
||||
0 => Array(
|
||||
$this->USER_NAME_COLUMN => 'user1',
|
||||
$this->PASSWORD_COLUMN => 'secret1',
|
||||
$this->SALT_COLUMN => '8a7487a539c5d1d6766639d04d1ed1e6',
|
||||
$this->ACTIVE_COLUMN => true
|
||||
),
|
||||
1 => Array(
|
||||
$this->USER_NAME_COLUMN => 'user2',
|
||||
$this->PASSWORD_COLUMN => 'secret2',
|
||||
$this->SALT_COLUMN => '04b5521ddd761b5a5b633be83faa494d',
|
||||
$this->ACTIVE_COLUMN => true
|
||||
),
|
||||
2 => Array(
|
||||
$this->USER_NAME_COLUMN => 'user3',
|
||||
$this->PASSWORD_COLUMN => 'secret3',
|
||||
$this->SALT_COLUMN => '08bb94ba3120338ae56db80ef551d324',
|
||||
$this->ACTIVE_COLUMN => false
|
||||
)
|
||||
);
|
||||
|
||||
// TODO: Fetch config folder from somewhere instead of defining it statically.
|
||||
Config::$configDir = "/vagrant/config";
|
||||
$config = Config::app('authentication')->users;
|
||||
$config->table = $this->testTable;
|
||||
|
||||
$this->db = \Zend_Db::factory($this->dbTypeMap[$config->dbtype],
|
||||
array(
|
||||
'host' => $config->host,
|
||||
'username' => $config->user,
|
||||
'password' => $config->password,
|
||||
'dbname' => $config->db
|
||||
));
|
||||
|
||||
if($config->dbtype == 'pgsql'){
|
||||
$this->users[0][$this->ACTIVE_COLUMN] = "TRUE";
|
||||
$this->users[1][$this->ACTIVE_COLUMN] = "TRUE";
|
||||
$this->users[2][$this->ACTIVE_COLUMN] = "FALSE";
|
||||
}
|
||||
$this->setUpDb($this->db);
|
||||
$this->dbUserBackend = new DbUserBackend($config);
|
||||
}
|
||||
|
||||
public function tearDown()
|
||||
{
|
||||
$this->tearDownDb($this->db);
|
||||
}
|
||||
|
||||
private function setUpDb($db){
|
||||
|
||||
$db->exec('CREATE TABLE '.$this->testTable.' (
|
||||
'.$this->USER_NAME_COLUMN.' varchar(255) NOT NULL,
|
||||
'.$this->FIRST_NAME_COLUMN.' varchar(255),
|
||||
'.$this->LAST_NAME_COLUMN.' varchar(255),
|
||||
'.$this->LAST_LOGIN_COLUMN.' timestamp,
|
||||
'.$this->SALT_COLUMN.' varchar(255),
|
||||
'.$this->DOMAIN_COLUMN.' varchar(255),
|
||||
'.$this->EMAIL_COLUMN.' varchar(255),
|
||||
'.$this->PASSWORD_COLUMN.' varchar(255) NOT NULL,
|
||||
'.$this->ACTIVE_COLUMN.' BOOL,
|
||||
PRIMARY KEY ('.$this->USER_NAME_COLUMN.')
|
||||
)');
|
||||
|
||||
for($i = 0; $i < count($this->users); $i++){
|
||||
$usr = $this->users[$i];
|
||||
$data = Array(
|
||||
$this->USER_NAME_COLUMN => $usr[$this->USER_NAME_COLUMN],
|
||||
$this->PASSWORD_COLUMN => Crypto::hashPassword(
|
||||
$usr[$this->PASSWORD_COLUMN],
|
||||
$usr[$this->SALT_COLUMN]),
|
||||
$this->ACTIVE_COLUMN => $usr[$this->ACTIVE_COLUMN],
|
||||
$this->SALT_COLUMN => $usr[$this->SALT_COLUMN]
|
||||
);
|
||||
$db->insert($this->testTable,$data);
|
||||
}
|
||||
}
|
||||
|
||||
private function tearDownDb($db){
|
||||
$db->exec('DROP TABLE '.$this->testTable);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test for DbUserBackend::HasUsername()
|
||||
**/
|
||||
public function testHasUsername(){
|
||||
|
||||
// Known user
|
||||
$this->assertTrue($this->dbUserBackend->hasUsername(
|
||||
new Credentials(
|
||||
$this->users[0][$this->USER_NAME_COLUMN],
|
||||
$this->users[0][$this->PASSWORD_COLUMN])
|
||||
));
|
||||
|
||||
// Unknown user
|
||||
$this->assertFalse($this->dbUserBackend->hasUsername(
|
||||
new Credentials(
|
||||
'unkown user',
|
||||
'secret')
|
||||
));
|
||||
|
||||
// Inactive user
|
||||
$this->assertFalse($this->dbUserBackend->hasUsername(
|
||||
new Credentials(
|
||||
$this->users[2][$this->USER_NAME_COLUMN],
|
||||
$this->users[2][$this->PASSWORD_COLUMN])
|
||||
));
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Test for DbUserBackend::Authenticate()
|
||||
*
|
||||
**/
|
||||
public function testAuthenticate(){
|
||||
// Known user
|
||||
$this->assertNotNull($this->dbUserBackend->authenticate(
|
||||
new Credentials(
|
||||
$this->users[0][$this->USER_NAME_COLUMN],
|
||||
$this->users[0][$this->PASSWORD_COLUMN])
|
||||
));
|
||||
|
||||
// Wrong password
|
||||
$this->assertNull(
|
||||
$this->dbUserBackend->authenticate(
|
||||
new Credentials(
|
||||
$this->users[1][$this->USER_NAME_COLUMN],
|
||||
'wrongpassword')
|
||||
)
|
||||
);
|
||||
|
||||
// Nonexistend user
|
||||
$this->assertNull(
|
||||
$this->dbUserBackend->authenticate(
|
||||
new Credentials(
|
||||
'nonexistend user',
|
||||
$this->users[1][$this->PASSWORD_COLUMN])
|
||||
)
|
||||
);
|
||||
|
||||
// Inactive user
|
||||
$this->assertNull($this->dbUserBackend->authenticate(
|
||||
new Credentials(
|
||||
$this->users[2][$this->USER_NAME_COLUMN],
|
||||
$this->users[2][$this->PASSWORD_COLUMN])
|
||||
));
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue