mirror of
https://github.com/Icinga/icingaweb2.git
synced 2025-07-27 07:44:04 +02:00
DbUserBackend: Provide a custom insert and update implementation
As we're transmitting password hashes which may contain special chars and the like, we need to utilize prepared statements with explicit types. refs #8826
This commit is contained in:
Johannes Meyer
parent
b3957c556b
commit
44bbd93cbc
@ -5,6 +5,7 @@ namespace Icinga\Authentication\User;
|
|||||||
|
|
||||||
use Exception;
|
use Exception;
|
||||||
use PDO;
|
use PDO;
|
||||||
|
use Icinga\Data\Filter\Filter;
|
||||||
use Icinga\Exception\AuthenticationException;
|
use Icinga\Exception\AuthenticationException;
|
||||||
use Icinga\Repository\DbRepository;
|
use Icinga\Repository\DbRepository;
|
||||||
use Icinga\User;
|
use Icinga\User;
|
||||||
@ -40,6 +41,19 @@ class DbUserBackend extends DbRepository implements UserBackendInterface
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The statement columns being provided
|
||||||
|
*
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
protected $statementColumns = array(
|
||||||
|
'user' => array(
|
||||||
|
'password' => 'password_hash',
|
||||||
|
'created_at' => 'ctime',
|
||||||
|
'last_modified' => 'mtime'
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The columns which are not permitted to be queried
|
* The columns which are not permitted to be queried
|
||||||
*
|
*
|
||||||
@ -61,6 +75,13 @@ class DbUserBackend extends DbRepository implements UserBackendInterface
|
|||||||
)
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The value conversion rules to apply on a query/statement
|
||||||
|
*
|
||||||
|
* @var array
|
||||||
|
*/
|
||||||
|
protected $conversionRules = array('password');
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Initialize this database user backend
|
* Initialize this database user backend
|
||||||
*/
|
*/
|
||||||
@ -72,23 +93,91 @@ class DbUserBackend extends DbRepository implements UserBackendInterface
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add a new user
|
* Insert a table row with the given data
|
||||||
*
|
*
|
||||||
* @param string $username The name of the new user
|
* @param string $table
|
||||||
* @param string $password The new user's password
|
* @param array $data
|
||||||
* @param bool $active Whether the user is active
|
|
||||||
*/
|
*/
|
||||||
public function addUser($username, $password, $active = true)
|
public function insert($table, array $data)
|
||||||
{
|
{
|
||||||
$passwordHash = $this->hashPassword($password);
|
$newData['created_at'] = date('Y-m-d H:i:s');
|
||||||
|
$newData = $this->requireStatementColumns($data);
|
||||||
|
|
||||||
$stmt = $this->ds->getDbAdapter()->prepare(
|
$values = array();
|
||||||
'INSERT INTO icingaweb_user VALUES (:name, :active, :password_hash, now(), DEFAULT);'
|
foreach ($newData as $column => $_) {
|
||||||
);
|
$values[] = ':' . $column;
|
||||||
$stmt->bindParam(':name', $username, PDO::PARAM_STR);
|
}
|
||||||
$stmt->bindParam(':active', $active, PDO::PARAM_INT);
|
|
||||||
$stmt->bindParam(':password_hash', $passwordHash, PDO::PARAM_LOB);
|
$sql = 'INSERT INTO '
|
||||||
$stmt->execute();
|
. $this->prependTablePrefix($table)
|
||||||
|
. ' (' . join(', ', array_keys($newData)) . ') '
|
||||||
|
. 'VALUES (' . join(', ', $values) . ')';
|
||||||
|
$statement = $this->ds->getDbAdapter()->prepare($sql);
|
||||||
|
|
||||||
|
foreach ($newData as $column => $value) {
|
||||||
|
$type = PDO::PARAM_STR;
|
||||||
|
if ($column === 'password_hash') {
|
||||||
|
$type = PDO::PARAM_LOB;
|
||||||
|
} elseif ($column === 'active') {
|
||||||
|
$type = PDO::PARAM_INT;
|
||||||
|
}
|
||||||
|
|
||||||
|
$statement->bindValue(':' . $column, $value, $type);
|
||||||
|
}
|
||||||
|
|
||||||
|
$statement->execute();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Update table rows with the given data, optionally limited by using a filter
|
||||||
|
*
|
||||||
|
* @param string $table
|
||||||
|
* @param array $data
|
||||||
|
* @param Filter $filter
|
||||||
|
*/
|
||||||
|
public function update($table, array $data, Filter $filter = null)
|
||||||
|
{
|
||||||
|
$newData['last_modified'] = date('Y-m-d H:i:s');
|
||||||
|
$newData = $this->requireStatementColumns($data);
|
||||||
|
if ($filter) {
|
||||||
|
$this->requireFilter($filter);
|
||||||
|
}
|
||||||
|
|
||||||
|
$set = array();
|
||||||
|
foreach ($newData as $column => $_) {
|
||||||
|
$set[] = $column . ' = :' . $column;
|
||||||
|
}
|
||||||
|
|
||||||
|
$sql = 'UPDATE '
|
||||||
|
. $this->prependTablePrefix($table)
|
||||||
|
. ' SET ' . join(', ', $set)
|
||||||
|
. ($filter ? ' WHERE ' . $this->ds->renderFilter($filter) : '');
|
||||||
|
$statement = $this->ds->getDbAdapter()->prepare($sql);
|
||||||
|
|
||||||
|
foreach ($newData as $column => $value) {
|
||||||
|
$type = PDO::PARAM_STR;
|
||||||
|
if ($column === 'password_hash') {
|
||||||
|
$type = PDO::PARAM_LOB;
|
||||||
|
} elseif ($column === 'active') {
|
||||||
|
$type = PDO::PARAM_INT;
|
||||||
|
}
|
||||||
|
|
||||||
|
$statement->bindValue(':' . $column, $value, $type);
|
||||||
|
}
|
||||||
|
|
||||||
|
$statement->execute();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Hash and return the given password
|
||||||
|
*
|
||||||
|
* @param string $value
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
protected function persistPassword($value)
|
||||||
|
{
|
||||||
|
return $this->hashPassword($value);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user