From 4c96da3d567107fc87acec3e80c13901b99b5958 Mon Sep 17 00:00:00 2001
From: Johannes Meyer <johannes.meyer@icinga.com>
Date: Tue, 2 Oct 2018 15:24:11 +0200
Subject: [PATCH] auth/external: Use a stripped down layout for the logout
 workaround

We've used the standard layout before which caused a automatic login.
Automatic because the browser saw our js/css <link> tags and accessed
the routes which in turn logged in the user, but only if there's a
enabled module which's configuration.php (or run.php) accesses the
Auth singleton. The stripped down layout provides its own js/css so
there's no need for our full-blown resources.

fixes #3583
---
 .../controllers/AuthenticationController.php  |  1 +
 .../layouts/scripts/external-logout.phtml     | 33 ++++++++++++++++++
 .../views/scripts/authentication/logout.phtml | 34 ++++++++++++++++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 application/layouts/scripts/external-logout.phtml

diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
index 3e8843722..c6fedb57c 100644
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@@ -74,6 +74,7 @@ class AuthenticationController extends Controller
         AuthenticationHook::triggerLogout($auth->getUser());
         $auth->removeAuthorization();
         if ($isExternalUser) {
+            $this->view->layout()->setLayout('external-logout');
             $this->getResponse()->setHttpResponseCode(401);
         } else {
             $this->redirectToLogin();
diff --git a/application/layouts/scripts/external-logout.phtml b/application/layouts/scripts/external-logout.phtml
new file mode 100644
index 000000000..a1df8b7ba
--- /dev/null
+++ b/application/layouts/scripts/external-logout.phtml
@@ -0,0 +1,33 @@
+<?php
+
+use Icinga\Util\Translator;
+
+$lang = Translator::splitLocaleCode()->language;
+$showFullscreen = $this->layout()->showFullscreen;
+$innerLayoutScript = $this->layout()->innerLayout . '.phtml';
+
+?><!DOCTYPE html>
+<!--[if IE 8]>
+<html class="no-js ie8" lang="<?= $lang ?>"> <![endif]-->
+<!--[if gt IE 8]><!-->
+<html class="no-js" lang="<?= $lang ?>"> <!--<![endif]-->
+<head>
+    <meta charset="utf-8">
+    <meta name="google" value="notranslate">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta http-equiv="cleartype" content="on">
+    <title><?= $this->title ? $this->escape($this->title) : $this->defaultTitle ?></title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no, viewport-fit=cover">
+    <meta name="apple-mobile-web-app-capable" content="yes">
+    <meta name="application-name" content="Icinga Web 2">
+    <meta name="apple-mobile-web-app-title" content="Icinga">
+    <link rel="mask-icon" href="<?= $this->baseUrl('img/website-icon.svg') ?>" color="#0096BF">
+    <link type="image/png" rel="shortcut icon" href="<?= $this->baseUrl('img/favicon.png') ?>" />
+    <link rel="apple-touch-icon" href="<?= $this->baseUrl('img/touch-icon.png') ?>">
+</head>
+<body id="body">
+<div id="layout" class="default-layout<?php if ($showFullscreen): ?> fullscreen-layout<?php endif ?>">
+    <?= $this->render($innerLayoutScript); ?>
+</div>
+</body>
+</html>
diff --git a/application/views/scripts/authentication/logout.phtml b/application/views/scripts/authentication/logout.phtml
index f7ad84b8c..d4bd78e01 100644
--- a/application/views/scripts/authentication/logout.phtml
+++ b/application/views/scripts/authentication/logout.phtml
@@ -8,6 +8,7 @@
     logged-in user this JavaScript provides a workaround to force a new authentication prompt in most browsers.
 -->
 <div class="content">
+    <div id="icinga-logo" aria-hidden="true"></div>
     <div class="alert alert-warning" id="logout-status">
         <b><?= $this->translate('Logging out...'); ?></b>
         <br>
@@ -19,7 +20,7 @@
     </div>
 
     <div class="container">
-        <a href="<?= $this->href('dashboard/index?renderLayout'); ?>"><?= $this->translate('Login'); ?></a>
+        <a href="<?= $this->href('dashboard'); ?>"><?= $this->translate('Login'); ?></a>
     </div>
 </div>
 <script type="text/javascript">
@@ -45,3 +46,34 @@
         msg.className = 'alert alert-success';
     });
 </script>
+<style type="text/css">
+    body {
+        font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol";
+        background-color: #0095bf;
+        color: white;
+    }
+    .content {
+        text-align: center;
+    }
+
+    #icinga-logo {
+        background-image: url('../img/icinga-logo-big.svg');
+        background-position: center bottom;
+        background-repeat: no-repeat;
+        background-size: contain;
+        height: 177px;
+        margin-top: 10em;
+        width: 100%;
+    }
+
+    #logout-status {
+        margin: 2em 0 1em;
+        font-size: 2em;
+        font-weight: bold;
+    }
+
+    .container a {
+        color: white;
+        font-size: 1.5em;
+    }
+</style>