Merge branch 'bugfix/evaluate-redirect_remote_user-12164'

fixes #12164
2016-11-21 08:53:35 +01:00 · 2016-11-21 08:53:35 +01:00 · 78be71bc92
parent 3d6e804ff3 2c817215cb
commit 78be71bc92
3 changed files with 50 additions and 20 deletions
--- a/library/Icinga/Authentication/User/ExternalBackend.php
+++ b/library/Icinga/Authentication/User/ExternalBackend.php
@ -3,6 +3,7 @@

 namespace Icinga\Authentication\User;

+use Icinga\Application\Logger;
 use Icinga\Data\ConfigObject;
 use Icinga\User;

@ -11,6 +12,13 @@ use Icinga\User;
 */
 class ExternalBackend implements UserBackendInterface
 {
+    /**
+     * Possible variables where to read the user from
+     *
+     * @var string[]
+     */
+    public static $remoteUserEnvvars = array('REMOTE_USER', 'REDIRECT_REMOTE_USER');
+
    /**
     * The name of this backend
     *
@ -55,7 +63,7 @@ class ExternalBackend implements UserBackendInterface
    /**
     * Get the remote user from environment or $_SERVER, if any
     *
-     * @param   string  $variable   The name variable where to read the user from
+     * @param   string  $variable   The name of the variable where to read the user from
     *
     * @return  string|null
     */
@ -65,29 +73,46 @@ class ExternalBackend implements UserBackendInterface
        if ($username !== false) {
            return $username;
        }
+
        if (array_key_exists($variable, $_SERVER)) {
            return $_SERVER[$variable];
        }
-        return null;
    }

+    /**
+     * Get the remote user information from environment or $_SERVER, if any
+     *
+     * @return  array   Contains always two entries, the username and origin which may both set to null.
+     */
+    public static function getRemoteUserInformation()
+    {
+        foreach (static::$remoteUserEnvvars as $envVar) {
+            $username = static::getRemoteUser($envVar);
+            if ($username !== null) {
+                return array($username, $envVar);
+            }
+        }
+
+        return array(null, null);
+    }

    /**
     * {@inheritdoc}
     */
    public function authenticate(User $user, $password = null)
    {
-        $username = static::getRemoteUser();
+        list($username, $field) = static::getRemoteUserInformation();
        if ($username !== null) {
-            $user->setExternalUserInformation($username, 'REMOTE_USER');
+            $user->setExternalUserInformation($username, $field);

            if ($this->stripUsernameRegexp) {
-                $stripped = preg_replace($this->stripUsernameRegexp, '', $username);
-                if ($stripped !== null) {
-                    // TODO(el): PHP issues a warning when PHP cannot compile the regular expression. Should we log an
-                    // additional message in that case?
-                    $username = $stripped;
+                $stripped = @preg_replace($this->stripUsernameRegexp, '', $username);
+                if ($stripped === false) {
+                    Logger::error('Failed to strip external username. The configured regular expression is invalid.');
+                    return false;
                }
+
+                $username = $stripped;
            }

            $user->setUsername($username);
--- a/modules/setup/application/forms/AdminAccountPage.php
+++ b/modules/setup/application/forms/AdminAccountPage.php
@ -5,6 +5,7 @@ namespace Icinga\Module\Setup\Forms;

 use Exception;
 use Icinga\Application\Config;
+use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Authentication\User\UserBackend;
 use Icinga\Authentication\User\DbUserBackend;
 use Icinga\Authentication\User\LdapUserBackend;
@ -269,8 +270,8 @@ class AdminAccountPage extends Form
     */
    protected function getUsername()
    {
-        $name = getenv('REMOTE_USER');
-        if ($name === false) {
+        list($name, $_) = ExternalBackend::getRemoteUserInformation();
+        if ($name === null) {
            return '';
        }

--- a/modules/setup/application/forms/AuthenticationPage.php
+++ b/modules/setup/application/forms/AuthenticationPage.php
@ -3,6 +3,7 @@

 namespace Icinga\Module\Setup\Forms;

+use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Web\Form;
 use Icinga\Application\Platform;

@ -30,15 +31,18 @@ class AuthenticationPage extends Form
     */
    public function createElements(array $formData)
    {
-        if (isset($formData['type']) && $formData['type'] === 'external' && getenv('REMOTE_USER') === false) {
-            $this->info(
-                $this->translate(
-                    'You\'re currently not authenticated using any of the web server\'s authentication '
-                    . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to '
-                    . 'log into Icinga Web 2.'
-                ),
-                false
-            );
+        if (isset($formData['type']) && $formData['type'] === 'external') {
+            list($username, $_) = ExternalBackend::getRemoteUserInformation();
+            if ($username === null) {
+                $this->info(
+                    $this->translate(
+                        'You\'re currently not authenticated using any of the web server\'s authentication '
+                        . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to '
+                        . 'log into Icinga Web 2.'
+                    ),
+                    false
+                );
+            }
        }

        $backendTypes = array();