From 29c221418b4049aab1d20c316806a5440b312fae Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Mon, 17 Oct 2016 16:19:26 +0200 Subject: [PATCH 01/13] External authentication: respect REDIRECT_REMOTE_USER as well refs #12164 --- .../Authentication/User/ExternalBackend.php | 20 ++++++++++--------- .../application/forms/AdminAccountPage.php | 5 +++-- .../application/forms/AuthenticationPage.php | 4 +++- 3 files changed, 17 insertions(+), 12 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 3baf1c8e0..7e9f7baba 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -55,18 +55,20 @@ class ExternalBackend implements UserBackendInterface /** * Get the remote user from environment or $_SERVER, if any * - * @param string $variable The name variable where to read the user from + * @param string|null $variable The name variable where to read the user from * * @return string|null */ public static function getRemoteUser($variable = 'REMOTE_USER') { - $username = getenv($variable); - if ($username !== false) { - return $username; - } - if (array_key_exists($variable, $_SERVER)) { - return $_SERVER[$variable]; + foreach (($variable === null ? array('REMOTE_USER', 'REDIRECT_REMOTE_USER') : array($variable)) as $variable) { + $username = getenv($variable); + if ($username !== false) { + return $username; + } + if (array_key_exists($variable, $_SERVER)) { + return $_SERVER[$variable]; + } } return null; } 
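Review bot: The new loop in getRemoteUser() returns the first variable that is merely set, so an empty `REMOTE_USER` hides a populated `REDIRECT_REMOTE_USER` and is handed back as the user name. The callers in this patch only compare against `null` (or `false` before), so `''` would be treated as a present remote user. If any supported server exports the variable with an empty value for unauthenticated requests (some FastCGI setups may; confirm), that matters. Consider `if ($username !== false && $username !== '') {` and `if (isset($_SERVER[$variable]) && $_SERVER[$variable] !== '') {`. The same null-only test reappears in getRemoteUserInformation() in patch 11. The loop also reuses the parameter name `$variable` as its iteration variable; a separate name such as `$candidate` would keep the argument readable.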
@@ -77,9 +79,9 @@ class ExternalBackend implements UserBackendInterface */ public function authenticate(User $user, $password = null) { - $username = static::getRemoteUser(); + $username = static::getRemoteUser(null); if ($username !== null) { - $user->setExternalUserInformation($username, 'REMOTE_USER'); + $user->setExternalUserInformation($username, null); if ($this->stripUsernameRegexp) { $stripped = preg_replace($this->stripUsernameRegexp, '', $username); diff --git a/modules/setup/application/forms/AdminAccountPage.php b/modules/setup/application/forms/AdminAccountPage.php index 439a3beb2..6e8fe26dc 100644 --- a/modules/setup/application/forms/AdminAccountPage.php +++ b/modules/setup/application/forms/AdminAccountPage.php @@ -5,6 +5,7 @@ namespace Icinga\Module\Setup\Forms; use Exception; use Icinga\Application\Config; +use Icinga\Authentication\User\ExternalBackend; use Icinga\Authentication\User\UserBackend; use Icinga\Authentication\User\DbUserBackend; use Icinga\Authentication\User\LdapUserBackend; @@ -269,8 +270,8 @@ class AdminAccountPage extends Form */ protected function getUsername() { - $name = getenv('REMOTE_USER'); - if ($name === false) { + $name = ExternalBackend::getRemoteUser(null); + if ($name === null) { return ''; } diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 132f9377b..d90b52a09 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -3,6 +3,7 @@ namespace Icinga\Module\Setup\Forms; +use Icinga\Authentication\User\ExternalBackend; use Icinga\Web\Form; use Icinga\Application\Platform; 
@@ -30,7 +31,8 @@ class AuthenticationPage extends Form */ public function createElements(array $formData) { - if (isset($formData['type']) && $formData['type'] === 'external' && getenv('REMOTE_USER') === false) { + if (isset($formData['type']) && $formData['type'] === 'external' + && ExternalBackend::getRemoteUser(null) === null) { $this->info( $this->translate( 'You\'re currently not authenticated using any of the web server\'s authentication ' From ce951295d33ccf8b18d62c2347bce8345b8caac2 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Mon, 17 Oct 2016 18:46:00 +0200 Subject: [PATCH 02/13] ExternalBackend: make the variable a webserver assigns a username to configurable refs #12164 --- .../Icinga/Authentication/User/ExternalBackend.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 7e9f7baba..d3631dcee 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -11,6 +11,13 @@ use Icinga\User; */ class ExternalBackend implements UserBackendInterface { + /** + * The configuration of this backend + * + * @var ConfigObject + */ + protected $config; + /** * The name of this backend * @@ -32,6 +39,7 @@ class ExternalBackend implements UserBackendInterface */ public function __construct(ConfigObject $config) { + $this->config = $config; $this->stripUsernameRegexp = $config->get('strip_username_regexp'); } 
@@ -79,9 +87,10 @@ class ExternalBackend implements UserBackendInterface */ public function authenticate(User $user, $password = null) { - $username = static::getRemoteUser(null); + $usernameEnvvar = $this->config->username_envvar; + $username = static::getRemoteUser($usernameEnvvar); if ($username !== null) { - $user->setExternalUserInformation($username, null); + $user->setExternalUserInformation($username, $usernameEnvvar); if ($this->stripUsernameRegexp) { $stripped = preg_replace($this->stripUsernameRegexp, '', $username); From ab01d2f91532c77133e0d62f1177d149872821a4 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 10:17:21 +0200 Subject: [PATCH 03/13] ExternalBackend: don't reference more than necessary from the config refs #12164 --- .../Authentication/User/ExternalBackend.php | 21 +++++++++---------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index d3631dcee..38cc27b61 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -11,13 +11,6 @@ use Icinga\User; */ class ExternalBackend implements UserBackendInterface { - /** - * The configuration of this backend - * - * @var ConfigObject - */ - protected $config; - /** * The name of this backend * @@ -32,6 +25,13 @@ class ExternalBackend implements UserBackendInterface */ protected $stripUsernameRegexp; + /** + * The name variable where to read the user from + * + * @var string|null + */ + protected $usernameEnvvar; + /** * Create new authentication backend of type "external" * @@ -39,8 +39,8 @@ class ExternalBackend implements UserBackendInterface */ public function __construct(ConfigObject $config) { - $this->config = $config; $this->stripUsernameRegexp = $config->get('strip_username_regexp'); + $this->usernameEnvvar = $config->get('username_envvar'); } /** 
@@ -87,10 +87,9 @@ class ExternalBackend implements UserBackendInterface */ public function authenticate(User $user, $password = null) { - $usernameEnvvar = $this->config->username_envvar; - $username = static::getRemoteUser($usernameEnvvar); + $username = static::getRemoteUser($this->usernameEnvvar); if ($username !== null) { - $user->setExternalUserInformation($username, $usernameEnvvar); + $user->setExternalUserInformation($username, $this->usernameEnvvar); if ($this->stripUsernameRegexp) { $stripped = preg_replace($this->stripUsernameRegexp, '', $username); From 4d6160d9872e1fca21ba7aba9d78027c22c30c04 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 10:22:06 +0200 Subject: [PATCH 04/13] ExternalBackend::getRemoteUser(): restore previous default behavior refs #12164 --- .../Authentication/User/ExternalBackend.php | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 38cc27b61..44cd85eb5 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -67,16 +67,18 @@ class ExternalBackend implements UserBackendInterface * * @return string|null */ - public static function getRemoteUser($variable = 'REMOTE_USER') + public static function getRemoteUser($variable = null) { - foreach (($variable === null ? array('REMOTE_USER', 'REDIRECT_REMOTE_USER') : array($variable)) as $variable) { - $username = getenv($variable); - if ($username !== false) { - return $username; - } - if (array_key_exists($variable, $_SERVER)) { - return $_SERVER[$variable]; - } + if ($variable === null) { + $variable = 'REMOTE_USER'; + } + + $username = getenv($variable); + if ($username !== false) { + return $username; + } + if (array_key_exists($variable, $_SERVER)) { + return $_SERVER[$variable]; } return null; } 
From 790d83cb72177cf3ff9495e16d81feb2c8268bf7 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 13:44:01 +0200 Subject: [PATCH 05/13] ExternalBackendForm: make the variable a webserver assigns a username to configurable refs #12164 --- .../forms/Config/UserBackend/ExternalBackendForm.php | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index f4a463911..39c46d927 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -55,6 +55,18 @@ class ExternalBackendForm extends Form 'validators' => array($callbackValidator) ) ); + $this->addElement( + 'text', + 'username_envvar', + array( + 'label' => $this->translate('Username Environment Variable'), + 'description' => $this->translate( + 'The environment variable the webserver assigns the authenticated user\'s name to.' + ), + 'required' => true, + 'value' => 'REMOTE_USER' + ) + ); $this->addElement( 'hidden', 'backend', From be4a31c8e19db2bc51932d8d6c69b31f1ae7fb32 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 15:05:57 +0200 Subject: [PATCH 06/13] ExternalBackendForm: suggest REDIRECT_REMOTE_USER as username variable if set refs #12164 --- .../forms/Config/UserBackend/ExternalBackendForm.php | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index 39c46d927..34519e63b 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -3,6 +3,7 @@ namespace Icinga\Forms\Config\UserBackend; +use Icinga\Authentication\User\ExternalBackend; use Zend_Validate_Callback; use Icinga\Web\Form; 
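Review bot: The new `username_envvar` text element has no validator, and its value later becomes the key for both `getenv()` and `$_SERVER` in ExternalBackend::getRemoteUser(). `$_SERVER` also carries entries derived from the request itself (the `HTTP_*` keys come from request headers), so a configuration naming such a key would make the "authenticated" user name client-supplied. Restrict the field to an allow-list of server-set names, or at least reject request-derived keys, for example `'validators' => array(new Zend_Validate_Callback(function ($v) { return strpos($v, 'HTTP_') !== 0; }))`. The description should also say that the variable must be set by the web server only. The backend hunks in patches 02 and 03 read the same value from the config without any check.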
@@ -55,6 +56,12 @@ class ExternalBackendForm extends Form 'validators' => array($callbackValidator) ) ); + + foreach (array('REDIRECT_REMOTE_USER', 'REMOTE_USER') as $envvar) { + if (ExternalBackend::getRemoteUser($envvar) !== null) { + break; + } + } $this->addElement( 'text', 'username_envvar', @@ -64,9 +71,10 @@ class ExternalBackendForm extends Form 'The environment variable the webserver assigns the authenticated user\'s name to.' ), 'required' => true, - 'value' => 'REMOTE_USER' + 'value' => $envvar ) ); + $this->addElement( 'hidden', 'backend', From d6ac6c8374a4268f746fbcea04f61503c855eb7d Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 15:19:13 +0200 Subject: [PATCH 07/13] setup/AuthenticationPage: don't show the warning about external backend configuration if REDIRECT_REMOTE_USER is set refs #12164 --- .../UserBackend/ExternalBackendForm.php | 2 +- .../Authentication/User/ExternalBackend.php | 9 ++++++ .../application/forms/AuthenticationPage.php | 28 ++++++++++++------- 3 files changed, 28 insertions(+), 11 deletions(-) diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index 34519e63b..e21ed426f 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -57,7 +57,7 @@ class ExternalBackendForm extends Form ) ); - foreach (array('REDIRECT_REMOTE_USER', 'REMOTE_USER') as $envvar) { + foreach (ExternalBackend::getRemoteUserEnvvars() as $envvar) { if (ExternalBackend::getRemoteUser($envvar) !== null) { break; } diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 44cd85eb5..98a180788 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php 
@@ -83,6 +83,15 @@ class ExternalBackend implements UserBackendInterface return null; } + /** + * Get possible variables where to read the user from + * + * @return string[] + */ + public static function getRemoteUserEnvvars() + { + return array('REDIRECT_REMOTE_USER', 'REMOTE_USER'); + } /** * {@inheritdoc} diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index d90b52a09..8fb397edc 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -31,16 +31,24 @@ class AuthenticationPage extends Form */ public function createElements(array $formData) { - if (isset($formData['type']) && $formData['type'] === 'external' - && ExternalBackend::getRemoteUser(null) === null) { - $this->info( - $this->translate( - 'You\'re currently not authenticated using any of the web server\'s authentication ' - . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to ' - . 'log into Icinga Web 2.' - ), - false - ); + if (isset($formData['type']) && $formData['type'] === 'external') { + $hasRemoteUser = false; + foreach (ExternalBackend::getRemoteUserEnvvars() as $envvar) { + if (ExternalBackend::getRemoteUser($envvar) !== null) { + $hasRemoteUser = true; + break; + } + } + if (! $hasRemoteUser) { + $this->info( + $this->translate( + 'You\'re currently not authenticated using any of the web server\'s authentication ' + . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to ' + . 'log into Icinga Web 2.' + ), + false + ); + } } $backendTypes = array(); From f8501aa80d413cb36abc2afec677f14e47a81c05 Mon Sep 17 00:00:00 2001 
From: "Alexander A. Klimov" Date: Tue, 18 Oct 2016 15:38:03 +0200 Subject: [PATCH 08/13] setup/AdminAccountPage: respect previously configured envvar when suggesting admin username refs #12164 --- modules/setup/application/forms/AdminAccountPage.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/setup/application/forms/AdminAccountPage.php b/modules/setup/application/forms/AdminAccountPage.php index 6e8fe26dc..b636063c9 100644 --- a/modules/setup/application/forms/AdminAccountPage.php +++ b/modules/setup/application/forms/AdminAccountPage.php @@ -270,7 +270,7 @@ class AdminAccountPage extends Form */ protected function getUsername() { - $name = ExternalBackend::getRemoteUser(null); + $name = ExternalBackend::getRemoteUser($this->backendConfig['username_envvar']); if ($name === null) { return ''; } From d9330486e9fe36a179d2d0a1e01e608fecff0558 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Fri, 4 Nov 2016 17:27:36 +0100 Subject: [PATCH 09/13] Replace ExternalBackend::getRemoteUserEnvvars() with an attribute refs #12164 --- .../Config/UserBackend/ExternalBackendForm.php | 2 +- .../Authentication/User/ExternalBackend.php | 17 +++++++---------- .../application/forms/AuthenticationPage.php | 2 +- 3 files changed, 9 insertions(+), 12 deletions(-) diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index e21ed426f..61303b0f3 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -57,7 +57,7 @@ class ExternalBackendForm extends Form ) ); - foreach (ExternalBackend::getRemoteUserEnvvars() as $envvar) { + foreach (ExternalBackend::$remoteUserEnvvars as $envvar) { if (ExternalBackend::getRemoteUser($envvar) !== null) { break; } 
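Review bot: `$this->backendConfig['username_envvar']` in getUsername() is read without checking that the key exists. A backend configuration created without that field would raise an undefined-index notice here and pass `null` on. Since getRemoteUser() already maps `null` to the default, `isset($this->backendConfig['username_envvar']) ? $this->backendConfig['username_envvar'] : null` makes the fallback explicit. How `backendConfig` is populated is outside this hunk, so confirm whether the key is guaranteed.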
diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 98a180788..65ec1029a 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -11,6 +11,13 @@ use Icinga\User; */ class ExternalBackend implements UserBackendInterface { + /** + * Possible variables where to read the user from + * + * @var string[] + */ + public static $remoteUserEnvvars = array('REDIRECT_REMOTE_USER', 'REMOTE_USER'); + /** * The name of this backend * @@ -83,16 +90,6 @@ class ExternalBackend implements UserBackendInterface return null; } - /** - * Get possible variables where to read the user from - * - * @return string[] - */ - public static function getRemoteUserEnvvars() - { - return array('REDIRECT_REMOTE_USER', 'REMOTE_USER'); - } - /** * {@inheritdoc} */ diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 8fb397edc..97356cab8 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -33,7 +33,7 @@ class AuthenticationPage extends Form { if (isset($formData['type']) && $formData['type'] === 'external') { $hasRemoteUser = false; - foreach (ExternalBackend::getRemoteUserEnvvars() as $envvar) { + foreach (ExternalBackend::$remoteUserEnvvars as $envvar) { if (ExternalBackend::getRemoteUser($envvar) !== null) { $hasRemoteUser = true; break; From 846f8ec3d8a59155a187d54e45c668ca75057213 Mon Sep 17 00:00:00 2001 From: "Alexander A. Klimov" Date: Fri, 4 Nov 2016 17:31:52 +0100 Subject: [PATCH 10/13] ExternalBackendForm: set default username envvar explicitly refs #12164 --- .../forms/Config/UserBackend/ExternalBackendForm.php | 6 ++++++ 1 file changed, 6 insertions(+) 
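Review bot: `public static $remoteUserEnvvars` makes the list of variables trusted for external authentication writable by any code running in the process, which the removed getter did not allow. The forms in this patch, and the lookup added later in the series, iterate it directly, so an accidental or module-side assignment would change which variable supplies the user name. Prefer `protected static $remoteUserEnvvars = array('REDIRECT_REMOTE_USER', 'REMOTE_USER');` with the read-only getter kept, or a class constant if the minimum PHP version allows array constants. If the property has to stay public, the docblock should state that it must not be modified at runtime.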
diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index 61303b0f3..f178f53a2 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -57,11 +57,17 @@ class ExternalBackendForm extends Form ) ); + $hasRemoteUser = false; foreach (ExternalBackend::$remoteUserEnvvars as $envvar) { if (ExternalBackend::getRemoteUser($envvar) !== null) { + $hasRemoteUser = true; break; } } + if (! $hasRemoteUser) { + $envvar = 'REMOTE_USER'; + } + $this->addElement( 'text', 'username_envvar', From 0bd00ba3d0a872d2f64e8a3bd50c21b71cfad9b3 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Wed, 16 Nov 2016 11:55:54 +0100 Subject: [PATCH 11/13] ExternalBackend: Simplify how remote users are identified refs #12164 --- .../Authentication/User/ExternalBackend.php | 41 +++++++++++-------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 65ec1029a..84f93e8b7 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -16,7 +16,7 @@ class ExternalBackend implements UserBackendInterface * * @var string[] */ - public static $remoteUserEnvvars = array('REDIRECT_REMOTE_USER', 'REMOTE_USER'); + public static $remoteUserEnvvars = array('REMOTE_USER', 'REDIRECT_REMOTE_USER'); /** * The name of this backend @@ -32,13 +32,6 @@ class ExternalBackend implements UserBackendInterface */ protected $stripUsernameRegexp; - /** - * The name variable where to read the user from - * - * @var string|null - */ - protected $usernameEnvvar; - /** * Create new authentication backend of type "external" * 
@@ -47,7 +40,6 @@ class ExternalBackend implements UserBackendInterface public function __construct(ConfigObject $config) { $this->stripUsernameRegexp = $config->get('strip_username_regexp'); - $this->usernameEnvvar = $config->get('username_envvar'); } /** @@ -70,24 +62,37 @@ class ExternalBackend implements UserBackendInterface /** * Get the remote user from environment or $_SERVER, if any * - * @param string|null $variable The name variable where to read the user from + * @param string $variable The name of the variable where to read the user from * * @return string|null */ - public static function getRemoteUser($variable = null) + public static function getRemoteUser($variable = 'REMOTE_USER') { - if ($variable === null) { - $variable = 'REMOTE_USER'; - } - $username = getenv($variable); if ($username !== false) { return $username; } + if (array_key_exists($variable, $_SERVER)) { return $_SERVER[$variable]; } - return null; + } + + /** + * Get the remote user information from environment or $_SERVER, if any + * + * @return array Contains always two entries, the username and origin which may both set to null. + */ + public static function getRemoteUserInformation() + { + foreach (static::$remoteUserEnvvars as $envVar) { + $username = static::getRemoteUser($envVar); + if ($username !== null) { + return array($username, $envVar); + } + } + + return array(null, null); } /** @@ -95,9 +100,9 @@ class ExternalBackend implements UserBackendInterface */ public function authenticate(User $user, $password = null) { - $username = static::getRemoteUser($this->usernameEnvvar); + list($username, $field) = static::getRemoteUserInformation(); if ($username !== null) { - $user->setExternalUserInformation($username, $this->usernameEnvvar); + $user->setExternalUserInformation($username, $field); if ($this->stripUsernameRegexp) { $stripped = preg_replace($this->stripUsernameRegexp, '', $username); From 3a816ce0f7a61d74f29a56b76ed1f9ade43516da Mon Sep 17 00:00:00 2001 
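Review bot: getRemoteUser() now ends without a return statement when neither lookup matches, so the documented `string|null` result relies on PHP's implicit null. Every caller in this series compares with `!== null` or `=== null`, so restore the explicit `return null;` after the `$_SERVER` check to keep that contract visible. The docblock of the new getRemoteUserInformation() would read more clearly as `@return array Always two entries, username and origin; both are null when no variable is set`.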
From: Johannes Meyer Date: Wed, 16 Nov 2016 12:04:46 +0100 Subject: [PATCH 12/13] ExternalBackend: Don't throw an error if it's not possible to clean usernames --- .../Icinga/Authentication/User/ExternalBackend.php | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php index 84f93e8b7..a6159818a 100644 --- a/library/Icinga/Authentication/User/ExternalBackend.php +++ b/library/Icinga/Authentication/User/ExternalBackend.php @@ -3,6 +3,7 @@ namespace Icinga\Authentication\User; +use Icinga\Application\Logger; use Icinga\Data\ConfigObject; use Icinga\User; @@ -105,12 +106,13 @@ class ExternalBackend implements UserBackendInterface $user->setExternalUserInformation($username, $field); if ($this->stripUsernameRegexp) { - $stripped = preg_replace($this->stripUsernameRegexp, '', $username); - if ($stripped !== false) { - // TODO(el): PHP issues a warning when PHP cannot compile the regular expression. Should we log an - // additional message in that case? - $username = $stripped; + $stripped = @preg_replace($this->stripUsernameRegexp, '', $username); + if ($stripped === false) { + Logger::error('Failed to strip external username. The configured regular expression is invalid.'); + return false; } + + $username = $stripped; } $user->setUsername($username); From 2c817215cbd56d7c0df2926c0656376b293c7c79 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Wed, 16 Nov 2016 12:06:58 +0100 Subject: [PATCH 13/13] ExternalBackendForm: Remove option to configure where to fetch a remote user refs #12164 --- .../UserBackend/ExternalBackendForm.php | 26 ------------------- .../application/forms/AdminAccountPage.php | 2 +- .../application/forms/AuthenticationPage.php | 10 ++----- 3 files changed, 3 insertions(+), 35 deletions(-) 
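Review bot: The `$stripped === false` check in authenticate() can never match, because `preg_replace()` reports failure, including a pattern that does not compile, by returning `null`. With the warning now silenced by `@`, an invalid `strip_username_regexp` therefore skips the new log message and falls through to `$username = $stripped;`, so `setUsername()` receives `null`. Change the test to `if ($stripped === null) {`. A pattern that strips the whole name leaves `''`, which probably deserves the same rejection. The rest of authenticate() lies outside the hunk, so what it returns after `setUsername()` should be checked there.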
diff --git a/application/forms/Config/UserBackend/ExternalBackendForm.php b/application/forms/Config/UserBackend/ExternalBackendForm.php index f178f53a2..f4a463911 100644 --- a/application/forms/Config/UserBackend/ExternalBackendForm.php +++ b/application/forms/Config/UserBackend/ExternalBackendForm.php @@ -3,7 +3,6 @@ namespace Icinga\Forms\Config\UserBackend; -use Icinga\Authentication\User\ExternalBackend; use Zend_Validate_Callback; use Icinga\Web\Form; @@ -56,31 +55,6 @@ class ExternalBackendForm extends Form 'validators' => array($callbackValidator) ) ); - - $hasRemoteUser = false; - foreach (ExternalBackend::$remoteUserEnvvars as $envvar) { - if (ExternalBackend::getRemoteUser($envvar) !== null) { - $hasRemoteUser = true; - break; - } - } - if (! $hasRemoteUser) { - $envvar = 'REMOTE_USER'; - } - - $this->addElement( - 'text', - 'username_envvar', - array( - 'label' => $this->translate('Username Environment Variable'), - 'description' => $this->translate( - 'The environment variable the webserver assigns the authenticated user\'s name to.' - ), - 'required' => true, - 'value' => $envvar - ) - ); - $this->addElement( 'hidden', 'backend', diff --git a/modules/setup/application/forms/AdminAccountPage.php b/modules/setup/application/forms/AdminAccountPage.php index b636063c9..3252ec160 100644 --- a/modules/setup/application/forms/AdminAccountPage.php +++ b/modules/setup/application/forms/AdminAccountPage.php @@ -270,7 +270,7 @@ class AdminAccountPage extends Form */ protected function getUsername() { - $name = ExternalBackend::getRemoteUser($this->backendConfig['username_envvar']); + list($name, $_) = ExternalBackend::getRemoteUserInformation(); if ($name === null) { return ''; } diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 97356cab8..52e3c66f8 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php 
@@ -32,14 +32,8 @@ class AuthenticationPage extends Form public function createElements(array $formData) { if (isset($formData['type']) && $formData['type'] === 'external') { - $hasRemoteUser = false; - foreach (ExternalBackend::$remoteUserEnvvars as $envvar) { - if (ExternalBackend::getRemoteUser($envvar) !== null) { - $hasRemoteUser = true; - break; - } - } - if (! $hasRemoteUser) { + list($username, $_) = ExternalBackend::getRemoteUserInformation(); + if ($username === null) { $this->info( $this->translate( 'You\'re currently not authenticated using any of the web server\'s authentication '