From 2ac54d7c3e309ef44cdaa5e7490697fffda81e8f Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Mon, 11 Apr 2016 14:01:36 +0200
Subject: [PATCH 1/2] lib: Add ExternalBackend::getRemoteUser()
If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback.
refs #11391
---
 .../Authentication/User/ExternalBackend.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php
index e2cb44716..616f2371e 100644
--- a/library/Icinga/Authentication/User/ExternalBackend.php
+++ b/library/Icinga/Authentication/User/ExternalBackend.php
@@ -52,6 +52,25 @@ class ExternalBackend implements UserBackendInterface
 return $this;
 }
+ /**
+ * Get the remote user from environment or $_SERVER, if any
+ *
+ * @param string $variable The name variable where to read the user from
+ *
+ * @return string|null
+ */
+ public static function getRemoteUser($variable = 'REMOTE_USER')
+ {
+ $username = getenv($variable);
+ if ($username !== false) {
+ return $username;
+ }
+ if (array_key_exists($variable, $_SERVER)) {
+ return $_SERVER[$variable];
+ }
+ return null;
+ }
+
 /**
 * {@inheritdoc}
From 99d08bf03b6be08eebfa5575d88bf35ae12ac467 Mon Sep 17 00:00:00 2001
From: Eric Lippmann
Date: Mon, 11 Apr 2016 14:07:44 +0200
Subject: [PATCH 2/2] Get remote user from $_SERVER if env does not have it in external auth
refs #11391
---
 library/Icinga/Authentication/Auth.php | 6 +++---
 library/Icinga/Authentication/User/ExternalBackend.php | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 392a59d71..814f1366e 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
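Review bot: getRemoteUser() hands back an empty string as if it were a user name: in the getenv() branch a variable that is set but empty yields '' rather than false, and the `$_SERVER` branch returns whatever is stored, so only an absent variable becomes null. The callers changed in the second patch (Auth::authenticateFromSession() and ExternalBackend::authenticate()) test only for null, and the session check also loses its old `!$username` guard, so normalising here is safer, e.g. `if ($username !== false && $username !== '') {` plus the same emptiness test before returning `$_SERVER[$variable]`. The docblock should also state that `$variable` must name a value set by the web server's authentication module, because `$_SERVER` also exposes request headers under `HTTP_*` keys and a name of that form would read client-controlled data. Minor wording: `@param string $variable The name of the variable to read the user from`.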
@@ -240,10 +240,10 @@ class Auth
 public function authenticateFromSession()
 {
 $this->user = Session::getSession()->get('user');
- if ($this->user !== null && $this->user->isExternalUser() === true) {
+ if ($this->user !== null && $this->user->isExternalUser()) {
 list($originUsername, $field) = $this->user->getExternalUserInformation();
- $username = getenv($field); // usually REMOTE_USER here
- if ( !$username || $username !== $originUsername) {
+ $username = ExternalBackend::getRemoteUser($field);
+ if ($username === null || $username !== $originUsername) {
 $this->removeAuthorization();
 }
 }
diff --git a/library/Icinga/Authentication/User/ExternalBackend.php b/library/Icinga/Authentication/User/ExternalBackend.php
index 616f2371e..3baf1c8e0 100644
--- a/library/Icinga/Authentication/User/ExternalBackend.php
+++ b/library/Icinga/Authentication/User/ExternalBackend.php
@@ -77,8 +77,8 @@ class ExternalBackend implements UserBackendInterface
 */
 public function authenticate(User $user, $password = null)
 {
- $username = getenv('REMOTE_USER');
- if ($username !== false) {
+ $username = static::getRemoteUser();
+ if ($username !== null) {
 $user->setExternalUserInformation($username, 'REMOTE_USER');
 if ($this->stripUsernameRegexp) {
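Review bot: The new call `ExternalBackend::getRemoteUser($field)` in authenticateFromSession() uses an unqualified class name, and the diffstat for Auth.php (3 insertions, 3 deletions) is fully accounted for by this hunk, so no import was added by the commit. The top of Auth.php is not visible here; if `use Icinga\Authentication\User\ExternalBackend;` is not already present, the name resolves inside Auth.php's own namespace and the session re-check fails with a class-not-found error instead of removing the authorization. The removed trailing comment was also the only hint about what `$field` holds, so I would keep one, e.g. `// $field is the variable name recorded at login, usually REMOTE_USER`.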
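Review bot: In authenticate() the variable name is now stated twice, once implicitly through the default argument of `static::getRemoteUser()` and once as the literal in `setExternalUserInformation($username, 'REMOTE_USER')`. The stored name is presumably what authenticateFromSession() later passes back to getRemoteUser(), so if the two drift apart the session re-check reads a different variable than the login did; `$field = 'REMOTE_USER'; $username = static::getRemoteUser($field);` followed by `setExternalUserInformation($username, $field)`, or a shared class constant, keeps them tied. `static::` also lets a subclass replace the lookup that decides the authenticated identity, so `self::getRemoteUser()` is the tighter choice unless overriding is intended. The body of authenticate() continues past the end of the hunk.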