From 0fa133abfb4dd636038baeab563c639e339d4ad7 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Mon, 26 Jan 2015 16:58:40 +0100 Subject: [PATCH 01/12] setup: Display a note in case autologin is chosen while not being logged in In case the user chooses to use autologin as authentication while not being externally authenticated a note is displayed indicating that it is necessary to set up the webserver's authentication to be able to login once the wizard is complete. refs #8274 --- .../application/forms/AuthenticationPage.php | 27 +++++++++++++++++++ public/css/icinga/setup.less | 10 +++++++ 2 files changed, 37 insertions(+) diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 88db9c6d8..ca182a4b1 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -36,6 +36,32 @@ class AuthenticationPage extends Form ) ) ); + + if (isset($formData['type']) && $formData['type'] === 'autologin' && !isset($_SERVER['REMOTE_USER'])) { + $this->addElement( + 'note', + 'autologin_note', + array( + 'value' => sprintf( + $this->translate( + 'You\'re currently not authenticated using any of the web server\'s authentication ' + . 'mechanisms. Make sure you\'ll configure such either by using the %s or by setting' + . ' it up manually, otherwise you\'ll not be able to log into Icinga Web 2 once the ' + . 'wizard is complete.' + ), + 'IcingaCLI' + ), + 'decorators' => array( + 'ViewHelper', + array( + 'HtmlTag', + array('tag' => 'p', 'class' => 'icon-info info') + ) + ) + ) + ); + } + $this->addElement( 'note', 'description', @@ -61,6 +87,7 @@ class AuthenticationPage extends Form 'type', array( 'required' => true, + 'autosubmit' => true, 'label' => $this->translate('Authentication Type'), 'description' => $this->translate('The type of authentication to use when accessing Icinga Web 2'), 'multiOptions' => $backendTypes 
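Review bot: The added condition `!isset($_SERVER['REMOTE_USER'])` treats an empty string as "authenticated", so the note would stay hidden on a web server that exports the variable without a value. Comparing against a non-empty value matches what the note promises: `(! isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '')`. Which server variable the external backend itself reads is not visible in this hunk; the wizard check should use the same source so both agree on whether a user is externally authenticated. The enclosing method starts and ends outside the hunk.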
diff --git a/public/css/icinga/setup.less b/public/css/icinga/setup.less index 0bf8eb7b2..2c86a985a 100644 --- a/public/css/icinga/setup.less +++ b/public/css/icinga/setup.less @@ -220,6 +220,16 @@ } } +#setup_authentication_type p.info { + padding: 0.5em; + border: 1px solid lightgrey; + background-color: infobackground; + + em { + text-decoration: underline; + } +} + #setup_ldap_discovery_confirm table { margin: 1em 0; border-collapse: separate; From 50fc85d7ffc1ab8aee0608569997299cc16a0f26 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 27 Jan 2015 09:49:36 +0100 Subject: [PATCH 02/12] Rename authentication type "autologin" to "external" refs #8274 --- .../templates/authentication.ini.erb | 2 +- ...ackendForm.php => ExternalBackendForm.php} | 10 +++++----- .../AuthenticationBackendConfigForm.php | 20 +++++++++---------- doc/authentication.md | 2 +- ...toLoginBackend.php => ExternalBackend.php} | 6 +++--- library/Icinga/Authentication/UserBackend.php | 6 +++--- .../application/forms/AuthBackendPage.php | 8 ++++---- .../application/forms/AuthenticationPage.php | 6 +++--- .../Setup/Steps/AuthenticationStep.php | 2 +- 9 files changed, 31 insertions(+), 31 deletions(-) rename application/forms/Config/Authentication/{AutologinBackendForm.php => ExternalBackendForm.php} (88%) rename library/Icinga/Authentication/Backend/{AutoLoginBackend.php => ExternalBackend.php} (91%) diff --git a/.puppet/profiles/icingaweb2_dev/templates/authentication.ini.erb b/.puppet/profiles/icingaweb2_dev/templates/authentication.ini.erb index f28395e18..87f9f53ed 100644 --- a/.puppet/profiles/icingaweb2_dev/templates/authentication.ini.erb +++ b/.puppet/profiles/icingaweb2_dev/templates/authentication.ini.erb @@ -1,5 +1,5 @@ [autologin] -backend = autologin +backend = external [icingaweb-mysql] backend = db 
diff --git a/application/forms/Config/Authentication/AutologinBackendForm.php b/application/forms/Config/Authentication/ExternalBackendForm.php similarity index 88% rename from application/forms/Config/Authentication/AutologinBackendForm.php rename to application/forms/Config/Authentication/ExternalBackendForm.php index cd09d38ac..51000b2d2 100644 --- a/application/forms/Config/Authentication/AutologinBackendForm.php +++ b/application/forms/Config/Authentication/ExternalBackendForm.php @@ -8,16 +8,16 @@ use Zend_Validate_Callback; use Icinga\Web\Form; /** - * Form class for adding/modifying autologin authentication backends + * Form class for adding/modifying authentication backends of type "external" */ -class AutologinBackendForm extends Form +class ExternalBackendForm extends Form { /** * Initialize this form */ public function init() { - $this->setName('form_config_authbackend_autologin'); + $this->setName('form_config_authbackend_external'); } /** @@ -69,7 +69,7 @@ class AutologinBackendForm extends Form 'backend', array( 'disabled' => true, - 'value' => 'autologin' + 'value' => 'external' ) ); @@ -79,7 +79,7 @@ class AutologinBackendForm extends Form /** * Validate the configuration by creating a backend and requesting the user count * - * Returns always true as autologin backends are just "passive" backends. (The webserver authenticates users.) + * Returns always true as backends of type "external" are just "passive" backends. * * @param Form $form The form to fetch the configuration values from * diff --git a/application/forms/Config/AuthenticationBackendConfigForm.php b/application/forms/Config/AuthenticationBackendConfigForm.php index 076f8cb17..de3093ada 100644 --- a/application/forms/Config/AuthenticationBackendConfigForm.php +++ b/application/forms/Config/AuthenticationBackendConfigForm.php 
@@ -14,7 +14,7 @@ use Icinga\Data\ResourceFactory; use Icinga\Exception\ConfigurationError; use Icinga\Forms\Config\Authentication\DbBackendForm; use Icinga\Forms\Config\Authentication\LdapBackendForm; -use Icinga\Forms\Config\Authentication\AutologinBackendForm; +use Icinga\Forms\Config\Authentication\ExternalBackendForm; class AuthenticationBackendConfigForm extends ConfigForm { @@ -67,8 +67,8 @@ class AuthenticationBackendConfigForm extends ConfigForm } elseif ($type === 'ldap') { $form = new LdapBackendForm(); $form->setResources(isset($this->resources['ldap']) ? $this->resources['ldap'] : array()); - } elseif ($type === 'autologin') { - $form = new AutologinBackendForm(); + } elseif ($type === 'external') { + $form = new ExternalBackendForm(); } else { throw new InvalidArgumentException(sprintf($this->translate('Invalid backend type "%s" provided'), $type)); } @@ -251,14 +251,14 @@ class AuthenticationBackendConfigForm extends ConfigForm $configValues['name'] = $authBackend; $this->populate($configValues); } elseif (empty($this->resources)) { - $autologinBackends = array_filter( + $externalBackends = array_filter( $this->config->toArray(), function ($authBackendCfg) { - return isset($authBackendCfg['backend']) && $authBackendCfg['backend'] === 'autologin'; + return isset($authBackendCfg['backend']) && $authBackendCfg['backend'] === 'external'; } ); - if (false === empty($autologinBackends)) { + if (false === empty($externalBackends)) { throw new ConfigurationError($this->translate('Could not find any resources for authentication')); } } 
@@ -299,14 +299,14 @@ class AuthenticationBackendConfigForm extends ConfigForm $backendTypes['ldap'] = 'LDAP'; } - $autologinBackends = array_filter( + $externalBackends = array_filter( $this->config->toArray(), function ($authBackendCfg) { - return isset($authBackendCfg['backend']) && $authBackendCfg['backend'] === 'autologin'; + return isset($authBackendCfg['backend']) && $authBackendCfg['backend'] === 'external'; } ); - if ($backendType === 'autologin' || empty($autologinBackends)) { - $backendTypes['autologin'] = $this->translate('Autologin'); + if ($backendType === 'external' || empty($externalBackends)) { + $backendTypes['external'] = $this->translate('External'); } if ($backendType === null) { diff --git a/doc/authentication.md b/doc/authentication.md index d36051e8f..542eb9934 100644 --- a/doc/authentication.md +++ b/doc/authentication.md @@ -24,7 +24,7 @@ For delegating authentication to the web server simply add `autologin` to your a ```` [autologin] -backend = autologin +backend = external ```` If your web server is not configured for authentication though the `autologin` section has no effect. diff --git a/library/Icinga/Authentication/Backend/AutoLoginBackend.php b/library/Icinga/Authentication/Backend/ExternalBackend.php similarity index 91% rename from library/Icinga/Authentication/Backend/AutoLoginBackend.php rename to library/Icinga/Authentication/Backend/ExternalBackend.php index b4a70bd4f..d5eb491e5 100644 --- a/library/Icinga/Authentication/Backend/AutoLoginBackend.php +++ b/library/Icinga/Authentication/Backend/ExternalBackend.php @@ -11,7 +11,7 @@ use Icinga\User; /** * Test login with external authentication mechanism, e.g. Apache */ -class AutoLoginBackend extends UserBackend +class ExternalBackend extends UserBackend { /** * Regexp expression to strip values from a username 
@@ -21,7 +21,7 @@ class AutoLoginBackend extends UserBackend private $stripUsernameRegexp; /** - * Create new autologin backend + * Create new authentication backend of type "external" * * @param ConfigObject $config */ @@ -33,7 +33,7 @@ class AutoLoginBackend extends UserBackend /** * Count the available users * - * Autologin backends will always return 1 + * Authenticaton backends of type "external" will always return 1 * * @return int */ diff --git a/library/Icinga/Authentication/UserBackend.php b/library/Icinga/Authentication/UserBackend.php index eaf39e49d..7215f4d41 100644 --- a/library/Icinga/Authentication/UserBackend.php +++ b/library/Icinga/Authentication/UserBackend.php @@ -5,7 +5,7 @@ namespace Icinga\Authentication; use Countable; -use Icinga\Authentication\Backend\AutoLoginBackend; +use Icinga\Authentication\Backend\ExternalBackend; use Icinga\Authentication\Backend\DbUserBackend; use Icinga\Authentication\Backend\LdapUserBackend; use Icinga\Data\ConfigObject; @@ -69,8 +69,8 @@ abstract class UserBackend implements Countable ); } $backendType = strtolower($backendType); - if ($backendType === 'autologin') { - $backend = new AutoLoginBackend($backendConfig); + if ($backendType === 'external') { + $backend = new ExternalBackend($backendConfig); $backend->setName($name); return $backend; } diff --git a/modules/setup/application/forms/AuthBackendPage.php b/modules/setup/application/forms/AuthBackendPage.php index ced0d9c59..b123b5906 100644 --- a/modules/setup/application/forms/AuthBackendPage.php +++ b/modules/setup/application/forms/AuthBackendPage.php @@ -7,7 +7,7 @@ namespace Icinga\Module\Setup\Forms; use Icinga\Web\Form; use Icinga\Forms\Config\Authentication\DbBackendForm; use Icinga\Forms\Config\Authentication\LdapBackendForm; -use Icinga\Forms\Config\Authentication\AutologinBackendForm; +use Icinga\Forms\Config\Authentication\ExternalBackendForm; use Icinga\Data\ConfigObject; /** 
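Review bot: The factory branch in UserBackend.php now matches only `external`, so an existing authentication.ini that still says `backend = autologin` no longer reaches the ExternalBackend case; what happens to such a section afterwards is decided by code outside this hunk. For an authentication backend a silent change of meaning on upgrade is risky, so I would either accept the old name for a transition period, `if ($backendType === 'external' || $backendType === 'autologin') {`, or ship a migration and mention it in the changelog. The same literal comparison is used in the two `array_filter` callbacks in AuthenticationBackendConfigForm.php, which would likewise stop counting a legacy section as an external backend. A short comment next to the comparison naming the former type would help whoever meets an old configuration.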
@@ -80,7 +80,7 @@ class AuthBackendPage extends Form 'Before you are able to authenticate using the LDAP connection defined earlier you need to' . ' provide some more information so that Icinga Web 2 is able to locate account details.' ); - } else { // if ($this->config['type'] === 'autologin' + } else { // if ($this->config['type'] === 'external' $note = $this->translate( 'You\'ve chosen to authenticate using a web server\'s mechanism so it may be necessary' . ' to adjust usernames before any permissions, restrictions, etc. are being applied.' @@ -103,8 +103,8 @@ class AuthBackendPage extends Form } elseif ($this->config['type'] === 'ldap') { $backendForm = new LdapBackendForm(); $backendForm->createElements($formData)->removeElement('resource'); - } else { // $this->config['type'] === 'autologin' - $backendForm = new AutologinBackendForm(); + } else { // $this->config['type'] === 'external' + $backendForm = new ExternalBackendForm(); $backendForm->createElements($formData); } diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index ca182a4b1..6b25868ac 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -37,10 +37,10 @@ class AuthenticationPage extends Form ) ); - if (isset($formData['type']) && $formData['type'] === 'autologin' && !isset($_SERVER['REMOTE_USER'])) { + if (isset($formData['type']) && $formData['type'] === 'external' && !isset($_SERVER['REMOTE_USER'])) { $this->addElement( 'note', - 'autologin_note', + 'external_note', array( 'value' => sprintf( $this->translate( @@ -80,7 +80,7 @@ class AuthenticationPage extends Form if (Platform::extensionLoaded('ldap')) { $backendTypes['ldap'] = 'LDAP'; } - $backendTypes['autologin'] = $this->translate('Autologin'); + $backendTypes['external'] = $this->translate('External'); $this->addElement( 'select', 
diff --git a/modules/setup/library/Setup/Steps/AuthenticationStep.php b/modules/setup/library/Setup/Steps/AuthenticationStep.php index a15198c57..ce0b49f58 100644 --- a/modules/setup/library/Setup/Steps/AuthenticationStep.php +++ b/modules/setup/library/Setup/Steps/AuthenticationStep.php @@ -139,7 +139,7 @@ class AuthenticationStep extends Step . '' . t('User Name Attribute') . '' . '' . $this->data['backendConfig']['user_name_attribute'] . '' . '' - ) : ($authType === 'autologin' ? ( + ) : ($authType === 'external' ? ( '' . '' . t('Filter Pattern') . '' . '' . $this->data['backendConfig']['strip_username_regexp'] . '' From afd4a9a134ebaedfaafd1ba055af41aa55fc7ca4 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 27 Jan 2015 10:54:33 +0100 Subject: [PATCH 03/12] There will be '.. users create' instead of '.. setup config webserver --with..' refs #8274 --- modules/setup/application/forms/AuthenticationPage.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 6b25868ac..1377ce230 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -45,11 +45,11 @@ class AuthenticationPage extends Form 'value' => sprintf( $this->translate( 'You\'re currently not authenticated using any of the web server\'s authentication ' - . 'mechanisms. Make sure you\'ll configure such either by using the %s or by setting' - . ' it up manually, otherwise you\'ll not be able to log into Icinga Web 2 once the ' - . 'wizard is complete.' + . 'mechanisms. Make sure you\'ll configure such either by using the %s once the ' + . 'wizard is complete or by setting it up manually, otherwise you\'ll not be able ' + . 'to log into Icinga Web 2.' ), - 'IcingaCLI' + 'IcingaCLI' ), 'decorators' => array( 'ViewHelper', From 6c292f7e5659fc49fbe876c0655d0b6890aaf6bf Mon Sep 17 00:00:00 2001 
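Review bot: In the summary built in AuthenticationStep.php the values `$this->data['backendConfig']['strip_username_regexp']` and `$this->data['backendConfig']['user_name_attribute']` are concatenated into the output as they were entered in the wizard. The surrounding string literals appear to be markup (the tags are stripped in this rendering), and a regular expression legitimately contains `<` and `>`, for example in a named group, so the value should be encoded for HTML before it is joined: `htmlspecialchars($this->data['backendConfig']['strip_username_regexp'], ENT_QUOTES, 'UTF-8')`. The line is only touched by the rename here, but it is the one place where the filter pattern is shown back to the user. The expression continues outside the hunk.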
From: Johannes Meyer Date: Tue, 27 Jan 2015 13:31:14 +0100 Subject: [PATCH 04/12] Move the configuration warning on the login screen further up ..and add translation support to the login screen. refs #8274 refs #8134 --- .../views/scripts/authentication/login.phtml | 30 +++++++++---------- public/css/icinga/login.less | 2 +- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/application/views/scripts/authentication/login.phtml b/application/views/scripts/authentication/login.phtml index 7d8d15df8..f05e51e43 100644 --- a/application/views/scripts/authentication/login.phtml +++ b/application/views/scripts/authentication/login.phtml @@ -1,11 +1,23 @@
-

Welcome to Icinga Web 2

+ +
translate( + 'It appears that you did not configure Icinga Web 2 yet so it\'s not possible to log in without any defined ' + . 'authentication method. Please define a authentication method by following the instructions in the' + . ' %1$sdocumentation%3$s or by using our %2$sweb-based setup-wizard%3$s.' + ), + '', // TODO: More exact documentation link.. + '', + '' + ); ?>
+ +

translate('Welcome to Icinga Web 2'); ?>

errorInfo)): ?> @@ -14,18 +26,6 @@
form ?> - - -
', // TODO: Documentation link - '', - '' - ); ?>
- +
diff --git a/public/css/icinga/login.less b/public/css/icinga/login.less index cfae3c478..05649881f 100644 --- a/public/css/icinga/login.less +++ b/public/css/icinga/login.less @@ -116,7 +116,7 @@ div.config-note { width: 50%; padding: 1em; - margin: 5em auto 0; + margin: 0 auto 2.5em; text-align: center; color: white; background-color: @colorCritical; From 47b27fcfe44a482b334ada1a7cb6bfa8f634cc31 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 27 Jan 2015 13:34:59 +0100 Subject: [PATCH 05/12] setup: Look for the authentication.ini instead of the config.ini The config.ini does not include any settings mandatory to operate Icinga Web 2, but the authentication.ini does. refs #8134 --- library/Icinga/Application/ApplicationBootstrap.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/Icinga/Application/ApplicationBootstrap.php b/library/Icinga/Application/ApplicationBootstrap.php index 909431663..89bca7b97 100644 --- a/library/Icinga/Application/ApplicationBootstrap.php +++ b/library/Icinga/Application/ApplicationBootstrap.php @@ -407,7 +407,7 @@ abstract class ApplicationBootstrap */ protected function loadSetupModuleIfNecessary() { - if (! @file_exists($this->config->resolvePath('config.ini'))) { + if (! @file_exists($this->config->resolvePath('authentication.ini'))) { $this->requiresSetup = true; $this->moduleManager->loadModule('setup'); } elseif ($this->setupTokenExists()) { From d99d147901901f5fd266a7f19c34312e40a09762 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 27 Jan 2015 13:45:13 +0100 Subject: [PATCH 06/12] Fix usages of AutoLoginBackend refs #8274 --- application/controllers/AuthenticationController.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php index 2d7926819..77925bd8c 100644 --- a/application/controllers/AuthenticationController.php 
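Review bot: In `loadSetupModuleIfNecessary()` the check `! @file_exists($this->config->resolvePath('authentication.ini'))` cannot tell a missing file from one the PHP process is not allowed to see, and the `@` hides the warning that would explain the difference. Now that the file in question is the authentication configuration, a permission or open_basedir problem on a configured instance would set `requiresSetup` and load the setup module instead of reporting an error. I would drop the `@`, and log when the configuration directory exists but the file cannot be accessed, so that setup mode is entered only when the file is really absent. A one-line comment above the condition stating why authentication.ini is the marker for "not set up yet" would keep the reasoning from the commit message in the code. The method body continues outside the hunk.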
+++ b/application/controllers/AuthenticationController.php @@ -8,7 +8,7 @@ use Icinga\Application\Config; use Icinga\Application\Icinga; use Icinga\Application\Logger; use Icinga\Authentication\AuthChain; -use Icinga\Authentication\Backend\AutoLoginBackend; +use Icinga\Authentication\Backend\ExternalBackend; use Icinga\Exception\AuthenticationException; use Icinga\Exception\ConfigurationError; use Icinga\Exception\NotReadableError; @@ -82,7 +82,7 @@ class AuthenticationController extends ActionController } foreach ($chain as $backend) { - if ($backend instanceof AutoLoginBackend) { + if ($backend instanceof ExternalBackend) { continue; } ++$backendsTried; @@ -126,7 +126,7 @@ class AuthenticationController extends ActionController } elseif ($request->isGet()) { $user = new User(''); foreach ($chain as $backend) { - if ($backend instanceof AutoLoginBackend) { + if ($backend instanceof ExternalBackend) { $authenticated = $backend->authenticate($user); if ($authenticated === true) { $auth->setAuthenticated($user); From 4a245ed8e09d211bc948d2e1622ce58c86ff902a Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Tue, 27 Jan 2015 13:58:55 +0100 Subject: [PATCH 07/12] login: Wrap the config warning in paragraph tags instead of div --- application/views/scripts/authentication/login.phtml | 4 ++-- public/css/icinga/login.less | 10 +++++----- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/application/views/scripts/authentication/login.phtml b/application/views/scripts/authentication/login.phtml index f05e51e43..f372b6657 100644 --- a/application/views/scripts/authentication/login.phtml +++ b/application/views/scripts/authentication/login.phtml @@ -6,7 +6,7 @@
-
translate( 'It appears that you did not configure Icinga Web 2 yet so it\'s not possible to log in without any defined ' . 'authentication method. Please define a authentication method by following the instructions in the' @@ -15,7 +15,7 @@ '', // TODO: More exact documentation link.. '', '' - ); ?>
+ ); ?>

translate('Welcome to Icinga Web 2'); ?>

Date: Tue, 27 Jan 2015 14:05:41 +0100 Subject: [PATCH 08/12] Rename css class "info" to "info-box" and add it as generic box refs #8274 --- modules/setup/application/forms/AuthenticationPage.php | 2 +- public/css/icinga/main-content.less | 6 ++++++ public/css/icinga/setup.less | 10 ++-------- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index 1377ce230..fdc076e60 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -55,7 +55,7 @@ class AuthenticationPage extends Form 'ViewHelper', array( 'HtmlTag', - array('tag' => 'p', 'class' => 'icon-info info') + array('tag' => 'p', 'class' => 'icon-info info-box') ) ) ) diff --git a/public/css/icinga/main-content.less b/public/css/icinga/main-content.less index 5b142184d..e3e31b397 100644 --- a/public/css/icinga/main-content.less +++ b/public/css/icinga/main-content.less @@ -203,3 +203,9 @@ table.benchmark { [class^="icon-"]:before, [class*=" icon-"]:before { text-decoration: none; } + +.info-box { + padding: 0.5em; + border: 1px solid lightgrey; + background-color: infobackground; +} diff --git a/public/css/icinga/setup.less b/public/css/icinga/setup.less index 2c86a985a..9dff6fecf 100644 --- a/public/css/icinga/setup.less +++ b/public/css/icinga/setup.less @@ -220,14 +220,8 @@ } } -#setup_authentication_type p.info { - padding: 0.5em; - border: 1px solid lightgrey; - background-color: infobackground; - - em { - text-decoration: underline; - } +#setup_authentication_type p.info-box em { + text-decoration: underline; } #setup_ldap_discovery_confirm table { From 7ad44b8411b5bffc038d4e019263bd7fcc07ac85 Mon Sep 17 00:00:00 2001 
From: Johannes Meyer Date: Tue, 27 Jan 2015 14:26:06 +0100 Subject: [PATCH 09/12] login: Show a note if the only active external auth backend is not available refs #8274 --- application/controllers/AuthenticationController.php | 5 +++++ application/views/scripts/authentication/login.phtml | 9 +++++++++ public/css/icinga/login.less | 9 +++++++++ 3 files changed, 23 insertions(+) diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php index 77925bd8c..4e70894a1 100644 --- a/application/controllers/AuthenticationController.php +++ b/application/controllers/AuthenticationController.php @@ -39,6 +39,7 @@ class AuthenticationController extends ActionController $this->redirectNow(Url::fromPath('setup')); } + $triedOnlyExternalAuth = null; $auth = $this->Auth(); $this->view->form = $form = new LoginForm(); $this->view->title = $this->translate('Icingaweb Login'); @@ -126,6 +127,7 @@ class AuthenticationController extends ActionController } elseif ($request->isGet()) { $user = new User(''); foreach ($chain as $backend) { + $triedOnlyExternalAuth = $triedOnlyExternalAuth === null; if ($backend instanceof ExternalBackend) { $authenticated = $backend->authenticate($user); if ($authenticated === true) { @@ -134,6 +136,8 @@ class AuthenticationController extends ActionController Url::fromPath(Url::fromRequest()->getParam('redirect', 'dashboard')) ); } + } else { + $triedOnlyExternalAuth = false; } } } @@ -141,6 +145,7 @@ class AuthenticationController extends ActionController $this->view->errorInfo = $e->getMessage(); } + $this->view->requiresExternalAuth = $triedOnlyExternalAuth && !$auth->isAuthenticated(); $this->view->requiresSetup = Icinga::app()->requiresSetup(); } diff --git a/application/views/scripts/authentication/login.phtml b/application/views/scripts/authentication/login.phtml index f372b6657..5f99aff17 100644 --- a/application/views/scripts/authentication/login.phtml 
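Review bot: The flag update `$triedOnlyExternalAuth = $triedOnlyExternalAuth === null;` runs on every iteration, so it yields true on the first backend and false on every later one, regardless of the backend's type. With more than one external backend in the chain the flag therefore ends up false and the login page does not show the new note. Setting it only once reads more clearly and covers that case: `if ($triedOnlyExternalAuth === null) { $triedOnlyExternalAuth = true; }`, with the existing `else` branch still forcing it to false. A short comment on the variable's three states (null = no backend seen, true = only external so far, false = another type seen) would help, since the value is later used in a boolean expression. The loop spans this hunk and the next one, and the action method starts and ends outside both.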
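Review bot: The redirect after a successful external login takes its target straight from the request, `Url::fromRequest()->getParam('redirect', 'dashboard')`, and no check that the target is local is visible in this hunk. Whether `Url::fromPath` rejects absolute or scheme-relative URLs cannot be seen from here; that should be confirmed, and if it does not, the value should be limited to a path inside the application before it is used. Because this branch logs the user in without any interaction, a comment stating where that validation happens would be worth adding next to the call.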
+++ b/application/views/scripts/authentication/login.phtml @@ -16,6 +16,15 @@ '', '' ); ?>

+ +

translate( + 'You\'re currently not authenticated using any of the web server\'s authentication mechanisms.' + . ' Make sure you\'ll configure such either by using the %s or by setting it up manually,' + . ' otherwise you\'ll not be able to login.' + ), + 'IcingaCLI' + ); ?>

translate('Welcome to Icinga Web 2'); ?>

Date: Wed, 28 Jan 2015 16:22:20 +0100 Subject: [PATCH 10/12] Phrase external auth warnings more neutral refs #8274 --- application/views/scripts/authentication/login.phtml | 10 +++------- .../setup/application/forms/AuthenticationPage.php | 12 ++++-------- public/css/icinga/login.less | 6 ++++++ 3 files changed, 13 insertions(+), 15 deletions(-) diff --git a/application/views/scripts/authentication/login.phtml b/application/views/scripts/authentication/login.phtml index 5f99aff17..805196b96 100644 --- a/application/views/scripts/authentication/login.phtml +++ b/application/views/scripts/authentication/login.phtml @@ -17,13 +17,9 @@ '' ); ?>

-

translate( - 'You\'re currently not authenticated using any of the web server\'s authentication mechanisms.' - . ' Make sure you\'ll configure such either by using the %s or by setting it up manually,' - . ' otherwise you\'ll not be able to login.' - ), - 'IcingaCLI' +

translate( + 'You\'re currently not authenticated using any of the web server\'s authentication mechanisms.' + . ' Make sure you\'ll configure such, otherwise you\'ll not be able to login.' ); ?>

translate('Welcome to Icinga Web 2'); ?>

diff --git a/modules/setup/application/forms/AuthenticationPage.php b/modules/setup/application/forms/AuthenticationPage.php index fdc076e60..f51ef946a 100644 --- a/modules/setup/application/forms/AuthenticationPage.php +++ b/modules/setup/application/forms/AuthenticationPage.php @@ -42,14 +42,10 @@ class AuthenticationPage extends Form 'note', 'external_note', array( - 'value' => sprintf( - $this->translate( - 'You\'re currently not authenticated using any of the web server\'s authentication ' - . 'mechanisms. Make sure you\'ll configure such either by using the %s once the ' - . 'wizard is complete or by setting it up manually, otherwise you\'ll not be able ' - . 'to log into Icinga Web 2.' - ), - 'IcingaCLI' + 'value' => $this->translate( + 'You\'re currently not authenticated using any of the web server\'s authentication ' + . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to ' + . 'log into Icinga Web 2.' ), 'decorators' => array( 'ViewHelper', diff --git a/public/css/icinga/login.less b/public/css/icinga/login.less index 223a388d2..6b03b476a 100644 --- a/public/css/icinga/login.less +++ b/public/css/icinga/login.less @@ -129,8 +129,14 @@ p.info-box { width: 50%; + height: 2.2em; margin: 0 auto 2.5em; + span.icon-info { + float: left; + height: 100%; + } + em { text-decoration: underline; } From 8383320f319ddea9a3bd0e730c13eb0c8c96d7be Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Wed, 28 Jan 2015 17:52:17 +0100 Subject: [PATCH 11/12] Update documentation covering external authentication refs #8274 --- doc/external_authentication.md | 125 ++++++++++++++++----------------- 1 file changed, 59 insertions(+), 66 deletions(-) diff --git a/doc/external_authentication.md b/doc/external_authentication.md index 240713038..15df1e1cf 100644 --- a/doc/external_authentication.md +++ b/doc/external_authentication.md 
@@ -1,90 +1,83 @@ -# Externel Authentication +# External Authentication -It is possible to use the authentication mechanism of the webserver, -instead of using the internal authentication-manager to -authenticate users. This might be useful if you only have very few users, and -user management over *.htaccess* is sufficient, or if you must use some other -authentication mechanism that is only available through your webserver. +It is possible to utilize the authentication mechanism of the webserver instead +of the internal authentication of Icinga Web 2 to authenticate users. This might +be useful if you only have very few users and user management over **.htaccess** +is not sufficient or if you are required to use some other authentication +mechanism that is only available by utilizing the webserver. -When external authentication is used, Icingaweb will entrust the -complete authentication process to the external authentication provider (the webserver): -The provider should take care of authenticating the user and declining -all requests with invalid or missing credentials. When the authentication -was succesful, it should provide the authenticated users name to its php-module -and Icingaweb will assume that the user is authorized to access the page. -Because of this it is very important that the webservers authentication is -configured correctly, as wrong configuration could lead to unauthorized -access to the site, or a broken login-process. +Icinga Web 2 will entrust the complete authentication process to the +authentication provider of the webserver, if external authentication is used. +So it is very important that the webserver's authentication is configured +correctly as wrong configuration might lead to unauthorized access or a +malfunction in the login-process. 
+## Using External Authentication -## Use External Authentication +External authentication in Icinga Web 2 requires the following preparations: -Using external authentication in Icingaweb requires two steps to work: +1. The external authentication must be set up properly to correctly + authenticate users +2. Icinga Web 2 must be configured to use external authentication -1. The external authentication must be set up correctly to always - authenticate the users. -2. Icingaweb must be configured to use the external authentication. +### Preparing the External Authentication Provider +This step depends heavily on the used webserver and authentication mechanism you +want to use. It is not possible to cover all possibillities and you should +probably read the documentation for your webserver to get detailed instructions +on how to set up authentication properly. -### Prepare the External Authentication Provider - -This step depends heavily on the used webserver and authentication -mechanism you want to use. It is not possible to cover all possibillities -and you should probably read the documentation for your webserver for -detailed instructions on how to set up authentication properly. - -In general, you need to make sure that: - - - All routes require authentication - - Only permitted users are allowed to authenticate +In general you need to make sure that: +- All routes require authentication +- Only permitted users are allowed to authenticate #### Example Configuration for Apache and HTTPDigestAuthentication -The following example will show how to enable external authentication in Apache using -*HTTP Digest Authentication*. +The following example will show how to enable external authentication in Apache +using *HTTP Digest Authentication*. -##### Create users +##### Creating users -To create users for a digest authentication we can use the tool *htdigest*. -We choose *.icingawebdigest* as a name for the created file, containing -the user credentials. 
+To create users for digest authentication you can use the tool *htdigest*. In +this example **.icingawebdigest** is the name of the file containing the user +credentials. -This command will create a new file with the user *jdoe*. *htdigest* -will prompt you for your password, after it has been executed. If you -want to add more users to the file you need to ommit the *-c* parameter -in all further commands to avoInid the file to be overwritten. +This command creates a new file with the user *jdoe*. *htdigest* will prompt +you for a password. If you want to add more users to the file you need to omit +the *-c* parameter in all following commands to not to overwrite the file. +```` +sudo htdigest -c /etc/icingaweb2/.icingawebdigest "Icinga Web 2" jdoe +```` - sudo htdigest -c /etc/httpd/conf.d/.icingawebdigest "Icingaweb 2" jdoe +##### Configuring the Webserver +The webserver should require authentication for all public Icinga Web 2 files. -##### Set up authentication +```` + + AuthType digest + AuthName "Icinga Web 2" + AuthDigestProvider file + AuthUserFile /etc/icingaweb2/.icingawebdigest + Require valid-user + +```` -The webserver should require authentication for all public icingaweb files. +### Preparing Icinga Web 2 +Once external authentication is set up correctly you need to configure Icinga +Web 2. In case you already completed the setup wizard it is likely that you are +now finished. - - AuthType digest - AuthName "Icingaweb 2" - AuthDigestProvider file - AuthUserFile /etc/httpd/conf.d/.icingawebdigest - Require valid-user - +To get Icinga Web 2 to use external authentication the file +**config/authentication.ini** is required. Just add the following section +called "autologin", or any name of your choice, and save your changes: - -### Prepare Icingaweb +```` +[autologin] +backend = external +```` -When the external authentication is set up correctly, we need -to configure IcingaWeb to use it as an authentication source. 
The -configuration key *authenticationMode* in the section *global* defines -if the authentication should be handled internally or externally. Since -we want to delegate the authentication to the Webserver we choose -"external" as the new value: - - - [global] - ; ... - authenticationMode = "external" - ; ... - +Congratulations! You are now logged in when visiting Icinga Web 2. \ No newline at end of file From 400fbccbb899b922931033165bda42c0dc44fc24 Mon Sep 17 00:00:00 2001 From: Johannes Meyer Date: Wed, 28 Jan 2015 17:59:43 +0100 Subject: [PATCH 12/12] Add setup route to the installation documentation refs #7848 --- doc/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/installation.md b/doc/installation.md index def23ffaf..170199832 100644 --- a/doc/installation.md +++ b/doc/installation.md @@ -107,4 +107,4 @@ In case you do not remember the token you can show it using the `icingacli`: **Step 5: Web Setup** -Visit Icinga Web 2 in your browser and complete installation using the web setup. +Visit Icinga Web 2 in your browser and complete installation using the web setup: /icingaweb2/setup