lib: Add basic access authentication (WIP)

refs #9660
2015-07-29 17:22:55 +02:00 · 2015-07-29 17:22:55 +02:00 · cf8c680482
parent ce2a196c4a
commit cf8c680482
1 changed files with 41 additions and 3 deletions
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -79,10 +79,10 @@ class Auth
     */
    public function isAuthenticated($ignoreSession = false)
    {
-        if ($this->user === null && ! $ignoreSession) {
+        if ($this->user === null && ! $this->authHttp() && ! $ignoreSession) {
            $this->authenticateFromSession();
        }
-        return is_object($this->user);
+        return $this->user !== null;
    }

    public function setAuthenticated(User $user, $persist = true)
@ -175,7 +175,7 @@ class Auth
    public function getRequest()
    {
        if ($this->request === null) {
-            $this->request = Icinga::app()->getFrontController()->getRequest();
+            $this->request = Icinga::app()->getRequest();
        }
        return $this->request;
    }
@ -224,6 +224,44 @@ class Auth
        }
    }

+    /**
+     * Attempt to authenticate a user using HTTP authentication
+     *
+     * Supports only the Basic HTTP authentication scheme. This will not challenge the client if authorization is
+     * missing or invalid yet. XHR will be ignored.
+     *
+     * @return bool
+     */
+    protected function authHttp()
+    {
+        if ($this->getRequest()->isXmlHttpRequest()) {
+            return false;
+        }
+        $header = $this->getRequest()->getHeader('Authorization');
+        if (empty($header)) {
+            return false;
+        }
+        list($scheme) = explode(' ', $header, 2);
+        if ($scheme !== 'Basic') {
+            return false;
+        }
+        $authorization = substr($header, strlen('Basic '));
+        $credentials = base64_decode($authorization);
+        $credentials = array_filter(explode(':', $credentials));
+        if (count($credentials) !== 2) {
+            // Deny empty username and/or password
+            return false;
+        }
+        $user = new User($credentials[0]);
+        $password = $credentials[1];
+        if ($this->getAuthChain()->setSkipExternalBackends(true)->authenticate($user, $password)) {
+            $this->setAuthenticated($user, false);
+            return true;
+        } else {
+            return false;
+        }
+    }
+
    /**
     * Whether an authenticated user has a given permission
     *