tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
12,998 Commits 120 Branches 71 Tags 80 MiB
Commit Graph

438 Commits

Author SHA1 Message Date
Johannes Meyer a87f15c861 Auth: Reload entire layout if the locale changes 2021-05-17 13:20:42 +02:00
Johannes Meyer d9a87f76a2 AdmissionLoader: Optimize role loading 2021-04-14 10:11:19 +02:00
Johannes Meyer ab90b3e0a1 Role: Add param `$cascadeUpwards` also to public method `grant()` 2021-04-07 14:30:14 +02:00
Johannes Meyer 9d10424f97 AdmissionLoader: Set additional user information `assigned_roles` 2021-04-07 14:30:14 +02:00
Johannes Meyer f4da973f68 Auth: Only reload CSS upon login if the theme **really** changed 
fixes #2233
 2021-04-07 14:30:14 +02:00
Johannes Meyer 0aa4e25723 Auth: Introduce method `setupUser()` 
This was previously part of method `setAuthenticated()`.
Split up to allow external usage.
 2021-04-07 14:30:14 +02:00
Johannes Meyer 5dfa5e28da User: Add property `$unrestricted` 2021-03-09 11:27:13 +01:00
Johannes Meyer 6a5e12af04 LdapUserGroupBackend: Properly handle multi-valued names 2021-02-23 08:22:58 +01:00
sukhwinder33445 ab97b6fdf0
Enforce database as configuration backend (#4135) 2021-02-18 12:31:21 +01:00
Johannes Meyer cc65164a67 Adjust global permissions 2021-02-18 11:11:39 +01:00
Johannes Meyer 429a70f05f Auth: Allow to ignore any and all restrictions 2021-02-18 11:11:39 +01:00
Johannes Meyer 6eb0139446 User: Move `$user:local_name$` handling to class `AdmissionLoader` 
This way it also adjusts the roles directly, and not just their
copies for the user object
 2021-02-18 11:11:39 +01:00
Johannes Meyer bdd0f204f0 Auth: Support single inheritance in roles 2021-02-18 11:11:39 +01:00
Johannes Meyer 87d741265e Auth: Add support for denied permissions 2021-02-18 11:11:39 +01:00
Johannes Meyer c0541d70e9 Move permission match code from class `User` to `Role` 2021-02-18 11:11:39 +01:00
Johannes Meyer 4d173e6746 DbUserBackend: Lowercase usernames before fetching password hashes 
The BINARY cast to make trailing spaces significant (#4030) also
made these queries case-sensitive. This wasn't identified at the
time because the query itself wasn't case-insensitive, but the
default collation on the `name` column. (Tests sometimes are the
perfect mitigation for this...)

fixes #4184
 2020-06-24 14:08:30 +02:00
Eric Lippmann 990a5e4d61 Introduce Auth::setUser() 2020-03-02 14:15:53 +01:00
Johannes Meyer f63dfa5294 DbUserBackend: Use binary string comparison if it's a mysql db 2019-12-11 10:15:05 +01:00
Johannes Meyer 668ae38497 ExternalBackend: Don't authenticate a user if `REMOTE_USER` is empty 2019-12-05 15:13:02 +01:00
Johannes Meyer 9de9fe8f39 Introduce class RolesConfig 2019-07-23 13:53:29 +02:00
Johannes Meyer 59fa054d42 AuthChain: Send failed login-attempts to the audit log 
resolves #3855
 2019-07-11 14:41:17 +02:00
Thomas Gelf 08c879249b Auth: do not ask for unrelated group membership 
If a specific User-Backend has been assigned to a Group Backend, and
the User has been authenticated by another User-Backend, then there is
no need to ask the unrelated Groups Backend for membership.
 2018-12-18 14:51:13 +01:00
Johannes Meyer 2f9037e545 Auth: Log which groups were identified for the user being authenticated 2018-10-08 14:02:26 +02:00
Johannes Meyer 3c69a63ce3 LdapUserGroupBackend: Log what the ambiguity check does 2018-10-08 10:34:27 +02:00
Johannes Meyer f28f7150fc AuditHook: Enforce a named identity and allow to pass a explicit time 2018-07-18 14:45:00 +02:00
Eric Lippmann d6c4df7a5d Use password_hash and password_verify 2018-07-03 13:08:06 +02:00
Eric Lippmann faaff42096 Revert "Introduce PasswordHelper for safer passwords" 
This reverts commit f57277aa96.

Since we're dropping PHP support for versions lower than 5.6 this class is no longer necessary.
 2018-07-03 13:08:06 +02:00
Johannes Meyer 3f66bd7437 Auth: Log login/logout activities to the audit log 
refs #2563
 2018-06-08 14:21:15 +02:00
Eric Lippmann 4a000d0098 Revert "Merge branch 'bugfix/domain-aware-auth-non-domain-ldap-group-backend-3250'" 
This reverts commit 5cb7deda20, reversing
changes made to 02391e648b.

The change must be reverted because it makes it impossible to load groups
if domain aware auth is not enabled and the authenticated user specifies a domain.

refs #3324
 2018-03-19 13:10:47 +01:00
Alexander A. Klimov 72ec132f25 Correct interfaces to conform to PHP 7.2+ 2018-01-24 11:50:10 +01:00
Alexander A. Klimov 7106de5aa2 DbUserGroupBackend: implement Inspectable 
refs #3233
 2018-01-19 16:31:24 +01:00
Alexander A. Klimov 7227e10824 LdapUserGroupBackend: implement Inspectable 
refs #3233
 2018-01-19 16:31:24 +01:00
lippserd ddfafb27f6
Merge pull request #3256 from Icinga/bugfix/multi-domain-support-broken-3232 
Make multi-domain authn working w/ upper-case domains in user names
 2018-01-17 11:57:48 +01:00
Alexander A. Klimov 8c7ccce4a7 Make multi-domain authn working w/ upper-case domains in user names 
refs #3232
 2018-01-16 10:36:22 +01:00
Paolo Schiro c806099e1b Avoid including domain users in a group not belonging to a domain 
Signed-off-by: Alexander A. Klimov <alexander.klimov@icinga.com>

refs #3250
 2018-01-15 11:19:35 +01:00
Markus Frosch 1aae1eab23 DBUserBackend: Replace internal crypt handling with PasswordHelper 
refs #2954
 2017-11-21 08:26:24 +01:00
Markus Frosch f57277aa96 Introduce PasswordHelper for safer passwords 
refs #2954
 2017-11-21 08:26:24 +01:00
Eric Lippmann f495b390da Apply role to all users if the role is defined with users=* 
If the users directive contains at least one single asterisk, the role is applied to all users.
So, this supports roles which define users=username, ..., * and users=*

refs #3095
 2017-11-16 12:02:41 +01:00
ss23 c196a7c7c4 Modify authentication function to support alternative algorithms 
The existing usage of crypt() was borderline incorrect. This simplified
function will allow hashes of other types (e.g. bcrypt) and thus
mitigate #2954 (use password_hash) until this can be implemented.

The getSalt protected method was also removed as this is no longer
required, though this can be added again in future.
 2017-11-06 22:48:42 +13:00
Markus Frosch f65759ace8 LdapUserGroupBackend: Base ambiguity decision based on isDN 
Problem was: When a DN did not contain the same base DN, the check failed

This happens when you have an entry referencing a DN of another domain.
(And this value is tested as a sample)
 2017-10-20 15:17:11 +02:00
Eric Lippmann ab7fa9f925 Add domain part to user groups if the user group backend is reponsible for a domain 2017-07-31 09:03:40 +02:00
Eric Lippmann b13c38b65b Auth/Groups: Prefer the domain from the LDAP/MSAD user backend 
If a LDAP/MSAD user group backend is linked w/ a user backend, the domain from the user backend is preferred over the domain configured for the user group backend.
 2017-07-11 17:09:24 +02:00
Eric Lippmann 4b11afe7d5 Remove unused method LdapUserBackend::setConfig() 2017-07-11 17:08:16 +02:00
Eric Lippmann bd23d008ca Auth: Make sure to set the configured domain on LDAP/MSAD user backends 2017-07-11 17:02:32 +02:00
Eric Lippmann cbde758fc6 Remove unused domain-aware auth related functions from UserBackend 
These functions made it into the master branch accidentally.
 2017-07-11 17:01:06 +02:00
Eric Lippmann 686d022987 Merge pull request #2863 from Icinga/feature/domain-support-for-authn-authz-2153 2017-06-21 13:16:36 +02:00
Eric Lippmann cfbd5c500e Make LDAP user group backends domain-aware 
refs #2153
 2017-06-12 13:31:07 +02:00
Eric Lippmann 0cbec01743 Make auth via LDAP user backends domain-aware 
refs #2153
 2017-06-12 13:31:07 +02:00
Eric Lippmann 05288e9bea Add interface for user backends which are responsible for a specific domain 
refs #2153
 2017-06-12 13:31:07 +02:00
Eric Lippmann 41acffdc24 Login: set the default domain if necessary 
refs #2153
 2017-06-12 13:31:07 +02:00