Commit Graph

438 Commits

Author SHA1 Message Date
Eric Lippmann 36ff2d8914 lib: Set User::$isHttpUser in Auth
refs #9660
2015-07-30 09:32:24 +02:00
Eric Lippmann cf8c680482 lib: Add basic access authentication (WIP)
refs #9660
2015-07-29 17:22:55 +02:00
Johannes Meyer fb7666e6bd LdapUserGroupBackend: Adjust usage of LdapCapabilities::hasAdOid()
Usage search ftw..
2015-07-29 16:26:39 +02:00
Eric Lippmann c3a057dbdb lib: Add AuthChain::setSkipExternalBackends() in favor of setIteratorMode()
There's only one mode.

refs #9660
2015-07-29 16:18:30 +02:00
Eric Lippmann 3ca85f9daa lib: Add Auth::getRequest()
Basic auth will require the request.

refs #9660
2015-07-29 15:56:45 +02:00
Eric Lippmann 96e3111f58 lib: Reorder functions in Auth
refs #9660
2015-07-29 15:52:56 +02:00
Eric Lippmann 37ef87b9ab lib: Fix PHPDoc in ExternalBackend
refs #9660
2015-07-29 15:46:40 +02:00
Eric Lippmann 1b5c5deace lib: Rename remote user to external user
We renamed our backend. Code now reflects this.

refs #9660
2015-07-29 15:44:32 +02:00
Johannes Meyer 3f7081296b Merge branch 'master' into bugfix/allow-to-configure-how-to-manage-groups-9609 2015-07-29 15:02:20 +02:00
Eric Lippmann ae4b7144cd lib: Implement Auth::getAuthChain()
Saves one use statement for auth chain usages.

refs #9660
2015-07-29 14:14:19 +02:00
Eric Lippmann 745e30259d lib: Implement AuthChain::authenticate()
Right now the LoginController has all the authentication which is kind of a mess. Further, the upcoming basic access authentication has to reuse this code.
Thus AuthChain::authenticate() is introduced to handle both cases.

refs #9660
2015-07-29 14:11:54 +02:00
Johannes Meyer 13edbf901d UserBackend: Implement interface ConfigAwareFactory
refs #9609
2015-07-29 13:44:26 +02:00
Johannes Meyer 83aafe8cda Allow to discover LDAP connections in the wizard as well
...
2015-07-29 09:26:53 +02:00
Eric Lippmann 4d44a0625c lib: Move UserBackendInterface::authenticate() to new interface Authenticatable
refs #9660
2015-07-29 09:25:14 +02:00
Eric Lippmann 2a4e614b5e Fix code style in AuthChain
refs #9660
2015-07-28 19:55:26 +02:00
Eric Lippmann 07849e0fea lib: Rename Authentication/Manager to Authentication/Auth
refs #9660
2015-07-28 17:08:55 +02:00
Matthias Jentsch c8d065b3e0 Accept DbUserBackends with only one single user
fixes #9739
2015-07-28 12:41:08 +02:00
Matthias Jentsch 5478027855 Bring back user count in ldap backend inspection
We already use count later in the wizard anyways.

refs #9630
2015-07-16 16:52:56 +02:00
Matthias Jentsch e357960d1e Add Inspection API to DB backend
refs #9641
2015-07-16 16:16:55 +02:00
Matthias Jentsch ffe672c252 Improve message texts and scalabillity
Always start uppercase and don't use count() function until we've got a more scalable implementation in the LdapConnection.

refs #9630
2015-07-16 13:51:26 +02:00
Matthias Jentsch 6b8e5da76d Move all assertion functions into the inspect functions
Reduce code duplication and add class Inspection

refs #9630
2015-07-16 12:21:11 +02:00
Matthias Jentsch 59c4f8d056 Use Inspection API in User Backend Form
refs #9630
2015-07-15 19:35:25 +02:00
Matthias Jentsch 3ddb8ca1bd Add abillity to discover AD version and vendor name to discovery
refs #9605
2015-07-14 18:32:44 +02:00
Johannes Meyer f5089dab1a DbUserGroupBackend: Use is_numeric() instead of is_int()
Using MySQL fetchColumn() returns integers for id fields, using MariaDB
though, fetchColumn() returns strings..

fixes #9572
2015-07-07 14:07:55 +02:00
Johannes Meyer 066b3d9e28 ApplicationConfigForm: Make preference options be global options
refs #8709
2015-07-01 15:41:45 +02:00
Johannes Meyer 3dddee8b7d Setup: Fix authentication backend validation
This is a ridiculous dirty fix. We'll definitely need to
improve how we create authentication backends...

fixes #9509
2015-06-25 14:36:51 +02:00
Johannes Meyer 3c47ef6826 Ldap\Exception: Rename to LdapException
refs #8954
2015-06-24 09:19:41 +02:00
Johannes Meyer 6d8c56a12f Ldap\Connection: Return false if nothing is found for fetchRow()
This should behave like DbConnection::fetchRow().

refs #8954
2015-06-23 10:49:51 +02:00
Johannes Meyer 15220da645 Automatically strip unnecessary parentheses from custom ldap filters
fixes #9348
2015-06-23 10:32:45 +02:00
Johannes Meyer 5688f0cb85 Allow to configure user group backends of type LDAP
refs #7343
2015-06-05 14:53:29 +02:00
Johannes Meyer cacd97fb46 LdapUserGroupBackend: Make default configuration providers public
I'd like to access these when preparing a config form.

refs #7343
2015-06-05 11:09:31 +02:00
Johannes Meyer 02d2ea682e LdapUserGroupBackend: Do not permit to link different directories
I cannot think of a valid usecase right now. In case someone got one,
revert this commit and make use of the backend itself and not only
its configuration.

refs #7343
2015-06-05 10:51:54 +02:00
Johannes Meyer 0ab192cd1f LdapUserGroupBackend: Allow to link a user backend
refs #7343
2015-06-05 10:41:47 +02:00
Johannes Meyer 127489ca20 UserBackend: Allow to only pass a backend's name 2015-06-05 10:40:47 +02:00
Johannes Meyer ee2462a6b2 LdapUserGroupBackend: Let the backend decide which defaults to use
refs #7343
2015-06-05 10:19:28 +02:00
Johannes Meyer 3fd0d99db2 LdapUserGroupBackend: Add support for custom query filters
refs #7343
2015-06-05 09:57:40 +02:00
Johannes Meyer 90d946f149 LdapUserGroupBackend: We need a datasource, actually
Forgot to add this when disabling LdapRepository inheritance...

refs #7343
2015-06-03 16:40:14 +02:00
Johannes Meyer d9eb8f9e8d LdapUserGroupBackend: Do not extend LdapRepository
Selecting groups works, but not memberships. Does not make sense
until both things work...

refs #7343
2015-06-03 16:33:22 +02:00
Johannes Meyer 89d992278b Introduce class LdapUserGroupBackend
refs #743
2015-06-03 16:27:50 +02:00
Johannes Meyer 86c63ec913 Introduce class LdapRepository
refs #7343
2015-06-03 15:28:07 +02:00
Johannes Meyer 96f5f8fd49 LdapUserBackend: Do not fetch a user's groups
refs #7343
2015-06-03 15:16:54 +02:00
Johannes Meyer e0c0e9c874 LdapUserBackend: Move function retrieveGeneralizedTime into its parent
refs #7343
2015-06-03 14:36:46 +02:00
Johannes Meyer cd0c418854 Merge branch 'master' into feature/user-and-group-management-8826 2015-06-02 10:44:13 +02:00
Johannes Meyer e936c76ca9 DbUserGroupBackend: Really clear memberships and parent relations...
...when removing a group.

refs #8826
2015-06-01 15:34:38 +02:00
Johannes Meyer 1385295e4e DbUserGroupBackend: Properly handle sequences of group names
refs #8826
2015-06-01 15:33:35 +02:00
Johannes Meyer 62fff94808 DbUserGroupBackend: Do not try to fetch a group id for null
refs #8826
2015-06-01 15:16:03 +02:00
Johannes Meyer beb5bd7370 Repository: Clone a filter implicitly in self::requireFilter($clone = true)
refs #8826
2015-06-01 15:03:08 +02:00
Johannes Meyer 601b720a03 LdapUserBackend: Fetch and interpret the correct attributes (OpenLDAP)
refs #8826
2015-06-01 14:05:44 +02:00
Johannes Meyer d1a5321d02 LdapUserBackend: Fetch and interpret the correct attributes (ActiveDirectory)
refs #8826
2015-06-01 12:23:16 +02:00
Johannes Meyer a88037f45d DbUserGroupBackend: Fetch and persist a group's id when it's name is given
refs #8826
2015-05-29 11:33:35 +02:00
Johannes Meyer bb285db05b Differentiate the source or destination of a column when converting values
refs #8826
2015-05-29 11:32:15 +02:00
Johannes Meyer 60ce78c958 DbUserGroupBackend: Adjust how to load the name of a group's parent
refs #8826
2015-05-29 08:57:49 +02:00
Johannes Meyer c94e6a3292 Db/IniUserGroupBackend: Drop column parent_name, it's not a name anymore
refs #8826
2015-05-29 08:56:58 +02:00
Johannes Meyer 32b99be8ab DbUserGroupBackend: Adjust to fit the new database schema
refs #8826
2015-05-28 15:22:15 +02:00
Alexander A. Klimov cba36ec017 Ignore the preferences' loadability during authentication
fixes #8956
2015-05-27 15:13:53 +02:00
Johannes Meyer 10b158a182 LdapUserBackend: Fix sorting when sorting by user_name
refs #8826
2015-05-21 13:53:27 +02:00
Johannes Meyer 4d79731646 DbUserBackend: Fix sorting when sorting by user_name
refs #8826
2015-05-21 13:53:18 +02:00
Johannes Meyer 9278d708d7 IniUserGroupBackend: Do not sort by parent when sorting by group_name
refs #8826
2015-05-21 13:51:24 +02:00
Johannes Meyer 6369643145 DbUserGroupBackend: Do not sort by parent when sorting by group_name
refs #8826
2015-05-21 13:51:15 +02:00
Johannes Meyer 0a387573f3 Logger: Fix substitution of exception messages 2015-05-13 10:46:34 +02:00
Johannes Meyer f93c2de6be UserGroupBackend: Disable default backend type `ini'
We're not going to support this until a proper membership implementation
exists (or is required at all).

refs #8826
2015-05-13 10:45:54 +02:00
Johannes Meyer 223ecab991 DbUserGroupBackend: Make it possible to handle memberships
refs #8826
2015-05-13 10:34:39 +02:00
Johannes Meyer 47dfcf5e1d DbUserGroupBackend: Do not use the repository abstraction internally
That's overhead which is not necessary.

refs #8826
2015-05-13 10:34:00 +02:00
Johannes Meyer 104c1c6bba DbUserBackend: Utilize Zend_Db_Select when fetching the password hash 2015-05-13 09:16:24 +02:00
Johannes Meyer 7d08dd2765 DbConnection: Adjust insert and update to support custom type definitions
This strips the custom insert and update implementataions in
DbUserBackend down so that it does not need to do such low level stuff...

refs #8826
2015-05-13 09:15:18 +02:00
Johannes Meyer 053c9cdcb3 Repository: Check whether a column is queried from the correct table
refs #8826
2015-05-12 15:38:29 +02:00
Johannes Meyer 44bbd93cbc DbUserBackend: Provide a custom insert and update implementation
As we're transmitting password hashes which may contain special chars
and the like, we need to utilize prepared statements with explicit types.

refs #8826
2015-05-11 16:00:24 +02:00
Matthias Jentsch 25f397042b Merge branch 'master' into feature/improve-multi-select-view-8565
Conflicts:
	modules/monitoring/application/controllers/HostsController.php
	modules/monitoring/application/controllers/ServicesController.php
	modules/monitoring/application/views/scripts/hosts/show.phtml
	modules/monitoring/application/views/scripts/list/hosts.phtml
	modules/monitoring/application/views/scripts/partials/host/objects-header.phtml
	modules/monitoring/application/views/scripts/partials/service/objects-header.phtml
	modules/monitoring/application/views/scripts/services/show.phtml
	modules/monitoring/public/css/module.less
	public/js/icinga/behavior/tooltip.js
2015-05-11 13:28:43 +02:00
Johannes Meyer b3957c556b DbUserGroupBackend: Properly utilize the insert and update capability
refs #8826
2015-05-11 13:28:01 +02:00
Johannes Meyer f1c82fc318 IniUserGroupBackend: Convert timestamps and arrays...
...to formatted datetime strings and comma separated strings respectively

refs #8826
2015-05-08 15:28:10 +02:00
Johannes Meyer 59ec11f047 IniUserGroupBackend: Extend IniRepository
We are now able to insert, update and delete user groups stored in INI files

refs #8826
2015-05-08 15:26:35 +02:00
Johannes Meyer 99be358714 Repository: Make it possible to initialize column properties lazily
refs #8826
2015-05-07 08:28:32 +02:00
Johannes Meyer 4d83b2f93d Authentication\Manager: Fix invalid class path in use statement
refs #8826
2015-05-06 12:18:57 +02:00
Johannes Meyer 4044e56a03 LdapUserBackend: Provide filter column `user'
refs #8826
2015-05-06 10:27:26 +02:00
Johannes Meyer 9c799dca22 IniUserGroupBackend: Automatically set section names on column `name'
refs #8826
2015-05-06 08:41:54 +02:00
Johannes Meyer 89029308ef IniUserGroupBackend: Extend Repository and implement UserGroupBackendInterface
Note that it was necessary to change the structure of ini files providing
the membership information. They need to be structured like our db
table rows now.

refs #8826
2015-05-05 15:24:18 +02:00
Johannes Meyer de68d78938 DbUserGroupBackend: Add case insensitive filter columns `group' and `parent'
refs #8826
2015-05-05 09:34:49 +02:00
Johannes Meyer 37e47f0d3f DbUserBackend: Add case insensitive filter column `user'
refs #8826
2015-05-05 09:34:23 +02:00
Johannes Meyer 58233b0072 DbUserGroupBackend: Extend DbRepository and implement UserGroupBackendInterface
refs #8826
2015-05-05 09:23:29 +02:00
Johannes Meyer b1454c199a Introduce interface UserGroupBackendInterface
refs #8826
2015-05-05 08:27:11 +02:00
Johannes Meyer 7b2fc1ba41 Make class UserGroupBackend being just a factory for user group backends
refs #8826
2015-05-05 08:26:38 +02:00
Johannes Meyer 842b043f7f LdapUserBackend: Use is_active as well as a default sort column
refs #8826
2015-05-04 15:56:13 +02:00
Johannes Meyer b86a0024c3 DbUserBackend: Use is_active as well as a default sort column
refs #8826
2015-05-04 15:55:36 +02:00
Johannes Meyer c441117324 LdapUserBackend: Extend Repository and implement UserBackendInterface
refs #8826
2015-05-04 12:18:25 +02:00
Johannes Meyer e74194c18e ExternalBackend: Implement UserBackendInterface
refs #8826
2015-05-04 12:15:50 +02:00
Johannes Meyer 99ac0b78ea DbUserBackend: Extend DbRepository and implement UserBackendInterface
refs #8826
2015-05-04 12:15:05 +02:00
Johannes Meyer 7b41fc020a AuthChain: Yield UserBackendInterface instead of UserBackend
refs #8826
2015-05-04 11:44:41 +02:00
Johannes Meyer 1824eb9c3b Make class UserBackend being just a factory for user backends
refs #8826
2015-05-04 11:43:53 +02:00
Johannes Meyer 68657c02ee Introduce interface Icinga\Authentication\User\UserBackendInterface
refs #8826
2015-05-04 11:40:17 +02:00
Johannes Meyer 7960e911a6 UserGroupBackend: Add support for custom backends to fetch user groups
refs #8826
refs #9122
2015-04-22 09:52:08 +02:00
Johannes Meyer a2cd5d63f1 UserBackend: Wrap config directives as part of errors in single quotes 2015-04-22 09:36:45 +02:00
Johannes Meyer a1d8ed6e8f UserBackend: Utilize ResourceFactory::create 2015-04-22 09:35:41 +02:00
Johannes Meyer c9dcddb134 UserGroupBackend: Add missing and fix existing method documentation 2015-04-22 09:35:06 +02:00
Johannes Meyer 847c02ed8e UserBackend: Add support for custom authentication backends
refs #8826
refs #8877
2015-04-22 09:28:42 +02:00
Johannes Meyer b45e576722 UserBackend: Remove testing only related code
There are no tests for this class at all.
2015-04-21 14:15:43 +02:00
Johannes Meyer 97caeb27f7 UserBackend: Add missing and fix existing method documentation
refs #8826
2015-04-21 13:59:35 +02:00
Johannes Meyer 319ca3625c LdapUserBackend: Drop redundant method hasUser
refs #8826
2015-04-21 13:15:40 +02:00
Johannes Meyer 60a8654614 ExternalBackend: Drop redundant method hasUser
refs #8826
2015-04-21 13:15:06 +02:00
Johannes Meyer 11f522d929 DbUserBackend: Drop redundant method hasUser
refs #8826
2015-04-21 13:14:50 +02:00
Johannes Meyer a7af546078 UserBackend: Drop abstract method hasUser
refs #8826
2015-04-21 13:14:27 +02:00
Johannes Meyer 6ca68f438d Move concrete UserBackend classes to Icinga\Authentication\User
refs #8826
2015-04-21 12:51:31 +02:00
Johannes Meyer 39473e8939 Move UserGroupBackend to Icinga\Authentication\User
refs #8826
2015-04-21 12:42:21 +02:00
Johannes Meyer b51ce9c7ab Move concrete UserGroupBackend classes to Icinga\Authentication\UserGroup
refs #8826
2015-04-21 12:38:57 +02:00
Johannes Meyer 8058eb0215 Move UserGroupBackend class to Icinga\Authentication\UserGroup
refs #8826
2015-04-21 12:32:18 +02:00
Alexander Klimov 967a2e82dc Use (only) "@return $this" in fluent interfaces' documentation 2015-04-07 14:24:11 +02:00
Johannes Meyer 0bc1416b10 Use the correct name for malformed LDAP attributes automatically
...or more purposefully: Guard lazy users from themselves. I hope I don't
have to explain why _this_ is not part of Icinga\Protocol\Ldap\Query...

resolves #8608
2015-03-13 11:17:43 +01:00
Johannes Meyer 39a74c4f3d LDAP-Auth backend config: Add support for custom LDAP filter rules
refs #8365
2015-03-11 09:52:14 +01:00
Johannes Meyer f3fa743022 Fix login when using a PostgreSQL database as authentication backend
fixes #8524
2015-03-06 11:03:45 +01:00
Matthias Jentsch cb0ca6d6ac Remove unused piechart code 2015-03-06 09:41:38 +01:00
Thomas Gelf 88315db1eb UserBackend: reasonable defaults for AD groups
I didn't do farther research, but those values seem to work fine.
2015-02-09 15:31:47 +01:00
Thomas Gelf 81f65a7cd4 LdapUserBackend: disable "health check"
I see no point in checking this at every login. It could however be a
nice addition for our config backends and the setup wizard. I'd also
opt for completely removing this parameter - who wants to use this
method should explicitely call it.
2015-02-09 15:29:52 +01:00
Thomas Gelf 7b1b5b9b40 Authentication\Manager: do not override user groups
Needs more care, but this way we are at least able to fetch groups
unless we get out improved implementation.
2015-02-09 15:27:50 +01:00
Johannes Meyer 8b94e4c701 Fix documentation and code style in the LdapUserBackend 2015-02-06 16:32:26 +01:00
Eric Lippmann 6bae2e0a53 Note that our license is GPL v2 or any later version in our license header instead of pointing to the license's URL 2015-02-04 10:52:27 +01:00
Eric Lippmann 5b4fab0750 Add license header
This time without syntax errors hopefully :)
2015-02-03 16:27:59 +01:00
Eric Lippmann 5fa2e3cfdc Revert "Add license header"
This reverts commit 338d067aba.
2015-02-03 16:16:26 +01:00
Eric Lippmann 4c7d120523 Revert "Fix typo in UserBackend"
This reverts commit 9fa1fd626c.
2015-02-03 16:16:26 +01:00
Eric Lippmann 160b3a96ca Revert "Fix typo in UserGroupBackend"
This reverts commit e8c4f45d68.
2015-02-03 16:16:26 +01:00
Eric Lippmann e8c4f45d68 Fix typo in UserGroupBackend 2015-02-03 16:14:13 +01:00
Eric Lippmann 9fa1fd626c Fix typo in UserBackend 2015-02-03 16:13:22 +01:00
Eric Lippmann 6517f8e2be security: Activate permissions 2015-02-03 16:08:35 +01:00
Eric Lippmann 338d067aba Add license header
fixes #7788
2015-02-03 15:51:04 +01:00
Johannes Meyer 7989b48248 Fix ldap auth when the userNameAttribute holds multiple values
fixes #8246
2015-02-03 10:15:54 +01:00
Johannes Meyer 2a115e71d4 Add support for paged LDAP search results
fixes #8261
refs #6176
2015-01-29 15:53:15 +01:00
Johannes Meyer 50fc85d7ff Rename authentication type "autologin" to "external"
refs #8274
2015-01-27 09:49:36 +01:00
Johannes Meyer d452f3218d Use "ini" as preferences store in case preferences are not configured
refs #8234
2015-01-23 16:25:24 +01:00
Johannes Meyer 14a4aaeb77 Revert "Fix that when chosing to not to store preferences an invalid config is created"
This reverts commit 6284da451e.
2015-01-23 15:23:43 +01:00
Johannes Meyer 6284da451e Fix that when chosing to not to store preferences an invalid config is created
fixes #8234
2015-01-23 14:42:09 +01:00
Eric Lippmann 44de790cc9 Security: Temporary grant all permissions 2015-01-22 17:12:49 +01:00
Eric Lippmann 2bd2f32b2e postgresql/auth: Fix that users cannot login when using PostgreSQL >= version 9.0
fixes #8251
2015-01-19 16:43:19 +01:00
Tom Ford dc0f396fbf Check LDAP username in case insensitive way
Signed-off-by: Eric Lippmann <eric.lippmann@netways.de>

refs #7991
2014-12-10 16:00:39 +01:00
Eric Lippmann 3e1583ca40 Security: Remove getPermissions and getRestrictions from the AdmissionLoader
These funtctions are superseded by getRestrictionsAndPermissions.

refs #5647
2014-11-19 15:13:45 +01:00
Eric Lippmann bed11ebb60 Security: Load user permissions and restrictions from roles.ini
refs #5647
2014-11-19 15:11:14 +01:00
Eric Lippmann b01a9a65e0 Security: Introduce AdmissionLoader::getPermissionsAndRestrictions() for loading permissins and restrictions from roles.ini
When loading from roles.ini there's currently an empty permission added which is of course a bug and will be fixed asap.

refs #5647
2014-11-19 15:10:09 +01:00
Johannes Meyer 7621f6642d Adjust usages of Icinga\Application\Config
refs #7147
2014-11-18 13:11:52 +01:00
Johannes Meyer eb4672923f Require the OpenSSL module instead of providing an unsafe fallback
refs #7163
2014-11-11 10:19:09 +01:00
Johannes Meyer 9d292269b1 Merge branch 'master' into feature/setup-wizard-7163
Conflicts:
	application/forms/Config/Resource/LdapResourceForm.php
	test/php/application/forms/Config/Authentication/LdapBackendFormTest.php
2014-11-11 09:44:11 +01:00
Johannes Meyer 2bb7217d04 Do not require the openssl extension 2014-11-10 11:20:02 +01:00
Johannes Meyer 124f64ad89 Merge branch 'master' into bugfix/drop-zend-config-7147 2014-11-07 14:07:15 +01:00
Johannes Meyer 7b99b74ae1 Prefer Icinga\Application\Config instead of Zend_Config
refs #7147
2014-11-07 13:53:03 +01:00
Matthias Jentsch d0706a55ea Chain exceptions in LdapUserBackend instead of printing the message 2014-11-06 16:32:43 +01:00
Johannes Meyer 7569c55796 Fix how password hashes are stored and retrieved in DbUserBackend 2014-11-04 15:52:09 +01:00
Johannes Meyer 170ded6510 Merge branch 'master' into feature/setup-wizard-7163
Conflicts:
	library/Icinga/Authentication/Backend/LdapUserBackend.php
	library/Icinga/File/Ini/IniWriter.php
2014-11-04 14:22:53 +01:00
Johannes Meyer 8913bf53c9 Fix salt extraction 2014-11-04 13:03:36 +01:00
Johannes Meyer 99277383b9 Fix retrieving a user's data from the database 2014-11-04 13:03:12 +01:00
Johannes Meyer cad8f7538e Leave it up to the database to decide what is the current time 2014-11-04 12:42:39 +01:00
Matthias Jentsch f9fee2df70 Do not interrupt authentication chain on invalid ldap connection infos
Catch LdapExceptions and throw AuthenticationException to not interrupt authentication chain

fixes #7497
2014-11-04 12:35:41 +01:00
Eric Lippmann 16352fc10c Move Logger to the Application namespace
fixes #7148
2014-10-31 10:27:17 +01:00
Johannes Meyer 4f1e1ddb6f Adjust the DbUserBackend to reflect the new database schema 2014-10-30 15:40:07 +01:00
Johannes Meyer c1bff9a26e Merge branch 'master' into feature/setup-wizard-7163 2014-10-30 10:38:21 +01:00
Eric Lippmann f68c591a46 LDAP Auth: Make group loading really optional
fixes #7432
2014-10-23 03:50:03 +02:00
Johannes Meyer 8c62c66a4e Make regular expression pattern in autologin backend being fully optional 2014-10-20 15:14:14 +02:00
Eric Lippmann 424cee6b4a Auth: Load user groups using the new user group backends 2014-10-20 13:43:40 +02:00
Eric Lippmann aa56f3010c lib: Add DbUserGroupBackend 2014-10-20 13:42:33 +02:00
Eric Lippmann d170cf0c9d lib: Replace Membership with IniUserGroupBackend 2014-10-20 13:42:15 +02:00
Eric Lippmann d1228deef2 lib: Add UserGroupBackend as base class and factory for user group backends 2014-10-20 13:41:33 +02:00
Eric Lippmann cee261bf7e Use lowercase username and user groups for loading user permissions and restrictions 2014-10-20 13:36:37 +02:00
Matthias Jentsch 9a9aa84e23 Respect base_dn in LdapUserBackend 2014-10-14 14:37:21 +02:00
Matthias Jentsch dd21b7b5d1 Make sure that we work only with arrays when handling LDAP groups 2014-10-09 10:14:42 +02:00
Matthias Jentsch 04e83a53c5 Add `base_dn' directive to LDAP backend config 2014-10-09 10:10:09 +02:00
Johannes Meyer 1cbe2451a8 Merge branch 'master' into feature/setup-wizard-7163
Conflicts:
	application/forms/Config/Resource/StatusdatResourceForm.php
2014-10-08 16:34:31 +02:00
Johannes Meyer 96ba45d896 Convert password salt to ASCII to avoid encoding issues with PostgreSQL 2014-10-08 15:26:42 +02:00
Johannes Meyer 393191ced1 Add admin creation routine
refs #7163
2014-10-08 10:26:12 +02:00
Alexander Fuhr 421263af00 Make LDAP Groups optional
refs #7343
2014-10-06 13:35:17 +02:00
Alexander Fuhr 017d4b8c9d Introduce Groups from LDAP to User Object 2014-10-01 16:03:42 +02:00
Eric Lippmann 74bd9b319d restrictions: Include restriction's section name in user restrictions 2014-10-01 14:08:21 +02:00
Eric Lippmann 084691570e permissions: Use a comma-separated list as config instead of the `permission_*' directives
Permissions are now set using a comma-separated list of permissions using the `permissions' config because
the `users' and `groups' are comma-separated lists too.
2014-10-01 08:14:03 +02:00
Johannes Meyer 8fcf21a6b8 Make it possible to retrieve a list of available users for authentication
refs #7163
2014-09-29 11:21:40 +02:00
Johannes Meyer c00dbf9f46 Write session on response
There should not be any necessity to write the session once changes are
being made to it. We now track whether changes were made and write
the session when responding to the user's request if so.
2014-09-24 10:46:35 +02:00
Eric Lippmann f1d3b72f05 autologin: Fix externally-authenticated users still being authenticated after external authentication is disabled
The if condition for revoking authentication if the username changed relied on having the `$_SERVER' variable set which was used for authentication.
Authentication is now revoked if the username changed or external authentication is no longer in effect.

refs #6462
2014-09-18 15:20:46 +02:00
Eric Lippmann 794910256a Use `User::can()' in `hasPermission()' of the authentication manager 2014-09-18 14:57:24 +02:00
Alexander Klimov 45638b218c Throw IcingaException rather than Exception
fixes #7014
2014-08-27 16:03:15 +02:00
Alexander Klimov 9c5878cbbe ConfigurationError: extend IcingaException
refs #6931
2014-08-22 11:46:11 +02:00
Alexander Klimov b764993091 AuthenticationException: extend IcingaException
refs #6931
2014-08-22 10:59:52 +02:00
Marius Hein 56a29354d3 AutoLogin: Check the remote username against logged in user
fixes #6462
2014-07-30 12:54:08 +02:00
Marius Hein e2c761a7aa AutoLogin/Logout: Remove own session namespace
Store data in the user and implement interface to left
backends store remote information.

fixes #6461
2014-07-30 12:35:55 +02:00
Eric Lippmann 294728ac47 Revert "Autologin: Test logged session against remote user"
This reverts commit 64954e9924.

If the strip_username_regex is configured on the autologin backend and applies on a user's name,
the authenticated user's username does never match the REMOTE_USER server variable.
Thus the application will logout/login on every request which results in a redirect loop.

refs #6462
2014-07-29 17:50:44 +02:00
Marius Hein 64954e9924 Autologin: Test logged session against remote user
fixes #6462
2014-07-29 12:06:43 +02:00
Marius Hein 8b9d446d2e Autologin: Remove deprecated autologin methods
Remove methods from manager because autologin
is now handled with special backends (AutoLoginBackend).

The session is used to store the status about a remote
user authentication to send a 401 header to the client
upon logout.

refs #6461
2014-07-29 10:48:57 +02:00
Johannes Meyer b40027b6c7 Purge session when logging out
fixes #6739
2014-07-16 09:55:22 +02:00
Johannes Meyer 19f05256a0 Only call session_start() when reading from session
fixes #6383
2014-07-16 09:55:22 +02:00
Johannes Meyer 3105c2059e Remove license headers from all files
refs #6309
2014-07-15 13:43:52 +02:00
Matthias Jentsch 57f3023ec4 Fix coding style 2014-07-03 16:20:45 +02:00
Matthias Jentsch c18b6f26f0 Throw Ldap\Exception when something goes wrong in a Ldap connection 2014-06-25 12:41:17 +02:00
Matthias Jentsch 77a9dd1e6e Throw exception on fetchDN, when no row exists
Instead of fetchDN, authentication now uses hasUser to check if the user
exists before querying the password, to prevent the exception from messing
up the whole authentication process
2014-06-23 14:02:45 +02:00
Thomas Gelf 4bada86731 Authentication\Manager: fix fromRemoteUser boolean
This used to be always true in case an autologin backend was enabled.
We only have a REMOTE_USER if there is such.
2014-06-20 12:58:17 +02:00
Thomas Gelf d2ccc68214 Merge remote-tracking branch 'origin/master' into feature/query-interfaces-6018
Conflicts:
	modules/monitoring/application/controllers/ListController.php
2014-06-17 09:47:14 +00:00
Eric Lippmann db73d324de Autologin: Fix that the backend name must have been `autologin'
Before, the code validated the name of the backend instead of the `backend' directive against `autologin'.
2014-06-12 17:05:54 +02:00
Eric Lippmann 7d2ee41f42 Autologin: Fix PHPDoc 2014-06-11 15:46:59 +02:00
Eric Lippmann 992ccf4f6d Autologin: Actually set the username upon authentication
Before, when using autologin the username of the authenticated user always was the empty string.
2014-06-11 15:46:59 +02:00
Eric Lippmann 65a2bd41bc Autologin: Do not use absolute `use' 2014-06-11 15:46:58 +02:00
Eric Lippmann 7215ba4f59 Autologin: Do not require a bogus password in the source code 2014-06-11 15:46:58 +02:00
Eric Lippmann 63fc8eb27e Autologin: Use REMOTE_USER for authentication
It's not safe to rely on PHP_AUTH_USER and PHP_AUTH_TYPE because
PHP cgi handlers (fgcid for example) only set the REMOTE_USER environment variable
and the authentication type for negogiation methods (Kerberos for example) is neither
Basic nor Digest.
We may have to add REDIRECT_REMOTE_USER for authentication for proxy setups.
2014-06-11 15:46:58 +02:00
Eric Lippmann c09341d77e Autologin: Do NOT sanitize username
I don't know the reason why this was done initially but a username must not be changed.
2014-06-11 15:46:58 +02:00
Matthias Jentsch c42c7977be Call extended backend health checks when creating ldap authentication backends
fixes #6457
2014-06-11 15:09:36 +02:00
Matthias Jentsch 6c82cb8988 Check ldap backend health during Authentication
Check if authentication is possible during authentication, to generate more
useful error and log messages, in case the backend configuration is wrong

ref #6457
2014-06-11 15:08:05 +02:00
Matthias Jentsch bca166c644 Do not throw an exception when the username does not exist
refs #6457
2014-06-11 15:08:05 +02:00
Thomas Gelf db3accc704 Data\Db: rename Query and Connection to Db...
Class names in namespaces should not be chosen as once we didn't have
such. The fact that we already did "use Db\Connection as DbConnection"
is the best hint that naming was wrong.

So this patch renames Db\Connection to Db\DbConnection and does the
same with DbQuery. DbQuery has been adjusted to fit our new SimpleQuery
and to handle the new Filter implementation.
2014-06-06 06:43:13 +00:00
Marius Hein 29f593a357 Authentication: Add backend to handle external authentication
Drop external auth configuration from config.ini and move
implementation into a single backend provider named
'autologin'. This provider can strip realm names from
username with a custom regexp.

fixes #6081
2014-06-03 17:59:22 +02:00
Eric Lippmann cfcaf019bd User backends: Throw exception when authentication fails due to an exception
refs #5685
2014-06-02 15:52:58 +02:00