tyler.durden
/
icingaweb2
mirror of https://github.com/Icinga/icingaweb2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
icingaweb2/library/Icinga/Authentication/Manager.php

467 lines
14 KiB
PHP
Raw Blame History

<?php
// {{{ICINGA_LICENSE_HEADER}}}
/**
* This file is part of Icinga Web 2.
*
* Icinga Web 2 - Head for multiple monitoring backends.
* Copyright (C) 2014 Icinga Development Team
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* @copyright 2014 Icinga Development Team <info@icinga.org>
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL, version 2
* @author Icinga Development Team <info@icinga.org>
*
*/
// {{{ICINGA_LICENSE_HEADER}}}
namespace Icinga\Authentication;
use \Exception;
use \Zend_Config;
use Icinga\User;
use Icinga\Web\Session;
use Icinga\Data\ResourceFactory;
use Icinga\Application\Logger;
use Icinga\Exception\ConfigurationError;
use Icinga\Application\Config as IcingaConfig;
use Icinga\Authentication\Backend\DbUserBackend;
use Icinga\Authentication\Backend\LdapUserBackend;
/**
* The authentication manager allows to identify users and
* to persist authentication information in a session.
*
* Direct instantiation is not permitted, the AuthenticationManager
* must be created using the getInstance method. Subsequent getInstance
* calls return the same object and ignore any additional configuration.
*
* @TODO(mh): Group support is not implemented yet (#4624)
**/
class Manager
{
/**
* Singleton instance
*
* @var self
*/
private static $instance;
/**
* Instance of authenticated user
*
* @var User
**/
private $user;
/**
* Array of user backends
*
* @var array
**/
private $userBackends = array();
/**
* Array of group backends
*
* @var array
**/
private $groupBackends = array();
/**
* The configuration
*
* @var Zend_Config
*/
private $config = null;
/**
* If the backends are already created.
*
* @var Boolean
*/
private $initialized = false;
/**
* Creates a new authentication manager using the provided config (or the
* configuration provided in the authentication.ini if no config is given)
* and with the given options.
*
* @param Zend_Config $config The configuration to use for authentication
* instead of the authentication.ini
* @param array $options Additional options that affect the managers behaviour.
* Supported values:
* * noDefaultConfig: Disable default configuration from authentication.ini
**/
private function __construct(Zend_Config $config = null, array $options = array())
{
if ($config === null && !(isset($options['noDefaultConfig']) && $options['noDefaultConfig'] == true)) {
$config = IcingaConfig::app('authentication');
}
$this->config = $config;
}
/**
* Get a singleton instance of our self
*
* @param Zend_Config $config
* @param array $options
*
* @return self
* @see Manager:__construct
*/
public static function getInstance(Zend_Config $config = null, array $options = array())
{
if (self::$instance === null) {
self::$instance = new Manager($config, $options);
}
return self::$instance;
}
/**
* Initialize multiple backends from Zend Config
*/
private function setupBackends(Zend_Config $config)
{
foreach ($config as $name => $backendConfig) {
// We won't initialize disabled backends
if ($backendConfig->get('disabled') == '1') {
continue;
}
if ($backendConfig->name === null) {
$backendConfig->name = $name;
}
$backend = $this->createBackend($backendConfig);
if ($backend instanceof UserBackend) {
$backend->connect();
$this->userBackends[$backend->getName()] = $backend;
} elseif ($backend instanceof GroupBackend) {
$backend->connect();
$this->groupBackends[$backend->getName()] = $backend;
}
}
}
/**
* Create a single backend from the given Zend_Config
*
* @param Zend_Config $backendConfig
*
* @return null|UserBackend
*/
private function createBackend(Zend_Config $backendConfig)
{
$target = ucwords(strtolower($backendConfig->target));
$name = $backendConfig->name;
// TODO: implement support for groups (#4624) and remove OR-Clause
if ((!$target || strtolower($target) != "user") && !$backendConfig->class) {
Logger::warn('AuthManager: Backend "%s" has no target configuration. (e.g. target=user|group)', $name);
return null;
}
try {
if (isset($backendConfig->class)) {
// use a custom backend class, this is probably only useful for testing
if (!class_exists($backendConfig->class)) {
Logger::error('AuthManager: Class not found (%s) for backend %s', $backendConfig->class, $name);
return null;
}
$class = $backendConfig->class;
return new $class($backendConfig);
}
switch (ResourceFactory::getResourceConfig($backendConfig->resource)->type) {
case 'db':
return new DbUserBackend($backendConfig);
case 'ldap':
return new LdapUserBackend($backendConfig);
default:
Logger::warn('AuthManager: Resource type ' . $backendConfig->type . ' not available.');
}
} catch (Exception $e) {
Logger::warn('AuthManager: Not able to create backend. Exception was thrown: %s', $e->getMessage());
}
return null;
}
/**
* Add a user backend to the stack
*
* @param UserBackend $userBackend
*/
public function addUserBackend(UserBackend $userBackend)
{
$this->userBackends[$userBackend->getName()] = $userBackend;
}
/**
* Get a user backend by name
*
* @param string $name
*
* @return UserBackend|null
*/
public function getUserBackend($name)
{
$this->initBackends();
return (isset($this->userBackends[$name])) ? $this->userBackends[$name] : null;
}
/**
* Add a group backend to the stack
*
* @param GroupBackend $groupBackend
*/
public function addGroupBackend(GroupBackend $groupBackend)
{
$this->groupBackends[$groupBackend->getName()] = $groupBackend;
}
/**
* Get a group backend by name
*
* @param string $name
*
* @return GroupBackend|null
*/
public function getGroupBackend($name)
{
$this->initBackends();
return (isset($this->groupBackends[$name])) ? $this->groupBackends[$name] : null;
}
/**
* Find a backend for the given credentials
*
* @param Credential $credentials
*
* @return UserBackend|null
* @throws ConfigurationError
*/
private function getBackendForCredential(Credential $credentials)
{
$this->initBackends();
$authErrors = 0;
foreach ($this->userBackends as $userBackend) {
$flag = false;
try {
Logger::debug(
'AuthManager: Try backend %s for user %s',
$userBackend->getName(),
$credentials->getUsername()
);
$flag = $userBackend->hasUsername($credentials);
} catch (Exception $e) {
Logger::error(
'AuthManager: Backend "%s" has errors. Exception was thrown: %s',
$userBackend->getName(),
$e->getMessage()
);
$authErrors++;
continue;
}
if ($flag === true) {
Logger::debug(
'AuthManager: Backend %s has user %s',
$userBackend->getName(),
$credentials->getUsername()
);
return $userBackend;
}
}
if ($authErrors >= count($this->userBackends)) {
Logger::fatal('AuthManager: No working backend found, unable to authenticate any user');
throw new ConfigurationError(
'No working backend found. Unable to authenticate any user.' .
"\nPlease examine the logs for more information."
);
}
return null;
}
/**
* Ensures that all backends are initialized
*/
private function initBackends()
{
if (!$this->initialized) {
$this->setupBackends($this->config);
$this->initialized = true;
}
}
/**
* Try to authenticate a user with the given credentials
*
* @param Credential $credentials The credentials to use for authentication
* @param Boolean $persist Whether to persist the authentication result in the current session
*
* @return Boolean Whether the authentication was successful or not
* @throws ConfigurationError
*/
public function authenticate(Credential $credentials, $persist = true)
{
$this->initBackends();
if (count($this->userBackends) === 0) {
Logger::error('AuthManager: No authentication backend provided, your users will never be able to login.');
throw new ConfigurationError(
'No authentication backend set - login will never succeed as icinga-web ' .
'doesn\'t know how to determine your user. ' . "\n" .
'To fix this error, setup your authentication.ini with at least one valid authentication backend.'
);
}
$userBackend = $this->getBackendForCredential($credentials);
if ($userBackend === null) {
Logger::info('AuthManager: Unknown user %s tried to log in', $credentials->getUsername());
return false;
}
$this->user = $userBackend->authenticate($credentials);
if ($this->user === null) {
Logger::info('AuthManager: Invalid credentials for user %s provided', $credentials->getUsername());
return false;
}
// TODO: We want to separate permissions and restrictions from
// the user object. This will be possible once session
// had been refactored.
$this->user->loadPermissions();
$this->user->loadRestrictions();
if ($persist == true) {
$this->persistCurrentUser();
}
Logger::info('AuthManager: User successfully logged in: %s', $credentials->getUsername());
return true;
}
/**
* Writes the current user to the session
**/
public function persistCurrentUser()
{
$session = Session::getSession();
$session->set('user', $this->user);
$session->write();
}
/**
* Tries to authenticate the user with the current session
**/
public function authenticateFromSession()
{
$this->user = Session::getSession()->get('user');
}
/**
* Returns true when the user is currently authenticated
*
* @param Boolean $ignoreSession Set to true to prevent authentication by session
*
* @return bool
*/
public function isAuthenticated($ignoreSession = false)
{
if ($this->user === null && !$ignoreSession) {
$this->authenticateFromSession();
}
return is_object($this->user);
}
/**
* Whether an authenticated user has a given permission
*
* This is true if the user owns this permission, false if not.
* Also false if there is no authenticated user
*
* TODO: I'd like to see wildcard support, e.g. module/*
*
* @param string $permission Permission name
* @return bool
*/
public function hasPermission($permission)
{
if (! $this->isAuthenticated()) {
return false;
}
foreach ($this->user->getPermissions() as $p) {
if ($p === $permission) {
return true;
}
}
return false;
}
/**
* Get applied restrictions matching a given restriction name
*
* Returns a list of applied restrictions, empty if no user is
* authenticated
*
* @param string $restriction Restriction name
* @return array
*/
public function getRestrictions($restriction)
{
if (! $this->isAuthenticated()) {
return array();
}
return $this->user->getRestrictions($restriction);
}
/**
* Purges the current authorization information and removes the user from the session
**/
public function removeAuthorization()
{
$this->user = null;
$this->persistCurrentUser();
}
/**
* Returns the current user or null if no user is authenticated
*
* @return User
**/
public function getUser()
{
return $this->user;
}
/**
* Getter for groups belonged to authenticated user
*
* @return array
* @see User::getGroups
**/
public function getGroups()
{
return $this->user->getGroups();
}
}
Reference in New Issue View Git Blame Copy Permalink