#13548 new method login ldap from nodo when metaconsole is centralized
This commit is contained in:
parent
25d17fb990
commit
38a886f4bf
|
@ -712,6 +712,29 @@ if ($login_screen === 'disabled_access_node') {
|
|||
echo '</div>';
|
||||
}
|
||||
|
||||
if (empty($process_error_message) === true
|
||||
&& isset($config['pending_sync_process_message']) === true
|
||||
&& $login_screen === 'login'
|
||||
) {
|
||||
echo '<div id="pending_sync_process" title="'.__('Centralized user in metaconsole').'">';
|
||||
echo '<div class="content_alert">';
|
||||
echo '<div class="icon_message_alert">';
|
||||
echo html_print_image('images/icono_logo_pandora.png', true, ['alt' => __('Pending synchronization process'), 'border' => 0]);
|
||||
echo '</div>';
|
||||
echo '<div class="content_message_alert">';
|
||||
echo '<div class="text_message_alert">';
|
||||
echo '<h1>'.__('Access granted').'</h1>';
|
||||
echo '<p>'.$config['pending_sync_process_message'].'</p>';
|
||||
echo '</div>';
|
||||
echo '<br>';
|
||||
echo '<div class="button_message_alert">';
|
||||
html_print_submit_button('Ok', 'hide-sync-process', false, ['class' => 'mini float-right']);
|
||||
echo '</div>';
|
||||
echo '</div>';
|
||||
echo '</div>';
|
||||
echo '</div>';
|
||||
}
|
||||
|
||||
switch ($login_screen) {
|
||||
case 'error_dbconfig':
|
||||
case 'error_authconfig':
|
||||
|
@ -966,6 +989,24 @@ html_print_div(['id' => 'forced_title_layer', 'class' => 'forced_title_layer', '
|
|||
$("#login_failed" ).dialog('close');
|
||||
$("#login_correct_pass").dialog('close');
|
||||
});
|
||||
|
||||
if ($('#pending_sync_process').length > 0) {
|
||||
$('#pending_sync_process').dialog({
|
||||
resizable: true,
|
||||
draggable: true,
|
||||
modal: true,
|
||||
height: 230,
|
||||
width: 530,
|
||||
overlay: {
|
||||
opacity: 0.5,
|
||||
background: "black"
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
$('#button-hide-sync-process').click(function() {
|
||||
$('#pending_sync_process').dialog('close')
|
||||
})
|
||||
});
|
||||
$('#nick').focus();
|
||||
break;
|
||||
|
|
|
@ -72,6 +72,7 @@ if (isset($config) === false) {
|
|||
}
|
||||
|
||||
require_once $config['homedir'].'/include/functions_profile.php';
|
||||
require_once $config['homedir'].'/include/functions_token.php';
|
||||
enterprise_include('include/auth/mysql.php');
|
||||
|
||||
$config['user_can_update_info'] = true;
|
||||
|
@ -220,15 +221,32 @@ function process_user_login_remote($login, $pass, $api=false)
|
|||
{
|
||||
global $config, $mysql_cache;
|
||||
|
||||
$create_by_remote_api = false;
|
||||
if (is_metaconsole() === false && is_management_allowed() === false) {
|
||||
$create_by_remote_api = true;
|
||||
}
|
||||
|
||||
// Remote authentication.
|
||||
switch ($config['auth']) {
|
||||
// LDAP.
|
||||
case 'ldap':
|
||||
if ($create_by_remote_api === true) {
|
||||
$sr = ldap_process_user_login_by_api($login, $pass);
|
||||
if ($sr !== false && isset($sr['uid']) === true && is_array($sr['uid']) === true) {
|
||||
$already_user = db_get_value('id_user', 'tusuario', 'id_user', $sr['uid'][0]);
|
||||
// If the node is centralized, LDAP login is delegated to the metaconsole via the API.
|
||||
// Since the user is not yet on the nodes, they are asked to try again in a few minutes.
|
||||
if ($already_user === false && is_metaconsole() === false) {
|
||||
$config['pending_sync_process_message'] = __('Successful login, please wait a few minutes for the metaconsole to synchronize with the nodes and then log in again with the same credentials.');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$sr = ldap_process_user_login($login, $pass);
|
||||
// Try with secondary server if not login.
|
||||
if ($sr === false && (bool) $config['secondary_ldap_enabled'] === true) {
|
||||
$sr = ldap_process_user_login($login, $pass, true);
|
||||
}
|
||||
}
|
||||
|
||||
if (!$sr) {
|
||||
return false;
|
||||
|
@ -305,7 +323,7 @@ function process_user_login_remote($login, $pass, $api=false)
|
|||
}
|
||||
} else if ($config['auth'] === 'ldap') {
|
||||
// Check if autocreate remote users is active.
|
||||
if ($config['autocreate_remote_users'] == 1) {
|
||||
if ($create_by_remote_api === false && $config['autocreate_remote_users'] == 1) {
|
||||
if ($config['ldap_save_password']) {
|
||||
$update_credentials = change_local_user_pass_ldap($login, $pass);
|
||||
} else {
|
||||
|
@ -381,11 +399,6 @@ function process_user_login_remote($login, $pass, $api=false)
|
|||
return false;
|
||||
}
|
||||
} else if ($config['auth'] === 'ldap') {
|
||||
if (is_management_allowed() === false) {
|
||||
$config['auth_error'] = __('Please, login into metaconsole first');
|
||||
return false;
|
||||
}
|
||||
|
||||
if (is_metaconsole() === true) {
|
||||
$user_info['metaconsole_access_node'] = $config['ldap_adv_user_node'];
|
||||
}
|
||||
|
@ -401,7 +414,7 @@ function process_user_login_remote($login, $pass, $api=false)
|
|||
} else {
|
||||
$user_info['fullname'] = db_escape_string_sql(io_safe_input($sr['cn'][0]));
|
||||
$user_info['email'] = io_safe_input($sr['mail'][0]);
|
||||
|
||||
if ($create_by_remote_api === false) {
|
||||
// Create the user.
|
||||
$create_user = create_user_and_permisions_ldap(
|
||||
$login,
|
||||
|
@ -411,6 +424,7 @@ function process_user_login_remote($login, $pass, $api=false)
|
|||
is_metaconsole() && is_centralized() === false
|
||||
);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$user_info = [
|
||||
'fullname' => $login,
|
||||
|
@ -988,6 +1002,7 @@ function ldap_process_user_login($login, $password, $secondary_server=false)
|
|||
|
||||
if ($memberof['count'] == 0 && !isset($memberof[0]['memberof'])) {
|
||||
@ldap_close($ds);
|
||||
$config['auth_error'] = 'User not found in database or incorrect password';
|
||||
return false;
|
||||
} else {
|
||||
$memberof = $memberof[0];
|
||||
|
@ -1644,5 +1659,77 @@ function local_ldap_search(
|
|||
}
|
||||
|
||||
|
||||
/**
|
||||
* Performs the LDAP login process by delegating it to the metaconsole via the API.
|
||||
* It will return the user's ID and email if successful in LDAP format. USE ONLY ON NODE.
|
||||
*
|
||||
* @param string $user User to login.
|
||||
* @param string $pass Password of user.
|
||||
*
|
||||
* @return false|array
|
||||
*/
|
||||
function ldap_process_user_login_by_api($user, $pass)
|
||||
{
|
||||
global $config;
|
||||
if (is_metaconsole() === true) {
|
||||
return false;
|
||||
}
|
||||
|
||||
metaconsole_load_external_db(
|
||||
[
|
||||
'dbhost' => $config['replication_dbhost'],
|
||||
'dbuser' => $config['replication_dbuser'],
|
||||
'dbpass' => io_output_password($config['replication_dbpass']),
|
||||
'dbname' => $config['replication_dbname'],
|
||||
]
|
||||
);
|
||||
$serverUniqueIdentifier = db_get_value('value', 'tconfig', 'token', 'server_unique_identifier');
|
||||
$apiPassword = db_get_value('value', 'tconfig', 'token', 'api_password');
|
||||
$token = generate_token_for_system($serverUniqueIdentifier, $apiPassword);
|
||||
metaconsole_restore_db();
|
||||
|
||||
$curl = curl_init();
|
||||
curl_setopt_array(
|
||||
$curl,
|
||||
[
|
||||
CURLOPT_URL => $config['metaconsole_base_url'].'api/v2/user/'.$user.'/login?password='.$pass,
|
||||
CURLOPT_RETURNTRANSFER => true,
|
||||
CURLOPT_FOLLOWLOCATION => true,
|
||||
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
|
||||
CURLOPT_CUSTOMREQUEST => 'GET',
|
||||
CURLOPT_HTTPHEADER => [
|
||||
'Accept: application/json',
|
||||
'Authorization: Bearer '.$token,
|
||||
],
|
||||
CURLOPT_RETURNTRANSFER => true,
|
||||
]
|
||||
);
|
||||
|
||||
$response = json_decode(curl_exec($curl), true);
|
||||
$code = curl_getinfo($curl, CURLINFO_HTTP_CODE);
|
||||
curl_close($curl);
|
||||
if ($code === 200) {
|
||||
if (isset($response['email']) === true
|
||||
&& isset($response['idUser']) === true
|
||||
) {
|
||||
$ldap_format = [
|
||||
'mail' => [$response['email']],
|
||||
'uid' => [$response['idUser']],
|
||||
];
|
||||
|
||||
return $ldap_format;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
} else {
|
||||
if (isset($response['error']) === true) {
|
||||
$config['auth_error'] = $response['error'];
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Reference the global use authorization error to last auth error.
|
||||
$config['auth_error'] = &$mysql_cache['auth_error'];
|
||||
|
|
|
@ -155,3 +155,23 @@ function delete_user_token(int $idToken): bool
|
|||
|
||||
return $result;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Generate token for use ONLY in pandora.
|
||||
*
|
||||
* @param string $serverUniqueIdentifier Value server_unique_identifier from tconfig.
|
||||
* @param string $apiPassword Value api_password from tconfig.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
function generate_token_for_system(string $serverUniqueIdentifier='', string $apiPassword=''):string
|
||||
{
|
||||
if (empty($serverUniqueIdentifier) === true
|
||||
|| empty($apiPassword) === true
|
||||
) {
|
||||
return '';
|
||||
}
|
||||
|
||||
return md5($serverUniqueIdentifier).md5($apiPassword);
|
||||
}
|
||||
|
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace PandoraFMS\Modules\Shared\Middlewares;
|
||||
|
||||
use PandoraFMS\Modules\Shared\Services\Config;
|
||||
use PandoraFMS\Modules\Authentication\Services\GetUserTokenService;
|
||||
use PandoraFMS\Modules\Authentication\Services\UpdateTokenService;
|
||||
use PandoraFMS\Modules\Authentication\Services\ValidateServerIdentifierTokenService;
|
||||
|
@ -20,14 +19,20 @@ final class UserTokenMiddleware
|
|||
private readonly ValidateUserTokenService $validateUserTokenService,
|
||||
private readonly GetUserTokenService $getUserTokenService,
|
||||
private readonly UpdateTokenService $updateTokenService,
|
||||
private readonly Timestamp $timestamp,
|
||||
private readonly Config $config
|
||||
private readonly Timestamp $timestamp
|
||||
) {
|
||||
}
|
||||
|
||||
|
||||
public function check(Request $request): bool
|
||||
{
|
||||
global $config;
|
||||
|
||||
// DO NOT REMOVE THIS LINE.
|
||||
// In case a JSON error occurs outside of the API, it will be reset to handle
|
||||
// formatting errors in the parameters.
|
||||
json_encode([]);
|
||||
|
||||
$authorization = ($request->getHeader('Authorization')[0] ?? '');
|
||||
|
||||
$token = null;
|
||||
|
@ -50,7 +55,7 @@ final class UserTokenMiddleware
|
|||
$validToken = $this->validateUserTokenService->__invoke($uuid, $strToken);
|
||||
$token = $this->getUserTokenService->__invoke($uuid);
|
||||
if ($token !== null && $validToken) {
|
||||
$this->config->set('id_user', $token->getIdUser());
|
||||
$config['id_user'] = $token->getIdUser();
|
||||
$oldToken = clone $token;
|
||||
$token->setLastUsage($this->timestamp->getMysqlCurrentTimestamp(0));
|
||||
$this->updateTokenService->__invoke($token, $oldToken);
|
||||
|
@ -70,10 +75,10 @@ final class UserTokenMiddleware
|
|||
|
||||
if ($validTokenUiniqueServerIdentifier === true) {
|
||||
$_SESSION['id_usuario'] = 'admin';
|
||||
$this->config->set('id_user', 'admin');
|
||||
$config['id_user'] = 'admin';
|
||||
} else {
|
||||
$_SESSION['id_usuario'] = $token->getIdUser();
|
||||
$this->config->set('id_user', $token->getIdUser());
|
||||
$config['id_user'] = $token->getIdUser();
|
||||
}
|
||||
|
||||
if (session_status() === PHP_SESSION_ACTIVE) {
|
||||
|
|
|
@ -578,6 +578,15 @@ if (isset($config['id_user']) === false) {
|
|||
exit('</html>');
|
||||
}
|
||||
|
||||
if (isset($config['pending_sync_process_message']) === true) {
|
||||
include_once 'general/login_page.php';
|
||||
while (ob_get_length() > 0) {
|
||||
ob_end_flush();
|
||||
}
|
||||
|
||||
exit('</html>');
|
||||
}
|
||||
|
||||
// Login ok and password has not expired.
|
||||
$process_login = true;
|
||||
|
||||
|
|
Loading…
Reference in New Issue