LibreNMS/Interfaces/Authentication/Authorizer.php

<?php

namespace LibreNMS\Interfaces\Authentication;

use LibreNMS\Exceptions\AuthenticationException;

interface Authorizer
{
    /**
     * Authenticate the user and password.
     * Some Authorizer methods may only check username.
     *
     * @param  array  $credentials
     * @return true throws an Exception on failure
     *
     * @throws AuthenticationException thrown if the username or password is invalid
     */
    public function authenticate($credentials);

    /**
     * Check if a $username exists.
     *
     * @param  string  $username
     * @param  bool  $throw_exception  Allows for a message to be sent to callers in case the user does not exist
     * @return bool
     */
    public function userExists($username, $throw_exception = false);

    /**
     * Get the userlevel of $username
     *
     * @param  string  $username  The username to check
     * @return int
     */
    public function getUserlevel($username);

    /**
     * Get the user_id of $username
     *
     * @param  string  $username
     * @return int
     */
    public function getUserid($username);

    /**
     * Get an array describing this $user_id.
     *
     * It should contain the fields:
     * user_id
     * username
     * realname
     * email
     * descr
     * level
     * can_modify_passwd
     *
     * @param  int  $user_id
     * @return array|false
     */
    public function getUser($user_id);

    /**
     * Add a new user.
     *
     * @param  string  $username
     * @param  string  $password
     * @param  int  $level
     * @param  string  $email
     * @param  string  $realname
     * @param  int  $can_modify_passwd  If this user is allowed to edit their password
     * @param  string  $description
     * @return int|false Returns the added user_id or false if adding failed
     */
    public function addUser($username, $password, $level = 0, $email = '', $realname = '', $can_modify_passwd = 0, $description = '');

    /**
     * Update the some of the fields of a user
     *
     * @param  int  $user_id  The user_id to update
     * @param  string  $realname
     * @param  int  $level
     * @param  int  $can_modify_passwd
     * @param  string  $email
     * @return bool If the update was successful
     */
    public function updateUser($user_id, $realname, $level, $can_modify_passwd, $email);

    /**
     * Delete a user.
     *
     * @param  int  $user_id
     * @return bool If the deletion was successful
     */
    public function deleteUser($user_id);

    /**
     * Get a list of all users in this Authorizer
     * !Warning! this could be very slow for some Authorizer types or configurations
     *
     * @return array
     */
    public function getUserlist();

    /**
     * Check if this Authorizer can add or remove users.
     * You must also check canUpdateUsers() to see if it can edit users.
     * You must check canUpdatePasswords() to see if it can set passwords.
     *
     * @return bool
     */
    public function canManageUsers();

    /**
     * Check if this Authorizer can modify users.
     *
     * @return bool
     */
    public function canUpdateUsers();

    /**
     * Check if this Authorizer can set new passwords.
     *
     * @param  string  $username  Optionally, check if $username can set their own password
     * @return bool
     */
    public function canUpdatePasswords($username = '');

    /**
     * Indicates if the authentication happens within the LibreNMS process, or external to it.
     * If the former, LibreNMS provides a login form, and the user must supply the username. If the latter, the authenticator supplies it via getExternalUsername() without user interaction.
     * This is an important distinction, because at the point this is called if the authentication happens out of process, the user is already authenticated and LibreNMS must not display a login form - even if something fails.
     *
     * @return bool
     */
    public function authIsExternal();

    /**
     * The username provided by an external authenticator.
     *
     * @return string|null
     */
    public function getExternalUsername();
}
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`<?php`

			`namespace LibreNMS\Interfaces\Authentication;`

			`use LibreNMS\Exceptions\AuthenticationException;`

			`interface Authorizer`
			`{`
			`/**`
			`* Authenticate the user and password.`
			`* Some Authorizer methods may only check username.`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param array $credentials`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return true throws an Exception on failure`
Apply fixes from StyleCI (#13224) 2021-09-10 20:09:53 +02:00			`*`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @throws AuthenticationException thrown if the username or password is invalid`
			`*/`
Prevent credentials from being leaked in backtrace in some instances (#9817) * Prevent credentials from being leak in backtrace in some instances Particularly before the user is authenticated * fix test 2019-03-05 00:24:14 -06:00			`public function authenticate($credentials);`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00
			`/**`
			`* Check if a $username exists.`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param string $username`
			`* @param bool $throw_exception Allows for a message to be sent to callers in case the user does not exist`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return bool`
			`*/`
			`public function userExists($username, $throw_exception = false);`

			`/**`
			`* Get the userlevel of $username`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param string $username The username to check`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return int`
			`*/`
			`public function getUserlevel($username);`

			`/**`
			`* Get the user_id of $username`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param string $username`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return int`
			`*/`
			`public function getUserid($username);`

			`/**`
			`* Get an array describing this $user_id.`
			`*`
			`* It should contain the fields:`
			`* user_id`
			`* username`
			`* realname`
			`* email`
			`* descr`
			`* level`
			`* can_modify_passwd`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param int $user_id`
Cleanup (#12695) * Use true/false to return booleans * Misc fixes 2021-04-01 17:35:18 +02:00			`* @return array\|false`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`*/`
			`public function getUser($user_id);`

			`/**`
			`* Add a new user.`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param string $username`
			`* @param string $password`
			`* @param int $level`
			`* @param string $email`
			`* @param string $realname`
			`* @param int $can_modify_passwd If this user is allowed to edit their password`
			`* @param string $description`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return int\|false Returns the added user_id or false if adding failed`
			`*/`
			`public function addUser($username, $password, $level = 0, $email = '', $realname = '', $can_modify_passwd = 0, $description = '');`

			`/**`
			`* Update the some of the fields of a user`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param int $user_id The user_id to update`
			`* @param string $realname`
			`* @param int $level`
			`* @param int $can_modify_passwd`
			`* @param string $email`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return bool If the update was successful`
			`*/`
			`public function updateUser($user_id, $realname, $level, $can_modify_passwd, $email);`

			`/**`
			`* Delete a user.`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param int $user_id`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return bool If the deletion was successful`
			`*/`
			`public function deleteUser($user_id);`

			`/**`
			`* Get a list of all users in this Authorizer`
			`* !Warning! this could be very slow for some Authorizer types or configurations`
			`*`
			`* @return array`
			`*/`
			`public function getUserlist();`

			`/**`
			`* Check if this Authorizer can add or remove users.`
			`* You must also check canUpdateUsers() to see if it can edit users.`
			`* You must check canUpdatePasswords() to see if it can set passwords.`
			`*`
			`* @return bool`
			`*/`
			`public function canManageUsers();`

			`/**`
			`* Check if this Authorizer can modify users.`
			`*`
			`* @return bool`
			`*/`
			`public function canUpdateUsers();`

			`/**`
			`* Check if this Authorizer can set new passwords.`
			`*`
Apply fixes from StyleCI (#13208) 2021-09-08 23:35:56 +02:00			`* @param string $username Optionally, check if $username can set their own password`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`* @return bool`
			`*/`
			`public function canUpdatePasswords($username = '');`

Single Sign-On Authentication Mechanism (#7601) * Allow the URL a user is sent to after logging out to be customised This is required for any authentication system that has a magic URL for logging out (e.g. /Shibboleth.sso/Logout). * Allow auth plugins to return a username This is a bit cleaner than the current auth flow, which special cases e.g. http authentication * Add some tests, defaults and documentation * Add single sign-on authentication mechanism * Make HTTPAuth use the authExternal/getExternalUsername methods * Add to acknowledgements * Add reset method to Auth 2017-11-29 02:40:17 +00:00			`/**`
			`* Indicates if the authentication happens within the LibreNMS process, or external to it.`
			`* If the former, LibreNMS provides a login form, and the user must supply the username. If the latter, the authenticator supplies it via getExternalUsername() without user interaction.`
			`* This is an important distinction, because at the point this is called if the authentication happens out of process, the user is already authenticated and LibreNMS must not display a login form - even if something fails.`
			`*`
			`* @return bool`
			`*/`
			`public function authIsExternal();`

			`/**`
			`* The username provided by an external authenticator.`
			`*`
			`* @return string\|null`
			`*/`
			`public function getExternalUsername();`
refactor: Refactored authorizers to classes (#7497) * Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style 2017-11-18 11:33:03 +01:00			`}`