From 588b115d66e291b46935893571eef1dd199e681d Mon Sep 17 00:00:00 2001 From: Tony Murray Date: Wed, 12 Sep 2018 12:51:24 -0500 Subject: [PATCH] Fix up ldap-authorizer, create non-existent users (#9192) * First attempt at ldap-auth fixes * no, guest, so it is not allowed. * cast to int * don't count on Session * return full user * Specific error for guest not allowed. * fix up external auth user creation * fix check * Fix user level missing Simplify middleware * use guard if configured
--- .../LdapAuthorizationAuthorizer.php | 67 +++++++++++-------- app/Http/Middleware/LegacyExternalAuth.php | 24 +++---- app/Listeners/AuthEventListener.php | 7 +- 3 files changed, 53 insertions(+), 45 deletions(-)
diff --git a/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php
index ce9f708790..4aa2252f72 100644
--- a/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php
@@ -39,8 +39,11 @@ namespace LibreNMS\Authentication;
+use App\Models\User;
+use Carbon\Carbon;
 use LibreNMS\Config;
 use LibreNMS\Exceptions\AuthenticationException;
+use Session;
 class LdapAuthorizationAuthorizer extends AuthorizerBase {
@@ -49,10 +52,6 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase public function __construct() {
- if (! isset($_SESSION['username'])) {
- $_SESSION['username'] = '';
- } - if (!function_exists('ldap_connect')) {
 throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
 }
@@ -76,17 +75,14 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase } } - public function authenticate($username, $password) {
- if (isset($_SERVER['REMOTE_USER'])) {
- $_SESSION['username'] = mres($_SERVER['REMOTE_USER']);
+ if ($this->userExists($username)) {
+ return true;
+ }
- if ($this->userExists($_SESSION['username'])) {
- return true;
- }
-
- $_SESSION['username'] = Config::get('http_auth_guest');
+ $guest = Config::get('http_auth_guest');
+ if ($guest && User::thisAuth()->where('username', $guest)->exists()) {
 return true;
 }
@@ -154,16 +150,26 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase $user_id = $this->authLdapSessionCacheGet('userid');
 if (isset($user_id)) {
 return $user_id;
- } else {
- $user_id = -1;
 }
+ $guest_username = Config::get('http_auth_guest');
+ $user_id = User::thisAuth()->where('username', $guest_username)->value('auth_id') ?: -1; + $filter = '(' . Config::get('auth_ldap_prefix') . $username . ')';
 $search = ldap_search($this->ldap_connection, trim(Config::get('auth_ldap_suffix'), ','), $filter);
 $entries = ldap_get_entries($this->ldap_connection, $search);
 if ($entries['count']) {
- $user_id = $entries[0]['uidnumber'][0];
+ $user_id = (int)$entries[0]['uidnumber'][0];
+ }
+
+ if ($user_id === -1) {
+ // no user or guest user, don't allow
+ if ($guest_username) {
+ throw new AuthenticationException();
+ } else {
+ throw new AuthenticationException('Guest login allowed.');
+ }
 }
 $this->authLdapSessionCacheSet('userid', $user_id);
@@ -212,9 +218,10 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase public function getUser($user_id) {
- foreach ($this->getUserlist() as $users) {
- if ($users['user_id'] === $user_id) {
- return $users['username'];
+ foreach ($this->getUserlist() as $user) {
+ if ((int)$user['user_id'] === (int)$user_id) {
+ $user['level'] = $this->getUserlevel($user['username']);
+ return $user;
 }
 }
 return 0;
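Review bot: authenticate() now answers true for any $username that userExists() confirms without consulting $password or whether the web server actually authenticated the request; the removed `isset($_SERVER['REMOTE_USER'])` test was the only thing tying the accepted name to an external login. That is the intended contract of an authorization-only backend, but the method does not say so, and the middleware hunk below now feeds these credentials through `Auth::guard($guard)->attempt()`, so if the same guard is ever reachable from a password form with this backend configured, a bare username would be accepted. Add a docblock above the method, e.g. `/** Password is intentionally ignored: the web server is trusted to have authenticated $username (REMOTE_USER); this backend must only be driven by LegacyExternalAuth. */`, and consider keeping a `$_SERVER['REMOTE_USER']` presence check as defence in depth. Note also that the guest branch returns true for any username once a guest account exists, so the identity actually logged in is decided later in getUserid(). The rest of authenticate() is outside this hunk.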
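Review bot: The message in the `else` branch of the new `$user_id === -1` block is inverted: that branch runs when `$guest_username` is empty, i.e. guest login is not configured, yet it throws `'Guest login allowed.'`; change it to `throw new AuthenticationException('Guest login not allowed.');` so the text matches the commit's stated intent. The guest id is taken with `->value('auth_id') ?: -1` without the `(int)` cast applied to the LDAP `uidnumber`, so depending on the DB driver the cached value may be a string for guest logins; casting it too keeps `$user_id === -1` and the later `(int)` comparisons in getUser() consistent. `$username` is still concatenated raw into the LDAP filter on the unchanged `$filter` line, and it now arrives via the guard's credentials rather than REMOTE_USER, so wrapping it with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` would close the filter-injection gap. The remainder of getUserid() is outside this hunk.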
@@ -240,17 +247,19 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase protected function authLdapSessionCacheGet($attr) {
- $ttl = 300;
- if (Config::get('auth_ldap_cache_ttl')) {
- $ttl = Config::get('auth_ldap_cache_ttl');
- }
+ $ttl = Config::get('auth_ldap_cache_ttl', 300);
- // auth_ldap cache present in this session?
- if (! isset($_SESSION['auth_ldap'])) {
+ // no session, don't cache
+ if (!class_exists('Session')) {
 return null;
 }
- $cache = $_SESSION['auth_ldap'];
+ // auth_ldap cache present in this session?
+ if (!Session::has('auth_ldap')) {
+ return null;
+ }
+
+ $cache = Session::get('auth_ldap');
 // $attr present in cache?
 if (! isset($cache[$attr])) {
@@ -268,8 +277,12 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase protected function authLdapSessionCacheSet($attr, $value) {
- $_SESSION['auth_ldap'][$attr]['value'] = $value;
- $_SESSION['auth_ldap'][$attr]['last_updated'] = time();
+ if (class_exists('Session')) {
+ Session::put($attr, [
+ 'value' => $value,
+ 'last_updated' => Carbon::now(),
+ ]);
+ }
 }
diff --git a/app/Http/Middleware/LegacyExternalAuth.php b/app/Http/Middleware/LegacyExternalAuth.php
index 36c3ce3a10..4752103eda 100644
--- a/app/Http/Middleware/LegacyExternalAuth.php
+++ b/app/Http/Middleware/LegacyExternalAuth.php
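Review bot: authLdapSessionCacheGet() reads `Session::get('auth_ldap')` and then indexes `$cache[$attr]`, but the setter in the next hunk writes `Session::put($attr, [...])` at the top level of the session, so nothing is ever stored under `auth_ldap` and every lookup misses (the old code wrote `$_SESSION['auth_ldap'][$attr]`). Change the setter to `Session::put('auth_ldap.' . $attr, [...])` (dot notation nests the key) or read back with `Session::get($attr)` here, and keep the two in step. `Config::get('auth_ldap_cache_ttl', 300)` also behaves differently from the removed code for a configured value of 0 or '': previously that fell back to 300, now it is used as-is, which deserves a comment either way. The TTL comparison that consumes $ttl and $cache is outside this hunk.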
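Review bot: `'last_updated' => Carbon::now()` replaces the integer `time()` the getter's TTL check was written against; that comparison is outside this hunk, and unless it was also updated to compare Carbon instances, an expression like `time() - $cache[$attr]['last_updated']` now operates on an object (a TypeError on PHP 8, a notice and a meaningless value before). Store `'last_updated' => time()` or `Carbon::now()->getTimestamp()` here, or change the getter to compare with Carbon, but keep both halves in the same unit. A comment on the setter stating which unit `last_updated` carries would stop the next edit from reintroducing the mismatch.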
@@ -19,24 +19,16 @@ class LegacyExternalAuth * @param \Closure $next * @return mixed */
- public function handle($request, Closure $next)
+ public function handle($request, Closure $next, $guard = null) {
- if (!Auth::check() && LegacyAuth::get()->authIsExternal()) {
- try {
- $username = LegacyAuth::get()->getExternalUsername();
- $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
+ if (!Auth::guard($guard)->check() && LegacyAuth::get()->authIsExternal()) {
+ $credentials = [
+ 'username' => LegacyAuth::get()->getExternalUsername(),
+ 'password' => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''
+ ];
- if (LegacyAuth::get()->authenticate($username, $password)) {
- $user_id = User::thisAuth()->where('username', $username)->value('user_id');
- Auth::loginUsingId($user_id);
- }
- } catch (AuthenticationException $e) {
- $message = $e->getMessage();
- Log::critical('HTTP Auth Error: ' . $message);
-
- if (!Config::get('auth.debug', false)) {
- $message = '';
- }
+ if (!Auth::guard($guard)->attempt($credentials)) {
+ $message = ''; // no debug info for now...
 // force user to failure page
 return response(view('auth.external-auth-failed')->with('message', $message));
diff --git a/app/Listeners/AuthEventListener.php b/app/Listeners/AuthEventListener.php
index dec7d2690e..83a51fea96 100644
--- a/app/Listeners/AuthEventListener.php
+++ b/app/Listeners/AuthEventListener.php
@@ -34,7 +34,7 @@ class AuthEventListener public function login(Login $event) {
 /** @var User $user */
- $user = $event->user;
+ $user = $event->user ?: (object)['username' => 'Not found'];
 DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged In']);
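Review bot: The new failure branch records nothing when external authentication fails: the removed `catch (AuthenticationException $e)` was the only place `Log::critical('HTTP Auth Error: ...')` was written, and `Auth::guard($guard)->attempt($credentials)` returning false is now silent, so a misconfigured LDAP backend or a request under an unknown REMOTE_USER leaves no trace for operators. getUserid() in this same patch now throws `AuthenticationException` for unknown users; if the user provider lets that propagate out of attempt(), the request ends in an unhandled exception rather than the failure page. Wrap the attempt, log the outcome with the username only (never the password), and keep the failure page; `Log` and `AuthenticationException` were imported for the removed code, but the use block is outside this hunk, as is handle()'s tail (`return $next($request)`).
```php
        if (!Auth::guard($guard)->check() && LegacyAuth::get()->authIsExternal()) {
            // … unchanged: $credentials array …

            try {
                $authenticated = Auth::guard($guard)->attempt($credentials);
            } catch (AuthenticationException $e) {
                Log::critical('HTTP Auth Error: ' . $e->getMessage());
                $authenticated = false;
            }

            if (!$authenticated) {
                Log::warning('HTTP Auth Error: external login rejected for ' . $credentials['username']);
                $message = ''; // no debug info for now...

                // … unchanged: failure response …
```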
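Review bot: The `/** @var User $user */` annotation on login() is now wrong for the fallback path, since `(object)['username' => 'Not found']` is a stdClass rather than a User; the same pattern is added to logout() in the next hunk. If the event can really carry a null user, widen the annotation to `/** @var User|\stdClass $user */` on both methods, and consider that the literal `'Not found'` is written into the authlog `user` column where it is indistinguishable from an account of that name; a comment such as `// sentinel written to authlog when the event carries no user` would at least make the convention explicit. Laravel's Login and Logout events normally carry an Authenticatable, so whether the fallback is reachable is worth confirming before keeping it.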
@@ -52,7 +52,10 @@ class AuthEventListener */
 public function logout(Logout $event) {
- DB::table('authlog')->insert(['user' => $event->user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
+ /** @var User $user */
+ $user = $event->user ?: (object)['username' => 'Not found'];
+
+ DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
 @session_start();
 unset($_SESSION['authenticated']);