Fix up ldap-authorizer, create non-existent users (#9192)
* First attempt at ldap-auth fixes * no, guest, so it is not allowed. * cast to int * don't count on Session * return full user * Specific error for guest not allowed. * fix up external auth user creation * fix check * Fix user level missing Simplify middleware * use guard if configured
This commit is contained in:
@@ -39,8 +39,11 @@
|
||||
|
||||
namespace LibreNMS\Authentication;
|
||||
|
||||
use App\Models\User;
|
||||
use Carbon\Carbon;
|
||||
use LibreNMS\Config;
|
||||
use LibreNMS\Exceptions\AuthenticationException;
|
||||
use Session;
|
||||
|
||||
class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
{
|
||||
@@ -49,10 +52,6 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
if (! isset($_SESSION['username'])) {
|
||||
$_SESSION['username'] = '';
|
||||
}
|
||||
|
||||
if (!function_exists('ldap_connect')) {
|
||||
throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
|
||||
}
|
||||
@@ -76,17 +75,14 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
public function authenticate($username, $password)
|
||||
{
|
||||
if (isset($_SERVER['REMOTE_USER'])) {
|
||||
$_SESSION['username'] = mres($_SERVER['REMOTE_USER']);
|
||||
|
||||
if ($this->userExists($_SESSION['username'])) {
|
||||
if ($this->userExists($username)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
$_SESSION['username'] = Config::get('http_auth_guest');
|
||||
$guest = Config::get('http_auth_guest');
|
||||
if ($guest && User::thisAuth()->where('username', $guest)->exists()) {
|
||||
return true;
|
||||
}
|
||||
|
||||
@@ -154,16 +150,26 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
$user_id = $this->authLdapSessionCacheGet('userid');
|
||||
if (isset($user_id)) {
|
||||
return $user_id;
|
||||
} else {
|
||||
$user_id = -1;
|
||||
}
|
||||
|
||||
$guest_username = Config::get('http_auth_guest');
|
||||
$user_id = User::thisAuth()->where('username', $guest_username)->value('auth_id') ?: -1;
|
||||
|
||||
$filter = '(' . Config::get('auth_ldap_prefix') . $username . ')';
|
||||
$search = ldap_search($this->ldap_connection, trim(Config::get('auth_ldap_suffix'), ','), $filter);
|
||||
$entries = ldap_get_entries($this->ldap_connection, $search);
|
||||
|
||||
if ($entries['count']) {
|
||||
$user_id = $entries[0]['uidnumber'][0];
|
||||
$user_id = (int)$entries[0]['uidnumber'][0];
|
||||
}
|
||||
|
||||
if ($user_id === -1) {
|
||||
// no user or guest user, don't allow
|
||||
if ($guest_username) {
|
||||
throw new AuthenticationException();
|
||||
} else {
|
||||
throw new AuthenticationException('Guest login allowed.');
|
||||
}
|
||||
}
|
||||
|
||||
$this->authLdapSessionCacheSet('userid', $user_id);
|
||||
@@ -212,9 +218,10 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
|
||||
public function getUser($user_id)
|
||||
{
|
||||
foreach ($this->getUserlist() as $users) {
|
||||
if ($users['user_id'] === $user_id) {
|
||||
return $users['username'];
|
||||
foreach ($this->getUserlist() as $user) {
|
||||
if ((int)$user['user_id'] === (int)$user_id) {
|
||||
$user['level'] = $this->getUserlevel($user['username']);
|
||||
return $user;
|
||||
}
|
||||
}
|
||||
return 0;
|
||||
@@ -240,17 +247,19 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
|
||||
protected function authLdapSessionCacheGet($attr)
|
||||
{
|
||||
$ttl = 300;
|
||||
if (Config::get('auth_ldap_cache_ttl')) {
|
||||
$ttl = Config::get('auth_ldap_cache_ttl');
|
||||
}
|
||||
$ttl = Config::get('auth_ldap_cache_ttl', 300);
|
||||
|
||||
// auth_ldap cache present in this session?
|
||||
if (! isset($_SESSION['auth_ldap'])) {
|
||||
// no session, don't cache
|
||||
if (!class_exists('Session')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$cache = $_SESSION['auth_ldap'];
|
||||
// auth_ldap cache present in this session?
|
||||
if (!Session::has('auth_ldap')) {
|
||||
return null;
|
||||
}
|
||||
|
||||
$cache = Session::get('auth_ldap');
|
||||
|
||||
// $attr present in cache?
|
||||
if (! isset($cache[$attr])) {
|
||||
@@ -268,8 +277,12 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
||||
|
||||
protected function authLdapSessionCacheSet($attr, $value)
|
||||
{
|
||||
$_SESSION['auth_ldap'][$attr]['value'] = $value;
|
||||
$_SESSION['auth_ldap'][$attr]['last_updated'] = time();
|
||||
if (class_exists('Session')) {
|
||||
Session::put($attr, [
|
||||
'value' => $value,
|
||||
'last_updated' => Carbon::now(),
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
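Review bot: authLdapSessionCacheSet now writes `Session::put($attr, [...])` at the top level of the session, but authLdapSessionCacheGet reads `Session::get('auth_ldap')` and then looks for `$cache[$attr]`, so the userid stored at the end of getUserid is never found and every request goes back to LDAP; writing under the same key, `Session::put("auth_ldap.$attr", [...])`, lines the two sides up (the session store resolves dot-notation keys), and since the TTL comparison below the Get hunk is out of view, confirm it handles `last_updated` now being a Carbon instance instead of the old `time()` integer. In getUserid the two new error messages read as inverted: the branch with no `$guest_username` configured throws 'Guest login allowed.' while the configured-guest branch throws with no message, whereas the description says the intent is a specific error when guest is not allowed, so `throw new AuthenticationException('Guest login not allowed.');` belongs on the else branch. Separately, `(int)$entries[0]['uidnumber'][0]` turns an entry with no uidnumber attribute into 0, which passes the `=== -1` check and is then cached as a real user id; guarding with `isset($entries[0]['uidnumber'][0])` before the cast fails closed instead. The unescaped `$username` in `$filter` is pre-existing, but worth an `ldap_escape($username, '', LDAP_ESCAPE_FILTER)` while this function is being touched.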
@@ -19,24 +19,16 @@ class LegacyExternalAuth
|
||||
* @param \Closure $next
|
||||
* @return mixed
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
public function handle($request, Closure $next, $guard = null)
|
||||
{
|
||||
if (!Auth::check() && LegacyAuth::get()->authIsExternal()) {
|
||||
try {
|
||||
$username = LegacyAuth::get()->getExternalUsername();
|
||||
$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
|
||||
if (!Auth::guard($guard)->check() && LegacyAuth::get()->authIsExternal()) {
|
||||
$credentials = [
|
||||
'username' => LegacyAuth::get()->getExternalUsername(),
|
||||
'password' => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''
|
||||
];
|
||||
|
||||
if (LegacyAuth::get()->authenticate($username, $password)) {
|
||||
$user_id = User::thisAuth()->where('username', $username)->value('user_id');
|
||||
Auth::loginUsingId($user_id);
|
||||
}
|
||||
} catch (AuthenticationException $e) {
|
||||
$message = $e->getMessage();
|
||||
Log::critical('HTTP Auth Error: ' . $message);
|
||||
|
||||
if (!Config::get('auth.debug', false)) {
|
||||
$message = '';
|
||||
}
|
||||
if (!Auth::guard($guard)->attempt($credentials)) {
|
||||
$message = ''; // no debug info for now...
|
||||
|
||||
// force user to failure page
|
||||
return response(view('auth.external-auth-failed')->with('message', $message));
|
||||
|
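Review bot: The rewritten handle() drops the try/catch around authentication, so an AuthenticationException thrown by the external authorizer (the LDAP authorizer in this same commit throws from getUserid) is no longer converted into the external-auth-failed response here; unless the guard's user provider catches it, the request now ends in an unhandled exception instead of the failure page. The `Log::critical('HTTP Auth Error: ...')` line went with it, so a failed header-based login is no longer recorded anywhere visible in this hunk, and the unconditional `$message = ''` removes the `auth.debug` path operators used to see why. Restoring a catch that logs and falls through to the failure page, with the message gated on `Config::get('auth.debug', false)` as before, keeps the audit trail; this assumes the `use` lines for Log, Config and AuthenticationException were not removed elsewhere in the commit. handle() continues past the end of the hunk.
```php
if (!Auth::guard($guard)->check() && LegacyAuth::get()->authIsExternal()) {
    // … unchanged: $credentials array …

    try {
        $authenticated = Auth::guard($guard)->attempt($credentials);
        $message = '';
    } catch (AuthenticationException $e) {
        $authenticated = false;
        Log::critical('HTTP Auth Error: ' . $e->getMessage());
        $message = Config::get('auth.debug', false) ? $e->getMessage() : '';
    }

    if (!$authenticated) {
        // force user to failure page
        return response(view('auth.external-auth-failed')->with('message', $message));
```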
@@ -34,7 +34,7 @@ class AuthEventListener
|
||||
public function login(Login $event)
|
||||
{
|
||||
/** @var User $user */
|
||||
$user = $event->user;
|
||||
$user = $event->user ?: (object)['username' => 'Not found'];
|
||||
|
||||
DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged In']);
|
||||
|
||||
@@ -52,7 +52,10 @@ class AuthEventListener
|
||||
*/
|
||||
public function logout(Logout $event)
|
||||
{
|
||||
DB::table('authlog')->insert(['user' => $event->user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
|
||||
/** @var User $user */
|
||||
$user = $event->user ?: (object)['username' => 'Not found'];
|
||||
|
||||
DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
|
||||
|
||||
@session_start();
|
||||
unset($_SESSION['authenticated']);
|
||||
|
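Review bot: The `(object)['username' => 'Not found']` fallback added to login() and logout() writes the literal string 'Not found' into authlog's user column, where it cannot be told apart from a real account with that name and is invisible to anyone searching the audit table by the actual username. Recording an empty user and emitting a separate warning when `$event->user` is null keeps the row honest, e.g. `$user = $event->user;` followed by `'user' => $user->username ?? ''` in the insert. Whether the framework can actually fire Login or Logout with a null user is not visible here; if it cannot, the fallback is dead code and can be dropped.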