From 5c6c8844e8270f2f565577444c8ed6497c4fac56 Mon Sep 17 00:00:00 2001 From: Tony Murray Date: Fri, 5 Jun 2020 11:50:58 -0500 Subject: [PATCH] Auth middleware refinement (#11767) * auth middleware group * dummy page for legacy php scripts instead of recursively calling init.php * Test and fix routing scenarios * fix api auth * disable unused auth routes --- LibreNMS/Util/Laravel.php | 31 ++++++++++++++++++++--- app/Http/Controllers/LegacyController.php | 5 ++++ app/Http/Kernel.php | 10 +++++--- includes/init.php | 4 +-- routes/web.php | 15 ++++++----- 5 files changed, 51 insertions(+), 14 deletions(-)
diff --git a/LibreNMS/Util/Laravel.php b/LibreNMS/Util/Laravel.php
index 9a5055e1b4..c83b4f0dd5 100644
--- a/LibreNMS/Util/Laravel.php
+++ b/LibreNMS/Util/Laravel.php
@@ -29,6 +29,7 @@ use App;
 use Illuminate\Database\Events\QueryExecuted;
 use LibreNMS\DB\Eloquent;
 use Log;
+use Symfony\Component\HttpFoundation\HeaderBag;
 class Laravel
 {
@@ -46,7 +47,12 @@ class Laravel
 $kernel->bootstrap();
 }
- public static function bootWeb()
+ /**
+ * Boot Laravel in a non-Laravel web script
+ *
+ * @param bool $authenticate Use session+db to authenticate user (does not authorize)
+ */
+ public static function bootWeb($authenticate = false)
 {
 // this is not a substitute for the normal Laravel boot, just a way to make auth work for external php
 if (self::isBooted()) {
@@ -59,8 +65,9 @@ class Laravel
 $kernel = $app->make(\Illuminate\Contracts\Http\Kernel::class);
 $request = \Illuminate\Http\Request::capture();
- // strip .php to make the url helper in non-laravel pages
- $request->server->set('REQUEST_URI', str_replace('.php', '', $_SERVER['REQUEST_URI']));
+
+ self::rewriteDummyHeaders($request, $authenticate);
+
 $response = $kernel->handle($request);
 // $response->send(); // don't send response, legacy code will 
@@ -118,4 +125,22 @@ class Laravel
 Log::setDefaultDriver('logfile');
 }
 }
+
+ /**
+ * Add prefix and strip .php to make the url helper work in non-laravel php scripts
+ *
+ * @param $request
+ * @param $auth
+ */
+ private static function rewriteDummyHeaders($request, $auth)
+ {
+ // set dummy path allows url helper to work and prevents full init again
+ $new_uri = ($auth ? '/dummy_legacy_auth' : '/dummy_legacy_unauth');
+ $request->server->set('REQUEST_URI', $new_uri);
+
+ // set json type to prevent redirects in the dummy page
+ $request->server->set('HTTP_ACCEPT', 'dummy/json');
+
+ $request->headers = new HeaderBag($request->server->getHeaders());
+ }
 }
diff --git a/app/Http/Controllers/LegacyController.php b/app/Http/Controllers/LegacyController.php
index 61c5907977..d45590a4b3 100644
--- a/app/Http/Controllers/LegacyController.php
+++ b/app/Http/Controllers/LegacyController.php
@@ -80,4 +80,9 @@ class LegacyController extends Controller
 'refresh' => $no_refresh ? 0 : Config::get('page_refresh'),
 ]);
 }
+
+ public function dummy()
+ {
+ return 'Dummy page';
+ }
 }
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 461beeb77b..7536964f78 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
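Review bot: The result of running the middleware stack against `/dummy_legacy_auth` never reaches the legacy script: `rewriteDummyHeaders` sets `HTTP_ACCEPT` to `dummy/json` so that an unauthenticated request produces a JSON error response instead of a login redirect, but nothing in the visible `bootWeb` hunk inspects `$response` (the `$response->send()` line stays commented out), so a legacy script that does not call `Auth::check()` itself proceeds exactly as if authentication had succeeded. Consider having `bootWeb` surface the outcome, e.g. `return $response->isSuccessful();` after `$kernel->handle($request)`, and stating in its docblock that callers must still check `Auth::check()`/`Auth::user()` to fail closed. The magic string deserves a why-comment too, since presumably it only works because `Request::wantsJson()` matches any Accept value containing `/json`: `// any '*/json' value makes Request::wantsJson() true, so auth failures become a 401 instead of a redirect`. Lastly the docblock still says the method strips `.php`, while the body now replaces `REQUEST_URI` wholesale, and `@param $request` / `@param $auth` should carry types (`\Illuminate\Http\Request`, `bool`). `rewriteDummyHeaders` is complete in the hunk; `bootWeb` continues outside it.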
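Review bot: `dummy()` has no docblock, so a reader will not understand why a controller serves the literal string `Dummy page` or why two routes point at it. A comment along the lines of `/** Target of the in-process request that Laravel::bootWeb() rewrites; only the middleware run matters and the body is presumably discarded. Also reachable over HTTP, so keep it side-effect free. */` would capture the intent. The method is complete in the hunk.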
@@ -34,13 +34,18 @@ class Kernel extends HttpKernel
 \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
 \Illuminate\Session\Middleware\StartSession::class,
 // \Illuminate\Session\Middleware\AuthenticateSession::class,
- \App\Http\Middleware\LoadUserPreferences::class,
 \Illuminate\View\Middleware\ShareErrorsFromSession::class,
 \App\Http\Middleware\VerifyCsrfToken::class,
- \App\Http\Middleware\LegacyExternalAuth::class,
 \Illuminate\Routing\Middleware\SubstituteBindings::class,
 ],
+ 'auth.web' => [
+ \App\Http\Middleware\LegacyExternalAuth::class,
+ 'auth',
+ \App\Http\Middleware\VerifyTwoFactor::class,
+ \App\Http\Middleware\LoadUserPreferences::class,
+ ],
+
 'minimal' => [
 \App\Http\Middleware\EncryptCookies::class,
 \Illuminate\Session\Middleware\StartSession::class,
@@ -62,7 +67,6 @@ class Kernel extends HttpKernel
 */
 protected $routeMiddleware = [
 'auth' => \App\Http\Middleware\Authenticate::class,
- '2fa' => \App\Http\Middleware\VerifyTwoFactor::class,
 'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
 'bindings' => \Illuminate\Routing\Middleware\SubstituteBindings::class,
 'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
diff --git a/includes/init.php b/includes/init.php
index 68dca3fa5d..aea74192ed 100644
--- a/includes/init.php
+++ b/includes/init.php
@@ -86,8 +86,8 @@ if (module_selected('alerts', $init_modules)) {
 }
 // Boot Laravel
-if (module_selected('auth', $init_modules)) {
- \LibreNMS\Util\Laravel::bootWeb();
+if (module_selected('web', $init_modules)) {
+ \LibreNMS\Util\Laravel::bootWeb(module_selected('auth', $init_modules));
 } else {
 \LibreNMS\Util\Laravel::bootCli();
 }
diff --git a/routes/web.php b/routes/web.php
index 60cf027d5a..874643554a 100644
--- a/routes/web.php
+++ b/routes/web.php
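Review bot: The order of the four `auth.web` entries is load-bearing but undocumented: `LegacyExternalAuth` is listed before `auth` (presumably so an externally authenticated user is logged in before `Authenticate` consults the guard) and `VerifyTwoFactor` after it, so a casual reorder would either break external login or run the 2FA check on anonymous requests. A comment above the group such as `// order matters: external auth must log the user in before 'auth'; 2FA and preferences only make sense afterwards` would protect that. It is also worth noting in a comment that, since `LegacyExternalAuth` left the `web` group, any route not wrapped in `auth.web` (the `Auth::routes()` endpoints, `/dummy_legacy_unauth`) no longer sees external authentication at all; if that is intended, say so where the group is defined.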
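Review bot: Removing the `2fa` alias turns any remaining `->middleware('2fa')` reference into a failure at route resolution, because Laravel will then try to treat `2fa` as a class name; the routes hunk in this commit replaces the one use visible in `routes/web.php`, but other route files and third-party routes are not in this diff. Either grep for `'2fa'` before merging or keep `'2fa' => \App\Http\Middleware\VerifyTwoFactor::class, // deprecated: use the auth.web group` until all callers are confirmed gone.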
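Review bot: The boot decision now keys on the `web` module instead of `auth`, so a script whose `$init_modules` lists `auth` without `web` silently falls into `bootCli()` and is never authenticated, whereas before this change it got `bootWeb()`. If no such caller exists, a comment stating that `auth` is only meaningful together with `web` would document the new contract; otherwise `if (module_selected('web', $init_modules) || module_selected('auth', $init_modules)) {` keeps the old callers working while still passing the auth flag through.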
@@ -12,10 +12,10 @@
 */
 // Auth
-Auth::routes();
+Auth::routes(['register' => false, 'reset' => false, 'verify' => false]);
 // WebUI
-Route::group(['middleware' => ['auth', '2fa'], 'guard' => 'auth'], function () {
+Route::group(['middleware' => ['auth.web'], 'guard' => 'auth'], function () {
 // pages
 Route::resource('device-groups', 'DeviceGroupController');
@@ -141,8 +141,11 @@ Route::group(['middleware' => ['auth', '2fa'], 'guard' => 'auth'], function () {
 // demo helper
 Route::permanentRedirect('demo', '/');
-
- // Legacy routes
- Route::any('/{path?}', 'LegacyController@index')
- ->where('path', '^((?!_debugbar).)*');
 });
+
+ // Legacy routes
+ Route::any('/dummy_legacy_auth/{path?}', 'LegacyController@dummy')->middleware('auth.web');
+ Route::any('/dummy_legacy_unauth/{path?}', 'LegacyController@dummy');
+ Route::any('/{path?}', 'LegacyController@index')
+ ->where('path', '^((?!_debugbar).)*')
+ ->middleware('auth.web');
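Review bot: `Auth::routes([...])` disables registration, password reset and e-mail verification, but it still registers every other endpoint the installed framework/`laravel/ui` version enables by default; on versions that support it, `'confirm' => false` should be added as well unless the password-confirmation routes are deliberately exposed, and a short comment should say which endpoints are intentionally kept (login/logout). The `'guard' => 'auth'` key on the `Route::group` line is, as far as I can tell, not an attribute Laravel's router acts on and so does nothing; it predates this commit, but since the line is being rewritten anyway it is a good moment to drop it or explain it.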
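Review bot: `/dummy_legacy_auth/{path?}` and `/dummy_legacy_unauth/{path?}` are registered as ordinary public routes although, from the `Laravel.php` hunk, their only purpose is to be the in-process target of `bootWeb()`; nothing here records that they must stay ahead of the `/{path?}` catch-all (which would otherwise swallow them and put `auth.web` in front of the unauthenticated variant), nor why `Route::any` is used. A comment block above them along the lines of `// Internal targets for Laravel::bootWeb(): only the middleware run matters. Route::any because the rewritten request keeps the script's real HTTP method; keep these above the catch-all below.` would prevent both from being "tidied" later. The `{path?}` segment appears unused by the rewritten URI in this diff; if that holds, dropping it narrows the public surface.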