refactor: Refactored authorizers to classes (#7497)
* Refactored authorizers to classes * Merge changes for #7335 * ! fix php 5.3 incompatibility * Update ADAuthorizationAuthorizer.php * Fix get_user -> getUser * Rename AuthorizerFactory to Auth, fix interface missing functions * Add phpdocs to all interface methods and normalize the names a bit. * Re-work auth_test.php AD bind tests to work properly with the new class. Reflection is not the nicest tool, but I think it is appropriate here. Handle exceptions more nicely in auth_test.php * Restore AD getUseList fix Not sure how it got removed * fix auth_test.php style
@@ -1,6 +1,7 @@
|
||||
#!/usr/bin/php
|
||||
<?php
|
||||
|
||||
use LibreNMS\Authentication\Auth;
|
||||
use Phpass\PasswordHash;
|
||||
|
||||
$options = getopt('u:rdvh');
|
||||
@@ -42,85 +43,108 @@ if ($config['auth_mechanism'] = 'ldap' || $config['auth_mechanism'] = "active_di
|
||||
}
|
||||
}
|
||||
}
|
||||
try {
|
||||
$authorizer = Auth::get();
|
||||
|
||||
if (function_exists('ad_bind')) {
|
||||
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
|
||||
if (!ad_bind($ldap_connection, false)) {
|
||||
$ldap_error = ldap_error($ldap_connection);
|
||||
echo $ldap_error . PHP_EOL;
|
||||
if ($ldap_error == 'Invalid credentials') {
|
||||
print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
|
||||
'. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
|
||||
// AD bind tests
|
||||
if ($authorizer instanceof \LibreNMS\Authentication\ActiveDirectoryAuthorizer) {
|
||||
// peek inside the class
|
||||
$lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
|
||||
$lc_rp->setAccessible(true);
|
||||
$adbind_rm = new ReflectionMethod($authorizer, 'adBind');
|
||||
$adbind_rm->setAccessible(true);
|
||||
|
||||
$bind_success = false;
|
||||
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
|
||||
$bind_success = $adbind_rm->invoke($authorizer, false, true);
|
||||
if (!$bind_success) {
|
||||
$ldap_error = ldap_error($lc_rp->getValue($authorizer));
|
||||
echo $ldap_error . PHP_EOL;
|
||||
if ($ldap_error == 'Invalid credentials') {
|
||||
print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
|
||||
'. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
|
||||
}
|
||||
} else {
|
||||
print_message('AD bind success');
|
||||
}
|
||||
} else {
|
||||
print_message('AD bind success');
|
||||
$bind_success = $adbind_rm->invoke($authorizer, true, true);
|
||||
if (!$bind_success) {
|
||||
echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL;
|
||||
print_message("Could not anonymous bind to AD");
|
||||
} else {
|
||||
print_message('AD bind anonymous successful');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (!ad_bind($ldap_connection)) {
|
||||
echo ldap_error($ldap_connection) . PHP_EOL;
|
||||
print_message("Could not anonymous bind to AD");
|
||||
|
||||
if (!$bind_success) {
|
||||
print_error("Could not bind to AD, you will not be able to use the API or alert AD users");
|
||||
}
|
||||
}
|
||||
|
||||
$auth = false;
|
||||
if (isset($options['r'])) {
|
||||
echo "Reauthenticate Test\n";
|
||||
|
||||
$session = dbFetchRow(
|
||||
'SELECT * FROM `session` WHERE `session_username`=? ORDER BY `session_id` DESC LIMIT 1',
|
||||
array($test_username)
|
||||
);
|
||||
d_echo($session);
|
||||
if (empty($session)) {
|
||||
print_error('Requires previous login with \'Remember me\' box checked on the webui');
|
||||
exit;
|
||||
}
|
||||
|
||||
$hasher = new PasswordHash(8, false);
|
||||
$token = $session['session_username'] . '|' . $hasher->HashPassword($session['session_username'] . $session['session_token']);
|
||||
|
||||
$auth = $authorizer->reauthenticate($session['session_value'], $token);
|
||||
if ($auth) {
|
||||
print_message("Reauthentication successful.\n");
|
||||
} else {
|
||||
print_message('AD bind anonymous successful');
|
||||
print_error('Reauthentication failed or is unsupported');
|
||||
}
|
||||
} else {
|
||||
echo 'Password: ';
|
||||
`stty -echo`;
|
||||
$test_password = trim(fgets(STDIN));
|
||||
`stty echo`;
|
||||
echo PHP_EOL;
|
||||
|
||||
echo "Authenticate user $test_username: \n";
|
||||
$auth = $authorizer->authenticate($test_username, $test_password);
|
||||
unset($test_password);
|
||||
|
||||
if ($auth) {
|
||||
print_message("AUTH SUCCESS\n");
|
||||
} else {
|
||||
if (isset($ldap_connection)) {
|
||||
echo ldap_error($ldap_connection) . PHP_EOL;
|
||||
}
|
||||
print_error('AUTH FAILURE');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$auth = false;
|
||||
if (isset($options['r'])) {
|
||||
echo "Reauthenticate Test\n";
|
||||
|
||||
$session = dbFetchRow('SELECT * FROM `session` WHERE `session_username`=? ORDER BY `session_id` DESC LIMIT 1', array($test_username));
|
||||
d_echo($session);
|
||||
if (empty($session)) {
|
||||
print_error('Requires previous login with \'Remember me\' box checked on the webui');
|
||||
exit;
|
||||
}
|
||||
|
||||
$hasher = new PasswordHash(8, false);
|
||||
$token = $session['session_username'] . '|' . $hasher->HashPassword($session['session_username'] . $session['session_token']);
|
||||
|
||||
$auth = reauthenticate($session['session_value'], $token);
|
||||
if ($auth) {
|
||||
print_message("Reauthentication successful.\n");
|
||||
} else {
|
||||
print_error('Reauthentication failed or is unsupported');
|
||||
}
|
||||
} else {
|
||||
echo 'Password: ';
|
||||
`stty -echo`;
|
||||
$test_password = trim(fgets(STDIN));
|
||||
`stty echo`;
|
||||
echo PHP_EOL;
|
||||
|
||||
echo "Authenticate user $test_username: \n";
|
||||
$auth = authenticate($test_username, $test_password);
|
||||
unset($test_password);
|
||||
|
||||
if ($auth) {
|
||||
print_message("AUTH SUCCESS\n");
|
||||
} else {
|
||||
if (isset($ldap_connection)) {
|
||||
echo ldap_error($ldap_connection) . PHP_EOL;
|
||||
$user_id = $authorizer->getUserid($test_username);
|
||||
|
||||
echo "User ($user_id):\n";
|
||||
if (method_exists($authorizer, 'getUser')) {
|
||||
$user = $authorizer->getUser($user_id);
|
||||
|
||||
unset($user['password']);
|
||||
unset($user['remember_token']);
|
||||
foreach ($user as $property => $value) {
|
||||
echo " $property => $value\n";
|
||||
}
|
||||
}
|
||||
print_error('AUTH FAILURE');
|
||||
}
|
||||
}
|
||||
|
||||
if ($auth) {
|
||||
$user_id = get_userid($test_username);
|
||||
|
||||
echo "User ($user_id):\n";
|
||||
if (function_exists('get_user')) {
|
||||
$user = get_user($user_id);
|
||||
|
||||
unset($user['password']);
|
||||
unset($user['remember_token']);
|
||||
foreach ($user as $property => $value) {
|
||||
echo " $property => $value\n";
|
||||
if (method_exists($authorizer, 'getGroupList')) {
|
||||
echo 'Groups: ' . implode('; ', $authorizer->getGroupList()) . PHP_EOL;
|
||||
}
|
||||
}
|
||||
|
||||
if (function_exists('get_group_list')) {
|
||||
echo 'Groups: ' . implode('; ', get_group_list()) . PHP_EOL;
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
echo "Error: " . get_class($e) . " thrown!\n";
|
||||
echo $e->getMessage() . PHP_EOL;
|
||||
}
|
||||
|
||||
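Review bot: The AUTH FAILURE branch on the new side still tests `isset($ldap_connection)` before printing `ldap_error(...)`, but after this refactor the connection is a private property of the authorizer that the script only reaches through the `$lc_rp` ReflectionProperty created in the ActiveDirectory branch, so unless something outside the hunk still sets a global `$ldap_connection` that branch is dead and the LDAP error text is silently lost on a failed login. Consider using the reflected handle where it exists, e.g. `if (isset($lc_rp)) { echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL; }`, or expose the error via a method on the authorizer instead of peeking at the property. Note also that the same reflection setup is only performed for the AD authorizer, so a plain LDAP authorizer still gets no diagnostic here; a short comment such as `// $lc_rp is only set for ActiveDirectoryAuthorizer; LDAP failures print no ldap_error()` would make that gap explicit for the next person debugging a bind problem.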