mirror of
https://github.com/librenms/librenms.git
synced 2024-10-07 16:52:45 +00:00
32a7c50189
* Use Laravel for authentication Support legacy auth methods Always create DB entry for users (segregate by auth method) Port api auth to Laravel restrict poller errors to devices the user has access to Run checks on every page load. But set a 5 minute (configurable) timer. Only run some checks if the user is an admin Move toastr down a few pixels so it isn't as annoying. Fix menu not loaded on laravel pages when twofactor is enabled for the system, but disabled for the user. Add two missing menu entries in the laravel menu Rewrite 2FA code Simplify some and verify code before applying Get http-auth working Handle legacy $_SESSION differently. Allows Auth::once(), etc to work. * Fix tests and mysqli extension check * remove duplicate Toastr messages * Fix new items * Rename 266.sql to 267.sql
138 lines
4.4 KiB
PHP
Executable File
138 lines
4.4 KiB
PHP
Executable File
#!/usr/bin/php
|
|
<?php
|
|
|
|
use LibreNMS\Authentication\LegacyAuth;
|
|
|
|
$options = getopt('u:rldvh');
|
|
if (isset($options['h']) || (!isset($options['l']) && !isset($options['u']))) {
|
|
echo ' -u <username> (Required) username to test
|
|
-l List all users (checks that auth can enumerate all allowed users)
|
|
-d Enable debug output
|
|
-v Enable verbose debug output
|
|
-h Display this help message
|
|
';
|
|
exit;
|
|
}
|
|
|
|
if (isset($options['d'])) {
|
|
$debug = true;
|
|
}
|
|
|
|
$init_modules = [];
|
|
require realpath(__DIR__ . '/..') . '/includes/init.php';
|
|
|
|
if (isset($options['v'])) {
|
|
// Enable debug mode for auth methods that have it
|
|
$config['auth_ad_debug'] = 1;
|
|
$config['auth_ldap_debug'] = 1;
|
|
}
|
|
|
|
echo "Authentication Method: {$config['auth_mechanism']}\n";
|
|
|
|
// if ldap like, check selinux
|
|
if ($config['auth_mechanism'] == 'ldap' || $config['auth_mechanism'] == "active_directory") {
|
|
$enforce = shell_exec('getenforce 2>/dev/null');
|
|
if (str_contains($enforce, 'Enforcing')) {
|
|
// has selinux
|
|
$output = shell_exec('getsebool httpd_can_connect_ldap');
|
|
if ($output != "httpd_can_connect_ldap --> on\n") {
|
|
print_error("You need to run: setsebool -P httpd_can_connect_ldap=1");
|
|
exit;
|
|
}
|
|
}
|
|
}
|
|
try {
|
|
$authorizer = LegacyAuth::get();
|
|
|
|
// AD bind tests
|
|
if ($authorizer instanceof \LibreNMS\Authentication\ActiveDirectoryAuthorizer) {
|
|
// peek inside the class
|
|
$lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
|
|
$lc_rp->setAccessible(true);
|
|
$adbind_rm = new ReflectionMethod($authorizer, 'bind');
|
|
$adbind_rm->setAccessible(true);
|
|
|
|
$bind_success = false;
|
|
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
|
|
$bind_success = $adbind_rm->invoke($authorizer, false, true);
|
|
if (!$bind_success) {
|
|
$ldap_error = ldap_error($lc_rp->getValue($authorizer));
|
|
echo $ldap_error . PHP_EOL;
|
|
if ($ldap_error == 'Invalid credentials') {
|
|
print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
|
|
'. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
|
|
}
|
|
} else {
|
|
print_message('AD bind success');
|
|
}
|
|
} else {
|
|
$bind_success = $adbind_rm->invoke($authorizer, true, true);
|
|
if (!$bind_success) {
|
|
echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL;
|
|
print_message("Could not anonymous bind to AD");
|
|
} else {
|
|
print_message('AD bind anonymous successful');
|
|
}
|
|
}
|
|
|
|
if (!$bind_success) {
|
|
print_error("Could not bind to AD, you will not be able to use the API or alert AD users");
|
|
}
|
|
}
|
|
|
|
if (isset($options['l'])) {
|
|
$users = $authorizer->getUserlist();
|
|
$output = array_map(function ($user) {
|
|
return "{$user['username']} ({$user['user_id']})";
|
|
}, $users);
|
|
|
|
echo "Users: " . implode(', ', $output) . PHP_EOL;
|
|
echo "Total users: " . count($users) . PHP_EOL;
|
|
exit;
|
|
}
|
|
|
|
$test_username = $options['u'];
|
|
$auth = false;
|
|
|
|
echo 'Password: ';
|
|
`stty -echo`;
|
|
$test_password = trim(fgets(STDIN));
|
|
`stty echo`;
|
|
echo PHP_EOL;
|
|
|
|
echo "Authenticate user $test_username: \n";
|
|
$auth = $authorizer->authenticate($test_username, $test_password);
|
|
unset($test_password);
|
|
|
|
if ($auth) {
|
|
print_message("AUTH SUCCESS\n");
|
|
} else {
|
|
if (isset($ldap_connection)) {
|
|
echo ldap_error($ldap_connection) . PHP_EOL;
|
|
}
|
|
print_error('AUTH FAILURE');
|
|
}
|
|
|
|
if ($auth) {
|
|
$user_id = $authorizer->getUserid($test_username);
|
|
|
|
echo "User ($user_id):\n";
|
|
if (method_exists($authorizer, 'getUser')) {
|
|
$user = $authorizer->getUser($user_id);
|
|
|
|
unset($user['password']);
|
|
unset($user['remember_token']);
|
|
foreach ($user as $property => $value) {
|
|
echo " $property => $value\n";
|
|
}
|
|
}
|
|
|
|
if (method_exists($authorizer, 'getGroupList')) {
|
|
echo 'Groups: ' . implode('; ', $authorizer->getGroupList()) . PHP_EOL;
|
|
}
|
|
}
|
|
} catch (Exception $e) {
|
|
echo "Error: " . get_class($e) . " thrown!\n";
|
|
echo $e->getMessage() . PHP_EOL;
|
|
}
|