* Install bouncer * Seeder and level migration * Display and edit roles * remove unused deluser page * Update Radius and SSO to assign roles * update AlertUtil direct level check to use roles instead * rewrite ircbot auth handling * Remove legacy auth getUserlist and getUserlevel methods, add getRoles Set roles in LegacyUserProvider * Small cleanups * centralize role sync code show roles on user preferences page * VueSelect component WIP and a little docs * WIP * SelectControllers id and text fields. * LibrenmsSelect component extracted from SettingSelectDynamic * Handle multiple selections * allow type coercion * full width settings * final style adjustments * Final compiled assets update * Style fixes * Fix SSO tests * Lint cleanups * small style fix * don't use json yet * Update baseline for usptream package issues * Change schema, not 100% sure it is correct not sure why xor doesn't work
<?php
namespace LibreNMS\Authentication;
use App\Models\User;
use Dapphp\Radius\Radius;
use Illuminate\Support\Arr;
use Illuminate\Support\Str;
use LibreNMS\Config;
use LibreNMS\Enum\LegacyAuthLevel;
use LibreNMS\Exceptions\AuthenticationException;
use LibreNMS\Util\Debug;
/**
 * Authorizer that delegates the credential check to a RADIUS server.
 *
 * The password is never verified locally: a login succeeds only when the
 * RADIUS client reports that the access request was accepted. On success a
 * User record for the current auth type is created if missing, and the
 * user's roles are cached on this instance, taken from the Filter-Id reply
 * attribute when it carries the "librenms_role_" prefix and from
 * configuration otherwise.
 *
 * NOTE(review): the role name from Filter-Id is cached verbatim. Nothing in
 * this class checks it against the roles that exist; confirm the code that
 * consumes getRoles() rejects or ignores unknown names rather than creating
 * them.
 */
class RadiusAuthorizer extends MysqlAuthorizer
{
    // Capability flags consumed by the surrounding auth framework; their
    // exact semantics are defined outside this file.
    protected static $HAS_AUTH_USERMANAGEMENT = true;
    protected static $CAN_UPDATE_USER = true;
    protected static $CAN_UPDATE_PASSWORDS = false;

    protected Radius $radius;

    // Per-instance role cache, keyed by the username exactly as it was
    // submitted to authenticate(). It is not persisted by this class.
    private array $roles = [];

    /**
     * Builds the RADIUS client from the radius.* configuration values
     * (hostname, shared secret, suffix, timeout, port), in that positional order.
     */
    public function __construct()
    {
        $this->radius = new Radius(
            Config::get('radius.hostname'),
            Config::get('radius.secret'),
            Config::get('radius.suffix'),
            Config::get('radius.timeout'),
            Config::get('radius.port')
        );
    }

    /**
     * Checks the supplied credentials against the RADIUS server.
     *
     * @param  array  $credentials  reads 'username' (required) and 'password' (optional)
     * @return bool  true on success; every failure path throws instead of returning
     *
     * @throws AuthenticationException when the username is empty or the access request is not accepted
     */
    public function authenticate($credentials)
    {
        if (empty($credentials['username'])) {
            throw new AuthenticationException('Username is required');
        }

        $username = $credentials['username'];

        // NOTE(review): this switches the RADIUS client into debug mode whenever
        // LibreNMS debugging is on. Check what the client emits in that mode
        // before enabling debug where the output can be read by others.
        if (Debug::isEnabled()) {
            $this->radius->setDebug(true);
        }

        // NOTE(review): a missing password is forwarded as null. How the client
        // treats a null or empty password is not visible from this file.
        $accepted = $this->radius->accessRequest($username, $credentials['password'] ?? null);

        // Strict comparison: anything other than boolean true is a failed login.
        if ($accepted !== true) {
            throw new AuthenticationException();
        }

        // Make sure a record exists for this username under the current auth
        // type. The two extra attributes are only applied to a new record.
        $account = User::thisAuth()->firstOrNew(['username' => $username], [
            'auth_type' => LegacyAuth::getType(),
            'can_modify_passwd' => 0,
        ]);
        $account->save();

        // Start from the configured defaults, then let the server override them.
        $this->roles[$username] = $this->getDefaultRoles();

        // Attribute 11 is Filter-Id. It has to be read now because the reply
        // attributes are cleared on every accessRequest. Only a single role is
        // taken from it.
        $rolePrefix = 'librenms_role_';
        $filterId = $this->radius->getAttribute(11);
        if ($filterId && Str::startsWith($filterId, $rolePrefix)) {
            // A Filter-Id equal to the bare prefix caches one empty role name
            // here instead of keeping the defaults.
            $this->roles[$username] = [substr($filterId, strlen($rolePrefix))];
        }

        return true;
    }

    /**
     * Returns the roles cached for $username by authenticate() on this
     * instance, or the configured defaults when nothing is cached.
     *
     * The lookup uses the username string as given. A user who has not
     * authenticated through this instance, or whose name is spelled
     * differently from the login, receives the default roles.
     */
    public function getRoles(string $username): array
    {
        if (isset($this->roles[$username])) {
            return $this->roles[$username];
        }

        return $this->getDefaultRoles();
    }

    /**
     * Roles applied when the RADIUS reply does not name one.
     *
     * Uses radius.default_roles when it is set and non-empty. Otherwise the
     * legacy radius.default_level (1 when unset) is translated to a role name
     * and wrapped in an array.
     *
     * NOTE(review): LegacyAuthLevel is presumably a backed enum, in which case
     * a level with no matching case makes from() throw. Confirm.
     */
    private function getDefaultRoles(): array
    {
        $configured = Config::get('radius.default_roles');
        if ($configured) {
            return $configured;
        }

        $legacyLevel = Config::get('radius.default_level') ?? 1;

        return Arr::wrap(LegacyAuthLevel::from($legacyLevel)->getName());
    }
}