/**
* Find a user (eg. look up the user record in database when a login is sent)
*
* @return mixed user array or FALSE
* @throws UnsupportedLoginSecurityLevelException
*/
public function getUser()
{
$user = FALSE;
$userRecordOrIsValid = FALSE;
$enableFrontendSso = TYPO3_MODE === 'FE' && (bool) $this->config['enableFESSO'] && !empty($_SERVER['REMOTE_USER']);
// This simple check is the key to prevent your log being filled up with warnings
// due to the AJAX calls to maintain the session active if your configuration forces
// the authentication stack to always fetch the user:
// $TYPO3_CONF_VARS['SVCONF']['auth']['setup']['BE_alwaysFetchUser'] = true;
// This is the case, e.g., when using EXT:crawler.
if ($this->login['status'] !== 'login' && !$enableFrontendSso) {
return $user;
}
/** @var \Causal\IgLdapSsoAuth\Domain\Repository\ConfigurationRepository $configurationRepository */
$configurationRepository = GeneralUtility::makeInstance('Causal\\IgLdapSsoAuth\\Domain\\Repository\\ConfigurationRepository');
$configurationRecords = $configurationRepository->findAll();
if (count($configurationRecords) === 0) {
// Early return since LDAP is not configured
static::getLogger()->warning('Skipping LDAP authentication as extension is not yet configured');
$this->cleanUpExtbaseDataMapper();
return FALSE;
}
foreach ($configurationRecords as $configurationRecord) {
Configuration::initialize(TYPO3_MODE, $configurationRecord);
if (!Configuration::isEnabledForCurrentHost()) {
$msg = sprintf('Configuration record #%s is not enabled for domain %s', $configurationRecord->getUid(), GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY'));
static::getLogger()->info($msg);
continue;
}
// Enable feature
$userRecordOrIsValid = FALSE;
// Single Sign-On authentication
if ($enableFrontendSso) {
$remoteUser = $_SERVER['REMOTE_USER'];
// Strip the domain name
if ($pos = strpos($remoteUser, '@')) {
$remoteUser = substr($remoteUser, 0, $pos);
} elseif ($pos = strrpos($remoteUser, '\\')) {
$remoteUser = substr($remoteUser, $pos + 1);
}
$userRecordOrIsValid = Authentication::ldapAuthenticate($remoteUser);
if (is_array($userRecordOrIsValid)) {
// Useful for debugging purpose
$this->login['uname'] = $remoteUser;
}
// Authenticate user from LDAP
} elseif ($this->login['status'] === 'login' && $this->login['uident']) {
// Configuration of authentication service.
$loginSecurityLevel = $GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['loginSecurityLevel'];
// normal case
// Check if $loginSecurityLevel is set to "challenged" or "superchallenged" and throw an error if the configuration allows it
// By default, it will not throw an exception
if (isset($this->config['throwExceptionAtLogin']) && $this->config['throwExceptionAtLogin'] == 1) {
if ($loginSecurityLevel === 'challenged' || $loginSecurityLevel === 'superchallenged') {
$message = "ig_ldap_sso_auth error: current login security level '" . $loginSecurityLevel . "' is not supported.";
$message .= " Try to use 'normal' or 'rsa' (highly recommended): ";
$message .= "\$GLOBALS['TYPO3_CONF_VARS']['" . TYPO3_MODE . "']['loginSecurityLevel'] = 'rsa';";
$this->cleanUpExtbaseDataMapper();
throw new UnsupportedLoginSecurityLevelException($message, 1324313489);
}
}
// normal case
$password = $this->login['uident_text'];
try {
if ($password !== NULL) {
$userRecordOrIsValid = Authentication::ldapAuthenticate($this->login['uname'], $password);
} else {
// Could not decrypt password
$userRecordOrIsValid = FALSE;
}
} catch (UnresolvedPhpDependencyException $e) {
// Possible known exception: 1409566275, LDAP extension is not available for PHP
$userRecordOrIsValid = FALSE;
}
}
if (is_array($userRecordOrIsValid)) {
$user = $userRecordOrIsValid;
break;
} elseif ($userRecordOrIsValid) {
// Authentication is valid
break;
} else {
$diagnostic = Authentication::getLastAuthenticationDiagnostic();
$info = array('username' => $this->login['uname'], 'remote' => sprintf('%s (%s)', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST']), 'diagnostic' => $diagnostic, 'configUid' => $configurationRecord->getUid());
static::getLogger()->error('Authentication failed', $info);
NotificationUtility::dispatch(__CLASS__, 'authenticationFailed', $info);
}
// Continue and try with next configuration record...
}
if (!$user && $userRecordOrIsValid) {
$user = $this->fetchUserRecord($this->login['uname']);
}
if (is_array($user)) {
static::getLogger()->debug(sprintf('User found: "%s"', $this->login['uname']));
}
$this->cleanUpExtbaseDataMapper();
return $user;
}
