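/**
 * Authenticates the current request from the client certificate DN.
 *
 * Flow, as visible in this method:
 *  1. Read the subject DN and issuer DN from ClientCertificatesAPI.
 *  2. Install a fresh CertAuth in the registry and try cookie authentication.
 *  3. If the cookie does not authenticate, look the DN up via queryGovport(),
 *     populate the CertAuth from the returned record and call authenticate().
 *  4. On success, regenerate the session id and write the login cookie;
 *     on any failure, put the previously registered auth object back.
 *
 * @param bool $activateCookieAuth Passed through to initAuthenticationFromCookie().
 * @return void
 */
public function initAuthenticationObject($activateCookieAuth = false)
 {
     $clientCertificateAPI = ClientCertificatesAPI::getInstance();
     $loginAPI = LoginAPI::getInstance();

     // NOTE(review): where getUserDN()/getIssuerDN() read the DN from is not
     // visible here. If it is a header set by a TLS-terminating proxy, that
     // proxy must overwrite any client-supplied copy of the header - confirm.
     $dn = $clientCertificateAPI->getUserDN();
     $issuer_dn = $clientCertificateAPI->getIssuerDN();

     // Loose comparison kept on purpose: an empty-string DN is treated the
     // same as a missing one, so it never reaches the directory lookup.
     if ($dn == null) {
         $loginAPI->setErrorMessage("No certificate provided");
         \Piwik\Log::debug("No certificate provided. Falling back on standard login mechanism.");
         return;
     }

     // The new auth object is registered before the cookie check; it is only
     // swapped back for the previous one on the failure paths below.
     $auth = new CertAuth();
     $previousAuth = \Piwik\Registry::get('auth');
     \Piwik\Registry::set('auth', $auth);
     if ($this->initAuthenticationFromCookie($auth, $activateCookieAuth)) {
         return;
     }

     $result = $clientCertificateAPI->queryGovport($dn, $issuer_dn);
     if (!$result) {
         \Piwik\Registry::set('auth', $previousAuth);
         $loginAPI->setErrorMessage("Could not verify user against authorization service");
         \Piwik\Log::debug("Could not verify user against authorization service. Falling back on standard auth.");
         return;
     }

     $username = $this->getProperty($result, 'uid');
     $fullname = $this->getProperty($result, 'fullName');
     $email = $this->getProperty($result, 'email');
     $firstname = $this->getProperty($result, 'firstName');
     $lastname = $this->getProperty($result, 'lastName');

     // Agency: first 'grantBy' entry, else first 'organizations' entry, else 'N/A'.
     // isset() guards the [0] access so a present-but-empty list falls through
     // to the next source instead of raising an undefined-offset notice.
     $agency = null;
     if (property_exists($result, 'grantBy') && isset($result->{'grantBy'}[0])) {
         $agency = $result->{'grantBy'}[0];
     }
     if ($agency == null && property_exists($result, 'organizations') && isset($result->{'organizations'}[0])) {
         $agency = $result->{'organizations'}[0];
     }
     if ($agency == null) {
         $agency = 'N/A';
     }

     // NOTE(review): this writes name and e-mail to the debug log; make sure
     // debug logging is off, or the log is access-controlled, in production.
     \Piwik\Log::debug("Login PKI Response: {$username}, {$fullname}, {$email}, {$firstname}, {$lastname}, {$agency}");

     $auth->setLogin($username);
     $auth->setUserDN($dn);
     // NOTE(review): the "password" is built from the uid and the DN, neither
     // of which is a secret. It must not be accepted as a credential on any
     // password-based login path - confirm how CertAuth uses it.
     $auth->setPassword($username . $dn);
     // NOTE(review): the token is MD5(login . secret): a fixed value per user
     // for as long as the secret is unchanged, with no expiry visible here.
     // Switching to hash_hmac('sha256', ...) needs the verifying side changed
     // in the same commit, so the derivation is left as it is.
     $auth->setTokenAuth(md5($username . $auth->getTokenAuthSecret()));
     $auth->setEmail($email);
     $auth->setAlias($this->getAlias($firstname, $lastname, $fullname));

     $authResult = $auth->authenticate();
     if (!$authResult->wasAuthenticationSuccessful()) {
         // Per the original author, the auth result carries the error message.
         \Piwik\Registry::set('auth', $previousAuth);
         return;
     }

     // New session id on privilege change, so a pre-login session id is not
     // carried into the authenticated session.
     Session::regenerateId();

     // Login cookie: expiry 0 is passed to Cookie, name and path come from config.
     $authCookieExpiry = 0;
     $authCookieName = Config::getInstance()->General['login_cookie_name'];
     $authCookiePath = Config::getInstance()->General['login_cookie_path'];
     $cookie = new Cookie($authCookieName, $authCookieExpiry, $authCookiePath);
     $cookie->set('login', $authResult->getIdentity());
     // Same derivation as the token set on $auth above; the cookie therefore
     // carries a long-lived bearer value and needs both flags below.
     $cookie->set('token_auth', md5($username . $auth->getTokenAuthSecret()));
     // NOTE(review): Secure is only set when the request is detected as HTTPS.
     // Client-certificate login implies TLS, so a false result here points at
     // proxy misconfiguration - consider forcing Secure for this cookie.
     $cookie->setSecure(ProxyHttp::isHttps());
     $cookie->setHttpOnly(true);
     $cookie->save();
 }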
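 /**
  * Decides whether the current login counts as a "viewable" user.
  *
  * Two sources, chosen by plugin settings:
  *  - Group mode (useGovportGroups on, group and project both non-empty):
  *    the answer is the 'isMember' property of queryGovportGroup()'s result.
  *    If that lookup returns nothing, an error message is set and the
  *    result is false (fails closed).
  *  - List mode: the login must appear, one per line, in the viewableUsers
  *    setting. An empty setting makes every user viewable (fails open).
  *
  * What "viewable" grants is decided by the caller, which is not visible here.
  *
  * @return bool|mixed true/false in list mode; in group mode whatever
  *                    getProperty() returns for 'isMember'.
  */
 private function getViewableUserStatus()
 {
     $settings = new Settings();
     $use_govport_groups = $settings->useGovportGroups->getValue();
     $group = $settings->govportGroup->getValue();
     $project = $settings->govportProject->getValue();

     if ($use_govport_groups && $group != "" && $project != "") {
         \Piwik\Log::debug("Using Govport Groups to get viewable status");
         $clientCertificateAPI = ClientCertificatesAPI::getInstance();
         $result = $clientCertificateAPI->queryGovportGroup($this->userDN, $group, $project);
         if (!$result) {
             // Lookup failed: report it and deny rather than guess.
             $loginAPI = LoginAPI::getInstance();
             $loginAPI->setErrorMessage("Could not verify user against group authorization service");
             return false;
         }

         // NOTE(review): the value is returned as-is. If getProperty() can hand
         // back a string such as "false", callers testing truthiness would
         // treat it as membership - confirm it is always a real boolean.
         $is_viewable_user = $this->getProperty($result, 'isMember');
         // Ternary instead of an array lookup so a null or non-boolean value
         // cannot raise an undefined-index notice while logging.
         \Piwik\Log::debug("User [" . $this->login . "] viewable [" . ($is_viewable_user ? 'true' : 'false') . "]");
         return $is_viewable_user;
     }

     $viewable_users_string = $settings->viewableUsers->getValue();
     if ($viewable_users_string == "") {
         // No list configured means no restriction. Operators who expect an
         // empty list to deny everyone need to know this default.
         \Piwik\Log::debug("No viewable users list");
         return true;
     }

     // Exact string match only. Loose '==' compares numeric-looking strings
     // by value ("1e3" == "1000"), which is not acceptable for an allow-list,
     // and blank lines must never match an empty login.
     $login = (string) $this->login;
     $is_viewable_user = false;
     foreach (explode("\n", $viewable_users_string) as $viewable_user) {
         $candidate = trim($viewable_user);
         if ($candidate !== '' && $candidate === $login) {
             $is_viewable_user = true;
             break;
         }
     }

     if ($is_viewable_user) {
         \Piwik\Log::debug("User [" . $this->login . "] is on viewable list");
     } else {
         \Piwik\Log::debug("User [" . $this->login . "] is not on viewable list");
     }
     return $is_viewable_user;
 }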