Ejemplo n.º 1
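 /**
  * Apply permissions, restrictions and roles to the given user
  *
  * Every configured role for which match() accepts the user's name or groups contributes its permissions,
  * its restrictions and one Role object. If the roles configuration cannot be read, the method returns
  * before calling any setter, so nothing is granted here.
  *
  * @param   User    $user
  */
 public function applyRoles(User $user)
 {
     $username = $user->getUsername();
     try {
         $roles = Config::app('roles');
     } catch (NotReadableError $e) {
         // The exception gets its own placeholder; with only one '%s' the printf-style message would
         // presumably name the user but not the reason the role configuration was unreadable.
         Logger::error(
             'Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown: %s',
             $username,
             $e
         );
         return;
     }
     $userGroups = $user->getGroups();
     $permissions = array();
     $restrictions = array();
     $roleObjs = array();
     foreach ($roles as $roleName => $role) {
         if (! $this->match($username, $userGroups, $role)) {
             continue;
         }
         $permissionsFromRole = StringHelper::trimSplit($role->permissions);
         // Only append permissions that are not already in the accumulated list
         $permissions = array_merge($permissions, array_diff($permissionsFromRole, $permissions));
         // Everything in the role section except these three keys is treated as a restriction
         $restrictionsFromRole = $role->toArray();
         unset($restrictionsFromRole['users']);
         unset($restrictionsFromRole['groups']);
         unset($restrictionsFromRole['permissions']);
         foreach ($restrictionsFromRole as $name => $restriction) {
             if (! isset($restrictions[$name])) {
                 $restrictions[$name] = array();
             }
             // Restrictions of the same name are collected per role, not merged into one value
             $restrictions[$name][] = $restriction;
         }
         $roleObj = new Role();
         $roleObjs[] = $roleObj
             ->setName($roleName)
             ->setPermissions($permissionsFromRole)
             ->setRestrictions($restrictionsFromRole);
     }
     $user->setPermissions($permissions);
     $user->setRestrictions($restrictions);
     $user->setRoles($roleObjs);
 }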
Ejemplo n.º 2
 /**
  * Record the given entry as the error of this inspection
  *
  * The entry is passed to the logger, stored as the error and appended to the inspection log.
  *
  * @param   string|Inspection   $entry  A log entry or nested inspection
  *
  * @return  $this                       fluent interface
  *
  * @throws  ProgrammingError            When an error has already been recorded on this object
  */
 public function error($entry)
 {
     $alreadyFailed = isset($this->error);
     if ($alreadyFailed) {
         // An inspection may fail only once
         throw new ProgrammingError('Inspection object used after error');
     }

     Logger::error($entry);
     $this->error = $entry;
     $this->log[] = $entry;

     return $this;
 }
Ejemplo n.º 3
 /**
  * Display exception
  *
  * Logs the exception and its stack trace, chooses a HTTP status code and fills the view. Routing failures
  * get the generic "Page not found." text; for any other exception the exception's own message is handed to
  * the view, and the stack trace only when the "displayExceptions" invoke argument is set.
  */
 public function errorAction()
 {
     $error = $this->_getParam('error_handler');
     /** @var \Exception $exception */
     $exception = $error->exception;
     Logger::error($exception);
     Logger::error('Stacktrace: %s', $exception->getTraceAsString());

     $routingFailures = array(
         Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ROUTE,
         Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_CONTROLLER,
         Zend_Controller_Plugin_ErrorHandler::EXCEPTION_NO_ACTION
     );
     if (in_array($error->type, $routingFailures)) {
         $modules = Icinga::app()->getModuleManager();
         // First segment of the requested path; used below as a possible module name
         $segments = preg_split('~/~', ltrim($this->_request->get('PATH_INFO'), '/'));
         $path = array_shift($segments);
         $this->getResponse()->setHttpResponseCode(404);
         $this->view->message = $this->translate('Page not found.');
         // The hint about a disabled module is given to authenticated users only
         if ($this->Auth()->isAuthenticated() && $modules->hasInstalled($path) && !$modules->hasEnabled($path)) {
             $this->view->message .= ' ' . sprintf($this->translate('Enabling the "%s" module might help!'), $path);
         }
     } else {
         if ($exception instanceof HttpMethodNotAllowedException) {
             $this->getResponse()->setHttpResponseCode(405);
             $this->getResponse()->setHeader('Allow', $exception->getAllowedMethods());
         } elseif ($exception instanceof HttpNotFoundException) {
             $this->getResponse()->setHttpResponseCode(404);
         } elseif ($exception instanceof MissingParameterException) {
             $this->getResponse()->setHttpResponseCode(400);
             $this->getResponse()->setHeader('X-Status-Reason', 'Missing parameter ' . $exception->getParameter());
         } elseif ($exception instanceof HttpBadRequestException) {
             $this->getResponse()->setHttpResponseCode(400);
         } elseif ($exception instanceof SecurityException) {
             $this->getResponse()->setHttpResponseCode(403);
         } else {
             $this->getResponse()->setHttpResponseCode(500);
         }
         // NOTE(review): the raw exception message reaches the client here, also for 500 responses
         $this->view->message = $exception->getMessage();
         if ($this->getInvokeArg('displayExceptions')) {
             $this->view->stackTrace = $exception->getTraceAsString();
         }
     }

     if ($this->getRequest()->isApiRequest()) {
         $this->getResponse()->json()->setErrorMessage($this->view->message)->sendResponse();
     }
     $this->view->request = $error->request;
 }
Ejemplo n.º 4
 /**
  * Parse the given query text and return the structure expected by the semantic search box
  *
  * Any exception is logged and answered with HTTP 500 and a fixed, generic message, so that details of the
  * failure are not part of the response.
  *
  * @param   string  $text       The query to parse
  * @param   mixed   $target     Passed on to getUrlForTarget() of the module registry
  *
  * @return  array               The result structure to be returned in json format
  */
 private function parse($text, $target)
 {
     try {
         $queryTree = $this->registry->createQueryTreeForFilter($text);
         $moduleRegistry = $this->moduleRegistry;
         $proposals = $this->registry->getProposalsForQuery($text);
         $urlParam = $moduleRegistry::getUrlForTarget($target, $queryTree);
         $ignoredParts = $this->registry->getIgnoredQueryParts();
         return array(
             'state'     => 'success',
             'proposals' => $proposals,
             'urlParam'  => $urlParam,
             // The query counts as valid only if no part of it was ignored
             'valid'     => count($ignoredParts) === 0
         );
     } catch (\Exception $failure) {
         Logger::error($failure);
         $this->getResponse()->setHttpResponseCode(500);
         return array(
             'state'   => 'error',
             'message' => 'Search service is currently not available'
         );
     }
 }
Ejemplo n.º 5
 /**
  * Register the given user as the authenticated user
  *
  * Loads the user's preferences, adds the memberships reported by every configured group backend, sets the
  * permissions and restrictions returned by the AdmissionLoader and stores the user on this object.
  * Failures while loading preferences or memberships are logged and do not abort the call.
  *
  * @param   User    $user       The user to register
  * @param   bool    $persist    Whether to call persistCurrentUser() afterwards
  */
 public function setAuthenticated(User $user, $persist = true)
 {
     $username = $user->getUsername();

     try {
         $appConfig = Config::app();
     } catch (NotReadableError $e) {
         Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         $appConfig = new Config();
     }

     if ($appConfig->get('preferences', 'store', 'ini') === 'none') {
         $preferences = new Preferences();
     } else {
         $preferencesConfig = $appConfig->getSection('preferences');
         try {
             $store = PreferencesStore::create($preferencesConfig, $user);
             $preferences = new Preferences($store->load());
         } catch (Exception $e) {
             // Fall back to empty preferences instead of refusing the login
             Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
             $preferences = new Preferences();
         }
     }
     $user->setPreferences($preferences);

     $groups = $user->getGroups();
     foreach (Config::app('groups') as $name => $backendConfig) {
         try {
             $groupBackend = UserGroupBackend::create($name, $backendConfig);
             $groupsFromBackend = $groupBackend->getMemberships($user);
         } catch (Exception $e) {
             // NOTE(review): a failing backend is skipped, so its groups are missing for this user and
             // anything granted or limited through them will presumably not apply - confirm that is intended
             Logger::error('Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s', $username, $name, $e);
             continue;
         }
         if (! empty($groupsFromBackend)) {
             // Key the memberships by group name before merging them into the existing groups
             $groupsFromBackend = array_values($groupsFromBackend);
             $groups = array_merge($groups, array_combine($groupsFromBackend, $groupsFromBackend));
         }
     }
     $user->setGroups($groups);

     $admissionLoader = new AdmissionLoader();
     list($permissions, $restrictions) = $admissionLoader->getPermissionsAndRestrictions($user);
     $user->setPermissions($permissions);
     $user->setRestrictions($restrictions);

     $this->user = $user;
     if ($persist) {
         $this->persistCurrentUser();
     }
 }
Ejemplo n.º 6
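 /**
  * Add a notification message
  *
  * On the CLI the message is written to the log with a level matching its type, otherwise it is queued in
  * $this->messages as an object with the properties "type" and "message".
  *
  * @param   string  $message    The text of the notification
  * @param   string  $type       One of "info", "error", "warning" or "success"
  *
  * @throws  ProgrammingError    If the type is not one of the four known types
  */
 protected function addMessage($message, $type = 'info')
 {
     // Strict comparison: with loose matching, values such as true would pass as a known type
     if (! in_array($type, array('info', 'error', 'warning', 'success'), true)) {
         throw new ProgrammingError('"%s" is not a valid notification type', $type);
     }
     if ($this->isCli) {
         $msg = sprintf('[%s] %s', $type, $message);
         switch ($type) {
             case 'info':
             case 'success':
                 Logger::info($msg);
                 break;
             case 'warning':
                 Logger::warn($msg);
                 break;
             case 'error':
                 Logger::error($msg);
                 break;
         }
         return;
     }
     // The message is stored as given; nothing is escaped at this point
     $this->messages[] = (object) array('type' => $type, 'message' => $message);
 }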
Ejemplo n.º 7
 /**
  * Set up internationalization using gettext
  *
  * Registers the default translation domain if locales are available, then activates the detected locale or,
  * if none was detected, the translator's default locale. A failure to set up the locale is only logged.
  *
  * @return $this
  */
 protected final function setupInternationalization()
 {
     if ($this->hasLocales()) {
         Translator::registerDomain(Translator::DEFAULT_DOMAIN, $this->getLocaleDir());
     }

     $detected = $this->detectLocale();
     $locale = $detected === null ? Translator::DEFAULT_LOCALE : $detected;

     try {
         Translator::setupLocale($locale);
     } catch (Exception $error) {
         Logger::error($error);
     }

     return $this;
 }
Ejemplo n.º 8
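 /**
  * Return a javascript file from the application's or the module's public folder
  *
  * Both request parameters are untrusted. The requested file is resolved to its canonical path and is served
  * only if that path is a regular file inside the selected javascript directory, so that ".." segments or
  * symlinks in the "file" parameter cannot make readfile() deliver files from elsewhere on the system.
  */
 public function javascriptAction()
 {
     $module = $this->_getParam('module_name');
     $file = $this->_getParam('file');
     if ($module === 'app') {
         $jsDir = Icinga::app()->getApplicationDir('../public/js/icinga/components/');
     } else {
         if (!Icinga::app()->getModuleManager()->hasEnabled($module)) {
             Logger::error('Non-existing frontend component "' . $module . '/' . $file . '" was requested. The module "' . $module . '" does not exist or is not active.');
             echo "/** Module not enabled **/";
             return;
         }
         $jsDir = Icinga::app()->getModuleManager()->getModule($module)->getBaseDir() . '/public/js/';
     }
     $filePath = $jsDir . $file;

     // realpath() yields false for paths that do not exist, so this also covers the missing-file case
     $canonicalDir = realpath($jsDir);
     $canonicalFile = realpath($filePath);
     $insideJsDir = $canonicalDir !== false
         && $canonicalFile !== false
         && strpos($canonicalFile, rtrim($canonicalDir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0;
     if (! $insideJsDir || ! is_file($canonicalFile)) {
         // Requests that resolve outside the javascript directory are answered like missing files
         Logger::error('Non-existing frontend component "' . $module . '/' . $file . '" was requested, which would resolve to the the path: ' . $filePath);
         echo '/** Module has no js files **/';
         return;
     }

     $response = $this->getResponse();
     $response->setHeader('Content-Type', 'text/javascript');
     $this->setCacheHeader();
     $response->setHeader('Last-Modified', gmdate('D, d M Y H:i:s', filemtime($canonicalFile)) . ' GMT');
     readfile($canonicalFile);
 }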
Ejemplo n.º 9
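 /**
  * {@inheritdoc}
  *
  * Succeeds if getRemoteUserInformation() yields a user name. When a strip expression is configured it is
  * applied to that name first; if the expression cannot be applied, authentication fails.
  *
  * @param   User    $user       Receives the external user information and the resulting user name
  * @param   string  $password   Not used by this backend
  *
  * @return  bool                True if a remote user name was found and could be processed
  */
 public function authenticate(User $user, $password = null)
 {
     list($username, $field) = static::getRemoteUserInformation();
     if ($username === null) {
         return false;
     }

     $user->setExternalUserInformation($username, $field);
     if ($this->stripUsernameRegexp) {
         $stripped = @preg_replace($this->stripUsernameRegexp, '', $username);
         // preg_replace() reports an error with null, not false. Testing only for false would let a broken
         // expression authenticate the request with a null user name.
         if (! is_string($stripped)) {
             Logger::error('Failed to strip external username. The configured regular expression is invalid.');
             return false;
         }
         // NOTE(review): an expression that removes the whole name leaves an empty user name, which is
         // still accepted below - confirm whether that should be rejected as well
         $username = $stripped;
     }
     $user->setUsername($username);
     return true;
 }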
Ejemplo n.º 10
 /**
  * Render the stylesheet
  *
  * If rendering throws, the exception is logged and its description is returned in place of the stylesheet.
  *
  * @return  string
  */
 public function __toString()
 {
     try {
         $output = $this->render();
     } catch (Exception $e) {
         Logger::error($e);
         // NOTE(review): the description becomes the string value of this object, so it presumably ends up
         // wherever the stylesheet is printed - confirm that it holds nothing sensitive
         $output = IcingaException::describe($e);
     }

     return $output;
 }
Ejemplo n.º 11
 /**
  * Fetch and return the given user's groups from all user group backends
  *
  * A group name reported more than once is kept only for the backend that reported it first. A backend that
  * throws is logged, announced with a warning notification and skipped.
  *
  * @param   User    $user
  *
  * @return  ArrayDatasource
  */
 protected function loadMemberships(User $user)
 {
     $memberships = array();
     $seenGroupNames = array();
     foreach ($this->loadUserGroupBackends() as $backend) {
         try {
             foreach ($backend->getMemberships($user) as $groupName) {
                 if (! array_key_exists($groupName, $seenGroupNames)) {
                     $seenGroupNames[$groupName] = null;
                     $memberships[] = (object) array('group_name' => $groupName, 'backend' => $backend);
                 }
                 // Duplicate memberships are ignored
             }
         } catch (Exception $e) {
             Logger::error($e);
             $warning = sprintf(
                 $this->translate('Failed to fetch memberships from backend %s. Please check your log'),
                 $backend->getName()
             );
             Notification::warning($warning);
         }
     }

     return new ArrayDatasource($memberships);
 }
Ejemplo n.º 12
 /**
  * Add a notification message
  *
  * On the CLI the message is logged with a level matching its type; a type other than the four class
  * constants is not logged at all. Otherwise the message is queued in $this->messages.
  *
  * @param   string $message
  * @param   string $type
  */
 protected function addMessage($message, $type = self::INFO)
 {
     if (! $this->isCli) {
         $this->messages[] = (object) array('type' => $type, 'message' => $message);
         return;
     }

     $line = sprintf('[%s] %s', $type, $message);
     if ($type == self::INFO || $type == self::SUCCESS) {
         Logger::info($line);
     } elseif ($type == self::ERROR) {
         Logger::error($line);
     } elseif ($type == self::WARNING) {
         Logger::warning($line);
     }
 }
Ejemplo n.º 13
 /**
  * Send the given command over an appropriate Icinga command transport
  *
  * The configured transports are tried in order until one of them sends the command. Each failure is logged
  * and its message is collected; if no transport succeeds, the collected messages form the exception text.
  *
  * @param   IcingaCommand   $command    The command to send
  * @param   int|null        $now        Timestamp of the command or null for now
  *
  * @throws  CommandTransportException   If sending the Icinga command failed
  */
 public function send(IcingaCommand $command, $now = null)
 {
     $failures = array();
     foreach (static::getConfig() as $name => $transportConfig) {
         $transport = static::createTransport($transportConfig);
         if (! $this->transferPossible($command, $transport)) {
             continue;
         }

         try {
             $transport->send($command, $now);
             // The command was successfully sent
             return;
         } catch (CommandTransportException $e) {
             Logger::error($e);
             // Normalise the message to end in exactly one full stop, then try the next transport
             $failures[] = sprintf('%s: %s.', $name, rtrim($e->getMessage(), '.'));
         }
     }

     if (empty($failures)) {
         throw new CommandTransportException(mt('monitoring', 'Failed to send external Icinga command. No transport has been configured' . ' for this instance. Please contact your Icinga Web administrator.'));
     }
     throw new CommandTransportException(implode("\n", $failures));
 }
Ejemplo n.º 14
 /**
  * Send the given command over an appropriate Icinga command transport
  *
  * The configured transports are tried in order until one of them sends the command. Failures are logged;
  * the exception raised when no transport succeeds carries only a generic text that points to the log.
  *
  * @param   IcingaCommand   $command    The command to send
  * @param   int|null        $now        Timestamp of the command or null for now
  *
  * @throws  CommandTransportException   If sending the Icinga command failed
  */
 public function send(IcingaCommand $command, $now = null)
 {
     $failedAttempts = 0;
     foreach (static::getConfig() as $transportConfig) {
         $transport = static::createTransport($transportConfig);
         if (! $this->transferPossible($command, $transport)) {
             continue;
         }

         try {
             $transport->send($command, $now);
             // The command was successfully sent
             return;
         } catch (CommandTransportException $e) {
             Logger::error($e);
             // Count the failure and try the next transport
             ++$failedAttempts;
         }
     }

     if ($failedAttempts === 0) {
         throw new CommandTransportException(mt('monitoring', 'Failed to send external Icinga command. No transport has been configured' . ' for this instance. Please contact your Icinga Web administrator.'));
     }
     throw new CommandTransportException(mt('monitoring', 'Failed to send external Icinga command. None of the configured transports' . ' was able to transfer the command. Please see the log for more details.'));
 }
Ejemplo n.º 15
 /**
  * Check whether the current user backend is valid, i.e. it's enabled, not an external user backend and whether its
  * config is valid
  *
  * Backends that are disabled, cannot be created or are external while external backends are to be skipped
  * are passed over by advancing to the next one. The first usable backend is stored in $this->currentBackend.
  *
  * @return bool     False once there are no more backends to check
  */
 public function valid()
 {
     while ($this->config->valid()) {
         $backendConfig = $this->config->current();
         if ((bool) $backendConfig->get('disabled', false)) {
             $this->next();
             continue;
         }

         $name = $this->key();
         try {
             $backend = UserBackend::create($name, $backendConfig);
         } catch (ConfigurationError $e) {
             // A backend with a broken configuration is logged and passed over, not treated as fatal
             Logger::error(new ConfigurationError('Can\'t create authentication backend "%s". An exception was thrown:', $name, $e));
             $this->next();
             continue;
         }

         if ($this->getSkipExternalBackends() && $backend instanceof ExternalBackend) {
             $this->next();
             continue;
         }

         $this->currentBackend = $backend;
         return true;
     }

     // Stop when there are no more backends to check
     return false;
 }
Ejemplo n.º 16
 /**
  * Render the given child
  *
  * The child's own renderer is used if it has one and custom renderers are enabled. If that renderer throws,
  * the exception message is logged and the default renderer is used instead.
  *
  * @param   Menu    $child      The menu's child to render
  *
  * @return  string              The child rendered as html
  */
 public function renderChild(Menu $child)
 {
     if ($child->getRenderer() === null || ! $this->useCustomRenderer) {
         return $this->defaultRenderer->render($child);
     }

     try {
         return $child->getRenderer()->render($child);
     } catch (Exception $e) {
         Logger::error('Could not invoke custom renderer. Exception: ' . $e->getMessage());
     }

     // The custom renderer failed, fall back to the default one
     return $this->defaultRenderer->render($child);
 }
Ejemplo n.º 17
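 /**
  * Set the path to the LESS theme
  *
  * The path is accepted only if it names an existing, readable file. Otherwise the previous theme is kept
  * and an error is logged.
  *
  * @param   string  $theme  Path to the LESS theme
  *
  * @return  $this
  */
 public function setTheme($theme)
 {
     if (is_file($theme) && is_readable($theme)) {
         $this->theme = $theme;
     } else {
         // The apostrophe has to be escaped as \' - the former \\ put a literal backslash into the log line
         Logger::error('Can\'t load theme %s. Make sure that the theme exists and is readable', $theme);
     }
     return $this;
 }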
Ejemplo n.º 18
 /**
  * Adjust preferences and persist them
  *
  * Submitted values that are empty, "autodetect" or equal to the configured default theme are removed from
  * the "icingaweb" preferences, all others are stored there. The result is applied to the session user and
  * saved to the store only if a store exists and the submit button for it was used.
  *
  * @see Form::onSuccess()
  */
 public function onSuccess()
 {
     $stored = $this->store ? $this->store->load() : array();
     $this->preferences = new Preferences($stored);
     $oldTheme = $this->preferences->getValue('icingaweb', 'theme');
     $webPreferences = $this->preferences->get('icingaweb', array());

     foreach ($this->getValues() as $key => $value) {
         $isDefault = $value === ''
             || $value === 'autodetect'
             || ($key === 'theme' && $value === Config::app()->get('themes', 'default', StyleSheet::DEFAULT_THEME));
         if (! $isDefault) {
             $webPreferences[$key] = $value;
             continue;
         }
         if (isset($webPreferences[$key])) {
             unset($webPreferences[$key]);
         }
     }

     $this->preferences->icingaweb = $webPreferences;
     Session::getSession()->user->setPreferences($this->preferences);

     // Ask the client to reload its CSS only if the theme element exists and its value changed
     $themeElement = $this->getElement('theme');
     if ($themeElement !== null && $themeElement->getValue() !== $oldTheme) {
         $this->getResponse()->setReloadCss(true);
     }

     try {
         if ($this->store && $this->getElement('btn_submit_preferences')->isChecked()) {
             $this->save();
             Notification::success($this->translate('Preferences successfully saved'));
         } else {
             Notification::success($this->translate('Preferences successfully saved for the current session'));
         }
     } catch (Exception $e) {
         Logger::error($e);
         // The exception message is shown to the user as a notification
         Notification::error($e->getMessage());
     }
 }
Ejemplo n.º 19
 /**
  * Prepare and establish a connection with the LDAP server
  *
  * Sets protocol version 3 and disables referrals on the new link. With STARTTLS configured, TLS is
  * negotiated on the link; $this->encryptionSuccess records whether the link is encrypted.
  *
  * NOTE(review): if STARTTLS fails, the failure is only logged and a new link WITHOUT TLS is returned.
  * Unless every caller checks $this->encryptionSuccess before binding, credentials would then travel
  * unencrypted although encryption was configured - confirm how callers handle this.
  *
  * NOTE(review): the result of ldap_connect() is not checked and nothing in this method throws the
  * documented LdapException itself - confirm where a failed connection is detected.
  *
  * @return  resource        A LDAP link identifier
  *
  * @throws  LdapException   In case the connection is not possible
  */
 protected function prepareNewConnection()
 {
     // Both encrypted modes need the TLS environment prepared before the link is created
     if ($this->encryption === static::STARTTLS || $this->encryption === static::LDAPS) {
         $this->prepareTlsEnvironment();
     }
     $hostname = $this->hostname;
     if ($this->encryption === static::LDAPS) {
         // LDAPS is selected through the URI scheme of the host
         $hostname = 'ldaps://' . $hostname;
     }
     $ds = ldap_connect($hostname, $this->port);
     // Usage of ldap_rename, setting LDAP_OPT_REFERRALS to 0 or using STARTTLS requires LDAPv3.
     // If this does not work we're probably not in a PHP 5.3+ environment as it is VERY
     // unlikely that the server complains about it by itself prior to a bind request
     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
     // Not setting this results in "Operations error" on AD when using the whole domain as search base
     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
     if ($this->encryption === static::STARTTLS) {
         // The @ suppresses the PHP warning; the outcome is kept in $this->encryptionSuccess
         if ($this->encryptionSuccess = @ldap_start_tls($ds)) {
             Logger::debug('LDAP STARTTLS succeeded');
         } else {
             Logger::error('LDAP STARTTLS failed: %s', ldap_error($ds));
             // ldap_start_tls seems to corrupt the connection though if I understand
             // https://tools.ietf.org/html/rfc4511#section-4.14.2 correctly, this shouldn't happen
             // The replacement link below is set up like the first one, but TLS is not attempted again
             $ds = ldap_connect($hostname, $this->port);
             ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
             ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
         }
     } elseif ($this->encryption === static::LDAPS) {
         // Set without any check of the link itself
         $this->encryptionSuccess = true;
     }
     return $ds;
 }
Ejemplo n.º 20
 /**
  * Fetch and return all users from all user backends
  *
  * Only the "user_name" column is selected. A backend that throws is logged, announced with a warning
  * notification and skipped; rows already collected from it are kept.
  *
  * @return  ArrayDatasource
  */
 protected function fetchUsers()
 {
     $rows = array();
     foreach ($this->loadUserBackends('Icinga\\Data\\Selectable') as $backend) {
         try {
             foreach ($backend->select(array('user_name')) as $userRow) {
                 $rows[] = $userRow;
             }
         } catch (Exception $e) {
             Logger::error($e);
             $warning = sprintf(
                 $this->translate('Failed to fetch any users from backend %s. Please check your log'),
                 $backend->getName()
             );
             Notification::warning($warning);
         }
     }

     return new ArrayDatasource($rows);
 }
Ejemplo n.º 21
 /**
  * Create and return a data source to fetch all groups from all backends where the user is not already a member of
  *
  * If every backend failed and no group was collected, the first exception is thrown again. If only some
  * backends failed, each failure is logged and announced with a warning notification.
  *
  * @return  ArrayDatasource
  *
  * @throws  Exception   The first backend failure, if there are only failures
  */
 protected function createDataSource()
 {
     $available = array();
     $failed = array();
     foreach ($this->backends as $backend) {
         try {
             $memberOf = $backend
                 ->select()
                 ->from('group_membership', array('group_name'))
                 ->where('user_name', $this->userName)
                 ->fetchColumn();
             foreach ($backend->select(array('group_name')) as $row) {
                 if (in_array($row->group_name, $memberOf)) {
                     continue;
                 }
                 // TODO(jom): Apply this as native query filter
                 $row->backend_name = $backend->getName();
                 $available[] = $row;
             }
         } catch (Exception $e) {
             $failed[] = array($backend->getName(), $e);
         }
     }

     if (! empty($failed)) {
         if (empty($available)) {
             // In case there are only failures, throw the very first exception again
             throw $failed[0][1];
         }
         foreach ($failed as $failure) {
             list($backendName, $exception) = $failure;
             Logger::error($exception);
             Notification::warning(sprintf(
                 $this->translate('Failed to fetch any groups from backend %s. Please check your log'),
                 $backendName
             ));
         }
     }

     return new ArrayDatasource($available);
 }
Ejemplo n.º 22
 /**
  * Render the given child
  *
  * The child's own renderer is used if it has one and custom renderers are enabled. If that renderer throws,
  * class, file, line and message of the exception are logged and the default renderer is used instead.
  *
  * @param   Menu    $child      The menu's child to render
  *
  * @return  string              The child rendered as html
  */
 public function renderChild(Menu $child)
 {
     if ($child->getRenderer() === null || ! $this->useCustomRenderer) {
         return $this->defaultRenderer->render($child);
     }

     try {
         return $child->getRenderer()->render($child);
     } catch (Exception $e) {
         Logger::error(
             'Could not invoke custom menu renderer. %s in %s:%d with message: %s',
             get_class($e),
             $e->getFile(),
             $e->getLine(),
             $e->getMessage()
         );
     }

     // The custom renderer failed, fall back to the default one
     return $this->defaultRenderer->render($child);
 }
Ejemplo n.º 23
 /**
  * Adjust preferences and persist them
  *
  * Submitted values that are null or "autodetect" are removed from the "icingaweb" preferences, all others
  * are stored there. The result is applied to the session user and saved to the store only if a store exists
  * and the submit button for it was used.
  *
  * @see Form::onSuccess()
  */
 public function onSuccess()
 {
     $stored = $this->store ? $this->store->load() : array();
     $this->preferences = new Preferences($stored);
     $webPreferences = $this->preferences->get('icingaweb', array());

     foreach ($this->getValues() as $key => $value) {
         $keepValue = $value !== null && $value !== 'autodetect';
         if ($keepValue) {
             $webPreferences[$key] = $value;
             continue;
         }
         if (isset($webPreferences[$key])) {
             unset($webPreferences[$key]);
         }
     }

     $this->preferences->icingaweb = $webPreferences;
     Session::getSession()->user->setPreferences($this->preferences);

     try {
         if ($this->store && $this->getElement('btn_submit_preferences')->isChecked()) {
             $this->save();
             Notification::success($this->translate('Preferences successfully saved'));
         } else {
             Notification::success($this->translate('Preferences successfully saved for the current session'));
         }
     } catch (Exception $e) {
         Logger::error($e);
         // The exception message is shown to the user as a notification
         Notification::error($e->getMessage());
     }
 }
Ejemplo n.º 24
 /**
  * Detect installed modules from every path provided in modulePaths
  *
  * Each path is canonicalised with realpath() first. Every sub-directory whose name does not start with a
  * dot is registered under its directory name; if the same name shows up again in a later path, the first
  * location is kept and the later one is only mentioned in the debug log.
  *
  * @param   array   $availableDirs      Installed modules location; the configured module paths if null
  *
  * @return $this
  */
 public function detectInstalledModules(array $availableDirs = null)
 {
     $searchPaths = $availableDirs === null ? $this->modulePaths : $availableDirs;
     foreach ($searchPaths as $basedir) {
         $canonical = realpath($basedir);
         if ($canonical === false) {
             Logger::warning('Module path "%s" does not exist', $basedir);
             continue;
         }
         if (! is_dir($canonical)) {
             Logger::error('Module path "%s" is not a directory', $canonical);
             continue;
         }
         if (! is_readable($canonical)) {
             Logger::error('Module path "%s" is not readable', $canonical);
             continue;
         }

         $handle = opendir($canonical);
         if ($handle === false) {
             // Nothing is logged if the directory cannot be opened
             continue;
         }
         while (($entry = readdir($handle)) !== false) {
             $candidate = $canonical . '/' . $entry;
             // Skip hidden entries as well as "." and "..", and everything that is not a directory
             if ($entry[0] === '.' || ! is_dir($candidate)) {
                 continue;
             }
             if (array_key_exists($entry, $this->installedBaseDirs)) {
                 Logger::debug('Module "%s" already exists in installation path "%s" and is ignored.', $candidate, $this->installedBaseDirs[$entry]);
             } else {
                 $this->installedBaseDirs[$entry] = $candidate;
             }
         }
         closedir($handle);
     }

     ksort($this->installedBaseDirs);
     return $this;
 }
 /**
  * Log into the application
  *
  * On POST the submitted credentials are tried against every non-external backend of the authentication
  * chain, on GET only the external backends are asked. The first backend that authenticates the user ends
  * the request with a redirect. Any exception raised inside the outer try block is shown as a form error.
  */
 public function loginAction()
 {
     $icinga = Icinga::app();
     // Send the visitor to the setup wizard while a setup token exists and setup is still required
     if ($icinga->setupTokenExists() && $icinga->requiresSetup()) {
         $this->redirectNow(Url::fromPath('setup'));
     }
     $triedOnlyExternalAuth = null;
     $auth = $this->Auth();
     $this->view->form = $form = new LoginForm();
     $this->view->title = $this->translate('Icingaweb Login');
     try {
         // NOTE(review): the redirect target is taken from the form value. Confirm that Url::fromPath()
         // cannot turn it into a URL outside this application, otherwise this is an open redirect.
         $redirectUrl = $this->view->form->getValue('redirect');
         if ($redirectUrl) {
             $redirectUrl = Url::fromPath($redirectUrl);
         } else {
             $redirectUrl = Url::fromPath('dashboard');
         }
         // Already authenticated users are redirected right away
         if ($auth->isAuthenticated()) {
             $this->rerenderLayout()->redirectNow($redirectUrl);
         }
         try {
             $config = Config::app('authentication');
         } catch (NotReadableError $e) {
             throw new ConfigurationError($this->translate('Could not read your authentication.ini, no authentication methods are available.'), 0, $e);
         }
         $chain = new AuthChain($config);
         $request = $this->getRequest();
         if ($request->isPost() && $this->view->form->isValid($request->getPost())) {
             $user = new User($this->view->form->getValue('username'));
             $password = $this->view->form->getValue('password');
             $backendsTried = 0;
             $backendsWithError = 0;
             // Read again now that the form has been populated from the POST data; see the note above
             $redirectUrl = $form->getValue('redirect');
             if ($redirectUrl) {
                 $redirectUrl = Url::fromPath($redirectUrl);
             } else {
                 $redirectUrl = Url::fromPath('dashboard');
             }
             foreach ($chain as $backend) {
                 // External backends take no part in form based login
                 if ($backend instanceof ExternalBackend) {
                     continue;
                 }
                 ++$backendsTried;
                 try {
                     $authenticated = $backend->authenticate($user, $password);
                 } catch (AuthenticationException $e) {
                     // A backend that fails technically is counted and the next one is tried
                     Logger::error($e);
                     ++$backendsWithError;
                     continue;
                 }
                 // Only a strict true counts as success
                 if ($authenticated === true) {
                     $auth->setAuthenticated($user);
                     $this->rerenderLayout()->redirectNow($redirectUrl);
                 }
             }
             if ($backendsTried === 0) {
                 $this->view->form->addError($this->translate('No authentication methods available. Did you create' . ' authentication.ini when setting up Icinga Web 2?'));
             } else {
                 if ($backendsTried === $backendsWithError) {
                     $this->view->form->addError($this->translate('All configured authentication methods failed.' . ' Please check the system log or Icinga Web 2 log for more information.'));
                 } elseif ($backendsWithError) {
                     $this->view->form->addError($this->translate('Please note that not all authentication methods were available.' . ' Check the system log or Icinga Web 2 log for more information.'));
                 }
             }
             // The same message is used for an unknown user and a wrong password
             if ($backendsTried > 0 && $backendsTried !== $backendsWithError) {
                 $this->view->form->getElement('password')->addError($this->translate('Incorrect username or password'));
             }
         } elseif ($request->isGet()) {
             $user = new User('');
             foreach ($chain as $backend) {
                 // True on the first backend of the chain, false on every later one
                 $triedOnlyExternalAuth = $triedOnlyExternalAuth === null;
                 if ($backend instanceof ExternalBackend) {
                     $authenticated = $backend->authenticate($user);
                     if ($authenticated === true) {
                         $auth->setAuthenticated($user);
                         // NOTE(review): the target comes from the "redirect" parameter of the request
                         // URL; the open redirect question from above applies here as well
                         $this->rerenderLayout()->redirectNow(Url::fromPath(Url::fromRequest()->getParam('redirect', 'dashboard')));
                     }
                 } else {
                     $triedOnlyExternalAuth = false;
                 }
             }
         }
     } catch (Exception $e) {
         // NOTE(review): the raw exception message is shown on the login form to unauthenticated
         // visitors - confirm that it cannot carry configuration details
         $this->view->form->addError($e->getMessage());
     }
     $this->view->requiresExternalAuth = $triedOnlyExternalAuth && !$auth->isAuthenticated();
     $this->view->requiresSetup = Icinga::app()->requiresSetup();
 }
Ejemplo n.º 26
 /**
  * Register the given user as the authenticated user
  *
  * Loads the user's preferences from the globally configured backend, asks the response to reload the CSS,
  * adds the memberships reported by every configured group backend, lets the AdmissionLoader apply the
  * roles and stores the user on this object. Failures while loading preferences or memberships are logged
  * and do not abort the call.
  *
  * @param   User    $user       The user to register
  * @param   bool    $persist    Whether to call persistCurrentUser() afterwards
  */
 public function setAuthenticated(User $user, $persist = true)
 {
     $username = $user->getUsername();

     try {
         $appConfig = Config::app();
     } catch (NotReadableError $e) {
         Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         $appConfig = new Config();
     }

     if ($appConfig->get('global', 'config_backend', 'ini') === 'none') {
         $preferences = new Preferences();
     } else {
         $preferencesConfig = new ConfigObject(array(
             'store'    => $appConfig->get('global', 'config_backend', 'ini'),
             'resource' => $appConfig->get('global', 'config_resource')
         ));
         try {
             $store = PreferencesStore::create($preferencesConfig, $user);
             $preferences = new Preferences($store->load());
         } catch (Exception $e) {
             // Fall back to empty preferences instead of refusing the login
             Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
             $preferences = new Preferences();
         }
     }

     // TODO(el): Quick-fix for #10957. Only reload CSS if the theme changed.
     $this->getResponse()->setReloadCss(true);
     $user->setPreferences($preferences);

     $groups = $user->getGroups();
     foreach (Config::app('groups') as $name => $backendConfig) {
         try {
             $groupBackend = UserGroupBackend::create($name, $backendConfig);
             $groupsFromBackend = $groupBackend->getMemberships($user);
         } catch (Exception $e) {
             // NOTE(review): a failing backend is skipped, so roles that depend on its groups will
             // presumably not match for this user - confirm that is intended
             Logger::error('Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s', $username, $name, $e);
             continue;
         }
         if (! empty($groupsFromBackend)) {
             // Key the memberships by group name before merging them into the existing groups
             $groupsFromBackend = array_values($groupsFromBackend);
             $groups = array_merge($groups, array_combine($groupsFromBackend, $groupsFromBackend));
         }
     }
     $user->setGroups($groups);

     $admissionLoader = new AdmissionLoader();
     $admissionLoader->applyRoles($user);

     $this->user = $user;
     if ($persist) {
         $this->persistCurrentUser();
     }
 }
Ejemplo n.º 27
 /**
  * Return this item rendered to HTML
  *
  * @return  string
  */
 public function render()
 {
     $html = null;
     try {
         $customRenderer = $this->getRenderer();
         $html = $customRenderer->setItem($this)->render();
     } catch (Exception $error) {
         // A broken custom renderer must not break the navigation: log the exception class,
         // location and message, then render this item with the default renderer instead
         Logger::error('Could not invoke custom navigation item renderer. %s in %s:%d with message: %s', get_class($error), $error->getFile(), $error->getLine(), $error->getMessage());
         $fallbackRenderer = new NavigationItemRenderer();
         $html = $fallbackRenderer->render($this);
     }

     return $html;
 }
Ejemplo n.º 28
 /**
  * Prepare and establish a connection with the LDAP server
  *
  * @return  resource        A positive LDAP link identifier
  *
  * @throws  LdapException   In case the connection is not possible
  */
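 protected function prepareNewConnection()
 {
     if ($this->encryption === static::STARTTLS || $this->encryption === static::LDAPS) {
         $this->prepareTlsEnvironment();
     }
     $hostname = $this->hostname;
     if ($this->encryption === static::LDAPS) {
         $hostname = 'ldaps://' . $hostname;
     }
     // NOTE(review): PHP documents the port argument of ldap_connect() as unused when the host is
     // given as an LDAP URI, so a non-default LDAPS port may have to be part of the URI - confirm.
     $ds = ldap_connect($hostname, $this->port);
     if ($ds === false) {
         // ldap_connect() only creates the handle; false means the parameters were not usable at all
         throw new LdapException('Cannot create a LDAP connection handle for %s', $this->hostname);
     }
     try {
         $this->capabilities = $this->discoverCapabilities($ds);
         $this->discoverySuccess = true;
     } catch (LdapException $e) {
         Logger::debug($e);
         Logger::warning('LADP discovery failed, assuming default LDAP capabilities.');
         // create empty default capabilities
         $this->capabilities = new Capability();
         $this->discoverySuccess = false;
     }
     if ($this->encryption === static::STARTTLS) {
         // With STARTTLS the capabilities above were read before any TLS layer was negotiated (or
         // replaced by empty defaults when discovery failed). They are therefore only used for a
         // warning here and never decide whether the configured encryption is applied: STARTTLS is
         // always attempted and the connection is refused if it fails, rather than silently
         // continuing in plaintext.
         if (! $this->capabilities->hasStartTls()) {
             Logger::warning('LDAP STARTTLS enabled but not announced');
         }
         // Warnings are suppressed because the failure is reported through ldap_error() below
         if (@ldap_start_tls($ds)) {
             Logger::debug('LDAP STARTTLS succeeded');
         } else {
             Logger::error('LDAP STARTTLS failed: %s', ldap_error($ds));
             throw new LdapException('LDAP STARTTLS failed: %s', ldap_error($ds));
         }
     }
     // ldap_rename requires LDAPv3:
     if ($this->capabilities->hasLdapV3()) {
         if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
             throw new LdapException('LDAPv3 is required');
         }
     } else {
         // TODO: remove this -> FORCING v3 for now
         ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
         Logger::warning('No LDAPv3 support detected');
     }
     // Not setting this results in "Operations error" on AD when using the whole domain as search base.
     // It also keeps the client library from automatically following referrals returned by the server.
     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
     // ldap_set_option($ds, LDAP_OPT_DEREF, LDAP_DEREF_NEVER);
     return $ds;
 }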