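/**
 * Authenticate the current request against the configured source and fill the
 * global security context: $remote_username, $remote_displayname,
 * $user_given_tags and $auto_tags.
 *
 * Reads (globals): $user_auth_src ('database', 'ldap' or 'httpd'),
 * $require_local_account, $script_mode and, in script mode, a caller-provided
 * $remote_username. A normal return means the request is authenticated.
 *
 * The configured source is compared strictly, so only the documented string
 * values select a backend; any other value fails closed as MISCONFIGURED.
 *
 * @throws RackTablesError NOT_AUTHENTICATED when a logout was requested, HTTP
 *         credentials are absent or rejected, or a required local account is missing
 * @throws RackTablesError MISCONFIGURED when $user_auth_src or
 *         $require_local_account is unset, $user_auth_src is unknown, or the web
 *         server did not supply REMOTE_USER in 'httpd' mode
 */
function authenticate ()
{
    global $remote_username, $remote_displayname, $auto_tags, $user_given_tags,
        $user_auth_src, $script_mode, $require_local_account;

    // Phase 1: configuration sanity, then the logout short-circuit.
    if (!isset($user_auth_src) || !isset($require_local_account))
        throw new RackTablesError('secret.php: either user_auth_src or require_local_account are missing', RackTablesError::MISCONFIGURED);
    // A NOT_AUTHENTICATED response makes the browser drop its cached HTTP credentials.
    if (isset($_REQUEST['logout']))
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);

    // Phase 2: establish $remote_username. A trusted script may supply it
    // directly; every other mode takes it from the web server.
    $in_script_mode = isset($script_mode) && $script_mode;
    if (!$in_script_mode || !isset($remote_username) || !strlen($remote_username))
    {
        if ($user_auth_src === 'database' || $user_auth_src === 'ldap')
        {
            // Both the HTTP user name and password must be present and non-empty.
            if
            (
                !isset($_SERVER['PHP_AUTH_USER']) || !strlen($_SERVER['PHP_AUTH_USER']) ||
                !isset($_SERVER['PHP_AUTH_PW']) || !strlen($_SERVER['PHP_AUTH_PW'])
            )
                throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
            $remote_username = $_SERVER['PHP_AUTH_USER'];
        }
        elseif ($user_auth_src === 'httpd')
        {
            if (!isset($_SERVER['REMOTE_USER']) || !strlen($_SERVER['REMOTE_USER']))
                throw new RackTablesError('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
            $remote_username = $_SERVER['REMOTE_USER'];
        }
        else
            throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
    }

    // Phase 3: enforce the local account requirement and pull the user's tags
    // into the security context.
    $userinfo = constructUserCell($remote_username);
    if ($require_local_account && !isset($userinfo['user_id']))
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    $user_given_tags = $userinfo['etags'];
    $auto_tags = array_merge($auto_tags, $userinfo['atags']);

    // Phase 4: verify the credential (where there is one) and set $remote_displayname.
    // The local real name may be absent for users without a local account, hence isset().
    $local_realname = (isset($userinfo['user_realname']) && strlen($userinfo['user_realname']))
        ? $userinfo['user_realname'] : '';
    // Accept the integer or its decimal-string form as returned by DB drivers,
    // but not other values that a loose "== 1" would also accept.
    $is_local_admin = array_key_exists('user_id', $userinfo)
        && ($userinfo['user_id'] === 1 || $userinfo['user_id'] === '1');

    if ($in_script_mode)
        return; // the calling script is trusted; there is no password to verify

    if ($user_auth_src === 'httpd')
    {
        // The web server already verified the credential; only the display name is left.
        $remote_displayname = strlen($local_realname) ? $local_realname : $remote_username;
        return;
    }

    if ($user_auth_src === 'database' || $is_local_admin)
    {
        // The admin account (user_id 1) is always verified against the local
        // database, so a broken LDAP setup cannot lock the administrator out.
        $remote_displayname = strlen($local_realname) ? $local_realname : $remote_username;
        // An absent HTTP password can never authenticate.
        if (isset($_SERVER['PHP_AUTH_PW']) && authenticated_via_database($userinfo, $_SERVER['PHP_AUTH_PW']))
            return;
    }
    elseif ($user_auth_src === 'ldap')
    {
        $ldap_dispname = '';
        if (authenticated_via_ldap($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname))
        {
            // Prefer the local real name, then the one from LDAP, then the login name.
            $remote_displayname = strlen($local_realname)
                ? $local_realname
                : (strlen($ldap_dispname) ? $ldap_dispname : $remote_username);
            return;
        }
    }
    else
        throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);

    // Every verification path above either returned or falls through to here.
    throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
}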
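/**
 * Authenticate the current request against the configured source and fill the
 * global security context: $remote_username, $remote_displayname,
 * $user_given_tags and $auto_tags.
 *
 * Reads (globals): $user_auth_src ('database', 'ldap', 'httpd' or 'saml'),
 * $require_local_account, $script_mode and, in script mode, a caller-provided
 * $remote_username. A normal return means the request is authenticated.
 *
 * The configured source is compared strictly, so only the documented string
 * values select a backend; any other value fails closed as MISCONFIGURED.
 *
 * @throws RackTablesError NOT_AUTHENTICATED when a logout was requested,
 *         credentials are absent or rejected (HTTP or SAML), or a required
 *         local account is missing
 * @throws RackTablesError MISCONFIGURED when $user_auth_src or
 *         $require_local_account is unset, $user_auth_src is unknown, or the web
 *         server did not supply REMOTE_USER in 'httpd' mode
 */
function authenticate ()
{
    global $remote_username, $remote_displayname, $auto_tags, $user_given_tags,
        $user_auth_src, $script_mode, $require_local_account;

    // Phase 1: configuration sanity, then the logout short-circuit.
    if (!isset($user_auth_src) || !isset($require_local_account))
        throw new RackTablesError('secret.php: either user_auth_src or require_local_account are missing', RackTablesError::MISCONFIGURED);
    if (isset($_REQUEST['logout']))
    {
        // SAML keeps server-side session state that must be torn down as well.
        if ($user_auth_src === 'saml')
            saml_logout();
        // A NOT_AUTHENTICATED response makes the browser drop its cached HTTP credentials.
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    }

    // Phase 2: establish $remote_username. A trusted script may supply it
    // directly; every other mode takes it from the web server or the SAML IdP.
    $in_script_mode = isset($script_mode) && $script_mode;
    $saml_username = '';
    $saml_dispname = '';
    if (!$in_script_mode || !isset($remote_username) || !strlen($remote_username))
    {
        if ($user_auth_src === 'database' || $user_auth_src === 'ldap')
        {
            // Both the HTTP user name and password must be present and non-empty.
            if
            (
                !isset($_SERVER['PHP_AUTH_USER']) || !strlen($_SERVER['PHP_AUTH_USER']) ||
                !isset($_SERVER['PHP_AUTH_PW']) || !strlen($_SERVER['PHP_AUTH_PW'])
            )
                throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
            $remote_username = $_SERVER['PHP_AUTH_USER'];
        }
        elseif ($user_auth_src === 'httpd')
        {
            if (!isset($_SERVER['REMOTE_USER']) || !strlen($_SERVER['REMOTE_USER']))
                throw new RackTablesError('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
            $remote_username = $_SERVER['REMOTE_USER'];
        }
        elseif ($user_auth_src === 'saml')
        {
            // authenticated_via_saml() fills both out-parameters on success.
            if (!authenticated_via_saml($saml_username, $saml_dispname))
                throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
            $remote_username = $saml_username;
        }
        else
            throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
    }

    // Phase 3: enforce the local account requirement and pull the user's tags
    // into the security context.
    $userinfo = constructUserCell($remote_username);
    if ($require_local_account && !isset($userinfo['user_id']))
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    $user_given_tags = $userinfo['etags'];
    $auto_tags = array_merge($auto_tags, $userinfo['atags']);

    // Phase 4: verify the credential (where there is one) and set $remote_displayname.
    // The local real name may be absent for users without a local account, hence isset().
    $local_realname = (isset($userinfo['user_realname']) && strlen($userinfo['user_realname']))
        ? $userinfo['user_realname'] : '';
    // Accept the integer or its decimal-string form as returned by DB drivers,
    // but not other values that a loose "== 1" would also accept.
    $is_local_admin = array_key_exists('user_id', $userinfo)
        && ($userinfo['user_id'] === 1 || $userinfo['user_id'] === '1');

    if ($in_script_mode)
        return; // the calling script is trusted; there is no password to verify

    if ($user_auth_src === 'httpd')
    {
        // The web server already verified the credential; only the display name is left.
        $remote_displayname = strlen($local_realname) ? $local_realname : $remote_username;
        return;
    }

    if ($is_local_admin || $user_auth_src === 'database')
    {
        // The admin account (user_id 1) is always verified against the local
        // database, so a broken LDAP setup cannot lock the administrator out.
        $remote_displayname = strlen($local_realname) ? $local_realname : $remote_username;
        // An absent HTTP password can never authenticate. NOTE(review): in 'saml'
        // mode the browser sends no PHP_AUTH_PW, so this fallback always fails
        // closed for the admin account — confirm whether that is intended.
        if (isset($_SERVER['PHP_AUTH_PW']) && authenticated_via_database($userinfo, $_SERVER['PHP_AUTH_PW']))
            return;
    }
    elseif ($user_auth_src === 'ldap')
    {
        $ldap_dispname = '';
        if (authenticated_via_ldap($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname))
        {
            // Prefer the local real name, then the one from LDAP, then the login name.
            $remote_displayname = strlen($local_realname)
                ? $local_realname
                : (strlen($ldap_dispname) ? $ldap_dispname : $remote_username);
            return;
        }
    }
    elseif ($user_auth_src === 'saml')
    {
        // The IdP already verified the credential in phase 2; only the display name is left.
        $remote_displayname = strlen($saml_dispname) ? $saml_dispname : $saml_username;
        return;
    }
    else
        throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);

    // Every verification path above either returned or falls through to here.
    throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
}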