/**
 * Get the path of the dashboard configuration file of the current user
 *
 * @return  string
 *
 * @throws  ProgrammingError    In case no user has been set on this instance
 */
public function getConfigFile()
{
    if ($this->user === null) {
        throw new ProgrammingError('Can\'t load dashboards. User is not set');
    }

    // One dashboard.ini per user, kept below the dashboards directory of the config root
    $relativePath = 'dashboards/' . $this->user->getUsername() . '/dashboard.ini';

    return Config::resolvePath($relativePath);
}
/**
 * Apply permissions, restrictions and roles to the given user
 *
 * Every configured role that matches the user (by name or group membership) contributes its
 * permissions and restrictions. Permissions are collected once each, in the order the roles
 * grant them; restrictions are collected per restriction name, one entry per granting role.
 * If the roles configuration cannot be read the user is left untouched and the error is logged.
 *
 * @param   User    $user
 */
public function applyRoles(User $user)
{
    $username = $user->getUsername();
    try {
        $roles = Config::app('roles');
    } catch (NotReadableError $e) {
        Logger::error(
            'Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown:',
            $username,
            $e
        );
        return;
    }

    $userGroups = $user->getGroups();
    $permissions = array();
    $restrictions = array();
    $assignedRoles = array();
    foreach ($roles as $roleName => $role) {
        if (! $this->match($username, $userGroups, $role)) {
            continue;
        }

        $rolePermissions = StringHelper::trimSplit($role->permissions);
        // Append only what previous roles did not grant yet, so the first grant keeps its position
        $permissions = array_merge($permissions, array_diff($rolePermissions, $permissions));

        // Everything in a role besides its matching keys and permissions is a restriction
        $roleRestrictions = $role->toArray();
        unset($roleRestrictions['users'], $roleRestrictions['groups'], $roleRestrictions['permissions']);
        foreach ($roleRestrictions as $restrictionName => $restriction) {
            $restrictions[$restrictionName][] = $restriction;
        }

        $assignedRole = new Role();
        $assignedRoles[] = $assignedRole
            ->setName($roleName)
            ->setPermissions($rolePermissions)
            ->setRestrictions($roleRestrictions);
    }

    $user->setPermissions($permissions);
    $user->setRestrictions($restrictions);
    $user->setRoles($assignedRoles);
}
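/**
 * Authenticate the given user against the account table
 *
 * The lookup selects an active account whose stored hash equals the hash of the given
 * password computed with the user's salt, so a wrong password and an unknown or inactive
 * account are indistinguishable to the caller (both yield false).
 *
 * @param   User    $user
 * @param   string  $password
 *
 * @return  bool    True if an active account with a matching password exists, false otherwise
 *
 * @throws  AuthenticationException In case the salt is empty or the database query fails
 */
public function authenticate(User $user, $password)
{
    try {
        $salt = $this->getSalt($user->getUsername());
        if ($salt === null) {
            // No such account
            return false;
        }
        if ($salt === '') {
            throw new Exception('Cannot find salt for user ' . $user->getUsername());
        }

        $select = new Zend_Db_Select($this->conn->getConnection());
        $row = $select
            ->from('account', array(new Zend_Db_Expr(1)))
            ->where('username = ?', $user->getUsername())
            ->where('active = ?', true)
            ->where('password = ?', $this->hashPassword($password, $salt))
            ->query()
            ->fetchObject();

        // fetchObject() returns false when no row matched; anything else is a hit
        return $row !== false;
    } catch (Exception $e) {
        throw new AuthenticationException(
            sprintf(
                'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
                $user->getUsername(),
                $this->getName()
            ),
            0,
            $e
        );
    }
}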
/**
 * Return the app's menu
 *
 * Without an authenticated user the menu is empty. The "Application Log" entry is only
 * offered when the logger writes to a file.
 *
 * @return  Navigation
 */
public function getMenu()
{
    if ($this->user === null) {
        return Navigation::fromArray(array())->load('menu-item');
    }

    $systemChildren = array(
        'about' => array(
            'label'     => t('About'),
            'url'       => 'about',
            'priority'  => 700
        ),
        'announcements' => array(
            'label'     => t('Announcements'),
            'url'       => 'announcements',
            'priority'  => 710
        )
    );
    if (Logger::writesToFile()) {
        $systemChildren['application_log'] = array(
            'label'         => t('Application Log'),
            'url'           => 'list/applicationlog',
            'permission'    => 'application/log',
            'priority'      => 900
        );
    }

    $configurationChildren = array(
        'application' => array(
            'label'         => t('Application'),
            'url'           => 'config/general',
            'permission'    => 'config/application/*',
            'priority'      => 810
        ),
        'authentication' => array(
            'label'         => t('Authentication'),
            'permission'    => 'config/authentication/*',
            'priority'      => 830,
            'url'           => 'role/list'
        ),
        'navigation' => array(
            'label'         => t('Shared Navigation'),
            'url'           => 'navigation/shared',
            'permission'    => 'config/application/navigation',
            'priority'      => 840
        ),
        'modules' => array(
            'label'         => t('Modules'),
            'url'           => 'config/modules',
            'permission'    => 'config/modules',
            'priority'      => 890
        )
    );

    $userChildren = array(
        'account' => array(
            'label'     => t('My Account'),
            'priority'  => 100,
            'url'       => 'account'
        ),
        'logout' => array(
            'label'         => t('Logout'),
            'priority'      => 200,
            'attributes'    => array('target' => '_self'),
            'url'           => 'authentication/logout'
        )
    );

    $menu = array(
        'dashboard' => array(
            'label'     => t('Dashboard'),
            'url'       => 'dashboard',
            'icon'      => 'dashboard',
            'priority'  => 10
        ),
        'system' => array(
            'label'     => t('System'),
            'icon'      => 'services',
            'priority'  => 700,
            'renderer'  => array('SummaryNavigationItemRenderer', 'state' => 'critical'),
            'children'  => $systemChildren
        ),
        'configuration' => array(
            'label'         => t('Configuration'),
            'icon'          => 'wrench',
            'permission'    => 'config/*',
            'priority'      => 800,
            'children'      => $configurationChildren
        ),
        'user' => array(
            'cssClass'  => 'user-nav-item',
            'label'     => $this->user->getUsername(),
            'icon'      => 'user',
            'priority'  => 900,
            'children'  => $userChildren
        )
    );

    return Navigation::fromArray($menu)->load('menu-item');
}
/**
 * Return the app's menu
 *
 * Without an authenticated user the menu is empty. The "Application Log" entry is only
 * offered when the logger writes to a file.
 *
 * @return  Navigation
 */
public function getMenu()
{
    if ($this->user === null) {
        return Navigation::fromArray(array())->load('menu-item');
    }

    $systemChildren = array(
        'about' => array(
            'label'     => t('About'),
            'url'       => 'about',
            'priority'  => 701
        )
    );
    if (Logger::writesToFile()) {
        $systemChildren['application_log'] = array(
            'label'     => t('Application Log'),
            'url'       => 'list/applicationlog',
            'priority'  => 710
        );
    }

    $configurationChildren = array(
        'application' => array(
            'label'         => t('Application'),
            'url'           => 'config/general',
            'permission'    => 'config/application/*',
            'priority'      => 810
        ),
        'navigation' => array(
            'label'         => t('Shared Navigation'),
            'url'           => 'navigation/shared',
            'permission'    => 'config/application/navigation',
            'priority'      => 820
        ),
        'authentication' => array(
            'label'         => t('Authentication'),
            'url'           => 'config/userbackend',
            'permission'    => 'config/authentication/*',
            'priority'      => 830
        ),
        'roles' => array(
            'label'         => t('Roles'),
            'url'           => 'role/list',
            'permission'    => 'config/authentication/roles/show',
            'priority'      => 840
        ),
        'users' => array(
            'label'         => t('Users'),
            'url'           => 'user/list',
            'permission'    => 'config/authentication/users/show',
            'priority'      => 850
        ),
        'groups' => array(
            'label'         => t('Usergroups'),
            'url'           => 'group/list',
            'permission'    => 'config/authentication/groups/show',
            'priority'      => 860
        ),
        'modules' => array(
            'label'         => t('Modules'),
            'url'           => 'config/modules',
            'permission'    => 'config/modules',
            'priority'      => 890
        )
    );

    $userChildren = array(
        'preferences' => array(
            'label'     => t('Preferences'),
            'url'       => 'preference',
            'priority'  => 910
        ),
        'navigation' => array(
            'label'     => t('Navigation'),
            'url'       => 'navigation',
            'priority'  => 920
        ),
        'logout' => array(
            'label'     => t('Logout'),
            'url'       => 'authentication/logout',
            'priority'  => 990,
            'renderer'  => array('NavigationItemRenderer', 'target' => '_self')
        )
    );

    $menu = array(
        'dashboard' => array(
            'label'     => t('Dashboard'),
            'url'       => 'dashboard',
            'icon'      => 'dashboard',
            'priority'  => 10
        ),
        'system' => array(
            'label'     => t('System'),
            'icon'      => 'services',
            'priority'  => 700,
            'renderer'  => array('SummaryNavigationItemRenderer', 'state' => 'critical'),
            'children'  => $systemChildren
        ),
        'configuration' => array(
            'label'         => t('Configuration'),
            'icon'          => 'wrench',
            'permission'    => 'config/*',
            'priority'      => 800,
            'children'      => $configurationChildren
        ),
        'user' => array(
            'label'     => $this->user->getUsername(),
            'icon'      => 'user',
            'priority'  => 900,
            'children'  => $userChildren
        )
    );

    return Navigation::fromArray($menu)->load('menu-item');
}
/**
 * Tries to authenticate the user from the session, and then from the REMOTE_USER superglobal, that can be set by
 * an external authentication provider.
 *
 * A session whose user no longer matches REMOTE_USER is discarded, so a changed identity at the
 * external provider does not keep the previous user's authorization alive. REMOTE_USER is taken
 * as-is; it is only trustworthy when the web server (or the provider in front of it) sets it.
 */
public function authenticateFromRemoteUser()
{
    $this->fromRemoteUser = true;
    $this->authenticateFromSession();

    $hasRemoteUser = array_key_exists('REMOTE_USER', $_SERVER);

    if ($this->user !== null) {
        if ($hasRemoteUser && $this->user->getUsername() !== $_SERVER['REMOTE_USER']) {
            // Remote user has changed, clear all sessions
            $this->removeAuthorization();
        }
        return;
    }

    // No session user: adopt the remote user when the header carries a non-empty value
    if ($hasRemoteUser && $_SERVER['REMOTE_USER']) {
        $this->user = new User($_SERVER['REMOTE_USER']);
        $this->persistCurrentUser();
    }
}
/**
 * Mark the given user as authenticated
 *
 * Loads the user's preferences (unless the preferences store is configured as "none"),
 * merges the memberships reported by every configured group backend into the user's groups,
 * applies permissions and restrictions and finally, if requested, persists the user in the session.
 * Failures while loading preferences or querying a group backend are logged and skipped.
 *
 * @param   User    $user
 * @param   bool    $persist    Whether to persist the authenticated user in the session
 */
public function setAuthenticated(User $user, $persist = true)
{
    $username = $user->getUsername();
    try {
        $config = Config::app();
    } catch (NotReadableError $e) {
        Logger::error(new IcingaException(
            'Cannot load preferences for user "%s". An exception was thrown: %s',
            $username,
            $e
        ));
        $config = new Config();
    }

    $preferences = null;
    if ($config->get('preferences', 'store', 'ini') !== 'none') {
        $preferencesConfig = $config->getSection('preferences');
        try {
            $preferencesStore = PreferencesStore::create($preferencesConfig, $user);
            $preferences = new Preferences($preferencesStore->load());
        } catch (Exception $e) {
            Logger::error(new IcingaException(
                'Cannot load preferences for user "%s". An exception was thrown: %s',
                $username,
                $e
            ));
        }
    }
    if ($preferences === null) {
        // Store disabled or not loadable: fall back to empty preferences
        $preferences = new Preferences();
    }
    $user->setPreferences($preferences);

    $groups = $user->getGroups();
    foreach (Config::app('groups') as $backendName => $backendConfig) {
        try {
            $memberships = UserGroupBackend::create($backendName, $backendConfig)->getMemberships($user);
        } catch (Exception $e) {
            Logger::error(
                'Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s',
                $username,
                $backendName,
                $e
            );
            continue;
        }
        if (empty($memberships)) {
            continue;
        }
        // Groups are kept as a name => name map so that duplicates collapse on merge
        $memberships = array_values($memberships);
        $groups = array_merge($groups, array_combine($memberships, $memberships));
    }
    $user->setGroups($groups);

    $admissionLoader = new AdmissionLoader();
    list($permissions, $restrictions) = $admissionLoader->getPermissionsAndRestrictions($user);
    $user->setPermissions($permissions);
    $user->setRestrictions($restrictions);

    $this->user = $user;
    if ($persist) {
        $this->persistCurrentUser();
    }
}
/**
 * List all dashboard configuration files that match the given user
 *
 * Every directory below the dashboards directory whose name equals the user name
 * (compared case-insensitively, hidden entries skipped) contributes its dashboard.ini.
 * An unreadable or missing dashboards directory yields an empty list.
 *
 * @param   User    $user
 *
 * @return  string[]
 */
public static function listConfigFilesForUser(User $user)
{
    $files = array();
    $dashboardsDir = static::resolvePath('dashboards');
    $wantedName = strtolower($user->getUsername());

    // Warnings are suppressed on purpose: a missing directory is a normal situation here
    $handle = @opendir($dashboardsDir);
    if ($handle === false) {
        return $files;
    }

    for ($entry = readdir($handle); $entry !== false; $entry = readdir($handle)) {
        $isHidden = $entry[0] === '.';
        if ($isHidden || ! is_dir($dashboardsDir . '/' . $entry)) {
            continue;
        }
        if (strtolower($entry) === $wantedName) {
            $files[] = $dashboardsDir . '/' . $entry . '/dashboard.ini';
        }
    }
    closedir($handle);

    return $files;
}
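/**
 * Return the groups the given user is a member of
 *
 * Membership is resolved case-insensitively on the user name and includes all parent groups
 * transitively. Each group name is returned at most once; a parent chain that loops back onto
 * an already collected group is cut there instead of being followed endlessly, so a
 * misconfigured cycle in the group hierarchy cannot hang authentication.
 *
 * @param   User    $user
 *
 * @return  array
 */
public function getMemberships(User $user)
{
    $result = $this->select()->fetchAll();

    // group name => parent group name (null for top-level groups)
    $parents = array();
    foreach ($result as $group) {
        $parents[$group->group_name] = $group->parent;
    }

    $username = strtolower($user->getUsername());
    $memberships = array();
    foreach ($result as $group) {
        if (! $group->users || in_array($group->group_name, $memberships, true)) {
            continue;
        }

        $users = array_map('strtolower', String::trimSplit($group->users));
        if (! in_array($username, $users, true)) {
            continue;
        }

        $memberships[] = $group->group_name;
        $parent = $parents[$group->group_name];
        // Stop at groups already collected; this is also what terminates a cyclic parent chain
        while ($parent !== null && ! in_array($parent, $memberships, true)) {
            $memberships[] = $parent;
            $parent = isset($parents[$parent]) ? $parents[$parent] : null;
        }
    }

    return $memberships;
}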
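/**
 * Authenticate the given user
 *
 * The stored hash is compared with the hash of the given password in constant time, so the
 * comparison does not leak how many leading bytes matched. Both values must be strings;
 * anything else (e.g. no stored hash for the user) is treated as a failed authentication.
 *
 * @param   User    $user
 * @param   string  $password
 *
 * @return  bool    True on success, false on failure
 *
 * @throws  AuthenticationException In case authentication is not possible due to an error
 */
public function authenticate(User $user, $password)
{
    try {
        $passwordHash = $this->getPasswordHash($user->getUsername());
        $passwordSalt = $this->getSalt($passwordHash);
        $hashToCompare = $this->hashPassword($password, $passwordSalt);

        if (! is_string($passwordHash) || ! is_string($hashToCompare)) {
            return false;
        }

        // hash_equals() is available as of PHP 5.6; older runtimes fall back to a plain comparison
        if (function_exists('hash_equals')) {
            return hash_equals($passwordHash, $hashToCompare);
        }

        return $hashToCompare === $passwordHash;
    } catch (Exception $e) {
        throw new AuthenticationException(
            'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
            $user->getUsername(),
            $this->getName(),
            $e
        );
    }
}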
/** * Authenticate the given user and return true on success, false on failure and null on error * * @param User $user * @param string $password * * @return bool|null * @throws AuthenticationException */ public function authenticate(User $user, $password) { try { return $this->conn->testCredentials($this->conn->fetchDN($this->createQuery($user->getUsername())), $password); } catch (Exception $e) { throw new AuthenticationException(sprintf('Failed to authenticate user "%s" against backend "%s". An exception was thrown:', $user->getUsername(), $this->getName()), 0, $e); } }
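/**
 * Return the groups the given user is a member of
 *
 * Direct memberships come from the group_membership table; the parent chain of every such
 * group is followed and appended. Because the table has no constraint on parents, a parent
 * may be missing (the chain ends there) or chains may form a cycle (the chain ends at the
 * first group already collected, so resolution always terminates).
 *
 * @param   User    $user
 *
 * @return  array
 */
public function getMemberships(User $user)
{
    $groupQuery = $this->ds
        ->select()
        ->from(
            array('g' => $this->prependTablePrefix('group')),
            array(
                'group_name'    => 'g.name',
                'parent_name'   => 'gg.name'
            )
        )
        ->joinLeft(
            array('gg' => $this->prependTablePrefix('group')),
            'g.parent = gg.id',
            array()
        );

    // group name => parent group name (null for top-level groups)
    $groups = array();
    foreach ($groupQuery as $group) {
        $groups[$group->group_name] = $group->parent_name;
    }

    $membershipQuery = $this->select()
        ->from('group_membership', array('group_name'))
        ->where('user_name', $user->getUsername());

    $memberships = array();
    foreach ($membershipQuery as $membership) {
        $memberships[] = $membership->group_name;
        $parent = $groups[$membership->group_name];
        // Stop at a group already collected: guards against cyclic parent relations
        while ($parent !== null && ! in_array($parent, $memberships, true)) {
            $memberships[] = $parent;
            // Usually a parent is an existing group, but since we do not have a constraint on our table..
            $parent = isset($groups[$parent]) ? $groups[$parent] : null;
        }
    }

    return $memberships;
}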
/**
 * Return the groups the given user is a member of
 *
 * The group member attribute is matched either against the plain user name (ambiguous member
 * attribute) or against the user's DN, which is resolved with a user query unless it has been
 * cached on the user as 'ldap_dn'. With nested group search enabled the member attribute is
 * suffixed with the LDAP_MATCHING_RULE_IN_CHAIN OID so the server resolves nesting itself.
 *
 * @param   User    $user
 *
 * @return  array
 */
public function getMemberships(User $user)
{
    if ($this->isMemberAttributeAmbiguous()) {
        $memberValue = $user->getUsername();
    } else {
        $memberValue = $user->getAdditional('ldap_dn');
        if ($memberValue === null) {
            $userQuery = $this->ds
                ->select()
                ->from($this->userClass)
                ->where($this->userNameAttribute, $user->getUsername())
                ->setBase($this->userBaseDn)
                ->setUsePagedResults(false);
            if ($this->userFilter) {
                $userQuery->setNativeFilter($this->userFilter);
            }

            $memberValue = $userQuery->fetchDn();
            if ($memberValue === null) {
                // Unknown user, hence no memberships
                return array();
            }
        }
    }

    $memberAttribute = $this->groupMemberAttribute;
    if ($this->nestedGroupSearch) {
        // 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (transitive membership)
        $memberAttribute .= ':1.2.840.113556.1.4.1941:';
    }

    $groupQuery = $this->ds
        ->select()
        ->from($this->groupClass, array($this->groupNameAttribute))
        ->where($memberAttribute, $memberValue)
        ->setBase($this->groupBaseDn);
    if ($this->groupFilter) {
        $groupQuery->setNativeFilter($this->groupFilter);
    }

    $groups = array();
    foreach ($groupQuery as $row) {
        $groups[] = $row->{$this->groupNameAttribute};
    }

    return $groups;
}
/**
 * Authenticate the given user
 *
 * The user's DN is looked up by name and a bind with the given password decides the result.
 * Any '*' is stripped from the user name before the lookup, which keeps a wildcard out of the
 * resulting LDAP filter so the name cannot match entries other than the user's own.
 *
 * @param   User    $user
 * @param   string  $password
 *
 * @return  bool    True on success, false on failure
 *
 * @throws  AuthenticationException In case authentication is not possible due to an error
 */
public function authenticate(User $user, $password)
{
    try {
        $lookupName = str_replace('*', '', $user->getUsername());
        $userDn = $this->select()
            ->where('user_name', $lookupName)
            ->getQuery()
            ->setUsePagedResults(false)
            ->fetchDn();
        if ($userDn === null) {
            // Unknown user
            return false;
        }

        return $this->ds->testCredentials($userDn, $password);
    } catch (LdapException $e) {
        throw new AuthenticationException(
            'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
            $user->getUsername(),
            $this->getName(),
            $e
        );
    }
}
/**
 * Mark the given user as authenticated
 *
 * Loads the user's preferences from the configured config backend (unless it is "none"),
 * merges the memberships reported by every configured group backend into the user's groups,
 * applies the configured roles and finally, if requested, persists the user in the session.
 * Failures while loading preferences or querying a group backend are logged and skipped.
 *
 * @param   User    $user
 * @param   bool    $persist    Whether to persist the authenticated user in the session
 */
public function setAuthenticated(User $user, $persist = true)
{
    $username = $user->getUsername();
    try {
        $config = Config::app();
    } catch (NotReadableError $e) {
        Logger::error(new IcingaException(
            'Cannot load preferences for user "%s". An exception was thrown: %s',
            $username,
            $e
        ));
        $config = new Config();
    }

    $preferences = null;
    $configBackend = $config->get('global', 'config_backend', 'ini');
    if ($configBackend !== 'none') {
        $preferencesConfig = new ConfigObject(array(
            'store'     => $configBackend,
            'resource'  => $config->get('global', 'config_resource')
        ));
        try {
            $preferencesStore = PreferencesStore::create($preferencesConfig, $user);
            $preferences = new Preferences($preferencesStore->load());
        } catch (Exception $e) {
            Logger::error(new IcingaException(
                'Cannot load preferences for user "%s". An exception was thrown: %s',
                $username,
                $e
            ));
        }
    }
    if ($preferences === null) {
        // Backend disabled or not loadable: fall back to empty preferences
        $preferences = new Preferences();
    }

    // TODO(el): Quick-fix for #10957. Only reload CSS if the theme changed.
    $this->getResponse()->setReloadCss(true);

    $user->setPreferences($preferences);

    $groups = $user->getGroups();
    foreach (Config::app('groups') as $backendName => $backendConfig) {
        try {
            $memberships = UserGroupBackend::create($backendName, $backendConfig)->getMemberships($user);
        } catch (Exception $e) {
            Logger::error(
                'Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s',
                $username,
                $backendName,
                $e
            );
            continue;
        }
        if (empty($memberships)) {
            continue;
        }
        // Groups are kept as a name => name map so that duplicates collapse on merge
        $memberships = array_values($memberships);
        $groups = array_merge($groups, array_combine($memberships, $memberships));
    }
    $user->setGroups($groups);

    $admissionLoader = new AdmissionLoader();
    $admissionLoader->applyRoles($user);

    $this->user = $user;
    if ($persist) {
        $this->persistCurrentUser();
    }
}
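/**
 * Setup internationalization using gettext
 *
 * Uses the preferred user language or the configured default and system default, respectively.
 * A language that cannot be set up is logged as a warning and the default stays in effect.
 *
 * @return  self
 */
protected function setupInternationalization()
{
    parent::setupInternationalization();

    if ($this->user === null || $this->user->getPreferences() === null) {
        return $this;
    }

    // Assigned on its own line on purpose: an inline `$locale = ...get(...) !== null` would
    // store the boolean result of the comparison in $locale instead of the language
    $locale = $this->user->getPreferences()->get('app.language');
    if ($locale !== null) {
        try {
            Translator::setupLocale($locale);
        } catch (Exception $error) {
            Logger::warning(
                'Cannot set locale "' . $locale . '" configured in '
                . 'preferences of user "' . $this->user->getUsername() . '"'
            );
        }
    }

    return $this;
}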
/**
 * Return the groups the given user is a member of
 *
 * The group member attribute is matched either against the plain user name (ambiguous member
 * attribute) or against the user's DN, which is resolved with a user query unless it has been
 * cached on the user as 'ldap_dn'. Configured user and group filters are applied as-is.
 *
 * @param   User    $user
 *
 * @return  array
 */
public function getMemberships(User $user)
{
    if ($this->isAmbiguous($this->groupClass, $this->groupMemberAttribute)) {
        $memberValue = $user->getUsername();
    } else {
        $memberValue = $user->getAdditional('ldap_dn');
        if ($memberValue === null) {
            $userQuery = $this->ds
                ->select()
                ->from($this->userClass)
                ->where($this->userNameAttribute, $user->getUsername())
                ->setBase($this->userBaseDn)
                ->setUsePagedResults(false);
            if ($this->userFilter) {
                $userQuery->where(new Expression($this->userFilter));
            }

            $memberValue = $userQuery->fetchDn();
            if ($memberValue === null) {
                // Unknown user, hence no memberships
                return array();
            }
        }
    }

    $groupQuery = $this->ds
        ->select()
        ->from($this->groupClass, array($this->groupNameAttribute))
        ->where($this->groupMemberAttribute, $memberValue)
        ->setBase($this->groupBaseDn);
    if ($this->groupFilter) {
        $groupQuery->where(new Expression($this->groupFilter));
    }

    $groups = array();
    foreach ($groupQuery as $row) {
        $groups[] = $row->{$this->groupNameAttribute};
    }

    return $groups;
}
/**
 * Return the groups the given user is a member of
 *
 * posixGroup entries reference members by plain user name, every other group class by DN.
 * The DN is taken from the user's cached 'ldap_dn' or resolved with a user query; an unknown
 * user yields no memberships. The effective group filter and the result are logged at debug level.
 *
 * @param   User    $user
 *
 * @return  array
 */
public function getMemberships(User $user)
{
    $isPosixGroup = $this->groupClass === 'posixGroup';
    if ($isPosixGroup) {
        // Posix group only uses simple user name
        $memberValue = $user->getUsername();
    } else {
        // LDAP groups use the complete DN
        $memberValue = $user->getAdditional('ldap_dn');
        if ($memberValue === null) {
            $userQuery = $this->ds
                ->select()
                ->from($this->userClass)
                ->where($this->userNameAttribute, $user->getUsername())
                ->setBase($this->userBaseDn)
                ->setUsePagedResults(false);
            if ($this->userFilter) {
                $userQuery->where(new Expression($this->userFilter));
            }

            $memberValue = $userQuery->fetchDn();
            if ($memberValue === null) {
                return array();
            }
        }
    }

    $groupQuery = $this->ds
        ->select()
        ->from($this->groupClass, array($this->groupNameAttribute))
        ->where($this->groupMemberAttribute, $memberValue)
        ->setBase($this->groupBaseDn);
    if ($this->groupFilter) {
        $groupQuery->where(new Expression($this->groupFilter));
    }

    Logger::debug(
        'Fetching groups for user %s using filter %s.',
        $user->getUsername(),
        $groupQuery->__toString()
    );

    $groups = array();
    foreach ($groupQuery as $row) {
        $groups[] = $row->{$this->groupNameAttribute};
    }

    Logger::debug('Fetched %d groups: %s.', count($groups), join(', ', $groups));

    return $groups;
}