public function initAuthenticationObject($activateCookieAuth = false)
{
$clientCertificateAPI = ClientCertificatesAPI::getInstance();
$loginAPI = LoginAPI::getInstance();
$dn = $clientCertificateAPI->getUserDN();
$issuer_dn = $clientCertificateAPI->getIssuerDN();
if ($dn != null) {
$auth = new CertAuth();
$previousAuth = \Piwik\Registry::get('auth');
\Piwik\Registry::set('auth', $auth);
if (!$this->initAuthenticationFromCookie($auth, $activateCookieAuth)) {
$result = $clientCertificateAPI->queryGovport($dn, $issuer_dn);
if ($result) {
$username = $this->getProperty($result, 'uid');
$fullname = $this->getProperty($result, 'fullName');
$email = $this->getProperty($result, 'email');
$firstname = $this->getProperty($result, 'firstName');
$lastname = $this->getProperty($result, 'lastName');
$agency = null;
if (property_exists($result, 'grantBy')) {
$agency = $result->{'grantBy'}[0];
}
if ($agency == null) {
if (property_exists($result, 'organizations')) {
$agency = $result->{'organizations'}[0];
}
if ($agency == null) {
$agency = 'N/A';
}
}
\Piwik\Log::debug("Login PKI Response: {$username}, {$fullname}, {$email}, {$firstname}, {$lastname}, {$agency}");
$auth->setLogin($username);
$auth->setUserDN($dn);
$auth->setPassword($username . $dn);
$auth->setTokenAuth(md5($username . $auth->getTokenAuthSecret()));
$auth->setEmail($email);
$auth->setAlias($this->getAlias($firstname, $lastname, $fullname));
$authResult = $auth->authenticate();
if ($authResult->wasAuthenticationSuccessful()) {
Session::regenerateId();
//Create Cookie
$authCookieExpiry = 0;
$authCookieName = Config::getInstance()->General['login_cookie_name'];
$authCookiePath = Config::getInstance()->General['login_cookie_path'];
$cookie = new Cookie($authCookieName, $authCookieExpiry, $authCookiePath);
$cookie->set('login', $authResult->getIdentity());
$cookie->set('token_auth', md5($username . $auth->getTokenAuthSecret()));
$cookie->setSecure(ProxyHttp::isHttps());
$cookie->setHttpOnly(true);
$cookie->save();
} else {
// Error message set by auth result
\Piwik\Registry::set('auth', $previousAuth);
}
} else {
\Piwik\Registry::set('auth', $previousAuth);
$loginAPI->setErrorMessage("Could not verify user against authorization service");
\Piwik\Log::debug("Could not verify user against authorization service. Falling back on standard auth.");
}
}
} else {
$loginAPI->setErrorMessage("No certificate provided");
\Piwik\Log::debug("No certificate provided. Falling back on standard login mechanism.");
}
}
private function getViewableUserStatus()
{
$is_viewable_user = false;
$settings = new Settings();
$use_govport_groups = $settings->useGovportGroups->getValue();
$group = $settings->govportGroup->getValue();
$project = $settings->govportProject->getValue();
if ($use_govport_groups && $group != "" && $project != "") {
\Piwik\Log::debug("Using Govport Groups to get viewable status");
$clientCertificateAPI = ClientCertificatesAPI::getInstance();
$result = $clientCertificateAPI->queryGovportGroup($this->userDN, $group, $project);
if ($result) {
$is_viewable_user = $this->getProperty($result, 'isMember');
$bool_array = array(false => 'false', true => 'true');
\Piwik\Log::debug("User [" . $this->login . "] viewable [" . $bool_array[$is_viewable_user] . "]");
} else {
$loginAPI = LoginAPI::getInstance();
$loginAPI->setErrorMessage("Could not verify user against group authorization service");
}
} else {
$viewable_users_string = $settings->viewableUsers->getValue();
$viewable_users = explode("\n", $viewable_users_string);
foreach ($viewable_users as $viewable_user) {
if (trim($viewable_user) == $this->login) {
$is_viewable_user = true;
}
}
if ($viewable_users_string == "") {
$is_viewable_user = true;
\Piwik\Log::debug("No viewable users list");
} else {
if ($is_viewable_user) {
\Piwik\Log::debug("User [" . $this->login . "] is on viewable list");
} else {
\Piwik\Log::debug("User [" . $this->login . "] is not on viewable list");
}
}
}
return $is_viewable_user;
}
