Esempio n. 1
0
function authenticate()
{
    global $remote_username, $remote_displayname, $auto_tags, $user_given_tags, $user_auth_src, $script_mode, $require_local_account;
    if (!isset($user_auth_src) or !isset($require_local_account)) {
        throw new RackTablesError('secret.php: either user_auth_src or require_local_account are missing', RackTablesError::MISCONFIGURED);
    }
    if (isset($_REQUEST['logout'])) {
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    }
    // Reset browser credentials cache.
    if (!isset($script_mode) || !$script_mode || !(isset($remote_username) && strlen($remote_username))) {
        switch ($user_auth_src) {
            case 'database':
            case 'ldap':
                if (!isset($_SERVER['PHP_AUTH_USER']) or !strlen($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW']) or !strlen($_SERVER['PHP_AUTH_PW'])) {
                    throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
                }
                $remote_username = $_SERVER['PHP_AUTH_USER'];
                break;
            case 'httpd':
                if (!isset($_SERVER['REMOTE_USER']) or !strlen($_SERVER['REMOTE_USER'])) {
                    throw new RackTablesError('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
                }
                $remote_username = $_SERVER['REMOTE_USER'];
                break;
            default:
                throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
                die;
        }
    }
    $userinfo = constructUserCell($remote_username);
    if ($require_local_account and !isset($userinfo['user_id'])) {
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    }
    $user_given_tags = $userinfo['etags'];
    $auto_tags = array_merge($auto_tags, $userinfo['atags']);
    switch (TRUE) {
        case isset($script_mode) && $script_mode:
            return;
            // success
            // Just trust the server, because the password isn't known.
        // success
        // Just trust the server, because the password isn't known.
        case 'httpd' == $user_auth_src:
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : $remote_username;
            return;
            // success
            // When using LDAP, leave a mean to fix things. Admin user is always authenticated locally.
        // success
        // When using LDAP, leave a mean to fix things. Admin user is always authenticated locally.
        case 'database' == $user_auth_src or array_key_exists('user_id', $userinfo) and $userinfo['user_id'] == 1:
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : $remote_username;
            if (authenticated_via_database($userinfo, $_SERVER['PHP_AUTH_PW'])) {
                return;
            }
            // success
            break;
            // failure
        // failure
        case 'ldap' == $user_auth_src:
            $ldap_dispname = '';
            $ldap_success = authenticated_via_ldap($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname);
            if (!$ldap_success) {
                break;
            }
            // failure
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : (strlen($ldap_dispname) ? $ldap_dispname : $remote_username);
            // then one from LDAP
            return;
            // success
        // success
        default:
            throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
    }
    throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
}
Esempio n. 2
0
function authenticate()
{
    global $remote_username, $remote_displayname, $auto_tags, $user_given_tags, $user_auth_src, $script_mode, $require_local_account;
    // Phase 1. Assert basic pre-requisites, short-circuit the logout request.
    if (!isset($user_auth_src) or !isset($require_local_account)) {
        throw new RackTablesError('secret.php: either user_auth_src or require_local_account are missing', RackTablesError::MISCONFIGURED);
    }
    if (isset($_REQUEST['logout'])) {
        if (isset($user_auth_src) and 'saml' == $user_auth_src) {
            saml_logout();
        }
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
        // Reset browser credentials cache.
    }
    // Phase 2. Do some method-specific processing, initialize $remote_username on success.
    switch (TRUE) {
        case isset($script_mode) && $script_mode && isset($remote_username) && strlen($remote_username):
            break;
            // skip this phase
        // skip this phase
        case 'database' == $user_auth_src:
        case 'ldap' == $user_auth_src:
            if (!isset($_SERVER['PHP_AUTH_USER']) or !strlen($_SERVER['PHP_AUTH_USER']) or !isset($_SERVER['PHP_AUTH_PW']) or !strlen($_SERVER['PHP_AUTH_PW'])) {
                throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
            }
            $remote_username = $_SERVER['PHP_AUTH_USER'];
            break;
        case 'httpd' == $user_auth_src:
            if (!isset($_SERVER['REMOTE_USER']) or !strlen($_SERVER['REMOTE_USER'])) {
                throw new RackTablesError('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
            }
            $remote_username = $_SERVER['REMOTE_USER'];
            break;
        case 'saml' == $user_auth_src:
            $saml_username = '';
            $saml_dispname = '';
            if (!authenticated_via_saml($saml_username, $saml_dispname)) {
                throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
            }
            $remote_username = $saml_username;
            break;
        default:
            throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
    }
    // Phase 3. Handle local account requirement, pull user tags into security context.
    $userinfo = constructUserCell($remote_username);
    if ($require_local_account and !isset($userinfo['user_id'])) {
        throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
    }
    $user_given_tags = $userinfo['etags'];
    $auto_tags = array_merge($auto_tags, $userinfo['atags']);
    // Phase 4. Do more method-specific processing, initialize $remote_displayname on success.
    switch (TRUE) {
        case isset($script_mode) && $script_mode:
            return;
            // success
            // Just trust the server, because the password isn't known.
        // success
        // Just trust the server, because the password isn't known.
        case 'httpd' == $user_auth_src:
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : $remote_username;
            return;
            // success
            // When using LDAP, leave a mean to fix things. Admin user is always authenticated locally.
        // success
        // When using LDAP, leave a mean to fix things. Admin user is always authenticated locally.
        case array_key_exists('user_id', $userinfo) and $userinfo['user_id'] == 1:
        case 'database' == $user_auth_src:
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : $remote_username;
            if (authenticated_via_database($userinfo, $_SERVER['PHP_AUTH_PW'])) {
                return;
            }
            // success
            break;
            // failure
        // failure
        case 'ldap' == $user_auth_src:
            $ldap_dispname = '';
            if (!authenticated_via_ldap($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname)) {
                break;
            }
            // failure
            $remote_displayname = strlen($userinfo['user_realname']) ? $userinfo['user_realname'] : (strlen($ldap_dispname) ? $ldap_dispname : $remote_username);
            // then one from LDAP
            return;
            // success
        // success
        case 'saml' == $user_auth_src:
            $remote_displayname = strlen($saml_dispname) ? $saml_dispname : $saml_username;
            return;
            // success
        // success
        default:
            throw new RackTablesError('Invalid authentication source!', RackTablesError::MISCONFIGURED);
    }
    throw new RackTablesError('', RackTablesError::NOT_AUTHENTICATED);
}