Special method for LDAP auth
sync LDAP groups to Scalr groups
| public applyLdapGroups ( $groups ) | ||
| $groups | ||
/**
* @param Scalr_Account_User $user
* @param bool $keepSession
*/
private function loginUserCreate($user, $keepSession)
{
$user->updateLastLogin();
Scalr_Session::create($user->getId());
if (Scalr::config('scalr.auth_mode') == 'ldap') {
$user->applyLdapGroups($this->ldapGroups);
} else {
if ($keepSession) {
Scalr_Session::keepSession();
}
}
$this->response->data(array('userId' => $user->getId(), 'specialToken' => Scalr_Session::getInstance()->getToken()));
}
private function AuthenticateRESTv3($request)
{
if (!$request['Signature']) {
throw new Exception("Signature is missing");
}
if (!$request['KeyID']) {
throw new Exception("KeyID is missing");
}
if (!$request['Timestamp'] && !$request['TimeStamp']) {
throw new Exception("Timestamp is missing");
}
if ($request['Timestamp']) {
$request['TimeStamp'] = $request['Timestamp'];
}
//You mustn't do urldecode here in the next API version!
$string_to_sign = "{$request['Action']}:{$request['KeyID']}:" . urldecode($request['TimeStamp']);
$this->debug['stringToSign'] = $string_to_sign;
try {
$this->user = Scalr_Account_User::init()->loadByApiAccessKey($request['KeyID']);
} catch (Exception $e) {
}
if (!$this->user) {
throw new Exception("The specified KeyID does not exist");
}
$auth_key = $this->user->getSetting(Scalr_Account_User::SETTING_API_SECRET_KEY);
if ($this->user->getAccountId()) {
if (\Scalr::config('scalr.auth_mode') == 'ldap') {
$this->Environment = Scalr_Environment::init()->loadById($request['EnvID']);
try {
$user = strtok($this->user->getEmail(), '@');
$ldap = \Scalr::getContainer()->ldap($user, null);
if (!$ldap->isValidUsername()) {
throw new Exception('Incorrect login or password (1)');
}
$this->user->applyLdapGroups($ldap->getUserGroups());
} catch (Exception $e) {
throw new Exception("Incorrect login or password (1)" . "\n" . $ldap->getLog());
}
} else {
if (!$request['EnvID']) {
$envs = $this->user->getEnvironments();
if (!$envs[0]['id']) {
throw new Exception("User has no access to any environments");
}
$this->Environment = Scalr_Environment::init()->loadById($envs[0]['id']);
} else {
$this->Environment = Scalr_Environment::init()->loadById($request['EnvID']);
}
}
$this->user->getPermissions()->setEnvironmentId($this->Environment->id)->validate($this->Environment);
//We must set environment to DI Container.
$this->getContainer()->environment = $this->Environment;
}
$valid_sign = base64_encode(hash_hmac(self::HASH_ALGO, trim($string_to_sign), $auth_key, 1));
//You mustn't do this in the next API version!
$request['Signature'] = str_replace(" ", "+", urldecode($request['Signature']));
//You mustn't do urldecode here in the next API version!
$this->debug['reqSignature'] = urldecode($request['Signature']);
$this->debug['validSignature'] = $valid_sign;
$this->debug['usedAuthVersion'] = 3;
$this->debug['sha256AccessKey'] = hash(self::HASH_ALGO, $auth_key);
if ($valid_sign != $request['Signature']) {
//This is workaround to bugfix SCALRCORE-400.
//It needn't have made unnecessary urldecode operation with request parameters.
$sts2 = "{$request['Action']}:{$request['KeyID']}:{$request['TimeStamp']}";
$vs2 = base64_encode(hash_hmac(self::HASH_ALGO, trim($sts2), $auth_key, 1));
if ($vs2 != $request['Signature']) {
throw new Exception("Signature doesn't match");
}
}
}
/**
* @param Scalr_Account_User $user
*/
private function loginUserCreate($user)
{
$user->updateLastLogin();
Scalr_Session::create($user->getId());
if (Scalr::config('scalr.auth_mode') == 'ldap') {
$user->applyLdapGroups($this->ldapGroups);
} else {
if ($this->getParam('scalrKeepSession') == 'on') {
Scalr_Session::keepSession();
}
}
$this->response->data(array('userId' => $user->getId()));
}
