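/**
 * Initialise the client-certificate (PKI) authentication object.
 *
 * When the request carries a client certificate, a CertAuth instance is
 * installed in the Piwik registry. If no valid login cookie exists, the
 * certificate DN is verified against the Govport authorisation service and,
 * on success, the session id is rotated and the login cookie is written.
 * On any failure the previously registered auth object is restored and an
 * error message is recorded so the standard login mechanism can take over.
 *
 * @param bool $activateCookieAuth Passed through to initAuthenticationFromCookie().
 */
public function initAuthenticationObject($activateCookieAuth = false)
{
    $clientCertificateAPI = ClientCertificatesAPI::getInstance();
    $loginAPI = LoginAPI::getInstance();
    $dn = $clientCertificateAPI->getUserDN();
    $issuerDn = $clientCertificateAPI->getIssuerDN();

    // NOTE(review): assumes getUserDN() returns a string or null — confirm.
    if ($dn === null || $dn === '') {
        $loginAPI->setErrorMessage("No certificate provided");
        \Piwik\Log::debug("No certificate provided. Falling back on standard login mechanism.");
        return;
    }

    $auth = new CertAuth();
    // Keep the current auth object so it can be restored if PKI auth fails.
    $previousAuth = \Piwik\Registry::get('auth');
    \Piwik\Registry::set('auth', $auth);

    // A valid login cookie makes the Govport round-trip unnecessary.
    if ($this->initAuthenticationFromCookie($auth, $activateCookieAuth)) {
        return;
    }

    $result = $clientCertificateAPI->queryGovport($dn, $issuerDn);
    if (!$result) {
        \Piwik\Registry::set('auth', $previousAuth);
        $loginAPI->setErrorMessage("Could not verify user against authorization service");
        \Piwik\Log::debug("Could not verify user against authorization service. Falling back on standard auth.");
        return;
    }

    $username = $this->getProperty($result, 'uid');
    $fullname = $this->getProperty($result, 'fullName');
    $email = $this->getProperty($result, 'email');
    $firstname = $this->getProperty($result, 'firstName');
    $lastname = $this->getProperty($result, 'lastName');
    $agency = $this->resolveAgencyFromGovport($result);

    \Piwik\Log::debug("Login PKI Response: {$username}, {$fullname}, {$email}, {$firstname}, {$lastname}, {$agency}");

    $auth->setLogin($username);
    $auth->setUserDN($dn);
    $auth->setPassword($username . $dn);
    // Computed once so the value stored on the auth object and the one written
    // to the cookie can never drift apart. Assumes getTokenAuthSecret() is
    // stable across authenticate() — TODO confirm against CertAuth.
    $tokenAuth = md5($username . $auth->getTokenAuthSecret());
    $auth->setTokenAuth($tokenAuth);
    $auth->setEmail($email);
    $auth->setAlias($this->getAlias($firstname, $lastname, $fullname));

    $authResult = $auth->authenticate();
    if (!$authResult->wasAuthenticationSuccessful()) {
        // Error message set by auth result
        \Piwik\Registry::set('auth', $previousAuth);
        return;
    }

    // New identity: rotate the session id so a pre-authentication id is not reused.
    Session::regenerateId();
    $this->saveCertAuthCookie($authResult->getIdentity(), $tokenAuth);
}

/**
 * Pick the agency from the Govport response: the first 'grantBy' entry,
 * else the first 'organizations' entry, else 'N/A'.
 *
 * @param object $result Decoded Govport response.
 * @return mixed The agency value (normally a string) or 'N/A'.
 */
private function resolveAgencyFromGovport($result)
{
    $agency = null;
    if (property_exists($result, 'grantBy')) {
        // isset() guard avoids an "undefined array key" warning on an empty list.
        $agency = isset($result->{'grantBy'}[0]) ? $result->{'grantBy'}[0] : null;
    }
    // Falsy check kept from the original loose null test: '' and '0' also count as missing.
    if (!$agency && property_exists($result, 'organizations')) {
        $agency = isset($result->{'organizations'}[0]) ? $result->{'organizations'}[0] : null;
    }
    return $agency ? $agency : 'N/A';
}

/**
 * Persist the authenticated identity in the Piwik login cookie.
 *
 * Session cookie (expiry 0), Secure when served over HTTPS, HttpOnly always.
 *
 * @param string $identity  Login returned by the auth result.
 * @param string $tokenAuth Token stored alongside it.
 */
private function saveCertAuthCookie($identity, $tokenAuth)
{
    $general = Config::getInstance()->General;
    $cookie = new Cookie($general['login_cookie_name'], 0, $general['login_cookie_path']);
    $cookie->set('login', $identity);
    $cookie->set('token_auth', $tokenAuth);
    $cookie->setSecure(ProxyHttp::isHttps());
    $cookie->setHttpOnly(true);
    $cookie->save();
}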
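/**
 * Decide whether the current user ($this->login / $this->userDN) may view reports.
 *
 * Two sources, chosen by plugin settings: the Govport group service (when
 * enabled and both group and project are configured), otherwise a
 * newline-separated allow-list of logins. An empty allow-list means every
 * user is viewable.
 *
 * @return bool
 */
private function getViewableUserStatus()
{
    $settings = new Settings();
    $useGovportGroups = $settings->useGovportGroups->getValue();
    // Cast so an unset (null) setting behaves like an empty string.
    $group = (string) $settings->govportGroup->getValue();
    $project = (string) $settings->govportProject->getValue();

    if ($useGovportGroups && $group !== '' && $project !== '') {
        return $this->isViewableByGovportGroup($group, $project);
    }

    return $this->isViewableByList((string) $settings->viewableUsers->getValue());
}

/**
 * Ask the Govport group service whether the user's DN is a member of the group.
 *
 * @param string $group
 * @param string $project
 * @return bool False when the service cannot be queried (an error message is recorded).
 */
private function isViewableByGovportGroup($group, $project)
{
    \Piwik\Log::debug("Using Govport Groups to get viewable status");
    $clientCertificateAPI = ClientCertificatesAPI::getInstance();
    $result = $clientCertificateAPI->queryGovportGroup($this->userDN, $group, $project);
    if (!$result) {
        $loginAPI = LoginAPI::getInstance();
        $loginAPI->setErrorMessage("Could not verify user against group authorization service");
        return false;
    }

    // Normalise the flag to a real bool: a textual "false" from the service
    // would otherwise be truthy, and the log lookup below needs a bool.
    $isViewable = filter_var($this->getProperty($result, 'isMember'), FILTER_VALIDATE_BOOLEAN);
    \Piwik\Log::debug("User [" . $this->login . "] viewable [" . ($isViewable ? 'true' : 'false') . "]");
    return $isViewable;
}

/**
 * Check the user's login against the configured newline-separated allow-list.
 *
 * @param string $viewableUsersString Raw setting value; '' means no restriction.
 * @return bool
 */
private function isViewableByList($viewableUsersString)
{
    if ($viewableUsersString === '') {
        \Piwik\Log::debug("No viewable users list");
        return true;
    }

    foreach (explode("\n", $viewableUsersString) as $viewableUser) {
        // Strict comparison: no numeric-string coercion (e.g. "1e3" == "1000")
        // and a blank line never matches a null login.
        if (trim($viewableUser) === $this->login) {
            \Piwik\Log::debug("User [" . $this->login . "] is on viewable list");
            return true;
        }
    }

    \Piwik\Log::debug("User [" . $this->login . "] is not on viewable list");
    return false;
}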