 /**
  * Counts the LDAP users that are members of the given group.
  *
  * The lookup uses a search filter of the form `(<memberOfField>=?)`: the attribute
  * name comes from INI config, while the group value is handed over as a bind
  * parameter for the `?` placeholder instead of being concatenated into the filter.
  * Super User access is verified before anything else runs.
  *
  * @param string $memberOf The group to check. The value is passed through
  *                         Common::unsanitizeInputValue() first, presumably to undo
  *                         Piwik's request-input sanitization.
  * @return int
  * @throws Exception if the current user is not a Super User or something goes wrong with LDAP.
  */
 public function getCountOfUsersMemberOf($memberOf)
 {
     Piwik::checkUserHasSuperUserAccess();

     $groupName = Common::unsanitizeInputValue($memberOf);
     $filter = sprintf('(%s=?)', Config::getRequiredMemberOfField());

     // NOTE(review): escaping of the bound value is assumed to happen inside
     // getCountOfUsersMatchingFilter() — confirm before relying on it.
     return $this->ldapUsers->getCountOfUsersMatchingFilter($filter, array($groupName));
 }
 /**
  * Renders the LoginLdap admin settings page.
  *
  * Only Super Users may open it. When the PHP LDAP extension is not loaded
  * (`ldap_connect` missing) a persistent error notification is queued. The server
  * list comes from Config::getServerNameList(); when that list is empty the older
  * single-server config (ServerInfo::makeFromOldConfig()) is used instead, and if
  * converting it throws, the page still renders with an empty server list.
  *
  * @return string The rendered view.
  */
 public function admin()
 {
     Piwik::checkUserHasSuperUserAccess();

     $view = new View('@LoginLdap/index');
     ControllerAdmin::setBasicVariablesAdminView($view);

     if (!function_exists('ldap_connect')) {
         $missingLdap = new Notification(Piwik::translate('LoginLdap_LdapFunctionsMissing'));
         $missingLdap->context = Notification::CONTEXT_ERROR;
         $missingLdap->type = Notification::TYPE_PERSISTENT;
         Notification\Manager::notify('LoginLdap_LdapFunctionsMissing', $missingLdap);
     }

     $this->setBasicVariablesView($view);

     $configuredServers = Config::getServerNameList() ?: array();
     $view->servers = array();

     if (!empty($configuredServers)) {
         foreach ($configuredServers as $serverName) {
             $serverConfig = Config::getServerConfig($serverName);
             if (empty($serverConfig)) {
                 continue;
             }
             $serverConfig['name'] = $serverName;
             $view->servers[] = $serverConfig;
         }
     } else {
         // Best effort: a missing or broken legacy config must not break the
         // settings page, so the server list is simply left empty.
         try {
             $legacyServer = ServerInfo::makeFromOldConfig()->getProperties();
             $legacyServer['name'] = 'server';
             $view->servers[] = $legacyServer;
         } catch (Exception $ex) {
             // ignore
         }
     }

     $view->ldapConfig = Config::getPluginOptionValuesWithDefaults();
     $view->isLoginControllerActivated = PluginManager::getInstance()->isPluginActivated('Login');
     $view->updatedFromPre30 = Option::get('LoginLdap_updatedFromPre3_0');

     return $view->render();
 }
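 /**
  * Returns a ServerInfo instance created using options in an INI config section.
  * The INI config section's name is determined by prefixing `'LoginLdap_'` to the
  * server name.
  *
  * The INI config section can have the following information:
  *
  * - **hostname** _(Required)_ The server's hostname.
  * - **base_dn** _(Required)_ The base DN to use with this server.
  * - **port** The port to use when connecting to the server.
  * - **admin_user** The name of an admin user that has read access to other users.
  * - **admin_pass** The password to use when binding with the admin user.
  *
  * Optional keys that are absent from the section are skipped, leaving the
  * ServerInfo defaults in place.
  *
  * @param string $name The name of the LDAP server in config. This value can be
  *                     used in the `[LoginLdap] servers[] = ` config option to
  *                     add an LDAP server to the list of servers LoginLdap will
  *                     connect to.
  * @return ServerInfo
  * @throws Exception if the LDAP server config cannot be found or is missing
  *                   required information.
  */
 public static function makeConfigured($name)
 {
     $config = Config::getServerConfig($name);
     if (empty($config)) {
         throw new Exception("No configuration section [{$name}] found.");
     }
     if (empty($config['hostname'])) {
         throw new Exception("Required config option 'hostname' not found in [{$name}] section.");
     }
     if (empty($config['base_dn'])) {
         throw new Exception("Required config option 'base_dn' not found in [{$name}] section.");
     }

     $hostname = $config['hostname'];
     $baseDn = $config['base_dn'];
     $result = new ServerInfo($hostname, $baseDn);

     // Optional keys are read with isset() so a section that omits them does not
     // trigger an "undefined index" notice.
     $port = isset($config['port']) ? $config['port'] : null;
     if (!empty($port)) {
         $result->setServerPort((int) $port);
     }

     $adminUser = isset($config['admin_user']) ? $config['admin_user'] : null;
     if (!empty($adminUser)) {
         $result->setAdminUsername($adminUser);
     }

     $adminPass = isset($config['admin_pass']) ? $config['admin_pass'] : null;
     if (!empty($adminPass)) {
         $result->setAdminPassword($adminPass);
     }

     // Keep bind credentials out of the log: show only a 3-character prefix of
     // the admin username (substr($adminUser, 3) dropped the prefix and logged
     // the rest of the name) and report the password as set/unset only, so not
     // even its length ends up in debug output.
     $adminUserForLog = empty($adminUser) ? '<none>' : substr($adminUser, 0, 3) . '...';
     $adminPassForLog = empty($adminPass) ? '<none>' : '<set>';
     Log::debug("ServerInfo::%s: configuring with hostname = %s, baseDn = %s, port = %s, adminUser = %s, adminPass = %s", __FUNCTION__, $hostname, $baseDn, $port, $adminUserForLog, $adminPassForLog);

     return $result;
 }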
 /**
  * Returns a SynchronizedAuth instance configured with INI config.
  *
  * The instance gets a configured LdapUsers, the UsersManager API, a UserModel
  * and a configured UserSynchronizer; whether users are synchronized after a
  * successful login is taken from Config::getShouldSynchronizeUsersAfterLogin().
  *
  * @return SynchronizedAuth
  */
 public static function makeConfigured()
 {
     $auth = new SynchronizedAuth();

     $auth->setLdapUsers(LdapUsers::makeConfigured());
     $auth->setUsersManagerAPI(UsersManagerAPI::getInstance());
     $auth->setUsersModel(new UserModel());
     $auth->setUserSynchronizer(UserSynchronizer::makeConfigured());
     $auth->setSynchronizeUsersAfterSuccessfulLogin(Config::getShouldSynchronizeUsersAfterLogin());

     return $auth;
 }
 /**
  * Returns a configured UserAccessMapper instance. The instance is configured
  * using INI config option values.
  *
  * The view/admin/superuser attribute names are applied only when the
  * corresponding config option is non-empty; otherwise the mapper's own
  * defaults are kept.
  *
  * @return UserAccessMapper
  */
 public static function makeConfigured()
 {
     $mapper = new UserAccessMapper();
     $mapper->setUserAccessAttributeParser(UserAccessAttributeParser::makeConfigured());

     $viewField = Config::getLdapViewAccessField();
     if (!empty($viewField)) {
         $mapper->setViewAttributeName($viewField);
     }

     $adminField = Config::getLdapAdminAccessField();
     if (!empty($adminField)) {
         $mapper->setAdminAttributeName($adminField);
     }

     $superuserField = Config::getSuperUserAccessField();
     if (!empty($superuserField)) {
         $mapper->setSuperuserAttributeName($superuserField);
     }

     return $mapper;
 }
 /**
  * Creates a UserMapper instance configured using INI options.
  *
  * Each LDAP attribute name, the email suffix and the two boolean switches are
  * applied only when the config value is non-empty, so unset options keep the
  * mapper's defaults. The effective values are written to the debug log.
  *
  * @return UserMapper
  */
 public static function makeConfigured()
 {
     $mapper = new UserMapper();

     // Attribute names used to map LDAP entries onto Piwik users.
     $uidAttr = Config::getLdapUserIdField();
     if (!empty($uidAttr)) {
         $mapper->setLdapUserIdField($uidAttr);
     }
     $lastNameAttr = Config::getLdapLastNameField();
     if (!empty($lastNameAttr)) {
         $mapper->setLdapLastNameField($lastNameAttr);
     }
     $firstNameAttr = Config::getLdapFirstNameField();
     if (!empty($firstNameAttr)) {
         $mapper->setLdapFirstNameField($firstNameAttr);
     }
     $aliasAttr = Config::getLdapAliasField();
     if (!empty($aliasAttr)) {
         $mapper->setLdapAliasField($aliasAttr);
     }
     $mailAttr = Config::getLdapMailField();
     if (!empty($mailAttr)) {
         $mapper->setLdapMailField($mailAttr);
     }
     $passwordAttr = Config::getLdapPasswordField();
     if (!empty($passwordAttr)) {
         $mapper->setLdapUserPasswordField($passwordAttr);
     }

     // Email/username shaping and token_auth generation.
     $emailSuffix = Config::getLdapUserEmailSuffix();
     if (!empty($emailSuffix)) {
         $mapper->setUserEmailSuffix($emailSuffix);
     }
     $randomTokenAuth = Config::isRandomTokenAuthGenerationEnabled();
     if (!empty($randomTokenAuth)) {
         $mapper->setIsRandomTokenAuthGenerationEnabled($randomTokenAuth);
     }
     $appendSuffixToUsername = Config::shouldAppendUserEmailSuffixToUsername();
     if (!empty($appendSuffixToUsername)) {
         $mapper->setAppendUserEmailSuffixToUsername($appendSuffixToUsername);
     }

     Log::debug("UserMapper::%s: configuring with uidField = %s, aliasField = %s firstNameField = %s, lastNameField = %s" . " mailField = %s, ldapUserPasswordField = %s, userEmailSuffix = %s, isRandomTokenAuthGenerationEnabled = %s", __FUNCTION__, $uidAttr, $aliasAttr, $firstNameAttr, $lastNameAttr, $mailAttr, $passwordAttr, $emailSuffix, $randomTokenAuth);

     return $mapper;
 }
 /**
  * Creates a UserMapper instance configured using INI options.
  *
  * Every option is optional: a setter is only invoked when the config value is
  * non-empty, so the mapper keeps its own defaults for anything left unset.
  *
  * @return UserMapper
  */
 public static function makeConfigured()
 {
     $mapper = new UserMapper();

     $uidAttr = Config::getLdapUserIdField();
     if (!empty($uidAttr)) {
         $mapper->setLdapUserIdField($uidAttr);
     }

     $lastNameAttr = Config::getLdapLastNameField();
     if (!empty($lastNameAttr)) {
         $mapper->setLdapLastNameField($lastNameAttr);
     }

     $firstNameAttr = Config::getLdapFirstNameField();
     if (!empty($firstNameAttr)) {
         $mapper->setLdapFirstNameField($firstNameAttr);
     }

     $aliasAttr = Config::getLdapAliasField();
     if (!empty($aliasAttr)) {
         $mapper->setLdapAliasField($aliasAttr);
     }

     $mailAttr = Config::getLdapMailField();
     if (!empty($mailAttr)) {
         $mapper->setLdapMailField($mailAttr);
     }

     $passwordAttr = Config::getLdapPasswordField();
     if (!empty($passwordAttr)) {
         $mapper->setLdapUserPasswordField($passwordAttr);
     }

     $emailSuffix = Config::getLdapUserEmailSuffix();
     if (!empty($emailSuffix)) {
         $mapper->setUserEmailSuffix($emailSuffix);
     }

     $randomTokenAuth = Config::isRandomTokenAuthGenerationEnabled();
     if (!empty($randomTokenAuth)) {
         $mapper->setIsRandomTokenAuthGenerationEnabled($randomTokenAuth);
     }

     $appendSuffixToUsername = Config::shouldAppendUserEmailSuffixToUsername();
     if (!empty($appendSuffixToUsername)) {
         $mapper->setAppendUserEmailSuffixToUsername($appendSuffixToUsername);
     }

     return $mapper;
 }
 /**
  * Creates a UserSynchronizer using INI configuration.
  *
  * The synchronizer is wired with a configured UserMapper, the UsersManager API
  * and a UserModel. A UserAccessMapper is attached only when access
  * synchronization is enabled in config. The new_user_default_sites_view_access
  * option is resolved to site IDs while temporarily holding Super User access; if
  * it resolves to nothing a warning is logged, since newly synchronized users would
  * then get no access at all.
  *
  * @return UserSynchronizer
  */
 public static function makeConfigured()
 {
     $synchronizer = new UserSynchronizer();
     $synchronizer->setUserMapper(UserMapper::makeConfigured());
     $synchronizer->setUsersManagerApi(UsersManagerAPI::getInstance());
     $synchronizer->setUserModel(new UserModel());

     /** @var LoggerInterface $logger */
     $logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
     $logContext = array('func' => __FUNCTION__);

     if (Config::isAccessSynchronizationEnabled()) {
         $synchronizer->setUserAccessMapper(UserAccessMapper::makeConfigured());
         $logger->debug("UserSynchronizer::{func}(): Using UserAccessMapper when synchronizing users.", $logContext);
     } else {
         $logger->debug("UserSynchronizer::{func}(): LDAP access synchronization not enabled.", $logContext);
     }

     $defaultViewSites = Config::getDefaultSitesToGiveViewAccessTo();
     if (!empty($defaultViewSites)) {
         $defaultSiteIds = Access::doAsSuperUser(function () use ($defaultViewSites) {
             return Site::getIdSitesFromIdSitesString($defaultViewSites);
         });
         if (empty($defaultSiteIds)) {
             $logger->warning("UserSynchronizer::{func}(): new_user_default_sites_view_access INI config option has no " . "entries. Newly synchronized users will not have any access.", $logContext);
         }
         $synchronizer->setNewUserDefaultSitesWithViewAccess($defaultSiteIds);
     }

     $logger->debug("UserSynchronizer::{func}: configuring with defaultSitesWithViewAccess = {sites}", array('func' => __FUNCTION__, 'sites' => $defaultViewSites));

     return $synchronizer;
 }
 /**
  * Returns a WebServerAuth instance configured with INI config.
  *
  * Besides the LDAP users, UsersManager API, UserModel and UserSynchronizer
  * wiring, the instance gets a fallback Auth: LdapAuth when LDAP is configured
  * for authentication, SynchronizedAuth otherwise.
  *
  * @return WebServerAuth
  */
 public static function makeConfigured()
 {
     $auth = new WebServerAuth();

     $auth->setLdapUsers(LdapUsers::makeConfigured());
     $auth->setUsersManagerAPI(UsersManagerAPI::getInstance());
     $auth->setUsersModel(new UserModel());
     $auth->setUserSynchronizer(UserSynchronizer::makeConfigured());
     $auth->setSynchronizeUsersAfterSuccessfulLogin(Config::getShouldSynchronizeUsersAfterLogin());

     // Used when web-server authentication does not yield a user.
     $fallback = Config::getUseLdapForAuthentication()
         ? LdapAuth::makeConfigured()
         : SynchronizedAuth::makeConfigured();
     $auth->setFallbackAuth($fallback);

     return $auth;
 }
 /**
  * Creates a new {@link LdapUsers} instance using config.ini.php values.
  *
  * The configured LDAP servers are always set. Username suffix, required
  * memberOf value and field, extra LDAP filter and network timeout are applied
  * only when their config option is non-empty. The effective values are written
  * to the debug log.
  *
  * @return LdapUsers
  */
 public static function makeConfigured()
 {
     $ldapUsers = new LdapUsers();
     $ldapUsers->setLdapServers(Config::getConfiguredLdapServers());

     $emailSuffix = Config::getLdapUserEmailSuffix();
     if (!empty($emailSuffix)) {
         $ldapUsers->setAuthenticationUsernameSuffix($emailSuffix);
     }

     // Group membership required for authentication, and the attribute holding it.
     $requiredGroup = Config::getRequiredMemberOf();
     if (!empty($requiredGroup)) {
         $ldapUsers->setAuthenticationRequiredMemberOf($requiredGroup);
     }
     $memberOfAttr = Config::getRequiredMemberOfField();
     if (!empty($memberOfAttr)) {
         $ldapUsers->setAuthenticationMemberOfField($memberOfAttr);
     }

     $userFilter = Config::getLdapUserFilter();
     if (!empty($userFilter)) {
         $ldapUsers->setAuthenticationLdapFilter($userFilter);
     }

     $networkTimeout = Config::getLdapNetworkTimeout();
     if (!empty($networkTimeout)) {
         $ldapUsers->setLdapNetworkTimeout($networkTimeout);
     }

     $ldapUsers->setLdapUserMapper(UserMapper::makeConfigured());

     Log::debug("LdapUsers::%s: configuring with userEmailSuffix = %s, requiredMemberOf = %s, filter = %s, timeoutSecs = %s", __FUNCTION__, $emailSuffix, $requiredGroup, $userFilter, $networkTimeout);

     return $ldapUsers;
 }
 /**
  * Creates a UserSynchronizer using INI configuration.
  *
  * The synchronizer is wired with a configured UserMapper, the UsersManager API
  * and a UserModel. A UserAccessMapper is attached only when access
  * synchronization is enabled in config. The new_user_default_sites_view_access
  * option is resolved to site IDs while temporarily holding Super User access; if
  * it resolves to nothing a warning is logged, since newly synchronized users would
  * then get no access at all.
  *
  * @return UserSynchronizer
  */
 public static function makeConfigured()
 {
     $synchronizer = new UserSynchronizer();
     $synchronizer->setUserMapper(UserMapper::makeConfigured());
     $synchronizer->setUsersManagerApi(UsersManagerAPI::getInstance());
     $synchronizer->setUserModel(new UserModel());

     if (Config::isAccessSynchronizationEnabled()) {
         $synchronizer->setUserAccessMapper(UserAccessMapper::makeConfigured());
         Log::debug("UserSynchronizer::%s(): Using UserAccessMapper when synchronizing users.", __FUNCTION__);
     } else {
         Log::debug("UserSynchronizer::%s(): LDAP access synchronization not enabled.", __FUNCTION__);
     }

     $defaultViewSites = Config::getDefaultSitesToGiveViewAccessTo();
     if (!empty($defaultViewSites)) {
         $defaultSiteIds = Access::doAsSuperUser(function () use ($defaultViewSites) {
             return Site::getIdSitesFromIdSitesString($defaultViewSites);
         });
         if (empty($defaultSiteIds)) {
             Log::warning("UserSynchronizer::%s(): new_user_default_sites_view_access INI config option has no " . "entries. Newly synchronized users will not have any access.", __FUNCTION__);
         }
         $synchronizer->setNewUserDefaultSitesWithViewAccess($defaultSiteIds);
     }

     Log::debug("UserSynchronizer::%s: configuring with defaultSitesWithViewAccess = %s", __FUNCTION__, $defaultViewSites);

     return $synchronizer;
 }
 /**
  * Returns the authentication implementation to use in LoginLdap based on certain
  * INI configuration values.
  *
  * Precedence: web-server authentication first, then LDAP authentication, and
  * SynchronizedAuth when neither is enabled.
  *
  * @return Base
  */
 public static function factory()
 {
     if (Config::shouldUseWebServerAuthentication()) {
         return WebServerAuth::makeConfigured();
     }

     if (Config::getUseLdapForAuthentication()) {
         return LdapAuth::makeConfigured();
     }

     return SynchronizedAuth::makeConfigured();
 }
 /**
  * Creates a UserAccessAttributeParser instance using INI configuration.
  *
  * The server-specification delimiter, the server/site ID separator and the
  * designated Piwik instance name are applied only when their config value is
  * non-empty. Without an instance name, a separator of ':' is reported at info
  * level because that character can also appear in URLs matched against LDAP.
  *
  * @return UserAccessAttributeParser
  */
 public static function makeConfigured()
 {
     $parser = new UserAccessAttributeParser();

     $specDelimiter = Config::getUserAccessAttributeServerSpecificationDelimiter();
     if (!empty($specDelimiter)) {
         $parser->setServerSpecificationDelimiter($specDelimiter);
     }

     $idListSeparator = Config::getUserAccessAttributeServerSiteListSeparator();
     if (!empty($idListSeparator)) {
         $parser->setServerIdsSeparator($idListSeparator);
     }

     $instanceName = Config::getDesignatedPiwikInstanceName();
     if (!empty($instanceName)) {
         $parser->setThisPiwikInstanceName($instanceName);
     } elseif ($parser->getServerIdsSeparator() == ':') {
         Log::info("UserAttributesParser::%s: Configured with no instance name so matching by URL, but server/site IDs" . " separator set to special ':' character. This character may show up in URLs in LDAP, which will " . "cause problems. We recommend you use a character not often found in URLs, such as '|'.", __FUNCTION__);
     }

     Log::debug("UserAccessAttributeParser::%s: configuring with serverSpecificationDelimiter = %s, serverSiteIdListSeparator = %s, " . "thisPiwikInstanceName = %s", __FUNCTION__, $specDelimiter, $idListSeparator, $instanceName);

     return $parser;
 }
 /**
  * Returns a configured UserAccessMapper instance. The instance is configured
  * using INI config option values.
  *
  * The view/admin/superuser attribute names are applied only when the
  * corresponding config option is non-empty; the effective values are written
  * to the debug log.
  *
  * @return UserAccessMapper
  */
 public static function makeConfigured()
 {
     $mapper = new UserAccessMapper();
     $mapper->setUserAccessAttributeParser(UserAccessAttributeParser::makeConfigured());

     $viewField = Config::getLdapViewAccessField();
     if (!empty($viewField)) {
         $mapper->setViewAttributeName($viewField);
     }

     $adminField = Config::getLdapAdminAccessField();
     if (!empty($adminField)) {
         $mapper->setAdminAttributeName($adminField);
     }

     $superuserField = Config::getSuperUserAccessField();
     if (!empty($superuserField)) {
         $mapper->setSuperuserAttributeName($superuserField);
     }

     Log::debug("UserAccessMapper::%s: configuring with viewAttributeName = '%s', adminAttributeName = '%s', superuserAttributeName = '%s'", __FUNCTION__, $viewField, $adminField, $superuserField);

     return $mapper;
 }
 /**
  * Creates a new {@link LdapUsers} instance using config.ini.php values.
  *
  * The configured LDAP servers are always set. Username suffix, required
  * memberOf value and field, extra LDAP filter and network timeout are applied
  * only when their config option is non-empty.
  *
  * @return LdapUsers
  */
 public static function makeConfigured()
 {
     $ldapUsers = new LdapUsers();
     $ldapUsers->setLdapServers(Config::getConfiguredLdapServers());

     $emailSuffix = Config::getLdapUserEmailSuffix();
     if (!empty($emailSuffix)) {
         $ldapUsers->setAuthenticationUsernameSuffix($emailSuffix);
     }

     // Group membership required for authentication, and the attribute holding it.
     $requiredGroup = Config::getRequiredMemberOf();
     if (!empty($requiredGroup)) {
         $ldapUsers->setAuthenticationRequiredMemberOf($requiredGroup);
     }
     $memberOfAttr = Config::getRequiredMemberOfField();
     if (!empty($memberOfAttr)) {
         $ldapUsers->setAuthenticationMemberOfField($memberOfAttr);
     }

     $userFilter = Config::getLdapUserFilter();
     if (!empty($userFilter)) {
         $ldapUsers->setAuthenticationLdapFilter($userFilter);
     }

     $networkTimeout = Config::getLdapNetworkTimeout();
     if (!empty($networkTimeout)) {
         $ldapUsers->setLdapNetworkTimeout($networkTimeout);
     }

     $ldapUsers->setLdapUserMapper(UserMapper::makeConfigured());

     return $ldapUsers;
 }
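 /**
  * Returns every LoginLdap INI option with its effective value: the default from
  * self::$defaultConfig, overridden by the value from config when one is set.
  * A null (unset) config value keeps the default.
  *
  * @return array Option name => effective value.
  */
 public static function getPluginOptionValuesWithDefaults()
 {
     $result = self::$defaultConfig;
     foreach (array_keys($result) as $name) {
         $actualValue = Config::getConfigOption($name);

         // use_webserver_auth may be written as the string 'false' in INI, which
         // would otherwise be treated as enabled; normalize it to 0. Option names
         // are string keys, so strict comparison is safe and avoids loose-== surprises.
         if ($name === 'use_webserver_auth' && $actualValue === 'false') {
             $actualValue = 0;
         }

         if (isset($actualValue)) {
             $result[$name] = $actualValue;
         }
     }
     return $result;
 }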
 /**
  * Creates a UserAccessAttributeParser instance using INI configuration.
  *
  * The server-specification delimiter, the server/site ID separator and the
  * designated Piwik instance name are applied only when their config value is
  * non-empty. Without an instance name, a separator of ':' is reported at info
  * level because that character can also appear in URLs matched against LDAP.
  *
  * @return UserAccessAttributeParser
  */
 public static function makeConfigured()
 {
     $parser = new UserAccessAttributeParser();

     $specDelimiter = Config::getUserAccessAttributeServerSpecificationDelimiter();
     if (!empty($specDelimiter)) {
         $parser->setServerSpecificationDelimiter($specDelimiter);
     }

     $idListSeparator = Config::getUserAccessAttributeServerSiteListSeparator();
     if (!empty($idListSeparator)) {
         $parser->setServerIdsSeparator($idListSeparator);
     }

     $instanceName = Config::getDesignatedPiwikInstanceName();
     if (!empty($instanceName)) {
         $parser->setThisPiwikInstanceName($instanceName);
     } elseif ($parser->getServerIdsSeparator() == ':') {
         // TODO: remove this warning and move it to the settings page.
         /** @var LoggerInterface $logger */
         $logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
         $logger->info("UserAttributesParser::{func}: Configured with no instance name so matching by URL, but server/site IDs" . " separator set to special ':' character. This character may show up in URLs in LDAP, which will " . "cause problems. We recommend you use a character not often found in URLs, such as '|'.", array('func' => __FUNCTION__));
     }

     return $parser;
 }
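 /**
  * Returns a ServerInfo instance created using options in an INI config section.
  * The INI config section's name is determined by prefixing `'LoginLdap_'` to the
  * server name.
  *
  * The INI config section can have the following information:
  *
  * - **hostname** _(Required)_ The server's hostname.
  * - **base_dn** _(Required)_ The base DN to use with this server.
  * - **port** The port to use when connecting to the server.
  * - **admin_user** The name of an admin user that has read access to other users.
  * - **admin_pass** The password to use when binding with the admin user.
  *
  * Optional keys that are absent from the section are skipped, leaving the
  * ServerInfo defaults in place.
  *
  * @param string $name The name of the LDAP server in config. This value can be
  *                     used in the `[LoginLdap] servers[] = ` config option to
  *                     add an LDAP server to the list of servers LoginLdap will
  *                     connect to.
  * @return ServerInfo
  * @throws Exception if the LDAP server config cannot be found or is missing
  *                   required information.
  */
 public static function makeConfigured($name)
 {
     $config = Config::getServerConfig($name);
     if (empty($config)) {
         throw new Exception("No configuration section [{$name}] found.");
     }
     if (empty($config['hostname'])) {
         throw new Exception("Required config option 'hostname' not found in [{$name}] section.");
     }
     if (empty($config['base_dn'])) {
         throw new Exception("Required config option 'base_dn' not found in [{$name}] section.");
     }

     $result = new ServerInfo($config['hostname'], $config['base_dn']);

     // Optional keys are read with isset() so a section that omits them does not
     // trigger an "undefined index" notice.
     $port = isset($config['port']) ? $config['port'] : null;
     if (!empty($port)) {
         $result->setServerPort((int) $port);
     }

     $adminUser = isset($config['admin_user']) ? $config['admin_user'] : null;
     if (!empty($adminUser)) {
         $result->setAdminUsername($adminUser);
     }

     $adminPass = isset($config['admin_pass']) ? $config['admin_pass'] : null;
     if (!empty($adminPass)) {
         $result->setAdminPassword($adminPass);
     }

     return $result;
 }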