Exemplo n.º 1
 /**
  * Resolve the path of the current user's dashboard configuration file
  *
  * The relative path dashboards/<username>/dashboard.ini is passed to Config::resolvePath().
  *
  * @return  string
  *
  * @throws  ProgrammingError    In case no user is set
  */
 public function getConfigFile()
 {
     if ($this->user === null) {
         throw new ProgrammingError('Can\'t load dashboards. User is not set');
     }

     // NOTE(review): the user name becomes a path segment unmodified. Confirm that names containing
     // "/" or ".." cannot reach this point, otherwise the resolved path may leave dashboards/.
     $relativePath = sprintf('dashboards/%s/dashboard.ini', $this->user->getUsername());

     return Config::resolvePath($relativePath);
 }
Exemplo n.º 2
 /**
  * Load the configured roles and assign the matching ones to the given user
  *
  * Every role for which match() succeeds contributes its permissions, its restrictions and a Role object.
  * If the roles configuration cannot be read, the error is logged and the user is left untouched.
  *
  * @param   User    $user
  */
 public function applyRoles(User $user)
 {
     $username = $user->getUsername();
     try {
         $roles = Config::app('roles');
     } catch (NotReadableError $e) {
         // NOTE(review): returning here keeps whatever permissions, restrictions and roles the user
         // object already carries. Confirm callers never pass a user with earlier grants.
         Logger::error('Can\'t get permissions and restrictions for user \'%s\'. An exception was thrown:', $username, $e);
         return;
     }

     $userGroups = $user->getGroups();
     $permissions = array();
     $restrictions = array();
     $roleObjs = array();
     foreach ($roles as $roleName => $role) {
         if (! $this->match($username, $userGroups, $role)) {
             continue;
         }

         // Append only those permissions of this role that were not collected before
         $rolePermissions = StringHelper::trimSplit($role->permissions);
         $newPermissions = array_diff($rolePermissions, $permissions);
         $permissions = array_merge($permissions, $newPermissions);

         // Every key of the role besides these three is collected as a restriction
         $roleRestrictions = $role->toArray();
         unset(
             $roleRestrictions['users'],
             $roleRestrictions['groups'],
             $roleRestrictions['permissions']
         );
         foreach ($roleRestrictions as $name => $restriction) {
             // Appending creates the per-name list on first use
             $restrictions[$name][] = $restriction;
         }

         $roleObj = new Role();
         $roleObjs[] = $roleObj
             ->setName($roleName)
             ->setPermissions($rolePermissions)
             ->setRestrictions($roleRestrictions);
     }

     $user->setPermissions($permissions);
     $user->setRestrictions($restrictions);
     $user->setRoles($roleObjs);
 }
Exemplo n.º 3
 /**
  * Authenticate the given user against the account table
  *
  * Returns true if an active account with the given name and the salted password hash exists, false if
  * no salt is known for the user or no such row is found. Any exception raised on the way, including the
  * one thrown here for an empty salt, is wrapped in an AuthenticationException.
  *
  * @param   User        $user
  * @param   string      $password
  *
  * @return  bool
  * @throws  AuthenticationException
  */
 public function authenticate(User $user, $password)
 {
     try {
         $salt = $this->getSalt($user->getUsername());
         if ($salt === null) {
             return false;
         } elseif ($salt === '') {
             throw new Exception('Cannot find salt for user ' . $user->getUsername());
         }

         // All values are bound through placeholders; the hash comparison itself is done by the database
         $select = new Zend_Db_Select($this->conn->getConnection());
         $row = $select
             ->from('account', array(new Zend_Db_Expr(1)))
             ->where('username = ?', $user->getUsername())
             ->where('active = ?', true)
             ->where('password = ?', $this->hashPassword($password, $salt))
             ->query()
             ->fetchObject();

         return $row !== false;
     } catch (Exception $e) {
         throw new AuthenticationException(
             sprintf(
                 'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
                 $user->getUsername(),
                 $this->getName()
             ),
             0,
             $e
         );
     }
 }
Exemplo n.º 4
 /**
  * Build the application's main menu
  *
  * Without a user an empty definition is loaded. With a user the dashboard, system, configuration and user
  * sections are defined; the application log entry is added only if the logger writes to a file.
  *
  * NOTE(review): the 'permission' keys presumably only control which items are displayed. Confirm that the
  * controllers behind the URLs enforce the same permissions themselves.
  *
  * @return  Navigation
  */
 public function getMenu()
 {
     if ($this->user === null) {
         $menu = array();
     } else {
         $menu = array(
             'dashboard' => array(
                 'label'     => t('Dashboard'),
                 'url'       => 'dashboard',
                 'icon'      => 'dashboard',
                 'priority'  => 10
             ),
             'system' => array(
                 'label'     => t('System'),
                 'icon'      => 'services',
                 'priority'  => 700,
                 'renderer'  => array(
                     'SummaryNavigationItemRenderer',
                     'state' => 'critical'
                 ),
                 'children'  => array(
                     'about' => array(
                         'label'     => t('About'),
                         'url'       => 'about',
                         'priority'  => 700
                     ),
                     'announcements' => array(
                         'label'     => t('Announcements'),
                         'url'       => 'announcements',
                         'priority'  => 710
                     )
                 )
             ),
             'configuration' => array(
                 'label'         => t('Configuration'),
                 'icon'          => 'wrench',
                 'permission'    => 'config/*',
                 'priority'      => 800,
                 'children'      => array(
                     'application' => array(
                         'label'         => t('Application'),
                         'url'           => 'config/general',
                         'permission'    => 'config/application/*',
                         'priority'      => 810
                     ),
                     'authentication' => array(
                         'label'         => t('Authentication'),
                         'permission'    => 'config/authentication/*',
                         'priority'      => 830,
                         'url'           => 'role/list'
                     ),
                     'navigation' => array(
                         'label'         => t('Shared Navigation'),
                         'url'           => 'navigation/shared',
                         'permission'    => 'config/application/navigation',
                         'priority'      => 840
                     ),
                     'modules' => array(
                         'label'         => t('Modules'),
                         'url'           => 'config/modules',
                         'permission'    => 'config/modules',
                         'priority'      => 890
                     )
                 )
             ),
             'user' => array(
                 'cssClass'  => 'user-nav-item',
                 'label'     => $this->user->getUsername(),
                 'icon'      => 'user',
                 'priority'  => 900,
                 'children'  => array(
                     'account' => array(
                         'label'     => t('My Account'),
                         'priority'  => 100,
                         'url'       => 'account'
                     ),
                     'logout' => array(
                         'label'         => t('Logout'),
                         'priority'      => 200,
                         'attributes'    => array('target' => '_self'),
                         'url'           => 'authentication/logout'
                     )
                 )
             )
         );

         if (Logger::writesToFile()) {
             $menu['system']['children']['application_log'] = array(
                 'label'         => t('Application Log'),
                 'url'           => 'list/applicationlog',
                 'permission'    => 'application/log',
                 'priority'      => 900
             );
         }
     }

     return Navigation::fromArray($menu)->load('menu-item');
 }
Exemplo n.º 5
 /**
  * Build the application's main menu
  *
  * Without a user an empty definition is loaded. With a user the dashboard, system, configuration and user
  * sections are defined; the application log entry is added only if the logger writes to a file.
  *
  * NOTE(review): the 'permission' keys presumably only control which items are displayed. Confirm that the
  * controllers behind the URLs enforce the same permissions themselves.
  *
  * @return  Navigation
  */
 public function getMenu()
 {
     if ($this->user === null) {
         $menu = array();
     } else {
         $menu = array(
             'dashboard' => array(
                 'label'     => t('Dashboard'),
                 'url'       => 'dashboard',
                 'icon'      => 'dashboard',
                 'priority'  => 10
             ),
             'system' => array(
                 'label'     => t('System'),
                 'icon'      => 'services',
                 'priority'  => 700,
                 'renderer'  => array(
                     'SummaryNavigationItemRenderer',
                     'state' => 'critical'
                 ),
                 'children'  => array(
                     'about' => array(
                         'label'     => t('About'),
                         'url'       => 'about',
                         'priority'  => 701
                     )
                 )
             ),
             'configuration' => array(
                 'label'         => t('Configuration'),
                 'icon'          => 'wrench',
                 'permission'    => 'config/*',
                 'priority'      => 800,
                 'children'      => array(
                     'application' => array(
                         'label'         => t('Application'),
                         'url'           => 'config/general',
                         'permission'    => 'config/application/*',
                         'priority'      => 810
                     ),
                     'navigation' => array(
                         'label'         => t('Shared Navigation'),
                         'url'           => 'navigation/shared',
                         'permission'    => 'config/application/navigation',
                         'priority'      => 820
                     ),
                     'authentication' => array(
                         'label'         => t('Authentication'),
                         'url'           => 'config/userbackend',
                         'permission'    => 'config/authentication/*',
                         'priority'      => 830
                     ),
                     'roles' => array(
                         'label'         => t('Roles'),
                         'url'           => 'role/list',
                         'permission'    => 'config/authentication/roles/show',
                         'priority'      => 840
                     ),
                     'users' => array(
                         'label'         => t('Users'),
                         'url'           => 'user/list',
                         'permission'    => 'config/authentication/users/show',
                         'priority'      => 850
                     ),
                     'groups' => array(
                         'label'         => t('Usergroups'),
                         'url'           => 'group/list',
                         'permission'    => 'config/authentication/groups/show',
                         'priority'      => 860
                     ),
                     'modules' => array(
                         'label'         => t('Modules'),
                         'url'           => 'config/modules',
                         'permission'    => 'config/modules',
                         'priority'      => 890
                     )
                 )
             ),
             'user' => array(
                 'label'     => $this->user->getUsername(),
                 'icon'      => 'user',
                 'priority'  => 900,
                 'children'  => array(
                     'preferences' => array(
                         'label'     => t('Preferences'),
                         'url'       => 'preference',
                         'priority'  => 910
                     ),
                     'navigation' => array(
                         'label'     => t('Navigation'),
                         'url'       => 'navigation',
                         'priority'  => 920
                     ),
                     'logout' => array(
                         'label'     => t('Logout'),
                         'url'       => 'authentication/logout',
                         'priority'  => 990,
                         'renderer'  => array(
                             'NavigationItemRenderer',
                             'target' => '_self'
                         )
                     )
                 )
             )
         );

         if (Logger::writesToFile()) {
             // NOTE(review): this entry carries no 'permission' key, so it is presumably offered to every
             // logged-in user. Confirm the log view checks access on its own.
             $menu['system']['children']['application_log'] = array(
                 'label'     => t('Application Log'),
                 'url'       => 'list/applicationlog',
                 'priority'  => 710
             );
         }
     }

     return Navigation::fromArray($menu)->load('menu-item');
 }
Exemplo n.º 6
 /**
  * Authenticate from the session first and fall back to $_SERVER['REMOTE_USER']
  *
  * If the session yields a user whose name differs from a present REMOTE_USER, the authorization is removed
  * and the method returns. If the session yields no user and REMOTE_USER is non-empty, a user with that
  * name is created and persisted without any further check.
  *
  * NOTE(review): REMOTE_USER is trusted as is. This is only sound if the web server's own authentication
  * is the sole source of that variable for every request reaching the application - confirm per deployment.
  */
 public function authenticateFromRemoteUser()
 {
     $this->fromRemoteUser = true;
     $this->authenticateFromSession();

     $hasRemoteUser = array_key_exists('REMOTE_USER', $_SERVER);

     if ($this->user === null) {
         if ($hasRemoteUser && $_SERVER['REMOTE_USER']) {
             $this->user = new User($_SERVER['REMOTE_USER']);
             $this->persistCurrentUser();
         }

         return;
     }

     // The comparison is strict and therefore case sensitive. A session user is kept if REMOTE_USER
     // is not set at all.
     if ($hasRemoteUser && $this->user->getUsername() !== $_SERVER['REMOTE_USER']) {
         // Remote user has changed, clear all sessions
         $this->removeAuthorization();
     }
 }
Exemplo n.º 7
 /**
  * Make the given user the current one after loading its preferences, groups and admissions
  *
  * Preferences fall back to an empty set if the store is disabled or cannot be loaded. Group memberships
  * are gathered from every configured group backend and merged into the groups the user already has.
  * Permissions and restrictions come from the AdmissionLoader.
  *
  * @param   User    $user
  * @param   bool    $persist    Whether to persist the user via persistCurrentUser()
  */
 public function setAuthenticated(User $user, $persist = true)
 {
     $username = $user->getUsername();

     try {
         $config = Config::app();
     } catch (NotReadableError $e) {
         Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         $config = new Config();
     }

     $preferences = null;
     if ($config->get('preferences', 'store', 'ini') !== 'none') {
         $preferencesConfig = $config->getSection('preferences');
         try {
             $store = PreferencesStore::create($preferencesConfig, $user);
             $preferences = new Preferences($store->load());
         } catch (Exception $e) {
             Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         }
     }
     if ($preferences === null) {
         $preferences = new Preferences();
     }
     $user->setPreferences($preferences);

     $groups = $user->getGroups();
     foreach (Config::app('groups') as $name => $backendConfig) {
         try {
             $backend = UserGroupBackend::create($name, $backendConfig);
             $backendGroups = $backend->getMemberships($user);
         } catch (Exception $e) {
             // A failing backend is only logged, its groups are missing from the result.
             // NOTE(review): confirm no role relies on such a group to narrow access.
             Logger::error('Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s', $username, $name, $e);
             continue;
         }

         if (! empty($backendGroups)) {
             // Use the group names as both keys and values
             $backendGroups = array_values($backendGroups);
             $groups = array_merge($groups, array_combine($backendGroups, $backendGroups));
         }
     }
     $user->setGroups($groups);

     $admissionLoader = new AdmissionLoader();
     list($permissions, $restrictions) = $admissionLoader->getPermissionsAndRestrictions($user);
     $user->setPermissions($permissions);
     $user->setRestrictions($restrictions);

     $this->user = $user;
     if ($persist) {
         $this->persistCurrentUser();
     }
 }
Exemplo n.º 8
 /**
  * Collect the dashboard.ini paths of all dashboard directories named like the given user
  *
  * Directory names are compared with the user name case insensitively, so more than one directory may
  * match. Entries starting with a dot and entries that are not directories are skipped. An unreadable
  * dashboards directory yields an empty list because the opendir() warning is suppressed.
  *
  * NOTE(review): accounts whose names differ only in case match the same directories - confirm this
  * is intended for every user backend in use.
  *
  * @param   User    $user
  *
  * @return  string[]
  */
 public static function listConfigFilesForUser(User $user)
 {
     $files = array();
     $dashboards = static::resolvePath('dashboards');

     $handle = @opendir($dashboards);
     if (! $handle) {
         return $files;
     }

     while (($entry = readdir($handle)) !== false) {
         $directory = $dashboards . '/' . $entry;
         if ($entry[0] !== '.'
             && is_dir($directory)
             && strtolower($entry) === strtolower($user->getUsername())
         ) {
             $files[] = $directory . '/dashboard.ini';
         }
     }
     closedir($handle);

     return $files;
 }
Exemplo n.º 9
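 /**
  * Return the groups the given user is a member of
  *
  * A user is a member of every group whose user list contains its lower-cased name and, transitively,
  * of the parents of these groups.
  *
  * @param   User    $user
  *
  * @return  array
  */
 public function getMemberships(User $user)
 {
     $result = $this->select()->fetchAll();

     // Map each group to its parent to be able to walk up the hierarchy
     $groups = array();
     foreach ($result as $group) {
         $groups[$group->group_name] = $group->parent;
     }

     $username = strtolower($user->getUsername());
     $memberships = array();
     foreach ($result as $group) {
         if (! $group->users || in_array($group->group_name, $memberships, true)) {
             continue;
         }

         $users = array_map('strtolower', String::trimSplit($group->users));
         // Compare strictly: a loose comparison treats numeric strings such as "0123" and "123" as
         // equal and would hand one user the memberships of another
         if (! in_array($username, $users, true)) {
             continue;
         }

         $memberships[] = $group->group_name;

         // Remember the visited groups so that a cyclic parent definition cannot loop forever
         $seen = array($group->group_name => true);
         $parent = $groups[$group->group_name];
         while ($parent !== null && ! isset($seen[$parent])) {
             $seen[$parent] = true;
             $memberships[] = $parent;
             $parent = isset($groups[$parent]) ? $groups[$parent] : null;
         }
     }

     return $memberships;
 }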
Exemplo n.º 10
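 /**
  * Authenticate the given user
  *
  * The stored hash is fetched, its salt is used to hash the given password and both hashes are compared.
  * The comparison runs in constant time where hash_equals() is available, so that the response time
  * does not reveal how many leading bytes of the hash matched.
  *
  * @param   User        $user
  * @param   string      $password
  *
  * @return  bool                        True on success, false on failure
  *
  * @throws  AuthenticationException     In case authentication is not possible due to an error
  */
 public function authenticate(User $user, $password)
 {
     try {
         $passwordHash = $this->getPasswordHash($user->getUsername());
         $passwordSalt = $this->getSalt($passwordHash);
         $hashToCompare = $this->hashPassword($password, $passwordSalt);

         // Fail closed: two identical non-string values (e.g. null for an unknown user) must never
         // count as a match
         if (! is_string($passwordHash) || ! is_string($hashToCompare)) {
             return false;
         }

         if (function_exists('hash_equals')) {
             return hash_equals($passwordHash, $hashToCompare);
         }

         // hash_equals() is missing on old PHP versions, fall back to the plain comparison
         return $hashToCompare === $passwordHash;
     } catch (Exception $e) {
         throw new AuthenticationException(
             'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
             $user->getUsername(),
             $this->getName(),
             $e
         );
     }
 }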
Exemplo n.º 11
 /**
  * Authenticate the given user by testing its credentials against the connection
  *
  * The user's DN is fetched with a query created from the user name, then the DN and the password are
  * handed to testCredentials(), whose result is returned. Any exception is wrapped in an
  * AuthenticationException.
  *
  * @param   User    $user
  * @param   string  $password
  *
  * @return  bool|null
  * @throws  AuthenticationException
  */
 public function authenticate(User $user, $password)
 {
     try {
         $connection = $this->conn;
         $userDn = $connection->fetchDN($this->createQuery($user->getUsername()));

         // NOTE(review): a simple bind with a DN and an empty password is an unauthenticated bind
         // (RFC 4513) that many servers accept. Confirm testCredentials() rejects empty passwords.
         return $connection->testCredentials($userDn, $password);
     } catch (Exception $e) {
         throw new AuthenticationException(
             sprintf(
                 'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
                 $user->getUsername(),
                 $this->getName()
             ),
             0,
             $e
         );
     }
 }
Exemplo n.º 12
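 /**
  * Return the groups the given user is a member of
  *
  * Besides the groups found in group_membership for the user, the parents of these groups are
  * returned as well.
  *
  * @param   User    $user
  *
  * @return  array
  */
 public function getMemberships(User $user)
 {
     $groupQuery = $this->ds
         ->select()
         ->from(
             array('g' => $this->prependTablePrefix('group')),
             array(
                 'group_name'    => 'g.name',
                 'parent_name'   => 'gg.name'
             )
         )
         ->joinLeft(
             array('gg' => $this->prependTablePrefix('group')),
             'g.parent = gg.id',
             array()
         );

     // Map each group to the name of its parent to be able to walk up the hierarchy
     $groups = array();
     foreach ($groupQuery as $group) {
         $groups[$group->group_name] = $group->parent_name;
     }

     $membershipQuery = $this
         ->select()
         ->from('group_membership', array('group_name'))
         ->where('user_name', $user->getUsername());

     $memberships = array();
     foreach ($membershipQuery as $membership) {
         $memberships[] = $membership->group_name;

         // Without a constraint on the table a membership may name a group that is unknown here
         $parent = isset($groups[$membership->group_name]) ? $groups[$membership->group_name] : null;

         // Remember the visited groups so that a cyclic parent chain cannot loop forever
         $seen = array($membership->group_name => true);
         while ($parent !== null && ! isset($seen[$parent])) {
             $seen[$parent] = true;
             $memberships[] = $parent;
             // Usually a parent is an existing group, but since we do not have a constraint on our table..
             $parent = isset($groups[$parent]) ? $groups[$parent] : null;
         }
     }

     return $memberships;
 }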
Exemplo n.º 13
 /**
  * Return the names of the LDAP groups the given user is a member of
  *
  * Groups are searched by the user name if the member attribute is ambiguous, otherwise by the user's DN,
  * which is taken from the user's additional 'ldap_dn' information or looked up. If no DN can be found,
  * an empty array is returned.
  *
  * @param   User    $user
  *
  * @return  array
  */
 public function getMemberships(User $user)
 {
     if ($this->isMemberAttributeAmbiguous()) {
         $queryValue = $user->getUsername();
     } else {
         $queryValue = $user->getAdditional('ldap_dn');
         if ($queryValue === null) {
             // NOTE(review): the user name is presumably escaped by the query layer - confirm
             $userQuery = $this->ds
                 ->select()
                 ->from($this->userClass)
                 ->where($this->userNameAttribute, $user->getUsername())
                 ->setBase($this->userBaseDn)
                 ->setUsePagedResults(false);
             if ($this->userFilter) {
                 $userQuery->setNativeFilter($this->userFilter);
             }

             $queryValue = $userQuery->fetchDn();
             if ($queryValue === null) {
                 return array();
             }
         }
     }

     $groupMemberAttribute = $this->groupMemberAttribute;
     if ($this->nestedGroupSearch) {
         // 1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN
         $groupMemberAttribute .= ':1.2.840.113556.1.4.1941:';
     }

     $groupQuery = $this->ds
         ->select()
         ->from($this->groupClass, array($this->groupNameAttribute))
         ->where($groupMemberAttribute, $queryValue)
         ->setBase($this->groupBaseDn);
     if ($this->groupFilter) {
         $groupQuery->setNativeFilter($this->groupFilter);
     }

     $nameAttribute = $this->groupNameAttribute;
     $groups = array();
     foreach ($groupQuery as $row) {
         $groups[] = $row->{$nameAttribute};
     }

     return $groups;
 }
Exemplo n.º 14
 /**
  * Authenticate the given user
  *
  * The user's DN is looked up by name, with every "*" removed from the name first. If no DN is found,
  * false is returned, otherwise the result of testing the DN and the password against the directory.
  *
  * @param   User        $user
  * @param   string      $password
  *
  * @return  bool                        True on success, false on failure
  *
  * @throws  AuthenticationException     In case authentication is not possible due to an error
  */
 public function authenticate(User $user, $password)
 {
     try {
         // Only the wildcard is stripped here.
         // NOTE(review): other filter characters are presumably escaped by the query layer - confirm
         $userDn = $this
             ->select()
             ->where('user_name', str_replace('*', '', $user->getUsername()))
             ->getQuery()
             ->setUsePagedResults(false)
             ->fetchDn();

         if ($userDn !== null) {
             // NOTE(review): a simple bind with a DN and an empty password is an unauthenticated bind
             // (RFC 4513) that many servers accept. Confirm testCredentials() rejects empty passwords.
             return $this->ds->testCredentials($userDn, $password);
         }

         return false;
     } catch (LdapException $e) {
         throw new AuthenticationException(
             'Failed to authenticate user "%s" against backend "%s". An exception was thrown:',
             $user->getUsername(),
             $this->getName(),
             $e
         );
     }
 }
Exemplo n.º 15
 /**
  * Make the given user the current one after loading its preferences, groups and roles
  *
  * Preferences fall back to an empty set if the config backend is 'none' or the store cannot be loaded.
  * Group memberships are gathered from every configured group backend and merged into the groups the
  * user already has. Roles are applied by the AdmissionLoader.
  *
  * @param   User    $user
  * @param   bool    $persist    Whether to persist the user via persistCurrentUser()
  */
 public function setAuthenticated(User $user, $persist = true)
 {
     $username = $user->getUsername();

     try {
         $config = Config::app();
     } catch (NotReadableError $e) {
         Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         $config = new Config();
     }

     $preferences = null;
     if ($config->get('global', 'config_backend', 'ini') !== 'none') {
         $preferencesConfig = new ConfigObject(array(
             'store'     => $config->get('global', 'config_backend', 'ini'),
             'resource'  => $config->get('global', 'config_resource')
         ));
         try {
             $store = PreferencesStore::create($preferencesConfig, $user);
             $preferences = new Preferences($store->load());
         } catch (Exception $e) {
             Logger::error(new IcingaException('Cannot load preferences for user "%s". An exception was thrown: %s', $username, $e));
         }
     }
     if ($preferences === null) {
         $preferences = new Preferences();
     }

     // TODO(el): Quick-fix for #10957. Only reload CSS if the theme changed.
     $this->getResponse()->setReloadCss(true);
     $user->setPreferences($preferences);

     $groups = $user->getGroups();
     foreach (Config::app('groups') as $name => $backendConfig) {
         try {
             $backend = UserGroupBackend::create($name, $backendConfig);
             $backendGroups = $backend->getMemberships($user);
         } catch (Exception $e) {
             // A failing backend is only logged, its groups are missing from the result.
             // NOTE(review): confirm no role relies on such a group to narrow access.
             Logger::error('Can\'t get group memberships for user \'%s\' from backend \'%s\'. An exception was thrown: %s', $username, $name, $e);
             continue;
         }

         if (! empty($backendGroups)) {
             // Use the group names as both keys and values
             $backendGroups = array_values($backendGroups);
             $groups = array_merge($groups, array_combine($backendGroups, $backendGroups));
         }
     }
     $user->setGroups($groups);

     $admissionLoader = new AdmissionLoader();
     $admissionLoader->applyRoles($user);

     $this->user = $user;
     if ($persist) {
         $this->persistCurrentUser();
     }
 }
Exemplo n.º 16
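 /**
  * Setup internationalization using gettext
  *
  * After the parent's setup, the locale stored as 'app.language' in the current user's preferences is
  * applied, if there is one. A locale that cannot be set is logged as a warning and otherwise ignored.
  *
  * @return  self
  */
 protected function setupInternationalization()
 {
     parent::setupInternationalization();

     if ($this->user !== null && $this->user->getPreferences() !== null) {
         // Fetch the value before comparing it. Written as "$locale = ...->get(...) !== null" the
         // comparison binds tighter than the assignment and $locale ends up being a boolean.
         $locale = $this->user->getPreferences()->get('app.language');
         if ($locale !== null) {
             try {
                 Translator::setupLocale($locale);
             } catch (Exception $error) {
                 Logger::warning('Cannot set locale "' . $locale . '" configured in ' . 'preferences of user "' . $this->user->getUsername() . '"');
             }
         }
     }

     return $this;
 }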
 /**
  * Return the names of the LDAP groups the given user is a member of
  *
  * Groups are searched by the user name if the group's member attribute is ambiguous, otherwise by the
  * user's DN, which is taken from the user's additional 'ldap_dn' information or looked up. If no DN can
  * be found, an empty array is returned.
  *
  * @param   User    $user
  *
  * @return  array
  */
 public function getMemberships(User $user)
 {
     if ($this->isAmbiguous($this->groupClass, $this->groupMemberAttribute)) {
         $queryValue = $user->getUsername();
     } else {
         $queryValue = $user->getAdditional('ldap_dn');
         if ($queryValue === null) {
             // NOTE(review): the user name is presumably escaped by the query layer - confirm
             $userQuery = $this->ds
                 ->select()
                 ->from($this->userClass)
                 ->where($this->userNameAttribute, $user->getUsername())
                 ->setBase($this->userBaseDn)
                 ->setUsePagedResults(false);
             if ($this->userFilter) {
                 // The configured filter is added as a raw expression
                 $userQuery->where(new Expression($this->userFilter));
             }

             $queryValue = $userQuery->fetchDn();
             if ($queryValue === null) {
                 return array();
             }
         }
     }

     $groupQuery = $this->ds
         ->select()
         ->from($this->groupClass, array($this->groupNameAttribute))
         ->where($this->groupMemberAttribute, $queryValue)
         ->setBase($this->groupBaseDn);
     if ($this->groupFilter) {
         $groupQuery->where(new Expression($this->groupFilter));
     }

     $nameAttribute = $this->groupNameAttribute;
     $groups = array();
     foreach ($groupQuery as $row) {
         $groups[] = $row->{$nameAttribute};
     }

     return $groups;
 }
Exemplo n.º 18
 /**
  * Return the names of the LDAP groups the given user is a member of
  *
  * For the group class 'posixGroup' the groups are searched by the user name, for every other class by
  * the user's DN, which is taken from the user's additional 'ldap_dn' information or looked up. If no DN
  * can be found, an empty array is returned. The filter in use and the result are logged at debug level.
  *
  * @param   User    $user
  *
  * @return  array
  */
 public function getMemberships(User $user)
 {
     if ($this->groupClass === 'posixGroup') {
         // Posix group only uses simple user name
         $userDn = $user->getUsername();
     } elseif (($userDn = $user->getAdditional('ldap_dn')) === null) {
         // LDAP groups use the complete DN, look it up as the user does not carry it
         // NOTE(review): the user name is presumably escaped by the query layer - confirm
         $userQuery = $this->ds
             ->select()
             ->from($this->userClass)
             ->where($this->userNameAttribute, $user->getUsername())
             ->setBase($this->userBaseDn)
             ->setUsePagedResults(false);
         if ($this->userFilter) {
             // The configured filter is added as a raw expression
             $userQuery->where(new Expression($this->userFilter));
         }

         $userDn = $userQuery->fetchDn();
         if ($userDn === null) {
             return array();
         }
     }

     $groupQuery = $this->ds
         ->select()
         ->from($this->groupClass, array($this->groupNameAttribute))
         ->where($this->groupMemberAttribute, $userDn)
         ->setBase($this->groupBaseDn);
     if ($this->groupFilter) {
         $groupQuery->where(new Expression($this->groupFilter));
     }

     Logger::debug(
         'Fetching groups for user %s using filter %s.',
         $user->getUsername(),
         $groupQuery->__toString()
     );

     $nameAttribute = $this->groupNameAttribute;
     $groups = array();
     foreach ($groupQuery as $row) {
         $groups[] = $row->{$nameAttribute};
     }

     Logger::debug('Fetched %d groups: %s.', count($groups), implode(', ', $groups));

     return $groups;
 }