Пример #1
0
 /**
  * Find a user (eg. look up the user record in database when a login is sent)
  *
  * @return mixed user array or FALSE
  * @throws UnsupportedLoginSecurityLevelException
  */
 public function getUser()
 {
     $user = FALSE;
     $userRecordOrIsValid = FALSE;
     $enableFrontendSso = TYPO3_MODE === 'FE' && (bool) $this->config['enableFESSO'] && !empty($_SERVER['REMOTE_USER']);
     // This simple check is the key to prevent your log being filled up with warnings
     // due to the AJAX calls to maintain the session active if your configuration forces
     // the authentication stack to always fetch the user:
     // $TYPO3_CONF_VARS['SVCONF']['auth']['setup']['BE_alwaysFetchUser'] = true;
     // This is the case, e.g., when using EXT:crawler.
     if ($this->login['status'] !== 'login' && !$enableFrontendSso) {
         return $user;
     }
     /** @var \Causal\IgLdapSsoAuth\Domain\Repository\ConfigurationRepository $configurationRepository */
     $configurationRepository = GeneralUtility::makeInstance('Causal\\IgLdapSsoAuth\\Domain\\Repository\\ConfigurationRepository');
     $configurationRecords = $configurationRepository->findAll();
     if (count($configurationRecords) === 0) {
         // Early return since LDAP is not configured
         static::getLogger()->warning('Skipping LDAP authentication as extension is not yet configured');
         $this->cleanUpExtbaseDataMapper();
         return FALSE;
     }
     foreach ($configurationRecords as $configurationRecord) {
         Configuration::initialize(TYPO3_MODE, $configurationRecord);
         if (!Configuration::isEnabledForCurrentHost()) {
             $msg = sprintf('Configuration record #%s is not enabled for domain %s', $configurationRecord->getUid(), GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY'));
             static::getLogger()->info($msg);
             continue;
         }
         // Enable feature
         $userRecordOrIsValid = FALSE;
         // Single Sign-On authentication
         if ($enableFrontendSso) {
             $remoteUser = $_SERVER['REMOTE_USER'];
             // Strip the domain name
             if ($pos = strpos($remoteUser, '@')) {
                 $remoteUser = substr($remoteUser, 0, $pos);
             } elseif ($pos = strrpos($remoteUser, '\\')) {
                 $remoteUser = substr($remoteUser, $pos + 1);
             }
             $userRecordOrIsValid = Authentication::ldapAuthenticate($remoteUser);
             if (is_array($userRecordOrIsValid)) {
                 // Useful for debugging purpose
                 $this->login['uname'] = $remoteUser;
             }
             // Authenticate user from LDAP
         } elseif ($this->login['status'] === 'login' && $this->login['uident']) {
             // Configuration of authentication service.
             $loginSecurityLevel = $GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['loginSecurityLevel'];
             // normal case
             // Check if $loginSecurityLevel is set to "challenged" or "superchallenged" and throw an error if the configuration allows it
             // By default, it will not throw an exception
             if (isset($this->config['throwExceptionAtLogin']) && $this->config['throwExceptionAtLogin'] == 1) {
                 if ($loginSecurityLevel === 'challenged' || $loginSecurityLevel === 'superchallenged') {
                     $message = "ig_ldap_sso_auth error: current login security level '" . $loginSecurityLevel . "' is not supported.";
                     $message .= " Try to use 'normal' or 'rsa' (highly recommended): ";
                     $message .= "\$GLOBALS['TYPO3_CONF_VARS']['" . TYPO3_MODE . "']['loginSecurityLevel'] = 'rsa';";
                     $this->cleanUpExtbaseDataMapper();
                     throw new UnsupportedLoginSecurityLevelException($message, 1324313489);
                 }
             }
             // normal case
             $password = $this->login['uident_text'];
             try {
                 if ($password !== NULL) {
                     $userRecordOrIsValid = Authentication::ldapAuthenticate($this->login['uname'], $password);
                 } else {
                     // Could not decrypt password
                     $userRecordOrIsValid = FALSE;
                 }
             } catch (UnresolvedPhpDependencyException $e) {
                 // Possible known exception: 1409566275, LDAP extension is not available for PHP
                 $userRecordOrIsValid = FALSE;
             }
         }
         if (is_array($userRecordOrIsValid)) {
             $user = $userRecordOrIsValid;
             break;
         } elseif ($userRecordOrIsValid) {
             // Authentication is valid
             break;
         } else {
             $diagnostic = Authentication::getLastAuthenticationDiagnostic();
             $info = array('username' => $this->login['uname'], 'remote' => sprintf('%s (%s)', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST']), 'diagnostic' => $diagnostic, 'configUid' => $configurationRecord->getUid());
             static::getLogger()->error('Authentication failed', $info);
             NotificationUtility::dispatch(__CLASS__, 'authenticationFailed', $info);
         }
         // Continue and try with next configuration record...
     }
     if (!$user && $userRecordOrIsValid) {
         $user = $this->fetchUserRecord($this->login['uname']);
     }
     if (is_array($user)) {
         static::getLogger()->debug(sprintf('User found: "%s"', $this->login['uname']));
     }
     $this->cleanUpExtbaseDataMapper();
     return $user;
 }