/**
 * Identify from the PHP session.
 *
 * This adapter is authoritative: when a session is active and it already holds
 * an identity under our namespace, that stored value is put onto the event's
 * identity as-is (no re-validation happens here) and propagation is stopped so
 * no further adapter runs for this Identify event.
 *
 * @param Event $event
 * @return void
 */
public function discern(Event $event)
{
    if (session_status() !== PHP_SESSION_ACTIVE || !$event instanceof Identify) {
        return;
    }

    if (!isset($_SESSION[$this->namespace]['identity'])) {
        // Nothing remembered for this namespace; let other adapters try.
        return;
    }

    $event->identity()->setIdentified($_SESSION[$this->namespace]['identity']);
    $event->stopPropagation();
}
/**
 * Identify against the in-memory data map.
 *
 * Only Identify events are handled. The requested identity is used as a key
 * into $this->data: on a hit the stored record becomes the identified value,
 * otherwise a NOT_FOUND error is recorded on the event.
 *
 * @param Event $event
 * @return void
 */
public function discern(Event $event)
{
    if (!$event instanceof Identify) {
        return;
    }

    $identity = $event->identity();
    $key = $identity->identity();

    if (!isset($this->data[$key])) {
        $this->setErrorOnEvent($event, Sentry::NOT_FOUND, "Identity Not Found");
        return;
    }

    $identity->setIdentified($this->data[$key]);
}
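/**
 * Identify by source IP address against the allowed CIDR blocks.
 *
 * Nothing happens unless $this->ip is set. The address is compared with each
 * entry of $this->allowedCidrBlocks ("a.b.c.d/n"); on the first match the
 * identity is marked as identified with an object carrying the numeric IP.
 * No error is recorded on the event when nothing matches.
 *
 * NOTE(review): where $this->ip is populated is not visible here. If it comes
 * from a client-supplied header it is only trustworthy when a proxy in front
 * of the application overwrites that header — confirm at the caller.
 *
 * @param Event $event
 * @return void
 */
public function discern(Event $event)
{
    if (!$event instanceof Identify || !isset($this->ip)) {
        return;
    }

    $ip = ip2long($this->ip);
    if ($ip === false) {
        // An unparsable address must not fall through as 0 (0.0.0.0) and match a block.
        return;
    }

    $identity = $event->identity();
    foreach ($this->allowedCidrBlocks as $cidr) {
        // A bare address with no "/n" is treated as a single host (/32); previously a
        // missing prefix became /0 and matched every address.
        list($quad, $prefix) = array_pad(explode('/', (string) $cidr), 2, '32');

        $network = ip2long($quad);
        if ($network === false) {
            // Skip malformed entries rather than comparing against 0.
            continue;
        }

        // Clamp so the shift is always 0..32 (a negative shift is an ArithmeticError).
        $prefix = max(0, min(32, intval($prefix)));
        $shift = 32 - $prefix;

        // Compare only the network portion of both addresses.
        if (($ip >> $shift) === ($network >> $shift)) {
            $obj = new \stdClass();
            $obj->ip = $ip;
            $identity->setIdentified($obj);
            break;
        }
    }
}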
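/**
 * Authenticate the credentials by attempting an IMAP login.
 *
 * Only Authenticate events are handled. A mailbox connection to $this->server
 * is opened with the identity (suffixed by $this->appendToUsername) and the
 * credential. A timeout is reported as an INTERNAL error, any other failure as
 * INVALID credentials. Nothing is recorded on success; the connection is then
 * closed.
 *
 * Requires the imap extension (imap_open/imap_last_error/imap_close).
 *
 * @param Event $event
 * @return void
 */
public function discern(Event $event)
{
    if (!$event instanceof Authenticate) {
        return;
    }

    $identity = $event->identity();
    $imap = imap_open(
        $this->server,
        $identity->identity() . $this->appendToUsername,
        $identity->credential()
    );

    if ($imap === false) {
        // imap_last_error() returns false when nothing was recorded; coerce so strpos()
        // always receives a string.
        $lastError = (string) imap_last_error();
        if (strpos($lastError, 'Connection timed out') !== false) {
            $this->setErrorOnEvent($event, Sentry::INTERNAL, "Connection timed out");
        } else {
            $this->setErrorOnEvent($event, Sentry::INVALID, "Invalid Credentials");
        }
        // Do not fall through to imap_close(): passing false to it is a TypeError on
        // PHP 8 (a warning on older versions), so the failure path must return here.
        return;
    }

    imap_close($imap);
}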
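/**
 * Authenticate by substituting the credentials into a URL and fetching it.
 *
 * Only Authenticate events are handled. "{{username}}" and "{{password}}" in
 * $this->url are replaced with the url-encoded identity and credential and the
 * resulting URL is fetched with file_get_contents(). An unreachable URL is an
 * INTERNAL error; a response that does not contain $this->matchStringInResponse
 * is INVALID credentials. Nothing is recorded on success.
 *
 * The credential travels inside the URL, so it can be recorded in the remote
 * server's and any intermediary's access logs; the configured URL should use
 * HTTPS. Error messages quote the URL template, not the substituted URL, so the
 * credential is not echoed back.
 *
 * @param Event $event
 * @return void
 */
public function discern(Event $event)
{
    if (!$event instanceof Authenticate) {
        return;
    }

    // On PHP 8 strpos() with an empty needle returns 0, so an unset or empty match
    // string would let any reachable URL authenticate. Refuse to run that way.
    if (!isset($this->matchStringInResponse) || $this->matchStringInResponse === '') {
        $this->setErrorOnEvent($event, Sentry::INTERNAL, "matchStringInResponse is not configured");
        return;
    }

    $identity = $event->identity();
    $search = ['{{username}}', '{{password}}'];
    $replace = [urlencode($identity->identity()), urlencode($identity->credential())];
    $url = str_replace($search, $replace, $this->url);

    // file_get_contents() emits a warning on failure; swallow it with a scoped error
    // handler instead of "@" so the handler is restored even if the fetch throws.
    set_error_handler(function () {
        return true;
    });
    try {
        $response = file_get_contents($url);
    } finally {
        restore_error_handler();
    }

    if ($response === false) {
        $this->setErrorOnEvent($event, Sentry::INTERNAL, "Unable to contact the url: {$this->url}");
        return;
    }

    if (strpos($response, $this->matchStringInResponse) === false) {
        $this->setErrorOnEvent($event, Sentry::INVALID, "Invalid credentials");
    }
}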
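/**
 * Checks that the LDAP entry for the event's identity is in one of the allowed groups.
 *
 * Searches $this->baseDn for "<identityField>=<identity>" requesting the memberOf
 * attribute and returns true as soon as one of $this->groups appears in it. In
 * every other case an error is recorded on the event via setErrorOnEvent
 * (INTERNAL when the search itself failed, INVALID otherwise) and nothing is
 * returned.
 *
 * Group DNs are compared as exact strings; since LDAP DNs are case-insensitive,
 * $this->groups must be spelled exactly as the directory returns them.
 *
 * @param resource|\LDAP\Connection $ldap  bound LDAP connection
 * @param Event $event
 * @return true|null
 */
private function checkGroups($ldap, Event $event)
{
    // The identity value is caller-supplied; escape it so special characters cannot
    // change the meaning of the search filter.
    $filter = sprintf(
        "%s=%s",
        $this->identityField,
        ldap_escape((string) $event->identity()->identity(), '', LDAP_ESCAPE_FILTER)
    );
    $searchResult = ldap_search($ldap, $this->baseDn, $filter, ['memberOf']);

    if ($searchResult === false) {
        // failed to search (unknown reason)
        $this->setErrorOnEvent($ldap, $event, Sentry::INTERNAL, "Unable to search for groups on {$this->server}");
        return;
    }

    $code = Sentry::INVALID;
    $reason = "Identity has no groups assigned";

    // ldap_first_entry() returns false when the search matched nothing; passing that
    // into ldap_get_attributes() is a TypeError on PHP 8, so treat it as "no groups".
    $entry = ldap_first_entry($ldap, $searchResult);
    $attrs = ($entry === false) ? [] : ldap_get_attributes($ldap, $entry);
    ldap_free_result($searchResult);

    if (isset($attrs['memberOf']['count']) && $attrs['memberOf']['count'] > 0) {
        // memberOf holds the DNs at integer keys plus a 'count' entry; compare strictly so
        // the integer count (or any loose coercion) can never equal a group name.
        foreach ($this->groups as $group) {
            if (in_array($group, $attrs['memberOf'], true)) {
                // return early if a member of any group
                return true;
            }
        }
        // if we haven't returned by now there is a problem
        $reason = "Not in allowed groups";
    }

    $this->setErrorOnEvent($ldap, $event, $code, $reason);
}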