/**
 * @see Form::createElements()
 */
public function createElements(array $formData)
{
    $externalSelected = isset($formData['type']) && $formData['type'] === 'external';
    if ($externalSelected) {
        $remoteUserInfo = ExternalBackend::getRemoteUserInformation();
        if ($remoteUserInfo[0] === null) {
            // Warn right away: without a web server authentication mechanism the
            // 'external' backend will never be able to provide a user name
            $this->info(
                $this->translate(
                    'You\'re currently not authenticated using any of the web server\'s authentication '
                    . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to '
                    . 'log into Icinga Web 2.'
                ),
                false
            );
        }
    }

    // Only offer backend types whose prerequisites are present on this platform
    $typeOptions = array();
    $hasDatabaseSupport = Platform::hasMysqlSupport() || Platform::hasPostgresqlSupport();
    if ($hasDatabaseSupport) {
        $typeOptions['db'] = $this->translate('Database');
    }
    if (Platform::extensionLoaded('ldap')) {
        $typeOptions['ldap'] = 'LDAP';
    }
    // External authentication needs no extension, so it is always available
    $typeOptions['external'] = $this->translate('External');

    $this->addElement(
        'select',
        'type',
        array(
            'required'      => true,
            'autosubmit'    => true,
            'label'         => $this->translate('Authentication Type'),
            'description'   => $this->translate('The type of authentication to use when accessing Icinga Web 2'),
            'multiOptions'  => $typeOptions
        )
    );
}
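/**
 * Create and return a user backend with the given name and given configuration applied to it
 *
 * When no configuration is given, the section called $name is looked up in the configured
 * backends (see assertBackendsExist()). A 'name' directive in the configuration overrides the
 * given name. The backend type is the lower-cased 'backend' directive and is resolved in this
 * order: 'external', one of static::$defaultBackends (of which 'db', 'ldap' and 'msldap' are
 * handled here and all require a 'resource' directive), a hook-registered custom backend class.
 *
 * @param   string          $name
 * @param   ConfigObject    $backendConfig
 *
 * @return  UserBackendInterface
 *
 * @throws  ConfigurationError  If the backend does not exist, the 'backend' or 'resource' directive is missing,
 *                              the backend type is not supported, or a custom class does not implement
 *                              UserBackendInterface
 */
public static function create($name, ConfigObject $backendConfig = null)
{
    if ($backendConfig === null) {
        self::assertBackendsExist();
        if (! self::$backends->hasSection($name)) {
            throw new ConfigurationError('User backend "%s" does not exist', $name);
        }

        $backendConfig = self::$backends->getSection($name);
    }

    if ($backendConfig->name !== null) {
        $name = $backendConfig->name;
    }

    // Cast first: a missing 'backend' directive yields null, which strtolower() no longer accepts silently
    $backendType = strtolower((string) $backendConfig->backend);
    if ($backendType === '') {
        throw new ConfigurationError(
            'Authentication configuration for user backend "%s" is missing the \'backend\' directive',
            $name
        );
    }

    if ($backendType === 'external') {
        $backend = new ExternalBackend($backendConfig);
        $backend->setName($name);
        return $backend;
    }

    // The default backend check is the first one because of performance reasons:
    // Do not attempt to load a custom user backend unless it's actually required
    if (! in_array($backendType, static::$defaultBackends, true)) {
        $customClass = static::getCustomUserBackend($backendType);
        if ($customClass === null) {
            throw new ConfigurationError(
                'Authentication configuration for user backend "%s" defines an invalid backend type.'
                . ' Backend type "%s" is not supported',
                $name,
                $backendType
            );
        }

        $backend = new $customClass($backendConfig);
        if (! is_a($backend, 'Icinga\\Authentication\\User\\UserBackendInterface')) {
            throw new ConfigurationError(
                'Cannot utilize user backend of type "%s". Class "%s" does not implement UserBackendInterface',
                $backendType,
                $customClass
            );
        }

        $backend->setName($name);
        return $backend;
    }

    if ($backendConfig->resource === null) {
        throw new ConfigurationError(
            'Authentication configuration for user backend "%s" is missing the \'resource\' directive',
            $name
        );
    }

    $resource = ResourceFactory::create($backendConfig->resource);
    switch ($backendType) {
        case 'db':
            $backend = new DbUserBackend($resource);
            break;
        case 'msldap':
        case 'ldap':
            // Both types share the LDAP backend; only the defaults for the object class
            // and the user name attribute differ (Active Directory vs. inetOrgPerson)
            $isActiveDirectory = $backendType === 'msldap';
            $backend = new LdapUserBackend($resource);
            $backend->setBaseDn($backendConfig->base_dn);
            $backend->setUserClass(
                $backendConfig->get('user_class', $isActiveDirectory ? 'user' : 'inetOrgPerson')
            );
            $backend->setUserNameAttribute(
                $backendConfig->get('user_name_attribute', $isActiveDirectory ? 'sAMAccountName' : 'uid')
            );
            $backend->setFilter($backendConfig->filter);
            break;
        default:
            // A type listed in static::$defaultBackends but not handled above would otherwise leave
            // $backend undefined and make the setName() call below fail obscurely
            throw new ConfigurationError(
                'Authentication configuration for user backend "%s" defines an invalid backend type.'
                . ' Backend type "%s" is not supported',
                $name,
                $backendType
            );
    }

    $backend->setName($name);
    return $backend;
}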
/**
 * Try to authenticate the user with the current session
 *
 * Authentication for externally-authenticated users will be revoked if the username changed or external
 * authentication is no longer in effect
 */
public function authenticateFromSession()
{
    $sessionUser = Session::getSession()->get('user');
    $this->user = $sessionUser;

    if ($sessionUser === null || ! $sessionUser->isExternalUser()) {
        return;
    }

    // Re-check the web server's current remote user against the one the session was created for,
    // so that a session does not outlive the external authentication it was based on
    $externalInfo = $sessionUser->getExternalUserInformation();
    $originUsername = $externalInfo[0];
    $remoteUsername = ExternalBackend::getRemoteUser($externalInfo[1]);

    $stillAuthenticated = $remoteUsername !== null && $remoteUsername === $originUsername;
    if (! $stillAuthenticated) {
        $this->removeAuthorization();
    }
}
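/**
 * Return the name of the externally authenticated user
 *
 * The name is taken from the web server's remote user information. If the backend is configured with
 * a 'strip_username_regexp', everything matching that pattern is removed from the name first.
 *
 * @return  string  The (possibly stripped) user name, or an empty string if there is no remote user
 *                  or the strip pattern could not be applied
 */
protected function getUsername()
{
    $remoteUserInfo = ExternalBackend::getRemoteUserInformation();
    $name = $remoteUserInfo[0];
    if ($name === null) {
        return '';
    }

    $stripPattern = isset($this->backendConfig['strip_username_regexp'])
        ? $this->backendConfig['strip_username_regexp']
        : null;
    if ($stripPattern) {
        // The pattern has already been compiled successfully during backend configuration, so nothing
        // needs to be silenced or logged for syntax errors. preg_replace() can still fail at runtime
        // (e.g. backtrack limit) and then returns null; treat that as "no user" rather than handing a
        // null on to callers that expect a string.
        $strippedName = preg_replace($stripPattern, '', $name);
        if ($strippedName === null) {
            return '';
        }

        $name = $strippedName;
    }

    return $name;
}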