icingaweb2/library/Icinga/Authentication/User/ExternalBackend.php

<?php
/* Icinga Web 2 | (c) 2014 Icinga Development Team | GPLv2+ */

namespace Icinga\Authentication\User;

use Icinga\Application\Logger;
use Icinga\Data\ConfigObject;
use Icinga\User;

/**
 * Test login with external authentication mechanism, e.g. Apache
 */
class ExternalBackend implements UserBackendInterface
{
    /**
     * Possible variables where to read the user from
     *
     * @var string[]
     */
    public static $remoteUserEnvvars = array('REMOTE_USER', 'REDIRECT_REMOTE_USER');

    /**
     * The name of this backend
     *
     * @var string
     */
    protected $name;

    /**
     * Regexp expression to strip values from a username
     *
     * @var string
     */
    protected $stripUsernameRegexp;

    /**
     * Create new authentication backend of type "external"
     *
     * @param ConfigObject $config
     */
    public function __construct(ConfigObject $config)
    {
        $this->stripUsernameRegexp = $config->get('strip_username_regexp');
    }

    /**
     * {@inheritdoc}
     */
    public function getName()
    {
        return $this->name;
    }

    /**
     * {@inheritdoc}
     */
    public function setName($name)
    {
        $this->name = $name;
        return $this;
    }

    /**
     * Get the remote user from environment or $_SERVER, if any
     *
     * @param   string  $variable   The name of the variable where to read the user from
     *
     * @return  string|null
     */
    public static function getRemoteUser($variable = 'REMOTE_USER')
    {
        $username = getenv($variable);
        if (! empty($username)) {
            return $username;
        }

        if (array_key_exists($variable, $_SERVER) && ! empty($_SERVER[$variable])) {
            return $_SERVER[$variable];
        }
    }

    /**
     * Get the remote user information from environment or $_SERVER, if any
     *
     * @return  array   Contains always two entries, the username and origin which may both set to null.
     */
    public static function getRemoteUserInformation()
    {
        foreach (static::$remoteUserEnvvars as $envVar) {
            $username = static::getRemoteUser($envVar);
            if ($username !== null) {
                return array($username, $envVar);
            }
        }

        return array(null, null);
    }

    /**
     * {@inheritdoc}
     */
    public function authenticate(User $user, $password = null)
    {
        list($username, $field) = static::getRemoteUserInformation();
        if ($username !== null) {
            $user->setExternalUserInformation($username, $field);

            if ($this->stripUsernameRegexp) {
                $stripped = @preg_replace($this->stripUsernameRegexp, '', $username);
                if ($stripped === false) {
                    Logger::error('Failed to strip external username. The configured regular expression is invalid.');
                    return false;
                }

                $username = $stripped;
            }

            $user->setUsername($username);
            return true;
        }

        return false;
    }
}
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`<?php`
Change all license headers to only reflect a file's year of creation refs #11000 2016-02-08 09:41:00 -05:00			`/* Icinga Web 2 \| (c) 2014 Icinga Development Team \| GPLv2+ */`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00
Move concrete UserBackend classes to Icinga\Authentication\User refs #8826 2015-04-21 06:51:31 -04:00			`namespace Icinga\Authentication\User;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00
ExternalBackend: Don't throw an error if it's not possible to clean usernames 2016-11-16 06:04:46 -05:00			`use Icinga\Application\Logger;`
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 07:11:52 -05:00			`use Icinga\Data\ConfigObject;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`use Icinga\User;`

			`/**`
			`* Test login with external authentication mechanism, e.g. Apache`
			`*/`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`class ExternalBackend implements UserBackendInterface`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`{`
Replace ExternalBackend::getRemoteUserEnvvars() with an attribute refs #12164 2016-11-04 12:27:36 -04:00			`/**`
			`* Possible variables where to read the user from`
			`*`
			`* @var string[]`
			`*/`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`public static $remoteUserEnvvars = array('REMOTE_USER', 'REDIRECT_REMOTE_USER');`
Replace ExternalBackend::getRemoteUserEnvvars() with an attribute refs #12164 2016-11-04 12:27:36 -04:00
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`/**`
			`* The name of this backend`
			`*`
			`* @var string`
			`*/`
			`protected $name;`

Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`/**`
			`* Regexp expression to strip values from a username`
			`*`
			`* @var string`
			`*/`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`protected $stripUsernameRegexp;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00
			`/**`
Rename authentication type "autologin" to "external" refs #8274 2015-01-27 03:49:36 -05:00			`* Create new authentication backend of type "external"`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`*`
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 07:11:52 -05:00			`* @param ConfigObject $config`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`*/`
Adjust usages of Icinga\Application\Config refs #7147 2014-11-18 07:11:52 -05:00			`public function __construct(ConfigObject $config)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`{`
			`$this->stripUsernameRegexp = $config->get('strip_username_regexp');`
			`}`

			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 09:46:40 -04:00			`* {@inheritdoc}`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`*/`
lib: Move getters before setters in ExternalBackend 2016-04-11 04:57:01 -04:00			`public function getName()`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`{`
lib: Move getters before setters in ExternalBackend 2016-04-11 04:57:01 -04:00			`return $this->name;`
ExternalBackend: Implement UserBackendInterface refs #8826 2015-05-04 06:15:50 -04:00			`}`

			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 09:46:40 -04:00			`* {@inheritdoc}`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`*/`
lib: Move getters before setters in ExternalBackend 2016-04-11 04:57:01 -04:00			`public function setName($name)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`{`
lib: Move getters before setters in ExternalBackend 2016-04-11 04:57:01 -04:00			`$this->name = $name;`
			`return $this;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`}`

lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 08:01:36 -04:00			`/**`
			`* Get the remote user from environment or $_SERVER, if any`
			`*`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`* @param string $variable The name of the variable where to read the user from`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 08:01:36 -04:00			`*`
			`* @return string\|null`
			`*/`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`public static function getRemoteUser($variable = 'REMOTE_USER')`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 08:01:36 -04:00			`{`
ExternalBackend::getRemoteUser(): restore previous default behavior refs #12164 2016-10-18 04:22:06 -04:00			`$username = getenv($variable);`
ExternalBackend: Don't authenticate a user if `REMOTE_USER` is empty 2019-12-05 09:13:02 -05:00			`if (! empty($username)) {`
ExternalBackend::getRemoteUser(): restore previous default behavior refs #12164 2016-10-18 04:22:06 -04:00			`return $username;`
			`}`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00
ExternalBackend: Don't authenticate a user if `REMOTE_USER` is empty 2019-12-05 09:13:02 -05:00			`if (array_key_exists($variable, $_SERVER) && ! empty($_SERVER[$variable])) {`
ExternalBackend::getRemoteUser(): restore previous default behavior refs #12164 2016-10-18 04:22:06 -04:00			`return $_SERVER[$variable];`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 08:01:36 -04:00			`}`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`}`

			`/**`
			`* Get the remote user information from environment or $_SERVER, if any`
			`*`
			`* @return array Contains always two entries, the username and origin which may both set to null.`
			`*/`
			`public static function getRemoteUserInformation()`
			`{`
			`foreach (static::$remoteUserEnvvars as $envVar) {`
			`$username = static::getRemoteUser($envVar);`
			`if ($username !== null) {`
			`return array($username, $envVar);`
			`}`
			`}`

			`return array(null, null);`
lib: Add ExternalBackend::getRemoteUser() If the user is authenticated via the web server, this method should be used to retrieve the user because it supports both reading the user from the environment or from the $_SERVER variable as fallback. refs #11391 2016-04-11 08:01:36 -04:00			`}`

Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`/**`
lib: Fix PHPDoc in ExternalBackend refs #9660 2015-07-29 09:46:40 -04:00			`* {@inheritdoc}`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`*/`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 07:15:06 -04:00			`public function authenticate(User $user, $password = null)`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`{`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`list($username, $field) = static::getRemoteUserInformation();`
Get remote user from $_SERVER if env does not have it in external auth refs #11391 2016-04-11 08:07:44 -04:00			`if ($username !== null) {`
ExternalBackend: Simplify how remote users are identified refs #12164 2016-11-16 05:55:54 -05:00			`$user->setExternalUserInformation($username, $field);`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 07:15:06 -04:00
Make regular expression pattern in autologin backend being fully optional 2014-10-20 09:14:14 -04:00			`if ($this->stripUsernameRegexp) {`
ExternalBackend: Don't throw an error if it's not possible to clean usernames 2016-11-16 06:04:46 -05:00			`$stripped = @preg_replace($this->stripUsernameRegexp, '', $username);`
			`if ($stripped === false) {`
			`Logger::error('Failed to strip external username. The configured regular expression is invalid.');`
			`return false;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`}`
ExternalBackend: Don't throw an error if it's not possible to clean usernames 2016-11-16 06:04:46 -05:00
			`$username = $stripped;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`}`
ExternalBackend: Drop redundant method hasUser refs #8826 2015-04-21 07:15:06 -04:00
Autologin: Actually set the username upon authentication Before, when using autologin the username of the authenticated user always was the empty string. 2014-06-11 09:27:36 -04:00			`$user->setUsername($username);`
			`return true;`
Authentication: Add backend to handle external authentication Drop external auth configuration from config.ini and move implementation into a single backend provider named 'autologin'. This provider can strip realm names from username with a custom regexp. fixes #6081 2014-06-03 11:59:22 -04:00			`}`

			`return false;`
			`}`
			`}`