fix rest authentication and further auth clean up
parent
6332dbf05b
commit
73e1053f4e
|
@ -86,29 +86,19 @@ class AppController extends Controller {
|
|||
|
||||
// Authenticate user with authkey in Authorization HTTP header
|
||||
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
|
||||
if (!$this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION'])) {
|
||||
$user = $this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION']);
|
||||
if ($user) {
|
||||
// User found in the db, add the user info to the session
|
||||
$this->Session->renew();
|
||||
$this->Session->write(AuthComponent::$sessionKey, $user['User']);
|
||||
}
|
||||
else {
|
||||
// User not authenticated correctly
|
||||
// reset the session information
|
||||
$this->Session->destroy();
|
||||
throw new ForbiddenException('The authentication key provided cannot be used for syncing.');
|
||||
}
|
||||
$this->loadModel('User');
|
||||
$params = array(
|
||||
'conditions' => array('User.authkey' => $authkey),
|
||||
'recursive' => 0,
|
||||
);
|
||||
$user = $this->User->find('first', $params);
|
||||
|
||||
if ($user) {
|
||||
// User found in the db, add the user info to the session
|
||||
$this->Session->renew();
|
||||
$this->Session->write(AuthComponent::$sessionKey, $user['User']);
|
||||
} else {
|
||||
// User not authenticated correctly
|
||||
// reset the session information
|
||||
$this->Session->destroy();
|
||||
throw new ForbiddenException('Incorrect authentication key');
|
||||
}
|
||||
}
|
||||
} else {
|
||||
//$this->Security->blackHoleCallback = 'blackhole'; // TODO needs more investigation
|
||||
}
|
||||
|
||||
// We don't want to run these role checks before the user is logged in, but we want them available for every view once the user is logged on
|
||||
|
@ -234,10 +224,9 @@ class AppController extends Controller {
|
|||
/**
|
||||
*
|
||||
* @param unknown $authkey
|
||||
* @return boolean
|
||||
* @return boolean or user array
|
||||
*/
|
||||
public function checkAuthUser($authkey) {
|
||||
$result = false;
|
||||
$this->loadModel('User');
|
||||
$this->User->recursive = -1;
|
||||
$user = $this->User->findByAuthkey($authkey);
|
||||
|
@ -246,10 +235,10 @@ class AppController extends Controller {
|
|||
$this->Role->recursive = -1;
|
||||
$role = $this->Role->findById($user['User']['role_id']);
|
||||
if ($role['Role']['perm_auth']) {
|
||||
$result = true;
|
||||
return $user;
|
||||
}
|
||||
}
|
||||
return $result;
|
||||
return false;
|
||||
}
|
||||
|
||||
public function generatePrivate() {
|
||||
|
|
|
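Review bot: `$role['Role']['perm_auth']` is read without checking that `findById` returned a row, so a user whose `role_id` references a missing role only fails closed through an undefined-index notice; `if (!empty($role['Role']['perm_auth'])) { return $user; }` makes that fail-closed path explicit. The `if ($user)` that opens this branch and the Role model load sit between the two hunks, outside what is shown. The docblock still says `@param unknown $authkey`; `@param string $authkey` and `@return array|false` (the User row on success) describe the new contract precisely. Note also that the caller in the first hunk writes the returned row straight into the session with `$this->Session->write(AuthComponent::$sessionKey, $user['User'])`, so whatever columns that row carries — presumably the authkey itself — are persisted in session storage; trimming the row to the fields the session actually needs before the write would limit that.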
@ -1129,12 +1129,8 @@ class EventsController extends AppController {
|
|||
|
||||
public function xml($key, $eventid=null) {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$this->loadModel('User');
|
||||
$user = $this->User->findByAuthkey($key);
|
||||
if (empty($user)) {
|
||||
throw new UnauthorizedException('Incorrect authentication key');
|
||||
}
|
||||
if (!$this->checkAuthUser($key)) {
|
||||
$user = $this->checkAuthUser($key);
|
||||
if (!$user) {
|
||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||
}
|
||||
// display the full xml
|
||||
|
@ -1193,15 +1189,8 @@ class EventsController extends AppController {
|
|||
|
||||
public function nids($key) {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$this->loadModel('User');
|
||||
// no input sanitization necessary, it's done by model
|
||||
// do not fetch recursive
|
||||
$this->User->recursive = 0;
|
||||
$user = $this->User->findByAuthkey($key);
|
||||
if (empty($user)) {
|
||||
throw new UnauthorizedException('Incorrect authentication key');
|
||||
}
|
||||
if (!$this->checkAuthUser($key)) {
|
||||
$user = $this->checkAuthUser($key);
|
||||
if (!$user) {
|
||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||
}
|
||||
// display the full snort rulebase
|
||||
|
@ -1243,15 +1232,8 @@ class EventsController extends AppController {
|
|||
|
||||
public function hids_md5($key) {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$this->loadModel('User');
|
||||
// no input sanitization necessary, it's done by model
|
||||
// do not fetch recursive
|
||||
$this->User->recursive = 0;
|
||||
$user = $this->User->findByAuthkey($key);
|
||||
if (empty($user)) {
|
||||
throw new UnauthorizedException('Incorrect authentication key');
|
||||
}
|
||||
if (!$this->checkAuthUser($key)) {
|
||||
$user = $this->checkAuthUser($key);
|
||||
if (!$user) {
|
||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||
}
|
||||
// display the full md5 set
|
||||
|
@ -1298,15 +1280,8 @@ class EventsController extends AppController {
|
|||
|
||||
public function hids_sha1($key) {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$this->loadModel('User');
|
||||
// no input sanitization necessary, it's done by model
|
||||
// do not fetch recursive
|
||||
$this->User->recursive = 0;
|
||||
$user = $this->User->findByAuthkey($key);
|
||||
if (empty($user)) {
|
||||
throw new UnauthorizedException('Incorrect authentication key');
|
||||
}
|
||||
if (!$this->checkAuthUser($key)) {
|
||||
$user = $this->checkAuthUser($key);
|
||||
if (!$user) {
|
||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||
}
|
||||
// display the full SHA-1 set
|
||||
|
@ -1354,13 +1329,8 @@ class EventsController extends AppController {
|
|||
|
||||
public function text($key, $type="") {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$this->loadModel('User');
|
||||
// no input sanitization necessary, it's done by model
|
||||
$user = $this->User->findByAuthkey($key);
|
||||
if (empty($user)) {
|
||||
throw new UnauthorizedException('Incorrect authentication key');
|
||||
}
|
||||
if (!$this->checkAuthUser($key)) {
|
||||
$user = $this->checkAuthUser($key);
|
||||
if (!$user) {
|
||||
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
|
||||
}
|
||||
$this->response->type('txt'); // set the content type
|
||||
|
|
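Review bot: `$user` is now the row returned by `checkAuthUser`, which loads it with `$this->User->recursive = -1`, whereas `xml()` and `text()` previously called `findByAuthkey` with the default recursion and `nids()`/`hids_md5()`/`hids_sha1()` with `recursive = 0`; if the remainder of these functions (outside the hunks) reads association data such as `$user['Org']` or `$user['Role']`, those keys are now absent. Either confirm no later line depends on them or fetch what is needed explicitly after the check. The single `UnauthorizedException` message now covers both an unknown key and a key without `perm_auth`, which is acceptable for the client but hides the distinction from operators; a log entry before the throw (one that does not echo `$key`) would keep failed export authentications visible server-side. This applies to all five hunks in this file, and each function body continues past its hunk.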