Fix REST authentication and further auth clean-up

pull/64/merge
Christophe Vandeplas 2013-04-29 11:22:46 +02:00
parent 6332dbf05b
commit 73e1053f4e
2 changed files with 23 additions and 64 deletions


@ -86,29 +86,19 @@ class AppController extends Controller {
// Authenticate user with authkey in Authorization HTTP header
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
if (!$this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION'])) {
$user = $this->checkAuthUser($_SERVER['HTTP_AUTHORIZATION']);
if ($user) {
// User found in the db, add the user info to the session
$this->Session->renew();
$this->Session->write(AuthComponent::$sessionKey, $user['User']);
}
else {
// User not authenticated correctly
// reset the session information
$this->Session->destroy();
throw new ForbiddenException('The authentication key provided cannot be used for syncing.');
}
$this->loadModel('User');
$params = array(
'conditions' => array('User.authkey' => $authkey),
'recursive' => 0,
);
$user = $this->User->find('first', $params);
if ($user) {
// User found in the db, add the user info to the session
$this->Session->renew();
$this->Session->write(AuthComponent::$sessionKey, $user['User']);
} else {
// User not authenticated correctly
// reset the session information
$this->Session->destroy();
throw new ForbiddenException('Incorrect authentication key');
}
}
} else {
//$this->Security->blackHoleCallback = 'blackhole'; // TODO needs more investigation
}
// We don't want to run these role checks before the user is logged in, but we want them available for every view once the user is logged on
@ -234,10 +224,9 @@ class AppController extends Controller {
/**
*
* @param unknown $authkey
* @return boolean
* @return boolean or user array
*/
public function checkAuthUser($authkey) {
$result = false;
$this->loadModel('User');
$this->User->recursive = -1;
$user = $this->User->findByAuthkey($authkey);
@ -246,10 +235,10 @@ class AppController extends Controller {
$this->Role->recursive = -1;
$role = $this->Role->findById($user['User']['role_id']);
if ($role['Role']['perm_auth']) {
$result = true;
return $user;
}
}
return $result;
return false;
}
public function generatePrivate() {
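Review bot: In checkAuthUser the role row is dereferenced as `$role['Role']['perm_auth']` without checking that `findById` returned anything, so a user whose role_id points at a deleted role raises a PHP notice and only reaches `return false` by accident; `if (!empty($role['Role']['perm_auth'])) { return $user; }` makes the deny explicit and notice-free. The docblock should be brought in line with the new contract as well: `@param string $authkey` and `@return array|false the User row when the key exists and its role has perm_auth, otherwise false` (the `recursive = -1` lookup means no associated Role data is in that array). The middle of checkAuthUser falls between the two hunks, so whether an empty findByAuthkey result is guarded before the role lookup cannot be confirmed from here. Note also that this header path throws ForbiddenException (403) while the export actions in EventsController throw UnauthorizedException (401) for the same failed key check; one status code for a rejected API key would be simpler for clients to handle.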


@ -1129,12 +1129,8 @@ class EventsController extends AppController {
public function xml($key, $eventid=null) {
// check if the key is valid -> search for users based on key
$this->loadModel('User');
$user = $this->User->findByAuthkey($key);
if (empty($user)) {
throw new UnauthorizedException('Incorrect authentication key');
}
if (!$this->checkAuthUser($key)) {
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
// display the full xml
@ -1193,15 +1189,8 @@ class EventsController extends AppController {
public function nids($key) {
// check if the key is valid -> search for users based on key
$this->loadModel('User');
// no input sanitization necessary, it's done by model
// do not fetch recursive
$this->User->recursive = 0;
$user = $this->User->findByAuthkey($key);
if (empty($user)) {
throw new UnauthorizedException('Incorrect authentication key');
}
if (!$this->checkAuthUser($key)) {
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
// display the full snort rulebase
@ -1243,15 +1232,8 @@ class EventsController extends AppController {
public function hids_md5($key) {
// check if the key is valid -> search for users based on key
$this->loadModel('User');
// no input sanitization necessary, it's done by model
// do not fetch recursive
$this->User->recursive = 0;
$user = $this->User->findByAuthkey($key);
if (empty($user)) {
throw new UnauthorizedException('Incorrect authentication key');
}
if (!$this->checkAuthUser($key)) {
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
// display the full md5 set
@ -1298,15 +1280,8 @@ class EventsController extends AppController {
public function hids_sha1($key) {
// check if the key is valid -> search for users based on key
$this->loadModel('User');
// no input sanitization necessary, it's done by model
// do not fetch recursive
$this->User->recursive = 0;
$user = $this->User->findByAuthkey($key);
if (empty($user)) {
throw new UnauthorizedException('Incorrect authentication key');
}
if (!$this->checkAuthUser($key)) {
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
// display the full SHA-1 set
@ -1354,13 +1329,8 @@ class EventsController extends AppController {
public function text($key, $type="") {
// check if the key is valid -> search for users based on key
$this->loadModel('User');
// no input sanitization necessary, it's done by model
$user = $this->User->findByAuthkey($key);
if (empty($user)) {
throw new UnauthorizedException('Incorrect authentication key');
}
if (!$this->checkAuthUser($key)) {
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
$this->response->type('txt'); // set the content type
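Review bot: Each of the five export actions still calls `$this->loadModel('User')` right before `checkAuthUser($key)`, which loads that model itself (visible in AppController's checkAuthUser), so the line is now dead in xml, nids, hids_md5, hids_sha1 and text and can go together with the stale "search for users based on key" comment. The same four-line check is pasted five times; a small protected helper in AppController that calls checkAuthUser, throws UnauthorizedException with the existing message when it returns false and otherwise returns the user array would reduce each call site to `$user = $this->requireExportUser($key);` and keep the message and status code in one place. These actions take the API key as a URL path segment, so it ends up in web-server and proxy access logs and in browser history; since AppController now accepts the key in the Authorization header, it would be worth letting these exports honour that header too, though whether the header path runs ahead of these actions depends on filter code outside the hunks. The bodies of all five actions continue past the hunks.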