MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
MISP/app/Plugin/CertAuth/Controller/Component/Auth/CertificateAuthenticate.php

296 lines
11 KiB
PHP
Raw Blame History

<?php
/**
* Client SSL Certificate Authentication component
*
* Authorizes users based on their SSL credentials.
*
* Copyright (c) FIRST.Org, Inc. (https://first.org)
*
* Licensed under The MIT License
* For full copyright and license information, please see the LICENSE.txt
* Redistributions of files must retain the above copyright notice.
*
* @author Guilherme Capilé, Tecnodesign (https://tecnodz.com)
* @copyright Copyright (c) FIRST.Org, Inc. (https://first.org)
* @link http://github.com/FIRSTdotorg/cakephp-CertAuth
* @package CertAuth.Certificate
* @license http://www.opensource.org/licenses/mit-license.php MIT License
*/
App::uses('AuthComponent', 'Controller/Component');
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
class CertificateAuthenticate extends BaseAuthenticate
{
/**
* Holds the certificate issuer information (available at SSL_CLIENT_I_DN)
*
* @var array
*/
protected static $ca;
/**
* Holds the certificate user information (available at SSL_CLIENT_S_DN)
*
* @var array
*/
protected static $client;
/**
* Holds the user information
*
* @var array
*/
protected static $user;
/**
* Class constructor.
*
* This should only be called once per request, so it doesn't need to store values in
* the instance. Simply checks if the certificate is valid (against configured valid issuers)
* and returns the user information encoded.
*/
public function __construct()
{
self::$ca = self::$client = false;
if (isset($_SERVER['SSL_CLIENT_I_DN'])) {
$CA = self::parse($_SERVER['SSL_CLIENT_I_DN'], Configure::read('CertAuth.mapCa'));
// only valid CAs, if this was configured
if ($ca=Configure::read('CertAuth.ca')) {
$k = Configure::read('CertAuth.caId');
if (!$k) $k = 'CN';
$id = (isset($CA[$k]))?($CA[$k]):(false);
if (!$id) {
$CA = false;
} else if (is_array($ca)) {
if (!in_array($id, $ca)) $CA = false;
} else if ($ca!=$id) {
$CA = false;
}
unset($id, $k);
}
self::$ca = $CA;
unset($CA, $ca);
}
if (self::$ca) {
$map = Configure::read('CertAuth.map');
if(isset($_SERVER['SSL_CLIENT_S_DN'])) {
self::$client = self::parse($_SERVER['SSL_CLIENT_S_DN'], $map);
} else {
self::$client = array();
}
foreach($map as $n=>$d) {
if(isset($_SERVER[$n])) {
self::$client[$d] = $_SERVER[$n];
}
unset($map[$n], $n, $d);
}
unset($map);
if(!self::$client) {
self::$client = false;
}
}
}
/**
* Parse certificate extensions
*
* @TODO this should properly address the RFC
* @param string $s text to be parsed
* @param (optional) array $map array of mapping extension to User fields
* @return array parsed values
*/
private static function parse($s, $map=null)
{
$r=array();
if (preg_match_all('#(^/?|\/|\,)([a-zA-Z]+)\=([^\/\,]+)#', $s, $m)) {
foreach ($m[2] as $i=>$k) {
if ($map) {
if (isset($map[$k])) {
$k = $map[$k];
} else {
$k = null;
}
}
if ($k) {
$v = $m[3][$i];
$r[$k] = $v;
}
unset($m[0][$i], $m[1][$i], $m[2][$i], $m[3][$i], $k, $v, $i);
}
}
return $r;
}
// to enable stateless authentication
public function getUser(CakeRequest $request)
{
if (empty(self::$user)) {
if (self::$client) {
self::$user = self::$client;
// If $sync is true, allow the creation of the user from the certificate
$sync = Configure::read('CertAuth.syncUser');
$url = Configure::read('CertAuth.restApi.url');
if ($sync && $url) {
if (!self::getRestUser()) return false;
}
// find and fill user with model
$userModelKey = empty(Configure::read('CertAuth.userModelKey')) ? 'email' : Configure::read('CertAuth.userModelKey');
$userDefaults = Configure::read('CertAuth.userDefaults');
$this->User = ClassRegistry::init('User');
if (!empty(self::$user[$userModelKey])) {
$existingUser = $this->User->find('first', array(
'conditions' => array($userModelKey => self::$user[$userModelKey]),
'recursive' => false
));
}
if ($existingUser) {
if ($sync) {
if (!isset(self::$user['org_id']) && isset(self::$user['org'])) {
self::$user['org_id'] = $this->User->Organisation->createOrgFromName(self::$user['org'], $existingUser['User']['id'], true);
// reset user defaults in case it's a different org_id
if (self::$user['org_id'] && $existingUser['User']['org_id'] != self::$user['org_id']) {
if ($userDefaults && is_array($userDefaults)) {
self::$user = array_merge($userDefaults + self::$user);
}
}
unset(self::$user['org']);
}
$write = array();
foreach (self::$user as $k => $v) {
if (isset($existingUser['User'][$k]) && trim($existingUser['User'][$k]) != trim($v)) {
$write[] = $k;
$existingUser['User'][$k] = trim($v);
}
}
if (!empty($write) && !$this->User->save($existingUser['User'], true, $write)) {
CakeLog::write('alert', 'Could not update model at database with RestAPI data.');
}
}
self::$user = $this->User->getAuthUser($existingUser['User']['id']);
if (isset(self::$user['gpgkey'])) unset(self::$user['gpgkey']);
} else if ($sync && !empty(self::$user)) {
$org = isset(self::$client['org']) ? self::$client['org'] : null;
if ($org == null) return false;
if (!isset(self::$user['org_id']) && isset(self::$user['org'])) {
self::$user['org_id'] = $this->User->Organisation->createOrgFromName($org, 0, true);
unset(self::$user['org']);
}
if ($userDefaults && is_array($userDefaults)) {
self::$user = array_merge(self::$user, $userDefaults);
}
$this->User->create();
if ($this->User->save(self::$user)) {
$id = $this->User->id;
self::$user = $this->User->getAuthUser($id);
if (isset(self::$user['gpgkey'])) unset(self::$user['gpgkey']);
} else {
CakeLog::write('alert', 'Could not insert model at database from RestAPI data. Reason: ' . json_encode($this->User->validationErrors));
}
} else {
// No match -- User doesn't exist !!!
self::$user = false;
}
}
}
return self::$user;
}
// to enable stateless authentication
public function authenticate(CakeRequest $request, CakeResponse $response)
{
return self::getUser($request);
}
/**
* Fetches user information from external REST API
*
* Valid options (should be configured under CertAuth.restApi):
*
* @param (optional) array $options API configuration
* url (string) Where to fetch information from
* headers (array) list of additional headers to be used, reserved for authentication tokens
* params (array) mapping of additional params to be included at the url, uses $user values
* map (array) mapping of the return values to be added to the self::$user
* @return array updated user object
*/
public function getRestUser($options=null, $user=null)
{
if (is_null($options)) {
$options = Configure::read('CertAuth.restApi');
}
if (!is_null($user)) {
self::$user = $user;
}
if (!isset($options['url'])) {
return null;
}
// Create a stream
$req = array(
'http'=>array(
'method'=>'GET',
'header'=>"Accept: application/json\r\n"
),
);
if (isset($options['headers'])) {
foreach ($options['headers'] as $k=>$v) {
if (is_int($k)) {
$req['header'] .= "{$v}\r\n";
} else {
$req['header'] .= "{$k}: {$v}\r\n";
}
unset($k, $v);
}
}
$url = $options['url'];
if (isset($options['param'])) {
foreach ($options['param'] as $k=>$v) {
if (isset(self::$user[$v])) {
$url .= ((strpos($url, '?'))?('&'):('?'))
. $k . '=' . urlencode(self::$user[$v]);
}
unset($k, $v);
}
}
$ctx = stream_context_create($req);
$url = mb_ereg_replace("/phar\:\/\//i", '', $url);
$a = file_get_contents($url, false, $ctx);
if (!$a) return null;
$A = json_decode($a, true);
if (!isset($A['data'][0])) {
self::$user = false;
} else if (isset($options['map'])) {
foreach ($options['map'] as $k=>$v) {
if (isset($A['data'][0][$k])) {
self::$user[$v] = $A['data'][0][$k];
}
unset($k, $v);
}
}
return self::$user;
}
protected static $instance;
public static function ca()
{
if (is_null(self::$ca)) new CertificateAuthenticate();
return self::$ca;
}
public static function client()
{
if (is_null(self::$client)) new CertificateAuthenticate();
return self::$client;
}
}
Reference in New Issue View Git Blame Copy Permalink