MISP/app/Controller/Component/Auth/ApacheAuthenticate.php

115 lines
4.1 KiB
PHP

<?php
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
/*
* custom class for Apache-based authentication
*
* User for ApacheAuthenticate you can pass in settings to which fields, model and additional conditions
* are used. See FormAuthenticate::$settings for more information.
* TODO: clarification needed, text almost the same as in lib/Cake/Controller/Component/Auth/FormAuthenticate.php
*
* @package Controller.Component.Auth
* @since 2.0
* @see ApacheAuthComponent::$authenticate
*/
class ApacheAuthenticate extends BaseAuthenticate {
/**
* Authentication class
*
* @param CakeRequest $request The request that contains login information.
* @param CakeResponse $response Unused response object.
* @return mixed False on login failure. An array of User data on success.
*/
public function authenticate(CakeRequest $request, CakeResponse $response) {
// Get information user for MISP auth
$envvar = $this->settings['fields']['envvar'];
$mispUsername = $_SERVER[$envvar];
// make LDAP request to get user email required for MISP auth
$ldapdn = Configure::read('ApacheSecureAuth.ldapDN');
$ldaprdn = Configure::read('ApacheSecureAuth.ldapReaderUser'); // DN ou RDN LDAP
$ldappass = Configure::read('ApacheSecureAuth.ldapReaderPassword');
// LDAP connection
$ldapconn = ldap_connect(Configure::read('ApacheSecureAuth.ldapServer'))
or die('LDAP server connection failed');
// LDAP protocol configuration
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, Configure::read('ApacheSecureAuth.ldapProtocol'));
if ($ldapconn) {
// LDAP bind
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// authentication verification
if (!$ldapbind) {
die("LDAP bind failed");
}
// example: '(uuid=ApacheUser)'
$filter = '('.Configure::read('ApacheSecureAuth.ldapSearchAttribut').'=' . $_SERVER[$envvar] . ')';
// example: mail
$getLdapUserInfo = Configure::read('ApacheSecureAuth.ldapFilter');
$result = ldap_search($ldapconn, $ldapdn, $filter, $getLdapUserInfo)
or die("Error in LDAP search query: " . ldap_error($ldapconn));
$ldapUserData = ldap_get_entries($ldapconn, $result);
// the request returns only 1 field
if (isset($ldapUserData[0]['mail'][0])) {
// assign the real user for MISP
$mispUsername = $ldapUserData[0]['mail'][0];
} else {
die("User not found in LDAP");
}
// close LDAP connection
ldap_close($ldapconn);
}
// Find user with real username (mail)
$user = $this->_findUser($mispUsername);
if ($user) {
return $user;
}
// insert user in database if not existent
$userModel = ClassRegistry::init($this->settings['userModel']);
$org_id = Configure::read('ApacheSecureAuth.ldapDefaultOrg');
// If not in config, take default org
if(!isset($org_id)) {
$firstOrg = $userModel->Organisation->find(
'first', array(
'conditions' => array(
'Organisation.local' => true),
'order' => 'Organisation.id ASC'
)
);
$org_id = $firstOrg['Organisation']['id'];
}
// create user
$userData = array('User' => array(
'email' => $mispUsername,
'org_id' => $org_id,
'password' => '',
'confirm_password' => '',
'authkey' => $userModel->generateAuthKey(),
'nids_sid' => 4000000,
'newsread' => date('Y-m-d'),
'role_id' => Configure::read('ApacheSecureAuth.ldapDefaultRoleId'),
'change_pw' => 0
));
// save user
$userModel->save($userData, false);
return $this->_findUser(
$mispUsername
);
}
}