mirror of https://github.com/MISP/MISP
115 lines
4.1 KiB
PHP
115 lines
4.1 KiB
PHP
<?php
|
|
|
|
App::uses('BaseAuthenticate', 'Controller/Component/Auth');
|
|
|
|
/*
|
|
* custom class for Apache-based authentication
|
|
*
|
|
* User for ApacheAuthenticate you can pass in settings to which fields, model and additional conditions
|
|
* are used. See FormAuthenticate::$settings for more information.
|
|
* TODO: clarification needed, text almost the same as in lib/Cake/Controller/Component/Auth/FormAuthenticate.php
|
|
*
|
|
* @package Controller.Component.Auth
|
|
* @since 2.0
|
|
* @see ApacheAuthComponent::$authenticate
|
|
*/
|
|
|
|
class ApacheAuthenticate extends BaseAuthenticate {
|
|
|
|
/**
|
|
* Authentication class
|
|
*
|
|
* @param CakeRequest $request The request that contains login information.
|
|
* @param CakeResponse $response Unused response object.
|
|
* @return mixed False on login failure. An array of User data on success.
|
|
*/
|
|
public function authenticate(CakeRequest $request, CakeResponse $response) {
|
|
|
|
// Get information user for MISP auth
|
|
$envvar = $this->settings['fields']['envvar'];
|
|
$mispUsername = $_SERVER[$envvar];
|
|
|
|
// make LDAP request to get user email required for MISP auth
|
|
$ldapdn = Configure::read('ApacheSecureAuth.ldapDN');
|
|
$ldaprdn = Configure::read('ApacheSecureAuth.ldapReaderUser'); // DN ou RDN LDAP
|
|
$ldappass = Configure::read('ApacheSecureAuth.ldapReaderPassword');
|
|
|
|
// LDAP connection
|
|
$ldapconn = ldap_connect(Configure::read('ApacheSecureAuth.ldapServer'))
|
|
or die('LDAP server connection failed');
|
|
|
|
// LDAP protocol configuration
|
|
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, Configure::read('ApacheSecureAuth.ldapProtocol'));
|
|
|
|
if ($ldapconn) {
|
|
// LDAP bind
|
|
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
|
|
// authentication verification
|
|
if (!$ldapbind) {
|
|
die("LDAP bind failed");
|
|
}
|
|
// example: '(uuid=ApacheUser)'
|
|
$filter = '('.Configure::read('ApacheSecureAuth.ldapSearchAttribut').'=' . $_SERVER[$envvar] . ')';
|
|
// example: mail
|
|
$getLdapUserInfo = Configure::read('ApacheSecureAuth.ldapFilter');
|
|
|
|
$result = ldap_search($ldapconn, $ldapdn, $filter, $getLdapUserInfo)
|
|
or die("Error in LDAP search query: " . ldap_error($ldapconn));
|
|
|
|
$ldapUserData = ldap_get_entries($ldapconn, $result);
|
|
|
|
// the request returns only 1 field
|
|
if (isset($ldapUserData[0]['mail'][0])) {
|
|
// assign the real user for MISP
|
|
$mispUsername = $ldapUserData[0]['mail'][0];
|
|
} else {
|
|
die("User not found in LDAP");
|
|
}
|
|
// close LDAP connection
|
|
ldap_close($ldapconn);
|
|
}
|
|
|
|
// Find user with real username (mail)
|
|
$user = $this->_findUser($mispUsername);
|
|
|
|
if ($user) {
|
|
return $user;
|
|
}
|
|
|
|
// insert user in database if not existent
|
|
$userModel = ClassRegistry::init($this->settings['userModel']);
|
|
$org_id = Configure::read('ApacheSecureAuth.ldapDefaultOrg');
|
|
// If not in config, take default org
|
|
if(!isset($org_id)) {
|
|
$firstOrg = $userModel->Organisation->find(
|
|
'first', array(
|
|
'conditions' => array(
|
|
'Organisation.local' => true),
|
|
'order' => 'Organisation.id ASC'
|
|
)
|
|
);
|
|
$org_id = $firstOrg['Organisation']['id'];
|
|
}
|
|
|
|
// create user
|
|
$userData = array('User' => array(
|
|
'email' => $mispUsername,
|
|
'org_id' => $org_id,
|
|
'password' => '',
|
|
'confirm_password' => '',
|
|
'authkey' => $userModel->generateAuthKey(),
|
|
'nids_sid' => 4000000,
|
|
'newsread' => date('Y-m-d'),
|
|
'role_id' => Configure::read('ApacheSecureAuth.ldapDefaultRoleId'),
|
|
'change_pw' => 0
|
|
));
|
|
// save user
|
|
$userModel->save($userData, false);
|
|
|
|
return $this->_findUser(
|
|
$mispUsername
|
|
);
|
|
}
|
|
|
|
}
|