remove duplicate user fields (and thus the need for synchronization)
flack committed Oct 22, 2017
1 parent 678c5b0 commit 77e754b
Showing 2 changed files with 43 additions and 63 deletions.
40 changes: 15 additions & 25 deletions lib/midcom/services/auth/backend.php
Expand Up @@ -21,14 +21,6 @@
*/
abstract class midcom_services_auth_backend
{
/**
* This variable holds the user that has been successfully authenticated by the class,
* it is considered to be read-only.
*
* @var midcom_core_user
*/
var $user;

/**
* @var midcom_services_auth
*/
Expand Down Expand Up @@ -84,12 +76,11 @@ abstract public function update_session();
* Checks for a running login session.
*
* @param Request $request
* @return boolean
* @return boolean|midcom_core_user
*/
public function check_for_active_login_session(Request $request)
{
$data = $this->read_session($request);
if (!$data) {
if (!$data = $this->read_session($request)) {
return false;
}

Expand All @@ -100,20 +91,19 @@ public function check_for_active_login_session(Request $request)
return false;
}

$this->user = $this->auth->get_user($data['userid']);
if (!$this->user) {
if (!$user = $this->auth->get_user($data['userid'])) {
debug_add("The user ID {$data['userid']} is invalid, could not load the user from the database, assuming tampered session.",
MIDCOM_LOG_ERROR);
$this->delete_session();
return false;
}

if ( !$this->check_timestamp($data['timestamp'], $this->user)
|| !$this->authenticate($this->user->username, '', true)) {
$this->logout();
if ( !$this->check_timestamp($data['timestamp'], $user)
|| !$this->authenticate($user->username, '', true)) {
$this->logout($user);
return false;
}
return true;
return $user;
}

private function check_timestamp($timestamp, midcom_core_user $user)
Expand Down Expand Up @@ -172,29 +162,29 @@ public function authenticate($username, $password, $trusted = false)
* @param string $clientip The client IP to which this session is assigned to. This
* defaults to the client IP reported by the web server
* @param boolean $trusted Do a trusted login
* @return boolean Indicating success.
* @return boolean|midcom_core_user
*/
public function login($username, $password, $clientip = null, $trusted = false)
{
$this->user = $this->authenticate($username, $password, $trusted);
if (!$this->user) {
$user = $this->authenticate($username, $password, $trusted);
if (!$user) {
return false;
}

if ($this->create_session($clientip, $this->user)) {
$person = $this->user->get_storage();
if ($this->create_session($clientip, $user)) {
$person = $user->get_storage();
$person->set_parameter('midcom', 'online', time());
return true;
return $user;
}
return false;
}

/**
* Deletes login information and session
*/
public function logout()
public function logout(midcom_core_user $user)
{
if ($person = $this->user->get_storage()) {
if ($person = $user->get_storage()) {
$person->delete_parameter('midcom', 'online');
}
$this->delete_session();
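Review bot: `logout()` now requires a `midcom_core_user` argument, which is an incompatible signature change on a public method of an abstract class. Any subclass that overrides `logout()` without the parameter, or any caller that still invokes it with no argument, would fail at runtime, presumably before `delete_session()` is reached. The two callers visible on this page (`check_for_active_login_session()` and `drop_login_session()` in main.php) are updated, but the rest of the tree is not shown, so the remaining call sites and overrides need checking. The method also clears the 'online' parameter of whichever user is passed while deleting the current session, and nothing here checks that the two belong together. The docblock should state that contract, e.g. `@param midcom_core_user $user The user owning the current session`. The body of `logout()` continues past the end of this hunk.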
66 changes: 28 additions & 38 deletions lib/midcom/services/auth/main.php
Expand Up @@ -123,7 +123,12 @@ public function __construct()
{
$this->acl = new midcom_services_auth_acl($this);

$this->_initialize_user_from_midgard();
// Initialize from midgard
if ( midcom_connection::get_user()
&& $user = $this->get_user(midcom_connection::get_user())) {
$this->set_user($user);
}

$this->_prepare_authentication_drivers();
}

Expand All @@ -136,23 +141,22 @@ public function check_for_login_session(Request $request)
$credentials = $this->_auth_frontend->read_login_data($request);
if (!$credentials) {
// No new login detected, so we check if there is a running session.
if ($this->_auth_backend->check_for_active_login_session($request)) {
$this->_sync_user_with_backend();
if ($user = $this->_auth_backend->check_for_active_login_session($request)) {
$this->set_user($user);
}
return;
}

// Try to start up a new session, this will authenticate as well.
if (!$this->_auth_backend->login($credentials['username'], $credentials['password'], $request->getClientIp())) {
if (!$user = $this->_auth_backend->login($credentials['username'], $credentials['password'], $request->getClientIp())) {
debug_add('The login information passed to the system was invalid.', MIDCOM_LOG_ERROR);
debug_add("Username was {$credentials['username']}");
// No password logging for security reasons.
return;
}

debug_add('Authentication was successful, we have a new login session now. Updating timestamps');

$this->_sync_user_with_backend();
$this->set_user($user);

$person_class = midcom::get()->config->get('person_class');
$person = new $person_class($this->user->guid);
Expand All @@ -175,28 +179,12 @@ public function check_for_login_session(Request $request)
}

/**
* Internal helper, synchronizes the main service class with the authentication state
* of the authentication backend.
*/
private function _sync_user_with_backend()
{
$this->user =& $this->_auth_backend->user;
// This check is a bit fuzzy but will work as long as MidgardAuth is in sync with
// MidCOM auth.
$this->admin = midcom_connection::is_admin();
}

/**
* Internal startup helper, synchronizes the authenticated user with the Midgard Authentication
* for startup. This will be overridden by MidCOM Auth, but is there for compatibility reasons.
* @param midcom_core_user $user
*/
private function _initialize_user_from_midgard()
private function set_user(midcom_core_user $user)
{
if ( midcom_connection::get_user()
&& $user = $this->get_user(midcom_connection::get_user())) {
$this->user = $user;
$this->admin = midcom_connection::is_admin();
}
$this->user = $user;
$this->admin = $user->is_admin();
}

/**
Expand Down Expand Up @@ -566,14 +554,12 @@ private function _http_basic_auth()
// TODO: more fancy 401 output ?
echo "<h1>Authorization required</h1>\n";
midcom::get()->finish();
} elseif ($user = $this->_auth_backend->authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
$this->set_user($user);
} else {
if (!$this->_auth_backend->authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
// Wrong password: Recurse until auth ok or user gives up
unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
$this->_http_basic_auth();
}
// Figure out how to update midcom auth status
$this->_initialize_user_from_midgard();
// Wrong password: Recurse until auth ok or user gives up
unset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
$this->_http_basic_auth();
}
}

Expand Down Expand Up @@ -719,8 +705,8 @@ public function get_group($id)
*/
public function login($username, $password)
{
if ($this->_auth_backend->login($username, $password)) {
$this->_sync_user_with_backend();
if ($user = $this->_auth_backend->login($username, $password)) {
$this->set_user($user);
return true;
}
return false;
Expand All @@ -733,7 +719,11 @@ public function trusted_login($username)
return false;
}

return $this->_auth_backend->login($username, '', null, true);
if ($user = $this->_auth_backend->login($username, '', null, true)) {
$this->set_user($user);
return true;
}
return false;
}

/**
Expand All @@ -756,10 +746,10 @@ public function logout()
*/
function drop_login_session()
{
if (is_null($this->_auth_backend->user)) {
if (is_null($this->user)) {
debug_add('The backend has no authenticated user set, so we should be fine, doing the relocate nevertheless though.');
} else {
$this->_auth_backend->logout();
$this->_auth_backend->logout($this->user);
}

// Kill the session forcibly:
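Review bot: `set_user()` now derives the privilege flag with `$this->admin = $user->is_admin();`, where both removed helpers used `midcom_connection::is_admin()`. That changes the source of truth for admin status on every path that calls it: the constructor, the session check, `login()`, `trusted_login()` and `_http_basic_auth()`. `midcom_core_user::is_admin()` is not shown on this page, so it should be confirmed that it cannot report admin for a user the connection layer does not treat as admin. A short comment in `set_user()` would record the intent, e.g. `// admin status is taken from the user object, not from midcom_connection`. Separately, `drop_login_session()` now tests `$this->user`, which the constructor may fill from `midcom_connection::get_user()`, so its debug text 'The backend has no authenticated user set' no longer describes the check; that function's body continues outside the hunk.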