Fix up ldap-authorizer, create non-existent users (#9192)

* First attempt at ldap-auth fixes * no, guest, so it is not allowed. * cast to int * don't count on Session * return full user * Specific error for guest not allowed. * fix up external auth user creation * fix check * Fix user level missing Simplify middleware * use guard if configured
librenms · Sep 12, 2018 · 588b115 · 588b115
1 parent 31e931d
commit 588b115
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 43 deletions.
diff --git a/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizationAuthorizer.php
@@ -39,8 +39,11 @@
 
 namespace LibreNMS\Authentication;
 
+use App\Models\User;
+use Carbon\Carbon;
 use LibreNMS\Config;
 use LibreNMS\Exceptions\AuthenticationException;
+use Session;
 
 class LdapAuthorizationAuthorizer extends AuthorizerBase
 {
@@ -49,10 +52,6 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
 
     public function __construct()
     {
-        if (! isset($_SESSION['username'])) {
-            $_SESSION['username'] = '';
-        }
-
         if (!function_exists('ldap_connect')) {
             throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
         }
@@ -76,17 +75,14 @@ public function __construct()
         }
     }
 
-
     public function authenticate($username, $password)
     {
-        if (isset($_SERVER['REMOTE_USER'])) {
-            $_SESSION['username'] = mres($_SERVER['REMOTE_USER']);
-
-            if ($this->userExists($_SESSION['username'])) {
-                return true;
-            }
+        if ($this->userExists($username)) {
+            return true;
+        }
 
-            $_SESSION['username'] = Config::get('http_auth_guest');
+        $guest = Config::get('http_auth_guest');
+        if ($guest && User::thisAuth()->where('username', $guest)->exists()) {
             return true;
         }
 
@@ -154,16 +150,26 @@ public function getUserid($username)
         $user_id = $this->authLdapSessionCacheGet('userid');
         if (isset($user_id)) {
             return $user_id;
-        } else {
-            $user_id = -1;
         }
 
+        $guest_username = Config::get('http_auth_guest');
+        $user_id = User::thisAuth()->where('username', $guest_username)->value('auth_id') ?: -1;
+
         $filter  = '(' . Config::get('auth_ldap_prefix') . $username . ')';
         $search  = ldap_search($this->ldap_connection, trim(Config::get('auth_ldap_suffix'), ','), $filter);
         $entries = ldap_get_entries($this->ldap_connection, $search);
 
         if ($entries['count']) {
-            $user_id = $entries[0]['uidnumber'][0];
+            $user_id = (int)$entries[0]['uidnumber'][0];
+        }
+
+        if ($user_id === -1) {
+            // no user or guest user, don't allow
+            if ($guest_username) {
+                throw new AuthenticationException();
+            } else {
+                throw new AuthenticationException('Guest login allowed.');
+            }
         }
 
         $this->authLdapSessionCacheSet('userid', $user_id);
@@ -212,9 +218,10 @@ public function getUserlist()
 
     public function getUser($user_id)
     {
-        foreach ($this->getUserlist() as $users) {
-            if ($users['user_id'] === $user_id) {
-                return $users['username'];
+        foreach ($this->getUserlist() as $user) {
+            if ((int)$user['user_id'] === (int)$user_id) {
+                $user['level'] = $this->getUserlevel($user['username']);
+                return $user;
             }
         }
         return 0;
@@ -240,17 +247,19 @@ protected function getMembername($username)
 
     protected function authLdapSessionCacheGet($attr)
     {
-        $ttl = 300;
-        if (Config::get('auth_ldap_cache_ttl')) {
-            $ttl = Config::get('auth_ldap_cache_ttl');
+        $ttl = Config::get('auth_ldap_cache_ttl', 300);
+
+        // no session, don't cache
+        if (!class_exists('Session')) {
+            return null;
         }
 
         // auth_ldap cache present in this session?
-        if (! isset($_SESSION['auth_ldap'])) {
+        if (!Session::has('auth_ldap')) {
             return null;
         }
 
-        $cache = $_SESSION['auth_ldap'];
+        $cache = Session::get('auth_ldap');
 
         // $attr present in cache?
         if (! isset($cache[$attr])) {
@@ -268,8 +277,12 @@ protected function authLdapSessionCacheGet($attr)
 
     protected function authLdapSessionCacheSet($attr, $value)
     {
-        $_SESSION['auth_ldap'][$attr]['value'] = $value;
-        $_SESSION['auth_ldap'][$attr]['last_updated'] = time();
+        if (class_exists('Session')) {
+            Session::put($attr, [
+                'value' => $value,
+                'last_updated' => Carbon::now(),
+            ]);
+        }
     }
 
 

diff --git a/app/Http/Middleware/LegacyExternalAuth.php b/app/Http/Middleware/LegacyExternalAuth.php
@@ -19,24 +19,16 @@ class LegacyExternalAuth
      * @param  \Closure  $next
      * @return mixed
      */
-    public function handle($request, Closure $next)
+    public function handle($request, Closure $next, $guard = null)
     {
-        if (!Auth::check() && LegacyAuth::get()->authIsExternal()) {
-            try {
-                $username = LegacyAuth::get()->getExternalUsername();
-                $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
+        if (!Auth::guard($guard)->check() && LegacyAuth::get()->authIsExternal()) {
+            $credentials = [
+                'username' => LegacyAuth::get()->getExternalUsername(),
+                'password' => isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : ''
+            ];
 
-                if (LegacyAuth::get()->authenticate($username, $password)) {
-                    $user_id = User::thisAuth()->where('username', $username)->value('user_id');
-                     Auth::loginUsingId($user_id);
-                }
-            } catch (AuthenticationException $e) {
-                $message = $e->getMessage();
-                Log::critical('HTTP Auth Error: ' . $message);
-
-                if (!Config::get('auth.debug', false)) {
-                    $message = '';
-                }
+            if (!Auth::guard($guard)->attempt($credentials)) {
+                $message = ''; // no debug info for now...
 
                 // force user to failure page
                 return response(view('auth.external-auth-failed')->with('message', $message));

diff --git a/app/Listeners/AuthEventListener.php b/app/Listeners/AuthEventListener.php
@@ -34,7 +34,7 @@ public function __construct()
     public function login(Login $event)
     {
         /** @var User $user */
-        $user = $event->user;
+        $user = $event->user ?: (object)['username' => 'Not found'];
 
         DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged In']);
 
@@ -52,7 +52,10 @@ public function login(Login $event)
      */
     public function logout(Logout $event)
     {
-        DB::table('authlog')->insert(['user' => $event->user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
+        /** @var User $user */
+        $user = $event->user ?: (object)['username' => 'Not found'];
+
+        DB::table('authlog')->insert(['user' => $user->username ?: '', 'address' => Request::ip(), 'result' => 'Logged Out']);
 
         @session_start();
         unset($_SESSION['authenticated']);