LSauth add filter_function parameter

Benjamin Renard 2023-08-18 15:45:07 +02:00
parent 05519c5432
commit 0c171789d3
Signed by: bn8
GPG key ID: 3E2E1CE1907115BC
5 changed files with 117 additions and 18 deletions


@ -25,6 +25,7 @@ serveur LDAP.</para>
'[object type 1]',
'[object type 2]' => array(
'filter' => '[LDAP filter]',
'filter_function' => [callable],
'password_attribute' => '[attribute name]',
'web_access' => [booléen],
'api_access' => [booléen],
@ -170,6 +171,21 @@ serveur LDAP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>filter_function</term>
<listitem>
<simpara><emphasis>Callable</emphasis> (au sens PHP) utilisé pour filtrer les utilisateurs
trouvés dans l'annuaire à partir des autres paramètres : cette fonction, si elle est définie,
sera appelée pour chaque utilisateur trouvé, avec pour unique paramètre, une référence à l'objet
LDAP correspondant (<literal>LSldapObject</literal>). Cette méthode devra alors retourner
<literal>true</literal> ou <literal>false</literal> pour respectivement autoriser ou interdire
l'accès à l'application à l'utilisateur.</simpara>
<note><simpara>Si un utilisateur est exclus par cette méthode et qu'aucun autre utilisateur
correspondant n'a été trouvé dans l'annuaire, une page d'erreur sera affichée et indiquera que
l'accès à l'application est refusée.</simpara></note>
</listitem>
</varlistentry>
<varlistentry>
<term>password_attribute</term>
<listitem>


@ -132,6 +132,7 @@ class LSauth extends LSlog_staticLoggerClass {
$objTypes[$objType] = array(
'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
'filter_function' => self :: getConfig("LSobjects.$objType.filter_function", null),
'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
);
}
@ -169,11 +170,19 @@ class LSauth extends LSlog_staticLoggerClass {
*/
public static function username2LSobjects($username) {
$user_objects = array();
$excluded_objects = false;
foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
if (!LSsession :: loadLSobject($objType)) {
LSerror :: addErrorCode('LSauth_03', $objType);
return false;
}
if (isset($objParams['filter_function']) && !is_callable($objParams['filter_function'])) {
LSerror :: addErrorCode(
'LSauth_09',
['objtype' => $objType, 'function' => format_callable($objParams['filter_function'])]
);
return false;
}
$authobject = new $objType();
$result = $authobject -> searchObject(
$username,
@ -181,12 +190,28 @@ class LSauth extends LSlog_staticLoggerClass {
$objParams['filter'],
array('withoutCache' => true, 'onlyAccessible' => false)
);
for($i=0; $i<count($result); $i++)
for($i=0; $i<count($result); $i++) {
if (
isset($objParams['filter_function'])
&& !call_user_func_array($objParams['filter_function'], [$result[$i]])
) {
self :: log_debug(
sprintf(
'username2LSobjects(%s): user %s filtered out by filter function %s',
$username, $result[$i]->getDn(), format_callable($objParams['filter_function'])
)
);
$excluded_objects = true;
continue;
}
$user_objects[$result[$i] -> getDn()] = $result[$i];
}
}
$nbresult = count($user_objects);
if ($nbresult == 0) {
if ($excluded_objects)
self :: accessDenied();
// incorrect login
self :: log_debug('Invalid username');
LSerror :: addErrorCode('LSauth_01');
@ -306,6 +331,29 @@ class LSauth extends LSlog_staticLoggerClass {
return self :: $params['displayLoginForm'];
}
/**
* Handle access denied error
*
* @return never
**/
public static function accessDenied() {
http_response_code(401);
if (LSsession :: get('api_mode') || LSsession :: getAjaxDisplay()) {
header('Content-Type: application/json');
$errors = array(_("You are not authorized to access this application."));
echo json_encode(
['errors' => [_("You are not authorized to access this application.")], 'success' => false],
(isset($_REQUEST['pretty'])?JSON_PRETTY_PRINT:0)
);
}
else if (class_exists('LStemplate')) {
LStemplate :: assign('pagetitle', _("Access denied."));
LStemplate :: assign('error', _("You are not authorized to access this application."));
LStemplate :: display("error.tpl");
}
exit();
}
}
/*
@ -335,3 +383,6 @@ ___("LSauth : Failed to get authentication informations from provider.")
LSerror :: defineError('LSauth_08',
___("LSauth : Method %{method} configured doesn't support API mode.")
);
LSerror :: defineError('LSauth_09',
___("LSauth : The filter function speficied for %{objtype} is not callable (%{function}).")
);
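Review bot: The new `if ($excluded_objects) self :: accessDenied();` branch in `username2LSobjects` gives a response that differs from the `LSerror :: addErrorCode('LSauth_01')` "Invalid username" path, so a request carrying only a username can distinguish an account that exists but is excluded by policy from one that is unknown; if, as the 'Invalid username' logging suggests, this runs before the password is verified, that is an account-enumeration signal and deserves a deliberate decision rather than being the default (the documentation hunk presents the distinct page as intended behaviour). A safer default would be to keep the `log_debug` of the exclusion and fall through to `LSerror :: addErrorCode('LSauth_01');`, offering the explicit access-denied page behind a configuration option for deployments that prefer it. Separately, in `accessDenied()` the local `$errors = array(_("You are not authorized to access this application."));` is built but never used because the `echo json_encode(...)` repeats the literal inline — either `echo json_encode(['errors' => $errors, 'success' => false], ...)` or drop the variable. The 401 status is also questionable here since it is normally paired with a `WWW-Authenticate` header and means "not authenticated", whereas a directory user refused by policy is closer to 403.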


@ -8,7 +8,7 @@ msgstr ""
"Project-Id-Version: LdapSaisie\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: \n"
"PO-Revision-Date: 2023-07-19 12:07+0200\n"
"PO-Revision-Date: 2023-08-18 15:44+0200\n"
"Last-Translator: Benjamin Renard <brenard@easter-eggs.com>\n"
"Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
"org>\n"
@ -2708,43 +2708,60 @@ msgstr ""
"LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
"disponible. Le mot de passe sera stocké en clair."
#: includes/class/class.LSauth.php:315
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
#: includes/class/class.LSauth.php:351
msgid "You are not authorized to access this application."
msgstr "Vous n'êtes pas autorisé à accéder à cette application."
#: includes/class/class.LSauth.php:350
msgid "Access denied."
msgstr "Accès interdit."
#: includes/class/class.LSauth.php:363
msgid "LSauth : Login or password incorrect."
msgstr "LSauth : Identifiant ou mot de passe incorrects."
#: includes/class/class.LSauth.php:318
#: includes/class/class.LSauth.php:366
msgid "LSauth : Impossible to identify you : Duplication of identities."
msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
#: includes/class/class.LSauth.php:321
#: includes/class/class.LSauth.php:369
msgid "LSauth : Could not load type of identifiable objects %{type}."
msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
#: includes/class/class.LSauth.php:324
#: includes/class/class.LSauth.php:372
msgid "LSauth : Can't load authentication method %{method}."
msgstr ""
"LSauth : Impossible de charger la méthode d'authentification %{method}."
#: includes/class/class.LSauth.php:327
#: includes/class/class.LSauth.php:375
msgid "LSauth : Failed to build the authentication provider %{method}."
msgstr ""
"LSauth : Impossible de construire le gestionnaire d'authentification "
"%{method}."
#: includes/class/class.LSauth.php:330
#: includes/class/class.LSauth.php:378
msgid "LSauth : Not correctly initialized."
msgstr "LSauth : Mauvaise initialisation."
#: includes/class/class.LSauth.php:333
#: includes/class/class.LSauth.php:381
msgid "LSauth : Failed to get authentication informations from provider."
msgstr ""
"LSauth : Impossible de récupérer les informations authentification auprès du "
"gestionnaire."
#: includes/class/class.LSauth.php:336
#: includes/class/class.LSauth.php:384
msgid "LSauth : Method %{method} configured doesn't support API mode."
msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
#: includes/class/class.LSauth.php:387
msgid ""
"LSauth : The filter function speficied for %{objtype} is not callable "
"(%{function})."
msgstr ""
"LSauth : La fonction de filtrage pour les %{objtype} n'est pas exécutable "
"(%{function})."
#: includes/class/class.LSformElement_supannEtuInscription.php:41
msgid "Organism"
msgstr "Etablissement"


@ -2299,38 +2299,53 @@ msgid ""
"password will be stored in clear text."
msgstr ""
#: includes/class/class.LSauth.php:315
#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
#: includes/class/class.LSauth.php:351
msgid "You are not authorized to access this application."
msgstr ""
#: includes/class/class.LSauth.php:350
msgid "Access denied."
msgstr ""
#: includes/class/class.LSauth.php:363
msgid "LSauth : Login or password incorrect."
msgstr ""
#: includes/class/class.LSauth.php:318
#: includes/class/class.LSauth.php:366
msgid "LSauth : Impossible to identify you : Duplication of identities."
msgstr ""
#: includes/class/class.LSauth.php:321
#: includes/class/class.LSauth.php:369
msgid "LSauth : Could not load type of identifiable objects %{type}."
msgstr ""
#: includes/class/class.LSauth.php:324
#: includes/class/class.LSauth.php:372
msgid "LSauth : Can't load authentication method %{method}."
msgstr ""
#: includes/class/class.LSauth.php:327
#: includes/class/class.LSauth.php:375
msgid "LSauth : Failed to build the authentication provider %{method}."
msgstr ""
#: includes/class/class.LSauth.php:330
#: includes/class/class.LSauth.php:378
msgid "LSauth : Not correctly initialized."
msgstr ""
#: includes/class/class.LSauth.php:333
#: includes/class/class.LSauth.php:381
msgid "LSauth : Failed to get authentication informations from provider."
msgstr ""
#: includes/class/class.LSauth.php:336
#: includes/class/class.LSauth.php:384
msgid "LSauth : Method %{method} configured doesn't support API mode."
msgstr ""
#: includes/class/class.LSauth.php:387
msgid ""
"LSauth : The filter function speficied for %{objtype} is not callable "
"(%{function})."
msgstr ""
#: includes/class/class.LSformElement_supannEtuInscription.php:41
msgid "Organism"
msgstr ""