Improve LSauthMethod::HTTP to support multiple methods to retreive user and password from HTTP server

This commit is contained in:
Benjamin Renard 2018-09-07 18:42:24 +02:00
parent b9452f2057
commit c551b954fe
6 changed files with 130 additions and 9 deletions


@ -46,5 +46,59 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>LSAUTHMETHOD_HTTP_METHOD</term>
<listitem>
<simpara>Permet de définir la méthode utilisée par le serveur HTTP pour
passer à PHP l'identifiant de l'utilisateur connecté et son mot de passe.
Cette constance peut pendre les valeurs suivantes :
<variablelist>
<varlistentry>
<term>PHP_PASS</term>
<listitem>
<simpara>Dans cette méthode, le serveur HTTP défini les variables
d'environnement <literal>PHP_AUTH_USER</literal> et <literal>
PHP_AUTH_PW</literal>. Cette méthode est la méthode par défaut et
convient en cas d'utilisation de <literal>mod_php</literal>.</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>REMOTE_USER</term>
<listitem>
<simpara>Dans cette méthode, le serveur HTTP défini la variable
d'environnement <literal>REMOTE_USER</literal>. Cette variable ne contient
que l'identifiant de l'utilisateur connecté. Cette méthode ne peut donc
être utilisée que conjointement avec l'activation du paramètre
<literal>LSAUTHMETHOD_HTTP_TRUST_WITHOUT_PASSWORD_CHALLENGE</literal>.
</simpara>
</listitem>
</varlistentry>
<varlistentry>
<term>AUTHORIZATION</term>
<listitem>
<simpara>Dans cette méthode, le serveur HTTP passe le contenu de l'entête
HTTP <literal>Authorization</literal> dans la variable d'environnement
<literal>HTTP_AUTHORIZATION</literal>. Cette méthode convient en cas d'
utilisation de PHP en mode CGI ou encore via PHP-FPM. Pour utiliser cette
méthode, il faudra adapter la configuration du serveur HTTP. Par exemple,
pour Apache HTTPd, vous pouvez utiliser le module <literal>rewrite</literal>
et la règle de réécriture suivante :
<programlisting linenumbering="unnumbered">
<![CDATA[RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]]]>
</programlisting>
</simpara>
</listitem>
</varlistentry>
</variablelist>
</simpara>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</sect2> </sect2>


@ -28,3 +28,21 @@
// Don't check HTTP server's login/password by LDAP authentication challenge // Don't check HTTP server's login/password by LDAP authentication challenge
//define('LSAUTHMETHOD_HTTP_TRUST_WITHOUT_PASSWORD_CHALLENGE',true); //define('LSAUTHMETHOD_HTTP_TRUST_WITHOUT_PASSWORD_CHALLENGE',true);
/*
* Set the HTTP server's method to pass authentifcated user/password informations
* to PHP :
* - PHP_PASS : server define the PHP_AUTH_USER and PHP_AUTH_PW environnement
* variables. This is the default way using mod_php.
* - REMOTE_USER : server define the REMOTE_USER environnement variable. By using
* this method, only the user is pass by HTTP server to PHP and it
* could be only used if you enable the "don't check HTTP server's
* login/password by LDAP authentication challenge" option.
* - AUTHORIZATION : server pass HTTP Authorization header value to PHP by setting
* the HTTP_AUTHORIZATION environnement variable. This way could
* be use when using PHP in CGI-mode or with PHP-FPM. When using
* Apache, you could pass this information by using the rewrite module
* and setting the following rewrite rule :
* RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
*/
//define('LSAUTHMETHOD_HTTP_METHOD', 'PHP_PASS');


@ -43,13 +43,47 @@ class LSauthMethod_HTTP extends LSauthMethod_basic {
* @retval Array|false Array of authentication data or False * @retval Array|false Array of authentication data or False
**/ **/
public function getAuthData() { public function getAuthData() {
if (!defined('LSAUTHMETHOD_HTTP_METHOD'))
define('LSAUTHMETHOD_HTTP_METHOD', 'PHP_AUTH');
switch(constant('LSAUTHMETHOD_HTTP_METHOD')) {
case 'AUTHORIZATION':
if (isset($_SERVER['HTTP_AUTHORIZATION']) && !empty($_SERVER['HTTP_AUTHORIZATION'])) {
$authData = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
if (is_array($authData) && count($authData) == 2) {
$this -> authData = array(
'username' => $authData[0],
'password' => $authData[1],
);
}
return $this -> authData;
}
else
LSerror :: addErrorCode('LSauthMethod_HTTP_01', 'HTTP_AUTHORIZATION');
break;
case 'REMOTE_USER':
if (isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
$this -> authData = array(
'username' => $_SERVER['REMOTE_USER'],
'password' => false,
);
return $this -> authData;
}
else
LSerror :: addErrorCode('LSauthMethod_HTTP_01', 'REMOTE_USER');
break;
case 'PHP_AUTH':
default:
if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) { if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
$this -> authData = array( $this -> authData = array(
'username' => $_SERVER['PHP_AUTH_USER'], 'username' => $_SERVER['PHP_AUTH_USER'],
'password' => $_SERVER['PHP_AUTH_PW'] 'password' => $_SERVER['PHP_AUTH_PW'],
); );
return $this -> authData; return $this -> authData;
} }
else
LSerror :: addErrorCode('LSauthMethod_HTTP_01', 'PHP_AUTH_USER');
}
return; return;
} }
@ -69,3 +103,10 @@ class LSauthMethod_HTTP extends LSauthMethod_basic {
} }
} }
/*
* Error Codes
*/
LSerror :: defineError('LSauthMethod_HTTP_01',
_("LSauthMethod_HTTP : the %{var} environnement variable is missing.")
);
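Review bot: The AUTHORIZATION branch splits the decoded credential on every ':' and strips six characters without checking the scheme, so a Basic password containing a colon yields three parts and is rejected, and a non-Basic header (Bearer, Negotiate, …) is base64-decoded as if it were Basic; guard with `if (strncasecmp($_SERVER['HTTP_AUTHORIZATION'], 'Basic ', 6) !== 0) { LSerror :: addErrorCode('LSauthMethod_HTTP_01', 'HTTP_AUTHORIZATION'); break; }` before the decode and split with `explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)), 2)`. When the split still does not give two parts the branch returns `$this -> authData` (presumably still unset at that point) without recording any error, unlike the REMOTE_USER and PHP_AUTH branches, so the malformed header should be reported there rather than falling through silently. The fallback defined here and the `case` label are 'PHP_AUTH', while the config comment and the docbook entry in this same commit advertise 'PHP_PASS'; the documented value only works because it lands in `default:`, so one spelling should be used in all three places. Because `HTTP_AUTHORIZATION` is derived from a client-supplied header, the getAuthData docblock should state that this method relies on the LDAP password challenge (or on the HTTP server having already authenticated the request) and must not be paired with LSAUTHMETHOD_HTTP_TRUST_WITHOUT_PASSWORD_CHALLENGE, a caveat the docbook text gives for REMOTE_USER but not for AUTHORIZATION.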


@ -7,8 +7,8 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: LdapSaisie\n" "Project-Id-Version: LdapSaisie\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2018-08-31 17:08+0200\n" "POT-Creation-Date: 2018-09-07 18:40+0200\n"
"PO-Revision-Date: 2018-08-31 17:10+0200\n" "PO-Revision-Date: 2018-09-07 18:41+0200\n"
"Last-Translator: Benjamin Renard <brenard@zionetrix.net>\n" "Last-Translator: Benjamin Renard <brenard@zionetrix.net>\n"
"Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise." "Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
"org>\n" "org>\n"
@ -1426,6 +1426,10 @@ msgstr "Afficher la fenêtre de recherche et de sélection étendue."
msgid "Invalid value" msgid "Invalid value"
msgstr "Valeur invalide" msgstr "Valeur invalide"
#: includes/class/class.LSauthMethod_HTTP.php:111
msgid "LSauthMethod_HTTP : the %{var} environnement variable is missing."
msgstr "LSauthMethod_HTTP : la variable d'environnement %{var} est manquante."
#: includes/class/class.LSformElement_mail.php:51 #: includes/class/class.LSformElement_mail.php:51
msgid "Send a mail from here." msgid "Send a mail from here."
msgstr "Envoyer un mail depuis l'interface." msgstr "Envoyer un mail depuis l'interface."


@ -8,7 +8,7 @@ msgid ""
msgstr "" msgstr ""
"Project-Id-Version: PACKAGE VERSION\n" "Project-Id-Version: PACKAGE VERSION\n"
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2018-08-31 17:07+0200\n" "POT-Creation-Date: 2018-09-07 18:40+0200\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n" "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n" "Language-Team: LANGUAGE <LL@li.org>\n"
@ -1215,6 +1215,10 @@ msgstr ""
msgid "Invalid value" msgid "Invalid value"
msgstr "" msgstr ""
#: includes/class/class.LSauthMethod_HTTP.php:111
msgid "LSauthMethod_HTTP : the %{var} environnement variable is missing."
msgstr ""
#: includes/class/class.LSformElement_mail.php:51 #: includes/class/class.LSformElement_mail.php:51
msgid "Send a mail from here." msgid "Send a mail from here."
msgstr "" msgstr ""