From d288d3e99ccea2ebed658fcaaea5bf4533faad77 Mon Sep 17 00:00:00 2001 From: Benjamin Renard Date: Wed, 24 Nov 2010 19:12:21 +0100 Subject: [PATCH] LSauth : Recasted - Creation of LSauthMethod class --- public_html/includes/class/class.LSauth.php | 177 +++++++++--------- ....LSauthHTTP.php => class.LSauthMethod.php} | 95 +++++----- ...authCAS.php => class.LSauthMethod_CAS.php} | 107 ++++------- .../class/class.LSauthMethod_HTTP.php | 58 ++++++ .../class/class.LSauthMethod_basic.php | 84 +++++++++ .../includes/class/class.LSsession.php | 105 ++++------- public_html/templates/default/login.tpl | 4 +- 7 files changed, 359 insertions(+), 271 deletions(-) rename public_html/includes/class/{class.LSauthHTTP.php => class.LSauthMethod.php} (50%) rename public_html/includes/class/{class.LSauthCAS.php => class.LSauthMethod_CAS.php} (50%) create mode 100644 public_html/includes/class/class.LSauthMethod_HTTP.php create mode 100644 public_html/includes/class/class.LSauthMethod_basic.php diff --git a/public_html/includes/class/class.LSauth.php b/public_html/includes/class/class.LSauth.php index e83085bd..27274204 100644 --- a/public_html/includes/class/class.LSauth.php +++ b/public_html/includes/class/class.LSauth.php 
@@ -30,107 +30,103 @@ class LSauth { static private $authData=NULL; + static private $authObject=NULL; + static private $config=array(); + static private $provider=NULL; - var $params = array ( + static private $params = array ( 'displayLoginForm' => true, 'displayLogoutBtn' => true ); - - /** - * Check Post Data - * - * @retval boolean True if post data permit the authentification or False - **/ - public function getPostData() { - if (isset($_POST['LSsession_user']) && !empty($_POST['LSsession_user'])) { - $this -> authData = array( - 'username' => $_POST['LSsession_user'], - 'password' => $_POST['LSsession_pwd'], - 'ldapserver' => $_POST['LSsession_ldapserver'], - 'topDn' => $_POST['LSsession_topDn'] - ); + + function start() { + LSdebug('LSauth :: start()'); + // Load Config + if (isset(LSsession :: $ldapServer['LSauth']) && is_array(LSsession :: $ldapServer['LSauth'])) { + self :: $config = LSsession :: $ldapServer['LSauth']; + } + if (!LSsession :: loadLSclass('LSauthMethod')) { + LSdebug('LSauth :: Failed to load LSauthMethod'); + return; + } + if (!isset(self :: $config['method'])) { + self :: $config['method']='basic'; + } + $class='LSauthMethod_'.self :: $config['method']; + LSdebug('LSauth : provider -> '.$class); + if (LSsession :: loadLSclass($class)) { + self :: $provider = new $class(); + if (!self :: $provider) { + LSerror :: addErrorCode('LSauth_05',self :: $config['method']); + } + LSdebug('LSauth : Provider Started !'); return true; } - return; - } - - /** - * Check user login - * - * @param[in] $username The username - * @param[in] $password The password - * - * @retval LSldapObject|false The LSldapObject of the user authificated or false - */ - public function authenticate() { - if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) { - $authobject = new LSsession :: $ldapServer['authObjectType'](); - $result = $authobject -> searchObject( - $this -> authData['username'], - LSsession :: getTopDn(), - LSsession :: 
$ldapServer['authObjectFilter'] - ); - $nbresult=count($result); - - if ($nbresult==0) { - // identifiant incorrect - LSdebug('identifiant incorrect'); - LSerror :: addErrorCode('LSauth_01'); - } - else if ($nbresult>1) { - // duplication d'authentité - LSerror :: addErrorCode('LSauth_02'); - } - elseif ( $this -> checkUserPwd($result[0],$this -> authData['password']) ) { - // Authentication succeeded - return $result[0]; - } - else { - LSerror :: addErrorCode('LSauth_01'); - LSdebug('mdp incorrect'); - } - } else { - LSerror :: addErrorCode('LSauth_03'); + LSerror :: addErrorCode('LSauth_04',self :: $config['method']); + return; } - return; - } - - /** - * Test un couple LSobject/pwd - * - * Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni. - * - * @param[in] LSobject L'object "user" pour l'authentification - * @param[in] string Le mot de passe à tester - * - * @retval boolean True si l'authentification à réussi, false sinon. - */ - public static function checkUserPwd($object,$pwd) { - return LSldap :: checkBind($object -> getValue('dn'),$pwd); - } - - /** - * Define if login form can be displayed or not - * - * @retval boolean - **/ - public function __get($key) { - if ($key=='params') { - return $this -> params; - } - return; } + function forceAuthentication() { + LSdebug('LSauth :: forceAuthentication()'); + if (!is_null(self :: $provider)) { + self :: $authData = self :: $provider -> getAuthData(); + if (self :: $authData) { + self :: $authObject = self :: $provider -> authenticate(); + return self :: $authObject; + } + // No data : user has not filled the login form + LSdebug('LSauth : No data -> user has not filled the login form'); + return; + } + LSerror :: addErrorCode('LSauth_06'); + return; + } + /** * Logout * * @retval void **/ public function logout() { - // Do nothing in the standard LSauth class + if (!is_null(self :: $provider)) { + return self :: $provider -> logout(); + } + LSerror :: addErrorCode('LSauth_06'); + 
return; } + + /** + * Disable logout button in LSauth parameters + * + * @retval void + **/ + public function disableLogoutBtn() { + self :: $params['displayLogoutBtn'] = false; + } + + /** + * Can display or not logout button in LSauth parameters + * + * @retval boolean + **/ + public function displayLogoutBtn() { + return self :: $params['displayLogoutBtn']; + } + /* + * For compatibillity until loginForm is migrated in LSauth + */ + public function disableLoginForm() { + self :: $params['displayLoginForm'] = false; + } + + public function displayLoginForm() { + return self :: $params['displayLoginForm']; + } + + } /* @@ -143,6 +139,19 @@ LSerror :: defineError('LSauth_02', _("LSauth : Impossible to identify you : Duplication of identities.") ); LSerror :: defineError('LSauth_03', -_("LSsession : Could not load type of identifiable objects.") +_("LSauth : Could not load type of identifiable objects.") ); +LSerror :: defineError('LSauth_04', +_("LSauth : Can't load authentication method %{method}.") +); +LSerror :: defineError('LSauth_05', +_("LSauth : Failed to build the authentication provider %{method}.") +); +LSerror :: defineError('LSauth_06', +_("LSauth : Not correctly initialized.") +); +LSerror :: defineError('LSauth_07', +_("LSauth : Failed to get authentication informations from provider.") +); + ?> diff --git a/public_html/includes/class/class.LSauthHTTP.php b/public_html/includes/class/class.LSauthMethod.php similarity index 50% rename from public_html/includes/class/class.LSauthHTTP.php rename to public_html/includes/class/class.LSauthMethod.php index c5bc7317..b269e24b 100644 --- a/public_html/includes/class/class.LSauthHTTP.php +++ b/public_html/includes/class/class.LSauthMethod.php 
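Review bot: In `start()` the check `if (!self :: $provider)` after `self :: $provider = new $class();` can never fire, because PHP's `new` always yields an object no matter what the constructor returns, so the `LSauth_05` path is dead code and a provider whose constructor failed (LSauthMethod_CAS returns false when phpCAS cannot be loaded) is still installed and `start()` still reports success to LSsession. This fails closed for CAS only because its `getAuthData()` then returns nothing, which is an accident of that one class rather than a guarantee of LSauth. I would have LSauthMethod constructors record their outcome in a property (e.g. `var $started = false;` set to true at the end of a successful constructor) and replace the dead test with `if (!self :: $provider -> started) {`, so that LSauth_05 is actually reachable. The `class LSauth` header lies outside this hunk.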
@@ -21,67 +21,61 @@ ******************************************************************************/ /** - * Gestion de l'authentification d'un utilisateur suite à une authentification - * HTTP + * Base of a authentication provider for LSauth * * @author Benjamin Renard */ -class LSauthHTTP extends LSauth { - - var $params = array ( - 'displayLoginForm' => false, - 'displayLogoutBtn' => false - ); +class LSauthMethod { + + var $authData = array(); + function LSauthMethod() { + // Load config + LSsession :: includeFile(LS_CONF_DIR."LSauth/config.".get_class($this).".php"); + LSdebug(LS_CONF_DIR."LSauth/config.".get_class($this).".php"); + return true; + } + /** - * Check Post Data + * Check Auth Data * - * @retval array|False Array of post data if exist or False + * Return authentication data or false + * + * @retval Array|false Array of authentication data or False **/ - public function getPostData() { - if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) { - $this -> authData = array( - 'username' => $_SERVER['PHP_AUTH_USER'], - 'password' => $_SERVER['PHP_AUTH_PW'], - 'ldapserver' => $_REQUEST['LSsession_ldapserver'], - 'topDn' => $_REQUEST['LSsession_topDn'] - ); - return true; - } - return; + public function getAuthData() { + // Do nothing in the standard LSauthMethod class + // This method have to define $this -> authData['username'] + return false; } /** - * Check user login - * - * @param[in] $username The username - * @param[in] $password The password + * Check authentication * * @retval LSldapObject|false The LSldapObject of the user authificated or false */ public function authenticate() { if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) { $authobject = new LSsession :: $ldapServer['authObjectType'](); - $result = $authobject -> searchObject( - $this -> authData['username'], - LSsession :: getTopDn(), - LSsession :: $ldapServer['authObjectFilter'] - ); - $nbresult=count($result); - - if ($nbresult==0) { - // 
identifiant incorrect - LSdebug('identifiant incorrect'); - LSerror :: addErrorCode('LSauth_01'); - } - else if ($nbresult>1) { - // duplication d'authentité - LSerror :: addErrorCode('LSauth_02'); - } - else { - // Authentication succeeded - return $result[0]; - } + $result = $authobject -> searchObject( + $this -> authData['username'], + LSsession :: getTopDn(), + LSsession :: $ldapServer['authObjectFilter'] + ); + $nbresult=count($result); + + if ($nbresult==0) { + // incorrect login + LSdebug('identifiant incorrect'); + LSerror :: addErrorCode('LSauth_01'); + } + else if ($nbresult>1) { + // duplication of identity + LSerror :: addErrorCode('LSauth_02'); + } + else { + return $result[0]; + } } else { LSerror :: addErrorCode('LSauth_03'); @@ -89,5 +83,16 @@ class LSauthHTTP extends LSauth { return; } + /** + * Logout + * + * @retval boolean True on success or False + **/ + public function logout() { + // Do nothing in the standard LSauthMethod class + return true; + } + } + ?> diff --git a/public_html/includes/class/class.LSauthCAS.php b/public_html/includes/class/class.LSauthMethod_CAS.php similarity index 50% rename from public_html/includes/class/class.LSauthCAS.php rename to public_html/includes/class/class.LSauthMethod_CAS.php index 8c25b4a9..fe9f71b2 100644 --- a/public_html/includes/class/class.LSauthCAS.php +++ b/public_html/includes/class/class.LSauthMethod_CAS.php 
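Review bot: The base `LSauthMethod::authenticate()` returns the user object for any `authData['username']` that matches exactly one entry and performs no credential check at all, which is appropriate only for providers whose `getAuthData()` has already established identity out of band (CAS); for any provider that takes the username from the request it is an authentication bypass. Since the base class is what a new method inherits by default, that contract should be spelled out in the docblock rather than in the subclass, e.g. `* WARNING: only checks that the username resolves to exactly one LDAP object. * No credential is verified here: providers whose username comes from the * request MUST override this (see LSauthMethod_basic::authenticate()).` The `authenticate()` body continues past the end of the first hunk.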
@@ -11,32 +11,28 @@ * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ******************************************************************************/ /** - * Gestion de l'authentification d'un utilisateur via une authentification - * CAS + * CAS Authentication provider for LSauth * * @author Benjamin Renard */ -class LSauthCAS extends LSauth { - - var $params = array ( - 'displayLoginForm' => false, - 'displayLogoutBtn' => true - ); +class LSauthMethod_CAS extends LSauthMethod { + + function LSauthMethod_CAS() { + LSauth :: disableLoginForm(); + + if (!parent :: LSauthMethod()) + return; - /** - * Constructor - */ - public function LSauthCAS() { if (LSsession :: includeFile(PHP_CAS_PATH)) { if (defined('PHP_CAS_DEBUG_FILE')) { phpCAS::setDebug(PHP_CAS_DEBUG_FILE); 
@@ -55,89 +51,60 @@ class LSauthCAS extends LSauth { } if (LSAUTH_CAS_DISABLE_LOGOUT) { - $this -> params['displayLogoutBtn'] = false; + LSauth :: disableLogoutBtn(); } return true; } else { - LSerror :: addErrorCode('LSauthCAS_01'); + LSerror :: addErrorCode('LSauthMethod_CAS_01'); } return false; } - /** - * Check Post Data - * - * @retval array|False Array of post data if exist or False - **/ - public function getPostData() { + /** + * Check Auth Data + * + * Return authentication data or false + * + * @retval Array|false Array of authentication data or False + **/ + public function getAuthData() { + if (class_exists('phpCAS')) { + // Launch Auth phpCAS::forceAuthentication(); $this -> authData = array( - 'username' => phpCAS::getUser(), - 'password' => '', - 'ldapserver' => $_REQUEST['LSsession_ldapserver'], - 'topDn' => $_REQUEST['LSsession_topDn'] + 'username' => phpCAS::getUser() ); - return true; + return $this -> authData; } return; } - /** - * Check user login - * - * @param[in] $username The username - * @param[in] $password The password - * - * @retval LSldapObject|false The LSldapObject of the user authificated or false - */ - public function authenticate() { - if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) { - $authobject = new LSsession :: $ldapServer['authObjectType'](); - $result = $authobject -> searchObject( - $this -> authData['username'], - LSsession :: getTopDn(), - LSsession :: $ldapServer['authObjectFilter'] - ); - $nbresult=count($result); - - if ($nbresult==0) { - // identifiant incorrect - LSdebug('identifiant incorrect'); - LSerror :: addErrorCode('LSauth_01'); + /** + * Logout + * + * @retval boolean True on success or False + **/ + public function logout() { + if(class_exists('phpCAS')) { + if (LSauth :: displayLogoutBtn()) { + phpCAS :: forceAuthentication(); + phpCAS :: logout(); + return true; } - else if ($nbresult>1) { - // duplication d'authentité - LSerror :: addErrorCode('LSauth_02'); - } - else { - 
// Authentication succeeded - return $result[0]; - } - } - else { - LSerror :: addErrorCode('LSauth_03'); } return; } - public function logout() { - if(class_exists('phpCAS')) { - if ($this -> params['displayLogoutBtn']) { - phpCAS :: forceAuthentication(); - phpCAS :: logout(); - } - } - } } /* * Error Codes */ -LSerror :: defineError('LSauthCAS_01', -_("LSauthCAS : Failed to load phpCAS.") +LSerror :: defineError('LSauthMethod_CAS_01', +_("LSauthMethod_CAS : Failed to load phpCAS.") ); ?> diff --git a/public_html/includes/class/class.LSauthMethod_HTTP.php b/public_html/includes/class/class.LSauthMethod_HTTP.php new file mode 100644 index 00000000..9ef30c16 --- /dev/null +++ b/public_html/includes/class/class.LSauthMethod_HTTP.php @@ -0,0 +1,58 @@ + + */ +class LSauthMethod_HTTP extends LSauthMethod_basic { + + function LSauthMethod_HTTP() { + LSauth :: disableLoginForm(); + LSauth :: disableLogoutBtn(); + return parent :: LSauthMethod_basic(); + } + + /** + * Check Auth Data + * + * Return authentication data or false + * + * @retval Array|false Array of authentication data or False + **/ + public function getAuthData() { + if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) { + $this -> authData = array( + 'username' => $_SERVER['PHP_AUTH_USER'], + 'password' => $_SERVER['PHP_AUTH_PW'] + ); + return $this -> authData; + } + return; + } + +} + +?> diff --git a/public_html/includes/class/class.LSauthMethod_basic.php b/public_html/includes/class/class.LSauthMethod_basic.php new file mode 100644 index 00000000..f1ae5a10 --- /dev/null +++ b/public_html/includes/class/class.LSauthMethod_basic.php 
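Review bot: `LSauthMethod_HTTP::getAuthData()` reads `$_SERVER['PHP_AUTH_PW']` unguarded while only `PHP_AUTH_USER` is checked; SAPIs that expose the user but not the password would raise a notice and hand an empty string to the inherited `checkUserPwd()` LDAP bind, which an LDAP server may treat as an unauthenticated (anonymous) bind rather than a failure. Treat a missing or empty password as "no auth data", e.g. `if (!isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_PW'] === '') return;` before building `$this -> authData`, so the request falls through to the same path as an unfilled login form. It is also worth a one-line comment that the logout button is disabled because browsers resend HTTP credentials on every request, so a local logout cannot end the session.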
@@ -0,0 +1,84 @@ + + */ +class LSauthMethod_basic extends LSauthMethod { + + /** + * Check Auth Data + * + * Return authentication data or false + * + * @retval Array|false Array of authentication data or False + **/ + public function getAuthData() { + if (isset($_POST['LSauth_user']) && !empty($_POST['LSauth_user'])) { + $this -> authData = array( + 'username' => $_POST['LSauth_user'], + 'password' => (isset($_POST['LSauth_pwd'])?$_POST['LSauth_pwd']:'') + ); + return $this -> authData; + } + return; + } + + /** + * Check authentication + * + * @retval LSldapObject|false The LSldapObject of the user authificated or false + */ + public function authenticate() { + $authobject = parent :: authenticate(); + if ($authobject) { + if ( $this -> checkUserPwd($authobject,$this -> authData['password']) ) { + // Authentication succeeded + return $authobject; + } + else { + LSerror :: addErrorCode('LSauth_01'); + LSdebug('mdp incorrect'); + } + } + return; + } + + /** + * Test un couple LSobject/pwd + * + * Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni. + * + * @param[in] LSobject L'object "user" pour l'authentification + * @param[in] string Le mot de passe à tester + * + * @retval boolean True si l'authentification a reussi, false sinon. + **/ + public static function checkUserPwd($object,$pwd) { + return LSldap :: checkBind($object -> getValue('dn'),$pwd); + } + +} + +?> diff --git a/public_html/includes/class/class.LSsession.php b/public_html/includes/class/class.LSsession.php index 0613e656..1bd90d68 100644 --- a/public_html/includes/class/class.LSsession.php +++ b/public_html/includes/class/class.LSsession.php @@ -50,9 +50,6 @@ class LSsession { // Les droits d'accès de l'utilisateur private static $LSaccess = array(); - // Authentification parameters - private static $authParams = array(); - // Les fichiers temporaires private static $tmp_file = array(); 
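Review bot: `getAuthData()` accepts a missing password and substitutes `''`, and `authenticate()` then passes that straight to `LSldap :: checkBind($dn, '')`; per RFC 4513 §5.1.2 a bind with a DN and an empty password is an unauthenticated bind that many LDAP servers answer with success, which would log in as any existing user without knowing a password unless `LSldap :: checkBind()` (not in this diff) already rejects empty passwords itself. Reject it here regardless, at the point where the decision is made: `public static function checkUserPwd($object,$pwd) { if ($pwd === '') return false; return LSldap :: checkBind($object -> getValue('dn'),$pwd); }`. Requiring a non-empty `LSauth_pwd` in `getAuthData()` as well would keep the bind from being attempted at all.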
@@ -292,23 +289,13 @@ class LSsession { /** * Chargement d'une classe d'authentification d'LdapSaisie * - * @param[in] $auth Nom de la classe d'authentification a charger (Exemple : HTTP) - * * @author Benjamin Renard stop"); + return; + } self :: $LSprofiles = $_SESSION['LSsession']['LSprofiles']; self :: $LSaccess = $_SESSION['LSsession']['LSaccess']; if (!self :: LSldapConnect()) @@ -510,6 +502,10 @@ class LSsession { } else { self :: setLdapServer(self :: $ldapServerId); + if (!LSauth :: start()) { + LSdebug("LSsession : can't start LSauth -> stop"); + return; + } if (!self :: LSldapConnect()) return; self :: loadLSprofiles(); @@ -524,10 +520,7 @@ class LSsession { } if (isset($_GET['LSsession_logout'])) { - $authObj = self :: getLSauthObject(); - if ($authObj) { - $authObj -> logout(); - } + LSauth :: logout(); session_destroy(); if (is_array($_SESSION['LSsession']['tmp_file'])) { @@ -540,8 +533,6 @@ class LSsession { return; } - self :: getLSuserObject(); - if ( !self :: cacheLSprofiles() || isset($_REQUEST['LSsession_refresh']) ) { self :: loadLSaccess(); } @@ -559,6 +550,7 @@ class LSsession { } else { + // --------------------- Session inexistante --------------------- // if (isset($_GET['LSsession_recoverPassword'])) { session_destroy(); } @@ -581,7 +573,12 @@ class LSsession { self :: $topDn = self :: $ldapServer['ldap_config']['basedn']; } $_SESSION['LSsession_topDn']=self :: $topDn; - + + if (!LSauth :: start()) { + LSdebug("LSsession : can't start LSauth -> stop"); + return; + } + if (isset($_GET['LSsession_recoverPassword'])) { $recoveryPasswordInfos = self :: recoverPasswd( $_REQUEST['LSsession_user'], 
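Review bot: In the `LSsession_logout` branch `LSauth :: logout();` now runs before `session_destroy();`, and the CAS provider's `logout()` ends in `phpCAS :: logout()`, which per phpCAS's documented behaviour redirects to the CAS server and terminates the script; if that holds, `session_destroy()` and the temporary-file cleanup never execute and `$_SESSION['LSsession']` stays valid for the same cookie, so a browser returning to the application is still logged in without CAS. Destroy the local session first and call the provider last, i.e. move `LSauth :: logout();` to just before the branch's `return`, after `session_destroy()` and the `tmp_file` loop. This assumes `LSauth :: start()` has already been invoked on this code path, which the new hunks at -510 and -581 suggest but the garbled hunk at -292 does not let me confirm.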
@@ -589,22 +586,17 @@ class LSsession { ); } else { - $authObj=self :: getLSauthObject(); - if ($authObj) { - if ($authObj -> getPostData()) { - $LSuserObject = $authObj -> authenticate(); - if ($LSuserObject) { - // Authentication successful - self :: $LSuserObject = $LSuserObject; - self :: $dn = $LSuserObject->getValue('dn'); - self :: $rdn = $LSuserObject->getValue('rdn'); - self :: loadLSprofiles(); - self :: loadLSaccess(); - $GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName()); - $_SESSION['LSsession']=self :: getContextInfos(); - return true; - } - } + $LSuserObject = LSauth :: forceAuthentication(); + if ($LSuserObject) { + // Authentication successful + self :: $LSuserObject = $LSuserObject; + self :: $dn = $LSuserObject->getValue('dn'); + self :: $rdn = $LSuserObject->getValue('rdn'); + self :: loadLSprofiles(); + self :: loadLSaccess(); + $GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName()); + $_SESSION['LSsession']=self :: getContextInfos(); + return true; } } } @@ -619,7 +611,7 @@ class LSsession { if (isset($_GET['LSsession_recoverPassword'])) { self :: displayRecoverPasswordForm($recoveryPasswordInfos); } - elseif(self :: $authParams['displayLoginForm']) { + elseif(LSauth :: displayLoginForm()) { self :: displayLoginForm(); } else { 
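Review bot: On the success path the session is promoted to authenticated with `$_SESSION['LSsession']=self :: getContextInfos();` but the session ID is never rotated, so an ID planted in the victim's browser before login (session fixation) becomes an authenticated session once the user signs in. Add `session_regenerate_id(true);` immediately before that assignment; the `LSsession_topDn` value stored earlier on the new side is carried over by `session_regenerate_id`, so nothing else in this block needs to change. The `if`/`else` this hunk rewrites opens on the previous hunk's last line, outside this one.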
@@ -629,32 +621,6 @@ class LSsession { return; } } - - /** - * Get LSauthObject - * - * @retval LSauth object or false - **/ - private static function getLSauthObject() { - if (!self :: $LSauthObject) { - if (self :: loadLSauth()) { - if (isset(self :: $ldapServer['LSauth']['method'])) { - $LSauthClass = 'LSauth'.self :: $ldapServer['LSauth']['method']; - if (!self :: loadLSauth(self :: $ldapServer['LSauth']['method'])) { - LSerror :: addErrorCode('LSsession_08',self :: $ldapServer['LSauth']['method']); - $LSauthClass = 'LSauth'; - } - } - else { - $LSauthClass = 'LSauth'; - } - - self :: $LSauthObject = new $LSauthClass(); - self :: $authParams = self :: $LSauthObject->params; - } - } - return self :: $LSauthObject; - } /** * Do recover password @@ -896,8 +862,7 @@ class LSsession { 'ldapServerId' => self :: $ldapServerId, 'ldapServer' => self :: $ldapServer, 'LSprofiles' => self :: $LSprofiles, - 'LSaccess' => self :: $LSaccess, - 'authParams' => self :: $authParams + 'LSaccess' => self :: $LSaccess ); } @@ -1406,7 +1371,7 @@ class LSsession { $GLOBALS['Smarty'] -> assign('LSencoding',self :: $encoding); $GLOBALS['Smarty'] -> assign('lang_label',_('Language')); - $GLOBALS['Smarty'] -> assign('displayLogoutBtn',self :: $authParams['displayLogoutBtn']); + $GLOBALS['Smarty'] -> assign('displayLogoutBtn',LSauth :: displayLogoutBtn()); // Infos if((!empty($_SESSION['LSsession_infos']))&&(is_array($_SESSION['LSsession_infos']))) { diff --git a/public_html/templates/default/login.tpl b/public_html/templates/default/login.tpl index 830aae2d..8467fcfd 100644 --- a/public_html/templates/default/login.tpl +++ b/public_html/templates/default/login.tpl @@ -25,9 +25,9 @@
{$loginform_label_level}
{$loginform_label_user}
-
+
{$loginform_label_pwd}
-
+
{$lang_label}