LSauth : Recasted - Creation of LSauthMethod class

This commit is contained in:
Benjamin Renard 2010-11-24 19:12:21 +01:00
parent 086ffb3641
commit d288d3e99c
7 changed files with 359 additions and 271 deletions

View file

@ -30,97 +30,59 @@
class LSauth {
static private $authData=NULL;
static private $authObject=NULL;
static private $config=array();
static private $provider=NULL;
var $params = array (
static private $params = array (
'displayLoginForm' => true,
'displayLogoutBtn' => true
);
/**
* Check Post Data
*
* @retval boolean True if post data permit the authentification or False
**/
public function getPostData() {
if (isset($_POST['LSsession_user']) && !empty($_POST['LSsession_user'])) {
$this -> authData = array(
'username' => $_POST['LSsession_user'],
'password' => $_POST['LSsession_pwd'],
'ldapserver' => $_POST['LSsession_ldapserver'],
'topDn' => $_POST['LSsession_topDn']
);
function start() {
LSdebug('LSauth :: start()');
// Load Config
if (isset(LSsession :: $ldapServer['LSauth']) && is_array(LSsession :: $ldapServer['LSauth'])) {
self :: $config = LSsession :: $ldapServer['LSauth'];
}
if (!LSsession :: loadLSclass('LSauthMethod')) {
LSdebug('LSauth :: Failed to load LSauthMethod');
return;
}
if (!isset(self :: $config['method'])) {
self :: $config['method']='basic';
}
$class='LSauthMethod_'.self :: $config['method'];
LSdebug('LSauth : provider -> '.$class);
if (LSsession :: loadLSclass($class)) {
self :: $provider = new $class();
if (!self :: $provider) {
LSerror :: addErrorCode('LSauth_05',self :: $config['method']);
}
LSdebug('LSauth : Provider Started !');
return true;
}
return;
}
/**
* Check user login
*
* @param[in] $username The username
* @param[in] $password The password
*
* @retval LSldapObject|false The LSldapObject of the user authificated or false
*/
public function authenticate() {
if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
$authobject = new LSsession :: $ldapServer['authObjectType']();
$result = $authobject -> searchObject(
$this -> authData['username'],
LSsession :: getTopDn(),
LSsession :: $ldapServer['authObjectFilter']
);
$nbresult=count($result);
if ($nbresult==0) {
// identifiant incorrect
LSdebug('identifiant incorrect');
LSerror :: addErrorCode('LSauth_01');
}
else if ($nbresult>1) {
// duplication d'authentité
LSerror :: addErrorCode('LSauth_02');
}
elseif ( $this -> checkUserPwd($result[0],$this -> authData['password']) ) {
// Authentication succeeded
return $result[0];
}
else {
LSerror :: addErrorCode('LSauth_01');
LSdebug('mdp incorrect');
}
}
else {
LSerror :: addErrorCode('LSauth_03');
LSerror :: addErrorCode('LSauth_04',self :: $config['method']);
return;
}
return;
}
/**
* Test un couple LSobject/pwd
*
* Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni.
*
* @param[in] LSobject L'object "user" pour l'authentification
* @param[in] string Le mot de passe à tester
*
* @retval boolean True si l'authentification à réussi, false sinon.
*/
public static function checkUserPwd($object,$pwd) {
return LSldap :: checkBind($object -> getValue('dn'),$pwd);
}
/**
* Define if login form can be displayed or not
*
* @retval boolean
**/
public function __get($key) {
if ($key=='params') {
return $this -> params;
}
return;
}
function forceAuthentication() {
LSdebug('LSauth :: forceAuthentication()');
if (!is_null(self :: $provider)) {
self :: $authData = self :: $provider -> getAuthData();
if (self :: $authData) {
self :: $authObject = self :: $provider -> authenticate();
return self :: $authObject;
}
// No data : user has not filled the login form
LSdebug('LSauth : No data -> user has not filled the login form');
return;
}
LSerror :: addErrorCode('LSauth_06');
return;
}
/**
* Logout
@ -128,9 +90,43 @@ class LSauth {
* @retval void
**/
public function logout() {
// Do nothing in the standard LSauth class
if (!is_null(self :: $provider)) {
return self :: $provider -> logout();
}
LSerror :: addErrorCode('LSauth_06');
return;
}
/**
* Disable logout button in LSauth parameters
*
* @retval void
**/
public function disableLogoutBtn() {
self :: $params['displayLogoutBtn'] = false;
}
/**
* Can display or not logout button in LSauth parameters
*
* @retval boolean
**/
public function displayLogoutBtn() {
return self :: $params['displayLogoutBtn'];
}
/*
* For compatibillity until loginForm is migrated in LSauth
*/
public function disableLoginForm() {
self :: $params['displayLoginForm'] = false;
}
public function displayLoginForm() {
return self :: $params['displayLoginForm'];
}
}
/*
@ -143,6 +139,19 @@ LSerror :: defineError('LSauth_02',
_("LSauth : Impossible to identify you : Duplication of identities.")
);
LSerror :: defineError('LSauth_03',
_("LSsession : Could not load type of identifiable objects.")
_("LSauth : Could not load type of identifiable objects.")
);
LSerror :: defineError('LSauth_04',
_("LSauth : Can't load authentication method %{method}.")
);
LSerror :: defineError('LSauth_05',
_("LSauth : Failed to build the authentication provider %{method}.")
);
LSerror :: defineError('LSauth_06',
_("LSauth : Not correctly initialized.")
);
LSerror :: defineError('LSauth_07',
_("LSauth : Failed to get authentication informations from provider.")
);
?>

View file

@ -21,67 +21,61 @@
******************************************************************************/
/**
* Gestion de l'authentification d'un utilisateur suite à une authentification
* HTTP
* Base of a authentication provider for LSauth
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSauthHTTP extends LSauth {
class LSauthMethod {
var $params = array (
'displayLoginForm' => false,
'displayLogoutBtn' => false
);
var $authData = array();
function LSauthMethod() {
// Load config
LSsession :: includeFile(LS_CONF_DIR."LSauth/config.".get_class($this).".php");
LSdebug(LS_CONF_DIR."LSauth/config.".get_class($this).".php");
return true;
}
/**
* Check Post Data
* Check Auth Data
*
* @retval array|False Array of post data if exist or False
* Return authentication data or false
*
* @retval Array|false Array of authentication data or False
**/
public function getPostData() {
if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
$this -> authData = array(
'username' => $_SERVER['PHP_AUTH_USER'],
'password' => $_SERVER['PHP_AUTH_PW'],
'ldapserver' => $_REQUEST['LSsession_ldapserver'],
'topDn' => $_REQUEST['LSsession_topDn']
);
return true;
}
return;
public function getAuthData() {
// Do nothing in the standard LSauthMethod class
// This method have to define $this -> authData['username']
return false;
}
/**
* Check user login
*
* @param[in] $username The username
* @param[in] $password The password
* Check authentication
*
* @retval LSldapObject|false The LSldapObject of the user authificated or false
*/
public function authenticate() {
if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
$authobject = new LSsession :: $ldapServer['authObjectType']();
$result = $authobject -> searchObject(
$this -> authData['username'],
LSsession :: getTopDn(),
LSsession :: $ldapServer['authObjectFilter']
);
$nbresult=count($result);
$result = $authobject -> searchObject(
$this -> authData['username'],
LSsession :: getTopDn(),
LSsession :: $ldapServer['authObjectFilter']
);
$nbresult=count($result);
if ($nbresult==0) {
// identifiant incorrect
LSdebug('identifiant incorrect');
LSerror :: addErrorCode('LSauth_01');
}
else if ($nbresult>1) {
// duplication d'authentité
LSerror :: addErrorCode('LSauth_02');
}
else {
// Authentication succeeded
return $result[0];
}
if ($nbresult==0) {
// incorrect login
LSdebug('identifiant incorrect');
LSerror :: addErrorCode('LSauth_01');
}
else if ($nbresult>1) {
// duplication of identity
LSerror :: addErrorCode('LSauth_02');
}
else {
return $result[0];
}
}
else {
LSerror :: addErrorCode('LSauth_03');
@ -89,5 +83,16 @@ class LSauthHTTP extends LSauth {
return;
}
/**
* Logout
*
* @retval boolean True on success or False
**/
public function logout() {
// Do nothing in the standard LSauthMethod class
return true;
}
}
?>

View file

@ -11,32 +11,28 @@
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
/**
* Gestion de l'authentification d'un utilisateur via une authentification
* CAS
* CAS Authentication provider for LSauth
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSauthCAS extends LSauth {
class LSauthMethod_CAS extends LSauthMethod {
var $params = array (
'displayLoginForm' => false,
'displayLogoutBtn' => true
);
function LSauthMethod_CAS() {
LSauth :: disableLoginForm();
if (!parent :: LSauthMethod())
return;
/**
* Constructor
*/
public function LSauthCAS() {
if (LSsession :: includeFile(PHP_CAS_PATH)) {
if (defined('PHP_CAS_DEBUG_FILE')) {
phpCAS::setDebug(PHP_CAS_DEBUG_FILE);
@ -55,89 +51,60 @@ class LSauthCAS extends LSauth {
}
if (LSAUTH_CAS_DISABLE_LOGOUT) {
$this -> params['displayLogoutBtn'] = false;
LSauth :: disableLogoutBtn();
}
return true;
}
else {
LSerror :: addErrorCode('LSauthCAS_01');
LSerror :: addErrorCode('LSauthMethod_CAS_01');
}
return false;
}
/**
* Check Post Data
*
* @retval array|False Array of post data if exist or False
**/
public function getPostData() {
/**
* Check Auth Data
*
* Return authentication data or false
*
* @retval Array|false Array of authentication data or False
**/
public function getAuthData() {
if (class_exists('phpCAS')) {
// Launch Auth
phpCAS::forceAuthentication();
$this -> authData = array(
'username' => phpCAS::getUser(),
'password' => '',
'ldapserver' => $_REQUEST['LSsession_ldapserver'],
'topDn' => $_REQUEST['LSsession_topDn']
'username' => phpCAS::getUser()
);
return true;
}
return;
}
/**
* Check user login
*
* @param[in] $username The username
* @param[in] $password The password
*
* @retval LSldapObject|false The LSldapObject of the user authificated or false
*/
public function authenticate() {
if (LSsession :: loadLSobject(LSsession :: $ldapServer['authObjectType'])) {
$authobject = new LSsession :: $ldapServer['authObjectType']();
$result = $authobject -> searchObject(
$this -> authData['username'],
LSsession :: getTopDn(),
LSsession :: $ldapServer['authObjectFilter']
);
$nbresult=count($result);
if ($nbresult==0) {
// identifiant incorrect
LSdebug('identifiant incorrect');
LSerror :: addErrorCode('LSauth_01');
}
else if ($nbresult>1) {
// duplication d'authentité
LSerror :: addErrorCode('LSauth_02');
}
else {
// Authentication succeeded
return $result[0];
}
}
else {
LSerror :: addErrorCode('LSauth_03');
return $this -> authData;
}
return;
}
/**
* Logout
*
* @retval boolean True on success or False
**/
public function logout() {
if(class_exists('phpCAS')) {
if ($this -> params['displayLogoutBtn']) {
if (LSauth :: displayLogoutBtn()) {
phpCAS :: forceAuthentication();
phpCAS :: logout();
return true;
}
}
return;
}
}
/*
* Error Codes
*/
LSerror :: defineError('LSauthCAS_01',
_("LSauthCAS : Failed to load phpCAS.")
LSerror :: defineError('LSauthMethod_CAS_01',
_("LSauthMethod_CAS : Failed to load phpCAS.")
);
?>

View file

@ -0,0 +1,58 @@
<?php
/*******************************************************************************
* Copyright (C) 2007 Easter-eggs
* http://ldapsaisie.labs.libre-entreprise.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
LSsession :: loadLSclass('LSauthMethod_basic');
/**
* HTTP Authentication provider for LSauth
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSauthMethod_HTTP extends LSauthMethod_basic {
function LSauthMethod_HTTP() {
LSauth :: disableLoginForm();
LSauth :: disableLogoutBtn();
return parent :: LSauthMethod_basic();
}
/**
* Check Auth Data
*
* Return authentication data or false
*
* @retval Array|false Array of authentication data or False
**/
public function getAuthData() {
if (isset($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_USER'])) {
$this -> authData = array(
'username' => $_SERVER['PHP_AUTH_USER'],
'password' => $_SERVER['PHP_AUTH_PW']
);
return $this -> authData;
}
return;
}
}
?>

View file

@ -0,0 +1,84 @@
<?php
/*******************************************************************************
* Copyright (C) 2007 Easter-eggs
* http://ldapsaisie.labs.libre-entreprise.org
*
* Author: See AUTHORS file in top-level directory.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
******************************************************************************/
/**
* Basic authentication provider for LSauth
*
* @author Benjamin Renard <brenard@easter-eggs.com>
*/
class LSauthMethod_basic extends LSauthMethod {
/**
* Check Auth Data
*
* Return authentication data or false
*
* @retval Array|false Array of authentication data or False
**/
public function getAuthData() {
if (isset($_POST['LSauth_user']) && !empty($_POST['LSauth_user'])) {
$this -> authData = array(
'username' => $_POST['LSauth_user'],
'password' => (isset($_POST['LSauth_pwd'])?$_POST['LSauth_pwd']:'')
);
return $this -> authData;
}
return;
}
/**
* Check authentication
*
* @retval LSldapObject|false The LSldapObject of the user authificated or false
*/
public function authenticate() {
$authobject = parent :: authenticate();
if ($authobject) {
if ( $this -> checkUserPwd($authobject,$this -> authData['password']) ) {
// Authentication succeeded
return $authobject;
}
else {
LSerror :: addErrorCode('LSauth_01');
LSdebug('mdp incorrect');
}
}
return;
}
/**
* Test un couple LSobject/pwd
*
* Test un bind sur le serveur avec le dn de l'objet et le mot de passe fourni.
*
* @param[in] LSobject L'object "user" pour l'authentification
* @param[in] string Le mot de passe à tester
*
* @retval boolean True si l'authentification a reussi, false sinon.
**/
public static function checkUserPwd($object,$pwd) {
return LSldap :: checkBind($object -> getValue('dn'),$pwd);
}
}
?>

View file

@ -50,9 +50,6 @@ class LSsession {
// Les droits d'accès de l'utilisateur
private static $LSaccess = array();
// Authentification parameters
private static $authParams = array();
// Les fichiers temporaires
private static $tmp_file = array();
@ -292,23 +289,13 @@ class LSsession {
/**
* Chargement d'une classe d'authentification d'LdapSaisie
*
* @param[in] $auth Nom de la classe d'authentification a charger (Exemple : HTTP)
*
* @author Benjamin Renard <brenard@easter-eggs.com
*
* @retval boolean true si le chargement a reussi, false sinon.
*/
public static function loadLSauth($auth=false) {
public static function loadLSauth() {
if (self :: loadLSclass('LSauth')) {
if ($auth) {
if(self :: includeFile(LS_CLASS_DIR .'class.LSauth'.$auth.'.php')) {
self :: includeFile(LS_CONF_DIR."LSauth/config.LSauth".$auth.".php");
return true;
}
}
else {
return true;
}
return true;
}
else {
LSerror :: addErrorCode('LSsession_05','LSauth');
@ -473,6 +460,7 @@ class LSsession {
self :: startLSerror();
self :: loadLSaddons();
self :: loadLSauth();
return true;
}
@ -493,16 +481,20 @@ class LSsession {
}
if(isset($_SESSION['LSsession']['dn']) && !isset($_GET['LSsession_recoverPassword'])) {
// Session existante
LSdebug('LSsession : Session existente');
// --------------------- Session existante --------------------- //
self :: $topDn = $_SESSION['LSsession']['topDn'];
self :: $dn = $_SESSION['LSsession']['dn'];
self :: $rdn = $_SESSION['LSsession']['rdn'];
self :: $ldapServerId = $_SESSION['LSsession']['ldapServerId'];
self :: $tmp_file = $_SESSION['LSsession']['tmp_file'];
self :: $authParams = $_SESSION['LSsession']['authParams'];
if ( self :: cacheLSprofiles() && !isset($_REQUEST['LSsession_refresh']) ) {
self :: setLdapServer(self :: $ldapServerId);
if (!LSauth :: start()) {
LSdebug("LSsession : can't start LSauth -> stop");
return;
}
self :: $LSprofiles = $_SESSION['LSsession']['LSprofiles'];
self :: $LSaccess = $_SESSION['LSsession']['LSaccess'];
if (!self :: LSldapConnect())
@ -510,6 +502,10 @@ class LSsession {
}
else {
self :: setLdapServer(self :: $ldapServerId);
if (!LSauth :: start()) {
LSdebug("LSsession : can't start LSauth -> stop");
return;
}
if (!self :: LSldapConnect())
return;
self :: loadLSprofiles();
@ -524,10 +520,7 @@ class LSsession {
}
if (isset($_GET['LSsession_logout'])) {
$authObj = self :: getLSauthObject();
if ($authObj) {
$authObj -> logout();
}
LSauth :: logout();
session_destroy();
if (is_array($_SESSION['LSsession']['tmp_file'])) {
@ -540,8 +533,6 @@ class LSsession {
return;
}
self :: getLSuserObject();
if ( !self :: cacheLSprofiles() || isset($_REQUEST['LSsession_refresh']) ) {
self :: loadLSaccess();
}
@ -559,6 +550,7 @@ class LSsession {
}
else {
// --------------------- Session inexistante --------------------- //
if (isset($_GET['LSsession_recoverPassword'])) {
session_destroy();
}
@ -582,6 +574,11 @@ class LSsession {
}
$_SESSION['LSsession_topDn']=self :: $topDn;
if (!LSauth :: start()) {
LSdebug("LSsession : can't start LSauth -> stop");
return;
}
if (isset($_GET['LSsession_recoverPassword'])) {
$recoveryPasswordInfos = self :: recoverPasswd(
$_REQUEST['LSsession_user'],
@ -589,22 +586,17 @@ class LSsession {
);
}
else {
$authObj=self :: getLSauthObject();
if ($authObj) {
if ($authObj -> getPostData()) {
$LSuserObject = $authObj -> authenticate();
if ($LSuserObject) {
// Authentication successful
self :: $LSuserObject = $LSuserObject;
self :: $dn = $LSuserObject->getValue('dn');
self :: $rdn = $LSuserObject->getValue('rdn');
self :: loadLSprofiles();
self :: loadLSaccess();
$GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
$_SESSION['LSsession']=self :: getContextInfos();
return true;
}
}
$LSuserObject = LSauth :: forceAuthentication();
if ($LSuserObject) {
// Authentication successful
self :: $LSuserObject = $LSuserObject;
self :: $dn = $LSuserObject->getValue('dn');
self :: $rdn = $LSuserObject->getValue('rdn');
self :: loadLSprofiles();
self :: loadLSaccess();
$GLOBALS['Smarty'] -> assign('LSsession_username',self :: getLSuserObject() -> getDisplayName());
$_SESSION['LSsession']=self :: getContextInfos();
return true;
}
}
}
@ -619,7 +611,7 @@ class LSsession {
if (isset($_GET['LSsession_recoverPassword'])) {
self :: displayRecoverPasswordForm($recoveryPasswordInfos);
}
elseif(self :: $authParams['displayLoginForm']) {
elseif(LSauth :: displayLoginForm()) {
self :: displayLoginForm();
}
else {
@ -630,32 +622,6 @@ class LSsession {
}
}
/**
* Get LSauthObject
*
* @retval LSauth object or false
**/
private static function getLSauthObject() {
if (!self :: $LSauthObject) {
if (self :: loadLSauth()) {
if (isset(self :: $ldapServer['LSauth']['method'])) {
$LSauthClass = 'LSauth'.self :: $ldapServer['LSauth']['method'];
if (!self :: loadLSauth(self :: $ldapServer['LSauth']['method'])) {
LSerror :: addErrorCode('LSsession_08',self :: $ldapServer['LSauth']['method']);
$LSauthClass = 'LSauth';
}
}
else {
$LSauthClass = 'LSauth';
}
self :: $LSauthObject = new $LSauthClass();
self :: $authParams = self :: $LSauthObject->params;
}
}
return self :: $LSauthObject;
}
/**
* Do recover password
*
@ -896,8 +862,7 @@ class LSsession {
'ldapServerId' => self :: $ldapServerId,
'ldapServer' => self :: $ldapServer,
'LSprofiles' => self :: $LSprofiles,
'LSaccess' => self :: $LSaccess,
'authParams' => self :: $authParams
'LSaccess' => self :: $LSaccess
);
}
@ -1406,7 +1371,7 @@ class LSsession {
$GLOBALS['Smarty'] -> assign('LSencoding',self :: $encoding);
$GLOBALS['Smarty'] -> assign('lang_label',_('Language'));
$GLOBALS['Smarty'] -> assign('displayLogoutBtn',self :: $authParams['displayLogoutBtn']);
$GLOBALS['Smarty'] -> assign('displayLogoutBtn',LSauth :: displayLogoutBtn());
// Infos
if((!empty($_SESSION['LSsession_infos']))&&(is_array($_SESSION['LSsession_infos']))) {

View file

@ -25,9 +25,9 @@
<dt class='loginform-level' id='LSsession_topDn_label' {$loginform_ldapserver_style}>{$loginform_label_level}</dt>
<dd class='loginform-level' {$loginform_ldapserver_style}><select name='LSsession_topDn' id='LSsession_topDn'>{html_options values=$loginform_topdn_index output=$loginform_topdn_name selected=$topDn}</select></dd>
<dt>{$loginform_label_user}</dt>
<dd><input type='text' name='LSsession_user' /></dd>
<dd><input type='text' name='LSauth_user' /></dd>
<dt>{$loginform_label_pwd}</dt>
<dd><input type='password' name='LSsession_pwd' /></dd>
<dd><input type='password' name='LSauth_pwd' /></dd>
<dt class='LSlang_hidden'>{$lang_label}</dt>
<dd class='LSlang_hidden'>
<select name='lang'>