From 4eed1d8982625a90d8738cbda0f9681f7b8efdbf Mon Sep 17 00:00:00 2001
From: Deon George
Date: Sat, 11 Jul 2009 10:18:48 +1000
Subject: [PATCH] Enabled HTTP auth
---
 htdocs/js/pla_ajax.js | 2 +-
 htdocs/login_form.php | 81 ++++++++++++++++++++++++++++---------------
 lib/HTMLTree.php | 12 +++++--
 lib/ds.php | 70 ++++++++++++++++++++++++++++++++++---
 lib/ds_ldap.php | 4 +--
 lib/ds_ldap_pla.php | 2 +-
 6 files changed, 133 insertions(+), 38 deletions(-)
diff --git a/htdocs/js/pla_ajax.js b/htdocs/js/pla_ajax.js
index 2eeaea0..a0570c0 100644
--- a/htdocs/js/pla_ajax.js
+++ b/htdocs/js/pla_ajax.js
@@ -42,7 +42,7 @@ function includeHTML(component, html) {
 // callback function
 function alertHttpRequest() {
 if (http_request && (http_request.readyState == 4)) {
- if (http_request.status == 200) {
+ if (http_request.status == 200 || http_request.status == 401) {
 response = http_request.responseText;
 http_request = null;
 //alert(response);
diff --git a/htdocs/login_form.php b/htdocs/login_form.php
index 669e915..f5cb5c2 100644
--- a/htdocs/login_form.php
+++ b/htdocs/login_form.php
@@ -29,44 +29,68 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') { } echo '
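Review bot: The added `|| http_request.status == 401` lets an unauthenticated reply take the same path as a success, so the 401 body is handed on as if it were the requested content, and nothing in the hunk records why that is wanted. Presumably this is for `auth_type` `http`, where the first request is answered with a Basic challenge plus a message body; a comment above the condition should say so, e.g. `// 401 is expected with HTTP auth: the server answers with a Basic challenge and a message body worth showing`. What happens to any other status is outside the hunk, as is the rest of `alertHttpRequest`.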
'; -# Login form. -echo '
'; -echo ''; -printf('',$app['server']->getIndex()); +# HTTP Basic Auth Form. +if ($app['server']->getAuthType() == 'http') { + ob_end_clean(); -if (get_request('redirect','GET',false,false)) - printf('',rawurlencode(get_request('redirect','GET'))); + # When we pop up the basic athentication, we come back to this script, so try the login again. + if ($app['server']->isLoggedIn('user')) { + system_message(array( + 'title'=>_('Authenticate to server'), + 'body'=>_('Successfully logged into server.'), + 'type'=>'info'), + sprintf('cmd.php?server_id=%s&refresh=SID_%s',$app['server']->getIndex(),$app['server']->getIndex())); -echo '
'; -echo ''; + die(); + } -printf('', - $app['server']->getValue('login','auth_text') ? $app['server']->getValue('login','auth_text') : - ($app['server']->getValue('login','attr') == 'dn' ? _('Login DN') : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr')))); + header(sprintf('WWW-Authenticate: Basic realm="%s %s"',app_name(),_('login'))); -printf('', - $app['server']->getValue('login','attr',false) == 'dn' ? $app['server']->getValue('login','bind_id') : ''); + if ($_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0') + header('HTTP/1.0 401 Unauthorized'); // http 1.0 method + else + header('Status: 401 Unauthorized'); // http 1.1 method -echo ''; -printf('',_('Password')); -echo ''; -echo ''; + return; +# HTML Login Form +} else { + echo ''; + echo ''; + printf('',$app['server']->getIndex()); -# If Anon bind allowed, then disable the form if the user choose to bind anonymously. -if ($app['server']->isAnonBindAllowed()) - printf('', - _('Anonymous')); + if (get_request('redirect','GET',false,false)) + printf('',rawurlencode(get_request('redirect','GET'))); -printf('', - _('Authenticate')); + echo '
'; + echo '
%s:
 
%s:
 
%s
'; -echo '
'; -echo '
'; -echo '
'; + printf('%s:', + $app['server']->getValue('login','auth_text') ? $app['server']->getValue('login','auth_text') : + ($app['server']->getValue('login','attr') == 'dn' ? _('Login DN') : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr')))); -echo ''; + printf('', + $app['server']->getValue('login','attr',false) == 'dn' ? $app['server']->getValue('login','bind_id') : ''); -if ($app['server']->isAnonBindAllowed() ) { + echo ' '; + printf('%s:',_('Password')); + echo ''; + echo ' '; + + # If Anon bind allowed, then disable the form if the user choose to bind anonymously. + if ($app['server']->isAnonBindAllowed()) + printf('%s ', + _('Anonymous')); + + printf('
', + _('Authenticate')); + + echo ''; + echo ''; + echo ''; + + echo ''; + + if ($app['server']->isAnonBindAllowed() ) { ?>
diff --git a/lib/HTMLTree.php b/lib/HTMLTree.php
index 7e2be73..193c062 100644
--- a/lib/HTMLTree.php
+++ b/lib/HTMLTree.php
@@ -121,8 +121,16 @@ class HTMLTree extends Tree {
 # We are not logged in, draw a login... link.
 } else {
- if ($server->getAuthType() != 'config')
- $this->draw_login_link();
+ switch ($server->getAuthType()) {
+
+ case 'http':
+ case 'session':
+ $this->draw_login_link();
+ break;
+
+ default:
+ die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$server->getAuthType()));
+ }
 }
 # Tree Footer.
diff --git a/lib/ds.php b/lib/ds.php
index bd8cc5e..7101265 100644
--- a/lib/ds.php
+++ b/lib/ds.php
@@ -127,6 +127,7 @@ abstract class DS {
 public function getAuthType() {
 switch ($this->getValue('login','auth_type')) {
 case 'config':
+ case 'http':
 case 'session':
 return $this->getValue('login','auth_type');
@@ -154,6 +155,7 @@ abstract class DS {
 else
 return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
+ case 'http':
 case 'session':
 if (! isset($_SESSION['USER'][$this->index][$method]['name']))
 return null;
@@ -173,6 +175,7 @@ abstract class DS {
 switch ($this->getAuthType()) {
 case 'config':
+ case 'http':
 case 'session':
 $_SESSION['USER'][$this->index][$method]['name'] = blowfish_encrypt($user);
 $_SESSION['USER'][$this->index][$method]['pass'] = blowfish_encrypt($pass);
@@ -200,6 +203,7 @@ abstract class DS {
 else
 return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
+ case 'http':
 case 'session':
 if (! isset($_SESSION['USER'][$this->index][$method]['pass']))
 return null;
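Review bot: `header('Status: 401 Unauthorized')` in the new `auth_type == 'http'` branch is the CGI-style status line; as far as I know only the CGI/FastCGI SAPIs turn it into the response code, while under other SAPIs it goes out as an ordinary header, so whether the client actually receives a 401 here depends on PHP's implicit handling of `WWW-Authenticate` rather than on this line. PHP treats any header line beginning with `HTTP/` as the status for every SAPI, so a single `header('HTTP/1.1 401 Unauthorized');` (or `header($h, true, 401)`) would replace the `SERVER_PROTOCOL` test and both branches. The same two-branch block is repeated in the `isLoggedIn()` hunk of lib/ds.php, which this script has already called through `$app['server']->isLoggedIn('user')` a few lines earlier, so when no credentials were presented the challenge is emitted twice (harmless since `header()` replaces, but it belongs in one helper). The form-output lines of this hunk are not legible in this copy and are not reviewed.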
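Review bot: The `default:` arm of the new switch calls `die()` for every auth_type other than `http` and `session`, which changes what the old `!= 'config'` test did for `'config'`: that type used to draw nothing here and now aborts the page in the middle of the tree with an unescaped message. If a `'config'` server can reach this not-logged-in branch (for instance with no bind id configured), that is a regression; `case 'config': break;` ahead of `default:` keeps the old behaviour while still failing loudly for unknown types. The message text should also read `hasn't`. The enclosing method starts before the hunk.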
@@ -215,9 +219,56 @@ abstract class DS {
 * Return if this datastore's connection method has been logged into
 */
 public function isLoggedIn($method=null) {
+ static $CACHE = null;
+
 $method = $this->getMethod($method);
- return is_null($this->getLogin($method)) ? false : true;
+ if (! is_null($CACHE))
+ return $CACHE;
+
+ # For some authentication types, we need to do the login here
+ switch ($this->getAuthType()) {
+ case 'http':
+ # If our auth vars are not set, throw up a login box.
+ if (! isset($_SERVER['PHP_AUTH_USER'])) {
+ header(sprintf('WWW-Authenticate: Basic realm="%s %s"',app_name(),_('login')));
+
+ if ($_SERVER['SERVER_PROTOCOL'] == 'HTTP/1.0')
+ header('HTTP/1.0 401 Unauthorized'); // http 1.0 method
+ else
+ header('Status: 401 Unauthorized'); // http 1.1 method
+
+ # If we still dont have login details...
+ if (! isset($_SERVER['PHP_AUTH_USER'])) {
+ system_message(array(
+ 'title'=>_('Unable to login.'),
+ 'body'=>_('Your configuration file has authentication set to HTTP based authentication, however, there was none presented'),
+ 'type'=>'error'));
+
+ $CACHE = false;
+ }
+
+ # Check our auth vars are valid.
+ } else {
+ if (! $this->login($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'],$method)) {
+ system_message(array(
+ 'title'=>_('Unable to login.'),
+ 'body'=>_('Your HTTP based authentication is not accepted by the LDAP server'),
+ 'type'=>'error'));
+
+ $CACHE = false;
+
+ } else
+ $CACHE = true;
+ }
+
+ break;
+
+ default:
+ $CACHE = is_null($this->getLogin($method)) ? false : true;
+ }
+
+ return $CACHE;
 }
 /**
@@ -233,6 +284,9 @@ abstract class DS {
 return true;
+ case 'http':
+ return true;
+
 case 'session':
 if (isset($_SESSION['USER'][$this->index][$method]))
 unset($_SESSION['USER'][$this->index][$method]);
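Review bot: `static $CACHE` in `isLoggedIn()` is one function-level value, keyed by neither `$this->index` nor `$method`, so once it is set it is returned for every later call in the request whichever server object or method ('user' or 'anon') is asked for — the `$method = $this->getMethod($method)` line right below it resolves a method that the cache then ignores. lib/ds_ldap.php in this same patch already caches by `$CACHE[$this->index][$method]`; using that shape here keeps one result per server and method, as sketched below. The `getMethod()` hunk (`@@ -272,14 +326,22 @@`) has the same unkeyed static and needs at least a per-`$this->index` key. Two smaller points in the `'http'` arm: the second `if (! isset($_SERVER['PHP_AUTH_USER']))` re-tests a value that cannot change inside the request, so the error message is always emitted together with the challenge, and `$_SERVER['PHP_AUTH_PW']` is read without an `isset` check.
```php
	public function isLoggedIn($method=null) {
		static $CACHE = array();

		$method = $this->getMethod($method);

		if (isset($CACHE[$this->index][$method]))
			return $CACHE[$this->index][$method];

		# … unchanged: auth_type switch, with each `$CACHE = …` written as `$CACHE[$this->index][$method] = …` …

		return $CACHE[$this->index][$method];
	}
```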
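Review bot: The new `case 'http': return true;` in the logout method reports success without removing `$_SESSION['USER'][$this->index][$method]`, which the `login()` hunk above now writes for `'http'` exactly as it does for `'session'`, so the encrypted credentials outlive the "logout". Dropping the `return true;` so that `'http'` falls through to the `'session'` arm clears the entry. The browser will still replay the Authorization header on the next request and `isLoggedIn()` will log the user straight back in, so a comment such as `# HTTP auth logout only clears our session copy; the browser keeps the credentials` would save the next reader a surprise. The enclosing method starts before the hunk.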
@@ -272,14 +326,22 @@ abstract class DS {
 * @return string Connection Method
 */
 protected function getMethod($method=null) {
+ static $CACHE = null;
+
 # Immediately return if method is set.
 if (! is_null($method))
 return $method;
+ # If we have been here already, then return our result
+ if (! is_null($CACHE))
+ return $CACHE;
+
+ $CACHE = 'anon';
+
 if ($this->isLoggedIn('user'))
- return 'user';
- else
- return 'anon';
+ $CACHE = 'user';
+
+ return $CACHE;
 }
 }
diff --git a/lib/ds_ldap.php b/lib/ds_ldap.php
index 8890ffb..2534ac8 100644
--- a/lib/ds_ldap.php
+++ b/lib/ds_ldap.php
@@ -137,8 +137,8 @@ class ldap extends DS {
 return $CACHE[$this->index][$method];
 # Check if we have logged in and therefore need to use those details as our bind.
- $bind['id'] = is_null($this->getLogin($method)) ? $this->getLogin('user') : $this->getLogin($method);
- $bind['pass'] = is_null($this->getPassword($method)) ? $this->getPassword('user') : $this->getPassword($method);
+ $bind['id'] = is_null($this->getLogin($method)) && $method != 'anon' ? $this->getLogin('user') : $this->getLogin($method);
+ $bind['pass'] = is_null($this->getPassword($method)) && $method != 'anon' ? $this->getPassword('user') : $this->getPassword($method);
 # If our bind id is still null, we are not logged in.
 if (is_null($bind['id']))
diff --git a/lib/ds_ldap_pla.php b/lib/ds_ldap_pla.php
index 59f5b11..620a734 100644
--- a/lib/ds_ldap_pla.php
+++ b/lib/ds_ldap_pla.php
@@ -404,7 +404,7 @@ class ldap_pla extends ldap {
 * this function will return null.
 */
 public function inactivityTime() {
- if ($this->isLoggedIn() && ! in_array($this->getAuthType(),array('config','httpd')))
+ if ($this->isLoggedIn() && ! in_array($this->getAuthType(),array('config','http')))
 return time()+($this->getValue('login','timeout')*60);
 else
 return null;
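Review bot: The two rewritten `$bind[...]` lines in lib/ds_ldap.php rely on `&&` binding tighter than `?:` and call `getLogin()`/`getPassword()` twice each, which hides the intent (fall back to the 'user' credentials unless an anonymous bind was explicitly requested). Parenthesising the condition and naming the first lookup says the same with one call: `$id = $this->getLogin($method); $bind['id'] = (is_null($id) && $method != 'anon') ? $this->getLogin('user') : $id;`, and the password line follows suit. The surrounding method starts and ends outside the hunk.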