ILIAS  release_10 Revision v10.1-43-ga1241a92c2f
class.ilAuthProviderApache.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
26 final class ilAuthProviderApache extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
27 {
28  public const APACHE_AUTH_TYPE_DIRECT_MAPPING = 1;
29  public const APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2;
30  public const APACHE_AUTH_TYPE_BY_FUNCTION = 3;
31 
32  private const ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name';
33 
34  private const ERR_WRONG_LOGIN = 'err_wrong_login';
35 
36  private const APACHE_ENABLE_LDAP = 'apache_enable_ldap';
37  private const APACHE_LDAP_SID = 'apache_ldap_sid';
38 
39  private readonly ilSetting $settings;
40  private string $migration_account = '';
41  private bool $force_new_account = false;
42 
43  public function __construct(ilAuthCredentials $credentials)
44  {
45  parent::__construct($credentials);
46  $this->settings = new ilSetting('apache_auth');
47  }
48 
49  public function doAuthentication(ilAuthStatus $status): bool
50  {
51  if (!$this->settings->get('apache_enable_auth', '0')) {
52  $this->getLogger()->info('Apache auth disabled.');
53  $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
54  return false;
55  }
56 
57  if (
58  !$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '') ||
59  !$this->settings->get('apache_auth_indicator_value', '')
60  ) {
61  $this->getLogger()->warning('Apache auth indicator match failure.');
62  $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
63  return false;
64  }
65 
66  $validIndicatorValues = array_filter(array_map(
67  'trim',
68  str_getcsv($this->settings->get('apache_auth_indicator_value', ''))
69  ));
70  //TODO PHP8-REVIEW: $DIC->http()->request()->getServerParams()['apache_auth_indicator_name']
71  if (
72  !isset($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')]) ||
73  !in_array($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')], $validIndicatorValues, true)
74  ) {
75  $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
76  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
77  return false;
78  }
79 
80  if (!ilUtil::isLogin($this->getCredentials()->getUsername())) {
81  $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
82  $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
83  return false;
84  }
85 
86  if ($this->getCredentials()->getUsername() === '') {
87  $this->getLogger()->info('No username given');
88  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
89  return false;
90  }
91 
92  // Apache with ldap as data source
93  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
94  return $this->handleLDAPDataSource($status);
95  }
96 
97  $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
98  $usr_id = ilObjUser::_lookupId($login);
99  if (!$usr_id) {
100  $this->getLogger()->info('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
101  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
102  return false;
103  }
104 
105  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
106  $status->setAuthenticatedUserId($usr_id);
107  return true;
108  }
109 
110  public function migrateAccount(ilAuthStatus $status): void
111  {
112  $this->force_new_account = true;
113  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
114  $this->handleLDAPDataSource($status);
115  }
116  }
117 
118  public function createNewAccount(ilAuthStatus $status): void
119  {
120  $this->force_new_account = true;
121  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
122  $this->handleLDAPDataSource($status);
123  }
124  }
125 
126  public function getExternalAccountName(): string
127  {
128  return $this->migration_account;
129  }
130 
131  public function setExternalAccountName(string $name): void
132  {
133  $this->migration_account = $name;
134  }
135 
136  public function getTriggerAuthMode(): string
137  {
138  return (string) ilAuthUtils::AUTH_APACHE;
139  }
140 
141  public function getUserAuthModeName(): string
142  {
143  if ($this->settings->get(self::APACHE_LDAP_SID, '0')) {
144  return 'ldap_' . $this->settings->get(self::APACHE_LDAP_SID, '');
145  }
146 
147  return 'apache';
148  }
149 
150  private function handleLDAPDataSource(ilAuthStatus $status): bool
151  {
152  $server = ilLDAPServer::getInstanceByServerId(
153  (int) $this->settings->get(self::APACHE_LDAP_SID, '0')
154  );
155 
156  $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
157 
158  $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
159  $sync->setExternalAccount($this->getCredentials()->getUsername());
160  $sync->setUserData([]);
161  $sync->forceCreation($this->force_new_account);
162  $sync->forceReadLdapData(true);
163 
164  try {
165  $internal_account = $sync->sync();
166  $this->getLogger()->debug('Internal account: ' . $internal_account);
167  } catch (UnexpectedValueException $e) {
168  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
169  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
170  return false;
171  } catch (ilLDAPSynchronisationFailedException) {
172  $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
173  return false;
174  } catch (ilLDAPSynchronisationForbiddenException $e) {
175  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
176  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
177  return false;
178  } catch (ilLDAPAccountMigrationRequiredException) {
179  $this->setExternalAccountName($this->getCredentials()->getUsername());
180  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
181  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
182  return false;
183  }
184 
185  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
186  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
187  return true;
188  }
189 }
ilAuthProviderApache\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderApache.php:110
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:27
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilAuthProviderApache\doAuthentication
doAuthentication(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:49
array_map
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:26
ilAuthProviderApache\handleLDAPDataSource
handleLDAPDataSource(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:150
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, cas,...
Definition: class.ilLDAPUserSynchronisation.php:26
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:694
ilAuthProviderApache\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderApache.php:118
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2745
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:71
ilAuthProvider
Base class for authentication providers (ldap, apache, ...)
Definition: class.ilAuthProvider.php:27
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount(string $a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:66
ilAuthProviderApache\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: class.ilAuthProviderApache.php:136
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:69
$_SERVER
$_SERVER['HTTP_HOST']
Definition: raiseError.php:10
ilUtil\isLogin
static isLogin(string $a_login)
Definition: class.ilUtil.php:293
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ilAuthProviderApache\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderApache.php:126
ilAuthProviderApache\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderApache.php:43
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:55
ilAuthProviderApache\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth...
Definition: class.ilAuthProviderApache.php:141
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:120
$server
$server
Definition: shib_login.php:27
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:36