ILIAS  release_10 Revision v10.1-43-ga1241a92c2f
ilAuthProviderApache Class Reference

Apache auth provider.

Public Member Functions

 __construct (ilAuthCredentials $credentials)
 
 doAuthentication (ilAuthStatus $status)
 
 migrateAccount (ilAuthStatus $status)
 Create new account.
 
 createNewAccount (ilAuthStatus $status)
 Create new ILIAS account for external_account.
 
 getExternalAccountName ()
 Get external account name.
 
 setExternalAccountName (string $name)
 
 getTriggerAuthMode ()
 Get auth mode which triggered the account migration: 2_1 for LDAP account migration with server id 1, 11 for Apache auth.
 
 getUserAuthModeName ()
 Get user auth mode name: ldap_1 for LDAP account migration with server id 1, apache for Apache auth.
 
- Public Member Functions inherited from ilAuthProvider
 __construct (ilAuthCredentials $credentials)
 Constructor.
 
 getLogger ()
 Get logger.
 
 getCredentials ()
 
- Public Member Functions inherited from ilAuthProviderInterface
 doAuthentication (\ilAuthStatus $status)
 Do authentication.
 

Data Fields

const APACHE_AUTH_TYPE_DIRECT_MAPPING = 1
 
const APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2
 
const APACHE_AUTH_TYPE_BY_FUNCTION = 3
 

Private Member Functions

 handleLDAPDataSource (ilAuthStatus $status)
 

Private Attributes

const ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name'
 
const ERR_WRONG_LOGIN = 'err_wrong_login'
 
const APACHE_ENABLE_LDAP = 'apache_enable_ldap'
 
const APACHE_LDAP_SID = 'apache_ldap_sid'
 
readonly ilSetting $settings
 
string $migration_account = ''
 
bool $force_new_account = false
 

Additional Inherited Members

- Protected Member Functions inherited from ilAuthProvider
 handleAuthenticationFail (ilAuthStatus $status, string $a_reason)
 Handle failed authentication.
 

Detailed Description

Apache auth provider.

Author
Stefan Meyer <smeyer.ilias@gmx.de>
Michael Jansen <mjansen@databay.de>

Definition at line 26 of file class.ilAuthProviderApache.php.

Constructor & Destructor Documentation

◆ __construct()

ilAuthProviderApache::__construct ( ilAuthCredentials  $credentials)

Definition at line 43 of file class.ilAuthProviderApache.php.

References ILIAS\GlobalScreen\Provider\__construct(), and ILIAS\Repository\settings().

43  public function __construct(ilAuthCredentials $credentials)
44  {
45  parent::__construct($credentials);
46  $this->settings = new ilSetting('apache_auth');
47  }

Member Function Documentation

◆ createNewAccount()

ilAuthProviderApache::createNewAccount ( ilAuthStatus  $status)

Create new ILIAS account for external_account.

Implements ilAuthProviderAccountMigrationInterface.

Definition at line 118 of file class.ilAuthProviderApache.php.

References handleLDAPDataSource(), and ILIAS\Repository\settings().

118  public function createNewAccount(ilAuthStatus $status): void
119  {
120  $this->force_new_account = true;
121  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
122  $this->handleLDAPDataSource($status);
123  }
124  }

◆ doAuthentication()

ilAuthProviderApache::doAuthentication ( ilAuthStatus  $status)

Definition at line 49 of file class.ilAuthProviderApache.php.

References $_SERVER, ilObjUser\_checkExternalAuthAccount(), ilObjUser\_lookupId(), ilAuthProvider\getCredentials(), ilAuthProvider\getLogger(), ilAuthProvider\handleAuthenticationFail(), handleLDAPDataSource(), ilUtil\isLogin(), ilAuthStatus\setAuthenticatedUserId(), ilAuthStatus\setStatus(), ILIAS\Repository\settings(), and ilAuthStatus\STATUS_AUTHENTICATED.

49  public function doAuthentication(ilAuthStatus $status): bool
50  {
51  if (!$this->settings->get('apache_enable_auth', '0')) {
52  $this->getLogger()->info('Apache auth disabled.');
53  $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
54  return false;
55  }
56 
57  if (
58  !$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '') ||
59  !$this->settings->get('apache_auth_indicator_value', '')
60  ) {
61  $this->getLogger()->warning('Apache auth indicator match failure.');
62  $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
63  return false;
64  }
65 
66  $validIndicatorValues = array_filter(array_map(
67  'trim',
68  str_getcsv($this->settings->get('apache_auth_indicator_value', ''))
69  ));
70  //TODO PHP8-REVIEW: $DIC->http()->request()->getServerParams()['apache_auth_indicator_name']
71  if (
72  !isset($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')]) ||
73  !in_array($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')], $validIndicatorValues, true)
74  ) {
75  $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
76  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
77  return false;
78  }
79 
80  if (!ilUtil::isLogin($this->getCredentials()->getUsername())) {
81  $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
82  $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
83  return false;
84  }
85 
86  if ($this->getCredentials()->getUsername() === '') {
87  $this->getLogger()->info('No username given');
88  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
89  return false;
90  }
91 
92  // Apache with ldap as data source
93  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
94  return $this->handleLDAPDataSource($status);
95  }
96 
97  $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
98  $usr_id = ilObjUser::_lookupId($login);
99  if (!$usr_id) {
100  $this->getLogger()->info('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
101  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
102  return false;
103  }
104 
105  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
106  $status->setAuthenticatedUserId($usr_id);
107  return true;
108  }
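
The indicator check in doAuthentication() above, restated as an added stand-alone example (not ILIAS code); apacheIndicatorMatches(), the AUTH_TYPE indicator name and the sample values are assumptions made for illustration. It shows which server values pass the gate, including two edge cases: a configured value of 0 is dropped by array_filter, and the comparison is strict, so case and surrounding whitespace in the server value matter.

```php
<?php
declare(strict_types=1);

// Added example, not ILIAS code: apacheIndicatorMatches() is a hypothetical
// stand-alone restatement of the indicator gate in doAuthentication().
function apacheIndicatorMatches(string $name, string $csv, array $server): bool
{
    // Same truthiness test as the provider: '' and '0' both count as unset.
    if (!$name || !$csv) {
        return false;
    }
    // Explicit CSV arguments equal the defaults the provider relies on.
    $valid = array_filter(array_map('trim', str_getcsv($csv, ',', '"', '\\')));

    // The variable must exist and equal one configured value exactly.
    return isset($server[$name]) && in_array($server[$name], $valid, true);
}

// Constructed settings: indicator variable name and accepted values (CSV).
$name = 'AUTH_TYPE';
$csv  = 'Basic, Negotiate ,0';

// Constructed server parameter sets, one per case.
$cases = [
    'exact match'                  => ['AUTH_TYPE' => 'Basic'],
    'setting value trimmed'        => ['AUTH_TYPE' => 'Negotiate'],
    'variable missing'             => ['REMOTE_USER' => 'alice'],
    'different case'               => ['AUTH_TYPE' => 'basic'],
    'configured "0" is filtered'   => ['AUTH_TYPE' => '0'],
    'server value is not trimmed'  => ['AUTH_TYPE' => ' Basic'],
];

foreach ($cases as $label => $server) {
    $result = apacheIndicatorMatches($name, $csv, $server) ? 'pass' : 'fail';
    printf("%-30s %s\n", $label, $result);
}
```

The gate is only as strong as the variable it reads: $_SERVER entries whose names start with HTTP_ are derived from request headers, so the indicator should be a variable that only the web server's authentication module sets.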

◆ getExternalAccountName()

ilAuthProviderApache::getExternalAccountName ( )

Get external account name.

Implements ilAuthProviderAccountMigrationInterface.

Definition at line 126 of file class.ilAuthProviderApache.php.

References $migration_account.

126  public function getExternalAccountName(): string
127  {
128  return $this->migration_account;
129  }

◆ getTriggerAuthMode()

ilAuthProviderApache::getTriggerAuthMode ( )

Get auth mode which triggered the account migration: 2_1 for LDAP account migration with server id 1, 11 for Apache auth.

See also
ilAuthUtils

Implements ilAuthProviderAccountMigrationInterface.

Definition at line 136 of file class.ilAuthProviderApache.php.

References ilAuthUtils\AUTH_APACHE.

136  public function getTriggerAuthMode(): string
137  {
138  return (string) ilAuthUtils::AUTH_APACHE;
139  }

◆ getUserAuthModeName()

ilAuthProviderApache::getUserAuthModeName ( )

Get user auth mode name: ldap_1 for LDAP account migration with server id 1, apache for Apache auth.

Implements ilAuthProviderAccountMigrationInterface.

Definition at line 141 of file class.ilAuthProviderApache.php.

References ILIAS\Repository\settings().

141  public function getUserAuthModeName(): string
142  {
143  if ($this->settings->get(self::APACHE_LDAP_SID, '0')) {
144  return 'ldap_' . $this->settings->get(self::APACHE_LDAP_SID, '');
145  }
146 
147  return 'apache';
148  }

◆ handleLDAPDataSource()

ilAuthProviderApache::handleLDAPDataSource ( ilAuthStatus  $status)
private

Definition at line 150 of file class.ilAuthProviderApache.php.

References Vendor\Package\$e, $server, ilObjUser\_lookupId(), ilAuthProvider\getCredentials(), ilLDAPServer\getInstanceByServerId(), ilAuthProvider\getLogger(), ilAuthProvider\handleAuthenticationFail(), ilAuthStatus\setAuthenticatedUserId(), ilLDAPUserSynchronisation\setExternalAccount(), setExternalAccountName(), ilAuthStatus\setStatus(), ILIAS\Repository\settings(), ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED, and ilAuthStatus\STATUS_AUTHENTICATED.

Referenced by createNewAccount(), doAuthentication(), and migrateAccount().

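150  private function handleLDAPDataSource(ilAuthStatus $status): bool
151  {
152  $server = ilLDAPServer::getInstanceByServerId(
153  (int) $this->settings->get(self::APACHE_LDAP_SID, '0')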
154  );
155 
156  $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
157 
158  $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
159  $sync->setExternalAccount($this->getCredentials()->getUsername());
160  $sync->setUserData([]);
161  $sync->forceCreation($this->force_new_account);
162  $sync->forceReadLdapData(true);
163 
164  try {
165  $internal_account = $sync->sync();
166  $this->getLogger()->debug('Internal account: ' . $internal_account);
167  } catch (UnexpectedValueException $e) {
168  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
169  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
170  return false;
172  $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
173  return false;
175  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
176  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
177  return false;
179  $this->setExternalAccountName($this->getCredentials()->getUsername());
180  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
181  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
182  return false;
183  }
184 
185  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
186  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
187  return true;
188  }

◆ migrateAccount()

ilAuthProviderApache::migrateAccount ( ilAuthStatus  $status)

Create new account.

Implements ilAuthProviderAccountMigrationInterface.

Definition at line 110 of file class.ilAuthProviderApache.php.

References handleLDAPDataSource(), and ILIAS\Repository\settings().

110  public function migrateAccount(ilAuthStatus $status): void
111  {
112  $this->force_new_account = true;
113  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
114  $this->handleLDAPDataSource($status);
115  }
116  }

◆ setExternalAccountName()

ilAuthProviderApache::setExternalAccountName ( string  $name)

Definition at line 131 of file class.ilAuthProviderApache.php.

Referenced by handleLDAPDataSource().

131  public function setExternalAccountName(string $name): void
132  {
133  $this->migration_account = $name;
134  }

Field Documentation

◆ $force_new_account

bool ilAuthProviderApache::$force_new_account = false
private

Definition at line 41 of file class.ilAuthProviderApache.php.

◆ $migration_account

string ilAuthProviderApache::$migration_account = ''
private

Definition at line 40 of file class.ilAuthProviderApache.php.

Referenced by getExternalAccountName().

◆ $settings

readonly ilSetting ilAuthProviderApache::$settings
private

Definition at line 39 of file class.ilAuthProviderApache.php.

◆ APACHE_AUTH_TYPE_BY_FUNCTION

const ilAuthProviderApache::APACHE_AUTH_TYPE_BY_FUNCTION = 3

◆ APACHE_AUTH_TYPE_DIRECT_MAPPING

const ilAuthProviderApache::APACHE_AUTH_TYPE_DIRECT_MAPPING = 1

◆ APACHE_AUTH_TYPE_EXTENDED_MAPPING

const ilAuthProviderApache::APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2

Definition at line 29 of file class.ilAuthProviderApache.php.

◆ APACHE_ENABLE_LDAP

const ilAuthProviderApache::APACHE_ENABLE_LDAP = 'apache_enable_ldap'
private

Definition at line 36 of file class.ilAuthProviderApache.php.

◆ APACHE_LDAP_SID

const ilAuthProviderApache::APACHE_LDAP_SID = 'apache_ldap_sid'
private

Definition at line 37 of file class.ilAuthProviderApache.php.

◆ ENV_APACHE_AUTH_INDICATOR_NAME

const ilAuthProviderApache::ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name'
private

Definition at line 32 of file class.ilAuthProviderApache.php.

◆ ERR_WRONG_LOGIN

const ilAuthProviderApache::ERR_WRONG_LOGIN = 'err_wrong_login'
private

Definition at line 34 of file class.ilAuthProviderApache.php.


The documentation for this class was generated from the following file: