ILIAS  trunk Revision v11.0_alpha-3011-gc6b235a2e85
class.ilAuthProviderApache.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21final class ilAuthProviderApache extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
22{
23 public const int APACHE_AUTH_TYPE_DIRECT_MAPPING = 1;
24 public const int APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2;
25 public const int APACHE_AUTH_TYPE_BY_FUNCTION = 3;
26
27 private const string ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name';
28
29 private const string ERR_WRONG_LOGIN = 'err_wrong_login';
30
31 private const string APACHE_ENABLE_LDAP = 'apache_enable_ldap';
32 private const string APACHE_LDAP_SID = 'apache_ldap_sid';
33
34 private readonly ilSetting $settings;
35 private string $migration_account = '';
36 private bool $force_new_account = false;
37
38 public function __construct(ilAuthCredentials $credentials)
39 {
40 parent::__construct($credentials);
41 $this->settings = new ilSetting('apache_auth');
42 }
43
44 public function doAuthentication(ilAuthStatus $status): bool
45 {
46 if (!$this->settings->get('apache_enable_auth', '0')) {
47 $this->getLogger()->info('Apache auth disabled.');
48 $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
49 return false;
50 }
51
52 if (
53 !$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '') ||
54 !$this->settings->get('apache_auth_indicator_value', '')
55 ) {
56 $this->getLogger()->warning('Apache auth indicator match failure.');
57 $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
58 return false;
59 }
60
61 $validIndicatorValues = array_filter(array_map(
62 'trim',
63 str_getcsv($this->settings->get('apache_auth_indicator_value', ''), ',', '"', '\\')
64 ));
65 //TODO PHP8-REVIEW: $DIC->http()->request()->getServerParams()['apache_auth_indicator_name']
66 if (
67 !isset($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')]) ||
68 !in_array($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')], $validIndicatorValues, true)
69 ) {
70 $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
71 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
72 return false;
73 }
74
75 if (!ilUtil::isLogin($this->getCredentials()->getUsername())) {
76 $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
77 $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
78 return false;
79 }
80
81 if ($this->getCredentials()->getUsername() === '') {
82 $this->getLogger()->info('No username given');
83 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
84 return false;
85 }
86
87 // Apache with ldap as data source
88 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
89 return $this->handleLDAPDataSource($status);
90 }
91
92 $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
93 $usr_id = ilObjUser::_lookupId($login);
94 if (!$usr_id) {
95 $this->getLogger()->info('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
96 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
97 return false;
98 }
99
100 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
101 $status->setAuthenticatedUserId($usr_id);
102 return true;
103 }
104
105 public function migrateAccount(ilAuthStatus $status): void
106 {
107 $this->force_new_account = true;
108 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
109 $this->handleLDAPDataSource($status);
110 }
111 }
112
113 public function createNewAccount(ilAuthStatus $status): void
114 {
115 $this->force_new_account = true;
116 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
117 $this->handleLDAPDataSource($status);
118 }
119 }
120
121 public function getExternalAccountName(): string
122 {
123 return $this->migration_account;
124 }
125
126 public function setExternalAccountName(string $name): void
127 {
128 $this->migration_account = $name;
129 }
130
131 public function getTriggerAuthMode(): string
132 {
133 return (string) ilAuthUtils::AUTH_APACHE;
134 }
135
136 public function getUserAuthModeName(): string
137 {
138 if ($this->settings->get(self::APACHE_LDAP_SID, '0')) {
139 return 'ldap_' . $this->settings->get(self::APACHE_LDAP_SID, '');
140 }
141
142 return 'apache';
143 }
144
145 private function handleLDAPDataSource(ilAuthStatus $status): bool
146 {
147 $server = ilLDAPServer::getInstanceByServerId(
148 (int) $this->settings->get(self::APACHE_LDAP_SID, '0')
149 );
150
151 $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
152
153 $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
154 $sync->setExternalAccount($this->getCredentials()->getUsername());
155 $sync->setUserData([]);
156 $sync->forceCreation($this->force_new_account);
157 $sync->forceReadLdapData(true);
158
159 try {
160 $internal_account = $sync->sync();
161 $this->getLogger()->debug('Internal account: ' . $internal_account);
162 } catch (UnexpectedValueException $e) {
163 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
164 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
165 return false;
166 } catch (ilLDAPSynchronisationFailedException) {
167 $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
168 return false;
169 } catch (ilLDAPSynchronisationForbiddenException $e) {
170 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
171 $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
172 return false;
173 } catch (ilLDAPAccountMigrationRequiredException) {
174 $this->setExternalAccountName($this->getCredentials()->getUsername());
175 $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
176 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
177 return false;
178 }
179
180 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
181 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
182 return true;
183 }
184}
ilAuthProviderApache\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderApache.php:113
ilAuthProviderApache\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: class.ilAuthProviderApache.php:131
ilAuthProviderApache\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderApache.php:105
ilAuthProviderApache\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderApache.php:121
ilAuthProviderApache\handleLDAPDataSource
handleLDAPDataSource(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:145
ilAuthProviderApache\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth.
Definition: class.ilAuthProviderApache.php:136
ilAuthProviderApache\doAuthentication
doAuthentication(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:44
ilAuthProviderApache\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderApache.php:38
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Definition: class.ilAuthProvider.php:43
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:24
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const int STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:30
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:114
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthStatus\STATUS_AUTHENTICATED
const int STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:28
ilAuthUtils\AUTH_APACHE
const int AUTH_APACHE
Definition: class.ilAuthUtils.php:36
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:27
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, ,...
Definition: class.ilLDAPUserSynchronisation.php:27
ilObjUser\_lookupId
static _lookupId(string|array $a_user_str)
Definition: class.ilObjUser.php:2915
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2813
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:27
ilUtil\isLogin
static isLogin(string $a_login)
Definition: class.ilUtil.php:299
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$_SERVER
$_SERVER['HTTP_HOST']
Definition: raiseError.php:26
$server
$server
Definition: shib_login.php:28