ILIAS  trunk Revision v11.0_alpha-1689-g66c127b4ae8
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.ilAuthProviderApache.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
21 final class ilAuthProviderApache extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
22 {
23  public const APACHE_AUTH_TYPE_DIRECT_MAPPING = 1;
24  public const APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2;
25  public const APACHE_AUTH_TYPE_BY_FUNCTION = 3;
26 
27  private const ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name';
28 
29  private const ERR_WRONG_LOGIN = 'err_wrong_login';
30 
31  private const APACHE_ENABLE_LDAP = 'apache_enable_ldap';
32  private const APACHE_LDAP_SID = 'apache_ldap_sid';
33 
34  private readonly ilSetting $settings;
35  private string $migration_account = '';
36  private bool $force_new_account = false;
37 
38  public function __construct(ilAuthCredentials $credentials)
39  {
40  parent::__construct($credentials);
41  $this->settings = new ilSetting('apache_auth');
42  }
43 
44  public function doAuthentication(ilAuthStatus $status): bool
45  {
46  if (!$this->settings->get('apache_enable_auth', '0')) {
47  $this->getLogger()->info('Apache auth disabled.');
48  $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
49  return false;
50  }
51 
52  if (
53  !$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '') ||
54  !$this->settings->get('apache_auth_indicator_value', '')
55  ) {
56  $this->getLogger()->warning('Apache auth indicator match failure.');
57  $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
58  return false;
59  }
60 
61  $validIndicatorValues = array_filter(array_map(
62  'trim',
63  str_getcsv($this->settings->get('apache_auth_indicator_value', ''))
64  ));
65  //TODO PHP8-REVIEW: $DIC->http()->request()->getServerParams()['apache_auth_indicator_name']
66  if (
67  !isset($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')]) ||
68  !in_array($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')], $validIndicatorValues, true)
69  ) {
70  $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
71  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
72  return false;
73  }
74 
75  if (!ilUtil::isLogin($this->getCredentials()->getUsername())) {
76  $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
77  $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
78  return false;
79  }
80 
81  if ($this->getCredentials()->getUsername() === '') {
82  $this->getLogger()->info('No username given');
83  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
84  return false;
85  }
86 
87  // Apache with ldap as data source
88  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
89  return $this->handleLDAPDataSource($status);
90  }
91 
92  $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
93  $usr_id = ilObjUser::_lookupId($login);
94  if (!$usr_id) {
95  $this->getLogger()->info('Cannot find user id for external account: ' . $this->getCredentials()->getUsername());
96  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
97  return false;
98  }
99 
100  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
101  $status->setAuthenticatedUserId($usr_id);
102  return true;
103  }
104 
105  public function migrateAccount(ilAuthStatus $status): void
106  {
107  $this->force_new_account = true;
108  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
109  $this->handleLDAPDataSource($status);
110  }
111  }
112 
113  public function createNewAccount(ilAuthStatus $status): void
114  {
115  $this->force_new_account = true;
116  if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
117  $this->handleLDAPDataSource($status);
118  }
119  }
120 
121  public function getExternalAccountName(): string
122  {
123  return $this->migration_account;
124  }
125 
126  public function setExternalAccountName(string $name): void
127  {
128  $this->migration_account = $name;
129  }
130 
131  public function getTriggerAuthMode(): string
132  {
133  return (string) ilAuthUtils::AUTH_APACHE;
134  }
135 
136  public function getUserAuthModeName(): string
137  {
138  if ($this->settings->get(self::APACHE_LDAP_SID, '0')) {
139  return 'ldap_' . $this->settings->get(self::APACHE_LDAP_SID, '');
140  }
141 
142  return 'apache';
143  }
144 
145  private function handleLDAPDataSource(ilAuthStatus $status): bool
146  {
147  $server = ilLDAPServer::getInstanceByServerId(
148  (int) $this->settings->get(self::APACHE_LDAP_SID, '0')
149  );
150 
151  $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
152 
153  $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
154  $sync->setExternalAccount($this->getCredentials()->getUsername());
155  $sync->setUserData([]);
156  $sync->forceCreation($this->force_new_account);
157  $sync->forceReadLdapData(true);
158 
159  try {
160  $internal_account = $sync->sync();
161  $this->getLogger()->debug('Internal account: ' . $internal_account);
162  } catch (UnexpectedValueException $e) {
163  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
164  $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
165  return false;
166  } catch (ilLDAPSynchronisationFailedException) {
167  $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
168  return false;
169  } catch (ilLDAPSynchronisationForbiddenException $e) {
170  $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
171  $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
172  return false;
173  } catch (ilLDAPAccountMigrationRequiredException) {
174  $this->setExternalAccountName($this->getCredentials()->getUsername());
175  $this->getLogger()->info('Authentication failed: account migration required for external account: ' . $this->getCredentials()->getUsername());
176  $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
177  return false;
178  }
179 
180  $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
181  $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
182  return true;
183  }
184 }
ilAuthProviderApache\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: class.ilAuthProviderApache.php:105
ilAuthCredentials
Interface of auth credentials.
Definition: interface.ilAuthCredentials.php:27
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilAuthProviderApache\doAuthentication
doAuthentication(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:44
array_map
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:26
ilAuthProviderApache\handleLDAPDataSource
handleLDAPDataSource(ilAuthStatus $status)
Definition: class.ilAuthProviderApache.php:145
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, cas,...
Definition: class.ilLDAPUserSynchronisation.php:26
ilObjUser\_lookupId
static _lookupId($a_user_str)
Definition: class.ilObjUser.php:692
ilAuthProviderApache\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: class.ilAuthProviderApache.php:113
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2746
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Handle failed authentication.
Definition: class.ilAuthProvider.php:71
ilAuthProvider
Base class for authentication providers (ldap, apache, ...)
Definition: class.ilAuthProvider.php:27
ilLDAPUserSynchronisation\setExternalAccount
setExternalAccount(string $a_ext)
Set external account (unique for each auth mode)
Definition: class.ilLDAPUserSynchronisation.php:66
ilAuthProviderApache\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: class.ilAuthProviderApache.php:131
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:69
$_SERVER
$_SERVER['HTTP_HOST']
Definition: raiseError.php:26
ilUtil\isLogin
static isLogin(string $a_login)
Definition: class.ilUtil.php:292
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:37
ilAuthProviderApache\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: class.ilAuthProviderApache.php:121
ilAuthProviderApache\__construct
__construct(ilAuthCredentials $credentials)
Definition: class.ilAuthProviderApache.php:38
ilAuthProvider\getLogger
getLogger()
Get logger.
Definition: class.ilAuthProvider.php:55
ilAuthProviderApache\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth...
Definition: class.ilAuthProviderApache.php:136
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
Definition: PluginProviderHelper.php:37
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:120
$server
$server
Definition: shib_login.php:24
ilAuthStatus
Auth status implementation.
Definition: class.ilAuthStatus.php:27
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:36