ILIAS  trunk Revision v12.0_alpha-377-g3641b37b9db
AuthProviderApache.php
Go to the documentation of this file.
1<?php
2
19declare(strict_types=1);
20
21namespace ILIAS\AuthApache;
22
23use ilUtil;
24use ilAuthCredentials;
25use ilLDAPSynchronisationFailedException;
26use ilSetting;
27use ilAuthUtils;
28use ilObjUser;
29use ilAuthProvider;
30use ilLDAPServer;
31use ilLDAPSynchronisationForbiddenException;
32use ilAuthStatus;
33use ilAuthProviderAccountMigrationInterface;
34use ilLDAPAccountMigrationRequiredException;
35use ilLDAPUserSynchronisation;
36
37final class AuthProviderApache extends ilAuthProvider implements ilAuthProviderAccountMigrationInterface
38{
39 public const int APACHE_AUTH_TYPE_DIRECT_MAPPING = 1;
40 public const int APACHE_AUTH_TYPE_EXTENDED_MAPPING = 2;
41 public const int APACHE_AUTH_TYPE_BY_FUNCTION = 3;
42
43 private const string ENV_APACHE_AUTH_INDICATOR_NAME = 'apache_auth_indicator_name';
44 private const string ENV_APACHE_AUTH_INDICATOR_VALUE = 'apache_auth_indicator_value';
45
46 private const string ERR_WRONG_LOGIN = 'err_wrong_login';
47
48 private const string APACHE_ENABLE_LDAP = 'apache_enable_ldap';
49 private const string APACHE_LDAP_SID = 'apache_ldap_sid';
50
51 private readonly ilSetting $settings;
52 private string $migration_account = '';
53 private bool $force_new_account = false;
54
55 public function __construct(ilAuthCredentials $credentials)
56 {
57 parent::__construct($credentials);
58 $this->settings = new ilSetting('apache_auth');
59 }
60
61 public function doAuthentication(ilAuthStatus $status): bool
62 {
63 if (!$this->settings->get('apache_enable_auth', '0')) {
64 $this->getLogger()->info('Apache auth disabled.');
65 $this->handleAuthenticationFail($status, 'apache_auth_err_disabled');
66 return false;
67 }
68
69 if (!$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '') ||
70 !$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_VALUE, '')) {
71 $this->getLogger()->warning('Apache auth indicator match failure.');
72 $this->handleAuthenticationFail($status, 'apache_auth_err_indicator_match_failure');
73 return false;
74 }
75
76 $validIndicatorValues = array_filter(
77 array_map(
78 'trim',
79 str_getcsv($this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_VALUE, ''), ',', '"', '\\')
80 )
81 );
82
83 //TODO PHP8-REVIEW: $DIC->http()->request()->getServerParams()['apache_auth_indicator_name']
84 if (!isset($_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')]) ||
85 !\in_array(
86 $_SERVER[$this->settings->get(self::ENV_APACHE_AUTH_INDICATOR_NAME, '')],
87 $validIndicatorValues,
88 true
89 )) {
90 $this->getLogger()->warning('Apache authentication failed (indicator name <-> value');
91 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
92 return false;
93 }
94
95 if (!ilUtil::isLogin($this->getCredentials()->getUsername())) {
96 $this->getLogger()->warning('Invalid login name given: ' . $this->getCredentials()->getUsername());
97 $this->handleAuthenticationFail($status, 'apache_auth_err_invalid_login');
98 return false;
99 }
100
101 if ($this->getCredentials()->getUsername() === '') {
102 $this->getLogger()->info('No username given');
103 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
104 return false;
105 }
106
107 // Apache with ldap as data source
108 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
109 return $this->handleLDAPDataSource($status);
110 }
111
112 $login = ilObjUser::_checkExternalAuthAccount('apache', $this->getCredentials()->getUsername());
113 $usr_id = ilObjUser::_lookupId($login);
114 if (!$usr_id) {
115 $this->getLogger()->info(
116 'Cannot find user id for external account: ' . $this->getCredentials()->getUsername()
117 );
118 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
119 return false;
120 }
121
122 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
123 $status->setAuthenticatedUserId($usr_id);
124 return true;
125 }
126
127 public function migrateAccount(ilAuthStatus $status): void
128 {
129 $this->force_new_account = true;
130 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
131 $this->handleLDAPDataSource($status);
132 }
133 }
134
135 public function createNewAccount(ilAuthStatus $status): void
136 {
137 $this->force_new_account = true;
138 if ($this->settings->get(self::APACHE_ENABLE_LDAP, '0')) {
139 $this->handleLDAPDataSource($status);
140 }
141 }
142
143 public function getExternalAccountName(): string
144 {
145 return $this->migration_account;
146 }
147
148 public function setExternalAccountName(string $name): void
149 {
150 $this->migration_account = $name;
151 }
152
153 public function getTriggerAuthMode(): string
154 {
155 return (string) ilAuthUtils::AUTH_APACHE;
156 }
157
158 public function getUserAuthModeName(): string
159 {
160 if ($this->settings->get(self::APACHE_LDAP_SID, '0')) {
161 return 'ldap_' . $this->settings->get(self::APACHE_LDAP_SID, '');
162 }
163
164 return 'apache';
165 }
166
167 private function handleLDAPDataSource(ilAuthStatus $status): bool
168 {
169 $server = ilLDAPServer::getInstanceByServerId(
170 (int) $this->settings->get(self::APACHE_LDAP_SID, '0')
171 );
172
173 $this->getLogger()->debug('Using ldap data source with server configuration: ' . $server->getName());
174
175 $sync = new ilLDAPUserSynchronisation('ldap_' . $server->getServerId(), $server->getServerId());
176 $sync->setExternalAccount($this->getCredentials()->getUsername());
177 $sync->setUserData([]);
178 $sync->forceCreation($this->force_new_account);
179 $sync->forceReadLdapData(true);
180
181 try {
182 $internal_account = $sync->sync();
183 $this->getLogger()->debug('Internal account: ' . $internal_account);
184 } catch (\UnexpectedValueException $e) {
185 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
186 $this->handleAuthenticationFail($status, self::ERR_WRONG_LOGIN);
187 return false;
188 } catch (ilLDAPSynchronisationFailedException) {
189 $this->handleAuthenticationFail($status, 'err_auth_ldap_failed');
190 return false;
191 } catch (ilLDAPSynchronisationForbiddenException $e) {
192 $this->getLogger()->info('Login failed with message: ' . $e->getMessage());
193 $this->handleAuthenticationFail($status, 'err_auth_ldap_no_ilias_user');
194 return false;
195 } catch (ilLDAPAccountMigrationRequiredException) {
196 $this->setExternalAccountName($this->getCredentials()->getUsername());
197 $this->getLogger()->info(\sprintf(
198 'Authentication failed: account migration required for external account: %s',
199 $this->getCredentials()->getUsername()
200 ));
201 $status->setStatus(ilAuthStatus::STATUS_ACCOUNT_MIGRATION_REQUIRED);
202 return false;
203 }
204
205 $status->setStatus(ilAuthStatus::STATUS_AUTHENTICATED);
206 $status->setAuthenticatedUserId(ilObjUser::_lookupId($internal_account));
207 return true;
208 }
209}
ILIAS\AuthApache\AuthProviderApache\getTriggerAuthMode
getTriggerAuthMode()
Get auth mode which triggered the account migration 2_1 for ldap account migration with server id 1 1...
Definition: AuthProviderApache.php:153
ILIAS\AuthApache\AuthProviderApache\getExternalAccountName
getExternalAccountName()
Get external account name.
Definition: AuthProviderApache.php:143
ILIAS\AuthApache\AuthProviderApache\getUserAuthModeName
getUserAuthModeName()
Get user auth mode name ldap_1 for ldap account migration with server id 1 apache for apache auth.
Definition: AuthProviderApache.php:158
ILIAS\AuthApache\AuthProviderApache\migrateAccount
migrateAccount(ilAuthStatus $status)
Create new account.
Definition: AuthProviderApache.php:127
ILIAS\AuthApache\AuthProviderApache\createNewAccount
createNewAccount(ilAuthStatus $status)
Create new ILIAS account for external_account.
Definition: AuthProviderApache.php:135
ILIAS\AuthApache\AuthProviderApache\__construct
__construct(ilAuthCredentials $credentials)
Definition: AuthProviderApache.php:55
ilAuthProvider\handleAuthenticationFail
handleAuthenticationFail(ilAuthStatus $status, string $a_reason)
Definition: class.ilAuthProvider.php:43
ilAuthProvider\$credentials
ilAuthCredentials $credentials
Definition: class.ilAuthProvider.php:24
ilAuthStatus\STATUS_ACCOUNT_MIGRATION_REQUIRED
const int STATUS_ACCOUNT_MIGRATION_REQUIRED
Definition: class.ilAuthStatus.php:30
ilAuthStatus\setAuthenticatedUserId
setAuthenticatedUserId(int $a_id)
Definition: class.ilAuthStatus.php:114
ilAuthStatus\setStatus
setStatus(int $a_status)
Set auth status.
Definition: class.ilAuthStatus.php:63
ilAuthStatus\STATUS_AUTHENTICATED
const int STATUS_AUTHENTICATED
Definition: class.ilAuthStatus.php:28
ilAuthUtils\AUTH_APACHE
const int AUTH_APACHE
Definition: class.ilAuthUtils.php:36
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilLDAPSynchronisationFailedException
Thrown in case of failed synchronisation settings.
Definition: class.ilLDAPSynchronisationFailedException.php:27
ilLDAPUserSynchronisation
Synchronization of user accounts used in auth container ldap, ,...
Definition: class.ilLDAPUserSynchronisation.php:27
ilObjUser
User class.
Definition: class.ilObjUser.php:48
ilObjUser\_lookupId
static _lookupId(string|array $a_user_str)
Definition: class.ilObjUser.php:2823
ilObjUser\_checkExternalAuthAccount
static _checkExternalAuthAccount(string $a_auth, string $a_account, bool $tryFallback=true)
check whether external account and authentication method matches with a user
Definition: class.ilObjUser.php:2721
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:27
ilUtil
Util class various functions, usage as namespace.
Definition: class.ilUtil.php:39
ilUtil\isLogin
static isLogin(string $a_login)
Definition: class.ilUtil.php:299
ILIAS\GlobalScreen\Provider\__construct
__construct(Container $dic, ilPlugin $plugin)
@inheritDoc
Definition: PluginProviderHelper.php:38
$_SERVER
$_SERVER['HTTP_HOST']
Definition: raiseError.php:26
$server
$server
Definition: shib_login.php:28