Nouvelle technique pour usurper une identité.

config/module.config.php

@@ -122,6 +122,7 @@ return [
                 ['controller' => 'UnicaenApp\Controller\Application', 'action' => 'informatique-et-libertes', 'roles' => []],
                 ['controller' => 'UnicaenApp\Controller\Application', 'action' => 'refresh-session', 'roles' => []],
                 ['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'selectionner-profil', 'roles' => []],
+                ['controller' => 'UnicaenAuth\Controller\Utilisateur', 'action' => 'usurper-identite', 'roles' => []],
 
                 ['controller' => 'UnicaenAuth\Controller\Auth', 'action' => 'shibboleth', 'roles' => []],
             ],

src/UnicaenAuth/Controller/UtilisateurController.php

@@ -2,7 +2,13 @@
 
 namespace UnicaenAuth\Controller;
 
+use UnicaenAuth\Entity\Db\UserInterface;
+use UnicaenAuth\Entity\Ldap\People;
+use UnicaenAuth\Entity\Shibboleth\ShibUser;
+use UnicaenAuth\Options\ModuleOptions;
+use Zend\Authentication\AuthenticationService;
 use Zend\Http\Request;
+use Zend\Http\Response;
 use Zend\Mvc\Controller\AbstractActionController;
 
 /**
@@ -12,6 +18,62 @@ use Zend\Mvc\Controller\AbstractActionController;
  */
 class UtilisateurController extends AbstractActionController
 {
+    /**
+     * Usurpe l'identité d'un autre utilisateur.
+     *
+     * @return Response
+     */
+    public function usurperIdentiteAction()
+    {
+        $request = $this->getRequest();
+        if (! $request instanceof Request) {
+            exit(1);
+        }
+
+        $redirection = $this->redirect()->toRoute('home');
+
+        $newIdentity = $request->getQuery('identity', $request->getPost('identity'));
+        if (! $newIdentity) {
+            return $redirection;
+        }
+
+        /** @var AuthenticationService $authenticationService */
+        $authenticationService = $this->getServiceLocator()->get(AuthenticationService::class);
+
+        /** @var ModuleOptions $options */
+        $options = $this->getServiceLocator()->get('unicaen-auth_module_options');
+
+        $currentIdentity = $authenticationService->getIdentity();
+        if (! $currentIdentity) {
+            return $redirection;
+        }
+        if (! is_array($currentIdentity)) {
+            return $redirection;
+        }
+
+        if (isset($currentIdentity['shib'])) {
+            /** @var ShibUser $currentIdentity */
+            $currentIdentity = $currentIdentity['shib'];
+        } elseif (isset($currentIdentity['ldap'])) {
+            /** @var People $currentIdentity */
+            $currentIdentity = $currentIdentity['ldap'];
+        } elseif (isset($currentIdentity['db'])) {
+            /** @var UserInterface $currentIdentity */
+            $currentIdentity = $currentIdentity['db'];
+        } else {
+            return $redirection;
+        }
+
+        $currentIdentity = $currentIdentity->getUsername();
+        if (! in_array($currentIdentity, $options->getUsurpationAllowedUsernames())) {
+            return $redirection;
+        }
+
+        $authenticationService->getStorage()->write($newIdentity);
+
+        return $redirection;
+    }
+
     /**
      * Traite les requêtes AJAX POST de sélection d'un profil utilisateur.
      * La sélection est mémorisé en session par le service AuthUserContext.