Commit 6c7147c5 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Le type d'authentification souhaité (local, shib ou cas) peut être spécifié...

Le type d'authentification souhaité (local, shib ou cas) peut être spécifié dans l'URL de redirection via le query param 'authtype'
parent f908e668
CHANGELOG
=========
3.2.1
-----
- Le type d'authentification souhaité (local, shib ou cas) peut être spécifié dans l'URL de redirection via le
query param 'authtype'
- [FIX] Usurpation d'un compte local (db) depuis une authentification shib
3.2.0
-----
- Configuration de la stratégie d'extraction d'un identifiant utile parmi les données d'authentification shibboleth
......@@ -33,13 +33,24 @@ use ZfcUser\Controller\Plugin\ZfcUserAuthentication;
*/
class AuthController extends AbstractActionController
{
const TYPES_LOCAL = ['db', 'ldap'];
const TYPE_LOCAL = 'local';
const AUTH_TYPE_LOCAL = 'local';
const AUTH_TYPE_LOCAL_DB = 'db';
const AUTH_TYPE_LOCAL_LDAP = 'ldap';
const AUTH_TYPES_LOCAL = [self::AUTH_TYPE_LOCAL_DB, self::AUTH_TYPE_LOCAL_LDAP];
const AUTH_TYPE_TOKEN = 'token';
const AUTH_TYPE_QUERY_PARAM = 'authtype';
use ShibServiceAwareTrait;
use UserServiceAwareTrait;
use ModuleOptionsAwareTrait;
/**
* @var string
*/
protected $defaultAuthType = self::AUTH_TYPE_LOCAL_DB;
/**
* @var FormInterface[] ['type' => FormInterface]
*/
......@@ -66,9 +77,8 @@ class AuthController extends AbstractActionController
*/
public function getLoginFormForType(string $type): FormInterface
{
if ($type === self::TYPE_LOCAL) {
$types = self::TYPES_LOCAL;
$type = reset($types);
if ($type === self::AUTH_TYPE_LOCAL) {
$type = $this->defaultAuthType;
}
if (! isset($this->loginFormForType[$type])) {
......@@ -105,14 +115,14 @@ class AuthController extends AbstractActionController
return $this->redirect()->toRoute($this->moduleOptions->getLoginRedirectRoute());
}
$request = $this->getRequest();
$originalType = $this->params('type');
$type = $this->processedType($originalType);
if ($type !== $originalType) {
$typeFromRoute = $this->params('type');
$typeFromRequest = $this->getRequestedAuthenticationType();
$type = $this->processedType($typeFromRequest);
if ($type !== $typeFromRoute) {
return $this->redirect()->toRoute(null, ['type' => $type], ['query' => $this->params()->fromQuery()], true);
}
$request = $this->getRequest();
$form = $this->getLoginFormForType($type);
// si le formulaire POSTé ne possède aucun champ identifiant, on va directement à authenticateAction()
......@@ -120,13 +130,8 @@ class AuthController extends AbstractActionController
return $this->redirect()->toRoute('zfcuser/authenticate', [], ['query' => $this->params()->fromQuery()], true);
}
if ($this->moduleOptions->getUseRedirectParameterIfPresent() && $request->getQuery()->get('redirect')) {
$redirect = $request->getQuery()->get('redirect');
} else {
$redirect = false;
}
$queryParams = ['query' => $redirect ? ['redirect' => $redirect] : []];
$redirect = $this->getRequestedRedirect();
$queryParams = ['query' => ($redirect ? ['redirect' => $redirect] : [])];
$url = $this->url()->fromRoute(null, [], $queryParams, true);
$form->setAttribute('action', $url);
......@@ -155,13 +160,48 @@ class AuthController extends AbstractActionController
return $this->authenticateAction();
}
/**
* @return string|null
*/
protected function getRequestedAuthenticationType(): ?string
{
// si un type est spécifié dans la route, on prend
if ($requestedType = $this->params('type')) {
return $requestedType;
}
$requestedType = null;
// un type d'auth peut être demandé dans l'URL de redirection
if ($redirect = $this->getRequestedRedirect()) {
parse_str(parse_url(urldecode($redirect), PHP_URL_QUERY), $queryParams);
if (isset($queryParams[self::AUTH_TYPE_QUERY_PARAM])) {
$requestedType = $queryParams[self::AUTH_TYPE_QUERY_PARAM];
}
}
return $requestedType;
}
/**
* @return string|null
*/
protected function getRequestedRedirect(): ?string
{
if (! $this->moduleOptions->getUseRedirectParameterIfPresent()) {
return null;
}
return $this->params()->fromQuery('redirect');
}
/**
* @param string|null $type
* @return string
*/
private function processedType(string $type = null): string
{
if ($type === self::TYPE_LOCAL) {
if ($type === self::AUTH_TYPE_LOCAL) {
return $type;
}
......@@ -173,13 +213,21 @@ class AuthController extends AbstractActionController
}
// type spécial pour les modes d'authentification nécessitant un formulaire username/password
if (in_array($type, self::TYPES_LOCAL)) {
$type = self::TYPE_LOCAL;
if (in_array($type, self::AUTH_TYPES_LOCAL)) {
$type = self::AUTH_TYPE_LOCAL;
}
return $type;
}
/**
* Authentification à l'aide d'un token.
*/
public function tokenAction()
{
}
/**
* General-purpose authentication action
*/
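Review bot: In getRequestedAuthenticationType() (hunk `@@ -155,13 +160,48 @@`) the value read from the redirect URL's `authtype` query parameter is returned unchecked, so a redirect whose query carries `authtype[]=x` makes parse_str() produce an array and the `?string` return type raises a TypeError, while a redirect with no query string makes parse_url() return null/false, which parse_str() only tolerates with a deprecation on PHP 8.1+. Guard both: `parse_str((string) parse_url(urldecode($redirect), PHP_URL_QUERY), $queryParams);` then `$candidate = $queryParams[self::AUTH_TYPE_QUERY_PARAM] ?? null;` and `$requestedType = is_string($candidate) ? $candidate : null;`. Because that value then feeds processedType() and the route redirect in loginAction(), it is worth confirming that processedType() — its validation branch sits in the fold before the `@@ -173,13 +213,21 @@` hunk — rejects values outside the known auth types rather than passing a caller-chosen string through to getLoginFormForType(). Separately, `in_array($type, self::AUTH_TYPES_LOCAL)` in the last hunk should pass `true` as the third argument so only an exact match is classified as a local type.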