Commit 6c7147c5 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Le type d'authentification souhaité (local, shib ou cas) peut être spécifié...

Le type d'authentification souhaité (local, shib ou cas) peut être spécifié dans l'URL de redirection via le query param 'authtype'
parent f908e668
CHANGELOG CHANGELOG
========= =========
3.2.1
-----
- Le type d'authentification souhaité (local, shib ou cas) peut être spécifié dans l'URL de redirection via le
query param 'authtype'
- [FIX] Usurpation d'un compte local (db) depuis une authentification shib
3.2.0 3.2.0
----- -----
- Configuration de la stratégie d'extraction d'un identifiant utile parmi les données d'authentification shibboleth - Configuration de la stratégie d'extraction d'un identifiant utile parmi les données d'authentification shibboleth
......
...@@ -33,13 +33,24 @@ use ZfcUser\Controller\Plugin\ZfcUserAuthentication; ...@@ -33,13 +33,24 @@ use ZfcUser\Controller\Plugin\ZfcUserAuthentication;
*/ */
class AuthController extends AbstractActionController class AuthController extends AbstractActionController
{ {
const TYPES_LOCAL = ['db', 'ldap']; const AUTH_TYPE_LOCAL = 'local';
const TYPE_LOCAL = 'local'; const AUTH_TYPE_LOCAL_DB = 'db';
const AUTH_TYPE_LOCAL_LDAP = 'ldap';
const AUTH_TYPES_LOCAL = [self::AUTH_TYPE_LOCAL_DB, self::AUTH_TYPE_LOCAL_LDAP];
const AUTH_TYPE_TOKEN = 'token';
const AUTH_TYPE_QUERY_PARAM = 'authtype';
use ShibServiceAwareTrait; use ShibServiceAwareTrait;
use UserServiceAwareTrait; use UserServiceAwareTrait;
use ModuleOptionsAwareTrait; use ModuleOptionsAwareTrait;
/**
* @var string
*/
protected $defaultAuthType = self::AUTH_TYPE_LOCAL_DB;
/** /**
* @var FormInterface[] ['type' => FormInterface] * @var FormInterface[] ['type' => FormInterface]
*/ */
...@@ -66,9 +77,8 @@ class AuthController extends AbstractActionController ...@@ -66,9 +77,8 @@ class AuthController extends AbstractActionController
*/ */
public function getLoginFormForType(string $type): FormInterface public function getLoginFormForType(string $type): FormInterface
{ {
if ($type === self::TYPE_LOCAL) { if ($type === self::AUTH_TYPE_LOCAL) {
$types = self::TYPES_LOCAL; $type = $this->defaultAuthType;
$type = reset($types);
} }
if (! isset($this->loginFormForType[$type])) { if (! isset($this->loginFormForType[$type])) {
...@@ -105,14 +115,14 @@ class AuthController extends AbstractActionController ...@@ -105,14 +115,14 @@ class AuthController extends AbstractActionController
return $this->redirect()->toRoute($this->moduleOptions->getLoginRedirectRoute()); return $this->redirect()->toRoute($this->moduleOptions->getLoginRedirectRoute());
} }
$request = $this->getRequest(); $typeFromRoute = $this->params('type');
$originalType = $this->params('type'); $typeFromRequest = $this->getRequestedAuthenticationType();
$type = $this->processedType($typeFromRequest);
$type = $this->processedType($originalType); if ($type !== $typeFromRoute) {
if ($type !== $originalType) {
return $this->redirect()->toRoute(null, ['type' => $type], ['query' => $this->params()->fromQuery()], true); return $this->redirect()->toRoute(null, ['type' => $type], ['query' => $this->params()->fromQuery()], true);
} }
$request = $this->getRequest();
$form = $this->getLoginFormForType($type); $form = $this->getLoginFormForType($type);
// si le formulaire POSTé ne possède aucun champ identifiant, on va directement à authenticateAction() // si le formulaire POSTé ne possède aucun champ identifiant, on va directement à authenticateAction()
...@@ -120,13 +130,8 @@ class AuthController extends AbstractActionController ...@@ -120,13 +130,8 @@ class AuthController extends AbstractActionController
return $this->redirect()->toRoute('zfcuser/authenticate', [], ['query' => $this->params()->fromQuery()], true); return $this->redirect()->toRoute('zfcuser/authenticate', [], ['query' => $this->params()->fromQuery()], true);
} }
if ($this->moduleOptions->getUseRedirectParameterIfPresent() && $request->getQuery()->get('redirect')) { $redirect = $this->getRequestedRedirect();
$redirect = $request->getQuery()->get('redirect'); $queryParams = ['query' => ($redirect ? ['redirect' => $redirect] : [])];
} else {
$redirect = false;
}
$queryParams = ['query' => $redirect ? ['redirect' => $redirect] : []];
$url = $this->url()->fromRoute(null, [], $queryParams, true); $url = $this->url()->fromRoute(null, [], $queryParams, true);
$form->setAttribute('action', $url); $form->setAttribute('action', $url);
...@@ -155,13 +160,48 @@ class AuthController extends AbstractActionController ...@@ -155,13 +160,48 @@ class AuthController extends AbstractActionController
return $this->authenticateAction(); return $this->authenticateAction();
} }
/**
* @return string|null
*/
protected function getRequestedAuthenticationType(): ?string
{
// si un type est spécifié dans la route, on prend
if ($requestedType = $this->params('type')) {
return $requestedType;
}
$requestedType = null;
// un type d'auth peut être demandé dans l'URL de redirection
if ($redirect = $this->getRequestedRedirect()) {
parse_str(parse_url(urldecode($redirect), PHP_URL_QUERY), $queryParams);
if (isset($queryParams[self::AUTH_TYPE_QUERY_PARAM])) {
$requestedType = $queryParams[self::AUTH_TYPE_QUERY_PARAM];
}
}
return $requestedType;
}
/**
* @return string|null
*/
protected function getRequestedRedirect(): ?string
{
if (! $this->moduleOptions->getUseRedirectParameterIfPresent()) {
return null;
}
return $this->params()->fromQuery('redirect');
}
/** /**
* @param string|null $type * @param string|null $type
* @return string * @return string
*/ */
private function processedType(string $type = null): string private function processedType(string $type = null): string
{ {
if ($type === self::TYPE_LOCAL) { if ($type === self::AUTH_TYPE_LOCAL) {
return $type; return $type;
} }
...@@ -173,13 +213,21 @@ class AuthController extends AbstractActionController ...@@ -173,13 +213,21 @@ class AuthController extends AbstractActionController
} }
// type spécial pour les modes d'authentification nécessitant un formulaire username/password // type spécial pour les modes d'authentification nécessitant un formulaire username/password
if (in_array($type, self::TYPES_LOCAL)) { if (in_array($type, self::AUTH_TYPES_LOCAL)) {
$type = self::TYPE_LOCAL; $type = self::AUTH_TYPE_LOCAL;
} }
return $type; return $type;
} }
/**
* Authentification à l'aide d'un token.
*/
public function tokenAction()
{
}
/** /**
* General-purpose authentication action * General-purpose authentication action
*/ */
......
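Review bot: In getRequestedAuthenticationType(), the value parse_str() extracts for `authtype` is returned without checking that it is a string, so a crafted login link such as `redirect=/x?authtype[]=db` yields an array and the `?string` return type throws a TypeError instead of falling back to the default; the same applies to getRequestedRedirect(), where `redirect[]=` makes fromQuery() return an array. parse_url() also returns null when the redirect has no query and false when it is malformed, neither of which parse_str() should receive (null is deprecated for string parameters since PHP 8.1). Since the redirect parameter is attacker-controllable, treat both cases as "no type requested" as sketched below, and have getRequestedRedirect() return null when `fromQuery('redirect')` is not a string. The urldecode() before parse_url() decodes the query a second time, so double-encoded input (`%2526`) can produce an authtype the redirect target itself will not see; if that is intentional it deserves a comment. Whether the extracted type is afterwards restricted to a known set depends on processedType(), whose middle is outside the hunk.
```php
// un type d'auth peut être demandé dans l'URL de redirection
if ($redirect = $this->getRequestedRedirect()) {
    $query = parse_url(urldecode($redirect), PHP_URL_QUERY);
    // parse_url() gives null (no query) or false (malformed): treat both as "no type requested"
    if (is_string($query) && $query !== '') {
        parse_str($query, $queryParams);
        $candidate = $queryParams[self::AUTH_TYPE_QUERY_PARAM] ?? null;
        // parse_str() builds arrays for `authtype[]=...`; only accept a scalar string
        if (is_string($candidate)) {
            $requestedType = $candidate;
        }
    }
}
// … unchanged: return $requestedType …
```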