Commit 90f2e862 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Merge branch 'sb/ldap_fail_event' into 'master'

- Remise d'un événement 'authentification.ldap.fail' captable dans les...

See merge request !2
parents 44707588 3345f8a9
...@@ -24,11 +24,13 @@ use ZfcUser\Authentication\Adapter\AdapterChainEvent; ...@@ -24,11 +24,13 @@ use ZfcUser\Authentication\Adapter\AdapterChainEvent;
class Ldap extends AbstractAdapter implements EventManagerAwareInterface class Ldap extends AbstractAdapter implements EventManagerAwareInterface
{ {
use ModuleOptionsAwareTrait; use ModuleOptionsAwareTrait;
const TYPE = 'ldap'; const TYPE = 'ldap';
const USURPATION_USERNAMES_SEP = '='; const USURPATION_USERNAMES_SEP = '=';
const LDAP_AUTHENTIFICATION_FAIL = 'authentification.ldap.fail';
/** /**
* @var string * @var string
*/ */
...@@ -88,7 +90,8 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface ...@@ -88,7 +90,8 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface
// NB: Dans la version 3.0.0 de zf-commons/zfc-user, cette méthode prend un EventInterface. // NB: Dans la version 3.0.0 de zf-commons/zfc-user, cette méthode prend un EventInterface.
// Mais dans la branche 3.x, c'est un AdapterChainEvent ! // Mais dans la branche 3.x, c'est un AdapterChainEvent !
// Si un jour c'est un AdapterChainEvent qui est attendu, plus besoin de faire $e->getTarget(). // Si un jour c'est un AdapterChainEvent qui est attendu, plus besoin de faire $e->getTarget().
$event = $e->getTarget(); /* @var $event AdapterChainEvent */ $event = $e->getTarget();
/* @var $event AdapterChainEvent */
if ($this->isSatisfied()) { if ($this->isSatisfied()) {
try { try {
...@@ -103,7 +106,7 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface ...@@ -103,7 +106,7 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface
return true; return true;
} }
$username = $event->getRequest()->getPost()->get('identity'); $username = $event->getRequest()->getPost()->get('identity');
$credential = $event->getRequest()->getPost()->get('credential'); $credential = $event->getRequest()->getPost()->get('credential');
if (function_exists('mb_strtolower')) { if (function_exists('mb_strtolower')) {
...@@ -115,7 +118,7 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface ...@@ -115,7 +118,7 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface
$success = $this->authenticateUsername($username, $credential); $success = $this->authenticateUsername($username, $credential);
// Failure! // Failure!
if (! $success) { if (!$success) {
$event $event
->setCode(AuthenticationResult::FAILURE) ->setCode(AuthenticationResult::FAILURE)
->setMessages([/*'LDAP bind failed.'*/]); ->setMessages([/*'LDAP bind failed.'*/]);
...@@ -201,16 +204,33 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface ...@@ -201,16 +204,33 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface
} }
// LDAP auth // LDAP auth
$result = $this->getLdapAuthAdapter()->setUsername($username)->setPassword($credential)->authenticate(); $result = $this->getLdapAuthAdapter()->setUsername($username)->setPassword($credential)->authenticate();
// Envoi des erreurs LDAP dans un événement
if (!$result->isValid()) {
$messages = "LDAP ERROR : ";
$errorMessages = $result->getMessages();
if (count($errorMessages) > 0) {
// On ne prend que les 2 premières lignes d'erreur (les suivantes contiennent souvent
// les mots de passe de l'utilisateur, et les mot de passe dans les logs... bof bof).
for ($i = 0; $i < 2 && count($errorMessages) >= $i; $i++) {
$messages .= $errorMessages[$i] . " ";
}
}
$errorEvent = new Event(self::LDAP_AUTHENTIFICATION_FAIL, null, ['messages' => $messages]);
$this->getEventManager()->triggerEvent($errorEvent);
}
$success = $result->isValid(); $success = $result->isValid();
// verif existence du login usurpé // verif existence du login usurpé
if ($this->usernameUsurpe) { if ($this->usernameUsurpe) {
// s'il nexiste pas, échec de l'authentification // s'il nexiste pas, échec de l'authentification
if (!@$this->getLdapAuthAdapter()->getLdap()->searchEntries("(".$this->moduleOptions->getLdapUsername()."=$this->usernameUsurpe)")) { if (!@$this->getLdapAuthAdapter()->getLdap()->searchEntries(
"(" . $this->moduleOptions->getLdapUsername() . "=$this->usernameUsurpe)"
)) {
$this->usernameUsurpe = null; $this->usernameUsurpe = null;
$success = false; $success = false;
} }
} }
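Review bot: The loop guard on the new error-message truncation is off by one: `count($errorMessages) >= $i` still admits `$i = 1` when only one message exists, so `$errorMessages[1]` is read as an undefined index (a warning, plus a stray trailing space in the event payload). Bounding by the array instead removes the index arithmetic: `foreach (array_slice($errorMessages, 0, 2) as $line) { $messages .= $line . ' '; }`, which also keeps working if getMessages() ever returns something other than a 0-based list. Since the comment itself notes that later LDAP messages may carry the user's password, this position-based cut is the only thing keeping credentials out of whatever the listeners log; a comment on the constant stating that contract (`// payload 'messages' holds only the first two LDAP messages; later ones may contain credentials`) would make the expectation explicit for listeners. The enclosing method starts and ends outside the hunk.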
...@@ -293,10 +313,12 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface ...@@ -293,10 +313,12 @@ class Ldap extends AbstractAdapter implements EventManagerAwareInterface
*/ */
public function setEventManager(EventManagerInterface $eventManager): self public function setEventManager(EventManagerInterface $eventManager): self
{ {
$eventManager->setIdentifiers([ $eventManager->setIdentifiers(
__NAMESPACE__, [
__CLASS__, __NAMESPACE__,
]); __CLASS__,
]
);
$this->eventManager = $eventManager; $this->eventManager = $eventManager;
return $this; return $this;
......