Commit 3eaf6273 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Ajout possibilité d'usurper une identité en utilisant par exemple le login...

Ajout possibilité d'usurper une identité en utilisant par exemple le login "gauthierb=metten" (mdp de gauthierb).
parent 0b0d087e
......@@ -9,5 +9,10 @@ return array(
'uri' => "",
'debug' => false, // exemple: '/tmp/cas.log'
],
/**
* Identifiants de connexion autorisés à faire de l'usurpation d'identité.
* NB: à réserver exclusivement aux tests.
*/
//'usurpation_allowed_usernames' => array(),
],
);
\ No newline at end of file
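Review bot: The new comment block explains what `usurpation_allowed_usernames` is for but not what value it takes; the factory passes it unchanged to `setUsurpationAllowedUsernames(array $usernames)`, so the commented-out example should show the expected list shape, e.g. `//'usurpation_allowed_usernames' => array('login-a', 'login-b'), // logins (placeholders), never passwords`. It would also help to state in the comment that leaving the key unset disables the feature entirely, which is what the `isset` check in the factory implies, so that nobody enables it in a production config by copying the example.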
......@@ -23,9 +23,13 @@ class StorageAdapter extends PdoAdapter
use CasServiceTrait;
const PASSWORD_CAS_PREFIX = "cas_";
const USURPATION_USERNAMES_SEP = '=';
private $sourceOfAuthentification; // 'db', 'ldap' ou 'cas'
private $usernameUsurpateur;
private $usernameUsurpe;
/**
* Redéfinition.
*
......@@ -38,18 +42,39 @@ class StorageAdapter extends PdoAdapter
*/
public function checkUserCredentials($username, $password)
{
if ($user = parent::getUser($username)) {
// si 2 logins sont fournis, cela active l'usurpation d'identité (à n'utiliser que pour les tests) :
// - le format attendu est "loginUsurpateur=loginUsurpé"
// - le mot de passe attendu est celui du compte usurpateur (loginUsurpateur)
$this->usernameUsurpe = null;
if (strpos($username, self::USURPATION_USERNAMES_SEP) > 0) {
list($this->usernameUsurpateur, $this->usernameUsurpe) = explode(self::USURPATION_USERNAMES_SEP, $username, 2);
if (!in_array($this->usernameUsurpateur, $this->usurpationAllowedUsernames)) {
$this->usernameUsurpe = null;
}
}
if ($user = parent::getUser($this->usernameUsurpe ?: $username)) {
$this->sourceOfAuthentification = 'db';
if ($this->usernameUsurpe) {
$userUsurpateur = parent::getUser($this->usernameUsurpateur);
$user['password'] = $userUsurpateur['password'];
}
return parent::checkPassword($user, $password);
}
if ($user = $this->getUser($username)) {
if ($user = $this->getUser($this->usernameUsurpe ?: $username)) {
if ($this->usernameUsurpe) {
$userUsurpateur = $this->getUser($this->usernameUsurpateur);
$user['dn'] = $userUsurpateur['dn'];
}
return $this->checkPassword($user, $password);
}
return false;
}
/**
* Redéfinition.
*
......@@ -70,7 +95,7 @@ class StorageAdapter extends PdoAdapter
return $this->checkCasAuthentication();
}
return $this->checkLdapAuthentication($user, $password);
return $this->checkLdapAuthentication($user['dn'], $password);
}
private function passwordContainsCasPrefix($password)
......@@ -78,13 +103,13 @@ class StorageAdapter extends PdoAdapter
return substr($password, 0, strlen(self::PASSWORD_CAS_PREFIX)) === self::PASSWORD_CAS_PREFIX;
}
private function checkLdapAuthentication($user, $password)
private function checkLdapAuthentication($username, $password)
{
$this->sourceOfAuthentification = 'ldap';
$ldapAuthAdapter = $this->getLdapAuthAdapter();
$ldapAuthAdapter
->setUsername($user['dn'])
->setUsername($username)
->setPassword($password);
$authResult = $ldapAuthAdapter->authenticate();
......@@ -154,9 +179,14 @@ class StorageAdapter extends PdoAdapter
*/
public function getUserDetails($username)
{
if ($this->usernameUsurpe) {
$username = $this->usernameUsurpe;
}
if ($this->sourceOfAuthentification === 'db') {
return parent::getUser($username);
}
return $this->getUser($username);
}
......@@ -199,4 +229,14 @@ class StorageAdapter extends PdoAdapter
}
return $this->ldapAuthAdapter;
}
private $usurpationAllowedUsernames = [];
/**
* @param array $usernames
*/
public function setUsurpationAllowedUsernames(array $usernames)
{
$this->usurpationAllowedUsernames = $usernames;
}
}
\ No newline at end of file
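Review bot: In checkUserCredentials, `parent::getUser($this->usernameUsurpateur)` and, in the LDAP branch, `$this->getUser($this->usernameUsurpateur)` are dereferenced as `$userUsurpateur['password']` / `$userUsurpateur['dn']` without checking the lookup succeeded; if getUser returns a falsy value on a miss, as the surrounding `if ($user = ...)` checks suggest, an allow-listed login that does not exist in that backend produces a notice and a null credential instead of a clean refusal, so guard each lookup with `if (!$userUsurpateur) { return false; }` before the array access. The allow-list check a few lines above uses a loose `in_array`; since the usurpateur string comes straight from the submitted login, pass `true` as the third argument so only an exact string match can enable impersonation. Consider also logging the usurpateur/usurpé pair at the point impersonation is actually used, because after this change the identity returned by getUserDetails is no longer the one whose password was verified and that divergence is otherwise invisible in the audit trail.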
......@@ -54,6 +54,13 @@ class StorageAdapterFactory implements FactoryInterface
/* @var $casService CasService */
$adapter->setServiceCas($casService);
/**
* Injecte les logins autorisés à faire de l'usurpation d'identité.
*/
if (isset($config['unicaen-oauth']['usurpation_allowed_usernames'])) {
$adapter->setUsurpationAllowedUsernames($config['unicaen-oauth']['usurpation_allowed_usernames']);
}
return $adapter;
}
}
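Review bot: The `/** ... */` block above the `isset` check is docblock syntax attached to a statement rather than a declaration; a `//` comment reads as intended and keeps documentation tools from picking it up. The config value is handed straight to `setUsurpationAllowedUsernames(array $usernames)`, so a scalar in the config surfaces as a TypeError when the adapter is built; that fail-closed behaviour is acceptable but worth stating, e.g. `// Must be an array of logins; any other value fails here, at factory time, rather than silently enabling impersonation.`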