Commit 3eaf6273 authored by Bertrand Gauthier's avatar Bertrand Gauthier

Ajout possibilité d'usurper une identité en utilisant par exemple le login...

Ajout possibilité d'usurper une identité en utilisant par exemple le login "gauthierb=metten" (mdp de gauthierb).
parent 0b0d087e
......@@ -9,5 +9,10 @@ return array(
'uri' => "",
'debug' => false, // exemple: '/tmp/cas.log'
],
/**
* Identifiants de connexion autorisés à faire de l'usurpation d'identité.
* NB: à réserver exclusivement aux tests.
*/
//'usurpation_allowed_usernames' => array(),
],
);
\ No newline at end of file
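Review bot: The doc-comment added above `usurpation_allowed_usernames` says the list is test-only, but nothing in the configuration or in the adapter that consumes it enforces that, so the comment is the only guard against the key being uncommented in a production config. Its wording also understates what the key grants: per the adapter change in this commit, any login listed here can authenticate as any other account, DB or LDAP, using only its own password. I would extend the comment to ` * Every login listed here can log in as ANY other account (DB or LDAP) with its own password; leave this commented out or empty outside test environments.` and, if the module has an environment/debug flag, gate the key on it where it is read (outside this hunk).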
......@@ -23,9 +23,13 @@ class StorageAdapter extends PdoAdapter
use CasServiceTrait;
const PASSWORD_CAS_PREFIX = "cas_";
const USURPATION_USERNAMES_SEP = '=';
private $sourceOfAuthentification; // 'db', 'ldap' ou 'cas'
private $usernameUsurpateur;
private $usernameUsurpe;
/**
* Redéfinition.
*
......@@ -38,18 +42,39 @@ class StorageAdapter extends PdoAdapter
*/
public function checkUserCredentials($username, $password)
{
if ($user = parent::getUser($username)) {
// si 2 logins sont fournis, cela active l'usurpation d'identité (à n'utiliser que pour les tests) :
// - le format attendu est "loginUsurpateur=loginUsurpé"
// - le mot de passe attendu est celui du compte usurpateur (loginUsurpateur)
$this->usernameUsurpe = null;
if (strpos($username, self::USURPATION_USERNAMES_SEP) > 0) {
list($this->usernameUsurpateur, $this->usernameUsurpe) = explode(self::USURPATION_USERNAMES_SEP, $username, 2);
if (!in_array($this->usernameUsurpateur, $this->usurpationAllowedUsernames)) {
$this->usernameUsurpe = null;
}
}
if ($user = parent::getUser($this->usernameUsurpe ?: $username)) {
$this->sourceOfAuthentification = 'db';
if ($this->usernameUsurpe) {
$userUsurpateur = parent::getUser($this->usernameUsurpateur);
$user['password'] = $userUsurpateur['password'];
}
return parent::checkPassword($user, $password);
}
if ($user = $this->getUser($username)) {
if ($user = $this->getUser($this->usernameUsurpe ?: $username)) {
if ($this->usernameUsurpe) {
$userUsurpateur = $this->getUser($this->usernameUsurpateur);
$user['dn'] = $userUsurpateur['dn'];
}
return $this->checkPassword($user, $password);
}
return false;
}
/**
* Redéfinition.
*
......@@ -70,7 +95,7 @@ class StorageAdapter extends PdoAdapter
return $this->checkCasAuthentication();
}
return $this->checkLdapAuthentication($user, $password);
return $this->checkLdapAuthentication($user['dn'], $password);
}
private function passwordContainsCasPrefix($password)
......@@ -78,13 +103,13 @@ class StorageAdapter extends PdoAdapter
return substr($password, 0, strlen(self::PASSWORD_CAS_PREFIX)) === self::PASSWORD_CAS_PREFIX;
}
private function checkLdapAuthentication($user, $password)
private function checkLdapAuthentication($username, $password)
{
$this->sourceOfAuthentification = 'ldap';
$ldapAuthAdapter = $this->getLdapAuthAdapter();
$ldapAuthAdapter
->setUsername($user['dn'])
->setUsername($username)
->setPassword($password);
$authResult = $ldapAuthAdapter->authenticate();
......@@ -154,9 +179,14 @@ class StorageAdapter extends PdoAdapter
*/
public function getUserDetails($username)
{
if ($this->usernameUsurpe) {
$username = $this->usernameUsurpe;
}
if ($this->sourceOfAuthentification === 'db') {
return parent::getUser($username);
}
return $this->getUser($username);
}
......@@ -199,4 +229,14 @@ class StorageAdapter extends PdoAdapter
}
return $this->ldapAuthAdapter;
}
private $usurpationAllowedUsernames = [];
/**
* @param array $usernames
*/
public function setUsurpationAllowedUsernames(array $usernames)
{
$this->usurpationAllowedUsernames = $usernames;
}
}
\ No newline at end of file
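Review bot: In `checkUserCredentials` the impersonation branches (`$userUsurpateur = parent::getUser(...)` / `$this->getUser(...)`) read `['password']` and `['dn']` out of the lookup result without checking that it succeeded, so an allowed login that has no account in the source where the target was found proceeds with a null password hash or a null bind DN, and whether `checkPassword` or the LDAP bind then fails closed depends on code outside this hunk rather than on this method. The `in_array` allow-list test should pass `true` as third argument so that loose comparison cannot match an unexpected config value, and `$this->usernameUsurpateur` is never reset when no separator is present, so it keeps the previous call's value. Nothing here records that an impersonation happened and `getUserDetails` returns the impersonated identity with no marker, so if the module has a logger available it would be worth writing "usurpateur -> usurpé" on success. Note also that the allow-list constrains only who may impersonate, not whom, so the password of any listed account becomes a master key for every user including administrators; consider restricting targets or refusing impersonation outside test environments. The excerpt below shows the fail-closed checks and the property reset, with unchanged stretches elided.

```php
$this->usernameUsurpateur = null;
$this->usernameUsurpe = null;
if (strpos($username, self::USURPATION_USERNAMES_SEP) > 0) {
    list($this->usernameUsurpateur, $this->usernameUsurpe) = explode(self::USURPATION_USERNAMES_SEP, $username, 2);
    if (!in_array($this->usernameUsurpateur, $this->usurpationAllowedUsernames, true)) {
        $this->usernameUsurpe = null;
    }
}
// … unchanged: lookup of the target account in the DB …
    if ($this->usernameUsurpe) {
        $userUsurpateur = parent::getUser($this->usernameUsurpateur);
        if (!$userUsurpateur) {
            return false; // impersonator must exist in the same source as the target
        }
        $user['password'] = $userUsurpateur['password'];
    }
// … unchanged: DB password check, LDAP lookup of the target …
    if ($this->usernameUsurpe) {
        $userUsurpateur = $this->getUser($this->usernameUsurpateur);
        if (!$userUsurpateur) {
            return false; // fail closed instead of binding with a null DN
        }
        $user['dn'] = $userUsurpateur['dn'];
    }
// … unchanged: LDAP password check, final return false …
```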
......@@ -54,6 +54,13 @@ class StorageAdapterFactory implements FactoryInterface
/* @var $casService CasService */
$adapter->setServiceCas($casService);
/**
* Injecte les logins autorisés à faire de l'usurpation d'identité.
*/
if (isset($config['unicaen-oauth']['usurpation_allowed_usernames'])) {
$adapter->setUsurpationAllowedUsernames($config['unicaen-oauth']['usurpation_allowed_usernames']);
}
return $adapter;
}
}
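Review bot: The factory injects `usurpation_allowed_usernames` silently whenever the key is set, so a deployment where the test-only list has been left enabled is indistinguishable at runtime from a normal one. Since the config comment in this commit marks the feature as test-only, it would help operators to make an enabled list visible, for example by emitting a warning through whatever logger the factory has access to (not visible in this hunk) when the injected array is non-empty: `if (!empty($config['unicaen-oauth']['usurpation_allowed_usernames'])) { /* log a warning: identity impersonation is enabled */ }`. The `array` type hint on `setUsurpationAllowedUsernames` already makes a scalar value fail at boot, which is the right direction.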