mirror of
https://github.com/Combodo/iTop.git
synced 2026-04-22 18:18:46 +02:00
Added self-registering / user synchronization extensibility
SVN:1.2[1757]
This commit is contained in:
Denis Flaven
@@ -29,7 +29,9 @@ require_once(APPROOT."/application/nicewebpage.class.inc.php");
|
||||
*/
|
||||
|
||||
class LoginWebPage extends NiceWebPage
|
||||
{
|
||||
{
|
||||
protected static $m_sLoginFailedMessage = '';
|
||||
|
||||
public function __construct()
|
||||
{
|
||||
parent::__construct("iTop Login");
|
||||
@@ -89,6 +91,11 @@ EOF
|
||||
);
|
||||
}
|
||||
|
||||
public static function SetLoginFailedMessage($sMessage)
|
||||
{
|
||||
self::$m_sLoginFailedMessage = $sMessage;
|
||||
}
|
||||
|
||||
public function DisplayLoginForm($sLoginType, $bFailedLogin = false)
|
||||
{
|
||||
switch($sLoginType)
|
||||
@@ -119,7 +126,14 @@ EOF
|
||||
$this->add("<h1>".Dict::S('UI:Login:Welcome')."</h1>\n");
|
||||
if ($bFailedLogin)
|
||||
{
|
||||
$this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectLoginPassword')."</p>\n");
|
||||
if (self::$m_sLoginFailedMessage != '')
|
||||
{
|
||||
$this->add("<p class=\"hilite\">".self::$m_sLoginFailedMessage."</p>\n");
|
||||
}
|
||||
else
|
||||
{
|
||||
$this->add("<p class=\"hilite\">".Dict::S('UI:Login:IncorrectLoginPassword')."</p>\n");
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
@@ -250,99 +264,10 @@ EOF
|
||||
// check CAS authentication
|
||||
if (phpCAS::isAuthenticated())
|
||||
{
|
||||
// Check is a membership is required
|
||||
$sCASMemberships = MetaModel::GetConfig()->Get('cas_memberof');
|
||||
$bFound = false;
|
||||
if (!empty($sCASMemberships))
|
||||
{
|
||||
if (phpCAS::hasAttribute('memberOf'))
|
||||
{
|
||||
// A list of groups is specified, the user must a be member of (at least) one of them to pass
|
||||
$aCASMemberships = array();
|
||||
$aTmp = explode(';', $sCASMemberships);
|
||||
setlocale(LC_ALL, "en_US.utf8"); // !!! WARNING: this is needed to have the iconv //TRANSLIT working fine below !!!
|
||||
foreach($aTmp as $sGroupName)
|
||||
{
|
||||
$aCASMemberships[] = trim(iconv('UTF-8', 'ASCII//TRANSLIT', $sGroupName)); // Just in case remove accents and spaces...
|
||||
}
|
||||
|
||||
$aMemberOf = phpCAS::getAttribute('memberOf');
|
||||
if (!is_array($aMemberOf)) $aMemberOf = array($aMemberOf); // Just one entry, turn it into an array
|
||||
$aFilteredGroupNames = array();
|
||||
foreach($aMemberOf as $sGroupName)
|
||||
{
|
||||
phpCAS::log("Info: user if a member of the group: ".$sGroupName);
|
||||
$sGroupName = trim(iconv('UTF-8', 'ASCII//TRANSLIT', $sGroupName)); // Remove accents and spaces as well
|
||||
$aFilteredGroupNames[] = $sGroupName;
|
||||
$bIsMember = false;
|
||||
foreach($aCASMemberships as $sCASPattern)
|
||||
{
|
||||
if (self::IsPattern($sCASPattern))
|
||||
{
|
||||
if (preg_match($sCASPattern, $sGroupName))
|
||||
{
|
||||
$bIsMember = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
else if ($sPattern == $sGroupName)
|
||||
{
|
||||
$bIsMember = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if ($bIsMember)
|
||||
{
|
||||
$bCASUserSynchro = MetaModel::GetConfig()->Get('cas_user_synchro');
|
||||
if ($bCASUserSynchro)
|
||||
{
|
||||
// If needed create a new user for this email/profile
|
||||
phpCAS::log('Info: cas_user_synchro is ON');
|
||||
self::CreateCASUser(phpCAS::getUser(), $aMemberOf);
|
||||
}
|
||||
else
|
||||
{
|
||||
phpCAS::log('Info: cas_user_synchro is OFF');
|
||||
}
|
||||
$bFound = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if(!$bFound)
|
||||
{
|
||||
phpCAS::log("User ".phpCAS::getUser().", none of his/her groups (".implode('; ', $aFilteredGroupNames).") match any of the required groups: ".implode('; ', $aCASMemberships));
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// Too bad, the user is not part of any of the group => not allowed
|
||||
phpCAS::log("No 'memberOf' attribute found for user ".phpCAS::getUser().". Are you using the SAML protocol (S1) ?");
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
// No membership required, anybody will pass
|
||||
$bFound = true;
|
||||
}
|
||||
|
||||
if ($bFound)
|
||||
{
|
||||
$sAuthUser = phpCAS::getUser();
|
||||
$sAuthPwd = '';
|
||||
$sLoginMode = 'cas';
|
||||
$sAuthentication = 'external';
|
||||
}
|
||||
else
|
||||
{
|
||||
// The user is not part of the allowed groups, => log out
|
||||
$sUrl = utils::GetAbsoluteUrlAppRoot().'pages/UI.php';
|
||||
$sCASLogoutUrl = MetaModel::GetConfig()->Get('cas_logout_redirect_service');
|
||||
if (empty($sCASLogoutUrl))
|
||||
{
|
||||
$sCASLogoutUrl = $sUrl;
|
||||
}
|
||||
phpCAS::logoutWithRedirectService($sCASLogoutUrl); // Redirects to the CAS logout page
|
||||
}
|
||||
$sAuthUser = phpCAS::getUser();
|
||||
$sAuthPwd = '';
|
||||
$sLoginMode = 'cas';
|
||||
$sAuthentication = 'external';
|
||||
}
|
||||
break;
|
||||
|
||||
@@ -388,9 +313,9 @@ EOF
|
||||
case 'url':
|
||||
// Credentials passed directly in the url
|
||||
$sAuthUser = utils::ReadParam('auth_user', '', false, 'raw_data');
|
||||
if ($sAuthUser != '')
|
||||
$sAuthPwd = utils::ReadParam('auth_pwd', null, false, 'raw_data');
|
||||
if (($sAuthUser != '') && ($sAuthPwd != null))
|
||||
{
|
||||
$sAuthPwd = utils::ReadParam('auth_pwd', '', false, 'raw_data');
|
||||
$sLoginMode = 'url';
|
||||
}
|
||||
break;
|
||||
@@ -417,7 +342,7 @@ EOF
|
||||
}
|
||||
else
|
||||
{
|
||||
if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $sAuthentication))
|
||||
if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $sLoginMode, $sAuthentication))
|
||||
{
|
||||
//echo "Check Credentials returned false for user $sAuthUser!";
|
||||
self::ResetSession();
|
||||
@@ -526,124 +451,6 @@ EOF
|
||||
header('Location: '.utils::GetAbsoluteUrlAppRoot().'portal/index.php');
|
||||
}
|
||||
return $sMessage;
|
||||
}
|
||||
|
||||
protected static function CreateCASUser($sEmail, $aGroups)
|
||||
{
|
||||
if (!MetaModel::IsValidClass('URP_Profiles'))
|
||||
{
|
||||
phpCAS::log("URP_Profiles is not a valid class. Automatic creation of Users is not supported in this context, sorry.");
|
||||
return;
|
||||
}
|
||||
|
||||
// read all the existing profiles
|
||||
$oProfilesSearch = new DBObjectSearch('URP_Profiles');
|
||||
$oProfilesSet = new DBObjectSet($oProfilesSearch);
|
||||
$aAllProfiles = array();
|
||||
while($oProfile = $oProfilesSet->Fetch())
|
||||
{
|
||||
$aAllProfiles[strtolower($oProfile->GetName())] = $oProfile->GetKey();
|
||||
}
|
||||
|
||||
// Translate the CAS/LDAP group names into iTop profile names
|
||||
$aProfiles = array();
|
||||
$sPattern = MetaModel::GetConfig()->Get('cas_profile_pattern');
|
||||
foreach($aGroups as $sGroupName)
|
||||
{
|
||||
if (preg_match($sPattern, $sGroupName, $aMatches))
|
||||
{
|
||||
if (array_key_exists(strtolower($aMatches[1]), $aAllProfiles))
|
||||
{
|
||||
$aProfiles[] = $aAllProfiles[strtolower($aMatches[1])];
|
||||
}
|
||||
else
|
||||
{
|
||||
phpCAS::log("Warning: {$aMatches[1]} is not a valid iTop profile (extracted from group name: '$sGroupName'). Ignored.");
|
||||
}
|
||||
}
|
||||
}
|
||||
if (count($aProfiles) == 0)
|
||||
{
|
||||
phpCAS::log("Error: no group name matches the pattern: '$sPattern'. The user '$sEmail' has no profiles in iTop, and therefore cannot be created.");
|
||||
return;
|
||||
}
|
||||
|
||||
$oUser = MetaModel::GetObjectByName('UserExternal', $sEmail, false);
|
||||
if ($oUser == null)
|
||||
{
|
||||
// Create the user, link it to a contact
|
||||
phpCAS::log("Info: the user '$sEmail' does not exist. A new UserExternal will be created.");
|
||||
$oSearch = new DBObjectSearch('Person');
|
||||
$oSearch->AddCondition('email', $sEmail);
|
||||
$oSet = new DBObjectSet($oSearch);
|
||||
$iContactId = 0;
|
||||
switch($oSet->Count())
|
||||
{
|
||||
case 0:
|
||||
phpCAS::log("Error: found no contact with the email: '$sEmail'. Cannot create the user in iTop.");
|
||||
return;
|
||||
|
||||
case 1:
|
||||
$oContact = $oSet->Fetch();
|
||||
$iContactId = $oContact->GetKey();
|
||||
phpCAS::log("Info: Found 1 contact '".$oContact->GetName()."' (id=$iContactId) corresponding to the email '$sEmail'.");
|
||||
break;
|
||||
|
||||
default:
|
||||
phpCAS::log("Error: ".$oSet->Count()." contacts have the same email: '$sEmail'. Cannot create a user for this email.");
|
||||
return;
|
||||
}
|
||||
|
||||
$oUser = new UserExternal();
|
||||
$oUser->Set('login', $sEmail);
|
||||
$oUser->Set('contactid', $iContactId);
|
||||
$oUser->Set('language', MetaModel::GetConfig()->GetDefaultLanguage());
|
||||
}
|
||||
else
|
||||
{
|
||||
phpCAS::log("Info: the user '$sEmail' already exists (id=".$oUser->GetKey().").");
|
||||
}
|
||||
|
||||
// Now synchronize the profiles
|
||||
$oProfilesSet = DBObjectSet::FromScratch('URP_UserProfile');
|
||||
foreach($aProfiles as $iProfileId)
|
||||
{
|
||||
$oLink = new URP_UserProfile();
|
||||
$oLink->Set('profileid', $iProfileId);
|
||||
$oLink->Set('reason', 'CAS/LDAP Synchro');
|
||||
$oProfilesSet->AddObject($oLink);
|
||||
}
|
||||
$oUser->Set('profile_list', $oProfilesSet);
|
||||
phpCAS::log("Info: the user $sEmail (id=".$oUser->GetKey().") now has the following profiles: '".implode("', '", $aProfiles)."'.");
|
||||
|
||||
if ($oUser->IsNew() || $oUser->IsModified())
|
||||
{
|
||||
$oMyChange = MetaModel::NewObject("CMDBChange");
|
||||
$oMyChange->Set("date", time());
|
||||
$oMyChange->Set("userinfo", 'CAS/LDAP Synchro');
|
||||
$oMyChange->DBInsert();
|
||||
if ($oUser->IsNew())
|
||||
{
|
||||
$oUser->DBInsertTracked($oMyChange);
|
||||
}
|
||||
else
|
||||
{
|
||||
$oUser->DBUpdateTracked($oMyChange);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
protected static function IsPattern($sCASPattern)
|
||||
{
|
||||
if ((substr($sCASPattern, 0, 1) == '/') && (substr($sCASPattern, -1) == '/'))
|
||||
{
|
||||
// the string is enclosed by slashes, let's assume it's a pattern
|
||||
return true;
|
||||
}
|
||||
else
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
} // End of class
|
||||
?>
|
||||
|
||||
Reference in New Issue
Block a user