
3 commits

Author SHA1 Message Date
baz
6b0ef3d211 logout location is configurable
Useful for installations where you want to "cascade" logout to a central
authentication system
2018-10-16 13:14:56 +02:00
d6ab5df482 auth_proxy: proxy MUST be whitelisted 2018-09-17 12:02:28 +02:00
7e1a483db2 auth_proxy draft 2018-09-05 12:35:34 +02:00
3 changed files with 98 additions and 1 deletions


@ -263,7 +263,11 @@ class Handler_Public extends Handler {
function logout() {
logout_user();
header("Location: index.php");
$location = 'index.php';
if(defined('LOGOUT_LOCATION')) {
$location = LOGOUT_LOCATION;
}
header("Location: $location");
}
function share() {
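Review bot: The defined() check and the mutable fallback on L23-L26 read more directly as one line, `$location = defined('LOGOUT_LOCATION') ? LOGOUT_LOCATION : 'index.php';`, which also makes it obvious that the target is a build-time constant rather than request input, so no open-redirect exposure is introduced here. Nothing after header() terminates the request; the removed line had the same shape, so this is not a regression, but if the surrounding dispatcher can emit output after the handler returns an `exit;` after the header call would be the conventional guard — confirm against the caller, which is outside the hunk. When LOGOUT_LOCATION points at an external SSO logout, the local session must already be torn down before the redirect; that appears to be logout_user()'s job, but it is not visible in this hunk.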


@ -90,6 +90,10 @@
// If set to true, users won't be able to set application language
// and settings profile.
define ('LOGIN_LOCATION', 'index.php');
// When a user logs out, redirect to this location. This is useful when you have some central
// authentication system, and you want to reach the main logout page
// *********************
// *** Feed settings ***
// *********************
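Review bot: The new comment on L37-L38 trails off ("you want to reach the main logout page") and never states the default, so an admin reading config.php-dist cannot tell what happens when the setting is left out; suggested wording: `// When a user logs out, redirect to this location (default: index.php). Set it to the`, `// logout URL of a central authentication system (e.g. an SSO or auth_proxy front end)`, `// so that logging out of tt-rss also ends the upstream session.`. No `define('LOGOUT_LOCATION', ...)` line is visible in this rendering of the hunk; if it is genuinely absent from the dist file, the constant stays undefined and Handler_Public::logout() silently falls back to index.php, which is fine but should be said explicitly in the comment rather than left to the reader.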


@ -0,0 +1,89 @@
<?php
class Auth_Proxy extends Plugin implements IAuthModule {
private $host;
/* @var Auth_Base $base */
private $base;
function about() {
return array(1.0,
"Trust proxy X-Forwarded-User. May be dangerous, see doc",
"boyska",
true);
}
/* @var PluginHost $host */
function init($host ) {
$this->host = $host;
$this->base = new Auth_Base();
$host->add_hook($host::HOOK_AUTH_USER, $this);
}
/*
* is_whitelisted check if an IP is whitelisted by defined values in config.php
* it will check by-IP and by-NAME
* currently, only exact IP is supported (no cidr, no wildcard); this is a TODO
* check by
*/
private function is_whitelisted($client_ip) {
if(!defined('AUTHPROXY_WHITELIST_IP') && !defined('AUTHPROXY_WHITELIST_NAME')) {
// TODO: send a warning: this is a misconfiguration!
return false;
}
if(defined('AUTHPROXY_WHITELIST_IP')) {
$whitelist = explode(' ', AUTHPROXY_WHITELIST_IP);
foreach($whitelist as $w_ip) {
if($client_ip === $w_ip) {
return true;
}
}
}
if(defined('AUTHPROXY_WHITELIST_NAME')) {
$whitelist = explode(' ', AUTHPROXY_WHITELIST_NAME);
foreach($whitelist as $w_name) {
foreach(gethostbynamel($w_name) as $w_ip) {
if($client_ip === $w_ip) {
return true;
}
}
}
}
return false;
}
/**
* @SuppressWarnings(PHPMD.UnusedFormalParameter)
*/
function authenticate($login, $password) {
$client_ip = $_SERVER['REMOTE_ADDR'];
if($this->is_whitelisted($client_ip) === false) {
return false;
}
if(!array_key_exists("HTTP_X_FORWARDED_USER", $_SERVER)) {
return false;
}
$try_login = $_SERVER["HTTP_X_FORWARDED_USER"];
if ($try_login) {
$user_id = $this->base->auto_create_user($try_login, $password);
if ($user_id) {
$_SESSION["fake_login"] = $try_login;
$_SESSION["fake_password"] = "******";
$_SESSION["hide_hello"] = true;
$_SESSION["hide_logout"] = true;
return $user_id;
}
}
return false;
}
function api_version() {
return 2;
}
}
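Review bot: In is_whitelisted() (L85) gethostbynamel() returns false for a name that does not resolve, and foreach over false only emits a warning and skips the entry, so a typo in AUTHPROXY_WHITELIST_NAME degrades to "nothing matches" with no operator-visible signal; guard it with `$resolved = gethostbynamel($w_name); if ($resolved === false) { continue; }` and iterate over `$resolved`, ideally logging the failure alongside the L71 TODO. Both whitelist branches compare REMOTE_ADDR by exact string and gethostbynamel() only returns A records, so a proxy reaching PHP over IPv6 (including an IPv4-mapped `::ffff:…` peer) is never whitelisted and the plugin fails closed in a way that is hard to diagnose; normalising via inet_pton() or an IPv6-aware lookup matters before the CIDR TODO in the L63-L68 comment does. Basing the trust decision on REMOTE_ADDR rather than X-Forwarded-For is the right call, but it only holds if the whitelisted proxy strips any client-supplied X-Forwarded-User before adding its own, and that requirement deserves a sentence in a class docblock since about() merely says "see doc". authenticate() also forwards the login-form $password to auto_create_user() (L107); if that helper stores it as the local credential of a newly created account (Auth_Base is not visible here), whoever controls the form field on first login sets that user's fallback password, so passing false and letting a random one be generated looks safer — confirm against Auth_Base. Finally, `if ($try_login)` on L106 rejects the legitimate username "0" by truthiness; `if ($try_login !== '')` is the stricter test.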