X-Git-Url: http://wagnertech.de/git?a=blobdiff_plain;f=SL%2FAuth.pm;h=6be693382b0e2c44dfa34f8605ddd8480a41801d;hb=5474d397bbc42ffaea0b51ebb4bb9a4c7afaa881;hp=baa1edafc4fe5dd8468057f888540c9040f3c2a5;hpb=be096dae11c4f53d55330d405a89d637e1c56bfe;p=kivitendo-erp.git diff --git a/SL/Auth.pm b/SL/Auth.pm index baa1edafc..6be693382 100644 --- a/SL/Auth.pm +++ b/SL/Auth.pm @@ -5,7 +5,7 @@ use DBI; use Digest::MD5 qw(md5_hex); use IO::File; use Time::HiRes qw(gettimeofday); -use List::MoreUtils qw(uniq); +use List::MoreUtils qw(any uniq); use YAML; use Regexp::IPv6 qw($IPv6_re); @@ -20,7 +20,7 @@ use SL::SessionFile; use SL::User; use SL::DBConnect; use SL::DBUpgrade2; -use SL::DBUtils qw(do_query do_statement prepare_execute_query prepare_query selectall_array_query selectrow_query); +use SL::DBUtils qw(do_query do_statement prepare_execute_query prepare_query selectall_array_query selectrow_query selectall_ids); use strict; @@ -37,12 +37,12 @@ sub new { my $self = bless {}, $type; $self->_read_auth_config(%params); - $self->reset; + $self->init; return $self; } -sub reset { +sub init { my ($self, %params) = @_; $self->{SESSION} = { }; @@ -50,7 +50,29 @@ sub reset { $self->{RIGHTS} = { }; $self->{unique_counter} = 0; $self->{column_information} = SL::Auth::ColumnInformation->new(auth => $self); - $self->{authenticator}->reset; +} + +sub reset { + my ($self, %params) = @_; + + $self->{SESSION} = { }; + $self->{FULL_RIGHTS} = { }; + $self->{RIGHTS} = { }; + $self->{unique_counter} = 0; + + if ($self->is_db_connected) { + # reset is called during request shutdown already. In case of a + # completely new auth DB this would fail and generate an error + # message even if the user is currently trying to create said auth + # DB. Therefore only fetch the column information if a connection + # has been established. + $self->{column_information} = SL::Auth::ColumnInformation->new(auth => $self); + $self->{column_information}->_fetch; + } else { + delete $self->{column_information}; + } + + $_->reset for @{ $self->{authenticators} }; $self->client(undef); } @@ -72,6 +94,18 @@ sub set_client { return $self->client; } +sub get_default_client_id { + my ($self) = @_; + + my $dbh = $self->dbconnect; + + return unless $dbh; + + my $row = $dbh->selectrow_hashref(qq|SELECT id FROM auth.clients WHERE is_default = TRUE LIMIT 1|); + + return $row->{id} if $row; +} + sub DESTROY { my $self = shift; @@ -84,7 +118,10 @@ sub mini_error { my ($self, @msg) = @_; if ($ENV{HTTP_USER_AGENT}) { - print Form->create_http_response(content_type => 'text/html'); + # $::form might not be initialized yet at this point â therefore + # we cannot use "create_http_response" yet. + my $cgi = CGI->new(''); + print $cgi->header('-type' => 'text/html', '-charset' => 'UTF-8'); print "
", join ('"; } else { print STDERR "Error: @msg\n"; @@ -106,19 +143,33 @@ sub _read_auth_config { } else { $self->{DB_config} = $::lx_office_conf{'authentication/database'}; - $self->{LDAP_config} = $::lx_office_conf{'authentication/ldap'}; } - if ($self->{module} eq 'DB') { - $self->{authenticator} = SL::Auth::DB->new($self); + $self->{authenticators} = []; + $self->{module} ||= 'DB'; + $self->{module} =~ s{^ +| +$}{}g; - } elsif ($self->{module} eq 'LDAP') { - $self->{authenticator} = SL::Auth::LDAP->new($self); - } + foreach my $module (split m{ +}, $self->{module}) { + my $config_name; + ($module, $config_name) = split m{:}, $module, 2; + $config_name ||= $module eq 'DB' ? 'database' : lc($module); + my $config = $::lx_office_conf{'authentication/' . $config_name}; - if (!$self->{authenticator}) { - my $locale = Locale->new('en'); - $self->mini_error($locale->text('No or an unknown authenticantion module specified in "config/kivitendo.conf".')); + if (!$config) { + my $locale = Locale->new('en'); + $self->mini_error($locale->text('Missing configuration section "authentication/#1" in "config/kivitendo.conf".', $config_name)); + } + + if ($module eq 'DB') { + push @{ $self->{authenticators} }, SL::Auth::DB->new($self); + + } elsif ($module eq 'LDAP') { + push @{ $self->{authenticators} }, SL::Auth::LDAP->new($config); + + } else { + my $locale = Locale->new('en'); + $self->mini_error($locale->text('Unknown authenticantion module #1 specified in "config/kivitendo.conf".', $module)); + } } my $cfg = $self->{DB_config}; @@ -133,7 +184,7 @@ sub _read_auth_config { $self->mini_error($locale->text('config/kivitendo.conf: Missing parameters in "authentication/database". Required parameters are "host", "db" and "user".')); } - $self->{authenticator}->verify_config(); + $_->verify_config for @{ $self->{authenticators} }; $self->{session_timeout} *= 1; $self->{session_timeout} = 8 * 60 if (!$self->{session_timeout}); @@ -193,7 +244,14 @@ sub authenticate { return ERR_PASSWORD; } - my $result = $login ? $self->{authenticator}->authenticate($login, $password) : ERR_USER; + my $result = ERR_USER; + if ($login) { + foreach my $authenticator (@{ $self->{authenticators} }) { + $result = $authenticator->authenticate($login, $password); + last if $result == OK; + } + } + $self->set_session_value(SESSION_KEY_USER_AUTH() => $result, login => $login, client_id => $self->client->{id}); return $result; } @@ -236,6 +294,7 @@ sub dbconnect { $self->{dbh} = SL::DBConnect->connect($dsn, $cfg->{user}, $cfg->{password}, { pg_enable_utf8 => 1, AutoCommit => 1 }); if (!$may_fail && !$self->{dbh}) { + delete $self->{dbh}; $main::form->error($main::locale->text('The connection to the authentication database failed:') . "\n" . $DBI::errstr); } @@ -251,6 +310,11 @@ sub dbdisconnect { } } +sub is_db_connected { + my ($self) = @_; + return !!$self->{dbh}; +} + sub check_tables { my ($self, $dbh) = @_; @@ -372,15 +436,22 @@ sub save_user { sub can_change_password { my $self = shift; - return $self->{authenticator}->can_change_password(); + return any { $_->can_change_password } @{ $self->{authenticators} }; } sub change_password { my ($self, $login, $new_password) = @_; - my $result = $self->{authenticator}->change_password($login, $new_password); + my $overall_result = OK; - return $result; + foreach my $authenticator (@{ $self->{authenticators} }) { + next unless $authenticator->can_change_password; + + my $result = $authenticator->change_password($login, $new_password); + $overall_result = $result if $result != OK; + } + + return $overall_result; } sub read_all_users { @@ -537,12 +608,10 @@ sub restore_session { # 1. session ID exists in the database # 2. hasn't expired yet # 3. if cookie for the API token is given: the cookie's value equal database column 'auth.session.api_token' for the session ID - # 4. if cookie for the API token is NOT given then: the requestee's IP address must match the stored IP address $self->{api_token} = $cookie->{api_token} if $cookie; my $api_token_cookie = $self->get_api_token_cookie; my $cookie_is_bad = !$cookie || $cookie->{is_expired}; $cookie_is_bad ||= $api_token_cookie && ($api_token_cookie ne $cookie->{api_token}) if $api_token_cookie; - $cookie_is_bad ||= $cookie->{ip_address} ne $ENV{REMOTE_ADDR} if !$api_token_cookie && $ENV{REMOTE_ADDR} !~ /^$IPv6_re$/; if ($cookie_is_bad) { $self->destroy_session(); return $self->session_restore_result($cookie ? SESSION_EXPIRED() : SESSION_NONE()); @@ -592,18 +661,18 @@ SQL sub _load_with_auto_restore_column { my ($self, $dbh, $session_id) = @_; - my $auto_restore_keys = join ', ', map { "'${_}'" } qw(login password rpw); + my %auto_restore_keys = map { $_ => 1 } qw(login password rpw client_id), SESSION_KEY_ROOT_AUTH, SESSION_KEY_USER_AUTH; my $query = <
', @msg), "