Commit 11321f75 authored by MARTINEZ Benedicte's avatar MARTINEZ Benedicte

Ajout authentification Kerberos et x509

parent 81c77b03
<script>
window.location.href = 'dist/index.html';
</script>
<?php
require 'vendor/autoload.php';
use Configuration\models\ConfigurationModel;
use SrcCore\models\CoreConfigModel;
use SrcCore\controllers\AuthenticationController;
$connection=ConfigurationModel::getConnection();
$localtoken='';
$localrefresh='';
if ($connection == 'kerberos' || $connection == 'x509' ) {
$path = CoreConfigModel::getConfigPath();
$hashedPath = md5($path);
$result = AuthenticationController::connectSSO();
if ($result['Status'] != 204) {
echo $result['Status'].' - '. $result['errors'];
exit;
}
$localtoken = 'localStorage.setItem("MaarchParapheurToken_'.$hashedPath.'", "'.$result['Token'].'");';
$localrefresh= 'localStorage.setItem("MaarchParapheurRefreshToken_'.$hashedPath.'", "'.$result['Refresh-Token'].'");';
}
?>
<script>
window.location.href = 'dist/index.html';
</script>
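Review bot: Taking the PHP block as the new side of index.php, `$localtoken` and `$localrefresh` (the two `localStorage.setItem(...)` strings built after `connectSSO()`) are assigned but never echoed — the only output in the file is the unchanged redirect `<script>` — so on a successful SSO login the token and refresh token never reach the browser and the user lands on dist/index.html unauthenticated. If the intent is to emit them inside that `<script>` before the redirect, do not splice the JWT into JavaScript source by string concatenation; build the statement with `json_encode($result['Token'], JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP)` so the value cannot terminate the string literal. The error path `echo $result['Status'].' - '. $result['errors'];` writes unescaped text into the page; the messages are server-side constants in this commit, but wrapping them in `htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` keeps the page safe if the error text ever becomes dynamic. The mode comparisons `$connection == 'kerberos'` should be `===`, matching the strict-comparison style the rest of the project's lints expect.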
......@@ -191,6 +191,8 @@
"yes": "Yes",
"no": "No",
"ldapEnabled": "LDAP enabled",
"kerberosEnabled": "Kerberos enabled",
"x509Enabled": "Certificate x509 enbaled",
"userCreation": "Add a user",
"manage_ldap_configurations": "Ldap",
"manage_ldap_configurationsDesc": "Add / Update / Delete ldap entries in order to authenticate users.",
......@@ -211,6 +213,8 @@
"manage_connectionsDesc" : "Manage all available connections modes in application.",
"defaultConnection" : "Default",
"ldapConnection" : "Ldap",
"kerberosConnection" : "Kerberos",
"x509Connection" : "Certificate x509",
"connectionMode" : "Connection mode",
"connectionModeUpdated" : "Connection mode updated",
"changeConnectionWarn" : "This cause a change in login mechanics for users !",
......
......@@ -191,6 +191,8 @@
"yes": "Oui",
"no": "Non",
"ldapEnabled": "LDAP activé",
"kerberosEnabled": "Kerberos activé",
"x509Enabled": "Certificat x509 activé",
"userCreation": "Ajouter un utilisateur",
"manage_ldap_configurations": "Annuaires ldap",
"manage_ldap_configurationsAlt": "Annuaire(s) ldap",
......@@ -212,6 +214,8 @@
"manage_connectionsDesc" : "Administrer les différents modes de connexion disponibles de l'application.",
"defaultConnection" : "Standard",
"ldapConnection" : "Ldap",
"kerberosConnection" : "Kerberos",
"x509Connection" : "Certificat x509",
"connectionMode" : "Mode de connexion",
"connectionModeUpdated" : "Mode de connexion mis à jour",
"changeConnectionWarn" : "Cela modifie le mode de connexion à l'application !",
......
......@@ -24,7 +24,7 @@ use SrcCore\models\AuthenticationModel;
class ConfigurationController
{
const CONNECTION_MODES = ['default', 'ldap'];
const CONNECTION_MODES = ['default', 'ldap', 'kerberos', 'x509'];
public function get(Request $request, Response $response)
{
......@@ -48,7 +48,7 @@ class ConfigurationController
$ldapConfigurations = ConfigurationModel::getByIdentifier(['identifier' => 'ldapServer', 'select' => [1]]);
$configurations = $configurations[0];
$configurations['value'] = json_decode($configurations['value']);
$configurations['availableConnections'] = [['id' => 'default', 'allowed' => true], ['id' => 'ldap', 'allowed' => !empty($ldapConfigurations)]];
$configurations['availableConnections'] = [['id' => 'default', 'allowed' => true], ['id' => 'kerberos', 'allowed' => true], ['id' => 'x509', 'allowed' => true], ['id' => 'ldap', 'allowed' => !empty($ldapConfigurations)]];
}
return $response->withJson(['configurations' => $configurations]);
......
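Review bot: In the second hunk, `['id' => 'kerberos', 'allowed' => true]` and `['id' => 'x509', 'allowed' => true]` are offered unconditionally, whereas `ldap` is gated on `!empty($ldapConfigurations)`; nothing verifies that the web server is actually configured to populate `REMOTE_USER`/`AUTH_TYPE` or `SSL_CLIENT_CERT`, and once one of these modes is selected the password form is refused (`authenticate` returns 400 "SSO is activated"), so a mis-click here locks out every account including the administrator's. At minimum document that on the constant: `// kerberos/x509 are always listed as allowed: selecting them disables password login, so the web server must already expose REMOTE_USER / SSL_CLIENT_CERT`, and consider a server-side precondition (for example a probe that the current request carries the relevant `$_SERVER` variable) before reporting them as allowed. The `get` method whose body this belongs to continues outside the hunk.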
......@@ -84,18 +84,88 @@ class AuthenticationController
return $id;
}
public static function connectSSO()
{
$connection = ConfigurationModel::getConnection();
if ($connection == 'x509' || $connection == 'kerberos')
{
if ($connection == 'x509' && $_SERVER['SSL_CLIENT_CERT'] <> '') {
$x509_data=openssl_x509_parse($_SERVER["SSL_CLIENT_CERT"]);
list($label, $login) = explode(":", $x509_data["extensions"]["subjectAltName"]);
}
elseif ($connection == 'kerberos' && $_SERVER['REMOTE_USER'] <> '' && $_SERVER['AUTH_TYPE'] == 'Negotiate' ) {
$login = strtolower($_SERVER['REMOTE_USER']);
}
$user = UserModel::getByLogin(['login' => $login, 'select' => ['id', '"isRest"', 'refresh_token']]);
if (empty($user) || $user['isRest']) {
$result = [
'Status' => 403,
'errors' => 'Authentication unauthorized'
];
}
$GLOBALS['id'] = $user['id'];
$user['refresh_token'] = json_decode($user['refresh_token'], true);
foreach ($user['refresh_token'] as $key => $refreshToken) {
try {
JWT::decode($refreshToken, CoreConfigModel::getEncryptKey(), ['HS256']);
} catch (\Exception $e) {
unset($user['refresh_token'][$key]);
}
}
$user['refresh_token'] = array_values($user['refresh_token']);
if (count($user['refresh_token']) > 10) {
array_shift($user['refresh_token']);
}
$refreshToken = AuthenticationController::getRefreshJWT();
$user['refresh_token'][] = $refreshToken;
UserModel::update([
'set' => ['reset_token' => null, 'refresh_token' => json_encode($user['refresh_token'])],
'where' => ['id = ?'],
'data' => [$user['id']]
]);
$result = [
'Status' => 204,
'USer' => $login,
'Token' => AuthenticationController::getJWT(),
'Refresh-Token' => $refreshToken
];
HistoryController::add([
'code' => 'OK',
'objectType' => 'users',
'objectId' => $user['id'],
'type' => 'LOGIN',
'message' => '{userLogIn}'
]);
}
else {
$result = [
'Status' => 401,
'errors' => 'SSO not set'
];
}
return $result;
}
public function authenticate(Request $request, Response $response)
{
$body = $request->getParsedBody();
$connection = ConfigurationModel::getConnection();
if ($connection == 'kerberos' || $connection == 'x509') {
return $response->withStatus(400)->withJson(['errors' => 'SSO is activated, use SSO button']);
}
$body = $request->getParsedBody();
$check = Validator::stringType()->notEmpty()->validate($body['login']);
$check = $check && Validator::stringType()->notEmpty()->validate($body['password']);
if (!$check) {
return $response->withStatus(400)->withJson(['errors' => 'Bad Request']);
}
$login = strtolower($body['login']);
$connection = ConfigurationModel::getConnection();
if ($connection == 'ldap') {
$ldapConfigurations = ConfigurationModel::getByIdentifier(['identifier' => 'ldapServer', 'select' => ['value']]);
if (empty($ldapConfigurations)) {
......
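Review bot: The 403 branch `if (empty($user) || $user['isRest'])` in connectSSO assigns `$result` but does not return, so execution falls through to `$GLOBALS['id'] = $user['id']`, the refresh-token rewrite, `UserModel::update(...)` and `AuthenticationController::getJWT()`, and `$result` is overwritten with Status 204 — an unknown login or a REST-only account still ends up with a token; add `return $result;` inside that block. `$login` is also undefined when neither the x509 nor the kerberos condition holds (for example `SSL_CLIENT_CERT` absent or `AUTH_TYPE` not `Negotiate`), which then reaches `UserModel::getByLogin` with a null login; reading `$_SERVER['SSL_CLIENT_CERT'] ?? ''` / `$_SERVER['REMOTE_USER'] ?? ''` and returning the 403 result early when `empty($login)` closes that path. The subjectAltName handling `list($label, $login) = explode(":", ...)` assumes a single `type:value` entry; a SAN with several comma-separated entries or a value containing ':' (a URI or email) yields something other than the intended login, so the expected certificate format should be documented or the parsing tightened. The result key `'USer'` looks like a typo for `'User'`. The `authenticate` method at the end of the hunk continues outside it.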
......@@ -15,6 +15,10 @@
class="forgot-password">{{'lang.forgotPassword' | translate}}</a>
<a href="" *ngIf="authService.authMode === 'ldap'"
class="forgot-password">{{'lang.ldapEnabled' | translate}}</a>
<a href="" *ngIf="authService.authMode === 'kerberos'"
class="forgot-password">{{'lang.kerberosEnabled' | translate}}</a>
<a href="" *ngIf="authService.authMode === 'x509'"
class="forgot-password">{{'lang.x509Enabled' | translate}}</a>
<ion-button type="submit" expand="block" [disabled]="loginForm.invalid || loading">{{'lang.connect' | translate}}
</ion-button>
</form>
......
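Review bot: The two new `<a href="" ...>` elements carrying `lang.kerberosEnabled` and `lang.x509Enabled` are status labels, not links, and an empty `href` reloads the login page when clicked; a `<span class="forgot-password" *ngIf="authService.authMode === 'kerberos'">` (and likewise for `x509`) gives the same appearance without the navigation side effect. The pattern mirrors the existing ldap line, so the fix would apply to all three.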