Code Coverage |
||||||||||
Lines |
Functions and Methods |
Classes and Traits |
||||||||
Total | |
62.22% |
28 / 45 |
|
42.86% |
3 / 7 |
CRAP | |
0.00% |
0 / 1 |
MultiAuth | |
62.22% |
28 / 45 |
|
42.86% |
3 / 7 |
38.46 | |
0.00% |
0 / 1 |
validateConfig | |
100.00% |
5 / 5 |
|
100.00% |
1 / 1 |
2 | |||
setConfig | |
58.33% |
7 / 12 |
|
0.00% |
0 / 1 |
5.16 | |||
authenticate | |
100.00% |
6 / 6 |
|
100.00% |
1 / 1 |
3 | |||
filterCredentials | |
42.86% |
3 / 7 |
|
0.00% |
0 / 1 |
4.68 | |||
authUser | |
36.36% |
4 / 11 |
|
0.00% |
0 / 1 |
8.12 | |||
setPluginManager | |
100.00% |
1 / 1 |
|
100.00% |
1 / 1 |
1 | |||
getPluginManager | |
66.67% |
2 / 3 |
|
0.00% |
0 / 1 |
2.15 |
1 | <?php |
2 | |
3 | /** |
4 | * MultiAuth Authentication plugin |
5 | * |
6 | * PHP version 8 |
7 | * |
8 | * Copyright (C) Villanova University 2010. |
9 | * |
10 | * This program is free software; you can redistribute it and/or modify |
11 | * it under the terms of the GNU General Public License version 2, |
12 | * as published by the Free Software Foundation. |
13 | * |
14 | * This program is distributed in the hope that it will be useful, |
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
17 | * GNU General Public License for more details. |
18 | * |
19 | * You should have received a copy of the GNU General Public License |
20 | * along with this program; if not, write to the Free Software |
21 | * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
22 | * |
23 | * @category VuFind |
24 | * @package Authentication |
25 | * @author Sam Moffatt <vufind-tech@lists.sourceforge.net> |
26 | * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License |
27 | * @link https://vufind.org/wiki/development:plugins:authentication_handlers Wiki |
28 | */ |
29 | |
30 | namespace VuFind\Auth; |
31 | |
32 | use VuFind\Db\Entity\UserEntityInterface; |
33 | use VuFind\Exception\Auth as AuthException; |
34 | |
35 | use function call_user_func; |
36 | use function strlen; |
37 | |
38 | /** |
39 | * MultiAuth Authentication plugin |
40 | * |
41 | * This module enables chaining of multiple authentication plugins. Authentication |
42 | * plugins are executed in order, and the first successful authentication is |
43 | * returned with the rest ignored. The last error message is used to be returned |
44 | * to the calling function. |
45 | * |
46 | * The plugin works by being defined as the authentication handler for the system |
47 | * and then defining its own order for plugins. For example, you could edit |
48 | * config.ini like this: |
49 | * |
50 | * [Authentication] |
51 | * method = MultiAuth |
52 | * |
53 | * [MultiAuth] |
54 | * method_order = "ILS,LDAP" |
55 | * filters = "username:strtoupper,username:trim,password:trim" |
56 | * |
57 | * This example uses a combination of ILS and LDAP authentication, checking the ILS |
58 | * first and then failing over to LDAP. |
59 | * |
60 | * The filters follow the format fieldname:PHP string function, where fieldname is |
61 | * either "username" or "password." In the example, we uppercase the username and |
62 | * trim the username and password fields. This is done to enable common filtering |
63 | * before handing off to the authentication handlers. |
64 | * |
65 | * @category VuFind |
66 | * @package Authentication |
67 | * @author Sam Moffatt <vufind-tech@lists.sourceforge.net> |
68 | * @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License |
69 | * @link https://vufind.org/wiki/development:plugins:authentication_handlers Wiki |
70 | */ |
71 | class MultiAuth extends AbstractBase |
72 | { |
73 | /** |
74 | * Filter configuration for credentials |
75 | * |
76 | * @var array |
77 | */ |
78 | protected $filters = []; |
79 | |
80 | /** |
81 | * Authentication methods to try |
82 | * |
83 | * @var array |
84 | */ |
85 | protected $methods = []; |
86 | |
87 | /** |
88 | * Username input |
89 | * |
90 | * @var string |
91 | */ |
92 | protected $username; |
93 | |
94 | /** |
95 | * Password input |
96 | * |
97 | * @var string |
98 | */ |
99 | protected $password; |
100 | |
101 | /** |
102 | * Plugin manager for obtaining other authentication objects |
103 | * |
104 | * @var PluginManager |
105 | */ |
106 | protected $manager; |
107 | |
108 | /** |
109 | * Validate configuration parameters. This is a support method for getConfig(), |
110 | * so the configuration MUST be accessed using $this->config; do not call |
111 | * $this->getConfig() from within this method! |
112 | * |
113 | * @throws AuthException |
114 | * @return void |
115 | */ |
116 | protected function validateConfig() |
117 | { |
118 | if (empty($this->config->MultiAuth->method_order)) { |
119 | throw new AuthException( |
120 | 'One or more MultiAuth parameters are missing. ' . |
121 | 'Check your config.ini!' |
122 | ); |
123 | } |
124 | } |
125 | |
126 | /** |
127 | * Set configuration; throw an exception if it is invalid. |
128 | * |
129 | * @param \Laminas\Config\Config $config Configuration to set |
130 | * |
131 | * @throws AuthException |
132 | * @return void |
133 | */ |
134 | public function setConfig($config) |
135 | { |
136 | parent::setConfig($config); |
137 | if (isset($config->MultiAuth->method_order)) { |
138 | $this->methods = array_map( |
139 | 'trim', |
140 | explode(',', $config->MultiAuth->method_order) |
141 | ); |
142 | } |
143 | if ( |
144 | isset($config->MultiAuth->filters) |
145 | && strlen($config->MultiAuth->filters) |
146 | ) { |
147 | $this->filters = array_map( |
148 | 'trim', |
149 | explode(',', $config->MultiAuth->filters) |
150 | ); |
151 | } |
152 | } |
153 | |
154 | /** |
155 | * Attempt to authenticate the current user. Throws exception if login fails. |
156 | * |
157 | * @param \Laminas\Http\PhpEnvironment\Request $request Request object containing |
158 | * account credentials. |
159 | * |
160 | * @throws AuthException |
161 | * @return UserEntityInterface Object representing logged-in user. |
162 | */ |
163 | public function authenticate($request) |
164 | { |
165 | $this->filterCredentials($request); |
166 | |
167 | // Check for empty credentials before we do any extra work: |
168 | if ($this->username == '' || $this->password == '') { |
169 | throw new AuthException('authentication_error_blank'); |
170 | } |
171 | |
172 | // Update request with our filtered credentials: |
173 | $request->getPost()->set('username', $this->username); |
174 | $request->getPost()->set('password', $this->password); |
175 | |
176 | // Do the actual authentication work: |
177 | return $this->authUser($request); |
178 | } |
179 | |
180 | /** |
181 | * Load credentials into the object and apply internal filter settings to them. |
182 | * |
183 | * @param \Laminas\Http\PhpEnvironment\Request $request Request object containing |
184 | * account credentials. |
185 | * |
186 | * @return void |
187 | */ |
188 | protected function filterCredentials($request) |
189 | { |
190 | $this->username = $request->getPost()->get('username'); |
191 | $this->password = $request->getPost()->get('password'); |
192 | |
193 | foreach ($this->filters as $filter) { |
194 | $parts = explode(':', $filter); |
195 | $property = trim($parts[0]); |
196 | if (isset($this->$property)) { |
197 | $this->$property = call_user_func(trim($parts[1]), $this->$property); |
198 | } |
199 | } |
200 | } |
201 | |
202 | /** |
203 | * Do the actual work of authenticating the user (support method for |
204 | * authenticate()). |
205 | * |
206 | * @param \Laminas\Http\PhpEnvironment\Request $request Request object containing |
207 | * account credentials. |
208 | * |
209 | * @throws AuthException |
210 | * @return UserEntityInterface Object representing logged-in user. |
211 | */ |
212 | protected function authUser($request) |
213 | { |
214 | $exception = null; |
215 | $manager = $this->getPluginManager(); |
216 | |
217 | // Try authentication methods until we find one that works: |
218 | foreach ($this->methods as $method) { |
219 | $authenticator = $manager->get($method); |
220 | $authenticator->setConfig($this->getConfig()); |
221 | try { |
222 | $user = $authenticator->authenticate($request); |
223 | |
224 | // If we got this far without throwing an exception, we can break |
225 | // out of the loop -- we are logged in! |
226 | break; |
227 | } catch (AuthException $exception) { |
228 | // Do nothing -- just keep looping! We'll deal with the exception |
229 | // below if we don't find a successful login anywhere. |
230 | } |
231 | } |
232 | |
233 | // At this point, there are three possibilities: $user is a valid, |
234 | // logged-in user; $exception is an Exception that we need to forward |
235 | // along; or both variables are undefined, indicating that $this->methods |
236 | // is empty and thus something is wrong! |
237 | if (!isset($user)) { |
238 | throw $exception ?? new AuthException('authentication_error_technical'); |
239 | } |
240 | return $user; |
241 | } |
242 | |
243 | /** |
244 | * Set the manager for loading other authentication plugins. |
245 | * |
246 | * @param PluginManager $manager Plugin manager |
247 | * |
248 | * @return void |
249 | */ |
250 | public function setPluginManager(PluginManager $manager) |
251 | { |
252 | $this->manager = $manager; |
253 | } |
254 | |
255 | /** |
256 | * Get the manager for loading other authentication plugins. |
257 | * |
258 | * @throws \Exception |
259 | * @return PluginManager |
260 | */ |
261 | public function getPluginManager() |
262 | { |
263 | if (null === $this->manager) { |
264 | throw new \Exception('Plugin manager missing.'); |
265 | } |
266 | return $this->manager; |
267 | } |
268 | } |