summaryrefslogtreecommitdiff
path: root/manager/application/controllers/LoginController.php
diff options
context:
space:
mode:
Diffstat (limited to 'manager/application/controllers/LoginController.php')
-rw-r--r--manager/application/controllers/LoginController.php260
1 files changed, 260 insertions, 0 deletions
diff --git a/manager/application/controllers/LoginController.php b/manager/application/controllers/LoginController.php
new file mode 100644
index 0000000..e007e05
--- /dev/null
+++ b/manager/application/controllers/LoginController.php
@@ -0,0 +1,260 @@
+<?php
+/**
+ * @author markus
+ * $Id: LoginController.php 75 2010-02-25 14:40:10Z markus $
+ */
+
+require_once('helpers/GetEnv.php');
+require_once('config/Config.php');
+
+class LoginController extends Zend_Controller_Action
+{
+
+ public function init() {
+ /* Initialize action controller here */
+ }
+
+ public function indexAction() {
+ $this->view->form = $this->getForm();
+ $this->render('index');
+ }
+
+ public function loginAction() {
+ $form = $this->getForm();
+ if ($form->isValid($_POST)) {
+ $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV);
+
+ $db = Zend_Db::factory($config->ca_mgr->db->auth->pdo, $config->ca_mgr->db->auth);
+ Zend_Registry::set('auth_dbc', $db);
+ $db2 = Zend_Db::factory($config->ca_mgr->db->auth2->pdo, $config->ca_mgr->db->auth2);
+ Zend_Registry::set('auth2_dbc', $db2);
+
+ $auth = new Zend_Auth_Adapter_DbTable($db);
+
+ $auth->setTableName($config->ca_mgr->db->auth->tablename)
+ ->setIdentityColumn('email')
+ ->setCredentialColumn('password');
+
+ $auth->setIdentity( $this->getRequest()->getParam('login_name'))
+ ->setCredential( sha1($this->getRequest()->getParam('login_password')))
+ ->setCredentialTreatment('?');
+
+ $result = $auth->authenticate();
+
+ $code = $result->getCode();
+ switch ($code) {
+ case Zend_Auth_Result::FAILURE:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE) to log in ' . $this->getRequest()->getParam('login_name'));
+ throw new Exception(__METHOD__ . ': unknown error');
+ case Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND) to log in ' . $this->getRequest()->getParam('login_name'));
+ throw new Exception(__METHOD__ . ': ID unknown');
+ case Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS) to log in ' . $this->getRequest()->getParam('login_name'));
+ throw new Exception(__METHOD__ . ': ID not unique');
+ case Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID) to log in ' . $this->getRequest()->getParam('login_name'));
+ throw new Exception(__METHOD__ . ': ID unknown'); // to prevent brute force password attachs
+ case Zend_Auth_Result::FAILURE_UNCATEGORIZED:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_UNCATEGORIZED) to log in ' . $this->getRequest()->getParam('login_name'));
+ throw new Exception(__METHOD__ . ': unknown error');
+ }
+
+ $this->getAuthDetailsIntoSession($auth, false);
+
+ Log::Log()->info(__METHOD__ . ' user logged in ' . $this->view->session->authdata['authed_username'] .
+ ' (' . $this->getRequest()->getParam('login_name') . ')');
+
+ #$this->_forward('index', 'index'); // only "soft" forward, we need to change the url in browser
+ $this->_redirect($this->view->url(array('controller' => 'index', 'action' => 'index'), 'default', true));
+
+ /*
+ $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
+ $viewRenderer->setRender('loginresult');
+ $this->view->request = $this->getRequest();
+ */
+ }
+ else {
+ $this->view->form = $form;
+ return $this->render('index');
+ }
+ }
+
+ public function crtAction() {
+ $ssl_client_s_dn = GetEnv::getEnvVar('SSL_CLIENT_S_DN');
+ $ssl_client_i_dn = GetEnv::getEnvVar('SSL_CLIENT_I_DN');
+
+ $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV);
+
+ $db = Zend_Db::factory($config->ca_mgr->db->auth->pdo, $config->ca_mgr->db->auth);
+ Zend_Registry::set('auth_dbc', $db);
+ $db2 = Zend_Db::factory($config->ca_mgr->db->auth2->pdo, $config->ca_mgr->db->auth2);
+ Zend_Registry::set('auth2_dbc', $db2);
+
+ $auth = new Zend_Auth_Adapter_DbTable($db);
+
+ $auth->setTableName($config->ca_mgr->db->auth->tablename)
+ ->setIdentityColumn('user_client_crt_s_dn_i_dn')
+ ->setCredentialColumn('user_client_crt_s_dn_i_dn');
+
+ $auth->setIdentity( $ssl_client_s_dn . '//' . $ssl_client_i_dn)
+ ->setCredential($ssl_client_s_dn . '//' . $ssl_client_i_dn)
+ ->setCredentialTreatment('?');
+
+ $result = $auth->authenticate();
+
+ $code = $result->getCode();
+ switch ($code) {
+ case Zend_Auth_Result::FAILURE:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE) to log in ' . $ssl_client_s_dn . '//' . $ssl_client_i_dn);
+ throw new Exception(__METHOD__ . ': unknown error');
+ case Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND) to log in ' . $ssl_client_s_dn . '//' . $ssl_client_i_dn);
+ throw new Exception(__METHOD__ . ': ID unknown');
+ case Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS) to log in ' . $ssl_client_s_dn . '//' . $ssl_client_i_dn);
+ throw new Exception(__METHOD__ . ': ID not unique');
+ case Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID) to log in ' . $ssl_client_s_dn . '//' . $ssl_client_i_dn);
+ throw new Exception(__METHOD__ . ': ID unknown'); // to prevent brute force password attachs
+ case Zend_Auth_Result::FAILURE_UNCATEGORIZED:
+ Log::Log()->info(__METHOD__ . ' user failed (Zend_Auth_Result::FAILURE_UNCATEGORIZED) to log in ' . $ssl_client_s_dn . '//' . $ssl_client_i_dn);
+ throw new Exception(__METHOD__ . ': unknown error');
+ }
+
+ $this->getAuthDetailsIntoSession($auth, true);
+
+ /*
+ $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
+ $viewRenderer->setRender('loginresult');
+ */
+
+ Log::Log()->info(__METHOD__ . ' user logged in ' . $this->view->session->authdata['authed_username'] .
+ ' (' . $ssl_client_s_dn . '//' . $ssl_client_i_dn . ')');
+
+ #$this->_forward('index', 'index'); // only "soft" forward, we need to change the url in browser
+ $this->_redirect($this->view->url(array('controller' => 'index', 'action' => 'index'), 'default', true));
+ }
+
+ /**
+ * get user data from Zend_Auth result and store data in session
+ * @param Zend_Auth_Result $auth
+ */
+ protected function getAuthDetailsIntoSession($auth, $crt) {
+ $session = Zend_Registry::get('session');
+
+ /**
+ * non existent in our case, look up a 2nd table (ca_mgr.system_user by login name (email)) and
+ * get id from there, defaulting to User (1) when no db entry exists
+ */
+ $auth_res = $auth->getResultRowObject();
+ $system_roles_id = 1;
+
+ $session->authdata['authed'] = true;
+ $session->authdata['authed_id'] = $auth_res->id;
+ $session->authdata['authed_username'] = $auth_res->email;
+ $session->authdata['authed_fname'] = $auth_res->fname;
+ $session->authdata['authed_lname'] = $auth_res->lname;
+ $session->authdata['authed_by_crt'] = $crt;
+ $session->authdata['authed_by_cli'] = true;
+
+ $db = Zend_Registry::get('auth2_dbc');
+ $res = $db->query('select * from system_role where id=?', array($system_roles_id));
+ $res_ar = $res->fetch();
+ $session->authdata['authed_role'] = $res_ar['role'];
+
+ $acl = $this->makeAcl($db);
+
+ $session->authdata['authed_permissions'] = $acl;
+
+ /* test cases
+ Log::Log()->debug(($acl->isAllowed('User', 'Administration', 'view') == true)?'true':'false');
+ Log::Log()->debug(($acl->isAllowed('User', 'Administration', 'edit') == true)?'true':'false');
+ Log::Log()->debug(($acl->isAllowed('User', 'Account', 'view') == true)?'true':'false');
+ Log::Log()->debug(($acl->isAllowed('User', 'Account', 'edit') == true)?'true':'false');
+ Log::Log()->debug(($acl->isAllowed('Admin', 'Administration', 'view') == true)?'true':'false');
+ Log::Log()->debug(($acl->isAllowed('Admin', 'Account', 'view') == true)?'true':'false');
+ */
+
+ $this->view->session = $session;
+ }
+
+ /**
+ * build login form and return to requesting method
+ * @return Zend_Form
+ */
+ protected function getForm() {
+ $form = new Zend_Form();
+ $form->setAction('/login/login')
+ ->setMethod('post');
+ #$form->setAttrib('id', 'loginform');
+ $al = new Zend_Validate_Alnum();
+ $al->setDefaultTranslator(I18n::getTranslate());
+ $al->setDisableTranslator(false);
+ $username = new Zend_Form_Element_Text('login_name');
+ $username->addValidator(new Zend_Validate_StringLength(2,20))
+ ->setRequired(true)
+ ->addFilter('StringToLower')
+ ->setLabel(I18n::_('User Name'));
+ $password = new Zend_Form_Element_Password('login_password');
+ $password->addValidator(new Zend_Validate_Alnum())
+ ->addValidator(new Zend_Validate_StringLength(8,20))
+ ->setRequired(true)
+ ->setLabel(I18n::_('Password'));
+ $submit = new Zend_Form_Element_Submit('submit');
+ $submit->setLabel(I18n::_('Login'));
+ $form->addElement($username)
+ ->addElement($password)
+ ->addElement($submit);
+
+ return $form;
+ }
+
+ /**
+ * get roles and resources from db, build Zend_Acl structure and add permissions
+ * @param Zend_Db $db
+ */
+ protected function makeAcl($db) {
+ $acl = new Zend_Acl();
+
+ $res = $db->fetchAll('select * from system_role');
+ foreach ($res as $obj) {
+ if ($obj['inherit_role'] != '') {
+ if ($acl->hasRole($obj['inherit_role'])) {
+ $acl->addRole(new Zend_Acl_Role($obj['role']), $obj['inherit_role']);
+ }
+ else {
+ /**
+ * @todo very simply system to order roles, add role before inherited role
+ */
+ $res[] = $obj;
+ continue;
+ }
+ }
+ else {
+ $acl->addRole(new Zend_Acl_Role($obj['role']));
+ }
+ }
+
+ $res = $db->fetchAll('select * from system_resource');
+ foreach ($res as $obj) {
+ $acl->addResource(new Zend_Acl_Resource($obj['resource']));
+ }
+
+ $res = $db->fetchAll('select r.role as role, rs.resource as resource, permission, privilege '.
+ 'from system_role as r join system_role_has_system_resource as m on ' .
+ '(r.id = m.system_role_id) join system_resource as rs on (m.system_resource_id = rs.id)');
+
+ foreach ($res as $obj) {
+ $privilege = explode(',', $obj['privilege']);
+ if ($obj['permission'] == 'allow') {
+ $acl->allow($obj['role'], $obj['resource'], $privilege);
+ }
+ else {
+ $acl->deny($obj['role'], $obj['resource'], $privilege);
+ }
+ }
+
+ return $acl;
+ }
+}