4 * $Id: LoginController.php 75 2010-02-25 14:40:10Z markus $
7 require_once('helpers/GetEnv.php');
8 require_once('config/Config.php');
10 class LoginController
extends Zend_Controller_Action
/**
 * Action-controller setup: open the two authentication database connections
 * declared in application.ini (sections ca_mgr.db.auth and ca_mgr.db.auth2)
 * and publish them in Zend_Registry as 'auth_dbc' and 'auth2_dbc', where the
 * actions of this controller pick them up.
 */
public function init() {
    $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV);
    $dbConfig = $config->ca_mgr->db;

    // Each adapter is built from the section's `pdo` adapter name with the
    // section itself as the connection parameters; order matters only in so
    // far as 'auth_dbc' is opened before 'auth2_dbc'.
    $connections = array(
        'auth_dbc'  => $dbConfig->auth,
        'auth2_dbc' => $dbConfig->auth2,
    );
    foreach ($connections as $registryKey => $section) {
        Zend_Registry::set($registryKey, Zend_Db::factory($section->pdo, $section));
    }
}
/**
 * Show the login page: hand the login form to the view and render `index`.
 */
public function indexAction() {
    $loginForm = $this->getForm();
    $this->view->form = $loginForm;
    $this->render('index');
}
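/**
 * Handle the submitted password-login form.
 *
 * Validates the POSTed form, authenticates against the `auth` database table
 * (identity column `email`, credential column `password`, compared as sha1),
 * stores the user's details in the session via getAuthDetailsIntoSession() and
 * redirects to index/index. Every failure is logged and reported by throwing an
 * Exception; "identity not found" and "credential invalid" deliberately produce
 * the same message so the response does not reveal which accounts exist. An
 * invalid form falls through and re-renders the login page.
 *
 * @throws Exception when authentication does not succeed
 */
public function loginAction() {
    $form = $this->getForm();
    $request = $this->getRequest();

    if ($form->isValid($request->getPost())) {
        // Use the values the form has just validated, not getParam(), which
        // would also accept route/GET parameters the form never checked.
        $loginName = $form->getValue('login_name');
        $loginPassword = $form->getValue('login_password');
        // Strip control characters before logging so a crafted login name
        // cannot forge log lines.
        $logName = preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $loginName);

        $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV);
        $db = Zend_Registry::get('auth_dbc');

        $auth = new Zend_Auth_Adapter_DbTable($db);
        $auth->setTableName($config->ca_mgr->db->auth->tablename)
             ->setIdentityColumn('email')
             ->setCredentialColumn('password');
        // NOTE(review): the stored credential is an unsalted sha1 of the
        // password. Moving the column to password_hash()/password_verify()
        // (rehashing on successful login) needs a schema change — not done here.
        $auth->setIdentity($loginName)
             ->setCredential(sha1($loginPassword))
             ->setCredentialTreatment('?');

        $result = $auth->authenticate();

        // Fail closed: anything that is not SUCCESS is a failure, including
        // result codes this map does not know about.
        if (!$result->isValid()) {
            $failures = array(
                Zend_Auth_Result::FAILURE                    => array('Zend_Auth_Result::FAILURE', 'unknown error'),
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND => array('Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND', 'ID unknown'),
                Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS => array('Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS', 'ID not unique'),
                // same message as "identity not found": do not reveal that the account exists
                Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID => array('Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID', 'ID unknown'),
                Zend_Auth_Result::FAILURE_UNCATEGORIZED      => array('Zend_Auth_Result::FAILURE_UNCATEGORIZED', 'unknown error'),
            );
            $code = $result->getCode();
            $label = isset($failures[$code]) ? $failures[$code][0] : 'unexpected Zend_Auth_Result code ' . (int) $code;
            $message = isset($failures[$code]) ? $failures[$code][1] : 'unknown error';
            Log::Log()->info(__METHOD__ . ' user failed (' . $label . ') to log in ' . $logName);
            throw new Exception(__METHOD__ . ': ' . $message);
        }

        $this->getAuthDetailsIntoSession($auth, false);
        Log::Log()->info(__METHOD__ . ' user logged in ' . $this->view->session->authdata['authed_username'] .
            ' (' . $logName . ')');

        // A real redirect rather than _forward(): the URL shown in the browser
        // must change. _redirect() exits by default, so nothing below runs on success.
        $this->_redirect($this->view->url(array('controller' => 'index', 'action' => 'index'), 'default', true));
    }

    // Form did not validate: show it again.
    // NOTE(review): the braces around this tail were lost in the listing this was
    // restored from; placing it after the if-block is the assumed layout — confirm.
    $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
    $viewRenderer->setRender('loginresult');
    $this->view->request = $this->getRequest();
    $this->view->form = $form;
    return $this->render('index');
}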
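/**
 * Log the user in with the client certificate presented on the TLS connection.
 *
 * The subject and issuer DN exported by the web server (SSL_CLIENT_S_DN and
 * SSL_CLIENT_I_DN) are joined with '//' and looked up in the `auth2` table,
 * column `user_client_crt_s_dn_i_dn`; the DN string is both identity and
 * credential, so this is an existence check on the combined DN. On success the
 * user's details go into the session and the browser is redirected to
 * index/index; every failure is logged and reported by throwing an Exception.
 *
 * @throws Exception when no client certificate DN is present or it is not known
 */
public function crtAction() {
    $ssl_client_s_dn = GetEnv::getEnvVar('SSL_CLIENT_S_DN');
    $ssl_client_i_dn = GetEnv::getEnvVar('SSL_CLIENT_I_DN');
    $dn = $ssl_client_s_dn . '//' . $ssl_client_i_dn;
    // Strip control characters before logging so a crafted DN cannot forge log lines.
    $logDn = preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $dn);

    // NOTE(review): the DN variables only show that a certificate was presented;
    // whether its chain was verified depends on the server's SSLVerifyClient
    // setting. Checking SSL_CLIENT_VERIFY === 'SUCCESS' here would make that
    // explicit — confirm how GetEnv exposes it and what the vhost requires.

    // Fail closed when no certificate DN was exported at all, instead of
    // looking up the bare separator '//' in the database.
    if ((string) $ssl_client_s_dn === '' || (string) $ssl_client_i_dn === '') {
        Log::Log()->info(__METHOD__ . ' user failed (no client certificate DN) to log in ' . $logDn);
        throw new Exception(__METHOD__ . ': ID unknown');
    }

    $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV);
    $db2 = Zend_Registry::get('auth2_dbc');

    $auth = new Zend_Auth_Adapter_DbTable($db2);
    $auth->setTableName($config->ca_mgr->db->auth2->tablename)
         ->setIdentityColumn('user_client_crt_s_dn_i_dn')
         ->setCredentialColumn('user_client_crt_s_dn_i_dn');
    $auth->setIdentity($dn)
         ->setCredential($dn)
         ->setCredentialTreatment('?');

    $result = $auth->authenticate();

    // Fail closed: anything that is not SUCCESS is a failure, including
    // result codes this map does not know about.
    if (!$result->isValid()) {
        $failures = array(
            Zend_Auth_Result::FAILURE                    => array('Zend_Auth_Result::FAILURE', 'unknown error'),
            Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND => array('Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND', 'ID unknown'),
            Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS => array('Zend_Auth_Result::FAILURE_IDENTITY_AMBIGUOUS', 'ID not unique'),
            // same message as "identity not found": do not reveal that the DN is known
            Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID => array('Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID', 'ID unknown'),
            Zend_Auth_Result::FAILURE_UNCATEGORIZED      => array('Zend_Auth_Result::FAILURE_UNCATEGORIZED', 'unknown error'),
        );
        $code = $result->getCode();
        $label = isset($failures[$code]) ? $failures[$code][0] : 'unexpected Zend_Auth_Result code ' . (int) $code;
        $message = isset($failures[$code]) ? $failures[$code][1] : 'unknown error';
        Log::Log()->info(__METHOD__ . ' user failed (' . $label . ') to log in ' . $logDn);
        throw new Exception(__METHOD__ . ': ' . $message);
    }

    $this->getAuthDetailsIntoSession($auth, true);

    $viewRenderer = Zend_Controller_Action_HelperBroker::getStaticHelper('viewRenderer');
    $viewRenderer->setRender('loginresult');

    Log::Log()->info(__METHOD__ . ' user logged in ' . $this->view->session->authdata['authed_username'] .
        ' (' . $logDn . ')');

    // A real redirect rather than _forward(): the URL shown in the browser
    // must change. _redirect() exits by default.
    $this->_redirect($this->view->url(array('controller' => 'index', 'action' => 'index'), 'default', true));
}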
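/**
 * Copy the authenticated user's details from the auth adapter into the session.
 *
 * Reads the matched row from $auth, resolves the user's system role and name,
 * builds the Zend_Acl for that role (makeAcl) and stores everything under
 * $session->authdata: authed, authed_id, authed_username, authed_fname,
 * authed_lname, authed_by_crt, authed_by_cli, authed_role, authed_permissions.
 * The session object is also exposed to the view as $this->view->session.
 *
 * @param Zend_Auth_Adapter_DbTable $auth adapter whose authenticate() has just succeeded
 * @param bool $crt true when the user authenticated with a client certificate
 * @throws Exception when the user's name row or system role cannot be resolved
 */
protected function getAuthDetailsIntoSession($auth, $crt) {
    $session = Zend_Registry::get('session');
    $db = Zend_Registry::get('auth_dbc');
    $db2 = Zend_Registry::get('auth2_dbc');

    $auth_res = $auth->getResultRowObject();

    // The auth row may carry no role (system_role_id missing or 0). Then look the
    // user up in the manager database (ca_mgr.system_user) by login name (email);
    // a user without an entry there gets the plain User role (id 1).
    if (!isset($auth_res->system_role_id) || $auth_res->system_role_id == 0) {
        $res = $db2->query('select * from system_user where login=?', array($auth_res->email));
        if ($res->rowCount() > 0) {
            $res_ar = $res->fetch();
            $system_roles_id = $res_ar['system_role_id'];
        } else {
            // no extra user info in manager database, assume standard user
            $system_roles_id = 1;
        }
    } else {
        $system_roles_id = $auth_res->system_role_id;
    }

    // Collect everything first and write it to the session only once every
    // lookup succeeded, so a failure below never leaves a half-populated
    // entry with authed=true behind.
    $authdata = (isset($session->authdata) && is_array($session->authdata)) ? $session->authdata : array();
    $authdata['authed'] = true;
    $authdata['authed_id'] = $auth_res->id;

    if (!isset($auth_res->fname) || !isset($auth_res->lname)) {
        // The row carries no name (certificate login): fetch it from the users table.
        $res = $db->query('select * from users where email=?', array($auth_res->login));
        $res_ar = $res->fetch();
        if ($res_ar === false) {
            throw new Exception(__METHOD__ . ': no user record for authenticated login');
        }
        $authdata['authed_username'] = 'crt' . $res_ar['login'];
        $authdata['authed_fname'] = $res_ar['fname'];
        $authdata['authed_lname'] = $res_ar['lname'];
    } else {
        $authdata['authed_username'] = $auth_res->email;
        $authdata['authed_fname'] = $auth_res->fname;
        $authdata['authed_lname'] = $auth_res->lname;
    }
    $authdata['authed_by_crt'] = $crt;
    $authdata['authed_by_cli'] = true;

    $res = $db2->query('select * from system_role where id=?', array($system_roles_id));
    $res_ar = $res->fetch();
    if ($res_ar === false) {
        // An authenticated session without a resolvable role is not usable; fail closed.
        throw new Exception(__METHOD__ . ': unknown system role ' . $system_roles_id);
    }
    $authdata['authed_role'] = $res_ar['role'];

    $acl = $this->makeAcl($db2);
    $authdata['authed_permissions'] = $acl;

    // NOTE(review): this is the point where the session changes privilege level;
    // if sessions are managed by Zend_Session, Zend_Session::regenerateId() here
    // would close session fixation — confirm before adding.
    $session->authdata = $authdata;

    Log::Log()->debug($acl->isAllowed('User', 'Administration', 'view') ? 'true' : 'false');
    Log::Log()->debug($acl->isAllowed('User', 'Administration', 'edit') ? 'true' : 'false');
    Log::Log()->debug($acl->isAllowed('User', 'Account', 'view') ? 'true' : 'false');
    Log::Log()->debug($acl->isAllowed('User', 'Account', 'edit') ? 'true' : 'false');
    Log::Log()->debug($acl->isAllowed('Admin', 'Administration', 'view') ? 'true' : 'false');
    Log::Log()->debug($acl->isAllowed('Admin', 'Account', 'view') ? 'true' : 'false');

    $this->view->session = $session;
}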
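/**
 * Build the login form (user name, password, submit) that posts to /login/login.
 *
 * Labels are translated through I18n. The application translator is also
 * installed as the default for all Zend_Validate validators; the original code
 * did this through a throw-away Zend_Validate_Alnum instance that was never
 * attached to an element, so only the static default-translator setting had any
 * effect and is kept here.
 *
 * NOTE(review): the form carries no anti-CSRF token; a Zend_Form_Element_Hash
 * element would protect the login against cross-site submission — confirm the
 * session is available when the form is built.
 *
 * @return Zend_Form
 */
protected function getForm() {
    $form = new Zend_Form();
    $form->setAction('/login/login')
         ->setMethod('post');

    // Static setting: applies to every validator, not just one instance.
    Zend_Validate_Abstract::setDefaultTranslator(I18n::getTranslate());

    $username = new Zend_Form_Element_Text('login_name');
    $username->setRequired(true)
             ->setLabel(I18n::_('User Name'));

    $password = new Zend_Form_Element_Password('login_password');
    $password->setRequired(true)
             ->setLabel(I18n::_('Password'));

    $submit = new Zend_Form_Element_Submit('submit');
    $submit->setLabel(I18n::_('Login'));

    $form->addElement($username)
         ->addElement($password)
         ->addElement($submit);

    return $form;
}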
236 * get roles and resources from db, build Zend_Acl structure and add permissions
239 protected function makeAcl($db) {
240 $acl = new Zend_Acl();
242 $res = $db->fetchAll('select * from system_role');
243 foreach ($res as $obj) {
244 if ($obj['inherit_role'] != '') {
245 if ($acl->hasRole($obj['inherit_role'])) {
246 $acl->addRole(new Zend_Acl_Role($obj['role']), $obj['inherit_role']);
250 * @todo very simply system to order roles, add role before inherited role
257 $acl->addRole(new Zend_Acl_Role($obj['role']));
261 $res = $db->fetchAll('select * from system_resource');
262 foreach ($res as $obj) {
263 $acl->addResource(new Zend_Acl_Resource($obj['resource']));
266 $res = $db->fetchAll('select r.role as role, rs.resource as resource, permission, privilege '.
267 'from system_role as r join system_role_has_system_resource as m on ' .
268 '(r.id = m.system_role_id) join system_resource as rs on (m.system_resource_id = rs.id)');
270 foreach ($res as $obj) {
271 $privilege = explode(',', $obj['privilege']);
272 if ($obj['permission'] == 'allow') {
273 $acl->allow($obj['role'], $obj['resource'], $privilege);
276 $acl->deny($obj['role'], $obj['resource'], $privilege);