Authentication framework, complete interface to support most currently known scenarios, for https://github.com/opnsense/core/issues/3242

* using setUserName() --> getUsername() we could support additional services per pam service registration (which would be needed for OpenVPN) * checkConstraints() can be used to implement current "has group" patterns
2026-03-13 16:14:40 +00:00 · 2019-02-24 19:31:04 +01:00 · 2019-02-24 19:31:04 +01:00 · 88ee92f63c
commit 88ee92f63c
parent 5ef4318c6b
3 changed files with 52 additions and 2 deletions
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
@ -171,11 +171,12 @@ class AuthenticationFactory
    {
        $service = $this->getService($service_name);
        if ($service !== null) {
+            $service->setUserName($username);
            foreach ($service->supportedAuthenticators() as $authname) {
                $authenticator = $this->get($authname);
                if ($authenticator !== null) {
-                    if ($authenticator->authenticate($username, $password)) {
-                        return true;
+                    if ($authenticator->authenticate($service->getUserName(), $password)) {
+                        return $service->checkConstraints();
                    }
                }
            }
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php
@ -40,4 +40,25 @@ interface IService
     * @return array list of configured authenticators (defined in system->authserver)
     */
     public function supportedAuthenticators();
+
+     /**
+      * set the username for this service, in some scenarios this might be prefixed with some addtional
+      * logic to determine which authenticators are actually supported.
+      * (in case one pam service has multiple real services assigned)
+      * @param $username string
+      */
+     public function setUserName($username);
+
+     /**
+      * return the username for authentication.
+      * @return string username
+      */
+     public function getUserName();
+
+     /**
+      * When authenticated, validate if this user is actually allowed to access the service, there might be
+      * other constraints, such as required gropu memberships.
+      * @return boolean is authenticated
+      */
+     public function checkConstraints();
 }
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
@ -37,6 +37,11 @@ use OPNsense\Auth\IService;
 */
 class System implements IService
 {
+    /**
+     * @var string username for the current request
+     */
+    private $username;
+
    /**
     * {@inheritdoc}
     */
@ -53,4 +58,27 @@ class System implements IService
        return $result;
     }

+     /**
+      * {@inheritdoc}
+      */
+     public function setUserName($username)
+     {
+        $this->username = $username;
+     }
+
+     /**
+      * {@inheritdoc}
+      */
+     public function getUserName()
+     {
+        return $this->username;
+     }
+
+     /**
+      * {@inheritdoc}
+      */
+     public function checkConstraints()
+     {
+          return true;
+     }
 }