From 88ee92f63c7cebb3bf12f8be0e197a0590968870 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Sun, 24 Feb 2019 19:31:04 +0100
Subject: [PATCH] Authentication framework, complete interface to support most currently known scenarios, for https://github.com/opnsense/core/issues/3242

* using setUserName() --> getUsername() we could support additional services per pam service registration (which would be needed for OpenVPN)
* checkConstraints() can be used to implement current "has group" patterns
---
 .../OPNsense/Auth/AuthenticationFactory.php | 5 ++--
 .../app/library/OPNsense/Auth/IService.php | 21 ++++++++++++++
 .../library/OPNsense/Auth/Services/System.php | 28 +++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php b/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
index a8737dae5..3413ee2fa 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/AuthenticationFactory.php
@@ -171,11 +171,12 @@ class AuthenticationFactory
     {
         $service = $this->getService($service_name);
         if ($service !== null) {
+            $service->setUserName($username);
             foreach ($service->supportedAuthenticators() as $authname) {
                 $authenticator = $this->get($authname);
                 if ($authenticator !== null) {
-                    if ($authenticator->authenticate($username, $password)) {
-                        return true;
+                    if ($authenticator->authenticate($service->getUserName(), $password)) {
+                        return $service->checkConstraints();
                     }
                 }
             }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php b/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php
index 0935523ce..8dc34e1cd 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/IService.php
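Review bot: A successful `authenticate()` now returns `$service->checkConstraints()` directly, so when the constraints fail the loop ends and `false` is returned without trying the remaining authenticators, and the caller cannot distinguish "bad credentials" from "authenticated but not authorized". Stopping at the first successful authenticator is the safe choice, but it deserves a comment on the new return line: `// authenticated; the service alone decides authorization (e.g. group membership), stop here either way`. Calling `setUserName()` before `supportedAuthenticators()` is also load-bearing, since the interface says the username may influence which authenticators apply; a one-line comment on the `setUserName()` call (`// must precede supportedAuthenticators(), which may depend on the username`) would protect that ordering. The enclosing method starts and ends outside the hunk.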
@@ -40,4 +40,25 @@ interface IService
      * @return array list of configured authenticators (defined in system->authserver)
      */
     public function supportedAuthenticators();
+
+    /**
+     * set the username for this service, in some scenarios this might be prefixed with some addtional
+     * logic to determine which authenticators are actually supported.
+     * (in case one pam service has multiple real services assigned)
+     * @param $username string
+     */
+    public function setUserName($username);
+
+    /**
+     * return the username for authentication.
+     * @return string username
+     */
+    public function getUserName();
+
+    /**
+     * When authenticated, validate if this user is actually allowed to access the service, there might be
+     * other constraints, such as required gropu memberships.
+     * @return boolean is authenticated
+     */
+    public function checkConstraints();
 }
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
index cbc4974dc..9edb03128 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Services/System.php
@@ -37,6 +37,11 @@ use OPNsense\Auth\IService;
  */
 class System implements IService
 {
+    /**
+     * @var string username for the current request
+     */
+    private $username;
+
     /**
      * {@inheritdoc}
      */
@@ -53,4 +58,27 @@ class System implements IService
         return $result;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function setUserName($username)
+    {
+        $this->username = $username;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function getUserName()
+    {
+        return $this->username;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function checkConstraints()
+    {
+        return true;
+    }
 }
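Review bot: The docblock on `checkConstraints()` says `@return boolean is authenticated`, but the method answers an authorization question — whether the already-authenticated user may use this service — so `@return bool true when the authenticated user may access this service` is the accurate wording, and it should state the precondition that `setUserName()` has been called and authentication has succeeded. The interface's own text says the username may determine which authenticators are supported, so the contract should also say that `supportedAuthenticators()` is only meaningful after `setUserName()`. Minor: `@param $username string` has the PHPDoc order reversed (`@param string $username`), and "addtional" and "gropu" are typos.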
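Review bot: `System::checkConstraints()` returns `true` unconditionally, so the system service accepts every user that any of its authenticators accepts, with no group or other authorization check at this layer; if that is intended it should be stated so a later reader does not assume a check exists: `// the system service adds no constraints of its own: any successfully authenticated user is accepted`. `getUserName()` returns `null` until `setUserName()` has been called, so a caller that authenticates without setting the name first would pass `null` as the username; a default of `''` on the property or a documented precondition would make that explicit.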