forked from mneitsabes/Wikimedia-SimpleRadiusAuth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
SimpleRadiusAuthProvider.php
172 lines (150 loc) · 6.03 KB
/
SimpleRadiusAuthProvider.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
<?php
use MediaWiki\Auth\AuthenticationRequest;
use MediaWiki\Auth\PasswordAuthenticationRequest;
use MediaWiki\Auth\AuthenticationResponse;
use MediaWiki\Auth\AuthManager;
/**
* Provide a simple RADIUS Primary Authentification Provider.
*
* This extension allows you to delegate authentication to a RADIUS server.
*
* Class SimpleRadiusAuthProvider
*/
class SimpleRadiusAuthProvider extends \MediaWiki\Auth\AbstractPasswordPrimaryAuthenticationProvider {
/**
* SimpleRadiusAuthProvider constructor.
*
* Do some checks.
*/
public function SimpleRadiusAuthProvider() {
global $wgSimpleRadiusAuthServer, $wgSimpleRadiusAuthPort, $wgSimpleRadiusAuthSecret, $wgSimpleRadiusAuthTimeout, $wgSimpleRadiusAuthMaxTries;
parent::__construct();
// Simple checks
if( !isset( $wgSimpleRadiusAuthServer ) || strlen( $wgSimpleRadiusAuthServer ) == 0 ) {
wfDebug("\$wgSimpleRadiusAuthServer is not defined");
}
if( !isset( $wgSimpleRadiusAuthPort ) || !is_int( $wgSimpleRadiusAuthPort ) || $wgSimpleRadiusAuthMaxTries < 0 || $wgSimpleRadiusAuthMaxTries > 65535 ) {
wfDebug("\$$wgSimpleRadiusAuthPort is not defined or is not a valid integer");
}
if( !isset( $wgSimpleRadiusAuthSecret ) || strlen( $wgSimpleRadiusAuthSecret ) == 0 ) {
wfDebug("\$$wgSimpleRadiusAuthSecret is not defined");
}
if( !isset( $wgSimpleRadiusAuthTimeout ) || !is_int( $wgSimpleRadiusAuthTimeout ) || $wgSimpleRadiusAuthMaxTries < 0) {
wfDebug("\$$wgSimpleRadiusAuthTimeout is not defined or is not a valid integer");
}
if( !isset( $wgSimpleRadiusAuthMaxTries ) || !is_int( $wgSimpleRadiusAuthMaxTries ) || $wgSimpleRadiusAuthMaxTries < 0) {
wfDebug("\$$wgSimpleRadiusAuthMaxTries is not defined or is not a valid integer");
}
if( function_exists( 'radius_auth_open' ) ) {
wfDebug("RADIUS extension for PHP is not installed");
}
}
/**
* Start an authentication flow.
*
* The credentials are send to the RADIUS server.
*
* @param array $reqs
* @return AuthenticationResponse
*/
public function beginPrimaryAuthentication(array $reqs) {
global $wgSimpleRadiusAuthServer, $wgSimpleRadiusAuthPort, $wgSimpleRadiusAuthSecret, $wgSimpleRadiusAuthTimeout, $wgSimpleRadiusAuthMaxTries;
// Check if the username and password are defined
$req = AuthenticationRequest::getRequestByClass( $reqs, PasswordAuthenticationRequest::class );
if ( !$req || $req->username === null || $req->password === null ) {
return AuthenticationResponse::newAbstain();
}
$username = User::getCanonicalName( $req->username, 'usable' );
if ( $username === false ) {
return AuthenticationResponse::newAbstain();
}
// Use RADIUS for the authentification
$radius = radius_auth_open();
radius_add_server( $radius,
$wgSimpleRadiusAuthServer,
$wgSimpleRadiusAuthPort,
$wgSimpleRadiusAuthSecret,
$wgSimpleRadiusAuthTimeout,
$wgSimpleRadiusAuthMaxTries);
radius_create_request( $radius, RADIUS_ACCESS_REQUEST );
radius_put_attr( $radius, RADIUS_USER_NAME, strtolower( $username ) );
radius_put_attr( $radius, RADIUS_USER_PASSWORD, $req->password );
// If RADIUS accept the credentials, we're good to go
if( radius_send_request( $radius ) == RADIUS_ACCESS_ACCEPT )
return AuthenticationResponse::newPass( $username );
else
return AuthenticationResponse::newFail( new Message( 'authmanager-authn-no-primary' ) );
}
/**
* Test whether the named user exists : always returns true because we cannot ask the RADIUS server for that.
*
* @param string $username
* @param int $flags
* @return bool
*/
public function testUserExists($username, $flags = User::READ_NORMAL) {
return true;
}
/**
* The extension doesn't support a change of authentication data.
*
* @param AuthenticationRequest $req
* @param bool $checkData
* @return StatusValue
*/
public function providerAllowsAuthenticationDataChange(AuthenticationRequest $req, $checkData = true) {
return StatusValue::newGood( 'ignored' );
}
/**
* The providerAllowsAuthenticationDataChange() method returns that we don't support that so we don't implement it.
*
* Always throw BadMethodCallException.
*
* @param AuthenticationRequest $req
* @throws BadMethodCallException
*/
public function providerChangeAuthenticationData(AuthenticationRequest $req) {
throw new \BadMethodCallException( __METHOD__ . ' is not implemented.' );
}
/**
* Fetch the account-creation type, always return TYPE_CREATE.
*
* @return string
*/
public function accountCreationType() {
return self::TYPE_CREATE;
}
/**
* We're not involved in the creation user process.
*
* Always return AuthenticationResponse::newAbstain().
*
* @param User $user
* @param User $creator
* @param array $reqs
* @return AuthenticationResponse
*/
public function beginPrimaryAccountCreation($user, $creator, array $reqs) {
return AuthenticationResponse::newAbstain();
}
/**
* Returns the applicable list of AuthenticationRequests
*
* We only support the ACTION_LOGIN.
*
* @param string $action
* @param array $options
* @return array
*/
public function getAuthenticationRequests($action, array $options) {
switch ( $action ) {
case AuthManager::ACTION_LOGIN:
return [ new PasswordAuthenticationRequest() ];
case AuthManager::ACTION_CHANGE:
case AuthManager::ACTION_CREATE:
case AuthManager::ACTION_REMOVE:
default:
}
return [];
}
}