init III
This commit is contained in:
293
Perl OTRS/Kernel/System/Auth/DB.pm
Normal file
293
Perl OTRS/Kernel/System/Auth/DB.pm
Normal file
@@ -0,0 +1,293 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::DB;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Crypt::PasswdMD5 qw(unix_md5_crypt apache_md5_crypt);
|
||||
use Digest::SHA;
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::DB',
|
||||
'Kernel::System::Encode',
|
||||
'Kernel::System::Log',
|
||||
'Kernel::System::Main',
|
||||
'Kernel::System::Valid',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
# Debug 0=off 1=on
|
||||
$Self->{Debug} = 0;
|
||||
|
||||
# get config object
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# get user table
|
||||
$Self->{UserTable} = $ConfigObject->Get( 'DatabaseUserTable' . $Param{Count} )
|
||||
|| 'users';
|
||||
$Self->{UserTableUserID} = $ConfigObject->Get( 'DatabaseUserTableUserID' . $Param{Count} )
|
||||
|| 'id';
|
||||
$Self->{UserTableUserPW} = $ConfigObject->Get( 'DatabaseUserTableUserPW' . $Param{Count} )
|
||||
|| 'pw';
|
||||
$Self->{UserTableUser} = $ConfigObject->Get( 'DatabaseUserTableUser' . $Param{Count} )
|
||||
|| 'login';
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub GetOption {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{What} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need What!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# module options
|
||||
my %Option = (
|
||||
PreAuth => 0,
|
||||
);
|
||||
|
||||
# return option
|
||||
return $Option{ $Param{What} };
|
||||
}
|
||||
|
||||
sub Auth {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{User} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need User!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# get params
|
||||
my $User = $Param{User} || '';
|
||||
my $Pw = $Param{Pw} || '';
|
||||
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
||||
my $UserID = '';
|
||||
my $GetPw = '';
|
||||
my $Method;
|
||||
|
||||
# get database object
|
||||
my $DBObject = $Kernel::OM->Get('Kernel::System::DB');
|
||||
|
||||
# sql query
|
||||
my $SQL = "SELECT $Self->{UserTableUserPW}, $Self->{UserTableUserID}, $Self->{UserTableUser} "
|
||||
. " FROM "
|
||||
. " $Self->{UserTable} "
|
||||
. " WHERE "
|
||||
. " valid_id IN ( ${\(join ', ', $Kernel::OM->Get('Kernel::System::Valid')->ValidIDsGet())} ) AND "
|
||||
. " $Self->{UserTableUser} = '" . $DBObject->Quote($User) . "'";
|
||||
$DBObject->Prepare( SQL => $SQL );
|
||||
|
||||
while ( my @Row = $DBObject->FetchrowArray() ) {
|
||||
$GetPw = $Row[0];
|
||||
$UserID = $Row[1];
|
||||
$User = $Row[2];
|
||||
}
|
||||
|
||||
# get needed objects
|
||||
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# crypt given pw
|
||||
my $CryptedPw = '';
|
||||
my $Salt = $GetPw;
|
||||
if (
|
||||
$ConfigObject->Get('AuthModule::DB::CryptType')
|
||||
&& $ConfigObject->Get('AuthModule::DB::CryptType') eq 'plain'
|
||||
)
|
||||
{
|
||||
$CryptedPw = $Pw;
|
||||
$Method = 'plain';
|
||||
}
|
||||
|
||||
# md5, bcrypt or sha pw
|
||||
elsif ( $GetPw !~ /^.{13}$/ ) {
|
||||
|
||||
# md5 pw
|
||||
if ( $GetPw =~ m{\A \$.+? \$.+? \$.* \z}xms ) {
|
||||
|
||||
# strip Salt
|
||||
$Salt =~ s/^(\$.+?\$)(.+?)\$.*$/$2/;
|
||||
my $Magic = $1;
|
||||
|
||||
# encode output, needed by unix_md5_crypt() only non utf8 signs
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
$EncodeObject->EncodeOutput( \$Salt );
|
||||
|
||||
if ( $Magic eq '$apr1$' ) {
|
||||
$CryptedPw = apache_md5_crypt( $Pw, $Salt );
|
||||
$Method = 'apache_md5_crypt';
|
||||
}
|
||||
else {
|
||||
$CryptedPw = unix_md5_crypt( $Pw, $Salt );
|
||||
$Method = 'unix_md5_crypt';
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
# sha256 pw
|
||||
elsif ( $GetPw =~ m{\A [0-9a-f]{64} \z}xmsi ) {
|
||||
|
||||
my $SHAObject = Digest::SHA->new('sha256');
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
$SHAObject->add($Pw);
|
||||
$CryptedPw = $SHAObject->hexdigest();
|
||||
$Method = 'sha256';
|
||||
}
|
||||
|
||||
# sha512 pw
|
||||
elsif ( $GetPw =~ m{\A [0-9a-f]{128} \z}xmsi ) {
|
||||
|
||||
my $SHAObject = Digest::SHA->new('sha512');
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
$SHAObject->add($Pw);
|
||||
$CryptedPw = $SHAObject->hexdigest();
|
||||
$Method = 'sha256';
|
||||
}
|
||||
|
||||
elsif ( $GetPw =~ m{^BCRYPT:} ) {
|
||||
|
||||
# require module, log errors if module was not found
|
||||
if ( !$Kernel::OM->Get('Kernel::System::Main')->Require('Crypt::Eksblowfish::Bcrypt') )
|
||||
{
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message =>
|
||||
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# get salt and cost from stored PW string
|
||||
my ( $Cost, $Salt, $Base64Hash ) = $GetPw =~ m{^BCRYPT:(\d+):(.{16}):(.*)$}xms;
|
||||
|
||||
# remove UTF8 flag, required by Crypt::Eksblowfish::Bcrypt
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
|
||||
# calculate password hash with the same cost and hash settings
|
||||
my $Octets = Crypt::Eksblowfish::Bcrypt::bcrypt_hash(
|
||||
{
|
||||
key_nul => 1,
|
||||
cost => $Cost,
|
||||
salt => $Salt,
|
||||
},
|
||||
$Pw
|
||||
);
|
||||
|
||||
$CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets);
|
||||
$Method = 'bcrypt';
|
||||
}
|
||||
|
||||
# sha1 pw
|
||||
elsif ( $GetPw =~ m{\A [0-9a-f]{40} \z}xmsi ) {
|
||||
|
||||
my $SHAObject = Digest::SHA->new('sha1');
|
||||
|
||||
# encode output, needed by sha1_hex() only non utf8 signs
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
|
||||
$SHAObject->add($Pw);
|
||||
$CryptedPw = $SHAObject->hexdigest();
|
||||
$Method = 'sha1';
|
||||
}
|
||||
|
||||
# No-13-chars-long crypt pw (e.g. in Fedora28).
|
||||
else {
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
$EncodeObject->EncodeOutput( \$User );
|
||||
|
||||
# Encode output, needed by crypt() only non utf8 signs.
|
||||
$CryptedPw = crypt( $Pw, $User );
|
||||
$EncodeObject->EncodeInput( \$CryptedPw );
|
||||
$Method = 'crypt';
|
||||
}
|
||||
}
|
||||
|
||||
# crypt pw
|
||||
else {
|
||||
|
||||
# strip Salt only for (Extended) DES, not for any of Modular crypt's
|
||||
if ( $Salt !~ /^\$\d\$/ ) {
|
||||
$Salt =~ s/^(..).*/$1/;
|
||||
}
|
||||
|
||||
# encode output, needed by crypt() only non utf8 signs
|
||||
$EncodeObject->EncodeOutput( \$Pw );
|
||||
$EncodeObject->EncodeOutput( \$Salt );
|
||||
$CryptedPw = crypt( $Pw, $Salt );
|
||||
$Method = 'crypt';
|
||||
}
|
||||
|
||||
# just in case for debug!
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"User: '$User' tried to authenticate with Pw: '$Pw' ($UserID/$Method/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
|
||||
);
|
||||
}
|
||||
|
||||
# just a note
|
||||
if ( !$Pw ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# login note
|
||||
elsif ( ( ($GetPw) && ($User) && ($UserID) ) && $CryptedPw eq $GetPw ) {
|
||||
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User authentication ok (Method: $Method, REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
return $User;
|
||||
}
|
||||
|
||||
# just a note
|
||||
elsif ( ($UserID) && ($GetPw) ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"User: $User authentication with wrong Pw!!! (Method: $Method, REMOTE_ADDR: $RemoteAddr)"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# just a note
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User doesn't exist or is invalid!!! (REMOTE_ADDR: $RemoteAddr)"
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
107
Perl OTRS/Kernel/System/Auth/HTTPBasicAuth.pm
Normal file
107
Perl OTRS/Kernel/System/Auth/HTTPBasicAuth.pm
Normal file
@@ -0,0 +1,107 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
# Note:
|
||||
#
|
||||
# If you use this module, you should use as fallback the following
|
||||
# config settings:
|
||||
#
|
||||
# If use isn't login through apache ($ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER})
|
||||
# $Self->{LoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
|
||||
#
|
||||
# $Self->{LogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::HTTPBasicAuth;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::Log',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
$Self->{Count} = $Param{Count} || '';
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub GetOption {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{What} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need What!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# module options
|
||||
my %Option = (
|
||||
PreAuth => 1,
|
||||
);
|
||||
|
||||
# return option
|
||||
return $Option{ $Param{What} };
|
||||
}
|
||||
|
||||
sub Auth {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# get params
|
||||
my $User = $ENV{REMOTE_USER} || $ENV{HTTP_REMOTE_USER};
|
||||
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
||||
|
||||
# return on no user
|
||||
if ( !$User ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"User: No \$ENV{REMOTE_USER} or \$ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# get config object
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# replace login parts
|
||||
my $Replace = $ConfigObject->Get(
|
||||
'AuthModule::HTTPBasicAuth::Replace' . $Self->{Count},
|
||||
);
|
||||
if ($Replace) {
|
||||
$User =~ s/^\Q$Replace\E//;
|
||||
}
|
||||
|
||||
# regexp on login
|
||||
my $ReplaceRegExp = $ConfigObject->Get(
|
||||
'AuthModule::HTTPBasicAuth::ReplaceRegExp' . $Self->{Count},
|
||||
);
|
||||
if ($ReplaceRegExp) {
|
||||
$User =~ s/$ReplaceRegExp/$1/;
|
||||
}
|
||||
|
||||
# log
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User authentication ok (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
return $User;
|
||||
}
|
||||
|
||||
1;
|
||||
392
Perl OTRS/Kernel/System/Auth/LDAP.pm
Normal file
392
Perl OTRS/Kernel/System/Auth/LDAP.pm
Normal file
@@ -0,0 +1,392 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::LDAP;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Net::LDAP;
|
||||
use Net::LDAP::Util qw(escape_filter_value);
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::Encode',
|
||||
'Kernel::System::Log',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
# Debug 0=off 1=on
|
||||
$Self->{Debug} = 0;
|
||||
|
||||
# get config object
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# get ldap preferences
|
||||
$Self->{Count} = $Param{Count} || '';
|
||||
$Self->{Die} = $ConfigObject->Get( 'AuthModule::LDAP::Die' . $Param{Count} );
|
||||
if ( $ConfigObject->Get( 'AuthModule::LDAP::Host' . $Param{Count} ) ) {
|
||||
$Self->{Host} = $ConfigObject->Get( 'AuthModule::LDAP::Host' . $Param{Count} );
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthModule::LDAP::Host$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
if ( defined( $ConfigObject->Get( 'AuthModule::LDAP::BaseDN' . $Param{Count} ) ) ) {
|
||||
$Self->{BaseDN} = $ConfigObject->Get( 'AuthModule::LDAP::BaseDN' . $Param{Count} );
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthModule::LDAP::BaseDN$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
if ( $ConfigObject->Get( 'AuthModule::LDAP::UID' . $Param{Count} ) ) {
|
||||
$Self->{UID} = $ConfigObject->Get( 'AuthModule::LDAP::UID' . $Param{Count} );
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthModule::LDAP::UID$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
$Self->{SearchUserDN} = $ConfigObject->Get( 'AuthModule::LDAP::SearchUserDN' . $Param{Count} ) || '';
|
||||
$Self->{SearchUserPw} = $ConfigObject->Get( 'AuthModule::LDAP::SearchUserPw' . $Param{Count} ) || '';
|
||||
$Self->{GroupDN} = $ConfigObject->Get( 'AuthModule::LDAP::GroupDN' . $Param{Count} )
|
||||
|| '';
|
||||
$Self->{AccessAttr} = $ConfigObject->Get( 'AuthModule::LDAP::AccessAttr' . $Param{Count} )
|
||||
|| 'memberUid';
|
||||
$Self->{UserAttr} = $ConfigObject->Get( 'AuthModule::LDAP::UserAttr' . $Param{Count} )
|
||||
|| 'DN';
|
||||
$Self->{UserSuffix} = $ConfigObject->Get( 'AuthModule::LDAP::UserSuffix' . $Param{Count} ) || '';
|
||||
$Self->{UserLowerCase} = $ConfigObject->Get( 'AuthModule::LDAP::UserLowerCase' . $Param{Count} ) || 0;
|
||||
$Self->{DestCharset} = $ConfigObject->Get( 'AuthModule::LDAP::Charset' . $Param{Count} )
|
||||
|| 'utf-8';
|
||||
|
||||
# ldap filter always used
|
||||
$Self->{AlwaysFilter} = $ConfigObject->Get( 'AuthModule::LDAP::AlwaysFilter' . $Param{Count} ) || '';
|
||||
|
||||
# Net::LDAP new params
|
||||
if ( $ConfigObject->Get( 'AuthModule::LDAP::Params' . $Param{Count} ) ) {
|
||||
$Self->{Params} = $ConfigObject->Get( 'AuthModule::LDAP::Params' . $Param{Count} );
|
||||
}
|
||||
else {
|
||||
$Self->{Params} = {};
|
||||
}
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub GetOption {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{What} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need What!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# module options
|
||||
my %Option = (
|
||||
PreAuth => 0,
|
||||
);
|
||||
|
||||
# return option
|
||||
return $Option{ $Param{What} };
|
||||
}
|
||||
|
||||
sub Auth {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
for (qw(User Pw)) {
|
||||
if ( !$Param{$_} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need $_!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
$Param{User} = $Self->_ConvertTo( $Param{User}, 'utf-8' );
|
||||
$Param{Pw} = $Self->_ConvertTo( $Param{Pw}, 'utf-8' );
|
||||
|
||||
# get params
|
||||
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
||||
|
||||
# remove leading and trailing spaces
|
||||
$Param{User} =~ s/^\s+//;
|
||||
$Param{User} =~ s/\s+$//;
|
||||
|
||||
# Convert username to lower case letters
|
||||
if ( $Self->{UserLowerCase} ) {
|
||||
$Param{User} = lc $Param{User};
|
||||
}
|
||||
|
||||
# add user suffix
|
||||
if ( $Self->{UserSuffix} ) {
|
||||
$Param{User} .= $Self->{UserSuffix};
|
||||
|
||||
# just in case for debug
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: ($Param{User}) added $Self->{UserSuffix} to username!",
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
# just in case for debug!
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' "
|
||||
. "(REMOTE_ADDR: $RemoteAddr)",
|
||||
);
|
||||
}
|
||||
|
||||
# ldap connect and bind (maybe with SearchUserDN and SearchUserPw)
|
||||
my $LDAP = Net::LDAP->new( $Self->{Host}, %{ $Self->{Params} } );
|
||||
if ( !$LDAP ) {
|
||||
if ( $Self->{Die} ) {
|
||||
die "Can't connect to $Self->{Host}: $@";
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Can't connect to $Self->{Host}: $@",
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
my $Result = '';
|
||||
if ( $Self->{SearchUserDN} && $Self->{SearchUserPw} ) {
|
||||
$Result = $LDAP->bind(
|
||||
dn => $Self->{SearchUserDN},
|
||||
password => $Self->{SearchUserPw}
|
||||
);
|
||||
}
|
||||
else {
|
||||
$Result = $LDAP->bind();
|
||||
}
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => 'First bind failed! ' . $Result->error(),
|
||||
);
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
# build filter
|
||||
my $Filter = "($Self->{UID}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
|
||||
# prepare filter
|
||||
if ( $Self->{AlwaysFilter} ) {
|
||||
$Filter = "(&$Filter$Self->{AlwaysFilter})";
|
||||
}
|
||||
|
||||
# perform user search
|
||||
$Result = $LDAP->search(
|
||||
base => $Self->{BaseDN},
|
||||
filter => $Filter,
|
||||
attrs => [ $Self->{UID} ],
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => 'Search failed! ' . $Result->error(),
|
||||
);
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
# get whole user dn
|
||||
my $UserDN = '';
|
||||
my $User = '';
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
$UserDN = $Entry->dn();
|
||||
$User = $Entry->get_value( $Self->{UID} );
|
||||
}
|
||||
|
||||
# log if there is no LDAP user entry
|
||||
if ( !$UserDN || !$User ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} authentication failed, no LDAP entry found!"
|
||||
. "BaseDN='$Self->{BaseDN}', Filter='$Filter', (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
# check if user need to be in a group!
|
||||
if ( $Self->{AccessAttr} && $Self->{GroupDN} ) {
|
||||
|
||||
# just in case for debug
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => 'check for groupdn!',
|
||||
);
|
||||
}
|
||||
|
||||
# search if we're allowed to
|
||||
my $Filter2 = '';
|
||||
if ( $Self->{UserAttr} eq 'DN' ) {
|
||||
$Filter2 = "($Self->{AccessAttr}=" . escape_filter_value($UserDN) . ')';
|
||||
}
|
||||
else {
|
||||
$Filter2 = "($Self->{AccessAttr}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
}
|
||||
my $Result2 = $LDAP->search(
|
||||
base => $Self->{GroupDN},
|
||||
filter => $Filter2,
|
||||
attrs => ['1.1'],
|
||||
);
|
||||
if ( $Result2->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! base='$Self->{GroupDN}', filter='$Filter2', "
|
||||
. $Result2->error(),
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
# extract it
|
||||
my $GroupDN = '';
|
||||
for my $Entry ( $Result2->all_entries() ) {
|
||||
$GroupDN = $Entry->dn();
|
||||
}
|
||||
|
||||
# log if there is no LDAP entry
|
||||
if ( !$GroupDN ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} authentication failed, no LDAP group entry found"
|
||||
. "GroupDN='$Self->{GroupDN}', Filter='$Filter2'! (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
# bind with user data -> real user auth.
|
||||
$Result = $LDAP->bind(
|
||||
dn => $UserDN,
|
||||
password => $Param{Pw}
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} ($UserDN) authentication failed: '"
|
||||
. $Result->error()
|
||||
. "' (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return;
|
||||
}
|
||||
|
||||
# maybe check if pw is expired
|
||||
# if () {
|
||||
# $Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
# Priority => 'info',
|
||||
# Message => "Password is expired!",
|
||||
# );
|
||||
# return;
|
||||
# }
|
||||
|
||||
# login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} ($UserDN) authentication ok (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
$LDAP->disconnect();
|
||||
return $User;
|
||||
}
|
||||
|
||||
sub _ConvertTo {
|
||||
my ( $Self, $Text, $Charset ) = @_;
|
||||
|
||||
return if !defined $Text;
|
||||
|
||||
# get encode object
|
||||
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
||||
|
||||
if ( !$Charset || !$Self->{DestCharset} ) {
|
||||
$EncodeObject->EncodeInput( \$Text );
|
||||
return $Text;
|
||||
}
|
||||
|
||||
# convert from input charset ($Charset) to directory charset ($Self->{DestCharset})
|
||||
return $EncodeObject->Convert(
|
||||
Text => $Text,
|
||||
From => $Charset,
|
||||
To => $Self->{DestCharset},
|
||||
);
|
||||
}
|
||||
|
||||
sub _ConvertFrom {
|
||||
my ( $Self, $Text, $Charset ) = @_;
|
||||
|
||||
return if !defined $Text;
|
||||
|
||||
# get encode object
|
||||
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
||||
|
||||
if ( !$Charset || !$Self->{DestCharset} ) {
|
||||
$EncodeObject->EncodeInput( \$Text );
|
||||
return $Text;
|
||||
}
|
||||
|
||||
# convert from directory charset ($Self->{DestCharset}) to input charset ($Charset)
|
||||
return $EncodeObject->Convert(
|
||||
Text => $Text,
|
||||
From => $Self->{DestCharset},
|
||||
To => $Charset,
|
||||
);
|
||||
}
|
||||
|
||||
1;
|
||||
147
Perl OTRS/Kernel/System/Auth/Radius.pm
Normal file
147
Perl OTRS/Kernel/System/Auth/Radius.pm
Normal file
@@ -0,0 +1,147 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::Radius;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Authen::Radius;
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::Log',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
# Debug 0=off 1=on
|
||||
$Self->{Debug} = 0;
|
||||
|
||||
# get config object
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# get config
|
||||
$Self->{Die} = $ConfigObject->Get( 'AuthModule::Radius::Die' . $Param{Count} );
|
||||
|
||||
# get user table
|
||||
$Self->{RadiusHost} = $ConfigObject->Get( 'AuthModule::Radius::Host' . $Param{Count} )
|
||||
|| die "Need AuthModule::Radius::Host$Param{Count} in Kernel/Config.pm";
|
||||
$Self->{RadiusSecret} = $ConfigObject->Get( 'AuthModule::Radius::Password' . $Param{Count} )
|
||||
|| die "Need AuthModule::Radius::Password$Param{Count} in Kernel/Config.pm";
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub GetOption {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{What} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need What!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# module options
|
||||
my %Option = ( PreAuth => 0 );
|
||||
|
||||
return $Option{ $Param{What} };
|
||||
}
|
||||
|
||||
sub Auth {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{User} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need User!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# get params
|
||||
my $User = $Param{User} || '';
|
||||
my $Pw = $Param{Pw} || '';
|
||||
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
||||
my $UserID = '';
|
||||
my $GetPw = '';
|
||||
|
||||
# just in case for debug!
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)",
|
||||
);
|
||||
}
|
||||
|
||||
# just a note
|
||||
if ( !$User ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "No User given!!! (REMOTE_ADDR: $RemoteAddr)",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# just a note
|
||||
if ( !$Pw ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User authentication without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# Create a radius object
|
||||
my $Radius = Authen::Radius->new(
|
||||
Host => $Self->{RadiusHost},
|
||||
Secret => $Self->{RadiusSecret},
|
||||
);
|
||||
if ( !$Radius ) {
|
||||
if ( $Self->{Die} ) {
|
||||
die "Can't connect to $Self->{RadiusHost}: $@";
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Can't connect to $Self->{RadiusHost}: $@",
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
my $AuthResult = $Radius->check_pwd( $User, $Pw );
|
||||
|
||||
# login note
|
||||
if ( defined($AuthResult) && $AuthResult == 1 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User authentication ok (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
return $User;
|
||||
}
|
||||
|
||||
# just a note
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $User authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
798
Perl OTRS/Kernel/System/Auth/Sync/LDAP.pm
Normal file
798
Perl OTRS/Kernel/System/Auth/Sync/LDAP.pm
Normal file
@@ -0,0 +1,798 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::Sync::LDAP;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Net::LDAP;
|
||||
use Net::LDAP::Util qw(escape_filter_value);
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::Encode',
|
||||
'Kernel::System::Group',
|
||||
'Kernel::System::Log',
|
||||
'Kernel::System::User',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
# Debug 0=off 1=on
|
||||
$Self->{Debug} = 0;
|
||||
|
||||
# get config object
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# get ldap preferences
|
||||
if ( !$ConfigObject->Get( 'AuthSyncModule::LDAP::Host' . $Param{Count} ) ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthSyncModule::LDAP::Host$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
if ( !defined $ConfigObject->Get( 'AuthSyncModule::LDAP::BaseDN' . $Param{Count} ) ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthSyncModule::LDAP::BaseDN$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
if ( !$ConfigObject->Get( 'AuthSyncModule::LDAP::UID' . $Param{Count} ) ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need AuthSyncModule::LDAP::UID$Param{Count} in Kernel/Config.pm",
|
||||
);
|
||||
return;
|
||||
}
|
||||
$Self->{Count} = $Param{Count} || '';
|
||||
$Self->{Die} = $ConfigObject->Get( 'AuthSyncModule::LDAP::Die' . $Param{Count} );
|
||||
$Self->{Host} = $ConfigObject->Get( 'AuthSyncModule::LDAP::Host' . $Param{Count} );
|
||||
$Self->{BaseDN} = $ConfigObject->Get( 'AuthSyncModule::LDAP::BaseDN' . $Param{Count} );
|
||||
$Self->{UID} = $ConfigObject->Get( 'AuthSyncModule::LDAP::UID' . $Param{Count} );
|
||||
$Self->{SearchUserDN} = $ConfigObject->Get( 'AuthSyncModule::LDAP::SearchUserDN' . $Param{Count} ) || '';
|
||||
$Self->{SearchUserPw} = $ConfigObject->Get( 'AuthSyncModule::LDAP::SearchUserPw' . $Param{Count} ) || '';
|
||||
$Self->{GroupDN} = $ConfigObject->Get( 'AuthSyncModule::LDAP::GroupDN' . $Param{Count} )
|
||||
|| '';
|
||||
$Self->{AccessAttr} = $ConfigObject->Get( 'AuthSyncModule::LDAP::AccessAttr' . $Param{Count} )
|
||||
|| 'memberUid';
|
||||
$Self->{UserAttr} = $ConfigObject->Get( 'AuthSyncModule::LDAP::UserAttr' . $Param{Count} )
|
||||
|| 'DN';
|
||||
$Self->{DestCharset} = $ConfigObject->Get( 'AuthSyncModule::LDAP::Charset' . $Param{Count} )
|
||||
|| 'utf-8';
|
||||
|
||||
# ldap filter always used
|
||||
$Self->{AlwaysFilter} = $ConfigObject->Get( 'AuthSyncModule::LDAP::AlwaysFilter' . $Param{Count} ) || '';
|
||||
|
||||
# Net::LDAP new params
|
||||
if ( $ConfigObject->Get( 'AuthSyncModule::LDAP::Params' . $Param{Count} ) ) {
|
||||
$Self->{Params} = $ConfigObject->Get( 'AuthSyncModule::LDAP::Params' . $Param{Count} );
|
||||
}
|
||||
else {
|
||||
$Self->{Params} = {};
|
||||
}
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub Sync {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
if ( !$Param{User} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => 'Need User!'
|
||||
);
|
||||
return;
|
||||
}
|
||||
$Param{User} = $Self->_ConvertTo( $Param{User}, 'utf-8' );
|
||||
|
||||
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
|
||||
|
||||
# remove leading and trailing spaces
|
||||
$Param{User} =~ s{ \A \s* ( [^\s]+ ) \s* \z }{$1}xms;
|
||||
|
||||
# just in case for debug!
|
||||
if ( $Self->{Debug} > 0 ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: '$Param{User}' tried to sync (REMOTE_ADDR: $RemoteAddr)",
|
||||
);
|
||||
}
|
||||
|
||||
# ldap connect and bind (maybe with SearchUserDN and SearchUserPw)
|
||||
my $LDAP = Net::LDAP->new( $Self->{Host}, %{ $Self->{Params} } );
|
||||
if ( !$LDAP ) {
|
||||
if ( $Self->{Die} ) {
|
||||
die "Can't connect to $Self->{Host}: $@";
|
||||
}
|
||||
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Can't connect to $Self->{Host}: $@",
|
||||
);
|
||||
return;
|
||||
}
|
||||
my $Result;
|
||||
if ( $Self->{SearchUserDN} && $Self->{SearchUserPw} ) {
|
||||
$Result = $LDAP->bind(
|
||||
dn => $Self->{SearchUserDN},
|
||||
password => $Self->{SearchUserPw}
|
||||
);
|
||||
}
|
||||
else {
|
||||
$Result = $LDAP->bind();
|
||||
}
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => 'First bind failed! ' . $Result->error(),
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# build filter
|
||||
my $Filter = "($Self->{UID}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
|
||||
# prepare filter
|
||||
if ( $Self->{AlwaysFilter} ) {
|
||||
$Filter = "(&$Filter$Self->{AlwaysFilter})";
|
||||
}
|
||||
|
||||
# perform user search
|
||||
$Result = $LDAP->search(
|
||||
base => $Self->{BaseDN},
|
||||
filter => $Filter,
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! ($Self->{BaseDN}) filter='$Filter' " . $Result->error(),
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# get whole user dn
|
||||
my $UserDN;
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
$UserDN = $Entry->dn();
|
||||
}
|
||||
|
||||
# log if there is no LDAP user entry
|
||||
if ( !$UserDN ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} sync failed, no LDAP entry found!"
|
||||
. "BaseDN='$Self->{BaseDN}', Filter='$Filter', (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
return;
|
||||
}
|
||||
|
||||
# get needed objects
|
||||
my $UserObject = $Kernel::OM->Get('Kernel::System::User');
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
|
||||
# get current user id
|
||||
my $UserID = $UserObject->UserLookup(
|
||||
UserLogin => $Param{User},
|
||||
Silent => 1,
|
||||
);
|
||||
|
||||
# system permissions
|
||||
my %PermissionsEmpty =
|
||||
map { $_ => 0 } @{ $ConfigObject->Get('System::Permission') };
|
||||
|
||||
# get group object
|
||||
my $GroupObject = $Kernel::OM->Get('Kernel::System::Group');
|
||||
|
||||
# get system groups and create lookup
|
||||
my %SystemGroups = $GroupObject->GroupList( Valid => 1 );
|
||||
my %SystemGroupsByName = reverse %SystemGroups;
|
||||
|
||||
# get system roles and create lookup
|
||||
my %SystemRoles = $GroupObject->RoleList( Valid => 1 );
|
||||
my %SystemRolesByName = reverse %SystemRoles;
|
||||
|
||||
# sync user from ldap
|
||||
my $UserSyncMap = $ConfigObject->Get( 'AuthSyncModule::LDAP::UserSyncMap' . $Self->{Count} );
|
||||
if ($UserSyncMap) {
|
||||
|
||||
# get whole user dn
|
||||
my %SyncUser;
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
for my $Key ( sort keys %{$UserSyncMap} ) {
|
||||
|
||||
# detect old config setting
|
||||
if ( $Key =~ m{ \A (?: Firstname | Lastname | Email ) }xms ) {
|
||||
$Key = 'User' . $Key;
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => 'Old config setting detected, please use the new one '
|
||||
. 'from Kernel/Config/Defaults.pm (User* has been added!).',
|
||||
);
|
||||
}
|
||||
|
||||
my $AttributeNames = $UserSyncMap->{$Key};
|
||||
if ( ref $AttributeNames ne 'ARRAY' ) {
|
||||
$AttributeNames = [$AttributeNames];
|
||||
}
|
||||
ATTRIBUTE_NAME:
|
||||
for my $AttributeName ( @{$AttributeNames} ) {
|
||||
if ( $AttributeName =~ /^_/ ) {
|
||||
$SyncUser{$Key} = substr( $AttributeName, 1 );
|
||||
last ATTRIBUTE_NAME;
|
||||
}
|
||||
elsif ( $Entry->get_value($AttributeName) ) {
|
||||
$SyncUser{$Key} = $Entry->get_value($AttributeName);
|
||||
last ATTRIBUTE_NAME;
|
||||
}
|
||||
}
|
||||
|
||||
# e. g. set utf-8 flag
|
||||
$SyncUser{$Key} = $Self->_ConvertFrom(
|
||||
$SyncUser{$Key},
|
||||
'utf-8',
|
||||
);
|
||||
}
|
||||
if ( $Entry->get_value('userPassword') ) {
|
||||
$SyncUser{UserPw} = $Entry->get_value('userPassword');
|
||||
|
||||
# e. g. set utf-8 flag
|
||||
$SyncUser{UserPw} = $Self->_ConvertFrom(
|
||||
$SyncUser{UserPw},
|
||||
'utf-8',
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
# add new user
|
||||
if ( %SyncUser && !$UserID ) {
|
||||
$UserID = $UserObject->UserAdd(
|
||||
UserTitle => 'Mr/Mrs',
|
||||
UserLogin => $Param{User},
|
||||
%SyncUser,
|
||||
UserType => 'User',
|
||||
ValidID => 1,
|
||||
ChangeUserID => 1,
|
||||
);
|
||||
if ( !$UserID ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Can't create user '$Param{User}' ($UserDN) in RDBMS!",
|
||||
);
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
return;
|
||||
}
|
||||
else {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "Initial data for '$Param{User}' ($UserDN) created in RDBMS.",
|
||||
);
|
||||
|
||||
# sync initial groups
|
||||
my $UserSyncInitialGroups = $ConfigObject->Get(
|
||||
'AuthSyncModule::LDAP::UserSyncInitialGroups' . $Self->{Count}
|
||||
);
|
||||
if ($UserSyncInitialGroups) {
|
||||
GROUP:
|
||||
for my $Group ( @{$UserSyncInitialGroups} ) {
|
||||
|
||||
# only for valid groups
|
||||
if ( !$SystemGroupsByName{$Group} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"Invalid group '$Group' in "
|
||||
. "'AuthSyncModule::LDAP::UserSyncInitialGroups"
|
||||
. "$Self->{Count}'!",
|
||||
);
|
||||
next GROUP;
|
||||
}
|
||||
|
||||
$GroupObject->PermissionGroupUserAdd(
|
||||
GID => $SystemGroupsByName{$Group},
|
||||
UID => $UserID,
|
||||
Permission => {
|
||||
rw => 1,
|
||||
},
|
||||
UserID => 1,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# update user attributes (only if changed)
|
||||
elsif (%SyncUser) {
|
||||
|
||||
# get user data
|
||||
my %UserData = $UserObject->GetUserData( User => $Param{User} );
|
||||
|
||||
# check for changes
|
||||
my $AttributeChange;
|
||||
ATTRIBUTE:
|
||||
for my $Attribute ( sort keys %SyncUser ) {
|
||||
next ATTRIBUTE if defined $SyncUser{$Attribute} && $SyncUser{$Attribute} eq $UserData{$Attribute};
|
||||
$AttributeChange = 1;
|
||||
last ATTRIBUTE;
|
||||
}
|
||||
|
||||
if ($AttributeChange) {
|
||||
$UserObject->UserUpdate(
|
||||
%UserData,
|
||||
UserID => $UserID,
|
||||
UserLogin => $Param{User},
|
||||
%SyncUser,
|
||||
UserType => 'User',
|
||||
ChangeUserID => 1,
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# variable to store group permissions from ldap
|
||||
my %GroupPermissionsFromLDAP;
|
||||
|
||||
# sync ldap group 2 otrs group permissions
|
||||
my $UserSyncGroupsDefinition = $ConfigObject->Get(
|
||||
'AuthSyncModule::LDAP::UserSyncGroupsDefinition' . $Self->{Count}
|
||||
);
|
||||
if ($UserSyncGroupsDefinition) {
|
||||
|
||||
# read and remember groups from ldap
|
||||
GROUPDN:
|
||||
for my $GroupDN ( sort keys %{$UserSyncGroupsDefinition} ) {
|
||||
|
||||
# search if we are allowed to
|
||||
my $Filter;
|
||||
if ( $Self->{UserAttr} eq 'DN' ) {
|
||||
$Filter = "($Self->{AccessAttr}=" . escape_filter_value($UserDN) . ')';
|
||||
}
|
||||
else {
|
||||
$Filter = "($Self->{AccessAttr}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
}
|
||||
my $Result = $LDAP->search(
|
||||
base => $GroupDN,
|
||||
filter => $Filter,
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! ($GroupDN) filter='$Filter' " . $Result->error(),
|
||||
);
|
||||
next GROUPDN;
|
||||
}
|
||||
|
||||
# extract it
|
||||
my $Valid;
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
$Valid = $Entry->dn();
|
||||
}
|
||||
|
||||
# log if there is no LDAP entry
|
||||
if ( !$Valid ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} not in "
|
||||
. "GroupDN='$GroupDN', Filter='$Filter'! (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
next GROUPDN;
|
||||
}
|
||||
|
||||
# remember group permissions
|
||||
my %SyncGroups = %{ $UserSyncGroupsDefinition->{$GroupDN} };
|
||||
SYNCGROUP:
|
||||
for my $SyncGroup ( sort keys %SyncGroups ) {
|
||||
|
||||
# only for valid groups
|
||||
if ( !$SystemGroupsByName{$SyncGroup} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"Invalid group '$SyncGroup' in "
|
||||
. "'AuthSyncModule::LDAP::UserSyncGroupsDefinition"
|
||||
. "$Self->{Count}'!",
|
||||
);
|
||||
next SYNCGROUP;
|
||||
}
|
||||
|
||||
# set/overwrite remembered permissions
|
||||
|
||||
# if rw permission exists, discard all other permissions
|
||||
if ( $SyncGroups{$SyncGroup}->{rw} ) {
|
||||
$GroupPermissionsFromLDAP{ $SystemGroupsByName{$SyncGroup} } = {
|
||||
rw => 1,
|
||||
};
|
||||
next SYNCGROUP;
|
||||
}
|
||||
|
||||
# remember permissions as provided
|
||||
$GroupPermissionsFromLDAP{ $SystemGroupsByName{$SyncGroup} } = {
|
||||
%PermissionsEmpty,
|
||||
%{ $SyncGroups{$SyncGroup} },
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# sync ldap attribute 2 otrs group permissions
|
||||
my $UserSyncAttributeGroupsDefinition = $ConfigObject->Get(
|
||||
'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition' . $Self->{Count}
|
||||
);
|
||||
if ($UserSyncAttributeGroupsDefinition) {
|
||||
|
||||
# build filter
|
||||
my $Filter = "($Self->{UID}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
|
||||
# perform search
|
||||
$Result = $LDAP->search(
|
||||
base => $Self->{BaseDN},
|
||||
filter => $Filter,
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! ($Self->{BaseDN}) filter='$Filter' " . $Result->error(),
|
||||
);
|
||||
}
|
||||
else {
|
||||
my %SyncConfig = %{$UserSyncAttributeGroupsDefinition};
|
||||
for my $Attribute ( sort keys %SyncConfig ) {
|
||||
|
||||
my %AttributeValues = %{ $SyncConfig{$Attribute} };
|
||||
ATTRIBUTEVALUE:
|
||||
for my $AttributeValue ( sort keys %AttributeValues ) {
|
||||
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
|
||||
# Check if configured value exists in values of group attribute
|
||||
# If yes, add sync groups to the user
|
||||
my $GotValue;
|
||||
my @Values = $Entry->get_value($Attribute);
|
||||
VALUE:
|
||||
for my $Value (@Values) {
|
||||
next VALUE if $Value !~ m{ \A \Q$AttributeValue\E \z }xmsi;
|
||||
$GotValue = 1;
|
||||
last VALUE;
|
||||
}
|
||||
next ATTRIBUTEVALUE if !$GotValue;
|
||||
|
||||
# remember group permissions
|
||||
my %SyncGroups = %{ $AttributeValues{$AttributeValue} };
|
||||
SYNCGROUP:
|
||||
for my $SyncGroup ( sort keys %SyncGroups ) {
|
||||
|
||||
# only for valid groups
|
||||
if ( !$SystemGroupsByName{$SyncGroup} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"Invalid group '$SyncGroup' in "
|
||||
. "'AuthSyncModule::LDAP::UserSyncAttributeGroupsDefinition"
|
||||
. "$Self->{Count}'!",
|
||||
);
|
||||
next SYNCGROUP;
|
||||
}
|
||||
|
||||
# set/overwrite remembered permissions
|
||||
|
||||
# if rw permission exists, discard all other permissions
|
||||
if ( $SyncGroups{$SyncGroup}->{rw} ) {
|
||||
$GroupPermissionsFromLDAP{ $SystemGroupsByName{$SyncGroup} } = {
|
||||
rw => 1,
|
||||
};
|
||||
next SYNCGROUP;
|
||||
}
|
||||
|
||||
# remember permissions as provided
|
||||
$GroupPermissionsFromLDAP{ $SystemGroupsByName{$SyncGroup} } = {
|
||||
%PermissionsEmpty,
|
||||
%{ $SyncGroups{$SyncGroup} },
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# Compare group permissions from LDAP with current user group permissions.
|
||||
my %GroupPermissionsChanged;
|
||||
|
||||
if (%GroupPermissionsFromLDAP) {
|
||||
|
||||
PERMISSIONTYPE:
|
||||
for my $PermissionType ( @{ $ConfigObject->Get('System::Permission') } ) {
|
||||
|
||||
# get current permission for type
|
||||
my %GroupPermissions = $GroupObject->PermissionUserGroupGet(
|
||||
UserID => $UserID,
|
||||
Type => $PermissionType,
|
||||
);
|
||||
|
||||
GROUPID:
|
||||
for my $GroupID ( sort keys %SystemGroups ) {
|
||||
|
||||
my $OldPermission = $GroupPermissions{$GroupID} ? 1 : 0;
|
||||
|
||||
# Set the new permission (from LDAP) if exist, if not set it to a default value
|
||||
# regularly 0 but it LDAP has rw permission set it to 1 as PermissionUserGroupGet()
|
||||
# gets all system permissions to 1 if stored permission is rw.
|
||||
my $NewPermission = $GroupPermissionsFromLDAP{$GroupID}->{$PermissionType}
|
||||
|| $GroupPermissionsFromLDAP{$GroupID}->{rw} ? 1 : 0;
|
||||
|
||||
# Skip permission if is identical as in the DB
|
||||
next GROUPID if $OldPermission == $NewPermission;
|
||||
|
||||
# Remember the LDAP permission if they are not identical as in the DB.
|
||||
$GroupPermissionsChanged{$GroupID} = $GroupPermissionsFromLDAP{$GroupID};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# update changed group permissions
|
||||
if (%GroupPermissionsChanged) {
|
||||
for my $GroupID ( sort keys %GroupPermissionsChanged ) {
|
||||
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: '$Param{User}' sync ldap group $SystemGroups{$GroupID}!",
|
||||
);
|
||||
$GroupObject->PermissionGroupUserAdd(
|
||||
GID => $GroupID,
|
||||
UID => $UserID,
|
||||
Permission => $GroupPermissionsChanged{$GroupID} || \%PermissionsEmpty,
|
||||
UserID => 1,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
# variable to store role permissions from ldap
|
||||
my %RolePermissionsFromLDAP;
|
||||
|
||||
# sync ldap group 2 otrs role permissions
|
||||
my $UserSyncRolesDefinition = $ConfigObject->Get(
|
||||
'AuthSyncModule::LDAP::UserSyncRolesDefinition' . $Self->{Count}
|
||||
);
|
||||
if ($UserSyncRolesDefinition) {
|
||||
|
||||
# read and remember roles from ldap
|
||||
GROUPDN:
|
||||
for my $GroupDN ( sort keys %{$UserSyncRolesDefinition} ) {
|
||||
|
||||
# search if we're allowed to
|
||||
my $Filter;
|
||||
if ( $Self->{UserAttr} eq 'DN' ) {
|
||||
$Filter = "($Self->{AccessAttr}=" . escape_filter_value($UserDN) . ')';
|
||||
}
|
||||
else {
|
||||
$Filter = "($Self->{AccessAttr}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
}
|
||||
my $Result = $LDAP->search(
|
||||
base => $GroupDN,
|
||||
filter => $Filter,
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! ($GroupDN) filter='$Filter' " . $Result->error(),
|
||||
);
|
||||
next GROUPDN;
|
||||
}
|
||||
|
||||
# extract it
|
||||
my $Valid;
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
$Valid = $Entry->dn();
|
||||
}
|
||||
|
||||
# log if there is no LDAP entry
|
||||
if ( !$Valid ) {
|
||||
|
||||
# failed login note
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} not in "
|
||||
. "GroupDN='$GroupDN', Filter='$Filter'! (REMOTE_ADDR: $RemoteAddr).",
|
||||
);
|
||||
next GROUPDN;
|
||||
}
|
||||
|
||||
# remember role permissions
|
||||
my %SyncRoles = %{ $UserSyncRolesDefinition->{$GroupDN} };
|
||||
SYNCROLE:
|
||||
for my $SyncRole ( sort keys %SyncRoles ) {
|
||||
|
||||
# only for valid roles
|
||||
if ( !$SystemRolesByName{$SyncRole} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"Invalid role '$SyncRole' in "
|
||||
. "'AuthSyncModule::LDAP::UserSyncRolesDefinition"
|
||||
. "$Self->{Count}'!",
|
||||
);
|
||||
next SYNCROLE;
|
||||
}
|
||||
|
||||
# set/overwrite remembered permissions
|
||||
$RolePermissionsFromLDAP{ $SystemRolesByName{$SyncRole} } =
|
||||
$SyncRoles{$SyncRole};
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# sync ldap attribute 2 otrs role permissions
|
||||
my $UserSyncAttributeRolesDefinition = $ConfigObject->Get(
|
||||
'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition' . $Self->{Count}
|
||||
);
|
||||
if ($UserSyncAttributeRolesDefinition) {
|
||||
|
||||
# build filter
|
||||
my $Filter = "($Self->{UID}=" . escape_filter_value( $Param{User} ) . ')';
|
||||
|
||||
# perform search
|
||||
$Result = $LDAP->search(
|
||||
base => $Self->{BaseDN},
|
||||
filter => $Filter,
|
||||
);
|
||||
if ( $Result->code() ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Search failed! ($Self->{BaseDN}) filter='$Filter' " . $Result->error(),
|
||||
);
|
||||
}
|
||||
else {
|
||||
my %SyncConfig = %{$UserSyncAttributeRolesDefinition};
|
||||
for my $Attribute ( sort keys %SyncConfig ) {
|
||||
|
||||
my %AttributeValues = %{ $SyncConfig{$Attribute} };
|
||||
ATTRIBUTEVALUE:
|
||||
for my $AttributeValue ( sort keys %AttributeValues ) {
|
||||
|
||||
for my $Entry ( $Result->all_entries() ) {
|
||||
|
||||
# Check if configured value exists in values of role attribute
|
||||
# If yes, add sync roles to the user
|
||||
my $GotValue;
|
||||
my @Values = $Entry->get_value($Attribute);
|
||||
VALUE:
|
||||
for my $Value (@Values) {
|
||||
next VALUE if $Value !~ m{ \A \Q$AttributeValue\E \z }xmsi;
|
||||
$GotValue = 1;
|
||||
last VALUE;
|
||||
}
|
||||
next ATTRIBUTEVALUE if !$GotValue;
|
||||
|
||||
# remember role permissions
|
||||
my %SyncRoles = %{ $AttributeValues{$AttributeValue} };
|
||||
SYNCROLE:
|
||||
for my $SyncRole ( sort keys %SyncRoles ) {
|
||||
|
||||
# only for valid roles
|
||||
if ( !$SystemRolesByName{$SyncRole} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message =>
|
||||
"Invalid role '$SyncRole' in "
|
||||
. "'AuthSyncModule::LDAP::UserSyncAttributeRolesDefinition"
|
||||
. "$Self->{Count}'!",
|
||||
);
|
||||
next SYNCROLE;
|
||||
}
|
||||
|
||||
# set/overwrite remembered permissions
|
||||
$RolePermissionsFromLDAP{ $SystemRolesByName{$SyncRole} } =
|
||||
$SyncRoles{$SyncRole};
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
# compare role permissions from ldap with current user role permissions and update if necessary
|
||||
if (%RolePermissionsFromLDAP) {
|
||||
|
||||
# get current user roles
|
||||
my %UserRoles = $GroupObject->PermissionUserRoleGet(
|
||||
UserID => $UserID,
|
||||
);
|
||||
|
||||
ROLEID:
|
||||
for my $RoleID ( sort keys %SystemRoles ) {
|
||||
|
||||
# if old and new permission for role matches, do nothing
|
||||
if (
|
||||
( $UserRoles{$RoleID} && $RolePermissionsFromLDAP{$RoleID} )
|
||||
||
|
||||
( !$UserRoles{$RoleID} && !$RolePermissionsFromLDAP{$RoleID} )
|
||||
)
|
||||
{
|
||||
next ROLEID;
|
||||
}
|
||||
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: '$Param{User}' sync ldap role $SystemRoles{$RoleID}!",
|
||||
);
|
||||
$GroupObject->PermissionRoleUserAdd(
|
||||
UID => $UserID,
|
||||
RID => $RoleID,
|
||||
Active => $RolePermissionsFromLDAP{$RoleID} || 0,
|
||||
UserID => 1,
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
# take down session
|
||||
$LDAP->unbind();
|
||||
|
||||
return $Param{User};
|
||||
}
|
||||
|
||||
sub _ConvertTo {
|
||||
my ( $Self, $Text, $Charset ) = @_;
|
||||
|
||||
return if !defined $Text;
|
||||
|
||||
# get encode object
|
||||
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
||||
|
||||
if ( !$Charset || !$Self->{DestCharset} ) {
|
||||
$EncodeObject->EncodeInput( \$Text );
|
||||
return $Text;
|
||||
}
|
||||
|
||||
# convert from input charset ($Charset) to directory charset ($Self->{DestCharset})
|
||||
return $EncodeObject->Convert(
|
||||
Text => $Text,
|
||||
From => $Charset,
|
||||
To => $Self->{DestCharset},
|
||||
);
|
||||
}
|
||||
|
||||
sub _ConvertFrom {
|
||||
my ( $Self, $Text, $Charset ) = @_;
|
||||
|
||||
return if !defined $Text;
|
||||
|
||||
# get encode object
|
||||
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
|
||||
|
||||
if ( !$Charset || !$Self->{DestCharset} ) {
|
||||
$EncodeObject->EncodeInput( \$Text );
|
||||
return $Text;
|
||||
}
|
||||
|
||||
# convert from directory charset ($Self->{DestCharset}) to input charset ($Charset)
|
||||
return $EncodeObject->Convert(
|
||||
Text => $Text,
|
||||
From => $Self->{DestCharset},
|
||||
To => $Charset,
|
||||
);
|
||||
}
|
||||
|
||||
1;
|
||||
193
Perl OTRS/Kernel/System/Auth/TwoFactor/GoogleAuthenticator.pm
Normal file
193
Perl OTRS/Kernel/System/Auth/TwoFactor/GoogleAuthenticator.pm
Normal file
@@ -0,0 +1,193 @@
|
||||
# --
|
||||
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
|
||||
# --
|
||||
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
|
||||
# the enclosed file COPYING for license information (GPL). If you
|
||||
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
|
||||
# --
|
||||
|
||||
package Kernel::System::Auth::TwoFactor::GoogleAuthenticator;
|
||||
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use Digest::SHA qw(sha1);
|
||||
use Digest::HMAC qw(hmac_hex);
|
||||
|
||||
our @ObjectDependencies = (
|
||||
'Kernel::Config',
|
||||
'Kernel::System::DateTime',
|
||||
'Kernel::System::Log',
|
||||
'Kernel::System::User',
|
||||
);
|
||||
|
||||
sub new {
|
||||
my ( $Type, %Param ) = @_;
|
||||
|
||||
# allocate new hash for object
|
||||
my $Self = {};
|
||||
bless( $Self, $Type );
|
||||
|
||||
$Self->{Count} = $Param{Count} || '';
|
||||
|
||||
return $Self;
|
||||
}
|
||||
|
||||
sub Auth {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# check needed stuff
|
||||
for my $Needed (qw(User UserID)) {
|
||||
if ( !$Param{$Needed} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Need $Needed!"
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
|
||||
my $SecretPreferencesKey = $ConfigObject->Get("AuthTwoFactorModule$Self->{Count}::SecretPreferencesKey") || '';
|
||||
if ( !$SecretPreferencesKey ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Found no configuration for SecretPreferencesKey in AuthTwoFactorModule.",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# check if user has secret stored in preferences
|
||||
my %UserPreferences = $Kernel::OM->Get('Kernel::System::User')->GetPreferences(
|
||||
UserID => $Param{UserID},
|
||||
);
|
||||
if ( !$UserPreferences{$SecretPreferencesKey} ) {
|
||||
|
||||
# if login without a stored secret key is permitted, this counts as passed
|
||||
if ( $ConfigObject->Get("AuthTwoFactorModule$Self->{Count}::AllowEmptySecret") ) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
# otherwise login counts as failed
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'error',
|
||||
Message => "Found no SecretPreferencesKey for user $Param{User}.",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# if we get to here (user has preference), we need a passed token
|
||||
if ( !$Param{TwoFactorToken} ) {
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} two factor authentication failed (TwoFactorToken missing).",
|
||||
);
|
||||
return;
|
||||
}
|
||||
|
||||
# generate otp based on secret from preferences
|
||||
my $OTP = $Self->_GenerateOTP(
|
||||
Secret => $UserPreferences{$SecretPreferencesKey},
|
||||
);
|
||||
|
||||
# compare against user provided otp
|
||||
if ( $Param{TwoFactorToken} ne $OTP ) {
|
||||
|
||||
# check if previous token is also to be accepted
|
||||
if ( $ConfigObject->Get("AuthTwoFactorModule$Self->{Count}::AllowPreviousToken") ) {
|
||||
|
||||
# try again with previous otp (from 30 seconds ago)
|
||||
$OTP = $Self->_GenerateOTP(
|
||||
Secret => $UserPreferences{$SecretPreferencesKey},
|
||||
Previous => 1,
|
||||
);
|
||||
}
|
||||
|
||||
if ( $Param{TwoFactorToken} ne $OTP ) {
|
||||
|
||||
# log failure
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} two factor authentication failed (non-matching otp).",
|
||||
);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
# log success
|
||||
$Kernel::OM->Get('Kernel::System::Log')->Log(
|
||||
Priority => 'notice',
|
||||
Message => "User: $Param{User} two factor authentication ok.",
|
||||
);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
sub _GenerateOTP {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# algorithm based on RfC 6238
|
||||
|
||||
#
|
||||
# get unix timestamp divided by 30
|
||||
#
|
||||
my $DateTimeObject = $Kernel::OM->Create('Kernel::System::DateTime');
|
||||
my $TimeStamp = $DateTimeObject->ToEpoch();
|
||||
$TimeStamp = int( $TimeStamp / 30 );
|
||||
|
||||
# on request use previous 30-second time period
|
||||
if ( $Param{Previous} ) {
|
||||
--$TimeStamp;
|
||||
}
|
||||
|
||||
# extend to 16 character hex value
|
||||
my $PaddedTimeStamp = sprintf "%016x", $TimeStamp;
|
||||
|
||||
# encrypt timestamp with secret
|
||||
my $PackedTimeStamp = pack 'H*', $PaddedTimeStamp;
|
||||
my $Base32Secret = $Self->_DecodeBase32( Secret => $Param{Secret} );
|
||||
my $HMAC = hmac_hex( $PackedTimeStamp, $Base32Secret, \&sha1 );
|
||||
|
||||
# now treat hmac to get 6 numerical digits
|
||||
|
||||
# Use 4 last bits as offset, then truncate to 4 bytes starting at the offset and remove most significant bit
|
||||
my $Offset = hex( substr( $HMAC, -1 ) );
|
||||
my $TruncatedHMAC = hex( substr( $HMAC, $Offset * 2, 8 ) ) & 0x7fffffff;
|
||||
|
||||
# use last 6 digits (modulo 1.000.000) as token
|
||||
my $Token = $TruncatedHMAC % 1000000;
|
||||
|
||||
# make sure to use all 6 digits (0-padded)
|
||||
return sprintf( "%06d", $Token );
|
||||
}
|
||||
|
||||
sub _DecodeBase32 {
|
||||
my ( $Self, %Param ) = @_;
|
||||
|
||||
# based on RfC 3548, code inspired by MIME::Base32
|
||||
|
||||
# convert all characters to upper case and remove whitespace (not allowed for base32)
|
||||
my $Key = uc $Param{Secret};
|
||||
$Key =~ s{ [ ]+ }{}xmsg;
|
||||
|
||||
# turn into binary characters
|
||||
$Key =~ tr|A-Z2-7|\0-\37|;
|
||||
|
||||
# unpack into binary
|
||||
$Key = unpack 'B*', $Key;
|
||||
|
||||
# cut three most significant bits for each byte
|
||||
$Key =~ s{ 0{3} ( .{5} ) }{$1}xmsg;
|
||||
|
||||
# trim string to full 8 bit units
|
||||
my $Length = length $Key;
|
||||
if ( $Length % 8 ) {
|
||||
$Key = substr( $Key, 0, $Length - $Length % 8 );
|
||||
}
|
||||
|
||||
# pack back up
|
||||
$Key = pack 'B*', $Key;
|
||||
return $Key;
|
||||
}
|
||||
|
||||
1;
|
||||
Reference in New Issue
Block a user