2024-10-14 00:08:40 +02:00
parent dbfba56f66
commit 1462d52e13
4572 changed files with 2658864 additions and 0 deletions


@@ -0,0 +1,324 @@
# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
package Kernel::System::CustomerAuth::DB;
use strict;
use warnings;
use Crypt::PasswdMD5 qw(unix_md5_crypt apache_md5_crypt);
use Digest::SHA;
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::DB',
'Kernel::System::Encode',
'Kernel::System::Log',
'Kernel::System::Main',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# get database object
$Self->{DBObject} = $Kernel::OM->Get('Kernel::System::DB');
# Debug 0=off 1=on
$Self->{Debug} = 0;
# get config object
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
# config options
$Self->{Table} = $ConfigObject->Get( 'Customer::AuthModule::DB::Table' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::Table$Param{Count} in Kernel/Config.pm!";
$Self->{Key} = $ConfigObject->Get( 'Customer::AuthModule::DB::CustomerKey' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::CustomerKey$Param{Count} in Kernel/Config.pm!";
$Self->{Pw} = $ConfigObject->Get( 'Customer::AuthModule::DB::CustomerPassword' . $Param{Count} )
|| die "Need CustomerAuthModule::DB::CustomerPw$Param{Count} in Kernel/Config.pm!";
$Self->{CryptType} = $ConfigObject->Get( 'Customer::AuthModule::DB::CryptType' . $Param{Count} )
|| '';
if ( $ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} ) ) {
$Self->{DBObject} = Kernel::System::DB->new(
DatabaseDSN =>
$ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} ),
DatabaseUser =>
$ConfigObject->Get( 'Customer::AuthModule::DB::User' . $Param{Count} ),
DatabasePw =>
$ConfigObject->Get( 'Customer::AuthModule::DB::Password' . $Param{Count} ),
Type => $ConfigObject->Get( 'Customer::AuthModule::DB::Type' . $Param{Count} )
|| '',
)
|| die "Can't connect to "
. $ConfigObject->Get( 'Customer::AuthModule::DB::DSN' . $Param{Count} );
# remember that we have the DBObject not from parent call
$Self->{NotParentDBObject} = 1;
}
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need What!"
);
return;
}
# module options
my %Option = (
PreAuth => 0,
);
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{User} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need User!"
);
return;
}
# get params
my $User = $Param{User} || '';
my $Pw = $Param{Pw} || '';
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
my $UserID = '';
my $GetPw = '';
# sql query
$Self->{DBObject}->Prepare(
SQL => "
SELECT $Self->{Pw}, $Self->{Key} FROM $Self->{Table} WHERE
$Self->{Key} = ?
",
Bind => [ \$Param{User} ],
);
while ( my @Row = $Self->{DBObject}->FetchrowArray() ) {
$GetPw = $Row[0] || '';
$UserID = $Row[1];
}
# check if user exists in auth table
if ( !$UserID ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: No auth record in '$Self->{Table}' for '$User' "
. "(REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# get encode object
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
# crypt given pw
my $CryptedPw = '';
my $Salt = $GetPw;
if ( $Self->{CryptType} eq 'plain' ) {
$CryptedPw = $Pw;
}
# md5 or sha pw
elsif ( $GetPw !~ /^.{13}$/ ) {
# md5 pw
if ( $GetPw =~ m{\A \$.+? \$.+? \$.* \z}xms ) {
# strip Salt
$Salt =~ s/^(\$.+?\$)(.+?)\$.*$/$2/;
my $Magic = $1;
# encode output, needed by unix_md5_crypt() only non utf8 signs
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$Salt );
if ( $Magic eq '$apr1$' ) {
$CryptedPw = apache_md5_crypt( $Pw, $Salt );
}
else {
$CryptedPw = unix_md5_crypt( $Pw, $Salt );
}
$EncodeObject->EncodeInput( \$CryptedPw );
}
# sha256 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{64} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha256');
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
# sha512 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{128} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha512');
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
elsif ( $GetPw =~ m{^BCRYPT:} ) {
# require module, log errors if module was not found
if ( !$Kernel::OM->Get('Kernel::System::Main')->Require('Crypt::Eksblowfish::Bcrypt') )
{
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message =>
"User: '$User' tried to authenticate with bcrypt but 'Crypt::Eksblowfish::Bcrypt' is not installed!",
);
return;
}
# get salt and cost from stored PW string
my ( $Cost, $Salt, $Base64Hash ) = $GetPw =~ m{^BCRYPT:(\d+):(.{16}):(.*)$}xms;
# remove UTF8 flag, required by Crypt::Eksblowfish::Bcrypt
$EncodeObject->EncodeOutput( \$Pw );
# calculate password hash with the same cost and hash settings
my $Octets = Crypt::Eksblowfish::Bcrypt::bcrypt_hash(
{
key_nul => 1,
cost => $Cost,
salt => $Salt,
},
$Pw
);
$CryptedPw = "BCRYPT:$Cost:$Salt:" . Crypt::Eksblowfish::Bcrypt::en_base64($Octets);
}
# sha1 pw
elsif ( $GetPw =~ m{\A [0-9a-f]{40} \z}xmsi ) {
my $SHAObject = Digest::SHA->new('sha1');
# encode output, needed by sha1_hex() only non utf8 signs
$EncodeObject->EncodeOutput( \$Pw );
$SHAObject->add($Pw);
$CryptedPw = $SHAObject->hexdigest();
$EncodeObject->EncodeInput( \$CryptedPw );
}
# No-13-chars-long crypt pw (e.g. in Fedora28).
else {
my $SaltUser = $User;
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$SaltUser );
# Encode output, needed by crypt() only non utf8 signs.
$CryptedPw = crypt( $Pw, $SaltUser );
$EncodeObject->EncodeInput( \$CryptedPw );
}
}
# crypt pw
else {
# strip salt only for (Extended) DES, not for any of modular crypt's
if ( $Salt !~ /^\$\d\$/ ) {
$Salt =~ s/^(..).*/$1/;
}
$EncodeObject->EncodeOutput( \$Pw );
$EncodeObject->EncodeOutput( \$Salt );
# encode output, needed by crypt() only non utf8 signs
$CryptedPw = crypt( $Pw, $Salt );
$EncodeObject->EncodeInput( \$CryptedPw );
}
# just in case!
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: '$User' tried to authenticate with Pw: '$Pw' "
. "($UserID/$CryptedPw/$GetPw/$Salt/$RemoteAddr)",
);
}
# just a note
if ( !$Pw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User authentication without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# login note
elsif ( ( $GetPw && $User && $UserID ) && $CryptedPw eq $GetPw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
return $User;
}
# just a note
elsif ( $UserID && $GetPw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
# just a note
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $User doesn't exist or is invalid!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
}
sub DESTROY {
my $Self = shift;
# disconnect if it's not a parent DBObject
if ( $Self->{NotParentDBObject} ) {
if ( $Self->{DBObject} ) {
$Self->{DBObject}->Disconnect();
}
}
return 1;
}
1;
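Review bot: The `Debug > 0` branch in Auth writes the cleartext password, the stored hash and the salt to the log at notice priority, so enabling Debug for troubleshooting persists customer credentials in the log file; keeping the diagnostic without the secrets, e.g. `Message => "CustomerUser: '$User' tried to authenticate ($UserID/$RemoteAddr)",`, removes that exposure. The final check `$CryptedPw eq $GetPw` is an ordinary string comparison, which a short comment such as `# NOTE: plain string compare, not constant-time` should at least make explicit for the next maintainer. Separately, the `die` messages in new name `CustomerAuthModule::DB::Table` and `CustomerAuthModule::DB::CustomerPw`, which do not match the keys actually read (`Customer::AuthModule::DB::Table`, `Customer::AuthModule::DB::CustomerPassword`) and would send an administrator looking for the wrong setting. The row loop after `Prepare` also keeps whichever row comes last when the key column is not unique; a comment stating that the key is assumed unique, or a check on the row count, would make that assumption visible.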


@@ -0,0 +1,110 @@
# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
# Note:
#
# If you use this module, you should use as fallback the following
# config settings:
#
# If use isn't login through apache ($ENV{REMOTE_USER} or $ENV{HTTP_REMOTE_USER})
# $Self->{CustomerPanelLoginURL} = 'http://host.example.com/not-authorised-for-otrs.html';
#
# $Self->{CustomerPanelLogoutURL} = 'http://host.example.com/thanks-for-using-otrs.html';
# --
package Kernel::System::CustomerAuth::HTTPBasicAuth;
use strict;
use warnings;
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::Log',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# Debug 0=off 1=on
$Self->{Debug} = 0;
$Self->{Count} = $Param{Count} || '';
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need What!"
);
return;
}
# module options
my %Option = (
PreAuth => 1,
);
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# get params
my $User = $ENV{REMOTE_USER} || $ENV{HTTP_REMOTE_USER};
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
# return on on user
if ( !$User ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"User: No \$ENV{REMOTE_USER} or \$ENV{HTTP_REMOTE_USER} !(REMOTE_ADDR: $RemoteAddr).",
);
return;
}
# get config object
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
# replace parts of login
my $Replace = $ConfigObject->Get(
'Customer::AuthModule::HTTPBasicAuth::Replace' . $Self->{Count},
);
if ($Replace) {
$User =~ s/^\Q$Replace\E//;
}
# regexp on login
my $ReplaceRegExp = $ConfigObject->Get(
'Customer::AuthModule::HTTPBasicAuth::ReplaceRegExp' . $Self->{Count},
);
if ($ReplaceRegExp) {
$User =~ s/$ReplaceRegExp/$1/;
}
# log
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
return $User;
}
1;
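Review bot: In Auth the substitution `$User =~ s/$ReplaceRegExp/$1/;` leaves `$User` empty when the configured pattern matches but defines no capture group, and the code then logs "Authentication ok" for that empty name and returns it; a guard such as `return if !length $User;` placed before the success log stops an empty login from being reported as a success. The module also accepts `$ENV{HTTP_REMOTE_USER}`, which is populated from a request header rather than from the web server's own authentication result, so the contract that the front-end must set that header itself and discard any client-supplied value belongs next to the assignment, e.g. `# HTTP_REMOTE_USER comes from a request header: the reverse proxy must overwrite it, never pass it through`. The header comment at the top of the file hints at this dependency on Apache but does not state the requirement.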


@@ -0,0 +1,356 @@
# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
package Kernel::System::CustomerAuth::LDAP;
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::Encode',
'Kernel::System::Log',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# Debug 0=off 1=on
$Self->{Debug} = 0;
# get config object
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
# get ldap preferences
$Self->{Die} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::Die' . $Param{Count} );
if ( $ConfigObject->Get( 'Customer::AuthModule::LDAP::Host' . $Param{Count} ) ) {
$Self->{Host} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::Host' . $Param{Count} );
}
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need Customer::AuthModule::LDAPHost$Param{Count} in Kernel/Config.pm",
);
return;
}
if (
defined(
$ConfigObject->Get( 'Customer::AuthModule::LDAP::BaseDN' . $Param{Count} )
)
)
{
$Self->{BaseDN} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::BaseDN' . $Param{Count} );
}
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need Customer::AuthModule::LDAPBaseDN$Param{Count} in Kernel/Config.pm",
);
return;
}
if ( $ConfigObject->Get( 'Customer::AuthModule::LDAP::UID' . $Param{Count} ) ) {
$Self->{UID} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::UID' . $Param{Count} );
}
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need 'Customer::AuthModule::LDAP::UID$Param{Count} in Kernel/Config.pm",
);
return;
}
$Self->{SearchUserDN} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::SearchUserDN' . $Param{Count} )
|| '';
$Self->{SearchUserPw} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::SearchUserPw' . $Param{Count} )
|| '';
$Self->{GroupDN} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::GroupDN' . $Param{Count} ) || '';
$Self->{AccessAttr} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::AccessAttr' . $Param{Count} )
|| '';
$Self->{UserAttr} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::UserAttr' . $Param{Count} )
|| 'DN';
$Self->{UserSuffix} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::UserSuffix' . $Param{Count} )
|| '';
$Self->{DestCharset} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::Charset' . $Param{Count} )
|| 'utf-8';
# ldap filter always used
$Self->{AlwaysFilter} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::AlwaysFilter' . $Param{Count} )
|| '';
# Net::LDAP new params
if ( $ConfigObject->Get( 'Customer::AuthModule::LDAP::Params' . $Param{Count} ) ) {
$Self->{Params} = $ConfigObject->Get( 'Customer::AuthModule::LDAP::Params' . $Param{Count} );
}
else {
$Self->{Params} = {};
}
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need What!"
);
return;
}
# module options
my %Option = (
PreAuth => 0,
);
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
for (qw(User Pw)) {
if ( !$Param{$_} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need $_!"
);
return;
}
}
$Param{User} = $Self->_ConvertTo( $Param{User}, 'utf-8' );
$Param{Pw} = $Self->_ConvertTo( $Param{Pw}, 'utf-8' );
# get params
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
# remove leading and trailing spaces
$Param{User} =~ s/^\s+//;
$Param{User} =~ s/\s+$//;
# add user suffix
if ( $Self->{UserSuffix} ) {
$Param{User} .= $Self->{UserSuffix};
# just in case for debug
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: ($Param{User}) added $Self->{UserSuffix} to username!",
);
}
}
# just in case for debug!
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: '$Param{User}' tried to authenticate with Pw: '$Param{Pw}' "
. "(REMOTE_ADDR: $RemoteAddr)",
);
}
# ldap connect and bind (maybe with SearchUserDN and SearchUserPw)
my $LDAP = Net::LDAP->new( $Self->{Host}, %{ $Self->{Params} } );
if ( !$LDAP ) {
if ( $Self->{Die} ) {
die "Can't connect to $Self->{Host}: $@";
}
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Can't connect to $Self->{Host}: $@",
);
return;
}
my $Result = '';
if ( $Self->{SearchUserDN} && $Self->{SearchUserPw} ) {
$Result = $LDAP->bind(
dn => $Self->{SearchUserDN},
password => $Self->{SearchUserPw}
);
}
else {
$Result = $LDAP->bind();
}
if ( $Result->code() ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => 'First bind failed! ' . $Result->error(),
);
return;
}
# build filter
my $Filter = "($Self->{UID}=" . escape_filter_value( $Param{User} ) . ')';
# prepare filter
if ( $Self->{AlwaysFilter} ) {
$Filter = "(&$Filter$Self->{AlwaysFilter})";
}
# perform user search
$Result = $LDAP->search(
base => $Self->{BaseDN},
filter => $Filter,
attrs => ['1.1'],
);
if ( $Result->code() ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => 'Search failed! ' . $Result->error(),
);
$LDAP->disconnect();
return;
}
# get whole user dn
my $UserDN = '';
for my $Entry ( $Result->all_entries() ) {
$UserDN = $Entry->dn();
}
# log if there is no LDAP user entry
if ( !$UserDN ) {
# failed login note
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $Param{User} authentication failed, no LDAP entry found!"
. "BaseDN='$Self->{BaseDN}', Filter='$Filter', (REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAP->unbind();
$LDAP->disconnect();
return;
}
# check if user need to be in a group!
if ( $Self->{AccessAttr} && $Self->{GroupDN} ) {
# just in case for debug
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => 'check for groupdn!',
);
}
# search if we're allowed to
my $Filter2 = '';
if ( $Self->{UserAttr} eq 'DN' ) {
$Filter2 = "($Self->{AccessAttr}=" . escape_filter_value($UserDN) . ')';
}
else {
$Filter2 = "($Self->{AccessAttr}=" . escape_filter_value( $Param{User} ) . ')';
}
my $Result2 = $LDAP->search(
base => $Self->{GroupDN},
filter => $Filter2,
attrs => ['1.1'],
);
if ( $Result2->code() ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Search failed! base='$Self->{GroupDN}', filter='$Filter2', "
. $Result2->error(),
);
$LDAP->unbind();
$LDAP->disconnect();
return;
}
# extract it
my $GroupDN = '';
for my $Entry ( $Result2->all_entries() ) {
$GroupDN = $Entry->dn();
}
# log if there is no LDAP entry
if ( !$GroupDN ) {
# failed login note
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $Param{User} authentication failed, no LDAP group entry found"
. "GroupDN='$Self->{GroupDN}', Filter='$Filter2'! (REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAP->unbind();
$LDAP->disconnect();
return;
}
}
# bind with user data -> real user auth.
$Result = $LDAP->bind(
dn => $UserDN,
password => $Param{Pw}
);
if ( $Result->code() ) {
# failed login note
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $Param{User} ($UserDN) authentication failed: '"
. $Result->error() . "' (REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAP->unbind();
$LDAP->disconnect();
return;
}
# login note
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message =>
"CustomerUser: $Param{User} ($UserDN) authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
# take down session
$LDAP->unbind();
$LDAP->disconnect();
return $Param{User};
}
sub _ConvertTo {
my ( $Self, $Text, $Charset ) = @_;
return if !defined $Text;
# get encode object
my $EncodeObject = $Kernel::OM->Get('Kernel::System::Encode');
if ( !$Charset || !$Self->{DestCharset} ) {
$EncodeObject->EncodeInput( \$Text );
return $Text;
}
# convert from input charset ($Charset) to directory charset ($Self->{DestCharset})
return $EncodeObject->Convert(
Text => $Text,
From => $Charset,
To => $Self->{DestCharset},
);
}
1;
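Review bot: Both entry loops in Auth (`for my $Entry ( $Result->all_entries() )` and the same loop over `$Result2`) silently keep the last DN when the search returns several entries, so an ambiguous UID or group match is resolved by directory ordering instead of being rejected. Treating more than one hit as a failure, `if ( $Result->count() > 1 ) { ... log, unbind, disconnect, return }`, makes the lookup deterministic and mirrors the "no LDAP entry found" handling just below it. The early return after `First bind failed!` leaves the connection open, whereas every later failure path calls `unbind()`/`disconnect()`; it should do the same. The `Debug > 0` block logs `$Param{Pw}` in clear; dropping the password from that message, `Message => "CustomerUser: '$Param{User}' tried to authenticate (REMOTE_ADDR: $RemoteAddr)",`, keeps debug logging usable without persisting credentials.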


@@ -0,0 +1,150 @@
# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
package Kernel::System::CustomerAuth::Radius;
use strict;
use warnings;
use Authen::Radius;
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::Log',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
# Debug 0=off 1=on
$Self->{Debug} = 0;
# get config object
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
# get config
$Self->{Die} = $ConfigObject->Get( 'Customer::AuthModule::Radius::Die' . $Param{Count} );
# get user table
$Self->{RadiusHost} = $ConfigObject->Get( 'Customer::AuthModule::Radius::Host' . $Param{Count} )
|| die "Need Customer::AuthModule::Radius::Host$Param{Count} in Kernel/Config.pm";
$Self->{RadiusSecret} = $ConfigObject->Get( 'Customer::AuthModule::Radius::Password' . $Param{Count} )
|| die "Need Customer::AuthModule::Radius::Password$Param{Count} in Kernel/Config.pm";
return $Self;
}
sub GetOption {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{What} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need What!"
);
return;
}
# module options
my %Option = (
PreAuth => 0,
);
# return option
return $Option{ $Param{What} };
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{User} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need User!"
);
return;
}
# get params
my $User = $Param{User} || '';
my $Pw = $Param{Pw} || '';
my $RemoteAddr = $ENV{REMOTE_ADDR} || 'Got no REMOTE_ADDR env!';
my $UserID = '';
my $GetPw = '';
# just in case for debug!
if ( $Self->{Debug} > 0 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: '$User' tried to authenticate with Pw: '$Pw' ($RemoteAddr)",
);
}
# just a note
if ( !$User ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "No User given!!! (REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# just a note
if ( !$Pw ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication without Pw!!! (REMOTE_ADDR: $RemoteAddr)",
);
return;
}
# Create a radius object
my $Radius = Authen::Radius->new(
Host => $Self->{RadiusHost},
Secret => $Self->{RadiusSecret},
);
if ( !$Radius ) {
if ( $Self->{Die} ) {
die "Can't connect to $Self->{RadiusHost}: $@";
}
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Can't connect to $Self->{RadiusHost}: $@",
);
return;
}
}
my $AuthResult = $Radius->check_pwd( $User, $Pw );
# login note
if ( defined($AuthResult) && $AuthResult == 1 ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication ok (REMOTE_ADDR: $RemoteAddr).",
);
return $User;
}
# just a note
else {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "User: $User Authentication with wrong Pw!!! (REMOTE_ADDR: $RemoteAddr)"
);
return;
}
}
1;
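Review bot: `check_pwd` returning undef (no reply from the server, a timeout, or a shared-secret problem) falls into the `else` branch of Auth and is logged as "Authentication with wrong Pw", which hides a RADIUS outage behind what looks like a user error. A separate branch for the undefined result, logged at priority `error` with the reason from `$Radius->get_error()`, gives operators a usable signal; the rewritten lines are below. `$UserID` and `$GetPw` are declared but never used in this module, and the `!$User` test after the "Need User!" check can never be true; both look copied from the DB backend and should be dropped. The `Debug > 0` message logs `$Pw` in clear and should omit it.
```perl
my $AuthResult = $Radius->check_pwd( $User, $Pw );
# undef means no usable answer from the server (timeout, bad shared secret, ...),
# which is an operational error rather than a wrong password
if ( !defined $AuthResult ) {
    $Kernel::OM->Get('Kernel::System::Log')->Log(
        Priority => 'error',
        Message  => "User: $User RADIUS check against $Self->{RadiusHost} failed: "
            . $Radius->get_error() . " (REMOTE_ADDR: $RemoteAddr)",
    );
    return;
}
# … unchanged: success and wrong-password branches …
```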


@@ -0,0 +1,126 @@
# --
# Copyright (C) 2001-2019 OTRS AG, https://otrs.com/
# --
# This software comes with ABSOLUTELY NO WARRANTY. For details, see
# the enclosed file COPYING for license information (GPL). If you
# did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt.
# --
package Kernel::System::CustomerAuth::TwoFactor::GoogleAuthenticator;
use strict;
use warnings;
use Digest::SHA qw(sha1);
use Digest::HMAC qw(hmac_hex);
use parent qw(Kernel::System::Auth::TwoFactor::GoogleAuthenticator);
our @ObjectDependencies = (
'Kernel::Config',
'Kernel::System::CustomerUser',
'Kernel::System::Log',
);
sub new {
my ( $Type, %Param ) = @_;
# allocate new hash for object
my $Self = {};
bless( $Self, $Type );
$Self->{Count} = $Param{Count} || '';
return $Self;
}
sub Auth {
my ( $Self, %Param ) = @_;
# check needed stuff
if ( !$Param{User} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Need User!"
);
return;
}
my $ConfigObject = $Kernel::OM->Get('Kernel::Config');
my $SecretPreferencesKey
= $ConfigObject->Get("Customer::AuthTwoFactorModule$Self->{Count}::SecretPreferencesKey") || '';
if ( !$SecretPreferencesKey ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Found no configuration for SecretPreferencesKey in Customer::AuthTwoFactorModule.",
);
return;
}
# check if customer has secret stored in preferences
my %UserPreferences = $Kernel::OM->Get('Kernel::System::CustomerUser')->GetPreferences(
UserID => $Param{User},
);
if ( !$UserPreferences{$SecretPreferencesKey} ) {
# if login without a stored secret key is permitted, this counts as passed
if ( $ConfigObject->Get("Customer::AuthTwoFactorModule$Self->{Count}::AllowEmptySecret") ) {
return 1;
}
# otherwise login counts as failed
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'error',
Message => "Found no SecretPreferencesKey for customer $Param{User}.",
);
return;
}
# if we get to here (user has preference), we need a passed token
if ( !$Param{TwoFactorToken} ) {
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $Param{User} two factor customer authentication failed (TwoFactorToken missing)."
);
return;
}
# generate otp based on secret from preferences
my $OTP = $Self->_GenerateOTP(
Secret => $UserPreferences{$SecretPreferencesKey},
);
# compare against user provided otp
if ( $Param{TwoFactorToken} ne $OTP ) {
# check if previous token is also to be accepted
if ( $ConfigObject->Get("Customer::AuthTwoFactorModule$Self->{Count}::AllowPreviousToken") ) {
# try again with previous otp (from 30 seconds ago)
$OTP = $Self->_GenerateOTP(
Secret => $UserPreferences{$SecretPreferencesKey},
Previous => 1,
);
}
if ( $Param{TwoFactorToken} ne $OTP ) {
# log failure
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $Param{User} two factor customer authentication failed (non-matching otp).",
);
return;
}
}
# log success
$Kernel::OM->Get('Kernel::System::Log')->Log(
Priority => 'notice',
Message => "CustomerUser: $Param{User} two factor customer authentication ok.",
);
return 1;
}
1;
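Review bot: When `AllowEmptySecret` is set, Auth returns 1 for a customer with no stored secret without writing anything to the log, although every other outcome in this method is logged; the audit trail needs a line there, e.g. `Message => "CustomerUser: $Param{User} two factor authentication skipped (no secret stored, AllowEmptySecret set).",` at priority `notice` before the `return 1`. Nothing in this method prevents a token that was already accepted from being accepted again while it is still valid; if the parent class does not track the last used token, recording the last accepted OTP per user and rejecting a repeat would close that gap (`_GenerateOTP` is inherited from the parent named at the top of the file and is outside this hunk, so its behaviour cannot be confirmed here). `Digest::SHA qw(sha1)` and `Digest::HMAC qw(hmac_hex)` are imported but not referenced anywhere in this file.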