Added Authorization plugin
Added LDAPAuthorization plugin
This commit is contained in:
parent
1d6bacc681
commit
d07df8a796
22
EVENTS.txt
22
EVENTS.txt
|
@ -535,6 +535,28 @@ StartChangePassword: Before changing a password
|
||||||
EndChangePassword: After changing a password
|
EndChangePassword: After changing a password
|
||||||
- $user: user
|
- $user: user
|
||||||
|
|
||||||
|
StartSetUser: Before setting the currently logged in user
|
||||||
|
- $user: user
|
||||||
|
|
||||||
|
EndSetUser: After setting the currently logged in user
|
||||||
|
- $user: user
|
||||||
|
|
||||||
|
StartSetApiUser: Before setting the current API user
|
||||||
|
- $user: user
|
||||||
|
|
||||||
|
EndSetApiUser: After setting the current API user
|
||||||
|
- $user: user
|
||||||
|
|
||||||
|
StartHasRole: Before determing if the a profile has a given role
|
||||||
|
- $profile: profile in question
|
||||||
|
- $name: name of the role in question
|
||||||
|
- &$has_role: does this profile have the named role?
|
||||||
|
|
||||||
|
EndHasRole: Before determing if the a profile has a given role
|
||||||
|
- $profile: profile in question
|
||||||
|
- $name: name of the role in question
|
||||||
|
- $has_role: does this profile have the named role?
|
||||||
|
|
||||||
UserDeleteRelated: Specify additional tables to delete entries from when deleting users
|
UserDeleteRelated: Specify additional tables to delete entries from when deleting users
|
||||||
- $user: User object
|
- $user: User object
|
||||||
- &$related: array of DB_DataObject class names to delete entries on matching user_id.
|
- &$related: array of DB_DataObject class names to delete entries on matching user_id.
|
||||||
|
|
|
@ -594,9 +594,14 @@ class Profile extends Memcached_DataObject
|
||||||
|
|
||||||
function hasRole($name)
|
function hasRole($name)
|
||||||
{
|
{
|
||||||
|
$has_role = false;
|
||||||
|
if (Event::handle('StartHasRole', array($this, $name, &$has_role))) {
|
||||||
$role = Profile_role::pkeyGet(array('profile_id' => $this->id,
|
$role = Profile_role::pkeyGet(array('profile_id' => $this->id,
|
||||||
'role' => $name));
|
'role' => $name));
|
||||||
return (!empty($role));
|
$has_role = !empty($role);
|
||||||
|
Event::handle('EndHasRole', array($this, $name, $has_role));
|
||||||
|
}
|
||||||
|
return $has_role;
|
||||||
}
|
}
|
||||||
|
|
||||||
function grantRole($name)
|
function grantRole($name)
|
||||||
|
|
|
@ -110,7 +110,11 @@ class ApiAuthAction extends ApiAction
|
||||||
} else {
|
} else {
|
||||||
$nickname = $this->auth_user;
|
$nickname = $this->auth_user;
|
||||||
$password = $this->auth_pw;
|
$password = $this->auth_pw;
|
||||||
$this->auth_user = common_check_user($nickname, $password);
|
$user = common_check_user($nickname, $password);
|
||||||
|
if (Event::handle('StartSetApiUser', array(&$user))) {
|
||||||
|
$this->auth_user = $user;
|
||||||
|
Event::handle('EndSetApiUser', array($user));
|
||||||
|
}
|
||||||
|
|
||||||
if (empty($this->auth_user)) {
|
if (empty($this->auth_user)) {
|
||||||
|
|
||||||
|
|
|
@ -195,12 +195,17 @@ function common_set_user($user)
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ($user) {
|
||||||
|
if (Event::handle('StartSetUser', array(&$user))) {
|
||||||
if($user){
|
if($user){
|
||||||
common_ensure_session();
|
common_ensure_session();
|
||||||
$_SESSION['userid'] = $user->id;
|
$_SESSION['userid'] = $user->id;
|
||||||
$_cur = $user;
|
$_cur = $user;
|
||||||
|
Event::handle('EndSetUser', array($user));
|
||||||
return $_cur;
|
return $_cur;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
112
plugins/Authorization/AuthorizationPlugin.php
Normal file
112
plugins/Authorization/AuthorizationPlugin.php
Normal file
|
@ -0,0 +1,112 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* StatusNet, the distributed open-source microblogging tool
|
||||||
|
*
|
||||||
|
* Superclass for plugins that do authorization
|
||||||
|
*
|
||||||
|
* PHP version 5
|
||||||
|
*
|
||||||
|
* LICENCE: This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
* @category Plugin
|
||||||
|
* @package StatusNet
|
||||||
|
* @author Craig Andrews <candrews@integralblue.com>
|
||||||
|
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
|
||||||
|
* @link http://status.net/
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (!defined('STATUSNET') && !defined('LACONICA')) {
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Superclass for plugins that do authorization
|
||||||
|
*
|
||||||
|
* @category Plugin
|
||||||
|
* @package StatusNet
|
||||||
|
* @author Craig Andrews <candrews@integralblue.com>
|
||||||
|
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
|
||||||
|
* @link http://status.net/
|
||||||
|
*/
|
||||||
|
|
||||||
|
abstract class AuthorizationPlugin extends Plugin
|
||||||
|
{
|
||||||
|
//is this plugin authoritative for authorization?
|
||||||
|
public $authoritative = false;
|
||||||
|
|
||||||
|
//------------Auth plugin should implement some (or all) of these methods------------\\
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Is a user allowed to log in?
|
||||||
|
* @param user
|
||||||
|
* @return boolean true if the user is allowed to login, false if explicitly not allowed to login, null if we don't explicitly allow or deny login
|
||||||
|
*/
|
||||||
|
function loginAllowed($user) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Does a profile grant the user a named role?
|
||||||
|
* @param profile
|
||||||
|
* @return boolean true if the profile has the role, false if not
|
||||||
|
*/
|
||||||
|
function hasRole($profile, $name) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
//------------Below are the methods that connect StatusNet to the implementing Auth plugin------------\\
|
||||||
|
function onInitializePlugin(){
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
function onStartSetUser(&$user) {
|
||||||
|
$loginAllowed = $this->loginAllowed($user);
|
||||||
|
if($loginAllowed === true){
|
||||||
|
if($this->authoritative) {
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}else if($loginAllowed === false){
|
||||||
|
$user = null;
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
if($this->authoritative) {
|
||||||
|
$user = null;
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function onStartSetApiUser(&$user) {
|
||||||
|
return onStartSetUser(&$user);
|
||||||
|
}
|
||||||
|
|
||||||
|
function onStartHasRole($profile, $name, &$has_role) {
|
||||||
|
if($this->hasRole($profile, $name)){
|
||||||
|
$has_role = true;
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
if($this->authoritative) {
|
||||||
|
$has_role = false;
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
/**
|
/**
|
||||||
* StatusNet, the distributed open-source microblogging tool
|
* StatusNet, the distributed open-source microblogging tool
|
||||||
*
|
*
|
||||||
* Plugin to enable LDAP Authentication and Authorization
|
* Plugin to enable LDAP Authentication
|
||||||
*
|
*
|
||||||
* PHP version 5
|
* PHP version 5
|
||||||
*
|
*
|
||||||
|
@ -66,6 +66,7 @@ class LdapAuthenticationPlugin extends AuthenticationPlugin
|
||||||
if($this->password_changeable && (! isset($this->attributes['password']) || !isset($this->password_encoding))){
|
if($this->password_changeable && (! isset($this->attributes['password']) || !isset($this->password_encoding))){
|
||||||
throw new Exception("if password_changeable is set, the password attribute and password_encoding must also be specified");
|
throw new Exception("if password_changeable is set, the password attribute and password_encoding must also be specified");
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
//---interface implementation---//
|
//---interface implementation---//
|
||||||
|
|
||||||
|
|
129
plugins/LdapAuthorization/LdapAuthorizationPlugin.php
Normal file
129
plugins/LdapAuthorization/LdapAuthorizationPlugin.php
Normal file
|
@ -0,0 +1,129 @@
|
||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* StatusNet, the distributed open-source microblogging tool
|
||||||
|
*
|
||||||
|
* Plugin to enable LDAP Authorization
|
||||||
|
*
|
||||||
|
* PHP version 5
|
||||||
|
*
|
||||||
|
* LICENCE: This program is free software: you can redistribute it and/or modify
|
||||||
|
* it under the terms of the GNU Affero General Public License as published by
|
||||||
|
* the Free Software Foundation, either version 3 of the License, or
|
||||||
|
* (at your option) any later version.
|
||||||
|
*
|
||||||
|
* This program is distributed in the hope that it will be useful,
|
||||||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
* GNU Affero General Public License for more details.
|
||||||
|
*
|
||||||
|
* You should have received a copy of the GNU Affero General Public License
|
||||||
|
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*
|
||||||
|
* @category Plugin
|
||||||
|
* @package StatusNet
|
||||||
|
* @author Craig Andrews <candrews@integralblue.com>
|
||||||
|
* @copyright 2009 Craig Andrews http://candrews.integralblue.com
|
||||||
|
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
|
||||||
|
* @link http://status.net/
|
||||||
|
*/
|
||||||
|
|
||||||
|
if (!defined('STATUSNET') && !defined('LACONICA')) {
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
|
||||||
|
require_once INSTALLDIR.'/plugins/Authorization/AuthorizationPlugin.php';
|
||||||
|
require_once 'Net/LDAP2.php';
|
||||||
|
|
||||||
|
class LdapAuthorizationPlugin extends AuthorizationPlugin
|
||||||
|
{
|
||||||
|
public $host=null;
|
||||||
|
public $port=null;
|
||||||
|
public $version=null;
|
||||||
|
public $starttls=null;
|
||||||
|
public $binddn=null;
|
||||||
|
public $bindpw=null;
|
||||||
|
public $basedn=null;
|
||||||
|
public $options=null;
|
||||||
|
public $filter=null;
|
||||||
|
public $scope=null;
|
||||||
|
public $provider_name = null;
|
||||||
|
public $uniqueMember_attribute = null;
|
||||||
|
public $roles_to_groups = null;
|
||||||
|
|
||||||
|
function onInitializePlugin(){
|
||||||
|
parent::onInitializePlugin();
|
||||||
|
if(!isset($this->host)){
|
||||||
|
throw new Exception("must specify a host");
|
||||||
|
}
|
||||||
|
if(!isset($this->basedn)){
|
||||||
|
throw new Exception("must specify a basedn");
|
||||||
|
}
|
||||||
|
if(!isset($this->provider_name)){
|
||||||
|
throw new Exception("provider_name must be set. Use the provider_name from the LDAP Authentication plugin.");
|
||||||
|
}
|
||||||
|
if(!isset($this->uniqueMember_attribute)){
|
||||||
|
throw new Exception("uniqueMember_attribute must be set.");
|
||||||
|
}
|
||||||
|
if(!isset($this->roles_to_groups)){
|
||||||
|
throw new Exception("roles_to_groups must be set.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
//---interface implementation---//
|
||||||
|
function loginAllowed($user) {
|
||||||
|
$user_username = new User_username();
|
||||||
|
$user_username->user_id=$user->id;
|
||||||
|
$user_username->provider_name=$this->provider_name;
|
||||||
|
if($user_username->find() && $user_username->fetch()){
|
||||||
|
$entry = $this->ldap_get_user($user_username->username);
|
||||||
|
if($entry){
|
||||||
|
//if a user exists, we can assume he's allowed to login
|
||||||
|
return true;
|
||||||
|
}else{
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function hasRole($profile, $name) {
|
||||||
|
$user_username = new User_username();
|
||||||
|
$user_username->user_id=$profile->id;
|
||||||
|
$user_username->provider_name=$this->provider_name;
|
||||||
|
if($user_username->find() && $user_username->fetch()){
|
||||||
|
$entry = $this->ldap_get_user($user_username->username);
|
||||||
|
if($entry){
|
||||||
|
if(isset($this->roles_to_groups[$name])){
|
||||||
|
if(is_array($this->roles_to_groups[$name])){
|
||||||
|
foreach($this->roles_to_groups[$name] as $group){
|
||||||
|
if($this->isMemberOfGroup($entry->dn(),$group)){
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}else{
|
||||||
|
if($this->isMemberOfGroup($entry->dn(),$this->roles_to_groups[$name])){
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
function isMemberOfGroup($userDn, $groupDn)
|
||||||
|
{
|
||||||
|
$ldap = ldap_get_connection();
|
||||||
|
$link = $ldap->getLink();
|
||||||
|
$r = ldap_compare($link, $groupDn, $this->uniqueMember_attribute, $userDn);
|
||||||
|
if ($r === true){
|
||||||
|
return true;
|
||||||
|
}else if($r === false){
|
||||||
|
return false;
|
||||||
|
}else{
|
||||||
|
common_log(LOG_ERR, ldap_error($r));
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
84
plugins/LdapAuthorization/README
Normal file
84
plugins/LdapAuthorization/README
Normal file
|
@ -0,0 +1,84 @@
|
||||||
|
The LDAP Authorization plugin allows for StatusNet to handle authorization
|
||||||
|
through LDAP.
|
||||||
|
|
||||||
|
Installation
|
||||||
|
============
|
||||||
|
add "addPlugin('ldapAuthorization',
|
||||||
|
array('setting'=>'value', 'setting2'=>'value2', ...);"
|
||||||
|
to the bottom of your config.php
|
||||||
|
|
||||||
|
You *cannot* use this plugin without the LDAP Authentication plugin
|
||||||
|
|
||||||
|
Settings
|
||||||
|
========
|
||||||
|
provider_name*: name of the LDAP authentication provider that this plugin works with.
|
||||||
|
authoritative (false): should this plugin be authoritative for
|
||||||
|
authorization?
|
||||||
|
uniqueMember_attribute ('uniqueMember')*: the attribute of a group
|
||||||
|
that lists the DNs of its members
|
||||||
|
roles_to_groups*: array that maps StatusNet roles to LDAP groups
|
||||||
|
some StatusNet roles are: moderator, administrator, sandboxed, silenced
|
||||||
|
|
||||||
|
The below settings must be exact copies of the settings used for the
|
||||||
|
corresponding LDAP Authentication plugin.
|
||||||
|
|
||||||
|
host*: LDAP server name to connect to. You can provide several hosts in an
|
||||||
|
array in which case the hosts are tried from left to right.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
port: Port on the server.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
version: LDAP version.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
starttls: TLS is started after connecting.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
binddn: The distinguished name to bind as (username).
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
bindpw: Password for the binddn.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
basedn*: LDAP base name (root directory).
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
options: See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
filter: Default search filter.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
scope: Default search scope.
|
||||||
|
See http://pear.php.net/manual/en/package.networking.net-ldap2.connecting.php
|
||||||
|
|
||||||
|
* required
|
||||||
|
default values are in (parenthesis)
|
||||||
|
|
||||||
|
Example
|
||||||
|
=======
|
||||||
|
Here's an example of an LDAP plugin configuration that connects to
|
||||||
|
Microsoft Active Directory.
|
||||||
|
|
||||||
|
addPlugin('ldapAuthentication', array(
|
||||||
|
'provider_name'=>'Example',
|
||||||
|
'authoritative'=>true,
|
||||||
|
'autoregistration'=>true,
|
||||||
|
'binddn'=>'username',
|
||||||
|
'bindpw'=>'password',
|
||||||
|
'basedn'=>'OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc',
|
||||||
|
'host'=>array('server1', 'server2'),
|
||||||
|
'password_encoding'=>'ad',
|
||||||
|
'attributes'=>array(
|
||||||
|
'username'=>'sAMAccountName',
|
||||||
|
'nickname'=>'sAMAccountName',
|
||||||
|
'email'=>'mail',
|
||||||
|
'fullname'=>'displayName',
|
||||||
|
'password'=>'unicodePwd')
|
||||||
|
));
|
||||||
|
addPlugin('ldapAuthorization', array(
|
||||||
|
'provider_name'=>'Example',
|
||||||
|
'authoritative'=>false,
|
||||||
|
'uniqueMember_attribute'=>'uniqueMember',
|
||||||
|
'roles_to_groups'=> array(
|
||||||
|
'moderator'=>'CN=SN-Moderators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc',
|
||||||
|
'administrator'=> array('CN=System-Adminstrators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc',
|
||||||
|
'CN=SN-Administrators,OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc')
|
||||||
|
),
|
||||||
|
'binddn'=>'username',
|
||||||
|
'bindpw'=>'password',
|
||||||
|
'basedn'=>'OU=Users,OU=StatusNet,OU=US,DC=americas,DC=global,DC=loc',
|
||||||
|
'host'=>array('server1', 'server2')
|
||||||
|
));
|
||||||
|
|
Loading…
Reference in New Issue
Block a user