1<?php
2
3/**
 * Manages user authentication with Apache's SSO authentication, e.g. mod_sspi
 * or mod_auth_kerb. The web server authenticates the client; this class only
 * trusts the resulting REMOTE_USER and never verifies a password itself.
6 *
7 * This Source Code Form is subject to the terms of the Mozilla Public License,
8 * v. 2.0. If a copy of the MPL was not distributed with this file, You can
9 * obtain one at http://mozilla.org/MPL/2.0/.
10 *
11 * @package   phpMyFAQ
12 * @author    Thorsten Rinne <thorsten@phpmyfaq.de>
13 * @copyright 2011-2020 phpMyFAQ Team
14 * @license   http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
15 * @link      https://www.phpmyfaq.de
16 * @since     2011-06-22
17 */
18
19namespace phpMyFAQ\Auth;
20
21use phpMyFAQ\Auth;
22use phpMyFAQ\User;
23
24/**
 * Class AuthSso
26 *
27 * @package phpMyFAQ\Auth
28 */
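class AuthSso extends Auth implements AuthDriverInterface
{
    /**
     * Password changes are the SSO provider's business; there is nothing to
     * do locally, so this always reports success.
     *
     * @param string $login Loginname
     * @param string $pass  Password (ignored)
     *
     * @return bool always true
     */
    public function changePassword($login, $pass): bool
    {
        return true;
    }

    /**
     * Account removal is the SSO provider's business; this always reports
     * success. Note that no local phpMyFAQ user record is touched here.
     *
     * @param string $login Loginname
     *
     * @return bool always true
     */
    public function delete($login): bool
    {
        return true;
    }

    /**
     * Checks whether the principal authenticated by the web server
     * (REMOTE_USER) is the account that is trying to log in.
     *
     * Security model: $pass is never verified by this driver. The only
     * credential is $_SERVER['REMOTE_USER'], which must be set by the web
     * server's own SSO module (mod_auth_kerb, mod_sspi, ...) after it has
     * authenticated the client. Do not deploy this driver where REMOTE_USER
     * could be supplied by the client or passed through unchecked by an
     * upstream proxy / FastCGI configuration.
     *
     * On a successful match the account is provisioned via add(), so the
     * first SSO login also creates the local phpMyFAQ user.
     *
     * @param string     $login        Loginname
     * @param string     $pass         Password (ignored; SSO already
     *                                 authenticated the client)
     * @param array|null $optionalData Optional data (unused)
     *
     * @return bool true if REMOTE_USER (without domain/realm) equals $login
     */
    public function checkPassword($login, $pass, ?array $optionalData = null): bool
    {
        $remoteUser = self::remoteUser();

        // No principal, or an empty one, means the web server did not
        // authenticate anybody. Without the empty check an empty REMOTE_USER
        // would match an empty $login and provision a nameless account.
        if ($remoteUser === null) {
            return false;
        }

        // Strict comparison: no type juggling, and case-sensitive.
        if (self::extractUserName($remoteUser) !== $login) {
            return false;
        }

        $this->add($login, $pass);

        return true;
    }

    /**
     * Provisions the SSO-authenticated account locally.
     *
     * With LDAP support enabled the LDAP driver creates the account;
     * otherwise a local, password-less user is created and activated.
     * Exceptions thrown by AuthLdap::add() or User::createUser() are not
     * caught here and propagate to the caller.
     *
     * @param string $login  Loginname
     * @param string $pass   Password (ignored; the account is created
     *                       without one because SSO vouches for the client)
     * @param string $domain Domain passed on to the LDAP driver / user store
     *
     * @return bool true if the account was created
     */
    public function add($login, $pass, $domain = ''): bool
    {
        if ($this->config->get('ldap.ldapSupport')) {
            // LDAP/AD + SSO: delegate account creation to the LDAP driver.
            $authLdap = new AuthLdap($this->config);

            return $authLdap->add($login, null, $domain);
        }

        // SSO without LDAP/AD: create a local account with no password.
        $user = new User($this->config);
        $created = $user->createUser($login, null, $domain);

        if ($created) {
            $user->setStatus('active');
            // Only attach profile data to an account that was actually
            // created; there is no record to write to when creation failed.
            $user->setUserData(['display_name' => $login]);
        }

        return $created;
    }

    /**
     * Reports whether an SSO-authenticated principal is present.
     *
     * Returns 1 when the web server set a non-empty REMOTE_USER, else 0.
     * $login is NOT compared against REMOTE_USER here — this only answers
     * "is there an SSO identity at all"; binding that identity to $login is
     * done by checkPassword().
     *
     * @param string     $login        Loginname (unused)
     * @param array|null $optionalData Optional data (unused)
     *
     * @return int 1 if a principal is present, 0 otherwise
     */
    public function checkLogin($login, ?array $optionalData = null): int
    {
        return self::remoteUser() === null ? 0 : 1;
    }

    /**
     * Returns the principal the web server authenticated, or null when
     * REMOTE_USER is absent or empty.
     *
     * @return string|null
     */
    private static function remoteUser(): ?string
    {
        if (!isset($_SERVER['REMOTE_USER'])) {
            return null;
        }

        $principal = (string) $_SERVER['REMOTE_USER'];

        return $principal === '' ? null : $principal;
    }

    /**
     * Strips the domain/realm from a principal name.
     *
     * Accepts "DOMAIN\user", "user@REALM" and plain "user" and returns the
     * bare user part. The domain/realm is discarded and not forwarded to
     * add(), so principals from different realms share one local namespace.
     *
     * @param string $principal Principal as delivered by the web server
     *
     * @return string
     */
    private static function extractUserName(string $principal): string
    {
        $backslashParts = explode('\\', $principal);
        if (count($backslashParts) > 1) {
            // "DOMAIN\user": the part after the first backslash.
            return $backslashParts[1];
        }

        $atParts = explode('@', $principal);
        if (count($atParts) > 1) {
            // "user@REALM": the part before the first "@".
            return $atParts[0];
        }

        return $principal;
    }
}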
142