From b92935d2dc7e02b19f60fef37e6139197b054e30 Mon Sep 17 00:00:00 2001
From: Frédéric Guillot <fred@kanboard.net>
Date: Wed, 13 Aug 2014 12:47:17 -0700
Subject: Add ReverseProxy authentication (pull-request #199)

---
 app/Model/LastLogin.php        |  1 +
 app/Model/ReverseProxyAuth.php | 70 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
 create mode 100644 app/Model/ReverseProxyAuth.php

(limited to 'app/Model')

diff --git a/app/Model/LastLogin.php b/app/Model/LastLogin.php
index db4c4a57..e2ea63e1 100644
--- a/app/Model/LastLogin.php
+++ b/app/Model/LastLogin.php
@@ -34,6 +34,7 @@ class LastLogin extends Base
     const AUTH_LDAP        = 'ldap';
     const AUTH_GOOGLE      = 'google';
     const AUTH_GITHUB      = 'github';
+    const AUTH_REVERSE_PROXY = 'reverse_proxy';
 
     /**
      * Create a new record
diff --git a/app/Model/ReverseProxyAuth.php b/app/Model/ReverseProxyAuth.php
new file mode 100644
index 00000000..1b9ed06c
--- /dev/null
+++ b/app/Model/ReverseProxyAuth.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace Model;
+
+use Core\Security;
+
+/**
+ * ReverseProxyAuth model
+ *
+ * @package  model
+ * @author   Sylvain Veyrié
+ */
+class ReverseProxyAuth extends Base
+{
+    /**
+     * Authenticate the user with the HTTP header
+     *
+     * @access public
+     * @return bool
+     */
+    public function authenticate()
+    {
+        if (isset($_SERVER[REVERSE_PROXY_USER_HEADER])) {
+
+            $login = $_SERVER[REVERSE_PROXY_USER_HEADER];
+            $userModel = new User($this->db, $this->event);
+            $user = $userModel->getByUsername($login);
+
+            if (! $user) {
+                $this->createUser($login);
+                $user = $userModel->getByUsername($login);
+            }
+
+            // Create the user session
+            $userModel->updateSession($user);
+
+            // Update login history
+            $lastLogin = new LastLogin($this->db, $this->event);
+            $lastLogin->create(
+                LastLogin::AUTH_REVERSE_PROXY,
+                $user['id'],
+                $userModel->getIpAddress(),
+                $userModel->getUserAgent()
+            );
+
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Create automatically a new local user after the authentication
+     *
+     * @access private
+     * @param  string  $login  Username
+     * @return bool
+     */
+    private function createUser($login)
+    {
+        $userModel = new User($this->db, $this->event);
+
+        return $userModel->create(array(
+            'email' => strpos($login, '@') !== false ? $login : '',
+            'username' => $login,
+            'is_admin' => REVERSE_PROXY_DEFAULT_ADMIN === $login,
+            'is_ldap_user' => 1,
+        ));
+    }
+}
-- 
cgit v1.2.3