From 88307db24edbcd846db1793d3598db2aa3309938 Mon Sep 17 00:00:00 2001
From: Rob Tucker
Date: Tue, 14 Feb 2017 11:06:54 -0500
Subject: [PATCH] Reworking code to function with pluggable authentication. Moving PHP_AUTH_USER to variable to be set via config instead of relying blindly on PHP_AUTH_USER
---
 auth.php | 40 ++++------------------------------------
 config-dist.php | 7 +++++++
 edit.php | 8 ++++----
 export.php | 2 +-
 mypto.php | 3 ++-
 perms.inc | 2 +-
 report.php | 2 +-
 submit.php | 2 +-
 templates/header.php | 2 +-
 9 files changed, 22 insertions(+), 46 deletions(-)
diff --git a/auth.php b/auth.php
index a8a2f62..8bada53 100644
--- a/auth.php
+++ b/auth.php
@@ -1,40 +1,8 @@ 401 Unauthorized";
- die;
-}
-
-if (!isset($_SERVER["PHP_AUTH_USER"])) {
- ask();
- wail_and_bail();
-} else {
- // Check for validity of login
- $user = $_SERVER["PHP_AUTH_USER"];
- if (preg_match('/[a-z.]+@(.+?)\.(.+)/', $user, $m)) {
- $o = "net";
- if (($m[1] == "mozilla" && $m[2] == "com") ||
- ($m[1] == "mozilla-japan" && $m[2] == "org")) {
- $o = "com";
- } elseif (($m[1] == "mozilla" && $m[2] == "org") ||
- ($m[1] == "mozillafoundation" && $m[2] == "org")) {
- $o = "org";
- }
- $dn = "mail=$user,o={$o},dc=mozilla";
- $password = $_SERVER["PHP_AUTH_PW"];
- } else {
- wail_and_bail();
- }
-}
+require_once('config.php');
 $connection = ldap_connect($ldap["host"], $ldap["port"]);
-// Actually perform authentication
-if (!ldap_bind($connection, $dn, $password)) {
- wail_and_bail();
+if (!ldap_bind($connection, $LDAP_BIND_USER, $LDAP_BIND_PASS)) {
+ echo "LDAP conneciton failed";
+ die;
 }
diff --git a/config-dist.php b/config-dist.php
index 6d26eea..fae25b8 100644
--- a/config-dist.php
+++ b/config-dist.php
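Review bot: After this hunk auth.php no longer authenticates the caller at all: the removed `ldap_bind($connection, $dn, $password)` bound with the user's own `PHP_AUTH_PW`, whereas the new bind uses the service credentials `$LDAP_BIND_USER`/`$LDAP_BIND_PASS`, and nothing in the diff verifies that `$GLOBAL_AUTH_USERNAME` was established by an authenticating layer in front of PHP. Unless the web server is configured to require authentication on every script that includes auth.php, the username taken from the request header is trusted unverified by edit.php, export.php, mypto.php and perms.inc. At minimum fail closed here and record the assumption: `if (empty($GLOBAL_AUTH_USERNAME)) { header('HTTP/1.0 401 Unauthorized'); exit; }` preceded by `// $GLOBAL_AUTH_USERNAME is trusted as-is: the web server must authenticate the request before PHP runs`. Separately, the failure branch prints `LDAP conneciton failed` (typo) with a 200 response; emitting `header('HTTP/1.0 500 Internal Server Error');` before the echo and fixing the spelling makes the failure visible to monitoring. The first lines of this hunk are garbled in the page, so the removed `ask()`/`wail_and_bail()` definitions are only partly visible.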
@@ -13,6 +13,13 @@ $mysql = array(
 "database" => ""
 );
+$LDAP_BIND_USER = 'id=username@domain.com,ou=logins,dc=foo';
+$LDAP_BIND_PASS = 'LDAPBINDPASS';
+
+// No longer rely on PHP_AUTH_USER blindly
+// $_SERVER['OIDC_CLAIM_email'] would work for Open ID Connect
+$GLOBAL_AUTH_USERNAME = $_SERVER['PHP_AUTH_USER'];
+
 # Set the constants below to FALSE to do various debugging.
 define("ENABLE_MAIL", TRUE);
 define("ENABLE_DB", TRUE);
diff --git a/edit.php b/edit.php
index 81e5675..13b22df 100644
--- a/edit.php
+++ b/edit.php
@@ -14,10 +14,10 @@ $is_editing = false;
 $data = ldap_find(
 $connection,
- "mail=". $_SERVER["PHP_AUTH_USER"],
+ "mail=". $GLOBAL_AUTH_USERNAME,
 array("cn", "manager")
 );
-$notifier_email = $_SERVER["PHP_AUTH_USER"];
+$notifier_email = $GLOBAL_AUTH_USERNAME;
 $notifier_name = $data[0]["cn"][0];
 $manager_dn = $data[0]["manager"][0];
@@ -39,11 +39,11 @@ if (ENABLE_MANAGER_NOTIFYING) {
 if (isset($_REQUEST['id']) && $_REQUEST['id']) {
 $data = ldap_find(
 $connection,
- "mail=". $_SERVER["PHP_AUTH_USER"],
+ "mail=". $GLOBAL_AUTH_USERNAME,
 array("cn", "manager")
 );
- $notifier_email = $_SERVER["PHP_AUTH_USER"];
+ $notifier_email = $GLOBAL_AUTH_USERNAME;
 $notifier_name = $data[0]["cn"][0];
 $manager_dn = $data[0]["manager"][0];
diff --git a/export.php b/export.php
index df67293..aa2ecf5 100644
--- a/export.php
+++ b/export.php
@@ -2,7 +2,7 @@ require("prefetch.inc");
- if (!in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
+ if (!in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
 include "./templates/header.php";
 echo "You are not permitted to view this page.";
 include "./templates/footer.php";
diff --git a/mypto.php b/mypto.php
index 39d5ba7..9d8970f 100644
--- a/mypto.php
+++ b/mypto.php
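Review bot: The new line `$GLOBAL_AUTH_USERNAME = $_SERVER['PHP_AUTH_USER'];` does exactly what the comment above it says the code no longer does — it takes the identity from the request header unconditionally — and it raises an undefined-index notice whenever the header is absent. Since config.php is included by every page, a missing value should be an explicit failure rather than a notice plus an empty username, e.g. `if (!isset($_SERVER['PHP_AUTH_USER'])) { header('HTTP/1.0 401 Unauthorized'); exit; }` ahead of the assignment. The comment would then be accurate if reworded to `// Identity source is configurable; whichever $_SERVER key is used here must be populated by an authenticating web-server module, never by the client`. Note also that `$LDAP_BIND_USER`/`$LDAP_BIND_PASS` make the real config.php a secret-bearing file; it is presumably already excluded from version control, and its permissions should limit it to the web-server user.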
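Review bot: `"mail=". $GLOBAL_AUTH_USERNAME` builds an LDAP search filter by string concatenation in both hunks of this file (the `-14,10` and `-39,11` hunks) and again in perms.inc; before this commit the value had at least passed the regex and the user's own bind in auth.php, now it is the raw header value. Escape it for the filter context at each use, `"mail=". ldap_escape($GLOBAL_AUTH_USERNAME, '', LDAP_ESCAPE_FILTER),`, or compute the escaped form once where `$GLOBAL_AUTH_USERNAME` is set so callers cannot forget. The following `$data[0]["cn"][0]` appears to assume the search returned an entry; if `ldap_find` can return an empty result, that case should be handled rather than surfacing as notices. The second hunk's enclosing `if (ENABLE_MANAGER_NOTIFYING)` block starts outside the hunk.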
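Review bot: `in_array($GLOBAL_AUTH_USERNAME, $export_users)` is an authorization decision made with loose comparison; pass the strict flag so only an exact string match grants access: `if (!in_array($GLOBAL_AUTH_USERNAME, $export_users, true)) {`. With loose comparison any non-string entry in `$export_users` (defined outside this hunk) compares unpredictably against the header-derived username. The `if` block continues past the end of the hunk.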
@@ -4,13 +4,14 @@ require_once('config.php');
 require_once('auth.php');
 function pretty_die() {
+ global $GLOBAL_AUTH_USERNAME;
 include './templates/header.php';
 echo 'There was a problem getting your PTO records. Please try again later.';
 include './templates/footer.php';
 exit;
 }
-$me = $_SERVER['PHP_AUTH_USER'];
+$me = $GLOBAL_AUTH_USERNAME;
 $conn = @mysql_connect($mysql['host'], $mysql['user'], $mysql['password']) or pretty_die();
diff --git a/perms.inc b/perms.inc
index 53f3795..01ab570 100644
--- a/perms.inc
+++ b/perms.inc
@@ -4,7 +4,7 @@ if (!defined("LIMITED_FIELDS")) {
 define("LIMITED_FIELDS", "id, person, added, hours, start, end, details");
 }
-$notifier_email = $_SERVER["PHP_AUTH_USER"];
+$notifier_email = $GLOBAL_AUTH_USERNAME;
 $data = ldap_find($connection, "mail=". $notifier_email, array("manager", "cn"));
 $notifier_name = $data[0]["cn"][0];
diff --git a/report.php b/report.php
index bf6d169..c42ef29 100644
--- a/report.php
+++ b/report.php
@@ -1,7 +1,7 @@ Notify
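Review bot: The added `global $GLOBAL_AUTH_USERNAME;` in `pretty_die()` looks unused, but `include` runs in the function's scope, so it is presumably what lets `./templates/header.php` (also touched by this commit) see the variable; that non-obvious dependency deserves a comment, e.g. `// included templates run in this scope; expose the username for header.php`. Every other function that includes the header template will need the same declaration, which is easy to forget — passing the value explicitly or defining it as a constant would remove the coupling. `$me = $GLOBAL_AUTH_USERNAME;` feeds the MySQL code that continues outside the hunk; if it is interpolated into a query there, it now needs escaping, since auth.php no longer validates it.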
  • My PTO
  • List
  • Report