Reworking code to function with pluggable authentication. Moving PHP_AUTH_USER to variable to be set via config instead of relying blindly on PHP_AUTH_USER

2017-02-14 11:06:54 -05:00 · 2017-02-14 11:06:54 -05:00 · 88307db24e
--- a/auth.php
+++ b/auth.php
@ -1,40 +1,8 @@
 <?php
-
+require_once('config.php');
 function ask() {
  header('WWW-Authenticate: Basic realm="Mozilla Corporation - LDAP Login"');
 }
 function wail_and_bail() {
  header('HTTP/1.0 401 Unauthorized');
  ask();
  print "<h1>401 Unauthorized</h1>";
  die;
 }
 if (!isset($_SERVER["PHP_AUTH_USER"])) {
  ask();
  wail_and_bail();
 } else {
  // Check for validity of login
  $user = $_SERVER["PHP_AUTH_USER"];
  if (preg_match('/[a-z.]+@(.+?)\.(.+)/', $user, $m)) {
    $o = "net";
    if (($m[1] == "mozilla" && $m[2] == "com") ||
        ($m[1] == "mozilla-japan" && $m[2] == "org")) {
      $o = "com";
    } elseif (($m[1] == "mozilla" && $m[2] == "org") ||
              ($m[1] == "mozillafoundation" && $m[2] == "org")) {
      $o = "org";
    }
    $dn = "mail=$user,o={$o},dc=mozilla";
    $password = $_SERVER["PHP_AUTH_PW"];
  } else {
    wail_and_bail();
  }
 }
 $connection = ldap_connect($ldap["host"], $ldap["port"]);
-// Actually perform authentication
+if (!ldap_bind($connection, $LDAP_BIND_USER, $LDAP_BIND_PASS)) {
-if (!ldap_bind($connection, $dn, $password)) {
+    echo "LDAP conneciton failed";
-  wail_and_bail();
+    die;
 }
--- a/config-dist.php
+++ b/config-dist.php
@ -13,6 +13,13 @@ $mysql = array(
  "database" => ""
 );
 $LDAP_BIND_USER = 'id=username@domain.com,ou=logins,dc=foo';
 $LDAP_BIND_PASS = 'LDAPBINDPASS';
 // No longer rely on PHP_AUTH_USER blindly
 // $_SERVER['OIDC_CLAIM_email'] would work for Open ID Connect
 $GLOBAL_AUTH_USERNAME = $_SERVER['PHP_AUTH_USER'];
 # Set the constants below to FALSE to do various debugging.
 define("ENABLE_MAIL", TRUE);
 define("ENABLE_DB", TRUE);
--- a/edit.php
+++ b/edit.php
@ -14,10 +14,10 @@ $is_editing = false;
 $data = ldap_find(
  	$connection,
-	"mail=". $_SERVER["PHP_AUTH_USER"],
+	"mail=". $GLOBAL_AUTH_USERNAME,
 	array("cn", "manager")
 );
-$notifier_email = $_SERVER["PHP_AUTH_USER"];
+$notifier_email = $GLOBAL_AUTH_USERNAME;
 $notifier_name = $data[0]["cn"][0];
 $manager_dn = $data[0]["manager"][0];
@ -39,11 +39,11 @@ if (ENABLE_MANAGER_NOTIFYING) {
 if (isset($_REQUEST['id']) && $_REQUEST['id']) {
 	$data = ldap_find(
 	  	$connection,
-		"mail=". $_SERVER["PHP_AUTH_USER"],
+		"mail=". $GLOBAL_AUTH_USERNAME,
 		array("cn", "manager")
 	);
-	$notifier_email = $_SERVER["PHP_AUTH_USER"];
+	$notifier_email = $GLOBAL_AUTH_USERNAME;
 	$notifier_name = $data[0]["cn"][0];
 	$manager_dn = $data[0]["manager"][0];
--- a/export.php
+++ b/export.php
@ -2,7 +2,7 @@
 	require("prefetch.inc");
-	if (!in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
+	if (!in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
 		include "./templates/header.php";
 		echo "You are not permitted to view this page.";
 		include "./templates/footer.php";
--- a/mypto.php
+++ b/mypto.php
@ -4,13 +4,14 @@ require_once('config.php');
 require_once('auth.php');
 function pretty_die() {
    global $GLOBAL_AUTH_USERNAME;
    include './templates/header.php';
    echo 'There was a problem getting your PTO records. Please try again later.';
    include './templates/footer.php';
    exit;
 }
-$me = $_SERVER['PHP_AUTH_USER'];
+$me = $GLOBAL_AUTH_USERNAME;
 $conn =  @mysql_connect($mysql['host'], $mysql['user'], $mysql['password']) 
             or pretty_die();
--- a/perms.inc
+++ b/perms.inc
@ -4,7 +4,7 @@ if (!defined("LIMITED_FIELDS")) {
  define("LIMITED_FIELDS", "id, person, added, hours, start, end, details");
 }
-$notifier_email = $_SERVER["PHP_AUTH_USER"];
+$notifier_email = $GLOBAL_AUTH_USERNAME;
 $data = ldap_find($connection, "mail=". $notifier_email, array("manager", "cn"));
 $notifier_name = $data[0]["cn"][0];
--- a/report.php
+++ b/report.php
@ -1,7 +1,7 @@
 <?php
 require("prefetch.inc");
-if (!in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
+if (!in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
        include "./templates/header.php";
        echo "You are not permitted to view this page.";
        include "./templates/footer.php";
--- a/submit.php
+++ b/submit.php
@ -50,7 +50,7 @@ if (isset($_REQUEST["id"]) && $_REQUEST["id"]) {
 }
-$notifier_email = $_SERVER["PHP_AUTH_USER"];
+$notifier_email = $GLOBAL_AUTH_USERNAME;
 $data = ldap_find(
  $connection, "mail=". $notifier_email, array("manager", "cn")
 );
--- a/templates/header.php
+++ b/templates/header.php
@ -23,7 +23,7 @@
        <li><a href="./">Notify</a></li>
        <li><a href="./mypto.php">My PTO</a></li>
        <?php
-          if (in_array($_SERVER["PHP_AUTH_USER"], $export_users)) {
+          if (in_array($GLOBAL_AUTH_USERNAME, $export_users)) {
            ?><li><a href="./export.php">List</a></li>
       	    <li><a href="./report.php">Report</a></li><?php
 	  }