Merge pull request #1555 from OCSInventory-NG/dit-aix-contribution

SSO_ONLY - Dit aix contribution
OCSInventory-NG · Sep 4, 2023 · 7d314f5 · 7d314f5
2 parents 5b9c469 + 6e3d5c6
commit 7d314f5
Show file tree

Hide file tree

Showing 5 changed files with 75 additions and 10 deletions.
diff --git a/backend/AUTH/auth.php b/backend/AUTH/auth.php
@@ -56,6 +56,12 @@
 } elseif ($affich_method == 'SSO' && isset($_SERVER['HTTP_AUTH_USER']) && !empty($_SERVER['HTTP_AUTH_USER'])) {
     $login = $_SERVER['HTTP_AUTH_USER'];
     $mdp = 'NO_PASSWD';
+} elseif ($affich_method == 'SSO_ONLY' && isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
+    $login = $_SERVER['REMOTE_USER'];
+    $mdp = 'NO_PASSWD';
+} elseif ($affich_method == 'SSO_ONLY' && isset($_SERVER['HTTP_AUTH_USER']) && !empty($_SERVER['HTTP_AUTH_USER'])) {
+    $login = $_SERVER['HTTP_AUTH_USER'];
+    $mdp = 'NO_PASSWD';
 } elseif ($affich_method != 'HTML' && isset($_SERVER['PHP_AUTH_USER'])) {
     $login = $_SERVER['PHP_AUTH_USER'];
     $mdp = $_SERVER['PHP_AUTH_PW'];
@@ -230,7 +236,13 @@
     } else if ($list_methode[0] == 'cas.php') {
         // redirect to CAS login page
         require_once('methode/' . $list_methode[0]);
-    } else {
+    } else if ($affich_method == "SSO_ONLY") {
+        // auth failed in SSO_ONLY mode, we display an error message
+        require_once (HEADER_HTML);
+        msg_error($l->g(180));
+        require_once(FOOTER_HTML);
+        die();
+    }else {
         header('WWW-Authenticate: Basic realm="OcsinventoryNG"');
         header('HTTP/1.0 401 Unauthorized');
         die();

diff --git a/backend/AUTH/methode/sso_only.php b/backend/AUTH/methode/sso_only.php
@@ -0,0 +1,48 @@
+<?php
+/*
+ * Copyright 2005-2016 OCSInventory-NG/OCSInventory-ocsreports contributors.
+ * See the Contributors file for more details about them.
+ *
+ * This file is part of OCSInventory-NG/OCSInventory-ocsreports.
+ *
+ * OCSInventory-NG/OCSInventory-ocsreports is free software: you can redistribute
+ * it and/or modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, either version 2 of the License,
+ * or (at your option) any later version.
+ *
+ * OCSInventory-NG/OCSInventory-ocsreports is distributed in the hope that it
+ * will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
+ * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
+ * MA 02110-1301, USA.
+ */
+connexion_local_read();
+
+
+
+$reqOp = "SELECT ID, USER_GROUP FROM operators WHERE ID='%s'";
+$arg_reqOp = array($login);
+
+$resOp = mysql2_query_secure($reqOp, $_SESSION['OCS']["readServer"], $arg_reqOp);
+$rowOp = mysqli_fetch_object($resOp);
+
+if (isset($rowOp->ID)) 
+{
+    $login_successful = "OK";
+    $user_group = $rowOp->USER_GROUP;
+    $type_log = 'CONNEXION';
+}
+else 
+{
+    $login_successful = $l->g(180);
+    $type_log = 'BAD CONNEXION';
+}
+
+
+$value_log = 'USER:' . $login;
+$cnx_origine = "SSO_ONLY";
+?>
diff --git a/backend/require/auth.manager.php b/backend/require/auth.manager.php
@@ -1,5 +1,5 @@
-<?php
-
+<?php
+
 /*
  * Copyright 2005-2020 OCSInventory-NG/OCSInventory-ocsreports contributors.
  * See the Contributors file for more details about them.
@@ -20,16 +20,18 @@
  * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
  * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
  * MA 02110-1301, USA.
- */
+ */
 function get_affiche_methode(){
     if(AUTH_TYPE == 4){
         return "SSO";
     } else if (AUTH_TYPE == 6) {
         return "CAS";
+    } else if (AUTH_TYPE == 7) {
+        return "SSO_ONLY";
     }else{
         return "HTML";
     }
-}
+}
 function get_list_methode($identity = false){
     switch (AUTH_TYPE) {
         case 1:
@@ -68,9 +70,13 @@ function get_list_methode($identity = false){
             );
             break;
 
+        case 7:
+            return array(0=>($identity)?"local.php":"sso_only.php");
+            break;
+
         default:
             return array(
                 0 => "local.php"
             );
-    }
-}
+        }
+}
diff --git a/require/html_header.php b/require/html_header.php
@@ -95,8 +95,7 @@
                     }
                     echo "</li>";
                 }
-
-                if (!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['HTTP_AUTH_USER']) && (isset($_SESSION['OCS']['cnx_origine']) && $_SESSION['OCS']['cnx_origine'] != 'CAS')) {
+                if (!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['HTTP_AUTH_USER']) && (isset($_SESSION['OCS']['cnx_origine']) && ($_SESSION['OCS']['cnx_origine'] != 'CAS' && $_SESSION['OCS']['cnx_origine'] != 'SSO_ONLY'))) {
                     echo "<li><a onclick='return pag(\"ON\",\"LOGOUT\",\"log_out\")'>" . $l->g(251) . "</a></li>";
                 }
                 echo open_form('log_out', 'index.php');

diff --git a/var.php b/var.php
@@ -73,7 +73,6 @@
 /**
  * OCS' MySQL database version
  */
-
 define('GUI_VER', '7075');
 
 /**
@@ -149,6 +148,7 @@
  * - 4 : LDAP with SSO
  * - 5 : Always OK, won't ask for user and password
  * - 6 : CAS authentication
+ * - 7 : SSO Only (using $_SERVER['REMOTE_USER'] / $_SERVER['HTTP_AUTH_USER'])
  * 
  * If LDAP / SSO Basic auth is configured, please configure the LDAP Authentication
  */