From f867afe3a54ce5947aafcce5401ad2186face95a Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 23 Jan 2023 16:27:40 +0100
Subject: [PATCH 1/3] adding SSO_ONLY capabilities
---
 backend/AUTH/auth.php | 6 ++
 backend/AUTH/methode/sso_only.php | 50 ++++++++++++++
 backend/identity/methode/sso_only.php | 95 +++++++++++++++++++++++++++
 backend/require/auth.manager.php | 11 +++-
 var.php | 1 +
 5 files changed, 160 insertions(+), 3 deletions(-)
 create mode 100755 backend/AUTH/methode/sso_only.php
 create mode 100644 backend/identity/methode/sso_only.php
diff --git a/backend/AUTH/auth.php b/backend/AUTH/auth.php
index 1601c1c67..8eeaf9dbc 100755
--- a/backend/AUTH/auth.php
+++ b/backend/AUTH/auth.php
@@ -51,6 +51,12 @@
 } elseif ($affich_method == 'SSO' && isset($_SERVER['HTTP_AUTH_USER']) && !empty($_SERVER['HTTP_AUTH_USER'])) {
 $login = $_SERVER['HTTP_AUTH_USER'];
 $mdp = 'NO_PASSWD';
+} elseif ($affich_method == 'SSO_ONLY' && isset($_SERVER['REMOTE_USER']) && !empty($_SERVER['REMOTE_USER'])) {
+ $login = $_SERVER['REMOTE_USER'];
+ $mdp = 'NO_PASSWD';
+} elseif ($affich_method == 'SSO_ONLY' && isset($_SERVER['HTTP_AUTH_USER']) && !empty($_SERVER['HTTP_AUTH_USER'])) {
+ $login = $_SERVER['HTTP_AUTH_USER'];
+ $mdp = 'NO_PASSWD';
 } elseif ($affich_method != 'HTML' && isset($_SERVER['PHP_AUTH_USER'])) {
 $login = $_SERVER['PHP_AUTH_USER'];
 $mdp = $_SERVER['PHP_AUTH_PW'];
diff --git a/backend/AUTH/methode/sso_only.php b/backend/AUTH/methode/sso_only.php
new file mode 100755
index 000000000..15758c942
--- /dev/null
+++ b/backend/AUTH/methode/sso_only.php
@@ -0,0 +1,50 @@
+ID))
+{
+ $login_successful = "OK";
+ $user_group = $rowOp->USER_GROUP;
+ $type_log = 'CONNEXION';
+}
+else
+{
+ $login_successful = $l->g(180);
+ $type_log = 'BAD CONNEXION';
+}
+
+
+$value_log = 'USER:' . $login;
+$cnx_origine = "SSO_ONLY";
+
+addLog($type_log, $value_log);
+?>
diff --git a/backend/identity/methode/sso_only.php b/backend/identity/methode/sso_only.php
new file mode 100644
index 000000000..8da770187
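Review bot: The second SSO_ONLY branch takes the identity from `$_SERVER['HTTP_AUTH_USER']`, which is the client-sent `Auth-User` request header rather than a value set by the web server's authentication module, and then pairs it with `$mdp = 'NO_PASSWD'`, so the asserted login is trusted as-is. The existing 'SSO' branch above has the same shape, but this new mode is meant to be the only authentication path, so it deserves a stronger guard: keep only the `REMOTE_USER` branch, or state in the var.php comment for mode 7 that the front-end server must overwrite that header on every request. Separately, `isset()` is redundant next to `!empty()`, so `!empty($_SERVER['REMOTE_USER'])` alone reads cleaner on both new conditions.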
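Review bot: Only the tail of the new `backend/AUTH/methode/sso_only.php` is visible in this rendering; the hunk's leading lines, including the operator lookup that fills `$rowOp` before `if (isset($rowOp->ID))`, are not shown, so how the header-supplied `$login` is matched against the `operators` table cannot be checked here. Whatever that query is, it should go through `mysql2_query_secure` with `$login` passed as a bound argument, as the identity counterpart in this same patch does for `$_SESSION['OCS']["loggeduser"]`. The failure branch sets `$login_successful` and `$type_log` but leaves `$user_group` unset; a one-line comment stating that auth.php rejects the login before `$user_group` is read would document that, if it is indeed the case.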
--- /dev/null
+++ b/backend/identity/methode/sso_only.php
@@ -0,0 +1,95 @@
+%%,'tag_show'=>array(%,%,%,%,%...))
+ * si une erreur est rencontrée, on retourne un code erreur
+
+ */
+require_once ('require/function_files.php');
+//nom de la page
+$name = "sso_only.php";
+connexion_local_read();
+mysqli_select_db($link_ocs, $db_ocs);
+//recherche du niveau de droit de l'utilisateur
+$reqOp = "SELECT new_accesslvl as accesslvl FROM operators WHERE id='%s'";
+$argOp = array($_SESSION['OCS']["loggeduser"]);
+$resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);
+$rowOp = mysqli_fetch_object($resOp);
+if (isset($rowOp->accesslvl)) {
+ $lvluser = $rowOp->accesslvl;
+
+ $profile_config = PROFILES_DIR . $lvluser . '.xml';
+
+ if (!file_exists($profile_config)) {
+ migrate_config_2_2();
+ }
+
+ $profile_serializer = new XMLProfileSerializer();
+ $profile = $profile_serializer->unserialize($lvluser, file_get_contents($profile_config));
+
+ $restriction = $profile->getRestriction('GUI');
+ $restrictions = $profile->getRestrictions();
+ //Si l'utilisateur a des droits limités
+ //on va rechercher les tags sur lesquels il a des droits
+ if ($restriction == 'YES') {
+ $sql = "select tag from tags where login='%s'";
+ $arg = array($_SESSION['OCS']["loggeduser"]);
+ $res = mysql2_query_secure($sql, $link_ocs, $arg);
+ while ($row = mysqli_fetch_object($res)) {
+ // Check for wildcard
+ if (strpos($row->tag, '*') !== false || strpos($row->tag,'?') !== false) {
+ $wildcard = true;
+ $row->tag = str_replace("*", "%", $row->tag);
+ $row->tag = str_replace("?", "_", $row->tag);
+ if($wildcard === true){
+ $sql_wildcard = "SELECT TAG FROM `accountinfo` WHERE TAG LIKE '$row->tag' GROUP BY TAG";
+ $res_wildcard = mysql2_query_secure($sql_wildcard, $link_ocs);
+ while ($row_wildcard = mysqli_fetch_object($res_wildcard)) {
+ $list_tag[$row_wildcard->TAG] = $row_wildcard->TAG;
+ }
+
+ }
+ }else{
+ $list_tag[$row->tag] = $row->tag;
+ }
+ }
+
+ if (!isset($list_tag)) {
+ $ERROR = $l->g(893);
+ }
+
+ // if user is restricted on all pages and has no 
 tag assigned, he has the right to connect but no access
+ if (!isset($list_tag) && !in_array('NO', $restrictions)) {
+ $ERROR = $l->g(896);
+ }
+
+ } elseif ($restriction != 'NO') {
+ $ERROR = $restriction;
+ }
+} else {
+ $ERROR = $l->g(894);
+}
diff --git a/backend/require/auth.manager.php b/backend/require/auth.manager.php
index 54d0da42c..c23e86c8f 100644
--- a/backend/require/auth.manager.php
+++ b/backend/require/auth.manager.php
@@ -23,7 +23,9 @@ function get_affiche_methode(){
 if(AUTH_TYPE == 4){
- return "SSO";
+ return "SSO";
+ } else if (AUTH_TYPE == 7) {
+ return "SSO_ONLY";
 }else{
 return "HTML";
 }
@@ -74,11 +76,14 @@ function get_list_methode($identity = false){
 );
 }
 break;
-
+ case 7:
+ return array(
+ 0 => "sso_only.php"
+ );
 default:
 return array(
 0 => "local.php"
 );
 break;
 }
-}
\ No newline at end of file
+}
diff --git a/var.php b/var.php
index ecbd2d6d2..435c39c42 100644
--- a/var.php
+++ b/var.php
@@ -145,6 +145,7 @@
 * - 3 : LDAP Only
 * - 4 : LDAP with SSO
 * - 5 : Always OK, won't ask for user and password
+ * - 7 : SSO Only (using $_SERVER['REMOTE_USER'] / $_SERVER['HTTP_AUTH_USER'])
 *
 * If LDAP / SSO Basic auth is configured, please configure the LDAP Authentication
 */
From 34addb01f777a3706b2bfef863e3be06a7a65e53 Mon Sep 17 00:00:00 2001
From: root
Date: Mon, 30 Jan 2023 11:10:16 +0100
Subject: [PATCH 2/3] simplification
---
 backend/identity/methode/sso_only.php | 95 ---------------------------
 backend/require/auth.manager.php | 7 +-
 2 files changed, 3 insertions(+), 99 deletions(-)
 delete mode 100644 backend/identity/methode/sso_only.php
diff --git a/backend/identity/methode/sso_only.php b/backend/identity/methode/sso_only.php
deleted file mode 100644
index 8da770187..000000000
--- a/backend/identity/methode/sso_only.php
+++ /dev/null
@@ -1,95 +0,0 @@
-%%,'tag_show'=>array(%,%,%,%,%...))
- * si une erreur est rencontrée, on retourne un code erreur
-
- */
-require_once ('require/function_files.php');
-//nom de la page
-$name = "sso_only.php";
-connexion_local_read();
-mysqli_select_db($link_ocs, $db_ocs);
-//recherche du niveau de droit de l'utilisateur
-$reqOp = "SELECT new_accesslvl as accesslvl FROM operators WHERE id='%s'";
-$argOp = array($_SESSION['OCS']["loggeduser"]);
-$resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);
-$rowOp = mysqli_fetch_object($resOp);
-if (isset($rowOp->accesslvl)) {
- $lvluser = $rowOp->accesslvl;
-
- $profile_config = PROFILES_DIR . $lvluser . '.xml';
-
- if (!file_exists($profile_config)) {
- migrate_config_2_2();
- }
-
- $profile_serializer = new XMLProfileSerializer();
- $profile = $profile_serializer->unserialize($lvluser, file_get_contents($profile_config));
-
- $restriction = $profile->getRestriction('GUI');
- $restrictions = $profile->getRestrictions();
- //Si l'utilisateur a des droits limités
- //on va rechercher les tags sur lesquels il a des droits
- if ($restriction == 'YES') {
- $sql = "select tag from tags where login='%s'";
- $arg = array($_SESSION['OCS']["loggeduser"]);
- $res = mysql2_query_secure($sql, $link_ocs, $arg);
- while ($row = mysqli_fetch_object($res)) {
- // Check for wildcard
- if (strpos($row->tag, '*') !== false || strpos($row->tag,'?') !== false) {
- $wildcard = true;
- $row->tag = str_replace("*", "%", $row->tag);
- $row->tag = str_replace("?", "_", $row->tag);
- if($wildcard === true){
- $sql_wildcard = "SELECT TAG FROM `accountinfo` WHERE TAG LIKE '$row->tag' GROUP BY TAG";
- $res_wildcard = mysql2_query_secure($sql_wildcard, $link_ocs);
- while ($row_wildcard = mysqli_fetch_object($res_wildcard)) {
- $list_tag[$row_wildcard->TAG] = $row_wildcard->TAG;
- }
-
- }
- }else{
- $list_tag[$row->tag] = $row->tag;
- }
- }
-
- if (!isset($list_tag)) {
- $ERROR = $l->g(893);
- }
-
- // if user is restricted on all pages and has no 
 tag assigned, he has the right to connect but no access
- if (!isset($list_tag) && !in_array('NO', $restrictions)) {
- $ERROR = $l->g(896);
- }
-
- } elseif ($restriction != 'NO') {
- $ERROR = $restriction;
- }
-} else {
- $ERROR = $l->g(894);
-}
diff --git a/backend/require/auth.manager.php b/backend/require/auth.manager.php
index c23e86c8f..cd022e97d 100644
--- a/backend/require/auth.manager.php
+++ b/backend/require/auth.manager.php
@@ -76,10 +76,9 @@ function get_list_methode($identity = false){
 );
 }
 break;
- case 7:
- return array(
- 0 => "sso_only.php"
- );
+ case 7:
+ return array(0=>($identity)?"local.php":"sso_only.php");
+ break;
 default:
 return array(
 0 => "local.php"
From 73c33afb0821908cc7c71a022da06304b4174695 Mon Sep 17 00:00:00 2001
From: Lea9250
Date: Tue, 29 Aug 2023 11:31:43 +0200
Subject: [PATCH 3/3] fix(AUTH): blank page when using SSO_ONLY
---
 backend/AUTH/auth.php | 8 +++++++-
 backend/AUTH/methode/sso_only.php | 2 --
 require/html_header.php | 3 +--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/backend/AUTH/auth.php b/backend/AUTH/auth.php
index 79292d1c1..552221e5b 100755
--- a/backend/AUTH/auth.php
+++ b/backend/AUTH/auth.php
@@ -236,7 +236,13 @@
 } else if ($list_methode[0] == 'cas.php') {
 // redirect to CAS login page
 require_once('methode/' . $list_methode[0]);
- } else {
+ } else if ($affich_method == "SSO_ONLY") {
+ // auth failed in SSO_ONLY mode, we display an error message
+ require_once (HEADER_HTML);
+ msg_error($l->g(180));
+ require_once(FOOTER_HTML);
+ die();
+ }else {
 header('WWW-Authenticate: Basic realm="OcsinventoryNG"');
 header('HTTP/1.0 401 Unauthorized');
 die();
diff --git a/backend/AUTH/methode/sso_only.php b/backend/AUTH/methode/sso_only.php
index 15758c942..3a59a31df 100755
--- a/backend/AUTH/methode/sso_only.php
+++ b/backend/AUTH/methode/sso_only.php
@@ -45,6 +45,4 @@
 $value_log = 'USER:' . $login;
 $cnx_origine = "SSO_ONLY";
-
-addLog($type_log, $value_log);
 ?>
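Review bot: The rewritten `case 7` packs the identity/auth switch into an unspaced ternary, `return array(0=>($identity)?"local.php":"sso_only.php");`, which hides the one decision this patch makes: the identity stage now reuses the local operator lookup and only the AUTH stage is SSO-specific. Spacing it out and saying why keeps that visible, e.g. `// identity stage reuses local.php; only the AUTH stage is SSO-specific` followed by `return array(0 => $identity ? "local.php" : "sso_only.php");`. The surrounding `get_list_methode` body continues on both sides of the hunk.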
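Review bot: The new SSO_ONLY failure branch renders the error page under the default 200 status, while the sibling branch right below answers 401, so a reverse proxy, a monitor or a log pipeline cannot tell a denied SSO login from a normally served page and may even cache it. Add a status before any output, e.g. `header('HTTP/1.0 403 Forbidden');` ahead of `require_once (HEADER_HTML);` (403 rather than 401, since there is no `WWW-Authenticate` challenge to issue in this mode). The closing `}else {` also breaks with the `} else if` spacing used on the line above it.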
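Review bot: Dropping `addLog($type_log, $value_log);` from sso_only.php means the 'CONNEXION' / 'BAD CONNEXION' entries this method prepares are no longer written here, while `$type_log` and `$value_log` are still assigned on the context lines just above. If auth.php writes them centrally after including the method, a comment to that effect would stop the next reader from re-adding the call, e.g. `// $type_log / $value_log are written by addLog() in auth.php after this include`; if it does not, failed SSO_ONLY logins now leave no trace in the log, which is the one event an operator would want recorded for this mode. The branch that sets `$type_log` lies above this hunk.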
diff --git a/require/html_header.php b/require/html_header.php
index 2e134c6c2..9effb7daf 100644
--- a/require/html_header.php
+++ b/require/html_header.php
@@ -95,8 +95,7 @@
 }
 echo "";
 }
-
- if (!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['HTTP_AUTH_USER']) && (isset($_SESSION['OCS']['cnx_origine']) && $_SESSION['OCS']['cnx_origine'] != 'CAS')) {
+ if (!isset($_SERVER['PHP_AUTH_USER']) && !isset($_SERVER['HTTP_AUTH_USER']) && (isset($_SESSION['OCS']['cnx_origine']) && ($_SESSION['OCS']['cnx_origine'] != 'CAS' && $_SESSION['OCS']['cnx_origine'] != 'SSO_ONLY'))) {
 echo "
  • " . $l->g(251) . "
  • "; } echo open_form('log_out', 'index.php');
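Review bot: The new condition now reads `$_SESSION['OCS']['cnx_origine']` three times and will grow with every SSO-style mode that is added; `!in_array($_SESSION['OCS']['cnx_origine'], array('CAS', 'SSO_ONLY'), true)` expresses the same exclusion in one place with a strict comparison. Hiding the link is cosmetic: the `log_out` form is still opened on the line that follows, and in SSO_ONLY mode the next request is presumably re-authenticated from `REMOTE_USER` anyway, so a short comment such as `// no logout link for proxy-asserted logins: the front-end re-asserts the user on every request` would record why the link is hidden rather than the session ended. The enclosing block starts before this hunk, and the markup inside the `echo` has been stripped in this rendering, so the exact lines around the condition cannot be checked here.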