Merge pull request #45 from NottingHack/kerberosAuth

Implement Kerberos Auth methods and rename IdentityManager to Passwor…

Author: dpslwk

app/HMS/Auth/FileBasedIdentityManager.php app/HMS/Auth/FileBasedPasswordStore.phpapp/HMS/Auth/FileBasedIdentityManager.php renamed to app/HMS/Auth/FileBasedPasswordStore.php

@@ -4,17 +4,18 @@
 
 use Illuminate\Support\Facades\Storage;
 
-class FileBasedIdentityManager implements IdentityManager
+class FileBasedPasswordStore implements PasswordStore
 {
     protected $usersFile;
     protected $users;
 
     /**
-     * FileBasedUserManager constructor.
+     * FileBasedPasswordStore constructor.
      */
-    public function __construct($usersFile = 'users.json')
+    public function __construct($app)
     {
-        $this->usersFile = $usersFile;
+        $config = $app['config']->get('passwordstore.filebased', []);
+        $this->usersFile = $config['name'];
 
         if (Storage::has($this->usersFile)) {
             $this->users = json_decode(Storage::get($this->usersFile), true);

app/HMS/Auth/HmsUserProvider.php

@@ -12,15 +12,15 @@
  */
 class HmsUserProvider extends DoctrineUserProvider
 {
-    /** @var IdentityManager  */
-    protected $identityManager;
+    /** @var PasswordStore  */
+    protected $passwordStore;
 
-    public function __construct(Hasher $hasher, EntityManagerInterface $em, $entity, IdentityManager $identityManager)
+    public function __construct(Hasher $hasher, EntityManagerInterface $em, $entity, PasswordStore $passwordStore)
     {
         // Note: $hasher is never used but required to construct DoctrineUserProvider (parent)
         parent::__construct($hasher, $em, $entity);
 
-        $this->identityManager = $identityManager;
+        $this->passwordStore = $passwordStore;
     }
 
     // overridden because getAuthIdentifier() on our User returns username rather than id
@@ -29,9 +29,9 @@ public function retrieveById($identifier)
         return $this->getRepository()->findOneBy(['username' => $identifier]);
     }
 
-    // overridden because we don't store the password on the user, we use an IdentityManager to check it instead
+    // overridden because we don't store the password on the user, we use an PasswordStore to check it instead
     public function validateCredentials(IlluminateAuthenticatable $user, array $credentials)
     {
-        return $this->identityManager->checkPassword($user->getAuthIdentifier(), $credentials['password']);
+        return $this->passwordStore->checkPassword($user->getAuthIdentifier(), $credentials['password']);
     }
 }

app/HMS/Auth/KerberosIdentityManager.php

@@ -0,0 +1,151 @@
+<?php
+
+namespace HMS\Auth;
+
+
+class KerberosPasswordStore implements PasswordStore  
+{
+
+    /**
+    * The KADM5 connection to use.
+    * @var KADM5.
+    */
+    private $__krbConn;
+
+    /**
+    * The relm to use.
+    * @var string
+    */
+    private $__realm;
+
+    /**
+    * If true, we're in debug mode and shouldn't actually take any action.
+    * @var bool
+    */
+    private $__debug;
+
+    /**
+     * Constructor.
+     *
+     */
+    public function __construct($app) 
+    {
+        $config = $app['config']->get('passwordstore.kerberos', []);
+
+        $this->__debug = $config['debug'];
+        $this->__realm = $config['realm'];
+        $this->__krbConn = new \KADM5($config['username'], $config['keytab'], true); // use keytab=true
+    }
+
+    /**
+     * Add a new identity with the specified username and password.
+     *
+     * @param  string $username
+     * @param  string $password
+     * @return void
+     */
+    public function add($username, $password)
+    {
+        /* Just incase some smartarse appends /admin to their handle
+        * in an attempt to become a krb admin... */
+        if (stristr($username, '/admin') === false) {
+            try {
+                $princ = new \KADM5Principal(strtolower($username));
+                $this->__krbConn->createPrincipal($princ, $password);
+            } catch (\Exception $e) {
+                if ($this->__debug) {
+                    echo "$e\n";
+                }
+                return false;
+            }
+            return true;
+        } else {
+            if ($this->__debug) {
+                echo "Attempt to create admin user stopped.";
+            }
+            return false;
+        }
+    }
+
+    /**
+     * Remove the specified identity.
+     *
+     * @param  string $username
+     * @return void
+     */
+    public function remove($username)
+    {
+        try {
+            $princ = $this->__krbConn->getPrincipal(strtolower($username));
+            $princ->delete();
+        } catch (\Exception $e) {
+            if ($this->__debug) {
+                echo "$e\n";
+            }
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Check if a specified identity exists.
+     *
+     * @param  string $username
+     * @return boolean
+     */
+    public function exists($username)
+    {
+        try {
+            $this->__krbConn->getPrincipal(strtolower($username));
+        } catch (\Exception $e) {
+            if ($e->getMessage() == "Principal does not exist") {
+                return false;
+            } else {
+                return null;
+            }
+        }
+        return true;
+    }
+
+    /**
+     * Set the password for a specified identity.
+     *
+     * @param  string $username
+     * @param  string $password
+     * @return void
+     */
+    public function setPassword($username, $password)
+    {
+        try {
+            $princ = $this->__krbConn->getPrincipal(strtolower($username));
+            $princ->changePassword($newpassword);
+        } catch (\Exception $e) {
+            if ($this->__debug) {
+                echo "$e\n";
+            }
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Check the password for a specified identity is correct.
+     *
+     * @param  string $username
+     * @param  string $password
+     * @return boolean
+     */
+    public function checkPassword($username, $password)
+    {
+        $ticket = new \KRB5CCache();
+        try {
+            $ticket->initPassword(strtolower($username) . "@" . $this->__realm, $password);
+        } catch (\Exception $e) {
+            if ($this->__debug) {
+                echo "$e\n";
+            }
+            return false;
+        }
+        return true;
+    }
+}

app/HMS/Auth/KerberosPasswordStore.php

@@ -3,11 +3,11 @@
 namespace HMS\Auth;
 
 /**
- * An IdentityManager specifies operations for adding, removing and checking the credentials of an identity.
+ * An PasswordStore specifies operations for adding, removing and checking the credentials of a users identity.
  *
  * @author Rob Hunt <rob.hunt@nottinghack.org.uk>
  */
-interface IdentityManager
+interface PasswordStore
 {
     /**
      * Add a new identity with the specified username and password.

app/HMS/Auth/IdentityManager.php app/HMS/Auth/PasswordStore.phpapp/HMS/Auth/IdentityManager.php renamed to app/HMS/Auth/PasswordStore.php

@@ -0,0 +1,41 @@
+<?php
+
+namespace HMS\Auth;
+
+use HMS\Auth\FileBassedPasswordStore;
+use HMS\Auth\KerberosPasswordStore;
+use Illuminate\Support\Manager;
+
+class PasswordStoreManager extends Manager
+{
+    
+    /**
+     * Create an instance of the Kerberos driver
+     *
+     * @return KerberosPasswordStore
+     */
+    protected function createKerberosDriver()
+    {
+        return new KerberosPasswordStore($this->app);
+    }
+
+    /**
+     * Create an instance of the FileBased driver
+     *
+     * @return FileBasedPasswordStore
+     */
+    protected function createFileBasedDriver()
+    {
+        return new FileBasedPasswordStore($this->app);
+    }
+
+    /**
+     * Get the default driver
+     *
+     * @return string
+     */
+    public function getDefaultDriver()
+    {
+        return $this->app['config']['passwordstore.driver'];
+    }
+}

app/HMS/Auth/PasswordStoreManager.php

@@ -2,7 +2,7 @@
 
 namespace App\Http\Controllers\Auth;
 
-use HMS\Auth\IdentityManager;
+use HMS\Auth\PasswordStore;
 use HMS\Entities\Role;
 use HMS\Entities\User;
 
@@ -36,18 +36,18 @@ class RegisterController extends Controller
 
     protected $userRepository;
     protected $roleRepository;
-    protected $identityManager;
+    protected $passwordStore;
 
     /**
      * Create a new controller instance.
      *
      * @return void
      */
-    public function __construct(UserRepository $userRepository, RoleRepository $roleRepository, IdentityManager $identityManager)
+    public function __construct(UserRepository $userRepository, RoleRepository $roleRepository, PasswordStore $passwordStore)
     {
         $this->userRepository = $userRepository;
         $this->roleRepository = $roleRepository;
-        $this->identityManager = $identityManager;
+        $this->passwordStore = $passwordStore;
         $this->middleware('guest');
     }
 
@@ -85,7 +85,7 @@ protected function create(array $data)
 
         // TODO: maybe consolidate these into a single call via a service?
         $this->userRepository->create($user);
-        $this->identityManager->add($user->getUsername(), $data['password']);
+        $this->passwordStore->add($user->getUsername(), $data['password']);
 
         return $user;
     }