author | Freya Murphy <freya@freyacat.org> | 2024-05-27 00:29:36 -0400 |
---|---|---|
committer | Freya Murphy <freya@freyacat.org> | 2024-05-27 00:29:36 -0400 |
commit | cb9d1193c37b7567dcad5497330169d43ab1e8a2 (patch) | |
tree | 41fea58928d5d4cf87306458114f5465b6620711 /src/web | |
initial
Diffstat (limited to 'src/web')
-rw-r--r-- | src/web/helpers/auth.php | 59 | ||||
-rw-r--r-- | src/web/helpers/ldap.php | 41 | ||||
-rw-r--r-- | src/web/index.php | 66 | ||||
-rw-r--r-- | src/web/views/footer.php | 4 | ||||
-rw-r--r-- | src/web/views/header.php | 13 | ||||
-rw-r--r-- | src/web/views/login.php | 22 | ||||
-rw-r--r-- | src/web/views/message.php | 1 |
7 files changed, 206 insertions, 0 deletions
diff --git a/src/web/helpers/auth.php b/src/web/helpers/auth.php
new file mode 100644
index 0000000..7aa4aff
--- /dev/null
+++ b/src/web/helpers/auth.php
@@ -0,0 +1,59 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+$keys = array();
+
+function load_key($key) {
+ $file = "/tmp/$key";
+ if (!file_exists($file))
+ return FALSE;
+ $content = explode("\n", file_get_contents($file));
+ return array(
+ 'user' => $content[0],
+ 'time' => $content[1]
+ );
+}
+
+function store_key($key, $user) {
+ $file = "/tmp/$key";
+ $now = (string)time();
+ $content = "$user\n{$now}";
+ file_put_contents($file, $content, LOCK_EX);
+}
+
+function get_random($n)
+{
+ $characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+ $randomString = '';
+
+ for ($i = 0; $i < $n; $i++) {
+ $index = rand(0, strlen($characters) - 1);
+ $randomString .= $characters[$index];
+ }
+
+ return $randomString;
+}
+
+function key_auth() {
+ if (!isset($_SESSION['auth'])) {
+ return FALSE;
+ }
+ $key = $_SESSION['auth'];
+ $data = load_key($key);
+ if ($data === FALSE) {
+ return FALSE;
+ }
+ $user = $data['user'];
+ $time = $data['time'];
+ $now = time();
+ if ($time > $now || $now - $time > 60 * 60 * 24) {
+ return FALSE;
+ }
+ store_key($key, $user);
+ return $user;
+}
+
+function key_new($user) {
+ $key = get_random(128);
+ store_key($key, $user);
+ $_SESSION['auth'] = $key;
+}
diff --git a/src/web/helpers/ldap.php b/src/web/helpers/ldap.php
new file mode 100644
index 0000000..f3697cc
--- /dev/null
+++ b/src/web/helpers/ldap.php 
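Review bot: `get_random` derives the session key that `key_new` stores and `key_auth` later trusts from `rand()`, a non-cryptographic PRNG, so the 128-character key is far more predictable than its length suggests; draw each index from the CSPRNG instead, `$index = random_int(0, strlen($characters) - 1);`. `load_key` reads `$content[1]` without checking that the file actually held two lines, so an empty or truncated key file raises an undefined-index notice; return early with `if (count($content) < 2) return FALSE;` before building the array. `key_auth` calls `store_key` on every successful check, which resets the timestamp and makes the 24-hour limit a sliding window measured from last use rather than from issue; if that is intended, say so next to the call, e.g. `// refresh: the key expires 24h after its last successful use, not after issue`. The module-level `$keys = array();` is never read and can be dropped.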
@@ -0,0 +1,41 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+function ldap_auth($auth_username, $auth_password) {
+ $url = getenv("LDAP_URL");
+ $bind = getenv("LDAP_BIND_DN");
+ $password = getenv("LDAP_BIND_PASSWORD");
+ $bound = getenv("LDAP_BASE_DN");
+ $filter = getenv("LDAP_FILTER");
+ $uid = getenv("LDAP_UID");
+
+ $conn = @ldap_connect($url);
+ if (!$conn) {
+ return NULL;
+ }
+ ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
+
+ $bind_conn = @ldap_bind($conn, $bind, $password);
+ if (!$bind_conn) {
+ return NULL;
+ }
+
+ $search = @ldap_search($conn, $bound, $filter);
+
+ $info = @ldap_get_entries($conn, $search);
+ $user = NULL;
+ for ($i=0; $i<$info['count']; $i++) {
+ $user = $info[$i];
+ if (!array_key_exists($uid, $user))
+ continue;
+ if ($user[$uid][0] == $auth_username)
+ break;
+ }
+
+ if ($user == NULL) {
+ return FALSE;
+ }
+
+ $succ = @ldap_bind($conn, $user['dn'], $auth_password);
+ return !!$succ;
+}
+
diff --git a/src/web/index.php b/src/web/index.php
new file mode 100644
index 0000000..ffd6b06
--- /dev/null
+++ b/src/web/index.php 
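Review bot: The search loop assigns `$user = $info[$i]` before testing the entry, so when no entry's `$uid` attribute equals `$auth_username` the loop ends with `$user` still holding the last entry examined; the `$user == NULL` guard then only fires when the search returned zero entries, and the final `ldap_bind` is attempted against an unrelated entry's DN, with the function reporting success for a username it never matched. Keep the candidate in a separate variable and only assign `$user` on a match, as below. Independently, a simple bind with an empty `$auth_password` is an unauthenticated bind that directories may accept, so reject it before any bind with `if ($auth_password === '') return FALSE;`. `ldap_search` can also return false, which `ldap_get_entries` would then fail on; check it before reading `$info['count']`.
```php
    $info = @ldap_get_entries($conn, $search);
    $user = NULL;
    for ($i = 0; $i < $info['count']; $i++) {
        $entry = $info[$i];
        if (!array_key_exists($uid, $entry))
            continue;
        if ($entry[$uid][0] === $auth_username) {
            $user = $entry;
            break;
        }
    }
    // … unchanged: NULL check and final user bind …
```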
@@ -0,0 +1,66 @@
+<?php /* Copyright (c) 2024 Freya Murphy */
+
+ini_set('html_errors', '1');
+
+$webroot = dirname(__FILE__);
+$publicroot = realpath(dirname(__FILE__) . '/../public');
+
+// load stuff
+require($webroot . '/helpers/ldap.php');
+require($webroot . '/helpers/auth.php');
+
+// start session
+session_set_cookie_params(
+ 60 * 60 * 24, // lifetime (seconds),
+ '/', // path
+ NULL, // domain,
+ TRUE, // secure,
+ TRUE // http only
+);
+session_start();
+
+function page($file, $data = array()) {
+ extract($data);
+ $webroot = $GLOBALS['webroot'];
+ require($webroot . '/views/header.php');
+ require($webroot . "/views/$file.php");
+ require($webroot . '/views/footer.php');
+}
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ parse_str(file_get_contents('php://input'), $post);
+ $res = ldap_auth($post['username'], $post['password']);
+ $msg = '';
+ $title = '';
+ if ($res) {
+ $msg = 'Authenticated. You can now go back to your content';
+ $title = 'Success';
+ key_new($post['username']);
+ } else {
+ $msg = 'Invalid Credentials';
+ $title = 'Error';
+ }
+ page('message', array(
+ 'title' => $title,
+ 'msg' => $msg
+ ));
+} else {
+ if (($user = key_auth())) {
+ http_response_code(200);
+ header("X-Webauth-User: $user");
+ die();
+ }
+
+ $host = $_SERVER['HTTP_HOST'];
+ $env = getenv("HTTP_HOST");
+ if ($host != $env) {
+ // we are being forwarded authed
+ // redirect
+ http_response_code(301);
+ header("Location: https://$env");
+ } else {
+ page('login', array(
+ 'title' => 'Login'
+ ));
+ }
+}
diff --git a/src/web/views/footer.php b/src/web/views/footer.php
new file mode 100644
index 0000000..eb7ee28
--- /dev/null
+++ b/src/web/views/footer.php
@@ -0,0 +1,4 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+ </main>
+ </body>
+</html>
diff --git a/src/web/views/header.php b/src/web/views/header.php
new file mode 100644
index 0000000..c0a0487
--- /dev/null
+++ b/src/web/views/header.php 
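Review bot: In the POST branch `$post['username']` and `$post['password']` are read without an `isset` check, so a request missing either field raises undefined-index warnings and hands null to `ldap_auth`; read them as `$username = $post['username'] ?? ''; $password = $post['password'] ?? '';` and render the error page when either is empty. The identity that `key_new` records, and that is later emitted verbatim as `X-Webauth-User`, is the submitted form value rather than the attribute value the directory matched, so the header carries whatever spelling the client typed; having `ldap_auth` return the matched uid (or null) and storing that would tie the asserted identity to the directory entry. The forward-auth redirect uses `301`, which browsers cache for that URL regardless of later session state; `302` is the conventional code for a redirect that depends on whether the caller is logged in. `session_set_cookie_params` could use its array form to also set `'samesite' => 'Lax'` alongside `secure` and `httponly`, and a short comment on the `$host != $env` branch explaining that a mismatching `Host` means the request arrived via the proxy's forward-auth hook would help the next reader.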
@@ -0,0 +1,13 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+<!DOCTYPE html>
+<html>
+ <head>
+ <link href="//fonts.googleapis.com/css?family=Open+Sans:300,400,600,700&subset=latin" rel="stylesheet">
+ <link rel="stylesheet" href="/public/main.css">
+ </head>
+ <body>
+ <main id="main" role="main">
+ <div class="heading">
+ <span><?=$title?></span>
+ </div>
+ <div class="content">
diff --git a/src/web/views/login.php b/src/web/views/login.php
new file mode 100644
index 0000000..98d69af
--- /dev/null
+++ b/src/web/views/login.php
@@ -0,0 +1,22 @@
+<?php /* Copyright (c) 2024 Freya Murphy */ ?>
+<form method="post">
+<label for="username">Username</label>
+<input
+ type="text"
+ id="username"
+ name="username"
+ autofocus="true"
+>
+<label fot="password">Password</label>
+<input
+ type="password"
+ id="password"
+ name="password"
+>
+<input
+ type="submit"
+ role="button"
+ id="submit"
+ value="Sign In"
+>
+<form>
diff --git a/src/web/views/message.php b/src/web/views/message.php
new file mode 100644
index 0000000..a071409
--- /dev/null
+++ b/src/web/views/message.php
@@ -0,0 +1 @@
+<center><?=$msg?></center> |
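Review bot: `<?=$title?>` in header.php, and likewise `<?=$msg?>` in message.php, echo a variable into HTML without escaping; both values are literal strings set in index.php today, but a view should escape at the point of output so the contract does not silently change when a caller later passes request-derived text, `<span><?= htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?></span>` and the same for `$msg`. The `<center>` element in message.php is obsolete in HTML5; a `<p class="message">` styled from main.css carries the same content.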
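Review bot: The login form is never closed: the last line of login.php is `<form>` where `</form>` is meant, and the second label reads `<label fot="password">` instead of `<label for="password">`, so the password label is not associated with its input. `autofocus` is a boolean attribute, so `autofocus="true"` should be plain `autofocus`. The form also carries no session-bound anti-CSRF token in a hidden field, so the POST branch in index.php cannot tell a submission from this page apart from one originating elsewhere; adding the token here and checking it before `ldap_auth` is called would close that gap.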