/lib/Thruk/Controller/login.pm

http://github.com/sni/Thruk · Perl · 262 lines · 214 code · 33 blank · 15 comment · 48 complexity · eb890195f99aacca2d32e41520659e6f MD5 · raw file 

    

  1. package Thruk::Controller::login;
    2. 

  2. 

  3. use strict;
    4. 

  4. use warnings;
    5. 

  5. 

  6. =head1 NAME
    7. 

  7. 

  8. Thruk::Controller::login - Thruk Controller
    9. 

  9. 

  10. =head1 DESCRIPTION
    11. 

  11. 

  12. Thruk Controller.
    13. 

  13. 

  14. =head1 METHODS
    15. 

  15. 

  16. =head2 index
    17. 

  17. 

  18. =cut
    19. 

  19. sub index {
    20. 

  20.     my ( $c ) = @_;
    21. 

  21. 

  22.     $c->stats->profile(begin => "login::index");
    23. 

  23. 

  24.     if(!$c->config->{'login_modules_loaded'}) {
    25. 

  25.         require Thruk::Utils::CookieAuth;
    26. 

  26.         $c->config->{'login_modules_loaded'} = 1;
    27. 

  27.     }
    28. 

  28. 

  29.     $c->stash->{'navigation'}     = 'off'; # would be useless here, so set it non-empty, otherwise AddDefaults::end would read it again
    30. 

  30.     $c->stash->{'no_auto_reload'} = 1;
    31. 

  31.     $c->stash->{'theme'}          = $c->config->{'default_theme'} unless defined $c->stash->{'theme'};
    32. 

  32.     $c->stash->{'page'}           = 'splashpage';
    33. 

  33.     $c->stash->{'loginurl'}       = $c->stash->{'url_prefix'}."cgi-bin/login.cgi";
    34. 

  34.     $c->stash->{'template'}       = 'login.tt';
    35. 

  35.     $c->stash->{'title'}          = 'Login';
    36. 

  36.     my $product_prefix            = $c->config->{'product_prefix'};
    37. 

  37. 

  38.     my $cookie_path   = $c->stash->{'cookie_path'};
    39. 

  39.     my $cookie_domain = _get_cookie_domain($c);
    40. 

  40. 

  41.     my $keywords = $c->req->uri->query;
    42. 

  42.     my $logoutref;
    43. 

  43.     if($keywords and $keywords =~ m/^logout(\/.*)/mx) {
    44. 

  44.         $keywords = 'logout';
    45. 

  45.         $logoutref = $1;
    46. 

  46.     }
    47. 

  47.     if($c->req->url =~ m/\/\Q$product_prefix\E\/cgi\-bin\/login\.cgi\?logout(\/.*)/mx) {
    48. 

  48.         $keywords = 'logout';
    49. 

  49.         $logoutref = $1;
    50. 

  50.     }
    51. 

  51. 

  52.     my $login   = $c->req->parameters->{'login'}    || '';
    53. 

  53.     my $pass    = $c->req->parameters->{'password'} || '';
    54. 

  54.     my $submit  = $c->req->parameters->{'submit'}   || '';
    55. 

  55.     my $referer = $c->req->parameters->{'referer'}  || '';
    56. 

  56.     $referer    =~ s#^//#/#gmx;         # strip double slashes
    57. 

  57.     $referer    =~ s#.*/nocookie$##gmx; # strip nocookie
    58. 

  58.     $referer    = $c->stash->{'url_prefix'} unless $referer;
    59. 

  59.     # append slash for omd sites, IE and chrome wont send the login cookie otherwise
    60. 

  60.     if(($ENV{'OMD_SITE'} and $referer eq '/'.$ENV{'OMD_SITE'})
    61. 

  61.        or ($referer eq $c->stash->{'url_prefix'})) {
    62. 

  62.         $referer =~ s/\/*$//gmx;
    63. 

  63.         $referer = $referer.'/';
    64. 

  64.     }
    65. 

  65.     $referer =~ s/%3f/?/mx;
    66. 

  66.     # add trailing slash if referer ends with the product prefix and nothing else
    67. 

  67.     if($referer =~ m|\Q/$product_prefix\E$|mx) {
    68. 

  68.         $referer = $referer.'/';
    69. 

  69.     }
    70. 

    71. 

  71.     if(defined $keywords) {
    72. 

  72.         if($keywords eq 'logout') {
    73. 

  73.             _invalidate_current_session($c, $cookie_path);
    74. 

  74.             Thruk::Utils::set_message( $c, 'success_message', 'logout successful' );
    75. 

  75.             return $c->redirect_to($logoutref) if $logoutref;
    76. 

  76.             return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi");
    77. 

  77.         }
    78. 

    79. 

  79.         if($keywords eq 'nocookie') {
    80. 

  80.             my $hint = '';
    81. 

  81.             if($cookie_domain) {
    82. 

  82.                 $hint = ' (cookie domain is set to: '.$cookie_domain.')';
    83. 

  83.             }
    84. 

  84.             Thruk::Utils::set_message( $c, 'fail_message', 'login not possible without accepting cookies'.$hint );
    85. 

  85.         }
    86. 

  86.         if($keywords =~ /^expired\&(.*)$/mx or $keywords eq 'expired') {
    87. 

  87.             _invalidate_current_session($c, $cookie_path);
    88. 

  88.             Thruk::Utils::set_message( $c, 'fail_message', 'session has expired' );
    89. 

  89.         }
    90. 

  90.         if($keywords =~ /^invalid\&(.*)$/mx or $keywords eq 'invalid') {
    91. 

  91.             _invalidate_current_session($c, $cookie_path);
    92. 

  92.             Thruk::Utils::set_message( $c, 'fail_message', 'session is not valid (anymore)' );
    93. 

  93.         }
    94. 

  94.         if($keywords =~ /^problem\&(.*)$/mx or $keywords eq 'problem') {
    95. 

  95.             # don't remove all sessions when there is a (temporary) technical problem
    96. 

  96.             #_invalidate_current_session($c, $cookie_path);
    97. 

  97.             Thruk::Utils::set_message( $c, 'fail_message', 'technical problem during login, please have a look at the logfiles.' );
    98. 

  98.         }
    99. 

  99.         if($keywords =~ /^locked\&(.*)$/mx or $keywords eq 'locked') {
    100. 

  100.             _invalidate_current_session($c, $cookie_path);
    101. 

  101.             Thruk::Utils::set_message( $c, 'fail_message', 'account is locked, please contact an administrator' );
    102. 

  102.         }
    103. 

  103.         if($keywords =~ /^setsession\&(.*)$/mx or $keywords eq 'setsession') {
    104. 

  104.             $c->authenticate();
    105. 

  105.             return $c->redirect_to($referer) if $referer;
    106. 

  106.             return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi");
    107. 

  107.         }
    108. 

  108.     }
    109. 

    110. 

  110.     # make lowercase username
    111. 

  111.     $login      = lc($login) if $c->config->{'make_auth_user_lowercase'};
    112. 

    113. 

  113.     if($submit ne '' || $login ne '') {
    114. 

  114.         my $testcookie = $c->cookie('thruk_test');
    115. 

  115.         $c->cookie('thruk_test' => '', {
    116. 

  116.             expires => 0,
    117. 

  117.             path    => $cookie_path,
    118. 

  118.             domain  => $cookie_domain,
    119. 

  119.         });
    120. 

  120.         if(   (!defined $testcookie || !$testcookie->value)
    121. 

  121.            && (!defined $c->req->header('user-agent') || $c->req->header('user-agent') !~ m/wget/mix)) {
    122. 

  122.             return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi?nocookie");
    123. 

  123.         } else {
    124. 

  124.             my $userdata = Thruk::Utils::get_user_data($c, $login);
    125. 

  125.             if($userdata->{'login'}->{'locked'}) {
    126. 

  126.                 return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi?locked&".$referer);
    127. 

  127.             }
    128. 

    129. 

  129.             $c->stats->profile(begin => "login::external_authentication");
    130. 

  130.             my $success = Thruk::Utils::CookieAuth::external_authentication($c->config, $login, $pass, $c->req->address, $c->stats);
    131. 

  131.             $c->stats->profile(end => "login::external_authentication");
    132. 

  132.             if($success eq '-1') {
    133. 

  133.                 return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi?problem&".$referer);
    134. 

  134.             }
    135. 

  135.             elsif($success) {
    136. 

  136.                 $c->stash->{'remote_user'} = $login;
    137. 

  137.                 $c->cookie('thruk_auth' => $success, {
    138. 

  138.                     path     => $cookie_path,
    139. 

  139.                     domain   => $cookie_domain,
    140. 

  140.                     httponly => 1,
    141. 

  141.                 });
    142. 

    143. 

  143.                 # clean failed logins
    144. 

  144.                 my $userdata = Thruk::Utils::get_user_data($c, $login);
    145. 

  145.                 if($userdata->{'login'}) {
    146. 

  146.                     if($userdata->{'login'}->{'failed'}) {
    147. 

  147.                         Thruk::Utils::set_message( $c, 'warn_message',
    148. 

  148.                             sprintf("There had been %d failed login attempts. (Date: %s - IP: %s%s)",
    149. 

  149.                                         $userdata->{'login'}->{'failed'},
    150. 

  150.                                         Thruk::Utils::Filter::date_format($c, $userdata->{'login'}->{'last_failed'}->{'time'}),
    151. 

  151.                                         $userdata->{'login'}->{'last_failed'}->{'ip'},
    152. 

  152.                                         $userdata->{'login'}->{'last_failed'}->{'forwarded_for'} ? ' ('.$userdata->{'login'}->{'last_failed'}->{'forwarded_for'} : '',
    153. 

  153.                         ));
    154. 

  154.                     }
    155. 

  155.                     delete $userdata->{'login'};
    156. 

  156.                     Thruk::Utils::store_user_data($c, $userdata, $login);
    157. 

  157.                 }
    158. 

    159. 

  159.                 # call a script hook after successful login?
    160. 

  160.                 if($c->config->{'cookie_auth_login_hook'}) {
    161. 

  161.                     Thruk::Utils::IO::cmd($c, $c->config->{'cookie_auth_login_hook'}.' >/dev/null 2>&1 &');
    162. 

  162.                 }
    163. 

  163.                 return $c->redirect_to($referer);
    164. 

  164.             } else {
    165. 

  165.                 $c->log->info(sprintf("login failed for %s on %s from %s%s",
    166. 

  166.                                         $login,
    167. 

  167.                                         $referer,
    168. 

  168.                                         $c->req->address,
    169. 

  169.                                        ($c->env->{'HTTP_X_FORWARDED_FOR'} ? ' ('.$c->env->{'HTTP_X_FORWARDED_FOR'}.')' :''),
    170. 

  170.                               ));
    171. 

  171.                 Thruk::Utils::set_message( $c, 'fail_message', 'login failed' );
    172. 

  172.                 if($c->config->{cookie_auth_disable_after_failed_logins}) {
    173. 

  173.                     # increase failed login counter and disable account if it exceeds
    174. 

  174.                     my $userdata = Thruk::Utils::get_user_data($c, $login);
    175. 

  175.                     $userdata->{'login'}->{'failed'}++;
    176. 

  176.                     $userdata->{'login'}->{'last_failed'} = { time => time(), ip => $c->req->address, forwarded_for => $c->env->{'HTTP_X_FORWARDED_FOR'} };
    177. 

  177.                     if($userdata->{'login'}->{'failed'} >= $c->config->{cookie_auth_disable_after_failed_logins}) {
    178. 

  178.                         $userdata->{'login'}->{'locked'} = 1;
    179. 

  179.                     }
    180. 

    181. 

  181.                     # only update user data if already exist, otherwise we would end up with a new file for each failed login
    182. 

  182.                     my $file = $c->config->{'var_path'}."/users/".$login;
    183. 

  183.                     Thruk::Utils::store_user_data($c, $userdata, $login) if -s $file;
    184. 

    185. 

  185.                     if($userdata->{'login'}->{'locked'}) {
    186. 

  186.                         return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi?locked&".$referer);
    187. 

  187.                     }
    188. 

  188.                 }
    189. 

  189.                 return $c->redirect_to($c->stash->{'url_prefix'}."cgi-bin/login.cgi?".$referer);
    190. 

  190.             }
    191. 

  191.         }
    192. 

  192.     }
    193. 

    194. 

  194.     Thruk::Utils::ssi_include($c, 'login');
    195. 

    196. 

  196.     # set test cookie
    197. 

  197.     $c->cookie('thruk_test' => '****', {
    198. 

  198.         path    => $cookie_path,
    199. 

  199.         domain  => $cookie_domain,
    200. 

  200.     });
    201. 

  201.     if($c->config->{'cookie_auth_domain'} && $cookie_domain ne $c->config->{'cookie_auth_domain'}) {
    202. 

  202.         Thruk::Utils::set_message( $c, 'warn_message', 'using '.$cookie_domain.' instead of the configured cookie_auth_domain '.$c->config->{'cookie_auth_domain'});
    203. 

  203.     }
    204. 

  204.     $c->stash->{'cookie_domain'} = $cookie_domain;
    205. 

    206. 

  206.     $c->stats->profile(end => "login::index");
    207. 

    208. 

  208.     $c->res->code(401);
    209. 

    210. 

  210.     if(($keywords && $keywords =~ m|/thruk/r/|mx) || $c->want_json_response()) {
    211. 

  211.         # respond with json error for the rest api
    212. 

  212.         my $details = $c->stash->{'thruk_message_details'} || "no or invalid credentials used.";
    213. 

  213.         $details =~ s/^.*~~//mx;
    214. 

  214.         return $c->render(json => {
    215. 

  215.             failed      => Cpanel::JSON::XS::true,
    216. 

  216.             message     => $c->stash->{'thruk_message'} || "login required",
    217. 

  217.             details     => $details,
    218. 

  218.             description => "no or invalid credentials used.",
    219. 

  219.             code        => 401,
    220. 

  220.         });
    221. 

  221.     }
    222. 

    223. 

  223.     return 1;
    224. 

  224. }
    225. 

    226. 

  226. ##########################################################
    227. 

  227. sub _invalidate_current_session {
    228. 

  228.     my($c, $cookie_path) = @_;
    229. 

  229.     my $cookie = $c->cookie('thruk_auth');
    230. 

  230.     $c->cookie('thruk_auth' => '', {
    231. 

  231.         expires  => 0,
    232. 

  232.         path     => $cookie_path,
    233. 

  233.         domain   => _get_cookie_domain($c),
    234. 

  234.         httponly => 1,
    235. 

  235.     });
    236. 

  236.     if(defined $cookie and defined $cookie->value) {
    237. 

  237.         my $session_data = Thruk::Utils::CookieAuth::retrieve_session(config => $c->config, id => $cookie->value);
    238. 

  238.         if($session_data) {
    239. 

  239.             unlink($session_data->{'file'});
    240. 

  240.         }
    241. 

  241.     }
    242. 

  242.     return;
    243. 

  243. }
    244. 

    245. 

  245. ##########################################################
    246. 

  246. sub _get_cookie_domain {
    247. 

  247.     my($c) = @_;
    248. 

  248.     my $domain = $c->config->{'cookie_auth_domain'};
    249. 

  249.     return "" unless $domain;
    250. 

  250.     my $http_host = $c->req->env->{'HTTP_HOST'};
    251. 

  251.     # remove port
    252. 

  252.     $http_host =~ s/:\d+$//gmx;
    253. 

  253.     $domain =~ s/\.$//gmx;
    254. 

  254.     if($http_host !~ m/\Q$domain\E$/mx) {
    255. 

  255.         return($http_host);
    256. 

  256.     }
    257. 

  257.     return $domain;
    258. 

  258. }
    259. 

    260. 

  260. ##########################################################
    261. 

    262. 

  262. 1;
    263.