diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index c9f497b924..940317a2c6 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -50,17 +50,36 @@ class LoginController extends Controller \Session::put('backUrl', \URL::previous()); } - - function showLoginForm() + function showLoginForm(Request $request) { + $this->loginViaRemoteUser($request); if (Auth::check()) { return redirect()->intended('dashboard'); } + + if (Setting::getSettings()->login_common_disabled == "1") { + return view('errors.403'); + } + return view('auth.login'); } + private function loginViaRemoteUser(Request $request) + { + $remote_user = $request->server('REMOTE_USER'); + if (Setting::getSettings()->login_remote_user_enabled == "1" && isset($remote_user) && !empty($remote_user)) { + LOG::debug("Authenticatiing via REMOTE_USER."); + try { + $user = User::where('username', '=', $remote_user)->whereNull('deleted_at')->first(); + LOG::debug("Remote user auth lookup complete"); + if(!is_null($user)) Auth::login($user, true); + } catch(Exception $e) { + LOG::error("There was an error authenticating the Remote user: " . $e->getMessage()); + } + } + } - private function login_via_ldap(Request $request) + private function loginViaLdap(Request $request) { LOG::debug("Binding user to LDAP."); $ldap_user = Ldap::findAndBindUserLdap($request->input('username'), $request->input('password')); @@ -114,6 +133,10 @@ class LoginController extends Controller */ public function login(Request $request) { + if (Setting::getSettings()->login_common_disabled == "1") { + return view('errors.403'); + } + $validator = $this->validator(Input::all()); if ($validator->fails()) { 
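Review bot: In `loginViaRemoteUser`, `Auth::login($user, true)` issues a remember-me login for an identity that was only asserted by the web server, so the application session can outlive the upstream one. REMOTE_USER is also read only when the login form is shown, so an existing session is never re-checked against it. I would drop the remember flag, `if (!is_null($user)) Auth::login($user);`, and add a comment above the lookup such as `// REMOTE_USER is trusted as-is: it must be set by the web server's auth module, never derived from a client-supplied header`. The lookup filters only on `deleted_at`; if the User model has an activation flag (not visible in this hunk), it should be part of the query so that deactivated accounts cannot sign in this way. `catch(Exception $e)` catches anything only if `Exception` is imported or written as `\Exception` in this namespaced file, which the hunk does not show.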
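Review bot: The new guard at the top of `login()` returns `view('errors.403')`, which renders the error page with a 200 status; the same pattern is used in `showLoginForm()` in the previous hunk. `abort(403);` would send the real status, so clients and log monitoring do not record a refused login as a success. The guard also depends on `login_common_disabled` alone, so if remote-user login is switched off or not yet working, nobody can authenticate. Requiring `Setting::getSettings()->login_remote_user_enabled == "1"` in the same condition avoids that lockout. The body of `login()` continues outside the hunk.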
@@ -134,7 +157,7 @@ class LoginController extends Controller if (Setting::getSettings()->ldap_enabled=='1') { LOG::debug("LDAP is enabled."); try { - $user = $this->login_via_ldap($request); + $user = $this->loginViaLdap($request); Auth::login($user, true); // If the user was unable to login via LDAP, log the error and let them fall through to @@ -252,7 +275,15 @@ class LoginController extends Controller public function logout(Request $request) { $request->session()->forget('2fa_authed'); + Auth::logout(); + + $settings = Setting::getSettings(); + $customLogoutUrl = $settings->login_remote_user_custom_logout_url ; + if ($settings->login_remote_user_enabled == '1' && $customLogoutUrl != '') { + return redirect()->away($customLogoutUrl); + } + return redirect()->route('login')->with('success', 'You have successfully logged out!'); } diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php index 464246a969..8db991c3f5 100755 --- a/app/Http/Controllers/SettingsController.php +++ b/app/Http/Controllers/SettingsController.php @@ -485,6 +485,12 @@ class SettingsController extends Controller $setting->pwd_secure_min = (int) $request->input('pwd_secure_min'); $setting->pwd_secure_complexity = ''; + # remote user login + $setting->login_remote_user_enabled = (int)$request->input('login_remote_user_enabled'); + $setting->login_common_disabled= (int)$request->input('login_common_disabled'); + + $setting->login_remote_user_custom_logout_url = $request->input('login_remote_user_custom_logout_url'); + if ($request->has('pwd_secure_complexity')) { $setting->pwd_secure_complexity = implode('|', $request->input('pwd_secure_complexity')); } diff --git a/app/Models/Setting.php b/app/Models/Setting.php index 71dfbbaae3..4f82366808 100755 --- a/app/Models/Setting.php +++ b/app/Models/Setting.php 
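Review bot: In `logout()`, `redirect()->away($customLogoutUrl)` sends the browser to whatever string is stored in `login_remote_user_custom_logout_url`, and the rule this commit adds for that field in `app/Models/Setting.php` is only `'string|nullable'`. Validating it the way `custom_forgot_pass_url` is already validated, `'login_remote_user_custom_logout_url' => 'url|nullable'`, rejects values that are not URLs before they become the redirect target for every user who logs out. A short comment above the redirect, for example `// admin-configured URL of the external auth provider's logout endpoint`, would also make it clear that the off-site redirect is intentional.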
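Review bot: `login_remote_user_custom_logout_url` is stored straight from the request in the SettingsController hunk, but the migration in this commit creates the column as a non-nullable string with default `""`, while the model rule allows `nullable`. If a cleared form field reaches the controller as `null` (this depends on middleware not shown here), saving would violate the column constraint. Casting keeps the two in step: `$setting->login_remote_user_custom_logout_url = (string) $request->input('login_remote_user_custom_logout_url');`. The two flags are written independently, so this is also the place to refuse `login_common_disabled` when `login_remote_user_enabled` is not set. The enclosing method starts and ends outside the hunk.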
@@ -13,15 +13,15 @@ class Setting extends Model use ValidatingTrait; protected $rules = [ - "brand" => 'required|min:1|numeric', - "qr_text" => 'max:31|nullable', - "logo_img" => 'mimes:jpeg,bmp,png,gif', - "alert_email" => 'email_array|nullable', - "default_currency" => 'required', - "locale" => 'required', - "slack_endpoint" => 'url|required_with:slack_channel|nullable', - "slack_channel" => 'regex:/(? 'string|nullable', + 'brand' => 'required|min:1|numeric', + 'qr_text' => 'max:31|nullable', + 'logo_img' => 'mimes:jpeg,bmp,png,gif', + 'alert_email' => 'email_array|nullable', + 'default_currency' => 'required', + 'locale' => 'required', + 'slack_endpoint' => 'url|required_with:slack_channel|nullable', + 'slack_channel' => 'regex:/(? 'string|nullable', 'labels_per_page' => 'numeric', 'labels_width' => 'numeric', 'labels_height' => 'numeric', @@ -34,11 +34,14 @@ class Setting extends Model 'labels_fontsize' => 'numeric|min:5', 'labels_pagewidth' => 'numeric|nullable', 'labels_pageheight' => 'numeric|nullable', - "thumbnail_max_h" => 'numeric|max:500|min:25', - "pwd_secure_min" => "numeric|required|min:5", - "audit_warning_days" => "numeric|nullable", - "audit_interval" => "numeric|nullable", - "custom_forgot_pass_url" => "url|nullable", + 'login_remote_user_enabled' => 'numeric|nullable', + 'login_common_disabled' => 'numeric|nullable', + 'login_remote_user_custom_logout_url' => 'string|nullable', + 'thumbnail_max_h' => 'numeric|max:500|min:25', + 'pwd_secure_min' => 'numeric|required|min:5', + 'audit_warning_days' => 'numeric|nullable', + 'audit_interval' => 'numeric|nullable', + 'custom_forgot_pass_url' => 'url|nullable', ]; protected $fillable = ['site_name','email_domain','email_format','username_format']; diff --git a/database/migrations/2018_02_22_160436_add_remote_user_settings.php b/database/migrations/2018_02_22_160436_add_remote_user_settings.php new file mode 100644 index 0000000000..b0fae55e5d --- /dev/null 
+++ b/database/migrations/2018_02_22_160436_add_remote_user_settings.php @@ -0,0 +1,34 @@ +boolean('login_remote_user_enabled')->default(0); + $table->boolean('login_common_disabled')->default(0); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::table('settings', function (Blueprint $table) { + $table->dropColumn('login_remote_user_enabled'); + $table->dropColumn('login_common_disabled'); + }); + } +} diff --git a/database/migrations/2018_03_01_173800_add_custom_logout_url.php b/database/migrations/2018_03_01_173800_add_custom_logout_url.php new file mode 100644 index 0000000000..67de6f3ff1 --- /dev/null +++ b/database/migrations/2018_03_01_173800_add_custom_logout_url.php @@ -0,0 +1,32 @@ +string('login_remote_user_custom_logout_url')->default(""); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::table('settings', function (Blueprint $table) { + $table->dropColumn('login_remote_user_custom_logout_url'); + }); + } +} diff --git a/resources/lang/en/admin/settings/general.php b/resources/lang/en/admin/settings/general.php index 2539aee7d3..f19671cf6f 100644 --- a/resources/lang/en/admin/settings/general.php +++ b/resources/lang/en/admin/settings/general.php 
@@ -78,6 +78,13 @@ return array( 'load_remote_help_text' => 'This Snipe-IT install can load scripts from the outside world.', 'login_note' => 'Login Note', 'login_note_help' => 'Optionally include a few sentences on your login screen, for example to assist people who have found a lost or stolen device. This field accepts Github flavored markdown', + 'login_remote_user_text' => 'Remote User login options', + 'login_remote_user_enabled_text' => 'Enable Login with Remote User Header', + 'login_remote_user_enabled_help' => 'This option enables Authentication via the REMOTE_USER header according to the "Common Gateway Interface (rfc3875)"', + 'login_common_disabled_text' => 'Disable other authentication mechanisms', + 'login_common_disabled_help' => 'This option disables other authentication mechanisms. Just enable this option if you are sure that your REMOTE_USER login is already working', + 'login_remote_user_custom_logout_url_text' => 'Custom logout URL', + 'login_remote_user_custom_logout_url_help' => 'If filled users will get redirected to this URL after the Session of SnipeIT is closed (Logout). This is usefull to close the user sessions of your Authenticationprovider correctly.', 'logo' => 'Logo', 'full_multiple_companies_support_help_text' => 'Restricting users (including admins) assigned to companies to their company\'s assets.', 'full_multiple_companies_support_text' => 'Full Multiple Companies Support', diff --git a/resources/views/settings/security.blade.php b/resources/views/settings/security.blade.php index a7d2b65ac8..cad9419eea 100644 --- a/resources/views/settings/security.blade.php +++ b/resources/views/settings/security.blade.php @@ -35,6 +35,38 @@
+ +
+
+ {{ Form::label('login_remote_user', trans('admin/settings/general.login_remote_user_text')) }} +
+
+ + {{ Form::checkbox('login_remote_user_enabled', '1', Input::old('login_remote_user_enabled', $setting->login_remote_user_enabled),array('class' => 'minimal')) }} + {{ Form::label('login_remote_user_enabled', trans('admin/settings/general.login_remote_user_enabled_text')) }} + {!! $errors->first('login_remote_user_enabled', ':message') !!} +

+ {{ trans('admin/settings/general.login_remote_user_enabled_help') }} +

+ + {{ Form::label('login_remote_user_custom_logout_url', trans('admin/settings/general.login_remote_user_custom_logout_url_text')) }} + {{ Form::text('login_remote_user_custom_logout_url', Input::old('login_remote_user_custom_logout_url', $setting->login_remote_user_custom_logout_url),array('class' => 'form-control')) }} + + {!! $errors->first('login_remote_user_custom_logout_url', ':message') !!} +

+ {{ trans('admin/settings/general.login_remote_user_custom_logout_url_help') }} +

+ + {{ Form::checkbox('login_common_disabled', '1', Input::old('login_common_disabled', $setting->login_common_disabled),array('class' => 'minimal')) }} + {{ Form::label('login_common_disabled', trans('admin/settings/general.login_common_disabled_text')) }} + {!! $errors->first('login_common_disabled', ':message') !!} +

+ {{ trans('admin/settings/general.login_common_disabled_help') }} +

+
+
+ +