PrivacyIdeaUtils: Implement own version of getAuthToken() with check …

…if serviceAccount is admin. Fixes: #82 Upstream bug: privacyidea/php-client#44
gosa-project · Nov 27, 2023 · 581504b · 581504b
1 parent e23ec7e
commit 581504b
Showing 1 changed file with 72 additions and 1 deletion.
diff --git a/personal/privacyidea/class_PrivacyIdeaUtils.inc b/personal/privacyidea/class_PrivacyIdeaUtils.inc
@@ -85,6 +85,75 @@ class PrivacyIdeaUtils implements PILog
         echo "<br><br>";
     }
 
+    /**
+     * Find key recursivly in array (Adapted from GOsa core)
+     *
+     * @param array $haystack the array which will be searched
+     * @param string $needle search string
+     * @return mixed result of key search
+     */
+    public function findRecursive($haystack, $needle): mixed
+    {
+        assert(is_array($haystack));
+        assert(is_string($needle));
+
+        $iterator = new RecursiveArrayIterator($haystack);
+        $recursive = new RecursiveIteratorIterator(
+            $iterator,
+            RecursiveIteratorIterator::SELF_FIRST
+        );
+        foreach ($recursive as $key => $value) {
+            if ($key === $needle) {
+                return $value;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * This function was adapted from privacyidea-php-client.
+     * This implementation checks if serviceAccount is an admin.
+     *
+     * Retrieves an auth token from the server using the service account.
+     * An auth token is required for some requests to privacyIDEA.
+     *
+     * @return string the auth token or empty string if the response did not
+     *                contain a token or no service account is configured.
+     * @throws PIBadRequestException if an error occurs during the request
+     */
+    public function getAuthToken()
+    {
+        if (!$this->pi->serviceAccountAvailable()) {
+            $this->pi->errorLog("Cannot retrieve auth token without service account!");
+            return "";
+        }
+
+        $params = array(
+            "username" => $this->pi->serviceAccountName,
+            "password" => $this->pi->serviceAccountPass
+        );
+
+        if ($this->pi->serviceAccountRealm != null && $this->pi->serviceAccountRealm != "") {
+            $params["realm"] = $this->pi->serviceAccountRealm;
+        }
+
+        $response = json_decode($this->pi->sendRequest($params, array(''), 'POST', '/auth'), true);
+
+        if (isset($response['result']['value']['token']) && !empty($response['result']['value']['token'])) {
+            // Ensure we have an admin account
+            if ($this->findRecursive((array)$response, "role") != 'admin') {
+                $this->pi->debugLog("auth token was of a user without admin role.");
+                return "";
+            }
+
+            return $response['result']['value']["token"];
+        }
+
+        $this->pi->debugLog("/auth response did not contain a auth token.");
+        return "";
+    }
+
     /**
      * Requests a authentication token which will be stored in $this->authToken if successful.
      * @return bool Indicates if authentication was successful.
@@ -101,7 +170,9 @@ class PrivacyIdeaUtils implements PILog
 
         $retString = "";
         try {
-            $retString = $this->pi->getAuthToken();
+            // TODO: Use privacyidea-php-client's implementation instead of our own, if they fixed check if
+            // serviceAccount is admin upstream.
+            $retString = $this->getAuthToken();
         } catch (PIBadRequestException $e) {
             msg_dialog::display(
                 _("Internal error"),