getAuthToken(): Check if serviceAccount is admin. #44

Closed
dzatoah opened this issue Nov 27, 2023 · 0 comments · Fixed by #49

dzatoah commented Nov 27, 2023

    /**
     * Find key recursively in array (adapted from GOsa core).
     *
     * Walks the nested array depth-first (parents before children) and
     * returns the value of the first key identical (===) to $needle, so an
     * integer key never matches a string needle. A missing key and a key
     * whose value is literally false are indistinguishable to the caller.
     *
     * Note: assert() is a no-op when zend.assertions=-1 (the production
     * default), so these checks do not replace type declarations.
     *
     * @param array $haystack the array which will be searched
     * @param string $needle search string
     * @return mixed value of the first matching key, or false if none matches
     */
    public function findRecursive($haystack, $needle): mixed
    {
        assert(is_array($haystack));
        assert(is_string($needle));

        $iterator = new RecursiveArrayIterator($haystack);
        $recursive = new RecursiveIteratorIterator(
            $iterator,
            RecursiveIteratorIterator::SELF_FIRST
        );
        foreach ($recursive as $key => $value) {
            if ($key === $needle) {
                return $value;
            }
        }

        return false;
    }

    /**
     * This function was adapted from privacyidea-php-client.
     * This implementation checks if the serviceAccount is an admin.
     *
     * Retrieves an auth token from the server using the service account.
     * An auth token is required for some requests to privacyIDEA.
     *
     * @return string the auth token, or an empty string if no service account
     *                is configured, the response did not contain a token, or
     *                the token belongs to an account without the admin role.
     * @throws PIBadRequestException if an error occurs during the request
     */
    public function getAuthToken()
    {
        if (!$this->pi->serviceAccountAvailable()) {
            $this->pi->errorLog("Cannot retrieve auth token without service account!");
            return "";
        }

        $params = array(
            "username" => $this->pi->serviceAccountName,
            "password" => $this->pi->serviceAccountPass
        );

        if ($this->pi->serviceAccountRealm != null && $this->pi->serviceAccountRealm != "") {
            $params["realm"] = $this->pi->serviceAccountRealm;
        }

        // json_decode(..., true) yields a nested array, or null on invalid JSON;
        // the isset() below treats null as "no token".
        $response = json_decode($this->pi->sendRequest($params, array(''), 'POST', '/auth'), true);

        if (isset($response['result']['value']['token']) && !empty($response['result']['value']['token'])) {
            // Ensure we have an admin account: /auth also succeeds for plain
            // users, and their token would only fail later on admin endpoints.
            // Strict comparison, so a missing key (false), null or any other
            // role value rejects the token.
            if ($this->findRecursive((array)$response, "role") !== 'admin') {
                $this->pi->debugLog("auth token was of a user without admin role.");
                return "";
            }

            return $response['result']['value']["token"];
        }

        $this->pi->debugLog("/auth response did not contain an auth token.");
        return "";
    }

Check if the serviceAccount is of role admin. This fix/improvement comes from downstream.
https://github.com/gosa-project/gosa-plugins-privacyidea/
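The check described in the issue, reduced to a stand-alone script so it can be exercised against canned responses. This is an added example, not code from privacyidea/php-client or gosa-plugins-privacyidea; the helper name `extractAdminToken` is hypothetical, the JSON responses are constructed for the example, and it assumes the role is reported under `result.value` next to the token (where privacyIDEA's `/auth` response carries it), so it reads that path directly instead of searching the whole response for a `role` key.

```php
<?php
declare(strict_types=1);

/**
 * Extract the auth token from a decoded /auth response, but only when the
 * authenticated account has the admin role. Mirrors the contract of the
 * issue's getAuthToken(): "" means "no usable token".
 * (Hypothetical helper written for this example.)
 */
function extractAdminToken(?array $response): string
{
    // json_decode() returns null for invalid JSON; treat that as "no token".
    $value = $response['result']['value'] ?? null;
    if (!is_array($value)) {
        return "";
    }

    $token = $value['token'] ?? "";
    if (!is_string($token) || $token === "") {
        return "";
    }

    // Strict comparison: a missing key (null), "user", or any non-string
    // value rejects the token. Loose != would still accept nothing here,
    // but strict is the form that stays correct if the role type ever changes.
    if (($value['role'] ?? null) !== 'admin') {
        return "";
    }

    return $token;
}

// Constructed sample responses, not captured from a real privacyIDEA server.
// The token strings are placeholders.
$adminResponse = json_decode(
    '{"result":{"status":true,"value":{"role":"admin","token":"tok-admin-1","username":"svc"}}}',
    true
);
$userResponse = json_decode(
    '{"result":{"status":true,"value":{"role":"user","token":"tok-user-1","username":"alice"}}}',
    true
);
$noRoleResponse = json_decode(
    '{"result":{"status":true,"value":{"token":"tok-unknown-1","username":"bob"}}}',
    true
);
$failResponse = json_decode(
    '{"result":{"status":false,"error":{"message":"Wrong credentials"}}}',
    true
);
$garbage = json_decode('not json', true); // null

assert(extractAdminToken($adminResponse) === 'tok-admin-1');
assert(extractAdminToken($userResponse) === '');
assert(extractAdminToken($noRoleResponse) === '');
assert(extractAdminToken($failResponse) === '');
assert(extractAdminToken($garbage) === '');

echo "admin-role check behaves as expected\n";
```

Run it with `php -d zend.assertions=1 -d assert.exception=1 example.php`; with the production default `zend.assertions=-1` the `assert()` calls are compiled out and the script only prints the final line. The check is a configuration sanity check rather than an authorization control: the server already decided which role to issue, and a token for a non-admin service account would otherwise only surface later as a failure on admin-only endpoints.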

dzatoah added a commit to gosa-project/gosa-plugins-privacyidea that referenced this issue Nov 27, 2023
sunweaver pushed a commit to gosa-project/gosa-plugins-privacyidea that referenced this issue Nov 27, 2023
@lukasmatusiewicz lukasmatusiewicz self-assigned this Mar 4, 2024
@lukasmatusiewicz lukasmatusiewicz linked a pull request Mar 5, 2024 that will close this issue
dzatoah added a commit to gosa-project/gosa-plugins-privacyidea that referenced this issue Mar 6, 2024
…tAuthToken() with check if serviceAccount is admin).

Fixed in upstream via: privacyidea/php-client#44