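#!/usr/bin/php
<?php
/**
 * auth_test.php - exercise the configured LibreNMS authentication backend from the CLI.
 *
 * Prompts for a password (terminal echo disabled while it is typed), runs the
 * username/password pair through the active authorizer and prints the resulting
 * user record (credential fields removed), group list and roles. For Active
 * Directory it additionally reports whether the configured bind user (or an
 * anonymous bind) can bind, because the API and alerting depend on that.
 *
 * Exit status: 0 when authentication succeeded, 1 on usage error, SELinux
 * block, authentication failure or an exception from the backend.
 */
use Illuminate\Support\Str;
use LibreNMS\Authentication\LegacyAuth;
use LibreNMS\Config;
use LibreNMS\Util\Debug;

// getopt also accepts -r and -l; neither has any behaviour in this script apart
// from -l relaxing the usage check below (kept unchanged for compatibility).
$options = getopt('u:rldvh');

if (isset($options['h']) || (! isset($options['l']) && ! isset($options['u']))) {
    echo ' -u <username> (Required) username to test
 -d Enable debug output
 -v Enable verbose debug output
 -h Display this help message
';
    // explicit help request is not an error; a missing username is
    exit(isset($options['h']) ? 0 : 1);
}

$init_modules = [];
require realpath(__DIR__ . '/..') . '/includes/init.php';

if (isset($options['d'])) {
    Debug::set();
}

if (isset($options['v'])) {
    // Enable debug mode for auth methods that have it
    Config::set('auth_ad_debug', 1);
    Config::set('auth_ldap_debug', 1);
}

$auth_mechanism = Config::get('auth_mechanism');
echo 'Authentication Method: ' . $auth_mechanism . PHP_EOL;

// LDAP-like backends need SELinux to allow the web server to reach the directory;
// on an enforcing host without the boolean, failures look like bad credentials.
if ($auth_mechanism === 'ldap' || $auth_mechanism === 'active_directory') {
    // shell_exec() yields null when getenforce is absent (no SELinux); treat that as not enforcing
    $enforce = (string) shell_exec('getenforce 2>/dev/null');
    if (Str::contains($enforce, 'Enforcing')) {
        $output = (string) shell_exec('getsebool httpd_can_connect_ldap 2>/dev/null');
        // compare without the trailing newline so the check does not depend on exact output framing
        if (trim($output) !== 'httpd_can_connect_ldap --> on') {
            print_error('You need to run: setsebool -P httpd_can_connect_ldap=1');
            exit(1);
        }
    }
}

$exit_code = 1;

try {
    $authorizer = LegacyAuth::get();

    // ldap based auth we should bind before using, otherwise searches may fail due to anonymous bind
    if (method_exists($authorizer, 'bind')) {
        $authorizer->bind([]);
    }

    // AD bind tests: peek inside the class so the real LDAP error can be shown on failure.
    // $lc_rp stays null for every other backend and is reused for the auth-failure report below.
    $lc_rp = null;
    if ($authorizer instanceof \LibreNMS\Authentication\ActiveDirectoryAuthorizer) {
        $lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
        $lc_rp->setAccessible(true);
        $adbind_rm = new ReflectionMethod($authorizer, 'bind');
        $adbind_rm->setAccessible(true);

        if (Config::has('auth_ad_binduser') && Config::has('auth_ad_bindpassword')) {
            $bind_success = $adbind_rm->invoke($authorizer, false, true);
            if ($bind_success) {
                print_message('AD bind success');
            } else {
                $ldap_error = ldap_error($lc_rp->getValue($authorizer));
                echo $ldap_error . PHP_EOL;
                if ($ldap_error === 'Invalid credentials') {
                    print_error('AD bind failed for user ' . Config::get('auth_ad_binduser') . '@' . Config::get('auth_ad_domain') .
                        '. Check \'auth_ad_binduser\' and \'auth_ad_bindpassword\' in your config');
                }
            }
        } else {
            $bind_success = $adbind_rm->invoke($authorizer, true, true);
            if ($bind_success) {
                print_message('AD bind anonymous successful');
            } else {
                echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL;
                print_message('Could not anonymous bind to AD');
            }
        }

        if (! $bind_success) {
            print_error('Could not bind to AD, you will not be able to use the API or alert AD users');
        }
    }

    // -l alone passes the usage check above, but this script has no list mode,
    // so a username is still required here instead of reading an undefined index.
    if (! isset($options['u']) || $options['u'] === '') {
        print_error('-u <username> is required');
        exit(1);
    }
    $test_username = $options['u'];

    // Read the password with terminal echo off so it does not end up in the scrollback;
    // echo is restored right after the read whatever happens.
    echo 'Password: ';
    shell_exec('stty -echo');
    try {
        $line = fgets(STDIN);
    } finally {
        shell_exec('stty echo');
        echo PHP_EOL;
    }
    // Strip only the line terminator: trim() would also drop leading/trailing
    // spaces that may legitimately be part of the password under test.
    $test_password = $line === false ? '' : rtrim($line, "\r\n");

    echo "Authenticate user $test_username: \n";
    $auth = $authorizer->authenticate(['username' => $test_username, 'password' => $test_password]);
    unset($test_password); // do not keep the secret around longer than needed

    if ($auth) {
        print_message("AUTH SUCCESS\n");
        $exit_code = 0;
    } else {
        // Surface the backend's own error where the connection is reachable (AD, via reflection above)
        if ($lc_rp !== null) {
            $connection = $lc_rp->getValue($authorizer);
            if ($connection) {
                echo ldap_error($connection) . PHP_EOL;
            }
        }
        print_error('AUTH FAILURE');
    }

    if ($auth) {
        $user_id = $authorizer->getUserid($test_username);
        echo "User ($user_id):\n";
        if (method_exists($authorizer, 'getUser')) {
            $user = $authorizer->getUser($user_id);
            // never print credential material, even in a diagnostic dump
            unset($user['password'], $user['remember_token']);
            foreach ($user as $property => $value) {
                // nested values would otherwise raise "Array to string conversion"
                $printable = (is_scalar($value) || $value === null) ? $value : json_encode($value);
                echo " $property => $printable\n";
            }
        }
        if (method_exists($authorizer, 'getGroupList')) {
            echo 'Groups: ' . implode('; ', $authorizer->getGroupList()) . PHP_EOL;
        }
        if (method_exists($authorizer, 'getRoles')) {
            echo 'Roles: ' . implode('; ', $authorizer->getRoles($test_username)) . PHP_EOL;
        }
    }
} catch (Exception $e) {
    echo 'Error: ' . get_class($e) . " thrown!\n";
    echo $e->getMessage() . PHP_EOL;
}

exit($exit_code);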