initial commit; version 22.5.12042

html/includes/authentication/cas.inc.php

@@ -0,0 +1,123 @@
+<?php
+
+/**
+ * Observium
+ *
+ *   This file is part of Observium.
+ *
+ * @package    observium
+ * @subpackage authentication
+ * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
+ *
+ */
+
+/**
+
+CAS authentication support.
+Uses mysql (same schema as mysql module) for authorization but CAS for authentication.
+Requires phpCAS https://wiki.jasig.org/display/casc/phpcas
+New configuration settings:
+
+auth_cas_host
+auth_cas_port
+auth_cas_context
+auth_cas_ca_cert
+
+FIXME these should go into defaults and sql-config!
+*/
+
+require_once('CAS.php');
+
+phpCAS::client(CAS_VERSION_2_0, $config['auth_cas_host'], $config['auth_cas_port'], $config['auth_cas_context']);
+phpCAS::setCasServerCACert($config['auth_cas_ca_cert']);
+phpCAS::handleLogoutRequests(false);
+phpCAS::forceAuthentication();
+
+if (phpCAS::getUser())
+{
+  session_set_var('username', phpCAS::getUser());
+}
+
+/**
+ * Check username against CAS authentication backend. User needs to exist in MySQL to be able to log in.
+ *
+ * @param string $username User name to check
+ * @param string $password User password to check
+ * @return int Authentication success (0 = fail, 1 = success) FIXME bool
+ */
+function cas_authenticate($username, $password)
+{
+  $row = dbFetchRow("SELECT `username`, `password` FROM `users` WHERE `username`= ?", array($username));
+  if ($row['username'] && $row['username'] == $username)
+  {
+    if ($username == phpCAS::getUser())
+    {
+      return 1;
+    }
+
+    dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'CAS: username does not match CAS user'), 'authlog');
+  } else {
+    dbInsert(array('user' => $_SESSION['username'], 'address' => $_SERVER["REMOTE_ADDR"], 'result' => 'CAS: NOT found in DB'), 'authlog');
+  }
+  //session_logout();
+  return 0;
+}
+
+/**
+ * Check if the backend allows users to log out.
+ * As the login is done outside our system, we don't allow users to log out.
+ *
+ * @return bool TRUE if logout is possible, FALSE if it is not
+ */
+function cas_auth_can_logout()
+{
+  return FALSE;
+}
+
+/**
+ * Check if the backend allows a specific user to change their password.
+ * This is not currently possible using the CAS backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if password change is possible, FALSE if it is not
+ */
+function cas_auth_can_change_password($username = "")
+{
+  return FALSE;
+}
+
+/**
+ * Check if the backend allows user management at all (create/delete/modify users).
+ * The CAS module requires users to exist in MySQL first, so we allow MySQL user management.
+ *
+ * @return bool TRUE if user management is possible, FALSE if it is not
+ */
+function cas_auth_usermanagement()
+{
+  return 1;
+}
+
+/**
+ * Adds a new user to the user backend.
+ *
+ * @param string $username User's username
+ * @param string $password User's password (plain text)
+ * @param int $level User's auth level
+ * @param string $email User's e-mail address
+ * @param string $realname User's real name
+ * @param bool $can_modify_passwd TRUE if user can modify their own password, FALSE if not
+ * @param string $description User's description
+ * @return bool TRUE if user addition is successful, FALSE if it is not
+ */
+function cas_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd='1', $description = "")
+{
+  if (!cas_auth_user_exists($username))
+  {
+    $hash = password_hash($password, PASSWORD_DEFAULT);
+    return dbInsert(array('username' => $username, 'password' => $hash, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');
+  } else {
+    return FALSE;
+  }
+}
+
+// EOF

html/includes/authentication/http-auth.inc.php

@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * Observium
+ *
+ *   This file is part of Observium.
+ *
+ * @package    observium
+ * @subpackage authentication
+ * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
+ *
+ */
+
+if (!$_SESSION['authenticated'] && !is_cli())
+{
+  if (isset($_SERVER['PHP_AUTH_USER']))
+  {
+    $username = $_SERVER['PHP_AUTH_USER'];
+    $password = $_SERVER['PHP_AUTH_PW'];
+  }
+  elseif (isset($_SERVER['HTTP_AUTHENTICATION']))
+  {
+    if (strpos(strtolower($_SERVER['HTTP_AUTHENTICATION']), 'basic') === 0) list($username, $password) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
+  }
+
+  if ($_SESSION['relogin'] || empty($username) || !mysql_authenticate($username, $password))
+  {
+    http_auth_require_login();
+  } else {
+    session_set_var('username', $username);
+    session_set_var('password', $password);
+  }
+}
+
+/**
+ * This function forces a login prompt via basic HTTP authentication by making the browser believe
+ * the authentication has failed. Required to log out a basic HTTP auth session.
+ */
+function http_auth_require_login()
+{
+  $realm = $GLOBALS['config']['login_message'];
+  header('WWW-Authenticate: Basic realm="' . $realm . '"');
+  header('HTTP/1.1 401 Unauthorized');
+
+  print_error_permission();
+
+  session_logout();
+  die();
+}
+
+// EOF

html/includes/authentication/mysql.inc.php

@@ -0,0 +1,223 @@
+<?php
+
+/**
+ * Observium
+ *
+ *   This file is part of Observium.
+ *
+ * @package    observium
+ * @subpackage authentication
+ * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
+ *
+ */
+
+/**
+ * Check username and password against MySQL authentication backend.
+ * Cut short if remote_user setting is on, as we assume the user has already authed against Apache.
+ *
+ * @param string $username User name to check
+ * @param string $password User password to check
+ * @return int Authentication success (0 = fail, 1 = success) FIXME bool
+ */
+function mysql_authenticate($username, $password)
+{
+  global $config;
+
+  $row = dbFetchRow("SELECT `username`, `password` FROM `users` WHERE `username` = ?", array($username));
+  if ($row['username'] && $row['username'] == $username)
+  {
+    if ($config['auth']['remote_user']) { return 1; }
+
+    if (str_starts($row['password'], '$1$'))
+    {
+      // Old MD5 hashes, need rehash/change passwords
+      if ($row['password'] == crypt($password, $row['password']))
+      {
+        // Rehash password
+        mysql_auth_change_password($username, $password);
+        return 1;
+      }
+    }
+    elseif (password_verify($password, $row['password']))
+    {
+      // New password hash verified
+      if (password_needs_rehash($row['password'], PASSWORD_DEFAULT))
+      {
+        // Required password rehash
+        //$hash = password_hash($password, PASSWORD_DEFAULT);
+        mysql_auth_change_password($username, $password);
+      }
+      return 1;
+    }
+  }
+
+  //session_logout();
+  return 0;
+}
+
+/**
+ * Check if the backend allows users to log out.
+ * We don't check for Apache authentication (remote_user) as this is done already before calling into this function.
+ *
+ * @return bool TRUE if logout is possible, FALSE if it is not
+ */
+function mysql_auth_can_logout()
+{
+  return TRUE;
+}
+
+/**
+ * Check if the backend allows a specific user to change their password.
+ * Default is yes, unless the existing user is explicitly prohibited to do so.
+ * Also, if user authed to Apache, we can't change his password.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if password change is possible, FALSE if it is not
+ */
+function mysql_auth_can_change_password($username = "")
+{
+  global $config;
+
+  if ((empty($username) || !mysql_auth_user_exists($username)) && !$config['auth']['remote_user'])
+  {
+    return TRUE;
+  } else {
+    return dbFetchCell("SELECT `can_modify_passwd` FROM `users` WHERE `username` = ?", array($username)); // FIXME should return BOOL
+  }
+}
+
+/**
+ * Changes a user's password.
+ *
+ * @param string $username Username to modify the password for
+ * @param string $password New password
+ * @return bool TRUE if password change is successful, FALSE if it is not
+ */
+function mysql_auth_change_password($username,$password)
+{
+  if (get_db_version() < 414) { return 0; } // Do not update if DB schema old, new hashes require longer field
+
+  // $hash = crypt($password, '$1$' . strgen(8).'$'); // This is old hash, do not used anymore (keep for history)
+  $hash = password_hash($password, PASSWORD_DEFAULT);
+  return dbUpdate(array('password' => $hash), 'users', '`username` = ?', array($username)); // FIXME should return BOOL
+}
+
+/**
+ * Check if the backend allows user management at all (create/delete/modify users).
+ *
+ * @return bool TRUE if user management is possible, FALSE if it is not
+ */
+function mysql_auth_usermanagement()
+{
+  return TRUE;
+}
+
+/**
+ * Adds a new user to the user backend.
+ *
+ * @param string $username User's username
+ * @param string $password User's password (plain text)
+ * @param int $level User's auth level
+ * @param string $email User's e-mail address
+ * @param string $realname User's real name
+ * @param bool $can_modify_passwd TRUE if user can modify their own password, FALSE if not
+ * @param string $description User's description
+ * @return bool TRUE if user addition is successful, FALSE if it is not
+ */
+function mysql_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd='1', $description = "")
+{
+  if (!mysql_auth_user_exists($username))
+  {
+    // $hash = crypt($password, '$1$' . strgen(8).'$'); // This is old hash, do not used anymore (keep for history)
+    $hash = password_hash($password, PASSWORD_DEFAULT);
+    return dbInsert(array('username' => $username, 'password' => $hash, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');
+  } else {
+    return FALSE;
+  }
+}
+
+/**
+ * Check if a user, specified by username, exists in the user backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if the user exists, FALSE if they do not
+ */
+function mysql_auth_user_exists($username)
+{
+  //return @dbFetchCell("SELECT COUNT(*) FROM `users` WHERE `username` = ?", array($username)); // FIXME should return BOOL
+  return dbExist('users', '`username` = ?', array($username));
+}
+
+/**
+ * Find the user's username by specifying their user ID.
+ *
+ * @param int $user_id The user's ID to look up the username for
+ * @return string The user's user name, or FALSE if the user ID is not found
+ */
+function mysql_auth_username_by_id($user_id)
+{
+  return dbFetchCell("SELECT `username` FROM `users` WHERE `user_id` = ?", array($user_id)); // FIXME should return FALSE if not found
+}
+  
+/**
+ * Retrieve user auth level for specified user.
+ *
+ * @param string $username Username to retrieve the auth level for
+ * @return int User's auth level
+ */
+function mysql_auth_user_level($username)
+{
+  return dbFetchCell("SELECT `level` FROM `users` WHERE `username` = ?", array($username));
+}
+
+/**
+ * Retrieve user id for specified user.
+ *
+ * @param string $username Username to retrieve the ID for
+ * @return int User's ID
+ */
+function mysql_auth_user_id($username)
+{
+  return dbFetchCell("SELECT `user_id` FROM `users` WHERE `username` = ?", array($username));
+}
+
+/**
+ * Deletes a user from the user database.
+ *
+ * @param string $username Username to delete
+ * @return bool TRUE if user deletion is successful, FALSE if it is not
+ */
+function mysql_deluser($username)
+{
+  $user_id = mysql_auth_user_id($username);
+
+  dbDelete('entity_permissions', "`user_id` = ? AND `auth_mechanism` = ?", [ $user_id, $GLOBALS['config']['auth_mechanism'] ]);
+  dbDelete('roles_users',        "`user_id` = ? AND `auth_mechanism` = ?", [ $user_id, $GLOBALS['config']['auth_mechanism'] ]);
+  dbDelete('users_prefs',        "`user_id` = ?", array($user_id));
+  dbDelete('users_ckeys',       "`username` = ?", array($username));
+
+  return dbDelete('users', "`username` =  ?", array($username)); // FIXME should return BOOL
+}
+
+/**
+ * Retrieve list of users with all details.
+ *
+ * @return array Rows of user data
+ */
+function mysql_auth_user_list()
+{
+  return dbFetchRows("SELECT * FROM `users`"); // FIXME hardcode list of returned fields as in all other backends; array content should not depend on db changes/column names.
+}
+
+/**
+ * Get the user information by username
+ *
+ * @param string $username Username
+ * @return string The user's user name, or FALSE if the user ID is not found
+ */
+function mysql_auth_user_info($username)
+{
+  return dbFetchRow("SELECT * FROM `users` WHERE `username` = ?", array($username));
+}
+
+// EOF

html/includes/authentication/radius.inc.php

@@ -0,0 +1,331 @@
+<?php
+
+/**
+ * Observium
+ *
+ *   This file is part of Observium.
+ *
+ * @package    observium
+ * @subpackage authentication
+ * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
+ *
+ */
+
+/**
+ * Initializes the RADIUS connection to the specified server(s). Cycles through all servers, throws error when no server can be reached.
+ * Private function for this RADIUS module only.
+ */
+function radius_init()
+{
+  global $rad, $config;
+
+  if (!is_resource($rad))
+  {
+    $success = 0;
+    $rad = radius_auth_open();
+
+    foreach ($config['auth_radius_server'] as $server)
+    {
+      if (radius_add_server($rad, $server, $config['auth_radius_port'], $config['auth_radius_secret'], $config['auth_radius_timeout'], $config['auth_radius_retries']))
+      {
+        $success = 1;
+      }
+    }
+
+    if (!$success)
+    {
+      print_error("Fatal error: Could not connect to configured RADIUS server(s).");
+      session_logout();
+      exit;
+    }
+  }
+}
+
+/**
+ * Check username and password against RADIUS authentication backend.
+ *
+ * @param string $username User name to check
+ * @param string $password User password to check
+ * @return int Authentication success (0 = fail, 1 = success) FIXME bool
+ */
+function radius_authenticate($username, $password)
+{
+  global $config, $rad;
+
+  radius_init();
+  if ($username && $rad)
+  {
+    //print_vars(radius_server_secret($rad));
+    radius_create_request($rad, RADIUS_ACCESS_REQUEST);
+
+    radius_put_attr($rad, RADIUS_USER_NAME, $username);
+    switch(strtolower($config['auth_radius_method']))
+    {
+      // CHAP-MD5 see RFC1994
+      case 'chap':
+      case 'chap_md5':
+        $chapid = 1;             // Specify a CHAP identifier
+        //$challenge = mt_rand(); // Generate a challenge
+        //$cresponse = md5(pack('Ca*', $chapid, $password.$challenge), TRUE);
+
+        new Crypt_CHAP(); // Pre load class
+        $crpt = new Crypt_CHAP_MD5();
+        $crpt->password = $password;
+        $challenge = $crpt->challenge;
+        $resp_md5  = $crpt->challengeResponse();
+        $resp      = pack('C', $chapid) . $resp_md5;
+        radius_put_attr($rad, RADIUS_CHAP_PASSWORD, $resp);       // Add the Chap-Password attribute
+        radius_put_attr($rad, RADIUS_CHAP_CHALLENGE, $challenge); // Add the Chap-Challenge attribute.
+        break;
+
+      // MS-CHAPv1 see RFC2433
+      case 'mschapv1':
+        $chapid = 1; // Specify a CHAP identifier
+        $flags  = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
+
+        new Crypt_CHAP(); // Pre load class
+        $crpt = new Crypt_CHAP_MSv1();
+        $crpt->password = $password;
+        $challenge = $crpt->challenge;
+        $resp_lm   = str_repeat("\0", 24);
+        $resp_nt   = $crpt->challengeResponse();
+        $resp = pack('CC', $chapid, $flags) . $resp_lm . $resp_nt;
+        radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_RESPONSE, $resp);
+        radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
+        break;
+
+      // MS-CHAPv2 see RFC2759
+      case 'mschapv2':
+        $chapid = 1; // Specify a CHAP identifier
+        $flags  = 1; // 0 = use LM-Response, 1 = use NT-Response (we not use old LM)
+
+        new Crypt_CHAP(); // Pre load class
+        $crpt = new Crypt_CHAP_MSv2();
+        $crpt->username = $username;
+        $crpt->password = $password;
+        $challenge   = $crpt->authChallenge;
+        $challenge_p = $crpt->peerChallenge;
+        $resp_nt   = $crpt->challengeResponse();
+
+        // Response: chapid, flags (1 = use NT Response), Peer challenge, reserved, Response
+        $resp = pack('CCa16a8a24', $chapid , $flags, $challenge_p, str_repeat("\0", 8), $resp_nt);
+        radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP2_RESPONSE, $resp);
+        radius_put_vendor_attr($rad, RADIUS_VENDOR_MICROSOFT, RADIUS_MICROSOFT_MS_CHAP_CHALLENGE, $challenge);
+        break;
+
+      // PAP (Plaintext)
+      default:
+        radius_put_attr($rad, RADIUS_USER_PASSWORD, $password);
+    }
+
+    // Puts standard attributes
+    $radius_ip = get_ip_version($config['auth_radius_nas_address']) ? $config['auth_radius_nas_address'] : $_SERVER['SERVER_ADDR'];
+    if (get_ip_version($radius_ip) == 6)
+    {
+      // FIXME, not sure that this work correctly
+      radius_put_attr($rad, RADIUS_NAS_IPV6_ADDRESS, $radius_ip);
+    } else {
+      radius_put_addr($rad, RADIUS_NAS_IP_ADDRESS, $radius_ip);
+    }
+    $radius_id = (empty($config['auth_radius_id']) ? get_localhost() : $config['auth_radius_id']);
+    radius_put_attr($rad, RADIUS_NAS_IDENTIFIER, $radius_id);
+    //radius_put_attr($rad, RADIUS_NAS_PORT_TYPE, RADIUS_VIRTUAL);
+    //radius_put_attr($rad, RADIUS_SERVICE_TYPE, RADIUS_FRAMED);
+    //radius_put_attr($rad, RADIUS_FRAMED_PROTOCOL, RADIUS_PPP);
+    radius_put_attr($rad, RADIUS_CALLING_STATION_ID, isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1');
+
+    $response = radius_send_request($rad);
+    //print_vars($response);
+    switch ($response)
+    {
+      case RADIUS_ACCESS_ACCEPT:
+        // An Access-Accept response to an Access-Request indicating that the RADIUS server authenticated the user successfully.
+        //echo 'Authentication successful';
+        return 1;
+        break;
+      case RADIUS_ACCESS_REJECT:
+        // An Access-Reject response to an Access-Request indicating that the RADIUS server could not authenticate the user.
+        //echo 'Authentication failed';
+        break;
+      case RADIUS_ACCESS_CHALLENGE:
+        // An Access-Challenge response to an Access-Request indicating that the RADIUS server requires further information
+        // in another Access-Request before authenticating the user.
+        //echo 'Challenge required';
+        break;
+      default:
+        print_error('A RADIUS error has occurred: ' . radius_strerror($rad));
+    }
+  }
+
+  //session_logout();
+  return 0;
+}
+
+/**
+ * Check if the backend allows a specific user to change their password.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if password change is possible, FALSE if it is not
+ */
+function radius_auth_can_change_password($username = "")
+{
+  return 0;
+}
+
+/**
+ * Changes a user's password.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @param string $username Username to modify the password for
+ * @param string $password New password
+ * @return bool TRUE if password change is successful, FALSE if it is not
+ */
+function radius_auth_change_password($username, $newpassword)
+{
+  # Not supported
+  return FALSE;
+}
+
+/**
+ * Check if the backend allows user management at all (create/delete/modify users).
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @return bool TRUE if user management is possible, FALSE if it is not
+ */
+function radius_auth_usermanagement()
+{
+  return 0;
+}
+
+/**
+ * Adds a new user to the user backend.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @param string $username User's username
+ * @param string $password User's password (plain text)
+ * @param int $level User's auth level
+ * @param string $email User's e-mail address
+ * @param string $realname User's real name
+ * @param bool $can_modify_passwd TRUE if user can modify their own password, FALSE if not
+ * @param string $description User's description
+ * @return bool TRUE if user addition is successful, FALSE if it is not
+ */
+function radius_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd = '1')
+{
+  // Not supported
+  return FALSE;
+}
+
+/**
+ * Check if a user, specified by username, exists in the user backend.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if the user exists, FALSE if they do not
+ */
+function radius_auth_user_exists($username)
+{
+  return FALSE;
+}
+
+/**
+ * Retrieve user auth level for specified user.
+ *
+ * @param string $username Username to retrieve the auth level for
+ * @return int User's auth level
+ */
+function radius_auth_user_level($username)
+{
+  global $config, $rad, $cache;
+
+  $rad_userlevel = 0;
+  if (isset($config['auth_radius_groups']))
+  {
+    // If groups set, try to search group attribute and set user level
+
+    if (!isset($cache['radius']['level'][$username]))
+    {
+      if ($config['auth_radius_groupmemberattr'] == 18 || strtolower($config['auth_radius_groupmemberattr']) == 'reply-message')
+      {
+        // Reply-Message (18)
+        $attribute = RADIUS_REPLY_MESSAGE;
+      } else {
+        // Filter-Id (11)
+        $attribute = RADIUS_FILTER_ID;
+      }
+
+      $rad_groups = array();
+      while ($rad_attr = radius_get_attr($rad))
+      {
+        if ($rad_attr['attr'] == $attribute)
+        {
+          $rad_groups[] = radius_cvt_string($rad_attr['data']);
+          //r($rad_attr);
+          //break;
+        }
+      }
+      //r($rad_groups);
+
+      foreach($rad_groups as $rad_group)
+      {
+        if (isset($config['auth_radius_groups'][$rad_group]) && $config['auth_radius_groups'][$rad_group]['level'] > $rad_userlevel)
+        {
+          $rad_userlevel = intval($config['auth_radius_groups'][$rad_group]['level']);
+        }
+      }
+      $cache['radius']['level'][$username] = $rad_userlevel;
+    } else {
+      $rad_userlevel = $cache['radius']['level'][$username];
+    }
+  } else {
+    // Old non-groups, by default always user level 10
+    if (strlen($username) > 0)
+    {
+      $rad_userlevel = 10;
+    }
+  }
+  //r($rad_userlevel);
+
+  return $rad_userlevel;
+}
+
+/**
+ * Retrieve user id for specified user.
+ * Returns a hash of the username.
+ *
+ * @param string $username Username to retrieve the ID for
+ * @return int User's ID
+ */
+function radius_auth_user_id($username)
+{
+  //return -1;
+  return string_to_id('radius|' . $username);
+}
+
+/**
+ * Deletes a user from the user database.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @param string $username Username to delete
+ * @return bool TRUE if user deletion is successful, FALSE if it is not
+ */
+function radius_deluser($username)
+{
+  // Not supported
+  return FALSE;
+}
+
+/**
+ * Retrieve list of users with all details.
+ * This is not currently possible using the RADIUS backend.
+ *
+ * @return array Rows of user data
+ */
+function radius_auth_user_list()
+{
+  $userlist = array();
+  return $userlist;
+}
+
+// EOF

html/includes/authentication/remote.inc.php

@@ -0,0 +1,180 @@
+<?php
+
+/**
+ * Observium
+ *
+ *   This file is part of Observium.
+ *
+ * This authentication method assumes that the user has already been authenticated by the web server,
+ * using the trusted specified variable (REMOTE_USER by default). It is important to configure the server
+ * such that this variable cannot be overridden by users.
+ *
+ * There is no local user storage and all users will be assumed to have the privilege level specified
+ * (which defaults to 1).
+ *
+ * A possible future improvement to this auth method would be to have the remote user automatically
+ * created in the mysql auth method upon login with a basic user level, but could later be edited and
+ * assigned higher privileges.
+ *
+ * Configuration variables:
+ *
+ * $config['auth_mechanism'] = "remote";
+ *   - Enables this authentication method
+ *
+ * $config['auth_remote_userlevel'] = 10;
+ *   - What userlevel to assign to users, defaults to 1. https://docs.observium.org/user_levels/
+ *
+ * $config['auth_remote_variable'] = 'REMOTE_USER';
+ *   - What server variable to to use, if unspecified then REMOTE_USER is assumed.
+ *
+ * $config['auth_remote_logout_url'] = 'http://blah';
+ *   - URL to redirect users when they click the logout button. If this is not specified, no logout button
+ *     will be available.
+ *
+ * @package    observium
+ * @subpackage authentication
+ * @copyright  (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
+ *
+ */
+
+if (!$_SESSION['authenticated'] && !is_cli())
+{
+  $var = isset($config['auth_remote_variable']) ? $config['auth_remote_variable']: 'REMOTE_USER';
+
+  if (isset($_SERVER[$var]) && !empty($_SERVER[$var]))
+  {
+    $username = $_SERVER[$var];
+    session_set_var('username', $username);
+    session_set_var('authenticated', true);
+  }
+  else {
+    header('HTTP/1.1 401 Unauthorized');
+
+    print_error_permission();
+    die();
+  }
+}
+
+/**
+ * Check if the backend allows users to log out.
+ *
+ * @return bool TRUE if logout is possible, FALSE if it is not
+ */
+function remote_auth_can_logout()
+{
+  global $config;
+  return isset($config['auth_remote_logout_url']);
+}
+
+/**
+ * Returns the URL to lgoout.
+ *
+ * @return string logout url
+ */
+function remote_auth_logout_url()
+{
+  global $config;
+  return isset($config['auth_remote_logout_url']) ? $config['auth_remote_logout_url'] : null;
+}
+
+/**
+ * Check if the backend allows a specific user to change their password.
+ * This is not possible using the remote backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if password change is possible, FALSE if it is not
+ */
+function remote_auth_can_change_password($username = "")
+{
+  return 0;
+}
+
+/**
+ * Changes a user's password.
+ * This is not possible using the remote backend.
+ *
+ * @param string $username Username to modify the password for
+ * @param string $password New password
+ * @return bool TRUE if password change is successful, FALSE if it is not
+ */
+function remote_auth_change_password($username, $newpassword)
+{
+  # Not supported
+  return FALSE;
+}
+
+/**
+ * Check if the backend allows user management at all (create/delete/modify users).
+ * This is not possible using the remote backend.
+ *
+ * @return bool TRUE if user management is possible, FALSE if it is not
+ */
+function remote_auth_usermanagement()
+{
+  return 0;
+}
+
+/**
+ * Check if a user, specified by username, exists in the user backend.
+ * This is not possible using the remote backend.
+ *
+ * @param string $username Username to check
+ * @return bool TRUE if the user exists, FALSE if they do not
+ */
+function remote_auth_user_exists($username)
+{
+  return FALSE;
+}
+
+/**
+ * Retrieve user auth level for specified user.
+ *
+ * @param string $username Username to retrieve the auth level for
+ * @return int User's auth level
+ */
+function remote_auth_user_level($username)
+{
+  global $config;
+
+  return isset($config['auth_remote_userlevel']) ? $config['auth_remote_userlevel'] : 1;
+}
+
+/**
+ * Retrieve user id for specified user.
+ * Returns a hash of the username.
+ *
+ * @param string $username Username to retrieve the ID for
+ * @return int User's ID
+ */
+function remote_auth_user_id($username)
+{
+  //return -1;
+  return string_to_id('remote|' . $username);
+}
+
+/**
+ * Deletes a user from the user database.
+ * This is not possible using the remote backend.
+ *
+ * @param string $username Username to delete
+ * @return bool TRUE if user deletion is successful, FALSE if it is not
+ */
+function remote_deluser($username)
+{
+  // Not supported
+  return FALSE;
+}
+
+/**
+ * Retrieve list of users with all details.
+ * This is not possible using the remote backend.
+ *
+ * @return array Rows of user data
+ */
+function remote_auth_user_list()
+{
+  $userlist = array();
+  return $userlist;
+}
+
+// EOF