Add tailscale auth
This commit is contained in:
parent
97dbeb6a1c
commit
e469e14ae1
@ -183,6 +183,28 @@ Configure::write('Security.salt', 'uiPxR3MzVXAID5zucbxLdxP4TX33buPoCWZr4JfroGoaE
|
||||||
Configure::write('Acl.classname', 'DbAcl');
|
Configure::write('Acl.classname', 'DbAcl');
|
||||||
Configure::write('Acl.database', 'default');
|
Configure::write('Acl.database', 'default');
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Tailscale Authentication Configuration
|
||||||
|
*
|
||||||
|
* Enable Tailscale HTTP header authentication support
|
||||||
|
* When enabled, the system will check for Tailscale authentication headers
|
||||||
|
* before falling back to HTTP Basic Auth
|
||||||
|
*/
|
||||||
|
Configure::write('Tailscale.enabled', true);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Auto-create users from Tailscale authentication
|
||||||
|
* When enabled, users authenticated via Tailscale headers will be
|
||||||
|
* automatically created if they don't exist in the database
|
||||||
|
*/
|
||||||
|
Configure::write('Tailscale.autoCreateUsers', false);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Default access level for auto-created Tailscale users
|
||||||
|
* Options: 'user', 'manager', 'admin'
|
||||||
|
*/
|
||||||
|
Configure::write('Tailscale.defaultAccessLevel', 'user');
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
||||||
|
|
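Review bot: `Configure::write('Tailscale.enabled', true);` switches header-based authentication on by default, while nothing in this block records that the Tailscale user headers read in AppController are only trustworthy when every request reaches the app through a Tailscale proxy that sets them; a client connecting directly can supply the same headers itself. Default it off, `Configure::write('Tailscale.enabled', false);`, and extend the block comment with a line such as `* Only enable when the app is reachable solely through a Tailscale proxy that sets these headers; clients that connect directly can forge them.` The `defaultAccessLevel` comment should likewise warn that `'admin'` is not a safe choice for accounts created automatically from a header. Separately, the hunk header shows a `Security.salt` value checked into this file; that predates this commit, but it belongs in an untracked local config rather than the repository.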
@ -10,8 +10,66 @@ class AppController extends Controller {
|
||||||
var $helpers = array('Javascript', 'Time', 'Html', 'Form');
|
var $helpers = array('Javascript', 'Time', 'Html', 'Form');
|
||||||
function beforeFilter() {
|
function beforeFilter() {
|
||||||
|
|
||||||
// Find the user that matches the HTTP basic auth user
|
$user = null;
|
||||||
$user = $this->User->find('first', array('recursive' => 0, 'conditions' => array('User.username'=>$_SERVER["PHP_AUTH_USER"])));
|
|
||||||
|
// Check if Tailscale authentication is enabled
|
||||||
|
if (Configure::read('Tailscale.enabled')) {
|
||||||
|
// Check for Tailscale authentication headers
|
||||||
|
$tailscaleLogin = isset($_SERVER['HTTP_TAILSCALE_USER_LOGIN']) ? $_SERVER['HTTP_TAILSCALE_USER_LOGIN'] : null;
|
||||||
|
$tailscaleName = isset($_SERVER['HTTP_TAILSCALE_USER_NAME']) ? $_SERVER['HTTP_TAILSCALE_USER_NAME'] : null;
|
||||||
|
|
||||||
|
if ($tailscaleLogin) {
|
||||||
|
// Try to find user by email address from Tailscale header
|
||||||
|
$user = $this->User->find('first', array(
|
||||||
|
'recursive' => 0,
|
||||||
|
'conditions' => array('User.email' => $tailscaleLogin)
|
||||||
|
));
|
||||||
|
|
||||||
|
// If user not found and auto-creation is enabled, create a new user
|
||||||
|
if (!$user && Configure::read('Tailscale.autoCreateUsers')) {
|
||||||
|
// Parse the name
|
||||||
|
$firstName = '';
|
||||||
|
$lastName = '';
|
||||||
|
if ($tailscaleName) {
|
||||||
|
$nameParts = explode(' ', $tailscaleName);
|
||||||
|
$firstName = $nameParts[0];
|
||||||
|
if (count($nameParts) > 1) {
|
||||||
|
array_shift($nameParts);
|
||||||
|
$lastName = implode(' ', $nameParts);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$userData = array(
|
||||||
|
'User' => array(
|
||||||
|
'email' => $tailscaleLogin,
|
||||||
|
'username' => $tailscaleLogin,
|
||||||
|
'first_name' => $firstName,
|
||||||
|
'last_name' => $lastName,
|
||||||
|
'type' => 'user',
|
||||||
|
'access_level' => Configure::read('Tailscale.defaultAccessLevel'),
|
||||||
|
'enabled' => 1,
|
||||||
|
'by_vault' => 0
|
||||||
|
)
|
||||||
|
);
|
||||||
|
$this->User->create();
|
||||||
|
if ($this->User->save($userData)) {
|
||||||
|
$user = $this->User->find('first', array(
|
||||||
|
'recursive' => 0,
|
||||||
|
'conditions' => array('User.id' => $this->User->id)
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fall back to HTTP basic auth if no Tailscale auth or user not found
|
||||||
|
if (!$user && isset($_SERVER["PHP_AUTH_USER"])) {
|
||||||
|
$user = $this->User->find('first', array(
|
||||||
|
'recursive' => 0,
|
||||||
|
'conditions' => array('User.username' => $_SERVER["PHP_AUTH_USER"])
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
$this->set("currentuser", $user);
|
$this->set("currentuser", $user);
|
||||||
|
|
||||||
if($this->RequestHandler->isAjax()) {
|
if($this->RequestHandler->isAjax()) {
|
||||||
|
|
@ -52,7 +110,29 @@ class AppController extends Controller {
|
||||||
* @return array - the currently logged in user.
|
* @return array - the currently logged in user.
|
||||||
*/
|
*/
|
||||||
function getCurrentUser() {
|
function getCurrentUser() {
|
||||||
$user = $this->User->find('first', array('recursive' => 0, 'conditions' => array('User.username'=>$_SERVER["PHP_AUTH_USER"])));
|
$user = null;
|
||||||
|
|
||||||
|
// Check if Tailscale authentication is enabled
|
||||||
|
if (Configure::read('Tailscale.enabled')) {
|
||||||
|
$tailscaleLogin = isset($_SERVER['HTTP_TAILSCALE_USER_LOGIN']) ? $_SERVER['HTTP_TAILSCALE_USER_LOGIN'] : null;
|
||||||
|
|
||||||
|
if ($tailscaleLogin) {
|
||||||
|
// Try to find user by email address from Tailscale header
|
||||||
|
$user = $this->User->find('first', array(
|
||||||
|
'recursive' => 0,
|
||||||
|
'conditions' => array('User.email' => $tailscaleLogin)
|
||||||
|
));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fall back to HTTP basic auth if no Tailscale auth or user not found
|
||||||
|
if (!$user && isset($_SERVER["PHP_AUTH_USER"])) {
|
||||||
|
$user = $this->User->find('first', array(
|
||||||
|
'recursive' => 0,
|
||||||
|
'conditions' => array('User.username' => $_SERVER["PHP_AUTH_USER"])
|
||||||
|
));
|
||||||
|
}
|
||||||
|
|
||||||
return $user;
|
return $user;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
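Review bot: In beforeFilter (first hunk), `$tailscaleLogin` is taken straight from `$_SERVER['HTTP_TAILSCALE_USER_LOGIN']`, a client-controlled request header, and with `Tailscale.enabled` on it is consulted before Basic Auth; any client that can reach the app without going through the Tailscale proxy can send `Tailscale-User-Login: <some user's email>` and is treated as that user with no password, and with `autoCreateUsers` on it can also create an account. The header should be honoured only when the request demonstrably arrived via the proxy — for example when `$_SERVER['REMOTE_ADDR']` matches a configured list of proxy addresses — and ignored otherwise. getCurrentUser() in the second hunk repeats the same lookup without the auto-create branch, so the gate belongs in one shared helper that both methods call, and its docblock should become `@return array|null - the currently logged in user, or null when no user is authenticated`. beforeFilter continues past the end of the first hunk.
```php
// Honour Tailscale identity headers only from the trusted proxy; a client
// that connects directly can set Tailscale-User-Login itself.
$trustedProxies = (array) Configure::read('Tailscale.trustedProxies');
$fromProxy = isset($_SERVER['REMOTE_ADDR'])
    && in_array($_SERVER['REMOTE_ADDR'], $trustedProxies, true);
if (Configure::read('Tailscale.enabled') && $fromProxy) {
    $tailscaleLogin = isset($_SERVER['HTTP_TAILSCALE_USER_LOGIN']) ? $_SERVER['HTTP_TAILSCALE_USER_LOGIN'] : null;
    // … unchanged: lookup by email and optional auto-create …
}
// … unchanged: Basic Auth fallback …
```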