User authentication

1 General description

Using the Operations Portal web interface requires the client to present a valid digital user certificate. This certificate enables the web application to authenticate a user previously registered in the GOCDB (GOC Database). The role-based authentication system, which lets the web application know the user's roles and sites, makes it possible to pre-load actions and sites according to the user's profile.

For pure authentication, I think the filter must inherit from sfBasicSecurityFilter and set credentials, to respect the Symfony philosophy. Unfortunately this is not the case for the gocUserAuthentication class, for historical reasons, and it will be changed in a future release. Ideally, the gocUserAuthentication class would use the is_secure directive and the related security.yml file, inherit from sfBasicSecurityFilter and set credentials. For future developments, please use lavoisierAuthenticationFilter.class.php as a model.

2 Technical description

2.1 Certificate and filter

The Operations Portal web application, built on the Symfony framework, provides a filter mechanism: a chain of filters executed before each web page request.
In filters.yml you enable a filter by declaring it under a filter ID, and you can add condition parameters. N.B. The order of the filter declarations is important, as it defines the filter execution chain.
A filter can extend one of two classes: sfFilter or sfBasicSecurityFilter. If you choose sfBasicSecurityFilter, place your declaration before the "security: ~" directive.

sslFilter

The HTTPS redirection needs no parameters, but you can add the optional "condition: false" parameter to disable the filter if no SSL layer is installed on your web server.

sslFilterId:
  class: sslFilter
  #condition: false

gocUserAuthentication

For gocUserAuthentication, you can define the following parameters in the same filters.yml file:

gocUserAuthenticationFilterId:
  class: gocUserAuthenticationFilter
  param:
    fake_cert: <DN>
    condition:  %MOD_CRON_ENABLE_GOC_USER_AUTHENTICATION%
    USER_ROLE: "Site Administrator"
    ON_ENTITY: GRIDOPS-CICPORTAL
    ENTITY_TYPE: SITE

The parameters are:

  • The first parameter, fake_cert, lets you set any user certificate DN and act as that user.
  • The last three parameters together define the SuperAdmin scope. In this configuration example, the super administrators are the people registered in GOCDB as Site Administrators for the site GRIDOPS-CICPORTAL.
    The Super Administrator role allows you to:
    -> perform any action
    -> close malformed tickets
    -> view the Ticket ID
  • Note that fake_cert and the SuperAdmin parameters are optional.
  • The condition parameter takes the value of enable_goc_user_authentication from the config/module.yml file of the called module. If the called module has no module.yml, the condition is set to on and the filter is executed. In the cron module, for example, we need to grant access to the Lavoisier web service, which is not registered in GOCDB, so the module has a config/module.yml:
# modules/cron/config/module.yml
all:
  enable_goc_user_authentication: off
  • So none of the cron module's actions are affected by goc_user_authentication. This parameter can also be defined per action.

lavoisierAuthentication

lavoisierAuthentication.class.php uses the is_secure mechanism: the filter extends sfBasicSecurityFilter and is active only when the is_secure directive is set to true.
The security.yml file lives in apps/config/ or apps/module/moduleName/config; it can define a default value or a value for a single action.
The aim of the lavoisierAuthentication class is to set the lavoisier credential for the cron module.
The configuration in filters.yml [1] defines the certificate DN of the Lavoisier web service. lavoisierAuthentication.class.php compares it
with the DN presented by the web service and sets the credential that grants URL access. The access restriction is defined in modules/cron/security.yml [2].

[1] part of filters.yml

lavoisierAuthenticationFilterId:
  class: lavoisierAuthenticationFilter
  param:
    lavoisierdn: myLavoisierDN  # todo: get it from project.yml

[2] modules/cron/security.yml

default:
  is_secure: true
  credentials: lavoisier
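
The decisions the three filters above make (client DN resolution with the optional fake_cert override, the module.yml condition, the SuperAdmin scope and the Lavoisier DN credential), written as plain PHP functions runnable from the CLI. This is an added example, not the portal's own filter code: the function names are invented, the client DN is assumed to arrive in Apache's SSL_CLIENT_S_DN variable (set by "SSLOptions +StdEnvVars"), and honouring fake_cert only in the dev environment is a safeguard this example adds, not something the page states. Wiring into sfFilter::execute() is left out.

```php
<?php
// Added example (not the portal's own code): filter decisions as plain functions.
declare(strict_types=1);

/**
 * Resolve the DN of the authenticated client from the web server environment.
 * Apache exposes the client certificate subject as SSL_CLIENT_S_DN.
 * The fake_cert override is honoured only in the dev environment
 * (this example's assumption; the page does not state it).
 */
function resolveClientDn(array $server, ?string $fakeCert, string $environment): ?string
{
    if ($fakeCert !== null && $fakeCert !== '' && $environment === 'dev') {
        return $fakeCert;
    }
    $dn = $server['SSL_CLIENT_S_DN'] ?? '';
    return $dn === '' ? null : $dn;
}

/**
 * The "condition" parameter: read enable_goc_user_authentication from the
 * module's module.yml (already parsed into an array, here the 'all' section).
 * No file, or no key, means the filter runs.
 */
function gocAuthenticationEnabled(?array $moduleConfig): bool
{
    if ($moduleConfig === null) {
        return true;
    }
    $value = $moduleConfig['all']['enable_goc_user_authentication'] ?? true;
    // sfYaml maps on/off to booleans; accept the raw strings as well.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true;
}

/**
 * SuperAdmin scope: the user holds USER_ROLE on ON_ENTITY of ENTITY_TYPE.
 * $roles is a list of ['role' => ..., 'entity' => ..., 'type' => ...] built
 * from GOCDB data; $scope is the param block from filters.yml.
 */
function isSuperAdmin(array $roles, array $scope): bool
{
    foreach ($roles as $r) {
        if ($r['role'] === $scope['USER_ROLE']
            && $r['entity'] === $scope['ON_ENTITY']
            && strcasecmp($r['type'], $scope['ENTITY_TYPE']) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * lavoisierAuthentication: the credential to add when the caller's DN equals
 * the configured Lavoisier DN (timing-safe comparison), null otherwise.
 */
function lavoisierCredential(?string $clientDn, string $lavoisierDn): ?string
{
    if ($clientDn === null) {
        return null;
    }
    return hash_equals($lavoisierDn, $clientDn) ? 'lavoisier' : null;
}

// --- constructed sample data: not real certificates or GOCDB records ---
$server      = ['SSL_CLIENT_S_DN' => '/C=XX/O=Example/CN=Lavoisier Service'];
$lavoisierDn = '/C=XX/O=Example/CN=Lavoisier Service';
$scope       = ['USER_ROLE' => 'Site Administrator', 'ON_ENTITY' => 'GRIDOPS-CICPORTAL', 'ENTITY_TYPE' => 'SITE'];
$roles       = [
    ['role' => 'Site Administrator', 'entity' => 'GRIDOPS-CICPORTAL', 'type' => 'site'],
    ['role' => 'Regional Manager',   'entity' => 'EXAMPLE-ROC',       'type' => 'roc'],
];

// prod: the fake_cert override is not applied, the real DN is used
var_dump(resolveClientDn($server, '/C=XX/CN=Somebody Else', 'prod'));
// dev: the fake_cert override is applied
var_dump(resolveClientDn($server, '/C=XX/CN=Somebody Else', 'dev'));
// no module.yml at all, versus the cron module's "off"
var_dump(gocAuthenticationEnabled(null));
var_dump(gocAuthenticationEnabled(['all' => ['enable_goc_user_authentication' => 'off']]));
// SuperAdmin scope and Lavoisier credential
var_dump(isSuperAdmin($roles, $scope));
var_dump(lavoisierCredential(resolveClientDn($server, null, 'prod'), $lavoisierDn));
```

In the real filter, a non-null result from lavoisierCredential() would be passed to the user's addCredential() so that the cron actions protected by the security.yml above become reachable; a null result leaves the request to fall through to the normal secure-action handling.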

2.2 User classes

There is, in the directory trunk/lib/user, a set of classes for user environment management.

  • The functions called in sslFilter class are methods from myUser class.
  • The myUser class (extending sfBasicSecurityUser) represents the session variables in Symfony. It can be called from everywhere. This class contains an instance of gocUser (extending generalUser class).
  • The gocUser class contains all the functions needed to initialize user data from GOCDB, and
    the generalUser contains some common data which are not depending on GOCDB directly.
  • It will be easy to add a class cicUser (extending generalUser) to manage user's data from CICDB and keep the common treatment in generalUser.
  • So, after a valid user authentication, you can easily obtain information about the user environment with the following methods:
 - getFullName()            : get the last and first name stored in the certificate
 - getDN()                  : retrieve the certificate DN used to authenticate the current user
 - getSitesName()           : get the site names in the user's scope
 - getRocs()                : get the regional centres where the user is registered
 - canUpdateSite($sitename) : whether the user can act on a site (depending on roles and site scope)
 - isSuperAdmin()           : whether the user is recognised as a super admin
 - getRoles()               : get the user's list of roles
 - isMyRoc($rocname)        : whether the user is registered in a specific regional centre
 - isRegionalManager()      : whether the user has a Regional Manager role
 - isRegional()             : whether the user has a Regional role
 - isCCOD()                 : whether the user is a C-COD

2.3 Getting data from GOCDB via Lavoisier web service

User data initialization is managed by two main classes:
  • gocUser class (extending generalUser), and
  • userRole class (used as an object of generalUser).
Data are retrieved by parsing XML files coming from GOCPI:
  • gocUser provides the user's site names,
  • userRole builds the roles configuration.
In gocUserAuthentication we check whether:
  • the Lavoisier web service is available, and
  • the user is in GOCDB.

An exception is thrown if either condition is false, and an error message appears in the Dashboard.
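
The data flow of sections 2.2 and 2.3 carried through in plain PHP: a GOCDB-style user record is parsed with SimpleXML, the roles are turned into the user environment methods listed in 2.2, and the two failure modes (Lavoisier unavailable, user not in GOCDB) are raised as exceptions the caller can turn into a Dashboard message. This is an added example, not the portal's gocUser, userRole or myUser classes. The class and exception names are invented, and the XML shape is constructed for the example, modelled on the USER_ROLE / ON_ENTITY / ENTITY_TYPE names used in filters.yml; it is not a statement of the real GOCPI schema.

```php
<?php
// Added example (not the portal's own gocUser/userRole/myUser classes).
declare(strict_types=1);

class UserNotInGocdbException extends RuntimeException {}
class LavoisierUnavailableException extends RuntimeException {}

final class GocUserData
{
    private string $forename;
    private string $surname;
    private string $dn;
    /** @var array<int, array{role: string, entity: string, type: string}> */
    private array $roles = [];

    /**
     * @param string|false $xml document returned by Lavoisier, or false when
     *                          the fetch failed (as file_get_contents reports it)
     */
    public static function fromLavoisier($xml, string $dn): self
    {
        if ($xml === false || trim((string) $xml) === '') {
            throw new LavoisierUnavailableException('Lavoisier web service is not available');
        }
        $doc = simplexml_load_string((string) $xml);
        if ($doc === false) {
            throw new LavoisierUnavailableException('Lavoisier returned malformed XML');
        }
        foreach ($doc->USER as $user) {           // exact DN match, no normalisation
            if ((string) $user->CERTDN === $dn) {
                return new self($user);
            }
        }
        throw new UserNotInGocdbException("No GOCDB user registered for DN $dn");
    }

    private function __construct(SimpleXMLElement $user)
    {
        $this->forename = (string) $user->FORENAME;
        $this->surname  = (string) $user->SURNAME;
        $this->dn       = (string) $user->CERTDN;
        foreach ($user->USER_ROLE as $r) {        // one element per role held
            $this->roles[] = [
                'role'   => (string) $r->USER_ROLE,
                'entity' => (string) $r->ON_ENTITY,
                'type'   => strtoupper((string) $r->ENTITY_TYPE),
            ];
        }
    }

    public function getFullName(): string { return $this->surname . ' ' . $this->forename; }
    public function getDN(): string { return $this->dn; }
    /** @return string[] distinct role names */
    public function getRoles(): array { return array_values(array_unique(array_column($this->roles, 'role'))); }
    /** @return string[] sites in the user's scope */
    public function getSitesName(): array { return $this->entitiesOfType('SITE'); }
    /** @return string[] regional centres where the user holds a role */
    public function getRocs(): array { return $this->entitiesOfType('ROC'); }
    public function canUpdateSite(string $sitename): bool { return in_array($sitename, $this->getSitesName(), true); }
    public function isMyRoc(string $rocname): bool { return in_array($rocname, $this->getRocs(), true); }
    public function isRegionalManager(): bool { return in_array('Regional Manager', $this->getRoles(), true); }

    /** @return string[] */
    private function entitiesOfType(string $type): array
    {
        $out = [];
        foreach ($this->roles as $r) {
            if ($r['type'] === $type) {
                $out[] = $r['entity'];
            }
        }
        return array_values(array_unique($out));
    }
}

// Constructed sample document (not real GOCDB data): two users, one matching the caller's DN.
$sampleXml = <<<'XML'
<results>
  <USER><FORENAME>Ada</FORENAME><SURNAME>Lovelace</SURNAME><CERTDN>/C=XX/O=Example/CN=Ada Lovelace</CERTDN>
    <USER_ROLE><USER_ROLE>Site Administrator</USER_ROLE><ON_ENTITY>EXAMPLE-SITE-1</ON_ENTITY><ENTITY_TYPE>site</ENTITY_TYPE></USER_ROLE>
    <USER_ROLE><USER_ROLE>Regional Manager</USER_ROLE><ON_ENTITY>EXAMPLE-ROC</ON_ENTITY><ENTITY_TYPE>roc</ENTITY_TYPE></USER_ROLE>
  </USER>
  <USER><FORENAME>Charles</FORENAME><SURNAME>Babbage</SURNAME><CERTDN>/C=XX/O=Example/CN=Charles Babbage</CERTDN>
    <USER_ROLE><USER_ROLE>Site Administrator</USER_ROLE><ON_ENTITY>EXAMPLE-SITE-2</ON_ENTITY><ENTITY_TYPE>site</ENTITY_TYPE></USER_ROLE>
  </USER>
</results>
XML;

$user = GocUserData::fromLavoisier($sampleXml, '/C=XX/O=Example/CN=Ada Lovelace');
printf("%s: sites=%s rocs=%s\n", $user->getFullName(), implode(',', $user->getSitesName()), implode(',', $user->getRocs()));
var_dump($user->canUpdateSite('EXAMPLE-SITE-1'), $user->canUpdateSite('EXAMPLE-SITE-2'), $user->isRegionalManager());

// The two conditions checked in gocUserAuthentication, surfaced as exceptions.
foreach ([[$sampleXml, '/C=XX/O=Example/CN=Nobody'], [false, '/C=XX/O=Example/CN=Ada Lovelace']] as [$doc, $dn]) {
    try {
        GocUserData::fromLavoisier($doc, $dn);
    } catch (LavoisierUnavailableException | UserNotInGocdbException $e) {
        echo 'Dashboard error: ', $e->getMessage(), PHP_EOL;
    }
}
```

Site and ROC scope are derived only from the role entries in the record, so a user with no SITE-typed role gets an empty getSitesName() and canUpdateSite() is false for every site; authorization defaults to denial when GOCDB has nothing to say about the user.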

3 Dependencies

3.1 PHP files

  • A set of classes to manage user, see details above:
apps/frontend/lib/user/*
  • HTTPS redirection:
apps/frontend/config/sslFilter.class.php
  • Call user authentication functions, throw/catch exceptions, set credentials:
apps/frontend/config/gocUserAuthenticationFilter.class.php
apps/frontend/config/lavoisierAuthenticationFilter.class.php
  • Parse user data:
lib/basics/lavoisier.class.php
lib/basics/lavoisierViewHandler.class.php
lib/basics/XMLHandler.class.php
lib/basics/magicArray.class.php

3.2 YAML files

  • Get Lavoisier URLs:
apps/config/project.yml
  • Get sslFilterId and parameters (such as fake_cert and SuperAdmin):
apps/frontend/config/filters.yml
  • Optional file to enable/disable authentication:
apps/frontend/module/moduleName/config/module.yml
apps/frontend/module/moduleName/config/security.yml OR apps/frontend/config/security.yml