Add deny-if-empty feature to ENV authentication

.env.example

@@ -79,20 +79,34 @@ SITENAME="MunkiReport"
 #
 # AUTH_METHODS can be one of
 # - "NOAUTH": No authentication
+# - "ENV": Environment variable (without password) Authentication
 # - "LOCAL" : Local Users defined as .yml in the "users" folder
 # - "LDAP": LDAP Authentication
 # - "AD": Active Directory Authentication
 # - Any combination of the above, comma separated.
 #
 # Authentication providers are checked in this order:
 # - Noauth
+# - Environment variable
 # - Generated local user
 # - LDAP
 # - Active Directory
 
 
 AUTH_METHODS="NOAUTH"
 
+# ENVIRONMENT VARIABLE AUTHENTICATION
+# -------------------------------
+#
+# Read the authenticated username from the
+# given server environment variable. Useful
+# for handling authentication via a reverse
+# proxy (i.e. HTTP header, forward auth, Kerberos)
+AUTH_ENV_USER_VAR="REMOTE_USER"
+# Set to TRUE to fail authentication if the
+# above-named variable is empty or missing.
+AUTH_ENV_DENY_EMPTY=FALSE
+
 # ACTIVE DIRECTORY AUTHENTICATION
 # -------------------------------
 #

app/config/auth/env.php

@@ -1,5 +1,6 @@
 <?php
 
 return [
-    'env_user_var'            => 'REMOTE_USER',
+    'env_user_var'            => env('AUTH_ENV_USER_VAR', 'REMOTE_USER'),
+    'env_user_deny_empty'     => env('AUTH_ENV_DENY_EMPTY', false),
 ];

app/lib/munkireport/AuthEnv.php

@@ -4,7 +4,7 @@
 
 class AuthEnv extends AbstractAuth
 {
-    private $config;
+    private $config, $login, $authStatus;
 
     public function __construct($config)
     {
@@ -13,6 +13,19 @@ public function __construct($config)
 
     public function login($login, $password)
     {
+        $this->login = getenv($this->config['env_user_var']);
+
+        if ($this->config['env_user_deny_empty'] && empty($this->login)) {
+            if ($this->login === '') {
+                $this->authStatus = 'unauthorized';
+            } elseif ($this->login === false) {
+                $this->authStatus = 'failed';
+            }
+
+            return false;
+        }
+
+        $this->authStatus = 'success';
         return true;
     }
 
@@ -23,12 +36,12 @@ public function getAuthMechanism()
 
     public function getAuthStatus()
     {
-        return 'success';
+        return $this->authStatus;
     }
 
     public function getUser()
     {
-        return getenv($this->config['env_user_var']);
+        return $this->login;
     }
 
     public function getGroups()

app/lib/munkireport/AuthLDAP.php

@@ -4,7 +4,7 @@
 
 class AuthLDAP extends AbstractAuth
 {
-    private $config, $groups, $login, $auth_status;
+    private $config, $groups, $login, $authStatus;
 
     public function __construct($config)
     {

docs/configure.md

@@ -59,5 +59,7 @@ Munkireport will **not** set the passphrase on the client through the install sc
 - `SITENAME`: The site name which will appear in the title bar of your browser, Default: `MunkiReport`.
 - `AUTH_METHODS`: A comma separated list of supported Authentication methods. Any combination of:
     - `NOAUTH`: No authentication required
+    - `ENV`: Environment variable Authentication
+    - `LOCAL` : Local Users defined as .yml in the `users` folder
     - `LDAP`: LDAP Authentication
     - `AD`: Active Directory Authentication