From cda00c8a62adc8ff05549bca64277b6dbe6fcc9a Mon Sep 17 00:00:00 2001
From: Sean Harvey
Date: Thu, 19 Jun 2014 17:31:15 +1200
Subject: [PATCH] Provide a way to enable basic auth for authenticating dev/check URL. In live or test environments, you need to be logged in as an admin to access dev/check, but that's not appropriate if you wish to use that page for a service that automatically checks the health of a site.
---
 README.md | 15 +++++++++++++++
 code/EnvironmentChecker.php | 31 +++++++++++++++++++++++++++++--
 2 files changed, 44 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 84e2420..66f7860 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,21 @@ Register checks in your own `_config.php` - see the `_config.php` in this module
 * `ExternalURLCheck`: Checks that one or more URLs are reachable via HTTP.
 * `SMTPConnectCheck`: Checks if the SMTP connection configured through PHP.ini works as expected.
+## Authentication
+
+By default, accessing the `dev/check` URL will not require authentication on CLI and dev environments, but if you're
+trying to access it on a live or test environment, it will respond with a 403 HTTP status unless you're logged in as
+an administrator on the site.
+
+You may wish to have an automated service check `dev/check` periodically, but not want to open it up for public access.
+You can enable basic authentication by defining the following in your environment:
+
+ define('ENVCHECK_BASICAUTH_USERNAME', 'test');
+ define('ENVCHECK_BASICAUTH_PASSWORD', 'password');
+
+Now if you access `dev/check` in a browser it will pop up a basic auth popup, and if the submitted username and password
+match the ones defined the username and password defined in the environment, access will be granted to the page.
+
 ## Adding more checks
 To add more checks, you should put additional `EnvironmentCheckSuite::register` calls into your `_config.php`. See the `_config.php` file of this module for examples.
diff --git a/code/EnvironmentChecker.php b/code/EnvironmentChecker.php
index 3ec749c..ba02bdb 100644
--- a/code/EnvironmentChecker.php
+++ b/code/EnvironmentChecker.php
@@ -29,7 +29,34 @@ class EnvironmentChecker extends RequestHandler {
 }
 function init($permission = 'ADMIN') {
- if(!$this->canAccess(null, $permission)) return $this->httpError(403);
+ // if the environment supports it, provide a basic auth challenge and see if it matches configured credentials
+ if(defined('ENVCHECK_BASICAUTH_USERNAME') && defined('ENVCHECK_BASICAUTH_PASSWORD')) {
+ if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
+ // authenticate the input user/pass with the configured credentials
+ if(
+ !(
+ $_SERVER['PHP_AUTH_USER'] == ENVCHECK_BASICAUTH_USERNAME
+ && $_SERVER['PHP_AUTH_PW'] == ENVCHECK_BASICAUTH_PASSWORD
+ )
+ ) {
+ $response = new SS_HTTPResponse(null, 401);
+ $response->addHeader('WWW-Authenticate', "Basic realm=\"Environment check\"");
+ // Exception is caught by RequestHandler->handleRequest() and will halt further execution
+ $e = new SS_HTTPResponse_Exception(null, 401);
+ $e->setResponse($response);
+ throw $e;
+ }
+ } else {
+ $response = new SS_HTTPResponse(null, 401);
+ $response->addHeader('WWW-Authenticate', "Basic realm=\"Environment check\"");
+ // Exception is caught by RequestHandler->handleRequest() and will halt further execution
+ $e = new SS_HTTPResponse_Exception(null, 401);
+ $e->setResponse($response);
+ throw $e;
+ }
+ } else {
+ if(!$this->canAccess(null, $permission)) return $this->httpError(403);
+ }
 }
 function canAccess($member = null, $permission = "ADMIN") {
@@ -115,4 +142,4 @@ class EnvironmentChecker extends RequestHandler {
 return self::$email_results;
 }
-}
\ No newline at end of file
+}
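Review bot: The credential check added to `init()` compares `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']` against the configured constants with loose `==`, which applies PHP's numeric-string juggling (two different numeric-looking strings can compare equal) and is not constant-time, so it is weaker than it reads for a secret that guards a live endpoint. Compare strictly and in constant time instead, e.g. `hash_equals((string) ENVCHECK_BASICAUTH_USERNAME, (string) $_SERVER['PHP_AUTH_USER'])` and `hash_equals((string) ENVCHECK_BASICAUTH_PASSWORD, (string) $_SERVER['PHP_AUTH_PW'])` (PHP 5.6+; on older runtimes use `===` at minimum). Once both constants are defined the `canAccess()` permission check is skipped entirely, so constants defined as empty strings would appear to accept an empty login; reject empty configured values before comparing. The two identical 401 branches could also be folded into one by moving the `isset()` test into the same condition, which leaves a single place to add logging of failed attempts.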