X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/6bccf0e64a2c59d6d7db67472d133df446b91392..refs/pull/2393/head:/app/Auth/Access/LdapService.php diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php index c48a72f98..92234edcf 100644 --- a/app/Auth/Access/LdapService.php +++ b/app/Auth/Access/LdapService.php @@ -1,37 +1,29 @@ ldap = $ldap; $this->config = config('services.ldap'); - $this->userRepo = $userRepo; $this->enabled = config('auth.method') === 'ldap'; } @@ -45,17 +37,21 @@ class LdapService } /** - * Search for attributes for a specific user on the ldap - * @param string $userName - * @param array $attributes - * @return null|array + * Search for attributes for a specific user on the ldap. * @throws LdapException */ - private function getUserWithAttributes($userName, $attributes) + private function getUserWithAttributes(string $userName, array $attributes): ?array { $ldapConnection = $this->getConnection(); $this->bindSystemUser($ldapConnection); + // Clean attributes + foreach ($attributes as $index => $attribute) { + if (strpos($attribute, 'BIN;') === 0) { + $attributes[$index] = substr($attribute, strlen('BIN;')); + } + } + // Find user $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]); $baseDn = $this->config['base_dn']; @@ -73,51 +69,78 @@ class LdapService /** * Get the details of a user from LDAP using the given username. * User found via configurable user filter. - * @param $userName - * @return array|null * @throws LdapException */ - public function getUserDetails($userName) + public function getUserDetails(string $userName): ?array { + $idAttr = $this->config['id_attribute']; $emailAttr = $this->config['email_attribute']; $displayNameAttr = $this->config['display_name_attribute']; - $user = $this->getUserWithAttributes($userName, ['cn', 'uid', 'dn', $emailAttr, $displayNameAttr]); + $user = $this->getUserWithAttributes($userName, ['cn', 'dn', $idAttr, $emailAttr, $displayNameAttr]); if ($user === null) { return null; } - return [ - 'uid' => (isset($user['uid'])) ? $user['uid'][0] : $user['dn'], - 'name' => (isset($user[$displayNameAttr])) ? (is_array($user[$displayNameAttr]) ? $user[$displayNameAttr][0] : $user[$displayNameAttr]) : $user['cn'][0], + $userCn = $this->getUserResponseProperty($user, 'cn', null); + $formatted = [ + 'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']), + 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn), 'dn' => $user['dn'], - 'email' => (isset($user[$emailAttr])) ? (is_array($user[$emailAttr]) ? $user[$emailAttr][0] : $user[$emailAttr]) : null + 'email' => $this->getUserResponseProperty($user, $emailAttr, null), ]; + + if ($this->config['dump_user_details']) { + throw new JsonDebugException([ + 'details_from_ldap' => $user, + 'details_bookstack_parsed' => $formatted, + ]); + } + + return $formatted; } /** - * @param Authenticatable $user - * @param string $username - * @param string $password - * @return bool - * @throws LdapException + * Get a property from an LDAP user response fetch. + * Handles properties potentially being part of an array. + * If the given key is prefixed with 'BIN;', that indicator will be stripped + * from the key and any fetched values will be converted from binary to hex. */ - public function validateUserCredentials(Authenticatable $user, $username, $password) + protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue) { - $ldapUser = $this->getUserDetails($username); - if ($ldapUser === null) { - return false; + $isBinary = strpos($propertyKey, 'BIN;') === 0; + $propertyKey = strtolower($propertyKey); + $value = $defaultValue; + + if ($isBinary) { + $propertyKey = substr($propertyKey, strlen('BIN;')); } - if ($ldapUser['uid'] !== $user->external_auth_id) { + if (isset($userDetails[$propertyKey])) { + $value = (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]); + if ($isBinary) { + $value = bin2hex($value); + } + } + + return $value; + } + + /** + * Check if the given credentials are valid for the given user. + * @throws LdapException + */ + public function validateUserCredentials(?array $ldapUserDetails, string $password): bool + { + if (is_null($ldapUserDetails)) { return false; } $ldapConnection = $this->getConnection(); try { - $ldapBind = $this->ldap->bind($ldapConnection, $ldapUser['dn'], $password); - } catch (\ErrorException $e) { + $ldapBind = $this->ldap->bind($ldapConnection, $ldapUserDetails['dn'], $password); + } catch (ErrorException $e) { $ldapBind = false; } @@ -164,25 +187,14 @@ class LdapService throw new LdapException(trans('errors.ldap_extension_not_installed')); } - // Get port from server string and protocol if specified. - $ldapServer = explode(':', $this->config['server']); - $hasProtocol = preg_match('/^ldaps{0,1}\:\/\//', $this->config['server']) === 1; - if (!$hasProtocol) { - array_unshift($ldapServer, ''); - } - $hostName = $ldapServer[0] . ($hasProtocol?':':'') . $ldapServer[1]; - $defaultPort = $ldapServer[0] === 'ldaps' ? 636 : 389; - - /* - * Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of - * the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not - * per handle. - */ + // Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of + // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle. if ($this->config['tls_insecure']) { $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER); } - $ldapConnection = $this->ldap->connect($hostName, count($ldapServer) > 2 ? intval($ldapServer[2]) : $defaultPort); + $serverDetails = $this->parseServerString($this->config['server']); + $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']); if ($ldapConnection === false) { throw new LdapException(trans('errors.ldap_cannot_connect')); @@ -197,13 +209,29 @@ class LdapService return $this->ldapConnection; } + /** + * Parse a LDAP server string and return the host and port for a connection. + * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'. + */ + protected function parseServerString(string $serverString): array + { + $serverNameParts = explode(':', $serverString); + + // If we have a protocol just return the full string since PHP will ignore a separate port. + if ($serverNameParts[0] === 'ldaps' || $serverNameParts[0] === 'ldap') { + return ['host' => $serverString, 'port' => 389]; + } + + // Otherwise, extract the port out + $hostName = $serverNameParts[0]; + $ldapPort = (count($serverNameParts) > 1) ? intval($serverNameParts[1]) : 389; + return ['host' => $hostName, 'port' => $ldapPort]; + } + /** * Build a filter string by injecting common variables. - * @param string $filterString - * @param array $attrs - * @return string */ - protected function buildFilter($filterString, array $attrs) + protected function buildFilter(string $filterString, array $attrs): string { $newAttrs = []; foreach ($attrs as $key => $attrText) { @@ -214,12 +242,10 @@ class LdapService } /** - * Get the groups a user is a part of on ldap - * @param string $userName - * @return array + * Get the groups a user is a part of on ldap. * @throws LdapException */ - public function getUserGroups($userName) + public function getUserGroups(string $userName): array { $groupsAttr = $this->config['group_attribute']; $user = $this->getUserWithAttributes($userName, [$groupsAttr]); @@ -234,40 +260,36 @@ class LdapService } /** - * Get the parent groups of an array of groups - * @param array $groupsArray - * @param array $checked - * @return array + * Get the parent groups of an array of groups. * @throws LdapException */ - private function getGroupsRecursive($groupsArray, $checked) + private function getGroupsRecursive(array $groupsArray, array $checked): array { - $groups_to_add = []; + $groupsToAdd = []; foreach ($groupsArray as $groupName) { if (in_array($groupName, $checked)) { continue; } - $groupsToAdd = $this->getGroupGroups($groupName); - $groups_to_add = array_merge($groups_to_add, $groupsToAdd); + $parentGroups = $this->getGroupGroups($groupName); + $groupsToAdd = array_merge($groupsToAdd, $parentGroups); $checked[] = $groupName; } - $groupsArray = array_unique(array_merge($groupsArray, $groups_to_add), SORT_REGULAR); - if (!empty($groups_to_add)) { - return $this->getGroupsRecursive($groupsArray, $checked); - } else { + $groupsArray = array_unique(array_merge($groupsArray, $groupsToAdd), SORT_REGULAR); + + if (empty($groupsToAdd)) { return $groupsArray; } + + return $this->getGroupsRecursive($groupsArray, $checked); } /** - * Get the parent groups of a single group - * @param string $groupName - * @return array + * Get the parent groups of a single group. * @throws LdapException */ - private function getGroupGroups($groupName) + private function getGroupGroups(string $groupName): array { $ldapConnection = $this->getConnection(); $this->bindSystemUser($ldapConnection); @@ -284,27 +306,24 @@ class LdapService return []; } - $groupGroups = $this->groupFilter($groups[0]); - return $groupGroups; + return $this->groupFilter($groups[0]); } /** - * Filter out LDAP CN and DN language in a ldap search return - * Gets the base CN (common name) of the string - * @param array $userGroupSearchResponse - * @return array + * Filter out LDAP CN and DN language in a ldap search return. + * Gets the base CN (common name) of the string. */ - protected function groupFilter(array $userGroupSearchResponse) + protected function groupFilter(array $userGroupSearchResponse): array { $groupsAttr = strtolower($this->config['group_attribute']); $ldapGroups = []; $count = 0; if (isset($userGroupSearchResponse[$groupsAttr]['count'])) { - $count = (int) $userGroupSearchResponse[$groupsAttr]['count']; + $count = (int)$userGroupSearchResponse[$groupsAttr]['count']; } - for ($i=0; $i<$count; $i++) { + for ($i = 0; $i < $count; $i++) { $dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1); if (!in_array($dnComponents[0], $ldapGroups)) { $ldapGroups[] = $dnComponents[0]; @@ -315,73 +334,12 @@ class LdapService } /** - * Sync the LDAP groups to the user roles for the current user - * @param \BookStack\Auth\User $user - * @param string $username + * Sync the LDAP groups to the user roles for the current user. * @throws LdapException */ public function syncGroups(User $user, string $username) { $userLdapGroups = $this->getUserGroups($username); - - // Get the ids for the roles from the names - $ldapGroupsAsRoles = $this->matchLdapGroupsToSystemsRoles($userLdapGroups); - - // Sync groups - if ($this->config['remove_from_groups']) { - $user->roles()->sync($ldapGroupsAsRoles); - $this->userRepo->attachDefaultRole($user); - } else { - $user->roles()->syncWithoutDetaching($ldapGroupsAsRoles); - } - } - - /** - * Match an array of group names from LDAP to BookStack system roles. - * Formats LDAP group names to be lower-case and hyphenated. - * @param array $groupNames - * @return \Illuminate\Support\Collection - */ - protected function matchLdapGroupsToSystemsRoles(array $groupNames) - { - foreach ($groupNames as $i => $groupName) { - $groupNames[$i] = str_replace(' ', '-', trim(strtolower($groupName))); - } - - $roles = Role::query()->where(function (Builder $query) use ($groupNames) { - $query->whereIn('name', $groupNames); - foreach ($groupNames as $groupName) { - $query->orWhere('external_auth_id', 'LIKE', '%' . $groupName . '%'); - } - })->get(); - - $matchedRoles = $roles->filter(function (Role $role) use ($groupNames) { - return $this->roleMatchesGroupNames($role, $groupNames); - }); - - return $matchedRoles->pluck('id'); - } - - /** - * Check a role against an array of group names to see if it matches. - * Checked against role 'external_auth_id' if set otherwise the name of the role. - * @param \BookStack\Auth\Role $role - * @param array $groupNames - * @return bool - */ - protected function roleMatchesGroupNames(Role $role, array $groupNames) - { - if ($role->external_auth_id) { - $externalAuthIds = explode(',', strtolower($role->external_auth_id)); - foreach ($externalAuthIds as $externalAuthId) { - if (in_array(trim($externalAuthId), $groupNames)) { - return true; - } - } - return false; - } - - $roleName = str_replace(' ', '-', trim(strtolower($role->display_name))); - return in_array($roleName, $groupNames); + $this->syncWithGroups($user, $userLdapGroups); } }