BookStack Code Mirror - bookstack/blob - app/Auth/Access/LdapService.php

1 <?php namespace BookStack\Auth\Access;

3 use BookStack\Auth\User;

4 use BookStack\Exceptions\JsonDebugException;

5 use BookStack\Exceptions\LdapException;

6 use ErrorException;

8 /**

9 * Class LdapService

10 * Handles any app-specific LDAP tasks.

11 */

12 class LdapService extends ExternalAuthService

13 {

15 protected $ldap;

16 protected $ldapConnection;

17 protected $config;

18 protected $enabled;

20 /**

21 * LdapService constructor.

22 */

23 public function __construct(Ldap $ldap)

24 {

25 $this->ldap = $ldap;

26 $this->config = config('services.ldap');

27 $this->enabled = config('auth.method') === 'ldap';

28 }

30 /**

31 * Check if groups should be synced.

32 * @return bool

33 */

34 public function shouldSyncGroups()

35 {

36 return $this->enabled && $this->config['user_to_groups'] !== false;

37 }

39 /**

40 * Search for attributes for a specific user on the ldap.

41 * @throws LdapException

42 */

43 private function getUserWithAttributes(string $userName, array $attributes): ?array

44 {

45 $ldapConnection = $this->getConnection();

46 $this->bindSystemUser($ldapConnection);

48 // Clean attributes

49 foreach ($attributes as $index => $attribute) {

50 if (strpos($attribute, 'BIN;') === 0) {

51 $attributes[$index] = substr($attribute, strlen('BIN;'));

52 }

53 }

55 // Find user

56 $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]);

57 $baseDn = $this->config['base_dn'];

59 $followReferrals = $this->config['follow_referrals'] ? 1 : 0;

60 $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals);

61 $users = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $userFilter, $attributes);

62 if ($users['count'] === 0) {

63 return null;

64 }

66 return $users[0];

67 }

69 /**

70 * Get the details of a user from LDAP using the given username.

71 * User found via configurable user filter.

72 * @throws LdapException

73 */

74 public function getUserDetails(string $userName): ?array

75 {

76 $idAttr = $this->config['id_attribute'];

77 $emailAttr = $this->config['email_attribute'];

78 $displayNameAttr = $this->config['display_name_attribute'];

80 $user = $this->getUserWithAttributes($userName, ['cn', 'dn', $idAttr, $emailAttr, $displayNameAttr]);

82 if ($user === null) {

83 return null;

84 }

86 $userCn = $this->getUserResponseProperty($user, 'cn', null);

87 $formatted = [

88 'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']),

89 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),

90 'dn' => $user['dn'],

91 'email' => $this->getUserResponseProperty($user, $emailAttr, null),

92 ];

94 if ($this->config['dump_user_details']) {

95 throw new JsonDebugException([

96 'details_from_ldap' => $user,

97 'details_bookstack_parsed' => $formatted,

98 ]);

99 }

100

101 return $formatted;

102 }

103

104 /**

105 * Get a property from an LDAP user response fetch.

106 * Handles properties potentially being part of an array.

107 * If the given key is prefixed with 'BIN;', that indicator will be stripped

108 * from the key and any fetched values will be converted from binary to hex.

109 */

110 protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue)

111 {

112 $isBinary = strpos($propertyKey, 'BIN;') === 0;

113 $propertyKey = strtolower($propertyKey);

114 $value = $defaultValue;

115

116 if ($isBinary) {

117 $propertyKey = substr($propertyKey, strlen('BIN;'));

118 }

119

120 if (isset($userDetails[$propertyKey])) {

121 $value = (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]);

122 if ($isBinary) {

123 $value = bin2hex($value);

124 }

125 }

126

127 return $value;

128 }

129

130 /**

131 * Check if the given credentials are valid for the given user.

132 * @throws LdapException

133 */

134 public function validateUserCredentials(?array $ldapUserDetails, string $password): bool

135 {

136 if (is_null($ldapUserDetails)) {

137 return false;

138 }

139

140 $ldapConnection = $this->getConnection();

141 try {

142 $ldapBind = $this->ldap->bind($ldapConnection, $ldapUserDetails['dn'], $password);

143 } catch (ErrorException $e) {

144 $ldapBind = false;

145 }

146

147 return $ldapBind;

148 }

149

150 /**

151 * Bind the system user to the LDAP connection using the given credentials

152 * otherwise anonymous access is attempted.

153 * @param $connection

154 * @throws LdapException

155 */

156 protected function bindSystemUser($connection)

157 {

158 $ldapDn = $this->config['dn'];

159 $ldapPass = $this->config['pass'];

160

161 $isAnonymous = ($ldapDn === false || $ldapPass === false);

162 if ($isAnonymous) {

163 $ldapBind = $this->ldap->bind($connection);

164 } else {

165 $ldapBind = $this->ldap->bind($connection, $ldapDn, $ldapPass);

166 }

167

168 if (!$ldapBind) {

169 throw new LdapException(($isAnonymous ? trans('errors.ldap_fail_anonymous') : trans('errors.ldap_fail_authed')));

170 }

171 }

172

173 /**

174 * Get the connection to the LDAP server.

175 * Creates a new connection if one does not exist.

176 * @return resource

177 * @throws LdapException

178 */

179 protected function getConnection()

180 {

181 if ($this->ldapConnection !== null) {

182 return $this->ldapConnection;

183 }

184

185 // Check LDAP extension in installed

186 if (!function_exists('ldap_connect') && config('app.env') !== 'testing') {

187 throw new LdapException(trans('errors.ldap_extension_not_installed'));

188 }

189

190 // Check if TLS_INSECURE is set. The handle is set to NULL due to the nature of

191 // the LDAP_OPT_X_TLS_REQUIRE_CERT option. It can only be set globally and not per handle.

192 if ($this->config['tls_insecure']) {

193 $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

194 }

195

196 $serverDetails = $this->parseServerString($this->config['server']);

197 $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);

198

199 if ($ldapConnection === false) {

200 throw new LdapException(trans('errors.ldap_cannot_connect'));

201 }

202

203 // Set any required options

204 if ($this->config['version']) {

205 $this->ldap->setVersion($ldapConnection, $this->config['version']);

206 }

207

208 $this->ldapConnection = $ldapConnection;

209 return $this->ldapConnection;

210 }

211

212 /**

213 * Parse a LDAP server string and return the host and port for a connection.

214 * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'.

215 */

216 protected function parseServerString(string $serverString): array

217 {

218 $serverNameParts = explode(':', $serverString);

219

220 // If we have a protocol just return the full string since PHP will ignore a separate port.

221 if ($serverNameParts[0] === 'ldaps' || $serverNameParts[0] === 'ldap') {

222 return ['host' => $serverString, 'port' => 389];

223 }

224

225 // Otherwise, extract the port out

226 $hostName = $serverNameParts[0];

227 $ldapPort = (count($serverNameParts) > 1) ? intval($serverNameParts[1]) : 389;

228 return ['host' => $hostName, 'port' => $ldapPort];

229 }

230

231 /**

232 * Build a filter string by injecting common variables.

233 */

234 protected function buildFilter(string $filterString, array $attrs): string

235 {

236 $newAttrs = [];

237 foreach ($attrs as $key => $attrText) {

238 $newKey = '${' . $key . '}';

239 $newAttrs[$newKey] = $this->ldap->escape($attrText);

240 }

241 return strtr($filterString, $newAttrs);

242 }

243

244 /**

245 * Get the groups a user is a part of on ldap.

246 * @throws LdapException

247 */

248 public function getUserGroups(string $userName): array

249 {

250 $groupsAttr = $this->config['group_attribute'];

251 $user = $this->getUserWithAttributes($userName, [$groupsAttr]);

252

253 if ($user === null) {

254 return [];

255 }

256

257 $userGroups = $this->groupFilter($user);

258 $userGroups = $this->getGroupsRecursive($userGroups, []);

259 return $userGroups;

260 }

261

262 /**

263 * Get the parent groups of an array of groups.

264 * @throws LdapException

265 */

266 private function getGroupsRecursive(array $groupsArray, array $checked): array

267 {

268 $groupsToAdd = [];

269 foreach ($groupsArray as $groupName) {

270 if (in_array($groupName, $checked)) {

271 continue;

272 }

273

274 $parentGroups = $this->getGroupGroups($groupName);

275 $groupsToAdd = array_merge($groupsToAdd, $parentGroups);

276 $checked[] = $groupName;

277 }

278

279 $groupsArray = array_unique(array_merge($groupsArray, $groupsToAdd), SORT_REGULAR);

280

281 if (empty($groupsToAdd)) {

282 return $groupsArray;

283 }

284

285 return $this->getGroupsRecursive($groupsArray, $checked);

286 }

287

288 /**

289 * Get the parent groups of a single group.

290 * @throws LdapException

291 */

292 private function getGroupGroups(string $groupName): array

293 {

294 $ldapConnection = $this->getConnection();

295 $this->bindSystemUser($ldapConnection);

296

297 $followReferrals = $this->config['follow_referrals'] ? 1 : 0;

298 $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals);

299

300 $baseDn = $this->config['base_dn'];

301 $groupsAttr = strtolower($this->config['group_attribute']);

302

303 $groupFilter = 'CN=' . $this->ldap->escape($groupName);

304 $groups = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $groupFilter, [$groupsAttr]);

305 if ($groups['count'] === 0) {

306 return [];

307 }

308

309 return $this->groupFilter($groups[0]);

310 }

311

312 /**

313 * Filter out LDAP CN and DN language in a ldap search return.

314 * Gets the base CN (common name) of the string.

315 */

316 protected function groupFilter(array $userGroupSearchResponse): array

317 {

318 $groupsAttr = strtolower($this->config['group_attribute']);

319 $ldapGroups = [];

320 $count = 0;

321

322 if (isset($userGroupSearchResponse[$groupsAttr]['count'])) {

323 $count = (int)$userGroupSearchResponse[$groupsAttr]['count'];

324 }

325

326 for ($i = 0; $i < $count; $i++) {

327 $dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1);

328 if (!in_array($dnComponents[0], $ldapGroups)) {

329 $ldapGroups[] = $dnComponents[0];

330 }

331 }

332

333 return $ldapGroups;

334 }

335

336 /**

337 * Sync the LDAP groups to the user roles for the current user.

338 * @throws LdapException

339 */

340 public function syncGroups(User $user, string $username)

341 {

342 $userLdapGroups = $this->getUserGroups($username);

343 $this->syncWithGroups($user, $userLdapGroups);

344 }

345 }