BookStack Code Mirror - bookstack/blob - app/Auth/Access/LdapService.php

1 <?php namespace BookStack\Auth\Access;

3 use BookStack\Auth\User;

4 use BookStack\Exceptions\JsonDebugException;

5 use BookStack\Exceptions\LdapException;

6 use ErrorException;

8 /**

9 * Class LdapService

10 * Handles any app-specific LDAP tasks.

11 */

12 class LdapService extends ExternalAuthService

13 {

15 protected $ldap;

16 protected $ldapConnection;

17 protected $config;

18 protected $enabled;

20 /**

21 * LdapService constructor.

22 */

23 public function __construct(Ldap $ldap)

24 {

25 $this->ldap = $ldap;

26 $this->config = config('services.ldap');

27 $this->enabled = config('auth.method') === 'ldap';

28 }

30 /**

31 * Check if groups should be synced.

32 * @return bool

33 */

34 public function shouldSyncGroups()

35 {

36 return $this->enabled && $this->config['user_to_groups'] !== false;

37 }

39 /**

40 * Search for attributes for a specific user on the ldap.

41 * @throws LdapException

42 */

43 private function getUserWithAttributes(string $userName, array $attributes): ?array

44 {

45 $ldapConnection = $this->getConnection();

46 $this->bindSystemUser($ldapConnection);

48 // Clean attributes

49 foreach ($attributes as $index => $attribute) {

50 if (strpos($attribute, 'BIN;') === 0) {

51 $attributes[$index] = substr($attribute, strlen('BIN;'));

52 }

53 }

55 // Find user

56 $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]);

57 $baseDn = $this->config['base_dn'];

59 $followReferrals = $this->config['follow_referrals'] ? 1 : 0;

60 $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals);

61 $users = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $userFilter, $attributes);

62 if ($users['count'] === 0) {

63 return null;

64 }

66 return $users[0];

67 }

69 /**

70 * Get the details of a user from LDAP using the given username.

71 * User found via configurable user filter.

72 * @throws LdapException

73 */

74 public function getUserDetails(string $userName): ?array

75 {

76 $idAttr = $this->config['id_attribute'];

77 $emailAttr = $this->config['email_attribute'];

78 $displayNameAttr = $this->config['display_name_attribute'];

80 $user = $this->getUserWithAttributes($userName, ['cn', 'dn', $idAttr, $emailAttr, $displayNameAttr]);

82 if ($user === null) {

83 return null;

84 }

86 $userCn = $this->getUserResponseProperty($user, 'cn', null);

87 $formatted = [

88 'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']),

89 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn),

90 'dn' => $user['dn'],

91 'email' => $this->getUserResponseProperty($user, $emailAttr, null),

92 ];

94 if ($this->config['dump_user_details']) {

95 throw new JsonDebugException([

96 'details_from_ldap' => $user,

97 'details_bookstack_parsed' => $formatted,

98 ]);

99 }

100

101 return $formatted;

102 }

103

104 /**

105 * Get a property from an LDAP user response fetch.

106 * Handles properties potentially being part of an array.

107 * If the given key is prefixed with 'BIN;', that indicator will be stripped

108 * from the key and any fetched values will be converted from binary to hex.

109 */

110 protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue)

111 {

112 $isBinary = strpos($propertyKey, 'BIN;') === 0;

113 $propertyKey = strtolower($propertyKey);

114 $value = $defaultValue;

115

116 if ($isBinary) {

117 $propertyKey = substr($propertyKey, strlen('BIN;'));

118 }

119

120 if (isset($userDetails[$propertyKey])) {

121 $value = (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]);

122 if ($isBinary) {

123 $value = bin2hex($value);

124 }

125 }

126

127 return $value;

128 }

129

130 /**

131 * Check if the given credentials are valid for the given user.

132 * @throws LdapException

133 */

134 public function validateUserCredentials(?array $ldapUserDetails, string $password): bool

135 {

136 if (is_null($ldapUserDetails)) {

137 return false;

138 }

139

140 $ldapConnection = $this->getConnection();

141 try {

142 $ldapBind = $this->ldap->bind($ldapConnection, $ldapUserDetails['dn'], $password);

143 } catch (ErrorException $e) {

144 $ldapBind = false;

145 }

146

147 return $ldapBind;

148 }

149

150 /**

151 * Bind the system user to the LDAP connection using the given credentials

152 * otherwise anonymous access is attempted.

153 * @param $connection

154 * @throws LdapException

155 */

156 protected function bindSystemUser($connection)

157 {

158 $ldapDn = $this->config['dn'];

159 $ldapPass = $this->config['pass'];

160

161 $isAnonymous = ($ldapDn === false || $ldapPass === false);

162 if ($isAnonymous) {

163 $ldapBind = $this->ldap->bind($connection);

164 } else {

165 $ldapBind = $this->ldap->bind($connection, $ldapDn, $ldapPass);

166 }

167

168 if (!$ldapBind) {

169 throw new LdapException(($isAnonymous ? trans('errors.ldap_fail_anonymous') : trans('errors.ldap_fail_authed')));

170 }

171 }

172

173 /**

174 * Get the connection to the LDAP server.

175 * Creates a new connection if one does not exist.

176 * @return resource

177 * @throws LdapException

178 */

179 protected function getConnection()

180 {

181 if ($this->ldapConnection !== null) {

182 return $this->ldapConnection;

183 }

184

185 // Check LDAP extension in installed

186 if (!function_exists('ldap_connect') && config('app.env') !== 'testing') {

187 throw new LdapException(trans('errors.ldap_extension_not_installed'));

188 }

189

190 // Disable certificate verification.

191 // This option works globally and must be set before a connection is created.

192 if ($this->config['tls_insecure']) {

193 $this->ldap->setOption(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);

194 }

195

196 $serverDetails = $this->parseServerString($this->config['server']);

197 $ldapConnection = $this->ldap->connect($serverDetails['host'], $serverDetails['port']);

198

199 if ($ldapConnection === false) {

200 throw new LdapException(trans('errors.ldap_cannot_connect'));

201 }

202

203 // Set any required options

204 if ($this->config['version']) {

205 $this->ldap->setVersion($ldapConnection, $this->config['version']);

206 }

207

208 // Start and verify TLS if it's enabled

209 if ($this->config['start_tls']) {

210 $started = $this->ldap->startTls($ldapConnection);

211 if (!$started) {

212 throw new LdapException('Could not start TLS connection');

213 }

214 }

215

216 $this->ldapConnection = $ldapConnection;

217 return $this->ldapConnection;

218 }

219

220 /**

221 * Parse a LDAP server string and return the host and port for a connection.

222 * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'.

223 */

224 protected function parseServerString(string $serverString): array

225 {

226 $serverNameParts = explode(':', $serverString);

227

228 // If we have a protocol just return the full string since PHP will ignore a separate port.

229 if ($serverNameParts[0] === 'ldaps' || $serverNameParts[0] === 'ldap') {

230 return ['host' => $serverString, 'port' => 389];

231 }

232

233 // Otherwise, extract the port out

234 $hostName = $serverNameParts[0];

235 $ldapPort = (count($serverNameParts) > 1) ? intval($serverNameParts[1]) : 389;

236 return ['host' => $hostName, 'port' => $ldapPort];

237 }

238

239 /**

240 * Build a filter string by injecting common variables.

241 */

242 protected function buildFilter(string $filterString, array $attrs): string

243 {

244 $newAttrs = [];

245 foreach ($attrs as $key => $attrText) {

246 $newKey = '${' . $key . '}';

247 $newAttrs[$newKey] = $this->ldap->escape($attrText);

248 }

249 return strtr($filterString, $newAttrs);

250 }

251

252 /**

253 * Get the groups a user is a part of on ldap.

254 * @throws LdapException

255 */

256 public function getUserGroups(string $userName): array

257 {

258 $groupsAttr = $this->config['group_attribute'];

259 $user = $this->getUserWithAttributes($userName, [$groupsAttr]);

260

261 if ($user === null) {

262 return [];

263 }

264

265 $userGroups = $this->groupFilter($user);

266 $userGroups = $this->getGroupsRecursive($userGroups, []);

267 return $userGroups;

268 }

269

270 /**

271 * Get the parent groups of an array of groups.

272 * @throws LdapException

273 */

274 private function getGroupsRecursive(array $groupsArray, array $checked): array

275 {

276 $groupsToAdd = [];

277 foreach ($groupsArray as $groupName) {

278 if (in_array($groupName, $checked)) {

279 continue;

280 }

281

282 $parentGroups = $this->getGroupGroups($groupName);

283 $groupsToAdd = array_merge($groupsToAdd, $parentGroups);

284 $checked[] = $groupName;

285 }

286

287 $groupsArray = array_unique(array_merge($groupsArray, $groupsToAdd), SORT_REGULAR);

288

289 if (empty($groupsToAdd)) {

290 return $groupsArray;

291 }

292

293 return $this->getGroupsRecursive($groupsArray, $checked);

294 }

295

296 /**

297 * Get the parent groups of a single group.

298 * @throws LdapException

299 */

300 private function getGroupGroups(string $groupName): array

301 {

302 $ldapConnection = $this->getConnection();

303 $this->bindSystemUser($ldapConnection);

304

305 $followReferrals = $this->config['follow_referrals'] ? 1 : 0;

306 $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals);

307

308 $baseDn = $this->config['base_dn'];

309 $groupsAttr = strtolower($this->config['group_attribute']);

310

311 $groupFilter = 'CN=' . $this->ldap->escape($groupName);

312 $groups = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $groupFilter, [$groupsAttr]);

313 if ($groups['count'] === 0) {

314 return [];

315 }

316

317 return $this->groupFilter($groups[0]);

318 }

319

320 /**

321 * Filter out LDAP CN and DN language in a ldap search return.

322 * Gets the base CN (common name) of the string.

323 */

324 protected function groupFilter(array $userGroupSearchResponse): array

325 {

326 $groupsAttr = strtolower($this->config['group_attribute']);

327 $ldapGroups = [];

328 $count = 0;

329

330 if (isset($userGroupSearchResponse[$groupsAttr]['count'])) {

331 $count = (int)$userGroupSearchResponse[$groupsAttr]['count'];

332 }

333

334 for ($i = 0; $i < $count; $i++) {

335 $dnComponents = $this->ldap->explodeDn($userGroupSearchResponse[$groupsAttr][$i], 1);

336 if (!in_array($dnComponents[0], $ldapGroups)) {

337 $ldapGroups[] = $dnComponents[0];

338 }

339 }

340

341 return $ldapGroups;

342 }

343

344 /**

345 * Sync the LDAP groups to the user roles for the current user.

346 * @throws LdapException

347 */

348 public function syncGroups(User $user, string $username)

349 {

350 $userLdapGroups = $this->getUserGroups($username);

351 $this->syncWithGroups($user, $userLdapGroups);

352 }

353 }