diff --git a/.env.example b/.env.example index ccafaf4fb..57e6af6a9 100644 --- a/.env.example +++ b/.env.example @@ -67,6 +67,15 @@ LDAP_DN=false LDAP_PASS=false LDAP_USER_FILTER=false LDAP_VERSION=false +#do you want to sync LDAP groups to BookStack roles for a user +LDAP_USER_TO_GROUPS=false +#what is the LDAP attribute for group memberships +LDAP_GROUP_ATTRIBUTE="memberOf" +#what LDAP group should the user be a part of to be an admin on BookStack +LDAP_ADMIN_GROUP="Domain Admins" +#would you like to remove users from roles on bookstack if they do not match on LDAP +#if false, the ldap groups-roles sync will only add users to roles +LDAP_REMOVE_FROM_GROUPS=false # Mail settings MAIL_DRIVER=smtp diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index 106b90524..21c9dc4c5 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers\Auth; use BookStack\Exceptions\AuthException; use BookStack\Http\Controllers\Controller; use BookStack\Repos\UserRepo; +use BookStack\Repos\LdapRepo; use BookStack\Services\SocialAuthService; use Illuminate\Contracts\Auth\Authenticatable; use Illuminate\Foundation\Auth\AuthenticatesUsers; @@ -96,6 +97,13 @@ class LoginController extends Controller auth()->login($user); } + // ldap groups refresh + if (config('services.ldap.user_to_groups') !== false && $request->filled('username')) { + $ldapRepo = new LdapRepo($this->userRepo); + $ldapRepo->syncGroups($user, $request->input('username')); + } + + $path = session()->pull('url.intended', '/'); $path = baseUrl($path, true); return redirect($path); diff --git a/app/Repos/LdapRepo.php b/app/Repos/LdapRepo.php new file mode 100644 index 000000000..12bde0cdd --- /dev/null +++ b/app/Repos/LdapRepo.php @@ -0,0 +1,84 @@ +config = config('services.ldap'); + + if (config('auth.method') !== 'ldap') { + return false; + } + + $this->ldapService = new LdapService(new Ldap); + $this->userRepo = $userRepo; + } + + /** + * If there is no ldap connection, all methods calls to this library will return null + */ + public function __call($method, $arguments) + { + if ($this->ldap === null) { + return null; + } + + return call_user_func_array(array($this,$method), $arguments); + } + + /** + * Sync the LDAP groups to the user roles for the current user + * @param \BookStack\User $user + * @param string $userName + * @throws \BookStack\Exceptions\NotFoundException + */ + public function syncGroups($user, $userName) + { + $userLdapGroups = $this->ldapService->getUserGroups($userName); + $userLdapGroups = $this->groupNameFilter($userLdapGroups); + // get the ids for the roles from the names + $ldapGroupsAsRoles = Role::whereIn('name', $userLdapGroups)->pluck('id'); + // sync groups + if ($this->config['remove_from_groups']) { + $user->roles()->sync($ldapGroupsAsRoles); + $this->userRepo->attachDefaultRole($user); + } else { + $user->roles()->syncWithoutDetaching($ldapGroupsAsRoles); + } + + // make the user an admin? + if (in_array($this->config['admin'], $userLdapGroups)) { + $this->userRepo->attachSystemRole($user, 'admin'); + } + } + + /** + * Filter to convert the groups from ldap to the format of the roles name on BookStack + * Spaces replaced with -, all lowercase letters + * @param array $groups + * @return array + */ + private function groupNameFilter($groups) + { + $return = []; + foreach ($groups as $groupName) { + $return[] = str_replace(' ', '-', strtolower($groupName)); + } + return $return; + } +} diff --git a/app/Services/LdapService.php b/app/Services/LdapService.php index 3eb2f2830..d51b89409 100644 --- a/app/Services/LdapService.php +++ b/app/Services/LdapService.php @@ -25,6 +25,32 @@ class LdapService $this->config = config('services.ldap'); } + /** + * Search for attributes for a specific user on the ldap + * @param string $userName + * @param array $attributes + * @return null|array + * @throws LdapException + */ + private function getUserWithAttributes($userName, $attributes) + { + $ldapConnection = $this->getConnection(); + $this->bindSystemUser($ldapConnection); + + // Find user + $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]); + $baseDn = $this->config['base_dn']; + + $followReferrals = $this->config['follow_referrals'] ? 1 : 0; + $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals); + $users = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $userFilter, $attributes); + if ($users['count'] === 0) { + return null; + } + + return $users[0]; + } + /** * Get the details of a user from LDAP using the given username. * User found via configurable user filter. @@ -34,21 +60,13 @@ class LdapService */ public function getUserDetails($userName) { - $ldapConnection = $this->getConnection(); - $this->bindSystemUser($ldapConnection); - - // Find user - $userFilter = $this->buildFilter($this->config['user_filter'], ['user' => $userName]); - $baseDn = $this->config['base_dn']; $emailAttr = $this->config['email_attribute']; - $followReferrals = $this->config['follow_referrals'] ? 1 : 0; - $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals); - $users = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, $userFilter, ['cn', 'uid', 'dn', $emailAttr]); - if ($users['count'] === 0) { + $user = $this->getUserWithAttributes($userName, ['cn', 'uid', 'dn', $emailAttr]); + + if ($user === null) { return null; } - $user = $users[0]; return [ 'uid' => (isset($user['uid'])) ? $user['uid'][0] : $user['dn'], 'name' => $user['cn'][0], @@ -162,4 +180,98 @@ class LdapService } return strtr($filterString, $newAttrs); } + + /** + * Get the groups a user is a part of on ldap + * @param string $userName + * @return array|null + */ + public function getUserGroups($userName) + { + $groupsAttr = $this->config['group_attribute']; + $user = $this->getUserWithAttributes($userName, [$groupsAttr]); + + if ($user === null) { + return null; + } + + $userGroups = $this->groupFilter($user); + $userGroups = $this->getGroupsRecursive($userGroups, []); + return $userGroups; + } + + /** + * Get the parent groups of an array of groups + * @param array $groupsArray + * @param array $checked + * @return array + */ + private function getGroupsRecursive($groupsArray, $checked) + { + $groups_to_add = []; + foreach ($groupsArray as $groupName) { + if (in_array($groupName, $checked)) { + continue; + } + + $groupsToAdd = $this->getGroupGroups($groupName); + $groups_to_add = array_merge($groups_to_add, $groupsToAdd); + $checked[] = $groupName; + } + $groupsArray = array_unique(array_merge($groupsArray, $groups_to_add), SORT_REGULAR); + + if (!empty($groups_to_add)) { + return $this->getGroupsRecursive($groupsArray, $checked); + } else { + return $groupsArray; + } + } + + /** + * Get the parent groups of a single group + * @param string $groupName + * @return array + */ + private function getGroupGroups($groupName) + { + $ldapConnection = $this->getConnection(); + $this->bindSystemUser($ldapConnection); + + $followReferrals = $this->config['follow_referrals'] ? 1 : 0; + $this->ldap->setOption($ldapConnection, LDAP_OPT_REFERRALS, $followReferrals); + + $baseDn = $this->config['base_dn']; + $groupsAttr = strtolower($this->config['group_attribute']); + + $groups = $this->ldap->searchAndGetEntries($ldapConnection, $baseDn, 'CN='.$groupName, [$groupsAttr]); + if ($groups['count'] === 0) { + return []; + } + + $groupGroups = $this->groupFilter($groups[0]); + return $groupGroups; + } + + /** + * Filter out LDAP CN and DN language in a ldap search return + * Gets the base CN (common name) of the string + * @param string $ldapSearchReturn + * @return array + */ + protected function groupFilter($ldapSearchReturn) + { + $groupsAttr = strtolower($this->config['group_attribute']); + $ldapGroups = []; + $count = 0; + if (isset($ldapSearchReturn[$groupsAttr]['count'])) { + $count = (int) $ldapSearchReturn[$groupsAttr]['count']; + } + for ($i=0; $i<$count; $i++) { + $dnComponents = ldap_explode_dn($ldapSearchReturn[$groupsAttr][$i], 1); + if (!in_array($dnComponents[0], $ldapGroups)) { + $ldapGroups[] = $dnComponents[0]; + } + } + return $ldapGroups; + } } diff --git a/config/services.php b/config/services.php index 825b1f109..daa160643 100644 --- a/config/services.php +++ b/config/services.php @@ -118,6 +118,10 @@ return [ 'version' => env('LDAP_VERSION', false), 'email_attribute' => env('LDAP_EMAIL_ATTRIBUTE', 'mail'), 'follow_referrals' => env('LDAP_FOLLOW_REFERRALS', false), - ] + 'user_to_groups' => env('LDAP_USER_TO_GROUPS',false), + 'group_attribute' => env('LDAP_GROUP_ATTRIBUTE', 'memberOf'), + 'admin' => env('LDAP_ADMIN_GROUP','Domain Admins'), + 'remove_from_groups' => env('LDAP_REMOVE_FROM_GROUPS',false), + ] ];