From f9fa6904b95409908e1ad8cbb344c7d1773bfc66 Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Mon, 16 Dec 2019 12:38:35 +0000 Subject: [PATCH] Made LDAP auth ID attribute configurable - Allows the field that gets stored as the "External Authentication ID" to be configurable. Defined as LDAP_ID_ATTRIBUTE=uid in .env. - Added test to cover usage. - Also now auto-lowercases when searching for attributes in LDAP response since PHP always provides them as lower case. Closes #592. --- .env.example.complete | 1 + app/Auth/Access/LdapService.php | 101 ++++++++++++-------------------- app/Config/services.php | 1 + tests/Auth/LdapTest.php | 29 ++++++++- 4 files changed, 66 insertions(+), 66 deletions(-) diff --git a/.env.example.complete b/.env.example.complete index e8c212f39..a13c8b7d0 100644 --- a/.env.example.complete +++ b/.env.example.complete @@ -191,6 +191,7 @@ LDAP_PASS=false LDAP_USER_FILTER=false LDAP_VERSION=false LDAP_TLS_INSECURE=false +LDAP_ID_ATTRIBUTE=uid LDAP_EMAIL_ATTRIBUTE=mail LDAP_DISPLAY_NAME_ATTRIBUTE=cn LDAP_FOLLOW_REFERRALS=true diff --git a/app/Auth/Access/LdapService.php b/app/Auth/Access/LdapService.php index b0700322f..554bc4b48 100644 --- a/app/Auth/Access/LdapService.php +++ b/app/Auth/Access/LdapService.php @@ -1,17 +1,16 @@ ldap = $ldap; $this->config = config('services.ldap'); @@ -43,13 +40,10 @@ class LdapService extends Access\ExternalAuthService } /** - * Search for attributes for a specific user on the ldap - * @param string $userName - * @param array $attributes - * @return null|array + * Search for attributes for a specific user on the ldap. * @throws LdapException */ - private function getUserWithAttributes($userName, $attributes) + private function getUserWithAttributes(string $userName, array $attributes): ?array { $ldapConnection = $this->getConnection(); $this->bindSystemUser($ldapConnection); @@ -71,16 +65,15 @@ class LdapService extends Access\ExternalAuthService /** * Get the details of a user from LDAP using the given username. * User found via configurable user filter. - * @param $userName - * @return array|null * @throws LdapException */ - public function getUserDetails($userName) + public function getUserDetails(string $userName): ?array { + $idAttr = $this->config['id_attribute']; $emailAttr = $this->config['email_attribute']; $displayNameAttr = $this->config['display_name_attribute']; - $user = $this->getUserWithAttributes($userName, ['cn', 'uid', 'dn', $emailAttr, $displayNameAttr]); + $user = $this->getUserWithAttributes($userName, ['cn', 'dn', $idAttr, $emailAttr, $displayNameAttr]); if ($user === null) { return null; @@ -88,7 +81,7 @@ class LdapService extends Access\ExternalAuthService $userCn = $this->getUserResponseProperty($user, 'cn', null); return [ - 'uid' => $this->getUserResponseProperty($user, 'uid', $user['dn']), + 'uid' => $this->getUserResponseProperty($user, $idAttr, $user['dn']), 'name' => $this->getUserResponseProperty($user, $displayNameAttr, $userCn), 'dn' => $user['dn'], 'email' => $this->getUserResponseProperty($user, $emailAttr, null), @@ -98,13 +91,10 @@ class LdapService extends Access\ExternalAuthService /** * Get a property from an LDAP user response fetch. * Handles properties potentially being part of an array. - * @param array $userDetails - * @param string $propertyKey - * @param $defaultValue - * @return mixed */ protected function getUserResponseProperty(array $userDetails, string $propertyKey, $defaultValue) { + $propertyKey = strtolower($propertyKey); if (isset($userDetails[$propertyKey])) { return (is_array($userDetails[$propertyKey]) ? $userDetails[$propertyKey][0] : $userDetails[$propertyKey]); } @@ -113,13 +103,10 @@ class LdapService extends Access\ExternalAuthService } /** - * @param Authenticatable $user - * @param string $username - * @param string $password - * @return bool + * Check if the given credentials are valid for the given user. * @throws LdapException */ - public function validateUserCredentials(Authenticatable $user, $username, $password) + public function validateUserCredentials(Authenticatable $user, string $username, string $password): bool { $ldapUser = $this->getUserDetails($username); if ($ldapUser === null) { @@ -133,7 +120,7 @@ class LdapService extends Access\ExternalAuthService $ldapConnection = $this->getConnection(); try { $ldapBind = $this->ldap->bind($ldapConnection, $ldapUser['dn'], $password); - } catch (\ErrorException $e) { + } catch (ErrorException $e) { $ldapBind = false; } @@ -203,12 +190,10 @@ class LdapService extends Access\ExternalAuthService } /** - * Parse a LDAP server string and return the host and port for - * a connection. Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com' - * @param $serverString - * @return array + * Parse a LDAP server string and return the host and port for a connection. + * Is flexible to formats such as 'ldap.example.com:8069' or 'ldaps://ldap.example.com'. */ - protected function parseServerString($serverString) + protected function parseServerString(string $serverString): array { $serverNameParts = explode(':', $serverString); @@ -225,11 +210,8 @@ class LdapService extends Access\ExternalAuthService /** * Build a filter string by injecting common variables. - * @param string $filterString - * @param array $attrs - * @return string */ - protected function buildFilter($filterString, array $attrs) + protected function buildFilter(string $filterString, array $attrs): string { $newAttrs = []; foreach ($attrs as $key => $attrText) { @@ -240,12 +222,10 @@ class LdapService extends Access\ExternalAuthService } /** - * Get the groups a user is a part of on ldap - * @param string $userName - * @return array + * Get the groups a user is a part of on ldap. * @throws LdapException */ - public function getUserGroups($userName) + public function getUserGroups(string $userName): array { $groupsAttr = $this->config['group_attribute']; $user = $this->getUserWithAttributes($userName, [$groupsAttr]); @@ -260,40 +240,36 @@ class LdapService extends Access\ExternalAuthService } /** - * Get the parent groups of an array of groups - * @param array $groupsArray - * @param array $checked - * @return array + * Get the parent groups of an array of groups. * @throws LdapException */ - private function getGroupsRecursive($groupsArray, $checked) + private function getGroupsRecursive(array $groupsArray, array $checked): array { - $groups_to_add = []; + $groupsToAdd = []; foreach ($groupsArray as $groupName) { if (in_array($groupName, $checked)) { continue; } - $groupsToAdd = $this->getGroupGroups($groupName); - $groups_to_add = array_merge($groups_to_add, $groupsToAdd); + $parentGroups = $this->getGroupGroups($groupName); + $groupsToAdd = array_merge($groupsToAdd, $parentGroups); $checked[] = $groupName; } - $groupsArray = array_unique(array_merge($groupsArray, $groups_to_add), SORT_REGULAR); - if (!empty($groups_to_add)) { - return $this->getGroupsRecursive($groupsArray, $checked); - } else { + $groupsArray = array_unique(array_merge($groupsArray, $groupsToAdd), SORT_REGULAR); + + if (empty($groupsToAdd)) { return $groupsArray; } + + return $this->getGroupsRecursive($groupsArray, $checked); } /** - * Get the parent groups of a single group - * @param string $groupName - * @return array + * Get the parent groups of a single group. * @throws LdapException */ - private function getGroupGroups($groupName) + private function getGroupGroups(string $groupName): array { $ldapConnection = $this->getConnection(); $this->bindSystemUser($ldapConnection); @@ -310,17 +286,14 @@ class LdapService extends Access\ExternalAuthService return []; } - $groupGroups = $this->groupFilter($groups[0]); - return $groupGroups; + return $this->groupFilter($groups[0]); } /** - * Filter out LDAP CN and DN language in a ldap search return - * Gets the base CN (common name) of the string - * @param array $userGroupSearchResponse - * @return array + * Filter out LDAP CN and DN language in a ldap search return. + * Gets the base CN (common name) of the string. */ - protected function groupFilter(array $userGroupSearchResponse) + protected function groupFilter(array $userGroupSearchResponse): array { $groupsAttr = strtolower($this->config['group_attribute']); $ldapGroups = []; @@ -341,9 +314,7 @@ class LdapService extends Access\ExternalAuthService } /** - * Sync the LDAP groups to the user roles for the current user - * @param \BookStack\Auth\User $user - * @param string $username + * Sync the LDAP groups to the user roles for the current user. * @throws LdapException */ public function syncGroups(User $user, string $username) diff --git a/app/Config/services.php b/app/Config/services.php index a3ddf4f4d..a0bdd078a 100644 --- a/app/Config/services.php +++ b/app/Config/services.php @@ -123,6 +123,7 @@ return [ 'base_dn' => env('LDAP_BASE_DN', false), 'user_filter' => env('LDAP_USER_FILTER', '(&(uid=${user}))'), 'version' => env('LDAP_VERSION', false), + 'id_attribute' => env('LDAP_ID_ATTRIBUTE', 'uid'), 'email_attribute' => env('LDAP_EMAIL_ATTRIBUTE', 'mail'), 'display_name_attribute' => env('LDAP_DISPLAY_NAME_ATTRIBUTE', 'cn'), 'follow_referrals' => env('LDAP_FOLLOW_REFERRALS', false), diff --git a/tests/Auth/LdapTest.php b/tests/Auth/LdapTest.php index fe28698df..5d7bbfb1e 100644 --- a/tests/Auth/LdapTest.php +++ b/tests/Auth/LdapTest.php @@ -24,6 +24,7 @@ class LdapTest extends BrowserKitTest 'services.ldap.base_dn' => 'dc=ldap,dc=local', 'services.ldap.email_attribute' => 'mail', 'services.ldap.display_name_attribute' => 'cn', + 'services.ldap.id_attribute' => 'uid', 'services.ldap.user_to_groups' => false, 'auth.providers.users.driver' => 'ldap', ]); @@ -102,6 +103,32 @@ class LdapTest extends BrowserKitTest ->seeInDatabase('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => $ldapDn]); } + public function test_a_custom_uid_attribute_can_be_specified_and_is_used_properly() + { + config()->set(['services.ldap.id_attribute' => 'my_custom_id']); + $this->mockLdap->shouldReceive('connect')->once()->andReturn($this->resourceId); + $this->mockLdap->shouldReceive('setVersion')->once(); + $ldapDn = 'cn=test-user,dc=test' . config('services.ldap.base_dn'); + $this->mockLdap->shouldReceive('setOption')->times(2); + $this->mockLdap->shouldReceive('searchAndGetEntries')->times(2) + ->with($this->resourceId, config('services.ldap.base_dn'), \Mockery::type('string'), \Mockery::type('array')) + ->andReturn(['count' => 1, 0 => [ + 'cn' => [$this->mockUser->name], + 'dn' => $ldapDn, + 'my_custom_id' => ['cooluser456'], + 'mail' => [$this->mockUser->email] + ]]); + + + $this->mockLdap->shouldReceive('bind')->times(3)->andReturn(true); + $this->mockEscapes(2); + + $this->mockUserLogin() + ->seePageIs('/') + ->see($this->mockUser->name) + ->seeInDatabase('users', ['email' => $this->mockUser->email, 'email_confirmed' => false, 'external_auth_id' => 'cooluser456']); + } + public function test_initial_incorrect_details() { $this->mockLdap->shouldReceive('connect')->once()->andReturn($this->resourceId); @@ -365,7 +392,7 @@ class LdapTest extends BrowserKitTest 'uid' => [$this->mockUser->name], 'cn' => [$this->mockUser->name], 'dn' => ['dc=test' . config('services.ldap.base_dn')], - 'displayName' => 'displayNameAttribute' + 'displayname' => 'displayNameAttribute' ]]); $this->mockLdap->shouldReceive('bind')->times(6)->andReturn(true); $this->mockEscapes(4);