ldap authentication, fixes shaarli/Shaarli#1343

This commit is contained in:
Sébastien NOBILI 2020-03-02 17:08:19 +01:00
parent 810f0f6c96
commit cc2ded54e1
3 changed files with 102 additions and 13 deletions

View file

@ -1,6 +1,7 @@
<?php
namespace Shaarli\Security;
use Exception;
use Shaarli\Config\ConfigManager;
/**
@ -139,26 +140,71 @@ class LoginManager
*/
public function checkCredentials($remoteIp, $clientIpId, $login, $password)
{
$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
if ($login != $this->configManager->get('credentials.login')
|| $hash != $this->configManager->get('credentials.hash')
) {
logm(
$this->configManager->get('resource.log'),
$remoteIp,
'Login failed for user ' . $login
);
// Check login matches config
if ($login != $this->configManager->get('credentials.login')) {
return false;
}
$this->sessionManager->storeLoginInfo($clientIpId);
// Check credentials
try {
if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
|| ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
$this->sessionManager->storeLoginInfo($clientIpId);
logm(
$this->configManager->get('resource.log'),
$remoteIp,
'Login successful'
);
return true;
}
}
catch(Exception $exception) {
logm(
$this->configManager->get('resource.log'),
$remoteIp,
'Exception while checking credentials: ' . $exception
);
}
logm(
$this->configManager->get('resource.log'),
$remoteIp,
'Login successful'
'Login failed for user ' . $login
);
return true;
return false;
}
/**
* Check user credentials from local config
*
* @param string $login Username
* @param string $password Password
*
* @return bool true if the provided credentials are valid, false otherwise
*/
public function checkCredentialsFromLocalConfig($login, $password) {
$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
return $login == $this->configManager->get('credentials.login')
&& $hash == $this->configManager->get('credentials.hash');
}
/**
* Check user credentials are valid through LDAP bind
*
* @param string $remoteIp Remote client IP address
* @param string $clientIpId Client IP address identifier
* @param string $login Username
* @param string $password Password
*
* @return bool true if the provided credentials are valid, false otherwise
*/
public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
{
$connect = $connect ?? function($host) { return ldap_connect($host); };
$bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
}
/**

View file

@ -122,6 +122,11 @@ Must be an associative array: `translation domain => translation path`.
- **enable_thumbnails**: Enable or disable thumbnail display.
- **enable_localcache**: Enable or disable local cache.
### LDAP
- **host**: LDAP host used for user authentication
- **dn**: user DN template (`sprintf` format, `%s` being replaced by user login)
## Configuration file example
```json
@ -223,6 +228,10 @@ Must be an associative array: `translation domain => translation path`.
"extensions": {
"demo": "plugins/demo_plugin/languages/"
}
},
"ldap": {
"host": "ldap://localhost",
"dn": "uid=%s,ou=people,dc=example,dc=org"
}
} ?>
```

View file

@ -78,6 +78,7 @@ class LoginManagerTest extends TestCase
'security.ban_after' => 2,
'security.ban_duration' => 3600,
'security.trusted_proxies' => [$this->trustedProxy],
'ldap.host' => '',
]);
$this->cookie = [];
@ -296,4 +297,37 @@ class LoginManagerTest extends TestCase
$this->loginManager->checkCredentials('', '', $this->login, $this->password)
);
}
/**
* Check user credentials through LDAP - server unreachable
*/
public function testCheckCredentialsFromUnreachableLdap()
{
$this->configManager->set('ldap.host', 'dummy');
$this->assertFalse(
$this->loginManager->checkCredentials('', '', $this->login, $this->password)
);
}
/**
* Check user credentials through LDAP - wrong login and password supplied
*/
public function testCheckCredentialsFromLdapWrongLoginAndPassword()
{
$this->coddnfigManager->set('ldap.host', 'dummy');
$this->assertFalse(
$this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return false; })
);
}
/**
* Check user credentials through LDAP - correct login and password supplied
*/
public function testCheckCredentialsFromLdapGoodLoginAndPassword()
{
$this->configManager->set('ldap.host', 'dummy');
$this->assertTrue(
$this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return true; })
);
}
}