deblan/php-censor
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fixed LDAP authentication + unified app config options: authenticate_settings, security and ldap

Browse source
This commit is contained in:
Dmitry Khomutov 2017-01-22 18:05:24 +07:00
commit f3bdeb2493
No known key found for this signature in database
GPG key ID: 7EB36C9576F9ECB9
17 changed files with 105 additions and 245 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/PHPCensor/Application.php
View file

@ -158,13 +158,13 @@ class Application extends b8\Application
*/
protected function shouldSkipAuth()
{
$config = b8\Config::getInstance();
$state = (bool)$config->get('php-censor.authentication_settings.state', false);
$userId = $config->get('php-censor.authentication_settings.user_id', 0);
$config = b8\Config::getInstance();
$disableAuth = (bool)$config->get('php-censor.security.disable_auth', false);
$defaultUserId = (integer)$config->get('php-censor.security.default_user_id', 1);
if (false !== $state && 0 != (int)$userId) {
if ($disableAuth && $defaultUserId) {
$user = b8\Store\Factory::getStore('User')
->getByPrimaryKey($userId);
->getByPrimaryKey($defaultUserId);
if ($user) {
$_SESSION['php-censor-user'] = $user;

87
src/PHPCensor/Command/RegisterLdapUserCommand.php
View file

@ -1,87 +0,0 @@
<?php
/**
* PHPCI - Continuous Integration for PHP
*
* @copyright Copyright 2014, Block 8 Limited.
* @license https://github.com/Block8/PHPCI/blob/master/LICENSE.md
* @link https://www.phptesting.org/
*/
namespace PHPCensor\Command;
use PHPCensor\Helper\Lang;
use PHPCensor\Service\UserService;
use PHPCensor\Store\UserStore;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
/**
* Register user command - creates an user with provider (Adirelle pluggable-auth)
*
* @author Dmitrii Zolotov (@itherz)
* @package PHPCI
* @subpackage Console
*/
class RegisterLdapUserCommand extends Command
{
/**
* @var UserStore
*/
protected $userStore;
/**
* @param UserStore $userStore
*/
public function __construct(UserStore $userStore)
{
parent::__construct();
$this->userStore = $userStore;
}
protected function configure()
{
$this
->setName('php-censor:register-ldap-user')
->setDescription(Lang::get('register_ldap_user'));
}
/**
* Creates an admin user in the existing PHPCI database
*
* {@inheritDoc}
*/
protected function execute(InputInterface $input, OutputInterface $output)
{
$userService = new UserService($this->userStore);
/** @var $dialog \Symfony\Component\Console\Helper\DialogHelper */
$dialog = $this->getHelperSet()->get('dialog');
// Function to validate mail address.
$mailValidator = function ($answer) {
if (!filter_var($answer, FILTER_VALIDATE_EMAIL)) {
throw new \InvalidArgumentException(Lang::get('must_be_valid_email'));
}
return $answer;
};
$email = $dialog->askAndValidate($output, Lang::get('enter_email'), $mailValidator, false);
$name = $dialog->ask($output, Lang::get('enter_name'));
$providerKey = "ldap";
$providerData = null;
$isAdmin = ($dialog->ask($output, Lang::get('enter_isadmin')));
$isAdmin = !empty($isAdmin);
$password = "";
try {
$userService->createUserWithProvider($name, $email, $password, $providerKey, $providerData, $isAdmin);
$output->writeln(Lang::get('user_created'));
} catch (\Exception $e) {
$output->writeln(sprintf('<error>%s</error>', Lang::get('failed_to_create')));
$output->writeln(sprintf('<error>%s</error>', $e->getMessage()));
}
}
}

87
src/PHPCensor/Command/RegisterUserCommand.php
View file

@ -1,87 +0,0 @@
<?php
/**
* PHPCI - Continuous Integration for PHP
*
* @copyright Copyright 2014, Block 8 Limited.
* @license https://github.com/Block8/PHPCI/blob/master/LICENSE.md
* @link https://www.phptesting.org/
*/
namespace PHPCensor\Command;
use PHPCensor\Helper\Lang;
use PHPCensor\Service\UserService;
use PHPCensor\Store\UserStore;
use Symfony\Component\Console\Command\Command;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
/**
* Register user command - creates an user with provider (Adirelle pluggable-auth)
* @author Dmitrii Zolotov (@itherz)
* @package PHPCI
* @subpackage Console
*/
class RegisterUserCommand extends Command
{
/**
* @var UserStore
*/
protected $userStore;
/**
* @param UserStore $userStore
*/
public function __construct(UserStore $userStore)
{
parent::__construct();
$this->userStore = $userStore;
}
protected function configure()
{
$this
->setName('php-censor:register-user')
->setDescription(Lang::get('register_user'));
}
/**
* Creates an admin user in the existing PHPCI database
*
* {@inheritDoc}
*/
protected function execute(InputInterface $input, OutputInterface $output)
{
$userService = new UserService($this->userStore);
/** @var $dialog \Symfony\Component\Console\Helper\DialogHelper */
$dialog = $this->getHelperSet()->get('dialog');
// Function to validate mail address.
$mailValidator = function ($answer) {
if (!filter_var($answer, FILTER_VALIDATE_EMAIL)) {
throw new \InvalidArgumentException(Lang::get('must_be_valid_email'));
}
return $answer;
};
$id = $dialog->ask($output, Lang::get('enter_id'));
$password = $dialog->askHiddenResponse($output, Lang::get('enter_password'));
$emailAddress = $dialog->askAndValidate($output, Lang::get('enter_email'), $mailValidator, false);
$providerKey = $dialog->ask($output, Lang::get('enter_providerkey'));
$providerData = $dialog->ask($output, Lang::get('enter_providerdata'));
$isAdmin = $dialog->ask($output, Lang::get('enter_isadmin'));
$isAdmin = !empty($isAdmin);
$name = $dialog->ask($output, Lang::get('enter_name'));
try {
$userService->createUserWithProvider($name, $emailAddress, $id, $password, $providerKey, $providerData, $isAdmin = false);
$output->writeln(Lang::get('user_created'));
} catch (\Exception $e) {
$output->writeln(sprintf('<error>%s</error>', Lang::get('failed_to_create')));
$output->writeln(sprintf('<error>%s</error>', $e->getMessage()));
}
}
}

9
src/PHPCensor/Controller/SessionController.php
View file

@ -42,8 +42,9 @@ class SessionController extends Controller
public function init()
{
$this->response->disableLayout();
$this->userStore = b8\Store\Factory::getStore('User');
$this->authentication = Service::getInstance();
$this->userStore = b8\Store\Factory::getStore('User');
$this->authentication = Service::getInstance();
}
/**
@ -60,8 +61,8 @@ class SessionController extends Controller
} else {
unset($_SESSION['login_token']);
$email = $this->getParam('email');
$password = $this->getParam('password', '');
$email = $this->getParam('email');
$password = $this->getParam('password', '');
$isLoginFailure = true;
$user = $this->userStore->getByEmailOrName($email);

29
src/PHPCensor/Controller/SettingsController.php
View file

@ -47,6 +47,7 @@ class SettingsController extends Controller
/**
* Display settings forms.
*
* @return string
*/
public function index()
@ -72,18 +73,18 @@ class SettingsController extends Controller
$emailSettings = $this->settings['php-censor']['email_settings'];
}
$authSettings = [];
if (isset($this->settings['php-censor']['authentication_settings'])) {
$authSettings = $this->settings['php-censor']['authentication_settings'];
$securitySettings = [];
if (isset($this->settings['php-censor']['security'])) {
$securitySettings = $this->settings['php-censor']['security'];
}
$this->view->configFile = APP_DIR . 'config.yml';
$this->view->basicSettings = $this->getBasicForm($basicSettings);
$this->view->buildSettings = $this->getBuildForm($buildSettings);
$this->view->github = $this->getGithubForm();
$this->view->emailSettings = $this->getEmailForm($emailSettings);
$this->view->authenticationSettings = $this->getAuthenticationForm($authSettings);
$this->view->isWriteable = $this->canWriteConfig();
$this->view->configFile = APP_DIR . 'config.yml';
$this->view->basicSettings = $this->getBasicForm($basicSettings);
$this->view->buildSettings = $this->getBuildForm($buildSettings);
$this->view->github = $this->getGithubForm();
$this->view->emailSettings = $this->getEmailForm($emailSettings);
$this->view->securitySettings = $this->getAuthenticationForm($securitySettings);
$this->view->isWriteable = $this->canWriteConfig();
if (!empty($this->settings['php-censor']['github']['token'])) {
$this->view->githubUser = $this->getGithubUser($this->settings['php-censor']['github']['token']);
@ -187,8 +188,8 @@ class SettingsController extends Controller
{
$this->requireAdmin();
$this->settings['php-censor']['authentication_settings']['state'] = $this->getParam('disable_authentication', 0);
$this->settings['php-censor']['authentication_settings']['user_id'] = $_SESSION['php-censor-user-id'];
$this->settings['php-censor']['security']['disable_auth'] = (boolean)$this->getParam('disable_authentication', false);
$this->settings['php-censor']['security']['default_user_id'] = (integer)$_SESSION['php-censor-user-id'];
$error = $this->storeSettings();
@ -479,8 +480,8 @@ class SettingsController extends Controller
$field->setContainerClass('form-group');
$field->setValue(0);
if (isset($values['state'])) {
$field->setValue((int)$values['state']);
if (isset($values['disable_auth'])) {
$field->setValue((integer)$values['disable_auth']);
}
$form->addField($field);

8
src/PHPCensor/Helper/LoginIsDisabled.php
View file

@ -21,17 +21,19 @@ class LoginIsDisabled
{
/**
* Checks if
*
* @param $method
* @param array $params
*
* @return mixed|null
*/
public function __call($method, $params = [])
{
unset($method, $params);
$config = Config::getInstance();
$state = (bool) $config->get('php-censor.authentication_settings.state', false);
$config = Config::getInstance();
$disableAuth = (boolean)$config->get('php-censor.security.disable_auth', false);
return (false !== $state);
return $disableAuth;
}
}

2
src/PHPCensor/Security/Authentication/LoginPasswordProvider.php → src/PHPCensor/Security/Authentication/LoginPasswordProviderInterface.php
View file

@ -17,7 +17,7 @@ use PHPCensor\Model\User;
*
* @author Adirelle <adirelle@gmail.com>
*/
interface LoginPasswordProvider extends UserProvider
interface LoginPasswordProviderInterface extends UserProviderInterface
{
/** Verify if the supplied password matches the user's one.
*

19
src/PHPCensor/Security/Authentication/Service.php
View file

@ -33,8 +33,12 @@ class Service
{
if (self::$instance === null) {
$config = Config::getInstance()->get(
'php-censor.security.authentication',
['internal' => ['type' => 'internal']]
'php-censor.security.auth_providers',
[
'internal' => [
'type' => 'internal'
]
]
);
$providers = [];
@ -49,9 +53,10 @@ class Service
/** Create a provider from a given configuration.
*
* @param string $key
* @param string $key
* @param string|array $config
* @return UserProvider
*
* @return UserProviderInterface
*/
public static function buildProvider($key, $config)
{
@ -80,7 +85,7 @@ class Service
/** Return all providers.
*
* @return UserProvider[]
* @return UserProviderInterface[]
*/
public function getProviders()
{
@ -89,13 +94,13 @@ class Service
/** Return the user providers that allows password authentication.
*
* @return LoginPasswordProvider[]
* @return LoginPasswordProviderInterface[]
*/
public function getLoginPasswordProviders()
{
$providers = [];
foreach ($this->providers as $key => $provider) {
if ($provider instanceof LoginPasswordProvider) {
if ($provider instanceof LoginPasswordProviderInterface) {
$providers[$key] = $provider;
}
}

4
src/PHPCensor/Security/Authentication/UserProvider/AbstractProvider.php
View file

@ -10,14 +10,14 @@
namespace PHPCensor\Security\Authentication\UserProvider;
use PHPCensor\Security\Authentication\UserProvider;
use PHPCensor\Security\Authentication\UserProviderInterface;
/**
* Abstract user provider.
*
* @author Adirelle <adirelle@gmail.com>
*/
abstract class AbstractProvider implements UserProvider
abstract class AbstractProvider implements UserProviderInterface
{
/**
* @var string

4
src/PHPCensor/Security/Authentication/UserProvider/Internal.php
View file

@ -11,14 +11,14 @@
namespace PHPCensor\Security\Authentication\UserProvider;
use PHPCensor\Model\User;
use PHPCensor\Security\Authentication\LoginPasswordProvider;
use PHPCensor\Security\Authentication\LoginPasswordProviderInterface;
/**
* Internal user provider
*
* @author Adirelle <adirelle@gmail.com>
*/
class Internal extends AbstractProvider implements LoginPasswordProvider
class Internal extends AbstractProvider implements LoginPasswordProviderInterface
{
public function verifyPassword(User $user, $password)

45
src/PHPCensor/Security/Authentication/UserProvider/Ldap.php
View file

@ -11,36 +11,44 @@
namespace PHPCensor\Security\Authentication\UserProvider;
use b8\Config;
use b8\Store\Factory;
use PHPCensor\Model\User;
use PHPCensor\Security\Authentication\LoginPasswordProvider;
use PHPCensor\Security\Authentication\LoginPasswordProviderInterface;
use PHPCensor\Service\UserService;
/**
* Ldap user provider.
*
* @author Dmitrii Zolotov (@itherz)
*/
class Ldap extends AbstractProvider implements LoginPasswordProvider
class Ldap extends AbstractProvider implements LoginPasswordProviderInterface
{
public function verifyPassword(User $user, $password)
{
$config = Config::getInstance()->get('php-censor.security.ldap', []);
$server = $config["server"];
$mailAttribute = $config["mailAttribute"];
$ldap = ldap_connect($server);
$providers = Config::getInstance()->get('php-censor.security.auth_providers', []);
if ($providers) {
foreach ($providers as $provider) {
if (isset($provider['type']) && 'ldap' === $provider['type']) {
$ldapData = $provider['data'];
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldap = ldap_connect($ldapData['host'], $ldapData['port']);
$ls = ldap_search($ldap, $config["base"], $mailAttribute . "=" . $user->getEmail());
$le = ldap_get_entries($ldap, $ls);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($le["count"] == 0) {
return false;
$ls = ldap_search($ldap, $ldapData['base_dn'], $ldapData['mail_attribute'] . '=' . $user->getEmail());
$le = ldap_get_entries($ldap, $ls);
if (!$le['count']) {
continue;
}
$dn = $le[0]['dn'];
return @ldap_bind($ldap, $dn, $password);
}
}
}
$dn = $le[0]["dn"];
return ldap_bind($ldap, $dn, $password);
return false;
}
public function checkRequirements()
@ -50,6 +58,11 @@ class Ldap extends AbstractProvider implements LoginPasswordProvider
public function provisionUser($identifier)
{
return null;
$userService = new UserService(Factory::getStore('User'));
$parts = explode("@", $identifier);
$username = $parts[0];
return $userService->createUserWithProvider($username, $identifier, 'ldap', null);
}
}

2
src/PHPCensor/Security/Authentication/UserProvider.php → src/PHPCensor/Security/Authentication/UserProviderInterface.php
View file

@ -17,7 +17,7 @@ use PHPCensor\Model\User;
*
* @author Adirelle <adirelle@gmail.com>
*/
interface UserProvider
interface UserProviderInterface
{
/** Check if all software requirements are met (libraries, extensions, ...)

6
src/PHPCensor/Service/UserService.php
View file

@ -59,17 +59,17 @@ class UserService
/**
* Create a new user within PHPCI (with provider).
*
* @param $name
* @param $emailAddress
* @param $id
* @param $password
* @param $providerKey
* @param $providerData
* @param bool $isAdmin
*
* @return \PHPCI\Model\User
*/
public function createUserWithProvider($name, $emailAddress, $id, $password, $providerKey, $providerData, $isAdmin = false)
public function createUserWithProvider($name, $emailAddress, $providerKey, $providerData, $isAdmin = false)
{
$user = new User();
$user->setName($name);

2
src/PHPCensor/View/Settings/index.phtml
View file

@ -126,7 +126,7 @@
Be careful: This setting disables authentication and uses your current admin account for all actions within PHP Censor with admin rights.
</p>
<?php print $authenticationSettings; ?>
<?php print $securitySettings; ?>
</div>
</div>