PhabricatorLDAPProvider.php
No OneTemporary
Actions

Subscribers

None

File Metadata

Created: Sat, May 24, 23:13

PhabricatorLDAPProvider.php
View Options

	<?php

	final class PhabricatorLDAPProvider {
	// http://www.php.net/manual/en/function.ldap-errno.php#20665 states
	// that the number could be 31 or 49, in testing it has always been 49
	const LDAP_INVALID_CREDENTIALS = 49;

	private $userData;
	private $connection;

	public function __construct() {

	}

	public function __destruct() {
	if (isset($this->connection)) {
	ldap_unbind($this->connection);
	}
	}

	public function isProviderEnabled() {
	return PhabricatorEnv::getEnvConfig('ldap.auth-enabled');
	}

	public function getHostname() {
	return PhabricatorEnv::getEnvConfig('ldap.hostname');
	}

	public function getPort() {
	return PhabricatorEnv::getEnvConfig('ldap.port');
	}

	public function getBaseDN() {
	return PhabricatorEnv::getEnvConfig('ldap.base_dn');
	}

	public function getSearchAttribute() {
	return PhabricatorEnv::getEnvConfig('ldap.search_attribute');
	}

	public function getUsernameAttribute() {
	return PhabricatorEnv::getEnvConfig('ldap.username-attribute');
	}

	public function getLDAPVersion() {
	return PhabricatorEnv::getEnvConfig('ldap.version');
	}

	public function getLDAPReferrals() {
	return PhabricatorEnv::getEnvConfig('ldap.referrals');
	}

	public function getLDAPStartTLS() {
	return PhabricatorEnv::getEnvConfig('ldap.start-tls');
	}

	public function bindAnonymousUserEnabled() {
	return strlen(trim($this->getAnonymousUserName())) > 0;
	}

	public function getAnonymousUserName() {
	return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name');
	}

	public function getAnonymousUserPassword() {
	return PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password');
	}

	public function retrieveUserEmail() {
	return $this->userData['mail'][0];
	}

	public function retrieveUserRealName() {
	return $this->retrieveUserRealNameFromData($this->userData);
	}

	public function retrieveUserRealNameFromData($data) {
	$name_attributes = PhabricatorEnv::getEnvConfig(
	'ldap.real_name_attributes');

	$real_name = '';
	if (is_array($name_attributes)) {
	foreach ($name_attributes AS $attribute) {
	if (isset($data[$attribute][0])) {
	$real_name .= $data[$attribute][0].' ';
	}
	}

	trim($real_name);
	} else if (isset($data[$name_attributes][0])) {
	$real_name = $data[$name_attributes][0];
	}

	if ($real_name == '') {
	return null;
	}

	return $real_name;
	}

	public function retrieveUsername() {
	$key = nonempty(
	$this->getUsernameAttribute(),
	$this->getSearchAttribute());
	return $this->userData[$key][0];
	}

	public function getConnection() {
	if (!isset($this->connection)) {
	$this->connection = ldap_connect($this->getHostname(), $this->getPort());

	if (!$this->connection) {
	throw new Exception('Could not connect to LDAP host at '.
	$this->getHostname().':'.$this->getPort());
	}

	ldap_set_option($this->connection, LDAP_OPT_PROTOCOL_VERSION,
	$this->getLDAPVersion());
	ldap_set_option($this->connection, LDAP_OPT_REFERRALS,
	$this->getLDAPReferrals());

	if ($this->getLDAPStartTLS()) {
	if (!ldap_start_tls($this->getConnection())) {
	throw new Exception('Unabled to initialize STARTTLS for LDAP host at '.
	$this->getHostname().':'.$this->getPort());
	}
	}
	}

	return $this->connection;
	}

	public function getUserData() {
	return $this->userData;
	}

	private function invalidLDAPUserErrorMessage($errno, $errmsg) {
	return "LDAP Error #".$errno.": ".$errmsg;
	}

	public function auth($username, PhutilOpaqueEnvelope $password) {
	if (strlen(trim($username)) == 0) {
	throw new Exception('Username can not be empty');
	}

	if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
	// To protect against people phishing for accounts we catch the
	// exception and present the default exception that would be presented
	// in the case of a failed bind.
	try {
	$user = $this->getUser($this->getUsernameAttribute(), $username);
	$username = $user[$this->getSearchAttribute()][0];
	} catch (PhabricatorLDAPUnknownUserException $e) {
	throw new Exception(
	$this->invalidLDAPUserErrorMessage(
	self::LDAP_INVALID_CREDENTIALS,
	ldap_err2str(self::LDAP_INVALID_CREDENTIALS)));
	}
	}

	$conn = $this->getConnection();

	$activeDirectoryDomain =
	PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain');

	if ($activeDirectoryDomain) {
	$dn = $username.'@'.$activeDirectoryDomain;
	} else {
	if (isset($user)) {
	$dn = $user['dn'];
	} else {
	$dn = ldap_sprintf(
	'%Q=%s,%Q',
	$this->getSearchAttribute(),
	$username,
	$this->getBaseDN());
	}
	}

	// NOTE: It is very important we suppress any messages that occur here,
	// because it logs passwords if it reaches an error log of any sort.
	DarkConsoleErrorLogPluginAPI::enableDiscardMode();
	$result = @ldap_bind($conn, $dn, $password->openEnvelope());
	DarkConsoleErrorLogPluginAPI::disableDiscardMode();

	if (!$result) {
	throw new Exception(
	$this->invalidLDAPUserErrorMessage(
	ldap_errno($conn),
	ldap_error($conn)));
	}

	$this->userData = $this->getUser($this->getSearchAttribute(), $username);
	return $this->userData;
	}

	private function getUser($attribute, $username) {
	$conn = $this->getConnection();

	if ($this->bindAnonymousUserEnabled()) {
	// NOTE: It is very important we suppress any messages that occur here,
	// because it logs passwords if it reaches an error log of any sort.
	DarkConsoleErrorLogPluginAPI::enableDiscardMode();
	$result = ldap_bind(
	$conn,
	$this->getAnonymousUserName(),
	$this->getAnonymousUserPassword());
	DarkConsoleErrorLogPluginAPI::disableDiscardMode();

	if (!$result) {
	throw new Exception('Bind anonymous account failed. '.
	$this->invalidLDAPUserErrorMessage(
	ldap_errno($conn),
	ldap_error($conn)));
	}
	}

	$query = ldap_sprintf(
	'%Q=%S',
	$attribute,
	$username);

	$result = ldap_search($conn, $this->getBaseDN(), $query);

	if (!$result) {
	throw new Exception('Search failed. '.
	$this->invalidLDAPUserErrorMessage(
	ldap_errno($conn),
	ldap_error($conn)));
	}

	$entries = ldap_get_entries($conn, $result);

	if ($entries === false) {
	throw new Exception('Could not get entries');
	}

	if ($entries['count'] > 1) {
	throw new Exception('Found more then one user with this '.
	$attribute);
	}

	if ($entries['count'] == 0) {
	throw new PhabricatorLDAPUnknownUserException('Could not find user');
	}

	return $entries[0];
	}

	public function search($query) {
	$result = ldap_search($this->getConnection(), $this->getBaseDN(),
	$query);

	if (!$result) {
	throw new Exception('Search failed. Please check your LDAP and HTTP '.
	'logs for more information.');
	}

	$entries = ldap_get_entries($this->getConnection(), $result);

	if ($entries === false) {
	throw new Exception('Could not get entries');
	}

	if ($entries['count'] == 0) {
	throw new Exception('No results found');
	}


	$rows = array();

	for ($i = 0; $i < $entries['count']; $i++) {
	$row = array();
	$entry = $entries[$i];

	// Get username, email and realname
	$username = $entry[$this->getSearchAttribute()][0];
	if (empty($username)) {
	continue;
	}
	$row[] = $username;
	$row[] = $entry['mail'][0];
	$row[] = $this->retrieveUserRealNameFromData($entry);


	$rows[] = $row;
	}

	return $rows;

	}
	}

PhabricatorLDAPProvider.phpNo OneTemporaryActions

File Metadata

PhabricatorLDAPProvider.phpView Options

Event Timeline

PhabricatorLDAPProvider.php
No OneTemporary
Actions

PhabricatorLDAPProvider.php
View Options