AS1024
/
Kanboard-Prod
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add generic LDAP client library

This commit is contained in:
Frederic Guillot 2015-11-27 09:15:12 -05:00
parent f837e70a2d
commit 2451706316
9 changed files with 800 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -4,6 +4,7 @@ Version 1.0.22 (unreleased)
New features:
* User groups (Teams)
* Add generic LDAP client library
* Pluggable authentication and authorization system (Work in progress)
* Add new project role Viewer (Work in progress)
* Assign project permissions to a group (Work in progress)

84
app/Core/Ldap/Client.php Normal file
View File

@ -0,0 +1,84 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP Client
*
* @package ldap
* @author Frederic Guillot
*/
class Client
{
/**
* Get server connection
*
* @access public
* @param string $server LDAP server hostname or IP
* @param integer $port LDAP port
* @param boolean $tls Start TLS
* @param boolean $verify Skip SSL certificate verification
* @return resource
*/
public function getConnection($server, $port = LDAP_PORT, $tls = LDAP_START_TLS, $verify = LDAP_SSL_VERIFY)
{
if (! function_exists('ldap_connect')) {
throw new ClientException('LDAP: The PHP LDAP extension is required');
}
if (! $verify) {
putenv('LDAPTLS_REQCERT=never');
}
$ldap = ldap_connect($server, $port);
if ($ldap === false) {
throw new ClientException('LDAP: Unable to connect to the LDAP server');
}
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 1);
ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 1);
if ($tls && ! @ldap_start_tls($ldap)) {
throw new ClientException('LDAP: Unable to start TLS');
}
return $ldap;
}
/**
* Anonymous authentication
*
* @access public
* @param resource $ldap
* @return boolean
*/
public function useAnonymousAuthentication($ldap)
{
if (! ldap_bind($ldap)) {
throw new ClientException('Unable to perform anonymous binding');
}
return true;
}
/**
* Authentication with username/password
*
* @access public
* @param resource $ldap
* @param string $username
* @param string $password
* @return boolean
*/
public function authenticate($ldap, $username, $password)
{
if (! ldap_bind($ldap, $username, $password)) {
throw new ClientException('Unable to perform anonymous binding');
}
return true;
}
}

15
app/Core/Ldap/ClientException.php Normal file
View File

@ -0,0 +1,15 @@
<?php
namespace Kanboard\Core\Ldap;
use Exception;
/**
* LDAP Client Exception
*
* @package ldap
* @author Frederic Guillot
*/
class ClientException extends Exception
{
}

95
app/Core/Ldap/Query.php Normal file
View File

@ -0,0 +1,95 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP Query
*
* @package ldap
* @author Frederic Guillot
*/
class Query
{
/**
* Query result
*
* @access private
* @var array
*/
private $entries = array();
/**
* Constructor
*
* @access public
* @param array $entries
*/
public function __construct(array $entries = array())
{
$this->entries = $entries;
}
/**
* Execute query
*
* @access public
* @param resource $ldap
* @param string $baseDn
* @param string $filter
* @param array $attributes
* @return Query
*/
public function execute($ldap, $baseDn, $filter, array $attributes)
{
$sr = ldap_search($ldap, $baseDn, $filter, $attributes);
if ($sr === false) {
return $this;
}
$entries = ldap_get_entries($ldap, $sr);
if ($entries === false || count($entries) === 0 || $entries['count'] == 0) {
return $this;
}
$this->entries = $entries;
return $this;
}
/**
* Return true if the query returned a result
*
* @access public
* @return boolean
*/
public function hasResult()
{
return ! empty($this->entries);
}
/**
* Return subset of entries
*
* @access public
* @param string $key
* @param mixed $default
* @return array
*/
public function getAttribute($key, $default = null)
{
return isset($this->entries[0][$key]) ? $this->entries[0][$key] : $default;
}
/**
* Return one entry from a list of entries
*
* @access public
* @param string $key Key
* @param string $default Default value if key not set in entry
* @return string
*/
public function getAttributeValue($key, $default = '')
{
return isset($this->entries[0][$key][0]) ? $this->entries[0][$key][0] : $default;
}
}

178
app/Core/Ldap/User.php Normal file
View File

@ -0,0 +1,178 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP User
*
* @package ldap
* @author Frederic Guillot
*/
class User
{
/**
* Query
*
* @access private
* @var Query
*/
private $query;
/**
* Constructor
*
* @access public
* @param Query $query
*/
public function __construct(Query $query = null)
{
$this->query = $query ?: new Query;
}
/**
* Get user profile
*
* @access public
* @param resource $ldap
* @param string $baseDn
* @param string $query
* @return array
*/
public function getProfile($ldap, $baseDn, $query)
{
$this->query->execute($ldap, $baseDn, $query, $this->getAttributes());
$profile = array();
if ($this->query->hasResult()) {
$profile = $this->prepareProfile();
}
return $profile;
}
/**
* Build user profile
*
* @access private
* @return boolean|array
*/
private function prepareProfile()
{
return array(
'ldap_id' => $this->query->getAttribute('dn', ''),
'username' => $this->query->getAttributeValue($this->getAttributeUsername()),
'name' => $this->query->getAttributeValue($this->getAttributeName()),
'email' => $this->query->getAttributeValue($this->getAttributeEmail()),
'is_admin' => (int) $this->isMemberOf($this->query->getAttribute($this->getAttributeGroup(), array()), $this->getGroupAdminDn()),
'is_project_admin' => (int) $this->isMemberOf($this->query->getAttribute($this->getAttributeGroup(), array()), $this->getGroupProjectAdminDn()),
'is_ldap_user' => 1,
);
}
/**
* Check group membership
*
* @access public
* @param array $group_entries
* @param string $group_dn
* @return boolean
*/
public function isMemberOf(array $group_entries, $group_dn)
{
if (! isset($group_entries['count']) || empty($group_dn)) {
return false;
}
for ($i = 0; $i < $group_entries['count']; $i++) {
if ($group_entries[$i] === $group_dn) {
return true;
}
}
return false;
}
/**
* Ge the list of attributes to fetch when reading the LDAP user entry
*
* Must returns array with index that start at 0 otherwise ldap_search returns a warning "Array initialization wrong"
*
* @access public
* @return array
*/
public function getAttributes()
{
return array_values(array_filter(array(
$this->getAttributeUsername(),
$this->getAttributeName(),
$this->getAttributeEmail(),
$this->getAttributeGroup(),
)));
}
/**
* Get LDAP account id attribute
*
* @access public
* @return string
*/
public function getAttributeUsername()
{
return LDAP_ACCOUNT_ID;
}
/**
* Get LDAP account email attribute
*
* @access public
* @return string
*/
public function getAttributeEmail()
{
return LDAP_ACCOUNT_EMAIL;
}
/**
* Get LDAP account name attribute
*
* @access public
* @return string
*/
public function getAttributeName()
{
return LDAP_ACCOUNT_FULLNAME;
}
/**
* Get LDAP account memberof attribute
*
* @access public
* @return string
*/
public function getAttributeGroup()
{
return LDAP_ACCOUNT_MEMBEROF;
}
/**
* Get LDAP admin group DN
*
* @access public
* @return string
*/
public function getGroupAdminDn()
{
return LDAP_GROUP_ADMIN_DN;
}
/**
* Get LDAP project admin group DN
*
* @access public
* @return string
*/
public function getGroupProjectAdminDn()
{
return LDAP_GROUP_PROJECT_ADMIN_DN;
}
}

13
config.default.php
View File

@ -32,19 +32,6 @@ define('MAIL_SMTP_ENCRYPTION', null); // Valid values are "null", "ssl" or "tls"
// Sendmail command to use when the transport is "sendmail"
define('MAIL_SENDMAIL_COMMAND', '/usr/sbin/sendmail -bs');
// Postmark API token (used to send emails through their API)
define('POSTMARK_API_TOKEN', '');
// Mailgun API key (used to send emails through their API)
define('MAILGUN_API_TOKEN', '');
// Mailgun domain name
define('MAILGUN_DOMAIN', '');
// Sendgrid API configuration
define('SENDGRID_API_USER', '');
define('SENDGRID_API_KEY', '');
// Database driver: sqlite, mysql or postgres (sqlite by default)
define('DB_DRIVER', 'sqlite');

195
tests/units/Core/Ldap/ClientTest.php Normal file
View File

@ -0,0 +1,195 @@
<?php
namespace Kanboard\Core\Ldap;
require_once __DIR__.'/../../Base.php';
function ldap_connect($hostname, $port)
{
return ClientTest::$functions->ldap_connect($hostname, $port);
}
function ldap_set_option()
{
}
function ldap_bind($link_identifier, $bind_rdn = null, $bind_password = null)
{
return ClientTest::$functions->ldap_bind($link_identifier, $bind_rdn, $bind_password);
}
function ldap_start_tls($link_identifier)
{
return ClientTest::$functions->ldap_start_tls($link_identifier);
}
class ClientTest extends \Base
{
public static $functions;
private $ldap;
public function setUp()
{
parent::setup();
self::$functions = $this
->getMockBuilder('stdClass')
->setMethods(array(
'ldap_connect',
'ldap_set_option',
'ldap_bind',
'ldap_start_tls',
))
->getMock();
}
public function tearDown()
{
parent::tearDown();
self::$functions = null;
}
public function testConnectSuccess()
{
self::$functions
->expects($this->once())
->method('ldap_connect')
->with(
$this->equalTo('my_ldap_server'),
$this->equalTo(389)
)
->will($this->returnValue('my_ldap_resource'));
$ldap = new Client;
$this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
}
public function testConnectFailure()
{
self::$functions
->expects($this->once())
->method('ldap_connect')
->with(
$this->equalTo('my_ldap_server'),
$this->equalTo(389)
)
->will($this->returnValue(false));
$this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
$ldap = new Client;
$this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server'));
}
public function testConnectSuccessWithTLS()
{
self::$functions
->expects($this->once())
->method('ldap_connect')
->with(
$this->equalTo('my_ldap_server'),
$this->equalTo(389)
)
->will($this->returnValue('my_ldap_resource'));
self::$functions
->expects($this->once())
->method('ldap_start_tls')
->with(
$this->equalTo('my_ldap_resource')
)
->will($this->returnValue(true));
$ldap = new Client;
$this->assertEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
}
public function testConnectFailureWithTLS()
{
self::$functions
->expects($this->once())
->method('ldap_connect')
->with(
$this->equalTo('my_ldap_server'),
$this->equalTo(389)
)
->will($this->returnValue('my_ldap_resource'));
self::$functions
->expects($this->once())
->method('ldap_start_tls')
->with(
$this->equalTo('my_ldap_resource')
)
->will($this->returnValue(false));
$this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
$ldap = new Client;
$this->assertNotEquals('my_ldap_resource', $ldap->getConnection('my_ldap_server', 389, true));
}
public function testAnonymousAuthenticationSuccess()
{
self::$functions
->expects($this->once())
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_resource')
)
->will($this->returnValue(true));
$ldap = new Client;
$this->assertTrue($ldap->useAnonymousAuthentication('my_ldap_resource'));
}
public function testAnonymousAuthenticationFailure()
{
self::$functions
->expects($this->once())
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_resource')
)
->will($this->returnValue(false));
$this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
$ldap = new Client;
$ldap->useAnonymousAuthentication('my_ldap_resource');
}
public function testUserAuthenticationSuccess()
{
self::$functions
->expects($this->once())
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('my_ldap_user'),
$this->equalTo('my_ldap_password')
)
->will($this->returnValue(true));
$ldap = new Client;
$this->assertTrue($ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password'));
}
public function testUserAuthenticationFailure()
{
self::$functions
->expects($this->once())
->method('ldap_bind')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('my_ldap_user'),
$this->equalTo('my_ldap_password')
)
->will($this->returnValue(false));
$this->setExpectedException('\Kanboard\Core\Ldap\ClientException');
$ldap = new Client;
$ldap->authenticate('my_ldap_resource', 'my_ldap_user', 'my_ldap_password');
}
}

137
tests/units/Core/Ldap/QueryTest.php Normal file
View File

@ -0,0 +1,137 @@
<?php
namespace Kanboard\Core\Ldap;
require_once __DIR__.'/../../Base.php';
function ldap_search($link_identifier, $base_dn, $filter, array $attributes)
{
return QueryTest::$functions->ldap_search($link_identifier, $base_dn, $filter, $attributes);
}
function ldap_get_entries($link_identifier, $result_identifier)
{
return QueryTest::$functions->ldap_get_entries($link_identifier, $result_identifier);
}
class QueryTest extends \Base
{
public static $functions;
public function setUp()
{
parent::setup();
self::$functions = $this
->getMockBuilder('stdClass')
->setMethods(array(
'ldap_search',
'ldap_get_entries',
))
->getMock();
}
public function tearDown()
{
parent::tearDown();
self::$functions = null;
}
public function testExecuteQuerySuccessfully()
{
$entries = array(
'count' => 1,
0 => array(
'count' => 2,
'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
'displayname' => array(
'count' => 1,
0 => 'My user',
),
'mail' => array(
'count' => 2,
0 => 'user1@localhost',
1 => 'user2@localhost',
),
0 => 'displayname',
1 => 'mail',
)
);
self::$functions
->expects($this->once())
->method('ldap_search')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array('displayname'))
)
->will($this->returnValue('search_resource'));
self::$functions
->expects($this->once())
->method('ldap_get_entries')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('search_resource')
)
->will($this->returnValue($entries));
$query = new Query;
$query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
$this->assertTrue($query->hasResult());
$this->assertEquals('My user', $query->getAttributeValue('displayname'));
$this->assertEquals('user1@localhost', $query->getAttributeValue('mail'));
$this->assertEquals('', $query->getAttributeValue('not_found'));
$this->assertEquals('uid=my_user,ou=People,dc=kanboard,dc=local', $query->getAttribute('dn'));
$this->assertEquals(null, $query->getAttribute('missing'));
}
public function testExecuteQueryNotFound()
{
self::$functions
->expects($this->once())
->method('ldap_search')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array('displayname'))
)
->will($this->returnValue('search_resource'));
self::$functions
->expects($this->once())
->method('ldap_get_entries')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('search_resource')
)
->will($this->returnValue(array()));
$query = new Query;
$query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
$this->assertFalse($query->hasResult());
}
public function testExecuteQueryFailed()
{
self::$functions
->expects($this->once())
->method('ldap_search')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('uid=my_user'),
$this->equalTo(array('displayname'))
)
->will($this->returnValue(false));
$query = new Query;
$query->execute('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', 'uid=my_user', array('displayname'));
$this->assertFalse($query->hasResult());
}
}

95
tests/units/Core/Ldap/UserTest.php Normal file
View File

@ -0,0 +1,95 @@
<?php
require_once __DIR__.'/../../Base.php';
use Kanboard\Core\Ldap\User;
class UserTest extends Base
{
public function testGetProfile()
{
$entries = array(
'count' => 1,
0 => array(
'count' => 2,
'dn' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
'displayname' => array(
'count' => 1,
0 => 'My LDAP user',
),
'mail' => array(
'count' => 2,
0 => 'user1@localhost',
1 => 'user2@localhost',
),
'samaccountname' => array(
'count' => 1,
0 => 'my_ldap_user',
),
0 => 'displayname',
1 => 'mail',
2 => 'samaccountname',
)
);
$expected = array(
'ldap_id' => 'uid=my_user,ou=People,dc=kanboard,dc=local',
'username' => 'my_ldap_user',
'name' => 'My LDAP user',
'email' => 'user1@localhost',
'is_admin' => 0,
'is_project_admin' => 0,
'is_ldap_user' => 1,
);
$query = $this
->getMockBuilder('\Kanboard\Core\Ldap\Query')
->setConstructorArgs(array($entries))
->setMethods(array(
'execute',
'hasResult',
))
->getMock();
$query
->expects($this->once())
->method('execute')
->with(
$this->equalTo('my_ldap_resource'),
$this->equalTo('ou=People,dc=kanboard,dc=local'),
$this->equalTo('(uid=my_user)')
);
$query
->expects($this->once())
->method('hasResult')
->will($this->returnValue(true));
$user = $this
->getMockBuilder('\Kanboard\Core\Ldap\User')
->setConstructorArgs(array($query))
->setMethods(array(
'getAttributeUsername',
'getAttributeEmail',
'getAttributeName',
))
->getMock();
$user
->expects($this->any())
->method('getAttributeUsername')
->will($this->returnValue('samaccountname'));
$user
->expects($this->any())
->method('getAttributeName')
->will($this->returnValue('displayname'));
$user
->expects($this->any())
->method('getAttributeEmail')
->will($this->returnValue('mail'));
$this->assertEquals($expected, $user->getProfile('my_ldap_resource', 'ou=People,dc=kanboard,dc=local', '(uid=my_user)'));
}
}