<?php
namespace Shaarli\Security;
+use Exception;
use Shaarli\Config\ConfigManager;
/**
*/
public function checkCredentials($remoteIp, $clientIpId, $login, $password)
{
- $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+ // Check login matches config
+ if ($login != $this->configManager->get('credentials.login')) {
+ return false;
+ }
- if ($login != $this->configManager->get('credentials.login')
- || $hash != $this->configManager->get('credentials.hash')
- ) {
+ // Check credentials
+ try {
+ if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
+ || ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
+ $this->sessionManager->storeLoginInfo($clientIpId);
+ logm(
+ $this->configManager->get('resource.log'),
+ $remoteIp,
+ 'Login successful'
+ );
+ return true;
+ }
+ }
+ catch(Exception $exception) {
logm(
$this->configManager->get('resource.log'),
$remoteIp,
- 'Login failed for user ' . $login
+ 'Exception while checking credentials: ' . $exception
);
- return false;
}
- $this->sessionManager->storeLoginInfo($clientIpId);
logm(
$this->configManager->get('resource.log'),
$remoteIp,
- 'Login successful'
+ 'Login failed for user ' . $login
);
- return true;
+ return false;
+ }
+
+
+ /**
+ * Check user credentials from local config
+ *
+ * @param string $login Username
+ * @param string $password Password
+ *
+ * @return bool true if the provided credentials are valid, false otherwise
+ */
+ public function checkCredentialsFromLocalConfig($login, $password) {
+ $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+
+ return $login == $this->configManager->get('credentials.login')
+ && $hash == $this->configManager->get('credentials.hash');
+ }
+
+ /**
+ * Check user credentials are valid through LDAP bind
+ *
+ * @param string $remoteIp Remote client IP address
+ * @param string $clientIpId Client IP address identifier
+ * @param string $login Username
+ * @param string $password Password
+ *
+ * @return bool true if the provided credentials are valid, false otherwise
+ */
+ public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
+ {
+ $connect = $connect ?? function($host) { return ldap_connect($host); };
+ $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
+ return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
}
/**
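Review bot: `checkCredentialsFromLdap` hands `$password` straight to `ldap_bind()`, and many directory servers (per the RFC 4513 "unauthenticated bind") accept an empty password as an anonymous bind that succeeds, so the method should return false for an empty password before connecting; `$login` is also interpolated into the DN with `sprintf` without `ldap_escape($login, '', LDAP_ESCAPE_DN)`. In `checkCredentialsFromLocalConfig` the hash check uses `==`, which is timing-variable and subject to numeric-string juggling — compare with `hash_equals((string) $this->configManager->get('credentials.hash'), $hash)` and use `===` for the login. The catch block logs `'Exception while checking credentials: ' . $exception`, and the string form of an exception carries a stack trace whose frames can include the `$password` argument of these methods, so log `$exception->getMessage()` instead. The docblock of `checkCredentialsFromLdap` documents `$remoteIp` and `$clientIpId`, which the method does not take, and omits the injectable `$connect`/`$bind` callables. The rewritten lines are below.
```php
// … unchanged: checkCredentialsFromLocalConfig up to the $hash computation …
        return $login === $this->configManager->get('credentials.login')
            && hash_equals((string) $this->configManager->get('credentials.hash'), $hash);

    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
    {
        // An empty password must never reach ldap_bind(): it would be an anonymous/unauthenticated bind.
        if ($password === null || $password === '') {
            return false;
        }
        $connect = $connect ?? function($host) { return ldap_connect($host); };
        $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
        // Escape the login before it becomes part of the DN template.
        $dn = sprintf($this->configManager->get('ldap.dn'), ldap_escape($login, '', LDAP_ESCAPE_DN));
        return $bind($connect($this->configManager->get('ldap.host')), $dn, $password);
    }
```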
- **enable_thumbnails**: Enable or disable thumbnail display.
- **enable_localcache**: Enable or disable local cache.
+### LDAP
+
+- **host**: LDAP host used for user authentication
+- **dn**: user DN template (`sprintf` format, `%s` being replaced by user login)
+
## Configuration file example
```json
"extensions": {
"demo": "plugins/demo_plugin/languages/"
}
+ },
+ "ldap": {
+ "host": "ldap://localhost",
+ "dn": "uid=%s,ou=people,dc=example,dc=org"
}
} ?>
```
'security.ban_after' => 2,
'security.ban_duration' => 3600,
'security.trusted_proxies' => [$this->trustedProxy],
+ 'ldap.host' => '',
]);
$this->cookie = [];
$this->loginManager->checkCredentials('', '', $this->login, $this->password)
);
}
+
+ /**
+ * Check user credentials through LDAP - server unreachable
+ */
+ public function testCheckCredentialsFromUnreachableLdap()
+ {
+ $this->configManager->set('ldap.host', 'dummy');
+ $this->assertFalse(
+ $this->loginManager->checkCredentials('', '', $this->login, $this->password)
+ );
+ }
+
+ /**
+ * Check user credentials through LDAP - wrong login and password supplied
+ */
+ public function testCheckCredentialsFromLdapWrongLoginAndPassword()
+ {
+ $this->coddnfigManager->set('ldap.host', 'dummy');
+ $this->assertFalse(
+ $this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return false; })
+ );
+ }
+
+ /**
+ * Check user credentials through LDAP - correct login and password supplied
+ */
+ public function testCheckCredentialsFromLdapGoodLoginAndPassword()
+ {
+ $this->configManager->set('ldap.host', 'dummy');
+ $this->assertTrue(
+ $this->loginManager->checkCredentialsFromLdap($this->login, $this->password, function() { return null; }, function() { return true; })
+ );
+ }
}
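Review bot: `testCheckCredentialsFromLdapWrongLoginAndPassword` references `$this->coddnfigManager`, an undefined property, so the test errors before reaching its assertion; the line should read `$this->configManager->set('ldap.host', 'dummy');`. In the two tests that call `checkCredentialsFromLdap` directly, setting `ldap.host` has no effect, because the method only reads it to pass to the `$connect` callable that the test replaces, so those lines can be dropped. The unreachable-host case appears to rely on `ldap_bind()` emitting a warning that the test runner turns into an exception for `checkCredentials` to catch, which deserves a comment such as `// ldap_bind() on an unreachable host warns; the runner converts it to an Exception that checkCredentials catches`. A case with an empty password, expecting false from `checkCredentials` while `ldap.host` is set, would also be worth adding. The enclosing test class starts outside the hunk.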