ldap authentication, fixes shaarli/Shaarli#1343

author: Sébastien NOBILI <code@pipoprods.org> 2020-03-02 17:08:19 +0100
committer: Sébastien NOBILI <code@pipoprods.org> 2020-03-02 17:13:18 +0100
commit: cc2ded54e12e3f3140b895067af086cd71cc5dc6 (patch)
tree: 5e95c4b5b6d7eadef25cbb503167e8f89608162d /application/security/LoginManager.php
parent: 810f0f6c96b6d26e22164027185c5996b425816c (diff)
download: Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.gz
Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.zst
Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.zip
1 files changed, 55 insertions, 9 deletions
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 0b0ce0b1..2cea3f10 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -1,6 +1,7 @@
 <?php
 namespace Shaarli\Security;
+use Exception;
 use Shaarli\Config\ConfigManager;
 /**
@@ -139,26 +140,71 @@ class LoginManager
     */
    public function checkCredentials($remoteIp, $clientIpId, $login, $password)
    {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        // Check login matches config
+        if ($login != $this->configManager->get('credentials.login')) {
+            return false;
+        }
-        if ($login != $this->configManager->get('credentials.login')
+        // Check credentials
-            || $hash != $this->configManager->get('credentials.hash')
+        try {
-        ) {
+            if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
+                || ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
+                    $this->sessionManager->storeLoginInfo($clientIpId);
+                    logm(
+                        $this->configManager->get('resource.log'),
+                        $remoteIp,
+                        'Login successful'
+                    );
+                    return true;
+            }
+        }
+        catch(Exception $exception) {
            logm(
                $this->configManager->get('resource.log'),
                $remoteIp,
-                'Login failed for user ' . $login
+                'Exception while checking credentials: ' . $exception
            );
-            return false;
        }
-        $this->sessionManager->storeLoginInfo($clientIpId);
        logm(
            $this->configManager->get('resource.log'),
            $remoteIp,
-            'Login successful'
+            'Login failed for user ' . $login
        );
-        return true;
+        return false;
+    }
+    /**
+     * Check user credentials from local config
+     *
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentialsFromLocalConfig($login, $password) {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        return $login == $this->configManager->get('credentials.login')
+             && $hash == $this->configManager->get('credentials.hash');
+    }
+    /**
+     * Check user credentials are valid through LDAP bind
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
+    {
+        $connect = $connect ?? function($host) { return ldap_connect($host); };
+        $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
+        return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
    }
    /**
author	Sébastien NOBILI <code@pipoprods.org>	2020-03-02 17:08:19 +0100
committer	Sébastien NOBILI <code@pipoprods.org>	2020-03-02 17:13:18 +0100
commit	cc2ded54e12e3f3140b895067af086cd71cc5dc6 (patch)
tree	5e95c4b5b6d7eadef25cbb503167e8f89608162d /application/security/LoginManager.php
parent	810f0f6c96b6d26e22164027185c5996b425816c (diff)
download	Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.gz Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.tar.zst Shaarli-cc2ded54e12e3f3140b895067af086cd71cc5dc6.zip

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php index 0b0ce0b1..2cea3f10 100644 --- a/application/security/LoginManager.php +++ b/application/security/LoginManager.php
@@ -1,6 +1,7 @@
1	<?php	1	<?php
2	namespace Shaarli\Security;	2	namespace Shaarli\Security;
3		3
		4	use Exception;
4	use Shaarli\Config\ConfigManager;	5	use Shaarli\Config\ConfigManager;
5		6
6	/**	7	/**
@@ -139,26 +140,71 @@ class LoginManager
139	*/	140	*/
140	public function checkCredentials($remoteIp, $clientIpId, $login, $password)	141	public function checkCredentials($remoteIp, $clientIpId, $login, $password)
141	{	142	{
142	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));	143	// Check login matches config
		144	if ($login != $this->configManager->get('credentials.login')) {
		145	return false;
		146	}
143		147
144	if ($login != $this->configManager->get('credentials.login')	148	// Check credentials
145	\|\| $hash != $this->configManager->get('credentials.hash')	149	try {
146	) {	150	if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
		151	\|\| ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
		152	$this->sessionManager->storeLoginInfo($clientIpId);
		153	logm(
		154	$this->configManager->get('resource.log'),
		155	$remoteIp,
		156	'Login successful'
		157	);
		158	return true;
		159	}
		160	}
		161	catch(Exception $exception) {
147	logm(	162	logm(
148	$this->configManager->get('resource.log'),	163	$this->configManager->get('resource.log'),
149	$remoteIp,	164	$remoteIp,
150	'Login failed for user ' . $login	165	'Exception while checking credentials: ' . $exception
151	);	166	);
152	return false;
153	}	167	}
154		168
155	$this->sessionManager->storeLoginInfo($clientIpId);
156	logm(	169	logm(
157	$this->configManager->get('resource.log'),	170	$this->configManager->get('resource.log'),
158	$remoteIp,	171	$remoteIp,
159	'Login successful'	172	'Login failed for user ' . $login
160	);	173	);
161	return true;	174	return false;
		175	}
		176
		177
		178	/**
		179	* Check user credentials from local config
		180	*
		181	* @param string $login Username
		182	* @param string $password Password
		183	*
		184	* @return bool true if the provided credentials are valid, false otherwise
		185	*/
		186	public function checkCredentialsFromLocalConfig($login, $password) {
		187	$hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
		188
		189	return $login == $this->configManager->get('credentials.login')
		190	&& $hash == $this->configManager->get('credentials.hash');
		191	}
		192
		193	/**
		194	* Check user credentials are valid through LDAP bind
		195	*
		196	* @param string $remoteIp Remote client IP address
		197	* @param string $clientIpId Client IP address identifier
		198	* @param string $login Username
		199	* @param string $password Password
		200	*
		201	* @return bool true if the provided credentials are valid, false otherwise
		202	*/
		203	public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
		204	{
		205	$connect = $connect ?? function($host) { return ldap_connect($host); };
		206	$bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
		207	return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
162	}	208	}
163		209
164	/**	210	/**