From cc2ded54e12e3f3140b895067af086cd71cc5dc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20NOBILI?= <code@pipoprods.org>
Date: Mon, 2 Mar 2020 17:08:19 +0100
Subject: ldap authentication, fixes shaarli/Shaarli#1343

---
 application/security/LoginManager.php | 64 ++++++++++++++++++++++++++++++-----
 1 file changed, 55 insertions(+), 9 deletions(-)

(limited to 'application/security')

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 0b0ce0b1..2cea3f10 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -1,6 +1,7 @@
 <?php
 namespace Shaarli\Security;
 
+use Exception;
 use Shaarli\Config\ConfigManager;
 
 /**
@@ -139,26 +140,71 @@ class LoginManager
      */
     public function checkCredentials($remoteIp, $clientIpId, $login, $password)
     {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        // Check login matches config
+        if ($login != $this->configManager->get('credentials.login')) {
+            return false;
+        }
 
-        if ($login != $this->configManager->get('credentials.login')
-            || $hash != $this->configManager->get('credentials.hash')
-        ) {
+        // Check credentials
+        try {
+            if (($this->configManager->get('ldap.host') != "" && $this->checkCredentialsFromLdap($login, $password))
+                || ($this->configManager->get('ldap.host') == "" && $this->checkCredentialsFromLocalConfig($login, $password))) {
+                    $this->sessionManager->storeLoginInfo($clientIpId);
+                    logm(
+                        $this->configManager->get('resource.log'),
+                        $remoteIp,
+                        'Login successful'
+                    );
+                    return true;
+            }
+        }
+        catch(Exception $exception) {
             logm(
                 $this->configManager->get('resource.log'),
                 $remoteIp,
-                'Login failed for user ' . $login
+                'Exception while checking credentials: ' . $exception
             );
-            return false;
         }
 
-        $this->sessionManager->storeLoginInfo($clientIpId);
         logm(
             $this->configManager->get('resource.log'),
             $remoteIp,
-            'Login successful'
+            'Login failed for user ' . $login
         );
-        return true;
+        return false;
+    }
+
+
+    /**
+     * Check user credentials from local config
+     *
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentialsFromLocalConfig($login, $password) {
+        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+
+        return $login == $this->configManager->get('credentials.login')
+             && $hash == $this->configManager->get('credentials.hash');
+    }
+
+    /**
+     * Check user credentials are valid through LDAP bind
+     *
+     * @param string $remoteIp   Remote client IP address
+     * @param string $clientIpId Client IP address identifier
+     * @param string $login      Username
+     * @param string $password   Password
+     *
+     * @return bool true if the provided credentials are valid, false otherwise
+     */
+    public function checkCredentialsFromLdap($login, $password, $connect = null, $bind = null)
+    {
+        $connect = $connect ?? function($host) { return ldap_connect($host); };
+        $bind = $bind ?? function($handle, $dn, $password) { return ldap_bind($handle, $dn, $password); };
+        return $bind($connect($this->configManager->get('ldap.host')), sprintf($this->configManager->get('ldap.dn'), $login), $password);
     }
 
     /**
-- 
cgit v1.2.3