Add ldap

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2018-06-16 11:40:00 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-01-23 19:57:28 +0100
commit: 3b68f6ca727f52f9dc84fa1a134c092b44c49103 (patch)
tree: 2dd38ff1453ad3a0a4620a408cdb67a482ae2fc6
parent: 3f7a28de8473db53b3de9e19d5e8e58b4e21090d (diff)
download: wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.tar.gz
wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.tar.zst
wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.zip
14 files changed, 363 insertions, 2 deletions
diff --git a/.travis.yml b/.travis.yml
index 04cea258..56b1f576 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -58,6 +58,7 @@ install:
 before_script:
    - PHP=$TRAVIS_PHP_VERSION
+    - echo "extension=ldap.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini
    - if [[ ! $PHP = hhvm* ]]; then echo "memory_limit=-1" >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini; fi;
    # xdebug isn't enable for PHP 7.1
    - if [[ ! $PHP = hhvm* ]]; then phpenv config-rm xdebug.ini || echo "xdebug not available"; fi
diff --git a/app/AppKernel.php b/app/AppKernel.php
index 40726f05..c4f465dc 100644
--- a/app/AppKernel.php
+++ b/app/AppKernel.php
@@ -42,6 +42,10 @@ class AppKernel extends Kernel
            new OldSound\RabbitMqBundle\OldSoundRabbitMqBundle(),
        ];
+        if (class_exists('FR3D\\LdapBundle\\FR3DLdapBundle')) {
+          $bundles[] = new FR3D\LdapBundle\FR3DLdapBundle();
+        }
        if (in_array($this->getEnvironment(), ['dev', 'test'], true)) {
            $bundles[] = new Symfony\Bundle\DebugBundle\DebugBundle();
            $bundles[] = new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle();
diff --git a/app/DoctrineMigrations/Version20170710113900.php b/app/DoctrineMigrations/Version20170710113900.php
new file mode 100644
index 00000000..7be83110
--- /dev/null
+++ b/app/DoctrineMigrations/Version20170710113900.php
@@ -0,0 +1,54 @@
+<?php
+namespace Application\Migrations;
+use Doctrine\DBAL\Migrations\AbstractMigration;
+use Doctrine\DBAL\Schema\Schema;
+use Symfony\Component\DependencyInjection\ContainerAwareInterface;
+use Symfony\Component\DependencyInjection\ContainerInterface;
+/**
+ * Added dn field on wallabag_users
+ */
+class Version20170710113900 extends AbstractMigration implements ContainerAwareInterface
+{
+    /**
+     * @var ContainerInterface
+     */
+    private $container;
+    public function setContainer(ContainerInterface $container = null)
+    {
+        $this->container = $container;
+    }
+    private function getTable($tableName)
+    {
+        return $this->container->getParameter('database_table_prefix').$tableName;
+    }
+    /**
+     * @param Schema $schema
+     */
+    public function up(Schema $schema)
+    {
+        $usersTable = $schema->getTable($this->getTable('user'));
+        $this->skipIf($usersTable->hasColumn('dn'), 'It seems that you already played this migration.');
+        $usersTable->addColumn('dn', 'text', [
+            'default' => null,
+            'notnull' => false,
+        ]);
+    }
+    /**
+     * @param Schema $schema
+     */
+    public function down(Schema $schema)
+    {
+        $usersTable = $schema->getTable($this->getTable('user'));
+        $usersTable->dropColumn('dn');
+    }
+}
diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist
index 6b0cb8e8..cfd41b69 100644
--- a/app/config/parameters.yml.dist
+++ b/app/config/parameters.yml.dist
@@ -62,3 +62,23 @@ parameters:
    redis_port: 6379
    redis_path: null
    redis_password: null
+    # ldap configuration
+    # To enable, you need to require fr3d/ldap-bundle
+    ldap_enabled: false
+    ldap_host: localhost
+    ldap_port: 389
+    ldap_tls:  false
+    ldap_ssl:  false
+    ldap_bind_requires_dn: true
+    ldap_base: dc=example,dc=com
+    ldap_manager_dn: ou=Manager,dc=example,dc=com
+    ldap_manager_pw: password
+    ldap_filter: (&(ObjectClass=Person))
+    # optional (if null: no ldap user is admin)
+    ldap_admin_filter: (&(memberOf=ou=admins,dc=example,dc=com)(uid=%s))
+    ldap_username_attribute: uid
+    ldap_email_attribute: mail
+    ldap_name_attribute: cn
+    # optional (default sets user as enabled unconditionally)
+    ldap_enabled_attribute: ~
diff --git a/app/config/security.yml b/app/config/security.yml
index 02afc9ea..48fbb553 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -6,6 +6,7 @@ security:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
+    # /!\ This list is modified in WallabagUserBundle when LDAP is enabled
    providers:
        administrators:
            entity:
@@ -36,6 +37,7 @@ security:
            pattern: ^/login$
            anonymous:  ~
+        # /!\ This section is modified in WallabagUserBundle when LDAP is enabled
        secured_area:
            pattern: ^/
            form_login:
diff --git a/composer.json b/composer.json
index 68cfad05..775a1ebd 100644
--- a/composer.json
+++ b/composer.json
@@ -87,6 +87,9 @@
        "defuse/php-encryption": "^2.1",
        "html2text/html2text": "^4.1"
    },
+    "suggest": {
+      "fr3d/ldap-bundle": "If you want to authenticate via LDAP"
+    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "~2.2",
        "doctrine/data-fixtures": "~1.1",
diff --git a/scripts/install.sh b/scripts/install.sh
index 8b7ea03f..3a4a33ab 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -26,5 +26,8 @@ ENV=$1
 TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
 git checkout $TAG
+if [ -n "$LDAP_ENABLED" ]; then
+  SYMFONY_ENV=$ENV $COMPOSER_COMMAND require --no-update fr3d/ldap-bundle
+fi
 SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist
 php bin/console wallabag:install --env=$ENV
diff --git a/scripts/update.sh b/scripts/update.sh
index c62d104a..6259a431 100755
--- a/scripts/update.sh
+++ b/scripts/update.sh
@@ -32,6 +32,9 @@ git fetch origin
 git fetch --tags
 TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
 git checkout $TAG --force
+if [ -n "$LDAP_ENABLED" ]; then
+  SYMFONY_ENV=$ENV $COMPOSER_COMMAND require --no-update fr3d/ldap-bundle
+fi
 SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist
 php bin/console doctrine:migrations:migrate --no-interaction --env=$ENV
 php bin/console cache:clear --env=$ENV
diff --git a/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php b/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php
index 5ca3482e..904a6af1 100644
--- a/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php
+++ b/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php
@@ -6,9 +6,34 @@ use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Loader;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
-class WallabagUserExtension extends Extension
+class WallabagUserExtension extends Extension implements PrependExtensionInterface
 {
+    public function prepend(ContainerBuilder $container)
+    {
+        $ldap = $container->getParameter('ldap_enabled');
+        if ($ldap) {
+            $container->prependExtensionConfig('security', array(
+              'providers' => array(
+                'chain_provider' => array(),
+              ),
+            ));
+            $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
+            $loader->load('ldap.yml');
+        } elseif ($container->hasExtension('fr3d_ldap')) {
+            $container->prependExtensionConfig('fr3_d_ldap', array(
+            'driver' => array(
+              'host' => 'localhost',
+            ),
+            'user' => array(
+              'baseDn' => 'dc=example,dc=com',
+            ),
+          ));
+        }
+    }
    public function load(array $configs, ContainerBuilder $container)
    {
        $configuration = new Configuration();
@@ -16,6 +41,9 @@ class WallabagUserExtension extends Extension
        $loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));
        $loader->load('services.yml');
+        if ($container->getParameter('ldap_enabled')) {
+            $loader->load('ldap_services.yml');
+        }
        $container->setParameter('wallabag_user.registration_enabled', $config['registration_enabled']);
    }
diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index 48446e3c..f93c59c7 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -1,5 +1,15 @@
 <?php
+// This permits to have the LdapUserInterface even when fr3d/ldap-bundle is not
+// in the packages
+namespace FR3D\LdapBundle\Model;
+interface LdapUserInterface
+{
+    public function setDn($dn);
+    public function getDn();
+}
 namespace Wallabag\UserBundle\Entity;
 use Doctrine\Common\Collections\ArrayCollection;
@@ -16,6 +26,7 @@ use Wallabag\ApiBundle\Entity\Client;
 use Wallabag\CoreBundle\Entity\Config;
 use Wallabag\CoreBundle\Entity\Entry;
 use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;
+use FR3D\LdapBundle\Model\LdapUserInterface;
 /**
 * User.
@@ -28,7 +39,7 @@ use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;
 * @UniqueEntity("email")
 * @UniqueEntity("username")
 */
-class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface
+class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface, LdapUserInterface
 {
    use EntityTimestampsTrait;
@@ -68,6 +79,13 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
    protected $email;
    /**
+     * @var string
+     *
+     * @ORM\Column(name="dn", type="text", nullable=true)
+     */
+    protected $dn;
+    /**
     * @var \DateTime
     *
     * @ORM\Column(name="created_at", type="datetime")
@@ -309,4 +327,33 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
            return $this->clients->first();
        }
    }
+    /**
+     * Set dn.
+     *
+     * @param string $dn
+     *
+     * @return User
+     */
+    public function setDn($dn)
+    {
+        $this->dn = $dn;
+        return $this;
+    }
+    /**
+     * Get dn.
+     *
+     * @return string
+     */
+    public function getDn()
+    {
+        return $this->dn;
+    }
+    public function isLdapUser()
+    {
+        return $this->dn !== null;
+    }
 }
diff --git a/src/Wallabag/UserBundle/LdapHydrator.php b/src/Wallabag/UserBundle/LdapHydrator.php
new file mode 100644
index 00000000..cea2450f
--- /dev/null
+++ b/src/Wallabag/UserBundle/LdapHydrator.php
@@ -0,0 +1,103 @@
+<?php
+namespace Wallabag\UserBundle;
+use FR3D\LdapBundle\Hydrator\HydratorInterface;
+use FOS\UserBundle\FOSUserEvents;
+use FOS\UserBundle\Event\UserEvent;
+class LdapHydrator implements HydratorInterface
+{
+    private $userManager;
+    private $eventDispatcher;
+    private $attributesMap;
+    private $enabledAttribute;
+    private $ldapBaseDn;
+    private $ldapAdminFilter;
+    private $ldapDriver;
+    public function __construct(
+      $user_manager,
+      $event_dispatcher,
+      array $attributes_map,
+      $ldap_base_dn,
+      $ldap_admin_filter,
+      $ldap_driver
+    ) {
+        $this->userManager = $user_manager;
+        $this->eventDispatcher = $event_dispatcher;
+        $this->attributesMap = array(
+        'setUsername' => $attributes_map[0],
+        'setEmail' => $attributes_map[1],
+        'setName' => $attributes_map[2],
+      );
+        $this->enabledAttribute = $attributes_map[3];
+        $this->ldapBaseDn = $ldap_base_dn;
+        $this->ldapAdminFilter = $ldap_admin_filter;
+        $this->ldapDriver = $ldap_driver;
+    }
+    public function hydrate(array $ldapEntry)
+    {
+        $user = $this->userManager->findUserBy(array('dn' => $ldapEntry['dn']));
+        if (!$user) {
+            $user = $this->userManager->createUser();
+            $user->setDn($ldapEntry['dn']);
+            $user->setPassword('');
+            $user->setSalt('');
+            $this->updateUserFields($user, $ldapEntry);
+            $event = new UserEvent($user);
+            $this->eventDispatcher->dispatch(FOSUserEvents::USER_CREATED, $event);
+            $this->userManager->reloadUser($user);
+        } else {
+            $this->updateUserFields($user, $ldapEntry);
+        }
+        return $user;
+    }
+    private function updateUserFields($user, $ldapEntry)
+    {
+        foreach ($this->attributesMap as $key => $value) {
+            if (is_array($ldapEntry[$value])) {
+                $ldap_value = $ldapEntry[$value][0];
+            } else {
+                $ldap_value = $ldapEntry[$value];
+            }
+            call_user_func([$user, $key], $ldap_value);
+        }
+        if ($this->enabledAttribute !== null) {
+            $user->setEnabled($ldapEntry[$this->enabledAttribute]);
+        } else {
+            $user->setEnabled(true);
+        }
+        if ($this->isAdmin($user)) {
+            $user->addRole('ROLE_SUPER_ADMIN');
+        } else {
+            $user->removeRole('ROLE_SUPER_ADMIN');
+        }
+        $this->userManager->updateUser($user, true);
+    }
+    private function isAdmin($user)
+    {
+        if ($this->ldapAdminFilter === null) {
+            return false;
+        }
+        $escaped_username = ldap_escape($user->getUsername(), '', LDAP_ESCAPE_FILTER);
+        $filter = sprintf($this->ldapAdminFilter, $escaped_username);
+        $entries = $this->ldapDriver->search($this->ldapBaseDn, $filter);
+        return $entries['count'] == 1;
+    }
+}
diff --git a/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php b/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php
new file mode 100644
index 00000000..8a851f12
--- /dev/null
+++ b/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php
@@ -0,0 +1,43 @@
+<?php
+namespace Wallabag\UserBundle;
+use FOS\OAuthServerBundle\Storage\OAuthStorage;
+use OAuth2\Model\IOAuth2Client;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+class OAuthStorageLdapWrapper extends OAuthStorage
+{
+    private $ldapManager;
+    public function setLdapManager($ldap_manager)
+    {
+        $this->ldapManager = $ldap_manager;
+    }
+    public function checkUserCredentials(IOAuth2Client $client, $username, $password)
+    {
+        try {
+            $user = $this->userProvider->loadUserByUsername($username);
+        } catch (AuthenticationException $e) {
+            return false;
+        }
+        if ($user->isLdapUser()) {
+            return $this->checkLdapUserCredentials($user, $password);
+        } else {
+            return parent::checkUserCredentials($client, $username, $password);
+        }
+    }
+    private function checkLdapUserCredentials($user, $password)
+    {
+        if ($this->ldapManager->bind($user, $password)) {
+            return array(
+        'data' => $user,
+      );
+        } else {
+            return false;
+        }
+    }
+}
diff --git a/src/Wallabag/UserBundle/Resources/config/ldap.yml b/src/Wallabag/UserBundle/Resources/config/ldap.yml
new file mode 100644
index 00000000..5ec16088
--- /dev/null
+++ b/src/Wallabag/UserBundle/Resources/config/ldap.yml
@@ -0,0 +1,28 @@
+fr3d_ldap:
+    service:
+        user_hydrator: ldap_user_hydrator
+    driver:
+        host: "%ldap_host%"
+        port: "%ldap_port%"
+        useSsl: "%ldap_ssl%"
+        useStartTls: "%ldap_tls%"
+        bindRequiresDn: "%ldap_bind_requires_dn%"
+        username: "%ldap_manager_dn%"
+        password: "%ldap_manager_pw%"
+    user:
+        baseDn: "%ldap_base%"
+        filter: "%ldap_filter%"
+        usernameAttribute: "%ldap_username_attribute%"
+security:
+    providers:
+        chain_provider:
+            chain:
+                providers: [ fr3d_ldapbundle, fos_userbundle ]
+        fr3d_ldapbundle:
+            id: fr3d_ldap.security.user.provider
+    firewalls:
+        secured_area:
+            fr3d_ldap: ~
+            form_login:
+                provider: chain_provider
diff --git a/src/Wallabag/UserBundle/Resources/config/ldap_services.yml b/src/Wallabag/UserBundle/Resources/config/ldap_services.yml
new file mode 100644
index 00000000..b3e3fd8a
--- /dev/null
+++ b/src/Wallabag/UserBundle/Resources/config/ldap_services.yml
@@ -0,0 +1,22 @@
+services:
+    fos_oauth_server.server:
+        class: OAuth2\OAuth2
+        arguments:
+            - "@oauth_storage_ldap_wrapper"
+            - "%fos_oauth_server.server.options%"
+    oauth_storage_ldap_wrapper:
+        class: Wallabag\UserBundle\OAuthStorageLdapWrapper
+        parent: fos_oauth_server.storage
+        calls:
+            - [setLdapManager, ["@fr3d_ldap.ldap_manager"]]
+    ldap_user_hydrator:
+        class: Wallabag\UserBundle\LdapHydrator
+        arguments:
+            - "@fos_user.user_manager"
+            - "@event_dispatcher"
+            - [ "%ldap_username_attribute%", "%ldap_email_attribute%", "%ldap_name_attribute%", "%ldap_enabled_attribute%" ]
+            - "%ldap_base%"
+            - "%ldap_admin_filter%"
+            - "@fr3d_ldap.ldap_driver"
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2018-06-16 11:40:00 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-01-23 19:57:28 +0100
commit	3b68f6ca727f52f9dc84fa1a134c092b44c49103 (patch)
tree	2dd38ff1453ad3a0a4620a408cdb67a482ae2fc6
parent	3f7a28de8473db53b3de9e19d5e8e58b4e21090d (diff)
download	wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.tar.gz wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.tar.zst wallabag-3b68f6ca727f52f9dc84fa1a134c092b44c49103.zip

diff --git a/.travis.yml b/.travis.yml index 04cea258..56b1f576 100644 --- a/.travis.yml +++ b/.travis.yml
@@ -58,6 +58,7 @@ install:
58		58
59	before_script:	59	before_script:
60	- PHP=$TRAVIS_PHP_VERSION	60	- PHP=$TRAVIS_PHP_VERSION
		61	- echo "extension=ldap.so" >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini
61	- if [[ ! $PHP = hhvm* ]]; then echo "memory_limit=-1" >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini; fi;	62	- if [[ ! $PHP = hhvm* ]]; then echo "memory_limit=-1" >> ~/.phpenv/versions/$(phpenv version-name)/etc/conf.d/travis.ini; fi;
62	# xdebug isn't enable for PHP 7.1	63	# xdebug isn't enable for PHP 7.1
63	- if [[ ! $PHP = hhvm* ]]; then phpenv config-rm xdebug.ini \|\| echo "xdebug not available"; fi	64	- if [[ ! $PHP = hhvm* ]]; then phpenv config-rm xdebug.ini \|\| echo "xdebug not available"; fi


diff --git a/app/AppKernel.php b/app/AppKernel.php index 40726f05..c4f465dc 100644 --- a/app/AppKernel.php +++ b/app/AppKernel.php
@@ -42,6 +42,10 @@ class AppKernel extends Kernel
42	new OldSound\RabbitMqBundle\OldSoundRabbitMqBundle(),	42	new OldSound\RabbitMqBundle\OldSoundRabbitMqBundle(),
43	];	43	];
44		44
		45	if (class_exists('FR3D\\LdapBundle\\FR3DLdapBundle')) {
		46	$bundles[] = new FR3D\LdapBundle\FR3DLdapBundle();
		47	}
		48
45	if (in_array($this->getEnvironment(), ['dev', 'test'], true)) {	49	if (in_array($this->getEnvironment(), ['dev', 'test'], true)) {
46	$bundles[] = new Symfony\Bundle\DebugBundle\DebugBundle();	50	$bundles[] = new Symfony\Bundle\DebugBundle\DebugBundle();
47	$bundles[] = new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle();	51	$bundles[] = new Symfony\Bundle\WebProfilerBundle\WebProfilerBundle();


diff --git a/app/DoctrineMigrations/Version20170710113900.php b/app/DoctrineMigrations/Version20170710113900.php new file mode 100644 index 00000000..7be83110 --- /dev/null +++ b/app/DoctrineMigrations/Version20170710113900.php
@@ -0,0 +1,54 @@
		1	<?php
		2
		3	namespace Application\Migrations;
		4
		5	use Doctrine\DBAL\Migrations\AbstractMigration;
		6	use Doctrine\DBAL\Schema\Schema;
		7	use Symfony\Component\DependencyInjection\ContainerAwareInterface;
		8	use Symfony\Component\DependencyInjection\ContainerInterface;
		9
		10	/**
		11	* Added dn field on wallabag_users
		12	*/
		13	class Version20170710113900 extends AbstractMigration implements ContainerAwareInterface
		14	{
		15	/**
		16	* @var ContainerInterface
		17	*/
		18	private $container;
		19
		20	public function setContainer(ContainerInterface $container = null)
		21	{
		22	$this->container = $container;
		23	}
		24
		25	private function getTable($tableName)
		26	{
		27	return $this->container->getParameter('database_table_prefix').$tableName;
		28	}
		29
		30	/**
		31	* @param Schema $schema
		32	*/
		33	public function up(Schema $schema)
		34	{
		35	$usersTable = $schema->getTable($this->getTable('user'));
		36
		37	$this->skipIf($usersTable->hasColumn('dn'), 'It seems that you already played this migration.');
		38
		39	$usersTable->addColumn('dn', 'text', [
		40	'default' => null,
		41	'notnull' => false,
		42	]);
		43	}
		44
		45	/**
		46	* @param Schema $schema
		47	*/
		48	public function down(Schema $schema)
		49	{
		50	$usersTable = $schema->getTable($this->getTable('user'));
		51	$usersTable->dropColumn('dn');
		52	}
		53	}
		54


diff --git a/app/config/parameters.yml.dist b/app/config/parameters.yml.dist index 6b0cb8e8..cfd41b69 100644 --- a/app/config/parameters.yml.dist +++ b/app/config/parameters.yml.dist
@@ -62,3 +62,23 @@ parameters:
62	redis_port: 6379	62	redis_port: 6379
63	redis_path: null	63	redis_path: null
64	redis_password: null	64	redis_password: null
		65
		66	# ldap configuration
		67	# To enable, you need to require fr3d/ldap-bundle
		68	ldap_enabled: false
		69	ldap_host: localhost
		70	ldap_port: 389
		71	ldap_tls: false
		72	ldap_ssl: false
		73	ldap_bind_requires_dn: true
		74	ldap_base: dc=example,dc=com
		75	ldap_manager_dn: ou=Manager,dc=example,dc=com
		76	ldap_manager_pw: password
		77	ldap_filter: (&(ObjectClass=Person))
		78	# optional (if null: no ldap user is admin)
		79	ldap_admin_filter: (&(memberOf=ou=admins,dc=example,dc=com)(uid=%s))
		80	ldap_username_attribute: uid
		81	ldap_email_attribute: mail
		82	ldap_name_attribute: cn
		83	# optional (default sets user as enabled unconditionally)
		84	ldap_enabled_attribute: ~


diff --git a/app/config/security.yml b/app/config/security.yml index 02afc9ea..48fbb553 100644 --- a/app/config/security.yml +++ b/app/config/security.yml
@@ -6,6 +6,7 @@ security:
6	ROLE_ADMIN: ROLE_USER	6	ROLE_ADMIN: ROLE_USER
7	ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]	7	ROLE_SUPER_ADMIN: [ ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]
8		8
		9	# /!\ This list is modified in WallabagUserBundle when LDAP is enabled
9	providers:	10	providers:
10	administrators:	11	administrators:
11	entity:	12	entity:
@@ -36,6 +37,7 @@ security:
36	pattern: ^/login$	37	pattern: ^/login$
37	anonymous: ~	38	anonymous: ~
38		39
		40	# /!\ This section is modified in WallabagUserBundle when LDAP is enabled
39	secured_area:	41	secured_area:
40	pattern: ^/	42	pattern: ^/
41	form_login:	43	form_login:


diff --git a/composer.json b/composer.json index 68cfad05..775a1ebd 100644 --- a/composer.json +++ b/composer.json
@@ -87,6 +87,9 @@
87	"defuse/php-encryption": "^2.1",	87	"defuse/php-encryption": "^2.1",
88	"html2text/html2text": "^4.1"	88	"html2text/html2text": "^4.1"
89	},	89	},
		90	"suggest": {
		91	"fr3d/ldap-bundle": "If you want to authenticate via LDAP"
		92	},
90	"require-dev": {	93	"require-dev": {
91	"doctrine/doctrine-fixtures-bundle": "~2.2",	94	"doctrine/doctrine-fixtures-bundle": "~2.2",
92	"doctrine/data-fixtures": "~1.1",	95	"doctrine/data-fixtures": "~1.1",


diff --git a/scripts/install.sh b/scripts/install.sh index 8b7ea03f..3a4a33ab 100755 --- a/scripts/install.sh +++ b/scripts/install.sh
@@ -26,5 +26,8 @@ ENV=$1
26	TAG=$(git describe --tags $(git rev-list --tags --max-count=1))	26	TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
27		27
28	git checkout $TAG	28	git checkout $TAG
		29	if [ -n "$LDAP_ENABLED" ]; then
		30	SYMFONY_ENV=$ENV $COMPOSER_COMMAND require --no-update fr3d/ldap-bundle
		31	fi
29	SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist	32	SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist
30	php bin/console wallabag:install --env=$ENV	33	php bin/console wallabag:install --env=$ENV


diff --git a/scripts/update.sh b/scripts/update.sh index c62d104a..6259a431 100755 --- a/scripts/update.sh +++ b/scripts/update.sh
@@ -32,6 +32,9 @@ git fetch origin
32	git fetch --tags	32	git fetch --tags
33	TAG=$(git describe --tags $(git rev-list --tags --max-count=1))	33	TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
34	git checkout $TAG --force	34	git checkout $TAG --force
		35	if [ -n "$LDAP_ENABLED" ]; then
		36	SYMFONY_ENV=$ENV $COMPOSER_COMMAND require --no-update fr3d/ldap-bundle
		37	fi
35	SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist	38	SYMFONY_ENV=$ENV $COMPOSER_COMMAND install --no-dev -o --prefer-dist
36	php bin/console doctrine:migrations:migrate --no-interaction --env=$ENV	39	php bin/console doctrine:migrations:migrate --no-interaction --env=$ENV
37	php bin/console cache:clear --env=$ENV	40	php bin/console cache:clear --env=$ENV


diff --git a/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php b/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php index 5ca3482e..904a6af1 100644 --- a/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php +++ b/src/Wallabag/UserBundle/DependencyInjection/WallabagUserExtension.php
@@ -6,9 +6,34 @@ use Symfony\Component\Config\FileLocator;
6	use Symfony\Component\DependencyInjection\ContainerBuilder;	6	use Symfony\Component\DependencyInjection\ContainerBuilder;
7	use Symfony\Component\DependencyInjection\Loader;	7	use Symfony\Component\DependencyInjection\Loader;
8	use Symfony\Component\HttpKernel\DependencyInjection\Extension;	8	use Symfony\Component\HttpKernel\DependencyInjection\Extension;
		9	use Symfony\Component\DependencyInjection\Extension\PrependExtensionInterface;
9		10
10	class WallabagUserExtension extends Extension	11	class WallabagUserExtension extends Extension implements PrependExtensionInterface
11	{	12	{
		13	public function prepend(ContainerBuilder $container)
		14	{
		15	$ldap = $container->getParameter('ldap_enabled');
		16
		17	if ($ldap) {
		18	$container->prependExtensionConfig('security', array(
		19	'providers' => array(
		20	'chain_provider' => array(),
		21	),
		22	));
		23	$loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
		24	$loader->load('ldap.yml');
		25	} elseif ($container->hasExtension('fr3d_ldap')) {
		26	$container->prependExtensionConfig('fr3_d_ldap', array(
		27	'driver' => array(
		28	'host' => 'localhost',
		29	),
		30	'user' => array(
		31	'baseDn' => 'dc=example,dc=com',
		32	),
		33	));
		34	}
		35	}
		36
12	public function load(array $configs, ContainerBuilder $container)	37	public function load(array $configs, ContainerBuilder $container)
13	{	38	{
14	$configuration = new Configuration();	39	$configuration = new Configuration();
@@ -16,6 +41,9 @@ class WallabagUserExtension extends Extension
16		41
17	$loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));	42	$loader = new Loader\YamlFileLoader($container, new FileLocator(__DIR__ . '/../Resources/config'));
18	$loader->load('services.yml');	43	$loader->load('services.yml');
		44	if ($container->getParameter('ldap_enabled')) {
		45	$loader->load('ldap_services.yml');
		46	}
19	$container->setParameter('wallabag_user.registration_enabled', $config['registration_enabled']);	47	$container->setParameter('wallabag_user.registration_enabled', $config['registration_enabled']);
20	}	48	}
21		49


diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php index 48446e3c..f93c59c7 100644 --- a/src/Wallabag/UserBundle/Entity/User.php +++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -1,5 +1,15 @@
1	<?php	1	<?php
2		2
		3	// This permits to have the LdapUserInterface even when fr3d/ldap-bundle is not
		4	// in the packages
		5	namespace FR3D\LdapBundle\Model;
		6
		7	interface LdapUserInterface
		8	{
		9	public function setDn($dn);
		10	public function getDn();
		11	}
		12
3	namespace Wallabag\UserBundle\Entity;	13	namespace Wallabag\UserBundle\Entity;
4		14
5	use Doctrine\Common\Collections\ArrayCollection;	15	use Doctrine\Common\Collections\ArrayCollection;
@@ -16,6 +26,7 @@ use Wallabag\ApiBundle\Entity\Client;
16	use Wallabag\CoreBundle\Entity\Config;	26	use Wallabag\CoreBundle\Entity\Config;
17	use Wallabag\CoreBundle\Entity\Entry;	27	use Wallabag\CoreBundle\Entity\Entry;
18	use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;	28	use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;
		29	use FR3D\LdapBundle\Model\LdapUserInterface;
19		30
20	/**	31	/**
21	* User.	32	* User.
@@ -28,7 +39,7 @@ use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;
28	* @UniqueEntity("email")	39	* @UniqueEntity("email")
29	* @UniqueEntity("username")	40	* @UniqueEntity("username")
30	*/	41	*/
31	class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface	42	class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface, LdapUserInterface
32	{	43	{
33	use EntityTimestampsTrait;	44	use EntityTimestampsTrait;
34		45
@@ -68,6 +79,13 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
68	protected $email;	79	protected $email;
69		80
70	/**	81	/**
		82	* @var string
		83	*
		84	* @ORM\Column(name="dn", type="text", nullable=true)
		85	*/
		86	protected $dn;
		87
		88	/**
71	* @var \DateTime	89	* @var \DateTime
72	*	90	*
73	* @ORM\Column(name="created_at", type="datetime")	91	* @ORM\Column(name="created_at", type="datetime")
@@ -309,4 +327,33 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
309	return $this->clients->first();	327	return $this->clients->first();
310	}	328	}
311	}	329	}
		330
		331	/**
		332	* Set dn.
		333	*
		334	* @param string $dn
		335	*
		336	* @return User
		337	*/
		338	public function setDn($dn)
		339	{
		340	$this->dn = $dn;
		341
		342	return $this;
		343	}
		344
		345	/**
		346	* Get dn.
		347	*
		348	* @return string
		349	*/
		350	public function getDn()
		351	{
		352	return $this->dn;
		353	}
		354
		355	public function isLdapUser()
		356	{
		357	return $this->dn !== null;
		358	}
312	}	359	}


diff --git a/src/Wallabag/UserBundle/LdapHydrator.php b/src/Wallabag/UserBundle/LdapHydrator.php new file mode 100644 index 00000000..cea2450f --- /dev/null +++ b/src/Wallabag/UserBundle/LdapHydrator.php
@@ -0,0 +1,103 @@
		1	<?php
		2
		3	namespace Wallabag\UserBundle;
		4
		5	use FR3D\LdapBundle\Hydrator\HydratorInterface;
		6	use FOS\UserBundle\FOSUserEvents;
		7	use FOS\UserBundle\Event\UserEvent;
		8
		9	class LdapHydrator implements HydratorInterface
		10	{
		11	private $userManager;
		12	private $eventDispatcher;
		13	private $attributesMap;
		14	private $enabledAttribute;
		15	private $ldapBaseDn;
		16	private $ldapAdminFilter;
		17	private $ldapDriver;
		18
		19	public function __construct(
		20	$user_manager,
		21	$event_dispatcher,
		22	array $attributes_map,
		23	$ldap_base_dn,
		24	$ldap_admin_filter,
		25	$ldap_driver
		26	) {
		27	$this->userManager = $user_manager;
		28	$this->eventDispatcher = $event_dispatcher;
		29
		30	$this->attributesMap = array(
		31	'setUsername' => $attributes_map[0],
		32	'setEmail' => $attributes_map[1],
		33	'setName' => $attributes_map[2],
		34	);
		35	$this->enabledAttribute = $attributes_map[3];
		36
		37	$this->ldapBaseDn = $ldap_base_dn;
		38	$this->ldapAdminFilter = $ldap_admin_filter;
		39	$this->ldapDriver = $ldap_driver;
		40	}
		41
		42	public function hydrate(array $ldapEntry)
		43	{
		44	$user = $this->userManager->findUserBy(array('dn' => $ldapEntry['dn']));
		45
		46	if (!$user) {
		47	$user = $this->userManager->createUser();
		48	$user->setDn($ldapEntry['dn']);
		49	$user->setPassword('');
		50	$user->setSalt('');
		51	$this->updateUserFields($user, $ldapEntry);
		52
		53	$event = new UserEvent($user);
		54	$this->eventDispatcher->dispatch(FOSUserEvents::USER_CREATED, $event);
		55
		56	$this->userManager->reloadUser($user);
		57	} else {
		58	$this->updateUserFields($user, $ldapEntry);
		59	}
		60
		61	return $user;
		62	}
		63
		64	private function updateUserFields($user, $ldapEntry)
		65	{
		66	foreach ($this->attributesMap as $key => $value) {
		67	if (is_array($ldapEntry[$value])) {
		68	$ldap_value = $ldapEntry[$value][0];
		69	} else {
		70	$ldap_value = $ldapEntry[$value];
		71	}
		72
		73	call_user_func([$user, $key], $ldap_value);
		74	}
		75
		76	if ($this->enabledAttribute !== null) {
		77	$user->setEnabled($ldapEntry[$this->enabledAttribute]);
		78	} else {
		79	$user->setEnabled(true);
		80	}
		81
		82	if ($this->isAdmin($user)) {
		83	$user->addRole('ROLE_SUPER_ADMIN');
		84	} else {
		85	$user->removeRole('ROLE_SUPER_ADMIN');
		86	}
		87
		88	$this->userManager->updateUser($user, true);
		89	}
		90
		91	private function isAdmin($user)
		92	{
		93	if ($this->ldapAdminFilter === null) {
		94	return false;
		95	}
		96
		97	$escaped_username = ldap_escape($user->getUsername(), '', LDAP_ESCAPE_FILTER);
		98	$filter = sprintf($this->ldapAdminFilter, $escaped_username);
		99	$entries = $this->ldapDriver->search($this->ldapBaseDn, $filter);
		100
		101	return $entries['count'] == 1;
		102	}
		103	}


diff --git a/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php b/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php new file mode 100644 index 00000000..8a851f12 --- /dev/null +++ b/src/Wallabag/UserBundle/OAuthStorageLdapWrapper.php
@@ -0,0 +1,43 @@
		1	<?php
		2
		3	namespace Wallabag\UserBundle;
		4
		5	use FOS\OAuthServerBundle\Storage\OAuthStorage;
		6	use OAuth2\Model\IOAuth2Client;
		7	use Symfony\Component\Security\Core\Exception\AuthenticationException;
		8
		9	class OAuthStorageLdapWrapper extends OAuthStorage
		10	{
		11	private $ldapManager;
		12
		13	public function setLdapManager($ldap_manager)
		14	{
		15	$this->ldapManager = $ldap_manager;
		16	}
		17
		18	public function checkUserCredentials(IOAuth2Client $client, $username, $password)
		19	{
		20	try {
		21	$user = $this->userProvider->loadUserByUsername($username);
		22	} catch (AuthenticationException $e) {
		23	return false;
		24	}
		25
		26	if ($user->isLdapUser()) {
		27	return $this->checkLdapUserCredentials($user, $password);
		28	} else {
		29	return parent::checkUserCredentials($client, $username, $password);
		30	}
		31	}
		32
		33	private function checkLdapUserCredentials($user, $password)
		34	{
		35	if ($this->ldapManager->bind($user, $password)) {
		36	return array(
		37	'data' => $user,
		38	);
		39	} else {
		40	return false;
		41	}
		42	}
		43	}


diff --git a/src/Wallabag/UserBundle/Resources/config/ldap.yml b/src/Wallabag/UserBundle/Resources/config/ldap.yml new file mode 100644 index 00000000..5ec16088 --- /dev/null +++ b/src/Wallabag/UserBundle/Resources/config/ldap.yml
@@ -0,0 +1,28 @@
		1	fr3d_ldap:
		2	service:
		3	user_hydrator: ldap_user_hydrator
		4	driver:
		5	host: "%ldap_host%"
		6	port: "%ldap_port%"
		7	useSsl: "%ldap_ssl%"
		8	useStartTls: "%ldap_tls%"
		9	bindRequiresDn: "%ldap_bind_requires_dn%"
		10	username: "%ldap_manager_dn%"
		11	password: "%ldap_manager_pw%"
		12	user:
		13	baseDn: "%ldap_base%"
		14	filter: "%ldap_filter%"
		15	usernameAttribute: "%ldap_username_attribute%"
		16	security:
		17	providers:
		18	chain_provider:
		19	chain:
		20	providers: [ fr3d_ldapbundle, fos_userbundle ]
		21	fr3d_ldapbundle:
		22	id: fr3d_ldap.security.user.provider
		23	firewalls:
		24	secured_area:
		25	fr3d_ldap: ~
		26	form_login:
		27	provider: chain_provider
		28


diff --git a/src/Wallabag/UserBundle/Resources/config/ldap_services.yml b/src/Wallabag/UserBundle/Resources/config/ldap_services.yml new file mode 100644 index 00000000..b3e3fd8a --- /dev/null +++ b/src/Wallabag/UserBundle/Resources/config/ldap_services.yml
@@ -0,0 +1,22 @@
		1	services:
		2	fos_oauth_server.server:
		3	class: OAuth2\OAuth2
		4	arguments:
		5	- "@oauth_storage_ldap_wrapper"
		6	- "%fos_oauth_server.server.options%"
		7	oauth_storage_ldap_wrapper:
		8	class: Wallabag\UserBundle\OAuthStorageLdapWrapper
		9	parent: fos_oauth_server.storage
		10	calls:
		11	- [setLdapManager, ["@fr3d_ldap.ldap_manager"]]
		12
		13	ldap_user_hydrator:
		14	class: Wallabag\UserBundle\LdapHydrator
		15	arguments:
		16	- "@fos_user.user_manager"
		17	- "@event_dispatcher"
		18	- [ "%ldap_username_attribute%", "%ldap_email_attribute%", "%ldap_name_attribute%", "%ldap_enabled_attribute%" ]
		19	- "%ldap_base%"
		20	- "%ldap_admin_filter%"
		21	- "@fr3d_ldap.ldap_driver"
		22