revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-09-22 18:28:47 +02:00
Code Issues Releases Wiki Activity
phorge-phorge/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php

169 lines
5 KiB
PHP
Raw Normal View History

Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
<?php
final class PhabricatorAuthProviderLDAP
extends PhabricatorAuthProvider {
private $adapter;
public function getProviderName() {
return pht('LDAP');
}
Add initial create screen for auth providers Summary: Ref T1536. Adds an initial "choose a provider type" screen for adding a new provider. This doesn't go anywhere yet. Test Plan: {F46316} Reviewers: btrahan Reviewed By: btrahan CC: aran, chad Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6199
2013-06-17 19:51:35 +02:00
public function getDescriptionForCreate() {
return pht(
'Configure a connection to an LDAP server so that users can use their '.
'LDAP credentials to log in to Phabricator.');
}
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
public function isEnabled() {
return parent::isEnabled() &&
PhabricatorEnv::getEnvConfig('ldap.auth-enabled');
}
public function getAdapter() {
if (!$this->adapter) {
$adapter = id(new PhutilAuthAdapterLDAP())
->setHostname(PhabricatorEnv::getEnvConfig('ldap.hostname'))
->setPort(PhabricatorEnv::getEnvConfig('ldap.port'))
->setBaseDistinguishedName(PhabricatorEnv::getEnvConfig('ldap.base_dn'))
->setSearchAttribute(
PhabricatorEnv::getEnvConfig('ldap.search_attribute'))
->setUsernameAttribute(
PhabricatorEnv::getEnvConfig('ldap.username-attribute'))
->setLDAPVersion(PhabricatorEnv::getEnvConfig('ldap.version'))
->setLDAPReferrals(PhabricatorEnv::getEnvConfig('ldap.referrals'))
->setLDAPStartTLS(PhabricatorEnv::getEnvConfig('ldap.start-tls'))
->setAnonymousUsername(
PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name'))
->setAnonymousPassword(
new PhutilOpaqueEnvelope(
PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password')))
->setSearchFirst(PhabricatorEnv::getEnvConfig('ldap.search-first'))
->setActiveDirectoryDomain(
PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain'));
$this->adapter = $adapter;
}
return $this->adapter;
}
public function shouldAllowLogin() {
return true;
}
public function shouldAllowRegistration() {
return true;
}
public function shouldAllowAccountLink() {
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189
2013-06-17 15:12:45 +02:00
return true;
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
}
public function shouldAllowAccountUnlink() {
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189
2013-06-17 15:12:45 +02:00
return true;
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
}
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189
2013-06-17 15:12:45 +02:00
protected function renderLoginForm(AphrontRequest $request, $is_link) {
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
$viewer = $request->getUser();
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
$dialog = id(new AphrontDialogView())
->setSubmitURI($this->getLoginURI())
->setUser($viewer);
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189
2013-06-17 15:12:45 +02:00
if ($is_link) {
$dialog->setTitle(pht('Link LDAP Account'));
$dialog->addSubmitButton(pht('Link Accounts'));
} else if ($this->shouldAllowRegistration()) {
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
$dialog->setTitle(pht('Login or Register with LDAP'));
$dialog->addSubmitButton(pht('Login or Register'));
} else {
$dialog->setTitle(pht('Login with LDAP'));
$dialog->addSubmitButton(pht('Login'));
}
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
$v_user = $request->getStr('ldap_username');
$e_user = null;
$e_pass = null;
$errors = array();
if ($request->isHTTPPost()) {
// NOTE: This is intentionally vague so as not to disclose whether a
// given username exists.
$e_user = pht('Invalid');
$e_pass = pht('Invalid');
$errors[] = pht('Username or password are incorrect.');
}
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
$form = id(new AphrontFormLayoutView())
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
->setUser($viewer)
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
->setFullWidth(true)
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
->appendChild(
id(new AphrontFormTextControl())
->setLabel('LDAP Username')
->setName('ldap_username')
->setValue($v_user)
->setError($e_user))
->appendChild(
id(new AphrontFormPasswordControl())
->setLabel('LDAP Password')
->setName('ldap_password')
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
->setError($e_pass));
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
if ($errors) {
$errors = id(new AphrontErrorView())->setErrors($errors);
}
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209
2013-06-17 01:31:57 +02:00
$dialog->appendChild($errors);
$dialog->appendChild($form);
return $dialog;
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177
2013-06-16 19:18:34 +02:00
}
public function processLoginRequest(
PhabricatorAuthLoginController $controller) {
$request = $controller->getRequest();
$viewer = $request->getUser();
$response = null;
$account = null;
$username = $request->getStr('ldap_username');
$password = $request->getStr('ldap_password');
$has_password = strlen($password);
$password = new PhutilOpaqueEnvelope($password);
if (!strlen($username) || !$has_password) {
$response = $controller->buildProviderPageResponse(
$this,
$this->renderLoginForm($request));
return array($account, $response);
}
try {
if (strlen($username) && $has_password) {
$adapter = $this->getAdapter();
$adapter->setLoginUsername($username);
$adapter->setLoginPassword($password);
// TODO: This calls ldap_bind() eventually, which dumps cleartext
// passwords to the error log. See note in PhutilAuthAdapterLDAP.
// See T3351.
DarkConsoleErrorLogPluginAPI::enableDiscardMode();
$account_id = $adapter->getAccountID();
DarkConsoleErrorLogPluginAPI::disableDiscardMode();
} else {
throw new Exception("Username and password are required!");
}
} catch (Exception $ex) {
// TODO: Make this cleaner.
throw $ex;
}
return array($this->loadOrCreateAccount($account_id), $response);
}
}
Copy permalink