phorge-phorge/src/applications/auth/controller/PhabricatorLDAPLoginController.php

<?php

/*
 * Copyright 2012 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

final class PhabricatorLDAPLoginController extends PhabricatorAuthController {
  private $provider;

  public function shouldRequireLogin() {
    return false;
  }

  public function willProcessRequest(array $data) {
    $this->provider = new PhabricatorLDAPProvider();
  }

  public function processRequest() {
    if (!$this->provider->isProviderEnabled()) {
      return new Aphront400Response();
    }

    $current_user = $this->getRequest()->getUser();
    $request = $this->getRequest();

    if ($request->isFormPost()) {
      try {
        $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
        $this->provider->auth($request->getStr('username'), $envelope);
      } catch (Exception $e) {
        $errors[] = $e->getMessage();
      }

      if (empty($errors)) {
        $ldap_info = $this->retrieveLDAPInfo($this->provider);

        if ($current_user->getPHID()) {
          if ($ldap_info->getID()) {
            $existing_ldap = id(new PhabricatorUserLDAPInfo())->loadOneWhere(
              'userID = %d',
              $current_user->getID());

            if ($ldap_info->getUserID() != $current_user->getID() ||
                $existing_ldap) {
              $dialog = new AphrontDialogView();
              $dialog->setUser($current_user);
              $dialog->setTitle('Already Linked to Another Account');
              $dialog->appendChild(
                '<p>The LDAP account you just authorized is already linked to '.
                'another Phabricator account. Before you can link it to a '.
                'different LDAP account, you must unlink the old account.</p>'
              );
              $dialog->addCancelButton('/settings/page/ldap/');

              return id(new AphrontDialogResponse())->setDialog($dialog);
            } else {
              return id(new AphrontRedirectResponse())
                ->setURI('/settings/page/ldap/');
            }
          }

          if (!$request->isDialogFormPost()) {
            $dialog = new AphrontDialogView();
            $dialog->setUser($current_user);
            $dialog->setTitle('Link LDAP Account');
            $dialog->appendChild(
              '<p>Link your LDAP account to your Phabricator account?</p>');
            $dialog->addHiddenInput('username', $request->getStr('username'));
            $dialog->addHiddenInput('password', $request->getStr('password'));
            $dialog->addSubmitButton('Link Accounts');
            $dialog->addCancelButton('/settings/page/ldap/');

            return id(new AphrontDialogResponse())->setDialog($dialog);
          }

          $ldap_info->setUserID($current_user->getID());

          $this->saveLDAPInfo($ldap_info);

          return id(new AphrontRedirectResponse())
            ->setURI('/settings/page/ldap/');
        }

        if ($ldap_info->getID()) {
          $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();

          $known_user = id(new PhabricatorUser())->load(
              $ldap_info->getUserID());

          $session_key = $known_user->establishSession('web');

          $this->saveLDAPInfo($ldap_info);

          $request->setCookie('phusr', $known_user->getUsername());
          $request->setCookie('phsid', $session_key);

          $uri = new PhutilURI('/login/validate/');
          $uri->setQueryParams(
            array(
              'phusr' => $known_user->getUsername(),
            ));

          return id(new AphrontRedirectResponse())->setURI((string)$uri);
        }

        $controller = newv('PhabricatorLDAPRegistrationController',
                      array($this->getRequest()));
        $controller->setLDAPProvider($this->provider);
        $controller->setLDAPInfo($ldap_info);

        return $this->delegateToController($controller);
      }
    }

    $ldap_username = $request->getCookie('phusr');
    $ldap_form = new AphrontFormView();
    $ldap_form
      ->setUser($request->getUser())
      ->setAction('/ldap/login/')
      ->appendChild(
        id(new AphrontFormTextControl())
        ->setLabel('LDAP username')
        ->setName('username')
        ->setValue($ldap_username))
      ->appendChild(
        id(new AphrontFormPasswordControl())
        ->setLabel('Password')
        ->setName('password'));

    $ldap_form
      ->appendChild(
        id(new AphrontFormSubmitControl())
        ->setValue('Login'));

    $panel = new AphrontPanelView();
    $panel->setWidth(AphrontPanelView::WIDTH_FORM);
    $panel->appendChild('<h1>LDAP login</h1>');
    $panel->appendChild($ldap_form);

    if (isset($errors) && count($errors) > 0) {
      $error_view = new AphrontErrorView();
      $error_view->setTitle('Login Failed');
      $error_view->setErrors($errors);
    }

    return $this->buildStandardPageResponse(
      array(
        isset($error_view) ? $error_view : null,
        $panel,
      ),
      array(
        'title' => 'Login',
      ));
  }

  private function retrieveLDAPInfo(PhabricatorLDAPProvider $provider) {
    $ldap_info = id(new PhabricatorUserLDAPInfo())->loadOneWhere(
      'ldapUsername = %s',
      $provider->retrieveUsername());

    if (!$ldap_info) {
      $ldap_info = new PhabricatorUserLDAPInfo();
      $ldap_info->setLDAPUsername($provider->retrieveUsername());
    }

    return $ldap_info;
  }

  private function saveLDAPInfo(PhabricatorUserLDAPInfo $info) {
    // UNGUARDED WRITES: Logging-in users don't have their CSRF set up yet.
    $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
    $info->save();
  }
}
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722 2012-06-13 17:52:05 +02:00			`<?php`

			`/*`
			`* Copyright 2012 Facebook, Inc.`
			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`final class PhabricatorLDAPLoginController extends PhabricatorAuthController {`
			`private $provider;`

			`public function shouldRequireLogin() {`
			`return false;`
			`}`

			`public function willProcessRequest(array $data) {`
			`$this->provider = new PhabricatorLDAPProvider();`
			`}`

			`public function processRequest() {`
			`if (!$this->provider->isProviderEnabled()) {`
			`return new Aphront400Response();`
			`}`

			`$current_user = $this->getRequest()->getUser();`
			`$request = $this->getRequest();`

			`if ($request->isFormPost()) {`
			`try {`
Use OpaqueEnvelopes for all passwords in Phabricator Summary: See D2991 / T1526. Two major changes here: - PHP just straight-up logs passwords on ldap_bind() failures. Suppress that with "@" and keep them out of DarkConsole by enabling discard mode. - Use PhutilOpaqueEnvelope whenever we send a password into a call stack. Test Plan: - Created a new account. - Reset password. - Changed password. - Logged in with valid password. - Tried to login with bad password. - Changed password via accountadmin. - Hit various LDAP errors and made sure nothing appears in the logs. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D2993 2012-07-17 21:06:33 +02:00			`$envelope = new PhutilOpaqueEnvelope($request->getStr('password'));`
			`$this->provider->auth($request->getStr('username'), $envelope);`
Made it possible to login using LDAP Summary: Made it possible to link and unlink LDAP accounts with Phabricator accounts. Test Plan: I've tested this code locally and in production where I work. I've tried creating an account from scratch by logging in with LDAP and linking and unlinking an LDAP account with an existing account. I've tried to associate the same LDAP account with different Phabricator accounts and it failed as expected. Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin, auduny, svemir Maniphest Tasks: T742 Differential Revision: https://secure.phabricator.com/D2722 2012-06-13 17:52:05 +02:00			`} catch (Exception $e) {`
			`$errors[] = $e->getMessage();`
			`}`

			`if (empty($errors)) {`
			`$ldap_info = $this->retrieveLDAPInfo($this->provider);`

			`if ($current_user->getPHID()) {`
			`if ($ldap_info->getID()) {`
			`$existing_ldap = id(new PhabricatorUserLDAPInfo())->loadOneWhere(`
			`'userID = %d',`
			`$current_user->getID());`

			`if ($ldap_info->getUserID() != $current_user->getID() \|\|`
			`$existing_ldap) {`
			`$dialog = new AphrontDialogView();`
			`$dialog->setUser($current_user);`
			`$dialog->setTitle('Already Linked to Another Account');`
			`$dialog->appendChild(`
			`'<p>The LDAP account you just authorized is already linked to '.`
			`'another Phabricator account. Before you can link it to a '.`
			`'different LDAP account, you must unlink the old account.</p>'`
			`);`
			`$dialog->addCancelButton('/settings/page/ldap/');`

			`return id(new AphrontDialogResponse())->setDialog($dialog);`
			`} else {`
			`return id(new AphrontRedirectResponse())`
			`->setURI('/settings/page/ldap/');`
			`}`
			`}`

			`if (!$request->isDialogFormPost()) {`
			`$dialog = new AphrontDialogView();`
			`$dialog->setUser($current_user);`
			`$dialog->setTitle('Link LDAP Account');`
			`$dialog->appendChild(`
			`'<p>Link your LDAP account to your Phabricator account?</p>');`
			`$dialog->addHiddenInput('username', $request->getStr('username'));`
			`$dialog->addHiddenInput('password', $request->getStr('password'));`
			`$dialog->addSubmitButton('Link Accounts');`
			`$dialog->addCancelButton('/settings/page/ldap/');`

			`return id(new AphrontDialogResponse())->setDialog($dialog);`
			`}`

			`$ldap_info->setUserID($current_user->getID());`

			`$this->saveLDAPInfo($ldap_info);`

			`return id(new AphrontRedirectResponse())`
			`->setURI('/settings/page/ldap/');`
			`}`

			`if ($ldap_info->getID()) {`
			`$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();`

			`$known_user = id(new PhabricatorUser())->load(`
			`$ldap_info->getUserID());`

			`$session_key = $known_user->establishSession('web');`

			`$this->saveLDAPInfo($ldap_info);`

			`$request->setCookie('phusr', $known_user->getUsername());`
			`$request->setCookie('phsid', $session_key);`

			`$uri = new PhutilURI('/login/validate/');`
			`$uri->setQueryParams(`
			`array(`
			`'phusr' => $known_user->getUsername(),`
			`));`

			`return id(new AphrontRedirectResponse())->setURI((string)$uri);`
			`}`

			`$controller = newv('PhabricatorLDAPRegistrationController',`
			`array($this->getRequest()));`
			`$controller->setLDAPProvider($this->provider);`
			`$controller->setLDAPInfo($ldap_info);`

			`return $this->delegateToController($controller);`
			`}`
			`}`

			`$ldap_username = $request->getCookie('phusr');`
			`$ldap_form = new AphrontFormView();`
			`$ldap_form`
			`->setUser($request->getUser())`
			`->setAction('/ldap/login/')`
			`->appendChild(`
			`id(new AphrontFormTextControl())`
			`->setLabel('LDAP username')`
			`->setName('username')`
			`->setValue($ldap_username))`
			`->appendChild(`
			`id(new AphrontFormPasswordControl())`
			`->setLabel('Password')`
			`->setName('password'));`

			`$ldap_form`
			`->appendChild(`
			`id(new AphrontFormSubmitControl())`
			`->setValue('Login'));`

			`$panel = new AphrontPanelView();`
			`$panel->setWidth(AphrontPanelView::WIDTH_FORM);`
			`$panel->appendChild('<h1>LDAP login</h1>');`
			`$panel->appendChild($ldap_form);`

			`if (isset($errors) && count($errors) > 0) {`
			`$error_view = new AphrontErrorView();`
			`$error_view->setTitle('Login Failed');`
			`$error_view->setErrors($errors);`
			`}`

			`return $this->buildStandardPageResponse(`
			`array(`
			`isset($error_view) ? $error_view : null,`
			`$panel,`
			`),`
			`array(`
			`'title' => 'Login',`
			`));`
			`}`

			`private function retrieveLDAPInfo(PhabricatorLDAPProvider $provider) {`
			`$ldap_info = id(new PhabricatorUserLDAPInfo())->loadOneWhere(`
			`'ldapUsername = %s',`
			`$provider->retrieveUsername());`

			`if (!$ldap_info) {`
			`$ldap_info = new PhabricatorUserLDAPInfo();`
			`$ldap_info->setLDAPUsername($provider->retrieveUsername());`
			`}`

			`return $ldap_info;`
			`}`

			`private function saveLDAPInfo(PhabricatorUserLDAPInfo $info) {`
			`// UNGUARDED WRITES: Logging-in users don't have their CSRF set up yet.`
			`$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();`
			`$info->save();`
			`}`
			`}`