phorge-phorge/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php

<?php

final class PhabricatorAuthProviderLDAP
  extends PhabricatorAuthProvider {

  private $adapter;

  public function getProviderName() {
    return pht('LDAP');
  }

  public function isEnabled() {
    return parent::isEnabled() &&
           PhabricatorEnv::getEnvConfig('ldap.auth-enabled');
  }

  public function getAdapter() {
    if (!$this->adapter) {
      $adapter = id(new PhutilAuthAdapterLDAP())
        ->setHostname(PhabricatorEnv::getEnvConfig('ldap.hostname'))
        ->setPort(PhabricatorEnv::getEnvConfig('ldap.port'))
        ->setBaseDistinguishedName(PhabricatorEnv::getEnvConfig('ldap.base_dn'))
        ->setSearchAttribute(
            PhabricatorEnv::getEnvConfig('ldap.search_attribute'))
        ->setUsernameAttribute(
            PhabricatorEnv::getEnvConfig('ldap.username-attribute'))
        ->setLDAPVersion(PhabricatorEnv::getEnvConfig('ldap.version'))
        ->setLDAPReferrals(PhabricatorEnv::getEnvConfig('ldap.referrals'))
        ->setLDAPStartTLS(PhabricatorEnv::getEnvConfig('ldap.start-tls'))
        ->setAnonymousUsername(
            PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name'))
        ->setAnonymousPassword(
            new PhutilOpaqueEnvelope(
              PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password')))
        ->setSearchFirst(PhabricatorEnv::getEnvConfig('ldap.search-first'))
        ->setActiveDirectoryDomain(
            PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain'));
      $this->adapter = $adapter;
    }
    return $this->adapter;
  }

  public function shouldAllowLogin() {
    return true;
  }

  public function shouldAllowRegistration() {
    return true;
  }

  public function shouldAllowAccountLink() {
    return true;
  }

  public function shouldAllowAccountUnlink() {
    return true;
  }

  protected function renderLoginForm(AphrontRequest $request, $is_link) {
    $viewer = $request->getUser();

    $dialog = id(new AphrontDialogView())
      ->setSubmitURI($this->getLoginURI())
      ->setUser($viewer);

    if ($is_link) {
      $dialog->setTitle(pht('Link LDAP Account'));
      $dialog->addSubmitButton(pht('Link Accounts'));
    } else if ($this->shouldAllowRegistration()) {
      $dialog->setTitle(pht('Login or Register with LDAP'));
      $dialog->addSubmitButton(pht('Login or Register'));
    } else {
      $dialog->setTitle(pht('Login with LDAP'));
      $dialog->addSubmitButton(pht('Login'));
    }

    $v_user = $request->getStr('ldap_username');

    $e_user = null;
    $e_pass = null;

    $errors = array();
    if ($request->isHTTPPost()) {
      // NOTE: This is intentionally vague so as not to disclose whether a
      // given username exists.
      $e_user = pht('Invalid');
      $e_pass = pht('Invalid');
      $errors[] = pht('Username or password are incorrect.');
    }

    $form = id(new AphrontFormLayoutView())
      ->setUser($viewer)
      ->setFullWidth(true)
      ->appendChild(
        id(new AphrontFormTextControl())
          ->setLabel('LDAP Username')
          ->setName('ldap_username')
          ->setValue($v_user)
          ->setError($e_user))
      ->appendChild(
        id(new AphrontFormPasswordControl())
          ->setLabel('LDAP Password')
          ->setName('ldap_password')
          ->setError($e_pass));

    if ($errors) {
      $errors = id(new AphrontErrorView())->setErrors($errors);
    }

    $dialog->appendChild($errors);
    $dialog->appendChild($form);


    return $dialog;
  }

  public function processLoginRequest(
    PhabricatorAuthLoginController $controller) {

    $request = $controller->getRequest();
    $viewer = $request->getUser();
    $response = null;
    $account = null;

    $username = $request->getStr('ldap_username');
    $password = $request->getStr('ldap_password');
    $has_password = strlen($password);
    $password = new PhutilOpaqueEnvelope($password);

    if (!strlen($username) || !$has_password) {
      $response = $controller->buildProviderPageResponse(
        $this,
        $this->renderLoginForm($request));
      return array($account, $response);
    }

    try {
      if (strlen($username) && $has_password) {
        $adapter = $this->getAdapter();
        $adapter->setLoginUsername($username);
        $adapter->setLoginPassword($password);

        // TODO: This calls ldap_bind() eventually, which dumps cleartext
        // passwords to the error log. See note in PhutilAuthAdapterLDAP.
        // See T3351.

        DarkConsoleErrorLogPluginAPI::enableDiscardMode();
          $account_id = $adapter->getAccountID();
        DarkConsoleErrorLogPluginAPI::disableDiscardMode();
      } else {
        throw new Exception("Username and password are required!");
      }
    } catch (Exception $ex) {
      // TODO: Make this cleaner.
      throw $ex;
    }

    return array($this->loadOrCreateAccount($account_id), $response);
  }

}
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`<?php`

			`final class PhabricatorAuthProviderLDAP`
			`extends PhabricatorAuthProvider {`

			`private $adapter;`

			`public function getProviderName() {`
			`return pht('LDAP');`
			`}`

			`public function isEnabled() {`
			`return parent::isEnabled() &&`
			`PhabricatorEnv::getEnvConfig('ldap.auth-enabled');`
			`}`

			`public function getAdapter() {`
			`if (!$this->adapter) {`
			`$adapter = id(new PhutilAuthAdapterLDAP())`
			`->setHostname(PhabricatorEnv::getEnvConfig('ldap.hostname'))`
			`->setPort(PhabricatorEnv::getEnvConfig('ldap.port'))`
			`->setBaseDistinguishedName(PhabricatorEnv::getEnvConfig('ldap.base_dn'))`
			`->setSearchAttribute(`
			`PhabricatorEnv::getEnvConfig('ldap.search_attribute'))`
			`->setUsernameAttribute(`
			`PhabricatorEnv::getEnvConfig('ldap.username-attribute'))`
			`->setLDAPVersion(PhabricatorEnv::getEnvConfig('ldap.version'))`
			`->setLDAPReferrals(PhabricatorEnv::getEnvConfig('ldap.referrals'))`
			`->setLDAPStartTLS(PhabricatorEnv::getEnvConfig('ldap.start-tls'))`
			`->setAnonymousUsername(`
			`PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name'))`
			`->setAnonymousPassword(`
			`new PhutilOpaqueEnvelope(`
			`PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password')))`
			`->setSearchFirst(PhabricatorEnv::getEnvConfig('ldap.search-first'))`
			`->setActiveDirectoryDomain(`
			`PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain'));`
			`$this->adapter = $adapter;`
			`}`
			`return $this->adapter;`
			`}`

			`public function shouldAllowLogin() {`
			`return true;`
			`}`

			`public function shouldAllowRegistration() {`
			`return true;`
			`}`

			`public function shouldAllowAccountLink() {`
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189 2013-06-17 15:12:45 +02:00			`return true;`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`}`

			`public function shouldAllowAccountUnlink() {`
Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189 2013-06-17 15:12:45 +02:00			`return true;`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`}`

Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189 2013-06-17 15:12:45 +02:00			`protected function renderLoginForm(AphrontRequest $request, $is_link) {`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`$viewer = $request->getUser();`

Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`$dialog = id(new AphrontDialogView())`
			`->setSubmitURI($this->getLoginURI())`
			`->setUser($viewer);`

Move all account link / unlink to new registration flow Summary: Ref T1536. Currently, we have separate panels for each link/unlink and separate controllers for OAuth vs LDAP. Instead, provide a single "External Accounts" panel which shows all linked accounts and allows you to link/unlink more easily. Move link/unlink over to a full externalaccount-based workflow. Test Plan: - Linked and unlinked OAuth accounts. - Linked and unlinked LDAP accounts. - Registered new accounts. - Exercised most/all of the error cases. Reviewers: btrahan, chad Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6189 2013-06-17 15:12:45 +02:00			`if ($is_link) {`
			`$dialog->setTitle(pht('Link LDAP Account'));`
			`$dialog->addSubmitButton(pht('Link Accounts'));`
			`} else if ($this->shouldAllowRegistration()) {`
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`$dialog->setTitle(pht('Login or Register with LDAP'));`
			`$dialog->addSubmitButton(pht('Login or Register'));`
			`} else {`
			`$dialog->setTitle(pht('Login with LDAP'));`
			`$dialog->addSubmitButton(pht('Login'));`
			`}`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00
			`$v_user = $request->getStr('ldap_username');`

			`$e_user = null;`
			`$e_pass = null;`

			`$errors = array();`
			`if ($request->isHTTPPost()) {`
			`// NOTE: This is intentionally vague so as not to disclose whether a`
			`// given username exists.`
			`$e_user = pht('Invalid');`
			`$e_pass = pht('Invalid');`
			`$errors[] = pht('Username or password are incorrect.');`
			`}`

Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`$form = id(new AphrontFormLayoutView())`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`->setUser($viewer)`
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`->setFullWidth(true)`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`->appendChild(`
			`id(new AphrontFormTextControl())`
			`->setLabel('LDAP Username')`
			`->setName('ldap_username')`
			`->setValue($v_user)`
			`->setError($e_user))`
			`->appendChild(`
			`id(new AphrontFormPasswordControl())`
			`->setLabel('LDAP Password')`
			`->setName('ldap_password')`
Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`->setError($e_pass));`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00
			`if ($errors) {`
			`$errors = id(new AphrontErrorView())->setErrors($errors);`
			`}`

Add login buttons for button logins, fix LDAP form Summary: Ref T1536. Test Plan: {F46555} {F46556} Reviewers: chad, btrahan Reviewed By: chad CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6209 2013-06-17 01:31:57 +02:00			`$dialog->appendChild($errors);`
			`$dialog->appendChild($form);`


			`return $dialog;`
Move LDAP to new registration flow Summary: Ref T1536. LDAP is very likely the worst thing in existence. This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr Test Plan: Registered and logged in using LDAP. Reviewers: btrahan Reviewed By: btrahan CC: aran, mbishopim3 Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6177 2013-06-16 19:18:34 +02:00			`}`

			`public function processLoginRequest(`
			`PhabricatorAuthLoginController $controller) {`

			`$request = $controller->getRequest();`
			`$viewer = $request->getUser();`
			`$response = null;`
			`$account = null;`

			`$username = $request->getStr('ldap_username');`
			`$password = $request->getStr('ldap_password');`
			`$has_password = strlen($password);`
			`$password = new PhutilOpaqueEnvelope($password);`

			`if (!strlen($username) \|\| !$has_password) {`
			`$response = $controller->buildProviderPageResponse(`
			`$this,`
			`$this->renderLoginForm($request));`
			`return array($account, $response);`
			`}`

			`try {`
			`if (strlen($username) && $has_password) {`
			`$adapter = $this->getAdapter();`
			`$adapter->setLoginUsername($username);`
			`$adapter->setLoginPassword($password);`

			`// TODO: This calls ldap_bind() eventually, which dumps cleartext`
			`// passwords to the error log. See note in PhutilAuthAdapterLDAP.`
			`// See T3351.`

			`DarkConsoleErrorLogPluginAPI::enableDiscardMode();`
			`$account_id = $adapter->getAccountID();`
			`DarkConsoleErrorLogPluginAPI::disableDiscardMode();`
			`} else {`
			`throw new Exception("Username and password are required!");`
			`}`
			`} catch (Exception $ex) {`
			`// TODO: Make this cleaner.`
			`throw $ex;`
			`}`

			`return array($this->loadOrCreateAccount($account_id), $response);`
			`}`

			`}`