Move LDAP to new registration flow

Summary:
Ref T1536. LDAP is very likely the worst thing in existence.

This has some rough edges (error handling isn't perfect) but is already better than the current LDAP experience! durrr

Test Plan: Registered and logged in using LDAP.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran, mbishopim3

Maniphest Tasks: T1536

Differential Revision: https://secure.phabricator.com/D6177

src/__phutil_library_map__.php

@@ -817,6 +817,7 @@ phutil_register_library_map(array(
     'PhabricatorAuthController' => 'applications/auth/controller/PhabricatorAuthController.php',
     'PhabricatorAuthLoginController' => 'applications/auth/controller/PhabricatorAuthLoginController.php',
     'PhabricatorAuthProvider' => 'applications/auth/provider/PhabricatorAuthProvider.php',
+    'PhabricatorAuthProviderLDAP' => 'applications/auth/provider/PhabricatorAuthProviderLDAP.php',
     'PhabricatorAuthProviderOAuth' => 'applications/auth/provider/PhabricatorAuthProviderOAuth.php',
     'PhabricatorAuthProviderOAuthDisqus' => 'applications/auth/provider/PhabricatorAuthProviderOAuthDisqus.php',
     'PhabricatorAuthProviderOAuthFacebook' => 'applications/auth/provider/PhabricatorAuthProviderOAuthFacebook.php',
@@ -2680,6 +2681,7 @@ phutil_register_library_map(array(
     'PhabricatorAuditReplyHandler' => 'PhabricatorMailReplyHandler',
     'PhabricatorAuthController' => 'PhabricatorController',
     'PhabricatorAuthLoginController' => 'PhabricatorAuthController',
+    'PhabricatorAuthProviderLDAP' => 'PhabricatorAuthProvider',
     'PhabricatorAuthProviderOAuth' => 'PhabricatorAuthProvider',
     'PhabricatorAuthProviderOAuthDisqus' => 'PhabricatorAuthProviderOAuth',
     'PhabricatorAuthProviderOAuthFacebook' => 'PhabricatorAuthProviderOAuth',

src/applications/auth/provider/PhabricatorAuthProviderLDAP.php

@@ -0,0 +1,162 @@
+<?php
+
+final class PhabricatorAuthProviderLDAP
+  extends PhabricatorAuthProvider {
+
+  private $adapter;
+
+  public function getProviderName() {
+    return pht('LDAP');
+  }
+
+  public function isEnabled() {
+    return parent::isEnabled() &&
+           PhabricatorEnv::getEnvConfig('ldap.auth-enabled');
+  }
+
+  public function getAdapter() {
+    if (!$this->adapter) {
+      $adapter = id(new PhutilAuthAdapterLDAP())
+        ->setHostname(PhabricatorEnv::getEnvConfig('ldap.hostname'))
+        ->setPort(PhabricatorEnv::getEnvConfig('ldap.port'))
+        ->setBaseDistinguishedName(PhabricatorEnv::getEnvConfig('ldap.base_dn'))
+        ->setSearchAttribute(
+            PhabricatorEnv::getEnvConfig('ldap.search_attribute'))
+        ->setUsernameAttribute(
+            PhabricatorEnv::getEnvConfig('ldap.username-attribute'))
+        ->setLDAPVersion(PhabricatorEnv::getEnvConfig('ldap.version'))
+        ->setLDAPReferrals(PhabricatorEnv::getEnvConfig('ldap.referrals'))
+        ->setLDAPStartTLS(PhabricatorEnv::getEnvConfig('ldap.start-tls'))
+        ->setAnonymousUsername(
+            PhabricatorEnv::getEnvConfig('ldap.anonymous-user-name'))
+        ->setAnonymousPassword(
+            new PhutilOpaqueEnvelope(
+              PhabricatorEnv::getEnvConfig('ldap.anonymous-user-password')))
+        ->setSearchFirst(PhabricatorEnv::getEnvConfig('ldap.search-first'))
+        ->setActiveDirectoryDomain(
+            PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain'));
+      $this->adapter = $adapter;
+    }
+    return $this->adapter;
+  }
+
+  public function shouldAllowLogin() {
+    return true;
+  }
+
+  public function shouldAllowRegistration() {
+    return true;
+  }
+
+  public function shouldAllowAccountLink() {
+    return false;
+  }
+
+  public function shouldAllowAccountUnlink() {
+    return false;
+  }
+
+  public function buildLoginForm(
+    PhabricatorAuthStartController $controller) {
+
+    $request = $controller->getRequest();
+    return $this->renderLoginForm($request);
+  }
+
+  private function renderLoginForm(AphrontRequest $request) {
+
+    $viewer = $request->getUser();
+
+    $submit = id(new AphrontFormSubmitControl())
+      ->setValue(pht('Login or Register'));
+
+    $header = id(new PhabricatorHeaderView())
+      ->setHeader(pht('Login with LDAP'));
+
+    $v_user = $request->getStr('ldap_username');
+
+    $e_user = null;
+    $e_pass = null;
+
+    $errors = array();
+    if ($request->isHTTPPost()) {
+      // NOTE: This is intentionally vague so as not to disclose whether a
+      // given username exists.
+      $e_user = pht('Invalid');
+      $e_pass = pht('Invalid');
+      $errors[] = pht('Username or password are incorrect.');
+    }
+
+    $form = id(new AphrontFormView())
+      ->setAction($this->getLoginURI())
+      ->setUser($viewer)
+      ->setFlexible(true)
+      ->appendChild(
+        id(new AphrontFormTextControl())
+          ->setLabel('LDAP Username')
+          ->setName('ldap_username')
+          ->setValue($v_user)
+          ->setError($e_user))
+      ->appendChild(
+        id(new AphrontFormPasswordControl())
+          ->setLabel('LDAP Password')
+          ->setName('ldap_password')
+          ->setError($e_pass))
+      ->appendChild($submit);
+
+    if ($errors) {
+      $errors = id(new AphrontErrorView())->setErrors($errors);
+    }
+
+    return array(
+      $errors,
+      $header,
+      $form,
+    );
+  }
+
+  public function processLoginRequest(
+    PhabricatorAuthLoginController $controller) {
+
+    $request = $controller->getRequest();
+    $viewer = $request->getUser();
+    $response = null;
+    $account = null;
+
+    $username = $request->getStr('ldap_username');
+    $password = $request->getStr('ldap_password');
+    $has_password = strlen($password);
+    $password = new PhutilOpaqueEnvelope($password);
+
+    if (!strlen($username) || !$has_password) {
+      $response = $controller->buildProviderPageResponse(
+        $this,
+        $this->renderLoginForm($request));
+      return array($account, $response);
+    }
+
+    try {
+      if (strlen($username) && $has_password) {
+        $adapter = $this->getAdapter();
+        $adapter->setLoginUsername($username);
+        $adapter->setLoginPassword($password);
+
+        // TODO: This calls ldap_bind() eventually, which dumps cleartext
+        // passwords to the error log. See note in PhutilAuthAdapterLDAP.
+        // See T3351.
+
+        DarkConsoleErrorLogPluginAPI::enableDiscardMode();
+          $account_id = $adapter->getAccountID();
+        DarkConsoleErrorLogPluginAPI::disableDiscardMode();
+      } else {
+        throw new Exception("Username and password are required!");
+      }
+    } catch (Exception $ex) {
+      // TODO: Make this cleaner.
+      throw $ex;
+    }
+
+    return array($this->loadOrCreateAccount($account_id), $response);
+  }
+
+}

src/applications/auth/provider/PhabricatorAuthProviderPassword.php

@@ -164,7 +164,6 @@ final class PhabricatorAuthProviderPassword
 
     if (!$require_captcha || $captcha_valid) {
       $username_or_email = $request->getStr('username');
-
       if (strlen($username_or_email)) {
         $user = id(new PhabricatorUser())->loadOneWhere(
           'username = %s',
@@ -173,13 +172,13 @@ final class PhabricatorAuthProviderPassword
         if (!$user) {
           $user = PhabricatorUser::loadOneWithEmailAddress($username_or_email);
         }
-      }
 
-      if ($user) {
-        $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
-        if ($user->comparePassword($envelope)) {
-          $account = $this->loadOrCreateAccount($user->getPHID());
-          $log_user = $user;
+        if ($user) {
+          $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
+          if ($user->comparePassword($envelope)) {
+            $account = $this->loadOrCreateAccount($user->getPHID());
+            $log_user = $user;
+          }
         }
       }
     }