added LdapQueryAuthenticationProvider

lsmith77 · lsmith77 · commit 04b82a8e81c7 · 2017-01-25T18:44:51.000+01:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php
@@ -26,16 +26,23 @@ class FormLoginLdapFactory extends FormLoginFactory
 {
     protected function createAuthProvider(ContainerBuilder $container, $id, $config, $userProviderId)
     {
-        $provider = 'security.authentication.provider.ldap_bind.'.$id;
-        $container
-            ->setDefinition($provider, new ChildDefinition('security.authentication.provider.ldap_bind'))
+        $method = empty($config['query_string']) ? 'bind' : 'query';
+
+        $provider = 'security.authentication.provider.ldap_'.$method.'.'.$id;
+
+        $parent = 'security.authentication.provider.ldap_'.$method;
+        $definition = $container->setDefinition($provider, new ChildDefinition($parent))
             ->replaceArgument(0, new Reference($userProviderId))
             ->replaceArgument(1, new Reference('security.user_checker.'.$id))
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
         ;
 
+        if ('query' === $method) {
+            $definition->replaceArgument(5, $config['query_string']);
+        }
+
         return $provider;
     }
 
@@ -47,6 +54,7 @@ public function addConfiguration(NodeDefinition $node)
             ->children()
                 ->scalarNode('service')->defaultValue('ldap')->end()
                 ->scalarNode('dn_string')->defaultValue('{username}')->end()
+                ->scalarNode('query_string')->end()
             ->end()
         ;
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -201,6 +201,16 @@
             <argument>%security.authentication.hide_user_not_found%</argument>
         </service>
 
+        <service id="security.authentication.provider.ldap_query" class="Symfony\Component\Security\Core\Authentication\Provider\LdapQueryAuthenticationProvider" public="false" abstract="true">
+            <argument /> <!-- User Provider -->
+            <argument /> <!-- UserChecker -->
+            <argument /> <!-- Provider-shared Key -->
+            <argument /> <!-- LDAP -->
+            <argument /> <!-- Base DN -->
+            <argument /> <!-- Query DN -->
+            <argument>%security.authentication.hide_user_not_found%</argument>
+        </service>
+
         <service id="security.authentication.provider.simple" class="Symfony\Component\Security\Core\Authentication\Provider\SimpleAuthenticationProvider" abstract="true" public="false">
             <argument /> <!-- Simple Authenticator -->
             <argument /> <!-- User Provider -->
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapQueryAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapQueryAuthenticationProvider.php
@@ -0,0 +1,98 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Provider;
+
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Ldap\LdapInterface;
+use Symfony\Component\Ldap\Exception\ConnectionException;
+
+/**
+ * LdapQueryAuthenticationProvider authenticates a user against an LDAP server.
+ *
+ * The only way to check user credentials is to first find the DN via query and then bind
+ *
+ * @author Charles Sarrazin <charles@sarraz.in>
+ * @author Lukas Kahwe Smith <smith@pooteeweet.org>
+ */
+class LdapQueryAuthenticationProvider extends UserAuthenticationProvider
+{
+    private $userProvider;
+    private $ldap;
+    private $dnString;
+    private $queryString;
+
+    /**
+     * Constructor.
+     *
+     * @param UserProviderInterface $userProvider               A UserProvider
+     * @param UserCheckerInterface  $userChecker                A UserChecker
+     * @param string                $providerKey                The provider key
+     * @param LdapInterface         $ldap                       A Ldap client
+     * @param string                $dnString                   A string with the query DN
+     * @param string                $queryString                A string used to create the query query
+     * @param bool                  $hideUserNotFoundExceptions Whether to hide user not found exception or not
+     */
+    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, LdapInterface $ldap, $dnString, $queryString = '{username}', $hideUserNotFoundExceptions = true)
+    {
+        parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);
+
+        $this->userProvider = $userProvider;
+        $this->ldap = $ldap;
+        $this->dnString = $dnString;
+        $this->queryString = $queryString;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function retrieveUser($username, UsernamePasswordToken $token)
+    {
+        if (AuthenticationProviderInterface::USERNAME_NONE_PROVIDED === $username) {
+            throw new UsernameNotFoundException('Username can not be null');
+        }
+
+        return $this->userProvider->loadUserByUsername($username);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
+    {
+        $username = $token->getUsername();
+        $password = $token->getCredentials();
+
+        if ('' === $password) {
+            throw new BadCredentialsException('The presented password must not be empty.');
+        }
+
+        try {
+            $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
+            $query = str_replace('{username}', $username, $this->queryString);
+
+            $query = $this->ldap->query($this->dnString, $query);
+            $result = $query->execute();
+            if (1 !== $result->count()) {
+                throw new BadCredentialsException('The presented password is invalid.');
+            }
+
+            $this->ldap->bind($result->getIterator()->current()->getDn(), $password);
+        } catch (ConnectionException $e) {
+            throw new BadCredentialsException('The presented password is invalid.');
+        }
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -26,16 +26,23 @@ class FormLoginLdapFactory extends FormLoginFactory`
`26`	`26`	`{`
`27`	`27`	`protected function createAuthProvider(ContainerBuilder $container, $id, $config, $userProviderId)`
`28`	`28`	`{`
`29`		`- $provider = 'security.authentication.provider.ldap_bind.'.$id;`
`30`		`- $container`
`31`		`- ->setDefinition($provider, new ChildDefinition('security.authentication.provider.ldap_bind'))`
	`29`	`+ $method = empty($config['query_string']) ? 'bind' : 'query';`
	`30`	`+`
	`31`	`+ $provider = 'security.authentication.provider.ldap_'.$method.'.'.$id;`
	`32`	`+`
	`33`	`+ $parent = 'security.authentication.provider.ldap_'.$method;`
	`34`	`+ $definition = $container->setDefinition($provider, new ChildDefinition($parent))`
`32`	`35`	`->replaceArgument(0, new Reference($userProviderId))`
`33`	`36`	`->replaceArgument(1, new Reference('security.user_checker.'.$id))`
`34`	`37`	`->replaceArgument(2, $id)`
`35`	`38`	`->replaceArgument(3, new Reference($config['service']))`
`36`	`39`	`->replaceArgument(4, $config['dn_string'])`
`37`	`40`	`;`
`38`	`41`
	`42`	`+ if ('query' === $method) {`
	`43`	`+ $definition->replaceArgument(5, $config['query_string']);`
	`44`	`+ }`
	`45`	`+`
`39`	`46`	`return $provider;`
`40`	`47`	`}`
`41`	`48`
`@@ -47,6 +54,7 @@ public function addConfiguration(NodeDefinition $node)`
`47`	`54`	`->children()`
`48`	`55`	`->scalarNode('service')->defaultValue('ldap')->end()`
`49`	`56`	`->scalarNode('dn_string')->defaultValue('{username}')->end()`
	`57`	`+ ->scalarNode('query_string')->end()`
`50`	`58`	`->end()`
`51`	`59`	`;`
`52`	`60`	`}`