[Security] Ability to add roles in form_login_ldap by ldap group

Spomky · Spomky · commit 172a40aeb85a · 2023-10-20T18:21:59.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/UserProvider/LdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/UserProvider/LdapFactory.php
@@ -26,6 +26,7 @@ class LdapFactory implements UserProviderFactoryInterface
 {
     public function create(ContainerBuilder $container, string $id, array $config): void
     {
+        $roleFetcher = $config['role_fetcher'] ? new Reference($config['role_fetcher']) : null;
         $container
             ->setDefinition($id, new ChildDefinition('security.user.provider.ldap'))
             ->replaceArgument(0, new Reference($config['service']))
@@ -37,6 +38,7 @@ public function create(ContainerBuilder $container, string $id, array $config):
             ->replaceArgument(6, $config['filter'])
             ->replaceArgument(7, $config['password_attribute'])
             ->replaceArgument(8, $config['extra_fields'])
+            ->replaceArgument(9, $roleFetcher)
         ;
     }
 
@@ -63,6 +65,7 @@ public function addConfiguration(NodeDefinition $node): void
                     ->requiresAtLeastOneElement()
                     ->prototype('scalar')->end()
                 ->end()
+                ->scalarNode('role_fetcher')->defaultNull()->end()
                 ->scalarNode('uid_key')->defaultValue('sAMAccountName')->end()
                 ->scalarNode('filter')->defaultValue('({uid_key}={username})')->end()
                 ->scalarNode('password_attribute')->defaultNull()->end()
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security.php
@@ -256,6 +256,7 @@
                 abstract_arg('filter'),
                 abstract_arg('password_attribute'),
                 abstract_arg('extra_fields (email etc)'),
+                abstract_arg('role fetcher'),
             ])
 
         ->set('security.user.provider.chain', ChainUserProvider::class)
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/DummyRoleFetcher.php b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/DummyRoleFetcher.php
@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\Ldap\Entry;
+use Symfony\Component\Ldap\Security\RoleFetcherInterface;
+
+class DummyRoleFetcher implements RoleFetcherInterface
+{
+    public function fetchRoles(Entry $entry): array
+    {
+        dd($entry); // Tests to be written
+    }
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/JsonLoginLdap/config.yml b/src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/JsonLoginLdap/config.yml
@@ -4,6 +4,9 @@ services:
     Symfony\Component\Ldap\Ldap:
         arguments: ['@Symfony\Component\Ldap\Adapter\ExtLdap\Adapter']
 
+    test_role_fetcher:
+        class: Symfony\Bundle\SecurityBundle\Tests\Functional\DummyRoleFetcher
+
     Symfony\Component\Ldap\Adapter\ExtLdap\Adapter:
         arguments:
             -   host: 'localhost'
@@ -22,6 +25,7 @@ security:
                 default_roles: ROLE_USER
                 uid_key: uid
                 extra_fields: ['email']
+                role_fetcher: 'test_role_fetcher'
 
     firewalls:
         main:
diff --git a/src/Symfony/Component/Ldap/Security/LdapUserProvider.php b/src/Symfony/Component/Ldap/Security/LdapUserProvider.php
@@ -44,8 +44,9 @@ class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterfa
     private string $defaultSearch;
     private ?string $passwordAttribute;
     private array $extraFields;
+    private ?RoleFetcherInterface $roleFetcher;
 
-    public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, #[\SensitiveParameter] string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [])
+    public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, #[\SensitiveParameter] string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = [], RoleFetcherInterface $roleFetcher = null)
     {
         $uidKey ??= 'sAMAccountName';
         $filter ??= '({uid_key}={user_identifier})';
@@ -59,6 +60,7 @@ public function __construct(LdapInterface $ldap, string $baseDn, string $searchD
         $this->defaultSearch = str_replace('{uid_key}', $uidKey, $filter);
         $this->passwordAttribute = $passwordAttribute;
         $this->extraFields = $extraFields;
+        $this->roleFetcher = $roleFetcher;
     }
 
     public function loadUserByIdentifier(string $identifier): UserInterface
@@ -154,7 +156,12 @@ protected function loadUser(string $identifier, Entry $entry): UserInterface
             $extraFields[$field] = $this->getAttributeValue($entry, $field);
         }
 
-        return new LdapUser($entry, $identifier, $password, $this->defaultRoles, $extraFields);
+        $roles = $this->defaultRoles;
+        if (null !== $this->roleFetcher) {
+            $roles = $this->roleFetcher->fetchRoles($entry);
+        }
+
+        return new LdapUser($entry, $identifier, $password, $roles, $extraFields);
     }
 
     private function getAttributeValue(Entry $entry, string $attribute): mixed
diff --git a/src/Symfony/Component/Ldap/Security/RoleFetcherInterface.php b/src/Symfony/Component/Ldap/Security/RoleFetcherInterface.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Symfony\Component\Ldap\Entry;
+
+/**
+ * Fetches LDAP roles for a given entry.
+ */
+interface RoleFetcherInterface
+{
+    /**
+     * @return string[] The list of roles
+     */
+    public function fetchRoles(Entry $entry): array;
+}
diff --git a/src/Symfony/Component/Ldap/Tests/Security/LdapUserProviderTest.php b/src/Symfony/Component/Ldap/Tests/Security/LdapUserProviderTest.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Ldap\Security\LdapUser;
 use Symfony\Component\Ldap\Security\LdapUserProvider;
+use Symfony\Component\Ldap\Security\RoleFetcherInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 
@@ -388,4 +389,47 @@ public function testRefreshUserShouldReturnUserWithSameProperties()
 
         $this->assertEquals($user, $provider->refreshUser($user));
     }
+
+    public function testLoadUserWithCorrectRoles()
+    {
+        // Given
+        $result = $this->createMock(CollectionInterface::class);
+        $query = $this->createMock(QueryInterface::class);
+        $query
+            ->method('execute')
+            ->willReturn($result)
+        ;
+        $ldap = $this->createMock(LdapInterface::class);
+        $result
+            ->method('offsetGet')
+            ->with(0)
+            ->willReturn(new Entry('foo', ['sAMAccountName' => ['foo']]))
+        ;
+        $result
+            ->method('count')
+            ->willReturn(1)
+        ;
+        $ldap
+            ->method('escape')
+            ->willReturn('foo')
+        ;
+        $ldap
+            ->method('query')
+            ->willReturn($query)
+        ;
+        $roleFetcher = $this->createMock(RoleFetcherInterface::class);
+        $roleFetcher
+            ->method('fetchRoles')
+            ->willReturn(['ROLE_FOO', 'ROLE_BAR'])
+        ;
+
+        $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com', roleFetcher: $roleFetcher);
+
+        // When
+        $user = $provider->loadUserByIdentifier('foo');
+
+        // Then
+        $this->assertInstanceOf(LdapUser::class, $user);
+        $this->assertSame(['ROLE_FOO', 'ROLE_BAR'], $user->getRoles());
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ class LdapFactory implements UserProviderFactoryInterface`
`26`	`26`	`{`
`27`	`27`	`public function create(ContainerBuilder $container, string $id, array $config): void`
`28`	`28`	`{`
	`29`	`+ $roleFetcher = $config['role_fetcher'] ? new Reference($config['role_fetcher']) : null;`
`29`	`30`	`$container`
`30`	`31`	`->setDefinition($id, new ChildDefinition('security.user.provider.ldap'))`
`31`	`32`	`->replaceArgument(0, new Reference($config['service']))`
`@@ -37,6 +38,7 @@ public function create(ContainerBuilder $container, string $id, array $config):`
`37`	`38`	`->replaceArgument(6, $config['filter'])`
`38`	`39`	`->replaceArgument(7, $config['password_attribute'])`
`39`	`40`	`->replaceArgument(8, $config['extra_fields'])`
	`41`	`+ ->replaceArgument(9, $roleFetcher)`
`40`	`42`	`;`
`41`	`43`	`}`
`42`	`44`
`@@ -63,6 +65,7 @@ public function addConfiguration(NodeDefinition $node): void`
`63`	`65`	`->requiresAtLeastOneElement()`
`64`	`66`	`->prototype('scalar')->end()`
`65`	`67`	`->end()`
	`68`	`+ ->scalarNode('role_fetcher')->defaultNull()->end()`
`66`	`69`	`->scalarNode('uid_key')->defaultValue('sAMAccountName')->end()`
`67`	`70`	`->scalarNode('filter')->defaultValue('({uid_key}={username})')->end()`
`68`	`71`	`->scalarNode('password_attribute')->defaultNull()->end()`