Allow to use ldap in a chain provider

l-vo · l-vo · commit 726db7089320 · 2023-08-08T13:32:34.000+02:00
diff --git a/src/Symfony/Component/Ldap/Attribute/WithLdapPassword.php b/src/Symfony/Component/Ldap/Attribute/WithLdapPassword.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace Symfony\Component\Ldap\Attribute;
+
+#[\Attribute(\Attribute::TARGET_CLASS)]
+class WithLdapPassword
+{
+    public function __construct(public readonly bool $enabled = true) {}
+}
diff --git a/src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php b/src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php
@@ -13,11 +13,13 @@
 
 use Psr\Container\ContainerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Ldap\Attribute\WithLdapPassword;
 use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
 use Symfony\Component\Ldap\Exception\InvalidSearchCredentialsException;
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 
@@ -48,9 +50,6 @@ public function onCheckPassport(CheckPassportEvent $event)
 
         /** @var LdapBadge $ldapBadge */
         $ldapBadge = $passport->getBadge(LdapBadge::class);
-        if ($ldapBadge->isResolved()) {
-            return;
-        }
 
         if (!$passport->hasBadge(PasswordCredentials::class)) {
             throw new \LogicException(sprintf('LDAP authentication requires a passport containing password credentials, authenticator "%s" does not fulfill these requirements.', $event->getAuthenticator()::class));
@@ -72,6 +71,16 @@ public function onCheckPassport(CheckPassportEvent $event)
         }
 
         $user = $passport->getUser();
+        $nonLdapUserWithoutLdapPasswordAttribute = false;
+        if (!$user instanceof LdapUser) {
+            $reflectionClass = new \ReflectionClass($user);
+            $attr = $reflectionClass->getAttributes(WithLdapPassword::class);
+
+            $nonLdapUserWithoutLdapPasswordAttribute = count($attr) === 0;
+            if (!$nonLdapUserWithoutLdapPasswordAttribute && !$attr[0]->newInstance()->enabled) {
+                return;
+            }
+        }
 
         /** @var LdapInterface $ldap */
         $ldap = $this->ldapLocator->get($ldapBadge->getLdapServiceId());
@@ -104,8 +113,11 @@ public function onCheckPassport(CheckPassportEvent $event)
             throw new BadCredentialsException('The presented password is invalid.');
         }
 
+        if ($nonLdapUserWithoutLdapPasswordAttribute) {
+            trigger_deprecation('symfony/ldap', '6.4', 'Authenticate a user that is not an instance of %s is deprecated and won\'t be the default behavior anymore in 7.0. Use the %s attribute to keep this behavior.', LdapUser::class, WithLdapPassword::class);
+        }
+
         $passwordCredentials->markResolved();
-        $ldapBadge->markResolved();
     }
 
     public static function getSubscribedEvents(): array
diff --git a/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php b/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php
@@ -60,7 +60,7 @@ public function supports(Request $request): ?bool
     public function authenticate(Request $request): Passport
     {
         $passport = $this->authenticator->authenticate($request);
-        $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString));
+        $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString, true));
 
         return $passport;
     }
diff --git a/src/Symfony/Component/Ldap/Security/LdapBadge.php b/src/Symfony/Component/Ldap/Security/LdapBadge.php
@@ -24,14 +24,14 @@
  */
 class LdapBadge implements BadgeInterface
 {
-    private bool $resolved = false;
+    private bool $resolved = true;
     private string $ldapServiceId;
     private string $dnString;
     private string $searchDn;
     private string $searchPassword;
     private ?string $queryString;
 
-    public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null)
+    public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null, bool $resolved = false)
     {
         $this->ldapServiceId = $ldapServiceId;
         $dnString = str_replace('{username}', '{user_identifier}', $dnString, $replaceCount);
@@ -46,6 +46,10 @@ public function __construct(string $ldapServiceId, string $dnString = '{user_ide
             trigger_deprecation('symfony/ldap', '6.2', 'Using "{username}" parameter in LDAP configuration is deprecated, consider using "{user_identifier}" instead.');
         }
         $this->queryString = $queryString;
+        $this->resolved = $resolved;
+        if (false === $this->resolved) {
+            trigger_deprecation('symfony/ldap', '6.4', 'Passing "false" as resolved initial value is deprecated, use "true" instead.');
+        }
     }
 
     public function getLdapServiceId(): string
@@ -75,6 +79,8 @@ public function getQueryString(): ?string
 
     public function markResolved(): void
     {
+        trigger_deprecation('symfony/ldap', '6.4', '%s is deprecated and will be removed in 7.0. %s is intended to bear LDAP information and doesn\'t need to be resolved anymore.', __METHOD__, __CLASS__);
+
         $this->resolved = true;
     }
 
diff --git a/src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php b/src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php
@@ -14,19 +14,23 @@
 use PHPUnit\Framework\MockObject\MockObject;
 use PHPUnit\Framework\TestCase;
 use Psr\Container\ContainerInterface;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Ldap\Adapter\CollectionInterface;
 use Symfony\Component\Ldap\Adapter\QueryInterface;
+use Symfony\Component\Ldap\Attribute\WithLdapPassword;
 use Symfony\Component\Ldap\Entry;
 use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapBadge;
+use Symfony\Component\Ldap\Security\LdapUser;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
@@ -38,6 +42,7 @@
 
 class CheckLdapCredentialsListenerTest extends TestCase
 {
+    use ExpectDeprecationTrait;
     private MockObject&LdapInterface $ldap;
 
     protected function setUp(): void
@@ -46,25 +51,42 @@ protected function setUp(): void
     }
 
     /**
-     * @dataProvider provideShouldNotCheckPassport
+     * @group legacy
+     *
+     * @dataProvider provideShouldCheckPassport
      */
-    public function testShouldNotCheckPassport($authenticator, $passport)
+    public function testShouldCheckPassport(AuthenticatorInterface $authenticator, Passport $passport, bool $expectedBindCalled, bool $expectDeprecation)
     {
-        $this->ldap->expects($this->never())->method('bind');
+        if ($expectDeprecation) {
+            $this->expectDeprecation('Since symfony/ldap 6.4: Authenticate a user that is not an instance of Symfony\Component\Ldap\Security\LdapUser is deprecated and won\'t be the default behavior anymore in 7.0. Use the Symfony\Component\Ldap\Attribute\WithLdapPassword attribute to keep this behavior.');
+        }
+
+        if ($expectedBindCalled) {
+            $this->ldap->expects($this->once())->method('bind');
+        } else {
+            $this->ldap->expects($this->never())->method('bind');
+        }
 
         $listener = $this->createListener();
         $listener->onCheckPassport(new CheckPassportEvent($authenticator, $passport));
     }
 
-    public static function provideShouldNotCheckPassport()
+    public static function provideShouldCheckPassport()
     {
-        // no LdapBadge
-        yield [new TestAuthenticator(), new Passport(new UserBadge('test'), new PasswordCredentials('s3cret'))];
+        yield 'no LdapBadge' => [new TestAuthenticator(), new Passport(new UserBadge('test'), new PasswordCredentials('s3cret')), false, false];
 
-        // ldap already resolved
-        $badge = new LdapBadge('app.ldap');
-        $badge->markResolved();
-        yield [new TestAuthenticator(), new Passport(new UserBadge('test'), new PasswordCredentials('s3cret'), [$badge])];
+        $ldapBadge = new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true);
+        $userBadge = new UserBadge('test');
+        $userBadge->setUserLoader(function () { return new InMemoryUser('test', 'pass', ['ROLE_USER']); });
+        yield 'non ldap user' => [new TestAuthenticator(), new Passport($userBadge, new PasswordCredentials('s3cret'), [$ldapBadge]), true, true];
+
+        $userBadge = new UserBadge('test');
+        $userBadge->setUserLoader(function () { return new UserWithLdapPasswordEnabled('test', ['ROLE_USER']); });
+        yield 'withLdapPassword enabled' => [new TestAuthenticator(), new Passport($userBadge, new PasswordCredentials('s3cret'), [$ldapBadge]), true, false];
+
+        $userBadge = new UserBadge('test');
+        $userBadge->setUserLoader(function () { return new UserWithLdapPasswordDisabled('test', ['ROLE_USER']); });
+        yield 'withLdapPassword disabled' => [new TestAuthenticator(), new Passport($userBadge, new PasswordCredentials('s3cret'), [$ldapBadge]), false, false];
     }
 
     public function testPasswordCredentialsAlreadyResolvedThrowsException()
@@ -74,7 +96,7 @@ public function testPasswordCredentialsAlreadyResolvedThrowsException()
 
         $badge = new PasswordCredentials('s3cret');
         $badge->markResolved();
-        $passport = new Passport(new UserBadge('test'), $badge, [new LdapBadge('app.ldap')]);
+        $passport = new Passport(new UserBadge('test'), $badge, [new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)]);
 
         $listener = $this->createListener();
         $listener->onCheckPassport(new CheckPassportEvent(new TestAuthenticator(), $passport));
@@ -86,7 +108,7 @@ public function testInvalidLdapServiceId()
         $this->expectExceptionMessage('Cannot check credentials using the "not_existing_ldap_service" ldap service, as such service is not found. Did you maybe forget to add the "ldap" service tag to this service?');
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('not_existing_ldap_service')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('not_existing_ldap_service', '{user_identifier}', '', '', null, true)));
     }
 
     /**
@@ -104,7 +126,10 @@ public function testWrongPassport($passport)
     public static function provideWrongPassportData()
     {
         // no password credentials
-        yield [new SelfValidatingPassport(new UserBadge('test'), [new LdapBadge('app.ldap')])];
+        yield [new SelfValidatingPassport(
+            new UserBadge('test'),
+            [new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)]
+        )];
     }
 
     public function testEmptyPasswordShouldThrowAnException()
@@ -171,6 +196,9 @@ public static function queryForDnProvider(): iterable
         yield ['{user_identifier}', '{user_identifier}_test'];
     }
 
+    /**
+     * @group legacy
+     */
     public function testQueryForDn()
     {
         $collection = new class([new Entry('')]) extends \ArrayObject implements CollectionInterface {
@@ -198,7 +226,7 @@ public function toArray(): array
         $this->ldap->expects($this->once())->method('query')->with('{user_identifier}', 'wouter_test')->willReturn($query);
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test', true)));
     }
 
     public function testEmptyQueryResultShouldThrowAnException()
@@ -226,14 +254,21 @@ public function testEmptyQueryResultShouldThrowAnException()
         $this->ldap->expects($this->once())->method('query')->willReturn($query);
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test', true)));
     }
 
     private function createEvent($password = 's3cr3t', $ldapBadge = null)
     {
+        $ldapUser = new LdapUser(new Entry('cn=Wouter,dc=example,dc=com'), 'Wouter', null, ['ROLE_USER']);
+
+        /*return new CheckPassportEvent(
+            new TestAuthenticator(),
+            new Passport(new UserBadge('Wouter', fn () => $ldapUser), new PasswordCredentials($password), [$ldapBadge ?? new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)])
+        );*/
+
         return new CheckPassportEvent(
             new TestAuthenticator(),
-            new Passport(new UserBadge('Wouter', fn () => new InMemoryUser('Wouter', null, ['ROLE_USER'])), new PasswordCredentials($password), [$ldapBadge ?? new LdapBadge('app.ldap')])
+            new Passport(new UserBadge('Wouter', fn () => new InMemoryUser('Wouter', null, ['ROLE_USER'])), new PasswordCredentials($password), [$ldapBadge ?? new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)])
         );
     }
 
@@ -278,3 +313,30 @@ public function createToken(Passport $passport, string $firewallName): TokenInte
         }
     }
 }
+
+class BaseUser implements UserInterface
+{
+    public function __construct(private string $identifier, private array $roles)
+    {
+    }
+
+    public function getRoles(): array
+    {
+        return $this->roles;
+    }
+
+    public function eraseCredentials(): void
+    {
+    }
+
+    public function getUserIdentifier(): string
+    {
+        return $this->identifier;
+    }
+}
+
+#[WithLdapPassword]
+class UserWithLdapPasswordEnabled extends BaseUser {}
+
+#[WithLdapPassword(false)]
+class UserWithLdapPasswordDisabled extends BaseUser {}
diff --git a/src/Symfony/Component/Ldap/Tests/Security/LdapBadgeTest.php b/src/Symfony/Component/Ldap/Tests/Security/LdapBadgeTest.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Security;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
+use Symfony\Component\Ldap\Security\LdapBadge;
+
+final class LdapBadgeTest extends TestCase
+{
+    use ExpectDeprecationTrait;
+
+    /**
+     * @group legacy
+     */
+    public function testDeprecationOnResolvedInitialValue()
+    {
+        $this->expectDeprecation('Since symfony/ldap 6.4: Passing "false" as resolved initial value is deprecated, use "true" instead.');
+
+        new LdapBadge('foo');
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testDeprecationOnMarkAsResolved()
+    {
+        $this->expectDeprecation('Since symfony/ldap 6.4: Symfony\Component\Ldap\Security\LdapBadge::markResolved is deprecated and will be removed in 7.0. Symfony\Component\Ldap\Security\LdapBadge is intended to bear LDAP information and doesn\'t need to be resolved anymore.');
+
+        $sut = new LdapBadge('foo', '{user_identifier}', '', '', null, true);
+        $sut->markResolved();
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/ChainProviderWithLdapTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/ChainProviderWithLdapTest.php
diff --git a/src/Symfony/Component/Security/Core/composer.json b/src/Symfony/Component/Security/Core/composer.json

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ public function supports(Request $request): ?bool`
`60`	`60`	`public function authenticate(Request $request): Passport`
`61`	`61`	`{`
`62`	`62`	`$passport = $this->authenticator->authenticate($request);`
`63`		`- $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString));`
	`63`	`+ $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString, true));`
`64`	`64`
`65`	`65`	`return $passport;`
`66`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,14 +24,14 @@`
`24`	`24`	`*/`
`25`	`25`	`class LdapBadge implements BadgeInterface`
`26`	`26`	`{`
`27`		`- private bool $resolved = false;`
	`27`	`+ private bool $resolved = true;`
`28`	`28`	`private string $ldapServiceId;`
`29`	`29`	`private string $dnString;`
`30`	`30`	`private string $searchDn;`
`31`	`31`	`private string $searchPassword;`
`32`	`32`	`private ?string $queryString;`
`33`	`33`
`34`		`- public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null)`
	`34`	`+ public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null, bool $resolved = false)`
`35`	`35`	`{`
`36`	`36`	`$this->ldapServiceId = $ldapServiceId;`
`37`	`37`	`$dnString = str_replace('{username}', '{user_identifier}', $dnString, $replaceCount);`
`@@ -46,6 +46,10 @@ public function __construct(string $ldapServiceId, string $dnString = '{user_ide`
`46`	`46`	`trigger_deprecation('symfony/ldap', '6.2', 'Using "{username}" parameter in LDAP configuration is deprecated, consider using "{user_identifier}" instead.');`
`47`	`47`	`}`
`48`	`48`	`$this->queryString = $queryString;`
	`49`	`+ $this->resolved = $resolved;`
	`50`	`+ if (false === $this->resolved) {`
	`51`	`+ trigger_deprecation('symfony/ldap', '6.4', 'Passing "false" as resolved initial value is deprecated, use "true" instead.');`
	`52`	`+ }`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`public function getLdapServiceId(): string`
`@@ -75,6 +79,8 @@ public function getQueryString(): ?string`
`75`	`79`
`76`	`80`	`public function markResolved(): void`
`77`	`81`	`{`
	`82`	`+ trigger_deprecation('symfony/ldap', '6.4', '%s is deprecated and will be removed in 7.0. %s is intended to bear LDAP information and doesn\'t need to be resolved anymore.', __METHOD__, __CLASS__);`
	`83`	`+`
`78`	`84`	`$this->resolved = true;`
`79`	`85`	`}`
`80`	`86`