Allow to use ldap in a chain provider

l-vo · l-vo · commit cbe2c95c3564 · 2023-08-04T11:05:14.000+02:00
diff --git a/src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php b/src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php
@@ -48,9 +48,6 @@ public function onCheckPassport(CheckPassportEvent $event)
 
         /** @var LdapBadge $ldapBadge */
         $ldapBadge = $passport->getBadge(LdapBadge::class);
-        if ($ldapBadge->isResolved()) {
-            return;
-        }
 
         if (!$passport->hasBadge(PasswordCredentials::class)) {
             throw new \LogicException(sprintf('LDAP authentication requires a passport containing password credentials, authenticator "%s" does not fulfill these requirements.', $event->getAuthenticator()::class));
@@ -72,6 +69,9 @@ public function onCheckPassport(CheckPassportEvent $event)
         }
 
         $user = $passport->getUser();
+        if (!$user instanceof LdapUser) {
+            return;
+        }
 
         /** @var LdapInterface $ldap */
         $ldap = $this->ldapLocator->get($ldapBadge->getLdapServiceId());
@@ -105,7 +105,6 @@ public function onCheckPassport(CheckPassportEvent $event)
         }
 
         $passwordCredentials->markResolved();
-        $ldapBadge->markResolved();
     }
 
     public static function getSubscribedEvents(): array
diff --git a/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php b/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php
@@ -60,7 +60,7 @@ public function supports(Request $request): ?bool
     public function authenticate(Request $request): Passport
     {
         $passport = $this->authenticator->authenticate($request);
-        $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString));
+        $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString, true));
 
         return $passport;
     }
diff --git a/src/Symfony/Component/Ldap/Security/LdapBadge.php b/src/Symfony/Component/Ldap/Security/LdapBadge.php
@@ -24,14 +24,14 @@
  */
 class LdapBadge implements BadgeInterface
 {
-    private bool $resolved = false;
+    private bool $resolved = true;
     private string $ldapServiceId;
     private string $dnString;
     private string $searchDn;
     private string $searchPassword;
     private ?string $queryString;
 
-    public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null)
+    public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null, bool $resolved = false)
     {
         $this->ldapServiceId = $ldapServiceId;
         $dnString = str_replace('{username}', '{user_identifier}', $dnString, $replaceCount);
@@ -46,6 +46,10 @@ public function __construct(string $ldapServiceId, string $dnString = '{user_ide
             trigger_deprecation('symfony/ldap', '6.2', 'Using "{username}" parameter in LDAP configuration is deprecated, consider using "{user_identifier}" instead.');
         }
         $this->queryString = $queryString;
+        $this->resolved = $resolved;
+        if (false === $this->resolved) {
+            trigger_deprecation('symfony/ldap', '6.4', 'Passing false as resolved initial value is deprecated, use true instead.');
+        }
     }
 
     public function getLdapServiceId(): string
@@ -75,6 +79,8 @@ public function getQueryString(): ?string
 
     public function markResolved(): void
     {
+        trigger_deprecation('symfony/ldap', '6.4', 'Calling %s is deprecated.', __METHOD__);
+
         $this->resolved = true;
     }
 
diff --git a/src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php b/src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php
@@ -23,6 +23,7 @@
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapBadge;
+use Symfony\Component\Ldap\Security\LdapUser;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
@@ -62,9 +63,10 @@ public static function provideShouldNotCheckPassport()
         yield [new TestAuthenticator(), new Passport(new UserBadge('test'), new PasswordCredentials('s3cret'))];
 
         // ldap already resolved
-        $badge = new LdapBadge('app.ldap');
-        $badge->markResolved();
-        yield [new TestAuthenticator(), new Passport(new UserBadge('test'), new PasswordCredentials('s3cret'), [$badge])];
+        $ldapBadge = new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true);
+        $userBadge = new UserBadge('test');
+        $userBadge->setUserLoader(function () { return new InMemoryUser('test', 'pass', ['ROLE_USER']); });
+        yield [new TestAuthenticator(), new Passport($userBadge, new PasswordCredentials('s3cret'), [$ldapBadge])];
     }
 
     public function testPasswordCredentialsAlreadyResolvedThrowsException()
@@ -74,7 +76,7 @@ public function testPasswordCredentialsAlreadyResolvedThrowsException()
 
         $badge = new PasswordCredentials('s3cret');
         $badge->markResolved();
-        $passport = new Passport(new UserBadge('test'), $badge, [new LdapBadge('app.ldap')]);
+        $passport = new Passport(new UserBadge('test'), $badge, [new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)]);
 
         $listener = $this->createListener();
         $listener->onCheckPassport(new CheckPassportEvent(new TestAuthenticator(), $passport));
@@ -86,7 +88,7 @@ public function testInvalidLdapServiceId()
         $this->expectExceptionMessage('Cannot check credentials using the "not_existing_ldap_service" ldap service, as such service is not found. Did you maybe forget to add the "ldap" service tag to this service?');
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('not_existing_ldap_service')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('not_existing_ldap_service', '{user_identifier}', '', '', null, true)));
     }
 
     /**
@@ -104,7 +106,10 @@ public function testWrongPassport($passport)
     public static function provideWrongPassportData()
     {
         // no password credentials
-        yield [new SelfValidatingPassport(new UserBadge('test'), [new LdapBadge('app.ldap')])];
+        yield [new SelfValidatingPassport(
+            new UserBadge('test'),
+            [new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)]
+        )];
     }
 
     public function testEmptyPasswordShouldThrowAnException()
@@ -198,7 +203,7 @@ public function toArray(): array
         $this->ldap->expects($this->once())->method('query')->with('{user_identifier}', 'wouter_test')->willReturn($query);
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test', true)));
     }
 
     public function testEmptyQueryResultShouldThrowAnException()
@@ -226,14 +231,16 @@ public function testEmptyQueryResultShouldThrowAnException()
         $this->ldap->expects($this->once())->method('query')->willReturn($query);
 
         $listener = $this->createListener();
-        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test')));
+        $listener->onCheckPassport($this->createEvent('s3cr3t', new LdapBadge('app.ldap', '{user_identifier}', 'elsa', 'test1234A$', '{user_identifier}_test', true)));
     }
 
     private function createEvent($password = 's3cr3t', $ldapBadge = null)
     {
+        $ldapUser = new LdapUser(new Entry('cn=Wouter,dc=example,dc=com'), 'Wouter', null, ['ROLE_USER']);
+
         return new CheckPassportEvent(
             new TestAuthenticator(),
-            new Passport(new UserBadge('Wouter', fn () => new InMemoryUser('Wouter', null, ['ROLE_USER'])), new PasswordCredentials($password), [$ldapBadge ?? new LdapBadge('app.ldap')])
+            new Passport(new UserBadge('Wouter', fn () => $ldapUser), new PasswordCredentials($password), [$ldapBadge ?? new LdapBadge('app.ldap', '{user_identifier}', '', '', null, true)])
         );
     }
 
diff --git a/src/Symfony/Component/Ldap/Tests/Security/LdapBadgeTest.php b/src/Symfony/Component/Ldap/Tests/Security/LdapBadgeTest.php
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Security;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
+use Symfony\Component\Ldap\Security\LdapBadge;
+
+final class LdapBadgeTest extends TestCase
+{
+    use ExpectDeprecationTrait;
+
+    /**
+     * @group legacy
+     */
+    public function testDeprecationOnResolvedInitialValue()
+    {
+        $this->expectDeprecation('Since symfony/ldap 6.4: Passing false as resolved initial value is deprecated, use true instead.');
+
+        new LdapBadge('foo');
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testDeprecationOnMarkAsResolved()
+    {
+        $this->expectDeprecation('Since symfony/ldap 6.4: Calling Symfony\Component\Ldap\Security\LdapBadge::markResolved is deprecated.');
+
+        $sut = new LdapBadge('foo', '{user_identifier}', '', '', null, true);
+        $sut->markResolved();
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/ChainProviderWithLdapTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/ChainProviderWithLdapTest.php
@@ -0,0 +1,190 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authentication\Provider;
+
+use PHPUnit\Framework\TestCase;
+use Psr\Container\ContainerInterface;
+use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
+use Symfony\Component\Ldap\Adapter\AdapterInterface;
+use Symfony\Component\Ldap\Adapter\CollectionInterface;
+use Symfony\Component\Ldap\Adapter\ConnectionInterface;
+use Symfony\Component\Ldap\Adapter\QueryInterface;
+use Symfony\Component\Ldap\Entry;
+use Symfony\Component\Ldap\Exception\ConnectionException;
+use Symfony\Component\Ldap\Ldap;
+use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\LdapAuthenticator;
+use Symfony\Component\Ldap\Security\LdapUserProvider;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\ChainUserProvider;
+use Symfony\Component\Security\Core\User\InMemoryUserProvider;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
+use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\EventListener\UserProviderListener;
+use Symfony\Component\Security\Http\HttpUtils;
+
+class ChainProviderWithLdapTest extends TestCase
+{
+    public function provideChainWithLdapAndInMemory(): array
+    {
+        return [
+            'in memory' => ['foo', 'foopass'],
+            'ldap' => ['bar', 'barpass'],
+        ];
+    }
+
+    /**
+     * @dataProvider provideChainWithLdapAndInMemory
+     */
+    public function testChainWithLdapAndInMemory(string $userIdentifier, string $pass)
+    {
+        $inMemoryProvider = new InMemoryUserProvider([
+            'foo' => ['password' => 'foopass', 'roles' => ['ROLE_USER']],
+        ]);
+
+        $ldapAdapteur = $this->createMock(AdapterInterface::class);
+        $ldapAdapteur
+            ->method('getConnection')
+            ->willReturn($connection = $this->createMock(ConnectionInterface::class))
+        ;
+
+        $connection
+            ->method('bind')
+            ->willReturnCallback(static function (?string $user, ?string $pass): void {
+                if ('admin' === $user && 'adminpass' === $pass) {
+                    return;
+                }
+
+                if ('bar' === $user && 'barpass' === $pass) {
+                    return;
+                }
+
+                throw new ConnectionException('failure when binding');
+            })
+        ;
+
+        $ldapAdapteur
+            ->method('escape')
+            ->willReturnArgument(0)
+        ;
+
+        $ldapAdapteur
+            ->method('createQuery')
+            ->willReturn($query = $this->createMock(QueryInterface::class))
+        ;
+
+        $query
+            ->method('execute')
+            ->willReturn($collection = $this->createMock(CollectionInterface::class));
+
+        $collection
+            ->method('count')
+            ->willReturn(1)
+        ;
+
+        $collection
+            ->method('offsetGet')
+            ->with(0)
+            ->willReturn(new Entry('cn=bar,dc=example,dc=com', ['sAMAccountName' => ['bar'], 'userPassword' => ['barpass']]))
+        ;
+
+        $ldapProvider = new LdapUserProvider($ldap = new Ldap($ldapAdapteur), 'dc=example,dc=com', 'admin', 'adminpass', [], null, null, 'userPassword');
+
+        $chainUserProvider = new ChainUserProvider([$inMemoryProvider, $ldapProvider]);
+
+        $httpUtils = $this->createMock(HttpUtils::class);
+        $httpUtils
+            ->method('checkRequestPath')
+            ->willReturn(true)
+        ;
+
+        $failureHandler = $this->createMock(AuthenticationFailureHandlerInterface::class);
+        $failureHandler
+            ->method('onAuthenticationFailure')
+            ->willReturn(new Response())
+        ;
+
+        $formLoginAuthenticator = new FormLoginAuthenticator(
+            $httpUtils,
+            $chainUserProvider,
+            $this->createMock(AuthenticationSuccessHandlerInterface::class),
+            $failureHandler,
+            []
+        );
+
+        $ldapAuthenticator = new LdapAuthenticator($formLoginAuthenticator, 'ldap-id');
+
+        $ldapLocator = new class($ldap) implements ContainerInterface {
+            private $ldap;
+
+            public function __construct(Ldap $ldap)
+            {
+                $this->ldap = $ldap;
+            }
+
+            public function get(string $id): Ldap
+            {
+                return $this->ldap;
+            }
+
+            public function has(string $id): bool
+            {
+                return 'ldap-id' === $id;
+            }
+        };
+
+        $eventDispatcher = new EventDispatcher();
+        $eventDispatcher->addListener(CheckPassportEvent::class, [new UserProviderListener($chainUserProvider), 'checkPassport']);
+        $eventDispatcher->addListener(CheckPassportEvent::class, [new CheckLdapCredentialsListener($ldapLocator), 'onCheckPassport']);
+        $eventDispatcher->addListener(CheckPassportEvent::class, function (CheckPassportEvent $event): void {
+            $passport = $event->getPassport();
+            $userBadge = $passport->getBadge(UserBadge::class);
+            if (null === $userBadge || null === $userBadge->getUser()) {
+                return;
+            }
+            $credentials = $passport->getBadge(PasswordCredentials::class);
+            if ($credentials->isResolved()) {
+                return;
+            }
+
+            if ($credentials && 'foopass' === $credentials->getPassword()) {
+                $credentials->markResolved();
+            }
+        });
+
+        $authenticatorManager = new AuthenticatorManager(
+            [$ldapAuthenticator],
+            $tokenStorage = new TokenStorage(),
+            $eventDispatcher,
+            'main'
+        );
+
+        $request = Request::create('/login', 'POST', ['_username' => $userIdentifier, '_password' => $pass]);
+        $request->setSession(new Session(new MockArraySessionStorage()));
+
+        $this->assertTrue($authenticatorManager->supports($request));
+        $authenticatorManager->authenticateRequest($request);
+
+        $this->assertInstanceOf(UsernamePasswordToken::class, $token = $tokenStorage->getToken());
+        $this->assertSame($userIdentifier, $token->getUserIdentifier());
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/composer.json b/src/Symfony/Component/Security/Core/composer.json
@@ -30,6 +30,7 @@
         "symfony/expression-language": "^5.4|^6.0|^7.0",
         "symfony/http-foundation": "^5.4|^6.0|^7.0",
         "symfony/ldap": "^5.4|^6.0|^7.0",
+        "symfony/security-http": "^5.4|^6.0|^7.0",
         "symfony/string": "^5.4|^6.0|^7.0",
         "symfony/translation": "^5.4|^6.0|^7.0",
         "symfony/validator": "^5.4|^6.0|^7.0",

Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ public function supports(Request $request): ?bool`
`60`	`60`	`public function authenticate(Request $request): Passport`
`61`	`61`	`{`
`62`	`62`	`$passport = $this->authenticator->authenticate($request);`
`63`		`- $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString));`
	`63`	`+ $passport->addBadge(new LdapBadge($this->ldapServiceId, $this->dnString, $this->searchDn, $this->searchPassword, $this->queryString, true));`
`64`	`64`
`65`	`65`	`return $passport;`
`66`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -24,14 +24,14 @@`
`24`	`24`	`*/`
`25`	`25`	`class LdapBadge implements BadgeInterface`
`26`	`26`	`{`
`27`		`- private bool $resolved = false;`
	`27`	`+ private bool $resolved = true;`
`28`	`28`	`private string $ldapServiceId;`
`29`	`29`	`private string $dnString;`
`30`	`30`	`private string $searchDn;`
`31`	`31`	`private string $searchPassword;`
`32`	`32`	`private ?string $queryString;`
`33`	`33`
`34`		`- public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null)`
	`34`	`+ public function __construct(string $ldapServiceId, string $dnString = '{user_identifier}', string $searchDn = '', string $searchPassword = '', string $queryString = null, bool $resolved = false)`
`35`	`35`	`{`
`36`	`36`	`$this->ldapServiceId = $ldapServiceId;`
`37`	`37`	`$dnString = str_replace('{username}', '{user_identifier}', $dnString, $replaceCount);`
`@@ -46,6 +46,10 @@ public function __construct(string $ldapServiceId, string $dnString = '{user_ide`
`46`	`46`	`trigger_deprecation('symfony/ldap', '6.2', 'Using "{username}" parameter in LDAP configuration is deprecated, consider using "{user_identifier}" instead.');`
`47`	`47`	`}`
`48`	`48`	`$this->queryString = $queryString;`
	`49`	`+ $this->resolved = $resolved;`
	`50`	`+ if (false === $this->resolved) {`
	`51`	`+ trigger_deprecation('symfony/ldap', '6.4', 'Passing false as resolved initial value is deprecated, use true instead.');`
	`52`	`+ }`
`49`	`53`	`}`
`50`	`54`
`51`	`55`	`public function getLdapServiceId(): string`
`@@ -75,6 +79,8 @@ public function getQueryString(): ?string`
`75`	`79`
`76`	`80`	`public function markResolved(): void`
`77`	`81`	`{`
	`82`	`+ trigger_deprecation('symfony/ldap', '6.4', 'Calling %s is deprecated.', __METHOD__);`
	`83`	`+`
`78`	`84`	`$this->resolved = true;`
`79`	`85`	`}`
`80`	`86`