From d1e1592c2e2560f01f436e8f4c0aedc5f0f8a360 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Tue, 19 Dec 2017 00:14:02 +0100 Subject: [PATCH 1/3] Fix fake patch... --- .../Baikal/Core/AbstractExternalAuth.php | 130 +++++++++++ .../Baikal/Core/LDAPUserBindAuth.php | 75 +++++++ sources/patches/app-add-ldap-auth.patch | 211 ------------------ 3 files changed, 205 insertions(+), 211 deletions(-) create mode 100644 sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php create mode 100644 sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php diff --git a/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php b/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php new file mode 100644 index 0000000..e7859ea --- /dev/null +++ b/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php @@ -0,0 +1,130 @@ + + * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License + */ +abstract class AbstractExternalAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { + + /** + * enable autocreation of user + * + * @var PDO + */ + protected $enableAutoCreation; + + /** + * Reference to PDO connection + * + * @var PDO + */ + private $pdo; + + /** + * PDO table name we'll be using + * + * @var string + */ + private $tableName; + + /** + * Creates the backend object. + * + * If the filename argument is passed in, it will parse out the specified file fist. + * + * @param PDO $pdo + * @param string $realm + * @param string $tableName The PDO table name to use + */ + public function __construct(\PDO $pdo, $realm = 'BaikalDAV', $tableName = 'users') { + + $this->pdo = $pdo; + $this->tableName = $tableName; + $this->enableAutoCreation = true; + } + + /** + * Validates a username and password + * + * This method should return true or false depending on if login + * succeeded. + * + * @param string $username + * @param string $password + * @return bool + */ + public function validateUserPass($username, $password) { + + if (!$this->validateUserPassExternal($username, $password)) + return false; + + $this->currentUser = $username; + if ($this->enableAutoCreation) + $this->autoUserCreation($username); + + return true; + } + + /** + * Validates a username and password agains external backend + * + * This method should return true or false depending on if login + * succeeded. + * + * @param string $username + * @param string $password + * @return bool + */ + public abstract function validateUserPassExternal($username, $password); + + /** + * return the displayname and email from the external Backend + * + * @param string $username + * @return array ('displayname' => string, 'email' => string) + */ + public function getAccountValues($username) { + + return array(); + } + + /** + * create an internal user, when user not exists + * + * @param string $username + */ + private function autoUserCreation($username) { + + /* search user in DB and do nothing, when user exists */ + $stmt = $this->pdo->prepare('SELECT username FROM '.$this->tableName.' WHERE username = ?'); + $stmt->execute(array($username)); + $result = $stmt->fetchAll(); + if (count($result) != 0) + return; + + /* get account values from backend */ + $values = $this->getAccountValues($username); + if (!isset($values['displayname']) OR strlen($values['displayname']) === 0) + $values['displayname'] = $username; + if (!isset($values['email']) OR strlen($values['email']) === 0) { + if(filter_var($username, FILTER_VALIDATE_EMAIL)) + $values['email'] = $username; + else + $values['email'] = 'unset-mail'; + } + + /* create user */ + $user = new \Baikal\Model\User(); + $user->set('username', $username); + $user->set('displayname', $values['displayname']); + $user->set('email', $values['email']); + $user->persist(); + } + +} diff --git a/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php b/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php new file mode 100644 index 0000000..c491d8d --- /dev/null +++ b/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php @@ -0,0 +1,75 @@ + + * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License + */ +class LDAPUserBindAuth extends AbstractExternalAuth { + + /** + * AccountValues for getAccountValues + * + * @var array ('displayname' => string, 'email' => string) + */ + private $accountValues; + + /** + * Validates a username and password over ldap + * + * @param string $username + * @param string $password + * @return bool + */ + public function validateUserPassExternal($username, $password) { + + /* create ldap connection */ + $conn = ldap_connect(BAIKAL_DAV_LDAP_URI); + if (!$conn) + return false; + if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) + return false; + + /* bind with user + * error_handler have to change, because a failed bind raises an error + * this raise a secuity issue because in the stack trace is the password of user readable + */ + $arr = explode('@', $username, 2); + $dn = str_replace('%n', $username, BAIKAL_DAV_LDAP_DN_TEMPLATE); + $dn = str_replace('%u', $arr[0], $dn); + if(isset($arr[1])) $dn = str_replace('%d', $arr[1], $dn); + + set_error_handler("\Baikal\Core\LDAPUserBindAuth::exception_error_handler"); + $bind = ldap_bind($conn, $dn, $password); + restore_error_handler(); + if (!$bind) { + ldap_close($conn); + return false; + } + + /* read displayname and email from user */ + $this->accountValues = array(); + $sr = ldap_read($conn, $dn, '(objectclass=*)', array(BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR, BAIKAL_DAV_LDAP_EMAIL_ATTR)); + $entry = ldap_get_entries($conn, $sr); + if (isset($entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0])) + $this->accountValues['displayname'] = $entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0]; + if (isset($entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0])) + $this->accountValues['email'] = $entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0]; + + /* close */ + ldap_close($conn); + return true; + } + + public function getAccountValues($username) { + + return $this->accountValues; + } + + # WorkAround error_handler in failed bind of LDAP + public static function exception_error_handler($errno, $errstr, $errfile, $errline) { + } +} diff --git a/sources/patches/app-add-ldap-auth.patch b/sources/patches/app-add-ldap-auth.patch index 1a24d53..61dcc21 100644 --- a/sources/patches/app-add-ldap-auth.patch +++ b/sources/patches/app-add-ldap-auth.patch @@ -1,214 +1,3 @@ ---- b/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php -+++ b/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php -@@ -0,0 +1,130 @@ -+ -+ * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License -+ */ -+abstract class AbstractExternalAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { -+ -+ /** -+ * enable autocreation of user -+ * -+ * @var PDO -+ */ -+ protected $enableAutoCreation; -+ -+ /** -+ * Reference to PDO connection -+ * -+ * @var PDO -+ */ -+ private $pdo; -+ -+ /** -+ * PDO table name we'll be using -+ * -+ * @var string -+ */ -+ private $tableName; -+ -+ /** -+ * Creates the backend object. -+ * -+ * If the filename argument is passed in, it will parse out the specified file fist. -+ * -+ * @param PDO $pdo -+ * @param string $realm -+ * @param string $tableName The PDO table name to use -+ */ -+ public function __construct(\PDO $pdo, $realm = 'BaikalDAV', $tableName = 'users') { -+ -+ $this->pdo = $pdo; -+ $this->tableName = $tableName; -+ $this->enableAutoCreation = true; -+ } -+ -+ /** -+ * Validates a username and password -+ * -+ * This method should return true or false depending on if login -+ * succeeded. -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public function validateUserPass($username, $password) { -+ -+ if (!$this->validateUserPassExternal($username, $password)) -+ return false; -+ -+ $this->currentUser = $username; -+ if ($this->enableAutoCreation) -+ $this->autoUserCreation($username); -+ -+ return true; -+ } -+ -+ /** -+ * Validates a username and password agains external backend -+ * -+ * This method should return true or false depending on if login -+ * succeeded. -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public abstract function validateUserPassExternal($username, $password); -+ -+ /** -+ * return the displayname and email from the external Backend -+ * -+ * @param string $username -+ * @return array ('displayname' => string, 'email' => string) -+ */ -+ public function getAccountValues($username) { -+ -+ return array(); -+ } -+ -+ /** -+ * create an internal user, when user not exists -+ * -+ * @param string $username -+ */ -+ private function autoUserCreation($username) { -+ -+ /* search user in DB and do nothing, when user exists */ -+ $stmt = $this->pdo->prepare('SELECT username FROM '.$this->tableName.' WHERE username = ?'); -+ $stmt->execute(array($username)); -+ $result = $stmt->fetchAll(); -+ if (count($result) != 0) -+ return; -+ -+ /* get account values from backend */ -+ $values = $this->getAccountValues($username); -+ if (!isset($values['displayname']) OR strlen($values['displayname']) === 0) -+ $values['displayname'] = $username; -+ if (!isset($values['email']) OR strlen($values['email']) === 0) { -+ if(filter_var($username, FILTER_VALIDATE_EMAIL)) -+ $values['email'] = $username; -+ else -+ $values['email'] = 'unset-mail'; -+ } -+ -+ /* create user */ -+ $user = new \Baikal\Model\User(); -+ $user->set('username', $username); -+ $user->set('displayname', $values['displayname']); -+ $user->set('email', $values['email']); -+ $user->persist(); -+ } -+ -+} ---- b/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php -+++ b/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php -@@ -0,0 +1,75 @@ -+ -+ * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License -+ */ -+class LDAPUserBindAuth extends AbstractExternalAuth { -+ -+ /** -+ * AccountValues for getAccountValues -+ * -+ * @var array ('displayname' => string, 'email' => string) -+ */ -+ private $accountValues; -+ -+ /** -+ * Validates a username and password over ldap -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public function validateUserPassExternal($username, $password) { -+ -+ /* create ldap connection */ -+ $conn = ldap_connect(BAIKAL_DAV_LDAP_URI); -+ if (!$conn) -+ return false; -+ if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) -+ return false; -+ -+ /* bind with user -+ * error_handler have to change, because a failed bind raises an error -+ * this raise a secuity issue because in the stack trace is the password of user readable -+ */ -+ $arr = explode('@', $username, 2); -+ $dn = str_replace('%n', $username, BAIKAL_DAV_LDAP_DN_TEMPLATE); -+ $dn = str_replace('%u', $arr[0], $dn); -+ if(isset($arr[1])) $dn = str_replace('%d', $arr[1], $dn); -+ -+ set_error_handler("\Baikal\Core\LDAPUserBindAuth::exception_error_handler"); -+ $bind = ldap_bind($conn, $dn, $password); -+ restore_error_handler(); -+ if (!$bind) { -+ ldap_close($conn); -+ return false; -+ } -+ -+ /* read displayname and email from user */ -+ $this->accountValues = array(); -+ $sr = ldap_read($conn, $dn, '(objectclass=*)', array(BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR, BAIKAL_DAV_LDAP_EMAIL_ATTR)); -+ $entry = ldap_get_entries($conn, $sr); -+ if (isset($entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0])) -+ $this->accountValues['displayname'] = $entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0]; -+ if (isset($entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0])) -+ $this->accountValues['email'] = $entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0]; -+ -+ /* close */ -+ ldap_close($conn); -+ return true; -+ } -+ -+ public function getAccountValues($username) { -+ -+ return $this->accountValues; -+ } -+ -+ # WorkAround error_handler in failed bind of LDAP -+ public static function exception_error_handler($errno, $errstr, $errfile, $errline) { -+ } -+} diff --git a/Core/Frameworks/Baikal/Core/Server.php b/Core/Frameworks/Baikal/Core/Server.php index 8026854..8d306fe 100644 --- a/Core/Frameworks/Baikal/Core/Server.php From 7960d347424cb1cb931c91f2628dd829288184e1 Mon Sep 17 00:00:00 2001 From: optikfluffel Date: Thu, 16 May 2019 14:43:08 +0200 Subject: [PATCH 2/3] bump baikal to 0.5.3 --- README.md | 2 +- conf/app.src | 4 ++-- conf/config.system.php | 2 +- manifest.json | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index defaf4b..f2bea50 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ If you don't have YunoHost, please see [here](https://yunohost.org/#/install) to [Baïkal](http://baikal-server.com/) is a CalDAV and CardDAV server, based on sabre/dav, that includes an administration interface for easy management. -**Shipped version:** 0.4.6 +**Shipped version:** 0.5.3 ## Screenshots diff --git a/conf/app.src b/conf/app.src index f26db38..f07f48a 100644 --- a/conf/app.src +++ b/conf/app.src @@ -1,5 +1,5 @@ -SOURCE_URL=https://github.com/fruux/Baikal/releases/download/0.4.6/baikal-0.4.6.zip -SOURCE_SUM=946e8e4161f7ef84be42430b6e9d3bb7dd4bbbe241b409be208c14447d7aa7a6 +SOURCE_URL=https://github.com/sabre-io/Baikal/releases/download/0.5.3/baikal-0.5.3.zip +SOURCE_SUM=11e6971a3cdc4c0cfc36e82498809162b5a6cfb67545f0dbc5b9d9e0c28c93c0 SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=zip SOURCE_IN_SUBDIR=true diff --git a/conf/config.system.php b/conf/config.system.php index 9b0be7c..2399d76 100644 --- a/conf/config.system.php +++ b/conf/config.system.php @@ -69,4 +69,4 @@ define("PROJECT_DB_MYSQL_PASSWORD", '__DBPASS__'); define("BAIKAL_ENCRYPTION_KEY", '__DESKEY__'); # The currently configured Baïkal version -define("BAIKAL_CONFIGURED_VERSION", '0.4.6'); +define("BAIKAL_CONFIGURED_VERSION", '0.5.3'); diff --git a/manifest.json b/manifest.json index 2e9cf5f..8e7dc38 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Lightweight CalDAV+CardDAV server", "fr": "Serveur CalDAV+CardDAV léger" }, - "version": "0.4.6~ynh1", + "version": "0.5.3~ynh1", "url": "http://baikal-server.com/", "license": "GPL-3.0", "maintainer": { From c4b5736a7839906618de490e9173cb8c30fe69f6 Mon Sep 17 00:00:00 2001 From: optikfluffel Date: Thu, 16 May 2019 15:18:08 +0200 Subject: [PATCH 3/3] update patch --- sources/patches/app-add-ldap-auth.patch | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/sources/patches/app-add-ldap-auth.patch b/sources/patches/app-add-ldap-auth.patch index 61dcc21..9872571 100644 --- a/sources/patches/app-add-ldap-auth.patch +++ b/sources/patches/app-add-ldap-auth.patch @@ -1,18 +1,18 @@ diff --git a/Core/Frameworks/Baikal/Core/Server.php b/Core/Frameworks/Baikal/Core/Server.php -index 8026854..8d306fe 100644 +index 957cac3..fcc2e3c 100644 --- a/Core/Frameworks/Baikal/Core/Server.php +++ b/Core/Frameworks/Baikal/Core/Server.php @@ -133,6 +133,8 @@ class Server { if ($this->authType === 'Basic') { $authBackend = new \Baikal\Core\PDOBasicAuth($this->pdo, $this->authRealm); -+ } elseif ($this->authType === 'LDAP-UserBind') { ++ } elseif ($this->authType === 'LDAP-UserBind') { + $authBackend = new \Baikal\Core\LDAPUserBindAuth($this->pdo, $this->authRealm); } else { $authBackend = new \Sabre\DAV\Auth\Backend\PDO($this->pdo); $authBackend->setRealm($this->authRealm); diff --git a/Core/Frameworks/Baikal/Model/Config/Standard.php b/Core/Frameworks/Baikal/Model/Config/Standard.php -index 6107377..39f90bd 100644 +index 2e07f44..948b5be 100644 --- a/Core/Frameworks/Baikal/Model/Config/Standard.php +++ b/Core/Frameworks/Baikal/Model/Config/Standard.php @@ -46,6 +46,22 @@ class Standard extends \Baikal\Model\Config { @@ -53,8 +53,8 @@ index 6107377..39f90bd 100644 $oMorpho->add(new \Formal\Element\Listbox([ "prop" => "BAIKAL_DAV_AUTH_TYPE", "label" => "WebDAV authentication type", -- "options" => [ "Digest", "Basic" ] -+ "options" => [ "Digest", "Basic", "LDAP-UserBind" ] +- "options" => ["Digest", "Basic"] ++ "options" => ["Digest", "Basic", "LDAP-UserBind"] + ])); + + $oMorpho->add(new \Formal\Element\Text([