diff --git a/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php b/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php new file mode 100644 index 0000000..e7859ea --- /dev/null +++ b/sources/extra_files/app/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php @@ -0,0 +1,130 @@ + + * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License + */ +abstract class AbstractExternalAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { + + /** + * enable autocreation of user + * + * @var PDO + */ + protected $enableAutoCreation; + + /** + * Reference to PDO connection + * + * @var PDO + */ + private $pdo; + + /** + * PDO table name we'll be using + * + * @var string + */ + private $tableName; + + /** + * Creates the backend object. + * + * If the filename argument is passed in, it will parse out the specified file fist. + * + * @param PDO $pdo + * @param string $realm + * @param string $tableName The PDO table name to use + */ + public function __construct(\PDO $pdo, $realm = 'BaikalDAV', $tableName = 'users') { + + $this->pdo = $pdo; + $this->tableName = $tableName; + $this->enableAutoCreation = true; + } + + /** + * Validates a username and password + * + * This method should return true or false depending on if login + * succeeded. + * + * @param string $username + * @param string $password + * @return bool + */ + public function validateUserPass($username, $password) { + + if (!$this->validateUserPassExternal($username, $password)) + return false; + + $this->currentUser = $username; + if ($this->enableAutoCreation) + $this->autoUserCreation($username); + + return true; + } + + /** + * Validates a username and password agains external backend + * + * This method should return true or false depending on if login + * succeeded. + * + * @param string $username + * @param string $password + * @return bool + */ + public abstract function validateUserPassExternal($username, $password); + + /** + * return the displayname and email from the external Backend + * + * @param string $username + * @return array ('displayname' => string, 'email' => string) + */ + public function getAccountValues($username) { + + return array(); + } + + /** + * create an internal user, when user not exists + * + * @param string $username + */ + private function autoUserCreation($username) { + + /* search user in DB and do nothing, when user exists */ + $stmt = $this->pdo->prepare('SELECT username FROM '.$this->tableName.' WHERE username = ?'); + $stmt->execute(array($username)); + $result = $stmt->fetchAll(); + if (count($result) != 0) + return; + + /* get account values from backend */ + $values = $this->getAccountValues($username); + if (!isset($values['displayname']) OR strlen($values['displayname']) === 0) + $values['displayname'] = $username; + if (!isset($values['email']) OR strlen($values['email']) === 0) { + if(filter_var($username, FILTER_VALIDATE_EMAIL)) + $values['email'] = $username; + else + $values['email'] = 'unset-mail'; + } + + /* create user */ + $user = new \Baikal\Model\User(); + $user->set('username', $username); + $user->set('displayname', $values['displayname']); + $user->set('email', $values['email']); + $user->persist(); + } + +} diff --git a/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php b/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php new file mode 100644 index 0000000..c491d8d --- /dev/null +++ b/sources/extra_files/app/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php @@ -0,0 +1,75 @@ + + * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License + */ +class LDAPUserBindAuth extends AbstractExternalAuth { + + /** + * AccountValues for getAccountValues + * + * @var array ('displayname' => string, 'email' => string) + */ + private $accountValues; + + /** + * Validates a username and password over ldap + * + * @param string $username + * @param string $password + * @return bool + */ + public function validateUserPassExternal($username, $password) { + + /* create ldap connection */ + $conn = ldap_connect(BAIKAL_DAV_LDAP_URI); + if (!$conn) + return false; + if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) + return false; + + /* bind with user + * error_handler have to change, because a failed bind raises an error + * this raise a secuity issue because in the stack trace is the password of user readable + */ + $arr = explode('@', $username, 2); + $dn = str_replace('%n', $username, BAIKAL_DAV_LDAP_DN_TEMPLATE); + $dn = str_replace('%u', $arr[0], $dn); + if(isset($arr[1])) $dn = str_replace('%d', $arr[1], $dn); + + set_error_handler("\Baikal\Core\LDAPUserBindAuth::exception_error_handler"); + $bind = ldap_bind($conn, $dn, $password); + restore_error_handler(); + if (!$bind) { + ldap_close($conn); + return false; + } + + /* read displayname and email from user */ + $this->accountValues = array(); + $sr = ldap_read($conn, $dn, '(objectclass=*)', array(BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR, BAIKAL_DAV_LDAP_EMAIL_ATTR)); + $entry = ldap_get_entries($conn, $sr); + if (isset($entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0])) + $this->accountValues['displayname'] = $entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0]; + if (isset($entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0])) + $this->accountValues['email'] = $entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0]; + + /* close */ + ldap_close($conn); + return true; + } + + public function getAccountValues($username) { + + return $this->accountValues; + } + + # WorkAround error_handler in failed bind of LDAP + public static function exception_error_handler($errno, $errstr, $errfile, $errline) { + } +} diff --git a/sources/patches/app-add-ldap-auth.patch b/sources/patches/app-add-ldap-auth.patch index 1a24d53..61dcc21 100644 --- a/sources/patches/app-add-ldap-auth.patch +++ b/sources/patches/app-add-ldap-auth.patch @@ -1,214 +1,3 @@ ---- b/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php -+++ b/Core/Frameworks/Baikal/Core/AbstractExternalAuth.php -@@ -0,0 +1,130 @@ -+ -+ * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License -+ */ -+abstract class AbstractExternalAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic { -+ -+ /** -+ * enable autocreation of user -+ * -+ * @var PDO -+ */ -+ protected $enableAutoCreation; -+ -+ /** -+ * Reference to PDO connection -+ * -+ * @var PDO -+ */ -+ private $pdo; -+ -+ /** -+ * PDO table name we'll be using -+ * -+ * @var string -+ */ -+ private $tableName; -+ -+ /** -+ * Creates the backend object. -+ * -+ * If the filename argument is passed in, it will parse out the specified file fist. -+ * -+ * @param PDO $pdo -+ * @param string $realm -+ * @param string $tableName The PDO table name to use -+ */ -+ public function __construct(\PDO $pdo, $realm = 'BaikalDAV', $tableName = 'users') { -+ -+ $this->pdo = $pdo; -+ $this->tableName = $tableName; -+ $this->enableAutoCreation = true; -+ } -+ -+ /** -+ * Validates a username and password -+ * -+ * This method should return true or false depending on if login -+ * succeeded. -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public function validateUserPass($username, $password) { -+ -+ if (!$this->validateUserPassExternal($username, $password)) -+ return false; -+ -+ $this->currentUser = $username; -+ if ($this->enableAutoCreation) -+ $this->autoUserCreation($username); -+ -+ return true; -+ } -+ -+ /** -+ * Validates a username and password agains external backend -+ * -+ * This method should return true or false depending on if login -+ * succeeded. -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public abstract function validateUserPassExternal($username, $password); -+ -+ /** -+ * return the displayname and email from the external Backend -+ * -+ * @param string $username -+ * @return array ('displayname' => string, 'email' => string) -+ */ -+ public function getAccountValues($username) { -+ -+ return array(); -+ } -+ -+ /** -+ * create an internal user, when user not exists -+ * -+ * @param string $username -+ */ -+ private function autoUserCreation($username) { -+ -+ /* search user in DB and do nothing, when user exists */ -+ $stmt = $this->pdo->prepare('SELECT username FROM '.$this->tableName.' WHERE username = ?'); -+ $stmt->execute(array($username)); -+ $result = $stmt->fetchAll(); -+ if (count($result) != 0) -+ return; -+ -+ /* get account values from backend */ -+ $values = $this->getAccountValues($username); -+ if (!isset($values['displayname']) OR strlen($values['displayname']) === 0) -+ $values['displayname'] = $username; -+ if (!isset($values['email']) OR strlen($values['email']) === 0) { -+ if(filter_var($username, FILTER_VALIDATE_EMAIL)) -+ $values['email'] = $username; -+ else -+ $values['email'] = 'unset-mail'; -+ } -+ -+ /* create user */ -+ $user = new \Baikal\Model\User(); -+ $user->set('username', $username); -+ $user->set('displayname', $values['displayname']); -+ $user->set('email', $values['email']); -+ $user->persist(); -+ } -+ -+} ---- b/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php -+++ b/Core/Frameworks/Baikal/Core/LDAPUserBindAuth.php -@@ -0,0 +1,75 @@ -+ -+ * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License -+ */ -+class LDAPUserBindAuth extends AbstractExternalAuth { -+ -+ /** -+ * AccountValues for getAccountValues -+ * -+ * @var array ('displayname' => string, 'email' => string) -+ */ -+ private $accountValues; -+ -+ /** -+ * Validates a username and password over ldap -+ * -+ * @param string $username -+ * @param string $password -+ * @return bool -+ */ -+ public function validateUserPassExternal($username, $password) { -+ -+ /* create ldap connection */ -+ $conn = ldap_connect(BAIKAL_DAV_LDAP_URI); -+ if (!$conn) -+ return false; -+ if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) -+ return false; -+ -+ /* bind with user -+ * error_handler have to change, because a failed bind raises an error -+ * this raise a secuity issue because in the stack trace is the password of user readable -+ */ -+ $arr = explode('@', $username, 2); -+ $dn = str_replace('%n', $username, BAIKAL_DAV_LDAP_DN_TEMPLATE); -+ $dn = str_replace('%u', $arr[0], $dn); -+ if(isset($arr[1])) $dn = str_replace('%d', $arr[1], $dn); -+ -+ set_error_handler("\Baikal\Core\LDAPUserBindAuth::exception_error_handler"); -+ $bind = ldap_bind($conn, $dn, $password); -+ restore_error_handler(); -+ if (!$bind) { -+ ldap_close($conn); -+ return false; -+ } -+ -+ /* read displayname and email from user */ -+ $this->accountValues = array(); -+ $sr = ldap_read($conn, $dn, '(objectclass=*)', array(BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR, BAIKAL_DAV_LDAP_EMAIL_ATTR)); -+ $entry = ldap_get_entries($conn, $sr); -+ if (isset($entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0])) -+ $this->accountValues['displayname'] = $entry[0][BAIKAL_DAV_LDAP_DISPLAYNAME_ATTR][0]; -+ if (isset($entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0])) -+ $this->accountValues['email'] = $entry[0][BAIKAL_DAV_LDAP_EMAIL_ATTR][0]; -+ -+ /* close */ -+ ldap_close($conn); -+ return true; -+ } -+ -+ public function getAccountValues($username) { -+ -+ return $this->accountValues; -+ } -+ -+ # WorkAround error_handler in failed bind of LDAP -+ public static function exception_error_handler($errno, $errstr, $errfile, $errline) { -+ } -+} diff --git a/Core/Frameworks/Baikal/Core/Server.php b/Core/Frameworks/Baikal/Core/Server.php index 8026854..8d306fe 100644 --- a/Core/Frameworks/Baikal/Core/Server.php