11078ec26SAndreas Gohr<?php 21078ec26SAndreas Gohr 31078ec26SAndreas Gohrnamespace dokuwiki\plugin\pureldap\classes; 41078ec26SAndreas Gohr 580ac552fSAndreas Gohruse dokuwiki\Utf8\PhpString; 61078ec26SAndreas Gohruse FreeDSx\Ldap\Entry\Attribute; 71078ec26SAndreas Gohruse FreeDSx\Ldap\Exception\BindException; 81078ec26SAndreas Gohruse FreeDSx\Ldap\Exception\ConnectionException; 91078ec26SAndreas Gohruse FreeDSx\Ldap\Exception\OperationException; 101078ec26SAndreas Gohruse FreeDSx\Ldap\LdapClient; 111078ec26SAndreas Gohr 121078ec26SAndreas Gohrrequire_once __DIR__ . '/../vendor/autoload.php'; 131078ec26SAndreas Gohr 141078ec26SAndreas Gohrabstract class Client 151078ec26SAndreas Gohr{ 16204fba68SAndreas Gohr const FILTER_EQUAL = 'equal'; 17204fba68SAndreas Gohr const FILTER_CONTAINS = 'contains'; 18204fba68SAndreas Gohr const FILTER_STARTSWITH = 'startsWith'; 19204fba68SAndreas Gohr const FILTER_ENDSWITH = 'endsWith'; 20204fba68SAndreas Gohr 211078ec26SAndreas Gohr /** @var array the configuration */ 221078ec26SAndreas Gohr protected $config; 231078ec26SAndreas Gohr 241078ec26SAndreas Gohr /** @var LdapClient */ 251078ec26SAndreas Gohr protected $ldap; 261078ec26SAndreas Gohr 271078ec26SAndreas Gohr /** @var bool is this client authenticated already? */ 281078ec26SAndreas Gohr protected $isAuthenticated = false; 291078ec26SAndreas Gohr 301078ec26SAndreas Gohr /** @var array cached user info */ 311078ec26SAndreas Gohr protected $userCache = []; 321078ec26SAndreas Gohr 335a3b9122SAndreas Gohr /** @var array cached group list */ 345a3b9122SAndreas Gohr protected $groupCache = []; 355a3b9122SAndreas Gohr 361078ec26SAndreas Gohr /** 371078ec26SAndreas Gohr * Client constructor. 381078ec26SAndreas Gohr * @param array $config 391078ec26SAndreas Gohr */ 401078ec26SAndreas Gohr public function __construct($config) 411078ec26SAndreas Gohr { 421078ec26SAndreas Gohr $this->config = $this->prepareConfig($config); 431078ec26SAndreas Gohr $this->ldap = new LdapClient($this->config); 441078ec26SAndreas Gohr } 451078ec26SAndreas Gohr 461078ec26SAndreas Gohr /** 471078ec26SAndreas Gohr * Setup sane config defaults 481078ec26SAndreas Gohr * 491078ec26SAndreas Gohr * @param array $config 501078ec26SAndreas Gohr * @return array 511078ec26SAndreas Gohr */ 521078ec26SAndreas Gohr protected function prepareConfig($config) 531078ec26SAndreas Gohr { 54*1a4f0e1fSAndreas Gohr // ensure we have the default keys 55*1a4f0e1fSAndreas Gohr /** @var array $conf */ 56*1a4f0e1fSAndreas Gohr include __DIR__ . '/../conf/default.php'; 57*1a4f0e1fSAndreas Gohr $defaults = $conf; 58*1a4f0e1fSAndreas Gohr $defaults['defaultgroup'] = 'user'; // we expect this to be passed from global conf 591078ec26SAndreas Gohr 601078ec26SAndreas Gohr $config = array_merge($defaults, $config); 611078ec26SAndreas Gohr 621078ec26SAndreas Gohr // default port depends on SSL setting 631078ec26SAndreas Gohr if (!$config['port']) { 646d90d5c8SAndreas Gohr $config['port'] = ($config['encryption'] === 'ssl') ? 636 : 389; 656d90d5c8SAndreas Gohr } 666d90d5c8SAndreas Gohr 676d90d5c8SAndreas Gohr // set ssl parameters 686d90d5c8SAndreas Gohr $config['use_ssl'] = ($config['encryption'] === 'ssl'); 696d90d5c8SAndreas Gohr if ($config['validate'] === 'none') { 706d90d5c8SAndreas Gohr $config['ssl_validate_cert'] = false; 716d90d5c8SAndreas Gohr } elseif ($config['validate'] === 'self') { 726d90d5c8SAndreas Gohr $config['ssl_allow_self_signed'] = true; 731078ec26SAndreas Gohr } 741078ec26SAndreas Gohr 75a1128cc0SAndreas Gohr $config['suffix'] = PhpString::strtolower($config['suffix']); 76c2500b44SAndreas Gohr $config['primarygroup'] = $this->cleanGroup($config['primarygroup']); 7780ac552fSAndreas Gohr 781078ec26SAndreas Gohr return $config; 791078ec26SAndreas Gohr } 801078ec26SAndreas Gohr 811078ec26SAndreas Gohr /** 821078ec26SAndreas Gohr * Authenticate as admin 831078ec26SAndreas Gohr */ 841078ec26SAndreas Gohr public function autoAuth() 851078ec26SAndreas Gohr { 861078ec26SAndreas Gohr if ($this->isAuthenticated) return true; 879446f9efSAndreas Gohr 88a1128cc0SAndreas Gohr $user = $this->prepareBindUser($this->config['admin_username']); 899446f9efSAndreas Gohr $ok = $this->authenticate($user, $this->config['admin_password']); 908b2677edSAndreas Gohr if (!$ok) { 91a1128cc0SAndreas Gohr $this->error('Administrative bind failed. Probably wrong user/password.', __FILE__, __LINE__); 928b2677edSAndreas Gohr } 938b2677edSAndreas Gohr return $ok; 941078ec26SAndreas Gohr } 951078ec26SAndreas Gohr 961078ec26SAndreas Gohr /** 971078ec26SAndreas Gohr * Authenticates a given user. This client will remain authenticated 981078ec26SAndreas Gohr * 991078ec26SAndreas Gohr * @param string $user 1001078ec26SAndreas Gohr * @param string $pass 1011078ec26SAndreas Gohr * @return bool was the authentication successful? 1025a3b9122SAndreas Gohr * @noinspection PhpRedundantCatchClauseInspection 1031078ec26SAndreas Gohr */ 1041078ec26SAndreas Gohr public function authenticate($user, $pass) 1051078ec26SAndreas Gohr { 106a1128cc0SAndreas Gohr $user = $this->prepareBindUser($user); 10780ac552fSAndreas Gohr 1086d90d5c8SAndreas Gohr if ($this->config['encryption'] === 'tls') { 1091078ec26SAndreas Gohr try { 1101078ec26SAndreas Gohr $this->ldap->startTls(); 1111078ec26SAndreas Gohr } catch (OperationException $e) { 112da369b60SAndreas Gohr $this->fatal($e); 1131078ec26SAndreas Gohr } 1141078ec26SAndreas Gohr } 1151078ec26SAndreas Gohr 1161078ec26SAndreas Gohr try { 1171078ec26SAndreas Gohr $this->ldap->bind($user, $pass); 1181078ec26SAndreas Gohr } catch (BindException $e) { 1191078ec26SAndreas Gohr return false; 1201078ec26SAndreas Gohr } catch (ConnectionException $e) { 121da369b60SAndreas Gohr $this->fatal($e); 1221078ec26SAndreas Gohr return false; 1231078ec26SAndreas Gohr } catch (OperationException $e) { 124da369b60SAndreas Gohr $this->fatal($e); 1251078ec26SAndreas Gohr return false; 1261078ec26SAndreas Gohr } 1271078ec26SAndreas Gohr 1281078ec26SAndreas Gohr $this->isAuthenticated = true; 1291078ec26SAndreas Gohr return true; 1301078ec26SAndreas Gohr } 1311078ec26SAndreas Gohr 1321078ec26SAndreas Gohr /** 1331078ec26SAndreas Gohr * Get info for a single user, use cache if available 1341078ec26SAndreas Gohr * 1351078ec26SAndreas Gohr * @param string $username 1361078ec26SAndreas Gohr * @param bool $fetchgroups Are groups needed? 1371078ec26SAndreas Gohr * @return array|null 1381078ec26SAndreas Gohr */ 1391078ec26SAndreas Gohr public function getCachedUser($username, $fetchgroups = true) 1401078ec26SAndreas Gohr { 1416d90d5c8SAndreas Gohr global $conf; 1426d90d5c8SAndreas Gohr 1436d90d5c8SAndreas Gohr // memory cache first 1441078ec26SAndreas Gohr if (isset($this->userCache[$username])) { 1451078ec26SAndreas Gohr if (!$fetchgroups || is_array($this->userCache[$username]['grps'])) { 1461078ec26SAndreas Gohr return $this->userCache[$username]; 1471078ec26SAndreas Gohr } 1481078ec26SAndreas Gohr } 1491078ec26SAndreas Gohr 1506d90d5c8SAndreas Gohr // disk cache second 1516d90d5c8SAndreas Gohr $cachename = getCacheName($username, '.pureldap-user'); 1526d90d5c8SAndreas Gohr $cachetime = @filemtime($cachename); 1536d90d5c8SAndreas Gohr if ($cachetime && (time() - $cachetime) < $conf['auth_security_timeout']) { 1546d90d5c8SAndreas Gohr $this->userCache[$username] = json_decode(file_get_contents($cachename), true); 1556d90d5c8SAndreas Gohr if (!$fetchgroups || is_array($this->userCache[$username]['grps'])) { 1566d90d5c8SAndreas Gohr return $this->userCache[$username]; 1576d90d5c8SAndreas Gohr } 1586d90d5c8SAndreas Gohr } 1596d90d5c8SAndreas Gohr 1601078ec26SAndreas Gohr // fetch fresh data 1611078ec26SAndreas Gohr $info = $this->getUser($username, $fetchgroups); 1621078ec26SAndreas Gohr 1631078ec26SAndreas Gohr // store in cache 1641078ec26SAndreas Gohr if ($info !== null) { 1651078ec26SAndreas Gohr $this->userCache[$username] = $info; 1666d90d5c8SAndreas Gohr file_put_contents($cachename, json_encode($info)); 1671078ec26SAndreas Gohr } 1681078ec26SAndreas Gohr 1691078ec26SAndreas Gohr return $info; 1701078ec26SAndreas Gohr } 1711078ec26SAndreas Gohr 1721078ec26SAndreas Gohr /** 1731078ec26SAndreas Gohr * Fetch a single user 1741078ec26SAndreas Gohr * 1751078ec26SAndreas Gohr * @param string $username 1761078ec26SAndreas Gohr * @param bool $fetchgroups Shall groups be fetched, too? 1771078ec26SAndreas Gohr * @return null|array 1781078ec26SAndreas Gohr */ 1791078ec26SAndreas Gohr abstract public function getUser($username, $fetchgroups = true); 1801078ec26SAndreas Gohr 1811078ec26SAndreas Gohr /** 1825a3b9122SAndreas Gohr * Return a list of all available groups, use cache if available 1835a3b9122SAndreas Gohr * 1845a3b9122SAndreas Gohr * @return string[] 1855a3b9122SAndreas Gohr */ 1865a3b9122SAndreas Gohr public function getCachedGroups() 1875a3b9122SAndreas Gohr { 1885a3b9122SAndreas Gohr if (empty($this->groupCache)) { 1895a3b9122SAndreas Gohr $this->groupCache = $this->getGroups(); 1905a3b9122SAndreas Gohr } 1915a3b9122SAndreas Gohr 1925a3b9122SAndreas Gohr return $this->groupCache; 1935a3b9122SAndreas Gohr } 1945a3b9122SAndreas Gohr 1955a3b9122SAndreas Gohr /** 1965a3b9122SAndreas Gohr * Return a list of all available groups 1975a3b9122SAndreas Gohr * 198b21740b4SAndreas Gohr * Optionally filter the list 199b21740b4SAndreas Gohr * 200b21740b4SAndreas Gohr * @param null|string $match Filter for this, null for all groups 201b21740b4SAndreas Gohr * @param string $filtermethod How to match the groups 2025a3b9122SAndreas Gohr * @return string[] 2035a3b9122SAndreas Gohr */ 204204fba68SAndreas Gohr abstract public function getGroups($match = null, $filtermethod = self::FILTER_EQUAL); 2055a3b9122SAndreas Gohr 20680ac552fSAndreas Gohr /** 207a1128cc0SAndreas Gohr * Clean the user name for use in DokuWiki 20880ac552fSAndreas Gohr * 209a1128cc0SAndreas Gohr * @param string $user 21080ac552fSAndreas Gohr * @return string 21180ac552fSAndreas Gohr */ 212a1128cc0SAndreas Gohr abstract public function cleanUser($user); 21380ac552fSAndreas Gohr 21480ac552fSAndreas Gohr /** 215a1128cc0SAndreas Gohr * Clean the group name for use in DokuWiki 21680ac552fSAndreas Gohr * 217a1128cc0SAndreas Gohr * @param string $group 21880ac552fSAndreas Gohr * @return string 21980ac552fSAndreas Gohr */ 220a1128cc0SAndreas Gohr abstract public function cleanGroup($group); 221a1128cc0SAndreas Gohr 222a1128cc0SAndreas Gohr /** 223a1128cc0SAndreas Gohr * Inheriting classes may want to manipulate the user before binding 224a1128cc0SAndreas Gohr * 225a1128cc0SAndreas Gohr * @param string $user 226a1128cc0SAndreas Gohr * @return string 227a1128cc0SAndreas Gohr */ 228a1128cc0SAndreas Gohr protected function prepareBindUser($user) 229a1128cc0SAndreas Gohr { 230a1128cc0SAndreas Gohr return $user; 231a1128cc0SAndreas Gohr } 23280ac552fSAndreas Gohr 2335a3b9122SAndreas Gohr /** 2341078ec26SAndreas Gohr * Helper method to get the first value of the given attribute 2351078ec26SAndreas Gohr * 2361078ec26SAndreas Gohr * The given attribute may be null, an empty string is returned then 2371078ec26SAndreas Gohr * 2381078ec26SAndreas Gohr * @param Attribute|null $attribute 2391078ec26SAndreas Gohr * @return string 2401078ec26SAndreas Gohr */ 2415a3b9122SAndreas Gohr protected function attr2str($attribute) 2425a3b9122SAndreas Gohr { 2431078ec26SAndreas Gohr if ($attribute !== null) { 2441078ec26SAndreas Gohr return $attribute->firstValue(); 2451078ec26SAndreas Gohr } 2461078ec26SAndreas Gohr return ''; 2471078ec26SAndreas Gohr } 2481078ec26SAndreas Gohr 2491078ec26SAndreas Gohr /** 2509c590892SAndreas Gohr * Get the attributes that should be fetched for a user 2519c590892SAndreas Gohr * 2529c590892SAndreas Gohr * Can be extended in sub classes 2539c590892SAndreas Gohr * 2549c590892SAndreas Gohr * @return Attribute[] 2559c590892SAndreas Gohr */ 2569c590892SAndreas Gohr protected function userAttributes() 2579c590892SAndreas Gohr { 2589c590892SAndreas Gohr // defaults 2599c590892SAndreas Gohr $attr = [ 2609c590892SAndreas Gohr new Attribute('dn'), 2619c590892SAndreas Gohr new Attribute('displayName'), 2629c590892SAndreas Gohr new Attribute('mail'), 2639c590892SAndreas Gohr ]; 2649c590892SAndreas Gohr // additionals 2659c590892SAndreas Gohr foreach ($this->config['attributes'] as $attribute) { 2669c590892SAndreas Gohr $attr[] = new Attribute($attribute); 2679c590892SAndreas Gohr } 2689c590892SAndreas Gohr return $attr; 2699c590892SAndreas Gohr } 2709c590892SAndreas Gohr 2719c590892SAndreas Gohr /** 272da369b60SAndreas Gohr * Handle fatal exceptions 2731078ec26SAndreas Gohr * 2741078ec26SAndreas Gohr * @param \Exception $e 2751078ec26SAndreas Gohr */ 276da369b60SAndreas Gohr protected function fatal(\Exception $e) 2771078ec26SAndreas Gohr { 278c872f0e3SAndreas Gohr if (class_exists('\dokuwiki\ErrorHandler')) { 279c872f0e3SAndreas Gohr \dokuwiki\ErrorHandler::logException($e); 280c872f0e3SAndreas Gohr } 281c872f0e3SAndreas Gohr 2821078ec26SAndreas Gohr if (defined('DOKU_UNITTEST')) { 2838595f73eSAndreas Gohr throw new \RuntimeException('', 0, $e); 2841078ec26SAndreas Gohr } 285c872f0e3SAndreas Gohr 286c872f0e3SAndreas Gohr msg('[pureldap] ' . hsc($e->getMessage()), -1); 287da369b60SAndreas Gohr } 2881078ec26SAndreas Gohr 289da369b60SAndreas Gohr /** 290a1128cc0SAndreas Gohr * Handle error output 291a1128cc0SAndreas Gohr * 292a1128cc0SAndreas Gohr * @param string $msg 293a1128cc0SAndreas Gohr * @param string $file 294a1128cc0SAndreas Gohr * @param int $line 295a1128cc0SAndreas Gohr */ 296a1128cc0SAndreas Gohr protected function error($msg, $file, $line) 297a1128cc0SAndreas Gohr { 298c872f0e3SAndreas Gohr if (class_exists('\dokuwiki\Logger')) { 299c872f0e3SAndreas Gohr \dokuwiki\Logger::error('[pureldap] ' . $msg, '', $file, $line); 300c872f0e3SAndreas Gohr } 301c872f0e3SAndreas Gohr 302a1128cc0SAndreas Gohr if (defined('DOKU_UNITTEST')) { 303a1128cc0SAndreas Gohr throw new \RuntimeException($msg . ' at ' . $file . ':' . $line); 304a1128cc0SAndreas Gohr } 305a1128cc0SAndreas Gohr 306c872f0e3SAndreas Gohr msg('[pureldap] ' . hsc($msg), -1); 307a1128cc0SAndreas Gohr } 308a1128cc0SAndreas Gohr 309a1128cc0SAndreas Gohr /** 310da369b60SAndreas Gohr * Handle debug output 311da369b60SAndreas Gohr * 312da369b60SAndreas Gohr * @param string $msg 313da369b60SAndreas Gohr * @param string $file 314da369b60SAndreas Gohr * @param int $line 315da369b60SAndreas Gohr */ 316da369b60SAndreas Gohr protected function debug($msg, $file, $line) 317da369b60SAndreas Gohr { 318c872f0e3SAndreas Gohr global $conf; 319c872f0e3SAndreas Gohr 320c872f0e3SAndreas Gohr if (class_exists('\dokuwiki\Logger')) { 321c872f0e3SAndreas Gohr \dokuwiki\Logger::debug('[pureldap] ' . $msg, '', $file, $line); 322c872f0e3SAndreas Gohr } 323c872f0e3SAndreas Gohr 324c872f0e3SAndreas Gohr if ($conf['allowdebug']) { 32585916a2dSAndreas Gohr msg('[pureldap] ' . hsc($msg) . ' at ' . $file . ':' . $line, 0); 3261078ec26SAndreas Gohr } 3271078ec26SAndreas Gohr } 328c872f0e3SAndreas Gohr} 329