path: root/app/Core/Ldap/Client.php
authorFrederic Guillot <fred@kanboard.net>2015-12-05 20:31:27 -0500
committerFrederic Guillot <fred@kanboard.net>2015-12-05 20:31:27 -0500
commite9fedf3e5cd63aea4da7a71f6647ee427c62fa49 (patch)
treeabc2de5aebace4a2d7c94805552264dab6b10bc7 /app/Core/Ldap/Client.php
parent346b8312e5ac877ce3192c2db3a26b500018bbb5 (diff)
Rewrite of the authentication and authorization system
Diffstat (limited to 'app/Core/Ldap/Client.php')
-rw-r--r--app/Core/Ldap/Client.php119
1 files changed, 100 insertions, 19 deletions
diff --git a/app/Core/Ldap/Client.php b/app/Core/Ldap/Client.php
index a523428c..5d481cd3 100644
--- a/app/Core/Ldap/Client.php
+++ b/app/Core/Ldap/Client.php
@@ -2,6 +2,8 @@
namespace Kanboard\Core\Ldap;
+use LogicException;
+
/**
* LDAP Client
*
@@ -11,16 +13,60 @@ namespace Kanboard\Core\Ldap;
class Client
{
/**
+ * LDAP resource
+ *
+ * @access private
+ * @var resource
+ */
+ private $ldap;
+
+ /**
+ * Establish LDAP connection
+ *
+ * @static
+ * @access public
+ * @param string $username
+ * @param string $password
+ * @return Client
+ */
+ public static function connect($username = null, $password = null)
+ {
+ $client = new self;
+ $client->open($client->getLdapServer());
+ $username = $username ?: $client->getLdapUsername();
+ $password = $password ?: $client->getLdapPassword();
+
+ if (empty($username) && empty($password)) {
+ $client->useAnonymousAuthentication();
+ } else {
+ $client->authenticate($username, $password);
+ }
+
+ return $client;
+ }
+
+ /**
* Get server connection
*
* @access public
+ * @return resource
+ */
+ public function getConnection()
+ {
+ return $this->ldap;
+ }
+
+ /**
+ * Establish server connection
+ *
+ * @access public
* @param string $server LDAP server hostname or IP
* @param integer $port LDAP port
* @param boolean $tls Start TLS
* @param boolean $verify Skip SSL certificate verification
- * @return resource
+ * @return Client
*/
- public function getConnection($server, $port = LDAP_PORT, $tls = LDAP_START_TLS, $verify = LDAP_SSL_VERIFY)
+ public function open($server, $port = LDAP_PORT, $tls = LDAP_START_TLS, $verify = LDAP_SSL_VERIFY)
{
if (! function_exists('ldap_connect')) {
throw new ClientException('LDAP: The PHP LDAP extension is required');
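Review bot: In `connect()` the `?:` fallbacks on the `$username`/`$password` lines substitute the configured proxy credentials whenever the caller's value is falsy, so a caller-supplied DN with an empty (or `'0'`) password would be bound using `LDAP_PASSWORD` instead of being rejected, and a configured `LDAP_USERNAME` with an empty `LDAP_PASSWORD` passes the `empty(...) && empty(...)` check and reaches `authenticate()` with no password at all. Whether `connect()` is ever handed end-user credentials is not visible in this hunk, but the fallback should only apply when the caller supplied neither value, and a partial pair should fail closed rather than fall through to `authenticate()`. The rewrite below keeps the signature and the anonymous-bind path for the "nothing configured" case.

```php
    public static function connect($username = null, $password = null)
    {
        $client = new self;
        $client->open($client->getLdapServer());

        // Use the proxy credentials only when the caller supplied neither value
        if ($username === null && $password === null) {
            $username = $client->getLdapUsername();
            $password = $client->getLdapPassword();
        }

        $hasUsername = $username !== null && $username !== '';
        $hasPassword = $password !== null && $password !== '';

        if (! $hasUsername && ! $hasPassword) {
            $client->useAnonymousAuthentication();
        } elseif ($hasUsername && $hasPassword) {
            $client->authenticate($username, $password);
        } else {
            throw new ClientException('LDAP: a bind DN and a password are both required');
        }

        return $client;
    }
```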
@@ -30,34 +76,33 @@ class Client
putenv('LDAPTLS_REQCERT=never');
}
- $ldap = ldap_connect($server, $port);
+ $this->ldap = ldap_connect($server, $port);
- if ($ldap === false) {
+ if ($this->ldap === false) {
throw new ClientException('LDAP: Unable to connect to the LDAP server');
}
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, 1);
- ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, 1);
+ ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
+ ldap_set_option($this->ldap, LDAP_OPT_REFERRALS, 0);
+ ldap_set_option($this->ldap, LDAP_OPT_NETWORK_TIMEOUT, 1);
+ ldap_set_option($this->ldap, LDAP_OPT_TIMELIMIT, 1);
- if ($tls && ! @ldap_start_tls($ldap)) {
+ if ($tls && ! @ldap_start_tls($this->ldap)) {
throw new ClientException('LDAP: Unable to start TLS');
}
- return $ldap;
+ return $this;
}
/**
* Anonymous authentication
*
* @access public
- * @param resource $ldap
* @return boolean
*/
- public function useAnonymousAuthentication($ldap)
+ public function useAnonymousAuthentication()
{
- if (! ldap_bind($ldap)) {
+ if (! @ldap_bind($this->ldap)) {
throw new ClientException('Unable to perform anonymous binding');
}
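Review bot: The `@` added in front of `ldap_start_tls()` and `ldap_bind()` in this hunk discards the server-side diagnostic, so a TLS negotiation or bind failure surfaces only as the fixed message in `ClientException`, which makes misconfiguration (certificate, protocol version, referral) hard to triage from logs. Keep the suppression if the warning noise is unwanted, but carry the reason into the exception: `throw new ClientException('LDAP: Unable to start TLS: '.ldap_error($this->ldap));` and likewise `throw new ClientException('Unable to perform anonymous binding: '.ldap_error($this->ldap));`. `open()` begins in the previous hunk and `useAnonymousAuthentication()` continues past the end of this one.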
@@ -68,17 +113,53 @@ class Client
* Authentication with username/password
*
* @access public
- * @param resource $ldap
- * @param string $username
- * @param string $password
+ * @param string $bind_rdn
+ * @param string $bind_password
* @return boolean
*/
- public function authenticate($ldap, $username, $password)
+ public function authenticate($bind_rdn, $bind_password)
{
- if (! ldap_bind($ldap, $username, $password)) {
- throw new ClientException('Unable to perform anonymous binding');
+ if (! @ldap_bind($this->ldap, $bind_rdn, $bind_password)) {
+ throw new ClientException('LDAP authentication failure for "'.$bind_rdn.'"');
}
return true;
}
+
+ /**
+ * Get LDAP server name
+ *
+ * @access public
+ * @return string
+ */
+ public function getLdapServer()
+ {
+ if (! LDAP_SERVER) {
+ throw new LogicException('LDAP server not configured, check the parameter LDAP_SERVER');
+ }
+
+ return LDAP_SERVER;
+ }
+
+ /**
+ * Get LDAP username (proxy auth)
+ *
+ * @access public
+ * @return string
+ */
+ public function getLdapUsername()
+ {
+ return LDAP_USERNAME;
+ }
+
+ /**
+ * Get LDAP password (proxy auth)
+ *
+ * @access public
+ * @return string
+ */
+ public function getLdapPassword()
+ {
+ return LDAP_PASSWORD;
+ }
}
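Review bot: `authenticate()` passes `$bind_rdn` and `$bind_password` straight to `ldap_bind()` without checking for an empty password; an LDAPv3 simple bind with a DN and an empty password is an unauthenticated bind that many directories accept, so `ldap_bind()` returns true and the method reports success for a user who supplied no password. Add a fail-closed guard before the bind: `if ($bind_rdn === '' || $bind_password === '') { throw new ClientException('LDAP: empty bind DN or password'); }` (or reject nulls too, since `connect()` may pass constants through unchecked). Separately, `getLdapUsername()` and `getLdapPassword()` return `LDAP_USERNAME`/`LDAP_PASSWORD` without the defined-check that `getLdapServer()` performs on `LDAP_SERVER`; if those constants can be undefined in some deployments, an undefined constant name would presumably be used as the bind value on older PHP versions, so mirroring the `LogicException` guard would be safer.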