From e9fedf3e5cd63aea4da7a71f6647ee427c62fa49 Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 5 Dec 2015 20:31:27 -0500
Subject: Rewrite of the authentication and authorization system

---
 app/User/DatabaseUserProvider.php     | 144 ++++++++++++++++++++++++
 app/User/GithubUserProvider.php       |  23 ++++
 app/User/GitlabUserProvider.php       |  23 ++++
 app/User/GoogleUserProvider.php       |  23 ++++
 app/User/LdapUserProvider.php         | 206 ++++++++++++++++++++++++++++++++++
 app/User/OAuthUserProvider.php        | 141 +++++++++++++++++++++++
 app/User/ReverseProxyUserProvider.php | 147 ++++++++++++++++++++++++
 7 files changed, 707 insertions(+)
 create mode 100644 app/User/DatabaseUserProvider.php
 create mode 100644 app/User/GithubUserProvider.php
 create mode 100644 app/User/GitlabUserProvider.php
 create mode 100644 app/User/GoogleUserProvider.php
 create mode 100644 app/User/LdapUserProvider.php
 create mode 100644 app/User/OAuthUserProvider.php
 create mode 100644 app/User/ReverseProxyUserProvider.php

(limited to 'app/User')

diff --git a/app/User/DatabaseUserProvider.php b/app/User/DatabaseUserProvider.php
new file mode 100644
index 00000000..b6d41186
--- /dev/null
+++ b/app/User/DatabaseUserProvider.php
@@ -0,0 +1,144 @@
+<?php
+
+namespace Kanboard\User;
+
+use Kanboard\Core\User\UserProviderInterface;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Database User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class DatabaseUserProvider implements UserProviderInterface
+{
+    /**
+     * User properties
+     *
+     * @access private
+     * @var array
+     */
+    private $user = array();
+
+    /**
+     * Constructor
+     *
+     * @access public
+     * @param  array $user
+     */
+    public function __construct(array $user)
+    {
+        $this->user = $user;
+    }
+
+    /**
+     * Return true to allow automatic user creation
+     *
+     * @access public
+     * @return boolean
+     */
+    public function isUserCreationAllowed()
+    {
+        return false;
+    }
+
+    /**
+     * Get internal id
+     *
+     * @access public
+     * @return string
+     */
+    public function getInternalId()
+    {
+        return $this->user['id'];
+    }
+
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return '';
+    }
+
+    /**
+     * Get external id
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalId()
+    {
+        return '';
+    }
+
+    /**
+     * Get user role
+     *
+     * @access public
+     * @return string
+     */
+    public function getRole()
+    {
+        return '';
+    }
+
+    /**
+     * Get username
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return '';
+    }
+
+    /**
+     * Get full name
+     *
+     * @access public
+     * @return string
+     */
+    public function getName()
+    {
+        return '';
+    }
+
+    /**
+     * Get user email
+     *
+     * @access public
+     * @return string
+     */
+    public function getEmail()
+    {
+        return '';
+    }
+
+    /**
+     * Get external group ids
+     *
+     * @access public
+     * @return array
+     */
+    public function getExternalGroupIds()
+    {
+        return array();
+    }
+
+    /**
+     * Get extra user attributes
+     *
+     * @access public
+     * @return array
+     */
+    public function getExtraAttributes()
+    {
+        return array();
+    }
+}
diff --git a/app/User/GithubUserProvider.php b/app/User/GithubUserProvider.php
new file mode 100644
index 00000000..ae3d7477
--- /dev/null
+++ b/app/User/GithubUserProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Kanboard\User;
+
+/**
+ * Github OAuth User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class GithubUserProvider extends OAuthUserProvider
+{
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return 'github_id';
+    }
+}
diff --git a/app/User/GitlabUserProvider.php b/app/User/GitlabUserProvider.php
new file mode 100644
index 00000000..a73472c8
--- /dev/null
+++ b/app/User/GitlabUserProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Kanboard\User;
+
+/**
+ * Gitlab OAuth User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class GitlabUserProvider extends OAuthUserProvider
+{
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return 'gitlab_id';
+    }
+}
diff --git a/app/User/GoogleUserProvider.php b/app/User/GoogleUserProvider.php
new file mode 100644
index 00000000..baa55e03
--- /dev/null
+++ b/app/User/GoogleUserProvider.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Kanboard\User;
+
+/**
+ * Google OAuth User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class GoogleUserProvider extends OAuthUserProvider
+{
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return 'google_id';
+    }
+}
diff --git a/app/User/LdapUserProvider.php b/app/User/LdapUserProvider.php
new file mode 100644
index 00000000..9dfb2380
--- /dev/null
+++ b/app/User/LdapUserProvider.php
@@ -0,0 +1,206 @@
+<?php
+
+namespace Kanboard\User;
+
+use Kanboard\Core\User\UserProviderInterface;
+
+/**
+ * LDAP User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class LdapUserProvider implements UserProviderInterface
+{
+    /**
+     * LDAP DN
+     *
+     * @access private
+     * @var string
+     */
+    private $dn;
+
+    /**
+     * LDAP username
+     *
+     * @access private
+     * @var string
+     */
+    private $username;
+
+    /**
+     * User name
+     *
+     * @access private
+     * @var string
+     */
+    private $name;
+
+    /**
+     * Email
+     *
+     * @access private
+     * @var string
+     */
+    private $email;
+
+    /**
+     * User role
+     *
+     * @access private
+     * @var string
+     */
+    private $role;
+
+    /**
+     * Group LDAP DNs
+     *
+     * @access private
+     * @var string[]
+     */
+    private $groupIds;
+
+    /**
+     * Constructor
+     *
+     * @access public
+     * @param  string   $dn
+     * @param  string   $username
+     * @param  string   $name
+     * @param  string   $email
+     * @param  string   $role
+     * @param  string[]
+     */
+    public function __construct($dn, $username, $name, $email, $role, array $groupIds)
+    {
+        $this->dn = $dn;
+        $this->username = $username;
+        $this->name = $name;
+        $this->email = $email;
+        $this->role = $role;
+        $this->groupIds = $groupIds;
+    }
+
+    /**
+     * Return true to allow automatic user creation
+     *
+     * @access public
+     * @return boolean
+     */
+    public function isUserCreationAllowed()
+    {
+        return LDAP_USER_CREATION;
+    }
+
+    /**
+     * Get internal id
+     *
+     * @access public
+     * @return string
+     */
+    public function getInternalId()
+    {
+        return '';
+    }
+
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return 'username';
+    }
+
+    /**
+     * Get external id
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalId()
+    {
+        return $this->getUsername();
+    }
+
+    /**
+     * Get user role
+     *
+     * @access public
+     * @return string
+     */
+    public function getRole()
+    {
+        return $this->role;
+    }
+
+    /**
+     * Get username
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return LDAP_USERNAME_CASE_SENSITIVE ? $this->username : strtolower($this->username);
+    }
+
+    /**
+     * Get full name
+     *
+     * @access public
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->name;
+    }
+
+    /**
+     * Get user email
+     *
+     * @access public
+     * @return string
+     */
+    public function getEmail()
+    {
+        return $this->email;
+    }
+
+    /**
+     * Get groups
+     *
+     * @access public
+     * @return array
+     */
+    public function getExternalGroupIds()
+    {
+        return $this->groupIds;
+    }
+
+    /**
+     * Get extra user attributes
+     *
+     * @access public
+     * @return array
+     */
+    public function getExtraAttributes()
+    {
+        return array(
+            'is_ldap_user' => 1,
+        );
+    }
+
+    /**
+     * Get User DN
+     *
+     * @access public
+     * @return string
+     */
+    public function getDn()
+    {
+        return $this->dn;
+    }
+}
diff --git a/app/User/OAuthUserProvider.php b/app/User/OAuthUserProvider.php
new file mode 100644
index 00000000..3879fa76
--- /dev/null
+++ b/app/User/OAuthUserProvider.php
@@ -0,0 +1,141 @@
+<?php
+
+namespace Kanboard\User;
+
+use Kanboard\Core\User\UserProviderInterface;
+use Kanboard\Core\Security\Role;
+
+/**
+ * OAuth User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+abstract class OAuthUserProvider implements UserProviderInterface
+{
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    abstract public function getExternalIdColumn();
+
+    /**
+     * User properties
+     *
+     * @access private
+     * @var array
+     */
+    private $user = array();
+
+    /**
+     * Constructor
+     *
+     * @access public
+     * @param  array $user
+     */
+    public function __construct(array $user)
+    {
+        $this->user = $user;
+    }
+
+    /**
+     * Return true to allow automatic user creation
+     *
+     * @access public
+     * @return boolean
+     */
+    public function isUserCreationAllowed()
+    {
+        return false;
+    }
+
+    /**
+     * Get internal id
+     *
+     * @access public
+     * @return string
+     */
+    public function getInternalId()
+    {
+        return '';
+    }
+
+    /**
+     * Get external id
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalId()
+    {
+        return $this->user['id'];
+    }
+
+    /**
+     * Get user role
+     *
+     * @access public
+     * @return string
+     */
+    public function getRole()
+    {
+        return '';
+    }
+
+    /**
+     * Get username
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return '';
+    }
+
+    /**
+     * Get full name
+     *
+     * @access public
+     * @return string
+     */
+    public function getName()
+    {
+        return $this->user['name'];
+    }
+
+    /**
+     * Get user email
+     *
+     * @access public
+     * @return string
+     */
+    public function getEmail()
+    {
+        return $this->user['email'];
+    }
+
+    /**
+     * Get external group ids
+     *
+     * @access public
+     * @return array
+     */
+    public function getExternalGroupIds()
+    {
+        return array();
+    }
+
+    /**
+     * Get extra user attributes
+     *
+     * @access public
+     * @return array
+     */
+    public function getExtraAttributes()
+    {
+        return array();
+    }
+}
diff --git a/app/User/ReverseProxyUserProvider.php b/app/User/ReverseProxyUserProvider.php
new file mode 100644
index 00000000..071330df
--- /dev/null
+++ b/app/User/ReverseProxyUserProvider.php
@@ -0,0 +1,147 @@
+<?php
+
+namespace Kanboard\User;
+
+use Kanboard\Core\User\UserProviderInterface;
+use Kanboard\Core\Security\Role;
+
+/**
+ * Reverse Proxy User Provider
+ *
+ * @package  user
+ * @author   Frederic Guillot
+ */
+class ReverseProxyUserProvider implements UserProviderInterface
+{
+    /**
+     * Username
+     *
+     * @access private
+     * @var string
+     */
+    private $username = '';
+
+    /**
+     * Constructor
+     *
+     * @access public
+     * @param  string $username
+     */
+    public function __construct($username)
+    {
+        $this->username = $username;
+    }
+
+    /**
+     * Return true to allow automatic user creation
+     *
+     * @access public
+     * @return boolean
+     */
+    public function isUserCreationAllowed()
+    {
+        return true;
+    }
+
+    /**
+     * Get internal id
+     *
+     * @access public
+     * @return string
+     */
+    public function getInternalId()
+    {
+        return '';
+    }
+
+    /**
+     * Get external id column name
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalIdColumn()
+    {
+        return 'username';
+    }
+
+    /**
+     * Get external id
+     *
+     * @access public
+     * @return string
+     */
+    public function getExternalId()
+    {
+        return $this->username;
+    }
+
+    /**
+     * Get user role
+     *
+     * @access public
+     * @return string
+     */
+    public function getRole()
+    {
+        return REVERSE_PROXY_DEFAULT_ADMIN === $this->username ? Role::APP_ADMIN : Role::APP_USER;
+    }
+
+    /**
+     * Get username
+     *
+     * @access public
+     * @return string
+     */
+    public function getUsername()
+    {
+        return $this->username;
+    }
+
+    /**
+     * Get full name
+     *
+     * @access public
+     * @return string
+     */
+    public function getName()
+    {
+        return '';
+    }
+
+    /**
+     * Get user email
+     *
+     * @access public
+     * @return string
+     */
+    public function getEmail()
+    {
+        return REVERSE_PROXY_DEFAULT_DOMAIN !== '' ? $this->username.'@'.REVERSE_PROXY_DEFAULT_DOMAIN : '';
+    }
+
+    /**
+     * Get external group ids
+     *
+     * @access public
+     * @return array
+     */
+    public function getExternalGroupIds()
+    {
+        return array();
+    }
+
+    /**
+     * Get extra user attributes
+     *
+     * @access public
+     * @return array
+     */
+    public function getExtraAttributes()
+    {
+        return array(
+            'is_ldap_user' => 1,
+            'disable_login_form' => 1,
+        );
+    }
+}
-- 
cgit v1.2.3