bookstack/app/Auth/Access/Guards/LdapSessionGuard.php

<?php

namespace BookStack\Auth\Access\Guards;

use BookStack\Auth\Access\LdapService;
use BookStack\Auth\Access\RegistrationService;
use BookStack\Auth\User;
use BookStack\Exceptions\JsonDebugException;
use BookStack\Exceptions\LdapException;
use BookStack\Exceptions\LoginAttemptEmailNeededException;
use BookStack\Exceptions\LoginAttemptException;
use BookStack\Exceptions\UserRegistrationException;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Contracts\Session\Session;
use Illuminate\Support\Str;

class LdapSessionGuard extends ExternalBaseSessionGuard
{
    protected LdapService $ldapService;

    /**
     * LdapSessionGuard constructor.
     */
    public function __construct(
        $name,
        UserProvider $provider,
        Session $session,
        LdapService $ldapService,
        RegistrationService $registrationService
    ) {
        $this->ldapService = $ldapService;
        parent::__construct($name, $provider, $session, $registrationService);
    }

    /**
     * Validate a user's credentials.
     *
     * @param array $credentials
     *
     * @throws LdapException
     *
     * @return bool
     */
    public function validate(array $credentials = [])
    {
        $userDetails = $this->ldapService->getUserDetails($credentials['username']);

        if (isset($userDetails['uid'])) {
            $this->lastAttempted = $this->provider->retrieveByCredentials([
                'external_auth_id' => $userDetails['uid'],
            ]);
        }

        return $this->ldapService->validateUserCredentials($userDetails, $credentials['password']);
    }

    /**
     * Attempt to authenticate a user using the given credentials.
     *
     * @param array $credentials
     * @param bool  $remember
     *
     * @throws LdapException*@throws \BookStack\Exceptions\JsonDebugException
     * @throws LoginAttemptException
     * @throws JsonDebugException
     *
     * @return bool
     */
    public function attempt(array $credentials = [], $remember = false)
    {
        $username = $credentials['username'];
        $userDetails = $this->ldapService->getUserDetails($username);

        $user = null;
        if (isset($userDetails['uid'])) {
            $this->lastAttempted = $user = $this->provider->retrieveByCredentials([
                'external_auth_id' => $userDetails['uid'],
            ]);
        }

        if (!$this->ldapService->validateUserCredentials($userDetails, $credentials['password'])) {
            return false;
        }

        if (is_null($user)) {
            try {
                $user = $this->createNewFromLdapAndCreds($userDetails, $credentials);
            } catch (UserRegistrationException $exception) {
                throw new LoginAttemptException($exception->getMessage());
            }
        }

        // Sync LDAP groups if required
        if ($this->ldapService->shouldSyncGroups()) {
            $this->ldapService->syncGroups($user, $username);
        }

        // Attach avatar if non-existent
        if (!$user->avatar()->exists()) {
            $this->ldapService->saveAndAttachAvatar($user, $userDetails);
        }

        $this->login($user, $remember);

        return true;
    }

    /**
     * Create a new user from the given ldap credentials and login credentials.
     *
     * @throws LoginAttemptEmailNeededException
     * @throws LoginAttemptException
     * @throws UserRegistrationException
     */
    protected function createNewFromLdapAndCreds(array $ldapUserDetails, array $credentials): User
    {
        $email = trim($ldapUserDetails['email'] ?: ($credentials['email'] ?? ''));

        if (empty($email)) {
            throw new LoginAttemptEmailNeededException();
        }

        $details = [
            'name'             => $ldapUserDetails['name'],
            'email'            => $ldapUserDetails['email'] ?: $credentials['email'],
            'external_auth_id' => $ldapUserDetails['uid'],
            'password'         => Str::random(32),
        ];

        $user = $this->registrationService->registerUser($details, null, false);
        $this->ldapService->saveAndAttachAvatar($user, $ldapUserDetails);

        return $user;
    }
}
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`<?php`

			`namespace BookStack\Auth\Access\Guards;`

			`use BookStack\Auth\Access\LdapService;`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`use BookStack\Auth\Access\RegistrationService;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`use BookStack\Auth\User;`
Added LDAP group debugging env option Closes #3345 2022-03-24 00:34:23 +08:00			`use BookStack\Exceptions\JsonDebugException;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`use BookStack\Exceptions\LdapException;`
			`use BookStack\Exceptions\LoginAttemptEmailNeededException;`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`use BookStack\Exceptions\LoginAttemptException;`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`use BookStack\Exceptions\UserRegistrationException;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`use Illuminate\Contracts\Auth\UserProvider;`
			`use Illuminate\Contracts\Session\Session;`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`use Illuminate\Support\Str;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00
			`class LdapSessionGuard extends ExternalBaseSessionGuard`
			`{`
Added LDAP group debugging env option Closes #3345 2022-03-24 00:34:23 +08:00			`protected LdapService $ldapService;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00
			`/**`
			`* LdapSessionGuard constructor.`
			`*/`
Ran phpcbf and updated phpcs.xml 2021-03-08 06:24:05 +08:00			`public function __construct(`
			`$name,`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`UserProvider $provider,`
			`Session $session,`
			`LdapService $ldapService,`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`RegistrationService $registrationService`
Ran phpcbf and updated phpcs.xml 2021-03-08 06:24:05 +08:00			`) {`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`$this->ldapService = $ldapService;`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`parent::__construct($name, $provider, $session, $registrationService);`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`

			`/**`
			`* Validate a user's credentials.`
			`*`
			`* @param array $credentials`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`* @throws LdapException`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
			`* @return bool`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`*/`
			`public function validate(array $credentials = [])`
			`{`
			`$userDetails = $this->ldapService->getUserDetails($credentials['username']);`

Fixed LDAP error thrown by not found user details - Added testing to cover. Related to #1876 2020-02-15 22:44:36 +08:00			`if (isset($userDetails['uid'])) {`
			`$this->lastAttempted = $this->provider->retrieveByCredentials([`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'external_auth_id' => $userDetails['uid'],`
Fixed LDAP error thrown by not found user details - Added testing to cover. Related to #1876 2020-02-15 22:44:36 +08:00			`]);`
			`}`

			`return $this->ldapService->validateUserCredentials($userDetails, $credentials['password']);`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`

			`/**`
			`* Attempt to authenticate a user using the given credentials.`
			`*`
			`* @param array $credentials`
Applied latest styleCI changes 2022-03-25 19:14:27 +08:00			`* @param bool $remember`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`*`
Added LDAP group debugging env option Closes #3345 2022-03-24 00:34:23 +08:00			`* @throws LdapException*@throws \BookStack\Exceptions\JsonDebugException`
			`* @throws LoginAttemptException`
			`* @throws JsonDebugException`
Applied latest styleCI changes 2022-03-25 19:14:27 +08:00			`*`
			`* @return bool`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`*/`
			`public function attempt(array $credentials = [], $remember = false)`
			`{`
			`$username = $credentials['username'];`
			`$userDetails = $this->ldapService->getUserDetails($username);`

Fixed LDAP error thrown by not found user details - Added testing to cover. Related to #1876 2020-02-15 22:44:36 +08:00			`$user = null;`
			`if (isset($userDetails['uid'])) {`
			`$this->lastAttempted = $user = $this->provider->retrieveByCredentials([`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'external_auth_id' => $userDetails['uid'],`
Fixed LDAP error thrown by not found user details - Added testing to cover. Related to #1876 2020-02-15 22:44:36 +08:00			`]);`
			`}`

			`if (!$this->ldapService->validateUserCredentials($userDetails, $credentials['password'])) {`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`return false;`
			`}`

			`if (is_null($user)) {`
Fixed not shown existing-email warning on new ldap user - Reduced the amount of different exceptions from LDAP attempt so they can be handled more consistently. - Added test to cover. - Also cleaned up LDAP tests to reduce boilterplate mocks. Fixes #2048 2020-04-26 19:13:00 +08:00			`try {`
			`$user = $this->createNewFromLdapAndCreds($userDetails, $credentials);`
			`} catch (UserRegistrationException $exception) {`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-04 08:26:19 +08:00			`throw new LoginAttemptException($exception->getMessage());`
Fixed not shown existing-email warning on new ldap user - Reduced the amount of different exceptions from LDAP attempt so they can be handled more consistently. - Added test to cover. - Also cleaned up LDAP tests to reduce boilterplate mocks. Fixes #2048 2020-04-26 19:13:00 +08:00			`}`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`

Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`// Sync LDAP groups if required`
			`if ($this->ldapService->shouldSyncGroups()) {`
			`$this->ldapService->syncGroups($user, $username);`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`

Reviewed PR to add import user avatars va LDAP - Reduced options to single new configuration paramter instead of two. - Moved more logic into UserAvatars class. - Updated LDAP avatar import to also run on login when no image is currently set. - Added thumbnail fetching to search requests. - Added testing to cover. Related to PR #2320, and issue #1161 2021-05-25 01:45:08 +08:00			`// Attach avatar if non-existent`
Done a round of phpstan fixes 2021-11-06 08:32:01 +08:00			`if (!$user->avatar()->exists()) {`
Reviewed PR to add import user avatars va LDAP - Reduced options to single new configuration paramter instead of two. - Moved more logic into UserAvatars class. - Updated LDAP avatar import to also run on login when no image is currently set. - Added thumbnail fetching to search requests. - Added testing to cover. Related to PR #2320, and issue #1161 2021-05-25 01:45:08 +08:00			`$this->ldapService->saveAndAttachAvatar($user, $userDetails);`
			`}`

Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`$this->login($user, $remember);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`return true;`
			`}`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`/**`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`* Create a new user from the given ldap credentials and login credentials.`
			`*`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`* @throws LoginAttemptEmailNeededException`
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`* @throws LoginAttemptException`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`* @throws UserRegistrationException`
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`*/`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`protected function createNewFromLdapAndCreds(array $ldapUserDetails, array $credentials): User`
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`{`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`$email = trim($ldapUserDetails['email'] ?: ($credentials['email'] ?? ''));`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`if (empty($email)) {`
Set more appropriate login validation and broken up LDAP guide a bit 2020-02-01 22:30:23 +08:00			`throw new LoginAttemptEmailNeededException();`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`

Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`$details = [`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'name' => $ldapUserDetails['name'],`
			`'email' => $ldapUserDetails['email'] ?: $credentials['email'],`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`'external_auth_id' => $ldapUserDetails['uid'],`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00			`'password' => Str::random(32),`
Checked over and aligned registration option behavior across all auth options - Added tests to cover 2020-02-03 01:31:00 +08:00			`];`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00
Import thumbnail photos when LDAP users are created. 2020-10-13 00:33:55 +08:00			`$user = $this->registrationService->registerUser($details, null, false);`
Reviewed PR to add import user avatars va LDAP - Reduced options to single new configuration paramter instead of two. - Moved more logic into UserAvatars class. - Updated LDAP avatar import to also run on login when no image is currently set. - Added thumbnail fetching to search requests. - Added testing to cover. Related to PR #2320, and issue #1161 2021-05-25 01:45:08 +08:00			`$this->ldapService->saveAndAttachAvatar($user, $ldapUserDetails);`
Apply fixes from StyleCI 2021-06-26 23:23:15 +08:00
Import thumbnail photos when LDAP users are created. 2020-10-13 00:33:55 +08:00			`return $user;`
Started alignment of auth services - Removed LDAP specific logic from login controller, placed in Guard. - Created safer base user provider for ldap login, to be used for SAML soon. - Moved LDAP auth work from user provider to guard. 2020-02-01 19:42:22 +08:00			`}`
			`}`