-

manu0401 · nicolas-grekas · commit 27dba3b5e5a3 · 2024-08-22T08:58:16.000+02:00
diff --git a/UPGRADE-7.2.md b/UPGRADE-7.2.md
@@ -29,6 +29,11 @@ FrameworkBundle
 
  * [BC BREAK] The `secrets:decrypt-to-local` command terminates with a non-zero exit code when a secret could not be read
 
+Ldap
+----
+
+ * Add methods for `saslBind()` and `whoami()` to `ConnectionInterface` and `LdapInterface`
+
 Messenger
 ---------
 
diff --git a/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php b/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php
@@ -18,6 +18,9 @@
 
 /**
  * @author Charles Sarrazin <charles@sarraz.in>
+ *
+ * @method void saslBind(?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authcId = null, ?string $authzId = null, ?string $props =  null)
+ * @method string whoami()
  */
 interface ConnectionInterface
 {
@@ -38,20 +41,16 @@ public function bind(?string $dn = null, #[\SensitiveParameter] ?string $passwor
     /**
      * Binds the connection against a user's DN and password using SASL
      *
-     * @return void
-     *
      * @throws LdapException               When SASL support is not available
      * @throws AlreadyExistsException      When the connection can't be created because of an LDAP_ALREADY_EXISTS error
      * @throws ConnectionTimeoutException  When the connection can't be created because of an LDAP_TIMEOUT error
      * @throws InvalidCredentialsException When the connection can't be created because of an LDAP_INVALID_CREDENTIALS error
-     */
     public function saslBind(?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authcId = null, ?string $authzId = null, ?string $props = null): void;
+     */
 
     /**
      * Return authenticated and authorized (for SASL) DN
-     *
-     * @return string
-     */
     public function whoami(): string;
+     */
 
 }
diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php
@@ -70,18 +70,14 @@ public function bind(?string $dn = null, #[\SensitiveParameter] ?string $passwor
 
         if (false === @ldap_bind($this->connection, $dn, $password)) {
             $error = ldap_error($this->connection);
-            $errno = ldap_errno($this->connection);
-            if (self::LDAP_INVALID_CREDENTIALS === $errno) {
-                    throw new InvalidCredentialsException($error);
-            }
-            if (self::LDAP_TIMEOUT === $errno) {
-                    throw new ConnectionTimeoutException($error);
-            }
-            if (self::LDAP_ALREADY_EXISTS === $errno) {
-                    throw new AlreadyExistsException($error);
-            }
-            ldap_get_option($this->connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic_message);
-            throw new ConnectionException($error.' '.$diagnostic_message);
+            ldap_get_option($this->connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic);
+
+            throw match (ldap_errno($this->connection)) {
+                self::LDAP_INVALID_CREDENTIALS => new InvalidCredentialsException($error),
+                self::LDAP_TIMEOUT => new ConnectionTimeoutException($error),
+                self::LDAP_ALREADY_EXISTS => new AlreadyExistsException($error),
+                default => new ConnectionException($error.' '.$diagnostic),
+            };
         }
 
         $this->bound = true;
@@ -92,7 +88,7 @@ public function bind(?string $dn = null, #[\SensitiveParameter] ?string $passwor
      */
     public function saslBind(?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authcId = null, ?string $authzId = null, ?string $props = null): void
     {
-        if (!function_exists('ldap_sasl_bind')) {
+        if (!\function_exists('ldap_sasl_bind')) {
             throw new LdapException('Library - missing SASL support');
         }
 
@@ -102,46 +98,39 @@ public function saslBind(?string $dn = null, #[\SensitiveParameter] ?string $pas
 
         if (false === @ldap_sasl_bind($this->connection, $dn, $password, $mech, $realm, $authcId, $authzId, $props)) {
             $error = ldap_error($this->connection);
-            $errno = ldap_errno($this->connection);
-            if (self::LDAP_INVALID_CREDENTIALS === $errno) {
-                    throw new InvalidCredentialsException($error);
-            }
-            if (self::LDAP_TIMEOUT === $errno) {
-                    throw new ConnectionTimeoutException($error);
-            }
-            if (self::LDAP_ALREADY_EXISTS === $errno) {
-                    throw new AlreadyExistsException($error);
-            }
-            throw new ConnectionException($error);
+            ldap_get_option($this->connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic);
+
+            throw match (ldap_errno($this->connection)) {
+                self::LDAP_INVALID_CREDENTIALS => new InvalidCredentialsException($error),
+                self::LDAP_TIMEOUT => new ConnectionTimeoutException($error),
+                self::LDAP_ALREADY_EXISTS => new AlreadyExistsException($error),
+                default => new ConnectionException($error.' '.$diagnostic),
+            };
         }
 
         $this->bound = true;
     }
 
-
     /**
      * ldap_exop_whoami accessor, returns authenticated DN
      */
     public function whoami(): string
     {
-        $authzId = ldap_exop_whoami($this->connection);
-        if ($authzId === false) {
+        if (false === $authzId = ldap_exop_whoami($this->connection)) {
             throw new LdapException(ldap_error($this->connection));
         }
-	
-        $parts = explode(':', $authzId);
-        if ("dn" === $parts[0]) {
-            $dn = $parts[1];
-        } else {
+
+        $parts = explode(':', $authzId, 2);
+        if ('dn' !== $parts[0]) {
             /*
-             * We currently do not handle u:login authzId, which 
+             * We currently do not handle u:login authzId, which
              * would require a configuration-dependent LDAP search
              * to be turned into a DN
              */
-            throw new LdapException(sprintf('Unsupported authzId "%s"', $authzId));
+            throw new LdapException(\sprintf('Unsupported authzId "%s"', $authzId));
         }
-	  
-        return $dn;
+
+        return $parts[1];
     }
 
     /**
diff --git a/src/Symfony/Component/Ldap/CHANGELOG.md b/src/Symfony/Component/Ldap/CHANGELOG.md
@@ -4,7 +4,7 @@ CHANGELOG
 7.2
 ---
 
- * Add support for saslBind and whoami LDAP operations
+ * Add methods for `saslBind()` and `whoami()` to `ConnectionInterface` and `LdapInterface`
 
 7.1
 ---
diff --git a/src/Symfony/Component/Ldap/LdapInterface.php b/src/Symfony/Component/Ldap/LdapInterface.php
@@ -16,9 +16,10 @@
 use Symfony\Component\Ldap\Exception\ConnectionException;
 
 /**
- * Ldap interface.
- *
  * @author Charles Sarrazin <charles@sarraz.in>
+ *
+ * @method void saslBind(?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authcId = null, ?string $authzId = null, ?string $props =  null)
+ * @method string whoami()
  */
 interface LdapInterface
 {
@@ -35,19 +36,14 @@ public function bind(?string $dn = null, #[\SensitiveParameter] ?string $passwor
     /**
      * Returns a connection bound to the ldap using SASL
      *
-     * @return void
-     *
      * @throws ConnectionException if dn / password could not be bound
-     */
     public function saslBind(?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authcId = null, ?string $authzId = null, ?string $props = null): void;
-
+     */
 
     /**
      * Returns authenticated and authorized (for SASL) DN
-     *
-     * @return string
-     */
     public function whoami(): string;
+     */
 
     /**
      * Queries a ldap server for entries matching the given criteria.
diff --git a/src/Symfony/Component/Ldap/Tests/Adapter/ExtLdap/AdapterTest.php b/src/Symfony/Component/Ldap/Tests/Adapter/ExtLdap/AdapterTest.php
@@ -43,7 +43,7 @@ public function testSaslBind()
 
         $ldap->getConnection()->saslBind('cn=admin,dc=symfony,dc=com', 'symfony');
         $this->assertEquals('cn=admin,dc=symfony,dc=com', $ldap->getConnection()->whoami());
-    }    
+    }
 
     /**
      * @group functional
