feature #31560 [Ldap][Security] LdapBindAuthenticationProvider does not bind before search query (Simperfit)

fabpot · fabpot · commit 3c9ff1f8ace7 · 2019-07-08T10:00:04.000+02:00
This PR was merged into the 4.4 branch. Discussion ---------- [Ldap][Security] LdapBindAuthenticationProvider does not bind before search query | Q | A | ------------- | --- | Branch? | master | Bug fix? | yesish | New feature? | no  | BC breaks? | no  | Deprecations? | yes  | Tests pass? | yes  | Fixed tickets | #24210  | License | MIT | Doc PR | symfony/symfony-docs#...   This is tagged as a bug but since we need to add new params to the differents login providers and a deprecation I think we need to consider it as a new feature, maybe this could go in 3.4 too but without the deprecation. This allow using a searchDn and a sarchPassword when passing a queryString in order to do the query authenticated. Commits ------- cb2d97f [Ldap][Security] LdapBindAuthenticationProvider does not bind before search query
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+4.4.0
+
+* Deprecated the usage of "query_string" without a "search_dn" and a "search_password" config key in Ldap factories.
+
 4.3.0
 -----
 
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginLdapFactory.php
@@ -34,9 +34,14 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
+            ->replaceArgument(5, $config['search_dn'])
+            ->replaceArgument(6, $config['search_password'])
         ;
 
         if (!empty($config['query_string'])) {
+            if ('' === $config['search_dn'] || '' === $config['search_password']) {
+                @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);
+            }
             $definition->addMethodCall('setQueryString', [$config['query_string']]);
         }
 
@@ -52,6 +57,8 @@ public function addConfiguration(NodeDefinition $node)
                 ->scalarNode('service')->defaultValue('ldap')->end()
                 ->scalarNode('dn_string')->defaultValue('{username}')->end()
                 ->scalarNode('query_string')->end()
+                ->scalarNode('search_dn')->defaultValue('')->end()
+                ->scalarNode('search_password')->defaultValue('')->end()
             ->end()
         ;
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicLdapFactory.php
@@ -35,12 +35,17 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
+            ->replaceArgument(5, $config['search_dn'])
+            ->replaceArgument(6, $config['search_password'])
         ;
 
         // entry point
         $entryPointId = $this->createEntryPoint($container, $id, $config, $defaultEntryPoint);
 
         if (!empty($config['query_string'])) {
+            if ('' === $config['search_dn'] || '' === $config['search_password']) {
+                @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);
+            }
             $definition->addMethodCall('setQueryString', [$config['query_string']]);
         }
 
@@ -62,6 +67,8 @@ public function addConfiguration(NodeDefinition $node)
                 ->scalarNode('service')->defaultValue('ldap')->end()
                 ->scalarNode('dn_string')->defaultValue('{username}')->end()
                 ->scalarNode('query_string')->end()
+                ->scalarNode('search_dn')->defaultValue('')->end()
+                ->scalarNode('search_password')->defaultValue('')->end()
             ->end()
         ;
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginLdapFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/JsonLoginLdapFactory.php
@@ -36,9 +36,14 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,
             ->replaceArgument(2, $id)
             ->replaceArgument(3, new Reference($config['service']))
             ->replaceArgument(4, $config['dn_string'])
+            ->replaceArgument(5, $config['search_dn'])
+            ->replaceArgument(6, $config['search_password'])
         ;
 
         if (!empty($config['query_string'])) {
+            if ('' === $config['search_dn'] || '' === $config['search_password']) {
+                @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);
+            }
             $definition->addMethodCall('setQueryString', [$config['query_string']]);
         }
 
@@ -54,6 +59,8 @@ public function addConfiguration(NodeDefinition $node)
                 ->scalarNode('service')->defaultValue('ldap')->end()
                 ->scalarNode('dn_string')->defaultValue('{username}')->end()
                 ->scalarNode('query_string')->end()
+                ->scalarNode('search_dn')->defaultValue('')->end()
+                ->scalarNode('search_password')->defaultValue('')->end()
             ->end()
         ;
     }
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -195,6 +195,8 @@
             <argument /> <!-- UserChecker -->
             <argument /> <!-- Provider-shared Key -->
             <argument /> <!-- LDAP -->
+            <argument /> <!-- search dn -->
+            <argument /> <!-- search password -->
             <argument /> <!-- Base DN -->
             <argument>%security.authentication.hide_user_not_found%</argument>
         </service>
diff --git a/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php b/src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php
@@ -34,14 +34,18 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider
     private $ldap;
     private $dnString;
     private $queryString;
+    private $searchDn;
+    private $searchPassword;
 
-    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, LdapInterface $ldap, string $dnString = '{username}', bool $hideUserNotFoundExceptions = true)
+    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, LdapInterface $ldap, string $dnString = '{username}', bool $hideUserNotFoundExceptions = true, string $searchDn = '', string $searchPassword = '')
     {
         parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);
 
         $this->userProvider = $userProvider;
         $this->ldap = $ldap;
         $this->dnString = $dnString;
+        $this->searchDn = $searchDn;
+        $this->searchPassword = $searchPassword;
     }
 
     /**
@@ -82,6 +86,11 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
             $username = $this->ldap->escape($username, '', LdapInterface::ESCAPE_DN);
 
             if ($this->queryString) {
+                if ('' !== $this->searchDn && '' !== $this->searchPassword) {
+                    $this->ldap->bind($this->searchDn, $this->searchPassword);
+                } else {
+                    @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);
+                }
                 $query = str_replace('{username}', $username, $this->queryString);
                 $result = $this->ldap->query($this->dnString, $query)->execute();
                 if (1 !== $result->count()) {
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php
@@ -123,6 +123,10 @@ public function testQueryForDn()
             ->with('foo', '')
             ->willReturn('foo')
         ;
+        $ldap
+            ->expects($this->at(1))
+            ->method('bind')
+            ->with('elsa', 'test1234A$');
         $ldap
             ->expects($this->once())
             ->method('query')
@@ -131,7 +135,48 @@ public function testQueryForDn()
         ;
         $userChecker = $this->getMockBuilder(UserCheckerInterface::class)->getMock();
 
-        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
+        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap, '{username}', true, 'elsa', 'test1234A$');
+        $provider->setQueryString('{username}bar');
+        $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
+        $reflection->setAccessible(true);
+
+        $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', 'bar', 'key'));
+    }
+
+    public function testQueryWithUserForDn()
+    {
+        $userProvider = $this->getMockBuilder(UserProviderInterface::class)->getMock();
+
+        $collection = new \ArrayIterator([new Entry('')]);
+
+        $query = $this->getMockBuilder(QueryInterface::class)->getMock();
+        $query
+            ->expects($this->once())
+            ->method('execute')
+            ->will($this->returnValue($collection))
+        ;
+
+        $ldap = $this->getMockBuilder(LdapInterface::class)->getMock();
+        $ldap
+            ->expects($this->once())
+            ->method('escape')
+            ->with('foo', '')
+            ->will($this->returnValue('foo'))
+        ;
+        $ldap
+            ->expects($this->at(1))
+            ->method('bind')
+            ->with('elsa', 'test1234A$');
+        $ldap
+            ->expects($this->once())
+            ->method('query')
+            ->with('{username}', 'foobar')
+            ->will($this->returnValue($query))
+        ;
+
+        $userChecker = $this->getMockBuilder(UserCheckerInterface::class)->getMock();
+
+        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap, '{username}', true, 'elsa', 'test1234A$');
         $provider->setQueryString('{username}bar');
         $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
         $reflection->setAccessible(true);
@@ -157,14 +202,18 @@ public function testEmptyQueryResultShouldThrowAnException()
         ;
 
         $ldap = $this->getMockBuilder(LdapInterface::class)->getMock();
+        $ldap
+            ->expects($this->at(1))
+            ->method('bind')
+            ->with('elsa', 'test1234A$');
         $ldap
             ->expects($this->once())
             ->method('query')
             ->willReturn($query)
         ;
         $userChecker = $this->getMockBuilder(UserCheckerInterface::class)->getMock();
 
-        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap);
+        $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap, '{username}', true, 'elsa', 'test1234A$');
         $provider->setQueryString('{username}bar');
         $reflection = new \ReflectionMethod($provider, 'checkAuthentication');
         $reflection->setAccessible(true);

Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,14 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,`
`34`	`34`	`->replaceArgument(2, $id)`
`35`	`35`	`->replaceArgument(3, new Reference($config['service']))`
`36`	`36`	`->replaceArgument(4, $config['dn_string'])`
	`37`	`+ ->replaceArgument(5, $config['search_dn'])`
	`38`	`+ ->replaceArgument(6, $config['search_password'])`
`37`	`39`	`;`
`38`	`40`
`39`	`41`	`if (!empty($config['query_string'])) {`
	`42`	`+ if ('' === $config['search_dn'] \|\| '' === $config['search_password']) {`
	`43`	`+ @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);`
	`44`	`+ }`
`40`	`45`	`$definition->addMethodCall('setQueryString', [$config['query_string']]);`
`41`	`46`	`}`
`42`	`47`
`@@ -52,6 +57,8 @@ public function addConfiguration(NodeDefinition $node)`
`52`	`57`	`->scalarNode('service')->defaultValue('ldap')->end()`
`53`	`58`	`->scalarNode('dn_string')->defaultValue('{username}')->end()`
`54`	`59`	`->scalarNode('query_string')->end()`
	`60`	`+ ->scalarNode('search_dn')->defaultValue('')->end()`
	`61`	`+ ->scalarNode('search_password')->defaultValue('')->end()`
`55`	`62`	`->end()`
`56`	`63`	`;`
`57`	`64`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,12 +35,17 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,`
`35`	`35`	`->replaceArgument(2, $id)`
`36`	`36`	`->replaceArgument(3, new Reference($config['service']))`
`37`	`37`	`->replaceArgument(4, $config['dn_string'])`
	`38`	`+ ->replaceArgument(5, $config['search_dn'])`
	`39`	`+ ->replaceArgument(6, $config['search_password'])`
`38`	`40`	`;`
`39`	`41`
`40`	`42`	`// entry point`
`41`	`43`	`$entryPointId = $this->createEntryPoint($container, $id, $config, $defaultEntryPoint);`
`42`	`44`
`43`	`45`	`if (!empty($config['query_string'])) {`
	`46`	`+ if ('' === $config['search_dn'] \|\| '' === $config['search_password']) {`
	`47`	`+ @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);`
	`48`	`+ }`
`44`	`49`	`$definition->addMethodCall('setQueryString', [$config['query_string']]);`
`45`	`50`	`}`
`46`	`51`
`@@ -62,6 +67,8 @@ public function addConfiguration(NodeDefinition $node)`
`62`	`67`	`->scalarNode('service')->defaultValue('ldap')->end()`
`63`	`68`	`->scalarNode('dn_string')->defaultValue('{username}')->end()`
`64`	`69`	`->scalarNode('query_string')->end()`
	`70`	`+ ->scalarNode('search_dn')->defaultValue('')->end()`
	`71`	`+ ->scalarNode('search_password')->defaultValue('')->end()`
`65`	`72`	`->end()`
`66`	`73`	`;`
`67`	`74`	`}`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,14 @@ protected function createAuthProvider(ContainerBuilder $container, $id, $config,`
`36`	`36`	`->replaceArgument(2, $id)`
`37`	`37`	`->replaceArgument(3, new Reference($config['service']))`
`38`	`38`	`->replaceArgument(4, $config['dn_string'])`
	`39`	`+ ->replaceArgument(5, $config['search_dn'])`
	`40`	`+ ->replaceArgument(6, $config['search_password'])`
`39`	`41`	`;`
`40`	`42`
`41`	`43`	`if (!empty($config['query_string'])) {`
	`44`	`+ if ('' === $config['search_dn'] \|\| '' === $config['search_password']) {`
	`45`	`+ @trigger_error('Using the "query_string" config without using a "search_dn" and a "search_password" is deprecated since Symfony 4.4 and will throw in Symfony 5.0.', E_USER_DEPRECATED);`
	`46`	`+ }`
`42`	`47`	`$definition->addMethodCall('setQueryString', [$config['query_string']]);`
`43`	`48`	`}`
`44`	`49`
`@@ -54,6 +59,8 @@ public function addConfiguration(NodeDefinition $node)`
`54`	`59`	`->scalarNode('service')->defaultValue('ldap')->end()`
`55`	`60`	`->scalarNode('dn_string')->defaultValue('{username}')->end()`
`56`	`61`	`->scalarNode('query_string')->end()`
	`62`	`+ ->scalarNode('search_dn')->defaultValue('')->end()`
	`63`	`+ ->scalarNode('search_password')->defaultValue('')->end()`
`57`	`64`	`->end()`
`58`	`65`	`;`
`59`	`66`	`}`