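/**
 * Run an administrator-supplied LDAP search and render the matches as an
 * import form.
 *
 * The administrator's own directory credentials (request parameters
 * `username` and `password`) are used to bind before the search runs.
 *
 * NOTE: the `query` parameter reaches searchLDAP() through the `%Q`
 * conversion which, like the `%Q` uses in the ldap_sprintf() calls
 * elsewhere in this file, appears to insert the string without escaping.
 * The value is therefore a raw LDAP filter fragment chosen by the
 * administrator; do not route non-administrator input into this method.
 *
 * @param AphrontRequest $request Request carrying `username`, `password`
 *   and `query`.
 * @return PHUIBoxView Panel wrapping the result table and the import form.
 * @throws Exception If no LDAP provider is enabled, or if binding fails.
 */
private function processSearchRequest($request) {
  $admin = $request->getUser();
  $search = $request->getStr('query');

  $ldap_provider = PhabricatorLDAPAuthProvider::getLDAPProvider();
  if (!$ldap_provider) {
    throw new Exception(pht('No LDAP provider enabled!'));
  }

  $ldap_adapter = $ldap_provider->getAdapter();
  $ldap_adapter->setLoginUsername($request->getStr('username'));
  $ldap_adapter->setLoginPassword(
    new PhutilOpaqueEnvelope($request->getStr('password')));

  // This causes us to connect and bind. Binding can write the password to
  // the error log, so log output is discarded while it runs. Discard mode
  // must be switched back off even when the bind throws; otherwise the rest
  // of the request would run with error logging disabled.
  // TODO: Clean up this discard mode stuff.
  DarkConsoleErrorLogPluginAPI::enableDiscardMode();
  try {
    $ldap_adapter->getAccountID();
  } catch (Exception $ex) {
    DarkConsoleErrorLogPluginAPI::disableDiscardMode();
    throw $ex;
  }
  DarkConsoleErrorLogPluginAPI::disableDiscardMode();

  $results = $ldap_adapter->searchLDAP('%Q', $search);

  // Build one table row per record that has a usable account ID; records
  // without one can not be imported and are dropped. Keys are preserved as
  // the original result keys.
  $rows = array();
  foreach ($results as $key => $record) {
    $account_id = $ldap_adapter->readLDAPRecordAccountID($record);
    if (!$account_id) {
      continue;
    }

    $info = array(
      $account_id,
      $ldap_adapter->readLDAPRecordEmail($record),
      $ldap_adapter->readLDAPRecordRealName($record),
    );
    // renderUserInputs() sees the three-column record, not the final row.
    $inputs = $this->renderUserInputs($info);
    $info[] = $inputs;
    $rows[$key] = $info;
  }

  $table = new AphrontTableView($rows);
  $table->setHeaders(
    array(
      pht('Username'),
      pht('Email'),
      pht('Real Name'),
      pht('Import?'),
    ));

  $form = id(new AphrontFormView())->setUser($admin);
  $form->appendChild($table);
  $form
    ->setAction(
      $request->getRequestURI()
        ->alter('import', 'true')
        ->alter('search', null))
    ->appendChild(
      id(new AphrontFormSubmitControl())
        ->setValue(pht('Import')));

  $panel = new PHUIBoxView();
  $panel->appendChild($form);

  return $panel;
}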
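/**
 * Handle a login attempt against this LDAP provider.
 *
 * Credentials are only accepted from a form POST. A request that merely
 * carries `ldap_username` and `ldap_password` without being a form
 * submission (for example, in a query string) is answered with the login
 * form again; previously such a request fell through to
 * loadOrCreateAccount() with `$account_id` never having been assigned.
 *
 * @param PhabricatorAuthLoginController $controller
 * @return array Pair of (account, response). On a successful bind the
 *   account from loadOrCreateAccount() is returned with a null response;
 *   otherwise the account is null and the response is the rendered login
 *   form.
 */
public function processLoginRequest(PhabricatorAuthLoginController $controller) {
  $request = $controller->getRequest();
  $account = null;
  $response = null;

  $username = $request->getStr('ldap_username');
  $password = $request->getStr('ldap_password');
  $has_password = strlen($password) > 0;
  $password = new PhutilOpaqueEnvelope($password);

  // Require both credentials and a real form submission before talking to
  // the directory. Every other case gets the login form back.
  if (!strlen($username) || !$has_password || !$request->isFormPost()) {
    $response = $controller->buildProviderPageResponse(
      $this,
      $this->renderLoginForm($request, 'login'));
    return array($account, $response);
  }

  $adapter = $this->getAdapter();
  $adapter->setLoginUsername($username);
  $adapter->setLoginPassword($password);

  // TODO: This calls ldap_bind() eventually, which dumps cleartext
  // passwords to the error log. See note in PhutilLDAPAuthAdapter.
  // See T3351.
  // Log output is discarded around the bind. Discard mode is switched back
  // off on every exit path so a failed login does not leave error logging
  // disabled for the rest of the request.
  DarkConsoleErrorLogPluginAPI::enableDiscardMode();
  try {
    $account_id = $adapter->getAccountID();
  } catch (PhutilAuthCredentialException $ex) {
    DarkConsoleErrorLogPluginAPI::disableDiscardMode();
    // Bad credentials: re-render the form. The directory's error text is
    // not surfaced to the user here.
    $response = $controller->buildProviderPageResponse(
      $this,
      $this->renderLoginForm($request, 'login'));
    return array($account, $response);
  } catch (Exception $ex) {
    DarkConsoleErrorLogPluginAPI::disableDiscardMode();
    throw $ex;
  }
  DarkConsoleErrorLogPluginAPI::disableDiscardMode();

  $account = $this->loadOrCreateAccount($account_id);
  return array($account, $response);
}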
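/**
 * Authenticate `$username` against the directory with a bind and return the
 * user's LDAP record.
 *
 * With `ldap.search-first` enabled the username is first resolved through
 * the username attribute to the search-attribute value used in the DN. A
 * lookup miss is reported with the same message as a failed bind so the
 * error text does not reveal whether the account exists.
 *
 * @param string $username Login name; must not be blank.
 * @param PhutilOpaqueEnvelope $password Login password; must not be empty.
 * @return array The user's LDAP record as returned by getUser(); also
 *   stored in `$this->userData`.
 * @throws Exception On a blank username, an empty password, an unknown
 *   user in search-first mode, or a failed bind.
 */
public function auth($username, PhutilOpaqueEnvelope $password) {
  if (strlen(trim($username)) === 0) {
    throw new Exception('Username can not be empty');
  }

  // An LDAP bind with a DN and an empty password is an "unauthenticated"
  // bind, which many directories answer with success as an anonymous
  // session. It must never count as a login for the named user, so reject
  // it before touching the connection.
  if (strlen($password->openEnvelope()) === 0) {
    throw new Exception('Password can not be empty');
  }

  if (PhabricatorEnv::getEnvConfig('ldap.search-first')) {
    // To protect against people phishing for accounts we catch the
    // exception and present the default exception that would be presented
    // in the case of a failed bind.
    try {
      $user = $this->getUser($this->getUsernameAttribute(), $username);
      $username = $user[$this->getSearchAttribute()][0];
    } catch (PhabricatorLDAPUnknownUserException $e) {
      throw new Exception(
        $this->invalidLDAPUserErrorMessage(
          self::LDAP_INVALID_CREDENTIALS,
          ldap_err2str(self::LDAP_INVALID_CREDENTIALS)));
    }
  }

  $conn = $this->getConnection();

  // Active Directory accepts the UPN form directly; otherwise build a DN
  // under the base DN. The attribute and base DN are inserted raw (%Q),
  // the username is escaped (%s).
  $ad_domain = PhabricatorEnv::getEnvConfig('ldap.activedirectory_domain');
  if ($ad_domain) {
    $dn = $username.'@'.$ad_domain;
  } else {
    $dn = ldap_sprintf(
      '%Q=%s,%Q',
      $this->getSearchAttribute(),
      $username,
      $this->getBaseDN());
  }

  // NOTE: It is very important we suppress any messages that occur here,
  // because it logs passwords if it reaches an error log of any sort.
  DarkConsoleErrorLogPluginAPI::enableDiscardMode();
  $result = @ldap_bind($conn, $dn, $password->openEnvelope());
  DarkConsoleErrorLogPluginAPI::disableDiscardMode();

  if (!$result) {
    throw new Exception(
      $this->invalidLDAPUserErrorMessage(
        ldap_errno($conn),
        ldap_error($conn)));
  }

  $this->userData = $this->getUser($this->getSearchAttribute(), $username);
  return $this->userData;
}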