updated plugin AuthLDAP version 2.6.2

KawaiiPunk 2024-06-27 12:10:42 +00:00 committed by Gitium
parent 4e493c268e
commit 65d26d4d83
10 changed files with 81 additions and 35 deletions


@ -4,7 +4,7 @@
Plugin Name: AuthLDAP
Plugin URI: https://github.com/heiglandreas/authLdap
Description: This plugin allows you to use your existing LDAP as authentication base for WordPress
Version: 2.6.0
Version: 2.6.2
Author: Andreas Heigl <andreas@heigl.org>
Author URI: http://andreas.heigl.org
License: MIT
@ -77,7 +77,7 @@ function authLdap_options_panel()
if (!isset($_POST['authLdapNonce'])) {
die("Go away!");
}
if (!wp_verify_nonce($_POST['authLdapNonce'],'authLdapNonce')) {
if (!wp_verify_nonce($_POST['authLdapNonce'], 'authLdapNonce')) {
die("Go away!");
}
@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
$authLDAPUidAttr = authLdap_get_option('UidAttr');
$authLDAPWebAttr = authLdap_get_option('WebAttr');
$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
$authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
$authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
$authLDAPUseUserAccount = authLdap_get_option('UserRead');
if (!$username) {
@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
// we only need this if either LDAP groups are disabled or
// if the WordPress role of the user overrides LDAP groups
if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
$userRoles = authLdap_user_role($uid);
if ($userRoles !== []) {
$roles = array_merge($roles, $userRoles);
@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
}
// do LDAP group mapping if needed
// (if LDAP groups override worpress user role, $role is still empty)
if (empty($roles) && $authLDAPGroupEnable) {
// (if LDAP groups override wordpress user role, $role is still empty)
if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
$mappedRoles = authLdap_groupmap($realuid, $dn);
if ($mappedRoles !== []) {
$roles = $mappedRoles;
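Review bot: With both GroupEnable and GroupOverUser true, the new `if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false)` condition skips the user's existing WordPress roles entirely, so a user who is no longer in any mapped LDAP group leaves the mapping branch with `$roles` still empty and presumably lands on the DefaultRole fallback (read at the top of the hunk, applied outside it — confirm against the code after this hunk). That is the safer outcome — lost group membership now revokes the mapped role rather than keeping it — but it is a policy decision that deserves a comment where it happens; I would extend the comment above the mapping branch with `// with GroupOverUser the stored WordPress roles are never consulted: no mapped group means no role from this step`. The comment `(if LDAP groups override wordpress user role, $role is still empty)` refers to `$roles`. authLdap_login starts before and ends after this hunk.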


@ -284,6 +284,25 @@ LDIF',
return trim($item);
}, explode(',', $user['roles']));
Assert::false(in_array($arg2, $roles));
}
/**
* @Given LDAP user :arg1 is not member of LDAP group :arg2
*/
public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2)
{
exec(sprintf(
'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 <<LDIF
%4$s
LDIF',
'ldap://openldap',
'cn=admin,dc=example,dc=org',
'insecure',
<<<LDIF
dn: cn=$arg2,dc=example,dc=org
changetype: modify
delete: uniqueMember
uniqueMember: uid=$arg1,dc=example,dc=org
LDIF
)); }
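Review bot: The new `ldapUserIsNotMemberOfLdapGroup` step never checks whether `ldapmodify` succeeded: `exec()` is called without its output and exit-status arguments, so a failed delete (wrong DN, missing group, LDAP unreachable) leaves the fixture unchanged and the scenario then asserts against stale membership, which can mask the very regression this commit fixes. Capture both and fail the step, e.g. `exec(sprintf(/* … */), $output, $exitCode);` followed by `if ($exitCode !== 0) { throw new \RuntimeException(implode("\n", $output)); }`. The shell heredoc delimiter is unquoted (`<<LDIF`), so the shell would expand `$` and backticks inside the LDIF body; writing it as `<<'LDIF'` keeps the body literal, and the `-w %3$s` bind password should be quoted like the bind DN. The sibling step that adds membership is outside the hunk and likely has the same shape.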
}


@ -61,3 +61,24 @@ Feature: Log in without group assignment
And the WordPress user "ldapuser" is member of role "wordpressrole"
And the WordPress user "ldapuser" is not member of role "editor"
And the WordPress user "ldapuser" is not member of role "subscriber"
Scenario: Second Login with group assignment that changes between first and second login
Given a default configuration
And configuration value "GroupEnable" is set to "true"
And configuration value "DefaultRole" is set to "subscriber"
And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2"
And configuration value "GroupAttr" is set to "cn"
And configuration value "GroupFilter" is set to "uniquemember=%dn%"
And configuration value "GroupOverUser" is set to "true"
And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "ldapuser@example.com" exists
And an LDAP group "ldapgroup1" exists
And an LDAP group "ldapgroup2" exists
And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
And LDAP user "ldapuser" logs in with password "P@ssw0rd"
And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
When LDAP user "ldapuser" logs in with password "P@ssw0rd"
Then the login suceeds
And the WordPress user "ldapuser" is member of role "editor"
And the WordPress user "ldapuser" is not member of role "administrator"
And the WordPress user "ldapuser" is not member of role "subscriber"
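Review bot: The scenario exercises a group swap but not the path the login code now takes when the user has been removed from every mapped LDAP group, which with `configuration value "GroupOverUser" is set to "true"` yields no role from group mapping at all. A second scenario that removes "ldapuser" from "ldapgroup1" without adding another group, then asserts which role the WordPress user ends up with (presumably the DefaultRole "subscriber" here), would pin that fallback so a later change cannot silently reinstate the stale "administrator" role. The step text `Then the login suceeds` matches an existing step definition, so its spelling should only change together with that definition.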


@ -2,7 +2,7 @@
Contributors: heiglandreas
Tags: ldap, auth, authentication, active directory, AD, openLDAP, Open Directory
Requires at least: 2.5.0
Tested up to: 6.4.0
Tested up to: 6.5.0
Requires PHP: 7.4
Stable tag: trunk
License: MIT
@ -46,6 +46,9 @@ In essence: Report a security vulnerability at https://github.com/heiglandreas/a
Please see https://github.com/heiglandreas/authLdap/blob/master/SECURITY.md for more details
== Changelog ==
= 2.6.2 =
* Fix issue with Groups not being updated on existing accounts (see https://github.com/heiglandreas/authLdap/issues/250 for details)
= 2.6.0 =


@ -1,13 +1,13 @@
<?php
declare(strict_types=1);
/**
* Copyright Andreas Heigl <andreas@heigl.org>
*
* Licensed under the MIT-license. For details see the included file LICENSE.md
*/
declare(strict_types=1);
namespace Org_Heigl\AuthLdap\Exception;
use RuntimeException;


@ -1,13 +1,13 @@
<?php
declare(strict_types=1);
/**
* Copyright Andreas Heigl <andreas@heigl.org>
*
* Licensed under the MIT-license. For details see the included file LICENSE.md
*/
declare(strict_types=1);
namespace Org_Heigl\AuthLdap;
use function json_decode;


@ -1,16 +1,17 @@
<?php
declare(strict_types=1);
/**
* Copyright Andreas Heigl <andreas@heigl.org>
*
* Licensed under the MIT-license. For details see the included file LICENSE.md
*/
declare(strict_types=1);
namespace Org_Heigl\AuthLdap;
use Org_Heigl\AuthLdap\Exception\UnknownOption;
use function array_key_exists;
class Options


@ -23,7 +23,7 @@ class UserRoleHandler
* @param string[] $roles
* @return void
*/
public function addRolesToUser(WP_User $user, $roles) : void
public function addRolesToUser(WP_User $user, $roles): void
{
if ($roles === []) {
return;


@ -101,7 +101,7 @@
</th>
<td>
<input type="text" name="authLDAPURI" id="authLDAPURI" placeholder="LDAP-URI"
class="regular-text" value="<?php echo $authLDAPURI; ?>"/>
class="regular-text" value="<?php echo esc_attr($authLDAPURI); ?>"/>
<p class="description">
The <abbr title="Uniform Ressource Identifier">URI</abbr>
for connecting to the LDAP-Server. This usualy takes the form
@ -139,7 +139,7 @@
</th>
<td>
<input type="text" name="authLDAPURISeparator" id="authLDAPURISeparator" placeholder="LDAP-URI Separator"
class="regular-text" value="<?php echo $authLDAPURISeparator; ?>"/>
class="regular-text" value="<?php echo esc_attr($authLDAPURISeparator); ?>"/>
<p class="description">
A separator that separates multiple LDAP-URIs from one another.
You can use that feature to try to authenticate against multiple LDAP-Servers
@ -152,7 +152,7 @@
<label for="authLDAPStartTLS" class="description">StartTLS</label>
</th>
<td>
<input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo $tStartTLSChecked; ?>/>
<input type="checkbox" name="authLDAPStartTLS" id="authLDAPStartTLS" value="1"<?php echo esc_attr($tStartTLSChecked); ?>/>
<p class="description">
Use StartTLS for encryption of ldap connections. This setting is not to be used in combination with ldaps connections (ldap:// only).
</p>
@ -163,7 +163,7 @@
</th>
<td>
<input type="text" name="authLDAPFilter" id="authLDAPFilter" placeholder="(uid=%s)"
class="regular-text" value="<?php echo $authLDAPFilter; ?>"/>
class="regular-text" value="<?php echo esc_attr($authLDAPFilter); ?>"/>
<p class="description">
Please provide a valid filter that can be used for querying the
<abbr title="Lightweight Directory Access Protocol">LDAP</abbr>
@ -190,7 +190,7 @@
<label for="authLDAPUseUserAccount">User-Read</label>
</th>
<td>
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo $tUserRead; ?>/><br />
<input type="checkbox" name="authLDAPUseUserAccount" id="authLDAPUseUserAccount" value="1"<?php echo esc_attr($tUserRead); ?>/><br />
<p class="description">
If checked the plugin will use the user's account to query their own information. If not it will use the admin account.
</p>
@ -203,7 +203,7 @@
</th>
<td>
<input type="text" name="authLDAPNameAttr" id="authLDAPNameAttr" placeholder="name"
class="regular-text" value="<?php echo $authLDAPNameAttr; ?>"/><br />
class="regular-text" value="<?php echo esc_attr($authLDAPNameAttr); ?>"/><br />
<p class="description">
Which Attribute from the LDAP contains the Full or the First name
of the user trying to log in.
@ -220,7 +220,7 @@
</th>
<td>
<input type="text" name="authLDAPSecName" id="authLDAPSecName" placeholder=""
class="regular-text" value="<?php echo $authLDAPSecName; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPSecName); ?>" />
<p class="description">
If the above Name-Attribute only contains the First Name of the
user you can here specify an Attribute that contains the second name.
@ -236,7 +236,7 @@
</th>
<td>
<input type="text" name="authLDAPUidAttr" id="authLDAPUidAttr" placeholder="uid"
class="regular-text" value="<?php echo $authLDAPUidAttr; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPUidAttr); ?>" />
<p class="description">
Please give the Attribute, that is used to identify the user. This
should be the same as you used in the above <em>Filter</em>-Option
@ -252,7 +252,7 @@
</th>
<td>
<input type="text" name="authLDAPMailAttr" id="authLDAPMailAttr" placeholder="mail"
class="regular-text" value="<?php echo $authLDAPMailAttr; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPMailAttr); ?>" />
<p class="description">
Which Attribute holds the eMail-Address of the user?
</p>
@ -270,7 +270,7 @@
</th>
<td>
<input type="text" name="authLDAPWebAttr" id="authLDAPWebAttr" placeholder=""
class="regular-text" value="<?php echo $authLDAPWebAttr; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPWebAttr); ?>" />
<p class="description">
If your users have a personal page (URI) stored in the LDAP, it can
be provided here.
@ -291,7 +291,7 @@
</option>
<?php foreach ($roles->get_names() as $group => $vals) : ?>
<option value="<?php echo $group; ?>" <?php echo ( $authLDAPDefaultRole == $group ? 'selected="selected"' : '' ); ?>>
<?php echo $vals; ?>
<?php echo esc_attr($vals); ?>
</option>
<?php endforeach; ?>
</select>
@ -317,7 +317,7 @@
<label for="authLDAPGroupOverUser">LDAP Groups override role of existing users?</label>
</th>
<td>
<input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo $tGroupOverUserChecked; ?>/>
<input type="checkbox" name="authLDAPGroupOverUser" id="authLDAPGroupOverUser" value="1"<?php echo esc_attr($tGroupOverUserChecked); ?>/>
<p class="description">
If role determined by LDAP Group differs from existing Wordpress User's role, use LDAP Group.
</p>
@ -329,7 +329,7 @@
</th>
<td>
<input type="text" name="authLDAPGroupBase" id="authLDAPGroupBase" placeholder=""
class="regular-text" value="<?php echo $authLDAPGroupBase; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPGroupBase); ?>" />
<p class="description">
This is the base dn to lookup groups.
</p>
@ -344,7 +344,7 @@
</th>
<td>
<input type="text" name="authLDAPGroupAttr" id="authLDAPGroupAttr" placeholder="gidNumber"
class="regular-text" value="<?php echo $authLDAPGroupAttr; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPGroupAttr); ?>" />
<p class="description">
This is the attribute that defines the Group-ID that can be matched
against the Groups defined further down
@ -360,7 +360,7 @@
</th>
<td>
<input type="text" name="authLDAPGroupSeparator" id="authLDAPGroupSeparator" placeholder=","
class="regular-text" value="<?php echo $authLDAPGroupSeparator; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPGroupSeparator); ?>" />
<p class="description">
This attribute defines the separator used for the Group-IDs listed in the
Groups defined further down. This is useful if the value of Group-Attribute
@ -378,7 +378,7 @@
<td>
<input type="text" name="authLDAPGroupFilter" id="authLDAPGroupFilter"
placeholder="(&amp;(objectClass=posixGroup)(memberUid=%s))"
class="regular-text" value="<?php echo $authLDAPGroupFilter; ?>" />
class="regular-text" value="<?php echo esc_attr($authLDAPGroupFilter); ?>" />
<p class="description">
Here you can add the filter for selecting groups for ther
currentlly logged in user
@ -416,12 +416,13 @@
<tr>
<th scope="row" style="width:auto; min-width: 200px;">
<label for="authLDAPGroups[<?php echo $group; ?>]">
<?php echo $vals; ?>
<?php echo esc_attr($vals); ?>
</label>
</th>
<td>
<input type="text" name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]"
value="<?php echo $aGroup; ?>" />
<textarea name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]" cols=60 rows=5><?php
echo esc_textarea($aGroup);
?></textarea>
</td>
</tr>
<?php endforeach; ?>
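Review bot: The escaping added in this template is incomplete: `$group` is still echoed raw into attribute values at `<option value="<?php echo $group; ?>"`, `<label for="authLDAPGroups[<?php echo $group; ?>]">` and the new `<textarea name="authLDAPGroups[<?php echo $group; ?>]" id="authLDAPGroups[<?php echo $group; ?>]"`, so those should use `esc_attr($group)` as well, even though role slugs come from `$roles->get_names()`. The two `<?php echo esc_attr($vals); ?>` calls sit in element text content rather than in an attribute, where `esc_html($vals)` is the matching WordPress helper. On the checkbox lines, `esc_attr($tStartTLSChecked)`, `esc_attr($tUserRead)` and `esc_attr($tGroupOverUserChecked)` are applied to what looks like a pre-built markup fragment (the variables are assigned outside the hunk): if it holds ` checked="checked"`, esc_attr entity-encodes the quotes, and deriving a boolean and emitting the attribute with WordPress's `checked()` helper would avoid escaping markup altogether.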


@ -0,0 +1 @@
<?php