From a9d04235accc4ba4e765c0f92c7c53614360ce25 Mon Sep 17 00:00:00 2001
From: hyung-hwan
Date: Fri, 2 Dec 2016 07:29:03 +0000
Subject: [PATCH] changed ldap_insider_attribute_name to ldap_insider_attribute_names fixed some permissions issues in file and code
---
 codepot/etc/codepot.ini.in | 5 +-
 codepot/etc/perl/Codepot/AccessHandler.pm | 37 ++++---
 codepot/src/codepot/controllers/code.php | 33 ++++---
 codepot/src/codepot/controllers/file.php | 34 ++++---
 codepot/src/codepot/models/ldaploginmodel.php | 99 ++++++++++---------
 codepot/src/config.php.in | 2 +-
 6 files changed, 120 insertions(+), 90 deletions(-)
diff --git a/codepot/etc/codepot.ini.in b/codepot/etc/codepot.ini.in
index 3be0c5b1..6eb07ffd 100644
--- a/codepot/etc/codepot.ini.in
+++ b/codepot/etc/codepot.ini.in
@@ -65,6 +65,9 @@ database_store_gmt = "yes"
 ; after having bound with ldap_admin_binddn and ldap_admin_password.
 ; The binddn found is used for subsequent binding for authentication.
 ; ldap_userid_format is unused in this mode.
+;
+; if you want to specify multiple attributes in ldap_insider_attribute_names
+; separate them with a space.
 ;------------------------------------------------------------------------------
 ldap_server_uri = "ldap://127.0.0.1:389"
 ldap_server_protocol_version = "3"
@@ -76,7 +79,7 @@ ldap_admin_password = "admin-password"
 ldap_userid_search_filter = "(uid=${userid})"
 ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
 ldap_mail_attribute_name = ""
-ldap_insider_attribute_name = ""
+ldap_insider_attribute_names = "mssfu30posixmemberof memberof"
 ldap_insider_attribute_value = ""
 ;------------------------------------------------------------------------------
diff --git a/codepot/etc/perl/Codepot/AccessHandler.pm b/codepot/etc/perl/Codepot/AccessHandler.pm
index e186db67..bfbc38a5 100644
--- a/codepot/etc/perl/Codepot/AccessHandler.pm
+++ b/codepot/etc/perl/Codepot/AccessHandler.pm
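Review bot: The new comment on ldap_insider_attribute_names explains the separator but not what the listed attributes are checked against, which is the part an operator has to get right; the shipped default now names `mssfu30posixmemberof memberof` while ldap_insider_attribute_value stays `""`, and in the matching code elsewhere in this patch (AccessHandler.pm and ldaploginmodel.php) the insider check is skipped entirely when either option is empty and otherwise compares each attribute's values case-insensitively against the configured value. I would add, right after the separator note, `; A user is treated as an insider when any of these attributes holds ldap_insider_attribute_value` and `; (compared case-insensitively). The check is skipped while either option is left empty.` so that the default is not mistaken for an active policy.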
@@ -65,7 +65,7 @@ sub get_config
  ldap_admin_password => $cfg->param ('ldap_admin_password'),
  ldap_userid_search_base => $cfg->param ('ldap_userid_search_base'),
  ldap_userid_search_filter => $cfg->param ('ldap_userid_search_filter'),
- ldap_insider_attribute_name => $cfg->param ('ldap_insider_attribute_name'),
+ ldap_insider_attribute_names => $cfg->param ('ldap_insider_attribute_names'),
  ldap_insider_attribute_value => $cfg->param ('ldap_insider_attribute_value'),
  database_hostname => $cfg->param ('database_hostname'),
@@ -159,23 +159,38 @@ sub authenticate_ldap
  }
  my $authenticated = 1;
- if ($cfg->{ldap_insider_attribute_name} ne '' && $cfg->{ldap_insider_attribute_value} ne '')
+ if ($cfg->{ldap_insider_attribute_names} ne '' && $cfg->{ldap_insider_attribute_value} ne '')
  {
- my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)';
- $res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, [ $cfg->{ldap_insider_attribute_name} ]);
- if ($res->code == LDAP_SUCCESS)
+ my $attr_str = $cfg->{ldap_insider_attribute_names};
+ $attr_str =~ s/^\s+|\s+$//g;
+ my @attrs = split (/\s+/, $attr_str);
+
+ if (scalar(@attrs) > 0)
  {
- foreach my $entry ($res->entries)
+ #my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)';
+ my $f_filter = '(objectClass=*)';
+
+ $res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, @attrs);
+ if ($res->code == LDAP_SUCCESS)
  {
- my @va = $entry->get_value($cfg->{ldap_insider_attribute_name});
- foreach my $v (@va)
+ search_loop:
+ foreach my $entry ($res->entries)
  {
- if (lc($v) eq lc($cfg->{ldap_insider_attribute_value}))
+ foreach my $a (@attrs)
  {
- $authenticated = 2;
- last;
+ my @va = $entry->get_value($a);
+ foreach my $v (@va)
+ {
+ if (lc($v) eq lc($cfg->{ldap_insider_attribute_value}))
+ {
+ $authenticated = 2;
+ last search_loop;
+ }
+ }
+ if ($authenticated >= 2) last;
  }
  }
+ $res->abandon();
  }
  }
  }
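Review bot: `if ($authenticated >= 2) last;` in the new inner loop of authenticate_ldap is not valid Perl — `if` requires a block — so this module will fail to compile as committed; the line is also dead, because a match already leaves all three loops via `last search_loop;`, so it should simply be deleted rather than rewritten. Separately, `$ldap->search (base => $binddn, scope => 'base', filter => $f_filter, @attrs)` passes the attribute names as bare trailing arguments into what Net::LDAP reads as a name/value option list, so as far as I can tell the list is misread as spurious options (and, with an odd count, an odd-number-of-elements warning) and the server returns every attribute rather than the requested ones; it should read `$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, attrs => \@attrs);`. The old `[ $cfg->{ldap_insider_attribute_name} ]` had the same omission, which is presumably why it went unnoticed. The enclosing authenticate_ldap sub starts and ends outside this hunk.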
diff --git a/codepot/src/codepot/controllers/code.php b/codepot/src/codepot/controllers/code.php
index eaf5bb10..82fa4c59 100644
--- a/codepot/src/codepot/controllers/code.php
+++ b/codepot/src/codepot/controllers/code.php
@@ -30,11 +30,18 @@ class Code extends Controller
  {
  $userid = $login['id'];
- if ($userid != '' && $login['sysadmin?']) return TRUE;
+ if ($userid != '')
+ {
+ if ($login['sysadmin?']) return TRUE;
+ if ($pm->projectHasMember($projectid, $userid)) return TRUE;
+ }
  if ($pm->projectIsPublic($projectid))
  {
- if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE;
+ if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0)
+ {
+ return TRUE;
+ }
  else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated') == 0)
  {
  if ($userid != '') return TRUE;
@@ -43,15 +50,10 @@ class Code extends Controller
  {
  if ($userid != '' && $login['insider?']) return TRUE;
  }
- else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
- {
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
- }
- }
- else
- {
- // non-public project.
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ //else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
+ //{
+ // if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ //}
  }
  return FALSE;
@@ -59,10 +61,13 @@ class Code extends Controller
  private function _can_write ($pm, $projectid, $login)
  {
- if ($login['sysadmin?']) return TRUE;
- $userid = $login['id'];
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ if ($userid != '')
+ {
+ if ($login['sysadmin?']) return TRUE;
+ if ($pm->projectHasMember($projectid, $userid)) return TRUE;
+ }
+ + return FALSE;
  }
diff --git a/codepot/src/codepot/controllers/file.php b/codepot/src/codepot/controllers/file.php
index 1a89d5e4..67976c25 100644
--- a/codepot/src/codepot/controllers/file.php
+++ b/codepot/src/codepot/controllers/file.php
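Review bot: The four `//else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)` lines added in the second hunk are commented-out code standing in for a branch that the new early member check at the top of _can_read already covers; left in an access-control function, such a block is easy to misread as still active or to resurrect without the early check. I would delete the four lines and keep a single explanatory comment in their place, e.g. `// 'member': project members were already granted access above, so a public project grants nothing further here`. That early check also means the three remaining READ_ACCESS branches now only ever decide the outcome for non-members, which the surrounding comments do not say. The start of _can_read lies outside the first hunk.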
@@ -22,12 +22,18 @@ class File extends Controller
  private function _can_read ($pm, $projectid, $login)
  {
  $userid = $login['id'];
-
- if ($userid != '' && $login['sysadmin?']) return TRUE;
+ if ($userid != '')
+ {
+ if ($login['sysadmin?']) return TRUE;
+ if ($pm->projectHasMember($projectid, $userid)) return TRUE;
+ }
  if ($pm->projectIsPublic($projectid))
  {
- if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE;
+ if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0)
+ {
+ return TRUE;
+ }
  else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated') == 0)
  {
  if ($userid != '') return TRUE;
@@ -36,15 +42,10 @@ class File extends Controller
  {
  if ($userid != '' && $login['insider?']) return TRUE;
  }
- else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
- {
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
- }
- }
- else
- {
- // non-public project.
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ //else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
+ //{
+ // if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ //}
  }
  return FALSE;
@@ -52,10 +53,13 @@ class File extends Controller
  private function _can_write ($pm, $projectid, $login)
  {
- if ($login['sysadmin?']) return TRUE;
- $userid = $login['id'];
- if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
+ if ($userid != '')
+ {
+ if ($login['sysadmin?']) return TRUE;
+ if ($pm->projectHasMember($projectid, $userid)) return TRUE;
+ }
+ + return FALSE;
  }
diff --git a/codepot/src/codepot/models/ldaploginmodel.php b/codepot/src/codepot/models/ldaploginmodel.php
index 39ec7c96..12e848c1 100644
--- a/codepot/src/codepot/models/ldaploginmodel.php
+++ b/codepot/src/codepot/models/ldaploginmodel.php
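Review bot: File::_can_write in the third hunk is now identical to Code::_can_write in code.php, and File::_can_read differs from its twin only in the constant it consults (`CODEPOT_FILE_READ_ACCESS` versus `CODEPOT_CODE_READ_ACCESS`); this commit had to apply the same policy edit in both files in lockstep, which is exactly how the two will next drift apart. I would lift the shared "sysadmin or project member" decision into one helper that both controllers call, leaving each _can_read with only its READ_ACCESS branches, as sketched below. One behavioural note for the first hunk: `$pm->projectHasMember($projectid, $userid)` is now consulted for every logged-in request before `projectIsPublic()`, whereas the old code only reached it for non-public projects or the 'member' setting — presumably acceptable, but it is an extra lookup per request.
```php
// Sysadmins and project members may always read and write a project.
private function _has_member_access ($pm, $projectid, $login)
{
	$userid = $login['id'];
	if ($userid == '') return FALSE;
	if ($login['sysadmin?']) return TRUE;
	return $pm->projectHasMember($projectid, $userid) ? TRUE : FALSE;
}

private function _can_read ($pm, $projectid, $login)
{
	if ($this->_has_member_access($pm, $projectid, $login)) return TRUE;
	$userid = $login['id'];
	// … unchanged: projectIsPublic() / CODEPOT_FILE_READ_ACCESS branches …
}

private function _can_write ($pm, $projectid, $login)
{
	return $this->_has_member_access($pm, $projectid, $login);
}
```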
@@ -88,8 +89,9 @@ class LdapLoginModel extends LoginModel
  $email = '';
  if (CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME != '')
  {
- $filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)';
- $r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME));
+ //$filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)';
+ $filter = '(objectClass=*)';
+ $r = @ldap_read ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME));
  if ($r !== FALSE)
  {
  $e = @ldap_get_entries($ldap, $r);
@@ -103,61 +104,66 @@ class LdapLoginModel extends LoginModel
  }
  $insider = FALSE;
- if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
+ if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
  {
- $filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)';
- $r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME));
- if ($r !== FALSE)
+ $attr_str = trim(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES);
+ $attrs = preg_split ("/[[:space:]]+/", $attr_str);
+
+ if (count($attrs) > 0)
  {
-
- /* SAMPLE LDAP RESULT
- array(2) {
- ["count"]=> int(1)
- [0]=>
- array(4) {
- ["mssfu30posixmemberof"]=>
- array(4) {
- ["count"]=>
- int(3)
- [0]=>
- string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
- [1]=>
- string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
- [2]=>
- string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
- }
- [0]=>
- string(20) "mssfu30posixmemberof"
- ["count"]=>
- int(1)
- ["dn"]=>
- string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
- }
- }
- */
- $e = @ldap_get_entries($ldap, $r);
- if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
+ $filter = '(objectClass=*)';
+ $r = @ldap_read ($ldap, $f_userid, $filter, $attrs);
+ if ($r !== FALSE)
  {
- for ($i = 0; $i < $ec; $i++)
+ /* SAMPLE LDAP RESULT
+ array(2) {
+ ["count"]=> int(1)
+ [0]=>
+ array(4) {
+ ["mssfu30posixmemberof"]=>
+ array(4) {
+ ["count"]=>
+ int(3)
+ [0]=>
+ string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
+ [1]=>
+ string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
+ [2]=>
+ string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
+ }
+ [0]=>
+ string(20) "mssfu30posixmemberof"
+ ["count"]=>
+ int(1)
+ ["dn"]=>
+ string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
+ }
+ }
+ */
+ $e = @ldap_get_entries($ldap, $r);
+ if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
  {
- if (array_key_exists($i, $e) &&
- array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, 
$e[$i]))
+ for ($i = 0; $i < $ec; $i++)
  {
- $va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME];
-
- if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
+ foreach ($attrs as $a)
  {
- for ($j = 0; $j < $vac; $j++)
+ if (array_key_exists($i, $e) && array_key_exists($a, $e[$i]))
  {
- if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
+ $va = $e[$i][$a];
+ if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
  {
- $insider = TRUE;
- break;
+ for ($j = 0; $j < $vac; $j++)
+ {
+ if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
+ {
+ $insider = TRUE;
+ break 3;
+ }
+ }
  }
  }
  }
  }
- if ($insider) break;
  }
  }
  }
@@ -165,9 +171,6 @@ class LdapLoginModel extends LoginModel
  //@ldap_unbind ($ldap);
  @ldap_close ($ldap);
-if ($insider) error_log ("$userid is insider");
-else error_log ("$userid is NOT insider");
- return parent::authenticate ($userid, $password, $email, $insider);
  }
diff --git a/codepot/src/config.php.in b/codepot/src/config.php.in
index 966ce4b8..4d2de76d 100644
--- a/codepot/src/config.php.in
+++ b/codepot/src/config.php.in
@@ -80,7 +80,7 @@ function load_ini ($file)
  array ('ldap_userid_search_filter', 'string', '(uid=${userid})'),
  array ('ldap_userid_search_base', 'string', ''),
  array ('ldap_mail_attribute_name', 'string', ''),
- array ('ldap_insider_attribute_name', 'string', ''),
+ array ('ldap_insider_attribute_names', 'string', ''),
  array ('ldap_insider_attribute_value', 'string', ''),
  array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'),
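Review bot: `array_key_exists($a, $e[$i])` looks each configured attribute name up verbatim, but ldap_get_entries() returns attribute names as lowercase keys — the sample dump kept in the comment shows exactly that with `["mssfu30posixmemberof"]` — so a name written as `memberOf` in ldap_insider_attribute_names never matches here and the user silently stays a non-insider, while the Perl handler in this same patch (Net::LDAP's get_value, which I believe is case-insensitive) would presumably accept it. Normalising once where the list is split fixes this, and LDAP attribute descriptors are case-insensitive on the wire so the lowercased names are fine to pass to ldap_read(): `$attrs = array_map('strtolower', preg_split ("/[[:space:]]+/", $attr_str));`. A second, smaller gap: when the option is all whitespace, `trim()` yields '' and preg_split() returns one empty string, so `count($attrs) > 0` does not skip the lookup the way the Perl side's split on an empty string does; `$attrs = array_filter(...)` or testing `$attr_str !== ''` closes it. The enclosing authenticate() method starts before this hunk and continues past it.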