changed ldap_insider_attribute_name to ldap_insider_attribute_names

fixed some permissions issues in file and code
hyung-hwan 2016-12-02 07:29:03 +00:00
parent 330cdb4996
commit a9d04235ac
6 changed files with 120 additions and 90 deletions


@ -65,6 +65,9 @@ database_store_gmt = "yes"
; after having bound with ldap_admin_binddn and ldap_admin_password. ; after having bound with ldap_admin_binddn and ldap_admin_password.
; The binddn found is used for subsequent binding for authentication. ; The binddn found is used for subsequent binding for authentication.
; ldap_userid_format is unused in this mode. ; ldap_userid_format is unused in this mode.
;
; if you want to specify multiple attributes in ldap_insider_attribute_names
; separate them with a space.
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
ldap_server_uri = "ldap://127.0.0.1:389" ldap_server_uri = "ldap://127.0.0.1:389"
ldap_server_protocol_version = "3" ldap_server_protocol_version = "3"
@ -76,7 +79,7 @@ ldap_admin_password = "admin-password"
ldap_userid_search_filter = "(uid=${userid})" ldap_userid_search_filter = "(uid=${userid})"
ldap_userid_search_base = "ou=users,dc=codepot,dc=org" ldap_userid_search_base = "ou=users,dc=codepot,dc=org"
ldap_mail_attribute_name = "" ldap_mail_attribute_name = ""
ldap_insider_attribute_name = "" ldap_insider_attribute_names = "mssfu30posixmemberof memberof"
ldap_insider_attribute_value = "" ldap_insider_attribute_value = ""
;------------------------------------------------------------------------------ ;------------------------------------------------------------------------------
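Review bot: The rename of `ldap_insider_attribute_name` to `ldap_insider_attribute_names` is not backward compatible, and the comment block added above does not say so: an existing codepot.ini that still uses the old key has it ignored, the new key falls back to the empty default from load_ini, and both authenticate paths then skip the insider check entirely because they require the names and the value to be non-empty. A note such as `; NOTE: this key replaces ldap_insider_attribute_name; update existing configuration files.` would save an upgrade surprise. It is also worth stating next to the example that the check only runs when both `ldap_insider_attribute_names` and `ldap_insider_attribute_value` are set, since the sample now ships a non-empty name list with an empty value.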


@ -65,7 +65,7 @@ sub get_config
ldap_admin_password => $cfg->param ('ldap_admin_password'), ldap_admin_password => $cfg->param ('ldap_admin_password'),
ldap_userid_search_base => $cfg->param ('ldap_userid_search_base'), ldap_userid_search_base => $cfg->param ('ldap_userid_search_base'),
ldap_userid_search_filter => $cfg->param ('ldap_userid_search_filter'), ldap_userid_search_filter => $cfg->param ('ldap_userid_search_filter'),
ldap_insider_attribute_name => $cfg->param ('ldap_insider_attribute_name'), ldap_insider_attribute_names => $cfg->param ('ldap_insider_attribute_names'),
ldap_insider_attribute_value => $cfg->param ('ldap_insider_attribute_value'), ldap_insider_attribute_value => $cfg->param ('ldap_insider_attribute_value'),
database_hostname => $cfg->param ('database_hostname'), database_hostname => $cfg->param ('database_hostname'),
@ -159,23 +159,38 @@ sub authenticate_ldap
} }
my $authenticated = 1; my $authenticated = 1;
if ($cfg->{ldap_insider_attribute_name} ne '' && $cfg->{ldap_insider_attribute_value} ne '') if ($cfg->{ldap_insider_attribute_names} ne '' && $cfg->{ldap_insider_attribute_value} ne '')
{ {
my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)'; my $attr_str = $cfg->{ldap_insider_attribute_names};
$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, [ $cfg->{ldap_insider_attribute_name} ]); $attr_str =~ s/^\s+|\s+$//g;
if ($res->code == LDAP_SUCCESS) my @attrs = split (/\s+/, $attr_str);
if (scalar(@attrs) > 0)
{ {
foreach my $entry ($res->entries) #my $f_filter = '(' . $cfg->{ldap_insider_attribute_name} . '=*)';
my $f_filter = '(objectClass=*)';
$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, @attrs);
if ($res->code == LDAP_SUCCESS)
{ {
my @va = $entry->get_value($cfg->{ldap_insider_attribute_name}); search_loop:
foreach my $v (@va) foreach my $entry ($res->entries)
{ {
if (lc($v) eq lc($cfg->{ldap_insider_attribute_value})) foreach my $a (@attrs)
{ {
$authenticated = 2; my @va = $entry->get_value($a);
last; foreach my $v (@va)
{
if (lc($v) eq lc($cfg->{ldap_insider_attribute_value}))
{
$authenticated = 2;
last search_loop;
}
}
if ($authenticated >= 2) last;
} }
} }
$res->abandon();
} }
} }
} }
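Review bot: The attribute list at the `$ldap->search` call is passed flat (`@attrs`) into what Net::LDAP reads as named options, so the names become key/value pairs (with an odd-element warning when only one name is configured) and the server returns every attribute of the entry instead of the requested ones; it should be `$res = $ldap->search (base => $binddn, scope => 'base', filter => $f_filter, attrs => \@attrs);`. The check still works only because `get_value` is applied afterwards, at the cost of fetching the full entry on every login. The rendered page does not show which side `if ($authenticated >= 2) last;` belongs to; if it survives on the new side it is both unreachable after `last search_loop` and not a valid Perl statement (`if` needs a block), so it should be dropped. The enclosing authenticate_ldap sub starts before this hunk.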


@ -30,11 +30,18 @@ class Code extends Controller
{ {
$userid = $login['id']; $userid = $login['id'];
if ($userid != '' && $login['sysadmin?']) return TRUE; if ($userid != '')
{
if ($login['sysadmin?']) return TRUE;
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
}
if ($pm->projectIsPublic($projectid)) if ($pm->projectIsPublic($projectid))
{ {
if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0) return TRUE; if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'anonymous') == 0)
{
return TRUE;
}
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated') == 0) else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'authenticated') == 0)
{ {
if ($userid != '') return TRUE; if ($userid != '') return TRUE;
@ -43,15 +50,10 @@ class Code extends Controller
{ {
if ($userid != '' && $login['insider?']) return TRUE; if ($userid != '' && $login['insider?']) return TRUE;
} }
else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0) //else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)
{ //{
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; // if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
} //}
}
else
{
// non-public project.
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
} }
return FALSE; return FALSE;
@ -59,10 +61,13 @@ class Code extends Controller
private function _can_write ($pm, $projectid, $login) private function _can_write ($pm, $projectid, $login)
{ {
if ($login['sysadmin?']) return TRUE;
$userid = $login['id']; $userid = $login['id'];
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; if ($userid != '')
{
if ($login['sysadmin?']) return TRUE;
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
}
return FALSE; return FALSE;
} }
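Review bot: The sysadmin/member block added at the top of `_can_read` and `_can_write` here is repeated verbatim in the File controller's `_can_read` and `_can_write` in this same commit, so the access rule now lives in four places and will drift again; it belongs in one shared private helper (a method both controllers can reach) that each `_can_*` calls first. The `member` branch of the public-project chain is commented out rather than deleted; members are already granted above, so delete the dead `//else if (strcasecmp(CODEPOT_CODE_READ_ACCESS, 'member') == 0)` lines instead of leaving them to suggest that mode still exists. Since `projectHasMember` is now queried for every authenticated read before the cheaper `projectIsPublic` test, a one-line comment such as `// sysadmins and members always read; the access modes below apply to everyone else` would make the ordering deliberate. The `_can_read` hunk starts mid-method.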


@ -22,12 +22,18 @@ class File extends Controller
private function _can_read ($pm, $projectid, $login) private function _can_read ($pm, $projectid, $login)
{ {
$userid = $login['id']; $userid = $login['id'];
if ($userid != '')
if ($userid != '' && $login['sysadmin?']) return TRUE; {
if ($login['sysadmin?']) return TRUE;
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
}
if ($pm->projectIsPublic($projectid)) if ($pm->projectIsPublic($projectid))
{ {
if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0) return TRUE; if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'anonymous') == 0)
{
return TRUE;
}
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated') == 0) else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'authenticated') == 0)
{ {
if ($userid != '') return TRUE; if ($userid != '') return TRUE;
@ -36,15 +42,10 @@ class File extends Controller
{ {
if ($userid != '' && $login['insider?']) return TRUE; if ($userid != '' && $login['insider?']) return TRUE;
} }
else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0) //else if (strcasecmp(CODEPOT_FILE_READ_ACCESS, 'member') == 0)
{ //{
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; // if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
} //}
}
else
{
// non-public project.
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE;
} }
return FALSE; return FALSE;
@ -52,10 +53,13 @@ class File extends Controller
private function _can_write ($pm, $projectid, $login) private function _can_write ($pm, $projectid, $login)
{ {
if ($login['sysadmin?']) return TRUE;
$userid = $login['id']; $userid = $login['id'];
if ($userid != '' && $pm->projectHasMember($projectid, $userid)) return TRUE; if ($userid != '')
{
if ($login['sysadmin?']) return TRUE;
if ($pm->projectHasMember($projectid, $userid)) return TRUE;
}
return FALSE; return FALSE;
} }


@ -88,8 +88,9 @@ class LdapLoginModel extends LoginModel
$email = ''; $email = '';
if (CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME != '') if (CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME != '')
{ {
$filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)'; //$filter = '(' . CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME . '=*)';
$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME)); $filter = '(objectClass=*)';
$r = @ldap_read ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_MAIL_ATTRIBUTE_NAME));
if ($r !== FALSE) if ($r !== FALSE)
{ {
$e = @ldap_get_entries($ldap, $r); $e = @ldap_get_entries($ldap, $r);
@ -103,61 +104,66 @@ class LdapLoginModel extends LoginModel
} }
$insider = FALSE; $insider = FALSE;
if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '') if (CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES != '' && CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE != '')
{ {
$filter = '(' . CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME . '=*)'; $attr_str = trim(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAMES);
$r = @ldap_search ($ldap, $f_userid, $filter, array(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME)); $attrs = preg_split ("/[[:space:]]+/", $attr_str);
if ($r !== FALSE)
if (count($attrs) > 0)
{ {
$filter = '(objectClass=*)';
/* SAMPLE LDAP RESULT $r = @ldap_read ($ldap, $f_userid, $filter, $attrs);
array(2) { if ($r !== FALSE)
["count"]=> int(1)
[0]=>
array(4) {
["mssfu30posixmemberof"]=>
array(4) {
["count"]=>
int(3)
[0]=>
string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
[1]=>
string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
[2]=>
string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
}
[0]=>
string(20) "mssfu30posixmemberof"
["count"]=>
int(1)
["dn"]=>
string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
}
}
*/
$e = @ldap_get_entries($ldap, $r);
if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
{ {
for ($i = 0; $i < $ec; $i++) /* SAMPLE LDAP RESULT
array(2) {
["count"]=> int(1)
[0]=>
array(4) {
["mssfu30posixmemberof"]=>
array(4) {
["count"]=>
int(3)
[0]=>
string(36) "CN=group01,OU=Groups,DC=abiyo,DC=net"
[1]=>
string(36) "CN=group02,OU=Groups,DC=abiyo,DC=net"
[2]=>
string(45) "CN=group03,OU=Groups,DC=abiyo,DC=net"
}
[0]=>
string(20) "mssfu30posixmemberof"
["count"]=>
int(1)
["dn"]=>
string(37) "CN=user01,CN=Users,DC=abiyo,DC=net"
}
}
*/
$e = @ldap_get_entries($ldap, $r);
if ($e !== FALSE && array_key_exists('count', $e) && ($ec = $e['count']) > 0)
{ {
if (array_key_exists($i, $e) && for ($i = 0; $i < $ec; $i++)
array_key_exists(CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME, $e[$i]))
{ {
$va = $e[$i][CODEPOT_LDAP_INSIDER_ATTRIBUTE_NAME]; foreach ($attrs as $a)
if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
{ {
for ($j = 0; $j < $vac; $j++) if (array_key_exists($i, $e) && array_key_exists($a, $e[$i]))
{ {
if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0) $va = $e[$i][$a];
if (array_key_exists('count', $va) && ($vac = $va['count']) > 0)
{ {
$insider = TRUE; for ($j = 0; $j < $vac; $j++)
break; {
if (strcasecmp($va[$j], CODEPOT_LDAP_INSIDER_ATTRIBUTE_VALUE) == 0)
{
$insider = TRUE;
break 3;
}
}
} }
} }
} }
} }
if ($insider) break;
} }
} }
} }
@ -165,9 +171,6 @@ class LdapLoginModel extends LoginModel
//@ldap_unbind ($ldap); //@ldap_unbind ($ldap);
@ldap_close ($ldap); @ldap_close ($ldap);
if ($insider) error_log ("$userid is insider");
else error_log ("$userid is NOT insider");
return parent::authenticate ($userid, $password, $email, $insider); return parent::authenticate ($userid, $password, $email, $insider);
} }
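Review bot: The configured attribute names are looked up in the `ldap_get_entries()` result as written (`array_key_exists($a, $e[$i])`), but `ldap_get_entries()` lowercases attribute names in its result, so a value such as `memberOf` in the configuration never matches and the user is silently treated as a non-insider. Lowercasing the list before use, and dropping empty pieces so a whitespace-only setting does not yield a single `''` attribute that passes `count($attrs) > 0`, fixes both: `$attrs = preg_split ("/[[:space:]]+/", strtolower($attr_str), -1, PREG_SPLIT_NO_EMPTY);`. `break 3;` already leaves the `$j`, `$attrs` and `$i` loops, so whichever side the following `if ($insider) break;` belongs to (the rendered page does not show it), on the new side it is either dead or, if it sits outside every loop, a fatal `break` outside loop context and should be removed. The `authenticate` method spans all three hunks and starts before the first one.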


@ -80,7 +80,7 @@ function load_ini ($file)
array ('ldap_userid_search_filter', 'string', '(uid=${userid})'), array ('ldap_userid_search_filter', 'string', '(uid=${userid})'),
array ('ldap_userid_search_base', 'string', ''), array ('ldap_userid_search_base', 'string', ''),
array ('ldap_mail_attribute_name', 'string', ''), array ('ldap_mail_attribute_name', 'string', ''),
array ('ldap_insider_attribute_name', 'string', ''), array ('ldap_insider_attribute_names', 'string', ''),
array ('ldap_insider_attribute_value', 'string', ''), array ('ldap_insider_attribute_value', 'string', ''),
array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'), array ('svnrepo_dir', 'string', CODEPOT_DEPOT_DIR.'/svnrepo'),