zep/kanboard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

看板初始化提交

Browse Source
This commit is contained in:
zephyr
2026-06-01 21:23:12 -07:00
commit 27411ebedc
1827 changed files with 192340 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
app/Core/Ldap/Client.php
+247
View File
@@ -0,0 +1,247 @@
<?php
namespace Kanboard\Core\Ldap;
use LogicException;
use Psr\Log\LoggerInterface;
/**
* LDAP Client
*
* @package ldap
* @author Frederic Guillot
*/
class Client
{
/**
* LDAP resource
*
* @access protected
* @var resource
*/
protected $ldap;
/**
* Logger instance
*
* @access private
* @var LoggerInterface
*/
private $logger;
/**
* Establish LDAP connection
*
* @static
* @access public
* @param string $username
* @param string $password
* @return Client
*/
public static function connect($username = null, $password = null)
{
$client = new static;
$client->open($client->getLdapServer());
$username = $username ?: $client->getLdapUsername();
$password = $password ?: $client->getLdapPassword();
if (empty($username) && empty($password)) {
$client->useAnonymousAuthentication();
} else {
$client->authenticate($username, $password);
}
return $client;
}
/**
* Get server connection
*
* @access public
* @return resource
*/
public function getConnection()
{
return $this->ldap;
}
/**
* Establish server connection
*
* @access public
*
* @param string $server LDAP server URI (ldap[s]://hostname:port) or hostname (deprecated)
* @param int $port LDAP port (deprecated)
* @param bool $tls Start TLS
* @param bool $verify Skip SSL certificate verification
* @return Client
* @throws ClientException
* @throws ConnectionException
*/
public function open($server, $port = LDAP_PORT, $tls = LDAP_START_TLS, $verify = LDAP_SSL_VERIFY)
{
if (! function_exists('ldap_connect')) {
throw new ClientException('LDAP: The PHP LDAP extension is required');
}
if (! $verify) {
putenv('LDAPTLS_REQCERT=never');
}
if (filter_var($server, FILTER_VALIDATE_URL) !== false) {
$this->ldap = @ldap_connect($server);
} else {
$this->ldap = @ldap_connect($server, $port);
}
if ($this->ldap === false) {
throw new ConnectionException('Malformed LDAP server hostname or LDAP server port');
}
ldap_set_option($this->ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($this->ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($this->ldap, LDAP_OPT_NETWORK_TIMEOUT, 1);
ldap_set_option($this->ldap, LDAP_OPT_TIMELIMIT, 1);
if ($tls && ! @ldap_start_tls($this->ldap)) {
throw new ConnectionException('Unable to start LDAP TLS (' . $this->getLdapError() . ')');
}
return $this;
}
/**
* Anonymous authentication
*
* @access public
* @throws ClientException
* @return boolean
*/
public function useAnonymousAuthentication()
{
if (! @ldap_bind($this->ldap)) {
$this->checkForServerConnectionError();
throw new ClientException('Unable to perform anonymous binding => '.$this->getLdapError());
}
return true;
}
/**
* Authentication with username/password
*
* @access public
* @throws ClientException
* @param string $bind_rdn
* @param string $bind_password
* @return boolean
*/
public function authenticate($bind_rdn, $bind_password)
{
if (! @ldap_bind($this->ldap, $bind_rdn, $bind_password)) {
$this->checkForServerConnectionError();
throw new ClientException('LDAP authentication failure for "'.$bind_rdn.'" => '.$this->getLdapError());
}
return true;
}
/**
* Get LDAP server name
*
* @access public
* @return string
*/
public function getLdapServer()
{
if (! LDAP_SERVER) {
throw new LogicException('LDAP server not configured, check the parameter LDAP_SERVER');
}
return LDAP_SERVER;
}
/**
* Get LDAP username (proxy auth)
*
* @access public
* @return string
*/
public function getLdapUsername()
{
return LDAP_USERNAME;
}
/**
* Get LDAP password (proxy auth)
*
* @access public
* @return string
*/
public function getLdapPassword()
{
return LDAP_PASSWORD;
}
/**
* Set logger
*
* @access public
* @param LoggerInterface $logger
* @return Client
*/
public function setLogger(LoggerInterface $logger)
{
$this->logger = $logger;
return $this;
}
/**
* Get logger
*
* @access public
* @return LoggerInterface
*/
public function getLogger()
{
return $this->logger;
}
/**
* Test if a logger is defined
*
* @access public
* @return boolean
*/
public function hasLogger()
{
return $this->logger !== null;
}
/**
* Raise ConnectionException if the application is not able to connect to LDAP server
*
* @access protected
* @throws ConnectionException
*/
protected function checkForServerConnectionError()
{
if (ldap_errno($this->ldap) === -1) {
throw new ConnectionException('Unable to connect to LDAP server (' . $this->getLdapError() . ')');
}
}
/**
* Get extended LDAP error message
*
* @return string
*/
protected function getLdapError()
{
ldap_get_option($this->ldap, LDAP_OPT_ERROR_STRING, $extendedErrorMessage);
$errorMessage = ldap_error($this->ldap);
$errorCode = ldap_errno($this->ldap);
return 'Code="'.$errorCode.'"; Error="'.$errorMessage.'"; ExtendedError="'.$extendedErrorMessage.'"';
}
}
app/Core/Ldap/ClientException.php
+15
View File
@@ -0,0 +1,15 @@
<?php
namespace Kanboard\Core\Ldap;
use Exception;
/**
* LDAP Client Exception
*
* @package ldap
* @author Frederic Guillot
*/
class ClientException extends Exception
{
}
app/Core/Ldap/ConnectionException.php
+15
View File
@@ -0,0 +1,15 @@
<?php
namespace Kanboard\Core\Ldap;
use Exception;
/**
* LDAP Connection Exception
*
* @package ldap
* @author Frederic Guillot
*/
class ConnectionException extends Exception
{
}
app/Core/Ldap/Entries.php
+63
View File
@@ -0,0 +1,63 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP Entries
*
* @package ldap
* @author Frederic Guillot
*/
class Entries
{
/**
* LDAP entries
*
* @access protected
* @var array
*/
protected $entries = array();
/**
* Constructor
*
* @access public
* @param array $entries
*/
public function __construct(array $entries)
{
$this->entries = $entries;
}
/**
* Get all entries
*
* @access public
* @return Entry[]
*/
public function getAll()
{
$entities = array();
if (! isset($this->entries['count'])) {
return $entities;
}
for ($i = 0; $i < $this->entries['count']; $i++) {
$entities[] = new Entry($this->entries[$i]);
}
return $entities;
}
/**
* Get first entry
*
* @access public
* @return Entry
*/
public function getFirstEntry()
{
return new Entry(isset($this->entries[0]) ? $this->entries[0] : array());
}
}
app/Core/Ldap/Entry.php
+99
View File
@@ -0,0 +1,99 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP Entry
*
* @package ldap
* @author Frederic Guillot
*/
class Entry
{
/**
* LDAP entry
*
* @access protected
* @var array
*/
protected $entry = array();
/**
* Constructor
*
* @access public
* @param array $entry
*/
public function __construct(array $entry)
{
$this->entry = $entry;
}
/**
* Get all attribute values
*
* @access public
* @param string $attribute
* @return string[]
*/
public function getAll($attribute)
{
$attributes = array();
if ($attribute === null) {
return $attributes;
}
if (! isset($this->entry[$attribute]['count'])) {
return $attributes;
}
for ($i = 0; $i < $this->entry[$attribute]['count']; $i++) {
$attributes[] = $this->entry[$attribute][$i];
}
return $attributes;
}
/**
* Get first attribute value
*
* @access public
* @param string $attribute
* @param string $default
* @return string
*/
public function getFirstValue($attribute, $default = '')
{
if ($attribute === null) {
return $default;
}
return isset($this->entry[$attribute][0]) ? $this->entry[$attribute][0] : $default;
}
/**
* Get entry distinguished name
*
* @access public
* @return string
*/
public function getDn()
{
return isset($this->entry['dn']) ? $this->entry['dn'] : '';
}
/**
* Return true if the given value exists in attribute list
*
* @access public
* @param string $attribute
* @param string $value
* @return boolean
*/
public function hasValue($attribute, $value)
{
$attributes = $this->getAll($attribute);
return in_array($value, $attributes);
}
}
app/Core/Ldap/Group.php
+130
View File
@@ -0,0 +1,130 @@
<?php
namespace Kanboard\Core\Ldap;
use LogicException;
use Kanboard\Group\LdapGroupProvider;
/**
* LDAP Group Finder
*
* @package ldap
* @author Frederic Guillot
*/
class Group
{
/**
* Query
*
* @access protected
* @var Query
*/
protected $query;
/**
* Constructor
*
* @access public
* @param Query $query
*/
public function __construct(Query $query)
{
$this->query = $query;
}
/**
* Get groups
*
* @static
* @access public
* @param Client $client
* @param string $query
* @return LdapGroupProvider[]
*/
public static function getGroups(Client $client, $query)
{
$self = new static(new Query($client));
return $self->find($query);
}
/**
* Find groups
*
* @access public
* @param string $query
* @return array
*/
public function find($query)
{
$this->query->execute($this->getBaseDn(), $query, $this->getAttributes());
$groups = array();
if ($this->query->hasResult()) {
$groups = $this->build();
}
return $groups;
}
/**
* Build groups list
*
* @access protected
* @return array
*/
protected function build()
{
$groups = array();
foreach ($this->query->getEntries()->getAll() as $entry) {
$groups[] = new LdapGroupProvider($entry->getDn(), $entry->getFirstValue($this->getAttributeName()));
}
return $groups;
}
/**
* Ge the list of attributes to fetch when reading the LDAP group entry
*
* Must returns array with index that start at 0 otherwise ldap_search returns a warning "Array initialization wrong"
*
* @access public
* @return array
*/
public function getAttributes()
{
return array_values(array_filter(array(
$this->getAttributeName(),
)));
}
/**
* Get LDAP group name attribute
*
* @access public
* @return string
*/
public function getAttributeName()
{
if (! LDAP_GROUP_ATTRIBUTE_NAME) {
throw new LogicException('LDAP full name attribute empty, check the parameter LDAP_GROUP_ATTRIBUTE_NAME');
}
return strtolower(LDAP_GROUP_ATTRIBUTE_NAME);
}
/**
* Get LDAP group base DN
*
* @access public
* @return string
*/
public function getBaseDn()
{
if (! LDAP_GROUP_BASE_DN) {
throw new LogicException('LDAP group base DN empty, check the parameter LDAP_GROUP_BASE_DN');
}
return LDAP_GROUP_BASE_DN;
}
}
app/Core/Ldap/Query.php
+98
View File
@@ -0,0 +1,98 @@
<?php
namespace Kanboard\Core\Ldap;
/**
* LDAP Query
*
* @package ldap
* @author Frederic Guillot
*/
class Query
{
/**
* LDAP client
*
* @access protected
* @var Client
*/
protected $client = null;
/**
* Query result
*
* @access protected
* @var array
*/
protected $entries = array();
/**
* Constructor
*
* @access public
* @param Client $client
*/
public function __construct(Client $client)
{
$this->client = $client;
}
/**
* Execute query
*
* @access public
* @param string $baseDn
* @param string $filter
* @param array $attributes
* @param integer $limit
* @return $this
*/
public function execute($baseDn, $filter, array $attributes, $limit = 0)
{
if (DEBUG && $this->client->hasLogger()) {
$this->client->getLogger()->debug('BaseDN='.$baseDn);
$this->client->getLogger()->debug('Filter='.$filter);
$this->client->getLogger()->debug('Attributes='.implode(', ', $attributes));
}
$sr = @ldap_search($this->client->getConnection(), $baseDn, $filter, $attributes, null, $limit);
if ($sr === false) {
return $this;
}
$entries = ldap_get_entries($this->client->getConnection(), $sr);
if ($entries === false || count($entries) === 0 || $entries['count'] == 0) {
return $this;
}
$this->entries = $entries;
if (DEBUG && $this->client->hasLogger()) {
$this->client->getLogger()->debug('NbEntries='.$entries['count']);
}
return $this;
}
/**
* Return true if the query returned a result
*
* @access public
* @return boolean
*/
public function hasResult()
{
return ! empty($this->entries);
}
/**
* Get LDAP Entries
*
* @access public
* @return Entries
*/
public function getEntries()
{
return new Entries($this->entries);
}
}
app/Core/Ldap/User.php
+366
View File
@@ -0,0 +1,366 @@
<?php
namespace Kanboard\Core\Ldap;
use LogicException;
use Kanboard\Core\Security\Role;
use Kanboard\User\LdapUserProvider;
/**
* LDAP User Finder
*
* @package ldap
* @author Frederic Guillot
*/
class User
{
/**
* Query
*
* @access protected
* @var Query
*/
protected $query;
/**
* LDAP Group object
*
* @access protected
* @var Group
*/
protected $group;
/**
* Constructor
*
* @access public
* @param Query $query
* @param Group $group
*/
public function __construct(Query $query, ?Group $group = null)
{
$this->query = $query;
$this->group = $group;
}
/**
* Get user profile
*
* @static
* @access public
* @param Client $client
* @param string $username
* @return LdapUserProvider
*/
public static function getUser(Client $client, $username)
{
$self = new static(new Query($client), new Group(new Query($client)));
return $self->find($self->getLdapUserPattern($username));
}
/**
* Find user
*
* @access public
* @param string $query
* @return LdapUserProvider
*/
public function find($query)
{
$this->query->execute($this->getBaseDn(), $query, $this->getAttributes());
$user = null;
if ($this->query->hasResult()) {
$user = $this->build();
}
return $user;
}
/**
* Get user groupIds (DN)
*
* 1) If configured, use memberUid and posixGroup
* 2) Otherwise, use memberOf
*
* @access protected
* @param Entry $entry
* @return string[]
*/
protected function getGroups(Entry $entry)
{
$userattr = '';
if ('username' == $this->getGroupUserAttribute()) {
$userattr = $entry->getFirstValue($this->getAttributeUsername());
} elseif ('dn' == $this->getGroupUserAttribute()) {
$userattr = $entry->getDn();
}
$groupIds = array();
if (! empty($userattr) && $this->group !== null && $this->hasGroupUserFilter()) {
$escapedUserAttribute = ldap_escape($userattr, '', LDAP_ESCAPE_FILTER);
$groups = $this->group->find(sprintf($this->getGroupUserFilter(), $escapedUserAttribute));
foreach ($groups as $group) {
$groupIds[] = $group->getExternalId();
}
} else {
$groupIds = $entry->getAll($this->getAttributeGroup());
}
return $groupIds;
}
/**
* Get role from LDAP groups
*
* Note: Do not touch the current role if groups are not configured
*
* @access protected
* @param string[] $groupIds
* @return string
*/
protected function getRole(array $groupIds)
{
if (! $this->hasGroupsConfigured()) {
return null;
}
if (LDAP_USER_DEFAULT_ROLE_MANAGER) {
$role = Role::APP_MANAGER;
} else {
$role = Role::APP_USER;
}
foreach ($groupIds as $groupId) {
$groupId = strtolower($groupId);
if ($groupId === strtolower($this->getGroupAdminDn())) {
$role = Role::APP_ADMIN;
break;
}
if ($groupId === strtolower($this->getGroupManagerDn())) {
$role = Role::APP_MANAGER;
}
}
return $role;
}
/**
* Build user profile
*
* @access protected
* @return LdapUserProvider
*/
protected function build()
{
$entry = $this->query->getEntries()->getFirstEntry();
$groupIds = $this->getGroups($entry);
return new LdapUserProvider(
$entry->getDn(),
$entry->getFirstValue($this->getAttributeUsername()),
$entry->getFirstValue($this->getAttributeName()),
$entry->getFirstValue($this->getAttributeEmail()),
$this->getRole($groupIds),
$groupIds,
$entry->getFirstValue($this->getAttributePhoto()),
$entry->getFirstValue($this->getAttributeLanguage())
);
}
/**
* Ge the list of attributes to fetch when reading the LDAP user entry
*
* Must returns array with index that start at 0 otherwise ldap_search returns a warning "Array initialization wrong"
*
* @access public
* @return array
*/
public function getAttributes()
{
return array_values(array_filter(array(
$this->getAttributeUsername(),
$this->getAttributeName(),
$this->getAttributeEmail(),
$this->getAttributeGroup(),
$this->getAttributePhoto(),
$this->getAttributeLanguage(),
)));
}
/**
* Get LDAP account id attribute
*
* @access public
* @return string
*/
public function getAttributeUsername()
{
if (! LDAP_USER_ATTRIBUTE_USERNAME) {
throw new LogicException('LDAP username attribute empty, check the parameter LDAP_USER_ATTRIBUTE_USERNAME');
}
return strtolower(LDAP_USER_ATTRIBUTE_USERNAME);
}
/**
* Get LDAP user name attribute
*
* @access public
* @return string
*/
public function getAttributeName()
{
if (! LDAP_USER_ATTRIBUTE_FULLNAME) {
throw new LogicException('LDAP full name attribute empty, check the parameter LDAP_USER_ATTRIBUTE_FULLNAME');
}
return strtolower(LDAP_USER_ATTRIBUTE_FULLNAME);
}
/**
* Get LDAP account email attribute
*
* @access public
* @return string
*/
public function getAttributeEmail()
{
if (! LDAP_USER_ATTRIBUTE_EMAIL) {
throw new LogicException('LDAP email attribute empty, check the parameter LDAP_USER_ATTRIBUTE_EMAIL');
}
return strtolower(LDAP_USER_ATTRIBUTE_EMAIL);
}
/**
* Get LDAP account memberOf attribute
*
* @access public
* @return string
*/
public function getAttributeGroup()
{
return strtolower(LDAP_USER_ATTRIBUTE_GROUPS);
}
/**
* Get LDAP profile photo attribute
*
* @access public
* @return string
*/
public function getAttributePhoto()
{
return strtolower(LDAP_USER_ATTRIBUTE_PHOTO);
}
/**
* Get LDAP language attribute
*
* @access public
* @return string
*/
public function getAttributeLanguage()
{
return strtolower(LDAP_USER_ATTRIBUTE_LANGUAGE);
}
/**
* Get LDAP Group User filter
*
* @access public
* @return string
*/
public function getGroupUserFilter()
{
return LDAP_GROUP_USER_FILTER;
}
/**
* Get LDAP Group User attribute
*
* @access public
* @return string
*/
public function getGroupUserAttribute()
{
return LDAP_GROUP_USER_ATTRIBUTE;
}
/**
* Return true if LDAP Group User filter is defined
*
* @access public
* @return string
*/
public function hasGroupUserFilter()
{
return $this->getGroupUserFilter() !== '' && $this->getGroupUserFilter() !== null;
}
/**
* Return true if LDAP Group mapping are configured
*
* @access public
* @return boolean
*/
public function hasGroupsConfigured()
{
return $this->getGroupAdminDn() || $this->getGroupManagerDn();
}
/**
* Get LDAP admin group DN
*
* @access public
* @return string
*/
public function getGroupAdminDn(): string
{
return strtolower(LDAP_GROUP_ADMIN_DN);
}
/**
* Get LDAP application manager group DN
*
* @access public
* @return string
*/
public function getGroupManagerDn(): string
{
return LDAP_GROUP_MANAGER_DN;
}
/**
* Get LDAP user base DN
*
* @access public
* @return string
*/
public function getBaseDn()
{
return LDAP_USER_BASE_DN;
}
/**
* Get LDAP user pattern
*
* @access public
* @param string $username
* @param string $filter
* @return string
*/
public function getLdapUserPattern($username, $filter = LDAP_USER_FILTER)
{
if (! $filter) {
throw new LogicException('LDAP user filter is not configured. Please set the LDAP_USER_FILTER parameter in your configuration file');
}
$escapedUsername = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
return str_replace('%s', $escapedUsername, $filter);
}
}