From c54a8b9609a554c20cb7d32292a74655d2fd3c23 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Wed, 22 Feb 2023 14:19:24 +0100 Subject: [PATCH 01/11] Bump ldap-module --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index a12308a..9a206da 100644 --- a/composer.json +++ b/composer.json @@ -46,7 +46,7 @@ "simplesamlphp/assert": "^1.0", "simplesamlphp/composer-module-installer": "^1.3.2", "simplesamlphp/simplesamlphp": "dev-master", - "simplesamlphp/simplesamlphp-module-ldap": "^1.2", + "simplesamlphp/simplesamlphp-module-ldap": "^2.1.2" "symfony/http-foundation": "^6.0" }, "require-dev": { From e65b92bda2f37295b5f9faf636e24ec5bdc5a5f6 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Wed, 22 Feb 2023 16:48:34 +0100 Subject: [PATCH 02/11] First rough migration to ldapv2 --- src/Auth/Source/X509userCert.php | 129 ++++++++++++++++++++++--------- 1 file changed, 92 insertions(+), 37 deletions(-) diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index 13730f2..2a4b4b4 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php 
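Review bot: The new line `"simplesamlphp/simplesamlphp-module-ldap": "^2.1.2"` drops the trailing comma that the removed line carried, so `composer.json` is no longer valid JSON (`"symfony/http-foundation"` follows on the next line with no separator) and composer will refuse to parse it. The line should read `"simplesamlphp/simplesamlphp-module-ldap": "^2.1.2",`.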
@@ -5,13 +5,27 @@ namespace SimpleSAML\Module\authX509\Auth\Source; use Exception; +use SimpleSAML\Assert\Assert; use SimpleSAML\Auth; use SimpleSAML\Configuration; use SimpleSAML\Error; use SimpleSAML\Logger; -use SimpleSAML\Module\ldap\ConfigHelper; +use SimpleSAML\Module\ldap\ConnectorFactory; +use SimpleSAML\Module\ldap\ConnectorInterface; use SimpleSAML\Utils; use SimpleSAML\XHTML\Template; +use Symfony\Component\Ldap\Entry; +use Symfony\Component\Ldap\Security\LdapUserProvider; +use Symfony\Component\Security\Core\Exception\UserNotFoundException; + +use function array_key_exists; +use function array_fill_keys; +use function array_merge; +use function array_values; +use function current; +use function openssl_x509_parse; +use function sprintf; +use function str_replace; /** * This class implements x509 certificate authentication with certificate validation against an LDAP directory. @@ -19,20 +33,28 @@ * @package SimpleSAMLphp */ -class X509userCert extends \SimpleSAML\Auth\Source +class X509userCert extends Auth\Source { + /** @var \SimpleSAML\Module\ldap\ConnectorInterface */ + protected ConnectorInterface $connector; + /** - * x509 attributes to use from the certificate for searching the user in the LDAP directory. - * @var array + * The ldap-authsource to use + * @var string */ - private array $x509attributes = ['UID' => 'uid']; + private string $backend; /** - * A pattern from configuration to construct a ldap dn from a username - * @var string|null + * The ldap-authsource config to use + * @var \SimpleSAML\Configuration */ - private ?string $dnpattern; + private Configuration $ldapConfig; + /** + * x509 attributes to use from the certificate for searching the user in the LDAP directory. + * @var array + */ + private array $x509attributes = ['UID' => 'uid']; /** * LDAP attribute containing the user certificate. 
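Review bot: `use function str_replace;` is added to the import list although this same patch removes the only caller (the `dnpattern` branch in authenticate()), so it is dead on arrival; drop it. While touching the docblocks, the `@var array` on `$x509attributes` would be more useful as `@var array<string, string>`, since the constructor assigns it from config and the lookup loop iterates it as an x509-subject-field to LDAP-attribute map. The new `$connector` property is `protected` while every sibling property is `private`; unless subclasses are meant to reach it, `private` keeps the class consistent. The class body continues past the end of the hunk.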
@@ -42,12 +64,6 @@ class X509userCert extends \SimpleSAML\Auth\Source private ?array $ldapusercert = ['userCertificate;binary']; - /** - * @var \SimpleSAML\Module\ldap\ConfigHelper - */ - private ConfigHelper $ldapcf; - - /** * Constructor for this authentication source. * @@ -58,6 +74,8 @@ class X509userCert extends \SimpleSAML\Auth\Source */ public function __construct(array $info, array &$config) { + parent::__construct($info, $config); + if (isset($config['authX509:x509attributes'])) { $this->x509attributes = $config['authX509:x509attributes']; } @@ -66,16 +84,25 @@ public function __construct(array $info, array &$config) $this->ldapusercert = $config['authX509:ldapusercert']; } - if (isset($config['dnpattern'])) { - $this->dnpattern = $config['dnpattern']; + Assert::keyExists($config, 'backend'); + $this->backend = $config['backend']; + + // Get the authsources file, which should contain the backend-config + $authSources = Configuration::getConfig('authsources.php'); + + // Verify that the authsource config exists + if (!$authSources->hasValue($this->backend)) { + throw new Error\Exception( + sprintf('Authsource [%s] not found in authsources.php', $this->backend) + ); } - parent::__construct($info, $config); + // Get just the specified authsource config values + $this->ldapConfig = $authSources->getConfigItem($this->backend); + $type = current($this->ldapConfig->toArray()); + Assert::oneOf($type, ['ldap:Ldap']); - $this->ldapcf = new ConfigHelper( - $config, - 'Authentication source ' . var_export($this->authId, true) - ); + $this->connector = ConnectorFactory::fromAuthSource($this->backend); } @@ -120,8 +147,6 @@ public function authFailed(&$state): void */ public function authenticate(array &$state): void { - $ldapcf = $this->ldapcf; - if ( !isset($_SERVER['SSL_CLIENT_CERT']) || ($_SERVER['SSL_CLIENT_CERT'] == '') 
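Review bot: The constructor now requires `backend` but silently ignores a `dnpattern` key that configurations written before this patch may still set (the property and its branch are removed here), so an operator who upgrades keeps a stale setting and gets a search-based lookup they did not configure; fail loudly next to the existing `Assert::keyExists`, e.g. `Assert::keyNotExists($config, 'dnpattern', 'dnpattern is no longer supported; configure an ldap:Ldap backend instead');`. `$this->connector = ConnectorFactory::fromAuthSource($this->backend);` is assigned but nothing in this patch reads it — findUserByAttribute() builds its own connector — so either use the property there or drop it. `$type = current($this->ldapConfig->toArray());` assumes the backend's type string is the first array element, which is the authsources.php convention but deserves a one-line comment. `__construct` ends inside the hunk; the following `authenticate()` hunk on this line only removes the local `$ldapcf`.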
@@ -142,25 +167,21 @@ public function authenticate(array &$state): void throw new Exception("Should never be reached"); } - $dn = null; - foreach ($this->x509attributes as $x509_attr => $ldap_attr) { + $entry = $dn = null; + foreach ($this->x509attributes as $x509_attr => $attr) { // value is scalar if (array_key_exists($x509_attr, $client_cert_data['subject'])) { $value = $client_cert_data['subject'][$x509_attr]; Logger::info('authX509: cert ' . $x509_attr . ' = ' . $value); - - if (isset($this->dnpattern)) { - $dn = str_replace('%username%', $value, $this->dnpattern); - } else { - $dn = $ldapcf->searchfordn($ldap_attr, $value, true); - } - if ($dn !== null) { + $entry = $this->findUserByAttribute($attr, $value); + if ($entry !== null) { + $dn = $attr; break; } } } - if ($dn === null) { + if ($entry === null) { Logger::error('authX509: cert has no matching user in LDAP.'); $state['authX509.error'] = "UNKNOWNCERT"; $this->authFailed($state); @@ -170,7 +191,10 @@ public function authenticate(array &$state): void if ($this->ldapusercert === null) { // do not check for certificate match - $attributes = $ldapcf->getAttributes($dn); + $attributes = array_intersect_key( + $entry->getAttributes(), + array_fill_keys(array_values($this->x509attributes), null), + ); $state['Attributes'] = $attributes; $this->authSuccesful($state); @@ -178,8 +202,7 @@ public function authenticate(array &$state): void throw new Exception("Should never be reached"); } - $ldap_certs = $ldapcf->getAttributes($dn, $this->ldapusercert); - + $ldap_certs = array_map([$entry, 'getAttribute'], $this->ldapusercert); if (empty($ldap_certs)) { Logger::error('authX509: no certificate found in LDAP for dn=' . $dn); $state['authX509.error'] = "UNKNOWNCERT"; 
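Review bot: `$dn = $attr;` stores the LDAP attribute name rather than the matched entry's DN, so the later `Logger::error('authX509: no certificate found in LDAP for dn=' . $dn)` logs something like `dn=uid` and the audit trail no longer records which entry was matched; use `$dn = $entry->getDn();`. In the last hunk `array_map([$entry, 'getAttribute'], $this->ldapusercert)` yields a list keyed 0..n-1, while the merge loop further down indexes it by attribute name (visible as context in a later patch), so the certificates should be collected keyed by `$attr` here. The new `array_intersect_key(...)` also changes what reaches `$state['Attributes']`: only the attributes named as values of `x509attributes` are released, whereas the removed `getAttributes($dn)` presumably returned the backend's configured attribute set — if that narrowing is intended it needs a comment, otherwise the backend's attribute configuration should drive it. authenticate() continues outside the hunk.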
@@ -205,7 +228,10 @@ public function authenticate(array &$state): void } if ($ldap_cert_data === $client_cert_data) { - $attributes = $ldapcf->getAttributes($dn); + $attributes = array_intersect_key( + $entry->getAttributes(), + array_fill_keys(array_values($this->x509attributes), null) + ); $state['Attributes'] = $attributes; $this->authSuccesful($state); @@ -234,4 +260,33 @@ public function authSuccesful(array &$state): void throw new Exception("Should never be reached"); } + + + /** + * Find user in LDAP-store + * + * @param string $attr + * @param string $value + * @return \Symfony\Component\Ldap\Entry|null + */ + public function findUserByAttribute(string $attr, string $value): ?Entry + { + $searchBase = $this->ldapConfig->getString('search.base'); + + $searchUsername = $this->ldapConfig->getString('search.username'); + Assert::notWhitespaceOnly($searchUsername); + + $searchPassword = $this->ldapConfig->getOptionalString('search.password', null); + Assert::nullOrnotWhitespaceOnly($searchPassword); + + $ldap = ConnectorFactory::fromAuthSource($this->backend); + $ldapUserProvider = new LdapUserProvider($ldap, $searchBase, $searchUsername, $searchPassword, [], $attr); + + try { + return $ldapUserProvider->loadUserByIdentifier($value)->getEntry(); + } catch (UserNotFoundException $e) { + // We haven't found the user + return null; + } + } } From 2582691f1b3c80c578a75224de878a3c86bac379 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Thu, 16 Mar 2023 23:15:00 +0100 Subject: [PATCH 03/11] Bump nosborn --- .github/workflows/documentation.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 779d2bd..353483c 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml 
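Review bot: `findUserByAttribute()` is `public`, which makes an LDAP lookup keyed by an arbitrary attribute part of the authsource's API even though only authenticate() needs it; `private` (or `protected`) is the safer default. It also calls `ConnectorFactory::fromAuthSource($this->backend)` on every invocation although the constructor already stores the same connector in `$this->connector`, and it hands that module connector to `LdapUserProvider`, which expects Symfony's `LdapInterface` — unless `ConnectorInterface` implements it, this fails at runtime. `search.base` is read with `getString()` while, as far as I can tell, the ldap module's authsource config takes a list of base DNs, so a multi-base backend will throw here. `$e` in `catch (UserNotFoundException $e)` is unused; PHP 8 allows `catch (UserNotFoundException)`, and the method name on the assertion should be `Assert::nullOrNotWhitespaceOnly` for readability even if the magic prefix resolves the lowercase form.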
@@ -1,12 +1,14 @@ +--- + name: Documentation on: push: - branches: [ master, simplesamlphp-* ] + branches: [master, simplesamlphp-*] paths: - '**.md' pull_request: - branches: [ master, simplesamlphp-* ] + branches: [master, simplesamlphp-*] paths: - '**.md' workflow_dispatch: @@ -20,7 +22,7 @@ jobs: - uses: actions/checkout@v4 - name: Lint markdown files - uses: nosborn/github-action-markdown-cli@v3.1.0 + uses: nosborn/github-action-markdown-cli@v3.2.0 with: files: . ignore_path: .markdownlintignore From 188d62867e7621fdfee0b6d470ddc66fb2fb797b Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sat, 18 Mar 2023 12:08:12 +0100 Subject: [PATCH 04/11] Lock conversations of closed issues/prs after 90 days of inactivity --- .github/workflows/documentation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 353483c..0b3dd38 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -22,7 +22,7 @@ jobs: - uses: actions/checkout@v4 - name: Lint markdown files - uses: nosborn/github-action-markdown-cli@v3.2.0 + uses: nosborn/github-action-markdown-cli@v3 with: files: . ignore_path: .markdownlintignore From e9ba41f4fc8dcd2733867ecc2ef16025403b6409 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Thu, 8 Feb 2024 13:35:38 +0100 Subject: [PATCH 05/11] Fix composer file --- composer.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/composer.json b/composer.json index 9a206da..5748505 100644 --- a/composer.json +++ b/composer.json @@ -46,7 +46,7 @@ "simplesamlphp/assert": "^1.0", "simplesamlphp/composer-module-installer": "^1.3.2", "simplesamlphp/simplesamlphp": "dev-master", - "simplesamlphp/simplesamlphp-module-ldap": "^2.1.2" + "simplesamlphp/simplesamlphp-module-ldap": "^2.1.2", "symfony/http-foundation": "^6.0" }, "require-dev": { From 876139b2951fdffb70ad121ff4340be241ffdf72 Mon Sep 17 00:00:00 2001 
From: Tim van Dijen Date: Sun, 7 Apr 2024 16:02:52 +0200 Subject: [PATCH 06/11] Fix reported issues --- composer.json | 3 ++- src/Auth/Source/X509userCert.php | 18 +++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/composer.json b/composer.json index 3d17042..08f23e9 100644 --- a/composer.json +++ b/composer.json @@ -47,7 +47,8 @@ "simplesamlphp/composer-module-installer": "^1.3.2", "simplesamlphp/simplesamlphp": "^2.2", "simplesamlphp/simplesamlphp-module-ldap": "^2.2", - "symfony/http-foundation": "^6.4" + "symfony/http-foundation": "^6.4", + "symfony/security-bundle": "^6.4" }, "require-dev": { "simplesamlphp/simplesamlphp-test-framework": "^1.6.0" diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index 2a4b4b4..431051e 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -271,7 +271,7 @@ public function authSuccesful(array &$state): void */ public function findUserByAttribute(string $attr, string $value): ?Entry { - $searchBase = $this->ldapConfig->getString('search.base'); + $searchBase = $this->ldapConfig->getArray('search.base'); $searchUsername = $this->ldapConfig->getString('search.username'); Assert::notWhitespaceOnly($searchUsername); 
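Review bot: `"symfony/security-bundle": "^6.4"` pulls the whole security bundle and its framework dependencies into a SimpleSAMLphp module when the source only references `UserNotFoundException`, which lives in `symfony/security-core`, plus `LdapUserProvider`/`Entry` from `symfony/ldap`; requiring those two packages directly keeps the dependency footprint, and the code that ends up deployable, small. Suggested lines: `"symfony/ldap": "^6.4",` and `"symfony/security-core": "^6.4"`.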
@@ -280,13 +280,17 @@ public function findUserByAttribute(string $attr, string $value): ?Entry Assert::nullOrnotWhitespaceOnly($searchPassword); $ldap = ConnectorFactory::fromAuthSource($this->backend); - $ldapUserProvider = new LdapUserProvider($ldap, $searchBase, $searchUsername, $searchPassword, [], $attr); - try { - return $ldapUserProvider->loadUserByIdentifier($value)->getEntry(); - } catch (UserNotFoundException $e) { - // We haven't found the user - return null; + foreach ($searchBase as $base) { + $ldapUserProvider = new LdapUserProvider($ldap, $base, $searchUsername, $searchPassword, [], $attr); + try { + return $ldapUserProvider->loadUserByIdentifier($value)->getEntry(); + } catch (UserNotFoundException $e) { + continue; + } } + + // We haven't found the user + return null; } } From 7e700e5e847099f18ff14c1fa49a2af4c952a2f8 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sun, 7 Apr 2024 16:09:39 +0200 Subject: [PATCH 07/11] Fix unit tests --- .github/workflows/php.yml | 12 ++++----- composer.json | 2 +- psalm-dev.xml | 27 +++++++++++++++++++ src/Auth/Source/X509userCert.php | 3 +-- ...ExpiryWarningTest.php => AuthX509Test.php} | 0 tools/composer-require-checker.json | 5 +++- 6 files changed, 39 insertions(+), 10 deletions(-) create mode 100644 psalm-dev.xml rename tests/src/Controller/{ExpiryWarningTest.php => AuthX509Test.php} (100%) diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml index b726c78..3ab3f7d 100644 --- a/.github/workflows/php.yml +++ b/.github/workflows/php.yml 
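Review bot: The new `foreach ($searchBase as $base)` returns the first entry found and treats every `UserNotFoundException` as "try the next base", which masks ambiguity: as far as I recall Symfony's `LdapUserProvider` also throws `UserNotFoundException` when a search matches more than one entry, so a duplicate identifier within one base is silently skipped in favour of a later base, and a duplicate across bases is resolved by base order instead of being rejected. For an authentication decision it is safer to collect matches across all bases and fail closed when there is more than one. `$e` in `catch (UserNotFoundException $e)` is unused and can be written `catch (UserNotFoundException)`. The `$ldap = ConnectorFactory::fromAuthSource($this->backend);` context line above the loop still duplicates the connector the constructor stored in `$this->connector`.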
@@ -55,7 +55,7 @@ jobs: php-version: '8.3' tools: composer, composer-require-checker, composer-unused, phpcs, psalm # optional performance gain for psalm: opcache - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, opcache, openssl, pcre, spl, xml + extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, opcache, openssl, pcre, spl, xml - name: Setup problem matchers for PHP run: echo "::add-matcher::${{ runner.tool_cache }}/php.json" @@ -119,7 +119,7 @@ jobs: with: # Should be the lowest supported version php-version: '8.1' - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, spl, xml + extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, openssl, pcre, spl, xml tools: composer coverage: none @@ -166,7 +166,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php-versions }} - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, spl, xml + extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, openssl, pcre, spl, xml tools: composer ini-values: error_reporting=E_ALL coverage: pcov @@ -228,7 +228,7 @@ jobs: uses: shivammathur/setup-php@v2 with: php-version: ${{ matrix.php-versions }} - extensions: ctype, date, dom, fileinfo, filter, hash, intl, mbstring, openssl, pcre, spl, xml + extensions: ctype, date, dom, fileinfo, filter, hash, intl, ldap, mbstring, openssl, pcre, spl, xml tools: composer ini-values: error_reporting=E_ALL coverage: none @@ -287,8 +287,8 @@ jobs: runs-on: [ubuntu-latest] if: | always() && - needs.coverage.result == 'success' && - (needs.unit-tests-linux == 'success' || needs.coverage == 'skipped') + needs.coverage.result == 'success' || + (needs.unit-tests-linux == 'success' && needs.coverage == 'skipped') steps: - uses: geekyeggo/delete-artifact@v5 diff --git a/composer.json b/composer.json index 08f23e9..3bd5e20 100644 --- a/composer.json +++ b/composer.json 
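Review bot: The rewritten `if:` in the cleanup job compares job objects to strings — `needs.unit-tests-linux == 'success'` and `needs.coverage == 'skipped'` can never be true, the field is `needs.<job>.result` — and switching `&&` to `||` after `always() &&` means `always()` no longer guards the second branch, because `&&` binds tighter than `||` in workflow expressions. A version matching the apparent intent is `always() && (needs.coverage.result == 'success' || (needs.unit-tests-linux.result == 'success' && needs.coverage.result == 'skipped'))`. The `extensions:` hunks earlier in this file only add `ldap` and look fine.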
@@ -48,7 +48,7 @@ "simplesamlphp/simplesamlphp": "^2.2", "simplesamlphp/simplesamlphp-module-ldap": "^2.2", "symfony/http-foundation": "^6.4", - "symfony/security-bundle": "^6.4" + "symfony/ldap": "^6.4" }, "require-dev": { "simplesamlphp/simplesamlphp-test-framework": "^1.6.0" diff --git a/psalm-dev.xml b/psalm-dev.xml new file mode 100644 index 0000000..6116331 --- /dev/null +++ b/psalm-dev.xml @@ -0,0 +1,27 @@ + + + + + + + + + + + + + + + + + + + + diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index 431051e..256d58f 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -18,14 +18,13 @@ use Symfony\Component\Ldap\Security\LdapUserProvider; use Symfony\Component\Security\Core\Exception\UserNotFoundException; -use function array_key_exists; use function array_fill_keys; +use function array_key_exists; use function array_merge; use function array_values; use function current; use function openssl_x509_parse; use function sprintf; -use function str_replace; /** * This class implements x509 certificate authentication with certificate validation against an LDAP directory. diff --git a/tests/src/Controller/ExpiryWarningTest.php b/tests/src/Controller/AuthX509Test.php similarity index 100% rename from tests/src/Controller/ExpiryWarningTest.php rename to tests/src/Controller/AuthX509Test.php diff --git a/tools/composer-require-checker.json b/tools/composer-require-checker.json index 6f661ff..8a6e045 100644 --- a/tools/composer-require-checker.json +++ b/tools/composer-require-checker.json @@ -1,5 +1,8 @@ { "symbol-whitelist": [ - "SimpleSAML\\Module\\ldap\\ConfigHelper" + "SimpleSAML\\Module\\ldap\\ConfigHelper", + "SimpleSAML\\Module\\ldap\\ConnectorFactory", + "SimpleSAML\\Module\\ldap\\ConnectorInterface", + "Symfony\\Component\\Security\\Core\\Exception\\UserNotFoundException" ] } From a46ec9a1723f408a6607b282f5e898f4bcb9a73d Mon Sep 17 00:00:00 2001 
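Review bot: Whitelisting `Symfony\\Component\\Security\\Core\\Exception\\UserNotFoundException` in `composer-require-checker.json` silences the checker instead of fixing what it reports: the class ships in `symfony/security-core`, which is not in `composer.json`'s `require`, so the module only works while a transitive dependency happens to provide it. Add the direct requirement and drop the whitelist entry. `SimpleSAML\\Module\\ldap\\ConfigHelper` is also stale now that the source no longer references that class.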
From: Tim van Dijen Date: Sun, 7 Apr 2024 17:05:34 +0200 Subject: [PATCH 08/11] Fix unit tests --- composer.json | 3 ++- src/Auth/Source/X509userCert.php | 4 +++- tools/composer-require-checker.json | 3 +-- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/composer.json b/composer.json index 3bd5e20..0bcf980 100644 --- a/composer.json +++ b/composer.json @@ -48,7 +48,8 @@ "simplesamlphp/simplesamlphp": "^2.2", "simplesamlphp/simplesamlphp-module-ldap": "^2.2", "symfony/http-foundation": "^6.4", - "symfony/ldap": "^6.4" + "symfony/ldap": "^6.4", + "symfony/security-core": "^6.4" }, "require-dev": { "simplesamlphp/simplesamlphp-test-framework": "^1.6.0" diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index 256d58f..aaa56b0 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -15,6 +15,7 @@ use SimpleSAML\Utils; use SimpleSAML\XHTML\Template; use Symfony\Component\Ldap\Entry; +use Symfony\Component\Ldap\Ldap; use Symfony\Component\Ldap\Security\LdapUserProvider; use Symfony\Component\Security\Core\Exception\UserNotFoundException; @@ -279,9 +280,10 @@ public function findUserByAttribute(string $attr, string $value): ?Entry Assert::nullOrnotWhitespaceOnly($searchPassword); $ldap = ConnectorFactory::fromAuthSource($this->backend); + $connection = new Ldap($ldap->getAdapter()); foreach ($searchBase as $base) { - $ldapUserProvider = new LdapUserProvider($ldap, $base, $searchUsername, $searchPassword, [], $attr); + $ldapUserProvider = new LdapUserProvider($connection, $base, $searchUsername, $searchPassword, [], $attr); try { return $ldapUserProvider->loadUserByIdentifier($value)->getEntry(); } catch (UserNotFoundException $e) { diff --git a/tools/composer-require-checker.json b/tools/composer-require-checker.json index 8a6e045..c98b9cd 100644 --- a/tools/composer-require-checker.json +++ b/tools/composer-require-checker.json 
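Review bot: `$connection = new Ldap($ldap->getAdapter());` together with the `ConnectorFactory::fromAuthSource(...)` call just above it re-creates a connector and a Symfony `Ldap` wrapper on every `findUserByAttribute()` call, while the constructor already stores an equivalent connector in `$this->connector` that is never read. Build the `Ldap` instance once (e.g. in the constructor, `$this->ldap = new Ldap($this->connector->getAdapter());`) and reuse it here, which also avoids per-lookup connection setup. The loop body continues past the end of the hunk.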
@@ -2,7 +2,6 @@ "symbol-whitelist": [ "SimpleSAML\\Module\\ldap\\ConfigHelper", "SimpleSAML\\Module\\ldap\\ConnectorFactory", - "SimpleSAML\\Module\\ldap\\ConnectorInterface", - "Symfony\\Component\\Security\\Core\\Exception\\UserNotFoundException" + "SimpleSAML\\Module\\ldap\\ConnectorInterface" ] } From 83b5198ac126953a47e9745ca631f6b3bd77cf2f Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sun, 7 Apr 2024 17:17:11 +0200 Subject: [PATCH 09/11] Fix deprecations --- src/Auth/Source/X509userCert.php | 2 +- src/Controller/ExpiryWarning.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index aaa56b0..33af6a7 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -117,7 +117,7 @@ public function authFailed(&$state): void { $config = Configuration::getInstance(); $errorcode = $state['authX509.error']; - $errorcodes = Error\ErrorCodes::getAllErrorCodeMessages(); + $errorcodes = (new Error\ErrorCodes())->getAllMessages(); $t = new Template($config, 'authX509:X509error.twig'); $httpUtils = new Utils\HTTP(); diff --git a/src/Controller/ExpiryWarning.php b/src/Controller/ExpiryWarning.php index a5bff3c..cb7fc56 100644 --- a/src/Controller/ExpiryWarning.php +++ b/src/Controller/ExpiryWarning.php @@ -89,7 +89,7 @@ public function main(Request $request): Response $t->data['data'] = ['StateId' => $id]; $t->data['daysleft'] = $state['daysleft']; $t->data['renewurl'] = $state['renewurl']; - $t->data['errorcodes'] = Error\ErrorCodes::getAllErrorCodeMessages(); + $t->data['errorcodes'] = (new Error\ErrorCodes())->getAllMessages(); return $t; } } From c69ead15714426b526c481a36db313a24eda14c7 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sun, 7 Apr 2024 19:33:49 +0200 Subject: [PATCH 10/11] Fix --- src/Auth/Source/X509userCert.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index 33af6a7..a3f9920 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -214,7 +214,7 @@ public function authenticate(array &$state): void $merged_ldapcerts = []; foreach ($this->ldapusercert as $attr) { - $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]); + $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[0][$attr]); } $ldap_certs = $merged_ldapcerts; From f4805e01b67051576d54271ec6209dec5c6686c3 Mon Sep 17 00:00:00 2001 From: Tim van Dijen Date: Sun, 7 Apr 2024 21:44:39 +0200 Subject: [PATCH 11/11] Fix --- src/Auth/Source/X509userCert.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/Auth/Source/X509userCert.php b/src/Auth/Source/X509userCert.php index a3f9920..3ac4eed 100644 --- a/src/Auth/Source/X509userCert.php +++ b/src/Auth/Source/X509userCert.php @@ -202,7 +202,11 @@ public function authenticate(array &$state): void throw new Exception("Should never be reached"); } - $ldap_certs = array_map([$entry, 'getAttribute'], $this->ldapusercert); + $ldap_certs = []; + foreach ($this->ldapusercert as $attr) { + $ldap_certs[$attr] = $entry->getAttribute($attr); + } + if (empty($ldap_certs)) { Logger::error('authX509: no certificate found in LDAP for dn=' . $dn); $state['authX509.error'] = "UNKNOWNCERT"; @@ -214,7 +218,7 @@ public function authenticate(array &$state): void $merged_ldapcerts = []; foreach ($this->ldapusercert as $attr) { - $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[0][$attr]); + $merged_ldapcerts = array_merge($merged_ldapcerts, $ldap_certs[$attr]); } $ldap_certs = $merged_ldapcerts;
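Review bot: `$ldap_certs[0][$attr]` indexes the first element of the `array_map` result — the value list of the first configured `ldapusercert` attribute — by attribute name, so it reads a key that does not exist in a plain value list and yields null even for the single-attribute default, and any further configured attributes are never merged at all. The underlying mismatch is that `array_map([$entry, 'getAttribute'], ...)` produces a list rather than an attribute-keyed array; keying `$ldap_certs` by `$attr` where it is built is the proper fix. The enclosing `authenticate()` extends beyond the hunk.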
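Review bot: `if (empty($ldap_certs))` after the new keyed loop can no longer be true when `ldapusercert` is non-empty — `$ldap_certs[$attr]` is set for every configured attribute, to `null` when the entry lacks it — so the "no certificate found in LDAP" branch is dead and the merge loop in the second hunk passes `null` to `array_merge()`, which raises a TypeError instead of the intended UNKNOWNCERT failure. Guard the assignment with `if ($entry->hasAttribute($attr)) { $ldap_certs[$attr] = $entry->getAttribute($attr); }` so the emptiness check regains its meaning, and merge with `$merged_ldapcerts = array_merge([], ...array_values($ldap_certs));` instead of iterating `$this->ldapusercert` again. The log line in that branch still prints `dn=` followed by an attribute name rather than the entry's DN. `authenticate()` continues outside both hunks.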