feat: Add faultyToken in order to be able to re-use token credential …

…because AD cannot keep authentication token fix #15
RiperFr · Sep 21, 2015 · 75b887b · 75b887b
1 parent de0bd32
commit 75b887b
Show file tree

Hide file tree

Showing 6 changed files with 105 additions and 13 deletions.
diff --git a/Exception/WrongTokenException.php b/Exception/WrongTokenException.php
@@ -0,0 +1,7 @@
+<?php
+namespace Riper\Security\ActiveDirectoryBundle\Exception;
+
+class WrongTokenException extends \Exception
+{
+
+}
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ You need to configure your domain specific information
             domain_controllers : [ baudrive.kim.riper.fr ] #Servers to use for ldap connection (Random)
             admin_username: #Null to use the userConnection
             admin_password: #Null to use the userConnection
+            keep_password_in_token: false #Set to true if you want to re-use the adldap instance to make further queries (This is a security issue because the password is kept in session)
             real_primarygroup : true #For Linux compatibility.
             use_ssl : false #Set it true need configuration of the server to be useful
             use_tls : false #Set it true need configuration of the server to be useful

diff --git a/Resources/config/services.yml b/Resources/config/services.yml
@@ -1,5 +1,11 @@
 parameters:
     riper_security_active_directory_token: Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
+    #This token is faulty because it does not do one security step. It does not erase the password in order to re-use it.
+    riper_security_active_directory_token_faulty : Riper\Security\ActiveDirectoryBundle\Security\Token\FaultyToken
+
+    riper_security_tokens_classes :
+        standard : %riper_security_active_directory_token%
+        faulty : %riper_security_active_directory_token_faulty%
 
 services:
     riper.security.active.directory.user.provider:
@@ -8,8 +14,12 @@ services:
 
     riper.security.active.directory.authentication.provider:
         class: "Riper\Security\ActiveDirectoryBundle\Security\Authentication\AdAuthProvider"
-        arguments: ["@riper.security.active.directory.user.provider", "", "@riper.security.active.directory.service.adldap", "@translator", "%riper_security_active_directory_token%"]
+        arguments: ["@riper.security.active.directory.user.provider", "", "@riper.security.active.directory.service.adldap", "@translator", "%riper_security_tokens_classes%", %riper.security.active_directory.settings% ]
 
     riper.security.active.directory.service.adldap:
         class: "Riper\Security\ActiveDirectoryBundle\Service\AdldapService"
         arguments: [ "%riper.security.active_directory.settings%"]
+
+    riper.security.active.directory.factory.adldap:
+        class: "Riper\Security\ActiveDirectoryBundle\Security\Factory\AdldapFactory"
+        arguments: [ @security.context, @riper.security.active.directory.service.adldap ]
diff --git a/Security/Authentication/AdAuthProvider.php b/Security/Authentication/AdAuthProvider.php
@@ -29,13 +29,15 @@ public function __construct(
         array $config,
         AdldapService $AdldapService,
         TranslatorInterface $translator,
-        $tokenClass
+        $tokenClasses,
+        $riperConfig
     ) {
-        $this->userProvider  = $userProvider;
-        $this->config        = $config;
+        $this->userProvider = $userProvider;
+        $this->config = $config;
         $this->AdldapService = $AdldapService;
-        $this->translator    = $translator;
-        $this->tokenClass    = $tokenClass;
+        $this->translator = $translator;
+        $this->tokenClasses = $tokenClasses;
+        $this->riperConfig = $riperConfig;
     }
 
     /**
@@ -50,7 +52,7 @@ public function __construct(
     public function authenticate(TokenInterface $token)
     {
         $Adldap = $this->AdldapService->getInstance();
-        $User   = $this->userProvider->loadUserByUsername($token->getUsername());
+        $User = $this->userProvider->loadUserByUsername($token->getUsername());
         if ($User instanceof AdUser) {
             if (!$Adldap->authenticate($User->getUsername(), $token->getCredentials())) {
                 $msg = $this->translator->trans(
@@ -61,12 +63,21 @@ public function authenticate(TokenInterface $token)
             $this->userProvider->fetchData($User, $token, $Adldap);
         }
 
-        $newToken = new $this->tokenClass(
-            $User,
-            $token->getCredentials(),
-            'riper.security.active.directory.user.provider',
-            $User->getRoles()
-        );
+        if (isset($this->riperConfig['keep_password_in_token']) && $this->riperConfig['keep_password_in_token']) {
+            $newToken = new $this->tokenClasses['faulty'](
+                $User,
+                $token->getCredentials(),
+                'riper.security.active.directory.user.provider',
+                $User->getRoles()
+            );
+        } else {
+            $newToken = new $this->tokenClasses['standard'](
+                $User,
+                $token->getCredentials(),
+                'riper.security.active.directory.user.provider',
+                $User->getRoles()
+            );
+        }
 
         return $newToken;
     }

diff --git a/Security/Factory/AdldapFactory.php b/Security/Factory/AdldapFactory.php
@@ -0,0 +1,44 @@
+<?php
+
+
+namespace Riper\Security\ActiveDirectoryBundle\Security\Factory;
+
+
+use Riper\Security\ActiveDirectoryBundle\Exception\WrongTokenException;
+use Riper\Security\ActiveDirectoryBundle\Service\AdldapService;
+use Riper\Security\ActiveDirectoryBundle\Token\FaultyToken;
+use Symfony\Component\Security\Core\SecurityContext;
+
+class AdldapFactory
+{
+
+    /**
+     * @var SecurityContext
+     */
+    private $securityContext;
+
+    /**
+     * @var AdldapService
+     */
+    private $adldapService;
+
+    public function __construct(SecurityContext $securityContext, AdldapService $adldapService)
+    {
+        $this->securityContext = $securityContext;
+        $this->adldapService = $adldapService;
+    }
+
+
+    public function getAuthenticatedAdLdap()
+    {
+        $token = $this->securityContext->getToken();
+        if ($token instanceof FaultyToken) {
+            throw new WrongTokenException(
+                'The token is not the right one. Did you forget to set "keep_password_in_token" to "true" in bundle configuration ?'
+            );
+        }
+        $adldap = $this->adldapService->getInstance();
+        $adldap->authenticate($token->getUsername(), $token->getCredentials());
+    }
+
+}
diff --git a/Security/Token/FaultyToken.php b/Security/Token/FaultyToken.php
@@ -0,0 +1,19 @@
+<?php
+namespace Riper\Security\ActiveDirectoryBundle\Security\Token;
+
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+
+class FaultyToken extends UsernamePasswordToken
+{
+
+
+    /**
+     * This method cut of the behaviour in order to keep the password in the token
+     * This is a bad practice, but is the only simple way to keep the password and reuse it after
+     * For active directory authentication
+     */
+    public function eraseCredentials()
+    {
+
+    }
+}