[Security] Ability to add roles in form_login_ldap by ldap group

This update allows LDAP to fetch roles for a given user entry by using the new RoleFetcherInterface. The LdapUserProvider class has been adjusted to use this new functionality.

Author: Spomky

CHANGELOG.md

@@ -5,6 +5,8 @@ CHANGELOG
 ---
 
  * Deprecate `LdapUser::eraseCredentials()` in favor of `__serialize()`
+ * Add `RoleFetcherInterface` to allow roles fetching at user loading
+ * Add ability to fetch LDAP roles
 
 7.2
 ---

Security/AssignDefaultRoles.php

@@ -0,0 +1,33 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Symfony\Component\Ldap\Entry;
+
+final readonly class AssignDefaultRoles implements RoleFetcherInterface
+{
+    /**
+     * @param string[] $roles
+     */
+    public function __construct(
+        private array $roles,
+    ) {
+    }
+
+    /**
+     * @return string[]
+     */
+    public function fetchRoles(Entry $entry): array
+    {
+        return $this->roles;
+    }
+}

Security/LdapUserProvider.php

@@ -37,13 +37,14 @@ class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterfa
 {
     private string $uidKey;
     private string $defaultSearch;
+    private RoleFetcherInterface $roleFetcher;
 
     public function __construct(
         private LdapInterface $ldap,
         private string $baseDn,
         private ?string $searchDn = null,
         #[\SensitiveParameter] private ?string $searchPassword = null,
-        private array $defaultRoles = [],
+        array|RoleFetcherInterface $defaultRoles = [],
         ?string $uidKey = null,
         ?string $filter = null,
         private ?string $passwordAttribute = null,
@@ -54,6 +55,7 @@ public function __construct(
 
         $this->uidKey = $uidKey;
         $this->defaultSearch = str_replace('{uid_key}', $uidKey, $filter);
+        $this->roleFetcher = \is_array($defaultRoles) ? new AssignDefaultRoles($defaultRoles) : $defaultRoles;
     }
 
     public function loadUserByIdentifier(string $identifier): UserInterface
@@ -147,7 +149,9 @@ protected function loadUser(string $identifier, Entry $entry): UserInterface
             $extraFields[$field] = $this->getAttributeValue($entry, $field);
         }
 
-        return new LdapUser($entry, $identifier, $password, $this->defaultRoles, $extraFields);
+        $roles = $this->roleFetcher->fetchRoles($entry);
+
+        return new LdapUser($entry, $identifier, $password, $roles, $extraFields);
     }
 
     private function getAttributeValue(Entry $entry, string $attribute): mixed

Security/MemberOfRoles.php

@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Symfony\Component\Ldap\Entry;
+
+final readonly class MemberOfRoles implements RoleFetcherInterface
+{
+    /**
+     * @param array<string, string> $mapping
+     */
+    public function __construct(
+        private array $mapping,
+        private string $attributeName = 'ismemberof',
+        private string $groupNameRegex = '/^CN=(?P<group>[^,]+),ou.*$/i',
+    ) {
+    }
+
+    /**
+     * @return string[]
+     */
+    public function fetchRoles(Entry $entry): array
+    {
+        if (!$entry->hasAttribute($this->attributeName)) {
+            return [];
+        }
+
+        $roles = [];
+        foreach ($entry->getAttribute($this->attributeName) as $group) {
+            $groupName = $this->getGroupName($group);
+            if (\array_key_exists($groupName, $this->mapping)) {
+                $roles[] = $this->mapping[$groupName];
+            }
+        }
+
+        return array_unique($roles);
+    }
+
+    private function getGroupName(string $group): string
+    {
+        if (preg_match($this->groupNameRegex, $group, $matches)) {
+            return $matches['group'];
+        }
+
+        return $group;
+    }
+}

Security/RoleFetcherInterface.php

@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Symfony\Component\Ldap\Entry;
+
+/**
+ * Fetches LDAP roles for a given entry.
+ */
+interface RoleFetcherInterface
+{
+    /**
+     * @return string[] The list of roles
+     */
+    public function fetchRoles(Entry $entry): array;
+}

Tests/Security/LdapUserProviderTest.php

@@ -19,6 +19,8 @@
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Ldap\Security\LdapUser;
 use Symfony\Component\Ldap\Security\LdapUserProvider;
+use Symfony\Component\Ldap\Security\MemberOfRoles;
+use Symfony\Component\Ldap\Security\RoleFetcherInterface;
 use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 
@@ -388,4 +390,64 @@ public function testRefreshUserShouldReturnUserWithSameProperties()
 
         $this->assertEquals($user, $provider->refreshUser($user));
     }
+
+    public function testLoadUserWithCorrectRoles()
+    {
+        // Given
+        $result = $this->createMock(CollectionInterface::class);
+        $query = $this->createMock(QueryInterface::class);
+        $query
+            ->method('execute')
+            ->willReturn($result)
+        ;
+        $ldap = $this->createMock(LdapInterface::class);
+        $result
+            ->method('offsetGet')
+            ->with(0)
+            ->willReturn(new Entry('foo', ['sAMAccountName' => ['foo']]))
+        ;
+        $result
+            ->method('count')
+            ->willReturn(1)
+        ;
+        $ldap
+            ->method('escape')
+            ->willReturn('foo')
+        ;
+        $ldap
+            ->method('query')
+            ->willReturn($query)
+        ;
+        $roleFetcher = $this->createMock(RoleFetcherInterface::class);
+        $roleFetcher
+            ->method('fetchRoles')
+            ->willReturn(['ROLE_FOO', 'ROLE_BAR'])
+        ;
+
+        $provider = new LdapUserProvider($ldap, 'ou=MyBusiness,dc=symfony,dc=com', defaultRoles: $roleFetcher);
+
+        // When
+        $user = $provider->loadUserByIdentifier('foo');
+
+        // Then
+        $this->assertInstanceOf(LdapUser::class, $user);
+        $this->assertSame(['ROLE_FOO', 'ROLE_BAR'], $user->getRoles());
+    }
+
+    public function testMemberOfRoleFetch()
+    {
+        // Given
+        $roleFetcher = new MemberOfRoles(
+            ['Staff' => 'ROLE_STAFF', 'Admin' => 'ROLE_ADMIN'],
+            'memberOf'
+        );
+
+        $entry = new Entry('uid=elliot.alderson,ou=staff,ou=people,dc=example,dc=com', ['memberOf' => ['cn=Staff,ou=Groups,dc=example,dc=com', 'cn=Admin,ou=Groups,dc=example,dc=com']]);
+
+        // When
+        $roles = $roleFetcher->fetchRoles($entry);
+
+        // Then
+        $this->assertSame(['ROLE_STAFF', 'ROLE_ADMIN'], $roles);
+    }
 }