From 09c68d7d123a0492b18dc74d1849164144df149e Mon Sep 17 00:00:00 2001
From: Denis CLAVIER
Date: Fri, 1 May 2020 21:22:34 +0200
Subject: [PATCH] Adapt v2 with merged PR

---
Docker/mattermostldap/Dockerfile | 3 ++
Docker/php-ldap-pgsql/Dockerfile | 1 +
env.example | 18 +++++-----
oauth/authorize.php | 13 +++----
oauth/connexion.php | 60 --------------------------------
oauth/style.css | 5 ++-
6 files changed, 22 insertions(+), 78 deletions(-)
delete mode 100644 oauth/connexion.php

diff --git a/Docker/mattermostldap/Dockerfile b/Docker/mattermostldap/Dockerfile
index ef1a8ce..71329b9 100644
--- a/Docker/mattermostldap/Dockerfile
+++ b/Docker/mattermostldap/Dockerfile
@@ -10,6 +10,9 @@ RUN set -x \
 && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
 && docker-php-ext-install ldap
+# Enable development php.ini config (Solve empty answer from token.php)
+RUN ln -s /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
+
 # Get Mattermost-LDAP project
 RUN git clone https://github.com/crivaledaz/Mattermost-LDAP.git /opt/Mattermost-LDAP/
diff --git a/Docker/php-ldap-pgsql/Dockerfile b/Docker/php-ldap-pgsql/Dockerfile
index ee17d76..f901b35 100644
--- a/Docker/php-ldap-pgsql/Dockerfile
+++ b/Docker/php-ldap-pgsql/Dockerfile
@@ -9,4 +9,5 @@ RUN set -x \
 && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
 && docker-php-ext-install ldap
+# Enable development php.ini config (Solve empty answer from token.php)
 RUN ln -s /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
diff --git a/env.example b/env.example
index 1f10418..665d55d 100644
--- a/env.example
+++ b/env.example
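Review bot: The added comment says it enables the development php.ini, but the `ln -s` right below it links `php.ini-production`; the two disagree, and the next maintainer who "fixes" the link to `php.ini-development` turns on `display_errors`, which would echo PHP stack traces (LDAP host, bind DN, SQL fragments) from the token and authorize endpoints straight to clients. Production is the right choice for this image, so correct the comment rather than the command: `# Use the production php.ini (display_errors off); without any php.ini token.php returned an empty response`. The cause of that empty response is not visible in this diff, so keep that part of the comment hedged. Separately, the context line below clones the default branch of Mattermost-LDAP unpinned at build time; that is pre-existing, but for an authentication server pinning a tag or commit (`git clone --branch <tag> --depth 1 ...`) makes the image reproducible and reviewable.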
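Review bot: Same comment/command mismatch as in the mattermostldap Dockerfile: the new comment announces the development php.ini while the existing `ln -s` line it documents links `php.ini-production`. Keep the production link (it keeps `display_errors` and `expose_php` off for an endpoint that handles credentials) and reword the comment to match, e.g. `# Use the production php.ini (display_errors off) so PHP errors are not echoed to clients`.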
@@ -8,10 +8,10 @@
 #
 # Client ID token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
-client_id = 123456789abcdef123456789abcdef
+client_id = "123456789abcdef123456789abcdef"
 # Client Secret token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
-client_secret = fedcba987654321fedcba987654321
+client_secret = "fedcba987654321fedcba987654321"
 # Redirect URI use by Oauth server to redirect user after authentifictaion process. Must be the same than as Mattermost give to Oauth server.
 redirect_uri = "http://localhost/signup/gitlab/complete"
@@ -30,13 +30,13 @@ user_id = ""
 #
 # Username for the PostgreSQL administrator account
-POSTGRES_USER = postgres
+POSTGRES_USER = "postgres"
 # Password for PostgreSQL administrator account
-POSTGRES_PASSWORD = rootroot
+POSTGRES_PASSWORD = "rootroot"
 # Method to use for connection to database
-POSTGRES_HOST_AUTH_METHOD = trust
+POSTGRES_HOST_AUTH_METHOD = "trust"
 # Oauth user to connect the database
 db_user = "oauth"
@@ -61,16 +61,16 @@ db_type = "pgsql"
 #
 # LDAP host or IP
-ldap_host = ldap://ldap.company.com:389/
+ldap_host = "ldap://ldap.company.com:389/"
 # LDAP port
-ldap_port = 389
+ldap_port = "389"
 # LDAP protocol version
-ldap_version = 3
+ldap_version = "3"
 # Unique identifier for entry in LDAP
-ldap_search_attribute = uid
+ldap_search_attribute = "uid"
 # Base DN to search from in LDAP
 ldap_base_dn = "ou=People,o=Company"
diff --git a/oauth/authorize.php b/oauth/authorize.php
index baf14e6..6de485c 100644
--- a/oauth/authorize.php
+++ b/oauth/authorize.php
@@ -70,13 +70,11 @@ else if (empty($_POST)) {
   E-mail
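Review bot: `POSTGRES_HOST_AUTH_METHOD = "trust"` in the example disables password authentication for every connection the PostgreSQL container accepts, so the `POSTGRES_PASSWORD` above it is decorative and anything that can reach the database port logs in as `postgres`; an example file is exactly what gets copied into `.env`, so it should default to a password method (`"md5"` or `"scram-sha-256"`) or at least carry a comment saying `trust` is for local development only. The quoting change also needs a check against whatever parses this file: a PHP `parse_ini_file` reader strips the quotes, but Docker's `--env-file` and older Compose `env_file` handling keep them as part of the value (and do not accept spaces around `=`), which would hand PostgreSQL the literal string `"trust"` and the password `"rootroot"` with quotes. The consumer is not visible in this diff, so verify against it before relying on the quoted form.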
- - - Login as : ' . $_SESSION['uid'] . ' - - -
+
+ Logged as : ' . $_SESSION['uid'] . ' +
+
@@ -96,6 +94,9 @@ else { // Print the authorization code if the user has authorized your client $server->handleAuthorizeRequest($request, $response, $is_authorized,$_SESSION['uid']); +// Authentication process is terminated, session can be destroyed. +$_SESSION=array(); + if ($is_authorized) { // This is only here so that you get to see your code in the cURL request. Otherwise, we'd redirect back to the client diff --git a/oauth/connexion.php b/oauth/connexion.php deleted file mode 100644 index 5a48688..0000000 --- a/oauth/connexion.php +++ /dev/null @@ -1,60 +0,0 @@ - - */ - -// include our LDAP object -require_once __DIR__.'/LDAP/LDAP.php'; -require_once __DIR__.'/LDAP/config_ldap.php'; - - -// Verify all fields have been filled -if (empty($_POST['user']) || empty($_POST['password'])) { - echo 'Please fill in your Username and Password
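Review bot: The new `Logged as : ' . $_SESSION['uid'] . '` line concatenates the session uid into HTML without output encoding, and the only sanitisation in view (`htmlspecialchars` applied in connexion.php before the uid was stored) is deleted by this same commit, so nothing visible now guarantees the value is HTML-safe. Encode at the sink regardless of where the login code has moved: `Logged as : ' . htmlspecialchars($_SESSION['uid'], ENT_QUOTES, 'UTF-8') . '`. The echo string this markup sits in, and the `else if (empty($_POST))` branch around it, begin and end outside the hunk.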
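Review bot: `$_SESSION=array();` empties the session data but does not end the session — the session ID and its cookie stay valid — so the comment "session can be destroyed" overstates what the line does. Follow it with `session_destroy();` (and expire the cookie if the site's login flow relies on it), or use `session_regenerate_id(true);` if the session is meant to live on after authorization. The wipe also runs unconditionally before `if ($is_authorized)`, whose body continues outside the hunk; confirm nothing after this point still reads `$_SESSION`.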

'; - echo 'Click here to come back to login page'; -} else { - // Check received data length (to prevent code injection) - if (strlen($_POST['user']) > 15) { - echo 'Username has incorrect format ... Please try again

'; - echo 'Click here to come back to login page'; - } elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7) { - echo 'Password has incorrect format ... Please try again

'; - echo 'Click here to come back to login page'; - } else { - // Remove every html tag and useless space on username (to prevent XSS) - $user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user'])))); - $password=$_POST['password']; - - // Open a LDAP connection - $ldap = new LDAP($ldap_host, $ldap_port, $ldap_version); - - // Check user credential on LDAP - try { - $authenticated = $ldap->checkLogin($user, $password, $ldap_search_attribute, $ldap_filter, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_pass); - } catch (Exception $e) { - $resp = json_encode(array("error" => "Impossible to get data", "message" => $e->getMessage())); - $authenticated = false; - } - - // If user is authenticated - if ($authenticated) { - $_SESSION['uid']=$user; - - // If user came here with an autorize request, redirect him to the authorize page. Else prompt a simple message. - if (isset($_SESSION['auth_page'])) { - $auth_page=$_SESSION['auth_page']; - header('Location: ' . $auth_page); - exit(); - } else { - echo "Congratulation you are authenticated !

However there is nothing to do here ..."; - } - } - // check login on LDAP has failed. Login and password were invalid or LDAP is unreachable - else { - echo "Authentication failed ... Check your username and password.
If error persist contact your administrator.

"; - echo 'Click here to come back to login page'; - echo '


' . $resp; - } - } -} diff --git a/oauth/style.css b/oauth/style.css index 1555d05..5f1f1d9 100644 --- a/oauth/style.css +++ b/oauth/style.css @@ -32,8 +32,7 @@ table { margin-left: auto; margin-right: auto; font-size: larger; - border-style: solid; - border-width: 2px; + border: none; margin-top: 5%; } @@ -191,7 +190,7 @@ button { } button.link { font-family: "Verdana" sans-serif; - font-size: 7pt; + font-size: 2pt; text-align: left; color: blue; background: none;
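Review bot: `font-size: 2pt` on `button.link` makes the button's label unreadable while leaving it focusable and clickable, which is the worst of both outcomes for a control on an authorization page. If the intent is to hide a link-style button, hide it (`display: none;`, or drop it from the markup); if it is meant to be used, keep a legible size — the previous `7pt` was already small. Which buttons carry class `link` is not visible in this diff, so check the authorize page markup before deciding.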