diff --git a/Docker/mattermostldap/Dockerfile b/Docker/mattermostldap/Dockerfile
index ef1a8ce..71329b9 100644
--- a/Docker/mattermostldap/Dockerfile
+++ b/Docker/mattermostldap/Dockerfile
@@ -10,6 +10,9 @@ RUN set -x \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
&& docker-php-ext-install ldap
+# Enable development php.ini config (Solve empty answer from token.php)
+RUN ln -s /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
+
# Get Mattermost-LDAP project
RUN git clone https://github.com/crivaledaz/Mattermost-LDAP.git /opt/Mattermost-LDAP/
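Review bot: The added comment says "Enable development php.ini config", but the `RUN ln -s` line beneath it links `php.ini-production`, so the comment and the command disagree. The same comment is added in Docker/php-ldap-pgsql/Dockerfile. The production template is the safer choice for an OAuth endpoint because it keeps PHP error output out of HTTP responses, so I would fix the comment rather than the command: `# Use the production php.ini template (solves empty answer from token.php)`. That way nobody later "corrects" the symlink to `php.ini-development` to match the comment.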
diff --git a/Docker/php-ldap-pgsql/Dockerfile b/Docker/php-ldap-pgsql/Dockerfile
index ee17d76..f901b35 100644
--- a/Docker/php-ldap-pgsql/Dockerfile
+++ b/Docker/php-ldap-pgsql/Dockerfile
@@ -9,4 +9,5 @@ RUN set -x \
&& docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu/ \
&& docker-php-ext-install ldap
+# Enable development php.ini config (Solve empty answer from token.php)
RUN ln -s /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini
diff --git a/env.example b/env.example
index 1f10418..665d55d 100644
--- a/env.example
+++ b/env.example
@@ -8,10 +8,10 @@
#
# Client ID token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
-client_id = 123456789abcdef123456789abcdef
+client_id = "123456789abcdef123456789abcdef"
# Client Secret token. Must be a random hex value. Use `openssl rand -hex 32` to generate a token.
-client_secret = fedcba987654321fedcba987654321
+client_secret = "fedcba987654321fedcba987654321"
# Redirect URI use by Oauth server to redirect user after authentifictaion process. Must be the same than as Mattermost give to Oauth server.
redirect_uri = "http://localhost/signup/gitlab/complete"
@@ -30,13 +30,13 @@ user_id = ""
#
# Username for the PostgreSQL administrator account
-POSTGRES_USER = postgres
+POSTGRES_USER = "postgres"
# Password for PostgreSQL administrator account
-POSTGRES_PASSWORD = rootroot
+POSTGRES_PASSWORD = "rootroot"
# Method to use for connection to database
-POSTGRES_HOST_AUTH_METHOD = trust
+POSTGRES_HOST_AUTH_METHOD = "trust"
# Oauth user to connect the database
db_user = "oauth"
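Review bot: `POSTGRES_HOST_AUTH_METHOD = "trust"` tells PostgreSQL to accept connections without checking a password, which makes `POSTGRES_PASSWORD` on the line above meaningless, and the comment "Method to use for connection to database" does not say so. Since this is the template people copy, I would document it: `# "trust" skips password checks; keep it for local tests only, otherwise use "scram-sha-256"`. It would also help to mark `rootroot` as a placeholder that must be replaced. How the newly quoted values are parsed is not visible in this hunk, so confirm that whatever reads this file strips the quotes rather than passing them through literally.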
@@ -61,16 +61,16 @@ db_type = "pgsql"
#
# LDAP host or IP
-ldap_host = ldap://ldap.company.com:389/
+ldap_host = "ldap://ldap.company.com:389/"
# LDAP port
-ldap_port = 389
+ldap_port = "389"
# LDAP protocol version
-ldap_version = 3
+ldap_version = "3"
# Unique identifier for entry in LDAP
-ldap_search_attribute = uid
+ldap_search_attribute = "uid"
# Base DN to search from in LDAP
ldap_base_dn = "ou=People,o=Company"
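Review bot: The example `ldap_host = "ldap://ldap.company.com:389/"` points at unencrypted LDAP, and nothing here warns that passwords from the login form would cross the network in clear text unless StartTLS is negotiated elsewhere (not visible in this hunk). I would add a comment above it such as `# Prefer ldaps:// (port 636) or StartTLS; plain ldap:// exposes bind passwords on the network`. `ldap_port` and `ldap_version` are now quoted strings, so confirm the code that reads them casts to int before they reach the LDAP calls.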
diff --git a/oauth/.htaccess b/oauth/.htaccess
index 3d8e7d7..1022358 100644
--- a/oauth/.htaccess
+++ b/oauth/.htaccess
@@ -15,3 +15,8 @@ deny from all
- - |
-
';
- echo 'Click here to come back to login page';
-} else {
- // Check received data length (to prevent code injection)
- if (strlen($_POST['user']) > 15) {
- echo 'Username has incorrect format ... Please try again ';
- echo 'Click here to come back to login page';
- } elseif (strlen($_POST['password']) > 50 || strlen($_POST['password']) <= 7) {
- echo 'Password has incorrect format ... Please try again ';
- echo 'Click here to come back to login page';
- } else {
- // Remove every html tag and useless space on username (to prevent XSS)
- $user=strtolower(strip_tags(htmlspecialchars(trim($_POST['user']))));
-
- $password=$_POST['password'];
-
- // Open a LDAP connection
- $ldap = new LDAP($ldap_host, $ldap_port, $ldap_version);
-
- // Check user credential on LDAP
- try {
- $authenticated = $ldap->checkLogin($user, $password, $ldap_search_attribute, $ldap_filter, $ldap_base_dn, $ldap_bind_dn, $ldap_bind_pass);
- } catch (Exception $e) {
- if ($e->getCode() == 404) {
- $resp = json_encode(
- [
- "error" => "User not found",
- "message" => "$user is not in the group of authorized users."
- ]
- );
- } else {
- $resp = json_encode(array("error" => "Impossible to get data", "message" => $e->getMessage()));
- }
- $authenticated = false;
- }
-
- // If user is authenticated
- if ($authenticated) {
- $_SESSION['uid']=$user;
-
- // If user came here with an autorize request, redirect him to the authorize page. Else prompt a simple message.
- if (isset($_SESSION['auth_page'])) {
- $auth_page=$_SESSION['auth_page'];
- header('Location: ' . $auth_page);
- exit();
- } else {
- echo "Congratulation you are authenticated ! However there is nothing to do here ...";
- }
- }
- // check login on LDAP has failed. Login and password were invalid or LDAP is unreachable
- else {
- echo "Authentication failed ... Check your username and password. If error persist contact your administrator. ";
- echo 'Click here to come back to login page';
- echo ' ' . $resp;
- }
- }
-}
diff --git a/oauth/form_prompt.html b/oauth/form_prompt.html new file mode 100644 index 0000000..936672c --- /dev/null +++ b/oauth/form_prompt.html @@ -0,0 +1,41 @@ + + + + +
+
+
+
diff --git a/oauth/images/ButtonGreen.png b/oauth/images/ButtonGreen.png
deleted file mode 100644
index 9a88c41..0000000
Binary files a/oauth/images/ButtonGreen.png and /dev/null differ
diff --git a/oauth/images/auth_icon.png b/oauth/images/auth_icon.png
new file mode 100644
index 0000000..28e98fd
Binary files /dev/null and b/oauth/images/auth_icon.png differ
diff --git a/oauth/images/login.png b/oauth/images/login.png
deleted file mode 100644
index 6034af0..0000000
Binary files a/oauth/images/login.png and /dev/null differ
diff --git a/oauth/images/prompt_icon.png b/oauth/images/prompt_icon.png
new file mode 100644
index 0000000..74cb2bc
Binary files /dev/null and b/oauth/images/prompt_icon.png differ
diff --git a/oauth/index.php b/oauth/index.php
index 11190e7..77baacd 100644
--- a/oauth/index.php
+++ b/oauth/index.php
@@ -1,72 +1,89 @@
+/**
+ * @author Denis CLAVIER
+
+ LDAP Authentication+
+
+ ![]() + + +
However there is nothing to do here ...');
+ }
+ }
+ // check login on LDAP has failed. Login and password were invalid or LDAP is unreachable
+ else
+ {
+ messageShow($prompt_template, 'Authentication failed ... Check your username and password. If the error persists contact your administrator. ');
+ }
+ }
+}
diff --git a/oauth/style.css b/oauth/style.css
index b7b06c6..5f1f1d9 100644
--- a/oauth/style.css
+++ b/oauth/style.css
@@ -1,84 +1,212 @@
-html
-{
- height: 100%;
- margin: 0;
-}
-
-body {
- font-family:"Tahoma","Arial", serif;
- font-size:8px;
- font-weight: normal;
- color: black;
- text-decoration:none;
- background-color: white;
- height: 100%;
- margin: 0;
-}
-
-
-.LoginTitle {
- color: #000000;
- font-family : "Tahoma","Arial", serif;
- font-size : 18pt;
- font-weight: normal;
-}
-
-.LoginUsername {
- color: #000000;
- font-family : "Tahoma","Arial", serif;
- font-size : 14pt;
- font-weight: normal;
-}
-
-.LoginComment {
- color: #000000;
- font-family : "Tahoma","Arial", serif;
- font-size : 8pt;
- font-weight: normal;
-}
-
-.GreenButton
-{
- color: white;
- font-family : "Tahoma", "Arial", serif;
- font-size : 10pt;
- font-weight: normal;
- height: 28px;
- background: transparent url(images/ButtonGreen.png) repeat-x left top;
- border: solid 1px #50B4AE;
- font-weight: bold;
-}
-
-.messageLogin {
- color: Yellow;
- font-family : "Tahoma", "Arial", serif;
- font-size : 8pt;
- font-weight: bold;
-}
-
-button {
- overflow: visible;
- width: auto;
-}
-button.link {
- font-family: "Verdana" sans-serif;
- font-size: 7pt;
- text-align: left;
- color: blue;
- background: none;
- margin: 0;
- padding: 0;
- border: none;
- cursor: pointer;
-
- -moz-user-select: text;
-
- /* override all your button styles here if there are any others */
-}
-button.link span {
- text-decoration: underline;
-}
-button.link:hover span,
-button.link:focus span {
- color: black;
-}
+:root {
+ --input_bg: #E5E5E5;
+ --input_hover:#eaeaea;
+ --accept_bg: #1FCC44;
+ --accept_hover: #40e263;
+ --deny_bg: #cc1f1f;
+ --deny_hover: #e24040;
+ --icon_color:#6b6b6b;
+}
+
+html {
+ height: 100%;
+ margin: 0;
+}
+
+/* Overide browser defaults */
+* {
+ padding: 0;
+ margin: 0;
+ box-sizing: border-box;
+}
+
+/* Style the form wrapper */
+body {
+ /* Set custom font */
+ font-family: 'Roboto', sans-serif;
+ margin: auto;
+ text-align: center;
+}
+
+table {
+ margin-left: auto;
+ margin-right: auto;
+ font-size: larger;
+ border: none;
+ margin-top: 5%;
+}
+
+/* Format the different images*/
+#form_icon,
+#form_icon_prompt {
+ display: flex;
+ justify-content: center;
+ align-items: center;
+ margin-top: 5%;
+}
+
+#form_icon img {
+ width: 100%;
+ max-width: 450px;
+}
+
+#form_icon_prompt img {
+ width: 50%;
+ max-width: 350px;
+}
+
+
+/* Style the form_credentials */
+#form_credentials {
+ /* Center the content */
+ display: inline-block;
+ justify-content: center;
+ align-items: center;
+ position: absolute;
+ transform: translate(-50%, 25%);
+}
+
+/* Style input fields */
+.input_container {
+ background-color: var(--input_bg);
+ /* Vertically align icon and text inside the div*/
+ display: flex;
+ align-items: center;
+ padding-left: 20px;
+}
+
+.input_container:hover {
+ background-color: var(--input_hover);
+}
+
+.input_container,
+#input_accept,
+#input_deny,
+#input_login {
+ height: 60px;
+
+ /* Make the borders more round */
+ border-radius: 12px;
+ width: 100%;
+}
+
+.input_field {
+ /* Customize the input tag with lighter font and some padding*/
+ color: var(--icon_color);
+ background-color: inherit;
+ width: 95%;
+ border: none;
+ font-size: 1.3rem;
+ font-weight: 400;
+ padding-left: 6.5%;
+}
+
+.input_field:hover,
+.input_field:focus {
+ /* Remove the outline */
+ outline: none;
+}
+
+#input_accept,
+#input_deny,
+#input_login {
+ /* Submit button has a different color and different padding */
+ background-color: var(--accept_bg);
+ padding-left: 0;
+ font-weight: bold;
+ color: white;
+ text-transform: capitalize;
+ text-align: center;
+ display: inline-block;
+ margin-top: 25%;
+ margin-right: 2%;
+ width: 50%;
+}
+
+#input_accept:hover,
+#input_deny:hover,
+#input_login:hover {
+ /* Simple color transition on hover */
+ transition: background-color, 500ms;
+ cursor: pointer;
+}
+
+#input_accept,
+#input_deny {
+ width: 45%;
+ margin-top: 6%;
+}
+
+#input_deny {
+ background-color: var(--deny_bg);
+}
+
+#input_deny:hover {
+ background-color: var(--deny_hover);
+}
+
+/* Format the error messages */
+.err_msg {
+ color: red;
+ font-weight: bold;
+ font-size: 110%;
+}
+
+
+/* General page styling */
+h1,
+span {
+ text-align: center;
+ padding-bottom: 2%;
+ padding-top: 0%;
+ font-weight: bolder;
+ font-size: 300%;
+}
+
+
+i {
+ color: var(--icon_color);
+}
+
+/* Make it responsive */
+@media screen and (max-width:768px) {
+
+ /* Make the layout a single column and add some margin to the wrapper */
+ #form_wrapper {
+ grid-template-columns: 1fr;
+ margin-left: 10px;
+ margin-right: 10px;
+ }
+
+ /* On small screens we don't display the image */
+ #form_icon {
+ display: flex;
+ }
+}
+
+button {
+ overflow: visible;
+ width: auto;
+}
+button.link {
+ font-family: "Verdana" sans-serif;
+ font-size: 2pt;
+ text-align: left;
+ color: blue;
+ background: none;
+ margin: 0;
+ padding: 0;
+ border: none;
+ cursor: pointer;
+
+ -moz-user-select: text;
+
+ /* override all your button styles here if there are any others */
+}
+button.link span {
+ text-decoration: underline;
+}
+button.link:hover span,
+button.link:focus span {
+ color: black;
+} |