Restore the ability to read attributes using a privileged account (#51)

* Restore the ability to read attributes using a privileged account * Perform strict comparison * Bump download-artifact action * Fix logics * Filter priv.password from logs * Don't fall back to search.password for read --------- Co-authored-by: Tim van Dijen <tvdijen@gmail.com>
simplesamlphp · Jan 22, 2024 · 0cf70c0 · 0cf70c0
1 parent 1cbcf68
commit 0cf70c0
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 4 deletions.
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
@@ -265,7 +265,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/download-artifact@v3
+      - uses: actions/download-artifact@v4
         with:
           name: coverage-data
           path: ${{ github.workspace }}/build
@@ -283,8 +283,8 @@ jobs:
     runs-on: [ubuntu-latest]
     if: |
       always() &&
-      needs.coverage.result == 'success' ||
-      (needs.unit-tests-linux == 'success' && needs.coverage == 'skipped')
+      needs.coverage.result == 'success' &&
+      (needs.unit-tests-linux == 'success' || needs.coverage == 'skipped')
 
     steps:
       - uses: geekyeggo/delete-artifact@v4

diff --git a/src/Auth/Process/BaseFilter.php b/src/Auth/Process/BaseFilter.php
@@ -272,7 +272,7 @@ protected function varExport($value): string
         if (is_array($value)) {
             // remove sensitive data
             foreach ($value as $key => &$val) {
-                if ($key === 'search.password') {
+                if ($key === 'search.password' || $key === 'priv.password') {
                     $val = empty($val) ? '' : '********';
                 }
             }

diff --git a/src/Auth/Source/Ldap.php b/src/Auth/Source/Ldap.php
@@ -121,8 +121,16 @@ protected function login(string $username, string $password): array
             }
         }
 
+        /* Verify the credentials */
         $this->connector->bind($dn, $password);
 
+        /* If the credentials were correct, rebind using a privileged account to read attributes */
+        $readUsername = $this->ldapConfig->getOptionalString('priv.username', null);
+        $readPassword = $this->ldapConfig->getOptionalString('priv.password', null);
+        if ($readUsername !== null) {
+            $this->connector->bind($readUsername, $readPassword);
+        }
+
         $options['scope'] = Query::SCOPE_BASE;
         $filter = '(objectClass=*)';