feat: added LDAP/AD Integration with groups

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: thorsten <[email protected]>

Author: Copilot

composer.json

@@ -59,7 +59,7 @@
     "phpstan/phpstan": "^2",
     "phpunit/phpunit": "12.*",
     "rector/rector": "^2",
-    "squizlabs/php_codesniffer": "3.*",
+    "squizlabs/php_codesniffer": "*",
     "symfony/yaml": "7.*",
     "zircote/swagger-php": "^5.0"
   },

composer.lock

@@ -24,6 +24,7 @@
 use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\AuthenticationSourceType;
 use phpMyFAQ\Ldap as LdapCore;
+use phpMyFAQ\Permission\MediumPermission;
 use phpMyFAQ\User;
 use SensitiveParameter;
 
@@ -93,9 +94,71 @@ public function create(string $login, #[SensitiveParameter] string $password, st
             ]
         );
 
+        // Handle group assignments if enabled
+        $ldapGroupConfig = $this->configuration->getLdapGroupConfig();
+        if ($ldapGroupConfig['auto_assign'] === 'true' && $this->configuration->get('security.permLevel') === 'medium') {
+            $this->assignUserToGroups($login, $user->getUserId());
+        }
+
         return $result;
     }
 
+    /**
+     * Assigns user to phpMyFAQ groups based on AD group membership
+     *
+     * @param string $login Username
+     * @param int $userId User ID
+     */
+    private function assignUserToGroups(string $login, int $userId): void
+    {
+        $ldapGroupConfig = $this->configuration->getLdapGroupConfig();
+        $userGroups = $this->ldapCore->getGroupMemberships($login);
+
+        if ($userGroups === false) {
+            $this->configuration->getLogger()->warning("Unable to retrieve group memberships for user: {$login}");
+            return;
+        }
+
+        $permission = new MediumPermission($this->configuration);
+        $groupMapping = $ldapGroupConfig['group_mapping'];
+
+        foreach ($userGroups as $adGroup) {
+            $groupName = $this->extractGroupNameFromDn($adGroup);
+
+            // Check if there's a specific mapping for this AD group
+            if (!empty($groupMapping) && isset($groupMapping[$groupName])) {
+                $faqGroupName = $groupMapping[$groupName];
+            } else {
+                // Default: use the AD group name
+                $faqGroupName = $groupName;
+            }
+
+            // Find or create the group
+            $groupId = $permission->findOrCreateGroupByName($faqGroupName);
+
+            if ($groupId > 0) {
+                $permission->addToGroup($userId, $groupId);
+                $this->configuration->getLogger()->info("Added user {$login} to group {$faqGroupName}");
+            }
+        }
+    }
+
+    /**
+     * Extract group name from DN
+     *
+     * @param string $dn Group DN
+     * @return string Group name
+     */
+    private function extractGroupNameFromDn(string $dn): string
+    {
+        // Extract CN from DN, e.g., "CN=Domain Users,CN=Users,DC=example,DC=com" -> "Domain Users"
+        if (preg_match('/CN=([^,]+)/', $dn, $matches)) {
+            return $matches[1];
+        }
+
+        return $dn;
+    }
+
     /**
      * @inheritDoc
      */
@@ -160,6 +223,32 @@ public function checkCredentials(
             throw new AuthException($this->ldapCore->error);
         }
 
+        // Check AD group membership restrictions if enabled
+        $ldapGroupConfig = $this->configuration->getLdapGroupConfig();
+        if ($ldapGroupConfig['use_group_restriction'] === 'true') {
+            $userGroups = $this->ldapCore->getGroupMemberships($login);
+            if ($userGroups === false) {
+                throw new AuthException('Unable to retrieve user group memberships');
+            }
+
+            $allowedGroups = $ldapGroupConfig['allowed_groups'];
+            if (!empty($allowedGroups)) {
+                $hasAllowedGroup = false;
+                foreach ($userGroups as $userGroup) {
+                    foreach ($allowedGroups as $allowedGroup) {
+                        if (str_contains($userGroup, trim($allowedGroup))) {
+                            $hasAllowedGroup = true;
+                            break 2;
+                        }
+                    }
+                }
+
+                if (!$hasAllowedGroup) {
+                    throw new AuthException('User is not a member of any allowed LDAP/Active Directory groups');
+                }
+            }
+        }
+
         $this->create($login, htmlspecialchars_decode($password));
 
         return true;

phpmyfaq/src/phpMyFAQ/Auth/AuthLdap.php

@@ -293,6 +293,7 @@ public function setLdapConfig(LdapConfiguration $ldapConfiguration): void
             'ldap_use_memberOf' => $this->get('ldap.ldap_use_memberOf'),
             'ldap_use_sasl' => $this->get('ldap.ldap_use_sasl'),
             'ldap_use_anonymous_login' => $this->get('ldap.ldap_use_anonymous_login'),
+            'ldap_group_config' => $this->getLdapGroupConfig(),
         ];
     }
 
@@ -324,6 +325,24 @@ public function getLdapOptions(): array
         ];
     }
 
+    /**
+     * Returns the LDAP group configuration.
+     *
+     * @return array<string, string|array>
+     */
+    public function getLdapGroupConfig(): array
+    {
+        $allowedGroups = $this->get('ldap.ldap_group_allowed_groups');
+        $groupMapping = $this->get('ldap.ldap_group_mapping');
+
+        return [
+            'use_group_restriction' => $this->get('ldap.ldap_use_group_restriction'),
+            'allowed_groups' => $allowedGroups ? explode(',', $allowedGroups) : [],
+            'auto_assign' => $this->get('ldap.ldap_group_auto_assign'),
+            'group_mapping' => $groupMapping ? json_decode($groupMapping, true) : [],
+        ];
+    }
+
     /**
      * Returns the LDAP configuration.
      *

phpmyfaq/src/phpMyFAQ/Configuration.php

@@ -306,6 +306,63 @@ public function getCompleteName(string $username): bool|string
         return $this->getLdapData($username, 'name');
     }
 
+    /**
+     * Returns the user's AD group memberships.
+     *
+     * @param string $username Username
+     * @return array<string>|false Array of group DNs or false on error
+     */
+    public function getGroupMemberships(string $username): array|false
+    {
+        if ($this->ds === false) {
+            $this->error = 'The LDAP connection handler is not a valid resource.';
+            return false;
+        }
+
+        $filter = sprintf(
+            '(%s=%s)',
+            $this->configuration->get('ldap.ldap_mapping.username'),
+            $this->quote($username)
+        );
+
+        $fields = ['memberOf'];
+
+        $searchResult = ldap_search($this->ds, $this->base, $filter, $fields);
+
+        if (!$searchResult) {
+            $this->error = sprintf(
+                'Unable to search for "%s" (Error: %s)',
+                $username,
+                ldap_error($this->ds)
+            );
+
+            return false;
+        }
+
+        $entryId = ldap_first_entry($this->ds, $searchResult);
+
+        if (!$entryId) {
+            $this->errno = ldap_errno($this->ds);
+            $this->error = sprintf(
+                'Cannot get the value(s). Error: %s',
+                ldap_error($this->ds)
+            );
+
+            return false;
+        }
+
+        $entries = ldap_get_entries($this->ds, $searchResult);
+        $groups = [];
+
+        if ($entries['count'] > 0 && isset($entries[0]['memberof'])) {
+            for ($i = 0; $i < $entries[0]['memberof']['count']; $i++) {
+                $groups[] = $entries[0]['memberof'][$i];
+            }
+        }
+
+        return $groups;
+    }
+
     /**
      * Returns the LDAP error message of the last LDAP command.
      *

phpmyfaq/src/phpMyFAQ/Ldap.php

@@ -784,4 +784,29 @@ public function removeAllUsersFromGroup(int $groupId): bool
 
         return (bool) $this->configuration->getDb()->query($delete);
     }
+
+    /**
+     * Finds or creates a group by name.
+     * Returns the group ID on success, 0 on failure.
+     *
+     * @param string $name Group name
+     * @param string $description Optional group description
+     */
+    public function findOrCreateGroupByName(string $name, string $description = ''): int
+    {
+        $groupId = $this->getGroupId($name);
+
+        if ($groupId > 0) {
+            return $groupId;
+        }
+
+        // Create new group if it doesn't exist
+        $groupData = [
+            'name' => $name,
+            'description' => $description ?: "Auto-created group for $name",
+            'auto_join' => false,
+        ];
+
+        return $this->addGroup($groupData);
+    }
 }

phpmyfaq/src/phpMyFAQ/Permission/MediumPermission.php

@@ -391,6 +391,10 @@ class Installer extends Setup
         'ldap.ldap_use_anonymous_login' => 'false',
         'ldap.ldap_use_dynamic_login' => 'false',
         'ldap.ldap_dynamic_login_attribute' => 'uid',
+        'ldap.ldap_use_group_restriction' => 'false',
+        'ldap.ldap_group_allowed_groups' => '',
+        'ldap.ldap_group_auto_assign' => 'false',
+        'ldap.ldap_group_mapping' => '',
 
         'api.enableAccess' => 'true',
         'api.apiClientToken' => '',

phpmyfaq/src/phpMyFAQ/Setup/Installer.php

@@ -1182,6 +1182,12 @@ private function applyUpdates410Alpha3(): void
                 "For more information about this FAQ system, visit: https://www.phpmyfaq.de";
 
             $this->configuration->add('seo.contentLlmsText', $llmsText);
+
+            // LDAP group integration
+            $this->configuration->add('ldap.ldap_use_group_restriction', 'false');
+            $this->configuration->add('ldap.ldap_group_allowed_groups', '');
+            $this->configuration->add('ldap.ldap_group_auto_assign', 'false');
+            $this->configuration->add('ldap.ldap_group_mapping', '');
         }
     }
 

phpmyfaq/src/phpMyFAQ/Setup/Update.php

@@ -1167,6 +1167,10 @@
 $LANG_CONF['ldap.ldap_use_anonymous_login'] = ['checkbox', 'Enable anonymous LDAP connections'];
 $LANG_CONF['ldap.ldap_use_dynamic_login'] = ['checkbox', 'Enable LDAP dynamic user binding'];
 $LANG_CONF['ldap.ldap_dynamic_login_attribute'] = ['input', 'LDAP attribute for dynamic user binding, "uid" when using an ADS'];
+$LANG_CONF['ldap.ldap_use_group_restriction'] = ['checkbox', 'Restrict login to specific Active Directory groups'];
+$LANG_CONF['ldap.ldap_group_allowed_groups'] = ['input', 'Comma-separated list of allowed AD groups (partial matches supported)'];
+$LANG_CONF['ldap.ldap_group_auto_assign'] = ['checkbox', 'Automatically assign users to phpMyFAQ groups based on AD membership'];
+$LANG_CONF['ldap.ldap_group_mapping'] = ['input', 'JSON mapping of AD groups to phpMyFAQ groups, e.g. {"Domain Admins": "Administrators"}'];
 $LANG_CONF['seo.enableXMLSitemap'] = ['checkbox', 'Enable XML sitemap'];
 $PMF_LANG['categoryImageLabel'] = 'Category image';
 $PMF_LANG["categoryShowHomeLabel"] = "Show on startpage";

phpmyfaq/translations/language_en.php

@@ -200,4 +200,32 @@ public function testSetLdapConfigWithMultipleServersButDisabled(): void
 
         $this->assertEquals($expected, $this->configuration->getLdapServer());
     }
+
+    public function testGetLdapGroupConfig(): void
+    {
+        // Test default values
+        $expected = [
+            'use_group_restriction' => 'false',
+            'allowed_groups' => [],
+            'auto_assign' => 'false',
+            'group_mapping' => [],
+        ];
+        
+        $this->assertEquals($expected, $this->configuration->getLdapGroupConfig());
+        
+        // Test with configured values
+        $this->configuration->set('ldap.ldap_use_group_restriction', 'true');
+        $this->configuration->set('ldap.ldap_group_allowed_groups', 'Domain Users,Domain Admins');
+        $this->configuration->set('ldap.ldap_group_auto_assign', 'true');
+        $this->configuration->set('ldap.ldap_group_mapping', '{"Domain Admins": "Administrators"}');
+        
+        $expected = [
+            'use_group_restriction' => 'true',
+            'allowed_groups' => ['Domain Users', 'Domain Admins'],
+            'auto_assign' => 'true',
+            'group_mapping' => ['Domain Admins' => 'Administrators'],
+        ];
+        
+        $this->assertEquals($expected, $this->configuration->getLdapGroupConfig());
+    }
 }