Add ldap auto create user provider

- Add user provider that creates user if not yet created on the app
- Add proxy to re-use existing entity and ldap user providers
- Allow configuring mapping of ldap extra fields to user fields
- Add base mapping configuration in ldap.yaml

config/core_services.yaml

@@ -55,6 +55,7 @@ services:
       $subpanelLineActions: '%module.subpanel.line_actions%'
       $subpanelTopActions: '%module.subpanel.top_actions%'
       $subpanelTopButtons: '%module.subpanel.top_buttons%'
+      $ldapAutoCreateExtraFieldsMap: '%ldap.autocreate.extra_fields_map%'
   _instanceof:
     App\Process\Service\ProcessHandlerInterface:
       tags: [ 'app.process.handler' ]
@@ -264,6 +265,10 @@ services:
     arguments:
       - !tagged { tag: 'massupdate.definition.mapper' }
 
+  App\Security\Ldap\AppLdapUserProviderProxy:
+    $ldapUserProvider: '@security.user.provider.concrete.ldap_users'
+    $entityUserProvider: '@security.user.provider.concrete.app_user_provider'
+
   legacy.route.handler:
     alias: App\Routes\Service\LegacyRouteHandler
     public: true

config/services/ldap/ldap.yaml

@@ -0,0 +1,4 @@
+parameters:
+  ldap.autocreate.extra_fields_map:
+
+  ldap.extra_fields: [ ]

core/backend/Security/Ldap/AppLdapUserProvider.php

@@ -0,0 +1,193 @@
+<?php
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2022 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see http://www.gnu.org/licenses.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+namespace App\Security\Ldap;
+
+use App\Authentication\LegacyHandler\UserHandler;
+use Symfony\Component\Ldap\Security\LdapUser;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+
+class AppLdapUserProvider implements UserProviderInterface, PasswordUpgraderInterface
+{
+    /**
+     * @var AppLdapUserProviderProxy
+     */
+    protected $proxy;
+
+    /**
+     * @var UserHandler
+     */
+    protected $userHandler;
+
+    /**
+     * @var array
+     */
+    protected $ldapAutoCreateExtraFieldsMap;
+
+    /**
+     * @param AppLdapUserProviderProxy $proxy
+     * @param UserHandler $userHandler
+     * @param array|null $ldapAutoCreateExtraFieldsMap
+     */
+    public function __construct(
+        AppLdapUserProviderProxy $proxy,
+        UserHandler $userHandler,
+        ?array $ldapAutoCreateExtraFieldsMap
+    ) {
+        $this->proxy = $proxy;
+        $this->userHandler = $userHandler;
+        $this->ldapAutoCreateExtraFieldsMap = $ldapAutoCreateExtraFieldsMap ?? [];
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function loadUserByUsername(string $username)
+    {
+        $existsUser = $this->userHandler->userExists($username);
+
+        $ldapUser = $this->getLdapUser($username, $existsUser);
+        $entityUser = $this->getEntityUser($existsUser, $username);
+
+        if ($entityUser !== null) {
+            return $entityUser;
+        }
+
+        if ($ldapUser !== null) {
+            return $this->createUser($ldapUser, $username);
+        }
+
+        throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
+    }
+
+    /**
+     * @param string $username
+     * @param bool $existsUser
+     * @return LdapUser|UserInterface|null
+     */
+    protected function getLdapUser(string $username, bool $existsUser)
+    {
+        $ldapUser = null;
+        try {
+            $ldapUser = $this->proxy->getLdapUserProvider()->loadUserByUsername($username);
+        } catch (UsernameNotFoundException $e) {
+            if ($existsUser === false) {
+                throw $e;
+            }
+        }
+
+        return $ldapUser;
+    }
+
+    /**
+     * @param bool $existsUser
+     * @param string $username
+     * @return mixed|object|UserInterface|null
+     */
+    protected function getEntityUser(bool $existsUser, string $username)
+    {
+        $entityUser = null;
+        if ($existsUser === true) {
+            try {
+                $entityUser = $this->proxy->getEntityUserProvider()->loadUserByUsername($username);
+            } catch (UsernameNotFoundException $e) {
+            }
+        }
+
+        return $entityUser;
+    }
+
+    /**
+     * @param $ldapUser
+     * @param string $username
+     * @return mixed|object|UserInterface
+     */
+    protected function createUser($ldapUser, string $username)
+    {
+        $extraFields = $ldapUser->getExtraFields() ?? [];
+        $userInfo = $this->mapExtraFields($extraFields);
+
+        $this->userHandler->createExternalAuthUser($username, $userInfo);
+
+        $entityUser = null;
+        try {
+            $entityUser = $this->proxy->getEntityUserProvider()->loadUserByUsername($username);
+        } catch (UsernameNotFoundException $e) {
+        }
+
+        return $entityUser;
+    }
+
+    /**
+     * @param array $extraFields
+     * @return array
+     */
+    protected function mapExtraFields(array $extraFields): array
+    {
+        $userInfo = $extraFields;
+        if (empty($extraFields) || empty($this->ldapAutoCreateExtraFieldsMap)) {
+            return $userInfo;
+        }
+
+
+        $userInfo = [];
+        foreach ($this->ldapAutoCreateExtraFieldsMap as $ldapKey => $fieldKey) {
+            if (isset($extraFields[$ldapKey])) {
+                $userInfo[$fieldKey] = $extraFields[$ldapKey];
+            }
+        }
+
+        return $userInfo;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function refreshUser(UserInterface $user)
+    {
+        return $this->proxy->getEntityUserProvider()->refreshUser($user);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function supportsClass(string $class): bool
+    {
+        return $this->proxy->getEntityUserProvider()->supportsClass($class);
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        $this->proxy->getEntityUserProvider()->upgradePassword($user, $newEncodedPassword);
+    }
+}

core/backend/Security/Ldap/AppLdapUserProviderProxy.php

@@ -0,0 +1,73 @@
+<?php
+/**
+ * SuiteCRM is a customer relationship management program developed by SalesAgility Ltd.
+ * Copyright (C) 2022 SalesAgility Ltd.
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU Affero General Public License version 3 as published by the
+ * Free Software Foundation with the addition of the following permission added
+ * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
+ * IN WHICH THE COPYRIGHT IS OWNED BY SALESAGILITY, SALESAGILITY DISCLAIMS THE
+ * WARRANTY OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see http://www.gnu.org/licenses.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License
+ * version 3, these Appropriate Legal Notices must retain the display of the
+ * "Supercharged by SuiteCRM" logo. If the display of the logos is not reasonably
+ * feasible for technical reasons, the Appropriate Legal Notices must display
+ * the words "Supercharged by SuiteCRM".
+ */
+
+namespace App\Security\Ldap;
+
+use Symfony\Bridge\Doctrine\Security\User\EntityUserProvider;
+use Symfony\Component\Ldap\Security\LdapUserProvider;
+
+class AppLdapUserProviderProxy
+{
+
+    /**
+     * @var LdapUserProvider
+     */
+    protected $ldapUserProvider;
+
+    /**
+     * @var EntityUserProvider
+     */
+    protected $entityUserProvider;
+
+    /**
+     * @param LdapUserProvider $ldapUserProvider
+     * @param EntityUserProvider $entityUserProvider
+     */
+    public function __construct(
+        LdapUserProvider $ldapUserProvider,
+        EntityUserProvider $entityUserProvider
+    ) {
+        $this->ldapUserProvider = $ldapUserProvider;
+        $this->entityUserProvider = $entityUserProvider;
+    }
+
+    /**
+     * @return LdapUserProvider
+     */
+    public function getLdapUserProvider(): LdapUserProvider
+    {
+        return $this->ldapUserProvider;
+    }
+
+    /**
+     * @return EntityUserProvider
+     */
+    public function getEntityUserProvider(): EntityUserProvider
+    {
+        return $this->entityUserProvider;
+    }
+}

core/modules/Users/Entity/User.php

@@ -896,7 +896,7 @@ class User implements UserInterface, EquatableInterface
     /**
      * @inheritDoc
      */
-    public function getPassword(): string
+    public function getPassword(): ?string
     {
         return $this->getUserHash();
     }