Follow up group modifications in LDAP

.github/workflows/behat.yml

@@ -11,8 +11,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php-version: [ '8.0', '8.1', '8.2', '8.3' ]
-        wordpress-version: ['6.2', '6.3', '6.4']
+        php-version: ['8.0', '8.1', '8.2', '8.3']
+        wordpress-version: ['6.2', '6.3', '6.4', '6.5']
         exclude:
           - php-version: 8.3
             wordpress-version: 6.2
@@ -26,10 +26,16 @@ jobs:
             wordpress-version: 6.2
           - php-version: 8.0
             wordpress-version: 6.2
+          - php-version: 8.0
+            wordpress-version: 6.5
 
     name: Test on PHP ${{ matrix.php-version }}/WordPress ${{ matrix.wordpress-version }}
     steps:
       - uses: actions/checkout@v1
+      - name: Docker Compose Pull
+        run: docker compose pull
+      - uses: jpribyl/[email protected]
+        continue-on-error: true
       - name: Build the docker-compose stack
         run: docker compose build --build-arg PHP_VERSION=${{ matrix.php-version }} --build-arg WORDPRESS_VERSION=${{ matrix.wordpress-version }} wp
       - name: run the stack
@@ -48,7 +54,7 @@ jobs:
       - name: install tools
         run: |
           mkdir -p tools
-          curl -o tools/behat https://github.com/Behat/Behat/releases/download/v3.13.0/behat.phar
+          curl -Lo tools/behat https://github.com/Behat/Behat/releases/download/v3.13.0/behat.phar
           chmod 755 tools/behat
       - name: run behat
         run: docker compose exec wp bash -c "cd wp-content/plugins/authldap && ./tools/behat"

.github/workflows/tests.yml

@@ -11,12 +11,16 @@ jobs:
     strategy:
       matrix:
         # operating-system: [ubuntu-latest, windows-latest, macos-latest]
-        php-versions: [ '7.4', '8.0', '8.1', '8.2', '8.3' ]
+        php-versions: [ '7.4', '8.0', '8.1', '8.2', '8.3', '8.4' ]
     name: Test on ${{ matrix.php-versions }}
     steps:
       - uses: actions/checkout@v1
+      - name: Docker Compose Pull
+        run: docker compose pull
+      - uses: jpribyl/[email protected]
+        continue-on-error: true
       - name: Build the docker-compose stack
-        run: docker-compose -f docker-compose.yml up -d
+        run: docker-compose -f docker-compose.yml up -d db openldap
       - name: Check running containers
         run: docker ps -a
       - name: Check logs

authLdap.php

@@ -255,8 +255,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 		$authLDAPUidAttr = authLdap_get_option('UidAttr');
 		$authLDAPWebAttr = authLdap_get_option('WebAttr');
 		$authLDAPDefaultRole = authLdap_get_option('DefaultRole');
-		$authLDAPGroupEnable = authLdap_get_option('GroupEnable');
-		$authLDAPGroupOverUser = authLdap_get_option('GroupOverUser');
+		$authLDAPGroupEnable = filter_var(authLdap_get_option('GroupEnable'), FILTER_VALIDATE_BOOLEAN);
+		$authLDAPGroupOverUser = filter_var(authLdap_get_option('GroupOverUser'), FILTER_VALIDATE_BOOLEAN);
 		$authLDAPUseUserAccount = authLdap_get_option('UserRead');
 
 		if (!$username) {
@@ -373,7 +373,7 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 
 		// we only need this if either LDAP groups are disabled or
 		// if the WordPress role of the user overrides LDAP groups
-		if (!$authLDAPGroupEnable || $authLDAPGroupOverUser) {
+		if ($authLDAPGroupEnable === false || $authLDAPGroupOverUser === false) {
 			$userRoles = authLdap_user_role($uid);
 			if ($userRoles !== []) {
 				$roles = array_merge($roles, $userRoles);
@@ -383,8 +383,8 @@ function authLdap_login($user, $username, $password, $already_md5 = false)
 		}
 
 		// do LDAP group mapping if needed
-		// (if LDAP groups override worpress user role, $role is still empty)
-		if (empty($roles) && $authLDAPGroupEnable) {
+		// (if LDAP groups override wordpress user role, $role is still empty)
+		if ((empty($roles) || $authLDAPGroupOverUser === true) && $authLDAPGroupEnable === true) {
 			$mappedRoles = authLdap_groupmap($realuid, $dn);
 			if ($mappedRoles !== []) {
 				$roles = $mappedRoles;

docker-compose.yml

@@ -48,7 +48,7 @@ services:
     ports:
       - 3306:3306 # change ip if required
     command: [
-      '--default_authentication_plugin=mysql_native_password',
+      '--mysql_native_password=ON',
       '--character-set-server=utf8mb4',
       '--collation-server=utf8mb4_unicode_ci'
     ]
@@ -61,7 +61,8 @@ services:
     healthcheck:
       test: [ "CMD", "mysqladmin" ,"ping", "-h", "localhost" ]
       timeout: 1s
-      retries: 5
+      retries: 10
+      interval: 2s
 
   openldap:
     image: osixia/openldap:latest
@@ -81,7 +82,8 @@ services:
     healthcheck:
       test: ["CMD", "/usr/bin/ldapsearch", "-H",  "ldap://localhost/", "-x", "-s", "base", "-LLL", "+"]
       timeout: 1s
-      retries: 5
+      retries: 10
+      interval: 2s
 
 volumes:
   db_data:

features/bootstrap/FeatureContext.php

@@ -284,6 +284,25 @@ public function theWordpressUserIsNotMemberOfRole($arg1, $arg2)
 			return trim($item);
 		}, explode(',', $user['roles']));
 		Assert::false(in_array($arg2, $roles));
-
 	}
+
+	/**
+	 * @Given LDAP user :arg1 is not member of LDAP group :arg2
+	 */
+	public function ldapUserIsNotMemberOfLdapGroup($arg1, $arg2)
+	{
+		exec(sprintf(
+			'ldapmodify -x -H %1$s -D "%2$s" -w %3$s 2>&1 <<LDIF
+%4$s
+LDIF',
+			'ldap://openldap',
+			'cn=admin,dc=example,dc=org',
+			'insecure',
+			<<<LDIF
+			dn: cn=$arg2,dc=example,dc=org
+			changetype: modify
+			delete: uniqueMember
+			uniqueMember: uid=$arg1,dc=example,dc=org
+			LDIF
+		));	}
 }

features/log in using no groups at all.feature

@@ -61,3 +61,24 @@ Feature: Log in without group assignment
 		And the WordPress user "ldapuser" is member of role "wordpressrole"
 		And the WordPress user "ldapuser" is not member of role "editor"
 		And the WordPress user "ldapuser" is not member of role "subscriber"
+
+	Scenario: Second Login with group assignment that changes between first and second login
+		Given a default configuration
+		And configuration value "GroupEnable" is set to "true"
+		And configuration value "DefaultRole" is set to "subscriber"
+		And configuration value "Groups" is set to "administrator=ldapgroup1" and "editor=ldapgroup2"
+		And configuration value "GroupAttr" is set to "cn"
+		And configuration value "GroupFilter" is set to "uniquemember=%dn%"
+		And configuration value "GroupOverUser" is set to "true"
+		And an LDAP user "ldapuser" with name "LDAP User", password "P@ssw0rd" and email "[email protected]" exists
+		And an LDAP group "ldapgroup1" exists
+		And an LDAP group "ldapgroup2" exists
+		And LDAP user "ldapuser" is member of LDAP group "ldapgroup1"
+		And LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		And LDAP user "ldapuser" is member of LDAP group "ldapgroup2"
+		And LDAP user "ldapuser" is not member of LDAP group "ldapgroup1"
+		When LDAP user "ldapuser" logs in with password "P@ssw0rd"
+		Then the login suceeds
+		And the WordPress user "ldapuser" is member of role "editor"
+		And the WordPress user "ldapuser" is not member of role "administrator"
+		And the WordPress user "ldapuser" is not member of role "subscriber"

wordpress/info.php

@@ -0,0 +1 @@
+<?php