From 0ee3941b43cb41a924aca16bcb89cb21be9a4c27 Mon Sep 17 00:00:00 2001 From: root Date: Wed, 26 Aug 2020 14:07:47 +0000 Subject: [PATCH] This adds support for the ADLDAP_AUTH_FILTER env var, and the ldap_auth.custom_filter config option. These are optional. If provided, the custom filter will be applied to the LDAP query using the FireflyIII\Scopes\LdapFilterScope class. This allows the integrator to specify a custom LDAP filter. --- app/Scopes/LdapFilterScope.php | 21 +++++++++++++++++++++ config/ldap_auth.php | 20 +++++++++++++++++++- 2 files changed, 40 insertions(+), 1 deletion(-) create mode 100644 app/Scopes/LdapFilterScope.php diff --git a/app/Scopes/LdapFilterScope.php b/app/Scopes/LdapFilterScope.php new file mode 100644 index 0000000000..d1f9dc4e38 --- /dev/null +++ b/app/Scopes/LdapFilterScope.php @@ -0,0 +1,21 @@ +rawFilter($filter); + } + } +} diff --git a/config/ldap_auth.php b/config/ldap_auth.php index f661236d38..13e45f9b0d 100644 --- a/config/ldap_auth.php +++ b/config/ldap_auth.php @@ -22,6 +22,8 @@ declare(strict_types=1); +use FireflyIII\Scopes\LdapFilterScope; + use Adldap\Laravel\Events\Authenticated; use Adldap\Laravel\Events\AuthenticatedModelTrashed; use Adldap\Laravel\Events\AuthenticatedWithWindows; @@ -49,13 +51,17 @@ use Adldap\Laravel\Scopes\UpnScope; // default OpenLDAP scopes. $scopes = [ + LdapFilterScope::class, UidScope::class, ]; if ('FreeIPA' === env('ADLDAP_CONNECTION_SCHEME')) { - $scopes = []; + $scopes = [ + LdapFilterScope::class, + ]; } if ('ActiveDirectory' === env('ADLDAP_CONNECTION_SCHEME')) { $scopes = [ + LdapFilterScope::class, UpnScope::class, ]; } 
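Review bot: The configured value reaches `rawFilter($filter)` without escaping or validation, as far as the visible tail of `LdapFilterScope.php` shows, so a malformed ADLDAP_AUTH_FILTER is not caught here. Most of the new file's 21 lines are missing from this page, so the condition wrapping the call cannot be checked; if it is only an emptiness test, a typo such as an unbalanced parenthesis would likely surface as a search error on every login. I would have the scope fail closed on a value that does not start with `(` and end with `)`, throwing a configuration exception rather than skipping the filter, because skipping silently removes the restriction. A class docblock should also state that the filter is trusted operator configuration and must never be assembled from request data.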
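Review bot: Listing `LdapFilterScope::class` first in all three `$scopes` arrays of `config/ldap_auth.php` turns the custom filter into a login access gate, but nothing in the hunk documents which paths it covers. From these lines it appears to constrain only directory queries built through the scopes, so an account imported before the filter was set, or any login path that does not re-query LDAP, would presumably be unaffected. The FreeIPA branch previously had no scopes at all, so it is worth confirming that the scope leaves the query untouched when the filter is empty. Once confirmed, I would add above the default array `// LdapFilterScope only acts when ldap_auth.custom_filter is set; it limits directory lookups, not existing local users.`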
@@ -374,4 +380,16 @@ return [ ], ], + /* + |-------------------------------------------------------------------------- + | Custom LDAP Filter + |-------------------------------------------------------------------------- + | + | This value can be optionally provided to restrict LDAP queries to the + | given filter. It should be in LDAP filter format, and will be + | applied in the LdapFilterScope. + | + */ + 'custom_filter' => env('ADLDAP_AUTH_FILTER', ''), + ];
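Review bot: The comment block above `'custom_filter'` does not say that the value is applied verbatim or that it works as a login restriction. Since the scope passes it to `rawFilter()`, I would add `| The value is used as-is (no escaping): it must be a complete, parenthesised` and `| filter and must come from trusted configuration only.` A placeholder example such as `(memberOf=<group DN>)` would help integrators, as would a line saying what the empty default means; presumably it disables the filter, but that depends on the scope's condition, which is not visible here.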