Handle invalid project LDAP filters (#3142)

#2985 failed to consider projects
which set an invalid LDAP filter, leading all LDAP syncing to fail if
any project has a bad LDAP filter. This PR handles the error and prints
a warning.

Author: williamjallen

app/Utils/LdapUtils.php

@@ -8,6 +8,7 @@
 use App\Models\User;
 use Exception;
 use Illuminate\Support\Facades\Log;
+use LdapRecord\LdapRecordException;
 
 class LdapUtils
 {
@@ -47,8 +48,14 @@ public static function syncUser(User $user): void
                 continue;
             }
 
-            $matches_ldap_filter = $user->ldapguid !== null && $ldap_provider::rawFilter($project->ldapfilter)->findByGuid($user->ldapguid) !== null;
-            $relationship_already_exists = $project->users->contains($user);
+            try {
+                $matches_ldap_filter = $user->ldapguid !== null && $ldap_provider::rawFilter($project->ldapfilter)->findByGuid($user->ldapguid) !== null;
+                $relationship_already_exists = $project->users->contains($user);
+            } catch (LdapRecordException) {
+                // Prevent invalid filters from breaking other projects.
+                Log::warning("Invalid LDAP filter '$project->ldapfilter' for project $project->name.");
+                continue;
+            }
 
             if ($matches_ldap_filter && !$relationship_already_exists) {
                 $project->users()->attach($user->id, ['role' => Project::PROJECT_USER]);

tests/Feature/LdapIntegration.php

@@ -3,12 +3,14 @@
 namespace Tests\Feature;
 
 use App\Models\Project;
+use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Str;
 use LdapRecord\LdapRecordException;
 use LdapRecord\Models\ModelDoesNotExistException;
 use LdapRecord\Models\OpenLDAP\Group;
 use LdapRecord\Models\OpenLDAP\User;
+use Mockery;
 use Mockery\Exception\InvalidCountException;
 use Tests\TestCase;
 use Tests\Traits\CreatesProjects;
@@ -416,4 +418,21 @@ public function testSyncsGroupsUponLogin(): void
         $this->assertCanAccessProject('group_1_only_1', 'only_group_1');
         $this->assertCanAccessProject('group_1_only_1', 'only_group_2');
     }
+
+    public function testSyncCommandHandlesInvalidProjectFilters(): void
+    {
+        // We are testing that nothing fails...
+        self::expectNotToPerformAssertions();
+
+        Log::shouldReceive('warning')
+            ->with("Invalid LDAP filter 'brokenldapfilter))' for project " . $this->projects['only_group_1']->name . '.');
+
+        // Allow other debug messages to be logged without causing a test failure.
+        Log::shouldReceive('debug')->with(Mockery::any());
+
+        $this->projects['only_group_1']->ldapfilter = 'brokenldapfilter))';
+        $this->projects['only_group_1']->save();
+
+        $this->artisan('ldap:sync_projects');
+    }
 }