Initial commit

.gitignore

+/vendor
+/var
+/.php_cs
+/.idea
+/*.cache
+/_coverage
\ No newline at end of file

.gitlab-ci.yml

+image: registry.gitlab.tugraz.at/dbp/relay/dbp-relay-core-bundle/main:v1
+
+before_script:
+  - 'git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.tugraz.at/".insteadOf "git@gitlab.tugraz.at:"'
+
+variables:
+  COMPOSER_CACHE_DIR: "$CI_PROJECT_DIR/_composer_cache"
+
+cache:
+  key: ${CI_PROJECT_PATH}
+  paths:
+    - _composer_cache
+
+stages:
+  - test
+
+.test_defaults: &test_defaults
+  script:
+    - sudo update-alternatives --set php "/usr/bin/${PHP}"
+    - composer install
+    - composer test
+
+test-php7.3:
+  stage: test
+  variables:
+    PHP: "php7.3"
+  <<: *test_defaults
+
+test-php7.4:
+  stage: test
+  variables:
+    PHP: "php7.4"
+  <<: *test_defaults
+
+test-php8.0:
+  stage: test
+  variables:
+    PHP: "php8.0"
+  <<: *test_defaults
+
+linting:
+  stage: test
+  allow_failure: true
+  script:
+    - sudo update-alternatives --set php /usr/bin/php7.4
+    - composer install
+    - result=0
+    - composer run cs || result=1
+    - composer run phpstan || result=1
+    - composer run psalm || result=1
+    - exit $result
\ No newline at end of file

.php-cs-fixer.dist.php

+<?php
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__)
+    ->exclude('var')
+;
+
+$config = new PhpCsFixer\Config();
+$config->setRules([
+    '@Symfony' => true,
+    '@PHP70Migration' => true,
+    '@PHP71Migration' => true,
+    '@PHP73Migration' => true,
+    '@DoctrineAnnotation' => true,
+    'doctrine_annotation_array_assignment' => ['operator' => '='],
+    'yoda_style' => false,
+    'strict_comparison' => true,
+    'strict_param' => true,
+    'declare_strict_types' => true,
+    'method_argument_space' => ['on_multiline' => 'ignore'],
+])
+->setRiskyAllowed(true)
+->setFinder($finder);
+
+return $config;
\ No newline at end of file

.renovaterc.json

+{
+  "extends": [
+    "config:base",
+    "group:allNonMajor",
+    "schedule:weekends",
+    ":automergePatch"
+  ],
+  "ignorePresets": [":prHourlyLimit2"],
+  "rangeStrategy": "update-lockfile",
+  "lockFileMaintenance": {
+    "enabled": true
+  },
+  "packageRules": [
+    {
+      "matchPackagePrefixes": [
+        "symfony/"
+      ],
+      "allowedVersions": "<6"
+    }
+  ]
+}
\ No newline at end of file

README.md

+# DbpRelayLdapPersonProviderBundle
+
+[GitLab](https://gitlab.tugraz.at/dbp/campus-online/dbp-relay-ldap-person-provider-bundle) | [Packagist](https://packagist.org/packages/dbp/relay-ldap-person-provider-bundle)
+
+This Symfony bundle contains LDAPPersonProvider services for the DBP Relay project.
+
+## Integration into the API Server
+
+* Add the bundle package as a dependency:
+
+```
+composer require dbp/relay-ldap-person-provider-bundle
+```
+
+* Add the bundle to your `config/bundles.php`:
+
+```php
+...
+Dbp\Relay\LdapPersonProviderBundle\DbpRelayLdapPersonProviderBundle::class => ['all' => true],
+DBP\API\CoreBundle\DbpCoreBundle::class => ['all' => true],
+];
+```
+
+* Run `composer install` to clear caches
+
+## Configuration
+
+The bundle has some configuration values that you can specify in your
+app, either by hardcoding it, or by referencing an environment variable.
+
+For this create `config/packages/dbp_relay_ldap_person_provider.yaml` in the app with the following
+content:
+
+```yaml
+dbp_relay_ldap_person_provider:
+  co_oauth2_ucardapi_api_url:
+  co_oauth2_ucardapi_client_id:
+  co_oauth2_ucardapi_client_secret:
+```
+
+The value gets read in `DbpRelayLdapPersonProviderExtension` and passed when creating the
+`UCardService` service.
+
+For more info on bundle configuration see
+https://symfony.com/doc/current/bundles/configuration.html
+
+## Development & Testing
+
+* Install dependencies: `composer install`
+* Run tests: `composer test`
+* Run linters: `composer run lint`
+* Run cs-fixer: `composer run cs-fix`
+
+## Bundle dependencies
+
+Don't forget you need to pull down your dependencies in your main application if you are installing packages in a bundle.
+
+```bash
+# updates and installs dependencies from dbp/relay-ldap-person-provider-bundle
+composer update dbp/relay-ldap-person-provider-bundle
+```

composer.json

+{
+    "name": "dbp/relay-ldap-person-provider-bundle",
+    "type": "symfony-bundle",
+    "license": "AGPL-3.0-or-later",
+    "require": {
+        "php": "^7.3 || ^8.0",
+        "ext-json": "*",
+        "ext-simplexml": "*",
+        "adldap2/adldap2": "^10.3",
+        "dbp/relay-auth-bundle": "^0.1.6",
+        "dbp/relay-base-person-bundle": "^0.1.5",
+        "guzzlehttp/guzzle": "^7.3",
+        "league/uri": "^6.5",
+        "symfony/framework-bundle": "^5.2"
+    },
+    "require-dev": {
+        "friendsofphp/php-cs-fixer": "^3.0",
+        "phpstan/phpstan": "^1.0.0",
+        "phpstan/phpstan-phpunit": "^1.0.0",
+        "symfony/browser-kit": "^5.2",
+        "symfony/http-client": "^5.2",
+        "symfony/monolog-bundle": "^3.7",
+        "symfony/phpunit-bridge": "^5.2",
+        "vimeo/psalm": "^4.2.1"
+    },
+    "autoload": {
+        "psr-4": {
+            "Dbp\\Relay\\LdapPersonProviderBundle\\": "src/"
+        }
+    },
+    "autoload-dev": {
+        "psr-4": {
+            "Dbp\\Relay\\LdapPersonProviderBundle\\Tests\\": "tests/"
+        }
+    },
+    "config": {
+        "sort-packages": true,
+        "platform": {
+            "php": "7.3"
+        }
+    },
+    "scripts": {
+        "test": [
+            "@php vendor/bin/simple-phpunit"
+        ],
+        "phpstan": [
+            "@php vendor/bin/simple-phpunit --atleast-version 0",
+            "@php vendor/bin/phpstan analyze --ansi"
+        ],
+        "psalm": [
+            "@php vendor/bin/simple-phpunit --atleast-version 0",
+            "@php vendor/bin/psalm"
+        ],
+        "lint": [
+            "@composer run cs",
+            "@composer run phpstan",
+            "@composer run psalm"
+        ],
+        "cs-fix": [
+            "@php vendor/bin/php-cs-fixer --ansi fix"
+        ],
+        "cs": [
+            "@php vendor/bin/php-cs-fixer --ansi fix --dry-run --diff"
+        ],
+        "coverage": [
+            "@php vendor/bin/simple-phpunit --coverage-html _coverage"
+        ]
+    }
+}

phpstan.neon

+includes:
+    - vendor/phpstan/phpstan-phpunit/extension.neon
+
+parameters:
+    inferPrivatePropertyTypeFromConstructor: true
+    level: 3
+    paths:
+        - src
+        - tests
+    bootstrapFiles:
+        - vendor/bin/.phpunit/phpunit-9-0/vendor/autoload.php
+    excludePaths:
+        - tests/bootstrap.php
+    ignoreErrors:
+        - message: '#.*NodeDefinition::children.*#'
+          path: ./src/DependencyInjection

phpunit.xml.dist

+<?xml version="1.0" encoding="UTF-8"?>
+<!-- https://phpunit.de/manual/current/en/appendixes.configuration.html -->
+<phpunit xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://schema.phpunit.de/9.3/phpunit.xsd" backupGlobals="false" colors="true" bootstrap="tests/bootstrap.php">
+  <coverage>
+    <include>
+      <directory>src</directory>
+      <directory>tests</directory>
+    </include>
+  </coverage>
+  <php>
+    <ini name="error_reporting" value="-1"/>
+    <server name="APP_ENV" value="test" force="true"/>
+    <server name="SHELL_VERBOSITY" value="-1"/>
+    <server name="SYMFONY_PHPUNIT_REMOVE" value=""/>
+    <server name="SYMFONY_PHPUNIT_VERSION" value="9"/>
+    <server name="SYMFONY_DEPRECATIONS_HELPER" value="weak"/>
+    <server name="KERNEL_CLASS" value="Dbp\Relay\LdapPersonProviderBundle\Tests\Kernel"/>
+  </php>
+  <testsuites>
+    <testsuite name="Project Test Suite">
+      <directory>tests</directory>
+    </testsuite>
+  </testsuites>
+  <listeners>
+    <listener class="Symfony\Bridge\PhpUnit\SymfonyTestsListener"/>
+  </listeners>
+</phpunit>

psalm.xml

+<?xml version="1.0"?>
+<psalm
+    totallyTyped="false"
+    errorLevel="5"
+    resolveFromConfigFile="true"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="https://getpsalm.org/schema/config"
+    xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+>
+    <projectFiles>
+        <directory name="src" />
+        <ignoreFiles>
+            <directory name="vendor" />
+        </ignoreFiles>
+    </projectFiles>
+</psalm>

src/DbpRelayLdapPersonProviderBundle.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle;
+
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\HttpKernel\Bundle\Bundle;
+
+class DbpRelayLdapPersonProviderBundle extends Bundle
+{
+    public function build(ContainerBuilder $container)
+    {
+    }
+}

src/DependencyInjection/Configuration.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle\DependencyInjection;
+
+use Symfony\Component\Config\Definition\Builder\TreeBuilder;
+use Symfony\Component\Config\Definition\ConfigurationInterface;
+
+class Configuration implements ConfigurationInterface
+{
+    public function getConfigTreeBuilder()
+    {
+        $treeBuilder = new TreeBuilder('dbp_relay_ldap_person_provider');
+
+        $treeBuilder->getRootNode()
+            ->children()
+            ->scalarNode('co_oauth2_ucardapi_client_id')->end()
+            ->scalarNode('co_oauth2_ucardapi_client_secret')->end()
+            ->scalarNode('co_oauth2_ucardapi_api_url')->end()
+            ->end()
+            ->end();
+
+        return $treeBuilder;
+    }
+}

src/DependencyInjection/DbpRelayLdapPersonProviderExtension.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle\DependencyInjection;
+
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
+use Symfony\Component\HttpKernel\DependencyInjection\ConfigurableExtension;
+
+class DbpRelayLdapPersonProviderExtension extends ConfigurableExtension
+{
+    public function loadInternal(array $mergedConfig, ContainerBuilder $container)
+    {
+        $loader = new YamlFileLoader(
+            $container,
+            new FileLocator(__DIR__.'/../Resources/config')
+        );
+        $loader->load('services.yaml');
+
+        // Inject the config value into the UCardService service
+        $definition = $container->getDefinition('Dbp\Relay\LdapPersonProviderBundle\Service\UCardService');
+        $definition->addMethodCall('setConfig', [$mergedConfig]);
+    }
+
+    private function extendArrayParameter(ContainerBuilder $container, string $parameter, array $values)
+    {
+        if (!$container->hasParameter($parameter)) {
+            $container->setParameter($parameter, []);
+        }
+        $oldValues = $container->getParameter($parameter);
+        assert(is_array($oldValues));
+        $container->setParameter($parameter, array_merge($oldValues, $values));
+    }
+}

src/Resources/config/services.yaml

+services:
+  Dbp\Relay\LdapPersonProviderBundle\Service\:
+    autowire: true
+    autoconfigure: true
+
+  Dbp\Relay\BasePersonBundle\API\PersonProviderInterface:
+    '@Dbp\Relay\LdapPersonProviderBundle\Service\LDAPPersonProvider'
+
+  Dbp\Relay\AuthBundle\API\UserRolesInterface:
+    '@Dbp\Relay\LdapPersonProviderBundle\Service\CustomUserRoles'

src/Service/CustomUserRoles.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle\Service;
+
+use Dbp\Relay\AuthBundle\API\UserRolesInterface;
+
+class CustomUserRoles implements UserRolesInterface
+{
+    private $ldap;
+
+    public function __construct(LDAPApi $ldap)
+    {
+        $this->ldap = $ldap;
+    }
+
+    public function getRoles(?string $userIdentifier, array $scopes): array
+    {
+        // Convert all scopes to roles, like the default
+        $roles = [];
+        foreach ($scopes as $scope) {
+            $roles[] = 'ROLE_SCOPE_'.mb_strtoupper($scope);
+        }
+
+        // In case we have a real user also merge in roles from LDAP
+        if ($userIdentifier !== null) {
+            $personRoles = $this->ldap->getRolesForCurrentPerson();
+            $roles = array_merge($roles, $personRoles);
+            $roles = array_unique($roles);
+            sort($roles, SORT_STRING);
+        }
+
+        return $roles;
+    }
+}

src/Service/LDAPApi.php

+<?php
+
+declare(strict_types=1);
+/**
+ * LDAP wrapper service.
+ *
+ * @see https://github.com/Adldap2/Adldap2
+ */
+
+namespace Dbp\Relay\LdapPersonProviderBundle\Service;
+
+use Adldap\Adldap;
+use Adldap\Connections\Provider;
+use Adldap\Connections\ProviderInterface;
+use Adldap\Models\User;
+use Adldap\Query\Builder;
+use Dbp\Relay\BasePersonBundle\Entity\Person;
+use Dbp\Relay\CoreBundle\API\UserSessionInterface;
+use Dbp\Relay\CoreBundle\Exception\ApiError;
+use Dbp\Relay\CoreBundle\Helpers\Tools as CoreTools;
+use Psr\Cache\CacheItemPoolInterface;
+use Psr\Container\ContainerInterface;
+use Psr\Log\LoggerAwareInterface;
+use Psr\Log\LoggerAwareTrait;
+use Symfony\Component\Cache\Adapter\FilesystemAdapter;
+use Symfony\Component\Cache\Psr16Cache;
+use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Contracts\Service\ServiceSubscriberInterface;
+
+class LDAPApi implements LoggerAwareInterface, ServiceSubscriberInterface
+{
+    use LoggerAwareTrait;
+
+    private $PAGESIZE = 50;
+
+    /**
+     * @var Adldap
+     */
+    private $ad;
+
+    private $cachePool;
+
+    private $personCache;
+
+    private $cacheTTL;
+
+    /**
+     * @var Person|null
+     */
+    private $currentPerson;
+
+    private $providerConfig;
+
+    private $deploymentEnv;
+
+    private $locator;
+
+    private $params;
+
+    private $identifierAttributeName;
+
+    private $givenNameAttributeName;
+
+    private $familyNameAttributeName;
+
+    private $emailAttributeName;
+
+    private $birthdayAttributeName;
+
+    public function __construct(ContainerInterface $locator, ParameterBagInterface $params)
+    {
+        $this->ad = new Adldap();
+        $this->cacheTTL = 0;
+        $this->currentPerson = null;
+        $this->params = $params;
+        $this->providerConfig = [
+            'hosts' => [$this->params->get('app.ldap.host') ?? ''],
+            'base_dn' => $this->params->get('app.ldap.base_dn') ?? '',
+            'username' => $this->params->get('app.ldap.username') ?? '',
+            'password' => $this->params->get('app.ldap.password') ?? '',
+            'use_tls' => true,
+        ];
+        $this->locator = $locator;
+        $this->deploymentEnv = 'production';
+
+        $this->setPersonCache(new FilesystemAdapter('app-core-auth-person', 60, (string) $this->params->get('app.cache.person-cache-path')));
+        $this->setLDAPCache(new FilesystemAdapter('app-core-ldap', 360, (string) $this->params->get('app.cache.ldap-cache-path')), 360);
+
+        $this->identifierAttributeName = $this->params->get('app.ldap.attributes.identifier') ?? 'cn';
+        $this->givenNameAttributeName = $this->params->get('app.ldap.attributes.given_name') ?? 'givenName';
+        $this->familyNameAttributeName = $this->params->get('app.ldap.attributes.family_name') ?? 'sn';
+        $this->emailAttributeName = $this->params->get('app.ldap.attributes.email') ?? '';
+        $this->birthdayAttributeName = $this->params->get('app.ldap.attributes.birthday') ?? '';
+    }
+
+    public function setDeploymentEnvironment(string $env)
+    {
+        $this->deploymentEnv = $env;
+    }
+
+    public function setLDAPCache(?CacheItemPoolInterface $cachePool, int $ttl)
+    {
+        $this->cachePool = $cachePool;
+        $this->cacheTTL = $ttl;
+    }
+
+    public function setPersonCache(?CacheItemPoolInterface $cachePool)
+    {
+        $this->personCache = $cachePool;
+    }
+
+    private function getProvider(): ProviderInterface
+    {
+        if ($this->logger !== null) {
+            Adldap::setLogger($this->logger);
+        }
+        $ad = new Adldap();
+        $ad->addProvider($this->providerConfig);
+        $provider = $ad->connect();
+        assert($provider instanceof Provider);
+        if ($this->cachePool !== null) {
+            $provider->setCache(new Psr16Cache($this->cachePool));
+        }
+
+        return $provider;
+    }
+
+    private function getCachedBuilder(ProviderInterface $provider): Builder
+    {
+        // FIXME: https://github.com/Adldap2/Adldap2/issues/786
+        // return $provider->search()->cache($until=$this->cacheTTL);
+        // We depend on the default TTL of the cache for now...
+
+        /**
+         * @var Builder $builder
+         */
+        $builder = $provider->search()->cache();
+
+        return $builder;
+    }
+
+    private function getPeopleUserItems(array $filters): array
+    {
+        try {
+            $provider = $this->getProvider();
+            $builder = $this->getCachedBuilder($provider);
+
+            $search = $builder
+                ->where('objectClass', '=', $provider->getSchema()->person());
+
+            if (isset($filters['search'])) {
+                $items = explode(' ', $filters['search']);
+
+                // search for all substrings
+                foreach ($items as $item) {
+                    $search->whereContains('fullName', $item);
+                }
+            }
+
+            return $search->sortBy($this->familyNameAttributeName, 'asc')->paginate($this->PAGESIZE)->getResults();
+        } catch (\Adldap\Auth\BindException $e) {
+            // There was an issue binding / connecting to the server.
+            throw new ApiError(Response::HTTP_BAD_GATEWAY, sprintf('People could not be loaded! Message: %s', CoreTools::filterErrorMessage($e->getMessage())));
+        }
+    }
+
+    public function getPersons(array $filters): array
+    {
+        $persons = [];
+        $items = $this->getPeopleUserItems($filters);
+        foreach ($items as $item) {
+            $person = $this->personFromUserItem($item, false);
+            $persons[] = $person;
+        }
+
+        return $persons;
+    }
+
+    /**
+     * @return Person[]
+     */
+    public function getPersonsByNameAndBirthDate(string $givenName, string $familyName, string $birthDate): array
+    {
+        if ($this->birthdayAttributeName === '') {
+            return [];
+        }
+
+        try {
+            $provider = $this->getProvider();
+            $builder = $this->getCachedBuilder($provider);
+
+            /** @var User[] $users */
+            $users = $builder
+                ->where('objectClass', '=', $provider->getSchema()->person())
+                ->whereEquals($this->givenNameAttributeName, $givenName)
+                ->whereEquals($this->familyNameAttributeName, $familyName)
+                ->whereEquals($this->birthdayAttributeName, $birthDate) // (e.g. 1981-07-18)
+                ->sortBy($this->familyNameAttributeName, 'asc')->paginate($this->PAGESIZE)->getResults();
+
+            $people = [];
+
+            foreach ($users as $user) {
+                $people[] = $this->personFromUserItem($user, true);
+            }
+
+            return $people;
+        } catch (\Adldap\Auth\BindException $e) {
+            // There was an issue binding / connecting to the server.
+            throw new ApiError(Response::HTTP_BAD_GATEWAY, sprintf('Persons could not be loaded! Message: %s', CoreTools::filterErrorMessage($e->getMessage())));
+        }
+    }
+
+    public function getPersonUserItem(string $identifier): ?User
+    {
+        try {
+            $provider = $this->getProvider();
+            $builder = $this->getCachedBuilder($provider);
+
+            /** @var User $user */
+            $user = $builder
+                ->where('objectClass', '=', $provider->getSchema()->person())
+                ->whereEquals($this->identifierAttributeName, $identifier)
+                ->first();
+
+            if ($user === null) {
+                throw new NotFoundHttpException(sprintf("Person with id '%s' could not be found!", $identifier));
+            }
+
+            return $user;
+        } catch (\Adldap\Auth\BindException $e) {
+            // There was an issue binding / connecting to the server.
+            throw new ApiError(Response::HTTP_BAD_GATEWAY, sprintf("Person with id '%s' could not be loaded! Message: %s", $identifier, CoreTools::filterErrorMessage($e->getMessage())));
+        }
+    }
+
+    public function personFromUserItem(User $user, bool $full): Person
+    {
+        $identifier = $user->getFirstAttribute($this->identifierAttributeName);
+
+        $person = new Person();
+        $person->setIdentifier($identifier);
+        $person->setGivenName($user->getFirstAttribute($this->givenNameAttributeName));
+        $person->setFamilyName($user->getFirstAttribute($this->familyNameAttributeName));
+
+        if ($this->emailAttributeName !== '') {
+            $person->setEmail($user->getFirstAttribute($this->emailAttributeName));
+        }
+
+        $birthDateString = $this->birthdayAttributeName !== '' ?
+            trim($user->getFirstAttribute($this->birthdayAttributeName) ?? '') : '';
+
+        if ($birthDateString !== '') {
+            $matches = [];
+
+            if (preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $birthDateString, $matches)) {
+                $person->setBirthDate("{$matches[1]}-{$matches[2]}-{$matches[3]}");
+            }
+        }
+
+        // TODO: Add code to decide what roles a user has (or just depend on the roles from CustomUserRoles)
+        $roles = ['ROLE_SCOPE_GREENLIGHT'];
+        $person->setExtraData('ldap-roles', $roles);
+
+        $campusOnlineIdentifierAttribute = (string) $this->params->get('app.ldap.attributes.campusonline_identifier') ?? '';
+
+        // Used in \Dbp\Relay\LdapPersonProviderBundle\Service\CampusonlinePersonPhotoProvider::getPhotoData
+        if ($campusOnlineIdentifierAttribute !== '' && $user->hasAttribute($campusOnlineIdentifierAttribute)) {
+            $person->setExtraData($campusOnlineIdentifierAttribute, $user->getAttribute($campusOnlineIdentifierAttribute)[0]);
+        }
+
+        return $person;
+    }
+
+    public function getRolesForCurrentPerson(): array
+    {
+        $person = $this->getCurrentPerson();
+        if ($person !== null) {
+            $roles = $person->getExtraData('ldap-roles');
+            assert(is_array($roles));
+
+            return $roles;
+        }
+
+        return [];
+    }
+
+    public function getPerson(string $id): Person
+    {
+        $id = str_replace('/people/', '', $id);
+
+        $session = $this->getUserSession();
+        $currentIdentifier = $session->getUserIdentifier();
+
+        if ($currentIdentifier !== null && $currentIdentifier === $id) {
+            // fast path: getCurrentPerson() does some caching
+            $person = $this->getCurrentPerson();
+            assert($person !== null);
+        } else {
+            $user = $this->getPersonUserItem($id);
+            $person = $this->personFromUserItem($user, true);
+        }
+
+        return $person;
+    }
+
+    public function getPersonForExternalService(string $service, string $serviceID): Person
+    {
+        throw new BadRequestHttpException("Unknown service: $service");
+    }
+
+    private function getUserSession(): UserSessionInterface
+    {
+        return $this->locator->get(UserSessionInterface::class);
+    }
+
+    public function getCurrentPersonCached(): Person
+    {
+        $session = $this->getUserSession();
+        $currentIdentifier = $session->getUserIdentifier();
+        assert($currentIdentifier !== null);
+
+        $cache = $this->personCache;
+        $cacheKey = $session->getSessionCacheKey().'-'.$currentIdentifier;
+        // make sure the cache is longer than the session, so just double it.
+        $cacheTTL = $session->getSessionTTL() * 2;
+
+        $item = $cache->getItem($cacheKey);
+
+        if ($item->isHit()) {
+            $person = $item->get();
+            if ($person === null) {
+                throw new NotFoundHttpException();
+            }
+
+            return $person;
+        } else {
+            try {
+                $user = $this->getPersonUserItem($currentIdentifier);
+                $person = $this->personFromUserItem($user, true);
+            } catch (NotFoundHttpException $e) {
+                $person = null;
+            }
+            $item->set($person);
+            $item->expiresAfter($cacheTTL);
+            $cache->save($item);
+            if ($person === null) {
+                throw new NotFoundHttpException();
+            }
+
+            return $person;
+        }
+    }
+
+    public function getCurrentPerson(): ?Person
+    {
+        $session = $this->getUserSession();
+        $currentIdentifier = $session->getUserIdentifier();
+        if ($currentIdentifier === null) {
+            return null;
+        }
+
+        if ($this->currentPerson !== null && $this->currentPerson->getIdentifier() !== $currentIdentifier) {
+            $this->currentPerson = null;
+        }
+
+        if ($this->currentPerson === null) {
+            $this->currentPerson = $this->getCurrentPersonCached();
+        }
+
+        return $this->currentPerson;
+    }
+
+    public static function getSubscribedServices()
+    {
+        return [
+            UserSessionInterface::class,
+        ];
+    }
+}

src/Service/LDAPPersonProvider.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle\Service;
+
+use Dbp\Relay\BasePersonBundle\API\PersonProviderInterface;
+use Dbp\Relay\BasePersonBundle\Entity\Person;
+
+class LDAPPersonProvider implements PersonProviderInterface
+{
+    private $ldapApi;
+
+    public function __construct(LDAPApi $ldapApi)
+    {
+        $this->ldapApi = $ldapApi;
+    }
+
+    public function getPersons(array $filters): array
+    {
+        return $this->ldapApi->getPersons($filters);
+    }
+
+    public function getPersonsByNameAndBirthDate(string $givenName, string $familyName, string $birthDate): array
+    {
+        return $this->ldapApi->getPersonsByNameAndBirthDate($givenName, $familyName, $birthDate);
+    }
+
+    public function getPerson(string $id): Person
+    {
+        return $this->ldapApi->getPerson($id);
+    }
+
+    public function getPersonForExternalService(string $service, string $serviceID): Person
+    {
+        return $this->ldapApi->getPersonForExternalService($service, $serviceID);
+    }
+
+    public function getCurrentPerson(): ?Person
+    {
+        return $this->ldapApi->getCurrentPerson();
+    }
+}

tests/Kernel.php

+<?php
+
+declare(strict_types=1);
+
+namespace Dbp\Relay\LdapPersonProviderBundle\Tests;
+
+use Dbp\Relay\LdapPersonProviderBundle\DbpRelayLdapPersonProviderBundle;
+use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
+use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
+use Symfony\Component\Config\Loader\LoaderInterface;
+use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
+use Symfony\Component\HttpKernel\Kernel as BaseKernel;
+
+class Kernel extends BaseKernel
+{
+    use MicroKernelTrait;
+
+    public function registerBundles(): iterable
+    {
+        yield new FrameworkBundle();
+        yield new DbpRelayLdapPersonProviderBundle();
+    }
+
+    protected function configureContainer(ContainerConfigurator $container, LoaderInterface $loader)
+    {
+        $container->import('@DbpRelayCoreBundle/Resources/config/services_test.yaml');
+        $container->extension('framework', [
+            'test' => true,
+            'secret' => '',
+        ]);
+
+        $container->extension('dbp_relay_ldap_person_provider', [
+            'secret_token' => 'secret-test',
+        ]);
+    }
+}

tests/bootstrap.php

+<?php
+
+declare(strict_types=1);
+
+require dirname(__DIR__).'/vendor/autoload.php';