Révision 32700c57
Ajouté par Assos Assos il y a environ 5 ans
drupal7/sites/all/modules/ldap/ldap_authentication/LdapAuthenticationConf.class.php | ||
---|---|---|
3 | 3 |
/** |
4 | 4 |
* @file |
5 | 5 |
* This class represents an ldap_authentication module's configuration |
6 |
* It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions |
|
6 |
* It is extended by LdapAuthenticationConfAdmin for configuration and other admin functions.
|
|
7 | 7 |
*/ |
8 | 8 |
|
9 | 9 |
module_load_include('php', 'ldap_user', 'LdapUserConf.class'); |
10 |
|
|
10 |
/** |
|
11 |
* |
|
12 |
*/ |
|
11 | 13 |
class LdapAuthenticationConf { |
12 | 14 |
|
13 | 15 |
/** |
14 |
* server configuration ids being used for authentication
|
|
16 |
* Server configuration ids being used for authentication.
|
|
15 | 17 |
* |
16 | 18 |
* @var array |
17 | 19 |
* |
18 | 20 |
* @see LdapServer->sid() |
19 | 21 |
*/ |
20 |
public $sids = array();
|
|
22 |
public $sids = [];
|
|
21 | 23 |
|
22 | 24 |
/** |
23 |
* server configuration ids being used for authentication
|
|
25 |
* Server configuration ids being used for authentication.
|
|
24 | 26 |
* |
25 |
* @var associative array of LdapServer objects keyed on sids
|
|
27 |
* @var associativearrayofLdapServerobjectskeyedonsids
|
|
26 | 28 |
* |
27 | 29 |
* @see LdapServer->sid() |
28 | 30 |
* @see LdapServer |
29 | 31 |
*/ |
30 |
public $enabledAuthenticationServers = array();
|
|
32 |
public $enabledAuthenticationServers = [];
|
|
31 | 33 |
|
32 | 34 |
|
33 | 35 |
/** |
34 |
* LdapUser configuration object |
|
36 |
* LdapUser configuration object.
|
|
35 | 37 |
* |
36 |
* @var LdapUser object
|
|
38 |
* @var LdapUserobject |
|
37 | 39 |
*/ |
38 |
public $ldapUser = NULL; // ldap_user configuration object |
|
40 |
/** |
|
41 |
* Ldap_user configuration object. |
|
42 |
*/ |
|
43 |
public $ldapUser = NULL; |
|
39 | 44 |
|
40 | 45 |
/** |
41 | 46 |
* Has current object been saved to the database? |
42 | 47 |
* |
43 |
* @var boolean
|
|
48 |
* @var bool |
|
44 | 49 |
*/ |
45 | 50 |
public $inDatabase = FALSE; |
46 | 51 |
|
47 | 52 |
/** |
48 |
* Choice of authentication modes
|
|
49 |
*
|
|
50 |
* @var integer
|
|
51 |
* LDAP_AUTHENTICATION_MODE_DEFAULT (LDAP_AUTHENTICATION_MIXED)
|
|
52 |
* LDAP_AUTHENTICATION_MIXED - signifies both LDAP and Drupal authentication are allowed
|
|
53 |
* Drupal authentication is attempted first.
|
|
54 |
* LDAP_AUTHENTICATION_EXCLUSIVE - signifies only LDAP authenication is allowed
|
|
55 |
*/
|
|
53 |
* Choice of authentication modes.
|
|
54 |
* |
|
55 |
* @var int
|
|
56 |
* LDAP_AUTHENTICATION_MODE_DEFAULT (LDAP_AUTHENTICATION_MIXED) |
|
57 |
* LDAP_AUTHENTICATION_MIXED - signifies both LDAP and Drupal authentication are allowed |
|
58 |
* Drupal authentication is attempted first. |
|
59 |
* LDAP_AUTHENTICATION_EXCLUSIVE - signifies only LDAP authenication is allowed |
|
60 |
*/ |
|
56 | 61 |
public $authenticationMode = LDAP_AUTHENTICATION_MODE_DEFAULT; |
57 | 62 |
|
58 | 63 |
/** |
59 | 64 |
* The following are used to alter the logon interface to direct users |
60 |
* to local LDAP specific authentication help |
|
65 |
* to local LDAP specific authentication help.
|
|
61 | 66 |
*/ |
62 | 67 |
|
63 | 68 |
/** |
64 | 69 |
* Text describing username to use, such as "Hogwarts Username" |
65 | 70 |
* which will be inserted on logon forms to help users figure out which |
66 |
* username to use |
|
71 |
* username to use.
|
|
67 | 72 |
* |
68 | 73 |
* @var string |
69 | 74 |
*/ |
... | ... | |
72 | 77 |
/** |
73 | 78 |
* Text describing password to use, such as "Hogwards LDAP Password" |
74 | 79 |
* which will be inserted on logon forms. Useful in organizations with |
75 |
* multiple account types for authentication |
|
80 |
* multiple account types for authentication.
|
|
76 | 81 |
* |
77 | 82 |
* @var string |
78 | 83 |
*/ |
... | ... | |
81 | 86 |
/** |
82 | 87 |
* Text and Url to provide help link for password such as: |
83 | 88 |
* ldapUserHelpLinkUrl: https://passwords.hogwarts.edu |
84 |
* ldapUserHelpLinkText: Hogwarts IT Password Support Page |
|
89 |
* ldapUserHelpLinkText: Hogwarts IT Password Support Page.
|
|
85 | 90 |
* |
86 | 91 |
* @var string |
87 | 92 |
*/ |
... | ... | |
92 | 97 |
* Email handling option |
93 | 98 |
* LDAP_AUTHENTICATION_EMAIL_FIELD_REMOVE -- don't show email on user forms |
94 | 99 |
* LDAP_AUTHENTICATION_EMAIL_FIELD_DISABLE (default) -- disable email on user forms |
95 |
* LDAP_AUTHENTICATION_EMAIL_FIELD_ALLOW -- allow editing of email on user forms |
|
100 |
* LDAP_AUTHENTICATION_EMAIL_FIELD_ALLOW -- allow editing of email on user forms.
|
|
96 | 101 |
* |
97 | 102 |
* @var int |
98 | 103 |
*/ |
99 | 104 |
public $emailOption = LDAP_AUTHENTICATION_EMAIL_FIELD_DEFAULT; |
100 | 105 |
|
101 |
/**
|
|
106 |
/** |
|
102 | 107 |
* Email handling option |
103 | 108 |
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE_NOTIFY -- (default) Update stored email if LDAP email differs at login and notify user |
104 | 109 |
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_ENABLE -- Update stored email if LDAP email differs at login but don\'t notify user |
105 |
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE -- Don\'t update stored email if LDAP email differs at login |
|
110 |
* LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DISABLE -- Don\'t update stored email if LDAP email differs at login.
|
|
106 | 111 |
* |
107 | 112 |
* @var int |
108 | 113 |
*/ |
109 | 114 |
public $emailUpdate = LDAP_AUTHENTICATION_EMAIL_UPDATE_ON_LDAP_CHANGE_DEFAULT; |
110 |
|
|
115 |
|
|
111 | 116 |
/** |
112 |
* Email default handling option |
|
113 |
*
|
|
114 |
* This affects how email addresses that are empty are handled by
|
|
117 |
* Email default handling option.
|
|
118 |
* |
|
119 |
* This affects how email addresses that are empty are handled by |
|
115 | 120 |
* the authentication process. |
116 |
*
|
|
121 |
* |
|
117 | 122 |
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_NONE -- leaves the email empty |
118 | 123 |
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_IF_EMPTY (default) -- if the email is empty, it will be replaced |
119 | 124 |
* LDAP_AUTHENTICATION_EMAIL_TEMPLATE_ALWAYS -- always use the template |
120 |
*
|
|
125 |
* |
|
121 | 126 |
* @var int |
122 | 127 |
*/ |
123 | 128 |
public $emailTemplateHandling = LDAP_AUTHENTICATION_EMAIL_TEMPLATE_DEFAULT; |
124 |
|
|
129 |
|
|
125 | 130 |
/** |
126 | 131 |
* Email template. |
127 |
*
|
|
132 |
* |
|
128 | 133 |
* @var string |
129 | 134 |
*/ |
130 | 135 |
public $emailTemplate = LDAP_AUTHENTICATION_DEFAULT_TEMPLATE; |
131 |
|
|
136 |
|
|
132 | 137 |
/** |
133 |
* Whether or not to display a notification to the user on login, prompting
|
|
138 |
* Whether or not to display a notification to the user on login, prompting |
|
134 | 139 |
* them to change their email. |
135 |
*
|
|
136 |
* @var boolean
|
|
140 |
* |
|
141 |
* @var bool |
|
137 | 142 |
*/ |
138 | 143 |
public $templateUsagePromptUser = LDAP_AUTHENTICATION_TEMPLATE_USAGE_PROMPT_USER_DEFAULT; |
139 |
|
|
144 |
|
|
140 | 145 |
/** |
141 | 146 |
* Whether or not to avoid updating the email address of the user if the |
142 | 147 |
* template was used to generate it. |
143 |
*
|
|
144 |
* @var boolean
|
|
148 |
* |
|
149 |
* @var bool |
|
145 | 150 |
*/ |
146 | 151 |
public $templateUsageNeverUpdate = LDAP_AUTHENTICATION_TEMPLATE_USAGE_NEVER_UPDATE_DEFAULT; |
147 |
|
|
152 |
|
|
148 | 153 |
/** |
149 | 154 |
* Whether or not to use the email template if there is a user with a different |
150 | 155 |
* login name but same email address in the system. |
151 |
*
|
|
152 |
* @var boolean
|
|
156 |
* |
|
157 |
* @var bool |
|
153 | 158 |
*/ |
154 | 159 |
public $templateUsageResolveConflict = LDAP_AUTHENTICATION_TEMPLATE_USAGE_RESOLVE_CONFLICT_DEFAULT; |
155 |
|
|
160 |
|
|
156 | 161 |
/** |
157 | 162 |
* A PCRE regular expression (minus the delimiter and flags) that will be used |
158 |
* if $templateUsagePromptUser is set to true to determine if the email
|
|
159 |
* address is a fake one or not.
|
|
160 |
*
|
|
163 |
* if $templateUsagePromptUser is set to true to determine if the email |
|
164 |
* address is a fake one or not. |
|
165 |
* |
|
161 | 166 |
* By allowing this to be customized, we let the administrators handle older |
162 | 167 |
* patterns should they decide to change the existing one, as well as avoiding |
163 | 168 |
* the complexity of determining a proper regex from the template. |
164 |
*
|
|
169 |
* |
|
165 | 170 |
* @var string |
166 | 171 |
*/ |
167 | 172 |
public $templateUsagePromptRegex = LDAP_AUTHENTICATION_DEFAULT_TEMPLATE_REGEX; |
168 |
|
|
173 |
|
|
169 | 174 |
/** |
170 | 175 |
* Controls whether or not we should check on login if the email template was |
171 | 176 |
* used and redirect the user if needed. |
172 |
*
|
|
173 |
* @var boolean
|
|
177 |
* |
|
178 |
* @var bool |
|
174 | 179 |
*/ |
175 | 180 |
public $templateUsageRedirectOnLogin = LDAP_AUTHENTICATION_REDIRECT_ON_LOGIN_DEFAULT; |
176 |
|
|
177 | 181 |
|
178 | 182 |
|
179 |
/** |
|
183 |
|
|
184 |
/** |
|
180 | 185 |
* Password handling option |
181 | 186 |
* LDAP_AUTHENTICATION_PASSWORD_FIELD_SHOW -- show field disabled on user forms |
182 | 187 |
* LDAP_AUTHENTICATION_PASSWORD_FIELD_HIDE (default) -- disable password on user forms |
183 |
* LDAP_AUTHENTICATION_PASSWORD_FIELD_ALLOW -- allow editing of password on user forms |
|
188 |
* LDAP_AUTHENTICATION_PASSWORD_FIELD_ALLOW -- allow editing of password on user forms.
|
|
184 | 189 |
* |
185 | 190 |
* @var int |
186 | 191 |
*/ |
... | ... | |
194 | 199 |
public $ssoNotifyAuthentication = FALSE; |
195 | 200 |
public $ldapImplementation = FALSE; |
196 | 201 |
public $cookieExpire = LDAP_AUTHENTICATION_COOKIE_EXPIRE; |
197 |
public $apiPrefs = array();
|
|
202 |
public $apiPrefs = [];
|
|
198 | 203 |
|
199 | 204 |
/** |
200 |
* Advanced options. whitelist / blacklist options |
|
201 |
* |
|
202 |
* these are on the fuzzy line between authentication and authorization |
|
203 |
* and determine if a user is allowed to authenticate with ldap |
|
205 |
* Advanced options. whitelist / blacklist options. |
|
204 | 206 |
* |
207 |
* These are on the fuzzy line between authentication and authorization |
|
208 |
* and determine if a user is allowed to authenticate with ldap. |
|
205 | 209 |
*/ |
206 | 210 |
|
207 | 211 |
/** |
208 |
* text which must be present in user's LDAP entry's DN for user to authenticate with LDAP
|
|
209 |
* e.g. "ou=people" |
|
212 |
* Text which must be present in user's LDAP entry's DN for user to authenticate with LDAP
|
|
213 |
* e.g. "ou=people".
|
|
210 | 214 |
* |
211 | 215 |
* @var string |
212 | 216 |
*/ |
213 |
public $allowOnlyIfTextInDn = array(); // eg ou=education that must be met to allow ldap authentication |
|
217 |
/** |
|
218 |
* Eg ou=education that must be met to allow ldap authentication. |
|
219 |
*/ |
|
220 |
public $allowOnlyIfTextInDn = []; |
|
214 | 221 |
|
215 | 222 |
/** |
216 |
* text which prohibits logon if found in user's LDAP entry's DN for user to authenticate with LDAP
|
|
217 |
* e.g. "ou=guest accounts" |
|
223 |
* Text which prohibits logon if found in user's LDAP entry's DN for user to authenticate with LDAP
|
|
224 |
* e.g. "ou=guest accounts".
|
|
218 | 225 |
* |
219 | 226 |
* @var string |
220 | 227 |
*/ |
221 |
public $excludeIfTextInDn = array();
|
|
228 |
public $excludeIfTextInDn = [];
|
|
222 | 229 |
|
223 | 230 |
/** |
224 |
* code that prints 1 or 0 signifying if user is allowed
|
|
225 |
* should not start with <?php |
|
231 |
* Code that prints 1 or 0 signifying if user is allowed
|
|
232 |
* should not start with <?php.
|
|
226 | 233 |
* |
227 |
* @var string of php
|
|
234 |
* @var stringofphp
|
|
228 | 235 |
*/ |
229 | 236 |
public $allowTestPhp = NULL; |
230 | 237 |
|
231 | 238 |
/** |
232 |
* if at least 1 ldap authorization must exist for user to be allowed
|
|
239 |
* If at least 1 ldap authorization must exist for user to be allowed
|
|
233 | 240 |
* True signfies disallow if no authorizations. |
234 | 241 |
* False signifies don't consider authorizations. |
235 | 242 |
* |
236 |
* @var boolean.
|
|
243 |
* @var bool |
|
237 | 244 |
*/ |
238 | 245 |
public $excludeIfNoAuthorizations = LDAP_AUTHENTICATION_EXCL_IF_NO_AUTHZ_DEFAULT; |
239 | 246 |
|
240 |
public $saveable = array(
|
|
247 |
public $saveable = [
|
|
241 | 248 |
'sids', |
242 | 249 |
'authenticationMode', |
243 | 250 |
'loginUIUsernameTxt', |
... | ... | |
265 | 272 |
'templateUsageResolveConflict', |
266 | 273 |
'templateUsagePromptRegex', |
267 | 274 |
'templateUsageRedirectOnLogin', |
268 |
);
|
|
275 |
];
|
|
269 | 276 |
|
277 |
/** |
|
278 |
* |
|
279 |
*/ |
|
270 | 280 |
public function hasEnabledAuthenticationServers() { |
271 | 281 |
return !(count($this->enabledAuthenticationServers) == 0); |
272 | 282 |
} |
273 | 283 |
|
284 |
/** |
|
285 |
* |
|
286 |
*/ |
|
274 | 287 |
public function enabled_servers() { |
275 | 288 |
return $this->hasEnabledAuthenticationServers(); |
276 | 289 |
} |
277 | 290 |
|
278 |
function __construct() { |
|
291 |
/** |
|
292 |
* |
|
293 |
*/ |
|
294 |
public function __construct() { |
|
279 | 295 |
$this->load(); |
280 | 296 |
} |
281 | 297 |
|
282 |
function load() { |
|
298 |
/** |
|
299 |
* |
|
300 |
*/ |
|
301 |
public function load() { |
|
283 | 302 |
|
284 | 303 |
if ($saved = variable_get("ldap_authentication_conf", FALSE)) { |
285 | 304 |
$this->inDatabase = TRUE; |
... | ... | |
288 | 307 |
$this->{$property} = $saved[$property]; |
289 | 308 |
} |
290 | 309 |
} |
291 |
$this->enabledAuthenticationServers = array(); // reset in case reloading instantiated object |
|
310 |
// Reset in case reloading instantiated object. |
|
311 |
$this->enabledAuthenticationServers = []; |
|
292 | 312 |
$enabled_ldap_servers = ldap_servers_get_servers(NULL, 'enabled'); |
293 | 313 |
foreach ($this->sids as $sid => $enabled) { |
294 | 314 |
if ($enabled && isset($enabled_ldap_servers[$sid])) { |
... | ... | |
309 | 329 |
} |
310 | 330 |
|
311 | 331 |
/** |
312 |
* Destructor Method |
|
332 |
* Destructor Method.
|
|
313 | 333 |
*/ |
314 |
function __destruct() { } |
|
315 |
|
|
334 |
public function __destruct() {} |
|
316 | 335 |
|
317 |
/** |
|
318 |
* decide if a username is excluded or not |
|
336 |
/** |
|
337 |
* Decide if a username is excluded or not. |
|
338 |
* |
|
339 |
* @param string $name |
|
340 |
* as proposed drupal username. |
|
341 |
* @param array $ldap_user |
|
342 |
* where top level keys are 'dn','attr','mail'. |
|
319 | 343 |
* |
320 |
* @param string $name as proposed drupal username |
|
321 |
* @param array $ldap_user where top level keys are 'dn','attr','mail' |
|
322 | 344 |
* @return boolean FALSE means NOT allow; TRUE means allow |
323 | 345 |
* |
324 |
* @todo. this function should simply invoke hook_ldap_authentication_allowuser_results_alter
|
|
346 |
* @todo. this function should simply invoke hook_ldap_authentication_allowuser_results_alter |
|
325 | 347 |
* and most of this function should go in ldap_authentication_allowuser_results_alter |
326 | 348 |
*/ |
327 | 349 |
public function allowUser($name, $ldap_user) { |
... | ... | |
330 | 352 |
* do one of the exclude attribute pairs match |
331 | 353 |
*/ |
332 | 354 |
$ldap_user_conf = ldap_user_conf(); |
333 |
// if user does not already exists and deferring to user settings AND user settings only allow
|
|
355 |
// If user does not already exists and deferring to user settings AND user settings only allow.
|
|
334 | 356 |
$user_register = variable_get('user_register', USER_REGISTER_VISITORS_ADMINISTRATIVE_APPROVAL); |
335 | 357 |
|
336 | 358 |
foreach ($this->excludeIfTextInDn as $test) { |
337 | 359 |
if (stripos($ldap_user['dn'], $test) !== FALSE) { |
338 |
return FALSE;// if a match, return FALSE; |
|
360 |
// Match. |
|
361 |
return FALSE; |
|
339 | 362 |
} |
340 | 363 |
} |
341 | 364 |
|
... | ... | |
352 | 375 |
$code_result = php_eval($code); |
353 | 376 |
$_name = NULL; |
354 | 377 |
$_ldap_user_entry = NULL; |
355 |
if ((boolean)($code_result) == FALSE) { |
|
378 |
if ((boolean) ($code_result) == FALSE) {
|
|
356 | 379 |
return FALSE; |
357 | 380 |
} |
358 | 381 |
} |
359 | 382 |
else { |
360 | 383 |
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning'); |
361 |
$tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
|
|
384 |
$tokens = ['!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication')];
|
|
362 | 385 |
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users based on php execution with php_eval function, but php module is not enabled. Please enable php module or remove php code at !ldap_authentication_config .', $tokens); |
363 | 386 |
return FALSE; |
364 | 387 |
} |
... | ... | |
387 | 410 |
|
388 | 411 |
if (!module_exists('ldap_authorization')) { |
389 | 412 |
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning'); |
390 |
$tokens = array('!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication'));
|
|
413 |
$tokens = ['!ldap_authentication_config' => l(t('LDAP Authentication Configuration'), 'admin/config/people/ldap/authentication')];
|
|
391 | 414 |
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but LDAP Authorization module is not enabled. Please enable and configure LDAP Authorization or disable this option at !ldap_authentication_config .', $tokens); |
392 | 415 |
return FALSE; |
393 | 416 |
} |
394 | 417 |
|
395 | 418 |
$user = new stdClass(); |
396 | 419 |
$user->name = $name; |
397 |
$user->ldap_authenticated = TRUE; // fake user property added for query |
|
420 |
// Fake user property added for query. |
|
421 |
$user->ldap_authenticated = TRUE; |
|
398 | 422 |
$consumers = ldap_authorization_get_consumers(); |
399 | 423 |
$has_enabled_consumers = FALSE; |
400 | 424 |
$has_ldap_authorizations = FALSE; |
... | ... | |
415 | 439 |
|
416 | 440 |
if (!$has_enabled_consumers) { |
417 | 441 |
drupal_set_message(t(LDAP_AUTHENTICATION_DISABLED_FOR_BAD_CONF_MSG), 'warning'); |
418 |
$tokens = array('!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization'));
|
|
442 |
$tokens = ['!ldap_consumer_config' => l(t('LDAP Authorization Configuration'), 'admin/config/people/ldap/authorization')];
|
|
419 | 443 |
watchdog('ldap_authentication', 'LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured: !ldap_consumer_config .', $tokens); |
420 | 444 |
return FALSE; |
421 | 445 |
} |
... | ... | |
425 | 449 |
|
426 | 450 |
} |
427 | 451 |
|
428 |
// allow other modules to hook in and refuse if they like
|
|
452 |
// Allow other modules to hook in and refuse if they like.
|
|
429 | 453 |
$hook_result = TRUE; |
430 | 454 |
drupal_alter('ldap_authentication_allowuser_results', $ldap_user, $name, $hook_result); |
431 | 455 |
|
432 | 456 |
if ($hook_result === FALSE) { |
433 |
watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", array('%name' => $name), WATCHDOG_NOTICE);
|
|
457 |
watchdog('ldap_authentication', "Authentication Allow User Result=refused for %name", ['%name' => $name], WATCHDOG_NOTICE);
|
|
434 | 458 |
return FALSE; |
435 | 459 |
} |
436 | 460 |
|
... | ... | |
440 | 464 |
return TRUE; |
441 | 465 |
} |
442 | 466 |
|
443 |
|
|
444 | 467 |
} |
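Review bot: Three `@var` lines on the new side have had their internal spaces stripped — `* @var associativearrayofLdapServerobjectskeyedonsids` for `$enabledAuthenticationServers`, `* @var LdapUserobject` for `$ldapUser` and `* @var stringofphp` for `$allowTestPhp` — which looks like an auto-fixer artifact rather than intent; restore them as a type plus a description line, e.g. `* @var array` followed by `*   Associative array of LdapServer objects keyed on sid.`, and likewise `* @var string` with `*   PHP code (without opening tag) that prints 1 or 0.` for `$allowTestPhp`. The docblocks added above `hasEnabledAuthenticationServers()`, `enabled_servers()`, `__construct()` and `load()` are empty `/** * */` shells that carry no information; give each a one-line purpose such as `* Whether at least one LDAP server is enabled for authentication.` or drop them. In `allowUser()`, the reformatted line `if ((boolean) ($code_result) == FALSE) {` keeps a loose comparison where `if (!$code_result) {` is equivalent and clearer, and since this branch decides access on the result of `php_eval()` over configured code, a short comment that only a truthy result lets the login proceed would help the next reader. The bodies of `load()` and `allowUser()` continue outside the visible hunk lines, so the remainder of those checks could not be reviewed here.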
Weekly update of contrib modules