1
|
<?php
|
2
|
|
3
|
/**
|
4
|
* @file
|
5
|
* bulk of authorization code executed to determine a users authorizations
|
6
|
*/
|
7
|
|
8
|
function ldap_authorization_help_watchdog() { // remove after testing
|
9
|
|
10
|
$path = drupal_get_path("module", "ldap_help");
|
11
|
$_content = "";
|
12
|
if (module_exists('dblog')) {
|
13
|
include_once(drupal_get_path('module', 'dblog') . '/dblog.admin.inc');
|
14
|
$_SESSION['dblog_overview_filter']['type'] = Array('ldap' => 'ldap');
|
15
|
$_content .= "<h3>" . t('LDAP Watchdog Errors and Notifications') . "</h3>";
|
16
|
$overview = dblog_overview();
|
17
|
$_content .= render($overview);
|
18
|
|
19
|
$_content .= l(t('...more watchdog'), 'admin/reports/dblog');
|
20
|
}
|
21
|
else {
|
22
|
$_content .= "<h3>" . t('LDAP Help Watchdog Errors and Notifications') . "</h3>";
|
23
|
$_content .= 'This feature requires <code>Database logging</code> module to be turned on. ';
|
24
|
$_content .= l(t('Module enable page'), 'admin/build/modules');
|
25
|
}
|
26
|
|
27
|
|
28
|
return $_content;
|
29
|
}
|
30
|
|
31
|
|
32
|
/**
|
33
|
* return all desired authorizations for a given user
|
34
|
*
|
35
|
* @param object $user
|
36
|
*
|
37
|
* @param string $op =
|
38
|
* set -- grant authorizations (store in db) and return authorizations
|
39
|
* test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists
|
40
|
* test_query_set -- do grant authorizations, but also log data for debugging
|
41
|
* query -- don't grant authorization, just query and return authorizations
|
42
|
*
|
43
|
* @param string $consumer_type e.g. drupal_roles
|
44
|
* @param string $context 'logon', 'test_if_authorizations_granted'
|
45
|
*
|
46
|
* @return
|
47
|
*
|
48
|
* LDAP_AUTHORIZATION_NO_LDAP_SERVERS if no servers configured
|
49
|
* LDAP_AUTHORIZATION_LDAP_ERROR if ldap error
|
50
|
* TRUE if servers configured but no roles derived from ldap
|
51
|
* array of potential authorizations (user may or may not already have these)
|
52
|
*
|
53
|
* by reference $user->data[<consumer_type>][<authorization_id>] = array();
|
54
|
* e.g. $var['drupal_role']['content_admin'] = array('rid' => 4)
|
55
|
* e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
|
56
|
*
|
57
|
*/
|
58
|
|
59
|
|
60
|
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
|
61
|
$debug = FALSE;
|
62
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
63
|
$authorizations = array();
|
64
|
$notifications = array();
|
65
|
$watchdog_tokens = array('%username' => $user->name);
|
66
|
$consumers = ldap_authorization_get_consumers($consumer_type, TRUE, FALSE);
|
67
|
|
68
|
$servers = ldap_servers_get_servers(NULL, 'enabled', TRUE);
|
69
|
|
70
|
/**
|
71
|
* user 1 not used in ldap authorization. this is a design decision.
|
72
|
*/
|
73
|
if (property_exists($user, 'uid') && $user->uid == 1) {
|
74
|
if ($detailed_watchdog_log) {
|
75
|
watchdog('ldap_authorization', '%username : ldap_authorization not applied to user 1', $watchdog_tokens, WATCHDOG_DEBUG);
|
76
|
}
|
77
|
$notifications['all'] = LDAP_AUTHORIZATION_NOT_APPLY_USER_1;
|
78
|
foreach ($consumers as $consumer_type => $consumer) {
|
79
|
$authorizations[$consumer_type] = array();
|
80
|
}
|
81
|
return array($authorizations, $notifications);
|
82
|
}
|
83
|
|
84
|
/**
|
85
|
* determine if user is ldap authenticated
|
86
|
*/
|
87
|
if ($context == 'test_if_authorizations_granted' || (($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE)) {
|
88
|
$ldap_authenticated = $user->ldap_authenticated; // property 'ldap_authenticated' only exists for fake user objects submitted from testing form
|
89
|
}
|
90
|
else {
|
91
|
$ldap_authenticated = (boolean)(module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
92
|
}
|
93
|
$watchdog_tokens['%ldap_authenticated'] = ($ldap_authenticated) ? 'yes' : 'no';
|
94
|
|
95
|
foreach ($consumers as $consumer_type => $consumer) {
|
96
|
$authorizations[$consumer_type] = array();
|
97
|
/**
|
98
|
* each consumer type has only one consumer conf and each consumer conf has only one ldap server id (sid)
|
99
|
* so there is a one-to-one-to-one relationship between:
|
100
|
* - consumer object ($consumer),
|
101
|
* - server object ($ldap_server),
|
102
|
* - and consumer conf object.
|
103
|
*
|
104
|
*/
|
105
|
|
106
|
$consumer = ldap_authorization_get_consumer_object($consumer_type);
|
107
|
if (!$consumer->consumerConf->status) {
|
108
|
continue;
|
109
|
}
|
110
|
$proposed_ldap_authorizations = array();
|
111
|
$watchdog_tokens['%consumer_type'] = $consumer_type;
|
112
|
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid;
|
113
|
|
114
|
if (! is_object($consumer->consumerConf)) {
|
115
|
if ($detailed_watchdog_log) {
|
116
|
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
|
117
|
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG);
|
118
|
}
|
119
|
continue;
|
120
|
}
|
121
|
|
122
|
if ($detailed_watchdog_log) {
|
123
|
watchdog('ldap_authorization', '%username : testing with
|
124
|
consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens, WATCHDOG_DEBUG);
|
125
|
}
|
126
|
if ($debug) {
|
127
|
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens);
|
128
|
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int)$consumer->consumerConf->synchOnLogon); //$debug = TRUE;
|
129
|
}
|
130
|
|
131
|
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) {
|
132
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_MAP_NOT_CONF_FOR_LOGON;
|
133
|
if ($detailed_watchdog_log) {
|
134
|
watchdog('ldap_authorization', '%username : %consumer_type not set to run on user logon.', $watchdog_tokens, WATCHDOG_DEBUG);
|
135
|
}
|
136
|
continue;
|
137
|
}
|
138
|
|
139
|
if ($consumer->consumerConf->onlyApplyToLdapAuthenticated && !$ldap_authenticated && $op != 'test_query' && $op != 'test_query_set') {
|
140
|
if ($detailed_watchdog_log) {
|
141
|
watchdog('ldap_authorization', '%username : not used because it is set to be applied only to ldap authenticated users.
|
142
|
%username is not ldap authenticated.', $watchdog_tokens, WATCHDOG_DEBUG);
|
143
|
}
|
144
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_NOT_LDAP_AUTHENTICATED;
|
145
|
continue;
|
146
|
}
|
147
|
|
148
|
$ldap_user = ldap_servers_get_user_ldap_data($user, $consumer->consumerConf->sid, 'ldap_authorization__' . $consumer_type);
|
149
|
|
150
|
if (!$ldap_user) {
|
151
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND;
|
152
|
if ($detailed_watchdog_log) {
|
153
|
watchdog('ldap_authorization', '%username : %consumer_type ldap user not found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
154
|
}
|
155
|
continue;
|
156
|
}
|
157
|
|
158
|
if (! isset($servers[$consumer->consumerConf->sid])) {
|
159
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND;
|
160
|
if ($detailed_watchdog_log) {
|
161
|
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
162
|
}
|
163
|
continue;
|
164
|
}
|
165
|
|
166
|
$ldap_server = $consumer->consumerConf->server;
|
167
|
|
168
|
/**
|
169
|
* 1. first just need to figure out what authz_ids are generated for this consumer type/mapping configuration
|
170
|
*
|
171
|
* goal here is simply to build an array of authorizations for this ldap authz mapping
|
172
|
* $proposed_ldap_authorizations[<authorization id>] = properties associative array or empty array
|
173
|
* e.g. $proposed_ldap_authorizations['admin'] = array()
|
174
|
*
|
175
|
* @see ldap_authorization.api.php hook_ldap_authorization_maps_alter() notes
|
176
|
*/
|
177
|
|
178
|
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op);
|
179
|
|
180
|
/** make sure keys of array are lower case and values are mixed case
|
181
|
and strip to first attribute is configured
|
182
|
*/
|
183
|
|
184
|
foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
|
185
|
if ($consumer->consumerConf->useFirstAttrAsGroupId) {
|
186
|
$attr_parts = ldap_explode_dn($authorization_id, 0);
|
187
|
if (count($attr_parts) > 0) {
|
188
|
$first_part = explode('=', $attr_parts[0]);
|
189
|
if (count($first_part) > 1) {
|
190
|
$authorization_id = ldap_pear_unescape_dn_value(trim($first_part[1]));
|
191
|
}
|
192
|
}
|
193
|
$new_key = drupal_strtolower($authorization_id);
|
194
|
}
|
195
|
else {
|
196
|
$new_key = drupal_strtolower($key);
|
197
|
}
|
198
|
$proposed_ldap_authorizations[$new_key] = $authorization_id;
|
199
|
if ($key != $new_key) {
|
200
|
unset($proposed_ldap_authorizations[$key]);
|
201
|
}
|
202
|
}
|
203
|
|
204
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
205
|
$_SESSION['ldap_authorization_test_query']['useFirstAttrAsGroupId'] = $proposed_ldap_authorizations;
|
206
|
}
|
207
|
|
208
|
if ($detailed_watchdog_log || $debug) {
|
209
|
$_proposed_ldap_authorizations = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : array();
|
210
|
$watchdog_tokens['%proposed_authorizations'] = join(', ', $_proposed_ldap_authorizations);
|
211
|
}
|
212
|
if ($detailed_watchdog_log) {
|
213
|
watchdog('ldap_authorization', '%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
214
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
215
|
}
|
216
|
if ($debug) {
|
217
|
debug(t('%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
218
|
$watchdog_tokens));
|
219
|
}
|
220
|
|
221
|
/**
|
222
|
* 2. filter can be both a whitelist and a mapping of an ldap results to an authorization id.
|
223
|
* goal of this step is to generate $filtered_ldap_authorizations[$consumer_type]
|
224
|
* an array of filtered and mapped authorization ids
|
225
|
*/
|
226
|
|
227
|
$filtered_ldap_authorizations = array();
|
228
|
if ($consumer->consumerConf->useMappingsAsFilter) { // filter + map
|
229
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
230
|
$map_from = $mapping_filter['from'];
|
231
|
$map_to = $mapping_filter['normalized'];
|
232
|
if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
|
233
|
$filtered_ldap_authorizations[drupal_strtolower($map_to)] = array('map_to_string' => $map_to, 'exists' => NULL);
|
234
|
}
|
235
|
}
|
236
|
}
|
237
|
else { // only map, don't filter off authorizations that have no mapping
|
238
|
$_authorizations = array_values($proposed_ldap_authorizations);
|
239
|
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) {
|
240
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
241
|
$map_from = $mapping_filter['from'];
|
242
|
$map_to = $mapping_filter['normalized'];
|
243
|
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations));
|
244
|
if ($map_from_key !== FALSE) {
|
245
|
// remove non mapped authorization
|
246
|
$_authorizations = array_diff($_authorizations, array($map_from));
|
247
|
$_authorizations = array_diff($_authorizations, array(drupal_strtolower($map_from)));
|
248
|
// add mapped authorization
|
249
|
$_authorizations[] = $map_to;
|
250
|
// remove map from;
|
251
|
}
|
252
|
}
|
253
|
}
|
254
|
foreach ($_authorizations as $i => $authorization_id) {
|
255
|
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = array(
|
256
|
'map_to_string' => $authorization_id,
|
257
|
'exists' => NULL,
|
258
|
'value' => $authorization_id
|
259
|
);
|
260
|
}
|
261
|
}
|
262
|
|
263
|
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers); // set values of $filtered_ldap_authorizations to consumers
|
264
|
/**
|
265
|
* now that we have list of consumers that are to be granted, give other modules a chance to alter it
|
266
|
*
|
267
|
* @see ldap_authorization.api.php hook_ldap_authorization_authorizations_alter() notes
|
268
|
*/
|
269
|
$params = array(
|
270
|
'user' => $user,
|
271
|
'ldap_user' => $ldap_user,
|
272
|
'ldap_server' => $ldap_server,
|
273
|
'consumer' => $consumer,
|
274
|
);
|
275
|
|
276
|
drupal_alter('ldap_authorization_authorizations', $filtered_ldap_authorizations, $params);
|
277
|
|
278
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
279
|
if ($detailed_watchdog_log) {
|
280
|
watchdog('ldap_authorization', '%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
281
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
282
|
}
|
283
|
if ($debug) {
|
284
|
debug(t('%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
285
|
$watchdog_tokens));
|
286
|
}
|
287
|
|
288
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
289
|
$display_authorizations = array();
|
290
|
foreach ($filtered_ldap_authorizations as $consumer_id => $_consumer) {
|
291
|
$display_authorizations[] = $_consumer['map_to_string'];
|
292
|
}
|
293
|
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations;
|
294
|
$data = property_exists($user, 'data') ? $user->data['ldap_authorizations'][$consumer->consumerType] : array();
|
295
|
$_SESSION['ldap_authorization_test_query']['user data'] = $data;
|
296
|
}
|
297
|
|
298
|
/**
|
299
|
* 3. third, grant any proposed authorizations not already granted
|
300
|
*/
|
301
|
|
302
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
303
|
$_SESSION['ldap_authorization_test_query']['tokens'] = $watchdog_tokens;
|
304
|
}
|
305
|
if ($op == 'set' || $op == "test_query_set") {
|
306
|
$test = ($op == "test_query_set");
|
307
|
_ldap_authorizations_user_authorizations_set($user, $consumer, $filtered_ldap_authorizations, $ldap_user, $watchdog_tokens, $test);
|
308
|
}
|
309
|
|
310
|
$authorizations[$consumer_type] = $filtered_ldap_authorizations;
|
311
|
} // end foreach $consumers
|
312
|
|
313
|
return array($authorizations, $notifications);
|
314
|
|
315
|
}
|
316
|
/**
|
317
|
* @param object $user is a drupal user account object, need not be current user
|
318
|
* @param object $consumer is instance of an authorization consumer class
|
319
|
* such as LdapAuthorizationConsumerDrupalRole
|
320
|
* @param associative array of lower case authorization ids as keys and
|
321
|
* mixed case strings as values $filtered_ldap_authorizations
|
322
|
* all authorization ids a user is granted via ldap authorization configuration
|
323
|
* @param object $ldap_entry is users ldap entry. mapping of drupal user to
|
324
|
* ldap entry is stored in ldap_server configuration
|
325
|
*
|
326
|
* returns nothing
|
327
|
*/
|
328
|
|
329
|
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
|
330
|
|
331
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
332
|
ldap_authorization_cleanse_empty_og_fields($user);
|
333
|
|
334
|
/**
|
335
|
* A. Determine what authorizations have been granted in the past by ldap authorization
|
336
|
*/
|
337
|
|
338
|
if (isset($user->data['ldap_authorizations'][$consumer->consumerType])
|
339
|
&& is_array($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
340
|
$user_auth_data = $user->data['ldap_authorizations'][$consumer->consumerType];
|
341
|
$initial_existing_ldap_authorizations = array_keys($user_auth_data);
|
342
|
}
|
343
|
else {
|
344
|
$user_auth_data = array();
|
345
|
$initial_existing_ldap_authorizations = array();
|
346
|
}
|
347
|
|
348
|
if ($test) {
|
349
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user_auth_data;
|
350
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
351
|
}
|
352
|
|
353
|
$watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations);
|
354
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
355
|
/**
|
356
|
* B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations
|
357
|
*/
|
358
|
|
359
|
if (!$consumer->consumerConf->regrantLdapProvisioned) {
|
360
|
// if regranting disabled, filter off previously granted roles
|
361
|
$grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations);
|
362
|
if ($test) {
|
363
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants;
|
364
|
}
|
365
|
}
|
366
|
else {
|
367
|
$grants = array_keys($filtered_ldap_authorizations);
|
368
|
}
|
369
|
|
370
|
$watchdog_tokens['%grants1'] = join(', ', $grants);
|
371
|
|
372
|
/**
|
373
|
* D. Only grant authorization consumer ids that exist
|
374
|
*/
|
375
|
|
376
|
$existing_grants = array(); // keys are lcase, values are mixed case
|
377
|
foreach ($grants as $i => $grant) {
|
378
|
if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
|
379
|
$existing_grants[$grant] = $filtered_ldap_authorizations[$grant];
|
380
|
}
|
381
|
}
|
382
|
/**
|
383
|
* E. Do grants
|
384
|
*/
|
385
|
$watchdog_tokens['%filtered_grants_full_array'] = print_r($existing_grants, TRUE);
|
386
|
$consumer->authorizationGrant($user, $user_auth_data, $existing_grants, $ldap_entry, FALSE);
|
387
|
$watchdog_tokens['%user_auth_data_post_grants'] = print_r($user_auth_data, TRUE);
|
388
|
$watchdog_tokens['%user_data_post_grants'] = print_r($user->data, TRUE);
|
389
|
|
390
|
/**
|
391
|
* 3.F take away any authorizations not in proposed authorization,
|
392
|
* but previously granted by ldap
|
393
|
*/
|
394
|
$watchdog_tokens['%revokes'] = t('none');
|
395
|
|
396
|
if ($consumer->consumerConf->revokeLdapProvisioned) {
|
397
|
$revokes_lcase = $consumer->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations));
|
398
|
if (count($revokes_lcase)) {
|
399
|
$revokes = array(); // keys are lcase, values are mixed case
|
400
|
foreach ($revokes_lcase as $i => $revoke_lcase) {
|
401
|
$revokes[$revoke_lcase] = array(
|
402
|
'value' => NULL,
|
403
|
'map_to_string' => NULL,
|
404
|
'exists' => TRUE,
|
405
|
);
|
406
|
}
|
407
|
if ($test) {
|
408
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Revokes'] = $revokes;
|
409
|
}
|
410
|
$consumer->authorizationRevoke($user, $user_auth_data, $revokes, $ldap_entry, FALSE);
|
411
|
$watchdog_tokens['%revokes'] = join(', ', array_keys($revokes));
|
412
|
}
|
413
|
}
|
414
|
|
415
|
$watchdog_tokens['%user_auth_data_post_revokes'] = print_r($user_auth_data, TRUE);
|
416
|
$watchdog_tokens['%user_data_post_revokes'] = print_r($user->data, TRUE);
|
417
|
|
418
|
/**
|
419
|
* 3.G save user object and user data
|
420
|
* note $user object is passed by reference into this function
|
421
|
*/
|
422
|
|
423
|
$uid = $user->uid;
|
424
|
$user_edit = array('data' => $user->data);
|
425
|
$user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? array() : $user->data['ldap_authorizations'];
|
426
|
$consumer->sortConsumerIds('grant', $user_auth_data); // keep in good display order
|
427
|
$user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data;
|
428
|
$watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE);
|
429
|
if (empty($user->picture->fid)) { // see #1973352 and #935592
|
430
|
$user2 = user_load($user->uid);
|
431
|
$user->picture = $user2->picture;
|
432
|
}
|
433
|
$user = user_save($user, $user_edit);
|
434
|
|
435
|
$watchdog_tokens['%user_data_post_save'] = print_r($user->data, TRUE);
|
436
|
$watchdog_tokens['%user_roles_post_save'] = print_r($user->roles, TRUE);
|
437
|
|
438
|
if ($detailed_watchdog_log) {
|
439
|
watchdog('ldap_authorization',
|
440
|
'%username : user_authorizations_set results for %consumer_type:
|
441
|
<hr/>1. Initial existing authorizations: %initial
|
442
|
<hr/>2. Filtered Authorizations: %filtered_ldap_authorizations
|
443
|
<hr/>3. After filtering off previously granted authorizations (if regrant is false): %grants1
|
444
|
|
445
|
<hr/>4a. full consumers array, pre grants: %filtered_grants_full_array
|
446
|
<hr/>4b. user auth data after grants %consumer_type: <pre>%user_auth_data_post_grants</pre>
|
447
|
<hr/>4c. user data after grants for %consumer_type: <pre>%user_data_post_grants</pre>
|
448
|
|
449
|
<hr/>5a. revokes passed to authorizationRevoke(): %revokes
|
450
|
<hr/>5b. user auth data after revokes %consumer_type: <pre>%user_auth_data_post_revokes</pre>
|
451
|
<hr/>5c. user data after revokes for %consumer_type: <pre>%user_data_post_revokes</pre>
|
452
|
|
453
|
<hr/>6a. user_edit pre save : <pre>%user_edit_presave</pre>
|
454
|
<hr/>6b. user data post save: <pre>%user_data_post_save</pre>
|
455
|
<hr/>6c. user roles post save: <pre>%user_roles_post_save</pre>
|
456
|
',
|
457
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
458
|
}
|
459
|
|
460
|
if ($test) {
|
461
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
462
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user->data['ldap_authorizations'][$consumer->consumerType];
|
463
|
}
|
464
|
|
465
|
}
|
466
|
|
467
|
function _ldap_authorization_ldap_authorization_maps_alter(&$user, &$user_ldap_entry, &$ldap_server, &$consumer_conf, &$authz_ids, $op) {
|
468
|
|
469
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
470
|
$watchdog_tokens = array();
|
471
|
|
472
|
// groups extracted from user's DN. such as ou=IT => group = "IT"
|
473
|
$derive_from_dn_authorizations = array();
|
474
|
if ($rdn_values = $consumer_conf->server->groupUserMembershipsFromDn($user)) {
|
475
|
$derive_from_dn_authorizations = array_combine($rdn_values, $rdn_values);
|
476
|
}
|
477
|
else {
|
478
|
$derive_from_dn_authorizations = array();
|
479
|
}
|
480
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
481
|
$_SESSION['ldap_authorization_test_query']['maps']['Derive from DN'] = ($rdn_values) ? $derive_from_dn_authorizations : t('disabled');
|
482
|
}
|
483
|
|
484
|
// traditional groups (dns)
|
485
|
$group_dns = $consumer_conf->server->groupMembershipsFromUser($user, 'group_dns');
|
486
|
if (!$group_dns) {
|
487
|
$group_dns = array();
|
488
|
}
|
489
|
elseif (count($group_dns)) {
|
490
|
$group_dns = array_unique($group_dns);
|
491
|
}
|
492
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
493
|
$_SESSION['ldap_authorization_test_query']['maps']['Groups DNs'] = $group_dns;
|
494
|
}
|
495
|
|
496
|
$values = array_merge($derive_from_dn_authorizations, $group_dns);
|
497
|
$values = array_unique($values);
|
498
|
$authz_ids = (count($values)) ? array_combine($values, $values) : array();
|
499
|
if ($detailed_watchdog_log) {
|
500
|
$watchdog_tokens['%username'] = $user->name;
|
501
|
$watchdog_tokens['%ldap_server'] = $ldap_server->sid;
|
502
|
$watchdog_tokens['%deriveFromDn'] = join(', ', $derive_from_dn_authorizations);
|
503
|
$watchdog_tokens['%deriveFromGroups'] = join(', ', $group_dns);
|
504
|
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
505
|
|
506
|
watchdog('ldap_authorization', '%username :_ldap_authorization_ldap_authorization_maps_alter:
|
507
|
<hr/>deriveFromDn authorization ids: %deriveFromDn
|
508
|
<hr/>deriveFromAttr authorization ids: %deriveFromGroups
|
509
|
<hr/>merged authz_ids authorization ids: %authz_ids
|
510
|
',
|
511
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
512
|
}
|
513
|
|
514
|
}
|