1 |
85ad3d82
|
Assos Assos
|
<?php
|
2 |
|
|
|
3 |
|
|
/**
|
4 |
|
|
* @file
|
5 |
bc175c27
|
Assos Assos
|
* Bulk of authorization code executed to determine a users authorizations.
|
6 |
85ad3d82
|
Assos Assos
|
*/
|
7 |
|
|
|
8 |
bc175c27
|
Assos Assos
|
/**
|
9 |
32700c57
|
Assos Assos
|
* Unclear.
|
10 |
bc175c27
|
Assos Assos
|
*/
|
11 |
|
|
function ldap_authorization_help_watchdog() {
|
12 |
|
|
|
13 |
|
|
$path = drupal_get_path("module", "ldap_help");
|
14 |
85ad3d82
|
Assos Assos
|
$_content = "";
|
15 |
|
|
if (module_exists('dblog')) {
|
16 |
bc175c27
|
Assos Assos
|
include_once drupal_get_path('module', 'dblog') . '/dblog.admin.inc';
|
17 |
32700c57
|
Assos Assos
|
$_SESSION['dblog_overview_filter']['type'] = ['ldap' => 'ldap'];
|
18 |
85ad3d82
|
Assos Assos
|
$_content .= "<h3>" . t('LDAP Watchdog Errors and Notifications') . "</h3>";
|
19 |
|
|
$overview = dblog_overview();
|
20 |
|
|
$_content .= render($overview);
|
21 |
|
|
|
22 |
|
|
$_content .= l(t('...more watchdog'), 'admin/reports/dblog');
|
23 |
|
|
}
|
24 |
|
|
else {
|
25 |
|
|
$_content .= "<h3>" . t('LDAP Help Watchdog Errors and Notifications') . "</h3>";
|
26 |
|
|
$_content .= 'This feature requires <code>Database logging</code> module to be turned on. ';
|
27 |
|
|
$_content .= l(t('Module enable page'), 'admin/build/modules');
|
28 |
|
|
}
|
29 |
|
|
|
30 |
|
|
return $_content;
|
31 |
|
|
}
|
32 |
|
|
|
33 |
|
|
/**
|
34 |
bc175c27
|
Assos Assos
|
* Return all desired authorizations for a given user.
|
35 |
85ad3d82
|
Assos Assos
|
*
|
36 |
|
|
* @param object $user
|
37 |
|
|
*
|
38 |
bc175c27
|
Assos Assos
|
* @param string $op
|
39 |
|
|
* =
|
40 |
85ad3d82
|
Assos Assos
|
* set -- grant authorizations (store in db) and return authorizations
|
41 |
|
|
* test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists
|
42 |
|
|
* test_query_set -- do grant authorizations, but also log data for debugging
|
43 |
bc175c27
|
Assos Assos
|
* query -- don't grant authorization, just query and return authorizations.
|
44 |
85ad3d82
|
Assos Assos
|
*
|
45 |
bc175c27
|
Assos Assos
|
* @param string $consumer_type
|
46 |
|
|
* e.g. drupal_roles.
|
47 |
|
|
* @param string $context
|
48 |
|
|
* 'logon', 'test_if_authorizations_granted'.
|
49 |
85ad3d82
|
Assos Assos
|
*
|
50 |
|
|
* @return
|
51 |
|
|
*
|
52 |
|
|
* LDAP_AUTHORIZATION_NO_LDAP_SERVERS if no servers configured
|
53 |
|
|
* LDAP_AUTHORIZATION_LDAP_ERROR if ldap error
|
54 |
|
|
* TRUE if servers configured but no roles derived from ldap
|
55 |
|
|
* array of potential authorizations (user may or may not already have these)
|
56 |
|
|
*
|
57 |
|
|
* by reference $user->data[<consumer_type>][<authorization_id>] = array();
|
58 |
|
|
* e.g. $var['drupal_role']['content_admin'] = array('rid' => 4)
|
59 |
|
|
* e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
|
60 |
|
|
*/
|
61 |
|
|
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
|
62 |
|
|
$debug = FALSE;
|
63 |
|
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
64 |
32700c57
|
Assos Assos
|
$authorizations = [];
|
65 |
|
|
$notifications = [];
|
66 |
|
|
$watchdog_tokens = ['%username' => $user->name];
|
67 |
85ad3d82
|
Assos Assos
|
$consumers = ldap_authorization_get_consumers($consumer_type, TRUE, FALSE);
|
68 |
|
|
|
69 |
|
|
$servers = ldap_servers_get_servers(NULL, 'enabled', TRUE);
|
70 |
|
|
|
71 |
|
|
/**
|
72 |
|
|
* user 1 not used in ldap authorization. this is a design decision.
|
73 |
|
|
*/
|
74 |
|
|
if (property_exists($user, 'uid') && $user->uid == 1) {
|
75 |
|
|
if ($detailed_watchdog_log) {
|
76 |
|
|
watchdog('ldap_authorization', '%username : ldap_authorization not applied to user 1', $watchdog_tokens, WATCHDOG_DEBUG);
|
77 |
|
|
}
|
78 |
|
|
$notifications['all'] = LDAP_AUTHORIZATION_NOT_APPLY_USER_1;
|
79 |
|
|
foreach ($consumers as $consumer_type => $consumer) {
|
80 |
32700c57
|
Assos Assos
|
$authorizations[$consumer_type] = [];
|
81 |
85ad3d82
|
Assos Assos
|
}
|
82 |
32700c57
|
Assos Assos
|
return [$authorizations, $notifications];
|
83 |
85ad3d82
|
Assos Assos
|
}
|
84 |
|
|
|
85 |
|
|
/**
|
86 |
|
|
* determine if user is ldap authenticated
|
87 |
|
|
*/
|
88 |
|
|
if ($context == 'test_if_authorizations_granted' || (($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE)) {
|
89 |
bc175c27
|
Assos Assos
|
// Property 'ldap_authenticated' only exists for fake user objects submitted from testing form.
|
90 |
|
|
$ldap_authenticated = $user->ldap_authenticated;
|
91 |
85ad3d82
|
Assos Assos
|
}
|
92 |
|
|
else {
|
93 |
bc175c27
|
Assos Assos
|
$ldap_authenticated = (boolean) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
94 |
85ad3d82
|
Assos Assos
|
}
|
95 |
|
|
$watchdog_tokens['%ldap_authenticated'] = ($ldap_authenticated) ? 'yes' : 'no';
|
96 |
|
|
|
97 |
|
|
foreach ($consumers as $consumer_type => $consumer) {
|
98 |
32700c57
|
Assos Assos
|
$authorizations[$consumer_type] = [];
|
99 |
85ad3d82
|
Assos Assos
|
/**
|
100 |
|
|
* each consumer type has only one consumer conf and each consumer conf has only one ldap server id (sid)
|
101 |
|
|
* so there is a one-to-one-to-one relationship between:
|
102 |
|
|
* - consumer object ($consumer),
|
103 |
|
|
* - server object ($ldap_server),
|
104 |
|
|
* - and consumer conf object.
|
105 |
|
|
*
|
106 |
|
|
*/
|
107 |
|
|
|
108 |
|
|
$consumer = ldap_authorization_get_consumer_object($consumer_type);
|
109 |
|
|
if (!$consumer->consumerConf->status) {
|
110 |
|
|
continue;
|
111 |
|
|
}
|
112 |
32700c57
|
Assos Assos
|
$proposed_ldap_authorizations = [];
|
113 |
85ad3d82
|
Assos Assos
|
$watchdog_tokens['%consumer_type'] = $consumer_type;
|
114 |
|
|
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid;
|
115 |
|
|
|
116 |
bc175c27
|
Assos Assos
|
if (!is_object($consumer->consumerConf)) {
|
117 |
85ad3d82
|
Assos Assos
|
if ($detailed_watchdog_log) {
|
118 |
|
|
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
|
119 |
|
|
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG);
|
120 |
|
|
}
|
121 |
|
|
continue;
|
122 |
|
|
}
|
123 |
|
|
|
124 |
|
|
if ($detailed_watchdog_log) {
|
125 |
|
|
watchdog('ldap_authorization', '%username : testing with
|
126 |
|
|
consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens, WATCHDOG_DEBUG);
|
127 |
|
|
}
|
128 |
|
|
if ($debug) {
|
129 |
|
|
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens);
|
130 |
bc175c27
|
Assos Assos
|
// $debug = TRUE;.
|
131 |
|
|
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int) $consumer->consumerConf->synchOnLogon);
|
132 |
85ad3d82
|
Assos Assos
|
}
|
133 |
|
|
|
134 |
|
|
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) {
|
135 |
|
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_MAP_NOT_CONF_FOR_LOGON;
|
136 |
|
|
if ($detailed_watchdog_log) {
|
137 |
|
|
watchdog('ldap_authorization', '%username : %consumer_type not set to run on user logon.', $watchdog_tokens, WATCHDOG_DEBUG);
|
138 |
|
|
}
|
139 |
|
|
continue;
|
140 |
|
|
}
|
141 |
|
|
|
142 |
|
|
if ($consumer->consumerConf->onlyApplyToLdapAuthenticated && !$ldap_authenticated && $op != 'test_query' && $op != 'test_query_set') {
|
143 |
|
|
if ($detailed_watchdog_log) {
|
144 |
|
|
watchdog('ldap_authorization', '%username : not used because it is set to be applied only to ldap authenticated users.
|
145 |
|
|
%username is not ldap authenticated.', $watchdog_tokens, WATCHDOG_DEBUG);
|
146 |
|
|
}
|
147 |
|
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_NOT_LDAP_AUTHENTICATED;
|
148 |
|
|
continue;
|
149 |
|
|
}
|
150 |
|
|
|
151 |
|
|
$ldap_user = ldap_servers_get_user_ldap_data($user, $consumer->consumerConf->sid, 'ldap_authorization__' . $consumer_type);
|
152 |
|
|
|
153 |
|
|
if (!$ldap_user) {
|
154 |
|
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND;
|
155 |
|
|
if ($detailed_watchdog_log) {
|
156 |
|
|
watchdog('ldap_authorization', '%username : %consumer_type ldap user not found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
157 |
|
|
}
|
158 |
|
|
continue;
|
159 |
|
|
}
|
160 |
|
|
|
161 |
bc175c27
|
Assos Assos
|
if (!isset($servers[$consumer->consumerConf->sid])) {
|
162 |
85ad3d82
|
Assos Assos
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND;
|
163 |
|
|
if ($detailed_watchdog_log) {
|
164 |
|
|
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
165 |
|
|
}
|
166 |
|
|
continue;
|
167 |
|
|
}
|
168 |
|
|
|
169 |
|
|
$ldap_server = $consumer->consumerConf->server;
|
170 |
|
|
|
171 |
|
|
/**
|
172 |
|
|
* 1. first just need to figure out what authz_ids are generated for this consumer type/mapping configuration
|
173 |
|
|
*
|
174 |
|
|
* goal here is simply to build an array of authorizations for this ldap authz mapping
|
175 |
|
|
* $proposed_ldap_authorizations[<authorization id>] = properties associative array or empty array
|
176 |
|
|
* e.g. $proposed_ldap_authorizations['admin'] = array()
|
177 |
|
|
*
|
178 |
|
|
* @see ldap_authorization.api.php hook_ldap_authorization_maps_alter() notes
|
179 |
|
|
*/
|
180 |
|
|
|
181 |
|
|
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op);
|
182 |
|
|
|
183 |
|
|
/** make sure keys of array are lower case and values are mixed case
|
184 |
bc175c27
|
Assos Assos
|
* and strip to first attribute is configured
|
185 |
85ad3d82
|
Assos Assos
|
*/
|
186 |
|
|
|
187 |
|
|
foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
|
188 |
|
|
if ($consumer->consumerConf->useFirstAttrAsGroupId) {
|
189 |
|
|
$attr_parts = ldap_explode_dn($authorization_id, 0);
|
190 |
32700c57
|
Assos Assos
|
if (!empty($attr_parts) && count($attr_parts) > 0) {
|
191 |
85ad3d82
|
Assos Assos
|
$first_part = explode('=', $attr_parts[0]);
|
192 |
|
|
if (count($first_part) > 1) {
|
193 |
|
|
$authorization_id = ldap_pear_unescape_dn_value(trim($first_part[1]));
|
194 |
|
|
}
|
195 |
|
|
}
|
196 |
|
|
$new_key = drupal_strtolower($authorization_id);
|
197 |
|
|
}
|
198 |
|
|
else {
|
199 |
|
|
$new_key = drupal_strtolower($key);
|
200 |
|
|
}
|
201 |
|
|
$proposed_ldap_authorizations[$new_key] = $authorization_id;
|
202 |
|
|
if ($key != $new_key) {
|
203 |
|
|
unset($proposed_ldap_authorizations[$key]);
|
204 |
|
|
}
|
205 |
|
|
}
|
206 |
|
|
|
207 |
|
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
208 |
|
|
$_SESSION['ldap_authorization_test_query']['useFirstAttrAsGroupId'] = $proposed_ldap_authorizations;
|
209 |
|
|
}
|
210 |
|
|
|
211 |
|
|
if ($detailed_watchdog_log || $debug) {
|
212 |
32700c57
|
Assos Assos
|
$_proposed_ldap_authorizations = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : [];
|
213 |
85ad3d82
|
Assos Assos
|
$watchdog_tokens['%proposed_authorizations'] = join(', ', $_proposed_ldap_authorizations);
|
214 |
|
|
}
|
215 |
|
|
if ($detailed_watchdog_log) {
|
216 |
|
|
watchdog('ldap_authorization', '%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
217 |
|
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
218 |
|
|
}
|
219 |
|
|
if ($debug) {
|
220 |
|
|
debug(t('%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
221 |
|
|
$watchdog_tokens));
|
222 |
|
|
}
|
223 |
|
|
|
224 |
|
|
/**
|
225 |
|
|
* 2. filter can be both a whitelist and a mapping of an ldap results to an authorization id.
|
226 |
|
|
* goal of this step is to generate $filtered_ldap_authorizations[$consumer_type]
|
227 |
|
|
* an array of filtered and mapped authorization ids
|
228 |
|
|
*/
|
229 |
|
|
|
230 |
32700c57
|
Assos Assos
|
$filtered_ldap_authorizations = [];
|
231 |
bc175c27
|
Assos Assos
|
// Filter + map.
|
232 |
|
|
if ($consumer->consumerConf->useMappingsAsFilter) {
|
233 |
85ad3d82
|
Assos Assos
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
234 |
|
|
$map_from = $mapping_filter['from'];
|
235 |
|
|
$map_to = $mapping_filter['normalized'];
|
236 |
|
|
if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
|
237 |
32700c57
|
Assos Assos
|
$filtered_ldap_authorizations[drupal_strtolower($map_to)] = ['map_to_string' => $map_to, 'exists' => NULL];
|
238 |
85ad3d82
|
Assos Assos
|
}
|
239 |
|
|
}
|
240 |
|
|
}
|
241 |
bc175c27
|
Assos Assos
|
// Only map, don't filter off authorizations that have no mapping.
|
242 |
|
|
else {
|
243 |
85ad3d82
|
Assos Assos
|
$_authorizations = array_values($proposed_ldap_authorizations);
|
244 |
|
|
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) {
|
245 |
|
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
246 |
|
|
$map_from = $mapping_filter['from'];
|
247 |
|
|
$map_to = $mapping_filter['normalized'];
|
248 |
|
|
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations));
|
249 |
|
|
if ($map_from_key !== FALSE) {
|
250 |
bc175c27
|
Assos Assos
|
// Remove non mapped authorization.
|
251 |
32700c57
|
Assos Assos
|
$_authorizations = array_diff($_authorizations, [$map_from]);
|
252 |
|
|
$_authorizations = array_diff($_authorizations, [drupal_strtolower($map_from)]);
|
253 |
bc175c27
|
Assos Assos
|
// Add mapped authorization.
|
254 |
85ad3d82
|
Assos Assos
|
$_authorizations[] = $map_to;
|
255 |
|
|
}
|
256 |
|
|
}
|
257 |
|
|
}
|
258 |
|
|
foreach ($_authorizations as $i => $authorization_id) {
|
259 |
32700c57
|
Assos Assos
|
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = [
|
260 |
85ad3d82
|
Assos Assos
|
'map_to_string' => $authorization_id,
|
261 |
|
|
'exists' => NULL,
|
262 |
bc175c27
|
Assos Assos
|
'value' => $authorization_id,
|
263 |
32700c57
|
Assos Assos
|
];
|
264 |
85ad3d82
|
Assos Assos
|
}
|
265 |
|
|
}
|
266 |
|
|
|
267 |
bc175c27
|
Assos Assos
|
// Set values of $filtered_ldap_authorizations to consumers.
|
268 |
|
|
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers);
|
269 |
85ad3d82
|
Assos Assos
|
/**
|
270 |
|
|
* now that we have list of consumers that are to be granted, give other modules a chance to alter it
|
271 |
|
|
*
|
272 |
|
|
* @see ldap_authorization.api.php hook_ldap_authorization_authorizations_alter() notes
|
273 |
|
|
*/
|
274 |
32700c57
|
Assos Assos
|
$params = [
|
275 |
85ad3d82
|
Assos Assos
|
'user' => $user,
|
276 |
|
|
'ldap_user' => $ldap_user,
|
277 |
|
|
'ldap_server' => $ldap_server,
|
278 |
|
|
'consumer' => $consumer,
|
279 |
32700c57
|
Assos Assos
|
];
|
280 |
85ad3d82
|
Assos Assos
|
|
281 |
|
|
drupal_alter('ldap_authorization_authorizations', $filtered_ldap_authorizations, $params);
|
282 |
|
|
|
283 |
|
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
284 |
|
|
if ($detailed_watchdog_log) {
|
285 |
|
|
watchdog('ldap_authorization', '%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
286 |
|
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
287 |
|
|
}
|
288 |
|
|
if ($debug) {
|
289 |
|
|
debug(t('%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
290 |
|
|
$watchdog_tokens));
|
291 |
|
|
}
|
292 |
|
|
|
293 |
|
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
294 |
32700c57
|
Assos Assos
|
$display_authorizations = [];
|
295 |
85ad3d82
|
Assos Assos
|
foreach ($filtered_ldap_authorizations as $consumer_id => $_consumer) {
|
296 |
|
|
$display_authorizations[] = $_consumer['map_to_string'];
|
297 |
|
|
}
|
298 |
|
|
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations;
|
299 |
bc175c27
|
Assos Assos
|
if (property_exists($user, 'data') &&
|
300 |
|
|
isset($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
301 |
|
|
$data = $user->data['ldap_authorizations'][$consumer->consumerType];
|
302 |
|
|
}
|
303 |
|
|
else {
|
304 |
|
|
$data = [];
|
305 |
|
|
}
|
306 |
85ad3d82
|
Assos Assos
|
$_SESSION['ldap_authorization_test_query']['user data'] = $data;
|
307 |
|
|
}
|
308 |
|
|
|
309 |
|
|
/**
|
310 |
|
|
* 3. third, grant any proposed authorizations not already granted
|
311 |
|
|
*/
|
312 |
|
|
|
313 |
|
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
314 |
|
|
$_SESSION['ldap_authorization_test_query']['tokens'] = $watchdog_tokens;
|
315 |
|
|
}
|
316 |
|
|
if ($op == 'set' || $op == "test_query_set") {
|
317 |
|
|
$test = ($op == "test_query_set");
|
318 |
|
|
_ldap_authorizations_user_authorizations_set($user, $consumer, $filtered_ldap_authorizations, $ldap_user, $watchdog_tokens, $test);
|
319 |
|
|
}
|
320 |
|
|
|
321 |
|
|
$authorizations[$consumer_type] = $filtered_ldap_authorizations;
|
322 |
|
|
} // end foreach $consumers
|
323 |
|
|
|
324 |
32700c57
|
Assos Assos
|
return [$authorizations, $notifications];
|
325 |
85ad3d82
|
Assos Assos
|
|
326 |
|
|
}
|
327 |
bc175c27
|
Assos Assos
|
|
328 |
85ad3d82
|
Assos Assos
|
/**
|
329 |
bc175c27
|
Assos Assos
|
* @param object $user
|
330 |
|
|
* is a drupal user account object, need not be current user.
|
331 |
|
|
* @param object $consumer
|
332 |
|
|
* is instance of an authorization consumer class
|
333 |
|
|
* such as LdapAuthorizationConsumerDrupalRole.
|
334 |
32700c57
|
Assos Assos
|
* @param array of lower case authorization ids as keys and
|
335 |
bc175c27
|
Assos Assos
|
* mixed case strings as values $filtered_ldap_authorizations
|
336 |
85ad3d82
|
Assos Assos
|
* all authorization ids a user is granted via ldap authorization configuration
|
337 |
bc175c27
|
Assos Assos
|
* @param object $ldap_entry
|
338 |
|
|
* is users ldap entry. mapping of drupal user to
|
339 |
85ad3d82
|
Assos Assos
|
* ldap entry is stored in ldap_server configuration
|
340 |
|
|
*
|
341 |
bc175c27
|
Assos Assos
|
* returns nothing.
|
342 |
85ad3d82
|
Assos Assos
|
*/
|
343 |
|
|
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
|
344 |
|
|
|
345 |
|
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
346 |
|
|
ldap_authorization_cleanse_empty_og_fields($user);
|
347 |
|
|
|
348 |
|
|
/**
|
349 |
|
|
* A. Determine what authorizations have been granted in the past by ldap authorization
|
350 |
|
|
*/
|
351 |
|
|
|
352 |
|
|
if (isset($user->data['ldap_authorizations'][$consumer->consumerType])
|
353 |
|
|
&& is_array($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
354 |
|
|
$user_auth_data = $user->data['ldap_authorizations'][$consumer->consumerType];
|
355 |
|
|
$initial_existing_ldap_authorizations = array_keys($user_auth_data);
|
356 |
|
|
}
|
357 |
|
|
else {
|
358 |
32700c57
|
Assos Assos
|
$user_auth_data = [];
|
359 |
|
|
$initial_existing_ldap_authorizations = [];
|
360 |
85ad3d82
|
Assos Assos
|
}
|
361 |
|
|
|
362 |
|
|
if ($test) {
|
363 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user_auth_data;
|
364 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
365 |
|
|
}
|
366 |
|
|
|
367 |
|
|
$watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations);
|
368 |
|
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
369 |
bc175c27
|
Assos Assos
|
/**
|
370 |
85ad3d82
|
Assos Assos
|
* B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations
|
371 |
|
|
*/
|
372 |
|
|
|
373 |
|
|
if (!$consumer->consumerConf->regrantLdapProvisioned) {
|
374 |
bc175c27
|
Assos Assos
|
// If regranting disabled, filter off previously granted roles.
|
375 |
85ad3d82
|
Assos Assos
|
$grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations);
|
376 |
|
|
if ($test) {
|
377 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants;
|
378 |
|
|
}
|
379 |
|
|
}
|
380 |
|
|
else {
|
381 |
|
|
$grants = array_keys($filtered_ldap_authorizations);
|
382 |
|
|
}
|
383 |
|
|
|
384 |
|
|
$watchdog_tokens['%grants1'] = join(', ', $grants);
|
385 |
|
|
|
386 |
bc175c27
|
Assos Assos
|
/**
|
387 |
85ad3d82
|
Assos Assos
|
* D. Only grant authorization consumer ids that exist
|
388 |
|
|
*/
|
389 |
|
|
|
390 |
bc175c27
|
Assos Assos
|
// Keys are lcase, values are mixed case.
|
391 |
32700c57
|
Assos Assos
|
$existing_grants = [];
|
392 |
85ad3d82
|
Assos Assos
|
foreach ($grants as $i => $grant) {
|
393 |
|
|
if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
|
394 |
|
|
$existing_grants[$grant] = $filtered_ldap_authorizations[$grant];
|
395 |
|
|
}
|
396 |
|
|
}
|
397 |
|
|
/**
|
398 |
|
|
* E. Do grants
|
399 |
|
|
*/
|
400 |
|
|
$watchdog_tokens['%filtered_grants_full_array'] = print_r($existing_grants, TRUE);
|
401 |
|
|
$consumer->authorizationGrant($user, $user_auth_data, $existing_grants, $ldap_entry, FALSE);
|
402 |
|
|
$watchdog_tokens['%user_auth_data_post_grants'] = print_r($user_auth_data, TRUE);
|
403 |
|
|
$watchdog_tokens['%user_data_post_grants'] = print_r($user->data, TRUE);
|
404 |
|
|
|
405 |
|
|
/**
|
406 |
|
|
* 3.F take away any authorizations not in proposed authorization,
|
407 |
|
|
* but previously granted by ldap
|
408 |
|
|
*/
|
409 |
|
|
$watchdog_tokens['%revokes'] = t('none');
|
410 |
|
|
|
411 |
|
|
if ($consumer->consumerConf->revokeLdapProvisioned) {
|
412 |
|
|
$revokes_lcase = $consumer->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations));
|
413 |
|
|
if (count($revokes_lcase)) {
|
414 |
bc175c27
|
Assos Assos
|
// Keys are lcase, values are mixed case.
|
415 |
32700c57
|
Assos Assos
|
$revokes = [];
|
416 |
85ad3d82
|
Assos Assos
|
foreach ($revokes_lcase as $i => $revoke_lcase) {
|
417 |
32700c57
|
Assos Assos
|
$revokes[$revoke_lcase] = [
|
418 |
85ad3d82
|
Assos Assos
|
'value' => NULL,
|
419 |
|
|
'map_to_string' => NULL,
|
420 |
|
|
'exists' => TRUE,
|
421 |
32700c57
|
Assos Assos
|
];
|
422 |
85ad3d82
|
Assos Assos
|
}
|
423 |
|
|
if ($test) {
|
424 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Revokes'] = $revokes;
|
425 |
|
|
}
|
426 |
|
|
$consumer->authorizationRevoke($user, $user_auth_data, $revokes, $ldap_entry, FALSE);
|
427 |
|
|
$watchdog_tokens['%revokes'] = join(', ', array_keys($revokes));
|
428 |
|
|
}
|
429 |
|
|
}
|
430 |
|
|
|
431 |
|
|
$watchdog_tokens['%user_auth_data_post_revokes'] = print_r($user_auth_data, TRUE);
|
432 |
|
|
$watchdog_tokens['%user_data_post_revokes'] = print_r($user->data, TRUE);
|
433 |
|
|
|
434 |
|
|
/**
|
435 |
|
|
* 3.G save user object and user data
|
436 |
|
|
* note $user object is passed by reference into this function
|
437 |
|
|
*/
|
438 |
|
|
|
439 |
|
|
$uid = $user->uid;
|
440 |
32700c57
|
Assos Assos
|
$user_edit = ['data' => $user->data];
|
441 |
|
|
$user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? [] : $user->data['ldap_authorizations'];
|
442 |
bc175c27
|
Assos Assos
|
// Keep in good display order.
|
443 |
|
|
$consumer->sortConsumerIds('grant', $user_auth_data);
|
444 |
85ad3d82
|
Assos Assos
|
$user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data;
|
445 |
|
|
$watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE);
|
446 |
bc175c27
|
Assos Assos
|
// See #1973352 and #935592.
|
447 |
|
|
if (empty($user->picture->fid)) {
|
448 |
85ad3d82
|
Assos Assos
|
$user2 = user_load($user->uid);
|
449 |
|
|
$user->picture = $user2->picture;
|
450 |
|
|
}
|
451 |
|
|
$user = user_save($user, $user_edit);
|
452 |
|
|
|
453 |
|
|
$watchdog_tokens['%user_data_post_save'] = print_r($user->data, TRUE);
|
454 |
|
|
$watchdog_tokens['%user_roles_post_save'] = print_r($user->roles, TRUE);
|
455 |
|
|
|
456 |
|
|
if ($detailed_watchdog_log) {
|
457 |
|
|
watchdog('ldap_authorization',
|
458 |
|
|
'%username : user_authorizations_set results for %consumer_type:
|
459 |
|
|
<hr/>1. Initial existing authorizations: %initial
|
460 |
|
|
<hr/>2. Filtered Authorizations: %filtered_ldap_authorizations
|
461 |
|
|
<hr/>3. After filtering off previously granted authorizations (if regrant is false): %grants1
|
462 |
|
|
|
463 |
|
|
<hr/>4a. full consumers array, pre grants: %filtered_grants_full_array
|
464 |
|
|
<hr/>4b. user auth data after grants %consumer_type: <pre>%user_auth_data_post_grants</pre>
|
465 |
|
|
<hr/>4c. user data after grants for %consumer_type: <pre>%user_data_post_grants</pre>
|
466 |
|
|
|
467 |
|
|
<hr/>5a. revokes passed to authorizationRevoke(): %revokes
|
468 |
|
|
<hr/>5b. user auth data after revokes %consumer_type: <pre>%user_auth_data_post_revokes</pre>
|
469 |
|
|
<hr/>5c. user data after revokes for %consumer_type: <pre>%user_data_post_revokes</pre>
|
470 |
|
|
|
471 |
|
|
<hr/>6a. user_edit pre save : <pre>%user_edit_presave</pre>
|
472 |
|
|
<hr/>6b. user data post save: <pre>%user_data_post_save</pre>
|
473 |
|
|
<hr/>6c. user roles post save: <pre>%user_roles_post_save</pre>
|
474 |
|
|
',
|
475 |
|
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
476 |
|
|
}
|
477 |
|
|
|
478 |
|
|
if ($test) {
|
479 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
480 |
|
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user->data['ldap_authorizations'][$consumer->consumerType];
|
481 |
|
|
}
|
482 |
|
|
|
483 |
|
|
}
|
484 |
|
|
|
485 |
bc175c27
|
Assos Assos
|
/**
|
486 |
|
|
*
|
487 |
|
|
*/
|
488 |
85ad3d82
|
Assos Assos
|
function _ldap_authorization_ldap_authorization_maps_alter(&$user, &$user_ldap_entry, &$ldap_server, &$consumer_conf, &$authz_ids, $op) {
|
489 |
|
|
|
490 |
|
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
491 |
32700c57
|
Assos Assos
|
$watchdog_tokens = [];
|
492 |
85ad3d82
|
Assos Assos
|
|
493 |
bc175c27
|
Assos Assos
|
// Groups extracted from user's DN. such as ou=IT => group = "IT".
|
494 |
32700c57
|
Assos Assos
|
$derive_from_dn_authorizations = [];
|
495 |
85ad3d82
|
Assos Assos
|
if ($rdn_values = $consumer_conf->server->groupUserMembershipsFromDn($user)) {
|
496 |
|
|
$derive_from_dn_authorizations = array_combine($rdn_values, $rdn_values);
|
497 |
|
|
}
|
498 |
|
|
else {
|
499 |
32700c57
|
Assos Assos
|
$derive_from_dn_authorizations = [];
|
500 |
85ad3d82
|
Assos Assos
|
}
|
501 |
|
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
502 |
|
|
$_SESSION['ldap_authorization_test_query']['maps']['Derive from DN'] = ($rdn_values) ? $derive_from_dn_authorizations : t('disabled');
|
503 |
|
|
}
|
504 |
|
|
|
505 |
bc175c27
|
Assos Assos
|
// Traditional groups (dns)
|
506 |
85ad3d82
|
Assos Assos
|
$group_dns = $consumer_conf->server->groupMembershipsFromUser($user, 'group_dns');
|
507 |
|
|
if (!$group_dns) {
|
508 |
32700c57
|
Assos Assos
|
$group_dns = [];
|
509 |
85ad3d82
|
Assos Assos
|
}
|
510 |
|
|
elseif (count($group_dns)) {
|
511 |
|
|
$group_dns = array_unique($group_dns);
|
512 |
|
|
}
|
513 |
|
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
514 |
|
|
$_SESSION['ldap_authorization_test_query']['maps']['Groups DNs'] = $group_dns;
|
515 |
|
|
}
|
516 |
|
|
|
517 |
|
|
$values = array_merge($derive_from_dn_authorizations, $group_dns);
|
518 |
|
|
$values = array_unique($values);
|
519 |
32700c57
|
Assos Assos
|
$authz_ids = (count($values)) ? array_combine($values, $values) : [];
|
520 |
85ad3d82
|
Assos Assos
|
if ($detailed_watchdog_log) {
|
521 |
|
|
$watchdog_tokens['%username'] = $user->name;
|
522 |
|
|
$watchdog_tokens['%ldap_server'] = $ldap_server->sid;
|
523 |
|
|
$watchdog_tokens['%deriveFromDn'] = join(', ', $derive_from_dn_authorizations);
|
524 |
|
|
$watchdog_tokens['%deriveFromGroups'] = join(', ', $group_dns);
|
525 |
bc175c27
|
Assos Assos
|
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
526 |
85ad3d82
|
Assos Assos
|
|
527 |
|
|
watchdog('ldap_authorization', '%username :_ldap_authorization_ldap_authorization_maps_alter:
|
528 |
|
|
<hr/>deriveFromDn authorization ids: %deriveFromDn
|
529 |
|
|
<hr/>deriveFromAttr authorization ids: %deriveFromGroups
|
530 |
|
|
<hr/>merged authz_ids authorization ids: %authz_ids
|
531 |
|
|
',
|
532 |
|
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
533 |
|
|
}
|
534 |
|
|
|
535 |
|
|
} |