1
|
<?php
|
2
|
|
3
|
/**
|
4
|
* @file
|
5
|
* Bulk of authorization code executed to determine a users authorizations.
|
6
|
*/
|
7
|
|
8
|
/**
|
9
|
* Unclear.
|
10
|
*/
|
11
|
function ldap_authorization_help_watchdog() {
|
12
|
|
13
|
$path = drupal_get_path("module", "ldap_help");
|
14
|
$_content = "";
|
15
|
if (module_exists('dblog')) {
|
16
|
include_once drupal_get_path('module', 'dblog') . '/dblog.admin.inc';
|
17
|
$_SESSION['dblog_overview_filter']['type'] = ['ldap' => 'ldap'];
|
18
|
$_content .= "<h3>" . t('LDAP Watchdog Errors and Notifications') . "</h3>";
|
19
|
$overview = dblog_overview();
|
20
|
$_content .= render($overview);
|
21
|
|
22
|
$_content .= l(t('...more watchdog'), 'admin/reports/dblog');
|
23
|
}
|
24
|
else {
|
25
|
$_content .= "<h3>" . t('LDAP Help Watchdog Errors and Notifications') . "</h3>";
|
26
|
$_content .= 'This feature requires <code>Database logging</code> module to be turned on. ';
|
27
|
$_content .= l(t('Module enable page'), 'admin/build/modules');
|
28
|
}
|
29
|
|
30
|
return $_content;
|
31
|
}
|
32
|
|
33
|
/**
|
34
|
* Return all desired authorizations for a given user.
|
35
|
*
|
36
|
* @param object $user
|
37
|
*
|
38
|
* @param string $op
|
39
|
* =
|
40
|
* set -- grant authorizations (store in db) and return authorizations
|
41
|
* test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists
|
42
|
* test_query_set -- do grant authorizations, but also log data for debugging
|
43
|
* query -- don't grant authorization, just query and return authorizations.
|
44
|
*
|
45
|
* @param string $consumer_type
|
46
|
* e.g. drupal_roles.
|
47
|
* @param string $context
|
48
|
* 'logon', 'test_if_authorizations_granted'.
|
49
|
*
|
50
|
* @return
|
51
|
*
|
52
|
* LDAP_AUTHORIZATION_NO_LDAP_SERVERS if no servers configured
|
53
|
* LDAP_AUTHORIZATION_LDAP_ERROR if ldap error
|
54
|
* TRUE if servers configured but no roles derived from ldap
|
55
|
* array of potential authorizations (user may or may not already have these)
|
56
|
*
|
57
|
* by reference $user->data[<consumer_type>][<authorization_id>] = array();
|
58
|
* e.g. $var['drupal_role']['content_admin'] = array('rid' => 4)
|
59
|
* e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
|
60
|
*/
|
61
|
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
|
62
|
$debug = FALSE;
|
63
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
64
|
$authorizations = [];
|
65
|
$notifications = [];
|
66
|
$watchdog_tokens = ['%username' => $user->name];
|
67
|
$consumers = ldap_authorization_get_consumers($consumer_type, TRUE, FALSE);
|
68
|
|
69
|
$servers = ldap_servers_get_servers(NULL, 'enabled', TRUE);
|
70
|
|
71
|
/**
|
72
|
* user 1 not used in ldap authorization. this is a design decision.
|
73
|
*/
|
74
|
if (property_exists($user, 'uid') && $user->uid == 1) {
|
75
|
if ($detailed_watchdog_log) {
|
76
|
watchdog('ldap_authorization', '%username : ldap_authorization not applied to user 1', $watchdog_tokens, WATCHDOG_DEBUG);
|
77
|
}
|
78
|
$notifications['all'] = LDAP_AUTHORIZATION_NOT_APPLY_USER_1;
|
79
|
foreach ($consumers as $consumer_type => $consumer) {
|
80
|
$authorizations[$consumer_type] = [];
|
81
|
}
|
82
|
return [$authorizations, $notifications];
|
83
|
}
|
84
|
|
85
|
/**
|
86
|
* determine if user is ldap authenticated
|
87
|
*/
|
88
|
if ($context == 'test_if_authorizations_granted' || (($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE)) {
|
89
|
// Property 'ldap_authenticated' only exists for fake user objects submitted from testing form.
|
90
|
$ldap_authenticated = $user->ldap_authenticated;
|
91
|
}
|
92
|
else {
|
93
|
$ldap_authenticated = (boolean) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
94
|
}
|
95
|
$watchdog_tokens['%ldap_authenticated'] = ($ldap_authenticated) ? 'yes' : 'no';
|
96
|
|
97
|
foreach ($consumers as $consumer_type => $consumer) {
|
98
|
$authorizations[$consumer_type] = [];
|
99
|
/**
|
100
|
* each consumer type has only one consumer conf and each consumer conf has only one ldap server id (sid)
|
101
|
* so there is a one-to-one-to-one relationship between:
|
102
|
* - consumer object ($consumer),
|
103
|
* - server object ($ldap_server),
|
104
|
* - and consumer conf object.
|
105
|
*
|
106
|
*/
|
107
|
|
108
|
$consumer = ldap_authorization_get_consumer_object($consumer_type);
|
109
|
if (!$consumer->consumerConf->status) {
|
110
|
continue;
|
111
|
}
|
112
|
$proposed_ldap_authorizations = [];
|
113
|
$watchdog_tokens['%consumer_type'] = $consumer_type;
|
114
|
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid;
|
115
|
|
116
|
if (!is_object($consumer->consumerConf)) {
|
117
|
if ($detailed_watchdog_log) {
|
118
|
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
|
119
|
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG);
|
120
|
}
|
121
|
continue;
|
122
|
}
|
123
|
|
124
|
if ($detailed_watchdog_log) {
|
125
|
watchdog('ldap_authorization', '%username : testing with
|
126
|
consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens, WATCHDOG_DEBUG);
|
127
|
}
|
128
|
if ($debug) {
|
129
|
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens);
|
130
|
// $debug = TRUE;.
|
131
|
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int) $consumer->consumerConf->synchOnLogon);
|
132
|
}
|
133
|
|
134
|
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) {
|
135
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_MAP_NOT_CONF_FOR_LOGON;
|
136
|
if ($detailed_watchdog_log) {
|
137
|
watchdog('ldap_authorization', '%username : %consumer_type not set to run on user logon.', $watchdog_tokens, WATCHDOG_DEBUG);
|
138
|
}
|
139
|
continue;
|
140
|
}
|
141
|
|
142
|
if ($consumer->consumerConf->onlyApplyToLdapAuthenticated && !$ldap_authenticated && $op != 'test_query' && $op != 'test_query_set') {
|
143
|
if ($detailed_watchdog_log) {
|
144
|
watchdog('ldap_authorization', '%username : not used because it is set to be applied only to ldap authenticated users.
|
145
|
%username is not ldap authenticated.', $watchdog_tokens, WATCHDOG_DEBUG);
|
146
|
}
|
147
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_NOT_LDAP_AUTHENTICATED;
|
148
|
continue;
|
149
|
}
|
150
|
|
151
|
$ldap_user = ldap_servers_get_user_ldap_data($user, $consumer->consumerConf->sid, 'ldap_authorization__' . $consumer_type);
|
152
|
|
153
|
if (!$ldap_user) {
|
154
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND;
|
155
|
if ($detailed_watchdog_log) {
|
156
|
watchdog('ldap_authorization', '%username : %consumer_type ldap user not found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
157
|
}
|
158
|
continue;
|
159
|
}
|
160
|
|
161
|
if (!isset($servers[$consumer->consumerConf->sid])) {
|
162
|
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND;
|
163
|
if ($detailed_watchdog_log) {
|
164
|
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
165
|
}
|
166
|
continue;
|
167
|
}
|
168
|
|
169
|
$ldap_server = $consumer->consumerConf->server;
|
170
|
|
171
|
/**
|
172
|
* 1. first just need to figure out what authz_ids are generated for this consumer type/mapping configuration
|
173
|
*
|
174
|
* goal here is simply to build an array of authorizations for this ldap authz mapping
|
175
|
* $proposed_ldap_authorizations[<authorization id>] = properties associative array or empty array
|
176
|
* e.g. $proposed_ldap_authorizations['admin'] = array()
|
177
|
*
|
178
|
* @see ldap_authorization.api.php hook_ldap_authorization_maps_alter() notes
|
179
|
*/
|
180
|
|
181
|
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op);
|
182
|
|
183
|
/** make sure keys of array are lower case and values are mixed case
|
184
|
* and strip to first attribute is configured
|
185
|
*/
|
186
|
|
187
|
foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
|
188
|
if ($consumer->consumerConf->useFirstAttrAsGroupId) {
|
189
|
$attr_parts = ldap_explode_dn($authorization_id, 0);
|
190
|
if (!empty($attr_parts) && count($attr_parts) > 0) {
|
191
|
$first_part = explode('=', $attr_parts[0]);
|
192
|
if (count($first_part) > 1) {
|
193
|
$authorization_id = ldap_pear_unescape_dn_value(trim($first_part[1]));
|
194
|
}
|
195
|
}
|
196
|
$new_key = drupal_strtolower($authorization_id);
|
197
|
}
|
198
|
else {
|
199
|
$new_key = drupal_strtolower($key);
|
200
|
}
|
201
|
$proposed_ldap_authorizations[$new_key] = $authorization_id;
|
202
|
if ($key != $new_key) {
|
203
|
unset($proposed_ldap_authorizations[$key]);
|
204
|
}
|
205
|
}
|
206
|
|
207
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
208
|
$_SESSION['ldap_authorization_test_query']['useFirstAttrAsGroupId'] = $proposed_ldap_authorizations;
|
209
|
}
|
210
|
|
211
|
if ($detailed_watchdog_log || $debug) {
|
212
|
$_proposed_ldap_authorizations = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : [];
|
213
|
$watchdog_tokens['%proposed_authorizations'] = join(', ', $_proposed_ldap_authorizations);
|
214
|
}
|
215
|
if ($detailed_watchdog_log) {
|
216
|
watchdog('ldap_authorization', '%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
217
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
218
|
}
|
219
|
if ($debug) {
|
220
|
debug(t('%username : initial proposed authorization for %consumer_type: %proposed_authorizations.',
|
221
|
$watchdog_tokens));
|
222
|
}
|
223
|
|
224
|
/**
|
225
|
* 2. filter can be both a whitelist and a mapping of an ldap results to an authorization id.
|
226
|
* goal of this step is to generate $filtered_ldap_authorizations[$consumer_type]
|
227
|
* an array of filtered and mapped authorization ids
|
228
|
*/
|
229
|
|
230
|
$filtered_ldap_authorizations = [];
|
231
|
// Filter + map.
|
232
|
if ($consumer->consumerConf->useMappingsAsFilter) {
|
233
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
234
|
$map_from = $mapping_filter['from'];
|
235
|
$map_to = $mapping_filter['normalized'];
|
236
|
if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
|
237
|
$filtered_ldap_authorizations[drupal_strtolower($map_to)] = ['map_to_string' => $map_to, 'exists' => NULL];
|
238
|
}
|
239
|
}
|
240
|
}
|
241
|
// Only map, don't filter off authorizations that have no mapping.
|
242
|
else {
|
243
|
$_authorizations = array_values($proposed_ldap_authorizations);
|
244
|
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) {
|
245
|
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
246
|
$map_from = $mapping_filter['from'];
|
247
|
$map_to = $mapping_filter['normalized'];
|
248
|
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations));
|
249
|
if ($map_from_key !== FALSE) {
|
250
|
// Remove non mapped authorization.
|
251
|
$_authorizations = array_diff($_authorizations, [$map_from]);
|
252
|
$_authorizations = array_diff($_authorizations, [drupal_strtolower($map_from)]);
|
253
|
// Add mapped authorization.
|
254
|
$_authorizations[] = $map_to;
|
255
|
}
|
256
|
}
|
257
|
}
|
258
|
foreach ($_authorizations as $i => $authorization_id) {
|
259
|
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = [
|
260
|
'map_to_string' => $authorization_id,
|
261
|
'exists' => NULL,
|
262
|
'value' => $authorization_id,
|
263
|
];
|
264
|
}
|
265
|
}
|
266
|
|
267
|
// Set values of $filtered_ldap_authorizations to consumers.
|
268
|
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers);
|
269
|
/**
|
270
|
* now that we have list of consumers that are to be granted, give other modules a chance to alter it
|
271
|
*
|
272
|
* @see ldap_authorization.api.php hook_ldap_authorization_authorizations_alter() notes
|
273
|
*/
|
274
|
$params = [
|
275
|
'user' => $user,
|
276
|
'ldap_user' => $ldap_user,
|
277
|
'ldap_server' => $ldap_server,
|
278
|
'consumer' => $consumer,
|
279
|
];
|
280
|
|
281
|
drupal_alter('ldap_authorization_authorizations', $filtered_ldap_authorizations, $params);
|
282
|
|
283
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
284
|
if ($detailed_watchdog_log) {
|
285
|
watchdog('ldap_authorization', '%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
286
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
287
|
}
|
288
|
if ($debug) {
|
289
|
debug(t('%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.',
|
290
|
$watchdog_tokens));
|
291
|
}
|
292
|
|
293
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
294
|
$display_authorizations = [];
|
295
|
foreach ($filtered_ldap_authorizations as $consumer_id => $_consumer) {
|
296
|
$display_authorizations[] = $_consumer['map_to_string'];
|
297
|
}
|
298
|
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations;
|
299
|
if (property_exists($user, 'data') &&
|
300
|
isset($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
301
|
$data = $user->data['ldap_authorizations'][$consumer->consumerType];
|
302
|
}
|
303
|
else {
|
304
|
$data = [];
|
305
|
}
|
306
|
$_SESSION['ldap_authorization_test_query']['user data'] = $data;
|
307
|
}
|
308
|
|
309
|
/**
|
310
|
* 3. third, grant any proposed authorizations not already granted
|
311
|
*/
|
312
|
|
313
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
314
|
$_SESSION['ldap_authorization_test_query']['tokens'] = $watchdog_tokens;
|
315
|
}
|
316
|
if ($op == 'set' || $op == "test_query_set") {
|
317
|
$test = ($op == "test_query_set");
|
318
|
_ldap_authorizations_user_authorizations_set($user, $consumer, $filtered_ldap_authorizations, $ldap_user, $watchdog_tokens, $test);
|
319
|
}
|
320
|
|
321
|
$authorizations[$consumer_type] = $filtered_ldap_authorizations;
|
322
|
} // end foreach $consumers
|
323
|
|
324
|
return [$authorizations, $notifications];
|
325
|
|
326
|
}
|
327
|
|
328
|
/**
|
329
|
* @param object $user
|
330
|
* is a drupal user account object, need not be current user.
|
331
|
* @param object $consumer
|
332
|
* is instance of an authorization consumer class
|
333
|
* such as LdapAuthorizationConsumerDrupalRole.
|
334
|
* @param array of lower case authorization ids as keys and
|
335
|
* mixed case strings as values $filtered_ldap_authorizations
|
336
|
* all authorization ids a user is granted via ldap authorization configuration
|
337
|
* @param object $ldap_entry
|
338
|
* is users ldap entry. mapping of drupal user to
|
339
|
* ldap entry is stored in ldap_server configuration
|
340
|
*
|
341
|
* returns nothing.
|
342
|
*/
|
343
|
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
|
344
|
|
345
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
346
|
ldap_authorization_cleanse_empty_og_fields($user);
|
347
|
|
348
|
/**
|
349
|
* A. Determine what authorizations have been granted in the past by ldap authorization
|
350
|
*/
|
351
|
|
352
|
if (isset($user->data['ldap_authorizations'][$consumer->consumerType])
|
353
|
&& is_array($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
354
|
$user_auth_data = $user->data['ldap_authorizations'][$consumer->consumerType];
|
355
|
$initial_existing_ldap_authorizations = array_keys($user_auth_data);
|
356
|
}
|
357
|
else {
|
358
|
$user_auth_data = [];
|
359
|
$initial_existing_ldap_authorizations = [];
|
360
|
}
|
361
|
|
362
|
if ($test) {
|
363
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user_auth_data;
|
364
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Pre Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
365
|
}
|
366
|
|
367
|
$watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations);
|
368
|
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
369
|
/**
|
370
|
* B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations
|
371
|
*/
|
372
|
|
373
|
if (!$consumer->consumerConf->regrantLdapProvisioned) {
|
374
|
// If regranting disabled, filter off previously granted roles.
|
375
|
$grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations);
|
376
|
if ($test) {
|
377
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants;
|
378
|
}
|
379
|
}
|
380
|
else {
|
381
|
$grants = array_keys($filtered_ldap_authorizations);
|
382
|
}
|
383
|
|
384
|
$watchdog_tokens['%grants1'] = join(', ', $grants);
|
385
|
|
386
|
/**
|
387
|
* D. Only grant authorization consumer ids that exist
|
388
|
*/
|
389
|
|
390
|
// Keys are lcase, values are mixed case.
|
391
|
$existing_grants = [];
|
392
|
foreach ($grants as $i => $grant) {
|
393
|
if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
|
394
|
$existing_grants[$grant] = $filtered_ldap_authorizations[$grant];
|
395
|
}
|
396
|
}
|
397
|
/**
|
398
|
* E. Do grants
|
399
|
*/
|
400
|
$watchdog_tokens['%filtered_grants_full_array'] = print_r($existing_grants, TRUE);
|
401
|
$consumer->authorizationGrant($user, $user_auth_data, $existing_grants, $ldap_entry, FALSE);
|
402
|
$watchdog_tokens['%user_auth_data_post_grants'] = print_r($user_auth_data, TRUE);
|
403
|
$watchdog_tokens['%user_data_post_grants'] = print_r($user->data, TRUE);
|
404
|
|
405
|
/**
|
406
|
* 3.F take away any authorizations not in proposed authorization,
|
407
|
* but previously granted by ldap
|
408
|
*/
|
409
|
$watchdog_tokens['%revokes'] = t('none');
|
410
|
|
411
|
if ($consumer->consumerConf->revokeLdapProvisioned) {
|
412
|
$revokes_lcase = $consumer->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations));
|
413
|
if (count($revokes_lcase)) {
|
414
|
// Keys are lcase, values are mixed case.
|
415
|
$revokes = [];
|
416
|
foreach ($revokes_lcase as $i => $revoke_lcase) {
|
417
|
$revokes[$revoke_lcase] = [
|
418
|
'value' => NULL,
|
419
|
'map_to_string' => NULL,
|
420
|
'exists' => TRUE,
|
421
|
];
|
422
|
}
|
423
|
if ($test) {
|
424
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Revokes'] = $revokes;
|
425
|
}
|
426
|
$consumer->authorizationRevoke($user, $user_auth_data, $revokes, $ldap_entry, FALSE);
|
427
|
$watchdog_tokens['%revokes'] = join(', ', array_keys($revokes));
|
428
|
}
|
429
|
}
|
430
|
|
431
|
$watchdog_tokens['%user_auth_data_post_revokes'] = print_r($user_auth_data, TRUE);
|
432
|
$watchdog_tokens['%user_data_post_revokes'] = print_r($user->data, TRUE);
|
433
|
|
434
|
/**
|
435
|
* 3.G save user object and user data
|
436
|
* note $user object is passed by reference into this function
|
437
|
*/
|
438
|
|
439
|
$uid = $user->uid;
|
440
|
$user_edit = ['data' => $user->data];
|
441
|
$user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? [] : $user->data['ldap_authorizations'];
|
442
|
// Keep in good display order.
|
443
|
$consumer->sortConsumerIds('grant', $user_auth_data);
|
444
|
$user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data;
|
445
|
$watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE);
|
446
|
// See #1973352 and #935592.
|
447
|
if (empty($user->picture->fid)) {
|
448
|
$user2 = user_load($user->uid);
|
449
|
$user->picture = $user2->picture;
|
450
|
}
|
451
|
$user = user_save($user, $user_edit);
|
452
|
|
453
|
$watchdog_tokens['%user_data_post_save'] = print_r($user->data, TRUE);
|
454
|
$watchdog_tokens['%user_roles_post_save'] = print_r($user->roles, TRUE);
|
455
|
|
456
|
if ($detailed_watchdog_log) {
|
457
|
watchdog('ldap_authorization',
|
458
|
'%username : user_authorizations_set results for %consumer_type:
|
459
|
<hr/>1. Initial existing authorizations: %initial
|
460
|
<hr/>2. Filtered Authorizations: %filtered_ldap_authorizations
|
461
|
<hr/>3. After filtering off previously granted authorizations (if regrant is false): %grants1
|
462
|
|
463
|
<hr/>4a. full consumers array, pre grants: %filtered_grants_full_array
|
464
|
<hr/>4b. user auth data after grants %consumer_type: <pre>%user_auth_data_post_grants</pre>
|
465
|
<hr/>4c. user data after grants for %consumer_type: <pre>%user_data_post_grants</pre>
|
466
|
|
467
|
<hr/>5a. revokes passed to authorizationRevoke(): %revokes
|
468
|
<hr/>5b. user auth data after revokes %consumer_type: <pre>%user_auth_data_post_revokes</pre>
|
469
|
<hr/>5c. user data after revokes for %consumer_type: <pre>%user_data_post_revokes</pre>
|
470
|
|
471
|
<hr/>6a. user_edit pre save : <pre>%user_edit_presave</pre>
|
472
|
<hr/>6b. user data post save: <pre>%user_data_post_save</pre>
|
473
|
<hr/>6c. user roles post save: <pre>%user_roles_post_save</pre>
|
474
|
',
|
475
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
476
|
}
|
477
|
|
478
|
if ($test) {
|
479
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes authorizations user has'] = $consumer->usersAuthorizations($user);
|
480
|
$_SESSION['ldap_authorization_test_query']['setting_data']['Post Grant/Revokes $user->data[ldap_authorizations][' . $consumer->consumerType . ']'] = $user->data['ldap_authorizations'][$consumer->consumerType];
|
481
|
}
|
482
|
|
483
|
}
|
484
|
|
485
|
/**
|
486
|
*
|
487
|
*/
|
488
|
function _ldap_authorization_ldap_authorization_maps_alter(&$user, &$user_ldap_entry, &$ldap_server, &$consumer_conf, &$authz_ids, $op) {
|
489
|
|
490
|
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
491
|
$watchdog_tokens = [];
|
492
|
|
493
|
// Groups extracted from user's DN. such as ou=IT => group = "IT".
|
494
|
$derive_from_dn_authorizations = [];
|
495
|
if ($rdn_values = $consumer_conf->server->groupUserMembershipsFromDn($user)) {
|
496
|
$derive_from_dn_authorizations = array_combine($rdn_values, $rdn_values);
|
497
|
}
|
498
|
else {
|
499
|
$derive_from_dn_authorizations = [];
|
500
|
}
|
501
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
502
|
$_SESSION['ldap_authorization_test_query']['maps']['Derive from DN'] = ($rdn_values) ? $derive_from_dn_authorizations : t('disabled');
|
503
|
}
|
504
|
|
505
|
// Traditional groups (dns)
|
506
|
$group_dns = $consumer_conf->server->groupMembershipsFromUser($user, 'group_dns');
|
507
|
if (!$group_dns) {
|
508
|
$group_dns = [];
|
509
|
}
|
510
|
elseif (count($group_dns)) {
|
511
|
$group_dns = array_unique($group_dns);
|
512
|
}
|
513
|
if ($op == 'test_query' || $op == 'test_query_set') {
|
514
|
$_SESSION['ldap_authorization_test_query']['maps']['Groups DNs'] = $group_dns;
|
515
|
}
|
516
|
|
517
|
$values = array_merge($derive_from_dn_authorizations, $group_dns);
|
518
|
$values = array_unique($values);
|
519
|
$authz_ids = (count($values)) ? array_combine($values, $values) : [];
|
520
|
if ($detailed_watchdog_log) {
|
521
|
$watchdog_tokens['%username'] = $user->name;
|
522
|
$watchdog_tokens['%ldap_server'] = $ldap_server->sid;
|
523
|
$watchdog_tokens['%deriveFromDn'] = join(', ', $derive_from_dn_authorizations);
|
524
|
$watchdog_tokens['%deriveFromGroups'] = join(', ', $group_dns);
|
525
|
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
526
|
|
527
|
watchdog('ldap_authorization', '%username :_ldap_authorization_ldap_authorization_maps_alter:
|
528
|
<hr/>deriveFromDn authorization ids: %deriveFromDn
|
529
|
<hr/>deriveFromAttr authorization ids: %deriveFromGroups
|
530
|
<hr/>merged authz_ids authorization ids: %authz_ids
|
531
|
',
|
532
|
$watchdog_tokens, WATCHDOG_DEBUG);
|
533
|
}
|
534
|
|
535
|
}
|