Révision bc175c27
Ajouté par Assos Assos il y a plus de 5 ans
| drupal7/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc | ||
|---|---|---|
| 2 | 2 |
|
| 3 | 3 |
/** |
| 4 | 4 |
* @file |
| 5 |
* bulk of authorization code executed to determine a users authorizations
|
|
| 5 |
* Bulk of authorization code executed to determine a users authorizations.
|
|
| 6 | 6 |
*/ |
| 7 | 7 |
|
| 8 |
function ldap_authorization_help_watchdog() { // remove after testing
|
|
| 8 |
// Remove after testing. |
|
| 9 |
/** |
|
| 10 |
* |
|
| 11 |
*/ |
|
| 9 | 12 |
|
| 10 |
$path = drupal_get_path("module", "ldap_help");
|
|
| 13 |
function ldap_authorization_help_watchdog() {
|
|
| 14 |
|
|
| 15 |
$path = drupal_get_path("module", "ldap_help");
|
|
| 11 | 16 |
$_content = ""; |
| 12 | 17 |
if (module_exists('dblog')) {
|
| 13 |
include_once(drupal_get_path('module', 'dblog') . '/dblog.admin.inc');
|
|
| 14 |
$_SESSION['dblog_overview_filter']['type'] = Array('ldap' => 'ldap');
|
|
| 18 |
include_once drupal_get_path('module', 'dblog') . '/dblog.admin.inc';
|
|
| 19 |
$_SESSION['dblog_overview_filter']['type'] = array('ldap' => 'ldap');
|
|
| 15 | 20 |
$_content .= "<h3>" . t('LDAP Watchdog Errors and Notifications') . "</h3>";
|
| 16 | 21 |
$overview = dblog_overview(); |
| 17 | 22 |
$_content .= render($overview); |
| ... | ... | |
| 24 | 29 |
$_content .= l(t('Module enable page'), 'admin/build/modules');
|
| 25 | 30 |
} |
| 26 | 31 |
|
| 27 |
|
|
| 28 | 32 |
return $_content; |
| 29 | 33 |
} |
| 30 | 34 |
|
| 31 |
|
|
| 32 | 35 |
/** |
| 33 |
* return all desired authorizations for a given user
|
|
| 36 |
* Return all desired authorizations for a given user.
|
|
| 34 | 37 |
* |
| 35 | 38 |
* @param object $user |
| 36 | 39 |
* |
| 37 |
* @param string $op = |
|
| 40 |
* @param string $op |
|
| 41 |
* = |
|
| 38 | 42 |
* set -- grant authorizations (store in db) and return authorizations |
| 39 | 43 |
* test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists |
| 40 | 44 |
* test_query_set -- do grant authorizations, but also log data for debugging |
| 41 |
* query -- don't grant authorization, just query and return authorizations |
|
| 45 |
* query -- don't grant authorization, just query and return authorizations.
|
|
| 42 | 46 |
* |
| 43 |
* @param string $consumer_type e.g. drupal_roles |
|
| 44 |
* @param string $context 'logon', 'test_if_authorizations_granted' |
|
| 47 |
* @param string $consumer_type |
|
| 48 |
* e.g. drupal_roles. |
|
| 49 |
* @param string $context |
|
| 50 |
* 'logon', 'test_if_authorizations_granted'. |
|
| 45 | 51 |
* |
| 46 | 52 |
* @return |
| 47 | 53 |
* |
| ... | ... | |
| 53 | 59 |
* by reference $user->data[<consumer_type>][<authorization_id>] = array(); |
| 54 | 60 |
* e.g. $var['drupal_role']['content_admin'] = array('rid' => 4)
|
| 55 | 61 |
* e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
|
| 56 |
* |
|
| 57 | 62 |
*/ |
| 58 |
|
|
| 59 |
|
|
| 60 | 63 |
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
|
| 61 | 64 |
$debug = FALSE; |
| 62 | 65 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
| ... | ... | |
| 85 | 88 |
* determine if user is ldap authenticated |
| 86 | 89 |
*/ |
| 87 | 90 |
if ($context == 'test_if_authorizations_granted' || (($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE)) {
|
| 88 |
$ldap_authenticated = $user->ldap_authenticated; // property 'ldap_authenticated' only exists for fake user objects submitted from testing form |
|
| 91 |
// Property 'ldap_authenticated' only exists for fake user objects submitted from testing form. |
|
| 92 |
$ldap_authenticated = $user->ldap_authenticated; |
|
| 89 | 93 |
} |
| 90 | 94 |
else {
|
| 91 |
$ldap_authenticated = (boolean)(module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
|
| 95 |
$ldap_authenticated = (boolean) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
|
| 92 | 96 |
} |
| 93 | 97 |
$watchdog_tokens['%ldap_authenticated'] = ($ldap_authenticated) ? 'yes' : 'no'; |
| 94 | 98 |
|
| ... | ... | |
| 111 | 115 |
$watchdog_tokens['%consumer_type'] = $consumer_type; |
| 112 | 116 |
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid; |
| 113 | 117 |
|
| 114 |
if (! is_object($consumer->consumerConf)) {
|
|
| 118 |
if (!is_object($consumer->consumerConf)) {
|
|
| 115 | 119 |
if ($detailed_watchdog_log) {
|
| 116 | 120 |
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
|
| 117 | 121 |
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG); |
| ... | ... | |
| 125 | 129 |
} |
| 126 | 130 |
if ($debug) {
|
| 127 | 131 |
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens);
|
| 128 |
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int)$consumer->consumerConf->synchOnLogon); //$debug = TRUE;
|
|
| 132 |
// $debug = TRUE;. |
|
| 133 |
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int) $consumer->consumerConf->synchOnLogon);
|
|
| 129 | 134 |
} |
| 130 | 135 |
|
| 131 | 136 |
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) {
|
| ... | ... | |
| 155 | 160 |
continue; |
| 156 | 161 |
} |
| 157 | 162 |
|
| 158 |
if (! isset($servers[$consumer->consumerConf->sid])) {
|
|
| 163 |
if (!isset($servers[$consumer->consumerConf->sid])) {
|
|
| 159 | 164 |
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND; |
| 160 | 165 |
if ($detailed_watchdog_log) {
|
| 161 | 166 |
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
|
| ... | ... | |
| 178 | 183 |
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op); |
| 179 | 184 |
|
| 180 | 185 |
/** make sure keys of array are lower case and values are mixed case |
| 181 |
and strip to first attribute is configured |
|
| 186 |
* and strip to first attribute is configured
|
|
| 182 | 187 |
*/ |
| 183 | 188 |
|
| 184 | 189 |
foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
|
| ... | ... | |
| 225 | 230 |
*/ |
| 226 | 231 |
|
| 227 | 232 |
$filtered_ldap_authorizations = array(); |
| 228 |
if ($consumer->consumerConf->useMappingsAsFilter) { // filter + map
|
|
| 233 |
// Filter + map. |
|
| 234 |
if ($consumer->consumerConf->useMappingsAsFilter) {
|
|
| 229 | 235 |
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
| 230 | 236 |
$map_from = $mapping_filter['from']; |
| 231 | 237 |
$map_to = $mapping_filter['normalized']; |
| ... | ... | |
| 234 | 240 |
} |
| 235 | 241 |
} |
| 236 | 242 |
} |
| 237 |
else { // only map, don't filter off authorizations that have no mapping
|
|
| 243 |
// Only map, don't filter off authorizations that have no mapping. |
|
| 244 |
else {
|
|
| 238 | 245 |
$_authorizations = array_values($proposed_ldap_authorizations); |
| 239 | 246 |
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) {
|
| 240 | 247 |
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
|
| ... | ... | |
| 242 | 249 |
$map_to = $mapping_filter['normalized']; |
| 243 | 250 |
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations)); |
| 244 | 251 |
if ($map_from_key !== FALSE) {
|
| 245 |
// remove non mapped authorization
|
|
| 252 |
// Remove non mapped authorization.
|
|
| 246 | 253 |
$_authorizations = array_diff($_authorizations, array($map_from)); |
| 247 | 254 |
$_authorizations = array_diff($_authorizations, array(drupal_strtolower($map_from))); |
| 248 |
// add mapped authorization
|
|
| 255 |
// Add mapped authorization.
|
|
| 249 | 256 |
$_authorizations[] = $map_to; |
| 250 |
// remove map from;
|
|
| 257 |
// Remove map from;.
|
|
| 251 | 258 |
} |
| 252 | 259 |
} |
| 253 | 260 |
} |
| ... | ... | |
| 255 | 262 |
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = array( |
| 256 | 263 |
'map_to_string' => $authorization_id, |
| 257 | 264 |
'exists' => NULL, |
| 258 |
'value' => $authorization_id |
|
| 265 |
'value' => $authorization_id,
|
|
| 259 | 266 |
); |
| 260 | 267 |
} |
| 261 | 268 |
} |
| 262 | 269 |
|
| 263 |
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers); // set values of $filtered_ldap_authorizations to consumers |
|
| 270 |
// Set values of $filtered_ldap_authorizations to consumers. |
|
| 271 |
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers); |
|
| 264 | 272 |
/** |
| 265 | 273 |
* now that we have list of consumers that are to be granted, give other modules a chance to alter it |
| 266 | 274 |
* |
| ... | ... | |
| 291 | 299 |
$display_authorizations[] = $_consumer['map_to_string']; |
| 292 | 300 |
} |
| 293 | 301 |
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations; |
| 294 |
$data = property_exists($user, 'data') ? $user->data['ldap_authorizations'][$consumer->consumerType] : array(); |
|
| 302 |
if (property_exists($user, 'data') && |
|
| 303 |
isset($user->data['ldap_authorizations'][$consumer->consumerType])) {
|
|
| 304 |
$data = $user->data['ldap_authorizations'][$consumer->consumerType]; |
|
| 305 |
} |
|
| 306 |
else {
|
|
| 307 |
$data = []; |
|
| 308 |
} |
|
| 295 | 309 |
$_SESSION['ldap_authorization_test_query']['user data'] = $data; |
| 296 | 310 |
} |
| 297 | 311 |
|
| ... | ... | |
| 313 | 327 |
return array($authorizations, $notifications); |
| 314 | 328 |
|
| 315 | 329 |
} |
| 330 |
|
|
| 316 | 331 |
/** |
| 317 |
* @param object $user is a drupal user account object, need not be current user |
|
| 318 |
* @param object $consumer is instance of an authorization consumer class |
|
| 319 |
* such as LdapAuthorizationConsumerDrupalRole |
|
| 332 |
* @param object $user |
|
| 333 |
* is a drupal user account object, need not be current user. |
|
| 334 |
* @param object $consumer |
|
| 335 |
* is instance of an authorization consumer class |
|
| 336 |
* such as LdapAuthorizationConsumerDrupalRole. |
|
| 320 | 337 |
* @param associative array of lower case authorization ids as keys and |
| 321 |
* mixed case strings as values $filtered_ldap_authorizations
|
|
| 338 |
* mixed case strings as values $filtered_ldap_authorizations |
|
| 322 | 339 |
* all authorization ids a user is granted via ldap authorization configuration |
| 323 |
* @param object $ldap_entry is users ldap entry. mapping of drupal user to |
|
| 340 |
* @param object $ldap_entry |
|
| 341 |
* is users ldap entry. mapping of drupal user to |
|
| 324 | 342 |
* ldap entry is stored in ldap_server configuration |
| 325 | 343 |
* |
| 326 |
* returns nothing
|
|
| 344 |
* returns nothing.
|
|
| 327 | 345 |
*/ |
| 328 |
|
|
| 329 | 346 |
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) {
|
| 330 | 347 |
|
| 331 | 348 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
| ... | ... | |
| 352 | 369 |
|
| 353 | 370 |
$watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations);
|
| 354 | 371 |
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
|
| 355 |
/**
|
|
| 372 |
/** |
|
| 356 | 373 |
* B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations |
| 357 | 374 |
*/ |
| 358 | 375 |
|
| 359 | 376 |
if (!$consumer->consumerConf->regrantLdapProvisioned) {
|
| 360 |
// if regranting disabled, filter off previously granted roles
|
|
| 377 |
// If regranting disabled, filter off previously granted roles.
|
|
| 361 | 378 |
$grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations); |
| 362 | 379 |
if ($test) {
|
| 363 | 380 |
$_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants; |
| ... | ... | |
| 369 | 386 |
|
| 370 | 387 |
$watchdog_tokens['%grants1'] = join(', ', $grants);
|
| 371 | 388 |
|
| 372 |
/**
|
|
| 389 |
/** |
|
| 373 | 390 |
* D. Only grant authorization consumer ids that exist |
| 374 | 391 |
*/ |
| 375 | 392 |
|
| 376 |
$existing_grants = array(); // keys are lcase, values are mixed case |
|
| 393 |
// Keys are lcase, values are mixed case. |
|
| 394 |
$existing_grants = array(); |
|
| 377 | 395 |
foreach ($grants as $i => $grant) {
|
| 378 | 396 |
if (!empty($filtered_ldap_authorizations[$grant]['exists'])) {
|
| 379 | 397 |
$existing_grants[$grant] = $filtered_ldap_authorizations[$grant]; |
| ... | ... | |
| 396 | 414 |
if ($consumer->consumerConf->revokeLdapProvisioned) {
|
| 397 | 415 |
$revokes_lcase = $consumer->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations)); |
| 398 | 416 |
if (count($revokes_lcase)) {
|
| 399 |
$revokes = array(); // keys are lcase, values are mixed case |
|
| 417 |
// Keys are lcase, values are mixed case. |
|
| 418 |
$revokes = array(); |
|
| 400 | 419 |
foreach ($revokes_lcase as $i => $revoke_lcase) {
|
| 401 | 420 |
$revokes[$revoke_lcase] = array( |
| 402 | 421 |
'value' => NULL, |
| ... | ... | |
| 423 | 442 |
$uid = $user->uid; |
| 424 | 443 |
$user_edit = array('data' => $user->data);
|
| 425 | 444 |
$user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? array() : $user->data['ldap_authorizations']; |
| 426 |
$consumer->sortConsumerIds('grant', $user_auth_data); // keep in good display order
|
|
| 445 |
// Keep in good display order. |
|
| 446 |
$consumer->sortConsumerIds('grant', $user_auth_data);
|
|
| 427 | 447 |
$user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data; |
| 428 | 448 |
$watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE); |
| 429 |
if (empty($user->picture->fid)) { // see #1973352 and #935592
|
|
| 449 |
// See #1973352 and #935592. |
|
| 450 |
if (empty($user->picture->fid)) {
|
|
| 430 | 451 |
$user2 = user_load($user->uid); |
| 431 | 452 |
$user->picture = $user2->picture; |
| 432 | 453 |
} |
| ... | ... | |
| 464 | 485 |
|
| 465 | 486 |
} |
| 466 | 487 |
|
| 488 |
/** |
|
| 489 |
* |
|
| 490 |
*/ |
|
| 467 | 491 |
function _ldap_authorization_ldap_authorization_maps_alter(&$user, &$user_ldap_entry, &$ldap_server, &$consumer_conf, &$authz_ids, $op) {
|
| 468 | 492 |
|
| 469 | 493 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
|
| 470 | 494 |
$watchdog_tokens = array(); |
| 471 | 495 |
|
| 472 |
// groups extracted from user's DN. such as ou=IT => group = "IT"
|
|
| 496 |
// Groups extracted from user's DN. such as ou=IT => group = "IT".
|
|
| 473 | 497 |
$derive_from_dn_authorizations = array(); |
| 474 | 498 |
if ($rdn_values = $consumer_conf->server->groupUserMembershipsFromDn($user)) {
|
| 475 | 499 |
$derive_from_dn_authorizations = array_combine($rdn_values, $rdn_values); |
| ... | ... | |
| 481 | 505 |
$_SESSION['ldap_authorization_test_query']['maps']['Derive from DN'] = ($rdn_values) ? $derive_from_dn_authorizations : t('disabled');
|
| 482 | 506 |
} |
| 483 | 507 |
|
| 484 |
// traditional groups (dns)
|
|
| 508 |
// Traditional groups (dns)
|
|
| 485 | 509 |
$group_dns = $consumer_conf->server->groupMembershipsFromUser($user, 'group_dns'); |
| 486 | 510 |
if (!$group_dns) {
|
| 487 | 511 |
$group_dns = array(); |
| ... | ... | |
| 501 | 525 |
$watchdog_tokens['%ldap_server'] = $ldap_server->sid; |
| 502 | 526 |
$watchdog_tokens['%deriveFromDn'] = join(', ', $derive_from_dn_authorizations);
|
| 503 | 527 |
$watchdog_tokens['%deriveFromGroups'] = join(', ', $group_dns);
|
| 504 |
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
|
| 528 |
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
|
| 505 | 529 |
|
| 506 | 530 |
watchdog('ldap_authorization', '%username :_ldap_authorization_ldap_authorization_maps_alter:
|
| 507 | 531 |
<hr/>deriveFromDn authorization ids: %deriveFromDn |
Formats disponibles : Unified diff
Weekly update of contrib modules