Révision bc175c27
Ajouté par Assos Assos il y a plus de 5 ans
drupal7/sites/all/modules/ldap/ldap_authorization/ldap_authorization.inc | ||
---|---|---|
2 | 2 |
|
3 | 3 |
/** |
4 | 4 |
* @file |
5 |
* bulk of authorization code executed to determine a users authorizations
|
|
5 |
* Bulk of authorization code executed to determine a users authorizations.
|
|
6 | 6 |
*/ |
7 | 7 |
|
8 |
function ldap_authorization_help_watchdog() { // remove after testing |
|
8 |
// Remove after testing. |
|
9 |
/** |
|
10 |
* |
|
11 |
*/ |
|
9 | 12 |
|
10 |
$path = drupal_get_path("module", "ldap_help"); |
|
13 |
function ldap_authorization_help_watchdog() { |
|
14 |
|
|
15 |
$path = drupal_get_path("module", "ldap_help"); |
|
11 | 16 |
$_content = ""; |
12 | 17 |
if (module_exists('dblog')) { |
13 |
include_once(drupal_get_path('module', 'dblog') . '/dblog.admin.inc');
|
|
14 |
$_SESSION['dblog_overview_filter']['type'] = Array('ldap' => 'ldap');
|
|
18 |
include_once drupal_get_path('module', 'dblog') . '/dblog.admin.inc';
|
|
19 |
$_SESSION['dblog_overview_filter']['type'] = array('ldap' => 'ldap');
|
|
15 | 20 |
$_content .= "<h3>" . t('LDAP Watchdog Errors and Notifications') . "</h3>"; |
16 | 21 |
$overview = dblog_overview(); |
17 | 22 |
$_content .= render($overview); |
... | ... | |
24 | 29 |
$_content .= l(t('Module enable page'), 'admin/build/modules'); |
25 | 30 |
} |
26 | 31 |
|
27 |
|
|
28 | 32 |
return $_content; |
29 | 33 |
} |
30 | 34 |
|
31 |
|
|
32 | 35 |
/** |
33 |
* return all desired authorizations for a given user
|
|
36 |
* Return all desired authorizations for a given user.
|
|
34 | 37 |
* |
35 | 38 |
* @param object $user |
36 | 39 |
* |
37 |
* @param string $op = |
|
40 |
* @param string $op |
|
41 |
* = |
|
38 | 42 |
* set -- grant authorizations (store in db) and return authorizations |
39 | 43 |
* test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists |
40 | 44 |
* test_query_set -- do grant authorizations, but also log data for debugging |
41 |
* query -- don't grant authorization, just query and return authorizations |
|
45 |
* query -- don't grant authorization, just query and return authorizations.
|
|
42 | 46 |
* |
43 |
* @param string $consumer_type e.g. drupal_roles |
|
44 |
* @param string $context 'logon', 'test_if_authorizations_granted' |
|
47 |
* @param string $consumer_type |
|
48 |
* e.g. drupal_roles. |
|
49 |
* @param string $context |
|
50 |
* 'logon', 'test_if_authorizations_granted'. |
|
45 | 51 |
* |
46 | 52 |
* @return |
47 | 53 |
* |
... | ... | |
53 | 59 |
* by reference $user->data[<consumer_type>][<authorization_id>] = array(); |
54 | 60 |
* e.g. $var['drupal_role']['content_admin'] = array('rid' => 4) |
55 | 61 |
* e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012'); |
56 |
* |
|
57 | 62 |
*/ |
58 |
|
|
59 |
|
|
60 | 63 |
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) { |
61 | 64 |
$debug = FALSE; |
62 | 65 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
... | ... | |
85 | 88 |
* determine if user is ldap authenticated |
86 | 89 |
*/ |
87 | 90 |
if ($context == 'test_if_authorizations_granted' || (($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE)) { |
88 |
$ldap_authenticated = $user->ldap_authenticated; // property 'ldap_authenticated' only exists for fake user objects submitted from testing form |
|
91 |
// Property 'ldap_authenticated' only exists for fake user objects submitted from testing form. |
|
92 |
$ldap_authenticated = $user->ldap_authenticated; |
|
89 | 93 |
} |
90 | 94 |
else { |
91 |
$ldap_authenticated = (boolean)(module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user)); |
|
95 |
$ldap_authenticated = (boolean) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
|
|
92 | 96 |
} |
93 | 97 |
$watchdog_tokens['%ldap_authenticated'] = ($ldap_authenticated) ? 'yes' : 'no'; |
94 | 98 |
|
... | ... | |
111 | 115 |
$watchdog_tokens['%consumer_type'] = $consumer_type; |
112 | 116 |
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid; |
113 | 117 |
|
114 |
if (! is_object($consumer->consumerConf)) {
|
|
118 |
if (!is_object($consumer->consumerConf)) { |
|
115 | 119 |
if ($detailed_watchdog_log) { |
116 | 120 |
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no |
117 | 121 |
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG); |
... | ... | |
125 | 129 |
} |
126 | 130 |
if ($debug) { |
127 | 131 |
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens); |
128 |
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int)$consumer->consumerConf->synchOnLogon); //$debug = TRUE; |
|
132 |
// $debug = TRUE;. |
|
133 |
debug("op=$op,ldap_authenticated=$ldap_authenticated $consumer_type context=$context, consumer->consumerConf->synchOnLogon=" . (int) $consumer->consumerConf->synchOnLogon); |
|
129 | 134 |
} |
130 | 135 |
|
131 | 136 |
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) { |
... | ... | |
155 | 160 |
continue; |
156 | 161 |
} |
157 | 162 |
|
158 |
if (! isset($servers[$consumer->consumerConf->sid])) {
|
|
163 |
if (!isset($servers[$consumer->consumerConf->sid])) { |
|
159 | 164 |
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND; |
160 | 165 |
if ($detailed_watchdog_log) { |
161 | 166 |
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG); |
... | ... | |
178 | 183 |
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op); |
179 | 184 |
|
180 | 185 |
/** make sure keys of array are lower case and values are mixed case |
181 |
and strip to first attribute is configured |
|
186 |
* and strip to first attribute is configured
|
|
182 | 187 |
*/ |
183 | 188 |
|
184 | 189 |
foreach ($proposed_ldap_authorizations as $key => $authorization_id) { |
... | ... | |
225 | 230 |
*/ |
226 | 231 |
|
227 | 232 |
$filtered_ldap_authorizations = array(); |
228 |
if ($consumer->consumerConf->useMappingsAsFilter) { // filter + map |
|
233 |
// Filter + map. |
|
234 |
if ($consumer->consumerConf->useMappingsAsFilter) { |
|
229 | 235 |
foreach ($consumer->consumerConf->mappings as $mapping_filter) { |
230 | 236 |
$map_from = $mapping_filter['from']; |
231 | 237 |
$map_to = $mapping_filter['normalized']; |
... | ... | |
234 | 240 |
} |
235 | 241 |
} |
236 | 242 |
} |
237 |
else { // only map, don't filter off authorizations that have no mapping |
|
243 |
// Only map, don't filter off authorizations that have no mapping. |
|
244 |
else { |
|
238 | 245 |
$_authorizations = array_values($proposed_ldap_authorizations); |
239 | 246 |
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) { |
240 | 247 |
foreach ($consumer->consumerConf->mappings as $mapping_filter) { |
... | ... | |
242 | 249 |
$map_to = $mapping_filter['normalized']; |
243 | 250 |
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations)); |
244 | 251 |
if ($map_from_key !== FALSE) { |
245 |
// remove non mapped authorization
|
|
252 |
// Remove non mapped authorization.
|
|
246 | 253 |
$_authorizations = array_diff($_authorizations, array($map_from)); |
247 | 254 |
$_authorizations = array_diff($_authorizations, array(drupal_strtolower($map_from))); |
248 |
// add mapped authorization
|
|
255 |
// Add mapped authorization.
|
|
249 | 256 |
$_authorizations[] = $map_to; |
250 |
// remove map from;
|
|
257 |
// Remove map from;.
|
|
251 | 258 |
} |
252 | 259 |
} |
253 | 260 |
} |
... | ... | |
255 | 262 |
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = array( |
256 | 263 |
'map_to_string' => $authorization_id, |
257 | 264 |
'exists' => NULL, |
258 |
'value' => $authorization_id |
|
265 |
'value' => $authorization_id,
|
|
259 | 266 |
); |
260 | 267 |
} |
261 | 268 |
} |
262 | 269 |
|
263 |
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers); // set values of $filtered_ldap_authorizations to consumers |
|
270 |
// Set values of $filtered_ldap_authorizations to consumers. |
|
271 |
$consumer->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers); |
|
264 | 272 |
/** |
265 | 273 |
* now that we have list of consumers that are to be granted, give other modules a chance to alter it |
266 | 274 |
* |
... | ... | |
291 | 299 |
$display_authorizations[] = $_consumer['map_to_string']; |
292 | 300 |
} |
293 | 301 |
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations; |
294 |
$data = property_exists($user, 'data') ? $user->data['ldap_authorizations'][$consumer->consumerType] : array(); |
|
302 |
if (property_exists($user, 'data') && |
|
303 |
isset($user->data['ldap_authorizations'][$consumer->consumerType])) { |
|
304 |
$data = $user->data['ldap_authorizations'][$consumer->consumerType]; |
|
305 |
} |
|
306 |
else { |
|
307 |
$data = []; |
|
308 |
} |
|
295 | 309 |
$_SESSION['ldap_authorization_test_query']['user data'] = $data; |
296 | 310 |
} |
297 | 311 |
|
... | ... | |
313 | 327 |
return array($authorizations, $notifications); |
314 | 328 |
|
315 | 329 |
} |
330 |
|
|
316 | 331 |
/** |
317 |
* @param object $user is a drupal user account object, need not be current user |
|
318 |
* @param object $consumer is instance of an authorization consumer class |
|
319 |
* such as LdapAuthorizationConsumerDrupalRole |
|
332 |
* @param object $user |
|
333 |
* is a drupal user account object, need not be current user. |
|
334 |
* @param object $consumer |
|
335 |
* is instance of an authorization consumer class |
|
336 |
* such as LdapAuthorizationConsumerDrupalRole. |
|
320 | 337 |
* @param associative array of lower case authorization ids as keys and |
321 |
* mixed case strings as values $filtered_ldap_authorizations
|
|
338 |
* mixed case strings as values $filtered_ldap_authorizations |
|
322 | 339 |
* all authorization ids a user is granted via ldap authorization configuration |
323 |
* @param object $ldap_entry is users ldap entry. mapping of drupal user to |
|
340 |
* @param object $ldap_entry |
|
341 |
* is users ldap entry. mapping of drupal user to |
|
324 | 342 |
* ldap entry is stored in ldap_server configuration |
325 | 343 |
* |
326 |
* returns nothing
|
|
344 |
* returns nothing.
|
|
327 | 345 |
*/ |
328 |
|
|
329 | 346 |
function _ldap_authorizations_user_authorizations_set(&$user, $consumer, $filtered_ldap_authorizations, &$ldap_entry, $watchdog_tokens, $test) { |
330 | 347 |
|
331 | 348 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
... | ... | |
352 | 369 |
|
353 | 370 |
$watchdog_tokens['%initial'] = join(', ', $initial_existing_ldap_authorizations); |
354 | 371 |
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations)); |
355 |
/**
|
|
372 |
/** |
|
356 | 373 |
* B. if regrantLdapProvisioned is false, $grants_lcase array should only be new authorizations |
357 | 374 |
*/ |
358 | 375 |
|
359 | 376 |
if (!$consumer->consumerConf->regrantLdapProvisioned) { |
360 |
// if regranting disabled, filter off previously granted roles
|
|
377 |
// If regranting disabled, filter off previously granted roles.
|
|
361 | 378 |
$grants = array_diff(array_keys($filtered_ldap_authorizations), $initial_existing_ldap_authorizations); |
362 | 379 |
if ($test) { |
363 | 380 |
$_SESSION['ldap_authorization_test_query']['setting_data']['Grants after regrantLdapProvisioned filter'] = $grants; |
... | ... | |
369 | 386 |
|
370 | 387 |
$watchdog_tokens['%grants1'] = join(', ', $grants); |
371 | 388 |
|
372 |
/**
|
|
389 |
/** |
|
373 | 390 |
* D. Only grant authorization consumer ids that exist |
374 | 391 |
*/ |
375 | 392 |
|
376 |
$existing_grants = array(); // keys are lcase, values are mixed case |
|
393 |
// Keys are lcase, values are mixed case. |
|
394 |
$existing_grants = array(); |
|
377 | 395 |
foreach ($grants as $i => $grant) { |
378 | 396 |
if (!empty($filtered_ldap_authorizations[$grant]['exists'])) { |
379 | 397 |
$existing_grants[$grant] = $filtered_ldap_authorizations[$grant]; |
... | ... | |
396 | 414 |
if ($consumer->consumerConf->revokeLdapProvisioned) { |
397 | 415 |
$revokes_lcase = $consumer->authorizationDiff($initial_existing_ldap_authorizations, array_keys($filtered_ldap_authorizations)); |
398 | 416 |
if (count($revokes_lcase)) { |
399 |
$revokes = array(); // keys are lcase, values are mixed case |
|
417 |
// Keys are lcase, values are mixed case. |
|
418 |
$revokes = array(); |
|
400 | 419 |
foreach ($revokes_lcase as $i => $revoke_lcase) { |
401 | 420 |
$revokes[$revoke_lcase] = array( |
402 | 421 |
'value' => NULL, |
... | ... | |
423 | 442 |
$uid = $user->uid; |
424 | 443 |
$user_edit = array('data' => $user->data); |
425 | 444 |
$user_edit['data']['ldap_authorizations'] = empty($user->data['ldap_authorizations']) ? array() : $user->data['ldap_authorizations']; |
426 |
$consumer->sortConsumerIds('grant', $user_auth_data); // keep in good display order |
|
445 |
// Keep in good display order. |
|
446 |
$consumer->sortConsumerIds('grant', $user_auth_data); |
|
427 | 447 |
$user_edit['data']['ldap_authorizations'][$consumer->consumerType] = $user_auth_data; |
428 | 448 |
$watchdog_tokens['%user_edit_presave'] = print_r($user_edit, TRUE); |
429 |
if (empty($user->picture->fid)) { // see #1973352 and #935592 |
|
449 |
// See #1973352 and #935592. |
|
450 |
if (empty($user->picture->fid)) { |
|
430 | 451 |
$user2 = user_load($user->uid); |
431 | 452 |
$user->picture = $user2->picture; |
432 | 453 |
} |
... | ... | |
464 | 485 |
|
465 | 486 |
} |
466 | 487 |
|
488 |
/** |
|
489 |
* |
|
490 |
*/ |
|
467 | 491 |
function _ldap_authorization_ldap_authorization_maps_alter(&$user, &$user_ldap_entry, &$ldap_server, &$consumer_conf, &$authz_ids, $op) { |
468 | 492 |
|
469 | 493 |
$detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0); |
470 | 494 |
$watchdog_tokens = array(); |
471 | 495 |
|
472 |
// groups extracted from user's DN. such as ou=IT => group = "IT"
|
|
496 |
// Groups extracted from user's DN. such as ou=IT => group = "IT".
|
|
473 | 497 |
$derive_from_dn_authorizations = array(); |
474 | 498 |
if ($rdn_values = $consumer_conf->server->groupUserMembershipsFromDn($user)) { |
475 | 499 |
$derive_from_dn_authorizations = array_combine($rdn_values, $rdn_values); |
... | ... | |
481 | 505 |
$_SESSION['ldap_authorization_test_query']['maps']['Derive from DN'] = ($rdn_values) ? $derive_from_dn_authorizations : t('disabled'); |
482 | 506 |
} |
483 | 507 |
|
484 |
// traditional groups (dns)
|
|
508 |
// Traditional groups (dns)
|
|
485 | 509 |
$group_dns = $consumer_conf->server->groupMembershipsFromUser($user, 'group_dns'); |
486 | 510 |
if (!$group_dns) { |
487 | 511 |
$group_dns = array(); |
... | ... | |
501 | 525 |
$watchdog_tokens['%ldap_server'] = $ldap_server->sid; |
502 | 526 |
$watchdog_tokens['%deriveFromDn'] = join(', ', $derive_from_dn_authorizations); |
503 | 527 |
$watchdog_tokens['%deriveFromGroups'] = join(', ', $group_dns); |
504 |
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids));
|
|
528 |
$watchdog_tokens['%authz_ids'] = join(', ', array_keys($authz_ids)); |
|
505 | 529 |
|
506 | 530 |
watchdog('ldap_authorization', '%username :_ldap_authorization_ldap_authorization_maps_alter: |
507 | 531 |
<hr/>deriveFromDn authorization ids: %deriveFromDn |
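Review bot: The docblocks added for ldap_authorization_help_watchdog() (new lines 9-11) and _ldap_authorization_ldap_authorization_maps_alter() (new lines 488-490) are empty, so they satisfy the coding-standards sniff without documenting anything. For the first, the summary should at least name the side effect visible on new line 19, e.g. `* Render the dblog overview filtered to LDAP entries; overwrites $_SESSION['dblog_overview_filter']['type'].`, and the `// Remove after testing.` comment placed above the docblock on new line 8 would be better kept inside it as a `@todo` so it is not separated from the function it refers to. For the second, a one-line summary plus `@param` entries for the by-reference arguments ($user, $user_ldap_entry, $ldap_server, $consumer_conf, $authz_ids) would be expected given that the rest of the file documents its helpers that way. Separately, `$data = [];` on new line 307 introduces short array syntax while the same patch normalises `Array(` to `array(` on new line 19; if the module still targets a pre-5.4 PHP baseline that is a parse error, and otherwise it is simply inconsistent with the surrounding code.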
Weekly update of contrib modules