
public function LoginValidator::checkAllowedExcluded in Lightweight Directory Access Protocol (LDAP) 8.3

Check if exclusion criteria match.

Return value

bool Exclusion result.

2 calls to LoginValidator::checkAllowedExcluded()
LoginValidator::testCredentials in ldap_authentication/src/Controller/LoginValidator.php
Credentials are tested.
LoginValidator::testSsoCredentials in ldap_authentication/src/Controller/LoginValidator.php
Test the SSO credentials.

File

ldap_authentication/src/Controller/LoginValidator.php, line 612

Class

LoginValidator
Handles the actual testing of credentials and authentication of users.

Namespace

Drupal\ldap_authentication\Controller

Code

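public function checkAllowedExcluded($authName, $ldap_user) {
  // Every DN-based rule below looks at the same value; normalise it once so a
  // missing 'dn' key cannot emit a notice or match anything.
  $dn = isset($ldap_user['dn']) ? (string) $ldap_user['dn'] : '';

  // Deny when any configured "exclude" fragment occurs in the DN
  // (case-insensitive substring match). Empty fragments are skipped: on
  // PHP 8 stripos() treats an empty needle as matching every haystack, which
  // would deny every user; on PHP 7 it warned and never matched.
  foreach ((array) $this->config->get('excludeIfTextInDn') as $test) {
    $test = (string) $test;
    if ($test !== '' && stripos($dn, $test) !== FALSE) {
      return FALSE;
    }
  }

  // When an allow list is configured, at least one of its fragments must
  // occur in the DN. Empty fragments are ignored when matching (for the same
  // PHP 8 reason as above) but still count as "a list is configured", so a
  // list consisting only of empty strings fails closed instead of letting
  // everyone in.
  $allow_list = (array) $this->config->get('allowOnlyIfTextInDn');
  if (count($allow_list)) {
    $matched = FALSE;
    foreach ($allow_list as $test) {
      $test = (string) $test;
      if ($test !== '' && stripos($dn, $test) !== FALSE) {
        $matched = TRUE;
        break;
      }
    }
    if (!$matched) {
      return FALSE;
    }
  }

  // With excludeIfNoAuthorizations enabled, deny the user unless at least one
  // ldap_provider authorization profile actually applied an authorization.
  if ($this->moduleHandler->moduleExists('ldap_authorization') && $this->config->get('excludeIfNoAuthorizations')) {
    // Prefer the existing Drupal account mapped to this identifier; fall back
    // to an unsaved stub so the authorization controller has a user to query.
    $user = FALSE;
    $id = ExternalAuthenticationHelper::getUidFromIdentifierMap($authName);
    if ($id) {
      $user = $this->entityTypeManager->getStorage('user')->load($id);
    }
    if (!$user) {
      $user = User::create([
        'name' => $authName,
      ]);
    }

    // We are not injecting this service properly to avoid forcing this
    // dependency on authorization.

    /** @var \Drupal\authorization\AuthorizationController $controller */
    $controller = \Drupal::service('authorization.manager');
    $controller->setUser($user);
    $profiles = $this->entityTypeManager
      ->getStorage('authorization_profile')
      ->getQuery()
      ->condition('provider', 'ldap_provider')
      ->execute();
    foreach ($profiles as $profile) {
      $controller->queryIndividualProfile($profile);
    }
    $authorizations = $controller->getProcessedAuthorizations();
    // Reset the controller's state so results do not leak into later calls.
    $controller->clearAuthorizations();

    $valid_profile = FALSE;
    foreach ($authorizations as $authorization) {
      if (!empty($authorization->getAuthorizationsApplied())) {
        $valid_profile = TRUE;
        break;
      }
    }
    if (!$valid_profile) {
      // NOTE(review): this branch is reached both when no consumer is
      // configured and when the user simply has no applied authorizations;
      // the messages below only describe the former case.
      drupal_set_message($this->t('The site logon is currently not working due to a configuration error. Please see logs for additional details.'), 'warning');
      $this->logger->notice('LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured.');
      return FALSE;
    }
  }

  // Allow other modules to hook in and refuse if they like. Only an explicit
  // FALSE refuses; any other value leaves the decision unchanged.
  $hook_result = TRUE;
  $this->moduleHandler->alter('ldap_authentication_allowuser_results', $ldap_user, $authName, $hook_result);
  if ($hook_result === FALSE) {
    $this->logger->notice('Authentication Allow User Result=refused for %name', [
      '%name' => $authName,
    ]);
    return FALSE;
  }

  // Default to allowed.
  return TRUE;
}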