public function LoginValidatorBase::checkAllowedExcluded in Lightweight Directory Access Protocol (LDAP) 8.4

Check if exclusion criteria match.

Parameters

string $authName: Authname.

\Symfony\Component\Ldap\Entry $ldap_user: LDAP Entry.

Return value

bool Exclusion result.

Overrides LoginValidatorInterface::checkAllowedExcluded

2 calls to LoginValidatorBase::checkAllowedExcluded()
LoginValidatorLoginForm::testCredentials in ldap_authentication/src/Controller/LoginValidatorLoginForm.php
Credentials are tested.
LoginValidatorSso::testCredentials in ldap_authentication/src/Controller/LoginValidatorSso.php
@todo Reduce code duplication w/ LoginValidator, split this function up.

File

ldap_authentication/src/Controller/LoginValidatorBase.php, line 501

Class

LoginValidatorBase
Handles the actual testing of credentials and authentication of users.

Namespace

Drupal\ldap_authentication\Controller

Code

public function checkAllowedExcluded(string $authName, Entry $ldap_user): bool {

  // Exclusion pass: refuse the login if any configured "exclude" string
  // appears anywhere in the DN. stripos() is a case-insensitive substring
  // match, not an RDN comparison, so "ou=guests" also matches
  // "ou=guests-archive".
  foreach ($this->config->get('excludeIfTextInDn') as $test) {
    if (stripos($ldap_user->getDn(), $test) !== FALSE) {
      return FALSE;
    }
  }

  // Allow-list pass: when any "allow only" strings are configured, at least
  // one of them must appear in the DN (same substring semantics as above).
  if (count($this->config->get('allowOnlyIfTextInDn'))) {
    $fail = TRUE;
    foreach ($this->config->get('allowOnlyIfTextInDn') as $test) {
      if (stripos($ldap_user->getDn(), $test) !== FALSE) {
        $fail = FALSE;
      }
    }
    if ($fail) {
      return FALSE;
    }
  }

  // Refuse users that receive no LDAP Authorization mappings, when the
  // ldap_authorization module is installed and excludeIfNoAuthorizations is
  // enabled. A not-yet-provisioned account is represented by an unsaved
  // user entity so the authorization profiles can still be evaluated.
  if ($this->moduleHandler->moduleExists('ldap_authorization') && $this->config->get('excludeIfNoAuthorizations')) {
    $user = FALSE;
    $id = $this->externalAuth->getUid($authName, 'ldap_user');
    if ($id) {
      $user = $this->entityTypeManager->getStorage('user')->load($id);
    }
    if (!$user) {
      $user = $this->entityTypeManager->getStorage('user')->create([
        'name' => $authName,
      ]);
    }

    // The authorization manager is fetched from the container rather than
    // injected so that ldap_authentication does not hard-depend on the
    // authorization module.
    /** @var \Drupal\user\Entity\User $user */
    /** @var \Drupal\authorization\AuthorizationController $controller */
    // @codingStandardsIgnoreLine
    $controller = \Drupal::service('authorization.manager');
    $controller->setUser($user);
    $profiles = $this->entityTypeManager
      ->getStorage('authorization_profile')
      ->getQuery()
      ->condition('provider', 'ldap_provider')
      ->execute();
    foreach ($profiles as $profile) {
      $controller->queryIndividualProfile($profile);
    }
    $authorizations = $controller->getProcessedAuthorizations();
    $controller->clearAuthorizations();
    $valid_profile = FALSE;
    foreach ($authorizations as $authorization) {
      if (!empty($authorization->getAuthorizationsApplied())) {
        $valid_profile = TRUE;
      }
    }
    // This branch is reached both when no LDAP authorization profile exists
    // and when profiles exist but none applied to this user; the messages
    // below only describe the first case.
    if (!$valid_profile) {
      $this->messenger->addWarning($this->t('The site logon is currently not working due to a configuration error. Please see logs for additional details.'));
      $this->logger->notice('LDAP Authentication is configured to deny users without LDAP Authorization mappings, but 0 LDAP Authorization consumers are configured.');
      return FALSE;
    }
  }

  // Let other modules refuse the login via
  // hook_ldap_authentication_allowuser_results_alter(); a hook that sets
  // $hook_result to FALSE denies the user.
  $hook_result = TRUE;
  $this->moduleHandler->alter('ldap_authentication_allowuser_results', $ldap_user, $authName, $hook_result);
  if (!$hook_result) {
    $this->logger->notice('Authentication Allow User Result=refused for %name', [
      '%name' => $authName,
    ]);
    return FALSE;
  }

  // Default to allowed.
  return TRUE;
}
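As an added example (not code from the ldap_authentication module), the following shows how a site module can use the alter hook invoked at the end of this method to apply stricter DN matching than the substring checks above. The module name example_ldap_policy, the required parent container and the helper function names are hypothetical; the hook name follows from the alter('ldap_authentication_allowuser_results', ...) call combined with Drupal's hook_TYPE_alter() convention, with the three arguments passed in the same order as in the method.

```php
<?php

/**
 * @file
 * Hooks for the hypothetical example_ldap_policy module (added example).
 */

use Symfony\Component\Ldap\Entry;

/**
 * Implements hook_ldap_authentication_allowuser_results_alter().
 *
 * Invoked by LoginValidatorBase::checkAllowedExcluded() after the built-in
 * DN substring checks. Setting $hook_result to FALSE refuses the login.
 */
function example_ldap_policy_ldap_authentication_allowuser_results_alter(Entry $ldap_user, string $authName, bool &$hook_result): void {
  // Nothing to do if an earlier hook implementation already refused the user.
  if (!$hook_result) {
    return;
  }

  // Assumption: accounts that may log in live directly under this container.
  $required_parent = 'ou=staff,dc=example,dc=com';

  if (!_example_ldap_policy_dn_has_parent($ldap_user->getDn(), $required_parent)) {
    \Drupal::logger('example_ldap_policy')->notice('Refusing %name: DN %dn is not directly under %parent.', [
      '%name' => $authName,
      '%dn' => $ldap_user->getDn(),
      '%parent' => $required_parent,
    ]);
    $hook_result = FALSE;
  }
}

/**
 * Checks that a DN sits directly beneath the expected parent container.
 *
 * Unlike stripos(), this compares whole DN components after normalising
 * case and whitespace, so "ou=staff" does not match "ou=staff-archive".
 */
function _example_ldap_policy_dn_has_parent(string $dn, string $parent): bool {
  $dn_parts = _example_ldap_policy_split_dn($dn);
  $parent_parts = _example_ldap_policy_split_dn($parent);
  // Exactly one RDN (the user's own) followed by the expected parent.
  if (count($dn_parts) !== count($parent_parts) + 1) {
    return FALSE;
  }
  return array_slice($dn_parts, 1) === $parent_parts;
}

/**
 * Splits a DN into normalised "type=value" components.
 *
 * Handles commas escaped as "\," inside values, which a plain explode() does
 * not; other RFC 4514 escapes are left untouched since only equality between
 * identically formatted strings is needed here.
 */
function _example_ldap_policy_split_dn(string $dn): array {
  $parts = preg_split('/(?<!\\\\),/', $dn);
  $normalised = [];
  foreach ($parts as $part) {
    [$type, $value] = array_pad(explode('=', $part, 2), 2, '');
    $normalised[] = strtolower(trim($type)) . '=' . strtolower(trim($value));
  }
  return $normalised;
}
```

Because the hook runs only after the exclude, allow-only and authorization checks have passed, an implementation like this can further restrict logins but cannot re-admit a user that an earlier check already refused.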