function _ldap_authorizations_user_authorizations in Lightweight Directory Access Protocol (LDAP) 7
Same name and namespace in other branches
- 8.2 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations()
- 7.2 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations()
return all desired authorizations for a given user
Parameters
object $user:
string $op: one of 'set' -- grant the authorizations (store them in the db) and return them; 'test_query' -- do not grant anything, just query and return the authorizations (the user is assumed to be LDAP authenticated and to exist); 'query' -- do not grant anything, just query and return the authorizations.
string $consumer_type e.g. drupal_roles:
string $context 'logon', 'test_if_authorizations_granted':
Return value
Documented as: LDAP_AUTHORIZATION_NO_LDAP_SERVERS if no servers are configured; LDAP_AUTHORIZATION_LDAP_ERROR on an LDAP error; TRUE if servers are configured but no roles were derived from LDAP; otherwise an array of potential authorizations (the user may or may not already have them). Note that the code below actually returns a two-element array, array($authorizations, $notifications): $authorizations is keyed by consumer type, and per-consumer status constants (e.g. LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND, LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND) are carried in $notifications rather than being returned directly.
by reference $user->data[<consumer_type>][<authorization_id>] = array(); e.g. $var['drupal_role']['content_admin'] = array('rid' => 4) e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
1 call to _ldap_authorizations_user_authorizations()
- ldap_authorizations_user_authorizations in ldap_authorization/
ldap_authorization.module - @rationale: need not be called from hook_user, so this function separated out so it can be called from a batch synchronization process for example
File
- ldap_authorization/
ldap_authorization.inc, line 61 - bulk of authorization code executed to determine a users authorizations
Code
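/**
 * Determine (and, for $op == 'set', grant) all LDAP-derived authorizations for a user.
 *
 * For every enabled consumer (drupal roles, og memberships, ...) this:
 *  1. looks the user up in the consumer's LDAP server,
 *  2. lets other modules propose authorization ids via
 *     ldap_authorization_maps_alter_invoke(),
 *  3. filters / maps those ids through the consumer's configured mappings,
 *  4. hands the result to _ldap_authorizations_user_authorizations_set()
 *     when $op is 'set' (that helper is what actually grants anything).
 *
 * @param object $user
 *   Drupal user object, by reference so the consumer can record what it
 *   granted. User 1 is never processed (design decision: the super user must
 *   not depend on LDAP for access).
 * @param string $op
 *   'set' grants and returns; 'test_query' / 'query' only return. For
 *   'test_query' the consumer's onlyApplyToLdapAuthenticated restriction is
 *   deliberately skipped and the watchdog tokens are stashed in $_SESSION so
 *   the test UI can display them.
 * @param string $consumer_type
 *   Consumer type (e.g. 'drupal_role'); passed straight through to
 *   ldap_authorization_get_consumers().
 * @param string $context
 *   'logon' or 'test_if_authorizations_granted'. In the latter the
 *   LDAP-authenticated flag is read off $user->ldap_authenticated instead of
 *   being recomputed, so callers must only pass trusted (fake/test) user
 *   objects in that context.
 *
 * @return array
 *   array($authorizations, $notifications): $authorizations is keyed by
 *   consumer type and holds the filtered authorization ids (the user may or
 *   may not already have them); $notifications is keyed by consumer type (or
 *   'all' for user 1) and holds LDAP_AUTHORIZATION_* status constants
 *   explaining why a consumer was skipped.
 *
 * Changes versus the previous revision:
 *  - the is_object(consumerConf) guard now runs BEFORE ->status / ->sid are
 *    read; previously it was dead code because the dereference came first;
 *  - the "map only" branch uses array_key_exists() instead of a loose
 *    array_search() over array_keys(), which could match an unrelated key
 *    (an integer key 0 compares loosely equal to any non-numeric string);
 *  - debug() calls pass the tokens to t() instead of as the debug label;
 *  - property reads on fake user objects use !empty() instead of @-suppression;
 *  - the loop variable no longer shadows the $consumer_type parameter.
 */
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
  // Hard-coded developer switch; debug() output is only produced when this
  // is flipped to TRUE in source.
  $debug = FALSE;
  $detailed_watchdog_log = variable_get('ldap_help_watchdog_detail', 0);
  $authorizations = array();
  $notifications = array();
  $watchdog_tokens = array(
    '%username' => $user->name,
  );
  $consumers = ldap_authorization_get_consumers($consumer_type, TRUE, FALSE);
  $servers = ldap_servers_get_servers(NULL, 'enabled', TRUE);

  // User 1 is never subject to LDAP authorization. This is a design decision:
  // the super user must keep access even if LDAP is down or misconfigured.
  if (property_exists($user, 'uid') && $user->uid == 1) {
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', '%username : ldap_authorization not applied to user 1', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    $notifications['all'] = LDAP_AUTHORIZATION_NOT_APPLY_USER_1;
    foreach (array_keys($consumers) as $ctype) {
      $authorizations[$ctype] = array();
    }
    return array(
      $authorizations,
      $notifications,
    );
  }

  // Determine whether the user is LDAP authenticated.
  if ($context == 'test_if_authorizations_granted' || ($op == 'test_query' && !empty($user->ldap_test))) {
    // The 'ldap_authenticated' property only exists on fake user objects built
    // for the test UI; read it defensively so a real user object passed in
    // this context does not raise an undefined-property notice. Note this
    // trusts whatever the caller put on the object.
    $ldap_authenticated = !empty($user->ldap_authenticated);
  }
  else {
    $ldap_authenticated = (bool) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
  }
  $watchdog_tokens['%ldap_authenticated'] = $ldap_authenticated ? 'yes' : 'no';

  foreach (array_keys($consumers) as $ctype) {
    $authorizations[$ctype] = array();
    // Each consumer type has exactly one consumer conf, and each consumer conf
    // points at exactly one ldap server id (sid), so consumer object, server
    // object and consumer conf are in a one-to-one-to-one relationship.
    $consumer = ldap_authorization_get_consumer_object($ctype);
    $watchdog_tokens['%consumer_type'] = $ctype;

    // Guard the configuration object before touching any of its properties.
    if (!is_object($consumer->consumerConf)) {
      if ($detailed_watchdog_log) {
        watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
        configuration set.', $watchdog_tokens, WATCHDOG_DEBUG);
      }
      continue;
    }
    $conf = $consumer->consumerConf;
    if (!$conf->status) {
      continue;
    }
    $proposed_ldap_authorizations = array();
    $watchdog_tokens['%sid'] = $conf->sid;

    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', '%username : testing with
      consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    if ($debug) {
      debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens));
    }

    // Consumers can opt out of being evaluated at logon time.
    if ($context == 'logon' && !$conf->synchOnLogon) {
      $notifications[$ctype][] = LDAP_AUTHORIZATION_MAP_NOT_CONF_FOR_LOGON;
      if ($detailed_watchdog_log) {
        watchdog('ldap_authorization', '%username : %consumer_type not set to run on user logon.', $watchdog_tokens, WATCHDOG_DEBUG);
      }
      continue;
    }

    // Consumers restricted to LDAP-authenticated users skip everyone else --
    // except under 'test_query', where the restriction is intentionally
    // ignored so the test UI can show what WOULD be derived. Nothing is
    // granted under 'test_query', so this does not widen real access.
    if ($conf->onlyApplyToLdapAuthenticated && !$ldap_authenticated && $op != 'test_query') {
      if ($detailed_watchdog_log) {
        watchdog('ldap_authorization', '%username : not used because it is set to be applied only to ldap authenticated users.
        %username is not ldap authenticated.', $watchdog_tokens, WATCHDOG_DEBUG);
      }
      $notifications[$ctype][] = LDAP_AUTHORIZATION_USER_NOT_LDAP_AUTHENTICATED;
      continue;
    }

    // A NULL sid tells ldap_servers_get_user_ldap_data() to search all servers.
    $consumer_sid = $conf->deriveFromEntrySearchAll ? NULL : $conf->sid;
    $user_ldap_entry = ldap_servers_get_user_ldap_data($user, $consumer_sid);
    if (!$user_ldap_entry) {
      $notifications[$ctype][] = LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND;
      if ($detailed_watchdog_log) {
        watchdog('ldap_authorization', '%username : %consumer_type ldap user not found.', $watchdog_tokens, WATCHDOG_DEBUG);
      }
      continue;
    }
    if (!isset($servers[$conf->sid])) {
      $notifications[$ctype][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND;
      if ($detailed_watchdog_log) {
        watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
      }
      continue;
    }
    $ldap_server = $servers[$conf->sid];

    // 1. Work out which authorization ids this consumer type / mapping
    //    configuration proposes. The result is
    //    $proposed_ldap_authorizations[<authorization id>] = <value>
    //    and is a function of the drupal user, the user's ldap entry, the
    //    ldap server configuration and the consumer conf. The ids may stand
    //    for drupal roles, organic groups, civicrm groups, etc.
    if ($detailed_watchdog_log || $debug) {
      $pre_hook = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : array();
      $watchdog_tokens['%proposed_authorizations_pre_hook'] = join(', ', $pre_hook);
      watchdog('ldap_authorization', '%username : initial proposed authorization before mapps_alter_invoke %consumer_type: %proposed_authorizations_pre_hook.', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    ldap_authorization_maps_alter_invoke($user, $user_ldap_entry, $ldap_server, $conf, $proposed_ldap_authorizations, $op);
    if ($detailed_watchdog_log || $debug) {
      $post_hook = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : array();
      $watchdog_tokens['%proposed_authorizations'] = join(', ', $post_hook);
    }
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', '%username : initial proposed authorization for %consumer_type: %proposed_authorizations.', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    if ($debug) {
      debug(t('%username : initial proposed authorization for %consumer_type: %proposed_authorizations.', $watchdog_tokens));
    }

    // Normalise keys to lower case (values keep their case) so the mapping
    // lookups below are case-insensitive on the "from" side.
    foreach ($proposed_ldap_authorizations as $key => $value) {
      if ($key != drupal_strtolower($key)) {
        $proposed_ldap_authorizations[drupal_strtolower($key)] = $value;
        unset($proposed_ldap_authorizations[$key]);
      }
    }

    // 2. Apply the mappings. They act either as whitelist + rename
    //    (useMappingsAsFilter) or as rename only. Result is a flat list of
    //    filtered / mapped authorization ids.
    if ($conf->useMappingsAsFilter) {
      // Filter + map: only proposed ids that appear as a mapping source
      // survive, and each is replaced by its mapping target.
      $filtered_ldap_authorizations = array();
      foreach ($conf->normalizedMappings as $mapping_filter) {
        $map_from = $mapping_filter[0];
        $map_to = $mapping_filter[1];
        if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
          $filtered_ldap_authorizations[] = $map_to;
        }
      }
    }
    else {
      // Map only: every proposed id is kept, but ids that have a mapping are
      // replaced by the mapping target.
      $filtered_ldap_authorizations = array_values($proposed_ldap_authorizations);
      if (is_array($conf->mappings) && is_array($proposed_ldap_authorizations)) {
        foreach ($conf->mappings as $mapping_filter) {
          $map_from = $mapping_filter[0];
          $map_to = $mapping_filter[1];
          // Exact key lookup; a loose array_search() over array_keys() could
          // report a match against an unrelated (e.g. integer) key.
          if (array_key_exists(drupal_strtolower($map_from), $proposed_ldap_authorizations)) {
            // Drop the unmapped id (either spelling) and add the mapped one.
            $filtered_ldap_authorizations = array_diff($filtered_ldap_authorizations, array(
              $map_from,
              drupal_strtolower($map_from),
            ));
            $filtered_ldap_authorizations[] = $map_to;
          }
        }
      }
    }
    $filtered_ldap_authorizations = array_unique($filtered_ldap_authorizations);
    $watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', $filtered_ldap_authorizations);
    if ($detailed_watchdog_log) {
      watchdog('ldap_authorization', '%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.', $watchdog_tokens, WATCHDOG_DEBUG);
    }
    if ($debug) {
      debug(t('%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.', $watchdog_tokens));
    }

    // 3. Grant (only for 'set'); 'test_query' just records the tokens for the
    //    test UI in the session.
    if ($op == 'test_query') {
      $_SESSION['ldap_authorization_test_query']['tokens'] = $watchdog_tokens;
    }
    if ($op == 'set') {
      _ldap_authorizations_user_authorizations_set($user, $consumer, $filtered_ldap_authorizations, $user_ldap_entry, $watchdog_tokens);
    }
    $authorizations[$ctype] = $filtered_ldap_authorizations;
  }
  // end foreach $consumers

  return array(
    $authorizations,
    $notifications,
  );
}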