function _ldap_authorizations_user_authorizations in Lightweight Directory Access Protocol (LDAP) 8.2
Same name and namespace in other branches
- 7.2 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations()
- 7 ldap_authorization/ldap_authorization.inc \_ldap_authorizations_user_authorizations()
return all desired authorizations for a given user
Parameters
object $user:
string $op =: set -- grant authorizations (store in db) and return authorizations test_query -- don't grant authorization, just query and return authorizations. assume user is ldap authenticated and exists test_query_set -- do grant authorizations, but also log data for debugging query -- don't grant authorization, just query and return authorizations
string $consumer_type e.g. drupal_roles:
string $context 'logon', 'test_if_authorizations_granted':
Return value
LDAP_AUTHORIZATION_NO_LDAP_SERVERS if no servers configured LDAP_AUTHORIZATION_LDAP_ERROR if ldap error TRUE if servers configured but no roles derived from ldap array of potential authorizations (user may or may not already have these)
by reference $user->data[<consumer_type>][<authorization_id>] = array(); e.g. $var['drupal_role']['content_admin'] = array('rid' => 4) e.g. $var['og_membership']['bakers club'] = array('expires' => '01/01/2012');
1 call to _ldap_authorizations_user_authorizations()
- ldap_authorizations_user_authorizations in ldap_authorization/
ldap_authorization.module - @rationale: need not be called from hook_user, so this function separated out so it can be called from a batch synchronization process for example
File
- ldap_authorization/
ldap_authorization.inc, line 60 - bulk of authorization code executed to determine a users authorizations
Code
function _ldap_authorizations_user_authorizations(&$user, $op, $consumer_type, $context) {
$debug = FALSE;
$detailed_watchdog_log = config('ldap_help.settings')
->get('watchdog_detail');
$authorizations = array();
$notifications = array();
$watchdog_tokens = array(
'%username' => $user->name,
);
$consumers = ldap_authorization_get_consumers($consumer_type, TRUE, FALSE);
$servers = ldap_servers_get_servers(NULL, 'enabled', TRUE);
/**
* user 1 not used in ldap authorization. this is a design decision.
*/
if (property_exists($user, 'uid') && $user->uid == 1) {
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : ldap_authorization not applied to user 1', $watchdog_tokens, WATCHDOG_DEBUG);
}
$notifications['all'] = LDAP_AUTHORIZATION_NOT_APPLY_USER_1;
foreach ($consumers as $consumer_type => $consumer) {
$authorizations[$consumer_type] = array();
}
return array(
$authorizations,
$notifications,
);
}
/**
* determine if user is ldap authenticated
*/
if ($context == 'test_if_authorizations_granted' || ($op == 'test_query_set' || $op == 'test_query') && @$user->ldap_test == TRUE) {
$ldap_authenticated = $user->ldap_authenticated;
// property 'ldap_authenticated' only exists for fake user objects submitted from testing form
}
else {
$ldap_authenticated = (bool) (module_exists('ldap_authentication') && ldap_authentication_ldap_authenticated($user));
}
$watchdog_tokens['%ldap_authenticated'] = $ldap_authenticated ? 'yes' : 'no';
foreach ($consumers as $consumer_type => $consumer) {
$authorizations[$consumer_type] = array();
/**
* each consumer type has only one consumer conf and each consumer conf has only one ldap server id (sid)
* so there is a one-to-one-to-one relationship between:
* - consumer object ($consumer),
* - server object ($ldap_server),
* - and consumer conf object.
*
*/
$consumer = ldap_authorization_get_consumer_object($consumer_type);
if (!$consumer->consumerConf->status) {
continue;
}
$proposed_ldap_authorizations = array();
$watchdog_tokens['%consumer_type'] = $consumer_type;
$watchdog_tokens['%sid'] = $consumer->consumerConf->sid;
if (!is_object($consumer->consumerConf)) {
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : consumer type %consumer_type has no
configuration set.', $watchdog_tokens, WATCHDOG_DEBUG);
}
continue;
}
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : testing with
consumer type %consumer_type. ldap authenticated=%ldap_authenticated', $watchdog_tokens, WATCHDOG_DEBUG);
}
if ($debug) {
debug(t('%username : testing with consumer type %consumer_type. ldap authenticated=%ldap_authenticated'), $watchdog_tokens);
debug("op={$op},ldap_authenticated={$ldap_authenticated} {$consumer_type} context={$context}, consumer->consumerConf->synchOnLogon=" . (int) $consumer->consumerConf->synchOnLogon);
//$debug = TRUE;
}
if ($context == 'logon' && !$consumer->consumerConf->synchOnLogon) {
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_MAP_NOT_CONF_FOR_LOGON;
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : %consumer_type not set to run on user logon.', $watchdog_tokens, WATCHDOG_DEBUG);
}
continue;
}
if ($consumer->consumerConf->onlyApplyToLdapAuthenticated && !$ldap_authenticated && $op != 'test_query' && $op != 'test_query_set') {
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : not used because it is set to be applied only to ldap authenticated users.
%username is not ldap authenticated.', $watchdog_tokens, WATCHDOG_DEBUG);
}
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_NOT_LDAP_AUTHENTICATED;
continue;
}
$ldap_user = ldap_servers_get_user_ldap_data($user, $consumer->consumerConf->sid, 'ldap_authorization__' . $consumer_type);
if (!$ldap_user) {
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_USER_LDAP_NOT_FOUND;
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : %consumer_type ldap user not found.', $watchdog_tokens, WATCHDOG_DEBUG);
}
continue;
}
if (!isset($servers[$consumer->consumerConf->sid])) {
$notifications[$consumer_type][] = LDAP_AUTHORIZATION_SERVER_CONFIG_NOT_FOUND;
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : %consumer_type ldap server %sid not enabled or found.', $watchdog_tokens, WATCHDOG_DEBUG);
}
continue;
}
$ldap_server = $consumer->consumerConf->server;
/**
* 1. first just need to figure out what authz_ids are generated for this consumer type/mapping configuration
*
* goal here is simply to build an array of authorizations for this ldap authz mapping
* $proposed_ldap_authorizations[<authorization id>] = properties associative array or empty array
* e.g. $proposed_ldap_authorizations['admin'] = array()
*
* @see ldap_authorization.api.php hook_ldap_authorization_maps_alter() notes
*/
ldap_authorization_maps_alter_invoke($user, $ldap_user, $ldap_server, $consumer->consumerConf, $proposed_ldap_authorizations, $op);
/** make sure keys of array are lower case and values are mixed case
and strip to first attribute is configured
*/
foreach ($proposed_ldap_authorizations as $key => $authorization_id) {
if ($consumer->consumerConf->useFirstAttrAsGroupId) {
$attr_parts = ldap_explode_dn($authorization_id, 0);
if (count($attr_parts) > 0) {
$first_part = explode('=', $attr_parts[0]);
if (count($first_part) > 1) {
$authorization_id = ldap_pear_unescape_dn_value(trim($first_part[1]));
}
}
$new_key = drupal_strtolower($authorization_id);
}
else {
$new_key = drupal_strtolower($key);
}
$proposed_ldap_authorizations[$new_key] = $authorization_id;
if ($key != $new_key) {
unset($proposed_ldap_authorizations[$key]);
}
}
if ($op == 'test_query' || $op == 'test_query_set') {
$_SESSION['ldap_authorization_test_query']['useFirstAttrAsGroupId'] = $proposed_ldap_authorizations;
}
if ($detailed_watchdog_log || $debug) {
$_proposed_ldap_authorizations = is_array($proposed_ldap_authorizations) ? $proposed_ldap_authorizations : array();
$watchdog_tokens['%proposed_authorizations'] = join(', ', $_proposed_ldap_authorizations);
}
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : initial proposed authorization for %consumer_type: %proposed_authorizations.', $watchdog_tokens, WATCHDOG_DEBUG);
}
if ($debug) {
debug(t('%username : initial proposed authorization for %consumer_type: %proposed_authorizations.', $watchdog_tokens));
}
/**
* 2. filter can be both a whitelist and a mapping of an ldap results to an authorization id.
* goal of this step is to generate $filtered_ldap_authorizations[$consumer_type]
* an array of filtered and mapped authorization ids
*/
$filtered_ldap_authorizations = array();
if ($consumer->consumerConf->useMappingsAsFilter) {
// filter + map
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
$map_from = $mapping_filter['from'];
$map_to = $mapping_filter['normalized'];
if (isset($proposed_ldap_authorizations[drupal_strtolower($map_from)])) {
$filtered_ldap_authorizations[drupal_strtolower($map_to)] = array(
'map_to_string' => $map_to,
'exists' => NULL,
);
}
}
}
else {
// only map, don't filter off authorizations that have no mapping
$_authorizations = array_values($proposed_ldap_authorizations);
if (is_array($consumer->consumerConf->mappings) && is_array($proposed_ldap_authorizations)) {
foreach ($consumer->consumerConf->mappings as $mapping_filter) {
$map_from = $mapping_filter['from'];
$map_to = $mapping_filter['normalized'];
$map_from_key = array_search(drupal_strtolower($map_from), array_keys($proposed_ldap_authorizations));
if ($map_from_key !== FALSE) {
// remove non mapped authorization
$_authorizations = array_diff($_authorizations, array(
$map_from,
));
$_authorizations = array_diff($_authorizations, array(
drupal_strtolower($map_from),
));
// add mapped authorization
$_authorizations[] = $map_to;
// remove map from;
}
}
}
foreach ($_authorizations as $i => $authorization_id) {
$filtered_ldap_authorizations[drupal_strtolower($authorization_id)] = array(
'map_to_string' => $authorization_id,
'exists' => NULL,
'value' => $authorization_id,
);
}
}
$consumer
->populateConsumersFromConsumerIds($filtered_ldap_authorizations, $consumer->consumerConf->createConsumers);
// set values of $filtered_ldap_authorizations to consumers
/**
* now that we have list of consumers that are to be granted, give other modules a chance to alter it
*
* @see ldap_authorization.api.php hook_ldap_authorization_authorizations_alter() notes
*/
$params = array(
'user' => $user,
'ldap_user' => $ldap_user,
'ldap_server' => $ldap_server,
'consumer' => $consumer,
);
drupal_alter('ldap_authorization_authorizations', $filtered_ldap_authorizations, $params);
$watchdog_tokens['%filtered_ldap_authorizations'] = join(', ', array_keys($filtered_ldap_authorizations));
if ($detailed_watchdog_log) {
watchdog('ldap_authorization', '%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.', $watchdog_tokens, WATCHDOG_DEBUG);
}
if ($debug) {
debug(t('%username : filtered authorization for %consumer_type: %filtered_ldap_authorizations.', $watchdog_tokens));
}
if ($op == 'test_query' || $op == 'test_query_set') {
$display_authorizations = array();
foreach ($filtered_ldap_authorizations as $consumer_id => $_consumer) {
$display_authorizations[] = $_consumer['map_to_string'];
}
$_SESSION['ldap_authorization_test_query']['post mappings'] = $display_authorizations;
$data = property_exists($user, 'data') ? $user->data['ldap_authorizations'][$consumer->consumerType] : array();
$_SESSION['ldap_authorization_test_query']['user data'] = $data;
}
/**
* 3. third, grant any proposed authorizations not already granted
*/
if ($op == 'test_query' || $op == 'test_query_set') {
$_SESSION['ldap_authorization_test_query']['tokens'] = $watchdog_tokens;
}
if ($op == 'set' || $op == "test_query_set") {
$test = $op == "test_query_set";
_ldap_authorizations_user_authorizations_set($user, $consumer, $filtered_ldap_authorizations, $ldap_user, $watchdog_tokens, $test);
}
$authorizations[$consumer_type] = $filtered_ldap_authorizations;
}
// end foreach $consumers
return array(
$authorizations,
$notifications,
);
}