View source
<?php
module_load_include('php', 'ldap_authorization', 'LdapAuthorizationConsumerAbstract.class');
class LdapAuthorizationConsumerOG extends LdapAuthorizationConsumerAbstract {
public $consumerType = 'og_group';
public $allowSynchBothDirections = FALSE;
public $allowConsumerObjectCreation = FALSE;
public $onlyApplyToLdapAuthenticatedDefault = TRUE;
public $useMappingsAsFilterDefault = TRUE;
public $synchOnLogonDefault = TRUE;
public $synchManuallyDefault = TRUE;
public $revokeLdapProvisionedDefault = TRUE;
public $regrantLdapProvisionedDefault = TRUE;
public $createContainersDefault = FALSE;
public $ogRoles = array();
public $ogRolesByName = array();
public $ogVersion = NULL;
public $ogs = array();
function __construct($consumer_type = NULL) {
$this->ogVersion = ldap_authorization_og_og_version();
$params = ldap_authorization_og_ldap_authorization_consumer();
if ($this->ogVersion == 1) {
$this->ogRoles = og_roles(0);
$this->ogRolesByName = array_flip($this->ogRoles);
}
else {
$this
->_setConsumerIDs();
}
parent::__construct('og_group', $params['og_group']);
}
public function refreshConsumerIDs() {
$this
->_setConsumerIDs();
}
public function _setConsumerIDs() {
$this->_availableConsumerIDs = array();
if ($this->ogVersion == 1) {
$groups = og_get_all_group();
$og_entities = og_load_multiple($groups);
foreach ($og_entities as $group) {
$this->ogs[$group->gid] = $group;
foreach ($this->ogRoles as $rid => $role) {
$auth_id = ldap_authorization_og_authorization_id($group->gid, $rid);
$this->_availableConsumerIDs[$auth_id] = $group->label . ", {$role}";
}
}
}
else {
list($this->ogs, $this->_availableConsumerIDs) = $this
->og2Groups();
}
}
public static function og2Groups() {
$ogs = array();
$availableConsumerIDs = array();
foreach (og_get_all_group_bundle() as $entity_type => $bundles) {
$group_entity_ids = og_get_all_group($entity_type);
$group_entities = entity_load($entity_type, $group_entity_ids);
$ogs[$entity_type] = $group_entities;
foreach ($group_entities as $entity_id => $group_entity) {
$roles = og_roles($entity_type, isset($group_entity->type) ? $group_entity->type : NULL, $entity_id);
$ogs[$entity_type][$entity_id] = array(
'roles' => $roles,
'entity' => $group_entity,
'name' => isset($group_entity->title) ? $group_entity->title : '',
);
foreach ($roles as $rid => $role) {
$auth_id = ldap_authorization_og_authorization_id($entity_id, $rid, $entity_type);
$availableConsumerIDs[$auth_id] = $ogs[$entity_type][$entity_id]['name'] . " - {$role}";
}
}
}
return array(
$ogs,
$availableConsumerIDs,
);
}
public function normalizeMappings($mappings) {
if ($this->ogVersion == 2) {
return $mappings;
}
foreach ($mappings as $i => $mapping) {
$gid = NULL;
$rid = NULL;
$targets = explode(',', $mapping[1]);
if (count($targets) != 2) {
return FALSE;
}
$group_target_and_value = explode('=', $targets[0]);
if (count($group_target_and_value) != 2) {
return FALSE;
}
list($group_target, $group_target_value) = $group_target_and_value;
$role_target_and_value = explode('=', $targets[1]);
if (count($role_target_and_value) != 2) {
return FALSE;
}
list($role_target, $role_target_value) = $role_target_and_value;
if ($group_target == 'gid') {
$gid = $group_target_value;
}
elseif ($group_target == 'group-name') {
list($og_group, $og_node) = ldap_authorization_og1_get_group($group_target_value, 'group_name', 'object');
if (is_object($og_group) && property_exists($og_group, 'gid') && $og_group->gid) {
$gid = $og_group->gid;
}
}
else {
$entity_type_and_field = explode('.', $group_target);
if (count($entity_type_and_field) != 2) {
return FALSE;
}
list($entity_type, $field) = $entity_type_and_field;
$query = new EntityFieldQuery();
$query
->entityCondition('entity_type', $entity_type)
->fieldCondition($field, 'value', $group_target_value, '=')
->addMetaData('account', user_load(1));
$result = $query
->execute();
if (is_array($result) && isset($result[$entity_type]) && count($result[$entity_type]) == 1) {
$entities = array_keys($result[$entity_type]);
$gid = ldap_authorization_og1_entity_id_to_gid($entities[0]);
}
}
if ($role_target == 'rid') {
$rid = $role_target_value;
}
elseif ($role_target == 'role-name') {
$rid = ldap_authorization_og_rid_from_role_name($role_target_value);
}
if ($gid && $rid) {
$mappings[$i][1] = ldap_authorization_og_authorization_id($gid, $rid);
}
else {
$mappings[$i][1] = FALSE;
}
}
return $mappings;
}
public function availableConsumerIDs($reset = FALSE) {
if ($reset || !is_array($this->_availableConsumerIDs)) {
$this
->refreshConsumerIDs();
}
return array_keys($this->_availableConsumerIDs);
}
public function sortConsumerIds($op, &$consumer_ids) {
if ($op == 'revoke') {
arsort($consumer_ids, SORT_STRING);
}
else {
asort($consumer_ids, SORT_STRING);
}
}
public function revokeSingleAuthorization(&$user, $authorization_id, &$user_auth_data) {
if ($this->ogVersion == 1) {
list($gid, $rid) = @explode('-', $authorization_id);
}
else {
list($group_type, $gid, $rid) = @explode(':', $authorization_id);
}
if (!$authorization_id || !$gid || !$rid || !is_object($user) || $this->ogVersion == 2 && !$group_type) {
watchdog('ldap_authorization_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
improper parameters.', array(), WATCHDOG_ERROR);
return FALSE;
}
$ldap_granted = $this
->hasLdapGrantedAuthorization($user, $authorization_id);
$granted = $this
->hasAuthorization($user, $authorization_id);
if ($this->ogVersion == 1) {
$users_group_roles = og_get_user_roles($gid, $user->uid);
}
else {
$users_group_roles = og_get_user_roles($group_type, $gid, $user->uid);
}
if (!$granted || $granted && !$ldap_granted) {
return TRUE;
}
if (count($users_group_roles) == 1) {
if ($this->ogVersion == 1) {
$entity = og_ungroup($gid, 'user', $user->uid, TRUE);
}
else {
$entity = og_ungroup($group_type, $gid, 'user', $user->uid);
}
$result = (bool) $entity;
$watchdog_tokens['%action'] = 'og_ungroup';
}
else {
if ($this->ogVersion == 1) {
og_role_revoke($gid, $user->uid, $rid);
}
else {
og_role_revoke($group_type, $gid, $user->uid, $rid);
}
$watchdog_tokens['%action'] = 'og_role_revoke';
return TRUE;
}
if ($this->detailedWatchdogLog) {
watchdog('ldap_authorization_og', 'LdapAuthorizationConsumerOG.revokeSingleAuthorization()
revoked: gid=%gid, rid=%rid, action=%action for username=%username', $watchdog_tokens, WATCHDOG_DEBUG);
}
return $result;
}
public function grantSingleAuthorization(&$user, $authorization_id, &$user_auth_data) {
$result = FALSE;
$watchdog_tokens = array(
'%authorization_id' => $authorization_id,
'%username' => $user->name,
'%ogversion' => $this->ogVersion,
);
if ($this->detailedWatchdogLog) {
watchdog('ldap_auth_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
beginning to grant authorization for $group_name=%group_name to user %username', $watchdog_tokens, WATCHDOG_DEBUG);
}
if ($this->ogVersion == 1) {
list($gid, $rid) = @explode('-', $authorization_id);
}
else {
list($group_type, $gid, $rid) = @explode(':', $authorization_id);
$watchdog_tokens['%group_type'] = $group_type;
}
$watchdog_tokens['%gid'] = $gid;
$watchdog_tokens['%rid'] = $rid;
$watchdog_tokens['%uid'] = $user->uid;
$available_consumer_ids = $this
->availableConsumerIDs(TRUE);
if (!$authorization_id || !$gid || !$rid || !is_object($user) || $this->ogVersion == 2 && !$group_type) {
watchdog('ldap_auth_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
improper parameters.', $watchdog_tokens, WATCHDOG_ERROR);
return FALSE;
}
if (!in_array($authorization_id, $available_consumer_ids)) {
$result = FALSE;
watchdog('ldap_authorization_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
failed to grant %username the group-role %authorization_id because group-role does not exist', $watchdog_tokens, WATCHDOG_ERROR);
return FALSE;
}
$ldap_granted = $this
->hasLdapGrantedAuthorization($user, $authorization_id);
$granted = $this
->hasAuthorization($user, $authorization_id);
if ($ldap_granted && $granted) {
watchdog('ldap_auth_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
<hr />not granted: gid=%gid, for username=%username,
<br />because user already belongs to group', $watchdog_tokens, WATCHDOG_DEBUG);
return TRUE;
}
if ($granted && !$ldap_granted) {
watchdog('ldap_authorization_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
<hr />membership already exists for: gid=%gid, rid=%rid, for username=%username,
<br />but made ldap granted.', $watchdog_tokens, WATCHDOG_DEBUG);
return TRUE;
}
if ($this->detailedWatchdogLog) {
watchdog('ldap_auth_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
calling og_role_grant(%group_type, %gid, %uid, %rid).
og version=%ogversion', $watchdog_tokens, WATCHDOG_DEBUG);
}
if ($this->ogVersion == 2) {
$values = array(
'entity_type' => 'user',
'entity' => $user->uid,
'field_name' => FALSE,
'state' => OG_STATE_ACTIVE,
);
$og_membership = og_group($group_type, $gid, $values);
og_role_grant($group_type, $gid, $user->uid, $rid);
}
else {
$values = array(
'entity type' => 'user',
'entity' => $user,
'state' => OG_STATE_ACTIVE,
'membership type' => OG_MEMBERSHIP_TYPE_DEFAULT,
);
watchdog('ldap_auth_og', 'og_group1', $watchdog_tokens, WATCHDOG_DEBUG);
$user_entity = og_group($gid, $values);
watchdog('ldap_auth_og', 'og_role_grant1', $watchdog_tokens, WATCHDOG_DEBUG);
og_role_grant($gid, $user->uid, $rid);
}
if ($this->detailedWatchdogLog) {
watchdog('ldap_auth_og', 'LdapAuthorizationConsumerOG.grantSingleAuthorization()
<hr />granted: group_type=%group_type gid=%gid, rid=%rid for username=%username', $watchdog_tokens, WATCHDOG_DEBUG);
}
return TRUE;
}
public function usersAuthorizations(&$user) {
$authorizations = array();
if ($this->ogVersion == 1) {
$groups = og_load_multiple(og_get_all_group());
$authorizations = array();
if (is_object($user) && is_array($groups)) {
foreach ($groups as $gid => $discard) {
$roles = og_get_user_roles($gid, $user->uid);
foreach ($roles as $rid => $discard) {
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid);
}
}
}
}
else {
$user_entities = entity_load('user', array(
$user->uid,
));
$memberships = og_get_entity_groups('user', $user_entities[$user->uid]);
foreach ($memberships as $entity_type => $entity_memberships) {
foreach ($entity_memberships as $og_membership_id => $gid) {
$roles = og_get_user_roles($entity_type, $gid, $user->uid);
foreach ($roles as $rid => $discard) {
$authorizations[] = ldap_authorization_og_authorization_id($gid, $rid, $entity_type);
}
}
}
}
return $authorizations;
}
public function convertToFriendlyAuthorizationIds($authorizations) {
$authorization_ids_friendly = array();
$this
->refreshConsumerIDs();
foreach ($authorizations as $i => $authorization_id) {
if ($this->ogVersion == 1) {
list($gid, $rid) = explode('-', $authorization_id);
$authorization_ids_friendly[] = 'Group: ' . $this->ogs[$gid]->label . ', Role: ' . $this->ogRoles[$rid] . " ({$authorization_id}) ";
}
else {
list($entity_type, $gid, $rid) = explode(':', $authorization_id);
$authorization_ids_friendly[] = 'Group: ' . $this->ogs[$entity_type][$gid]['name'] . ', Role: ' . $this->ogs[$entity_type][$gid]['roles'][$rid] . " ({$authorization_id}) ";
}
}
return $authorization_ids_friendly;
}
public function validateAuthorizationMappingTarget($map_to, $form_values = NULL, $clear_cache = FALSE) {
$has_form_values = is_array($form_values);
$message_type = NULL;
$message_text = NULL;
$tokens = array(
'!map_to' => $map_to,
);
$available_authorization_ids = $this
->availableConsumerIDs($clear_cache);
$pass = FALSE;
if ($this->ogVersion == 1) {
$normalized = $this
->normalizeMappings(array(
array(
'placeholder',
$map_to,
),
));
if (is_array($normalized) && isset($normalized[0][1]) && $normalized[0][1] !== FALSE) {
list($gid, $rid) = explode('-', $normalized[0][1]);
$pass = in_array($normalized[0][1], $available_authorization_ids);
}
}
else {
$normalized = TRUE;
$parts = explode(':', $map_to);
if (count($parts) == 3) {
list($entity_type, $entity_id, $rid) = $parts;
$pass = isset($this->ogs[$entity_type][$entity_id]['roles'][$rid]);
}
}
if (!$pass) {
$message_text = '<code>"' . t('!map_to', $tokens) . '"</code> ' . t('does not map to any existing organic groups and roles. ');
if ($has_form_values) {
$create_consumers = isset($form_values['synchronization_actions']['create_consumers']) && $form_values['synchronization_actions']['create_consumers'];
}
else {
$create_consumers = $this->consumerConf->create_consumers;
}
if ($normalized === FALSE) {
$message_type = 'error';
$message_text .= t('Can not normalize mappings. Please check the syntax in Mapping of LDAP to OG Group', $tokens);
}
elseif ($create_consumers && $this->allowConsumerObjectCreation) {
$message_type = 'warning';
$message_text .= t('It will be created when needed. If "!map_to" is not intentional, please fix it', $tokens);
}
elseif (!$this->allowConsumerObjectCreation) {
$message_type = 'error';
$message_text .= t('Since automatic organic group creation is not possible with this module, an existing group must be mapped to.');
}
elseif (!$create_consumers) {
$message_type = 'error';
$message_text .= t('Since automatic organic group creation is disabled, an existing group must be mapped to. Either enable organic group creation or map to an existing group.');
}
}
return array(
$message_type,
$message_text,
);
}
public function mappingExamples($tokens) {
if ($this->ogVersion == 1) {
$groups = og_get_all_group();
$ogEntities = og_load_multiple($groups);
$OGroles = og_roles(0);
$rows = array();
foreach ($ogEntities as $group) {
foreach ($OGroles as $rid => $role) {
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|gid=" . $group->gid . ',rid=' . $rid . '</code><br/>' . '<code>ou=IT,dc=myorg,dc=mytld,dc=edu|group-name=' . $group->label . ',role-name=' . $role . '</code>';
$rows[] = array(
$group->label,
$group->gid,
$role,
$example,
);
}
}
$variables = array(
'header' => array(
'Group Name',
'OG Group ID',
'OG Membership Type',
'example',
),
'rows' => $rows,
'attributes' => array(),
);
}
else {
$rows = array();
foreach ($this->ogs as $entity_type => $entities) {
foreach ($entities as $entity_id => $entity) {
foreach ($entity['roles'] as $rid => $role) {
$group_role_identifier = ldap_authorization_og_authorization_id($entity_id, $rid, $entity_type);
$example = "<code>ou=IT,dc=myorg,dc=mytld,dc=edu|{$group_role_identifier}</code>";
$rows[] = array(
$entity['name'] . ' - ' . $role,
$example,
);
}
}
}
$variables = array(
'header' => array(
'Group Name - OG Membership Type',
'example',
),
'rows' => $rows,
'attributes' => array(),
);
}
$table = theme('table', $variables);
$link = l('admin/config/people/ldap/authorization/test/og_group', 'admin/config/people/ldap/authorization/test/og_group');
$examples = <<<EOT
<br/>
Examples for some (or all) existing OG Group IDs can be found in the table below.
This is complex. To test what is going to happen, uncheck "When a user logs on" in IV.B.
and use {<span class="php-variable">$link</span>} to see what memberships sample users would receive.
{<span class="php-variable">$table</span>}
EOT;
$examples = t($examples, $tokens);
return $examples;
}
}