ILIAS  release_10 Revision v10.1-43-ga1241a92c2f
class.ilLDAPRoleAssignmentRule.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
25 class ilLDAPRoleAssignmentRule
26 {
27  public const TYPE_GROUP = 1;
28  public const TYPE_ATTRIBUTE = 2;
29  public const TYPE_PLUGIN = 3;
30 
31  private static array $instances = [];
32 
33  private ilLogger $logger;
34  private ilDBInterface $db;
35  private ilErrorHandling $ilErr;
36  private ilLanguage $lng;
37 
38  private int $rule_id;
39 
40  private int $server_id = 0;
41  private bool $add_on_update = false;
42  private bool $remove_on_update = false;
43  private int $plugin_id = 0;
44  private string $attribute_value = '';
45  private string $attribute_name = '';
46  private bool $member_is_dn = false;
47  private string $member_attribute = '';
48  private string $dn = '';
49  private int $type = 0;
50  private int $role_id = 0;
51 
52  private function __construct(int $a_rule_id = 0)
53  {
54  global $DIC;
55  $this->db = $DIC->database();
56  $this->logger = $DIC->logger()->auth();
57  $this->ilErr = $DIC['ilErr'];
58  $this->lng = $DIC->language();
59 
60  $this->rule_id = $a_rule_id;
61  $this->read();
62  }
63 
64  public static function _getInstanceByRuleId(int $a_rule_id): ilLDAPRoleAssignmentRule
65  {
66  return self::$instances[$a_rule_id] ?? (self::$instances[$a_rule_id] = new ilLDAPRoleAssignmentRule($a_rule_id));
67  }
68 
72  public static function hasRulesForUpdate(): bool
73  {
74  global $DIC;
75 
76  $ilDB = $DIC['ilDB'];
77 
78  $query = 'SELECT COUNT(*) num FROM ldap_role_assignments ' .
79  'WHERE add_on_update = 1 ' .
80  'OR remove_on_update = 1 ';
81  $res = $ilDB->query($query);
82  $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
83 
84  return $row->num > 0;
85  }
86 
90  public function matches(array $a_user_data): bool
91  {
92  switch ($this->getType()) {
93  case self::TYPE_PLUGIN:
94  return ilLDAPRoleAssignmentRules::callPlugin($this->getPluginId(), $a_user_data);
95 
96  case self::TYPE_ATTRIBUTE:
97 
98  $attn = strtolower($this->getAttributeName());
99 
100  if (!isset($a_user_data[$attn])) {
101  return false;
102  }
103 
104  if (!is_array($a_user_data[$attn])) {
105  $attribute_val = array(0 => $a_user_data[$attn]);
106  } else {
107  $attribute_val = $a_user_data[$attn];
108  }
109 
110  foreach ($attribute_val as $value) {
111  if ($this->wildcardCompare(trim($this->getAttributeValue()), trim($value))) {
112  $this->logger->debug(': Found role mapping: ' . ilObject::_lookupTitle($this->getRoleId()));
113  return true;
114  }
115  }
116  return false;
117 
118  case self::TYPE_GROUP:
119  return $this->isGroupMember($a_user_data);
120  }
121 
122  return false;
123  }
124 
125  protected function wildcardCompare(string $a_str1, string $a_str2): bool
126  {
127  $pattern = str_replace('*', '.*?', $a_str1);
128 
129  foreach (ilAuthUtils::REGEX_DELIMITERS as $delimiter) {
130  $this->logger->debug('Trying pattern to match attribute value:' . $pattern . ' => ' . $a_str2);
131 
132  set_error_handler(static function (int $severity, string $message, string $file, int $line): never {
133  throw new ErrorException($message, $severity, $severity, $file, $line);
134  });
135 
136  try {
137  return preg_match($delimiter . "^" . $pattern . '$' . $delimiter . 'i', $a_str2) === 1;
138  } catch (Exception $ex) {
139  $this->logger->warning('Error occurred in preg_match Ex.: ' . $ex->getMessage());
140  } finally {
141  restore_error_handler();
142  }
143  }
144 
145  return false;
146  }
147 
148 
155  private function isGroupMember(array $a_user_data): bool
156  {
157  $server = ilLDAPServer::getInstanceByServerId($this->getServerId());
158 
159  if ($this->isMemberAttributeDN()) {
160  if ($server->enabledEscapeDN()) {
161  $user_cmp = ldap_escape($a_user_data['dn'], "", LDAP_ESCAPE_FILTER);
162  } else {
163  $user_cmp = $a_user_data['dn'];
164  }
165  } else {
166  $user_cmp = $a_user_data['ilExternalAccount'];
167  }
168 
169  try {
170  $query = new ilLDAPQuery($server);
171  $query->bind();
172  $res = $query->query(
173  $this->getDN(),
174  sprintf(
175  '(%s=%s)',
176  $this->getMemberAttribute(),
177  $user_cmp
178  ),
179  ilLDAPServer::LDAP_SCOPE_BASE,
180  array('dn')
181  );
182  return (bool) $res->numRows();
183  } catch (ilLDAPQueryException $e) {
184  $this->logger->warning(': Caught Exception: ' . $e->getMessage());
185  return false;
186  }
187  }
188 
189 
190 
196  public static function _getRules($a_server_id): array
197  {
198  global $DIC;
199  $ilDB = $DIC->database();
200 
201  $rules = [];
202 
203  $query = "SELECT rule_id FROM ldap_role_assignments " .
204  "WHERE server_id = " . $ilDB->quote($a_server_id, 'integer');
205  $res = $ilDB->query($query);
206  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
207  $rules[] = self::_getInstanceByRuleId((int) $row->rule_id);
208  }
209 
210  return $rules;
211  }
212 
218  public function setRoleId(int $a_role_id): void
219  {
220  $this->role_id = $a_role_id;
221  }
222 
226  public function getRoleId(): int
227  {
228  return $this->role_id;
229  }
230 
234  public function getRuleId(): int
235  {
236  return $this->rule_id;
237  }
238 
242  public function setServerId(int $a_id): void
243  {
244  $this->server_id = $a_id;
245  }
246 
250  public function getServerId(): int
251  {
252  return $this->server_id;
253  }
254 
258  public function setType(int $a_type): void
259  {
260  $this->type = $a_type;
261  }
262 
266  public function getType(): int
267  {
268  return $this->type;
269  }
270 
274  public function setDN(string $a_dn): void
275  {
276  $this->dn = $a_dn;
277  }
278 
282  public function getDN(): string
283  {
284  return $this->dn;
285  }
286 
287  public function setMemberAttribute(string $a_attribute): void
288  {
289  $this->member_attribute = $a_attribute;
290  }
291 
295  public function getMemberAttribute(): string
296  {
297  return $this->member_attribute;
298  }
299 
303  public function setMemberIsDN(bool $a_status): void
304  {
305  $this->member_is_dn = $a_status;
306  }
307 
311  public function isMemberAttributeDN(): bool
312  {
313  return $this->member_is_dn;
314  }
315 
319  public function setAttributeName(string $a_name): void
320  {
321  $this->attribute_name = $a_name;
322  }
323 
327  public function getAttributeName(): string
328  {
329  return $this->attribute_name;
330  }
331 
335  public function setAttributeValue(string $a_value): void
336  {
337  $this->attribute_value = $a_value;
338  }
339 
343  public function getAttributeValue(): string
344  {
345  return $this->attribute_value;
346  }
347 
348  public function enableAddOnUpdate(bool $a_status): void
349  {
350  $this->add_on_update = $a_status;
351  }
352 
353  public function isAddOnUpdateEnabled(): bool
354  {
355  return $this->add_on_update;
356  }
357 
358  public function enableRemoveOnUpdate(bool $a_status): void
359  {
360  $this->remove_on_update = $a_status;
361  }
362 
363  public function isRemoveOnUpdateEnabled(): bool
364  {
365  return $this->remove_on_update;
366  }
367 
368  public function setPluginId(int $a_id): void
369  {
370  $this->plugin_id = $a_id;
371  }
372 
373  public function getPluginId(): int
374  {
375  return $this->plugin_id;
376  }
377 
378  public function isPluginActive(): bool
379  {
380  return $this->getType() === self::TYPE_PLUGIN;
381  }
382 
383  public function conditionToString(): string
384  {
385  switch ($this->getType()) {
386  case self::TYPE_PLUGIN:
387  return $this->lng->txt('ldap_plugin_id') . ': ' . $this->getPluginId();
388 
389  case self::TYPE_GROUP:
390  $dn_arr = explode(',', $this->getDN());
391  return $dn_arr[0];
392 
393  case self::TYPE_ATTRIBUTE:
394  return $this->getAttributeName() . '=' . $this->getAttributeValue();
395 
396  default:
397  throw new RuntimeException(sprintf('Unknown type: %s', var_export($this->getType(), true)));
398  }
399  }
400 
401  public function create(): bool
402  {
403  $next_id = $this->db->nextId('ldap_role_assignments');
404 
405  $query = "INSERT INTO ldap_role_assignments (server_id,rule_id,type,dn,attribute,isdn,att_name,att_value,role_id, " .
406  "add_on_update, remove_on_update, plugin_id ) " .
407  "VALUES( " .
408  $this->db->quote($this->getServerId(), 'integer') . ", " .
409  $this->db->quote($next_id, 'integer') . ", " .
410  $this->db->quote($this->getType(), 'integer') . ", " .
411  $this->db->quote($this->getDN(), 'text') . ", " .
412  $this->db->quote($this->getMemberAttribute(), 'text') . ", " .
413  $this->db->quote($this->isMemberAttributeDN(), 'integer') . ", " .
414  $this->db->quote($this->getAttributeName(), 'text') . ", " .
415  $this->db->quote($this->getAttributeValue(), 'text') . ", " .
416  $this->db->quote($this->getRoleId(), 'integer') . ", " .
417  $this->db->quote($this->isAddOnUpdateEnabled(), 'integer') . ', ' .
418  $this->db->quote($this->isRemoveOnUpdateEnabled(), 'integer') . ', ' .
419  $this->db->quote($this->getPluginId(), 'integer') . ' ' .
420  ")";
421  $this->db->manipulate($query);
422  $this->rule_id = $next_id;
423 
424  return true;
425  }
426 
427  public function update(): bool
428  {
429  $query = "UPDATE ldap_role_assignments " .
430  "SET server_id = " . $this->db->quote($this->getServerId(), 'integer') . ", " .
431  "type = " . $this->db->quote($this->getType(), 'integer') . ", " .
432  "dn = " . $this->db->quote($this->getDN(), 'text') . ", " .
433  "attribute = " . $this->db->quote($this->getMemberAttribute(), 'text') . ", " .
434  "isdn = " . $this->db->quote($this->isMemberAttributeDN(), 'integer') . ", " .
435  "att_name = " . $this->db->quote($this->getAttributeName(), 'text') . ", " .
436  "att_value = " . $this->db->quote($this->getAttributeValue(), 'text') . ", " .
437  "role_id = " . $this->db->quote($this->getRoleId(), 'integer') . ", " .
438  "add_on_update = " . $this->db->quote($this->isAddOnUpdateEnabled(), 'integer') . ', ' .
439  'remove_on_update = ' . $this->db->quote($this->isRemoveOnUpdateEnabled(), 'integer') . ', ' .
440  'plugin_id = ' . $this->db->quote($this->getPluginId(), 'integer') . ' ' .
441  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
442  $this->db->manipulate($query);
443 
444  return true;
445  }
446 
447  public function validate(): bool
448  {
449  $this->ilErr->setMessage('');
450 
451  if (!$this->getRoleId()) {
452  $this->ilErr->setMessage('fill_out_all_required_fields');
453  return false;
454  }
455  switch ($this->getType()) {
456  case self::TYPE_GROUP:
457  if ($this->getDN() === '' || $this->getMemberAttribute() === '') {
458  $this->ilErr->setMessage('fill_out_all_required_fields');
459  return false;
460  }
461  break;
462  case self::TYPE_ATTRIBUTE:
463  if ($this->getAttributeName() === '' || $this->getAttributeValue() === '') {
464  $this->ilErr->setMessage('fill_out_all_required_fields');
465  return false;
466  }
467  break;
468 
469  case self::TYPE_PLUGIN:
470  if (!$this->getPluginId()) {
471  $this->ilErr->setMessage('ldap_err_missing_plugin_id');
472  return false;
473  }
474  break;
475 
476  default:
477  $this->ilErr->setMessage('ldap_no_type_given');
478  return false;
479  }
480 
481  return true;
482  }
483 
484  public function delete(): bool
485  {
486  $query = "DELETE FROM ldap_role_assignments " .
487  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
488  $this->db->manipulate($query);
489 
490  return true;
491  }
492 
493  private function read(): void
494  {
495  $query = "SELECT * FROM ldap_role_assignments " .
496  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
497 
498  $res = $this->db->query($query);
499  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
500  $this->setServerId((int) $row->server_id);
501  $this->setType((int) $row->type);
502  if (!is_null($row->dn)) {
503  $this->setDN($row->dn);
504  }
505  if (!is_null($row->attribute)) {
506  $this->setMemberAttribute($row->attribute);
507  }
508  $this->setMemberIsDN((bool) $row->isdn);
509  if (!is_null($row->att_name)) {
510  $this->setAttributeName($row->att_name);
511  }
512  if (!is_null($row->att_value)) {
513  $this->setAttributeValue($row->att_value);
514  }
515  $this->setRoleId((int) $row->role_id);
516  if (!is_null($row->add_on_update)) {
517  $this->enableAddOnUpdate((bool) $row->add_on_update);
518  }
519  if (!is_null($row->remove_on_update)) {
520  $this->enableRemoveOnUpdate((bool) $row->remove_on_update);
521  }
522  if (!is_null($row->plugin_id)) {
523  $this->setPluginId((int) $row->plugin_id);
524  }
525  }
526  }
527 }
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:72
$res
$res
Definition: ltiservices.php:69
ilLDAPRoleAssignmentRule\matches
matches(array $a_user_data)
Check if a rule matches.
Definition: class.ilLDAPRoleAssignmentRule.php:90
ilLDAPRoleAssignmentRule\setAttributeName
setAttributeName(string $a_name)
set attribute name
Definition: class.ilLDAPRoleAssignmentRule.php:319
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilLDAPRoleAssignmentRule\isMemberAttributeDN
isMemberAttributeDN()
is member attribute dn
Definition: class.ilLDAPRoleAssignmentRule.php:311
ilLDAPRoleAssignmentRule\isGroupMember
isGroupMember(array $a_user_data)
Check if user is member of specific group.
Definition: class.ilLDAPRoleAssignmentRule.php:155
ilLDAPRoleAssignmentRule\_getRules
static _getRules($a_server_id)
Get all rules.
Definition: class.ilLDAPRoleAssignmentRule.php:196
ilLDAPRoleAssignmentRule\setAttributeValue
setAttributeValue(string $a_value)
set attribute value
Definition: class.ilLDAPRoleAssignmentRule.php:335
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:831
$DIC
global $DIC
Definition: shib_login.php:25
ilLDAPRoleAssignmentRule\setRoleId
setRoleId(int $a_role_id)
set role id
Definition: class.ilLDAPRoleAssignmentRule.php:218
ilLDAPRoleAssignmentRule\_getInstanceByRuleId
static _getInstanceByRuleId(int $a_rule_id)
Definition: class.ilLDAPRoleAssignmentRule.php:64
ilLDAPRoleAssignmentRule\setMemberIsDN
setMemberIsDN(bool $a_status)
set member attribute is dn
Definition: class.ilLDAPRoleAssignmentRule.php:303
ilLDAPRoleAssignmentRule\wildcardCompare
wildcardCompare(string $a_str1, string $a_str2)
Definition: class.ilLDAPRoleAssignmentRule.php:125
$server
$server
Definition: shib_login.php:27
ilLDAPRoleAssignmentRules\callPlugin
static callPlugin(int $a_plugin_id, array $a_user_data)
Call plugin check if the condition matches.
Definition: class.ilLDAPRoleAssignmentRules.php:183