class.ilLDAPUserSynchronisation.php

Go to the documentation of this file.

<?php
/* Copyright (c) 1998-2009 ILIAS open source, Extended GPL, see docs/LICENSE */

include_once './Services/LDAP/classes/class.ilLDAPServer.php';
include_once './Services/LDAP/exceptions/class.ilLDAPSynchronisationForbiddenException.php';
include_once './Services/LDAP/exceptions/class.ilLDAPAccountMigrationRequiredException.php';

class ilLDAPUserSynchronisation
{
    private $authmode = 0;

    private $server = null;

    private $extaccount = '';
    private $intaccount = '';

    private $user_data = array();
    
    private $force_creation = false;
    private $force_read_ldap_data = false;

    private $logger;


    public function __construct($a_authmode, $a_server_id)
    {
        global $DIC;

        $this->logger = $DIC->logger()->auth();
        $this->initServer($a_authmode, $a_server_id);
    }

    public function getServer()
    {
        return $this->server;
    }

    public function getAuthMode()
    {
        return $this->authmode;
    }

    public function setExternalAccount($a_ext)
    {
        $this->extaccount = $a_ext;
    }

    public function getExternalAccount()
    {
        return $this->extaccount;
    }

    public function getInternalAccount()
    {
        return $this->intaccount;
    }
    
    public function forceCreation($a_force)
    {
        $this->force_creation = $a_force;
    }
    
    public function forceReadLdapData($a_status)
    {
        $this->force_read_ldap_data = $a_status;
    }

    public function isCreationForced()
    {
        return (bool) $this->force_creation;
    }

    public function getUserData()
    {
        return (array) $this->user_data;
    }

    public function setUserData($a_data)
    {
        $this->user_data = (array) $a_data;
    }

    public function sync()
    {
        $this->readInternalAccount();
        
        if (!$this->getInternalAccount()) {
            ilLoggerFactory::getLogger('auth')->debug('Creating new account');
            $this->handleCreation();
        }

        // Nothing to do if sync on login is disabled
        if (!$this->getServer()->enabledSyncOnLogin()) {
            return $this->getInternalAccount();
        }

        // For performance reasons, check if (an update is required)
        if ($this->isUpdateRequired()) {
            ilLoggerFactory::getLogger('auth')->debug('Perform update of user data');
            $this->readUserData();
            $this->performUpdate();
        }
        return $this->getInternalAccount();
    }

    protected function handleCreation()
    {
        // Disabled sync on login
        if (!$this->getServer()->enabledSyncOnLogin()) {
            throw new ilLDAPSynchronisationForbiddenException('User synchronisation forbidden.');
        }
        // Account migration
        if ($this->getServer()->isAccountMigrationEnabled() and !$this->isCreationForced()) {
            $this->readUserData();
            throw new ilLDAPAccountMigrationRequiredException('Account migration check required.');
        }
    }

    protected function performUpdate()
    {
        include_once './Services/User/classes/class.ilUserCreationContext.php';
        ilUserCreationContext::getInstance()->addContext(ilUserCreationContext::CONTEXT_LDAP);

        include_once 'Services/LDAP/classes/class.ilLDAPAttributeToUser.php';
        $update = new ilLDAPAttributeToUser($this->getServer());
        if ($this->isCreationForced()) {
            $update->addMode(ilLDAPAttributeToUser::MODE_INITIALIZE_ROLES);
        }
        $update->setNewUserAuthMode($this->getAuthMode());
        $update->setUserData(
            array(
                $this->getExternalAccount() => $this->getUserData()
            )
        );

        $update->refresh();

        // User has been created, now read internal account again
        $this->readInternalAccount();
        return true;
    }

    protected function readUserData() : bool
    {
        // Add internal account to user data
        $this->user_data['ilInternalAccount'] = $this->getInternalAccount();
        if (!$this->force_read_ldap_data && strpos($this->getAuthMode(), 'ldap') === 0) {
            return true;
        }

        try {
            $query = new ilLDAPQuery($this->getServer());
            $query->bind(ilLDAPQuery::LDAP_BIND_DEFAULT);
            $user = $query->fetchUser($this->getExternalAccount());
            $this->logger->dump($user, ilLogLevel::DEBUG);
            $this->user_data = (array) $user[strtolower($this->getExternalAccount())];
        } catch (ilLDAPQueryException $e) {
            $this->logger->error('LDAP bind failed with message: ' . $e->getMessage());
            throw new ilLDAPSynchronisationFailedException($e->getMessage());
        }

        return true;
    }


    protected function readInternalAccount()
    {
        if (!$this->getExternalAccount()) {
            throw new UnexpectedValueException('No external account given.');
        }
        $this->intaccount = ilObjUser::_checkExternalAuthAccount(
            $this->getAuthMode(),
            $this->getExternalAccount()
        );
    }

    protected function isUpdateRequired()
    {
        if ($this->isCreationForced()) {
            return true;
        }
        if (!$this->getInternalAccount()) {
            return true;
        }

        // Check attribute mapping on login
        include_once './Services/LDAP/classes/class.ilLDAPAttributeMapping.php';
        if (ilLDAPAttributeMapping::hasRulesForUpdate($this->getServer()->getServerId())) {
            return true;
        }

        // Check if there is any change in role assignments
        include_once './Services/LDAP/classes/class.ilLDAPRoleAssignmentRule.php';
        if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
            return true;
        }
        return false;
    }


    protected function initServer($a_auth_mode, $a_server_id)
    {
        $this->authmode = $a_auth_mode;
        $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
    }
}