ILIAS  release_8 Revision v8.19
All Data Structures Namespaces Files Functions Variables Modules Pages
class.ilLDAPRoleAssignmentRule.php
Go to the documentation of this file.
1 <?php
2 
19 declare(strict_types=1);
20 
25 class ilLDAPRoleAssignmentRule
26 {
27  public const TYPE_GROUP = 1;
28  public const TYPE_ATTRIBUTE = 2;
29  public const TYPE_PLUGIN = 3;
30 
31  private static array $instances = [];
32 
33  private ilLogger $logger;
34  private ilDBInterface $db;
35  private ilErrorHandling $ilErr;
36  private ilLanguage $lng;
37 
38  private int $rule_id;
39 
40  private int $server_id = 0;
41  private bool$add_on_update = false;
42  private bool$remove_on_update = false;
43  private int $plugin_id = 0;
44  private string $attribute_value = '';
45  private string $attribute_name = '';
46  private bool $member_is_dn = false;
47  private string $member_attribute = '';
48  private string $dn = '';
49  private int $type = 0;
50  private int $role_id = 0;
51 
52  private function __construct(int $a_rule_id = 0)
53  {
54  global $DIC;
55  $this->db = $DIC->database();
56  $this->logger = $DIC->logger()->auth();
57  $this->ilErr = $DIC['ilErr'];
58  $this->lng = $DIC->language();
59 
60  $this->rule_id = $a_rule_id;
61  $this->read();
62  }
63 
64  public static function _getInstanceByRuleId(int $a_rule_id): ilLDAPRoleAssignmentRule
65  {
66  return self::$instances[$a_rule_id] ?? (self::$instances[$a_rule_id] = new ilLDAPRoleAssignmentRule($a_rule_id));
67  }
68 
72  public static function hasRulesForUpdate(): bool
73  {
74  global $DIC;
75 
76  $ilDB = $DIC['ilDB'];
77 
78  $query = 'SELECT COUNT(*) num FROM ldap_role_assignments ' .
79  'WHERE add_on_update = 1 ' .
80  'OR remove_on_update = 1 ';
81  $res = $ilDB->query($query);
82  $row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT);
83 
84  return $row->num > 0;
85  }
86 
90  public function matches(array $a_user_data): bool
91  {
92  switch ($this->getType()) {
93  case self::TYPE_PLUGIN:
94  return ilLDAPRoleAssignmentRules::callPlugin($this->getPluginId(), $a_user_data);
95 
96  case self::TYPE_ATTRIBUTE:
97 
98  $attn = strtolower($this->getAttributeName());
99 
100  if (!isset($a_user_data[$attn])) {
101  return false;
102  }
103 
104  if (!is_array($a_user_data[$attn])) {
105  $attribute_val = array(0 => $a_user_data[$attn]);
106  } else {
107  $attribute_val = $a_user_data[$attn];
108  }
109 
110  foreach ($attribute_val as $value) {
111  if ($this->wildcardCompare(trim($this->getAttributeValue()), trim($value))) {
112  $this->logger->debug(': Found role mapping: ' . ilObject::_lookupTitle($this->getRoleId()));
113  return true;
114  }
115  }
116  return false;
117 
118  case self::TYPE_GROUP:
119  return $this->isGroupMember($a_user_data);
120 
121  }
122 
123  return false;
124  }
125 
126  protected function wildcardCompare(string $a_str1, string $a_str2): bool
127  {
128  $pattern = str_replace('*', '.*?', $a_str1);
129  $this->logger->debug(': Replace pattern:' . $pattern . ' => ' . $a_str2);
130  return preg_match('/^' . $pattern . '$/i', $a_str2) === 1;
131  }
132 
139  private function isGroupMember(array $a_user_data): bool
140  {
141  $server = ilLDAPServer::getInstanceByServerId($this->getServerId());
142 
143  if ($this->isMemberAttributeDN()) {
144  if ($server->enabledEscapeDN()) {
145  $user_cmp = ldap_escape($a_user_data['dn'], "", LDAP_ESCAPE_FILTER);
146  } else {
147  $user_cmp = $a_user_data['dn'];
148  }
149  } else {
150  $user_cmp = $a_user_data['ilExternalAccount'];
151  }
152 
153  try {
154  $query = new ilLDAPQuery($server);
155  $query->bind();
156  $res = $query->query(
157  $this->getDN(),
158  sprintf(
159  '(%s=%s)',
160  $this->getMemberAttribute(),
161  $user_cmp
162  ),
163  ilLDAPServer::LDAP_SCOPE_BASE,
164  array('dn')
165  );
166  return (bool) $res->numRows();
167  } catch (ilLDAPQueryException $e) {
168  $this->logger->warning(': Caught Exception: ' . $e->getMessage());
169  return false;
170  }
171  }
172 
173 
174 
180  public static function _getRules($a_server_id): array
181  {
182  global $DIC;
183  $ilDB = $DIC->database();
184 
185  $rules = [];
186 
187  $query = "SELECT rule_id FROM ldap_role_assignments " .
188  "WHERE server_id = " . $ilDB->quote($a_server_id, 'integer');
189  $res = $ilDB->query($query);
190  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
191  $rules[] = self::_getInstanceByRuleId((int) $row->rule_id);
192  }
193 
194  return $rules;
195  }
196 
202  public function setRoleId(int $a_role_id): void
203  {
204  $this->role_id = $a_role_id;
205  }
206 
210  public function getRoleId(): int
211  {
212  return $this->role_id;
213  }
214 
218  public function getRuleId(): int
219  {
220  return $this->rule_id;
221  }
222 
226  public function setServerId(int $a_id): void
227  {
228  $this->server_id = $a_id;
229  }
230 
234  public function getServerId(): int
235  {
236  return $this->server_id;
237  }
238 
242  public function setType(int $a_type): void
243  {
244  $this->type = $a_type;
245  }
246 
250  public function getType(): int
251  {
252  return $this->type;
253  }
254 
258  public function setDN(string $a_dn): void
259  {
260  $this->dn = $a_dn;
261  }
262 
266  public function getDN(): string
267  {
268  return $this->dn;
269  }
270 
271  public function setMemberAttribute(string $a_attribute): void
272  {
273  $this->member_attribute = $a_attribute;
274  }
275 
279  public function getMemberAttribute(): string
280  {
281  return $this->member_attribute;
282  }
283 
287  public function setMemberIsDN(bool $a_status): void
288  {
289  $this->member_is_dn = $a_status;
290  }
291 
295  public function isMemberAttributeDN(): bool
296  {
297  return $this->member_is_dn;
298  }
299 
303  public function setAttributeName(string $a_name): void
304  {
305  $this->attribute_name = $a_name;
306  }
307 
311  public function getAttributeName(): string
312  {
313  return $this->attribute_name;
314  }
315 
319  public function setAttributeValue(string $a_value): void
320  {
321  $this->attribute_value = $a_value;
322  }
323 
327  public function getAttributeValue(): string
328  {
329  return $this->attribute_value;
330  }
331 
332  public function enableAddOnUpdate(bool $a_status): void
333  {
334  $this->add_on_update = $a_status;
335  }
336 
337  public function isAddOnUpdateEnabled(): bool
338  {
339  return $this->add_on_update;
340  }
341 
342  public function enableRemoveOnUpdate(bool $a_status): void
343  {
344  $this->remove_on_update = $a_status;
345  }
346 
347  public function isRemoveOnUpdateEnabled(): bool
348  {
349  return $this->remove_on_update;
350  }
351 
352  public function setPluginId(int $a_id): void
353  {
354  $this->plugin_id = $a_id;
355  }
356 
357  public function getPluginId(): int
358  {
359  return $this->plugin_id;
360  }
361 
362  public function isPluginActive(): bool
363  {
364  return $this->getType() === self::TYPE_PLUGIN;
365  }
366 
367  public function conditionToString(): string
368  {
369  switch ($this->getType()) {
370  case self::TYPE_PLUGIN:
371  return $this->lng->txt('ldap_plugin_id') . ': ' . $this->getPluginId();
372 
373  case self::TYPE_GROUP:
374  $dn_arr = explode(',', $this->getDN());
375  return $dn_arr[0];
376 
377  case self::TYPE_ATTRIBUTE:
378  return $this->getAttributeName() . '=' . $this->getAttributeValue();
379 
380  default:
381  throw new RuntimeException(sprintf('Unknown type: %s', var_export($this->getType(), true)));
382  }
383  }
384 
385  public function create(): bool
386  {
387  $next_id = $this->db->nextId('ldap_role_assignments');
388 
389  $query = "INSERT INTO ldap_role_assignments (server_id,rule_id,type,dn,attribute,isdn,att_name,att_value,role_id, " .
390  "add_on_update, remove_on_update, plugin_id ) " .
391  "VALUES( " .
392  $this->db->quote($this->getServerId(), 'integer') . ", " .
393  $this->db->quote($next_id, 'integer') . ", " .
394  $this->db->quote($this->getType(), 'integer') . ", " .
395  $this->db->quote($this->getDN(), 'text') . ", " .
396  $this->db->quote($this->getMemberAttribute(), 'text') . ", " .
397  $this->db->quote($this->isMemberAttributeDN(), 'integer') . ", " .
398  $this->db->quote($this->getAttributeName(), 'text') . ", " .
399  $this->db->quote($this->getAttributeValue(), 'text') . ", " .
400  $this->db->quote($this->getRoleId(), 'integer') . ", " .
401  $this->db->quote($this->isAddOnUpdateEnabled(), 'integer') . ', ' .
402  $this->db->quote($this->isRemoveOnUpdateEnabled(), 'integer') . ', ' .
403  $this->db->quote($this->getPluginId(), 'integer') . ' ' .
404  ")";
405  $this->db->manipulate($query);
406  $this->rule_id = $next_id;
407 
408  return true;
409  }
410 
411  public function update(): bool
412  {
413  $query = "UPDATE ldap_role_assignments " .
414  "SET server_id = " . $this->db->quote($this->getServerId(), 'integer') . ", " .
415  "type = " . $this->db->quote($this->getType(), 'integer') . ", " .
416  "dn = " . $this->db->quote($this->getDN(), 'text') . ", " .
417  "attribute = " . $this->db->quote($this->getMemberAttribute(), 'text') . ", " .
418  "isdn = " . $this->db->quote($this->isMemberAttributeDN(), 'integer') . ", " .
419  "att_name = " . $this->db->quote($this->getAttributeName(), 'text') . ", " .
420  "att_value = " . $this->db->quote($this->getAttributeValue(), 'text') . ", " .
421  "role_id = " . $this->db->quote($this->getRoleId(), 'integer') . ", " .
422  "add_on_update = " . $this->db->quote($this->isAddOnUpdateEnabled(), 'integer') . ', ' .
423  'remove_on_update = ' . $this->db->quote($this->isRemoveOnUpdateEnabled(), 'integer') . ', ' .
424  'plugin_id = ' . $this->db->quote($this->getPluginId(), 'integer') . ' ' .
425  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
426  $this->db->manipulate($query);
427 
428  return true;
429  }
430 
431  public function validate(): bool
432  {
433  $this->ilErr->setMessage('');
434 
435  if (!$this->getRoleId()) {
436  $this->ilErr->setMessage('fill_out_all_required_fields');
437  return false;
438  }
439  switch ($this->getType()) {
440  case self::TYPE_GROUP:
441  if ($this->getDN() === '' || $this->getMemberAttribute() === '') {
442  $this->ilErr->setMessage('fill_out_all_required_fields');
443  return false;
444  }
445  break;
446  case self::TYPE_ATTRIBUTE:
447  if ($this->getAttributeName() === '' || $this->getAttributeValue() === '') {
448  $this->ilErr->setMessage('fill_out_all_required_fields');
449  return false;
450  }
451  break;
452 
453  case self::TYPE_PLUGIN:
454  if (!$this->getPluginId()) {
455  $this->ilErr->setMessage('ldap_err_missing_plugin_id');
456  return false;
457  }
458  break;
459 
460  default:
461  $this->ilErr->setMessage('ldap_no_type_given');
462  return false;
463  }
464 
465  return true;
466  }
467 
468  public function delete(): bool
469  {
470  $query = "DELETE FROM ldap_role_assignments " .
471  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
472  $this->db->manipulate($query);
473 
474  return true;
475  }
476 
477  private function read(): void
478  {
479  $query = "SELECT * FROM ldap_role_assignments " .
480  "WHERE rule_id = " . $this->db->quote($this->getRuleId(), 'integer') . " ";
481 
482  $res = $this->db->query($query);
483  while ($row = $res->fetchRow(ilDBConstants::FETCHMODE_OBJECT)) {
484  $this->setServerId((int) $row->server_id);
485  $this->setType((int) $row->type);
486  if (!is_null($row->dn)) {
487  $this->setDN($row->dn);
488  }
489  if (!is_null($row->attribute)) {
490  $this->setMemberAttribute($row->attribute);
491  }
492  $this->setMemberIsDN((bool) $row->isdn);
493  if (!is_null($row->att_name)) {
494  $this->setAttributeName($row->att_name);
495  }
496  if (!is_null($row->att_value)) {
497  $this->setAttributeValue($row->att_value);
498  }
499  $this->setRoleId((int) $row->role_id);
500  if (!is_null($row->add_on_update)) {
501  $this->enableAddOnUpdate((bool) $row->add_on_update);
502  }
503  if (!is_null($row->remove_on_update)) {
504  $this->enableRemoveOnUpdate((bool) $row->remove_on_update);
505  }
506  if (!is_null($row->plugin_id)) {
507  $this->setPluginId((int) $row->plugin_id);
508  }
509  }
510  }
511 }
ilLDAPRoleAssignmentRule\hasRulesForUpdate
static hasRulesForUpdate()
Check if there any rule for updates.
Definition: class.ilLDAPRoleAssignmentRule.php:72
$res
$res
Definition: ltiservices.php:69
ilLDAPRoleAssignmentRule\matches
matches(array $a_user_data)
Check if a rule matches.
Definition: class.ilLDAPRoleAssignmentRule.php:90
ilLDAPRoleAssignmentRule\setAttributeName
setAttributeName(string $a_name)
set attribute name
Definition: class.ilLDAPRoleAssignmentRule.php:303
ilLDAPServer\getInstanceByServerId
static getInstanceByServerId(int $a_server_id)
Get instance by server id.
Definition: class.ilLDAPServer.php:101
ilLDAPRoleAssignmentRule\isMemberAttributeDN
isMemberAttributeDN()
is member attribute dn
Definition: class.ilLDAPRoleAssignmentRule.php:295
ilLDAPRoleAssignmentRule\isGroupMember
isGroupMember(array $a_user_data)
Check if user is member of specific group.
Definition: class.ilLDAPRoleAssignmentRule.php:139
ilLDAPRoleAssignmentRule\_getRules
static _getRules($a_server_id)
Get all rules.
Definition: class.ilLDAPRoleAssignmentRule.php:180
$DIC
global $DIC
Definition: feed.php:28
ilLDAPRoleAssignmentRule\setAttributeValue
setAttributeValue(string $a_value)
set attribute value
Definition: class.ilLDAPRoleAssignmentRule.php:319
ilObject\_lookupTitle
static _lookupTitle(int $obj_id)
Definition: class.ilObject.php:837
$query
$query
Definition: proxy_ylocal.php:13
ilLDAPRoleAssignmentRule\setRoleId
setRoleId(int $a_role_id)
set role id
Definition: class.ilLDAPRoleAssignmentRule.php:202
$server
$server
Definition: dummy_client.php:22
ilLDAPRoleAssignmentRule\_getInstanceByRuleId
static _getInstanceByRuleId(int $a_rule_id)
Definition: class.ilLDAPRoleAssignmentRule.php:64
ilErrorHandling
Error Handling & global info handling uses PEAR error class.
Definition: class.ilErrorHandling.php:38
ilLDAPRoleAssignmentRule\setMemberIsDN
setMemberIsDN(bool $a_status)
set member attribute is dn
Definition: class.ilLDAPRoleAssignmentRule.php:287
ilLDAPRoleAssignmentRule\wildcardCompare
wildcardCompare(string $a_str1, string $a_str2)
Definition: class.ilLDAPRoleAssignmentRule.php:126
ilLDAPRoleAssignmentRules\callPlugin
static callPlugin(int $a_plugin_id, array $a_user_data)
Call plugin check if the condition matches.
Definition: class.ilLDAPRoleAssignmentRules.php:183