class.ilLDAPUserSynchronisation.php

Go to the documentation of this file.

<?php

declare(strict_types=1);

class ilLDAPUserSynchronisation
{
    private string $authmode;
    private ilLDAPServer $server;
    private ?string $extaccount;
    private ?string $intaccount;

    private array $user_data = array();
    private bool $force_creation = false;
    private bool $force_read_ldap_data = false;
    private ilLogger $logger;

    public function __construct(string $a_authmode, int $a_server_id)
    {
        global $DIC;

        $this->logger = $DIC->logger()->auth();
        $this->initServer($a_authmode, $a_server_id);
    }

    public function getServer(): ilLDAPServer
    {
        return $this->server;
    }

    public function getAuthMode(): string
    {
        return $this->authmode;
    }

    public function setExternalAccount(string $a_ext): void
    {
        $this->extaccount = $a_ext;
    }

    public function getExternalAccount(): ?string
    {
        return $this->extaccount;
    }

    public function getInternalAccount(): ?string
    {
        return $this->intaccount;
    }

    public function forceCreation(bool $a_force): void
    {
        $this->force_creation = $a_force;
    }

    public function forceReadLdapData(bool $a_status): void
    {
        $this->force_read_ldap_data = $a_status;
    }

    public function getUserData(): array
    {
        return $this->user_data;
    }

    public function setUserData(array $a_data): void
    {
        $this->user_data = $a_data;
    }

    public function sync(): string
    {
        $this->readInternalAccount();

        if (!$this->getInternalAccount()) {
            ilLoggerFactory::getLogger('auth')->debug('Creating new account');
            $this->handleCreation();
        }

        // Nothing to do if sync on login is disabled
        if (!$this->getServer()->enabledSyncOnLogin()) {
            return $this->getInternalAccount();
        }

        // For performance reasons, check if (an update is required)
        if ($this->isUpdateRequired()) {
            ilLoggerFactory::getLogger('auth')->debug('Perform update of user data');
            $this->readUserData();
            $this->performUpdate();
        }
        return $this->getInternalAccount();
    }

    protected function handleCreation(): void
    {
        // Disabled sync on login
        if (!$this->getServer()->enabledSyncOnLogin()) {
            throw new ilLDAPSynchronisationForbiddenException('User synchronisation forbidden.');
        }
        // Account migration
        if (!$this->force_creation && $this->getServer()->isAccountMigrationEnabled()) {
            $this->readUserData();
            throw new ilLDAPAccountMigrationRequiredException('Account migration check required.');
        }
    }

    protected function performUpdate(): bool
    {
        ilUserCreationContext::getInstance()->addContext(ilUserCreationContext::CONTEXT_LDAP);

        $update = new ilLDAPAttributeToUser($this->getServer());
        if ($this->force_creation) {
            $update->addMode(ilLDAPAttributeToUser::MODE_INITIALIZE_ROLES);
        }
        $update->setNewUserAuthMode($this->getAuthMode());
        $update->setUserData(
            array(
                $this->getExternalAccount() => $this->getUserData()
            )
        );

        $update->refresh();

        // User has been created, now read internal account again
        $this->readInternalAccount();
        return true;
    }

    protected function readUserData(): bool
    {
        // Add internal account to user data
        $this->user_data['ilInternalAccount'] = $this->getInternalAccount();
        if (!$this->force_read_ldap_data && strpos($this->getAuthMode(), 'ldap') === 0) {
            return true;
        }

        try {
            $query = new ilLDAPQuery($this->getServer());
            $query->bind(ilLDAPQuery::LDAP_BIND_DEFAULT);
            $user = $query->fetchUser($this->getExternalAccount());
            $this->logger->dump($user, ilLogLevel::DEBUG);
            $this->user_data = (array) $user[strtolower($this->getExternalAccount())];
        } catch (ilLDAPQueryException $e) {
            $this->logger->error('LDAP bind failed with message: ' . $e->getMessage());
            throw new ilLDAPSynchronisationFailedException($e->getMessage());
        }

        return true;
    }


    protected function readInternalAccount(): void
    {
        if (!$this->getExternalAccount()) {
            throw new UnexpectedValueException('No external account given.');
        }
        $this->intaccount = ilObjUser::_checkExternalAuthAccount(
            $this->getAuthMode(),
            $this->getExternalAccount()
        );
    }

    protected function isUpdateRequired(): bool
    {
        if ($this->force_creation) {
            return true;
        }
        if (!$this->getInternalAccount()) {
            return true;
        }

        // Check attribute mapping on login
        if (ilLDAPAttributeMapping::hasRulesForUpdate($this->getServer()->getServerId())) {
            return true;
        }

        // Check if there is any change in role assignments
        if (ilLDAPRoleAssignmentRule::hasRulesForUpdate()) {
            return true;
        }
        return false;
    }


    protected function initServer(string $a_auth_mode, int $a_server_id): void
    {
        $this->authmode = $a_auth_mode;
        $this->server = ilLDAPServer::getInstanceByServerId($a_server_id);
    }
}