Merge pull request #20 from BaranekD/isCesnetEligible

vyskocilpavel · web-flow · commit d150af7107a2 · 2019-08-19T14:03:10.000+02:00
Possibility to read isCesnetEligible attribute from LDAP
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,9 @@
 All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
+#### Added
+- Possibility to read isCesnetEligible attribute from LDAP
+
 #### Changed
 - Using of short array syntax ([] instead of array())
 
diff --git a/config-templates/processFilterConfigurations-example.md b/config-templates/processFilterConfigurations-example.md
@@ -13,12 +13,16 @@ Example how to configure ComputeLoA filter:
 ## IsCesnetEligible
 Example how to configure IsCesnetEligible filter:
 
+* Interface says if attribute will be read from RPC or LDAP
+* If interface is LDAP, LDAP.attributeName has to be filled
+* RPC.attributeName has to be filled
 * Put something like this into saml20-idp-hosted.php:
 
     ```php
     25 => [
-            'class' => 'cesnet:IsCesnetEligible',
-                    'cesnetEligibleLastSeenAttr' => 'urn:perun:user:attribute-def:def:isCesnetEligibleLastSeen',
-                    'listOfPerunEntityIds' => ['entityId1', 'entityId2'],
+        'class' => 'cesnet:IsCesnetEligible',
+        'interface' => 'RPC/LDAP',
+        'RPC.attributeName' => 'urn:perun:user:attribute-def:def:isCesnetEligibleLastSeen',
+        'LDAP.attributeName' => 'isCesnetEligible',
     ],
     ```
diff --git a/lib/Auth/Process/IsCesnetEligible.php b/lib/Auth/Process/IsCesnetEligible.php
@@ -2,6 +2,7 @@
 
 namespace SimpleSAML\Module\cesnet\Auth\Process;
 
+use SimpleSAML\Auth\ProcessingFilter;
 use SimpleSAML\Module\perun\LdapConnector;
 use SimpleSAML\Module\perun\RpcConnector;
 use SimpleSAML\Module\perun\AdapterLdap;
@@ -17,19 +18,27 @@
  *
  * @author Pavel Vyskocil <vyskocilpavel@muni.cz>
  */
-class IsCesnetEligible extends \SimpleSAML\Auth\ProcessingFilter
+class IsCesnetEligible extends ProcessingFilter
 {
     const CONFIG_FILE_NAME = 'module_cesnet_IsCesnetEligible.php';
     const ORGANIZATION_LDAP_BASE = 'ou=Organizations,o=eduID.cz,o=apps,dc=cesnet,dc=cz';
 
     const HOSTEL_ENTITY_ID = "https://idp.hostel.eduid.cz/idp/shibboleth";
 
     const INTERFACE_PROPNAME = "interface";
-    const CESNET_ELIGIBLE_LAST_SEEN_ATTR = "cesnetEligibleLastSeenAttr";
+    const ATTR_NAME = "attrName";
+    const RPC_ATTRIBUTE_NAME = "RPC.attributeName";
+    const LDAP_ATTRIBUTE_NAME = 'LDAP.attributeName';
     const DEFAULT_ATTR_NAME = 'isCesnetEligibleLastSeen';
+    const LDAP = 'LDAP';
+    const RPC = 'RPC';
 
-    private $cesnetEligibleLastSeen;
-    private $cesnetEligibleLastSeenAttr;
+    private $cesnetEligibleLastSeenValue;
+    private $cesnetEligibleLastSeenAttribute;
+    private $interface = self::RPC;
+    private $rpcAttrName;
+    private $ldapAttrName;
+    private $returnAttrName = self::DEFAULT_ATTR_NAME;
 
     private $spEntityId;
     private $idpEntityId;
@@ -40,6 +49,11 @@ class IsCesnetEligible extends \SimpleSAML\Auth\ProcessingFilter
      */
     private $cesnetLdapConnector;
 
+    /**
+     * @var AdapterLdap
+     */
+    private $ldapAdapter;
+
     /**
      * @var RpcConnector
      */
@@ -49,23 +63,33 @@ public function __construct($config, $reserved)
     {
         parent::__construct($config, $reserved);
 
-        if (!isset($config[self::CESNET_ELIGIBLE_LAST_SEEN_ATTR])) {
+        if (!isset($config[self::RPC_ATTRIBUTE_NAME]) || empty($config[self::RPC_ATTRIBUTE_NAME])) {
             throw new Exception(
                 "cesnet:IsCesnetEligible - missing mandatory configuration option '" .
-                self::CESNET_ELIGIBLE_LAST_SEEN_ATTR . "'."
+                self::RPC_ATTRIBUTE_NAME . "'."
             );
         }
 
-        if (isset($config['attrName'])) {
-            $this->attrName = $config['attrName'];
-        } else {
-            $this->attrName = self::DEFAULT_ATTR_NAME;
-        }
-
-        $this->cesnetEligibleLastSeenAttr = $config[self::CESNET_ELIGIBLE_LAST_SEEN_ATTR];
+        $this->rpcAttrName = $config[self::RPC_ATTRIBUTE_NAME];
 
-        $this->cesnetLdapConnector = (new AdapterLdap(self::CONFIG_FILE_NAME))->getConnector();
         $this->rpcConnector = (new AdapterRpc())->getConnector();
+        $this->cesnetLdapConnector = (new AdapterLdap(self::CONFIG_FILE_NAME))->getConnector();
+
+        if (isset($config[self::ATTR_NAME]) && !empty($config[self::ATTR_NAME])) {
+            $this->returnAttrName = $config['attrName'];
+        }
+
+        if (isset($config[self::INTERFACE_PROPNAME], $config[self::LDAP_ATTRIBUTE_NAME]) &&
+            $config[self::INTERFACE_PROPNAME] === self::LDAP && !empty($config[self::LDAP_ATTRIBUTE_NAME])) {
+            $this->interface = $config[self::INTERFACE_PROPNAME];
+            $this->ldapAttrName = $config[self::LDAP_ATTRIBUTE_NAME];
+            $this->ldapAdapter = new AdapterLdap();
+        } else {
+            Logger::warning(
+                "cesnet:IsCesnetEligible - One of " . self::INTERFACE_PROPNAME . self::LDAP_ATTRIBUTE_NAME .
+                " is missing or empty. RPC interface will be used"
+            );
+        }
     }
 
     public function process(&$request)
@@ -104,32 +128,54 @@ public function process(&$request)
 
         try {
             if (!empty($user)) {
-                $this->cesnetEligibleLastSeen = $this->rpcConnector->get(
-                    'attributesManager',
-                    'getAttribute',
-                    ['user' => $user->getId(), 'attributeName' => $this->cesnetEligibleLastSeenAttr,]
-                );
-            }
+                if ($this->interface === self::LDAP) {
+                    $attrs = $this->ldapAdapter->getUserAttributes($user, [$this->ldapAttrName]);
+                    if (isset($attrs[$this->ldapAttrName][0])) {
+                        $this->cesnetEligibleLastSeenValue = $attrs[$this->ldapAttrName][0];
+                    }
+                } else {
+                    $this->cesnetEligibleLastSeenAttribute = $this->rpcConnector->get(
+                        'attributesManager',
+                        'getAttribute',
+                        ['user' => $user->getId(), 'attributeName' => $this->rpcAttrName]
+                    );
+                    $this->cesnetEligibleLastSeenValue = $this->cesnetEligibleLastSeenAttribute['value'];
+                }
 
-            if ((!empty($this->eduPersonScopedAffiliation) && $this->isCesnetEligible())
-                || $isHostelVerified
-            ) {
-                $this->cesnetEligibleLastSeen['value'] = date("Y-m-d H:i:s");
+                if ($isHostelVerified || (!empty($this->eduPersonScopedAffiliation) && $this->isCesnetEligible())) {
+                    $this->cesnetEligibleLastSeenValue = date("Y-m-d H:i:s");
+
+                    if ($this->cesnetEligibleLastSeenAttribute === null) {
+                        $this->cesnetEligibleLastSeenAttribute = $this->rpcConnector->get(
+                            'attributesManager',
+                            'getAttribute',
+                            ['user' => $user->getId(), 'attributeName' => $this->rpcAttrName,]
+                        );
+                    }
+                    $this->cesnetEligibleLastSeenAttribute['value'] = $this->cesnetEligibleLastSeenValue;
 
-                if (!empty($user)) {
                     $this->rpcConnector->post(
                         'attributesManager',
                         'setAttribute',
-                        ['user' => $user->getId(), 'attribute' => $this->cesnetEligibleLastSeen,]
+                        ['user' => $user->getId(), 'attribute' => $this->cesnetEligibleLastSeenAttribute,]
+                    );
+
+                    Logger::debug(
+                        "cesnet:IsCesnetEligible - Value of attribute isCesnetEligibleLastSeen was updated to " .
+                        $this->cesnetEligibleLastSeenValue . "in Perun system."
                     );
                 }
             }
         } catch (Exception $ex) {
             Logger::warning("cesnet:IsCesnetEligible - " . $ex->getMessage());
         }
 
-        if ($this->cesnetEligibleLastSeen['value'] != null) {
-            $request['Attributes'][$this->attrName] = [$this->cesnetEligibleLastSeen['value']];
+        if ($this->cesnetEligibleLastSeenValue !== null) {
+            $request['Attributes'][$this->returnAttrName] = [$this->cesnetEligibleLastSeenValue];
+            Logger::debug(
+                "cesnet:IsCesnetEligible - Attribute " . $this->returnAttrName . " was set to value " .
+                $this->cesnetEligibleLastSeenValue
+            );
         }
     }
 
