Add support for adding multiple attributes in AttributeAddFromLDAP.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3371 44740490-163a-0410-bde0-09ae8108e29a

Add support for adding multiple attributes in AttributeAddFromLDAP.
f6ada0bc · Jaime Pérez Crespo · ff0e0ecb · f6ada0bc
Commit f6ada0bc authored 11 years ago by Jaime Pérez Crespo
--- a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
+++ b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php
@@ -18,122 +18,162 @@
 *          - Added conversion of original filter option names for backwards-compatibility
 *          - Updated the constructor to use the new config method
 *          - Updated the process method to use the new config variable names
+ * Updated: 20131119 Yørn de Jong / Jaime Perez
+ *      - Added support for retrieving multiple values at once from LDAP
+ *      - Don't crash but fail silently on LDAP errors; the plugin is to complement attributes
 *
- * @author Steve Moitozo, JAARS, Inc., Ryan Panning
+ * @author Yørn de Jong
+ * @author Jaime Perez
+ * @author Steve Moitozo
+ * @author JAARS, Inc.
+ * @author Ryan Panning
 * @package simpleSAMLphp
 * @version $Id$
 */
 class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Process_BaseFilter {
+    /**
-	/**
+     * LDAP attribute to add to the request attributes
-	 * Name of the attribute to add LDAP values to
+     *
-	 *
+     * @var string
-	 * @var string
+     */
-	 */
+    protected $search_attributes;
-	protected $new_attribute;
+    /**
-	/**
+     * LDAP search filter to use in the LDAP query
-	 * LDAP attribute to add to the request attributes
+     *
-	 *
+     * @var string
-	 * @var string
+     */
-	 */
+    protected $search_filter;
-	protected $search_attribute;
+    /**
-	/**
+     * Initialize this filter.
-	 * LDAP search filter to use in the LDAP query
+     *
-	 *
+     * @param array $config Configuration information about this filter.
-	 * @var string
+     * @param mixed $reserved For future use.
-	 */
+     */
-	protected $search_filter;
+    public function __construct($config, $reserved) {
+        /*
-	/**
+         * For backwards compatibility, check for old config names
-	 * Initialize this filter.
+         * @TODO Remove after 2.0
-	 *
+         */
-	 * @param array $config  Configuration information about this filter.
+        if (isset($config['ldap_host'])) {
-	 * @param mixed $reserved  For future use.
+            $config['ldap.hostname'] = $config['ldap_host'];
-	 */
+        }
-	public function __construct($config, $reserved) {
+        if (isset($config['ldap_port'])) {
+            $config['ldap.port'] = $config['ldap_port'];
-		// For backwards compatibility, check for old config names
+        }
-		if (isset($config['ldap_host']))             $config['ldap.hostname']      = $config['ldap_host'];
+        if (isset($config['ldap_bind_user'])) {
-		if (isset($config['ldap_port']))             $config['ldap.port']          = $config['ldap_port'];
+            $config['ldap.username'] = $config['ldap_bind_user'];
-		if (isset($config['ldap_bind_user']))        $config['ldap.username']      = $config['ldap_bind_user'];
+        }
-		if (isset($config['ldap_bind_pwd']))         $config['ldap.password']      = $config['ldap_bind_pwd'];
+        if (isset($config['ldap_bind_pwd'])) {
-		if (isset($config['userid_attribute']))      $config['attribute.username'] = $config['userid_attribute'];
+            $config['ldap.password'] = $config['ldap_bind_pwd'];
-		if (isset($config['ldap_search_base_dn']))   $config['ldap.basedn']        = $config['ldap_search_base_dn'];
+        }
-		if (isset($config['ldap_search_filter']))    $config['search.filter']      = $config['ldap_search_filter'];
+        if (isset($config['userid_attribute'])) {
-		if (isset($config['ldap_search_attribute'])) $config['search.attribute']   = $config['ldap_search_attribute'];
+            $config['attribute.username'] = $config['userid_attribute'];
-		if (isset($config['new_attribute_name']))    $config['attribute.new']      = $config['new_attribute_name'];
+        }
+        if (isset($config['ldap_search_base_dn'])) {
-		// Remove the old config names
+            $config['ldap.basedn'] = $config['ldap_search_base_dn'];
-		unset(
+        }
-			$config['ldap_host'],
+        if (isset($config['ldap_search_filter'])) {
-			$config['ldap_port'],
+            $config['search.filter'] = $config['ldap_search_filter'];
-			$config['ldap_bind_user'],
+        }
-			$config['ldap_bind_pwd'],
+        if (isset($config['ldap_search_attribute'])) {
-			$config['userid_attribute'],
+            $config['search.attribute'] = $config['ldap_search_attribute'];
-			$config['ldap_search_base_dn'],
+        }
-			$config['ldap_search_filter'],
+        if (isset($config['new_attribute_name'])) {
-			$config['ldap_search_attribute'],
+            $config['attribute.new'] = $config['new_attribute_name'];
-			$config['new_attribute_name']
+        }
-		);
+        /*
-		// Now that we checked for BC, run the parent constructor
+         * Remove the old config names
-		parent::__construct($config, $reserved);
+         * @TODO Remove after 2.0
+         */
-		// Get filter specific config options
+        unset(
-		$this->new_attribute    = $this->config->getString('attribute.new');
+        $config['ldap_host'],
-		$this->search_attribute = $this->config->getString('search.attribute');
+        $config['ldap_port'],
-		$this->search_filter    = $this->config->getString('search.filter');
+        $config['ldap_bind_user'],
-	}
+        $config['ldap_bind_pwd'],
+        $config['userid_attribute'],
+        $config['ldap_search_base_dn'],
-	/**
+        $config['ldap_search_filter'],
-	 * Add attributes from an LDAP server.
+        $config['ldap_search_attribute'],
-	 *
+        $config['new_attribute_name']
-	 * @param array &$request  The current request
+        );
-	 */
-	public function process(&$request) {
+        // Now that we checked for BC, run the parent constructor
-		assert('is_array($request)');
+        parent::__construct($config, $reserved);
-		assert('array_key_exists("Attributes", $request)');
+        // Get filter specific config options
-		$attributes =& $request['Attributes'];
+        $this->search_attributes = $this->config->getArrayize('attributes', array());
+        if (empty($this->search_attributes)) {
-		// perform a merge on the ldap_search_filter
+            $new_attribute = $this->config->getString('attribute.new', '');
+            $this->search_attributes[$new_attribute] = $this->config->getString('search.attribute');
-		// loop over the attributes and build the search and replace arrays
+        }
-		foreach($attributes as $attr => $val){
+        $this->search_filter    = $this->config->getString('search.filter');
-			$arrSearch[] = '%'.$attr.'%';
+    }
-			if(strlen($val[0]) > 0){
-				$arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($val[0]);
+    /**
-			}else{
+     * Add attributes from an LDAP server.
-				$arrReplace[] = '';
+     *
-			}
+     * @param array &$request The current request
-		}
+     */
+    public function process(&$request) {
-		// merge the attributes into the ldap_search_filter
+        assert('is_array($request)');
-		$filter = str_replace($arrSearch, $arrReplace, $this->search_filter);
+        assert('array_key_exists("Attributes", $request)');
-		// search for matching entries
+        $attributes =& $request['Attributes'];
-		$entries = $this->getLdap()->searchformultiple($this->base_dn, $filter, (array) $this->search_attribute, TRUE, FALSE);
+        // perform a merge on the ldap_search_filter
-		// handle [multiple] values
-		if(is_array($entries) && is_array($entries[0])){
+        // loop over the attributes and build the search and replace arrays
-			$results = array();
+        foreach ($attributes as $attr => $val) {
-			foreach($entries as $entry){
+            $arrSearch[] = '%'.$attr.'%';
-				$entry = $entry[strtolower($this->search_attribute)];
-				for($i = 0; $i < $entry['count']; $i++){
+            if (strlen($val[0]) > 0) {
-					$results[] = $entry[$i];
+                $arrReplace[] = SimpleSAML_Auth_LDAP::escape_filter_value($val[0]);
-				}
+            } else {
-			}
+                $arrReplace[] = '';
-			$attributes[$this->new_attribute] = array_values($results);
+            }
-		}
+        }
-	}
+        // merge the attributes into the ldap_search_filter
+        $filter = str_replace($arrSearch, $arrReplace, $this->search_filter);
+        if (strpos($filter, '%') !== FALSE) {
+            SimpleSAML_Logger::info('There are non-existing attributes in the search filter. ('.
+                                    $this->search_filter.')');
+            return;
+        }
+        // search for matching entries
+        try {
+            $entries = $this->getLdap()->searchformultiple($this->base_dn, $filter,
+                                                           array_values($this->search_attributes), TRUE, FALSE);
+        } catch (Exception $e) {
+            return; // silent fail, error is still logged by LDAP search
+        }
+        // handle [multiple] values
+        foreach ($entries as $entry) {
+            foreach ($this->search_attributes as $target => $name) {
+                if (is_numeric($target)) {
+                    $target = $name;
+                }
+                $name = strtolower($name);
+                if (isset($entry[$name])) {
+                    unset($entry[$name]['count']);
+                    if (isset($attributes[$target])) {
+                        $attributes[$target] = array_merge($attributes[$target], array_values($entry[$name]));
+                    } else {
+                        $attributes[$target] = array_values($entry[$name]);
+                    }
+                }
+            }
+        }
+    }
 }