/**
* Returns count of users in LDAP that are member of a specific group of names. Uses a search
* filter with memberof=?.
*
* @param string $memberOf The group to check.
* @return int
* @throws Exception if the current user is not a Super User or something goes wrong with LDAP.
*/
public function getCountOfUsersMemberOf($memberOf)
{
Piwik::checkUserHasSuperUserAccess();
$memberOf = Common::unsanitizeInputValue($memberOf);
$memberOfField = Config::getRequiredMemberOfField();
return $this->ldapUsers->getCountOfUsersMatchingFilter("(" . $memberOfField . "=?)", array($memberOf));
}
/**
* @return string
*/
public function admin()
{
Piwik::checkUserHasSuperUserAccess();
$view = new View('@LoginLdap/index');
ControllerAdmin::setBasicVariablesAdminView($view);
if (!function_exists('ldap_connect')) {
$notification = new Notification(Piwik::translate('LoginLdap_LdapFunctionsMissing'));
$notification->context = Notification::CONTEXT_ERROR;
$notification->type = Notification::TYPE_PERSISTENT;
Notification\Manager::notify('LoginLdap_LdapFunctionsMissing', $notification);
}
$this->setBasicVariablesView($view);
$serverNames = Config::getServerNameList() ?: array();
$view->servers = array();
if (empty($serverNames)) {
try {
$serverInfo = ServerInfo::makeFromOldConfig()->getProperties();
$serverInfo['name'] = 'server';
$view->servers[] = $serverInfo;
} catch (Exception $ex) {
// ignore
}
} else {
foreach ($serverNames as $server) {
$serverConfig = Config::getServerConfig($server);
if (!empty($serverConfig)) {
$serverConfig['name'] = $server;
$view->servers[] = $serverConfig;
}
}
}
$view->ldapConfig = Config::getPluginOptionValuesWithDefaults();
$view->isLoginControllerActivated = PluginManager::getInstance()->isPluginActivated('Login');
$view->updatedFromPre30 = Option::get('LoginLdap_updatedFromPre3_0');
return $view->render();
}
/**
* Returns a ServerInfo instance created using options in an INI config section.
* The INI config section's name is determined by prefixing `'LoginLdap_'` to the
* server name.
*
* The INI config section can have the following information:
*
* - **hostname** _(Required)_ The server's hostname.
* - **base_dn** _(Required)_ The base DN to use with this server.
* - **port** The port to use when connecting to the server.
* - **admin_user** The name of an admin user that has read access to other users.
* - **admin_pass** The password to use when binding with the admin user.
*
* @param string $name The name of the LDAP server in config. This value can be
* used in the `[LoginLdap] servers[] = ` config option to
* add an LDAP server to the list of servers LoginLdap will
* connect to.
* @return ServerInfo
* @throws Exception if the LDAP server config cannot be found or is missing
* required information.
*/
public static function makeConfigured($name)
{
$config = Config::getServerConfig($name);
if (empty($config)) {
throw new Exception("No configuration section [{$name}] found.");
}
if (empty($config['hostname'])) {
throw new Exception("Required config option 'hostname' not found in [{$name}] section.");
}
if (empty($config['base_dn'])) {
throw new Exception("Required config option 'base_dn' not found in [{$name}] section.");
}
$hostname = $config['hostname'];
$baseDn = $config['base_dn'];
$result = new ServerInfo($hostname, $baseDn);
$port = $config['port'];
if (!empty($port)) {
$result->setServerPort((int) $port);
}
$adminUser = $config['admin_user'];
if (!empty($adminUser)) {
$result->setAdminUsername($adminUser);
}
$adminPass = $config['admin_pass'];
if (!empty($adminPass)) {
$result->setAdminPassword($adminPass);
}
Log::debug("ServerInfo::%s: configuring with hostname = %s, baseDn = %s, port = %s, adminUser = %s, adminPass = %s", __FUNCTION__, $hostname, $baseDn, $port, substr($adminUser, 3) . '...', '<len=' . strlen($adminPass) . '>');
return $result;
}
/**
* Returns a WebServerAuth instance configured with INI config.
* @return SynchronizedAuth
*/
public static function makeConfigured()
{
$result = new SynchronizedAuth();
$result->setLdapUsers(LdapUsers::makeConfigured());
$result->setUsersManagerAPI(UsersManagerAPI::getInstance());
$result->setUsersModel(new UserModel());
$result->setUserSynchronizer(UserSynchronizer::makeConfigured());
$synchronizeUsersAfterSuccessfulLogin = Config::getShouldSynchronizeUsersAfterLogin();
$result->setSynchronizeUsersAfterSuccessfulLogin($synchronizeUsersAfterSuccessfulLogin);
return $result;
}
/**
* Returns a configured UserAccessMapper instance. The instance is configured
* using INI config option values.
*
* @return UserAccessMapper
*/
public static function makeConfigured()
{
$result = new UserAccessMapper();
$result->setUserAccessAttributeParser(UserAccessAttributeParser::makeConfigured());
$viewAttributeName = Config::getLdapViewAccessField();
if (!empty($viewAttributeName)) {
$result->setViewAttributeName($viewAttributeName);
}
$adminAttributeName = Config::getLdapAdminAccessField();
if (!empty($adminAttributeName)) {
$result->setAdminAttributeName($adminAttributeName);
}
$superuserAttributeName = Config::getSuperUserAccessField();
if (!empty($superuserAttributeName)) {
$result->setSuperuserAttributeName($superuserAttributeName);
}
return $result;
}
/**
* Creates a UserMapper instance configured using INI options.
*
* @return UserMapper
*/
public static function makeConfigured()
{
$result = new UserMapper();
$uidField = Config::getLdapUserIdField();
if (!empty($uidField)) {
$result->setLdapUserIdField($uidField);
}
$lastNameField = Config::getLdapLastNameField();
if (!empty($lastNameField)) {
$result->setLdapLastNameField($lastNameField);
}
$firstNameField = Config::getLdapFirstNameField();
if (!empty($firstNameField)) {
$result->setLdapFirstNameField($firstNameField);
}
$aliasField = Config::getLdapAliasField();
if (!empty($aliasField)) {
$result->setLdapAliasField($aliasField);
}
$mailField = Config::getLdapMailField();
if (!empty($mailField)) {
$result->setLdapMailField($mailField);
}
$userPasswordField = Config::getLdapPasswordField();
if (!empty($userPasswordField)) {
$result->setLdapUserPasswordField($userPasswordField);
}
$userEmailSuffix = Config::getLdapUserEmailSuffix();
if (!empty($userEmailSuffix)) {
$result->setUserEmailSuffix($userEmailSuffix);
}
$isRandomTokenAuthGenerationEnabled = Config::isRandomTokenAuthGenerationEnabled();
if (!empty($isRandomTokenAuthGenerationEnabled)) {
$result->setIsRandomTokenAuthGenerationEnabled($isRandomTokenAuthGenerationEnabled);
}
$appendUserEmailSuffixToUsername = Config::shouldAppendUserEmailSuffixToUsername();
if (!empty($appendUserEmailSuffixToUsername)) {
$result->setAppendUserEmailSuffixToUsername($appendUserEmailSuffixToUsername);
}
Log::debug("UserMapper::%s: configuring with uidField = %s, aliasField = %s firstNameField = %s, lastNameField = %s" . " mailField = %s, ldapUserPasswordField = %s, userEmailSuffix = %s, isRandomTokenAuthGenerationEnabled = %s", __FUNCTION__, $uidField, $aliasField, $firstNameField, $lastNameField, $mailField, $userPasswordField, $userEmailSuffix, $isRandomTokenAuthGenerationEnabled);
return $result;
}
/**
* Creates a UserMapper instance configured using INI options.
*
* @return UserMapper
*/
public static function makeConfigured()
{
$result = new UserMapper();
$uidField = Config::getLdapUserIdField();
if (!empty($uidField)) {
$result->setLdapUserIdField($uidField);
}
$lastNameField = Config::getLdapLastNameField();
if (!empty($lastNameField)) {
$result->setLdapLastNameField($lastNameField);
}
$firstNameField = Config::getLdapFirstNameField();
if (!empty($firstNameField)) {
$result->setLdapFirstNameField($firstNameField);
}
$aliasField = Config::getLdapAliasField();
if (!empty($aliasField)) {
$result->setLdapAliasField($aliasField);
}
$mailField = Config::getLdapMailField();
if (!empty($mailField)) {
$result->setLdapMailField($mailField);
}
$userPasswordField = Config::getLdapPasswordField();
if (!empty($userPasswordField)) {
$result->setLdapUserPasswordField($userPasswordField);
}
$userEmailSuffix = Config::getLdapUserEmailSuffix();
if (!empty($userEmailSuffix)) {
$result->setUserEmailSuffix($userEmailSuffix);
}
$isRandomTokenAuthGenerationEnabled = Config::isRandomTokenAuthGenerationEnabled();
if (!empty($isRandomTokenAuthGenerationEnabled)) {
$result->setIsRandomTokenAuthGenerationEnabled($isRandomTokenAuthGenerationEnabled);
}
$appendUserEmailSuffixToUsername = Config::shouldAppendUserEmailSuffixToUsername();
if (!empty($appendUserEmailSuffixToUsername)) {
$result->setAppendUserEmailSuffixToUsername($appendUserEmailSuffixToUsername);
}
return $result;
}
/**
* Creates a UserSynchronizer using INI configuration.
*
* @return UserSynchronizer
*/
public static function makeConfigured()
{
$result = new UserSynchronizer();
$result->setUserMapper(UserMapper::makeConfigured());
$result->setUsersManagerApi(UsersManagerAPI::getInstance());
$result->setUserModel(new UserModel());
/** @var LoggerInterface $logger */
$logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
if (Config::isAccessSynchronizationEnabled()) {
$result->setUserAccessMapper(UserAccessMapper::makeConfigured());
$logger->debug("UserSynchronizer::{func}(): Using UserAccessMapper when synchronizing users.", array('func' => __FUNCTION__));
} else {
$logger->debug("UserSynchronizer::{func}(): LDAP access synchronization not enabled.", array('func' => __FUNCTION__));
}
$defaultSitesWithViewAccess = Config::getDefaultSitesToGiveViewAccessTo();
if (!empty($defaultSitesWithViewAccess)) {
$siteIds = Access::doAsSuperUser(function () use($defaultSitesWithViewAccess) {
return Site::getIdSitesFromIdSitesString($defaultSitesWithViewAccess);
});
if (empty($siteIds)) {
$logger->warning("UserSynchronizer::{func}(): new_user_default_sites_view_access INI config option has no " . "entries. Newly synchronized users will not have any access.", array('func' => __FUNCTION__));
}
$result->setNewUserDefaultSitesWithViewAccess($siteIds);
}
$logger->debug("UserSynchronizer::{func}: configuring with defaultSitesWithViewAccess = {sites}", array('func' => __FUNCTION__, 'sites' => $defaultSitesWithViewAccess));
return $result;
}
/**
* Returns a WebServerAuth instance configured with INI config.
*
* @return WebServerAuth
*/
public static function makeConfigured()
{
$result = new WebServerAuth();
$result->setLdapUsers(LdapUsers::makeConfigured());
$result->setUsersManagerAPI(UsersManagerAPI::getInstance());
$result->setUsersModel(new UserModel());
$result->setUserSynchronizer(UserSynchronizer::makeConfigured());
$synchronizeUsersAfterSuccessfulLogin = Config::getShouldSynchronizeUsersAfterLogin();
$result->setSynchronizeUsersAfterSuccessfulLogin($synchronizeUsersAfterSuccessfulLogin);
if (Config::getUseLdapForAuthentication()) {
$fallbackAuth = LdapAuth::makeConfigured();
} else {
$fallbackAuth = SynchronizedAuth::makeConfigured();
}
$result->setFallbackAuth($fallbackAuth);
return $result;
}
/**
* Creates a new {@link LdapUsers} instance using config.ini.php values.
*
* @return LdapUsers
*/
public static function makeConfigured()
{
$result = new LdapUsers();
$result->setLdapServers(Config::getConfiguredLdapServers());
$usernameSuffix = Config::getLdapUserEmailSuffix();
if (!empty($usernameSuffix)) {
$result->setAuthenticationUsernameSuffix($usernameSuffix);
}
$requiredMemberOf = Config::getRequiredMemberOf();
if (!empty($requiredMemberOf)) {
$result->setAuthenticationRequiredMemberOf($requiredMemberOf);
}
$memberOfField = Config::getRequiredMemberOfField();
if (!empty($memberOfField)) {
$result->setAuthenticationMemberOfField($memberOfField);
}
$filter = Config::getLdapUserFilter();
if (!empty($filter)) {
$result->setAuthenticationLdapFilter($filter);
}
$timeoutSecs = Config::getLdapNetworkTimeout();
if (!empty($timeoutSecs)) {
$result->setLdapNetworkTimeout($timeoutSecs);
}
$result->setLdapUserMapper(UserMapper::makeConfigured());
Log::debug("LdapUsers::%s: configuring with userEmailSuffix = %s, requiredMemberOf = %s, filter = %s, timeoutSecs = %s", __FUNCTION__, $usernameSuffix, $requiredMemberOf, $filter, $timeoutSecs);
return $result;
}
/**
* Creates a UserSynchronizer using INI configuration.
*
* @return UserSynchronizer
*/
public static function makeConfigured()
{
$result = new UserSynchronizer();
$result->setUserMapper(UserMapper::makeConfigured());
$result->setUsersManagerApi(UsersManagerAPI::getInstance());
$result->setUserModel(new UserModel());
if (Config::isAccessSynchronizationEnabled()) {
$result->setUserAccessMapper(UserAccessMapper::makeConfigured());
Log::debug("UserSynchronizer::%s(): Using UserAccessMapper when synchronizing users.", __FUNCTION__);
} else {
Log::debug("UserSynchronizer::%s(): LDAP access synchronization not enabled.", __FUNCTION__);
}
$defaultSitesWithViewAccess = Config::getDefaultSitesToGiveViewAccessTo();
if (!empty($defaultSitesWithViewAccess)) {
$siteIds = Access::doAsSuperUser(function () use($defaultSitesWithViewAccess) {
return Site::getIdSitesFromIdSitesString($defaultSitesWithViewAccess);
});
if (empty($siteIds)) {
Log::warning("UserSynchronizer::%s(): new_user_default_sites_view_access INI config option has no " . "entries. Newly synchronized users will not have any access.", __FUNCTION__);
}
$result->setNewUserDefaultSitesWithViewAccess($siteIds);
}
Log::debug("UserSynchronizer::%s: configuring with defaultSitesWithViewAccess = %s", __FUNCTION__, $defaultSitesWithViewAccess);
return $result;
}
/**
* Returns the authentication implementation to use in LoginLdap based on certain
* INI configuration values.
*
* @return Base
*/
public static function factory()
{
if (Config::shouldUseWebServerAuthentication()) {
return WebServerAuth::makeConfigured();
} else {
if (Config::getUseLdapForAuthentication()) {
return LdapAuth::makeConfigured();
} else {
return SynchronizedAuth::makeConfigured();
}
}
}
/**
* Creates a UserAccessAttributeParser instance using INI configuration.
*
* @return UserAccessAttributeParser
*/
public static function makeConfigured()
{
$result = new UserAccessAttributeParser();
$serverSpecificationDelimiter = Config::getUserAccessAttributeServerSpecificationDelimiter();
if (!empty($serverSpecificationDelimiter)) {
$result->setServerSpecificationDelimiter($serverSpecificationDelimiter);
}
$serverListSeparator = Config::getUserAccessAttributeServerSiteListSeparator();
if (!empty($serverListSeparator)) {
$result->setServerIdsSeparator($serverListSeparator);
}
$thisPiwikInstanceName = Config::getDesignatedPiwikInstanceName();
if (!empty($thisPiwikInstanceName)) {
$result->setThisPiwikInstanceName($thisPiwikInstanceName);
} else {
if ($result->getServerIdsSeparator() == ':') {
Log::info("UserAttributesParser::%s: Configured with no instance name so matching by URL, but server/site IDs" . " separator set to special ':' character. This character may show up in URLs in LDAP, which will " . "cause problems. We recommend you use a character not often found in URLs, such as '|'.", __FUNCTION__);
}
}
Log::debug("UserAccessAttributeParser::%s: configuring with serverSpecificationDelimiter = %s, serverSiteIdListSeparator = %s, " . "thisPiwikInstanceName = %s", __FUNCTION__, $serverSpecificationDelimiter, $serverListSeparator, $thisPiwikInstanceName);
return $result;
}
/**
* Returns a configured UserAccessMapper instance. The instance is configured
* using INI config option values.
*
* @return UserAccessMapper
*/
public static function makeConfigured()
{
$result = new UserAccessMapper();
$result->setUserAccessAttributeParser(UserAccessAttributeParser::makeConfigured());
$viewAttributeName = Config::getLdapViewAccessField();
if (!empty($viewAttributeName)) {
$result->setViewAttributeName($viewAttributeName);
}
$adminAttributeName = Config::getLdapAdminAccessField();
if (!empty($adminAttributeName)) {
$result->setAdminAttributeName($adminAttributeName);
}
$superuserAttributeName = Config::getSuperUserAccessField();
if (!empty($superuserAttributeName)) {
$result->setSuperuserAttributeName($superuserAttributeName);
}
Log::debug("UserAccessMapper::%s: configuring with viewAttributeName = '%s', adminAttributeName = '%s', superuserAttributeName = '%s'", __FUNCTION__, $viewAttributeName, $adminAttributeName, $superuserAttributeName);
return $result;
}
/**
* Creates a new {@link LdapUsers} instance using config.ini.php values.
*
* @return LdapUsers
*/
public static function makeConfigured()
{
$result = new LdapUsers();
$result->setLdapServers(Config::getConfiguredLdapServers());
$usernameSuffix = Config::getLdapUserEmailSuffix();
if (!empty($usernameSuffix)) {
$result->setAuthenticationUsernameSuffix($usernameSuffix);
}
$requiredMemberOf = Config::getRequiredMemberOf();
if (!empty($requiredMemberOf)) {
$result->setAuthenticationRequiredMemberOf($requiredMemberOf);
}
$memberOfField = Config::getRequiredMemberOfField();
if (!empty($memberOfField)) {
$result->setAuthenticationMemberOfField($memberOfField);
}
$filter = Config::getLdapUserFilter();
if (!empty($filter)) {
$result->setAuthenticationLdapFilter($filter);
}
$timeoutSecs = Config::getLdapNetworkTimeout();
if (!empty($timeoutSecs)) {
$result->setLdapNetworkTimeout($timeoutSecs);
}
$result->setLdapUserMapper(UserMapper::makeConfigured());
return $result;
}
public static function getPluginOptionValuesWithDefaults()
{
$result = self::$defaultConfig;
foreach ($result as $name => $ignore) {
$actualValue = Config::getConfigOption($name);
// special check for useKerberos which can be a string
if ($name == 'use_webserver_auth' && $actualValue === 'false') {
$actualValue = 0;
}
if (isset($actualValue)) {
$result[$name] = $actualValue;
}
}
return $result;
}
/**
* Creates a UserAccessAttributeParser instance using INI configuration.
*
* @return UserAccessAttributeParser
*/
public static function makeConfigured()
{
$result = new UserAccessAttributeParser();
$serverSpecificationDelimiter = Config::getUserAccessAttributeServerSpecificationDelimiter();
if (!empty($serverSpecificationDelimiter)) {
$result->setServerSpecificationDelimiter($serverSpecificationDelimiter);
}
$serverListSeparator = Config::getUserAccessAttributeServerSiteListSeparator();
if (!empty($serverListSeparator)) {
$result->setServerIdsSeparator($serverListSeparator);
}
$thisPiwikInstanceName = Config::getDesignatedPiwikInstanceName();
if (!empty($thisPiwikInstanceName)) {
$result->setThisPiwikInstanceName($thisPiwikInstanceName);
} else {
if ($result->getServerIdsSeparator() == ':') {
// TODO: remove this warning and move it to the settings page.
/** @var LoggerInterface $logger */
$logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
$logger->info("UserAttributesParser::{func}: Configured with no instance name so matching by URL, but server/site IDs" . " separator set to special ':' character. This character may show up in URLs in LDAP, which will " . "cause problems. We recommend you use a character not often found in URLs, such as '|'.", array('func' => __FUNCTION__));
}
}
return $result;
}
/**
* Returns a ServerInfo instance created using options in an INI config section.
* The INI config section's name is determined by prefixing `'LoginLdap_'` to the
* server name.
*
* The INI config section can have the following information:
*
* - **hostname** _(Required)_ The server's hostname.
* - **base_dn** _(Required)_ The base DN to use with this server.
* - **port** The port to use when connecting to the server.
* - **admin_user** The name of an admin user that has read access to other users.
* - **admin_pass** The password to use when binding with the admin user.
*
* @param string $name The name of the LDAP server in config. This value can be
* used in the `[LoginLdap] servers[] = ` config option to
* add an LDAP server to the list of servers LoginLdap will
* connect to.
* @return ServerInfo
* @throws Exception if the LDAP server config cannot be found or is missing
* required information.
*/
public static function makeConfigured($name)
{
$config = Config::getServerConfig($name);
if (empty($config)) {
throw new Exception("No configuration section [{$name}] found.");
}
if (empty($config['hostname'])) {
throw new Exception("Required config option 'hostname' not found in [{$name}] section.");
}
if (empty($config['base_dn'])) {
throw new Exception("Required config option 'base_dn' not found in [{$name}] section.");
}
$hostname = $config['hostname'];
$baseDn = $config['base_dn'];
$result = new ServerInfo($hostname, $baseDn);
$port = $config['port'];
if (!empty($port)) {
$result->setServerPort((int) $port);
}
$adminUser = $config['admin_user'];
if (!empty($adminUser)) {
$result->setAdminUsername($adminUser);
}
$adminPass = $config['admin_pass'];
if (!empty($adminPass)) {
$result->setAdminPassword($adminPass);
}
return $result;
}
