コード例 #1
 /**
  * Grants a user a permission on an access path in the loaded auth file.
  *
  * The permission object is translated by self::resolvePermission(); when that
  * yields FALSE nothing is written and FALSE is returned. Otherwise the user's
  * name, the access path and the resolved permission are forwarded to
  * m_authfile->addUserToRepository() and its result is returned unchanged.
  *
  * NOTE(review): the user name and the path are passed through as-is; any
  * validation of those values presumably happens in the caller or inside the
  * auth-file class. Confirm before exposing this to untrusted input.
  *
  * @see svnadmin\core\interfaces.IPathsEditProvider::assignUserToAccessPath()
  */
 public function assignUserToAccessPath($objUser, $objAccessPath, $objPermission)
 {
     $resolved = self::resolvePermission($objPermission);

     // Guard clause: an unresolvable permission must never reach the auth file.
     if ($resolved === false) {
         return false;
     }

     $userName = $objUser->name;
     $path = $objAccessPath->path;

     return $this->m_authfile->addUserToRepository($userName, $path, $resolved);
 }
コード例 #2
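 /**
  * Rebuilds the groups of the SVNAuthFile from the LDAP server and revokes
  * Access-Path permissions of users and groups that no longer exist.
  *
  * Steps:
  *  1. Load the SVNAuthFile twice (a working copy and an untouched snapshot)
  *     and delete every group from the working copy.
  *  2. Fetch all user and group entries from LDAP.
  *  3. Re-create each LDAP group and add the users listed as its members.
  *  4. Save the working copy to disk.
  *  5. Compare with the snapshot and, depending on the two flags, revoke the
  *     permissions of removed users/groups via the Access-Path edit provider.
  *
  * Group members are matched to users by exact string equality of the
  * configured identifier attribute. A loose "==" comparison would treat
  * numeric-looking identifiers such as "0123" and "123" (or a missing
  * attribute and an empty member value) as equal, which could place the wrong
  * account into a group of the authorization file.
  *
  * NOTE(review): the file is rewritten in place without a backup (see the
  * todo below). p_getUserEntries(), p_getGroupEntries() and userExists() are
  * not visible here; if any of them can return an empty/negative result on a
  * partial directory outage instead of throwing, this method would drop all
  * groups and revoke permissions. Confirm they fail closed.
  *
  * @param bool $autoRemoveUsers  Revoke direct Access-Path permissions of
  *                               users that userExists() no longer reports.
  * @param bool $autoRemoveGroups Revoke permissions of groups missing from
  *                               the rebuilt file.
  *
  * @return void
  *
  * @throws \Exception If the LDAP connect or bind check fails, or if a step
  *                    outside the per-item try blocks throws.
  */
 public function updateSvnAuthFile($autoRemoveUsers = true, $autoRemoveGroups = true)
 {
     $this->init();
     $E = \svnadmin\core\Engine::getInstance();

     // Increase max_execution_time for big LDAP structures.
     $maxTime = intval(ini_get('max_execution_time'));
     if ($maxTime !== 0 && $maxTime < 300) {
         @ini_set('max_execution_time', 300);
     }

     // Pre-flight check: abort before the auth file is touched when the
     // server is unreachable or the bind credentials are rejected.
     $connector = new \IF_AbstractLdapConnector();
     if (!$connector->connect($this->host_address, 0, $this->host_protocol_version)) {
         throw new \Exception("Can not connect.", 0);
     }
     if (!$connector->bind($this->bind_dn, $this->bind_password)) {
         throw new \Exception("Can not connect. Authentication failed.");
     }

     // @todo Backup file.

     // Step 1
     // Load the current SVNAuthFile and remove/reset all existing groups.
     $svnAuthFilePath = $E->getConfig()->getValue("Subversion", "SVNAuthFile");
     $svnAuthFile = new \IF_SVNAuthFileC($svnAuthFilePath);
     // Second, unmodified instance used as the "before" state in step 5.
     $svnAuthFileOld = new \IF_SVNAuthFileC($svnAuthFilePath);

     // Remove groups.
     $svnAuthFileGroups = $svnAuthFile->groups();
     foreach ($svnAuthFileGroups as $g) {
         $svnAuthFile->deleteGroup($g);
     }

     // Step 2
     // Get all users and groups from LDAP server.
     $users = $this->p_getUserEntries();
     $groups = $this->p_getGroupEntries(true);

     // Step 3
     // Iterate all groups which have been fetched from LDAP server
     // and create them in the SVNAuthFile. Additionally associate
     // all users with a group which are defined as member of it.
     //
     // @todo Add the Realname or DN of a user as Alias to the SVNAuthFile.

     // Property name of a Group-Entry which holds the group's name.
     $gp_name = strtolower($this->groups_attributes[0]);
     // Property name of a Group-Entry which holds the member-id (DN).
     $gp_member_id = strtolower($this->groups_to_users_attribute);
     // Property name of a User-Entry which holds the user's name.
     $up_name = strtolower($this->users_attributes[0]);
     // Property name of a User-Entry which holds the value which is assigned in a Group-Entry as Member-ID.
     $up_id = strtolower($this->groups_to_users_attribute_value);

     // Reduces an identifier to a non-empty string, or NULL when it cannot
     // be used for matching (missing, empty, array, ...).
     $normalizeId = function ($value) {
         if (is_int($value)) {
             return (string) $value;
         }
         return (is_string($value) && $value !== '') ? $value : null;
     };

     // Index user names by member-id once. The first user seen for an id
     // wins, which mirrors the former "first match, then break" lookup.
     $userNameById = array();
     if (is_array($users) || $users instanceof \Traversable) {
         foreach ($users as $u) {
             if (!is_object($u) || !property_exists($u, $up_id) || !property_exists($u, $up_name)) {
                 continue;
             }
             $id = $normalizeId($u->{$up_id});
             if ($id !== null && !array_key_exists($id, $userNameById)) {
                 $userNameById[$id] = $u->{$up_name};
             }
         }
     }

     foreach ($groups as $g) {
         // Skip entries where the group-name property doesn't exist.
         if (!property_exists($g, $gp_name)) {
             continue;
         }

         try {
             // Create group in SVNAuthFile. (throws Exception)
             $svnAuthFile->createGroup($g->{$gp_name});
         } catch (\Exception $except) {
             $E->addException($except);
             continue;
         }

         // Find members.
         if (!property_exists($g, $gp_member_id)) {
             // No members.
             // @todo Should we delete empty groups from overview?
             continue;
         }

         // The member attribute is either a list (multiple members) or a
         // single string (one member); anything else yields no members.
         $rawMembers = $g->{$gp_member_id};
         if (is_array($rawMembers)) {
             $memberIds = $rawMembers;
         } elseif (is_string($rawMembers)) {
             $memberIds = array($rawMembers);
         } else {
             $memberIds = array();
         }

         foreach ($memberIds as $member_id) {
             $id = $normalizeId($member_id);
             if ($id !== null && array_key_exists($id, $userNameById)) {
                 // Add user to SVNAuthFile-Group.
                 $svnAuthFile->addUserToGroup($g->{$gp_name}, $userNameById[$id]);
             }
         }
     }

     // Step 4
     // Save new SVNAuthFile to disk.
     $svnAuthFile->save();

     // Step 5
     // Compare with previous file to revoke AccessPath permissions of
     // deleted groups and users.
     //
     // We need to reset the Provider object, because it holds the
     // SVNAuthFile and should be reloaded, because of the changes
     // above.
     $apEditProvider = $E->getProvider(PROVIDER_ACCESSPATH_EDIT);
     $apEditProvider->reset();

     // Collected for bookkeeping; nothing in this method reads them back.
     $removedUsers = array();
     $removedGroups = array();

     // NOTE(review): the messages below contain HTML markup and embed user,
     // group and repository names. Whether tr() or the message renderer
     // escapes these arguments is not visible here; confirm, since the names
     // originate from the auth file and the directory.

     // Collect removed groups.
     // Groups which are in the old file but not in the new one.
     foreach ($svnAuthFileOld->groups() as $g) {
         if (!$svnAuthFile->groupExists($g)) {
             // The group $g is not in the new configuration (Removed from LDAP).
             $removedGroups[] = $g;
             if ($autoRemoveGroups) {
                 try {
                     $apEditProvider->removeGroupFromAllAccessPaths(new \svnadmin\core\entities\Group($g, $g));
                     $E->addMessage(tr("The group <b>%0</b> has been removed from LDAP. Removed all assigned permissions.", array($g)));
                 } catch (\Exception $e) {
                     $E->addException($e);
                 }
             }
         }
     }

     // Collect removed users and groups with direct associated
     // Access-Path permissions and revoke the permissions.
     foreach ($svnAuthFile->repositories() as $r) {
         // Users.
         foreach ($svnAuthFile->usersOfRepository($r) as $u) {
             // #87 Do not check for * user in LDAP..
             if ($u === "*") {
                 continue;
             }
             if (!$this->userExists(new \svnadmin\core\entities\User($u, $u))) {
                 // The user has direct AccessPath permissions but does
                 // not exist on LDAP server.
                 $removedUsers[] = $u;
                 if ($autoRemoveUsers) {
                     // Revoke permissions.
                     try {
                         $apEditProvider->removeUserFromAccessPath(new \svnadmin\core\entities\User($u, $u), new \svnadmin\core\entities\AccessPath($r));
                         $E->addMessage(tr("The user <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($u, $r)));
                     } catch (\Exception $e) {
                         $E->addException($e);
                     }
                 }
             }
         }

         // Groups.
         foreach ($svnAuthFile->groupsOfRepository($r) as $g) {
             // We can check against the new SVNAuthFile, because the
             // containing groups are updated from LDAP.
             if (!$svnAuthFile->groupExists($g)) {
                 $removedGroups[] = $g;
                 if ($autoRemoveGroups) {
                     // Revoke permissions.
                     try {
                         $apEditProvider->removeGroupFromAccessPath(new \svnadmin\core\entities\Group($g, $g), new \svnadmin\core\entities\AccessPath($r));
                         $E->addMessage(tr("The group <b>%0</b> doesn't exist anymore. Removed direct Access-Path permission to <b>%1</b>", array($g, $r)));
                     } catch (\Exception $e) {
                         $E->addException($e);
                     }
                 }
             }
         }
     }

     // Save changes made to "$apEditProvider".
     $apEditProvider->save();
 }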