protected function execute(InputInterface $input, OutputInterface $output)
{
$login = $input->getArgument('login');
$user = $this->usersManagerApi->getUser($login);
if (!UserMapper::isUserLdapUser($user)) {
throw new Exception("User '{$login}' is not an LDAP user. To regenerate this user's token_auth, change the user's password.");
}
if (!$this->userMapper->isRandomTokenAuthGenerationEnabled()) {
throw new Exception("Random token_auth generation is disabled in [LoginLdap] config. This means any changes made by this " . "command will be overwritten when the user logs in. Aborting.");
}
$newPassword = $this->userMapper->generateRandomPassword();
$this->usersManagerApi->updateUser($login, $newPassword, $email = false, $alias = false, $isPasswordHash = true);
$user = $this->usersManagerApi->getUser($login);
$this->writeSuccessMessage($output, array("token_auth for '{$login}' regenerated successfully, new token_auth = '{$user['token_auth']}'"));
}
private function isUserLdapUser($login)
{
$user = Access::doAsSuperUser(function () use($login) {
return UsersManagerAPI::getInstance()->getUser($login);
});
return UserMapper::isUserLdapUser($user);
}
/**
* Converts a supplied LDAP entity into a Piwik user that is persisted in
* the MySQL DB.
*
* @param string $piwikLogin The username of the user who will be synchronized.
* @param string[] $ldapUser The LDAP user, eg, `array('uid' => ..., 'objectclass' => array(...), ...)`.
* @return string[] The Piwik user that was added. Will not contain the MD5 password
* hash in order to prevent accidental leaks.
*/
public function synchronizeLdapUser($piwikLogin, $ldapUser)
{
$userMapper = $this->userMapper;
$usersManagerApi = $this->usersManagerApi;
$userModel = $this->userModel;
$newUserDefaultSitesWithViewAccess = $this->newUserDefaultSitesWithViewAccess;
return Access::doAsSuperUser(function () use($piwikLogin, $ldapUser, $userMapper, $usersManagerApi, $userModel, $newUserDefaultSitesWithViewAccess) {
$piwikLogin = $userMapper->getExpectedLdapUsername($piwikLogin);
$existingUser = $userModel->getUser($piwikLogin);
$user = $userMapper->createPiwikUserFromLdapUser($ldapUser, $existingUser);
Log::debug("UserSynchronizer::synchronizeLdapUser: synchronizing user [ piwik login = %s, ldap login = %s ]", $piwikLogin, $user['login']);
if (empty($existingUser)) {
$usersManagerApi->addUser($user['login'], $user['password'], $user['email'], $user['alias'], $isPasswordHashed = true);
// set new user view access
if (!empty($newUserDefaultSitesWithViewAccess)) {
$usersManagerApi->setUserAccess($user['login'], 'view', $newUserDefaultSitesWithViewAccess);
}
} else {
if (!UserMapper::isUserLdapUser($existingUser)) {
Log::warning("Unable to synchronize LDAP user '%s', non-LDAP user with same name exists.", $existingUser['login']);
} else {
$usersManagerApi->updateUser($user['login'], $user['password'], $user['email'], $user['alias'], $isPasswordHashed = true);
}
}
return $usersManagerApi->getUser($user['login']);
});
}
public function test_isUserLdapUser_ReportsUserAsLdapUser_IfUserInfoHasNormalPasswordHash()
{
$isLdapUser = UserMapper::isUserLdapUser(array('password' => "..."));
$this->assertFalse($isLdapUser);
}
