From d3d3a6e3232eb7acbebc9d879d695f3110ef5fc3 Mon Sep 17 00:00:00 2001 From: "Jeroen van Meeuwen (Kolab Systems)" Date: Sun, 4 Dec 2011 14:11:07 +0000 Subject: [PATCH] Add kolab_auth capability to use nsroledn attribute values attached to a user's entry (roles for users) to imply loading/setting configuration settings and loading additional plugins --- plugins/kolab_auth/config.inc.php.dist | 34 +++++++++- plugins/kolab_auth/kolab_auth.php | 91 ++++++++++++++++++++++++++ 2 files changed, 122 insertions(+), 3 deletions(-) diff --git a/plugins/kolab_auth/config.inc.php.dist b/plugins/kolab_auth/config.inc.php.dist index ffdafa46..d14a3b92 100644 --- a/plugins/kolab_auth/config.inc.php.dist +++ b/plugins/kolab_auth/config.inc.php.dist 
@@ -22,13 +22,41 @@ $rcmail_config['kolab_auth_admin_password'] = ''; // Enable audit logging for abuse of administrative privileges. $rcmail_config['kolab_auth_auditlog'] = true; -// Administrative role field (from fieldmap configuration) which must be filled with -// specified value which adds privilege to login as another user. -$rcmail_config['kolab_auth_role'] = ''; +// Role field (from fieldmap configuration) +$rcmail_config['kolab_auth_role'] = 'role'; +// The required value for the role attribute to contain should the user be allowed +// to login as another user. $rcmail_config['kolab_auth_role_value'] = ''; // Administrative group name to which user must be assigned to // which adds privilege to login as another user. $rcmail_config['kolab_auth_group'] = ''; +// Enable plugins on a role-by-role basis. In this example, the 'acl' plugin +// is enabled for people with a 'cn=professional-user,dc=mykolab,dc=ch' role. +// +// Note that this does NOT mean the 'acl' plugin is disabled for other people. +$rcmail_config['kolab_auth_role_plugins'] = Array( + 'cn=professional-user,dc=mykolab,dc=ch' => Array( + 'acl', + ), + ); + +// Settings on a role-by-role basis. In this example, the 'htmleditor' setting +// is enabled(1) for people with a 'cn=professional-user,dc=mykolab,dc=ch' role, +// and it cannot be overridden. Sample use-case: disable htmleditor for normal people, +// do not allow the setting to be controlled through the preferences, enable the +// html editor for professional users and allow them to override the setting in +// the preferences. +$rcmail_config['kolab_auth_role_settings'] = Array( + 'cn=professional-user,dc=mykolab,dc=ch' => Array( + 'htmleditor' => Array( + 'mode' => 'override', + 'value' => 1, + 'allow_override' => true + ), + ), + ); + + ?> diff --git a/plugins/kolab_auth/kolab_auth.php b/plugins/kolab_auth/kolab_auth.php index 9e729479..3fa85248 100644 --- a/plugins/kolab_auth/kolab_auth.php +++ b/plugins/kolab_auth/kolab_auth.php 
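Review bot: The comment above `kolab_auth_role_settings` contradicts its own example: it says the htmleditor setting "cannot be overridden", yet the example sets `'allow_override' => true` and the use-case sentence says professional users may change it in the preferences. The comment should also name the keys the loader reads and their defaults, since the example shows only `allow_override`: `'mode'` is `'override'` (replace the value, the default) or `'merge'` (array_merge into an existing array value), and `'allow_override'` defaults to false, which adds the setting to `dont_override`. Suggested first sentence: `// Settings on a role-by-role basis. In this example the 'htmleditor' setting is set to 1 for people with the given role and, because 'allow_override' is true, they may still change it in the preferences.` The default of `kolab_auth_role` also changes here from '' to 'role', which enables the role lookup for anyone copying the new template; a one-line remark that an empty value disables it would make that visible.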
@@ -38,6 +38,7 @@ class kolab_auth extends rcube_plugin $rcmail = rcmail::get_instance(); $this->add_hook('authenticate', array($this, 'authenticate')); + $this->add_hook('startup', array($this, 'startup')); $this->add_hook('user_create', array($this, 'user_create')); // Hooks related to "Login As" feature @@ -48,6 +49,7 @@ class kolab_auth extends rcube_plugin $this->add_hook('write_log', array($this, 'write_log')); + // TODO: This section does not actually seem to work if ($rcmail->config->get('kolab_auth_auditlog', false)) { $rcmail->config->set('debug_level', 1); $rcmail->config->set('devel_mode', true); 
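Review bot: The added `// TODO: This section does not actually seem to work` leaves the audit-logging block in a known-doubtful state while the config template in the first file documents `kolab_auth_auditlog` as audit logging "for abuse of administrative privileges" and ships it enabled; an operator reading only the config would rely on a log this comment says may not be written. The TODO should record what was observed so the next reader can act on it, e.g. `// TODO: setting debug_level/devel_mode here has not been observed to produce the audit log; verify before relying on it for 'Login As' auditing`, and the same caveat belongs next to `kolab_auth_auditlog` in config.inc.php.dist until it is confirmed. The enclosing init() method starts and ends outside these two hunks.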
@@ -64,6 +66,89 @@ class kolab_auth extends rcube_plugin } + public function startup($args) { + // Arguments are task / action, not interested + if (!empty($_SESSION['user_roledns'])) { + $this->load_user_role_plugins_and_settings($_SESSION['user_roledns']); + } + + return $args; + } + + public function load_user_role_plugins_and_settings($role_dns) { + $rcmail = rcmail::get_instance(); + $this->load_config(); + + // Check role dependent plugins to enable and settings to modify + + // Example 'kolab_auth_role_plugins' = + // + // Array( + // '' => Array('plugin1', 'plugin2'), + // ); + + $role_plugins = $rcmail->config->get('kolab_auth_role_plugins'); + + // Example $rcmail_config['kolab_auth_role_settings'] = + // + // Array( + // '' => Array( + // '$setting' => Array( + // 'mode' => '(override|merge)', (default: override) + // 'value' => <>, + // 'allow_override' => (true|false) (default: false) + // ), + // ), + // ); + + $role_settings = $rcmail->config->get('kolab_auth_role_settings'); + + foreach ($role_dns as $role_dn) { + if (isset($role_plugins[$role_dn]) && is_array($role_plugins[$role_dn])) { + foreach ($role_plugins[$role_dn] as $plugin) { + $this->require_plugin($plugin); + } + } + + if (isset($role_settings[$role_dn]) && is_array($role_settings[$role_dn])) { + foreach ($role_settings[$role_dn] as $setting_name => $setting) { + if (!isset($setting['mode'])) { + $setting['mode'] = 'override'; + } + + if ($setting['mode'] == "override") { + $rcmail->config->set($setting_name, $setting['value']); + } elseif ($setting['mode'] == "merge") { + $orig_setting = $rcmail->config->get($setting_name); + + if (!empty($orig_setting)) { + if (is_array($orig_setting)) { + $rcmail->config->set($setting_name, array_merge($orig_setting, $setting['value'])); + } + } else { + $rcmail->config->set($setting_name, $setting['value']); + } + } + + if (!isset($setting['allow_override']) || !$setting['allow_override']) { + $rcmail->config->set('dont_override', 
array_merge($rcmail->config->get('dont_override', Array()), Array($setting_name))); + } else { + $dont_override = $rcmail->config->get('dont_override'); + if (in_array($setting_name, $dont_override)) { + $_dont_override = Array(); + foreach ($dont_override as $_setting) { + if ($_setting != $setting_name) { + $_dont_override[] = $_setting; + } + } + $rcmail->config->set('dont_override', $_dont_override); + } + } + } + } + } + } + public function write_log($args) { $rcmail = rcmail::get_instance(); @@ -188,6 +273,12 @@ class kolab_auth extends rcube_plugin return $args; } + $role_attr = $rcmail->config->get('kolab_auth_role'); + + if (!empty($role_attr) && !empty($record[$role_attr])) { + $_SESSION['user_roledns'] = (array)($record[$role_attr]); + } + // Login As... if (!empty($loginas) && $admin_login) { // Authenticate to LDAP
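Review bot: In the `allow_override` branch of load_user_role_plugins_and_settings, `$rcmail->config->get('dont_override')` is read without the `Array()` default that the sibling branch passes, so when `dont_override` is unset `in_array()` runs on null (warning, returns false); `$dont_override = $rcmail->config->get('dont_override', Array());` fixes that, and the hand-written rebuild loop reduces to `$rcmail->config->set('dont_override', array_values(array_diff($dont_override, Array($setting_name))));`. The `merge` branch silently drops the role value when the existing setting is non-empty but not an array, and `array_merge` will error if `$setting['value']` is missing or not an array, so both cases deserve an explicit branch or a log line rather than silence. When a user carries several roles that configure the same setting, the last DN in `$role_dns` decides both the value and whether it is locked in `dont_override`, so the outcome depends on the order of the nsroledn values in the directory entry; that should be documented on the config keys or made deterministic (e.g. by processing roles in a sorted order). The loose `==` on `$setting['mode']` and the non-strict `in_array` should be `===` and `in_array($setting_name, $dont_override, true)`.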
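Review bot: `$_SESSION['user_roledns']` is assigned only when the record carries a non-empty role attribute and is never cleared, so a value left in the session by an earlier login could be applied by the `startup` hook to a user who has no roles if session data survives into the new login — whether it does depends on how Roundcube resets the session around the authenticate hook, which is not visible here and should be confirmed. Making the assignment unconditional removes the question: `$_SESSION['user_roledns'] = (!empty($role_attr) && !empty($record[$role_attr])) ? (array)$record[$role_attr] : array();`. The enclosing authenticate() method starts and ends outside this hunk.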