root 2020-07-07 10:29:55 +02:00
parent b5f7aa4b0a
commit 35d061ff82
10 changed files with 313 additions and 116 deletions


@ -12,3 +12,6 @@ twig:
appName: '%appName%'
appCron: '%appCron%'
appMasteridentity: '%appMasteridentity'
sondeUse: '%sondeUse%'
sondeUrl: '%sondeUrl%'
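Review bot: `appMasteridentity: '%appMasteridentity'` is missing the closing `%`, so the twig global is not resolved to the container parameter but left as the literal string (or, depending on the Symfony version in use, rejected as an unescaped `%`); it should read `appMasteridentity: '%appMasteridentity%'`. The two `sonde*` lines added below it show the intended form.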


@ -47,15 +47,24 @@ parameters:
casLastname: '%env(resolve:CAS_LASTNAME)%'
casFirstname: '%env(resolve:CAS_FIRSTNAME)%'
proxyUser: '%env(resolve:PROXY_USE)%'
proxyUse: '%env(resolve:PROXY_USE)%'
proxyHost: '%env(resolve:PROXY_HOST)%'
proxyPort: '%env(resolve:PROXY_PORT)%'
sondeUse: '%env(resolve:SONDE_USE)%'
sondeUrl: '%env(resolve:SONDE_URL)%'
services:
# default configuration for services in *this* file
_defaults:
autowire: true # Automatically injects dependencies in your services.
autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
bind:
$ldapHost: '%ldapHost%'
$ldapPort: '%ldapPort%'
$ldapUser: '%ldapUser%'
$ldapPassword: '%ldapPassword%'
$ldapBasedn: '%ldapBasedn%'
# makes classes in src/ available to be used as services
# this creates a service per class whose id is the fully-qualified class name
@ -71,13 +80,6 @@ services:
# add more service definitions when explicit configuration is needed
# please note that last definitions always *replace* previous ones
app.session.listener:
public: true
class: App\Service\sessionListener
arguments: ['@service_container','@doctrine.orm.entity_manager',"@security.token_storage"]
tags:
- { name: kernel.event_listener, event: kernel.request, method: onDomainParse }
app.password.encoder:
public: true
class: App\Service\passwordEncoder
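Review bot: `proxyUse: '%env(resolve:PROXY_USE)%'` (and the neighbouring `sondeUse`) resolves to a string, and the `.env` section of this commit still sets `PROXY_USE=false`, so `if($proxyUse)` in SynchroUsersCommand and SecurityController receives the non-empty string "false" and enables the proxy. The template section switches the same variables to `1`/`0`, which masks the type problem rather than fixing it, and leaves the two files disagreeing. Declaring the flags with Symfony's bool processor, `proxyUse: '%env(bool:PROXY_USE)%'` and `sondeUse: '%env(bool:SONDE_USE)%'`, makes both spellings behave; `appCron`, tested with `if(!$appCron)` in CronCommand, most likely has the same issue, though its definition is outside this diff.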


@ -56,3 +56,8 @@ CAS_FIRSTNAME=firstname
PROXY_USE=false
PROXY_HOST=
PROXY_PORT=
# Sonde statistic
SONDE_USE=false
SONDE_URL=


@ -47,7 +47,6 @@ class CronCommand extends Command
$appCron = $this->container->getParameter('appCron');
if(!$appCron)
{
$this->writelnred('CRON désactivé');
return 0;
}


@ -122,9 +122,9 @@ class SynchroUsersCommand extends Command
// Options
$this->writeln('');
$this->writeln('== OPTIONS ==========================================');
$cn=$result["cn"];
$results = $this->ldap->search("type=Option", ['cn','description','gidNumber'], $this->ldap_basedn);
foreach($results as $result) {
$cn=$result["cn"];
$ldapfilter="(|(&(type=Option)(cn=$cn))(&(type=Equipe)(cn=profs-$cn))(&(ENTPersonProfils=Administratif)(divcod=$cn)))";
$label="OPTION = ".$result["cn"];
@ -396,40 +396,63 @@ class SynchroUsersCommand extends Command
$appmasterurl = $this->container->getParameter("appMasterurl");
$appmasterkey = $this->container->getParameter("appMasterkey");
// Déclaration du proxy
// Généraltion de l'urol de communication
if(stripos($appmasterurl,"/")===0) {
$url="https://".$this->container->getParameter("appWeburl").$appmasterurl;
}
else
$url=$appmasterurl;
$indomaine = (stripos($url,$this->container->getParameter("appWeburl"))!==false);
$url="http://172.27.7.67/ninegate";
$indomaine=true;
// Recherche des élèments de masterIdentify
// Entete
$headers = ['Accept' => 'application/json'];
$query = [];
/* si hor domaine on utilise le proxy si proxy il y a */
if(!$indomaine) {
$proxyUse = $this->container->getParameter("proxyUser");
// Paramétrage unirest
\Unirest\Request::verifyPeer(false);
\Unirest\Request::verifyHost(false);
\Unirest\Request::timeout(5);
// Login sans proxy
try{
$response = \Unirest\Request::post($url.'/rest/login',$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
// On tente avec le proxy s'il y en a un
$proxyUse = $this->container->getParameter("proxyUse");
if($proxyUse) {
$proxyHost = $this->container->getParameter("proxyHost");
$proxyPort = $this->container->getParameter("proxyPort");
\Unirest\Request::proxy($proxyHost, $proxyPort, CURLPROXY_HTTP, true);
try{
$response = \Unirest\Request::post($url.'/rest/login/'.$appmasterkey,$headers,$query);
}
catch (\Exception $e) {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
}
else {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
}
if($response->code!="200")
die("Erreur sur clé API\n");
$this->writeln('');
$this->writeln('== GROUPS ============================================');
// Récupération des informations groups issus du masteridentity
$response = \Unirest\Request::get($url.'/rest/groups/'.$appmasterkey,$headers,$query);
try{
$response = \Unirest\Request::post($url.'/rest/groups',$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
$lstgroups=[];
if($response->code="200" && is_object($response->body)) {
if($response->code=="200" && is_object($response->body)) {
$apigroups=$response->body;
foreach($apigroups as $apigroup) {
array_push($lstgroups,$apigroup->id);
@ -449,15 +472,21 @@ class SynchroUsersCommand extends Command
}
}
}
else die("Erreur de communication");
else die("Erreur de communication = ".print_r($response,true));
$this->writeln('');
$this->writeln('== USERS ============================================');
// Récupération des informations utilisateurs issus du masteridentity
$response = \Unirest\Request::get($url.'/rest/users/'.$appmasterkey,$headers,$query);
try{
$response = \Unirest\Request::post($url.'/rest/users',$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
$lstusers=[];
if($response->code="200"&&is_object($response->body)) {
if($response->code=="200"&&is_object($response->body)) {
$apiusers=$response->body;
foreach($apiusers as $apiuser) {
array_push($lstusers,$apiuser->username);
@ -477,6 +506,17 @@ class SynchroUsersCommand extends Command
$user->setEmail($apiuser->email);
$user->setAvatar($apiuser->avatar);
if(in_array($apiuser->username,$this->container->getParameter("ldapAdmins")))
$role="ROLE_ADMIN";
else
$role=($apiuser->role=="ROLE_ANIM"?"ROLE_MASTER":$apiuser->role);
if(!$user->hasRole($role)) {
$roles=$user->getRoles();
array_push($roles,$role);
$user->setRoles($roles);
}
$this->em->persist($user);
$this->em->flush();
}
@ -494,7 +534,9 @@ class SynchroUsersCommand extends Command
$this->writeln($group->getName());
$usergroups = $tabgroups[$group->getIdexternal()]["users"];
$usergroups=[];
if($tabgroups[$group->getIdexternal()])
$usergroups = $tabgroups[$group->getIdexternal()]["users"];
$tbusers=[];
foreach($usergroups as $user) {
array_push($tbusers,$user["username"]);
@ -622,13 +664,19 @@ class SynchroUsersCommand extends Command
$user->setFirstname($firstname);
$user->setEmail($email);
// Definition du role
if(in_array($username,$usersadmin))
$user->setRoles(["ROLE_ADMIN"]);
$role="ROLE_ADMIN";
else {
$ldapfilter="(|(&(uid=".$user->getUsername().")(ENTPersonProfils=enseignant))(&(uid=".$user->getUsername().")(typeadmin=0))(&(uid=".$user->getUsername().")(typeadmin=2)))";
$results = $this->ldap->search($ldapfilter, ['uid'], $this->ldap_basedn);
if($results) $user->setRoles(["ROLE_MASTER"]);
else $user->setRoles(["ROLE_USER"]);
if($results) $role="ROLE_MASTER";
else $role="ROLE_USER";
}
if(!$user->hasRole($role)) {
$roles=$user->getRoles();
array_push($roles,$role);
$user->setRoles($roles);
}
$this->em->persist($user);
@ -640,8 +688,20 @@ class SynchroUsersCommand extends Command
$user->setFirstname($firstname);
$user->setEmail($email);
// Definition du role
if(in_array($username,$usersadmin))
$user->setRole("ROLE_ADMIN");
$role="ROLE_ADMIN";
else {
$ldapfilter="(|(&(uid=".$user->getUsername().")(ENTPersonProfils=enseignant))(&(uid=".$user->getUsername().")(typeadmin=0))(&(uid=".$user->getUsername().")(typeadmin=2)))";
$results = $this->ldap->search($ldapfilter, ['uid'], $this->ldap_basedn);
if($results) $role="ROLE_MASTER";
else $role="ROLE_USER";
}
if(!$user->hasRole($role)) {
$roles=$user->getRoles();
array_push($roles,$role);
$user->setRoles($roles);
}
$this->em->persist($user);
$this->em->flush();
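Review bot: `\Unirest\Request::verifyPeer(false)` and `verifyHost(false)` in the -396 hunk turn off TLS certificate and hostname checking for every masteridentity call, so `$appmasterkey` and the user/group data are exchanged with a peer that is never authenticated; the same two lines are repeated in SecurityController::updateNinegate in this commit. Keep verification on and, if the master uses a private CA, point curl at it with `\Unirest\Request::curlOpt(CURLOPT_CAINFO, $caBundlePath)` rather than disabling it — Unirest settings are static, so they also affect any later request in the same process. In the -494 hunk, `if($tabgroups[$group->getIdexternal()])` reads a key that may be absent (the guard exists because it can be), which raises an undefined-index notice/warning; `if(isset($tabgroups[$group->getIdexternal()]))` is the intended test. The `die("Erreur de communication API = ...")` calls exit with status 0, since `die()` with a string argument only prints it, so cron will record a failed synchronisation as successful; return a non-zero code or throw so the failure is visible. The enclosing execute method starts before and ends after these hunks.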


@ -4,6 +4,8 @@
namespace App\Controller;
use App\Entity\User;
use App\Entity\Group;
use App\Service\ldapService as ldapService;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
@ -20,6 +22,13 @@ use jasig\phpcas\CAS;
class SecurityController extends AbstractController
{
private $ldapService;
public function __construct(ldapService $ldapService)
{
$this->ldapService = $ldapService;
}
public function login(Request $request, AuthenticationUtils $authenticationUtils)
{
$auth_mode=$this->getParameter("appAuth");
@ -45,7 +54,7 @@ class SecurityController extends AbstractController
public function logincas(Request $request, AuthenticationUtils $authenticationUtils)
{
// Récupération de la cible de navigation
$redirect = $request->get("redirect");
$redirect = $this->get('session')->get("_security.main.target_path");
// Init Client CAS
$alias=$this->getParameter('appAlias');
@ -98,8 +107,6 @@ class SecurityController extends AbstractController
$user->setPassword("CASPWD-".$username);
$user->setSalt("CASPWD-".$username);
$user->setRoles(["ROLE_STUDENT"]);
$em->persist($user);
$em->flush();
}
@ -112,6 +119,14 @@ class SecurityController extends AbstractController
$em->flush();
}
$masteridentity=$this->getParameter("appMasteridentity");
if($masteridentity=="Ninegate") {
$this->updateNinegate($user);
}
else {
$this->updateLDAP($user);
}
// Autoconnexion
// Récupérer le token de l'utilisateur
@ -170,4 +185,174 @@ class SecurityController extends AbstractController
return true;
}
private function updateNinegate($user) {
$em = $this->getDoctrine()->getManager();
$appmasterurl = $this->getParameter("appMasterurl");
$appmasterkey = $this->getParameter("appMasterkey");
// Généraltion de l'urol de communication
if(stripos($appmasterurl,"/")===0) {
$url="https://".$this->getParameter("appWeburl").$appmasterurl;
}
else
$url=$appmasterurl;
// Entete
$headers = ['Accept' => 'application/json'];
$query = [];
// Paramétrage unirest
\Unirest\Request::verifyPeer(false);
\Unirest\Request::verifyHost(false);
\Unirest\Request::timeout(5);
// Login sans proxy
try{
$response = \Unirest\Request::post($url.'/rest/login',$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
// On tente avec le proxy s'il y en a un
$proxyUse = $this->getParameter("proxyUse");
if($proxyUse) {
$proxyHost = $this->getParameter("proxyHost");
$proxyPort = $this->getParameter("proxyPort");
\Unirest\Request::proxy($proxyHost, $proxyPort, CURLPROXY_HTTP, true);
try{
$response = \Unirest\Request::post($url.'/rest/login',$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
}
else {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
}
if($response->code!="200")
die("Erreur sur clé API\n");
// Récupération des informations du user
try{
$response = \Unirest\Request::post($url.'/rest/user/'.$user->getUsername(),$headers,["key"=>$appmasterkey]);
}
catch (\Exception $e) {
die("Erreur de communication API = ".$e->getMessage()."\n");
}
if($response->code=="200"&&is_object($response->body)) {
// Mise à jour du user
$user->setLastname($response->body->user->lastname);
$user->setFirstname($response->body->user->firstname);
$user->setEmail($response->body->user->email);
$user->setAvatar($response->body->user->avatar);
// Definition du role du user
if(in_array($user->getUsername(),$this->getParameter("ldapAdmins")))
$role="ROLE_ADMIN";
else
$role=($response->body->user->role=="ROLE_ANIM"?"ROLE_MASTER":$response->body->user->role);
if(!$user->hasRole($role)) {
$roles=$user->getRoles();
array_push($roles,$role);
$user->setRoles($roles);
}
// Sauvegarde user
$em->persist($user);
$em->flush();
// Mise à jour des groupes
$groups=$response->body->groups;
$mygroup=[];
foreach($groups as $groupexternal) {
array_push($mygroup,$groupexternal->id);
// Le groupe existe-t-il
$group=$em->getRepository("App:Group")->findOneBy(["idexternal"=>$groupexternal->id]);
if(!$group)
$group = new Group();
$group->setIdexternal($groupexternal->id);
$group->setName($groupexternal->title);
if(!$group->getUsers()->contains($user))
$group->addUser($user);
$em->persist($group);
$em->flush();
}
foreach($user->getGroups() as $group) {
if($group->getIdexternal()) {
if(!in_array($group->getIdexternal(),$mygroup)) {
$user->removeGroup($group);
$em->persist($user);
$em->flush();
}
}
}
}
}
private function updateLDAP($user) {
$em = $this->getDoctrine()->getManager();
$ldap_basedn = $this->getParameter('ldapBasedn');
$ldap_username = $this->getParameter('ldapUsername');
$ldap_firstname = $this->getParameter('ldapFirstname');
$ldap_lastname = $this->getParameter('ldapLastname');
$ldap_email = $this->getParameter('ldapEmail');
$ldap_admins = $this->getParameter('ldapAdmins');
$ldap_model = $this->getParameter('ldapModel');
$fieldstoread = array($ldap_username,$ldap_firstname,$ldap_lastname,$ldap_email);
if($ldap_model=="scribe") {
$ldap_filtergroup="(&(type=Groupe)(cn=*))";
$ldap_filteruser="(&(uid=*)(objectclass=inetOrgPerson)(!(description=Computer)))";
}
else {
$ldap_filtergroup=$this->getParameter('ldapFiltergroup');
$ldap_filteruser=$this->getParameter('ldapFilteruser');
}
// On recherche l'utilisateur dans l'annuaire
$results = $this->ldapService->search(str_replace("*",$user->getUsername(),$ldap_filteruser), $fieldstoread, $ldap_basedn);
foreach($results as $result) {
if(!isset($result[$ldap_lastname])) $result[$ldap_lastname] = "";
if(!isset($result[$ldap_firstname])) $result[$ldap_firstname] = "";
$result[$ldap_email]=strtolower($result[$ldap_email]);
$result[$ldap_email]=utf8_encode($result[$ldap_email]);
// Mise à jour du user
$user->setLastname($result[$ldap_lastname]);
$user->setFirstname($result[$ldap_firstname]);
$user->setEmail($result[$ldap_email]);
// Definition du role
if(in_array($user->getUsername(),$ldap_admins))
$role="ROLE_ADMIN";
else {
$ldapfilter="(|(&(uid=".$user->getUsername().")(ENTPersonProfils=enseignant))(&(uid=".$user->getUsername().")(typeadmin=0))(&(uid=".$user->getUsername().")(typeadmin=2)))";
$results = $this->ldapService->search($ldapfilter, ['uid'], $ldap_basedn);
if($results) $role="ROLE_MASTER";
else $role="ROLE_USER";
}
if(!$user->hasRole($role)) {
$roles=$user->getRoles();
array_push($roles,$role);
$user->setRoles($roles);
}
// Sauvegarde user
$em->persist($user);
$em->flush();
}
}
}
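Review bot: updateNinegate and updateLDAP, added in the -170 hunk, call `die()` on every API or key failure, and they run inside the `logincas` request, so a masteridentity outage ends the PHP process with a bare string (and HTTP 200) instead of a response, bypassing the kernel's exception listeners, logging and session handling; replace each with a throw, e.g. `throw new \RuntimeException('Erreur de communication API = '.$e->getMessage(), 0, $e);` or a Symfony `ServiceUnavailableHttpException`, and let logincas decide what the user sees. The LDAP filters in updateLDAP splice `$user->getUsername()` into `str_replace("*", ...)` and the `(uid=...)` filter without escaping; even though the name comes from CAS, `ldap_escape($user->getUsername(), '', LDAP_ESCAPE_FILTER)` keeps a name containing `*`, `(` or `)` from changing the filter's meaning. Both helpers take an untyped `$user` although `App\Entity\User` is imported; `private function updateNinegate(User $user): void` documents the contract. updateNinegate also dereferences `$response->body->user->...` and `->groups` without checking they exist, so a 200 reply with a different body shape surfaces as a notice rather than a clear error. The login/proxy block is a copy of the one added to SynchroUsersCommand; a shared service would keep the two in step.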


@ -91,10 +91,9 @@ class User implements UserInterface, \Serializable
private $groups;
public function __construct(Container $container)
public function __construct()
{
$this->groups = new ArrayCollection();
}
public function getUsername(): ?string


@ -16,13 +16,13 @@ class ldapService
private $connection = null;
public function __construct($host, $port, $user, $password, $basedn)
public function __construct($ldapHost, $ldapPort, $ldapUser, $ldapPassword, $ldapBasedn)
{
$this->host = $host;
$this->port = $port;
$this->user = $user;
$this->password = $password;
$this->basedn = $basedn;
$this->host = $ldapHost;
$this->port = $ldapPort;
$this->user = $ldapUser;
$this->password = $ldapPassword;
$this->basedn = $ldapBasedn;
}
public function connect() {


@ -1,69 +0,0 @@
<?php
namespace App\Service;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\EventDispatcher\Event;
use Symfony\Component\HttpFoundation\Session\Session;
use Doctrine\ORM\EntityManager;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
class sessionListener {
protected $container;
protected $em;
public function __construct($container, EntityManager $em, TokenStorageInterface $token_storage)
{
$this->container = $container;
$this->em = $em;
$this->token_storage = $token_storage;
}
public function haveRole($roles,$tohave) {
$haverole=false;
if($roles=="") {
if(empty($tohave)) $haverole=true;
}
else {
foreach($roles as $role) {
if(in_array($role,$tohave))
$haverole=true;
}
}
return $haverole;
}
public function onDomainParse(Event $event) {
$session = new Session();
// Utilisateur en cours
$curentuserid=0;
$token = $this->token_storage->getToken();
if(!$token) return;
$curentuser=$token->getUser();
// Roles actif
if($curentuser=="anon.") $roles=[];
else $roles=$curentuser->getRoles();
$regen=false;
if (!$session->get('isuser') && $curentuser!="anon.") {
$regen=true;
$session->set('isuser',true);
}
if ($session->get('isuser') && $curentuser=="anon.") {
$regen=true;
$session->set('isuser',false);
}
// Initialisation de la session
if($regen) {
$session->set('activeactivity',true);
}
}
}


@ -10,7 +10,7 @@ APP_WEBURL=%%web_url
APP_AUTH=CAS
APP_ALIAS=nineskeletor
APP_NAME=Nineskeletor
APP_CRON=true
APP_CRON=1
APP_MASTERIDENTITY=%%nineskeletor_masteridentity
%if %%getVar("nineskeletor_masteridentity", 'LDAP') == "LDAP"
APP_MASTERURL=
@ -99,11 +99,24 @@ CAS_FIRSTNAME=firstname
# Proxy
%if %%activer_proxy_client == 'oui'
PROXY_USE=true
PROXY_USE=1
PROXY_HOST=%%proxy_client_adresse
PROXY_PORT=%%proxy_client_port
%else
PROXY_USE=false
PROXY_USE=0
PROXY_HOST=
PROXY_PORT=
%end if
# Sonde statistic
%if %%getVar("activer_sondepiwik_local", 'non') == "oui"
SONDE_USE=1
SONDE_URL=/sondepiwik/envoleTrackeur.js.php
%else if %%getVar("activer_piwik", 'non') == "oui"
SONDE_USE=1
SONDE_URL=/piwik/envoleTrackeur.js.php
%else
SONDE_USE=0
SONDE_URL=
%end if