Skip to content
GitLab

Source

Target

View open merge request
Commits (36)
Hide whitespace changes
Inline Side-by-side
Showing
with 593 additions and 351 deletions
+593 -351
.gitignore
Edit View file @ 1a411f0a
.vendor/
.composer.lock
filelist
phpstan.neon
.idea/fusiondirectory-orchestrator.iml
.idea/modules.xml
.idea/php.xml
.idea/vcs.xml
.idea/codeStyles/codeStyleConfig.xml
.gitlab-ci.yml
Edit View file @ 1a411f0a
......@@ -93,10 +93,3 @@ trigger-ci-ubuntu-focal:
project: ubuntu/focal-fusiondirectory-orchestrator-dev
branch: "main"
trigger-ci-centos-7:
stage: trigger
only:
- dev
trigger:
project: centos/centos7-fusiondirectory-orchestrator-dev
branch: "main"
.idea/.gitignore 0 → 100755
Edit View file @ 1a411f0a
# Default ignored files
/shelf/
/workspace.xml
# Editor-based HTTP Client requests
/httpRequests/
# Datasource local storage ignored files
/dataSources/
/dataSources.local.xml
library/TaskController.php
Edit View file @ 1a411f0a
......@@ -55,7 +55,7 @@ class TaskController
switch ($objectType) {
case $objectType:
if (class_exists($objectType)) {
$endpoint = new $objectType;
$endpoint = new $objectType($this->gateway);
$result = $endpoint->processEndPointGet();
}
break;
......
library/Utils.php 0 → 100644
Edit View file @ 1a411f0a
<?php
class Utils
{
private function __construct() {}
/**
* @param array $array
* @return array
* Note : Recursively filters out empty values and arrays at any depth.
*/
public static function recursiveArrayFilter (array $array): array
{
// First filter the array for non-empty elements
$filtered = array_filter($array, function ($item) {
if (is_array($item)) {
// Recursively filter the sub-array
$item = $this->recursiveArrayFilter($item);
// Only retain non-empty arrays
return !empty($item);
} else {
// Retain non-empty scalar values
return !empty($item);
}
});
return $filtered;
}
/**
* Find matching keys between 2 lists.
*
* @param array|null $elements
* @param array $keys
* @return array
*/
public static function findMatchingKeys (?array $elements, array $keys): array
{
$matching = [];
if (!empty($elements)) {
foreach ($elements as $element) {
foreach ($keys as $key) {
if (!empty($element) && array_key_exists($key, $element)) {
$matching[] = $key;
}
}
}
}
return $matching;
}
/**
* @param $array
* @return array
* Note : simply return all values of a multi-dimensional array.
*/
public static function getArrayValuesRecursive ($array)
{
$values = [];
foreach ($array as $value) {
if (is_array($value)) {
// If value is an array, merge its values recursively
$values = array_merge($values, self::getArrayValuesRecursive($value));
} else {
// If value is not an array, add it to the result
$values[] = $value;
}
}
return $values;
}
/**
* @param string $text
* @return string
* Note : This come from jwtToken, as it is completely private - it is cloned here for now.
*/
public static function base64urlEncode (string $text): string
{
return str_replace(["+", "/", "="], ["A", "B", ""], base64_encode($text));
}
}
\ No newline at end of file
library/plugins/MailUtils.php 0 → 100644
Edit View file @ 1a411f0a
<?php
class MailUtils
{
public function __construct ()
{
}
public function sendMail ($setFrom, $setBCC, $recipients, $body, $signature, $subject, $receipt, $attachments)
{
$mail_controller = new \FusionDirectory\Mail\MailLib($setFrom,
$setBCC,
$recipients,
$body,
$signature,
$subject,
$receipt,
$attachments);
return $mail_controller->sendMail();
}
/**
* @return array
* Note : A simple retrieval methods of the mail backend configuration set in FusionDirectory
*/
public function getMailObjectConfiguration (TaskGateway $gateway): array
{
return $gateway->getLdapTasks(
"(objectClass=fdTasksConf)",
["fdTasksConfLastExecTime", "fdTasksConfIntervalEmails", "fdTasksConfMaxEmails"]
);
}
}
\ No newline at end of file
library/plugins/ReminderTokenUtils.php 0 → 100644
Edit View file @ 1a411f0a
<?php
class ReminderTokenUtils
{
public function __construct ()
{
}
/**
* @param string $userDN
* @param int $timeStamp
* @return string
* @throws Exception
*/
public function generateToken (string $userDN, int $timeStamp, TaskGateway $gateway): string
{
$token = NULL;
// Salt has been generated with APG.
$salt = '8onOlEsItKond';
$payload = json_encode($userDN . $salt);
// This allows the token to be different every time.
$time = time();
// Create hmac with sha256 alg and the key provided for JWT token signature in ENV.
$token_hmac = hash_hmac("sha256", $time . $payload, $_ENV["SECRET_KEY"], TRUE);
// We need to have a token allowed to be used within an URL.
$token = $this->base64urlEncode($token_hmac);
// Save token within LDAP
$this->saveTokenInLdap($userDN, $token, $timeStamp, $gateway);
return $token;
}
/**
* @param string $userDN
* @param string $token
* NOTE : UID is the full DN of the user. (uid=...).
* @param int $days
* @return bool
* @throws Exception
*/
private function saveTokenInLdap (string $userDN, string $token, int $days, TaskGateway $gateway): bool
{
$result = FALSE;
$currentTimestamp = time();
// Calculate the future timestamp by adding days to the current timestamp (We actually adds number of seconds).
$futureTimestamp = $currentTimestamp + ($days * 24 * 60 * 60);
preg_match('/uid=([^,]+),ou=/', $userDN, $matches);
$uid = $matches[1];
$dn = 'cn=' . $uid . ',' . 'ou=tokens' . ',' . $_ENV["LDAP_BASE"];
$ldap_entry["objectClass"] = ['top', 'fdTokenEntry'];
$ldap_entry["fdTokenUserDN"] = $userDN;
$ldap_entry["fdTokenType"] = 'reminder';
$ldap_entry["fdToken"] = $token;
$ldap_entry["fdTokenTimestamp"] = $futureTimestamp;
$ldap_entry["cn"] = $uid;
// set the dn for the token, only take what's between "uid=" and ",ou="
// Verify if token ou branch exists
if (!$this->tokenBranchExist('ou=tokens' . ',' . $_ENV["LDAP_BASE"], $gateway)) {
// Create the branch
$this->createBranchToken($gateway);
}
// The user token DN creation
$userTokenDN = 'cn=' . $uid . ',ou=tokens' . ',' . $_ENV["LDAP_BASE"];
// Verify if a token already exists for specified user and remove it to create new one correctly.
if ($this->tokenBranchExist($userTokenDN, $gateway)) {
// Remove the user token
$this->removeUserToken($userTokenDN, $gateway);
}
// Add token to LDAP for specific UID
try {
$result = ldap_add($gateway->ds, $dn, $ldap_entry); // bool returned
} catch (Exception $e) {
echo json_encode(["Ldap Error - Token could not be saved!" => "$e"]); // string returned
exit;
}
return $result;
}
/**
* @param int $subTaskCall
* @param int $firstCall
* @param int $secondCall
* @return int
* Note : Simply return the difference between first and second call. (First call can be null).
*/
public function getTokenExpiration (int $subTaskCall, int $firstCall, int $secondCall): int
{
// if firstCall is empty, secondCall is the timestamp expiry for the token.
$result = $secondCall;
if (!empty($firstCall)) {
// Verification if the subTask is the second reminder or the first reminder.
if ($subTaskCall === $firstCall) {
$result = $firstCall - $secondCall;
}
}
return $result;
}
/**
* @param $userTokenDN
* @return void
* Note : Simply remove the token for specific user DN
*/
private function removeUserToken ($userTokenDN, TaskGateway $gateway): void
{
// Add token to LDAP for specific UID
try {
$result = ldap_delete($gateway->ds, $userTokenDN); // bool returned
} catch (Exception $e) {
echo json_encode(["Ldap Error - User token could not be removed!" => "$e"]); // string returned
exit;
}
}
/**
* Create ou=pluginManager LDAP branch
* @throws Exception
*/
private function createBranchToken (TaskGateway $gateway): void
{
try {
ldap_add(
$gateway->ds, 'ou=tokens' . ',' . $_ENV["LDAP_BASE"],
[
'ou' => 'tokens',
'objectClass' => 'organizationalUnit',
]
);
} catch (Exception $e) {
echo json_encode(["Ldap Error - Impossible to create the token branch" => "$e"]); // string returned
exit;
}
}
/**
* @param string $token
* @param array $mailTemplateForm
* @param string $taskDN
* @return array
*/
public function generateTokenUrl (string $token, array $mailTemplateForm, string $taskDN): array
{
//Only take the cn of the main task name :
preg_match('/cn=([^,]+),ou=/', $taskDN, $matches);
$taskName = $matches[1];
// Remove the API URI
$cleanedUrl = preg_replace('#/rest\.php/v1$#', '', $_ENV['FUSION_DIRECTORY_API_URL']);
$url = $cleanedUrl . '/accountProlongation.php?token=' . $token . '&task=' . $taskName;
$mailTemplateForm['body'] .= $url;
return $mailTemplateForm;
}
/**
* @param string $dn
* @return bool
* Note : Simply inspect if the branch for token is existing.
*/
private function tokenBranchExist (string $dn, TaskGateway $gateway): bool
{
$result = FALSE;
try {
$search = ldap_search($gateway->ds, $dn, "(objectClass=*)");
// Check if the search was successful
if ($search) {
// Get the number of entries found
$entries = ldap_get_entries($gateway->ds, $search);
// If entries are found, set result to true
if ($entries["count"] > 0) {
$result = TRUE;
}
}
} catch (Exception $e) {
$result = FALSE;
}
return $result;
}
/**
* @param string $text
* @return string
* Note : This come from jwtToken, as it is completely private - it is cloned here for now.
*/
private function base64urlEncode (string $text): string
{
return str_replace(["+", "/", "="], ["A", "B", ""], base64_encode($text));
}
}
\ No newline at end of file
library/plugins/Utils.php 0 → 100644
Edit View file @ 1a411f0a
<?php
class Utils
{
public function __construct ()
{
}
/**
* @param array $array
* @return array
* Note : Recursively filters out empty values and arrays at any depth.
*/
public function recursiveArrayFilter (array $array): array
{
return array_filter($array, function ($item) {
if (is_array($item)) {
$item = $this->recursiveArrayFilter($item);
}
return !empty($item);
});
}
/**
* Find matching keys between 2 lists.
*
* @param array|null $elements
* @param array $keys
* @return array
*/
public function findMatchingKeys (?array $elements, array $keys): array
{
$matching = [];
if (!empty($elements)) {
foreach ($elements as $element) {
foreach ($keys as $key) {
if (!empty($element) && array_key_exists($key, $element)) {
$matching[] = $key;
}
}
}
}
return $matching;
}
/**
* @param $array
* @return array
* Note : simply return all values of a multi-dimensional array.
*/
public function getArrayValuesRecursive ($array)
{
return array_reduce($array, function ($carry, $value) {
return array_merge($carry, is_array($value) ? $this->getArrayValuesRecursive($value) : [$value]);
}, []);
}
}
\ No newline at end of file
plugins/tasks/Archive.php 0 → 100644
Edit View file @ 1a411f0a
<?php
use FusionDirectory\Rest\WebServiceCall;
class Archive implements EndpointInterface
{
private TaskGateway $gateway;
public function __construct (TaskGateway $gateway)
{
$this->gateway = $gateway;
}
/**
* @return array
* Part of the interface of orchestrator plugin to treat GET method
*/
public function processEndPointGet (): array
{
// Retrieve tasks of type 'archive'
return $this->gateway->getObjectTypeTask('archive');
}
/**
* @param array|null $data
* @return array
* @throws Exception
* Note: Part of the interface of orchestrator plugin to treat PATCH method
*/
public function processEndPointPatch (array $data = NULL): array
{
$result = [];
$archiveTasks = $this->gateway->getObjectTypeTask('archive');
// Initialize the WebServiceCall object for login
$webServiceCall = new WebServiceCall($_ENV['FUSION_DIRECTORY_API_URL'] . '/login', 'POST');
$webServiceCall->setCurlSettings(); // Perform login and set the token
foreach ($archiveTasks as $task) {
try {
if (!$this->gateway->statusAndScheduleCheck($task)) {
// Skip this task if it does not meet the status and schedule criteria
continue;
}
// Receive null or 'toBeArchived'
$supannState = $this->getUserSupannAccountStatus($task['fdtasksgranulardn'][0]);
if ($supannState !== 'toBeArchived') {
// The task does not meet the criteria for archiving and can therefore be suppressed
$result[$task['dn']]['result'] = "User does not meet the criteria for archiving.";
$this->gateway->removeSubTask($task['dn']);
continue;
}
// Set the archive endpoint and method using the same WebServiceCall object
$archiveUrl = $_ENV['FUSION_DIRECTORY_API_URL'] . '/archive/user/' . rawurlencode($task['fdtasksgranulardn'][0]);
$webServiceCall->setCurlSettings($archiveUrl, NULL, 'POST'); // Update settings for the archive request
$response = $webServiceCall->execute();
// Check if the HTTP status code is 204
if ($webServiceCall->getHttpStatusCode() === 204) {
$result[$task['dn']]['result'] = "User successfully archived.";
$this->gateway->updateTaskStatus($task['dn'], $task['cn'][0], '2');
} else {
throw new Exception("Unexpected HTTP status code: " . $webServiceCall->getHttpStatusCode());
}
} catch (Exception $e) {
$result[$task['dn']]['result'] = "Error archiving user: " . $e->getMessage();
$this->gateway->updateTaskStatus($task['dn'], $task['cn'][0], $e->getMessage());
}
}
return $result;
}
/**
* @param array|null $data
* @return array
* Note: Part of the interface of orchestrator plugin to treat POST method
*/
public function processEndPointPost (array $data = NULL): array
{
return [];
}
/**
* @param array|null $data
* @return array
* Note: Part of the interface of orchestrator plugin to treat DELETE method
*/
public function processEndPointDelete (array $data = NULL): array
{
return [];
}
/**
* Retrieve the supannAccountStatus of a user
* @param string $userDn
* @return string|null
*/
private function getUserSupannAccountStatus (string $userDn): ?string
{
$supannState = $this->gateway->getLdapTasks(
'(objectClass=supannPerson)',
['supannRessourceEtatDate'],
'',
$userDn
);
if ($this->hasToBeArchived($supannState)) {
return 'toBeArchived';
}
return NULL;
}
private function hasToBeArchived (array $supannState): bool
{
if (!isset($supannState[0]['supannressourceetatdate']) || !is_array($supannState[0]['supannressourceetatdate'])) {
return FALSE;
}
foreach ($supannState[0]['supannressourceetatdate'] as $key => $value) {
// Skip non-numeric keys (e.g., 'count')
if (!is_numeric($key)) {
continue;
}
if (strpos($value, '{COMPTE}I:toBeArchived') !== FALSE) {
return TRUE;
}
}
return FALSE;
}
}
\ No newline at end of file
plugins/tasks/Audit.php
Edit View file @ 1a411f0a
......@@ -4,10 +4,12 @@ class Audit implements EndpointInterface
{
private TaskGateway $gateway;
private Utils $utils;
public function __construct (TaskGateway $gateway)
{
$this->gateway = $gateway;
$this->utils = new Utils();
}
/**
......@@ -47,7 +49,7 @@ class Audit implements EndpointInterface
$result = $this->processAuditDeletion($this->gateway->getObjectTypeTask('Audit'));
// Recursive function to filter out empty arrays at any depth
$nonEmptyResults = $this->recursiveArrayFilter($result);
$nonEmptyResults = $this->utils->recursiveArrayFilter($result);
if (!empty($nonEmptyResults)) {
return $nonEmptyResults;
......@@ -119,27 +121,4 @@ class Audit implements EndpointInterface
return $audit;
}
/**
* @param array $array
* @return array
* Note : Recursively filters out empty values and arrays at any depth.
*/
private function recursiveArrayFilter (array $array): array
{
// First filter the array for non-empty elements
$filtered = array_filter($array, function ($item) {
if (is_array($item)) {
// Recursively filter the sub-array
$item = $this->recursiveArrayFilter($item);
// Only retain non-empty arrays
return !empty($item);
} else {
// Retain non-empty scalar values
return !empty($item);
}
});
return $filtered;
}
}
\ No newline at end of file
plugins/tasks/Notifications.php
Edit View file @ 1a411f0a
......@@ -4,10 +4,15 @@ class Notifications implements EndpointInterface
{
private TaskGateway $gateway;
private string $errorMessage = 'No matching audited attributes with monitored attributes, safely removed!';
private Utils $utils;
private MailUtils $mailUtils;
public function __construct (TaskGateway $gateway)
{
$this->gateway = $gateway;
$this->utils = new Utils();
$this->mailUtils = new MailUtils();
}
/**
......@@ -69,26 +74,7 @@ class Notifications implements EndpointInterface
// Generate the mail form with all mail controller requirements
$mailTemplateForm = $this->generateMainTaskMailTemplate($notificationsMainTask);
// Simply retrieve the list of audited attributes
$auditAttributes = $this->decodeAuditAttributes($task);
// Recovering monitored attributes list from the defined notification task.
$monitoredAttrs = $notificationsMainTask[0]['fdtasksnotificationsattributes'];
// Reformat supann
$monitoredSupannResource = $this->getSupannResourceState($notificationsMainTask[0]);
// Simply remove keys with 'count' reported by ldap.
$this->gateway->unsetCountKeys($monitoredAttrs);
$this->gateway->unsetCountKeys($monitoredSupannResource);
// Find matching attributes between audited and monitored attributes
$matchingAttrs = $this->findMatchingAttributes($auditAttributes, $monitoredAttrs);
// Verify Supann resource state if applicable
if ($this->shouldVerifySupannResource($monitoredSupannResource, $auditAttributes)) {
// Adds it to the mating attrs for further notification process.
$matchingAttrs[] = 'supannRessourceEtat';
}
$matchingAttrs = $this->getMatchingAttrs($notificationsMainTask, $task);
if (!empty($matchingAttrs)) {
// Fill an array with UID of audited user and related matching attributes
......@@ -103,7 +89,7 @@ class Notifications implements EndpointInterface
} else { // Simply remove the subTask has no notifications are required
$result[$task['dn']]['Removed'] = $this->gateway->removeSubTask($task['dn']);
$result[$task['dn']]['Status'] = 'No matching audited attributes with monitored attributes, safely removed!';
$result[$task['dn']]['Status'] = $this->errorMessage;
}
}
}
......@@ -115,6 +101,32 @@ class Notifications implements EndpointInterface
return $result;
}
private function getMatchingAttrs (array $notificationsMainTask, array $task): array
{
// Simply retrieve the list of audited attributes
$auditAttributes = $this->decodeAuditAttributes($task);
// Recovering monitored attributes list from the defined notification task.
$monitoredAttrs = $notificationsMainTask[0]['fdtasksnotificationsattributes'];
// Reformat supann
$monitoredSupannResource = $this->getSupannResourceState($notificationsMainTask[0]);
// Simply remove keys with 'count' reported by ldap.
$this->gateway->unsetCountKeys($monitoredAttrs);
$this->gateway->unsetCountKeys($monitoredSupannResource);
// Find matching attributes between audited and monitored attributes
$matchingAttrs = $this->utils->findMatchingKeys($auditAttributes, $monitoredAttrs);
// Verify Supann resource state if applicable
if ($this->shouldVerifySupannResource($monitoredSupannResource, $auditAttributes)) {
// Adds it to the mating attrs for further notification process.
$matchingAttrs[] = 'supannRessourceEtat';
}
return $matchingAttrs;
}
/**
* Determine if Supann resource verification is needed.
*
......@@ -165,30 +177,6 @@ class Notifications implements EndpointInterface
return $auditAttributes;
}
/**
* Find matching attributes between audit and monitored attributes.
*
* @param array|null $auditAttributes
* @param array $monitoredAttrs
* @return array
*/
private function findMatchingAttributes (?array $auditAttributes, array $monitoredAttrs): array
{
$matchingAttrs = [];
if (!empty($auditAttributes)) {
foreach ($auditAttributes as $attributeName) {
foreach ($monitoredAttrs as $monitoredAttr) {
if (!empty($attributeName) && array_key_exists($monitoredAttr, $attributeName)) {
$matchingAttrs[] = $monitoredAttr;
}
}
}
}
return $matchingAttrs;
}
/**
* @param array $supannResource
* @param array $auditedAttrs
......@@ -197,45 +185,15 @@ class Notifications implements EndpointInterface
*/
private function verifySupannState (array $supannResource, array $auditedAttrs): bool
{
$result = FALSE;
//Construct Supann Resource State as string
$monitoredSupannState = '{' . $supannResource['resource'][0] . '}' . $supannResource['state'][0];
if (!empty($supannResource['subState'][0])) {
$monitoredSupannState = '{' . $supannResource['resource'][0] . '}' . $supannResource['state'][0] . ':' . $supannResource['subState'][0];
} else {
$monitoredSupannState = '{' . $supannResource['resource'][0] . '}' . $supannResource['state'][0];
$monitoredSupannState = $monitoredSupannState . ':' . $supannResource['subState'][0];
}
// Get all the values only of a multidimensional array.
$auditedValues = $this->getArrayValuesRecursive($auditedAttrs);
if (in_array($monitoredSupannState, $auditedValues)) {
$result = TRUE;
} else {
$result = FALSE;
}
return $result;
}
/**
* @param $array
* @return array
* Note : simply return all values of a multi-dimensional array.
*/
public function getArrayValuesRecursive ($array)
{
$values = [];
foreach ($array as $value) {
if (is_array($value)) {
// If value is an array, merge its values recursively
$values = array_merge($values, $this->getArrayValuesRecursive($value));
} else {
// If value is not an array, add it to the result
$values[] = $value;
}
}
return $values;
$auditedValues = $this->utils->getArrayValuesRecursive($auditedAttrs);
return in_array($monitoredSupannState, $auditedValues);
}
/**
......@@ -364,19 +322,14 @@ class Notifications implements EndpointInterface
foreach ($notifications as $data) {
$numberOfRecipients = count($data['mailForm']['recipients']);
$mail_controller = new \FusionDirectory\Mail\MailLib(
$data['mailForm']['setFrom'],
NULL,
$data['mailForm']['recipients'],
$data['mailForm']['body'],
$data['mailForm']['signature'],
$data['mailForm']['subject'],
$data['mailForm']['receipt'],
NULL
);
$mailSentResult = $mail_controller->sendMail();
$setFrom = $data['mailForm']['setFrom'];
$recipients = $data['mailForm']['recipients'];
$body = $data['mailForm']['body'];
$signature = $data['mailForm']['signature'];
$subject = $data['mailForm']['subject'];
$receipt = $data['mailForm']['receipt'];
$mailSentResult = $this->mailUtils->sendMail($setFrom, NULL, $recipients, $body, $signature, $subject, $receipt, NULL);
$result[] = $this->processMailResponseAndUpdateTasks($mailSentResult, $data, $fdTasksConf);
// Verification anti-spam max mails to be sent and quit loop if matched.
......
plugins/tasks/Reminder.php
Edit View file @ 1a411f0a
......@@ -4,10 +4,12 @@ class Reminder implements EndpointInterface
{
private TaskGateway $gateway;
private ReminderTokenUtils $reminderTokenUtils;
public function __construct (TaskGateway $gateway)
{
$this->gateway = $gateway;
$this->reminderTokenUtils = new ReminderTokenUtils();
}
/**
......@@ -109,13 +111,13 @@ class Reminder implements EndpointInterface
$reminders[$remindersMainTaskName]['subTask'][$task['cn'][0]]['uid'] = $task['fdtasksgranulardn'][0];
// Create timeStamp expiration for token
$tokenExpire = $this->getTokenExpiration($task['fdtasksgranularhelper'][0],
$tokenExpire = $this->reminderTokenUtils->getTokenExpiration($task['fdtasksgranularhelper'][0],
$remindersMainTask[0]['fdtasksreminderfirstcall'][0],
$remindersMainTask[0]['fdtasksremindersecondcall'][0]);
// Create token for SubTask
$token = $this->generateToken($task['fdtasksgranulardn'][0], $tokenExpire);
$token = $this->reminderTokenUtils->generateToken($task['fdtasksgranulardn'][0], $tokenExpire, $this->gateway);
// Edit the mailForm with the url link containing the token
$tokenMailTemplateForm = $this->generateTokenUrl($token, $mailTemplateForm, $remindersMainTaskName);
$tokenMailTemplateForm = $this->reminderTokenUtils->generateTokenUrl($token, $mailTemplateForm, $remindersMainTaskName);
// Recipient email form
$reminders[$remindersMainTaskName]['subTask'][$task['cn'][0]]['mail'] = $tokenMailTemplateForm;
......@@ -136,13 +138,13 @@ class Reminder implements EndpointInterface
$reminders[$remindersMainTaskName]['subTask'][$task['cn'][0]]['uid'] = $task['fdtasksgranulardn'][0];
// Create timeStamp expiration for token
$tokenExpire = $this->getTokenExpiration($task['fdtasksgranularhelper'][0],
$tokenExpire = $this->reminderTokenUtils->getTokenExpiration($task['fdtasksgranularhelper'][0],
$remindersMainTask[0]['fdtasksreminderfirstcall'][0],
$remindersMainTask[0]['fdtasksremindersecondcall'][0]);
// Create token for SubTask
$token = $this->generateToken($task['fdtasksgranulardn'][0], $tokenExpire);
$token = $this->reminderTokenUtils->generateToken($task['fdtasksgranulardn'][0], $tokenExpire, $this->gateway);
// Edit the mailForm with the url link containing the token
$tokenMailTemplateForm = $this->generateTokenUrl($token, $mailTemplateForm, $remindersMainTaskName);
$tokenMailTemplateForm = $this->reminderTokenUtils->generateTokenUrl($token, $mailTemplateForm, $remindersMainTaskName);
// Recipient email form
$reminders[$remindersMainTaskName]['subTask'][$task['cn'][0]]['mail'] = $tokenMailTemplateForm;
......@@ -217,207 +219,6 @@ class Reminder implements EndpointInterface
return $result;
}
/**
* @param string $token
* @param array $mailTemplateForm
* @param string $taskDN
* @return array
*/
private function generateTokenUrl (string $token, array $mailTemplateForm, string $taskDN): array
{
//Only take the cn of the main task name :
preg_match('/cn=([^,]+),ou=/', $taskDN, $matches);
$taskName = $matches[1];
// Remove the API URI
$cleanedUrl = preg_replace('#/rest\.php/v1$#', '', $_ENV['FUSION_DIRECTORY_API_URL']);
$url = $cleanedUrl . '/accountProlongation.php?token=' . $token . '&task=' . $taskName;
$mailTemplateForm['body'] .= $url;
return $mailTemplateForm;
}
/**
* @param int $subTaskCall
* @param int $firstCall
* @param int $secondCall
* @return int
* Note : Simply return the difference between first and second call. (First call can be null).
*/
private function getTokenExpiration (int $subTaskCall, int $firstCall, int $secondCall): int
{
// if firstCall is empty, secondCall is the timestamp expiry for the token.
$result = $secondCall;
if (!empty($firstCall)) {
// Verification if the subTask is the second reminder or the first reminder.
if ($subTaskCall === $firstCall) {
$result = $firstCall - $secondCall;
}
}
return $result;
}
/**
* @param string $userDN
* @param int $timeStamp
* @return string
* @throws Exception
*/
private function generateToken (string $userDN, int $timeStamp): string
{
$token = NULL;
// Salt has been generated with APG.
$salt = '8onOlEsItKond';
$payload = json_encode($userDN . $salt);
// This allows the token to be different every time.
$time = time();
// Create hmac with sha256 alg and the key provided for JWT token signature in ENV.
$token_hmac = hash_hmac("sha256", $time . $payload, $_ENV["SECRET_KEY"], TRUE);
// We need to have a token allowed to be used within an URL.
$token = $this->base64urlEncode($token_hmac);
// Save token within LDAP
$this->saveTokenInLdap($userDN, $token, $timeStamp);
return $token;
}
/**
* @param string $userDN
* @param string $token
* NOTE : UID is the full DN of the user. (uid=...).
* @param int $days
* @return bool
* @throws Exception
*/
private function saveTokenInLdap (string $userDN, string $token, int $days): bool
{
$result = FALSE;
$currentTimestamp = time();
// Calculate the future timestamp by adding days to the current timestamp (We actually adds number of seconds).
$futureTimestamp = $currentTimestamp + ($days * 24 * 60 * 60);
preg_match('/uid=([^,]+),ou=/', $userDN, $matches);
$uid = $matches[1];
$dn = 'cn=' . $uid . ',' . 'ou=tokens' . ',' . $_ENV["LDAP_BASE"];
$ldap_entry["objectClass"] = ['top', 'fdTokenEntry'];
$ldap_entry["fdTokenUserDN"] = $userDN;
$ldap_entry["fdTokenType"] = 'reminder';
$ldap_entry["fdToken"] = $token;
$ldap_entry["fdTokenTimestamp"] = $futureTimestamp;
$ldap_entry["cn"] = $uid;
// set the dn for the token, only take what's between "uid=" and ",ou="
// Verify if token ou branch exists
if (!$this->tokenBranchExist('ou=tokens' . ',' . $_ENV["LDAP_BASE"])) {
// Create the branch
$this->createBranchToken();
}
// The user token DN creation
$userTokenDN = 'cn=' . $uid . ',ou=tokens' . ',' . $_ENV["LDAP_BASE"];
// Verify if a token already exists for specified user and remove it to create new one correctly.
if ($this->tokenBranchExist($userTokenDN)) {
// Remove the user token
$this->removeUserToken($userTokenDN);
}
// Add token to LDAP for specific UID
try {
$result = ldap_add($this->gateway->ds, $dn, $ldap_entry); // bool returned
} catch (Exception $e) {
echo json_encode(["Ldap Error - Token could not be saved!" => "$e"]); // string returned
exit;
}
return $result;
}
/**
* @param $userTokenDN
* @return void
* Note : Simply remove the token for specific user DN
*/
private function removeUserToken ($userTokenDN): void
{
// Add token to LDAP for specific UID
try {
$result = ldap_delete($this->gateway->ds, $userTokenDN); // bool returned
} catch (Exception $e) {
echo json_encode(["Ldap Error - User token could not be removed!" => "$e"]); // string returned
exit;
}
}
/**
* Create ou=pluginManager LDAP branch
* @throws Exception
*/
protected function createBranchToken (): void
{
try {
ldap_add(
$this->gateway->ds, 'ou=tokens' . ',' . $_ENV["LDAP_BASE"],
[
'ou' => 'tokens',
'objectClass' => 'organizationalUnit',
]
);
} catch (Exception $e) {
echo json_encode(["Ldap Error - Impossible to create the token branch" => "$e"]); // string returned
exit;
}
}
/**
* @param string $dn
* @return bool
* Note : Simply inspect if the branch for token is existing.
*/
private function tokenBranchExist (string $dn): bool
{
$result = FALSE;
try {
$search = ldap_search($this->gateway->ds, $dn, "(objectClass=*)");
// Check if the search was successful
if ($search) {
// Get the number of entries found
$entries = ldap_get_entries($this->gateway->ds, $search);
// If entries are found, set result to true
if ($entries["count"] > 0) {
$result = TRUE;
}
}
} catch (Exception $e) {
$result = FALSE;
}
return $result;
}
/**
* @param string $text
* @return string
* Note : This come from jwtToken, as it is completely private - it is cloned here for now.
*/
private function base64urlEncode (string $text): string
{
return str_replace(["+", "/", "="], ["A", "B", ""], base64_encode($text));
}
/**
* @param string $dn
* @return string
......@@ -592,26 +393,6 @@ class Reminder implements EndpointInterface
return DateTime::createFromFormat('Ymd', $dateString);
}
/**
* @param $array
* @return array
* Note : simply return all values of a multi-dimensional array.
*/
public function getArrayValuesRecursive ($array)
{
$values = [];
foreach ($array as $value) {
if (is_array($value)) {
// If value is an array, merge its values recursively
$values = array_merge($values, $this->getArrayValuesRecursive($value));
} else {
// If value is not an array, add it to the result
$values[] = $value;
}
}
return $values;
}
/**
* @param string $mainTaskDn
* @return array
......