Fixed the problem where LDAP calls RPC method in PerunIdentity

Signed-off-by: Pavel Vyskočil <[email protected]>

Author: BaranekD

CHANGELOG.md

@@ -5,6 +5,9 @@ All notable changes to this project will be documented in this file.
  [Added]
  - List of services is displayed as JSON if parameter 'output=json' is set in URL
 
+ [Fixed]
+ - Fixed the problem where LDAP calls RPC method in PerunIdentity filter
+ 
  ## [v2.1.0]
  [Added]
  - Added new atribute in PerunIdentity process filter with list of Services identifier's for which we don't want to show page with information, that the user will be redirected to other page 

lib/Adapter.php

@@ -156,6 +156,13 @@ public abstract function getUserExtSourceAttributes($userExtSourceId, $attribute
 	 */
 	public abstract function setUserExtSourceAttributes($userExtSourceId, $attributes);
 
+	/**
+	 * @param sspmod_perun_model_User $user user
+	 * @param sspmod_perun_model_Vo $vo vo
+	 * @return string status, null if member does not exist
+	 */
+	public abstract function getMemberStatusByUserAndVo($user, $vo);
+
 	/**
 	 * @param sspmod_perun_model_HasId[] $entities
 	 * @return sspmod_perun_model_HasId[] without duplicates

lib/AdapterLdap.php

@@ -264,5 +264,19 @@ public function getUsersGroupsOnFacility($spEntityId, $userId)
 		return $resultGroups;
 	}
 
+	public function getMemberStatusByUserAndVo($user, $vo)
+	{
+		$groupId = $this->connector->searchForEntity($this->ldapBase,
+			"(&(objectClass=perunGroup)(cn=members)(perunVoId=" . $vo->getId() . ")(uniqueMember=perunUserId=" . $user->getId() . ",ou=People,dc=perun,dc=cesnet,dc=cz))",
+			array("perunGroupid")
+		);
+
+		if (empty($groupId)) {
+			return sspmod_perun_model_Member::INVALID;
+		} else {
+			return sspmod_perun_model_Member::VALID;
+		}
+	}
+
 
 }

lib/AdapterRpc.php

@@ -391,4 +391,15 @@ public function setUserExtSourceAttributes($userExtSourceId, $attributes)
 			"attributes" => $attributes
 		));
 	}
+
+	public function getMemberStatusByUserAndVo($user, $vo)
+	{
+		try {
+			$member = $this->getMemberByUser($user, $vo);
+		} catch (Exception $ex) {
+			return null;
+		}
+		return $member->getStatus();
+	}
+
 }

lib/Auth/Process/PerunIdentity.php

@@ -411,34 +411,40 @@ protected function getSPAttributes($spEntityID) {
 	 * @param $uids
 	 */
 	protected function checkMemberStateDefaultVo($request, $user, $uids) {
-		$member = null;
-		$vo = null;
+		$status = null;
 		try {
 			$vo = $this->adapter->getVoByShortName($this->voShortName);
 			if (!is_null($user)) {
-				$member = $this->rpcAdapter->getMemberByUser($user, $vo);
+				$status = $this->adapter->getMemberStatusByUserAndVo($user, $vo);
 			}
 		} catch (Exception $ex) {
-			SimpleSAML\Logger::warning("perun:PerunIdentity: " . $ex);
+			throw new SimpleSAML_Error_Exception('perun:PerunIdentity: ' . $ex);
 		}
 
 		if (is_null($vo)) {
 			throw new SimpleSAML_Error_Exception('perun:PerunIdentity: Vo with short name ' . $this->voShortName . ' does not exist.');
 		}
 
-		if (is_null($user) ||  is_null($member) || $member->getStatus() === sspmod_perun_model_Member::EXPIRED) {
+		if ($this->adapter instanceof sspmod_perun_AdapterLdap && $status === sspmod_perun_model_Member::INVALID) {
+			try {
+				$status = $this->rpcAdapter->getMemberStatusByUserAndVo($user, $vo);
+			} catch (Exception $ex) {
+				SimpleSAML\Logger::info('Member status for perun user with identity/ies: ' . implode(',', $uids) . ' was not VALID and it is not possible to get more info (RPC is not working)');
+				$this->unauthorized($request);
+			}
+		}
+
+		if (is_null($user) || is_null($status) || $status === sspmod_perun_model_Member::EXPIRED) {
 			if (is_null($user)) {
 				SimpleSAML\Logger::info('Perun user with identity/ies: '. implode(',', $uids).' has NOT been found. He is being redirected to register.');
-			}
-			elseif (is_null($member)) {
+			} elseif (is_null($status)) {
 				SimpleSAML\Logger::info('Perun user with identity/ies: '. implode(',', $uids).' is NOT member in vo with short name ' . $this->voShortName . '(default VO). He is being redirected to register.');
-			}
-			else {
+			} else {
 				SimpleSAML\Logger::info('Member status for perun user with identity/ies: '. implode(',', $uids).' was expired. He is being redirected to register.');
 			}
 			$this->register($request, array($vo), $this->defaultRegisterUrl,false);
 
-		} elseif (!($member->getStatus() === sspmod_perun_model_Member::VALID)) {
+		} elseif (!($status === sspmod_perun_model_Member::VALID)) {
 			SimpleSAML\Logger::warning('Member status for perun user with identity/ies: '. implode(',', $uids).' was INVALID/SUSPENDED/DISABLED. ');
 			$this->unauthorized($request);
 		}