Added resource capabilities into entitlements

Author: vyskocilpavel

CHANGELOG.md

@@ -4,6 +4,7 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
 #### Added
 - Added method getFacilityByEntityId
+- Added resource capabilities into entitlements
 
 #### Changed
 - Slightly modified text displayed on WAYF
@@ -14,6 +15,7 @@ All notable changes to this project will be documented in this file.
 - Double quotes changed to single quotes
 - getFacilitiesByEntityId marked as deprecated (getFacilityByEntityId should be used instead)
 - Using of getFacilityByEntityId instead of getFacilitiesByEntityId
+- Filters JoinGroupsAdnEduPersonEntitlement and PerunGroups merged into PerunEntitlement
 
 #### Fixed
 - Fixed wrong dictionary name in post.php

config-templates/module_perun.php

@@ -33,6 +33,18 @@
     //'ldap.username' => '_proxy-idp',
     //'ldap.password' => 'password'
 
+    /**
+     * Perun group name to eduPersonEntitlement mapping. Mapping is according to the spec in
+     *      https://aarc-project.eu/wp-content/uploads/2017/11/AARC-JRA1.4A-201710.pdf
+     * groupNameAARC - enable group naming according to AARC spec globally,
+     *      every SP can overide it with groupMapping option
+     * entitlementPrefix - prefix put in front of the Perun entitlement, do not forget to add ':' at the end
+     * entitlementAuthority - name of the authority issuing the entitlement
+     */
+    'groupNameAARC' => true/false,
+    'entitlementPrefix' => 'prefix',
+    'entitlementAuthority' => 'authority',
+
     /**
      * specify if disco module should filter out IdPs which are not whitelisted neither commited to CoCo or RaS.
      * default is false.

lib/Adapter.php

@@ -183,6 +183,13 @@ abstract public function setUserExtSourceAttributes($userExtSourceId, $attribute
      */
     abstract public function getMemberStatusByUserAndVo($user, $vo);
 
+    /**
+     * @param $entityId int entityId
+     * @param $userGroups array of groups where user belongs to
+     * @return array of resource capabilities
+     */
+    abstract public function getResourceCapabilities($entityId, $userGroups);
+
     /**
      * @param HasId[] $entities
      * @return HasId[] without duplicates

lib/AdapterLdap.php

@@ -32,6 +32,8 @@ class AdapterLdap extends Adapter
     const PERUN_FACILITY_ID = 'perunFacilityId';
     const CN = 'cn';
     const DESCRIPTION = 'description';
+    const CAPABILITIES = 'capabilities';
+    const ASSIGNED_GROUP_ID = 'assignedGroupId';
 
     private $ldapBase;
 
@@ -228,7 +230,8 @@ public function getUserAttributes($user, $attrNames)
 
     public function getFacilitiesByEntityId($spEntityId)
     {
-        // TODO: Implement getEntityByEntityId() method.
+        throw new BadMethodCallException('NotImplementedException');
+        // TODO: Implement getFacilitiesByEntityId() method.
     }
 
     public function getFacilityByEntityId($spEntityId)
@@ -372,4 +375,47 @@ public function getMemberStatusByUserAndVo($user, $vo)
         }
         return Member::VALID;
     }
+
+    public function getResourceCapabilities($entityId, $userGroups)
+    {
+        $facility = $this->getFacilityByEntityId($entityId);
+
+        if ($facility === null) {
+            return [];
+        }
+
+        $facilityId = $facility->getId();
+
+        $resources = $this->connector->searchForEntities(
+            $this->ldapBase,
+            '(&(objectClass=perunResource)(perunFacilityDn=perunFacilityId=' . $facilityId . ','
+            . $this->ldapBase . '))',
+            [self::CAPABILITIES, self::ASSIGNED_GROUP_ID]
+        );
+
+        $userGroupsIds = [];
+        foreach ($userGroups as $userGroup) {
+            array_push($userGroupsIds, $userGroup->getId());
+        }
+
+        $resourceCapabilities = [];
+        foreach ($resources as $resource) {
+            if (
+                !array_key_exists(self::ASSIGNED_GROUP_ID, $resource) ||
+                !array_key_exists(self::CAPABILITIES, $resource)
+            ) {
+                continue;
+            }
+            foreach ($resource[self::ASSIGNED_GROUP_ID] as $groupId) {
+                if (in_array($groupId, $userGroupsIds)) {
+                    foreach ($resource[self::CAPABILITIES] as $resourceCapability) {
+                        array_push($resourceCapabilities, $resourceCapability);
+                    }
+                    break;
+                }
+            }
+        }
+
+        return $resourceCapabilities;
+    }
 }

lib/AdapterRpc.php

@@ -505,4 +505,49 @@ public function getMemberStatusByUserAndVo($user, $vo)
         }
         return $member->getStatus();
     }
+
+    public function getResourceCapabilities($entityId, $userGroups)
+    {
+        $facility = $this->getFacilityByEntityId($entityId);
+
+        if ($facility === null) {
+            return [];
+        }
+
+        $resources = $this->connector->get('facilitiesManager', 'getAssignedResources', [
+            'facility' => $facility->getId()
+        ]);
+
+        $userGroupsIds = [];
+        foreach ($userGroups as $userGroup) {
+            array_push($userGroupsIds, $userGroup->getId());
+        }
+
+        $capabilities = [];
+        foreach ($resources as $resource) {
+            $resourceGroups = $this->connector->get('resourcesManager', 'getAssignedGroups', [
+               'resource' => $resource['id']
+            ]);
+
+            $resourceCapabilities = $this->connector->get('attributesManager', 'getAttribute', [
+                'resource' => $resource['id'],
+                'attributeName' => 'urn:perun:resource:attribute-def:def:capabilities'
+            ])['value'];
+
+            if ($resourceCapabilities === null) {
+                continue;
+            }
+
+            foreach ($resourceGroups as $resourceGroup) {
+                if (in_array($resourceGroup['id'], $userGroupsIds)) {
+                    foreach ($resourceCapabilities as $capability) {
+                        array_push($capabilities, $capability);
+                    }
+                    break;
+                }
+            }
+        }
+
+        return $capabilities;
+    }
 }