From 22a4768d8e24a7a3a81b267e449bc3bb5a82d55f Mon Sep 17 00:00:00 2001 From: "jaimepc@gmail.com" Date: Mon, 24 Feb 2014 11:37:13 +0000 Subject: [PATCH] Add an attribute policy (either add, merge or replace values) to AttributeAddFromLDAP. git-svn-id: http://simplesamlphp.googlecode.com/svn/trunk@3375 44740490-163a-0410-bde0-09ae8108e29a --- modules/ldap/docs/ldap.txt | 18 +++++++++++ .../lib/Auth/Process/AttributeAddFromLDAP.php | 32 +++++++++++++++++-- 2 files changed, 48 insertions(+), 2 deletions(-) diff --git a/modules/ldap/docs/ldap.txt b/modules/ldap/docs/ldap.txt index c19141e1..f24dc8b5 100644 --- a/modules/ldap/docs/ldap.txt +++ b/modules/ldap/docs/ldap.txt @@ -249,6 +249,24 @@ specific configuration options: */ 'attributes' => array('mail', 'jpegPhoto' => 'jpegphoto'), + /** + * The attribute policy that defines what to do with attributes that are + * already part of the attributes of the user. Can be one of: + * + * - add: blindly add the values. If the attribute already exists and has + * the same value, the result of the filter will be two equal values. + * + * - merge: carefully merge the values. If a value is already part of + * the attribute, do not add a duplicate. + * + * - replace: if the attribute is present before running the filter, + * replace its values with the ones obtained at this point. + * + * Default: merge + * Required: No + */ + 'attribute.policy' => 'merge', + /** * The search filter to find the user in LDAP. * diff --git a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php index 4f0b412d..4a311b86 100644 --- a/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php +++ b/modules/ldap/lib/Auth/Process/AttributeAddFromLDAP.php 
@@ -48,6 +48,13 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro protected $search_filter; + /** + * What to do with attributes when the target already exists. Either replace, merge or add. + * + * @var string + */ + protected $attr_policy; + /** * Initialize this filter. * @@ -114,6 +121,9 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro $this->search_attributes[$new_attribute] = $this->config->getString('search.attribute'); } $this->search_filter = $this->config->getString('search.filter'); + + // get the attribute policy + $this->attr_policy = $this->config->getString('attribute.policy', 'merge'); } @@ -145,11 +155,17 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro $filter = str_replace($arrSearch, $arrReplace, $this->search_filter); if (strpos($filter, '%') !== FALSE) { - SimpleSAML_Logger::info('There are non-existing attributes in the search filter. ('. + SimpleSAML_Logger::info('AttributeAddFromLDAP: There are non-existing attributes in the search filter. ('. $this->search_filter.')'); return; } + if (!in_array($this->attr_policy, array('merge', 'replace', 'add'))) { + SimpleSAML_Logger::warning("AttributeAddFromLDAP: 'attribute.policy' must be one of 'merge',". + "'replace' or 'add'."); + return; + } + // search for matching entries try { $entries = $this->getLdap()->searchformultiple($this->base_dn, $filter, 
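Review bot: The allowed values for `attribute.policy` are checked only in the third hunk, on every run of the filter, where an unknown value logs a warning and returns, so a typo in the configuration makes the filter skip the LDAP lookup on each login instead of failing when the configuration is loaded. Any later check that relies on the LDAP-sourced attributes would then see them missing, and whether that denies or permits access depends on code outside this patch. Consider validating where the option is read in the second hunk, for example `$this->attr_policy = $this->config->getValueValidate('attribute.policy', array('merge', 'replace', 'add'), 'merge');` if that helper is available in this tree, or throwing from the constructor. The warning text also lacks a space after `'merge',` and does not include the rejected value. Both the constructor and the processing method continue outside these hunks.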
@@ -164,11 +180,23 @@ class sspmod_ldap_Auth_Process_AttributeAddFromLDAP extends sspmod_ldap_Auth_Pro if (is_numeric($target)) { $target = $name; } + + if (isset($attributes[$target]) && $this->attr_policy === 'replace') { + unset($attributes[$target]); + } $name = strtolower($name); if (isset($entry[$name])) { unset($entry[$name]['count']); if (isset($attributes[$target])) { - $attributes[$target] = array_merge($attributes[$target], array_values($entry[$name])); + foreach(array_values($entry[$name]) as $value) { + if ($this->attr_policy === 'merge') { + if (!in_array($value, $attributes[$target])) { + $attributes[$target][] = $value; + } + } else { + $attributes[$target][] = $value; + } + } } else { $attributes[$target] = array_values($entry[$name]); }
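Review bot: With the `replace` policy the added `unset($attributes[$target])` runs before `isset($entry[$name])` is tested, so when the LDAP entry has no value for that attribute the user's existing value is removed and nothing is put in its place. If that is not intended, drop the early unset and change the existing test to `if (isset($attributes[$target]) && $this->attr_policy !== 'replace') {`, so that `replace` falls through to the `else` assignment only when LDAP returned a value. In the `merge` branch, `in_array($value, $attributes[$target])` compares loosely, so numeric-looking strings such as `"007"` and `"7"` are treated as duplicates and one is dropped; pass `true` as the third argument. The surrounding loop starts outside the hunk, so how `replace` behaves across several matching entries cannot be judged from here.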