src/Platform/SecurityBundle/Listeners/OneRoster/OneRosterLinkUserSubscriber.php line 178

Open in your IDE?
  1. <?php
  3. namespace Platform\SecurityBundle\Listeners\OneRoster;
  5. use Cms\CoreBundle\Entity\OneRoster\OneRosterUser;
  6. use Cms\CoreBundle\Entity\OneRosterSync;
  7. use Cms\CoreBundle\Events\OneRosterLinkEvent;
  8. use Cms\CoreBundle\Model\Interfaces\OneRosterable\AbstractOneRosterableSubscriber;
  9. use Doctrine\Common\Util\ClassUtils;
  10. use Platform\SecurityBundle\Entity\Access\GroupAccount;
  11. use Platform\SecurityBundle\Entity\Identity\Account;
  12. use Platform\SecurityBundle\Entity\Identity\Group;
  14. /**
  15.  * Class OneRosterLinkUserSubscriber
  16.  * @package Platform\SecurityBundle\Listeners\OneRoster
  17.  */
  18. final class OneRosterLinkUserSubscriber extends AbstractOneRosterableSubscriber
  19. {
  20.     /**
  21.      * {@inheritdoc}
  22.      */
  23.     static public function getSubscribedEvents(): array
  24.     {
  25.         return [
  26.             OneRosterLinkEvent::EVENT__USER => [
  27.                 ['groupSyncOld'0],
  28.                 ['groupsSync'0],
  29.             ],
  30.         ];
  31.     }
  33.     /**
  34.      * @param OneRosterLinkEvent $event
  35.      */
  36.     public function groupSyncOld(OneRosterLinkEvent $event): void
  37.     {
  38.         // ensure we are meant to process this
  39.         if ( ! $this->checkTypes($event->getSync(), [
  40.             OneRosterSync::STRATEGIES__SSO,
  41.         ])) {
  42.             return;
  43.         }
  45.         // get the user
  46.         $user $event->getEntity();
  47.         if ( ! $user instanceof OneRosterUser) {
  48.             throw new \Exception(sprintf(
  49.                 'SSO: User is not of proper type, got "%s".',
  50.                 ClassUtils::getClass($user)
  51.             ));
  52.         }
  54.         // check and make sure that we are of a proper role
  55.         if ( ! $user->isRoleStaff()) {
  57.             // DEBUGGING
  58.             $event->getOutput()->writeln(sprintf(
  59.                 'User role for #%s is "%s", skipping...',
  60.                 $user->getSourcedId(),
  61.                 $user->getRole()
  62.             ));
  64.             // quit early, nothing else to do since not staff
  65.             return;
  67.         }
  69.         // attempt to load an account for us
  70.         $account $this->em->getRepository(Account::class)->findOneByOneRosterId(
  71.             $user->getSourcedId()
  72.         );
  74.         // if we don't have one, that may be a problem
  75.         if (empty($account)) {
  77.             // if the user doesn't have an email, this isn't weird as they would have been skipped over in the process phase
  78.             if ( ! $user->getEmail()) {
  80.                 // DEBUGGING
  81.                 $event->getOutput()->writeln(sprintf(
  82.                     'User missing email for #%s, skipping...',
  83.                     $user->getSourcedId()
  84.                 ));
  86.                 // quit early, nothing else to do since not staff
  87.                 return;
  89.             } else {
  91.                 // NOTE: JEZ 2022-01-20
  92.                 // there are many reasons why this would happen
  93.                 // some are legit, and some could be bugs in the syncing code
  94.                 // most are probably legit, so no longer throwing errors for this stuff
  96.                 // if the email is set and nothing matched, then we have an issue...
  97.                 /*
  98.                 throw new \Exception(
  99.                     'SSO: Could not find user account by OneRoster ID.'
  100.                 );
  101.                 */
  103.                 // DEBUGGING
  104.                 $event->getOutput()->writeln(sprintf(
  105.                     'User absent from database for #%s, skipping...',
  106.                     $user->getSourcedId()
  107.                 ));
  109.                 // quit early, nothing else to do since not staff
  110.                 return;
  112.             }
  114.         }
  116.         // we need to get the groups tied to us for oneroster
  117.         $group $this->em->getRepository(Group::class)->findOneBy([
  118.             'name' => $this->translator->trans(sprintf(
  119.                 OneRosterPrepareSubscriber::NAME_FORMAT,
  120.                 $user->getRole()
  121.             )),
  122.         ]);
  123.         if (empty($group)) {
  124.             throw new \Exception(sprintf(
  125.                 'SSO: Could not load security group for role "%s".',
  126.                 $user->getRole()
  127.             ));
  128.         }
  130.         // get our existing group association
  131.         $membership $this->em->getRepository(GroupAccount::class)->findByAccountAndGroup(
  132.             $account,
  133.             $group
  134.         );
  136.         // if we don't have one, need to make one
  137.         if ( ! $membership) {
  138.             $membership = new GroupAccount();
  139.         }
  141.         // set things
  142.         $membership
  143.             ->setAlias(sprintf(
  144.                 'campussuite.platform.security.membership.%s.%s',
  145.                 $group->getId(),
  146.                 $account->getId()
  147.             ))
  148.             ->setFixed(true)
  149.             ->setAccount($account)
  150.             ->setGroup($group);
  152.         // oneroster stuff
  153.         $membership
  154.             ->setOneRosterId($user->getSourcedId())
  155.             ->setOneRosterArchived($user->isStatusToBeDeleted());
  157.         // cache the output
  158.         $output sprintf(
  159.             '    %s    %s    (%s >> %s | %s | %s)',
  160.             (empty($membership->getId())) ? 'Generating' 'Updating',
  161.             ClassUtils::getClass($membership),
  162.             $membership->getAccount()->getUserIdentifier(),
  163.             $membership->getGroup()->getName(),
  164.             $membership->getOneRosterId(),
  165.             $membership->getId() ?: '-'
  166.         );
  168.         // do update
  169.         $this->em->save($membership);
  171.         // DEBUGGING
  172.         $event->getOutput()->writeln($output);
  173.     }
  175.     /**
  176.      * @param OneRosterLinkEvent $event
  177.      */
  178.     public function groupsSync(OneRosterLinkEvent $event): void
  179.     {
  180.         // ensure we are meant to process this
  181.         if ( ! $this->checkTypes($event->getSync(), [
  182.             OneRosterSync::STRATEGIES__SSO,
  183.         ])) {
  184.             return;
  185.         }
  187.         // get the user
  188.         $user $event->getEntity();
  189.         if ( ! $user instanceof OneRosterUser) {
  190.             throw new \Exception(sprintf(
  191.                 'SSO: User is not of proper type, got "%s".',
  192.                 ClassUtils::getClass($user)
  193.             ));
  194.         }
  196.         // check and make sure that we are of a proper role
  197.         if ( ! $user->isRoleStaff()) {
  199.             // DEBUGGING
  200.             $event->getOutput()->writeln(sprintf(
  201.                 'User role for #%s is "%s", skipping...',
  202.                 $user->getSourcedId(),
  203.                 $user->getRole()
  204.             ));
  206.             // quit early, nothing else to do since not staff
  207.             return;
  209.         }
  211.         // attempt to load an account for us
  212.         $account $this->em->getRepository(Account::class)->findOneByOneRosterId(
  213.             $user->getSourcedId()
  214.         );
  216.         // if we don't have one, that may be a problem
  217.         if (empty($account)) {
  219.             // if the user doesn't have an email, this isn't weird as they would have been skipped over in the process phase
  220.             if ( ! $user->getEmail()) {
  222.                 // DEBUGGING
  223.                 $event->getOutput()->writeln(sprintf(
  224.                     'User missing email for #%s, skipping...',
  225.                     $user->getSourcedId()
  226.                 ));
  228.                 // quit early, nothing else to do since not staff
  229.                 return;
  231.             } else {
  233.                 // NOTE: JEZ 2022-01-20
  234.                 // there are many reasons why this would happen
  235.                 // some are legit, and some could be bugs in the syncing code
  236.                 // most are probably legit, so no longer throwing errors for this stuff
  238.                 // if the email is set and nothing matched, then we have an issue...
  239.                 /*
  240.                 throw new \Exception(
  241.                     'SSO: Could not find user account by OneRoster ID.'
  242.                 );
  243.                 */
  245.                 // DEBUGGING
  246.                 $event->getOutput()->writeln(sprintf(
  247.                     'User absent from database for #%s, skipping...',
  248.                     $user->getSourcedId()
  249.                 ));
  251.                 // quit early, nothing else to do since not staff
  252.                 return;
  254.             }
  256.         }
  258.         // determine the aliases we need to look for
  259.         $aliases array_values(array_filter(array_unique([
  260.             'oneroster.global.all',
  261.             $user->getRole() ? 'oneroster.global.'.$user->getRole() : null,
  262.             ...array_merge(...array_map(
  263.                 function (array $org) use ($user) {
  264.                     return [
  265.                         sprintf(
  266.                             'oneroster.school.all.%s',
  267.                             $org['sourcedId']
  268.                         ),
  269.                         sprintf(
  270.                             'oneroster.school.%s.%s',
  271.                             $user->getRole(),
  272.                             $org['sourcedId']
  273.                         ),
  274.                     ];
  275.                 },
  276.                 $user->getOrgs()
  277.             ))
  278.         ])));
  280.         // we need to get the groups tied to us for oneroster
  281.         $groups $this->em->getRepository(Group::class)->findBy([
  282.             'alias' => $aliases,
  283.         ]);
  284.         if (empty($groups)) {
  285.             throw new \Exception(sprintf(
  286.                 'SSO: Could not load security groups for role "%s".',
  287.                 $user->getRole()
  288.             ));
  289.         }
  291.         // TODO: should we check that the number of groups found matches the number of aliases?
  293.         // find all of our existing memberships that are covered by this code
  294.         /** @var GroupAccount[] $memberships */
  295.         $memberships $this->em->getRepository(GroupAccount::class)->createQueryBuilder('memberships')
  296.             ->andWhere('memberships.account = :account')
  297.             ->setParameter('account'$account)
  298.             ->andWhere('memberships.alias LIKE :alias')
  299.             ->setParameter('alias''oneroster.%')
  300.             ->getQuery()
  301.             ->getResult();
  303.         // loop over the groups
  304.         $managed = [];
  305.         foreach ($groups as $group) {
  307.             // try to find an existing relationship
  308.             $membership null;
  309.             foreach ($memberships as $thing) {
  310.                 if ($thing->getGroup() === $group) {
  311.                     $membership $thing;
  312.                     break;
  313.                 }
  314.             }
  316.             // if we don't have one, we may need to make one
  317.             if ( ! $membership) {
  319.                 // first, see if the person has been added to this group manually
  320.                 // if so, it will become managed by syncing code
  321.                 $membership $this->em->getRepository(GroupAccount::class)->findByAccountAndGroup(
  322.                     $account,
  323.                     $group
  324.                 );
  326.                 // if we still don't have one, that means we need to make a brand new one
  327.                 if ( ! $membership) {
  328.                     $membership = new GroupAccount();
  329.                 }
  330.             }
  332.             // set things
  333.             $managed[] = $membership
  334.                 ->setAlias(sprintf(
  335.                     'oneroster.%s.%s',
  336.                     $group->getOneRosterId(),
  337.                     $account->getOneRosterId()
  338.                 ))
  339.                 ->setFixed(true)
  340.                 ->setAccount($account)
  341.                 ->setGroup($group);
  343.             // oneroster stuff
  344.             $membership
  345.                 ->setOneRosterId($user->getSourcedId())
  346.                 ->setOneRosterArchived($user->isStatusToBeDeleted());
  348.         }
  350.         // DEBUGGING
  351.         array_walk($managed, function (GroupAccount $membership) use ($event) {
  352.             $event->getOutput()->writeln(sprintf(
  353.                 '    %s    %s (%s >> %s | %s | %s)',
  354.                 (empty($membership->getId())) ? 'Generating' 'Updating',
  355.                 ClassUtils::getClass($membership),
  356.                 $membership->getAccount()->getEmail(),
  357.                 $membership->getGroup()->getName(),
  358.                 $membership->getOneRosterId(),
  359.                 $membership->getId() ?: '-'
  360.             ));
  361.         });
  363.         // go ahead and save the things we know want to keep
  364.         // this allows us to get ids that are needed in the following checks
  365.         $this->em->saveAll($managed);
  367.         // determine which ones we need to remove
  368.         $removals array_udiff($memberships$managed, function (GroupAccount $aGroupAccount $b) {
  369.             return ($a === $b) ? $a->getId() <=> $b->getId();
  370.         });
  372.         // DEBUGGING
  373.         array_walk($removals, function (GroupAccount $membership) use ($event) {
  374.             $event->getOutput()->writeln(sprintf(
  375.                 '    Deleting    %s (%s >> %s | %s | %s)',
  376.                 ClassUtils::getClass($membership),
  377.                 $membership->getAccount()->getEmail(),
  378.                 $membership->getGroup()->getName(),
  379.                 $membership->getOneRosterId(),
  380.                 $membership->getId() ?: '-'
  381.             ));
  382.         });
  384.         // remove things we no longer need
  385.         $this->em->deleteAll($removals);
  386.     }
  387. }