LSauth add filter_function parameter

doc/conf/srv-ldap.docbook

@@ -25,6 +25,7 @@ serveur LDAP.</para>
           '[object type 1]',
           '[object type 2]' => array(
             'filter' => '[LDAP filter]',
+            'filter_function' => [callable],
             'password_attribute' => '[attribute name]',
             'web_access' => [booléen],
             'api_access' => [booléen],
@@ -170,6 +171,21 @@ serveur LDAP.</para>
   </listitem>
 </varlistentry>
 
+<varlistentry>
+  <term>filter_function</term>
+  <listitem>
+    <simpara><emphasis>Callable</emphasis> (au sens PHP) utilisé pour filtrer les utilisateurs
+    trouvés dans l'annuaire à partir des autres paramètres : cette fonction, si elle est définie,
+    sera appelée pour chaque utilisateur trouvé, avec pour unique paramètre, une référence à l'objet
+    LDAP correspondant (<literal>LSldapObject</literal>). Cette méthode devra alors retourner
+    <literal>true</literal> ou <literal>false</literal> pour respectivement autoriser ou interdire
+    l'accès à l'application à l'utilisateur.</simpara>
+    <note><simpara>Si un utilisateur est exclus par cette méthode et qu'aucun autre utilisateur
+    correspondant n'a été trouvé dans l'annuaire, une page d'erreur sera affichée et indiquera que
+    l'accès à l'application est refusée.</simpara></note>
+  </listitem>
+</varlistentry>
+
 <varlistentry>
   <term>password_attribute</term>
   <listitem>

src/includes/class/class.LSauth.php

@@ -132,6 +132,7 @@ class LSauth extends LSlog_staticLoggerClass {
 
       $objTypes[$objType] = array(
         'filter' => self :: getConfig("LSobjects.$objType.filter", null, 'string'),
+        'filter_function' => self :: getConfig("LSobjects.$objType.filter_function", null),
         'password_attribute' => self :: getConfig("LSobjects.$objType.password_attribute", 'userPassword', 'string'),
       );
     }
@@ -169,11 +170,19 @@ class LSauth extends LSlog_staticLoggerClass {
    */
   public static function username2LSobjects($username) {
     $user_objects = array();
+    $excluded_objects = false;
     foreach (self :: getAuthObjectTypes() as $objType => $objParams) {
       if (!LSsession :: loadLSobject($objType)) {
         LSerror :: addErrorCode('LSauth_03', $objType);
         return false;
       }
+      if (isset($objParams['filter_function']) && !is_callable($objParams['filter_function'])) {
+        LSerror :: addErrorCode(
+          'LSauth_09',
+          ['objtype' => $objType, 'function' => format_callable($objParams['filter_function'])]
+        );
+        return false;
+      }
       $authobject = new $objType();
       $result = $authobject -> searchObject(
         $username,
@@ -181,12 +190,28 @@ class LSauth extends LSlog_staticLoggerClass {
         $objParams['filter'],
         array('withoutCache' => true, 'onlyAccessible' => false)
       );
-      for($i=0; $i<count($result); $i++)
+      for($i=0; $i<count($result); $i++) {
+        if (
+          isset($objParams['filter_function'])
+          && !call_user_func_array($objParams['filter_function'], [$result[$i]])
+        ) {
+          self :: log_debug(
+            sprintf(
+              'username2LSobjects(%s): user %s filtered out by filter function %s',
+              $username, $result[$i]->getDn(), format_callable($objParams['filter_function'])
+            )
+          );
+          $excluded_objects = true;
+          continue;
+        }
         $user_objects[$result[$i] -> getDn()] = $result[$i];
+      }
     }
 
     $nbresult = count($user_objects);
     if ($nbresult == 0) {
+      if ($excluded_objects)
+        self :: accessDenied();
       // incorrect login
       self :: log_debug('Invalid username');
       LSerror :: addErrorCode('LSauth_01');
@@ -306,6 +331,29 @@ class LSauth extends LSlog_staticLoggerClass {
     return self :: $params['displayLoginForm'];
   }
 
+  /**
+   * Handle access denied error
+   *
+   * @return never
+   **/
+  public static function accessDenied() {
+    http_response_code(401);
+    if (LSsession :: get('api_mode') || LSsession :: getAjaxDisplay()) {
+      header('Content-Type: application/json');
+      $errors = array(_("You are not authorized to access this application."));
+      echo json_encode(
+        ['errors' => [_("You are not authorized to access this application.")], 'success' => false],
+        (isset($_REQUEST['pretty'])?JSON_PRETTY_PRINT:0)
+      );
+    }
+    else if (class_exists('LStemplate')) {
+      LStemplate :: assign('pagetitle', _("Access denied."));
+      LStemplate :: assign('error', _("You are not authorized to access this application."));
+      LStemplate :: display("error.tpl");
+    }
+    exit();
+  }
+
 }
 
 /*
@@ -335,3 +383,6 @@ ___("LSauth : Failed to get authentication informations from provider.")
 LSerror :: defineError('LSauth_08',
 ___("LSauth : Method %{method} configured doesn't support API mode.")
 );
+LSerror :: defineError('LSauth_09',
+___("LSauth : The filter function speficied for %{objtype} is not callable (%{function}).")
+);

src/lang/fr_FR.UTF8/LC_MESSAGES/ldapsaisie.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: LdapSaisie\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: \n"
-"PO-Revision-Date: 2023-07-19 12:07+0200\n"
+"PO-Revision-Date: 2023-08-18 15:44+0200\n"
 "Last-Translator: Benjamin Renard <brenard@easter-eggs.com>\n"
 "Language-Team: LdapSaisie <ldapsaisie-users@lists.labs.libre-entreprise."
 "org>\n"
@@ -2708,43 +2708,60 @@ msgstr ""
 "LSattr_ldap_password : La fonction d'encodage %{function} n'est pas "
 "disponible. Le mot de passe sera stocké en clair."
 
-#: includes/class/class.LSauth.php:315
+#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
+#: includes/class/class.LSauth.php:351
+msgid "You are not authorized to access this application."
+msgstr "Vous n'êtes pas autorisé à accéder à cette application."
+
+#: includes/class/class.LSauth.php:350
+msgid "Access denied."
+msgstr "Accès interdit."
+
+#: includes/class/class.LSauth.php:363
 msgid "LSauth : Login or password incorrect."
 msgstr "LSauth : Identifiant ou mot de passe incorrects."
 
-#: includes/class/class.LSauth.php:318
+#: includes/class/class.LSauth.php:366
 msgid "LSauth : Impossible to identify you : Duplication of identities."
 msgstr "LSauth : Impossible de vous identifier : Duplication d'identité."
 
-#: includes/class/class.LSauth.php:321
+#: includes/class/class.LSauth.php:369
 msgid "LSauth : Could not load type of identifiable objects %{type}."
 msgstr "LSauth : Impossible de charger le type d'objets identifiables %{type}."
 
-#: includes/class/class.LSauth.php:324
+#: includes/class/class.LSauth.php:372
 msgid "LSauth : Can't load authentication method %{method}."
 msgstr ""
 "LSauth : Impossible de charger la méthode d'authentification %{method}."
 
-#: includes/class/class.LSauth.php:327
+#: includes/class/class.LSauth.php:375
 msgid "LSauth : Failed to build the authentication provider %{method}."
 msgstr ""
 "LSauth : Impossible de construire le gestionnaire d'authentification "
 "%{method}."
 
-#: includes/class/class.LSauth.php:330
+#: includes/class/class.LSauth.php:378
 msgid "LSauth : Not correctly initialized."
 msgstr "LSauth : Mauvaise initialisation."
 
-#: includes/class/class.LSauth.php:333
+#: includes/class/class.LSauth.php:381
 msgid "LSauth : Failed to get authentication informations from provider."
 msgstr ""
 "LSauth : Impossible de récupérer les informations authentification auprès du "
 "gestionnaire."
 
-#: includes/class/class.LSauth.php:336
+#: includes/class/class.LSauth.php:384
 msgid "LSauth : Method %{method} configured doesn't support API mode."
 msgstr "LSauth : La méthode %{method} configurée ne supporte pas le mode API."
 
+#: includes/class/class.LSauth.php:387
+msgid ""
+"LSauth : The filter function speficied for %{objtype} is not callable "
+"(%{function})."
+msgstr ""
+"LSauth : La fonction de filtrage pour les %{objtype} n'est pas exécutable "
+"(%{function})."
+
 #: includes/class/class.LSformElement_supannEtuInscription.php:41
 msgid "Organism"
 msgstr "Etablissement"

src/lang/ldapsaisie.pot

@@ -2299,38 +2299,53 @@ msgid ""
 "password will be stored in clear text."
 msgstr ""
 
-#: includes/class/class.LSauth.php:315
+#: includes/class/class.LSauth.php:343 includes/class/class.LSauth.php:345
+#: includes/class/class.LSauth.php:351
+msgid "You are not authorized to access this application."
+msgstr ""
+
+#: includes/class/class.LSauth.php:350
+msgid "Access denied."
+msgstr ""
+
+#: includes/class/class.LSauth.php:363
 msgid "LSauth : Login or password incorrect."
 msgstr ""
 
-#: includes/class/class.LSauth.php:318
+#: includes/class/class.LSauth.php:366
 msgid "LSauth : Impossible to identify you : Duplication of identities."
 msgstr ""
 
-#: includes/class/class.LSauth.php:321
+#: includes/class/class.LSauth.php:369
 msgid "LSauth : Could not load type of identifiable objects %{type}."
 msgstr ""
 
-#: includes/class/class.LSauth.php:324
+#: includes/class/class.LSauth.php:372
 msgid "LSauth : Can't load authentication method %{method}."
 msgstr ""
 
-#: includes/class/class.LSauth.php:327
+#: includes/class/class.LSauth.php:375
 msgid "LSauth : Failed to build the authentication provider %{method}."
 msgstr ""
 
-#: includes/class/class.LSauth.php:330
+#: includes/class/class.LSauth.php:378
 msgid "LSauth : Not correctly initialized."
 msgstr ""
 
-#: includes/class/class.LSauth.php:333
+#: includes/class/class.LSauth.php:381
 msgid "LSauth : Failed to get authentication informations from provider."
 msgstr ""
 
-#: includes/class/class.LSauth.php:336
+#: includes/class/class.LSauth.php:384
 msgid "LSauth : Method %{method} configured doesn't support API mode."
 msgstr ""
 
+#: includes/class/class.LSauth.php:387
+msgid ""
+"LSauth : The filter function speficied for %{objtype} is not callable "
+"(%{function})."
+msgstr ""
+
 #: includes/class/class.LSformElement_supannEtuInscription.php:41
 msgid "Organism"
 msgstr ""