Plugin: Azure: Register users as student and then update their status according defined groups - refs BT#21930

Author: AngelFQC

main/inc/lib/usermanager.lib.php

@@ -6250,7 +6250,7 @@ public static function get_favicon_from_url($url1, $url2 = null)
         return $icon_link;
     }
 
-    public static function addUserAsAdmin(User $user)
+    public static function addUserAsAdmin(User $user, bool $andFlush = true)
     {
         if ($user) {
             $userId = $user->getId();
@@ -6261,19 +6261,19 @@ public static function addUserAsAdmin(User $user)
             }
 
             $user->addRole('ROLE_SUPER_ADMIN');
-            self::getManager()->updateUser($user, true);
+            self::getManager()->updateUser($user, $andFlush);
         }
     }
 
-    public static function removeUserAdmin(User $user)
+    public static function removeUserAdmin(User $user, bool $andFlush = true)
     {
         $userId = (int) $user->getId();
         if (self::is_admin($userId)) {
             $table = Database::get_main_table(TABLE_MAIN_ADMIN);
             $sql = "DELETE FROM $table WHERE user_id = $userId";
             Database::query($sql);
             $user->removeRole('ROLE_SUPER_ADMIN');
-            self::getManager()->updateUser($user, true);
+            self::getManager()->updateUser($user, $andFlush);
         }
     }
 

plugin/azure_active_directory/src/AzureActiveDirectory.php

@@ -1,7 +1,7 @@
 <?php
 /* For license terms, see /license.txt */
 
-use League\OAuth2\Client\Token\AccessTokenInterface;
+use Chamilo\UserBundle\Entity\User;
 use TheNetworg\OAuth2\Client\Provider\Azure;
 
 /**
@@ -213,11 +213,7 @@ public function getUserIdByVerificationOrder(array $azureUserData, string $azure
      * @throws Exception
      */
     public function registerUser(
-        AccessTokenInterface &$token,
-        Azure $provider,
         array $azureUserInfo,
-        string $apiGroupsRef = 'me/memberOf',
-        string $objectIdKey = 'objectId',
         string $azureUidKey = 'objectId'
     ) {
         if (empty($azureUserInfo)) {
@@ -241,15 +237,13 @@ public function registerUser(
                 $authSource,
                 $active,
                 $extra,
-                $userRole,
-                $isAdmin,
-            ] = $this->formatUserData($token, $provider, $azureUserInfo, $apiGroupsRef, $objectIdKey, $azureUidKey);
+            ] = $this->formatUserData($azureUserInfo, $azureUidKey);
 
             // If the option is set to create users, create it
             $userId = UserManager::create_user(
                 $firstNme,
                 $lastName,
-                $userRole,
+                STUDENT,
                 $email,
                 $username,
                 '',
@@ -263,8 +257,7 @@ public function registerUser(
                 null,
                 $extra,
                 null,
-                null,
-                $isAdmin
+                null
             );
 
             if (!$userId) {
@@ -284,9 +277,7 @@ public function registerUser(
                 $authSource,
                 $active,
                 $extra,
-                $userRole,
-                $isAdmin,
-            ] = $this->formatUserData($token, $provider, $azureUserInfo, $apiGroupsRef, $objectIdKey, $azureUidKey);
+            ] = $this->formatUserData($azureUserInfo, $azureUidKey);
 
             $userId = UserManager::update_user(
                 $userId,
@@ -296,7 +287,7 @@ public function registerUser(
                 '',
                 $authSource,
                 $email,
-                $userRole,
+                STUDENT,
                 null,
                 $phone,
                 null,
@@ -319,24 +310,9 @@ public function registerUser(
      * @throws Exception
      */
     private function formatUserData(
-        AccessTokenInterface &$token,
-        Azure $provider,
         array $azureUserInfo,
-        string $apiGroupsRef,
-        string $groupObjectIdKey,
         string $azureUidKey
     ): array {
-        try {
-            [$userRole, $isAdmin] = $this->getUserRoleAndCheckIsAdmin(
-                $token,
-                $provider,
-                $apiGroupsRef,
-                $groupObjectIdKey
-            );
-        } catch (Exception $e) {
-            throw new Exception('Exception when formatting user '.$azureUserInfo[$azureUidKey].' data: '.$e->getMessage());
-        }
-
         $phone = null;
 
         if (isset($azureUserInfo['telephoneNumber'])) {
@@ -369,52 +345,44 @@ private function formatUserData(
             $authSource,
             $active,
             $extra,
-            $userRole,
-            $isAdmin,
         ];
     }
 
     /**
-     * @throws Exception
+     * @return array<string, string|false>
      */
-    private function getUserRoleAndCheckIsAdmin(
-        AccessTokenInterface &$token,
-        Azure $provider,
-        string $apiRef = 'me/memberOf',
-        string $groupObjectIdKey = 'objectId'
-    ): array {
-        // If any specific group ID has been defined for a specific role, use that
-        // ID to give the user the right role
-        $userRole = STUDENT;
-        $isAdmin = false;
-
-        $groupRoles = [
+    public function getGroupUidPerRole(): array
+    {
+        $groupUidList = [
             'admin' => $this->get(self::SETTING_GROUP_ID_ADMIN),
             'sessionAdmin' => $this->get(self::SETTING_GROUP_ID_SESSION_ADMIN),
             'teacher' => $this->get(self::SETTING_GROUP_ID_TEACHER),
         ];
 
-        if ($groupRoles = array_filter($groupRoles)) {
-            try {
-                $groups = $provider->get($apiRef, $token);
-            } catch (Exception $e) {
-                throw new Exception('Exception when requesting user groups from Azure: '.$e->getMessage());
-            }
+        return array_filter($groupUidList);
+    }
 
-            foreach ($groups as $group) {
-                $groupId = $group[$groupObjectIdKey];
-
-                if (isset($groupRoles['admin']) && $groupRoles['admin'] === $groupId) {
-                    $userRole = COURSEMANAGER;
-                    $isAdmin = true;
-                } elseif (isset($groupRoles['sessionAdmin']) && $groupRoles['sessionAdmin'] === $groupId) {
-                    $userRole = SESSIONADMIN;
-                } elseif (isset($groupRoles['teacher']) && $groupRoles['teacher'] === $groupId && $userRole !== SESSIONADMIN) {
-                    $userRole = COURSEMANAGER;
-                }
-            }
-        }
+    /**
+     * @return array<string, callable>
+     */
+    public function getActionPerRole(): array
+    {
+        return [
+            'admin' => function (User $user) {
+                $user->setStatus(COURSEMANAGER);
+
+                UserManager::addUserAsAdmin($user, false);
+            },
+            'sessionAdmin' => function (User $user) {
+                $user->setStatus(SESSIONADMIN);
 
-        return [$userRole, $isAdmin];
+                UserManager::removeUserAdmin($user, false);
+            },
+            'teacher' => function (User $user) {
+                $user->setStatus(COURSEMANAGER);
+
+                UserManager::removeUserAdmin($user, false);
+            },
+        ];
     }
 }

plugin/azure_active_directory/src/AzureCommand.php

@@ -42,4 +42,17 @@ protected function getToken(?AccessTokenInterface $currentToken = null): AccessT
 
         return $currentToken;
     }
+
+    /**
+     * @throws IdentityProviderException
+     */
+    protected function generateOrRefreshToken(?AccessTokenInterface &$token)
+    {
+        if (!$token || ($token->getExpires() && !$token->getRefreshToken())) {
+            $token = $this->provider->getAccessToken(
+                'client_credentials',
+                ['resource' => $this->provider->resource]
+            );
+        }
+    }
 }

plugin/azure_active_directory/src/AzureSyncUsersCommand.php

@@ -2,7 +2,7 @@
 
 /* For license terms, see /license.txt */
 
-use League\OAuth2\Client\Token\AccessTokenInterface;
+use Chamilo\UserBundle\Entity\User;
 
 class AzureSyncUsersCommand extends AzureCommand
 {
@@ -15,33 +15,54 @@ public function __invoke(): Generator
     {
         yield 'Synchronizing users from Azure.';
 
-        $token = $this->getToken();
-
+        /** @var array<string, int> $existingUsers */
         $existingUsers = [];
 
-        foreach ($this->getAzureUsers($token) as $azureUserInfo) {
+        foreach ($this->getAzureUsers() as $azureUserInfo) {
             try {
-                $token = $this->getToken($token);
-
-                $userId = $this->plugin->registerUser(
-                    $token,
-                    $this->provider,
-                    $azureUserInfo,
-                    'users/'.$azureUserInfo['id'].'/memberOf',
-                    'id',
-                    'id'
-                );
+                $userId = $this->plugin->registerUser($azureUserInfo, 'id');
             } catch (Exception $e) {
                 yield $e->getMessage();
 
                 continue;
             }
 
-            $existingUsers[] = $userId;
+            $existingUsers[$azureUserInfo['id']] = $userId;
+
+            yield sprintf('User (ID %d) with received info: %s ', $userId, serialize($azureUserInfo));
+        }
+
+        yield '----------------';
+        yield 'Updating users status';
+
+        $roleGroups = $this->plugin->getGroupUidPerRole();
+        $roleActions = $this->plugin->getActionPerRole();
+
+        $userManager = UserManager::getManager();
+        $em = Database::getManager();
+
+        foreach ($roleGroups as $userRole => $groupUid) {
+            $azureGroupMembersInfo = iterator_to_array($this->getAzureGroupMembers($groupUid));
+            $azureGroupMembersUids = array_column($azureGroupMembersInfo, 'id');
+
+            foreach ($azureGroupMembersUids as $azureGroupMembersUid) {
+                $userId = $existingUsers[$azureGroupMembersUid] ?? null;
+
+                if (!$userId) {
+                    continue;
+                }
+
+                if (isset($roleActions[$userRole])) {
+                    /** @var User $user */
+                    $user = $userManager->find($userId);
+
+                    $roleActions[$userRole]($user);
 
-            $userInfo = api_get_user_info($userId);
+                    yield sprintf('User (ID %d) status %s', $userId, $userRole);
+                }
+            }
 
-            yield sprintf('User info: %s', serialize($userInfo));
+            $em->flush();
         }
 
         if ('true' === $this->plugin->get(AzureActiveDirectory::SETTING_DEACTIVATE_NONEXISTING_USERS)) {
@@ -73,7 +94,7 @@ function ($user) {
      *
      * @return Generator<int, array<string, string>>
      */
-    private function getAzureUsers(AccessTokenInterface $token): Generator
+    private function getAzureUsers(): Generator
     {
         $userFields = [
             'givenName',
@@ -93,8 +114,10 @@ private function getAzureUsers(AccessTokenInterface $token): Generator
             implode(',', $userFields)
         );
 
+        $token = null;
+
         do {
-            $token = $this->getToken($token);
+            $this->generateOrRefreshToken($token);
 
             try {
                 $azureUsersRequest = $this->provider->request(
@@ -120,4 +143,49 @@ private function getAzureUsers(AccessTokenInterface $token): Generator
             }
         } while ($hasNextLink);
     }
+
+    /**
+     * @throws Exception
+     */
+    public function getAzureGroupMembers(string $groupUid): Generator
+    {
+        $userFields = [
+            'id',
+        ];
+
+        $query = sprintf(
+            '$top=%d&$select=%s',
+            AzureActiveDirectory::API_PAGE_SIZE,
+            implode(',', $userFields)
+        );
+
+        $token = null;
+
+        do {
+            $this->generateOrRefreshToken($token);
+
+            try {
+                $azureGroupMembersRequest = $this->provider->request(
+                    'get',
+                    "groups/$groupUid/members?$query",
+                    $token
+                );
+            } catch (Exception $e) {
+                throw new Exception('Exception when requesting group members from Azure: '.$e->getMessage());
+            }
+
+            $azureGroupMembers = $azureGroupMembersRequest['value'] ?? [];
+
+            foreach ($azureGroupMembers as $azureGroupMember) {
+                yield $azureGroupMember;
+            }
+
+            $hasNextLink = false;
+
+            if (!empty($azureGroupMembersRequest['@odata.nextLink'])) {
+                $hasNextLink = true;
+                $query = parse_url($azureGroupMembersRequest['@odata.nextLink'], PHP_URL_QUERY);
+            }
+        } while ($hasNextLink);
+    }
 }