-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathos2web_simplesaml.module
426 lines (362 loc) · 15.1 KB
/
os2web_simplesaml.module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
<?php
/**
* @file
* OS2Web SimpleSAML functionality module.
*/
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Url;
use Drupal\user\UserInterface;
/**
* Implements hook_form_FORM_ID_alter().
*
* Adds redirect IPs settings to simplesamlphp_auth_local_settings_form.
*/
function os2web_simplesaml_form_simplesamlphp_auth_local_settings_form_alter(&$form, FormStateInterface $form_state, $form_id) {
$config = \Drupal::config('os2web_simplesaml.settings');
$form['os2web_simplesaml_additional_settings'] = [
'#type' => 'fieldset',
'#title' => t('OS2Web SimpleSAML additional settings'),
];
$form['os2web_simplesaml_additional_settings']['redirect_ips'] = [
'#type' => 'textfield',
'#title' => t("Redirect IP's to SimpleSAML login"),
'#default_value' => $config->get('redirect_ips'),
'#description' => t('Comma separated. Ex. 192.168.1.1,192.168.2.1'),
];
$form['os2web_simplesaml_additional_settings']['redirect_trigger_path'] = [
'#type' => 'textfield',
'#title' => t('Redirect triggering paths'),
'#default_value' => $config->get('redirect_trigger_path'),
'#description' => t('Comma separated paths that will trigger the redirect The \'*\' character is a wildcard. Ex. /form/*,/node/add/webform NB! The caching for that path will be programmatically disabled.'),
];
$form['os2web_simplesaml_additional_settings']['redirect_cookies_ttl'] = [
'#type' => 'number',
'#min' => 0,
'#step' => 10,
'#title' => t('Redirect cookies time to live (TTL)'),
'#default_value' => $config->get('redirect_cookies_ttl'),
'#description' => t('Number of seconds, after which the positive or negative redirect decision will expire. Setting long time improves the performance, but IP rules change will take longer to become active for all users.'),
'#required' => TRUE,
];
$form['#validate'][] = 'os2web_simplesaml_auth_local_settings_form_validate';
$form['#submit'][] = 'os2web_simplesaml_auth_local_settings_form_submit';
}
/**
* Validation for simplesamlphp_auth_local_settings_form.
*
* Checks provided IP list format.
*/
function os2web_simplesaml_auth_local_settings_form_validate(&$form, FormStateInterface $form_state) {
if ($form_state->hasValue('redirect_ips')) {
$redirect_ips = $form_state->getValue('redirect_ips');
if (preg_match("/[^0-9.,]/", $redirect_ips)) {
$form_state->setErrorByName('redirect_ips', t('Invalid format, must be comma separated. Ex. 192.168.1.1,192.168.2.1'));
}
}
}
/**
* Submit for simplesamlphp_auth_local_settings_form.
*
* Saves redirect_ips into configuration.
*/
function os2web_simplesaml_auth_local_settings_form_submit(&$form, FormStateInterface $form_state) {
$redirect_ips = $form_state->getValue('redirect_ips');
$redirect_trigger_path = $form_state->getValue('redirect_trigger_path');
$redirect_cookies_ttl = $form_state->getValue('redirect_cookies_ttl');
$config = \Drupal::service('config.factory')
->getEditable('os2web_simplesaml.settings');
$config->set('redirect_ips', $redirect_ips);
$config->set('redirect_trigger_path', $redirect_trigger_path);
$config->set('redirect_cookies_ttl', $redirect_cookies_ttl);
$config->save();
// Invalidating router cache, so that new settings are applied.
\Drupal::service("router.builder")->rebuild();
}
/**
* Implements hook_form_FORM_ID_alter().
*
* Adds mapping fields settings to simplesamlphp_auth_syncing_settings_form.
*/
function os2web_simplesaml_form_simplesamlphp_auth_syncing_settings_form_alter(&$form, FormStateInterface $form_state, $form_id) {
$config = \Drupal::config('os2web_simplesaml.settings');
$fieldsMapping = unserialize($config->get('simplesaml_fields_mapping'));
if (!is_array($fieldsMapping)) {
$fieldsMapping = [];
}
/** @var \Drupal\simplesamlphp_auth\Service\SimplesamlphpAuthManager $simplesaml */
$simplesaml = \Drupal::service('simplesamlphp_auth.manager');
$hasSamlSession = $simplesaml->isAuthenticated();
// User SimpleSAML Fields.
$form['os2web_simplesaml_user_attributes'] = [
'#type' => 'details',
'#title' => t('Current User SimpleSAML attributes'),
'#weight' => -1,
];
if ($hasSamlSession) {
$header = [t('SimpleSAML attribute'), t('Value')];
$rows = [];
foreach ($simplesaml->getAttributes() as $attr_key => $attr_value) {
$values = [
'#theme' => 'item_list',
'#items' => $attr_value,
];
$rows[] = [
$attr_key,
\Drupal::service('renderer')->renderPlain($values),
];
}
$attributesTable = [
'#caption' => t('If attribute has nested value, using the attribute without index will fetch the value from first index, like this: </br></br><b>eduPersonAffiliation</b></br></br>If you require value from specific index, e.g. index <b>2</b>, you can fetch it like this: </br></br><b>eduPersonAffiliation[1]</b></br></br>Using <b>eduPersonAffiliation</b> and <b>eduPersonAffiliation[0]</b> will have the same result.</br></br>'),
'#theme' => 'table',
'#header' => $header,
'#rows' => $rows,
'#empty' => t('No data'),
];
$form['os2web_simplesaml_user_attributes'][] = [
'#markup' => \Drupal::service('renderer')->renderPlain($attributesTable),
];
}
else {
$form['os2web_simplesaml_user_attributes'][] = [
'#markup' => t('Cannot fetch SAML session'),
];
}
// User fields mapping.
$form['os2web_simplesaml_user_fields_mapping'] = [
'#type' => 'details',
'#title' => t('OS2Web User fields mapping'),
'#weight' => -1,
];
$userFieldsLink = NULL;
/* @var \Drupal\Core\Routing\RouteProviderInterface $route_provider */
$route_provider = \Drupal::service('router.route_provider');
if (count($route_provider->getRoutesByNames(['entity.user.field_ui_fields']))) {
$userFieldsLink = Url::fromRoute('entity.user.field_ui_fields')->toString();
}
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'] = [
'#type' => 'table',
'#header' => [
t('Field'),
t('Field type'),
t('SimpleSAML attribute'),
t('Force sync on every login'),
t('Value example'),
],
'#caption' => ($userFieldsLink) ? t('User fields can be adde or changed on <a href=":link">account settings page</a>', [':link' => $userFieldsLink]) : NULL,
];
// Disabling those system fields.
$disabledFields = ['name', 'mail', 'init'];
// Among enabled fields we support mapping of those types only.
$allowedFieldTypes = ['email', 'string', 'entity_reference'];
$userFields = \Drupal::service('entity_field.manager')->getFieldDefinitions('user', 'user');
/** @var \Drupal\os2web_simplesaml\Service\SimpleSamlManager $simpleSamlUtils */
$simpleSamlUtils = \Drupal::service('os2web_simplesaml_manager');
/** @var \Drupal\field\Entity\FieldConfig $field */
foreach ($userFields as $field_key => $field) {
// Limiting field available for mapping.
if (in_array($field_key, $disabledFields) || !in_array($field->getType(), $allowedFieldTypes)) {
continue;
}
// If fieldType is entity_reference, we only support taxonomy terms.
if ($field->getType() == 'entity_reference' && $field->getSetting('target_type') !== 'taxonomy_term') {
continue;
}
$simpleSamlAttr = array_key_exists($field_key, $fieldsMapping) ? $fieldsMapping[$field_key]['simplesaml_attr'] : NULL;
$forceSync = array_key_exists($field_key, $fieldsMapping) ? $fieldsMapping[$field_key]['force_sync'] : NULL;
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key][] = [
'#plain_text' => $field_key,
];
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key][] = [
'#plain_text' => $field->getType(),
];
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key]['simplesaml_attr'] = [
'#type' => 'textfield',
'#title' => t('SimpleSAML attribute'),
'#title_display' => 'invisible',
'#default_value' => $simpleSamlAttr,
];
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key]['force_sync'] = [
'#type' => 'checkbox',
'#title' => t('Force synchronize on every login'),
'#title_display' => 'invisible',
'#default_value' => $forceSync,
];
if ($hasSamlSession) {
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key][] = [
'#plain_text' => ($simpleSamlAttr) ? $simpleSamlUtils->extractAttribute($simpleSamlAttr) : NULL,
];
}
else {
$form['os2web_simplesaml_user_fields_mapping']['fields_mapping'][$field_key][] = [
'#plain_text' => t('Cannot fetch SAML session'),
];
}
}
$form['#submit'][] = 'os2web_simplesaml_auth_syncing_settings_form_submit';
}
/**
* Submit for simplesamlphp_auth_syncing_settings_form.
*
* Saves fields mapping into the configuration.
*/
function os2web_simplesaml_auth_syncing_settings_form_submit(&$form, FormStateInterface $form_state) {
$fieldsMapping = $form_state->getValue('fields_mapping');
$config = \Drupal::service('config.factory')
->getEditable('os2web_simplesaml.settings');
$config->set('simplesaml_fields_mapping', serialize($fieldsMapping));
$config->save();
}
/**
* Implements hook_entity_extra_field_info().
*/
function os2web_simplesaml_entity_extra_field_info() {
$fields = [];
$fields['user']['user']['form']['os2web_simplesaml_uid'] = [
'label' => t('SimpleSAML UID'),
'description' => '',
'weight' => 0,
'visible' => TRUE,
];
return $fields;
}
/**
* Implements hook_form_FORM_ID_alter().
*
* @see AccountForm::form()
* @see os2web_simplesaml_user_form_includes()
*/
function os2web_simplesaml_form_user_form_alter(&$form, FormStateInterface $form_state, $form_id) {
os2web_simplesaml_user_form_includes($form);
// If the user has a simplesamlphp_auth authmap record, then fetch it and
// prefill the field.
$authmap = \Drupal::service('externalauth.authmap');
$account = $form_state->getFormObject()->getEntity();
if ($account->id()) {
$authname = $authmap->get($account->id(), 'simplesamlphp_auth');
if ($authname) {
$form['os2web_simplesaml_uid']['#default_value'] = $authname;
}
}
}
/**
* Implements hook_form_FORM_ID_alter().
*
* @see AccountForm::form()
* @see os2web_simplesaml_user_form_includes()
*/
function os2web_simplesaml_form_user_register_form_alter(&$form, FormStateInterface $form_state, $form_id) {
os2web_simplesaml_user_form_includes($form);
}
/**
* Helper function to include the BC SimpleSAML on user forms.
*
* Alters the user register form to include a textfield for providing custom
* SimpleSAML value.
*
* @param array $form
* The user account form.
*
* @see os2web_simplesaml_user_form_submit()
*/
function os2web_simplesaml_user_form_includes(array &$form) {
// Getting SimpleSAML existing authname to use as an example.
$query = \Drupal::database()->select('authmap', 'am')
->fields('am', ['authname'])
->condition('provider', 'simplesamlphp_auth')
->range(0, 1);
$simplesamlExample = $query->execute()->fetchField();
$form['os2web_simplesaml_uid'] = [
'#type' => 'textfield',
'#title' => t('SimpleSAML UID'),
'#access' => \Drupal::currentUser()->hasPermission('change saml authentication setting'),
'#description' => $simplesamlExample ? t('Example of the existing SimpleSAML entry from authmap table: <b>@simplesaml</b>', ['@simplesaml' => $simplesamlExample]) : t('Provide a string serves the UID of the user.'),
];
// Adding custom validation.
$form['#validate'][] = 'os2web_simplesaml_user_form_validate';
// Adding custom submit.
$form['actions']['submit']['#submit'][] = 'os2web_simplesaml_user_form_submit';
}
/**
* Form validation handler for user_form.
*/
function os2web_simplesaml_user_form_validate($form, FormStateInterface $form_state) {
$simplesaml_uid = NULL;
if ($form_state->getValue('os2web_simplesaml_uid')) {
$simplesaml_uid = $form_state->getValue('os2web_simplesaml_uid');
}
if (!$form_state->getValue('simplesamlphp_auth_user_enable') && !empty($simplesaml_uid)) {
$form_state->setErrorByName('os2web_simplesaml_uid', t('Field SimpleSAML UID is provided but SAML authentication is not checked, mapping will not be created'));
}
}
/**
* Form submission handler for user_form.
*/
function os2web_simplesaml_user_form_submit($form, FormStateInterface $form_state) {
$authmap = \Drupal::service('externalauth.authmap');
$externalauth = \Drupal::service('externalauth.externalauth');
// Remove this user from the ExternalAuth authmap table.
$authmap->delete($form_state->getValue('uid'));
if ($form_state->getValue('os2web_simplesaml_uid')) {
$simplesaml_uid = $form_state->getValue('os2web_simplesaml_uid');
}
// Add an authmap entry for this account, so it can leverage SAML
// authentication.
if ($simplesaml_uid) {
$account = $form_state->getFormObject()->getEntity();
$externalauth->linkExistingAccount($simplesaml_uid, 'simplesamlphp_auth', $account);
}
}
/**
* Implements hook_simplesamlphp_auth_user_attributes().
*/
function os2web_simplesaml_simplesamlphp_auth_user_attributes(UserInterface $account, $attributes) {
$userChanged = FALSE;
$config = \Drupal::config('os2web_simplesaml.settings');
$fieldsMapping = unserialize($config->get('simplesaml_fields_mapping'));
// Nothing to map.
if (empty($fieldsMapping)) {
return FALSE;
}
$userFields = \Drupal::service('entity_field.manager')->getFieldDefinitions('user', 'user');
/** @var \Drupal\os2web_simplesaml\Service\SimpleSamlManager $simpleSamlUtils */
$simpleSamlUtils = \Drupal::service('os2web_simplesaml_manager');
/** @var \Drupal\field\Entity\FieldConfig $field */
foreach ($userFields as $field_key => $field) {
$simpleSamlAttr = array_key_exists($field_key, $fieldsMapping) ? $fieldsMapping[$field_key]['simplesaml_attr'] : NULL;
$forceSync = array_key_exists($field_key, $fieldsMapping) ? $fieldsMapping[$field_key]['force_sync'] : NULL;
if ($simpleSamlAttr) {
if ($forceSync || empty($account->get($field_key)->getValue())) {
$simpleSamlValue = $simpleSamlUtils->extractAttribute($simpleSamlAttr);
$currentValue = $account->get($field_key)->getString();
// If fieldType is entity_reference, we only support taxonomy terms.
if ($field->getType() == 'entity_reference' && $field->getSetting('target_type') == 'taxonomy_term') {
$vid = $field->getSetting('handler_settings')['target_bundles'];
$vid = reset($vid);
// Getting term id.
$properties = [
'name' => $simpleSamlValue,
'vid' => $vid,
];
$terms = \Drupal::entityTypeManager()->getStorage('taxonomy_term')->loadByProperties($properties);
if ($terms) {
$term = reset($terms);
// Replace simplesaml Value with the term ID.
$simpleSamlValue = $term->id();
}
// Term not found, setting value NULL.
else {
$simpleSamlValue = NULL;
}
}
if (strcmp($simpleSamlValue, $currentValue) !== 0) {
$account->set($field_key, $simpleSamlValue);
$userChanged = TRUE;
}
}
}
}
if ($userChanged) {
return $account;
}
return FALSE;
}