Allow for disabling OAuth.

ministryofjustice · Apr 10, 2024 · 8d9c4a1 · 8d9c4a1
1 parent db6aa48
commit 8d9c4a1
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/public/app/mu-plugins/moj-auth/moj-auth.php b/public/app/mu-plugins/moj-auth/moj-auth.php
@@ -144,7 +144,7 @@ public function handlePageRequest(string $required_role = 'reader'): void
             return;
         }
 
-        // Handle Azure AD/Entra ID OAuth. It redirects to Azure, php code execution always stops here.
+        // Handle Azure AD/Entra ID OAuth. It redirects to Azure or xeits with 401 if disabled. php code execution always stops here.
         $this->oauthLogin();
     }
 

diff --git a/public/app/mu-plugins/moj-auth/oauth.php b/public/app/mu-plugins/moj-auth/oauth.php
@@ -16,6 +16,7 @@
 trait AuthOauth
 {
 
+    private $oauth_enabled    = true;
     private $oauth_tennant_id = '';
     private $oauth_authority  = '';
     private $oauth_app_id     = '';
@@ -33,6 +34,13 @@ public function initOauth()
     {
         $this->log('initOauth()');
 
+        // Check for required environment variables. OAuth can be disable by not setting these.
+        if(empty($_ENV['OAUTH_TENNANT_ID']) || empty($_ENV['OAUTH_CLIENT_ID']) || empty($_ENV['OAUTH_CLIENT_SECRET'])) {
+            $this->log('Missing OAuth environment variables');
+            $this->oauth_enabled = false;
+            return;
+        }
+
         $this->oauth_tennant_id = $_ENV['OAUTH_TENNANT_ID'];
         $this->oauth_authority  = 'https://login.microsoftonline.com/' . $this->oauth_tennant_id;
         $this->oauth_app_id     = $_ENV['OAUTH_CLIENT_ID'];
@@ -49,6 +57,9 @@ public function initOauth()
         ) {
             $this->oauth_action = $_GET['action'];
         }
+
+        // Clear OAUTH_CLIENT_SECRET from $_ENV global. It's not required elsewhere in the app.
+        unset($_ENV['OAUTH_CLIENT_SECRET']);
     }
 
     /**
@@ -83,6 +94,11 @@ public function oauthLogin(): void
     {
         $this->log('oauthLogin()');
 
+        if(!$this->oauth_enabled) {
+            $this->log('OAuth is not enabled');
+            http_response_code(401) && exit();
+        }
+
         $oauth_client = $this->getOAuthClient();
 
         $authUrl = $oauth_client->getAuthorizationUrl();
@@ -116,6 +132,11 @@ public function oauthCallback(): AccessTokenInterface
     {
         $this->log('oauthCallback()');
 
+        if(!$this->oauth_enabled) {
+            $this->log('OAuth is not enabled');
+            http_response_code(401) && exit();
+        }
+
         if (!isset($_SERVER['REQUEST_URI']) || !str_starts_with($_SERVER['REQUEST_URI'], $this::OAUTH_CALLBACK_URI)) {
             $this->log('in oauthCallback(), request uri does not match');
             http_response_code(401) && exit();
-Original file line number
+Diff line change
@@ Expand Up @@
                 return;
             }
-            // Handle Azure AD/Entra ID OAuth. It redirects to Azure, php code execution always stops here.
+            // Handle Azure AD/Entra ID OAuth. It redirects to Azure or xeits with 401 if disabled. php code execution always stops here.
             $this->oauthLogin();
         }
@@ Expand Down @@