-
Notifications
You must be signed in to change notification settings - Fork 3
/
simplesamlphp_auth.module
375 lines (349 loc) · 12.4 KB
/
simplesamlphp_auth.module
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
<?php
/**
* @file
* simpleSAMLphp authentication module for Drupal.
*
* This authentication module is based on the shibboleth authentication module,
* with changes to adopt to use simpleSAMLphp.
*
* KLUDGE: Drupal does not kill the session on logout, even with
* drupal_session_destroy_uid(), so I had to use session_destroy().
*
* This module belongs to Andreas Åkre Solberg, Snorre Løvås and Steve Moitozo (Maintenance)
* the adjustments we're doing is to allow multiple IDPs and SPs on the same website with custom
* logic from TA
* @version 7.x.3.5
* @author Pablo Tapia <[email protected]>
* @author Angel Alvarado <[email protected]>
*/
/**
* We load the custom Simple SAML Auth object to store all the IDP information
*/
module_load_include('inc', 'simplesamlphp_auth', 'includes/simplesamlphp_auth.drupal');
/**
* Implements hook_menu().
*/
function simplesamlphp_auth_menu() {
$items = [];
$items['admin/config/people/simplesamlphp_auth'] = [
'title' => 'Simple SAML Auth Settings',
'description' => 'Control the various settings of the simpleSAMLphp authentication module',
'page callback' => 'drupal_get_form',
'page arguments' => ['simplesamlphp_auth_settings'],
'access arguments' => ['administer simpleSAMLphp authentication'],
'file' => 'simplesamlphp_auth.admin.inc',
];
$items['admin/config/people/simplesamlphp_auth/default'] = [
'title' => 'SAML Auth Settings',
'type' => MENU_DEFAULT_LOCAL_TASK,
'weight' => -10
];
$items['admin/config/people/simplesamlphp_auth/idp'] = [
'title' => 'IDP Auth Settings',
'description' => 'Provides a form with settings to manage IDP entries',
'type' => MENU_LOCAL_TASK,
'page callback' => 'simplesamlphp_auth_idp_settings',
'access arguments' => ['administer simpleSAMLphp authentication'],
'file' => 'simplesamlphp_auth.admin.inc',
];
$items['admin/config/people/simplesamlphp_auth/%ssaml_auth'] = [
'title' => 'SimpleSAML PHP Authentication',
'page callback' => 'drupal_get_form',
'page arguments' => ['simplesamlphp_auth_form', 4],
'access arguments' => ['administer simpleSAMLphp authentication'],
'file' => 'simplesamlphp_auth.admin.inc',
];
$items['admin/config/people/simplesamlphp_auth/%ssaml_auth/edit'] = [
'title' => 'IDP Edit Auth Settings',
'type' => MENU_DEFAULT_LOCAL_TASK,
];
$items['admin/config/people/simplesamlphp_auth/%ssaml_auth/delete'] = [
'title' => 'IDP Delete Auth Settings',
'type' => MENU_CALLBACK,
'page callback' => 'drupal_get_form',
'page arguments' => ['simplesamlphp_auth_delete', 4],
'access arguments' => ['administer simpleSAMLphp authentication'],
'file' => 'simplesamlphp_auth.admin.inc',
];
$items['saml_login/%ssaml_auth'] = [
'title' => 'Logon to the site',
'type' => MENU_CALLBACK,
'page callback' => 'simplesamlphp_auth_loginpage',
'page arguments' => [1],
'access callback' => TRUE,
'file' => 'simplesamlphp_auth.pages.inc',
];
$items['saml_redirect'] = [
'type' => MENU_CALLBACK,
'page callback' => '_saml_redirect',
'access callback' => TRUE,
'delivery callback' => '_saml_redirection_delivery',
'file' => 'simplesamlphp_auth.pages.inc',
];
return $items;
}
/**
* Loads an IDP from the database.
*
* The method retrieves the ID of the IDP
* created on Drupal from the URL using hook_menu
*/
function ssaml_auth_load($id) {
if (!is_numeric($id)) {
return FALSE;
} // end if.
watchdog('simplesamlphp_auth', 'Load IdP with %id', array('%id' => $id), WATCHDOG_DEBUG);
return db_query("SELECT * FROM {saml_idp_settings} WHERE id = :id", array(':id' => $id))->fetchObject();
}
/**
* Implements hook_admin_paths().
*/
function simplesamlphp_auth_admin_paths() {
return array('admin/config/people/simplesamlphp_auth' => TRUE);
}
/**
* Implements hook_help().
*/
function simplesamlphp_auth_help($path, $arg) {
switch ($path) {
case 'admin/config/people/simplesamlphp_auth':
$output = t('<p>This module integrates Drupal with a SAML PHP Service Points (SP), effectively federating Drupal.</p>');
return $output;
}
// End switch.
}
/**
* Implements hook_permission().
*/
function simplesamlphp_auth_permission() {
return array(
'administer simpleSAMLphp authentication' => array(
'title' => t('Administer simpleSAMLphp authentication'),
'description' => t('Warning: Give to trusted roles only; this permission has security implications.'),
),
);
}
/**
* Implements hook_user_logout().
*
* Log out user from Drupal and IdP (If SP is configured to do so)
*/
function simplesamlphp_auth_user_logout() {
if (isset($_COOKIE['_lta']) && $_COOKIE['_lta'] && $_COOKIE['_lta'] == filter_xss($_COOKIE['_lta'])) {
$idp = (int) filter_xss(($_COOKIE['_lta']));
$idp_record = db_query('SELECT source_name FROM {saml_idp_settings} WHERE id = :id', array(':id' => $idp))->fetchField();
if ($idp_record) {
try {
$simplesamlphp_drupal = SimpleSAML_Drupal::factory();
$simplesamlphp_drupal->load($idp);
$simplesamlphp_auth_as = $simplesamlphp_drupal->getSimpleSAMLAuthSimple();
$simplesamlphp_auth_saml_attributes = $simplesamlphp_drupal->getAttrsFromAssertion();
}
catch (Exception $e) {
watchdog_exception('simplesamlphp', $e, 'Error logging out user from IdP !id', array('!id' => $idp));
}
// End try - catch.
if (!empty($simplesamlphp_auth_saml_attributes)) {
/**
* KLUDGE: for some reason Drupal is not killing the session, even if I were to
* call drupal_session_destroy_uid() here.
*/
session_destroy();
$gotourl = base_path();
if (variable_get('simplesamlphp_auth_logoutgotourl', '')) {
$gotourl = variable_get('simplesamlphp_auth_logoutgotourl', '');
}
// End if.
$simplesamlphp_auth_as->logout($gotourl);
}
// End if.
}
}
}
/**
* Implements hook_user_delete().
*/
function simplesamlphp_auth_user_delete($account) {
db_delete('authmap')->condition('uid', $account->uid)->condition('authname', $account->name)->execute();
}
/**
* Implements hook_form_alter().
* Change form themes on registration and profile pages.
* @param
* $form: array; elements in the form
* $form_state: array: elements once form in being filled
* $form_id: block id
**/
function simplesamlphp_auth_form_alter(&$form, $form_state, $form_id) {
try {
SimpleSAML_Drupal::factory();
}
catch (Exception $e) {
watchdog_exception('simplesamlphp_auth', $e);
}
// End try - catch.
/**
* If the user has a simplesamlphp_auth authmap record, then don't require them to know their Drupal password.
* This will allow them to change their e-mail address, and set a Drupal password if they want to (and are allowed).
*/
if ((isset($form['#user']->init) && $form['#user']->init) &&
(_simplesaml_auth_user_has_authmap($form['#user']->init) && $form_id == 'user_profile_form')
) {
unset($form['account']['current_pass']);
unset($form['account']['current_pass_required_values']);
$form['#validate'] = array_diff($form['#validate'], array('user_validate_current_pass'));
// If the user is a simplesamlphp_auth user and is NOT allowed to set their Drupal password, remove the fields from the form.
if (!variable_get('simplesamlphp_auth_allowsetdrupalpwd')) {
unset($form['account']['pass']);
} // End if.
} // End if.
/**
* We don't need to add a Federated Login anymore .. the modified version of the Login form is already
* @todo remove this function
* taking care of redirecting the user to the appropiated IDP
*/
}
/**
* Forces HTTPS connections.
*/
function _simplesamlphp_auth_forcehttps_rewrite($url) {
if (variable_get('simplesamlphp_auth_forcehttps', TRUE)) {
$url = str_replace('http://', 'https://', $url);
_simplesaml_auth_debug('forcehttps rewrite: ' . $url);
} // end if
return $url;
}
/****************************************************************************
* Private functions ********************************************************
****************************************************************************/
/**
* See if the user has an authmap record for simplesamlphp_auth
*/
function _simplesaml_auth_user_has_authmap($authname) {
$authmaps = user_get_authmaps($authname);
$return = 0;
if (is_array($authmaps)) {
$return = in_array('simplesamlphp_auth', array_keys($authmaps));
}
// End if.
return $return;
}
/**
* This helper function is used by developers to debug the form API workflow in this module.
*/
function _simplesaml_auth_debug($message) {
watchdog('simplesamlphp', $message, NULL, WATCHDOG_DEBUG);
}
/**
* Helper function for logging out a user that is has a active session in Drupal but not with simpleSAML.
*/
function _simplesamlphp_auth_destroy_drupal_session() {
global $user;
watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
// Destroy the current session:
session_destroy();
drupal_save_session(FALSE);
// Only variables can be passed by reference workaround.
$null = NULL;
user_module_invoke('logout', $null, $user);
// Load the anonymous user.
$user = drupal_anonymous_user();
drupal_goto();
}
/**
* Implements hook_form_FORM_ID_alter().
*
* Changes the logic of the login form
*/
function simplesamlphp_auth_form_user_login_alter(&$form, &$form_state) {
$GLOBALS['conf']['cache'] = FALSE;
if (!array_key_exists("step", $form_state) && empty($form_state['step'])) {
// Adding a new step 'form-element' to provide a 'multistepform'
$form_state['step'] = 1;
$form['next'] = array(
'#type' => 'submit',
'#value' => t('Next'),
'#name' => 'next',
'#submit' => array('saml_user_submit'),
'#limit_validation_errors' => array(),
);
$form['pass']['#access'] = FALSE;
$form['persistent_login']['#access'] = FALSE;
$form['ip_login']['#access'] = FALSE;
$form['actions']['submit']['#access'] = FALSE;
}
}
/**
* Implements hook_init().
*
* Loads javascript to redirecr SSO users to their IdP
* This provides a great seemsly deeplink integration
* The current URL the user is browsing is taken as
* the RelayState parameter
*/
function simplesamlphp_auth_init() {
global $base_url;
if (user_is_anonymous()) {
// Javascript code to attach click event to redirect users
// to their IdP if the IdP cookie exists.
drupal_add_js($base_url . '/' . drupal_get_path('module', 'simplesamlphp_auth') . '/theme/login-redirect.js',
array(
'type' => 'file',
'scope' => 'footer',
'weight' => 100,
'group' => JS_THEME,
'requires_jquery' => FALSE
));
// Unccoment redirect.js to take SSO user authomatically
// to their IdP (if the IdP cookie exists).
// This assumes the SSO user has log in at least once
// and cookies haven't been deleted.
// @todo add in the UI a list of URLs where this script will be triggered.
//drupal_add_js('sites/all/modules/custom/simplesamlphp_auth/theme/redirect.js');
}
// End if.
if ($_GET['q'] == 'user') {
drupal_page_is_cacheable(FALSE);
}
// End if.
}
/**
* Helper funtion to find out the idp domain
* @return true and redirect users to their idp login
*/
function saml_user_submit($form, &$form_state) {
$mail = $form_state['input']['name'];
if (!empty($mail)) {
$mail = check_plain($mail);
$domain = substr(strrchr($mail, "@"), 1);
$allowed_chars = preg_replace("/[a-zA-Z\.]/", "", $domain);
$idpId = 0;
if (empty($allowed_chars)) {
$source = db_query("SELECT id, domain FROM saml_idp_settings")->fetchAll();
foreach ($source as $idp) {
if (strpos($domain, $idp->domain) !== FALSE) {
$idpId = $idp->id;
break;
} // end if
} // end for each
} // end if
if ($idpId) {
global $base_url;
$base_url_saml = _simplesamlphp_auth_forcehttps_rewrite($base_url);
header("Location: " . $base_url_saml . '/saml_login/' . $idpId, TRUE, 301);
die();
}
else {
$form_state['rebuild'] = TRUE;
return;
} // end if else
} // end if - mail
}
/**
* Alter the list of projects before fetching data and comparing versions.
* Disabling updates for this module
* @see hook_update_projects_alter
*/
function simplesamlphp_auth_update_projects_alter(&$projects){
unset($projects['simplesamlphp_auth']);
}