Commit a4708eeb authored by Daniel Sabatino's avatar Daniel Sabatino

Merge branch 'release/1.5.0' into 7.x-1.x

parents 2d9ddb65 744556eb
......@@ -16,6 +16,11 @@ function ocio_simplesamlphp_auth_install() {
variable_set('ocio_simplesamlphp_auth_metadata_path', 'sites/default/files/private/simplesamlphp/metadata/');
variable_set('ocio_simplesamlphp_auth_metadata_files', 'shib13-idp-remote.php,saml20-idp-remote.php');
variable_set('ocio_simplesamlphp_auth_login_block_msg', 'While you have successfuly authenticated, you are not authorized to access this site. Please contact the administrators to obtain access to this site.');
// require login variables
variable_set('ocio_simplesamlphp_auth_require_login_enabled', 0);
variable_set('ocio_simplesamlphp_auth_require_login_msg', 'You must login to use this site.');
variable_set('ocio_simplesamlphp_auth_require_login_excluded_paths', '');
variable_set('ocio_simplesamlphp_auth_require_login_auth_path', '/saml_login');
// set variables created by simplesamlphp_auth to our defaults
variable_set('simplesamlphp_auth_user_name', 'urn:oid:0.9.2342.19200300.100.1.3');
......@@ -36,6 +41,11 @@ function ocio_simplesamlphp_auth_uninstall() {
variable_del('ocio_simplesamlphp_auth_cron_path');
variable_del('ocio_simplesamlphp_auth_metadata_path');
variable_del('ocio_simplesamlphp_auth_metadata_files');
variable_del('ocio_simplesamlphp_auth_login_block_msg');
variable_del('ocio_simplesamlphp_auth_require_login_enabled');
variable_del('ocio_simplesamlphp_auth_require_login_msg');
variable_del('ocio_simplesamlphp_auth_require_login_excluded_paths');
variable_del('ocio_simplesamlphp_auth_require_login_auth_path');
}
/**
......
......@@ -137,10 +137,20 @@ function ocio_simplesamlphp_auth_menu_alter(&$items) {
* FORM_ID = simplesamlphp_auth_settings
*/
function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form, &$form_state) {
// check for pantheon environment; display path if found
$pantheon_environment = _ocio_simplesamlphp_auth_get_pantheon_env();
$path_note = '';
if ($pantheon_environment) {
$envPath = _ocio_simplesamlphp_auth_get_env_path();
$path_note = '</br>Pantheon environment detected (' . $pantheon_environment . '). ' . $envPath . ' will be prepended to your path.';
}
// hide the automatic role population section as it can cause problems with shibboleth auth
$form['simplesamlphp_auth_grp_user']['simplesamlphp_auth_rolepopulation']['#access'] = FALSE;
$form['simplesamlphp_auth_grp_user']['simplesamlphp_auth_roleevaleverytime']['#access'] = FALSE;
// add default role setting to User Provisioning section
// -- -- alter user provisioning section
// default role setting
$form['simplesamlphp_auth_grp_reg']['ocio_simplesamlphp_auth_default_role_id'] = array(
'#title' => 'Default Role',
'#description' => 'The default role to assign auto-provisioned users.',
......@@ -154,7 +164,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'disabled' => array(':input[name="ocio_simplesamlphp_auth_whitelist_only"]' => array('checked' => TRUE)),
),
);
// add whitelist restriction setting to User Provising section
// whitelist restriction
$form['simplesamlphp_auth_grp_reg']['ocio_simplesamlphp_auth_whitelist_only'] = array(
'#type' => 'checkbox',
'#title' => 'Restrict to Whitelisted Users',
......@@ -165,6 +175,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'visible' => array(':input[name="simplesamlphp_auth_registerusers"]' => array('checked' => TRUE)),
),
);
// custom login blocked message
$form['simplesamlphp_auth_grp_reg']['ocio_simplesamlphp_auth_login_block_msg'] = array(
'#type' => 'textarea',
'#title' => 'Blocked Message',
......@@ -175,14 +186,15 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'invisible' => array(':input[name="ocio_simplesamlphp_auth_whitelist_only"]' => array('checked' => FALSE)),
),
);
// create new section for metadata refresh settings
// -- -- create metadata refresh section
$form['metadata_refresh'] = array(
'#type' => 'fieldset',
'#title' => 'Metadata Refresh',
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
// cron key
$form['metadata_refresh']['ocio_simplesamlphp_auth_cron_key'] = array(
'#type' => 'textfield',
'#title' => t('Cron Access Key'),
......@@ -192,7 +204,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'#description' => t('Cron access key for simpleSAMLphp.'),
'#required' => TRUE,
);
// cron path
$form['metadata_refresh']['ocio_simplesamlphp_auth_cron_path'] = array(
'#type' => 'textfield',
'#title' => t('Cron Path'),
......@@ -202,13 +214,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'#description' => t('Path to simpleSAMLphp cron.php.'),
'#required' => TRUE,
);
// -- check for pantheon environment; display path if found
$pantheon_environment = _ocio_simplesamlphp_auth_get_pantheon_env();
$path_note = '';
if ($pantheon_environment) {
$envPath = _ocio_simplesamlphp_auth_get_env_path();
$path_note = '</br>Pantheon environment detected (' . $pantheon_environment . '). ' . $envPath . ' will be prepended to your path.';
}
// metadata path
$form['metadata_refresh']['ocio_simplesamlphp_auth_metadata_path'] = array(
'#type' => 'textfield',
'#title' => t('IDP Metadata File Path'),
......@@ -218,6 +224,7 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'#description' => t('Path to IDP metadata files.' . $path_note),
'#required' => TRUE,
);
// metadata files
$form['metadata_refresh']['ocio_simplesamlphp_auth_metadata_files'] = array(
'#type' => 'textfield',
'#title' => t('IDP Metadata Files'),
......@@ -227,6 +234,48 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
'#description' => t('List each IDP metadata file to refresh. Separate each file with a comma.'),
'#required' => TRUE,
);
// -- -- create require login section
$form['require_login'] = array(
'#type' => 'fieldset',
'#title' => 'Require Login',
'#collapsible' => TRUE,
'#collapsed' => TRUE,
);
// enable checkbox
$form['require_login']['ocio_simplesamlphp_auth_require_login_enabled'] = array(
'#type' => 'checkbox',
'#title' => t('Require Login'),
'#description' => t('Require all users to login to access this site.'),
'#default_value' => variable_get('ocio_simplesamlphp_auth_require_login_enabled', 0),
);
// login path
$form['require_login']['ocio_simplesamlphp_auth_require_login_auth_path'] = array(
'#type' => 'textfield',
'#title' => t('User Login Path'),
'#description' => t('Relative login redirect path for anonymous users.'),
'#default_value' => variable_get('ocio_simplesamlphp_auth_require_login_auth_path', '/saml_login'),
);
// require login message
$form['require_login']['ocio_simplesamlphp_auth_require_login_msg'] = array(
'#type' => 'textarea',
'#title' => t('Blocked Message'),
'#description' => t('Message to display when user is required to login.'),
'#default_value' => variable_get('ocio_simplesamlphp_auth_login_required_msg', 'You must log in to use this site.'),
);
// excluded paths
$excludeInstructions = array(
t('Use &lt;front &gt; to exclude the front page.'),
t('Use relative path to exclude content and other internal Drupal pages. <em>Example: /about/contact</em>'),
t('Use absolute path to exclude Drupal bootstrap enabled PHP scripts. <em>Example: /path/to/drupal/script/filename.php</em>'),
);
$form['require_login']['ocio_simplesamlphp_auth_require_login_excluded_paths'] = array(
'#type' => 'textarea',
'#title' => t('Excluded Paths'),
'#description' => t('Use the excluded paths setting to disable user authentication in specific areas. Enter one exclusion per line using the following formats:') .
theme('item_list', array('items' => $excludeInstructions)),
'#default_value' => variable_get('ocio_simplesamlphp_auth_require_login_excluded_paths', ''),
);
}
/**
......@@ -464,6 +513,68 @@ function ocio_simplesamlphp_auth_cron() {
}
/**
* Implements hook_init().
*/
function ocio_simplesamlphp_auth_init() {
global $base_url;
// check for expired metadata
if (current_path() == 'user/login' || current_path() == 'saml_login') {
$metaExpire = _ocio_simplesamlphp_auth_get_metadata_expire();
if (time() > $metaExpire) {
watchdog('ocio_simplesamlphp_auth', 'Expired metadata detected. Expires: ' . date('Y-m-d h:i:s a', $metaExpire)
. '. Current: ' . date('Y-m-d h:i:s a', time()) . '. Refreshing.');
_ocio_simplesamlphp_auth_refresh_metadata();
}
}
// when logging in with simplesaml, fix broken paths to simplesaml application.
if (current_path() == 'saml_login' && !is_dir(variable_get('simplesamlphp_auth_installdir'))) {
$saml_path = _ocio_simplesamlphp_auth_get_env_path() . '/code/private/simplesaml';
// update var
if (is_dir($saml_path)) {
variable_set('simplesamlphp_auth_installdir', $saml_path);
}
}
// get login required setting
$loginRequired = variable_get('ocio_simplesamlphp_auth_require_login_enabled', '0');
// check user authentication status if enabled; redirect non-authenticated users to configured login path
if ($loginRequired && !_ocio_simplesamlphp_auth_authcheck()) {
$query = array('destination' => $_GET['q']);
// display access denied message.
$deny_message = filter_xss_admin(trim(variable_get('ocio_simplesamlphp_auth_require_login_msg', 'You must login to use this site.')));
drupal_set_message(t($deny_message), 'warning');
// exclude external PHP scripts from destination query.
if (preg_match('/^.*\.php$/i', request_uri())) {
$query = array();
}
// prepare authentication redirect path.
$redirect = array(
'path' => '/user/login',
'query' => $query,
);
if ($auth_path = filter_xss_admin(trim(variable_get('ocio_simplesamlphp_auth_require_login_auth_path', '/saml_login')))) {
$redirect = drupal_parse_url($auth_path);
}
// support for simpleSAMLphp returnTo query param
$returnTo = base_path() . request_path();
if (strlen($returnTo)) {
$redirect['query']['ReturnTo'] = $base_url . $returnTo;
}
drupal_goto(ltrim($redirect['path'], ''), array(
'query' => isset($redirect['query']) ? $redirect['query'] : array(),
'fragment' => isset($redirect['fragment']) ? $redirect['fragment'] : '',
));
}
}
/** ***************************
* Private Functions
***************************** */
......@@ -690,25 +801,66 @@ function _ocio_simplesamlphp_auth_check_cron_key() {
}
/**
* Implements hook_init().
* helper function to determine if user is authenticated
*
* @return boolean
* Returns TRUE if authenticated and FALSE otherwise.
*/
function ocio_simplesamlphp_auth_init() {
// check for expired metadata
if (current_path() == 'user/login' || current_path() == 'saml_login') {
$metaExpire = _ocio_simplesamlphp_auth_get_metadata_expire();
if (time() > $metaExpire) {
watchdog('ocio_simplesamlphp_auth', 'Expired metadata detected. Expires: ' . date('Y-m-d h:i:s a', $metaExpire)
. '. Current: ' . date('Y-m-d h:i:s a', time()) . '. Refreshing.');
_ocio_simplesamlphp_auth_refresh_metadata();
}
function _ocio_simplesamlphp_auth_authcheck() {
global $base_path, $base_url;
$path = '/'. drupal_get_path_alias($_GET['q']);
// Isolate request path from subdirectory when present.
$raw_uri = request_uri();
if ($base_path != '/') {
$current_uri = '/'. str_replace($base_path, '', $raw_uri);
}
else {
$current_uri = $raw_uri;
}
// If logging in with simplesaml, fix broken paths to simplesaml application.
if (current_path() == 'saml_login' && !is_dir(variable_get('simplesamlphp_auth_installdir'))) {
$saml_path = _ocio_simplesamlphp_auth_get_env_path() . '/code/private/simplesaml';
// Detect PHP script running Drupal bootstrap.
if (preg_match('/^.*\.php$/i', $raw_uri)) {
$path = $base_path . trim($current_uri, '/');
}
if (is_dir($saml_path)) {
variable_set('simplesamlphp_auth_installdir', $saml_path);
// Compare current URL with customizable excluded paths. Returns TRUE when
// at least one excluded path matches the current page path. Also includes
// custom configured user login path with exclusions.
$exclude_paths = explode(PHP_EOL, variable_get('ocio_simplesamlphp_auth_require_login_excluded_paths', ''));
foreach ($exclude_paths as $key => $exclude_path) {
$exclude_paths[$key] = trim($exclude_path);
if ($exclude_paths[$key] == '<front>') {
$exclude_paths[$key] = '/'. drupal_get_path_alias(variable_get('site_frontpage', 'node'));
}
}
if ($auth_path = filter_xss_admin(trim(variable_get('require_login_auth_path', '')))) {
$auth_path = drupal_parse_url($auth_path);
$exclude_paths[] = trim($auth_path['path']);
}
if (drupal_match_path($path, implode(PHP_EOL, $exclude_paths))) {
return TRUE;
}
// Various checks to determine exceptions for current page. Returns TRUE
// when at least one check has evaluated as TRUE.
$checks = array(
(user_is_logged_in()), // Authentication
(variable_get('maintenance_mode', 0)), // Maintenance Mode
(isset($_SESSION['openid'])), // OpenID
(preg_match('/^\/cron.php/i', $current_uri)), // Cron
(preg_match('/\/update.php/i', request_uri())), // Update
(preg_match('/\/install.php/i', request_uri())), // Install
(arg(0) == 'user' && (!arg(1) || !is_numeric(arg(1)))), // User Pages
(function_exists('drupal_is_cli') && drupal_is_cli()), // Drush
);
foreach ($checks as $check) {
if ($check) {
return TRUE;
}
}
// Return FALSE when checks have all passed.
return FALSE;
}
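Review bot: In _ocio_simplesamlphp_auth_authcheck the configured login path is read as `variable_get('require_login_auth_path', '')`, while the install hook, the settings form and hook_init all use the prefixed name `ocio_simplesamlphp_auth_require_login_auth_path`, so the unprefixed lookup never yields a value and the login path is never added to the exclusion list; with require-login enabled, an anonymous request to the configured path (default `/saml_login`, whose arg(0) is not 'user') therefore appears to fail the check and be redirected to itself again by hook_init. The line should read `if ($auth_path = filter_xss_admin(trim(variable_get('ocio_simplesamlphp_auth_require_login_auth_path', '')))) {`. The same kind of mismatch is in the settings-form hunk, where the 'Blocked Message' textarea's `#default_value` reads `ocio_simplesamlphp_auth_login_required_msg` although the element key, the install defaults and hook_init use `ocio_simplesamlphp_auth_require_login_msg`, so a saved message is never shown back in the form. In hook_init, `ltrim($redirect['path'], '')` is a no-op because the character list is empty; `ltrim($redirect['path'], '/')` is presumably what was intended so drupal_goto receives a relative path rather than one with a leading slash.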