Overriding '/saml_login' page callback to rename cookie because pantheon

a58f7af7 · bcweaver · dc2dc1f0 · a58f7af7
Commit a58f7af7 authored 6 years ago by bcweaver
--- a/ocio_simplesamlphp_auth.module
+++ b/ocio_simplesamlphp_auth.module
@@ -131,6 +131,12 @@ function ocio_simplesamlphp_auth_menu_alter(&$items) {
  // whitelist entity form as tab
  $items['admin/config/people/simplesamlphp_auth/ocio_simplesamlphp_auth_whitelist']['type'] = MENU_LOCAL_TASK;
  $items['admin/config/people/simplesamlphp_auth/ocio_simplesamlphp_auth_whitelist']['title'] = 'Whitelist';
+
+  if (defined('PANTHEON_ENVIRONMENT')) {
+    if(isset($items['saml_login'])) {
+      $items['saml_login']['page callback'] = 'ocio_simplesamlphp_auth_loginpage';
+    }
+  }
 }

 /**
@@ -149,9 +155,9 @@ function ocio_simplesamlphp_auth_form_simplesamlphp_auth_settings_alter(&$form,
  // hide the automatic role population section as it can cause problems with shibboleth auth
  $form['simplesamlphp_auth_grp_user']['simplesamlphp_auth_rolepopulation']['#access'] = FALSE;
  $form['simplesamlphp_auth_grp_user']['simplesamlphp_auth_roleevaleverytime']['#access'] = FALSE;
-  
-  // -- -- alter user provisioning section 
-  // default role setting 
+
+  // -- -- alter user provisioning section
+  // default role setting
  $form['simplesamlphp_auth_grp_reg']['ocio_simplesamlphp_auth_default_role_id'] = array(
    '#title' => 'Default Role',
    '#description' => 'The default role to assign auto-provisioned users.',
@@ -580,7 +586,7 @@ function ocio_simplesamlphp_auth_cron() {
 */
 function ocio_simplesamlphp_auth_init() {
  global $base_url;
-  
+
  // check for expired metadata
  if (current_path() == 'user/login' || current_path() == 'saml_login') {
    $metaExpire = _ocio_simplesamlphp_auth_get_metadata_expire();
@@ -602,7 +608,7 @@ function ocio_simplesamlphp_auth_init() {

  // get login required setting
  $loginRequired = variable_get('ocio_simplesamlphp_auth_require_login_enabled', '0');
-  // check user authentication status if enabled; redirect non-authenticated users to configured login path 
+  // check user authentication status if enabled; redirect non-authenticated users to configured login path
  if ($loginRequired && !_ocio_simplesamlphp_auth_authcheck()) {
    $query = array('destination' => $_GET['q']);

@@ -767,11 +773,15 @@ function _ocio_simplesamlphp_auth_refresh_metadata($httpOptions = array()){
    'https' => TRUE,
  );
  $urlString = url($cron_path, $urlOptions);
+  watchdog('ocio_simplesamlphp_auth', "Fetching metadata from $urlString");
  // use curl to hit refresh URL
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_URL, $urlString);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  $output = curl_exec($ch);
+  watchdog('ocio_simplesamlphp_auth', "curl result: " . print_r($output, true));
+  $error = curl_error($ch);
+  watchdog('ocio_simplesamlphp_auth', "curl error: $error");
  curl_close($ch);
  // log
  $metaExpire = _ocio_simplesamlphp_auth_get_metadata_expire();
@@ -927,3 +937,106 @@ function _ocio_simplesamlphp_auth_authcheck() {
  return FALSE;
 }

+
+/**
+ * Page callback for /saml_login
+ */
+function ocio_simplesamlphp_auth_loginpage() {
+  global $user;
+  global $base_url;
+  global $_simplesamlphp_auth_as;
+  global $_simplesamlphp_auth_saml_attributes;
+
+  $fail = NULL;
+  $output = NULL;
+
+  if (!_simplesamlphp_auth_isEnabled()) {
+    // Exit without initializing.
+    drupal_set_message(t('We\'re sorry this feature is not yet enabled.'));
+    return '';
+  }
+
+  // Do some sanity checking before attempting anything.
+  $config = SimpleSAML_Configuration::getInstance();
+  $configStoreType = $config->getValue('store.type');
+
+  // Make sure phpsession is NOT being used.
+  if ($configStoreType == 'phpsession') {
+    watchdog('ocio_simplesamlphp_auth', 'A user attempted to login using simplesamlphp but the store.type is phpsession, use memcache or sql for simplesamlphp session storage. See: simplesamlphp/config/config.php.', NULL, WATCHDOG_WARNING);
+    $fail = TRUE;
+  }
+
+  // Make sure there is an instance of SimpleSAML_Auth_Simple.
+  if (!$_simplesamlphp_auth_as) {
+    watchdog('ocio_simplesamlphp_auth', 'A user attempted to login using this module but there was a problem.', NULL, WATCHDOG_WARNING);
+    $fail = TRUE;
+  }
+
+  // There was a problem, we can't go on, but we don't want to tell the user any specifics either.
+  if ($fail) {
+    drupal_set_message(t('We\'re sorry. There was a problem. The issue has been logged for the administrator.'));
+    drupal_goto(base_path());
+  }
+
+  $returnto  = NULL;
+
+  // Support for deep linking.
+
+  // See if a URL has been explicitly provided in ReturnTo. If so, use it (as long as it points to this site).
+  if ((isset($_REQUEST['ReturnTo']) && $_REQUEST['ReturnTo']) &&
+      (valid_url($_REQUEST['ReturnTo']) && stristr($_REQUEST['ReturnTo'], $base_url))) {
+
+        $returnto = $_REQUEST['ReturnTo'];
+
+  // If not, see if a REFERER URL is available. If so, use it (as long as it points to this site).
+  }
+  elseif ((isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']) &&
+          (valid_url($_SERVER['HTTP_REFERER']) && stristr($_SERVER['HTTP_REFERER'], $base_url))) {
+
+        $returnto = $_SERVER['HTTP_REFERER'];
+  }
+
+  // If the user is anonymous, set the cookie (if we can) and require authentication.
+  if ($user->uid == 0) {
+
+    if ($returnto) {
+      // Set the cookie so we can deliver the user to the place they started
+      setrawcookie('SimpleSAMLRedirectLocation', $returnto, time()+60*60);
+    }
+
+    // Require the user to be authenticated.
+    $_simplesamlphp_auth_as->requireAuth();
+
+
+  // If the user is authenticated, send them along.
+  }
+  else {
+
+    $gotourl = NULL;
+
+    // Check to see if we've set a cookie. If there is one, give it priority.
+    if (isset($_COOKIE['SimpleSAMLRedirectLocation']) && $_COOKIE['SimpleSAMLRedirectLocation']) {
+      // use the cookie for the ReturnTo
+      $gotourl = $_COOKIE['SimpleSAMLRedirectLocation'];
+
+      // unset the cookie
+      setrawcookie('SimpleSAMLRedirectLocation', '');
+
+    }
+    elseif ($returnto) {
+      $gotourl = $returnto;
+    }
+
+
+    // If a ReturnTo has been set.
+    if ($gotourl) {
+      drupal_goto(str_replace($base_url . '/', '', $gotourl));
+    }
+    else {
+      drupal_goto('user/' . $user->uid);
+    }
+
+  }
+
+  return $output;
+}