Add possibility to enforce local user account

Fixes https://github.com/nextcloud/user_saml/issues/12 Fixes https://github.com/nextcloud/user_saml/issues/5
2024-04-26 22:34:53 +02:00 · 2016-06-29 20:34:10 +02:00 · 2016-06-29 20:34:10 +02:00 · f734958836
parent 487bf76165
commit f734958836
8 changed files with 98 additions and 5 deletions
--- a/appinfo/app.php
+++ b/appinfo/app.php
@ -39,6 +39,7 @@ $userBackend = new \OCA\User_SAML\UserBackend(
 	\OC::$server->getSession(),
 	\OC::$server->getDb()
 );
+$userBackend->registerBackends(\OC::$server->getUserManager()->getBackends());
 OC_User::useBackend($userBackend);
 OC_User::handleApacheAuth();

--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@ -50,6 +50,11 @@ namespace OCA\User_SAML\AppInfo;
 				'url' => '/saml/sls',
 				'verb' => 'GET',
 			],
+			[
+				'name' => 'SAML#notProvisioned',
+				'url' => '/saml/notProvisioned',
+				'verb' => 'GET',
+			],
 		]
 	]
 );
--- a/js/admin.js
+++ b/js/admin.js
@ -45,6 +45,19 @@ $(function() {
 		}
 	});

+	$('#user-saml-general input[type="checkbox"]').change(function(e) {
+		var el = $(this);
+		$.when(el.focusout()).then(function() {
+			var key = $(this).attr('name');
+			if($(this).val() === "0") {
+				$(this).val("1");
+			} else {
+				$(this).val("0");
+			}
+			setSAMLConfigValue('general', key, $(this).val());
+		});
+	});
+
 	$('#user-saml-security input[type="checkbox"]').change(function(e) {
 		var el = $(this);
 		$.when(el.focusout()).then(function() {
--- a/lib/controller/samlcontroller.php
+++ b/lib/controller/samlcontroller.php
@ -108,6 +108,16 @@ class SAMLController extends Controller {
 			exit();
 		}

+		// Check whether the user actually exists, if not redirect to an error page
+		// explaining the issue.
+		$uidMapping = \OC::$server->getConfig()->getAppValue('user_saml', 'general-uid_mapping', '');
+		if(isset($auth->getAttributes()[$uidMapping])) {
+			$uid = $auth->getAttributes()[$uidMapping][0];
+			$userExists = \OC::$server->getUserManager()->userExists($uid);
+			if(!$userExists) {
+				return new Http\RedirectResponse(\OC::$server->getURLGenerator()->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));
+			}
+		}

 		$this->session->set('user_saml.samlUserData', $auth->getAttributes());
 		$this->session->set('user_saml.samlNameId', $auth->getNameId());
@ -135,4 +145,12 @@ class SAMLController extends Controller {
 		$this->userSession->logout();
 		$auth->logout($returnTo, $parameters, $nameId, $sessionIndex);
 	}
+
+	/**
+	 * @PublicPage
+	 * @NoCSRFRequired
+	 */
+	public function notProvisioned() {
+		return new Http\TemplateResponse($this->appName, 'notProvisioned', [], 'guest');
+	}
 }
--- a/lib/controller/settingscontroller.php
+++ b/lib/controller/settingscontroller.php
@ -80,7 +80,10 @@ class SettingsController extends Controller {
 				'type' => 'line',
 				'required' => true,
 			],
-
+			'require_provisioned_account' => [
+				'text' => $this->l10n->t('Only allow authentication if an account is existent on some other backend. (e.g. LDAP)'),
+				'type' => 'checkbox',
+			],
 		];

 		$params = [
--- a/lib/samlsettings.php
+++ b/lib/samlsettings.php
@ -72,7 +72,6 @@ class SAMLSettings {
 			],
 		];

-
 		$spx509cert = $this->config->getAppValue('user_saml', 'sp-x509cert', '');
 		$spxprivateKey = $this->config->getAppValue('user_saml', 'sp-privateKey', '');
 		if($spx509cert !== '') {
--- a/lib/userbackend.php
+++ b/lib/userbackend.php
@ -42,6 +42,8 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 	private $session;
 	/** @var IDb */
 	private $db;
+	/** @var \OCP\UserInterface[] */
+	private $backends;

 	/**
 	 * @param IConfig $config
@ -72,7 +74,7 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 	 * @since 4.5.0
 	 */
 	public function implementsActions($actions) {
-		return (bool)((\OC_User_Backend::CHECK_PASSWORD | \OC_User_Backend::GET_DISPLAYNAME)
+		return (bool)((\OC_User_Backend::CHECK_PASSWORD)
 			& $actions);
 	}

@ -136,7 +138,15 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 	 * @since 4.5.0
 	 */
 	public function userExists($uid) {
-		return true;
+		if($backend = $this->getActualUserBackend($uid)) {
+			return $backend->userExists($uid);
+		}
+
+		if($this->autoprovisionAllowed()) {
+			return true;
+		} else {
+			return false;
+		}
 	}

 	/**
@ -210,7 +220,10 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 		$uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping', '');

 		if($uidMapping !== '' && isset($samlData[$uidMapping])) {
-			return $samlData[$uidMapping][0];
+			$uid = $samlData[$uidMapping][0];
+			if($this->userExists($uid)) {
+				return $uid;
+			}
 		}

 		return '';
@ -226,4 +239,39 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 		return 'user_saml';
 	}

+	/**
+	 * Whether autoprovisioning is enabled or not
+	 *
+	 * @return bool
+	 */
+	private function autoprovisionAllowed() {
+		return $this->config->getAppValue('user_saml', 'general-require_provisioned_account', '0') === '0';
+	}
+
+	/**
+	 * Gets the actual user backend of the user
+	 *
+	 * @param string $uid
+	 * @return null|UserInterface
+	 */
+	public function getActualUserBackend($uid) {
+		foreach($this->backends as $backend) {
+			if($backend->userExists($uid)) {
+				return $backend;
+			}
+		}
+
+		return null;
+	}
+
+	/**
+	 * Registers the used backends, used later to get the actual user backend
+	 * of the user.
+	 *
+	 * @param \OCP\UserInterface[] $backends
+	 */
+	public function registerBackends(array $backends) {
+		$this->backends = $backends;
+	}
+
 }
--- a/templates/notProvisioned.php
+++ b/templates/notProvisioned.php
@ -0,0 +1,6 @@
+<ul>
+	<li class="error">
+		<?php p($l->t('Account not provisioned.')) ?><br>
+		<p class="hint"><?php p($l->t('Your account is not provisioned, access to this service is thus not possible.')) ?></p>
+	</li>
+</ul>