Add possibility to enforce local user account
Fixes https://github.com/nextcloud/user_saml/issues/12 Fixes https://github.com/nextcloud/user_saml/issues/5
This commit is contained in:
parent
487bf76165
commit
f734958836
|
@ -39,6 +39,7 @@ $userBackend = new \OCA\User_SAML\UserBackend(
|
|||
\OC::$server->getSession(),
|
||||
\OC::$server->getDb()
|
||||
);
|
||||
$userBackend->registerBackends(\OC::$server->getUserManager()->getBackends());
|
||||
OC_User::useBackend($userBackend);
|
||||
OC_User::handleApacheAuth();
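Review bot: `registerBackends()` at L24 hands the backend a snapshot of `getUserManager()->getBackends()` taken while this app.php runs, so a user backend registered by an app that loads later is invisible to `getActualUserBackend()` and its users would count as not provisioned once the new option is switched on. Whether that ordering can occur depends on app load order, which the hunk does not show; if it can, the lookup should ask the user manager at call time rather than keep a stored list. The snapshot is taken before `OC_User::useBackend($userBackend)` at L27, so the SAML backend is not in its own list and `userExists()` cannot recurse into itself; that ordering is load-bearing and deserves a one-line comment, e.g. `// must stay before useBackend(): this backend must not appear in its own backend list`.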
|
||||
|
||||
|
|
|
@ -50,6 +50,11 @@ namespace OCA\User_SAML\AppInfo;
|
|||
'url' => '/saml/sls',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
[
|
||||
'name' => 'SAML#notProvisioned',
|
||||
'url' => '/saml/notProvisioned',
|
||||
'verb' => 'GET',
|
||||
],
|
||||
]
|
||||
]
|
||||
);
|
||||
|
|
13
js/admin.js
13
js/admin.js
|
@ -45,6 +45,19 @@ $(function() {
|
|||
}
|
||||
});
|
||||
|
||||
$('#user-saml-general input[type="checkbox"]').change(function(e) {
|
||||
var el = $(this);
|
||||
$.when(el.focusout()).then(function() {
|
||||
var key = $(this).attr('name');
|
||||
if($(this).val() === "0") {
|
||||
$(this).val("1");
|
||||
} else {
|
||||
$(this).val("0");
|
||||
}
|
||||
setSAMLConfigValue('general', key, $(this).val());
|
||||
});
|
||||
});
|
||||
|
||||
$('#user-saml-security input[type="checkbox"]').change(function(e) {
|
||||
var el = $(this);
|
||||
$.when(el.focusout()).then(function() {
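Review bot: The new `#user-saml-general` handler at L92–L125 is a line-for-line copy of the existing `#user-saml-security` handler starting at L130 (whose body continues outside the hunk), differing only in the selector and the `'general'` category passed to `setSAMLConfigValue`; a small helper taking those two values keeps the toggle logic in one place. Inside the `.then` callback the new code captures `el = $(this)` at L95 but then re-reads `$(this)` at L101–L119; `this` inside a deferred callback is not guaranteed to be the checkbox element, so the captured `el` is the safe reference. The `"0"`/`"1"` flip at L104–L116 also reads better as a single ternary.
```javascript
var bindConfigCheckbox = function(selector, category) {
    $(selector + ' input[type="checkbox"]').change(function(e) {
        var el = $(this);
        $.when(el.focusout()).then(function() {
            var key = el.attr('name');
            el.val(el.val() === "0" ? "1" : "0");
            setSAMLConfigValue(category, key, el.val());
        });
    });
};
bindConfigCheckbox('#user-saml-general', 'general');
// … unchanged: existing #user-saml-security handler (could call the same helper) …
```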
|
||||
|
|
|
@ -108,6 +108,16 @@ class SAMLController extends Controller {
|
|||
exit();
|
||||
}
|
||||
|
||||
// Check whether the user actually exists, if not redirect to an error page
|
||||
// explaining the issue.
|
||||
$uidMapping = \OC::$server->getConfig()->getAppValue('user_saml', 'general-uid_mapping', '');
|
||||
if(isset($auth->getAttributes()[$uidMapping])) {
|
||||
$uid = $auth->getAttributes()[$uidMapping][0];
|
||||
$userExists = \OC::$server->getUserManager()->userExists($uid);
|
||||
if(!$userExists) {
|
||||
return new Http\RedirectResponse(\OC::$server->getURLGenerator()->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));
|
||||
}
|
||||
}
|
||||
|
||||
$this->session->set('user_saml.samlUserData', $auth->getAttributes());
|
||||
$this->session->set('user_saml.samlNameId', $auth->getNameId());
|
||||
|
@ -135,4 +145,12 @@ class SAMLController extends Controller {
|
|||
$this->userSession->logout();
|
||||
$auth->logout($returnTo, $parameters, $nameId, $sessionIndex);
|
||||
}
|
||||
|
||||
/**
|
||||
* @PublicPage
|
||||
* @NoCSRFRequired
|
||||
*/
|
||||
public function notProvisioned() {
|
||||
return new Http\TemplateResponse($this->appName, 'notProvisioned', [], 'guest');
|
||||
}
|
||||
}
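Review bot: The provisioning check added at L159–L180 guards only `isset($auth->getAttributes()[$uidMapping])`, so when `general-uid_mapping` is unset or the attribute is absent it falls through to the session writes at L185 without redirecting, and when the attribute is present but empty the `[0]` at L165 raises a notice and hands `null` to `userExists()`. Reading the attributes once and testing the value is tighter: `$attributes = $auth->getAttributes();` / `if ($uidMapping !== '' && isset($attributes[$uidMapping][0])) {` / `$uid = $attributes[$uidMapping][0];`, probably with an `else` that also redirects to `notProvisioned`, since a login cannot succeed without a uid. The fall-through is not a bypass on its own, because `UserBackend::getCurrentUserId()` in the hunk at L407 returns `''` for those cases and the login fails there, but this controller check should be read as a UX redirect rather than the enforcement point, and a comment saying so would help the next reader. The enclosing method starts outside the hunk.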
|
||||
|
|
|
@ -80,7 +80,10 @@ class SettingsController extends Controller {
|
|||
'type' => 'line',
|
||||
'required' => true,
|
||||
],
|
||||
|
||||
'require_provisioned_account' => [
|
||||
'text' => $this->l10n->t('Only allow authentication if an account is existent on some other backend. (e.g. LDAP)'),
|
||||
'type' => 'checkbox',
|
||||
],
|
||||
];
|
||||
|
||||
$params = [
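Review bot: The label at L250 is the only description an admin sees of the new `require_provisioned_account` switch and its phrasing is awkward; `'Only allow authentication if an account exists on some other backend (e.g. LDAP).'` reads more naturally. The `UserBackend` hunk at L463 reads this key with a default of `'0'`, i.e. auto-provisioning stays enabled until an admin ticks the box, which is worth stating in the label or in a comment next to this entry given that the point of the commit is to be able to refuse unprovisioned accounts.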
|
||||
|
|
|
@ -72,7 +72,6 @@ class SAMLSettings {
|
|||
],
|
||||
];
|
||||
|
||||
|
||||
$spx509cert = $this->config->getAppValue('user_saml', 'sp-x509cert', '');
|
||||
$spxprivateKey = $this->config->getAppValue('user_saml', 'sp-privateKey', '');
|
||||
if($spx509cert !== '') {
|
||||
|
|
|
@ -42,6 +42,8 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
private $session;
|
||||
/** @var IDb */
|
||||
private $db;
|
||||
/** @var \OCP\UserInterface[] */
|
||||
private $backends;
|
||||
|
||||
/**
|
||||
* @param IConfig $config
|
||||
|
@ -72,7 +74,7 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
* @since 4.5.0
|
||||
*/
|
||||
public function implementsActions($actions) {
|
||||
return (bool)((\OC_User_Backend::CHECK_PASSWORD | \OC_User_Backend::GET_DISPLAYNAME)
|
||||
return (bool)((\OC_User_Backend::CHECK_PASSWORD)
|
||||
& $actions);
|
||||
}
|
||||
|
||||
|
@ -136,7 +138,15 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
* @since 4.5.0
|
||||
*/
|
||||
public function userExists($uid) {
|
||||
return true;
|
||||
if($backend = $this->getActualUserBackend($uid)) {
|
||||
return $backend->userExists($uid);
|
||||
}
|
||||
|
||||
if($this->autoprovisionAllowed()) {
|
||||
return true;
|
||||
} else {
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -210,7 +220,10 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
$uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping', '');
|
||||
|
||||
if($uidMapping !== '' && isset($samlData[$uidMapping])) {
|
||||
return $samlData[$uidMapping][0];
|
||||
$uid = $samlData[$uidMapping][0];
|
||||
if($this->userExists($uid)) {
|
||||
return $uid;
|
||||
}
|
||||
}
|
||||
|
||||
return '';
|
||||
|
@ -226,4 +239,39 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
|
|||
return 'user_saml';
|
||||
}
|
||||
|
||||
/**
|
||||
* Whether autoprovisioning is enabled or not
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
private function autoprovisionAllowed() {
|
||||
return $this->config->getAppValue('user_saml', 'general-require_provisioned_account', '0') === '0';
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the actual user backend of the user
|
||||
*
|
||||
* @param string $uid
|
||||
* @return null|UserInterface
|
||||
*/
|
||||
public function getActualUserBackend($uid) {
|
||||
foreach($this->backends as $backend) {
|
||||
if($backend->userExists($uid)) {
|
||||
return $backend;
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Registers the used backends, used later to get the actual user backend
|
||||
* of the user.
|
||||
*
|
||||
* @param \OCP\UserInterface[] $backends
|
||||
*/
|
||||
public function registerBackends(array $backends) {
|
||||
$this->backends = $backends;
|
||||
}
|
||||
|
||||
}
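Review bot: `getActualUserBackend()` at L492 iterates `$this->backends`, but the property declared at L310 has no initializer and is only assigned by `registerBackends()` at L538; if that call is ever skipped the `foreach` runs on `null`, emits a warning and returns `null`, so `userExists()` falls through to the `autoprovisionAllowed()` branch and `getCurrentUserId()` at L416 decides on that alone. Declaring `private $backends = [];` removes the warning and makes the fail-closed behaviour explicit, and a guard `if ($backend === $this) { continue; }` inside the loop would keep `userExists()` from recursing into itself should the registered list ever contain this backend. The `if/else` at L375–L387 can simply be `return $this->autoprovisionAllowed();`. Separately, the hunk at L322 drops `GET_DISPLAYNAME` from `implementsActions()` without the commit message saying why; a short comment there would save the next reader a bisect.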
|
||||
|
|
6
templates/notProvisioned.php
Normal file
6
templates/notProvisioned.php
Normal file
|
@ -0,0 +1,6 @@
|
|||
<ul>
|
||||
<li class="error">
|
||||
<?php p($l->t('Account not provisioned.')) ?><br>
|
||||
<p class="hint"><?php p($l->t('Your account is not provisioned, access to this service is thus not possible.')) ?></p>
|
||||
</li>
|
||||
</ul>
|