class LoginController in LDAP Single Sign On 8
Same name and namespace in other branches
- 8.4 src/Controller/LoginController.php \Drupal\ldap_sso\Controller\LoginController
Class LoginController.
@package Drupal\ldap_sso\Controller
Hierarchy
- class \Drupal\Core\Controller\ControllerBase implements ContainerInjectionInterface uses LoggerChannelTrait, MessengerTrait, LinkGeneratorTrait, RedirectDestinationTrait, UrlGeneratorTrait, StringTranslationTrait
- class \Drupal\ldap_sso\Controller\LoginController
Expanded class hierarchy of LoginController
File
- src/
Controller/ LoginController.php, line 26
Namespace
Drupal\ldap_sso\Controller
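class LoginController extends ControllerBase {

  /**
   * Request object slot.
   *
   * NOTE(review): nothing in this class assigns or reads this property; it is
   * kept only so subclasses that may rely on it keep working.
   *
   * @var \Symfony\Component\HttpFoundation\Request|null
   */
  protected $request;

  /**
   * Conditional (detail) logger.
   *
   * @var \Drupal\ldap_servers\Logger\LdapDetailLog
   */
  protected $detailLog;

  /**
   * The ldap_sso.settings configuration object.
   *
   * @var \Drupal\Core\Config\ImmutableConfig
   */
  protected $config;

  /**
   * The ldap_sso logger channel.
   *
   * @var \Psr\Log\LoggerInterface
   */
  protected $logger;

  /**
   * Resolves the remote user name to a Drupal account.
   *
   * @var \Drupal\ldap_authentication\Controller\LoginValidator
   */
  protected $validator;

  /**
   * The current user account.
   *
   * @var \Drupal\Core\Session\AccountInterface
   */
  protected $account;

  /**
   * Constructor containing logger and watchdog level.
   *
   * @param \Psr\Log\LoggerInterface $logger
   *   The logging interface.
   * @param \Drupal\Core\Config\ConfigFactory $configFactory
   *   Factory for configuration for LDAP and logging level.
   * @param \Drupal\ldap_authentication\Controller\LoginValidator $validator
   *   Controller for doing the login procedures.
   * @param \Drupal\ldap_servers\Logger\LdapDetailLog $detailLog
   *   Logger interface for conditional logging.
   * @param \Drupal\Core\Session\AccountInterface $account
   *   The current user account.
   */
  public function __construct(LoggerInterface $logger, ConfigFactory $configFactory, LoginValidator $validator, LdapDetailLog $detailLog, AccountInterface $account) {
    $this->logger = $logger;
    $this->config = $configFactory->get('ldap_sso.settings');
    $this->validator = $validator;
    $this->detailLog = $detailLog;
    $this->account = $account;
  }

  /**
   * {@inheritdoc}
   */
  public static function create(ContainerInterface $container) {
    return new static(
      $container->get('logger.channel.ldap_sso'),
      $container->get('config.factory'),
      $container->get('ldap_authentication.login_validator'),
      $container->get('ldap.detail_log'),
      $container->get('current_user')
    );
  }

  /**
   * Login.
   *
   * A proxy function for the actual authentication routine. This is in place
   * so various implementations of grabbing NTLM credentials can be used and
   * selected from an administration page. This is the real gatekeeper since
   * this assumes that any NTLM authentication from the underlying web server
   * is good enough, and only checks that there are values in place for the
   * user name, and anything else that is set for a particular implementation.
   * In the case that there are no credentials set by the underlying web server,
   * the user is redirected to the normal user login form.
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The current Symfony HTTP Request.
   *
   * @return \Drupal\ldap_sso\RedirectResponseWithCookie
   *   A 302 redirect (front page or the validated 'destination' on success,
   *   the login form otherwise) that also clears the 'sso_login_running'
   *   cookie.
   */
  public function login(Request $request) {
    $this->detailLog->log('Beginning SSO login.', [], 'ldap_sso');

    // The configured $_SERVER variable is the only credential checked here:
    // the web server is trusted to have authenticated the user before
    // populating it. The setting should therefore name a variable the server
    // sets itself after its own authentication step, not one that is copied
    // from a client-supplied request header.
    $sso_variable = $this->config->get('ssoVariable');
    $remote_user = FALSE;
    $realm = NULL;
    if (is_string($sso_variable) && $sso_variable !== '' && isset($_SERVER[$sso_variable])) {
      $remote_user = $_SERVER[$sso_variable];
    }

    if ($this->config->get('ssoSplitUserRealm')) {
      [$remote_user, $realm] = $this->splitUserNameRealm($remote_user);
    }

    $this->detailLog->log('SSO raw result is username=@remote_user, (realm=@realm).', [
      '@remote_user' => $remote_user,
      '@realm' => $realm,
    ], 'ldap_sso');

    if ($remote_user) {
      $this->detailLog->log('User found, logging in.', [], 'ldap_sso');
      $this->loginRemoteUser($remote_user, $realm);
      $finalDestination = $this->resolveDestination($request);
    }
    else {
      $this->detailLog->log('User missing.', [], 'ldap_sso');
      $this->remoteUserMissing();
      $finalDestination = Url::fromRoute('user.login');
    }

    // Removes our automated SSO semaphore, should it have been set.
    $cookies = [
      new Cookie('sso_login_running', '', REQUEST_TIME - 3600, base_path()),
    ];
    return new RedirectResponseWithCookie($finalDestination->toString(), 302, $cookies);
  }

  /**
   * Resolves the post-login redirect target from the request.
   *
   * The 'destination' query parameter is user-controlled. It is only honoured
   * when it is a non-empty string that Url::fromUserInput() accepts (input
   * starting with '/', '?' or '#'); a missing, non-string or rejected value
   * falls back to the front page instead of surfacing the exception that
   * Url::fromUserInput() throws.
   *
   * NOTE(review): this relies on Url::fromUserInput() refusing external URLs,
   * so do not replace it with a less strict constructor such as Url::fromUri().
   *
   * @param \Symfony\Component\HttpFoundation\Request $request
   *   The current request.
   *
   * @return \Drupal\Core\Url
   *   Where to send the user after a successful login.
   */
  private function resolveDestination(Request $request) {
    $destination = $request->query->get('destination');
    if (!is_string($destination) || $destination === '') {
      return Url::fromRoute('<front>');
    }
    try {
      return Url::fromUserInput($destination);
    }
    catch (\InvalidArgumentException $e) {
      $this->detailLog->log('Ignoring invalid destination @destination.', [
        '@destination' => $destination,
      ], 'ldap_sso');
      return Url::fromRoute('<front>');
    }
  }

  /**
   * Access callback.
   *
   * The SSO endpoint is only reachable for anonymous users; an already
   * authenticated account is refused so the route cannot be used to re-run
   * the login for a logged-in session.
   *
   * @return \Drupal\Core\Access\AccessResult
   *   Allowed for anonymous users, forbidden otherwise.
   */
  public function access() {
    if ($this->account->isAnonymous()) {
      return AccessResult::allowed();
    }
    return AccessResult::forbidden();
  }

  /**
   * Perform the actual logging in of the user.
   *
   * @param string $remote_user
   *   Remote user name.
   * @param string|null $realm
   *   Realm information (only logged; realms are not otherwise used).
   */
  private function loginRemoteUser(string $remote_user, ?string $realm) {
    if ($this->config->get('ssoRemoteUserStripDomainName')) {
      $remote_user = $this->stripDomainName($remote_user);
    }

    $this->detailLog->log('Continuing SSO login with username=@remote_user, (realm=@realm).', [
      '@remote_user' => $remote_user,
      '@realm' => $realm,
    ], 'ldap_sso');

    $user = $this->validateUser($remote_user);
    if ($user && !$user->isAnonymous()) {
      $this->loginUserSetFinalize($user);
    }
    else {
      $this->loginUserNotSetFinalize();
    }
  }

  /**
   * Validate an unvalidated user.
   *
   * @param string $remote_user
   *   Remote user name.
   *
   * @return \Drupal\user\Entity\User|false
   *   Returns the user if available or FALSE when the authentication is not
   *   successful.
   */
  private function validateUser(string $remote_user) {
    $this->detailLog->log('Starting validation for SSO user.', [], 'ldap_sso');

    // NOTE(review): Html::escape() is an HTML-context escape, not an LDAP
    // filter escape. It rewrites names containing &, <, >, " or ' before the
    // lookup and provides no protection against LDAP filter injection; any
    // LDAP escaping has to happen inside LoginValidator — confirm that it does.
    $authentication_successful = $this->validator->processSsoLogin(Html::escape($remote_user));

    if (!$authentication_successful) {
      $this->detailLog->log('Remote user not valid.', [], 'ldap_sso');
      return FALSE;
    }

    $drupal_user = $this->validator->getDrupalUser();
    $this->detailLog->log('Remote user has local uid @uid', [
      '@uid' => $drupal_user->id(),
    ], 'ldap_sso');
    return $drupal_user;
  }

  /**
   * Returns the relevant lifetime from configuration.
   *
   * Note the semantics: when 'cookieExpire' is set the 'sso_stop' cookie lives
   * for the browser session; when it is not set, a timestamp in the past is
   * returned, which makes the cookie expire immediately.
   *
   * @return int
   *   0 for a session cookie, or a Unix timestamp one hour in the past.
   */
  private function getCookieLifeTime() {
    if ($this->config->get('cookieExpire')) {
      // Length of session.
      return 0;
    }
    // A value quickly in the past.
    return REQUEST_TIME - 3600;
  }

  /**
   * Finalize login with user not set.
   *
   * Sets the 'sso_stop' cookie so the automated SSO attempt is not retried
   * and tells the user to use the normal login form.
   */
  private function loginUserNotSetFinalize() {
    $this->detailLog->log('User not found, SSO aborted.', [], 'ldap_sso');
    setcookie('sso_stop', 'true', $this->getCookieLifeTime(), base_path(), '');
    $this->messenger()->addError($this->t('Sorry, your LDAP credentials were not found or the LDAP server is not available. You may log in with other credentials on the %user_login_form.', [
      '%user_login_form' => Link::fromTextAndUrl('login form', Url::fromRoute('user.login'))->toString(),
    ]));
    $this->detailLog->log('User not found or server error, redirecting to front page', [], 'ldap_sso');
  }

  /**
   * Finalize login with user set.
   *
   * @param \Drupal\user\UserInterface $account
   *   Valid user account.
   */
  private function loginUserSetFinalize(UserInterface $account) {
    $this->detailLog->log('Success with SSO login', [], 'ldap_sso');
    user_login_finalize($account);
    if ($this->config->get('enableLoginConfirmationMessage')) {
      $this->messenger()->addStatus($this->t('You have been successfully authenticated'));
    }
    $this->detailLog->log('Login successful, redirecting to front page.', [], 'ldap_sso');
  }

  /**
   * Handle missing remote user.
   *
   * Sets the 'sso_stop' cookie so the automated SSO attempt is not retried
   * and tells the user to log in manually.
   */
  private function remoteUserMissing() {
    $this->logger->debug('$_SERVER[\'@variable\'] not found', [
      '@variable' => $this->config->get('ssoVariable'),
    ]);
    $this->detailLog->log('Authentication failure, redirecting to login', [], 'ldap_sso');
    // The domain argument is a string; the integer 0 previously passed here
    // coerces to the domain "0", which browsers reject, so the cookie was
    // never stored on this path. Use the empty domain like the other call.
    setcookie('sso_stop', 'true', $this->getCookieLifeTime(), base_path(), '');
    $this->messenger()->addError($this->t('You were not authenticated by the server. You may log in with your credentials below.'));
  }

  /**
   * Strip the domain name from the remote user.
   *
   * @param string $remote_user
   *   The remote user name.
   *
   * @return string
   *   Returns the user without domain.
   */
  private function stripDomainName(string $remote_user) {
    // Might be in the form of <remote_user>@<domain> or <domain>\<remote_user>.
    $domain = NULL;
    $exploded = preg_split('/[\\@\\\\]/', $remote_user);
    // preg_split() returns FALSE on a PCRE error; leave the name untouched.
    if (is_array($exploded) && count($exploded) === 2) {
      if (strpos($remote_user, '@') !== FALSE) {
        [$remote_user, $domain] = $exploded;
      }
      else {
        [$domain, $remote_user] = $exploded;
      }
      $this->detailLog->log('Domain stripped: remote_user=@remote_user, domain=@domain', [
        '@remote_user' => $remote_user,
        '@domain' => $domain,
      ], 'ldap_sso');
    }
    return $remote_user;
  }

  /**
   * Split username from realm.
   *
   * @param string $remote_user
   *   String to split at '@'.
   *
   * @return array
   *   Remote user and realm string separated; the realm is NULL when the input
   *   does not match <user>@<realm>.
   */
  protected function splitUserNameRealm($remote_user) {
    $realm = NULL;
    $domainMatch = preg_match('/^([A-Za-z0-9_\\-\\.]+)@([A-Za-z0-9_\\-.]+)$/', $remote_user, $matches);
    if ($remote_user && $domainMatch) {
      $remote_user = $matches[1];
      // This can be used later if realms is ever supported properly.
      $realm = $matches[2];
    }
    return [
      $remote_user,
      $realm,
    ];
  }

}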
Members
Name | Modifiers | Type | Description | Overrides |
---|---|---|---|---|
ControllerBase:: |
protected | property | The configuration factory. | |
ControllerBase:: |
protected | property | The current user service. | 1 |
ControllerBase:: |
protected | property | The entity form builder. | |
ControllerBase:: |
protected | property | The entity manager. | |
ControllerBase:: |
protected | property | The entity type manager. | |
ControllerBase:: |
protected | property | The form builder. | 2 |
ControllerBase:: |
protected | property | The key-value storage. | 1 |
ControllerBase:: |
protected | property | The language manager. | 1 |
ControllerBase:: |
protected | property | The module handler. | 2 |
ControllerBase:: |
protected | property | The state service. | |
ControllerBase:: |
protected | function | Returns the requested cache bin. | |
ControllerBase:: |
protected | function | Retrieves a configuration object. | |
ControllerBase:: |
private | function | Returns the service container. | |
ControllerBase:: |
protected | function | Returns the current user. | 1 |
ControllerBase:: |
protected | function | Retrieves the entity form builder. | |
ControllerBase:: |
protected | function | Retrieves the entity manager service. | |
ControllerBase:: |
protected | function | Retrieves the entity type manager. | |
ControllerBase:: |
protected | function | Returns the form builder service. | 2 |
ControllerBase:: |
protected | function | Returns a key/value storage collection. | 1 |
ControllerBase:: |
protected | function | Returns the language manager service. | 1 |
ControllerBase:: |
protected | function | Returns the module handler. | 2 |
ControllerBase:: |
protected | function |
Returns a redirect response object for the specified route. Overrides UrlGeneratorTrait:: |
|
ControllerBase:: |
protected | function | Returns the state storage service. | |
LinkGeneratorTrait:: |
protected | property | The link generator. | 1 |
LinkGeneratorTrait:: |
protected | function | Returns the link generator. | |
LinkGeneratorTrait:: |
protected | function | Renders a link to a route given a route name and its parameters. | |
LinkGeneratorTrait:: |
public | function | Sets the link generator service. | |
LoggerChannelTrait:: |
protected | property | The logger channel factory service. | |
LoggerChannelTrait:: |
protected | function | Gets the logger for a specific channel. | |
LoggerChannelTrait:: |
public | function | Injects the logger channel factory. | |
LoginController:: |
protected | property | The current user account. | |
LoginController:: |
protected | property | ||
LoginController:: |
protected | property | ||
LoginController:: |
protected | property | ||
LoginController:: |
protected | property | ||
LoginController:: |
protected | property | ||
LoginController:: |
public | function | Access callback. | |
LoginController:: |
public static | function |
Instantiates a new instance of this class. Overrides ControllerBase:: |
|
LoginController:: |
private | function | Returns the relevant lifetime from configuration. | |
LoginController:: |
public | function | Login. | |
LoginController:: |
private | function | Perform the actual logging in of the user. | |
LoginController:: |
private | function | Finalize login with user not set. | |
LoginController:: |
private | function | Finalize login with user set. | |
LoginController:: |
private | function | Handle missing remote user. | |
LoginController:: |
protected | function | Split username from realm. | |
LoginController:: |
private | function | Strip the domain name from the remote user. | |
LoginController:: |
private | function | Validate an unvalidated user. | |
LoginController:: |
public | function | Constructor containing logger and watchdog level. | |
MessengerTrait:: |
protected | property | The messenger. | 29 |
MessengerTrait:: |
public | function | Gets the messenger. | 29 |
MessengerTrait:: |
public | function | Sets the messenger. | |
RedirectDestinationTrait:: |
protected | property | The redirect destination service. | 1 |
RedirectDestinationTrait:: |
protected | function | Prepares a 'destination' URL query parameter for use with \Drupal\Core\Url. | |
RedirectDestinationTrait:: |
protected | function | Returns the redirect destination service. | |
RedirectDestinationTrait:: |
public | function | Sets the redirect destination service. | |
StringTranslationTrait:: |
protected | property | The string translation service. | 1 |
StringTranslationTrait:: |
protected | function | Formats a string containing a count of items. | |
StringTranslationTrait:: |
protected | function | Returns the number of plurals supported by a given language. | |
StringTranslationTrait:: |
protected | function | Gets the string translation service. | |
StringTranslationTrait:: |
public | function | Sets the string translation service to use. | 2 |
StringTranslationTrait:: |
protected | function | Translates a string to the current language or to a given language. | |
UrlGeneratorTrait:: |
protected | property | The url generator. | |
UrlGeneratorTrait:: |
protected | function | Returns the URL generator service. | |
UrlGeneratorTrait:: |
public | function | Sets the URL generator service. | |
UrlGeneratorTrait:: |
protected | function | Generates a URL or path for a specific route based on the given parameters. |