simplesamlphp_auth.module in simpleSAMLphp Authentication 7.3
Same filename and directory in other branches
simpleSAMLphp authentication module for Drupal.
This authentication module is based on the shibboleth authentication module, with changes to adapt to use simpleSAMLphp.
ISSUES and TODOs: ISSUE: User is always dropped on user page after login, instead of where they were when they clicked "Federated Log In". Because of this, deep linking to access controlled content does not work. Usability would be considerably increased if this were resolved. FYI: Drupal now requires knowledge of the local user password in order to change e-mail address, etc. This could be an issue for users of accounts that are auto-provisioned by this module, though Drupal does give users the ability to reset their password to something they know via the Request new password feature. KLUDGE: Drupal does not kill the session on logout, even with drupal_session_destroy_uid(), so I had to use session_destroy(). @todo Rework the default login limitation logic to use a drupal permission rather than a list of UIDs. @todo When denying access because the administrator has chosen not to allow the module to register/create accounts, the user is told to contact the administrator; the message should provide the contact information. ISSUE: Until Drupal issue #754560 is resolved users will not see logout notices.
File
simplesamlphp_auth.moduleView source
<?php
/**
* @file
* simpleSAMLphp authentication module for Drupal.
*
* This authentication module is based on the shibboleth authentication module,
* with changes to adapt to use simpleSAMLphp.
*
* ISSUES and TODOs:
* ISSUE: User is always dropped on user page after login, instead of where
* they were when they clicked "Federated Log In". Because of this, deep
* linking to access controlled content does not work. Usability would
* be considerably increased if this were resolved.
* FYI: Drupal now requires knowledge of the local user password in order to
* change e-mail address, etc. This could be an issue for users of
* accounts that are auto-provisioned by this module, though Drupal does
* give users the ability to reset their password to something they know
* via the Request new password feature.
* KLUDGE: Drupal does not kill the session on logout, even with
* drupal_session_destroy_uid(), so I had to use session_destroy().
* @todo Rework the default login limitation logic to use a drupal permission
* rather than a list of UIDs.
* @todo When denying access because the administrator has chosen not to allow
* the module to register/create accounts, the user is told to contact
* the administrator; the message should provide the contact information.
* ISSUE: Until Drupal issue #754560 is resolved users will not see logout
* notices.
*/
/**
* Implements hook_menu().
*/
function simplesamlphp_auth_menu() {
$login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
$items = array();
$items['admin/config/people/simplesamlphp_auth'] = array(
'title' => 'SimpleSAMLphp Auth Settings',
'description' => 'Control the various settings of the simpleSAMLphp authentication module',
'page callback' => 'drupal_get_form',
'page arguments' => array(
'simplesamlphp_auth_settings_basic',
),
'access arguments' => array(
'administer simpleSAMLphp authentication',
),
'file' => 'simplesamlphp_auth.admin.inc',
'type' => MENU_LOCAL_TASK | MENU_NORMAL_ITEM,
);
$items['admin/config/people/simplesamlphp_auth/basic'] = array(
'title' => 'Basic settings',
'description' => 'Control the various settings of the simpleSAMLphp authentication module',
'page callback' => 'drupal_get_form',
'page arguments' => array(
'simplesamlphp_auth_settings_basic',
),
'access arguments' => array(
'administer simpleSAMLphp authentication',
),
'file' => 'simplesamlphp_auth.admin.inc',
'type' => MENU_DEFAULT_LOCAL_TASK,
);
$items['admin/config/people/simplesamlphp_auth/sync'] = array(
'title' => 'User info and syncing',
'description' => 'Control the various settings of the simpleSAMLphp authentication module',
'page callback' => 'drupal_get_form',
'page arguments' => array(
'simplesamlphp_auth_settings_sync',
),
'access arguments' => array(
'administer simpleSAMLphp authentication',
),
'file' => 'simplesamlphp_auth.admin.inc',
'type' => MENU_LOCAL_TASK,
);
$items['admin/config/people/simplesamlphp_auth/local'] = array(
'title' => 'Local authentication',
'description' => 'Configure local only authentication options',
'page callback' => 'drupal_get_form',
'page arguments' => array(
'simplesamlphp_auth_settings_local',
),
'access arguments' => array(
'administer simpleSAMLphp authentication',
),
'file' => 'simplesamlphp_auth.admin.inc',
'type' => MENU_LOCAL_TASK,
);
$items[$login_path] = array(
'title' => 'Logon to the site',
'description' => 'Provides a site login page',
'page callback' => 'simplesamlphp_auth_loginpage',
'access callback' => '_simplesamlphp_auth_isEnabled',
'file' => 'simplesamlphp_auth.pages.inc',
'type' => MENU_CALLBACK,
);
return $items;
}
/**
* Implements hook_menu_site_status_alter().
*/
function simplesamlphp_auth_menu_site_status_alter(&$menu_site_status, $path) {
// Allow access to authenticate even if site is in offline mode.
$login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && $path == $login_path) {
$menu_site_status = MENU_SITE_ONLINE;
}
}
/**
* Implements hook_help().
*/
function simplesamlphp_auth_help($path, $arg) {
switch ($path) {
case 'admin/config/people/simplesamlphp_auth':
$output = '<p>' . t('This module integrates Drupal with a SimpleSAMLphp Service Point (SP), effectively federating Drupal.') . '</p>';
return $output;
}
}
/**
* Implements hook_permission().
*/
function simplesamlphp_auth_permission() {
return array(
'administer simpleSAMLphp authentication' => array(
'title' => t('Administer simpleSAMLphp authentication'),
'restrict access' => TRUE,
),
'change saml authentication setting' => array(
'title' => t('Change SAML authentication setting for individual accounts'),
'description' => t('Allow users to enable or disable SAML authentication per user on user edit forms.'),
'restrict access' => TRUE,
),
);
}
/**
* Loads simplesamlphp class and initializes global variables.
*/
function _simplesaml_auth_autoload() {
if (!_simplesamlphp_auth_isEnabled()) {
return FALSE;
}
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
global $_simplesamlphp_auth_saml_config;
global $_simplesamlphp_auth_saml_version;
// Get the simplesamlphp session.
if (!class_exists('SimpleSAML_Configuration')) {
// Register SimpleSAMLphp autoloader (only if needed)
$basedir = variable_get('simplesamlphp_auth_installdir', '/usr/share/simplesamlphp');
if (file_exists($basedir . '/lib/_autoload.php')) {
require_once $basedir . '/lib/_autoload.php';
}
else {
return FALSE;
}
}
$_simplesamlphp_auth_saml_config = SimpleSAML_Configuration::getInstance();
$_simplesamlphp_auth_saml_version = $_simplesamlphp_auth_saml_config
->getVersion();
// Load simpleSAMLphp, configuration and metadata.
$_simplesamlphp_auth_as = new SimpleSAML_Auth_Simple(variable_get('simplesamlphp_auth_authsource', 'default-sp'));
$_simplesamlphp_auth_saml_attributes = $_simplesamlphp_auth_as
->getAttributes();
return TRUE;
}
/**
* Implements hook_init().
*
* If the user has logged out via SAML, log out the user in Drupal as well.
*/
function simplesamlphp_auth_init() {
if (user_is_anonymous()) {
return FALSE;
}
if (!_simplesaml_auth_autoload()) {
return FALSE;
}
global $user;
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
// Get users that are allowed default login.
$allowed_default_login_users = variable_get('simplesamlphp_auth_allowdefaultloginusers', '');
$allowed_uids = explode(",", $allowed_default_login_users);
// Get roles that are allowed default login.
$allowed_default_login_roles = variable_get('simplesamlphp_auth_allowdefaultloginroles', array());
// Check if user is allowed default login.
$user_allowed_default_login_roles = array_intersect_key($user->roles, $allowed_default_login_roles);
if (variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE) && (in_array($user->uid, $allowed_uids) || !empty($user_allowed_default_login_roles))) {
$user_allowed_default_login = TRUE;
}
// Logs out user if not SAML authenticated and not allowed default login.
if (!$_simplesamlphp_auth_as
->isAuthenticated() && !$user_allowed_default_login) {
module_load_include('pages.inc', 'user');
user_logout();
}
}
/**
* Implements hook_user_insert().
*/
function simplesamlphp_auth_user_insert(&$edit, $account, $category = NULL) {
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
if (!_simplesaml_auth_autoload()) {
// Exit without initializing.
return;
}
if ($category == 'account') {
// If user registration has a valid session...
if ($_simplesamlphp_auth_as
->isAuthenticated() && _simplesamlphp_auth_get_authname() == $account->init) {
// Get name from default attributes.
try {
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Registering user [%acctname]', array(
'%acctname' => $account->name,
), WATCHDOG_DEBUG);
}
$account->name = _simplesamlphp_auth_get_default_name($account->uid);
} catch (Exception $e) {
drupal_set_message(t('Your user name was not provided by your identity provider (IDP).'), "error");
watchdog('simplesamlphp_auth', $e
->getMessage(), NULL, WATCHDOG_CRITICAL);
}
module_load_include('inc', 'simplesamlphp_auth');
// Update username and email address.
// @todo Make this conditional.
_simplesaml_auth_user_update($account);
if (module_exists('rules')) {
rules_invoke_all('simplesamlphp_auth_rules_event_register', $account);
}
// Reload the user object to ensure that all properties are populated.
$user = user_load($account->uid);
_simplesaml_auth_user_login($user);
}
}
}
/**
* Implements hook_user_logout().
*/
function simplesamlphp_auth_user_logout($account) {
global $user;
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
global $base_url;
_simplesaml_auth_autoload();
if (!empty($_simplesamlphp_auth_saml_attributes)) {
$config = SimpleSAML_Configuration::getInstance();
// KLUDGE: for some reason Drupal is not killing the session, even if I
// were to call drupal_session_destroy_uid() here.
session_destroy();
$gotourl = base_path();
if (variable_get('simplesamlphp_auth_logoutgotourl', '')) {
$gotourl = variable_get('simplesamlphp_auth_logoutgotourl', '');
}
// Allow modules to alter $gotourl.
drupal_alter('simplesamlphp_auth_logout_gotourl', $gotourl, $account);
$_simplesamlphp_auth_as
->logout($gotourl);
}
}
/**
* Implements hook_user_delete().
*/
function simplesamlphp_auth_user_delete($account) {
db_delete('authmap')
->condition('uid', $account->uid)
->condition('authname', $account->name)
->execute();
}
/**
* Implements hook_form_alter().
*/
function simplesamlphp_auth_form_alter(&$form, $form_state, $form_id) {
if (!_simplesamlphp_auth_isEnabled()) {
// Exit without executing.
return;
}
$is_user_profile_account_form = $form_id == 'user_profile_form' && $form['#user_category'] == 'account';
$login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
$login_name = variable_get('simplesamlphp_auth_login_link_display_name', t('Federated Log In'));
$destination = drupal_get_destination();
$link = l($login_name, $login_path, array(
'query' => $destination,
));
// Add SAML login link to user login form.
if ($form_id == 'user_login_block' || $form_id == 'user_account_form') {
$links = $form['links']['#markup'];
$links = str_replace('</ul>', '<li class="saml">' . $link . '</li></ul>', $links);
$form['links']['#markup'] = $links;
}
if ($form_id == 'user_login') {
$form['links']['#markup'] = $link;
}
if (($form_id == 'user_register_form' || $is_user_profile_account_form) && user_access('change saml authentication setting')) {
$form['saml'] = array(
'#type' => 'checkbox',
'#title' => t('Enable this user to leverage SAML authentication'),
'#default_value' => $form_id == 'user_register_form' ? TRUE : (bool) user_get_authmaps($form['#user']->name),
);
$form['#submit'][] = 'simplesaml_auth_user_profile_form_submit';
}
// If the user has a simplesamlphp_auth authmap record, then don't require
// them to know their Drupal password. This will allow them to change their
// e-mail address, and set a Drupal password if they want to (and are
// allowed).
if ($is_user_profile_account_form && (isset($form['#user']->init) && $form['#user']->init) && _simplesaml_auth_user_has_authmap($form['#user']->name)) {
unset($form['account']['current_pass']);
unset($form['account']['current_pass_required_values']);
$form['#validate'] = array_diff($form['#validate'], array(
'user_validate_current_pass',
));
// If the user is a simplesamlphp_auth user and is NOT allowed to set their
// Drupal password, remove the fields from the form.
if (!variable_get('simplesamlphp_auth_allowsetdrupalpwd')) {
unset($form['account']['pass']);
}
}
}
/**
* Submit callback to enable SAML authentication for a given user.
*/
function simplesaml_auth_user_profile_form_submit(&$form, $form_state) {
$values = $form_state['values'];
if (isset($values['saml'])) {
// Enter this username into the authmap table.
if ($values['saml']) {
db_merge('authmap')
->key(array(
'uid' => $values['uid'],
'module' => 'simplesamlphp_auth',
))
->fields(array(
'authname' => $values['name'],
))
->execute();
}
else {
db_delete('authmap')
->condition('uid', $values['uid'])
->execute();
}
}
}
/**
* Implements hook_block_view().
*/
function simplesamlphp_auth_block_view($delta = '') {
if (!_simplesaml_auth_autoload()) {
// Exit without executing.
return;
}
$block = array();
switch ($delta) {
case 0:
$block = array(
'subject' => t('simpleSAMLphp login'),
'content' => _simplesamlphp_auth_generate_block_text(),
);
break;
}
return $block;
}
/**
* Implements hook_block_info().
*/
function simplesamlphp_auth_block_info() {
$block = array(
array(
'info' => t('simpleSAMLphp authentication'),
'cache' => DRUPAL_NO_CACHE,
),
);
return $block;
}
/****************************************************************************
* Private functions ********************************************************
****************************************************************************/
/**
* Checks if authentication via SimpleSAMLphp should be activated.
*
* @param bool $show_inactive_msg
* Whether to display the "module not activated" message
*
* @return bool
* TRUE if simplesamlphp_auth is enabled.
*/
function _simplesamlphp_auth_isEnabled($show_inactive_msg = FALSE) {
global $user;
$failure = NULL;
$is_activated = variable_get('simplesamlphp_auth_activate');
$basedir = variable_get('simplesamlphp_auth_installdir', '/usr/share/simplesamlphp');
if ($is_activated) {
// Make sure we know where SimpleSAMLphp is.
if (!file_exists($basedir)) {
$failure = t('SimpleSAMLphp could not be found at %basedir . The simplesamlphp_auth module cannot function until the path to the local SimpleSAMLphp instance is configured.', array(
'%basedir' => $basedir,
));
watchdog('simplesamlphp_auth', $failure, NULL, WATCHDOG_WARNING);
}
}
else {
$failure = t('SimpleSAMLphp auth is not yet activated.');
}
// If there were no failures, then it should be activated.
if (!$failure) {
return TRUE;
}
else {
// Communicate but don't be too annoying.
if ($show_inactive_msg && (1 == $user->uid || user_access('access administration pages')) && (preg_match('/admin\\/people/', request_uri()) || preg_match('/admin\\/modules/', request_uri()) || preg_match('/admin\\/config/', request_uri()))) {
drupal_set_message($failure);
}
}
return FALSE;
}
/**
* Gets the authname attribute from the SAML assertion.
*
* @return string
* The authname attribute.
*
* @throws Exception
* Throws an exception if no valid unique id attribute is set in SAML session.
*/
function _simplesamlphp_auth_get_authname() {
global $_simplesamlphp_auth_saml_attributes;
$authname = '';
// Check if valid local session exists.
if (isset($_simplesamlphp_auth_saml_attributes)) {
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', '_simplesamlphp_auth_get_authname: Valid local SAML session exists', NULL, WATCHDOG_DEBUG);
}
if (isset($_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_unique_id', 'eduPersonPrincipalName')])) {
$authname = $_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_unique_id', 'eduPersonPrincipalName')][0];
}
else {
throw new Exception(t('Error in simplesamlphp_auth.module: no valid unique id attribute set.'));
}
}
return $authname;
}
/**
* Gets the default name attribute from the SAML assertion.
*
* @return string
* The name attribute.
*/
function _simplesamlphp_auth_get_default_name($account) {
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
$default_name = '';
// Check if valid local session exists..
if ($_simplesamlphp_auth_as
->isAuthenticated()) {
$auth_user_name_attr = variable_get('simplesamlphp_auth_user_name', 'eduPersonPrincipalName');
if (!isset($_simplesamlphp_auth_saml_attributes[$auth_user_name_attr]) || !isset($_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0]) || $_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0] == '') {
throw new Exception(t('There was no set attribute named "%auth_user_name_attr" returned for user %uid.', array(
'%auth_user_name_attr' => $auth_user_name_attr,
'%uid' => $account,
)));
}
$default_name = $_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0];
}
return $default_name;
}
/**
* Gets the mail attribute.
*
* @return string
* The mail attribute.
*/
function _simplesamlphp_auth_get_mail() {
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
$mail_address = '';
// Check if valid local session exists..
if ($_simplesamlphp_auth_as
->isAuthenticated()) {
if (isset($_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_mailattr', 'mail')])) {
$mail_address = $_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_mailattr', 'mail')][0];
}
else {
throw new Exception(t('Error in simplesamlphp_auth.module: No valid mail attribute set.'));
}
}
return $mail_address;
}
/**
* Generates the text for the log in block.
*/
function _simplesamlphp_auth_generate_block_text() {
global $_simplesamlphp_auth_as;
$block_content = '';
global $user;
if (!_simplesamlphp_auth_isEnabled()) {
// Exit without executing.
return;
}
// Check if valid local session exists..
if ($_simplesamlphp_auth_as
->isAuthenticated()) {
$block_content .= '<p>' . t('Logged in as: @username', array(
'@username' => $user->name,
)) . '<br />' . l(t('Log Out'), 'user/logout') . '</p>';
}
else {
$login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
$login_name = variable_get('simplesamlphp_auth_login_link_display_name', t('Federated Log In'));
$block_content .= '<p>' . l($login_name, $login_path) . '</p>';
}
return $block_content;
}
/**
* Evaluates a role rule.
*
* The rules work as follows:
* = does an exact match on an attribute and will iterate over array values if
* the array is multivalued.
* @= matches the domain portion of an email address. It assumes the attribute
* is a string, and will not iterate over an array (but take the first value).
* ~= does a partial string match on the attribute, and does iterate over
* multiple values, returning true if any of the values match.
*
* @param array $roleruleevaluation
* An array containing the role rule to evaluate.
* @param array $attributes
* An array containing the identity attributes.
*
* @return array
* An array containing role value and the attribute, or FALSE.
*/
function _simplesamlphp_auth_evaulaterolerule($roleruleevaluation, $attributes) {
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Evaluate rule (key=%key,operator=%op,value=%val)', array(
'%key' => $roleruleevaluation[0],
'%op' => $roleruleevaluation[1],
'%val' => $roleruleevaluation[2],
), WATCHDOG_DEBUG);
}
if (!array_key_exists($roleruleevaluation[0], $attributes)) {
return FALSE;
}
$attribute = $attributes[$roleruleevaluation[0]];
switch ($roleruleevaluation[1]) {
case '=':
return in_array($roleruleevaluation[2], $attribute);
case '@=':
$dc = explode('@', $attribute[0]);
if (count($dc) != 2) {
return FALSE;
}
return $dc[1] == $roleruleevaluation[2];
case '~=':
foreach ($attribute as $subattr) {
$pos = strpos($subattr, $roleruleevaluation[2]);
if ($pos !== FALSE) {
return TRUE;
}
}
return FALSE;
}
return FALSE;
}
/**
* Performs role population.
*
* @param array $rolemap
* A string containing the role map.
*
* @return array
* An array containing user's roles.
*/
function _simplesamlphp_auth_rolepopulation($rolemap) {
global $_simplesamlphp_auth_as;
global $_simplesamlphp_auth_saml_attributes;
$roles = array();
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Rolemap: %rolemap', array(
'%rolemap' => $rolemap,
), WATCHDOG_DEBUG);
}
// Check if valid local session exists..
if (!empty($rolemap) && $_simplesamlphp_auth_as
->isAuthenticated()) {
$attributes = $_simplesamlphp_auth_saml_attributes;
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Evaluate rolemap: %rolemap', array(
'%rolemap' => $rolemap,
), WATCHDOG_DEBUG);
}
$rolerules = explode('|', $rolemap);
foreach ($rolerules as $rolerule) {
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Evaluate role rule: %rolerule', array(
'%rolerule' => $rolerule,
), WATCHDOG_DEBUG);
}
$roleruledecompose = explode(':', $rolerule, 2);
$roleid = $roleruledecompose[0];
$roleruleevaluations = explode(';', $roleruledecompose[1]);
$addnew = TRUE;
foreach ($roleruleevaluations as $roleruleevaluation) {
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Evaluate role evaulation: %roleruleeval', array(
'%roleruleeval' => $roleruleevaluation,
), WATCHDOG_DEBUG);
}
$roleruleevaluationdc = str_getcsv($roleruleevaluation);
if (!_simplesamlphp_auth_evaulaterolerule($roleruleevaluationdc, $attributes)) {
$addnew = FALSE;
}
}
if ($addnew) {
$roles[$roleid] = $roleid;
if (variable_get('simplesamlphp_auth_debug', 0)) {
watchdog('simplesamlphp_auth', 'Add new role: %roleid', array(
'%roleid' => $roleid,
), WATCHDOG_DEBUG);
}
}
}
}
drupal_alter('simplesamlphp_auth_user_roles', $roles);
return $roles;
}
/**
* See if the user has an authmap record for simplesamlphp_auth.
*/
function _simplesaml_auth_user_has_authmap($authname) {
$authmaps = user_get_authmaps($authname);
$return = 0;
if (is_array($authmaps)) {
$return = in_array('simplesamlphp_auth', array_keys($authmaps));
}
return $return;
}
/**
* Logs out a user who has an active Drupal session but not with simpleSAML.
*/
function _simplesamlphp_auth_destroy_drupal_session() {
module_load_include('pages.inc', 'user');
user_logout();
}