You are here

function simplesamlphp_auth_init in simpleSAMLphp Authentication 6.3

Same name and namespace in other branches
  1. 6.2 simplesamlphp_auth.module \simplesamlphp_auth_init()
  2. 7.3 simplesamlphp_auth.module \simplesamlphp_auth_init()
  3. 7 simplesamlphp_auth.module \simplesamlphp_auth_init()
  4. 7.2 simplesamlphp_auth.module \simplesamlphp_auth_init()

Implementation of hook_init().

File

./simplesamlphp_auth.module, line 182
simpleSAMLphp authentication module for Drupal.

Code

function simplesamlphp_auth_init() {
  global $user;
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;
  global $_simplesamlphp_auth_saml_config;
  global $_simplesamlphp_auth_saml_version;
  if (!_simplesamlphp_auth_isEnabled(TRUE)) {

    // Exit without initializing.
    return;
  }

  // Get the simplesamlphp session.
  $basedir = variable_get('simplesamlphp_auth_installdir', '/var/simplesamlphp');

  // Make sure we know where SimpleSAMLphp is.
  if (!file_exists($basedir)) {
    $failure = t('SimpleSAMLphp could not be found at %basedir . The simplesamlphp_auth module cannot function until the path to the local SimpleSAMLphp instance is configured.', array(
      '%basedir' => $basedir,
    ));
    watchdog('simplesamlphp_auth', $failure, NULL, WATCHDOG_WARNING);
    if ($user->uid != 0) {
      drupal_set_message($failure);
    }

    // Exit without initializing.
    return;
  }
  require_once $basedir . '/lib/_autoload.php';
  $_simplesamlphp_auth_saml_config = SimpleSAML_Configuration::getInstance();
  $_simplesamlphp_auth_saml_version = $_simplesamlphp_auth_saml_config
    ->getVersion();

  // Load simpleSAMLphp, configuration and metadata.
  $_simplesamlphp_auth_as = new SimpleSAML_Auth_Simple(variable_get('simplesamlphp_auth_authsource', 'default-sp'));
  $_simplesamlphp_auth_saml_attributes = $_simplesamlphp_auth_as
    ->getAttributes();
  if ($user->uid == 0) {

    // User is not logged in - Drupal.
    if ($_simplesamlphp_auth_as
      ->isAuthenticated()) {

      // User is logged in - SimpleSAMLphp, user is not logged in - Drupal.
      // Get unique identifier from saml attributes.
      $authname = _simplesamlphp_auth_get_authname();
      _simplesaml_auth_debug(t('Authname is [%authname] userid is [%uid]', array(
        '%authname' => $authname,
        '%uid' => $user->uid,
      )));
      if (!empty($authname)) {

        // User is logged in with SAML authentication and we got the unique identifier.
        // Try to log into Drupal.
        _simplesaml_auth_debug(t('Load user [%authname]', array(
          '%authname' => $authname,
        )));

        // Retrieve user mapping and attempt to log the user in.
        $user = user_external_load($authname);
        if (!$user) {

          // If unsuccessful, register the user. This will trigger simplesamlphp_auth_user() and any other _user() hooks.
          // First we check the admin settings for simpleSAMLphp and find out if we are allowed to register users.
          if (variable_get('simplesamlphp_auth_registerusers', TRUE)) {

            // We are allowed to register new users.
            _simplesaml_auth_debug(t('Register [%authname]', array(
              '%authname' => $authname,
            )));
            user_external_login_register($authname, 'simplesamlphp_auth');
            if ($user) {

              // Populate roles based on configuration setting.
              $roles = _simplesamlphp_auth_rolepopulation(variable_get('simplesamlphp_auth_rolepopulation', ''));
              $userinfo = array(
                'roles' => $roles,
              );
              $user = user_save($user, $userinfo);

              // @todo - Fjernet rolle-delen her da den gav en bra feilmelding når roller ikke finnes ;)
            }
          }
          else {

            // We are not allowed to register new users on the site through simpleSAML.
            // We let the user know about this and redirect to the user/login page.
            $msg = t('We are sorry. While you have successfully authenticated, you are not yet entitled to access this site.
              Please ask the site administrator to provision access for you.');
            drupal_set_message($msg);
            $_simplesamlphp_auth_as
              ->logout(base_path());
          }
        }
        else {

          // If successfully logged into Drupal.
          // See if we're supposed to re-evaluate role assignments.
          if (variable_get('simplesamlphp_auth_roleevaleverytime', 0)) {

            // If the user is already registered, update the roles and populate roles based on configuration setting.
            _simplesaml_auth_debug(t('User already registered [%authname] updating roles.', array(
              '%authname' => $authname,
            )));
            $roles = _simplesamlphp_auth_rolepopulation(variable_get('simplesamlphp_auth_rolepopulation', ''));
            $userinfo = array(
              'roles' => $roles,
            );
            $user = user_save($user, $userinfo);
          }
        }

        // Finalizing the login, calls hook_user op login.
        $edit = array();
        user_authenticate_finalize($edit);
      }

      // End if !empty authname.
    }

    // End if isset saml_session.
  }
  else {

    // The user is already logged into Drupal.
    // If we forbid users from loggin in using local accounts.
    if (FALSE == variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE)) {

      // If the user has NOT been authenticated via simpleSAML.
      if (!$_simplesamlphp_auth_as
        ->isAuthenticated()) {

        // FYI: Until Drupal issue #754560 is corrected this message will never be seen by the user.
        drupal_set_message(t("We are sorry, users are not permitted to log in using local accounts."));

        // Destroy the user's session (log them out).
        _simplesamlphp_auth_destroy_drupal_session();
      }
    }
    else {

      // If we are allowing users to log in with local accounts.
      // If the user has NOT been authenticated via simpleSAML.
      if (!$_simplesamlphp_auth_as
        ->isAuthenticated()) {

        // See if we limit this privilege to specified users.
        $strAllwDefLogUsers = variable_get('simplesamlphp_auth_allowdefaultloginusers', '');
        $arrAllwDefLogUsers = array();

        // If user IDs are specified, we let them in, but everyone else gets logged out.
        if (drupal_strlen($strAllwDefLogUsers)) {

          // @todo perform a test to make sure that only numbers, spaces, or commas are in the string.
          // Convert the string into an array.
          $arrAllwDefLogUsers = explode(',', $strAllwDefLogUsers);

          // If we still have something to work with.
          if (0 < count($arrAllwDefLogUsers)) {

            // Log the user out of Drupal if the current user's uid is NOT in the list of allowed uids.
            if (!in_array($user->uid, $arrAllwDefLogUsers)) {

              // User is logged into Drupal, but may not be logged into simpleSAML.
              // If this is the case we're supposed to log the user out of Drupal.
              // FYI: Until Drupal issue #754560 is corrected this message will never be seen by the user.
              drupal_set_message(t("We are sorry, you are not permitted to log in using a local account."));
              _simplesamlphp_auth_destroy_drupal_session();
            }
          }
        }

        // End test for specified users.
      }

      // End if $_simplesamlphp_auth_as->isAuthenticated().
    }

    // End test to see if we allow default logins.
  }

  // End if user->uid.
}