Initial commit

stankut · stankut · commit 6c01bdcad242 · 2019-11-20T13:41:21.000+02:00
diff --git a/README.md b/README.md
@@ -0,0 +1,27 @@
+#Module purpose
+
+The aim of this module is to enhance integration with **simplesamlphp_auth** module, by force triggering **SimpleSAML auth page** redirect when certain criteria are met. 
+
+#How does it work
+
+Module performs checks on a single redirect triggering page. In order for it to work the cache for anonymous user for that page response is programmatically killed.
+
+The redirect check cannot be done on all pages. Reason for that is the performance. The redirect only works properly when page response cache is killed (otherwise response is cached for all anonymous users), so in order for it to work on all pages anonymous page response caches must be killed (which is the same as disabling page cache entirely).
+
+As a compromise between the functionality and performance it has been decided to use a single page to trigger redirect check.
+
+If the request passes all the criteria (meaning user is anonymous and the IP is within whitelist), request is redirected to **SimpleSAML auth page**.
+
+To improve the performance, the redirect decision is stored in cookies to a limited time.
+
+Additionally module provides a special field for user entity, called **SimpleSAML UID** that allows to create a **SimpleSAML mapping** with the existing Drupal users.
+
+#Additional setings
+
+- **IP's whitelist**
+Comma separate values of IP or IP ranges that will be redirected to SimpleSAML auth page. 
+- **Redirect triggering page**
+A certain page that triggers the redirect to SimpleSAML auth page if the criteria pass (_defaults: front page "/"_).
+- **Cookies TTL**
+Stores the redirect response in the cookies for a certain period of time (_defaults: 5min_).
+
diff --git a/composer.json b/composer.json
@@ -0,0 +1,11 @@
+{
+    "name": "os2web/os2web_simplesaml",
+    "type": "drupal-module",
+    "description": "Enhances integration with simplesamlphp_auth module, by force triggering SimpleSAML auth page redirect when certain criteria are met",
+    "minimum-stability": "dev",
+    "prefer-stable": true,
+    "license": "GPL-2.0+",
+    "require": {
+        "drupal/simplesamlphp_auth": "^3.1"
+    }
+}
diff --git a/config/install/os2web_simplesaml.settings.yml b/config/install/os2web_simplesaml.settings.yml
@@ -0,0 +1,3 @@
+redirect_ips: ''
+redirect_trigger_path: /
+redirect_cookies_ttl: '300'
diff --git a/os2web_simplesaml.info.yml b/os2web_simplesaml.info.yml
@@ -0,0 +1,9 @@
+name: OS2Web SimpleSAML Authentication
+type: module
+description: Enhances integration with simplesamlphp_auth module, by force triggering SimpleSAML auth page redirect when certain criteria are met.
+package: OS2Web
+core: 8.x
+configure: simplesamlphp_auth.admin_settings_local
+
+dependencies:
+  - simplesamlphp_auth
diff --git a/os2web_simplesaml.module b/os2web_simplesaml.module
@@ -0,0 +1,202 @@
+<?php
+
+/**
+ * @file
+ * OS2Web SimpleSAML functionality module.
+ */
+
+use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Url;
+
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * Adds redirect IPs settings to simplesamlphp_auth_local_settings_form.
+ */
+function os2web_simplesaml_form_simplesamlphp_auth_local_settings_form_alter(&$form, FormStateInterface $form_state, $form_id) {
+  $config = \Drupal::config('os2web_simplesaml.settings');
+
+  $form['os2web_simplesaml_additional_settings'] = array(
+    '#type' => 'fieldset',
+    '#title' => t('OS2Web SimpleSAML additional settings'),
+  );
+  $form['os2web_simplesaml_additional_settings']['redirect_ips'] = array(
+    '#type' => 'textfield',
+    '#title' => t("Redirect IP's to SimpleSAML login"),
+    '#default_value' => $config->get('redirect_ips'),
+    '#description' => t('Comma separated. Ex. 192.168.1.1,192.168.2.1'),
+  );
+  $form['os2web_simplesaml_additional_settings']['redirect_trigger_path'] = array(
+    '#type' => 'textfield',
+    '#title' => t('Redirect triggering path'),
+    '#default_value' => $config->get('redirect_trigger_path'),
+    '#description' => t('The path that will trigger the redirect. NB! The caching for that path will be programmatically disabled.'),
+    '#required' => TRUE,
+  );
+  $form['os2web_simplesaml_additional_settings']['redirect_cookies_ttl'] = array(
+    '#type' => 'number',
+    '#min' => 0,
+    '#step' => 10,
+    '#title' => t('Redirect cookies time to live (TTL)'),
+    '#default_value' => $config->get('redirect_cookies_ttl'),
+    '#description' => t('Number of seconds, after which the positive or negative redirect decision will expire. Setting long time improves the performance, but IP rules change will take longer to become active for all users.'),
+    '#required' => TRUE,
+  );
+
+  $form['#validate'][] = 'os2web_simplesaml_form_validate';
+  $form['#submit'][] = 'os2web_simplesaml_form_submit';
+}
+
+/**
+ * Validation for simplesamlphp_auth_local_settings_form.
+ *
+ * Checks provided IP list format.
+ */
+function os2web_simplesaml_form_validate(&$form, FormStateInterface $form_state) {
+  if ($form_state->hasValue('redirect_ips')) {
+    $redirect_ips = $form_state->getValue('redirect_ips');
+    if (preg_match("/[^0-9.,]/", $redirect_ips)) {
+      $form_state->setErrorByName('redirect_ips', t('Invalid format, must be comma separated. Ex. 192.168.1.1,192.168.2.1'));
+    }
+  }
+  if ($form_state->hasValue('redirect_trigger_path')) {
+    $redirect_trigger_path = $form_state->getValue('redirect_trigger_path');
+    $url = Url::fromUserInput($redirect_trigger_path);
+    if (!$url->isRouted()) {
+      $form_state->setErrorByName('redirect_trigger_path', t('Invalid URL, this URL does not exist'));
+    }
+  }
+}
+
+/**
+ * Submit for simplesamlphp_auth_local_settings_form.
+ *
+ * Saves redirect_ips into configuration.
+ */
+function os2web_simplesaml_form_submit(&$form, FormStateInterface $form_state) {
+  $redirect_ips = $form_state->getValue('redirect_ips');
+  $redirect_trigger_path = $form_state->getValue('redirect_trigger_path');
+  $redirect_cookies_ttl = $form_state->getValue('redirect_cookies_ttl');
+
+  $config = \Drupal::service('config.factory')
+    ->getEditable('os2web_simplesaml.settings');
+  $config->set('redirect_ips', $redirect_ips);
+  $config->set('redirect_trigger_path', $redirect_trigger_path);
+  $config->set('redirect_cookies_ttl', $redirect_cookies_ttl);
+  $config->save();
+
+  // Invalidating router cache, so that new settings are applied.
+  \Drupal::service("router.builder")->rebuild();
+}
+
+/**
+ * Implements hook_entity_extra_field_info().
+ */
+function os2web_simplesaml_entity_extra_field_info() {
+  $fields = [];
+  $fields['user']['user']['form']['os2web_simplesaml_uid'] = [
+    'label' => t('SimpleSAML UID'),
+    'description' => '',
+    'weight' => 0,
+    'visible' => TRUE,
+  ];
+  return $fields;
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * @see AccountForm::form()
+ * @see os2web_simplesaml_user_form_includes()
+ */
+function os2web_simplesaml_form_user_form_alter(&$form, FormStateInterface $form_state, $form_id) {
+  os2web_simplesaml_user_form_includes($form);
+
+  // If the user has a simplesamlphp_auth authmap record, then fetch it and
+  // prefill the field.
+  $authmap = \Drupal::service('externalauth.authmap');
+  $account = $form_state->getFormObject()->getEntity();
+  $authname = $authmap->get($account->id(), 'simplesamlphp_auth');
+  if ($authname) {
+    $form['os2web_simplesaml_uid']['#default_value'] = $authname;
+  }
+}
+
+/**
+ * Implements hook_form_FORM_ID_alter().
+ *
+ * @see AccountForm::form()
+ * @see os2web_simplesaml_user_form_includes()
+ */
+function os2web_simplesaml_form_user_register_form_alter(&$form, FormStateInterface $form_state, $form_id) {
+  os2web_simplesaml_user_form_includes($form);
+}
+
+/**
+ * Helper function to include the BC SimpleSAML on user forms.
+ *
+ * Alters the user register form to include a textfield for providing custom
+ * SimpleSAML value.
+ *
+ * @param array $form
+ *   The user account form.
+ *
+ * @see os2web_simplesaml_user_form_submit()
+ */
+function os2web_simplesaml_user_form_includes(&$form) {
+  // Getting SimpleSAML existing authname to use as an example.
+  $query = \Drupal::database()->select('authmap', 'am')
+    ->fields('am', ['authname'])
+    ->condition('provider', 'simplesamlphp_auth')
+    ->range(0, 1);
+  $simplesamlExample = $query->execute()->fetchField();
+
+  $form['os2web_simplesaml_uid'] = [
+    '#type' => 'textfield',
+    '#title' => t('SimpleSAML UID'),
+    '#access' => \Drupal::currentUser()->hasPermission('change saml authentication setting'),
+    '#description' => $simplesamlExample ? t('Example of the existing SimpleSAML entry from authmap table: <b>@simplesaml</b>', array('@simplesaml' => $simplesamlExample)) : t('Provide a string serves the UID of the user.')
+  ];
+
+  // Adding custom validation.
+  $form['#validate'][] = 'os2web_simplesaml_user_form_validate';
+
+  // Adding custom submit.
+  $form['actions']['submit']['#submit'][] = 'os2web_simplesaml_user_form_submit';
+}
+
+/**
+ * Form validation handler for user_form.
+ */
+function os2web_simplesaml_user_form_validate($form, FormStateInterface $form_state) {
+  $simplesaml_uid = NULL;
+  if ($form_state->getValue('os2web_simplesaml_uid')) {
+    $simplesaml_uid = $form_state->getValue('os2web_simplesaml_uid');
+  }
+
+  if (!$form_state->getValue('simplesamlphp_auth_user_enable') && !empty($simplesaml_uid)) {
+    $form_state->setErrorByName('os2web_simplesaml_uid', t('Field SimpleSAML UID is provided but SAML authentication is not checked, mapping will not be created'));
+  }
+}
+
+/**
+ * Form submission handler for user_form.
+ */
+function os2web_simplesaml_user_form_submit($form, FormStateInterface $form_state) {
+  $authmap = \Drupal::service('externalauth.authmap');
+  $externalauth = \Drupal::service('externalauth.externalauth');
+
+  // Remove this user from the ExternalAuth authmap table.
+  $authmap->delete($form_state->getValue('uid'));
+
+  if ($form_state->getValue('os2web_simplesaml_uid')) {
+    $simplesaml_uid = $form_state->getValue('os2web_simplesaml_uid');
+  }
+
+  // Add an authmap entry for this account, so it can leverage SAML
+  // authentication.
+  if ($simplesaml_uid) {
+    $account = $form_state->getFormObject()->getEntity();
+    $externalauth->linkExistingAccount($simplesaml_uid, 'simplesamlphp_auth', $account);
+  }
+}
diff --git a/os2web_simplesaml.services.yml b/os2web_simplesaml.services.yml
@@ -0,0 +1,6 @@
+services:
+  os2web_simplesaml_event_subscriber:
+    class: Drupal\os2web_simplesaml\EventSubscriber\SimplesamlSubscriber
+    arguments: ['@simplesamlphp_auth.manager', '@current_user']
+    tags:
+      - {name: event_subscriber}
diff --git a/src/EventSubscriber/SimplesamlSubscriber.php b/src/EventSubscriber/SimplesamlSubscriber.php
@@ -0,0 +1,130 @@
+<?php
+
+namespace Drupal\os2web_simplesaml\EventSubscriber;
+
+use Drupal\Core\Session\AccountInterface;
+use Drupal\Core\Url;
+use Drupal\simplesamlphp_auth\Service\SimplesamlphpAuthManager;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+
+/**
+ * Event subscriber subscribing to KernelEvents::REQUEST.
+ */
+class SimplesamlSubscriber implements EventSubscriberInterface {
+
+  /**
+   * The SimpleSAML Authentication helper service.
+   *
+   * @var \Drupal\simplesamlphp_auth\Service\SimplesamlphpAuthManager
+   */
+  protected $simplesaml;
+
+  /**
+   * The current account.
+   *
+   * @var \Drupal\Core\Session\AccountInterface
+   */
+  protected $account;
+
+  /**
+   * {@inheritdoc}
+   *
+   * @param \Drupal\simplesamlphp_auth\Service\SimplesamlphpAuthManager $simplesaml
+   *   The SimpleSAML Authentication helper service.
+   * @param \Drupal\Core\Session\AccountInterface $account
+   *   The current account.
+   */
+  public function __construct(SimplesamlphpAuthManager $simplesaml, AccountInterface $account) {
+    $this->simplesaml = $simplesaml;
+    $this->account = $account;
+  }
+
+  /**
+   * Redirect anonymous user to SimpleSAML auth page if IP matches redirect IPs.
+   *
+   * @param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
+   *   The subscribed event.
+   */
+  public function redirectToSimplesamlLogin(GetResponseEvent $event) {
+    // If user is not anonymous, if SimpleSAML is not activated or if PHP_SAPI
+    // is cli - don't do any redirects.
+    if (!$this->account->isAnonymous() || !$this->simplesaml->isActivated() || PHP_SAPI === 'cli') {
+      return;
+    }
+
+    $request = $event->getRequest();
+    $config = \Drupal::config('os2web_simplesaml.settings');
+
+    // Only redirect if we are on redirect triggering page.
+    if ($request->getRequestUri() == $config->get('redirect_trigger_path')) {
+      // Killing cache for redirect triggering page.
+      \Drupal::service('page_cache_kill_switch')->trigger();
+
+      // Check has been already performed, wait for the cookies to expire.
+      if ($request->cookies->has('os2web_simplesaml_redirect_to_saml')) {
+        return;
+      }
+
+      $simplesamlRedirect = FALSE;
+      $remoteIp = $request->getClientIp();
+
+      $config = \Drupal::config('os2web_simplesaml.settings');
+      $redirectIps = $config->get('redirect_ips');
+
+      if (empty($redirectIps)) {
+        // No redirect IPs set, then redirect for all IPs.
+        $simplesamlRedirect = TRUE;
+      }
+      else {
+        $customIps = explode(',', $redirectIps);
+
+        // If the client request is from one of the IP's, login using
+        // SimpleSAMLphp; otherwise use nemid login.
+        //
+        // Check performed on parts of the ip address.
+        // This makes it possible to add only the beginning of the IP range.
+        // F.ex. 192.168 will allow all ip addresses including 192.168 as part
+        // of the it.
+        foreach ($customIps as $customIp) {
+          if (strpos($remoteIp, $customIp) !== FALSE) {
+            $simplesamlRedirect = TRUE;
+            break;
+          }
+        }
+      }
+
+      // Getting cookies time to live (TTL).
+      $cookies_ttl = $config->get('redirect_cookies_ttl');
+
+      if ($simplesamlRedirect) {
+        // Get the path (default: '/saml_login') from the
+        // 'simplesamlphp_auth.saml_login' route.
+        $saml_login_path = Url::fromRoute('simplesamlphp_auth.saml_login')->toString();
+
+        // Set 5min cookies to prevent further checks and looping redirect.
+        setrawcookie('os2web_simplesaml_redirect_to_saml', 'TRUE', time() + $cookies_ttl);
+
+        // Redirect directly to the external IdP.
+        $response = new RedirectResponse($saml_login_path, RedirectResponse::HTTP_FOUND);
+        $event->setResponse($response);
+        $event->stopPropagation();
+      }
+      else {
+        // Set 5min cookies to prevent further checks and looping redirect.
+        setrawcookie('os2web_simplesaml_redirect_to_saml', 'FALSE', time() + $cookies_ttl);
+      }
+    }
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public static function getSubscribedEvents() {
+    $events[KernelEvents::REQUEST][] = ['redirectToSimplesamlLogin'];
+    return $events;
+  }
+
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+redirect_ips: ''`
	`2`	`+redirect_trigger_path: /`
	`3`	`+redirect_cookies_ttl: '300'`