-
Notifications
You must be signed in to change notification settings - Fork 1
/
stanford_samlauth.install
125 lines (107 loc) · 4.33 KB
/
stanford_samlauth.install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
<?php
/**
* @file
* Migrate data from stanford_ssp module.
*/
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
/**
* Implements hook_install().
*/
function stanford_samlauth_install() {
$field_mapping_config = \Drupal::configFactory()
->getEditable('samlauth_user_fields.mappings');
// Make sure there weren't configured field mappings already.
if (!$field_mapping_config->get('field_mappings')) {
$field_mapping_config->set('field_mappings', [
[
'attribute_name' => 'displayName',
'field_name' => 'su_display_name',
'link_user_order' => NULL,
],
])->save();
}
$samlauth_config = \Drupal::configFactory()
->getEditable('samlauth.authentication');
// Some settings have already been configured. Don't overwrite them.
if ($samlauth_config->get('sp_entity_id')) {
return;
}
$role_ids = array_keys(Role::loadMultiple());
$role_ids = array_combine($role_ids, $role_ids);
unset($role_ids[RoleInterface::AUTHENTICATED_ID]);
// Set the SamlAuth settings.
$samlauth_config
->set('sp_entity_id', '')
->set('unique_id_attribute', 'uid')
->set('sp_x509_certificate', 'file:/path/to/file.crt')
->set('sp_private_key', 'file:/path/to/file.key')
->set('idp_certs', [])
->set('sp_name_id_format', 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient')
->set('idp_entity_id', 'https://idp.stanford.edu/')
->set('idp_single_sign_on_service', 'https://login.stanford.edu/idp/profile/SAML2/Redirect/SSO')
->set('map_users_roles', $role_ids)
->set('map_users_name', TRUE)
->set('map_users_mail', TRUE)
->set('create_users', TRUE)
->set('user_name_attribute', 'uid')
->set('user_mail_attribute', 'mail')
->save();
$stanford_samlauth_config = \Drupal::configFactory()
->getEditable('stanford_samlauth.settings');
$modules = \Drupal::moduleHandler();
$module_installer = \Drupal::service('module_installer');
if ($modules->moduleExists('simplesamlphp_auth')) {
$saml_config = \Drupal::config('simplesamlphp_auth.settings');
if ($modules->moduleExists('stanford_ssp')) {
$ssp_config = \Drupal::config('stanford_ssp.settings');
// Convert the simplesamlphp role mapping to a structured array.
$role_mappings = [];
$simplesaml_role_mapping = array_filter(explode('|', $saml_config->get('role.population')));
foreach ($simplesaml_role_mapping as $mapping) {
[$role, $condition] = explode(':', $mapping, 2);
[$attribute, , $value] = explode(',', $condition, 3);
$role_mappings[] = [
'role' => $role,
'attribute' => $attribute,
'value' => $value,
];
}
$role_eval = ['none', 'all', 'new'];
$stanford_samlauth_config->set('hide_local_login', $ssp_config->get('hide_local_login'))
->set('local_login_fieldset_label', $ssp_config->get('local_login_fieldset_label') ?: 'Drupal Login')
->set('local_login_fieldset_open', $ssp_config->get('local_login_fieldset_open') ?: FALSE)
->set('role_mapping.workgroup_api.cert', $ssp_config->get('workgroup_api_cert'))
->set('role_mapping.workgroup_api.key', $ssp_config->get('workgroup_api_key'))
->set('role_mapping.reevaluate', $role_eval[$saml_config->get('role.eval_every_time')])
->set('role_mapping.mapping', $role_mappings)
->set('allowed.restrict', $ssp_config->get('restriction') != 'all')
->set('allowed.affiliations', $ssp_config->get('allowed.affiliations'))
->set('allowed.users', $ssp_config->get('allowed.users'))
->set('allowed.groups', $ssp_config->get('allowed.groups'))
->save();
$module_installer->uninstall(['stanford_ssp']);
}
$module_installer->uninstall(['simplesamlphp_auth']);
}
// Set auto logout to 12 hours.
\Drupal::configFactory()
->getEditable('autologout.settings')
->set('timeout', 43200)
->save();
// Add no index header and excluded paths.
\Drupal::configFactory()
->getEditable('r4032login.settings')
->set('add_noindex_header', TRUE)
->set('match_noredirect_pages', "/jsonapi\r\n/jsonapi/*\r\n/subrequests")
->save();
}
/**
* Add request timeout config value.
*/
function stanford_samlauth_update_8001() {
\Drupal::configFactory()
->getEditable('stanford_samlauth.settings')
->set('role_mapping.workgroup_api.timeout', 30)
->save();
}