Merge #14 Add event based provisioning V31

Author: memurats

lib/AppInfo/Application.php

@@ -75,7 +75,6 @@ public function register(IRegistrationContext $context): void {
 
 	public function boot(IBootContext $context): void {
 		$context->injectFn(\Closure::fromCallable([$this->backend, 'injectSession']));
-		$context->injectFn(\Closure::fromCallable([$this, 'checkLoginToken']));
 		/** @var IUserSession $userSession */
 		$userSession = $this->getContainer()->get(IUserSession::class);
 		if ($userSession->isLoggedIn()) {

lib/Controller/LoginController.php

@@ -23,6 +23,7 @@
 use OCA\UserOIDC\Service\DiscoveryService;
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\ProviderService;
+use OCA\UserOIDC\Service\ProvisioningDeniedException;
 use OCA\UserOIDC\Service\ProvisioningService;
 use OCA\UserOIDC\Service\TokenService;
 use OCA\UserOIDC\Vendor\Firebase\JWT\JWT;
@@ -480,26 +481,51 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		}
 
 		$autoProvisionAllowed = (!isset($oidcSystemConfig['auto_provision']) || $oidcSystemConfig['auto_provision']);
+		$softAutoProvisionAllowed = (!isset($oidcSystemConfig['soft_auto_provision']) || $oidcSystemConfig['soft_auto_provision']);
+
+		$shouldDoUserLookup = !$autoProvisionAllowed || ($softAutoProvisionAllowed && !$this->provisioningService->hasOidcUserProvisitioned($userId));
+		if ($shouldDoUserLookup && $this->ldapService->isLDAPEnabled()) {
+			// in case user is provisioned by user_ldap, userManager->search() triggers an ldap search which syncs the results
+			// so new users will be directly available even if they were not synced before this login attempt
+			$this->userManager->search($userId, 1, 0);
+			$this->ldapService->syncUser($userId);
+		}
 
-		// in case user is provisioned by user_ldap, userManager->search() triggers an ldap search which syncs the results
-		// so new users will be directly available even if they were not synced before this login attempt
-		$this->userManager->search($userId);
-		$this->ldapService->syncUser($userId);
 		$userFromOtherBackend = $this->userManager->get($userId);
 		if ($userFromOtherBackend !== null && $this->ldapService->isLdapDeletedUser($userFromOtherBackend)) {
 			$userFromOtherBackend = null;
 		}
 
 		if ($autoProvisionAllowed) {
-			$softAutoProvisionAllowed = (!isset($oidcSystemConfig['soft_auto_provision']) || $oidcSystemConfig['soft_auto_provision']);
-			if (!$softAutoProvisionAllowed && $userFromOtherBackend !== null) {
-				// if soft auto-provisioning is disabled,
-				// we refuse login for a user that already exists in another backend
-				$message = $this->l10n->t('User conflict');
-				return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'non-soft auto provision, user conflict'], false);
+			// $softAutoProvisionAllowed = (!isset($oidcSystemConfig['soft_auto_provision']) || $oidcSystemConfig['soft_auto_provision']);
+			// if (!$softAutoProvisionAllowed && $userFromOtherBackend !== null) {
+			// if soft auto-provisioning is disabled,
+			// we refuse login for a user that already exists in another backend
+			// $message = $this->l10n->t('User conflict');
+			// return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'non-soft auto provision, user conflict'], false);
+			// }
+
+			// TODO: (proposal) refactor all provisioning strategies into event handlers
+			$user = null;
+
+			try {
+				$user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			} catch (ProvisioningDeniedException $denied) {
+				// TODO MagentaCLOUD should upstream the exception handling
+				$redirectUrl = $denied->getRedirectUrl();
+				if ($redirectUrl === null) {
+					$message = $this->l10n->t('Failed to provision user');
+					return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => $denied->getMessage()]);
+				} else {
+					// error response is a redirect, e.g. to a booking site
+					// so that you can immediately get the registration page
+					return new RedirectResponse($redirectUrl);
+				}
 			}
+
 			// use potential user from other backend, create it in our backend if it does not exist
-			$user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			// $user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			// no default exception handling to pass on unittest assertion failures
 		} else {
 			// when auto provision is disabled, we assume the user has been created by another user backend (or manually)
 			$user = $userFromOtherBackend;
@@ -526,12 +552,12 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		$this->session->remove(self::NONCE);
 
 		// store all token information for potential token exchange requests
-		$tokenData = array_merge(
-			$data,
-			['provider_id' => $providerId],
-		);
-		$this->tokenService->storeToken($tokenData);
-		$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
+		// $tokenData = array_merge(
+			// $data,
+			// ['provider_id' => $providerId],
+		// );
+		// $this->tokenService->storeToken($tokenData);
+		// $this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
 
 		// Set last password confirm to the future as we don't have passwords to confirm against with SSO
 		$this->session->set('last-password-confirm', strtotime('+4 year', time()));
@@ -758,7 +784,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 	 * @return JSONResponse
 	 */
 	private function getBackchannelLogoutErrorResponse(
-		string $error, string $description, array $throttleMetadata = [],
+		string $error, string $description, array $throttleMetadata = [], ?bool $throttle = null,
 	): JSONResponse {
 		$this->logger->debug('Backchannel logout error. ' . $error . ' ; ' . $description);
 		return new JSONResponse(

lib/Db/UserMapper.php

@@ -14,21 +14,25 @@
 use OCP\Cache\CappedMemoryCache;
 use OCP\IConfig;
 use OCP\IDBConnection;
+use Psr\Log\LoggerInterface;
 
 /**
  * @extends QBMapper<User>
  */
 class UserMapper extends QBMapper {
 
 	private CappedMemoryCache $userCache;
+	private LoggerInterface $logger;
 
 	public function __construct(
 		IDBConnection $db,
+		LoggerInterface $logger,
 		private LocalIdService $idService,
 		private IConfig $config,
 	) {
 		parent::__construct($db, 'user_oidc', User::class);
 		$this->userCache = new CappedMemoryCache();
+		$this->logger = $logger;
 	}
 
 	/**

lib/Event/UserAccountChangeEvent.php

@@ -0,0 +1,87 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+use OCP\EventDispatcher\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeEvent extends Event {
+	private $uid;
+	private $displayname;
+	private $mainEmail;
+	private $quota;
+	private $claims;
+	private $result;
+
+
+	public function __construct(string $uid, ?string $displayname, ?string $mainEmail, ?string $quota, object $claims, bool $accessAllowed = false) {
+		parent::__construct();
+		$this->uid = $uid;
+		$this->displayname = $displayname;
+		$this->mainEmail = $mainEmail;
+		$this->quota = $quota;
+		$this->claims = $claims;
+		$this->result = new UserAccountChangeResult($accessAllowed, 'default');
+	}
+
+	/**
+	 * @return get event username (uid)
+	 */
+	public function getUid(): string {
+		return $this->uid;
+	}
+
+	/**
+	 * @return get event displayname
+	 */
+	public function getDisplayName(): ?string {
+		return $this->displayname;
+	}
+
+	/**
+	 * @return get event main email
+	 */
+	public function getMainEmail(): ?string {
+		return $this->mainEmail;
+	}
+
+	/**
+	 * @return get event quota
+	 */
+	public function getQuota(): ?string {
+		return $this->quota;
+	}
+
+	/**
+	 * @return array the array of claim values associated with the event
+	 */
+	public function getClaims(): object {
+		return $this->claims;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function getResult(): UserAccountChangeResult {
+		return $this->result;
+	}
+
+	public function setResult(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) : void {
+		$this->result = new UserAccountChangeResult($accessAllowed, $reason, $redirectUrl);
+	}
+}

lib/Event/UserAccountChangeResult.php

@@ -0,0 +1,74 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeResult {
+
+	/** @var bool */
+	private $accessAllowed;
+	/** @var string */
+	private $reason;
+	/** @var string */
+	private $redirectUrl;
+
+	public function __construct(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) {
+		$this->accessAllowed = $accessAllowed;
+		$this->redirectUrl = $redirectUrl;
+		$this->reason = $reason;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function isAccessAllowed(): bool {
+		return $this->accessAllowed;
+	}
+
+	public function setAccessAllowed(bool $accessAllowed): void {
+		$this->accessAllowed = $accessAllowed;
+	}
+
+	/**
+	 * @return get optional alternate redirect address
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * @return set optional alternate redirect address
+	 */
+	public function setRedirectUrl(?string $redirectUrl): void {
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * @return get decision reason
+	 */
+	public function getReason(): string {
+		return $this->reason;
+	}
+
+	/**
+	 * @return set decision reason
+	 */
+	public function setReason(string $reason): void {
+		$this->reason = $reason;
+	}
+}

lib/Service/LdapService.php

@@ -8,6 +8,7 @@
 
 namespace OCA\UserOIDC\Service;
 
+use OCP\App\IAppManager;
 use OCP\AppFramework\QueryException;
 use OCP\IUser;
 use Psr\Log\LoggerInterface;
@@ -16,16 +17,25 @@ class LdapService {
 
 	public function __construct(
 		private LoggerInterface $logger,
+		private IAppManager $appManager,
 	) {
 	}
 
+	public function isLDAPEnabled(): bool {
+		return $this->appManager->isEnabledForUser('user_ldap');
+	}
+
 	/**
 	 * @param IUser $user
 	 * @return bool
 	 * @throws \Psr\Container\ContainerExceptionInterface
 	 * @throws \Psr\Container\NotFoundExceptionInterface
 	 */
 	public function isLdapDeletedUser(IUser $user): bool {
+		if ($this->isLDAPEnabled()) {
+			return false;
+		}
+		
 		$className = $user->getBackendClassName();
 		if ($className !== 'LDAP') {
 			return false;

lib/Service/ProvisioningDeniedException.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023, T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-Systems.com>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\UserOIDC\Service;
+
+/**
+ * Exception if the precondition of the config update method isn't met
+ * @since 1.4.0
+ */
+class ProvisioningDeniedException extends \Exception {
+	private $redirectUrl;
+
+	/**
+	 * Exception constructor including an option redirect url.
+	 *
+	 * @param string $message The error message. It will be not revealed to the
+	 *                        the user (unless the hint is empty) and thus
+	 *                        should be not translated.
+	 * @param string $hint A useful message that is presented to the end
+	 *                     user. It should be translated, but must not
+	 *                     contain sensitive data.
+	 * @param int $code Set default to 403 (Forbidden)
+	 * @param \Exception|null $previous
+	 */
+	public function __construct(string $message, ?string $redirectUrl = null, int $code = 403, ?\Exception $previous = null) {
+		parent::__construct($message, $code, $previous);
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * Read optional failure redirect if available
+	 * @return string|null
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * Include redirect in string serialisation.
+	 *
+	 * @return string
+	 */
+	public function __toString(): string {
+		$redirect = $this->redirectUrl ?? '<no redirect>';
+		return __CLASS__ . ": [{$this->code}]: {$this->message} ({$redirect})\n";
+	}
+}