<?php
/**
* @file
* Contains alterations for the Hel.fi tunnistamo module.
*/
declare(strict_types=1);
use Drupal\Component\Uuid\Uuid;
use Drupal\Core\Database\Query\AlterableInterface;
use Drupal\Core\Database\Query\SelectInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\helfi_tunnistamo\Plugin\OpenIDConnectClient\Tunnistamo;
use Drupal\openid_connect\Entity\OpenIDConnectClientEntity;
use Drupal\user\UserInterface;
/**
 * Implements hook_openid_connect_post_authorize().
 *
 * Runs after a successful OpenID Connect login. Only acts when the client
 * plugin is the Tunnistamo client: delegates role mapping and the preferred
 * admin language to the plugin, then clears any stored password so the
 * account can no longer be used with the local password login form.
 */
function helfi_tunnistamo_openid_connect_post_authorize(UserInterface $account, array $context) : void {
  $client = OpenIDConnectClientEntity::load($context['plugin_id']);
  $plugin = $client?->getPlugin();

  // Logins through other OpenID Connect clients are left untouched.
  if (!($plugin instanceof Tunnistamo)) {
    return;
  }

  $plugin->mapRoles($account, $context);
  $plugin->setUserPreferredAdminLanguage($account);

  // Dropping the stored password closes the local login path for accounts
  // that authenticate through Tunnistamo. Skip the save when there is
  // nothing to clear.
  if (!$account->getPassword()) {
    return;
  }
  $account->setPassword(NULL)->save();
}
/**
 * Implements hook_form_FORM_ID_alter().
 *
 * Locks the email and password fields of the user edit form for accounts
 * that have an externalauth authmap entry, i.e. accounts that have logged in
 * through OpenID Connect. The identity provider is authoritative for those
 * values, so they must not be editable locally. The account is looked up by
 * the email pre-filled in the form; when no account matches, or the account
 * has no authmap entry, the form is left as-is.
 */
function helfi_tunnistamo_form_user_form_alter(&$form, FormStateInterface $form_state, $form_id) : void {
  $currentMail = $form['account']['mail']['#default_value'] ?? '';
  $account = user_load_by_mail($currentMail);

  // No matching account: nothing to lock down.
  if (!$account) {
    return;
  }

  // A purely local account (no authmap rows) keeps the editable fields.
  $authmap = Drupal::service('externalauth.authmap');
  if (!$authmap->getAll($account->id())) {
    return;
  }

  // Show the email as a read-only item instead of an editable text field.
  $form['account']['mail']['#type'] = 'item';
  $form['account']['mail']['#markup'] = $account->getEmail();

  // Hide both password fields; passwords are not managed locally.
  foreach (['pass', 'current_pass'] as $passwordField) {
    $form['account'][$passwordField]['#access'] = FALSE;
  }
}
/**
 * Generates a placeholder email address for the given userinfo array.
 *
 * Used when the identity provider returns no email claim; the address is
 * built from the 'sub' claim so that it differs per subject.
 *
 * @param array $userinfo
 *   The userinfo claims; expected to contain a 'sub' key.
 *
 * @return string
 *   The autogenerated email.
 */
function helfi_tunnistamo_create_email(array $userinfo) : string {
  $subject = $userinfo['sub'];
  // NOTE(review): the domain suffix literal below looks mangled in this copy
  // of the file; confirm it against the canonical source.
  $suffix = '[email protected]';
  return sprintf('%s%s', $subject, $suffix);
}
/**
 * Implements hook_openid_connect_userinfo_alter().
 *
 * Normalizes the userinfo claims returned by the Tunnistamo client before
 * the account is created or updated:
 * - a missing or empty 'email' is replaced with a generated placeholder
 *   address (see helfi_tunnistamo_create_email());
 * - a 'preferred_username' that is a UUID is dropped so that the account
 *   name falls back to the 'name' claim.
 *
 * Claims from other OpenID Connect clients are left untouched.
 */
function helfi_tunnistamo_openid_connect_userinfo_alter(
  array &$userinfo,
  array $context,
) : void {
  $client = OpenIDConnectClientEntity::load($context['plugin_id']);
  if (!($client?->getPlugin() instanceof Tunnistamo)) {
    return;
  }

  // Some users (e.g. @edu.hel.fi) arrive without an email claim; fall back
  // to a generated address.
  $email = $userinfo['email'] ?? NULL;
  if (empty($email)) {
    $userinfo['email'] = helfi_tunnistamo_create_email($userinfo);
  }

  // A UUID is not a usable display name; drop it so `name` is used instead.
  $username = $userinfo['preferred_username'] ?? NULL;
  if (!empty($username) && Uuid::isValid($username)) {
    unset($userinfo['preferred_username']);
  }
}
/**
 * Implements hook_query_TAG_alter().
 *
 * Excludes externally authenticated users from the User Expire feature by
 * keeping only accounts that have no 'authmap' row. This should cover all
 * Tunnistamo users; note that any account with an authmap row, whatever
 * its external provider, is excluded by the same condition.
 */
function helfi_tunnistamo_query_expired_users_alter(AlterableInterface $query) : void {
  // The tagged query is a Select query; the assert documents that and is a
  // no-op when assertions are disabled.
  assert($query instanceof SelectInterface);

  // Left-join authmap and keep only the rows where no entry was found.
  $query->leftJoin('authmap', 'a', 'a.uid = users_field_data.uid');
  $query->isNull('a.uid');
}