Disable external user password on login and deploy

City-of-Helsinki · Jun 17, 2024 · 49afbc6 · 49afbc6
1 parent e968d82
commit 49afbc6
Show file tree

Hide file tree

Showing 5 changed files with 129 additions and 5 deletions.
diff --git a/helfi_tunnistamo.module b/helfi_tunnistamo.module
@@ -26,6 +26,15 @@ function helfi_tunnistamo_openid_connect_post_authorize(UserInterface $account,
   }
   $plugin->mapRoles($account, $context);
   $plugin->setUserPreferredAdminLanguage($account);
+
+  // Once user logs in with openid connect, set user password to null.
+  // This prevents the user from logging in with the local user in the
+  // future.
+  if ($account->getPassword()) {
+    $account
+      ->setPassword(NULL)
+      ->save();
+  }
 }
 
 /**

diff --git a/helfi_tunnistamo.services.yml b/helfi_tunnistamo.services.yml
@@ -1,9 +1,11 @@
 services:
-  helfi_tunnistamo.http_exception_subscriber:
-    class: Drupal\helfi_tunnistamo\EventSubscriber\HttpExceptionSubscriber
-    arguments: ['@entity_type.manager', '@openid_connect.session', '@current_user']
-    tags:
-      - { name: event_subscriber }
+  _defaults:
+    autowire: true
+    autoconfigure: true
+
   logger.channel.helfi_tunnistamo:
     parent: logger.channel_base
     arguments: [ 'helfi_tunnistamo' ]
+
+  Drupal\helfi_tunnistamo\EventSubscriber\HttpExceptionSubscriber: ~
+  Drupal\helfi_tunnistamo\EventSubscriber\DisableExternalUsersPasswordSubscriber: ~
diff --git a/src/EventSubscriber/DisableExternalUsersPasswordSubscriber.php b/src/EventSubscriber/DisableExternalUsersPasswordSubscriber.php
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\helfi_tunnistamo\EventSubscriber;
+
+use Drupal\Core\Database\Connection;
+use Drupal\Core\Entity\EntityTypeManagerInterface;
+use Drupal\helfi_api_base\EventSubscriber\DeployHookEventSubscriberBase;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * Sets tunnistamo users' password to NULL.
+ *
+ * This should prevent given users from logging in using password.
+ */
+final class DisableExternalUsersPasswordSubscriber extends DeployHookEventSubscriberBase {
+
+  /**
+   * Constructs a new instance.
+   *
+   * @param \Drupal\Core\Database\Connection $database
+   *   Database connection.
+   * @param \Drupal\Core\Entity\EntityTypeManagerInterface $entityTypeManager
+   *   The entity type manager.
+   */
+  public function __construct(
+    private readonly Connection $database,
+    private readonly EntityTypeManagerInterface $entityTypeManager,
+  ) {
+  }
+
+  /**
+   * {@inheritdoc}
+   */
+  public function onPostDeploy(Event $event) : void {
+    // Query tunnistamo users that have their passwords set.
+    $query = $this->database->select('authmap', 'am');
+    $query->leftJoin('users_field_data', 'ufd', 'ufd.uid = am.uid');
+    $query
+      ->fields('am', ['uid'])
+      ->condition('ufd.pass', NULL, 'IS NOT NULL')
+      // Make sure we have an upper bound.
+      ->range(0, 50);
+
+    $storage = $this->entityTypeManager->getStorage('user');
+    foreach ($query->execute()->fetchCol() as $id) {
+      /** @var \Drupal\user\UserInterface $account */
+      $account = $storage->load($id);
+
+      // Set user password to null. This prevents the user
+      // from logging in with the local user in the future.
+      $account
+        ->setPassword(NULL)
+        ->save();
+    }
+  }
+
+}
diff --git a/src/EventSubscriber/HttpExceptionSubscriber.php b/src/EventSubscriber/HttpExceptionSubscriber.php
@@ -9,6 +9,7 @@
 use Drupal\Core\Session\AccountProxyInterface;
 use Drupal\helfi_tunnistamo\Plugin\OpenIDConnectClient\Tunnistamo;
 use Drupal\openid_connect\OpenIDConnectSession;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\HttpKernel\Event\ExceptionEvent;
 
 /**
@@ -28,6 +29,7 @@ final class HttpExceptionSubscriber extends HttpExceptionSubscriberBase {
    */
   public function __construct(
     private EntityTypeManagerInterface $entityTypeManager,
+    #[Autowire(service: 'openid_connect.session')]
     private OpenIDConnectSession $session,
     private AccountProxyInterface $accountProxy,
   ) {

diff --git a/tests/src/Kernel/DisableExternalUsersPasswordSubscriberTest.php b/tests/src/Kernel/DisableExternalUsersPasswordSubscriberTest.php
@@ -0,0 +1,52 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\Tests\helfi_tunnistamo\Kernel;
+
+use Drupal\helfi_api_base\Event\PostDeployEvent;
+use Drupal\Tests\user\Traits\UserCreationTrait;
+use Drupal\user\Entity\User;
+
+/**
+ * Tests disable local users subscriber.
+ *
+ * @group helfi_tunnistamo
+ */
+class DisableExternalUsersPasswordSubscriberTest extends KernelTestBase {
+
+  use UserCreationTrait;
+
+  /**
+   * Tests that deploy prevents external users from logging in with password.
+   */
+  public function testSubscriber() : void {
+    /** @var \Drupal\externalauth\Authmap $authmap */
+    $authmap = $this->container->get('externalauth.authmap');
+    $external = $this->createUser(values: ['pass' => '123']);
+    $local = $this->createUser(values: ['pass' => '123']);
+
+    // Add external auth to user.
+    $authmap->save($external, 'test_provider', 'test_authname');
+
+    // User login is enabled.
+    $this->assertNotEmpty($external->getPassword());
+    $this->assertNotEmpty($local->getPassword());
+
+    $this->triggerEvent();
+
+    // User password is disabled.
+    $this->assertEmpty(User::load($external->id())->getPassword());
+    $this->assertNotEmpty(User::load($local->id())->getPassword());
+  }
+
+  /**
+   * Triggers the post deploy event.
+   */
+  private function triggerEvent() : void {
+    /** @var \Symfony\Contracts\EventDispatcher\EventDispatcherInterface $service */
+    $service = $this->container->get('event_dispatcher');
+    $service->dispatch(new PostDeployEvent());
+  }
+
+}