diff --git a/README.md b/README.md index a97b005..f592eec 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,12 @@ $config['openid_connect.client.azure-ad']['settings']['ad_roles'] = [ ]; ``` +Disable role mapping for some AMRs. With this setting, OpenID users keep their manually assigned roles. + +```php +$config['openid_connect.client.azure-ad']['settings']['ad_roles_disabled_amr'] = ['eduad']; +``` + ## Local development Add something like this to your `local.settings.php` file: diff --git a/config/schema/helfi_tunnistamo.schema.yml b/config/schema/helfi_tunnistamo.schema.yml index ce6ec20..8b73208 100644 --- a/config/schema/helfi_tunnistamo.schema.yml +++ b/config/schema/helfi_tunnistamo.schema.yml @@ -28,6 +28,11 @@ openid_connect.client.plugin.tunnistamo: label: 'Client roles to automatically map to user using this client' sequence: type: string + ad_roles_disabled_amr: + type: sequence + label: 'AMRs where ad role mapping is disabled' + sequence: + type: string ad_roles: type: sequence label: 'AD roles to automatically map to user using this client' diff --git a/src/Plugin/OpenIDConnectClient/Tunnistamo.php b/src/Plugin/OpenIDConnectClient/Tunnistamo.php index 7e6d911..045c05a 100644 --- a/src/Plugin/OpenIDConnectClient/Tunnistamo.php +++ b/src/Plugin/OpenIDConnectClient/Tunnistamo.php @@ -193,6 +193,11 @@ public function buildConfigurationForm( $roleOptions[$role->id()] = $role->label(); } + $form['ad_roles_disabled_amr'] = [ + '#type' => 'markup', + '#markup' => $this->t('Disable AD role mapping for AMR. This must be done code. See README.md for more information'), + ]; + $form['ad_roles'] = [ '#type' => 'markup', '#markup' => $this->t('Map AD role to Drupal role. This must be done code. See README.md for more information'), 
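Review bot: The new `#markup` string for `ad_roles_disabled_amr` reads "This must be done code", which is missing a word; suggest `'#markup' => $this->t('Disable AD role mapping for AMR. This must be done in code. See README.md for more information.'),`. The existing `ad_roles` markup in the context lines below has the same wording, so fixing both together keeps the configuration form consistent. Because the element is plain `markup`, an administrator cannot see which AMRs are currently disabled from the form; if that matters operationally, the description could include the configured list read-only rather than only pointing at the README. buildConfigurationForm() starts before this hunk.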
@@ -220,6 +225,16 @@ public function getAdRoles() : array { return array_filter($this->configuration['ad_roles'] ?? []); } + /** + * Gets AMRs where ad role mapping is disabled. + * + * @return array + * The AMR list. + */ + public function getDisabledAmr() : array { + return array_filter($this->configuration['ad_roles_disabled_amr'] ?? []); + } + /** * Grant given roles to user. * @@ -236,6 +251,11 @@ public function mapRoles(UserInterface $account, array $context) : void { ])); } + // Skip role mapping for configured authentication methods. + if (array_intersect($context['userinfo']['amr'] ?? [], $this->getDisabledAmr())) { + return; + } + // User groups has values when authenticated through Helsinki/Espoo AD, // otherwise the variable is empty. Do not modify manually assigned roles // if ad_groups variable is not set. diff --git a/tests/src/Kernel/RoleMapTest.php b/tests/src/Kernel/RoleMapTest.php index ffdc675..7cff818 100644 --- a/tests/src/Kernel/RoleMapTest.php +++ b/tests/src/Kernel/RoleMapTest.php @@ -28,6 +28,13 @@ public function testRoleMap() : void { // Create a new role and tell our plugin to map the role. $role = $this->createRole([], 'test'); $this->setPluginConfiguration('client_roles', [$role => $role]); + $this->setPluginConfiguration('ad_roles_disabled_amr', ['something']); + + $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => [], 'amr' => ['something']]]); + // Our account should not have the newly added role now, amr is disabled. + $this->assertEquals([ + AccountInterface::AUTHENTICATED_ROLE, + ], $account->getRoles()); $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => []]]); // Our account should have the newly added role now.
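Review bot: The docblock on `getDisabledAmr()` should say what the elements are and where they come from, since `@return array` repeats the signature without adding information. Suggest `@return string[]` with the description `The AMR values configured in ad_roles_disabled_amr, with empty entries removed.` It is also worth noting in the description that `array_filter()` preserves keys, so the result can be a sparse array; that is harmless for the `array_intersect()` caller in mapRoles() but matters to any caller that expects a list.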
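Review bot: The new guard passes `$context['userinfo']['amr'] ?? []` straight into `array_intersect()`, which throws a `TypeError` under PHP 8 if the provider ever returns `amr` as a single string instead of the JSON array OpenID Connect Core specifies, and that would abort login for every user rather than just skipping role mapping. A defensive cast, `(array) ($context['userinfo']['amr'] ?? [])`, keeps the check tolerant, and comparing with `!== []` states the intent more clearly than relying on array truthiness. The return also happens before the ad_groups handling that follows, so for these authentication methods mapRoles() grants nothing and, if the code below also revokes stale AD-mapped roles, revokes nothing either; a user whose roles were previously mapped from AD keeps them when signing in through a disabled AMR. That matches the README's intent but the comment should make it explicit, e.g. `// Skip all role mapping (grant and revoke) for configured AMRs; roles are left untouched.` mapRoles() begins and ends outside this hunk.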
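Review bot: The new assertions cover an `amr` that matches the disabled list and a call with no `amr` at all, but not the case where `amr` is present and not configured as disabled, which is the path most logins take. Add a call such as `$this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => [], 'amr' => ['other']]]);` followed by an assertion that `$account->getRoles()` now contains `$role`, so a regression that skips mapping for every non-empty `amr` is caught. The enclosing testRoleMap() starts before this hunk.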