From df1abba52c74ec02188368d92c911229210e7de1 Mon Sep 17 00:00:00 2001 From: Santeri Hurnanen Date: Thu, 20 Jun 2024 19:06:19 +0300 Subject: [PATCH 1/4] UHF-10169: Allow admins to edit user email This hack is part of eduad transition and should be reverted once the transition is complete. --- helfi_tunnistamo.module | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/helfi_tunnistamo.module b/helfi_tunnistamo.module index e8da065..8ee7877 100644 --- a/helfi_tunnistamo.module +++ b/helfi_tunnistamo.module @@ -50,10 +50,15 @@ function helfi_tunnistamo_form_user_form_alter(&$form, FormStateInterface $form_ if (!Drupal::service('externalauth.authmap')->getAll($account->id())) { return; } - // Prevent users from changing the email if they have used openid_connect - // to log in. - $form['account']['mail']['#type'] = 'item'; - $form['account']['mail']['#markup'] = $account->getEmail(); + + // Quick and dirty hack to enable admins to temporarily edit users emails. + // See: UHF-10169. + if (!array_intersect(['admin', 'super_administrator'], \Drupal::currentUser()->getRoles())) { + // Prevent users from changing the email if they have used openid_connect + // to log in. + $form['account']['mail']['#type'] = 'item'; + $form['account']['mail']['#markup'] = $account->getEmail(); + } // External users password cannot be changed. $form['account']['pass']['#access'] = FALSE; From c33c21f0d783c63751fe42fbeb97600da1cbfa5b Mon Sep 17 00:00:00 2001 From: Santeri Hurnanen Date: Mon, 24 Jun 2024 14:46:17 +0300 Subject: [PATCH 2/4] Revert "UHF-10169: Allow admins to edit user email" This reverts commit df1abba52c74ec02188368d92c911229210e7de1. --- helfi_tunnistamo.module | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/helfi_tunnistamo.module b/helfi_tunnistamo.module index 8ee7877..e8da065 100644 --- a/helfi_tunnistamo.module +++ b/helfi_tunnistamo.module @@ -50,15 +50,10 @@ function helfi_tunnistamo_form_user_form_alter(&$form, FormStateInterface $form_ if (!Drupal::service('externalauth.authmap')->getAll($account->id())) { return; } - - // Quick and dirty hack to enable admins to temporarily edit users emails. - // See: UHF-10169. - if (!array_intersect(['admin', 'super_administrator'], \Drupal::currentUser()->getRoles())) { - // Prevent users from changing the email if they have used openid_connect - // to log in. - $form['account']['mail']['#type'] = 'item'; - $form['account']['mail']['#markup'] = $account->getEmail(); - } + // Prevent users from changing the email if they have used openid_connect + // to log in. + $form['account']['mail']['#type'] = 'item'; + $form['account']['mail']['#markup'] = $account->getEmail(); // External users password cannot be changed. $form['account']['pass']['#access'] = FALSE; From 5bda2ccc8c4168ba39aace37c29dd9c6e0f6262d Mon Sep 17 00:00:00 2001 From: Santeri Hurnanen Date: Thu, 20 Jun 2024 19:26:41 +0300 Subject: [PATCH 3/4] UHF-10169: Allow disabling role mapping --- README.md | 6 ++++++ config/schema/helfi_tunnistamo.schema.yml | 5 +++++ src/Plugin/OpenIDConnectClient/Tunnistamo.php | 20 +++++++++++++++++++ 3 files changed, 31 insertions(+) diff --git a/README.md b/README.md index a97b005..f592eec 100644 --- a/README.md +++ b/README.md @@ -36,6 +36,12 @@ $config['openid_connect.client.azure-ad']['settings']['ad_roles'] = [ ]; ``` +Disable role mapping for some AMRs. With this setting, OpenID users keep their manually assigned roles. + +```php +$config['openid_connect.client.azure-ad']['settings']['ad_roles_disabled_amr'] = ['eduad']; +``` + ## Local development Add something like this to your `local.settings.php` file: diff --git a/config/schema/helfi_tunnistamo.schema.yml b/config/schema/helfi_tunnistamo.schema.yml index ce6ec20..8b73208 100644 --- a/config/schema/helfi_tunnistamo.schema.yml +++ b/config/schema/helfi_tunnistamo.schema.yml @@ -28,6 +28,11 @@ openid_connect.client.plugin.tunnistamo: label: 'Client roles to automatically map to user using this client' sequence: type: string + ad_roles_disabled_amr: + type: sequence + label: 'AMRs where ad role mapping is disabled' + sequence: + type: string ad_roles: type: sequence label: 'AD roles to automatically map to user using this client' diff --git a/src/Plugin/OpenIDConnectClient/Tunnistamo.php b/src/Plugin/OpenIDConnectClient/Tunnistamo.php index 7e6d911..045c05a 100644 --- a/src/Plugin/OpenIDConnectClient/Tunnistamo.php +++ b/src/Plugin/OpenIDConnectClient/Tunnistamo.php @@ -193,6 +193,11 @@ public function buildConfigurationForm( $roleOptions[$role->id()] = $role->label(); } + $form['ad_roles_disabled_amr'] = [ + '#type' => 'markup', + '#markup' => $this->t('Disable AD role mapping for AMR. This must be done code. See README.md for more information'), + ]; + $form['ad_roles'] = [ '#type' => 'markup', '#markup' => $this->t('Map AD role to Drupal role. This must be done code. See README.md for more information'), @@ -220,6 +225,16 @@ public function getAdRoles() : array { return array_filter($this->configuration['ad_roles'] ?? []); } + /** + * Gets AMRs where ad role mapping is disabled. + * + * @return array + * The AMR list. + */ + public function getDisabledAmr() : array { + return array_filter($this->configuration['ad_roles_disabled_amr'] ?? []); + } + /** * Grant given roles to user. * @@ -236,6 +251,11 @@ public function mapRoles(UserInterface $account, array $context) : void { ])); } + // Skip role mapping for configured authentication methods. + if (array_intersect($context['userinfo']['amr'] ?? [], $this->getDisabledAmr())) { + return; + } + // User groups has values when authenticated through Helsinki/Espoo AD, // otherwise the variable is empty. Do not modify manually assigned roles // if ad_groups variable is not set. From 674d6341637b56f43f298c4052144445845013ca Mon Sep 17 00:00:00 2001 From: Santeri Hurnanen Date: Mon, 24 Jun 2024 14:46:46 +0300 Subject: [PATCH 4/4] UHF-10169: Add tests --- tests/src/Kernel/RoleMapTest.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/src/Kernel/RoleMapTest.php b/tests/src/Kernel/RoleMapTest.php index ffdc675..7cff818 100644 --- a/tests/src/Kernel/RoleMapTest.php +++ b/tests/src/Kernel/RoleMapTest.php @@ -28,6 +28,13 @@ public function testRoleMap() : void { // Create a new role and tell our plugin to map the role. $role = $this->createRole([], 'test'); $this->setPluginConfiguration('client_roles', [$role => $role]); + $this->setPluginConfiguration('ad_roles_disabled_amr', ['something']); + + $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => [], 'amr' => ['something']]]); + // Our account should not have the newly added role now, amr is disabled. + $this->assertEquals([ + AccountInterface::AUTHENTICATED_ROLE, + ], $account->getRoles()); $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => []]]); // Our account should have the newly added role now.