UHF-10169 disable role mapping with amr

README.md

@@ -36,6 +36,12 @@ $config['openid_connect.client.azure-ad']['settings']['ad_roles'] = [
 ];
 ```
 
+Disable role mapping for some AMRs. With this setting, OpenID users keep their manually assigned roles.
+
+```php
+$config['openid_connect.client.azure-ad']['settings']['ad_roles_disabled_amr'] = ['eduad'];
+```
+
 ## Local development
 
 Add something like this to your `local.settings.php` file:

config/schema/helfi_tunnistamo.schema.yml

@@ -28,6 +28,11 @@ openid_connect.client.plugin.tunnistamo:
       label: 'Client roles to automatically map to user using this client'
       sequence:
         type: string
+    ad_roles_disabled_amr:
+      type: sequence
+      label: 'AMRs where ad role mapping is disabled'
+      sequence:
+        type: string
     ad_roles:
       type: sequence
       label: 'AD roles to automatically map to user using this client'

src/Plugin/OpenIDConnectClient/Tunnistamo.php

@@ -193,6 +193,11 @@ public function buildConfigurationForm(
       $roleOptions[$role->id()] = $role->label();
     }
 
+    $form['ad_roles_disabled_amr'] = [
+      '#type' => 'markup',
+      '#markup' => $this->t('Disable AD role mapping for AMR. This must be done code. See README.md for more information'),
+    ];
+
     $form['ad_roles'] = [
       '#type' => 'markup',
       '#markup' => $this->t('Map AD role to Drupal role. This must be done code. See README.md for more information'),
@@ -220,6 +225,16 @@ public function getAdRoles() : array {
     return array_filter($this->configuration['ad_roles'] ?? []);
   }
 
+  /**
+   * Gets AMRs where ad role mapping is disabled.
+   *
+   * @return array
+   *   The AMR list.
+   */
+  public function getDisabledAmr() : array {
+    return array_filter($this->configuration['ad_roles_disabled_amr'] ?? []);
+  }
+
   /**
    * Grant given roles to user.
    *
@@ -236,6 +251,11 @@ public function mapRoles(UserInterface $account, array $context) : void {
       ]));
     }
 
+    // Skip role mapping for configured authentication methods.
+    if (array_intersect($context['userinfo']['amr'] ?? [], $this->getDisabledAmr())) {
+      return;
+    }
+
     // User groups has values when authenticated through Helsinki/Espoo AD,
     // otherwise the variable is empty. Do not modify manually assigned roles
     // if ad_groups variable is not set.

tests/src/Kernel/RoleMapTest.php

@@ -28,6 +28,13 @@ public function testRoleMap() : void {
     // Create a new role and tell our plugin to map the role.
     $role = $this->createRole([], 'test');
     $this->setPluginConfiguration('client_roles', [$role => $role]);
+    $this->setPluginConfiguration('ad_roles_disabled_amr', ['something']);
+
+    $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => [], 'amr' => ['something']]]);
+    // Our account should not have the newly added role now, amr is disabled.
+    $this->assertEquals([
+      AccountInterface::AUTHENTICATED_ROLE,
+    ], $account->getRoles());
 
     $this->getPlugin()->mapRoles($account, ['userinfo' => ['ad_groups' => []]]);
     // Our account should have the newly added role now.