From 1366fecc04dbaf0e0ddf55f33b401a2d7128693d Mon Sep 17 00:00:00 2001 From: gionkoch Date: Thu, 1 Feb 2018 10:45:36 +0100 Subject: [PATCH 1/2] [FEATURE] add /.well-known/configuration and custom role claim support --- .gitignore | 1 + Classes/Hooks/FeloginHook.php | 61 ++++++++++++++- Classes/Service/AuthenticationService.php | 82 +++++++++++++++++++-- Classes/Service/OAuthService.php | 4 +- Resources/Private/Language/locallang_db.xlf | 9 +++ ext_conf_template.txt | 17 ++++- 6 files changed, 158 insertions(+), 16 deletions(-) diff --git a/.gitignore b/.gitignore index dbc11c3..1def6bd 100644 --- a/.gitignore +++ b/.gitignore @@ -4,3 +4,4 @@ /Libraries/* +/.idea/* diff --git a/Classes/Hooks/FeloginHook.php b/Classes/Hooks/FeloginHook.php index a3d3f24..f0317eb 100644 --- a/Classes/Hooks/FeloginHook.php +++ b/Classes/Hooks/FeloginHook.php @@ -14,6 +14,7 @@ namespace Causal\Oidc\Hooks; +use TYPO3\CMS\Core\Utility\ExtensionManagementUtility; use TYPO3\CMS\Core\Utility\GeneralUtility; /** @@ -25,6 +26,7 @@ class FeloginHook /** * @param array $params * @param \TYPO3\CMS\Felogin\Controller\FrontendLoginController $pObj + * @return string */ public function postProcContent(array $params, \TYPO3\CMS\Felogin\Controller\FrontendLoginController $pObj) { @@ -32,7 +34,10 @@ public function postProcContent(array $params, \TYPO3\CMS\Felogin\Controller\Fro static::getLogger()->debug('Post-processing markers for felogin form', ['request' => $requestId]); $markerArray['###OPENID_CONNECT###'] = ''; - $settings = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']); + $extConf = isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']) + ? unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']) + : []; + $settings = $this->getConfig($extConf); if (empty($settings['oidcClientKey']) || empty($settings['oidcClientSecret']) @@ -135,6 +140,60 @@ protected function getUniqueId() return $uniqueId; } + /** + * Returns the extension config and tries to override endpoints if /.well-known/configuration exists on + * the issuer's side. + * + * @param array $config + * @return array + */ + protected function getConfig(array $config) + { + $extConfig = $config; + + if(isset($extConfig['oidcConfigUrl'])) { + try { + $wellKnownConfig = $this->getWellKnownConfig( + $extConfig['oidcConfigUrl'], + (int)$extConfig['oidcWellKnownCacheLifetime'] + ); + $extConfig['oidcEndpointAuthorize'] = $wellKnownConfig['authorization_endpoint']; + $extConfig['oidcEndpointToken'] = $wellKnownConfig['token_endpoint']; + $extConfig['oidcEndpointUserInfo'] = $wellKnownConfig['userinfo_endpoint']; + $extConfig['oidcEndpointRevoke'] = $wellKnownConfig['revocation_endpoint']; + $extConfig['oidcEndpointLogout'] = $wellKnownConfig['end_session_endpoint']; + } catch (\Exception $e) { + static::getLogger()->error('Could not process Well-Known Config', [ + 'message' => $e->getMessage(), + ]); + $extConfig = $config; + } + } + + return $extConfig; + } + + /** + * Get cached config from /.well-known/configuration URL, refreshes daily + * + * @param string $wellKnownUrl + * @param int $lifetime + * @return mixed + */ + protected function getWellKnownConfig(string $wellKnownUrl, int $lifetime) + { + $cache_path = PATH_site . 'typo3temp/'; + $filename = $cache_path . md5(ExtensionManagementUtility::extPath('oidc')); + + if(file_exists($filename) && (time() - $lifetime < filemtime($filename))) { + return json_decode(file_get_contents($filename), true); + } else { + $data = file_get_contents($wellKnownUrl); + file_put_contents($filename, $data); + return json_decode($data, true); + } + } + /** * Returns a logger. * diff --git a/Classes/Service/AuthenticationService.php b/Classes/Service/AuthenticationService.php index f865492..0ef3ce1 100644 --- a/Classes/Service/AuthenticationService.php +++ b/Classes/Service/AuthenticationService.php @@ -14,6 +14,7 @@ namespace Causal\Oidc\Service; +use TYPO3\CMS\Core\Utility\ExtensionManagementUtility; use TYPO3\CMS\Core\Utility\GeneralUtility; use TYPO3\CMS\Core\Utility\HttpUtility; use Causal\Oidc\Service\OAuthService; @@ -44,13 +45,20 @@ class AuthenticationService extends \TYPO3\CMS\Sv\AuthenticationService */ const STATUS_AUTHENTICATION_FAILURE_CONTINUE = 100; + /** + * @var array + */ + private $config; + /** * AuthenticationService constructor. */ public function __construct() { - $config = $GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']; - $this->config = $config ? unserialize($config) : []; + $extConf = isset($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']) + ? unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['oidc']) + : []; + $this->config = $this->getConfig($extConf); } /** @@ -178,7 +186,7 @@ protected function getUserFromAccessToken(OAuthService $service, $accessToken) $service->revokeToken($accessToken); throw new \RuntimeException( 'Resource owner does not have a sub part: ' . json_encode($resourceOwner) - . '. Your access token has been revoked. Please try again.', + . '. Your access token has been revoked. Please try again.', 1490086626 ); } @@ -189,7 +197,7 @@ protected function getUserFromAccessToken(OAuthService $service, $accessToken) /** * Authenticate a user * - * @oaram array $user + * @param array $user * @return int */ public function authUser(array $user) @@ -207,7 +215,7 @@ public function authUser(array $user) * Converts a resource owner into a TYPO3 Frontend user. * * @param array $info - * @return array + * @return array|bool * @throws \InvalidArgumentException */ protected function convertResourceOwner(array $info) @@ -281,14 +289,18 @@ protected function convertResourceOwner(array $info) } // Map OIDC roles to TYPO3 user groups - if (!empty($info['Roles'])) { + if (!empty($info[$this->config['oidcRolesClaim']])) { + $roles = $info[$this->config['oidcRolesClaim']]; $typo3Roles = $database->exec_SELECTgetRows( 'uid, tx_oidc_pattern', $userGroupTable, 'tx_oidc_pattern<>\'\' AND hidden=0 AND deleted=0' ); - $roles = GeneralUtility::trimExplode(',', $info['Roles'], true); - $roles = ',' . implode(',', $roles) . ','; + + if(!is_array($roles)) { + $roles = GeneralUtility::trimExplode(',', $roles, true); + } + $roles = ',' . implode(',', $info[$this->config['oidcRolesClaim']]) . ','; foreach ($typo3Roles as $typo3Role) { // Convert the pattern into a proper regular expression @@ -598,6 +610,60 @@ protected function getDatabaseConnection() return $GLOBALS['TYPO3_DB']; } + /** + * Returns the extension config and tries to override endpoints if /.well-known/configuration exists on + * the issuer's side. + * + * @param array $config + * @return array + */ + protected function getConfig(array $config) + { + $extConfig = $config; + + if(isset($extConfig['oidcConfigUrl'])) { + try { + $wellKnownConfig = $this->getWellKnownConfig( + $extConfig['oidcConfigUrl'], + (int)$extConfig['oidcWellKnownCacheLifetime'] + ); + $extConfig['oidcEndpointAuthorize'] = $wellKnownConfig['authorization_endpoint']; + $extConfig['oidcEndpointToken'] = $wellKnownConfig['token_endpoint']; + $extConfig['oidcEndpointUserInfo'] = $wellKnownConfig['userinfo_endpoint']; + $extConfig['oidcEndpointRevoke'] = $wellKnownConfig['revocation_endpoint']; + $extConfig['oidcEndpointLogout'] = $wellKnownConfig['end_session_endpoint']; + } catch (\Exception $e) { + static::getLogger()->error('Could not process Well-Known Config', [ + 'message' => $e->getMessage(), + ]); + $extConfig = $config; + } + } + + return $extConfig; + } + + /** + * Get cached config from /.well-known/configuration URL depending on lifetime + * + * @param string $wellKnownUrl + * @param int $lifetime + * @return mixed + */ + protected function getWellKnownConfig(string $wellKnownUrl, int $lifetime) + { + $cache_path = PATH_site . 'typo3temp/'; + $filename = $cache_path . md5(ExtensionManagementUtility::extPath('oidc')); + + if(file_exists($filename) && (time() - $lifetime < filemtime($filename))) { + return json_decode(file_get_contents($filename), true); + } else { + $data = file_get_contents($wellKnownUrl); + file_put_contents($filename, $data); + return json_decode($data, true); + } + } + /** * Returns a logger. * diff --git a/Classes/Service/OAuthService.php b/Classes/Service/OAuthService.php index 76c9067..49703d4 100644 --- a/Classes/Service/OAuthService.php +++ b/Classes/Service/OAuthService.php @@ -15,9 +15,7 @@ namespace Causal\Oidc\Service; use TYPO3\CMS\Core\Utility\GeneralUtility; -use TYPO3\CMS\Backend\Utility\BackendUtility; use League\OAuth2\Client\Token\AccessToken; -use TYPO3\CMS\Core\Utility\HttpUtility; /** * Class OAuthService. @@ -124,7 +122,7 @@ public function getAccessTokenWithRequestPathAuthentication($username, $password curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_VERBOSE, 1); curl_setopt($ch, CURLOPT_HEADER, 1); - $content = curL_exec($ch); + $content = curl_exec($ch); if ($content === false) { throw new \RuntimeException('Curl ERROR: ' . curl_error($ch), 1510049345); diff --git a/Resources/Private/Language/locallang_db.xlf b/Resources/Private/Language/locallang_db.xlf index 3efc630..18088be 100755 --- a/Resources/Private/Language/locallang_db.xlf +++ b/Resources/Private/Language/locallang_db.xlf @@ -12,6 +12,12 @@ Undelete Frontend Users: If ticked, will automatically restore Frontend users marked as "deleted" upon successful authentication + + Config URL (usually /.well-known/configuration) - leave empty for manual configuration: + + + Cache lifetime(in seconds) for /.well-known/configuration: + Client Key @@ -36,6 +42,9 @@ Endpoint URI for revoking the token + + Custom roles claim - default is "Roles" + Use Request Path Authentication: When ticked, this value will use Request Path Authentication instead of standard Password Grant. diff --git a/ext_conf_template.txt b/ext_conf_template.txt index f0b401b..aa55b2a 100644 --- a/ext_conf_template.txt +++ b/ext_conf_template.txt @@ -13,13 +13,19 @@ usersStoragePid = # cat=basic//2; type=string; label=Default user group(s) (comma-separated list of UIDs) usersDefaultGroup = -# cat=basic//3; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientKey +# cat=basic//3; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcConfigUrl +oidcConfigUrl = + +# cat=basic//4; type=int; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcWellKnownCacheLifetime +oidcWellKnownCacheLifetime = 86400 + +# cat=basic//5; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientKey oidcClientKey = -# cat=basic//4; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientSecret -oidcClientSecret = +# cat=basic//6; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientSecret +oidcClientSecret = -# cat=basic//5; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientScopes +# cat=basic//7; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientScopes oidcClientScopes = openid # cat=advanced/links/1; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcEndpointAuthorize @@ -37,6 +43,9 @@ oidcEndpointLogout = https://ids02.sac-cas.ch/oauth2/logout # cat=advanced/links/5; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcEndpointRevoke oidcEndpointRevoke = https://ids02.sac-cas.ch/oauth2/revoke +# cat=advanced/links/6; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcRolesClaim +oidcRolesClaim = Roles + # cat=advanced/enable/1; type=boolean; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcUseRequestPathAuthentication oidcUseRequestPathAuthentication = 0 From 50dc40d8a3dbcdfe58dfcc4542d882ddd65eabf9 Mon Sep 17 00:00:00 2001 From: gionkoch Date: Tue, 6 Feb 2018 10:09:01 +0100 Subject: [PATCH 2/2] Add group override option, excluding all manually assigned user groups --- Classes/Hooks/FeloginHook.php | 2 +- Classes/Service/AuthenticationService.php | 6 ++++-- Resources/Private/Language/locallang_db.xlf | 6 ++++++ ext_conf_template.txt | 18 ++++++++++++------ 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/Classes/Hooks/FeloginHook.php b/Classes/Hooks/FeloginHook.php index f0317eb..e08fd0b 100644 --- a/Classes/Hooks/FeloginHook.php +++ b/Classes/Hooks/FeloginHook.php @@ -180,7 +180,7 @@ protected function getConfig(array $config) * @param int $lifetime * @return mixed */ - protected function getWellKnownConfig(string $wellKnownUrl, int $lifetime) + protected function getWellKnownConfig($wellKnownUrl, $lifetime = 86400) { $cache_path = PATH_site . 'typo3temp/'; $filename = $cache_path . md5(ExtensionManagementUtility::extPath('oidc')); diff --git a/Classes/Service/AuthenticationService.php b/Classes/Service/AuthenticationService.php index 0ef3ce1..a3019ad 100644 --- a/Classes/Service/AuthenticationService.php +++ b/Classes/Service/AuthenticationService.php @@ -18,6 +18,7 @@ use TYPO3\CMS\Core\Utility\GeneralUtility; use TYPO3\CMS\Core\Utility\HttpUtility; use Causal\Oidc\Service\OAuthService; +use TYPO3\CMS\Extbase\Utility\DebuggerUtility; /** * OpenID Connect authentication service. @@ -271,7 +272,7 @@ protected function convertResourceOwner(array $info) $newUsergroups = []; $defaultUserGroups = GeneralUtility::intExplode(',', $this->config['usersDefaultGroup'], true); - if ($row) { + if ($row && !$this->config['overrideNonOIDCRoles']) { $currentUserGroups = GeneralUtility::intExplode(',', $row['usergroup'], true); if (!empty($currentUserGroups)) { $oidcUserGroups = $database->exec_SELECTgetRows( @@ -343,6 +344,7 @@ protected function convertResourceOwner(array $info) 'usergroup' => implode(',', $newUsergroups), 'crdate' => $GLOBALS['EXEC_TIME'], 'tx_oidc' => $info['sub'], + 'tx_extbase_type' => $this->config['usersExtbaseType'] ]); $database->exec_INSERTquery( $userTable, @@ -650,7 +652,7 @@ protected function getConfig(array $config) * @param int $lifetime * @return mixed */ - protected function getWellKnownConfig(string $wellKnownUrl, int $lifetime) + protected function getWellKnownConfig($wellKnownUrl, $lifetime) { $cache_path = PATH_site . 'typo3temp/'; $filename = $cache_path . md5(ExtensionManagementUtility::extPath('oidc')); diff --git a/Resources/Private/Language/locallang_db.xlf b/Resources/Private/Language/locallang_db.xlf index 18088be..24fd009 100755 --- a/Resources/Private/Language/locallang_db.xlf +++ b/Resources/Private/Language/locallang_db.xlf @@ -12,6 +12,12 @@ Undelete Frontend Users: If ticked, will automatically restore Frontend users marked as "deleted" upon successful authentication + + Override all non OIDC Roles: If ticked, all manually added user groups will be overridden by the oidc roles mapping + + + Default User Extbase Type + Config URL (usually /.well-known/configuration) - leave empty for manual configuration: diff --git a/ext_conf_template.txt b/ext_conf_template.txt index aa55b2a..50ec5ca 100644 --- a/ext_conf_template.txt +++ b/ext_conf_template.txt @@ -7,25 +7,31 @@ reEnableFrontendUsers = 0 # cat=basic/enable/3; type=boolean; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.undeleteFrontendUsers undeleteFrontendUsers = 0 +# cat=basic/enable/4; type=boolean; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.overrideNonOIDCRoles +overrideNonOIDCRoles = 0 + # cat=basic//1; type=int; label=Storage Pid: The Storage Pid of the Page, where the fe_users should be stored usersStoragePid = # cat=basic//2; type=string; label=Default user group(s) (comma-separated list of UIDs) usersDefaultGroup = -# cat=basic//3; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcConfigUrl +# cat=basic//3; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.defaultUserExtbaseType +usersExtbaseType = 0 + +# cat=basic//4; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcConfigUrl oidcConfigUrl = -# cat=basic//4; type=int; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcWellKnownCacheLifetime +# cat=basic//5; type=int; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcWellKnownCacheLifetime oidcWellKnownCacheLifetime = 86400 -# cat=basic//5; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientKey +# cat=basic//6; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientKey oidcClientKey = -# cat=basic//6; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientSecret -oidcClientSecret = +# cat=basic//7; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientSecret +oidcClientSecret = -# cat=basic//7; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientScopes +# cat=basic//8; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcClientScopes oidcClientScopes = openid # cat=advanced/links/1; type=string; label=LLL:EXT:oidc/Resources/Private/Language/locallang_db.xlf:settings.oidcEndpointAuthorize