Merge #14 Add event based provisioning V31

Author: memurats

lib/AppInfo/Application.php

@@ -60,7 +60,6 @@ public function register(IRegistrationContext $context): void {
 
 	public function boot(IBootContext $context): void {
 		$context->injectFn(\Closure::fromCallable([$this->backend, 'injectSession']));
-		$context->injectFn(\Closure::fromCallable([$this, 'checkLoginToken']));
 		/** @var IUserSession $userSession */
 		$userSession = $this->getContainer()->get(IUserSession::class);
 		if ($userSession->isLoggedIn()) {

lib/Controller/LoginController.php

@@ -23,6 +23,7 @@
 use OCA\UserOIDC\Service\DiscoveryService;
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\ProviderService;
+use OCA\UserOIDC\Service\ProvisioningDeniedException;
 use OCA\UserOIDC\Service\ProvisioningService;
 use OCA\UserOIDC\Service\TokenService;
 use OCA\UserOIDC\User\Backend;
@@ -486,14 +487,35 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		}
 
 		if ($autoProvisionAllowed) {
-			if (!$softAutoProvisionAllowed && $userFromOtherBackend !== null) {
-				// if soft auto-provisioning is disabled,
-				// we refuse login for a user that already exists in another backend
-				$message = $this->l10n->t('User conflict');
-				return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'non-soft auto provision, user conflict'], false);
+			// $softAutoProvisionAllowed = (!isset($oidcSystemConfig['soft_auto_provision']) || $oidcSystemConfig['soft_auto_provision']);
+			// if (!$softAutoProvisionAllowed && $userFromOtherBackend !== null) {
+			// if soft auto-provisioning is disabled,
+			// we refuse login for a user that already exists in another backend
+			// $message = $this->l10n->t('User conflict');
+			// return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => 'non-soft auto provision, user conflict'], false);
+			// }
+
+			// TODO: (proposal) refactor all provisioning strategies into event handlers
+			$user = null;
+
+			try {
+				$user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			} catch (ProvisioningDeniedException $denied) {
+				// TODO MagentaCLOUD should upstream the exception handling
+				$redirectUrl = $denied->getRedirectUrl();
+				if ($redirectUrl === null) {
+					$message = $this->l10n->t('Failed to provision user');
+					return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => $denied->getMessage()]);
+				} else {
+					// error response is a redirect, e.g. to a booking site
+					// so that you can immediately get the registration page
+					return new RedirectResponse($redirectUrl);
+				}
 			}
+
 			// use potential user from other backend, create it in our backend if it does not exist
-			$user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			// $user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload, $userFromOtherBackend);
+			// no default exception handling to pass on unittest assertion failures
 		} else {
 			// when auto provision is disabled, we assume the user has been created by another user backend (or manually)
 			$user = $userFromOtherBackend;
@@ -518,17 +540,6 @@ public function code(string $state = '', string $code = '', string $scope = '',
 			$this->eventDispatcher->dispatchTyped(new UserLoggedInEvent($user, $user->getUID(), null, false));
 		}
 
-		$tokenExchangeEnabled = (isset($oidcSystemConfig['token_exchange']) && $oidcSystemConfig['token_exchange'] === true);
-		if ($tokenExchangeEnabled) {
-			// store all token information for potential token exchange requests
-			$tokenData = array_merge(
-				$data,
-				['provider_id' => $providerId],
-			);
-			$this->tokenService->storeToken($tokenData);
-		}
-		$this->config->setUserValue($user->getUID(), Application::APP_ID, 'had_token_once', '1');
-
 		// Set last password confirm to the future as we don't have passwords to confirm against with SSO
 		$this->session->set('last-password-confirm', strtotime('+4 year', time()));
 
@@ -764,7 +775,7 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 	 * @return JSONResponse
 	 */
 	private function getBackchannelLogoutErrorResponse(
-		string $error, string $description, array $throttleMetadata = [],
+		string $error, string $description, array $throttleMetadata = [], ?bool $throttle = null,
 	): JSONResponse {
 		$this->logger->debug('Backchannel logout error. ' . $error . ' ; ' . $description);
 		return new JSONResponse(

lib/Db/UserMapper.php

@@ -14,21 +14,25 @@
 use OCP\Cache\CappedMemoryCache;
 use OCP\IConfig;
 use OCP\IDBConnection;
+use Psr\Log\LoggerInterface;
 
 /**
  * @extends QBMapper<User>
  */
 class UserMapper extends QBMapper {
 
 	private CappedMemoryCache $userCache;
+	private LoggerInterface $logger;
 
 	public function __construct(
 		IDBConnection $db,
+		LoggerInterface $logger,
 		private LocalIdService $idService,
 		private IConfig $config,
 	) {
 		parent::__construct($db, 'user_oidc', User::class);
 		$this->userCache = new CappedMemoryCache();
+		$this->logger = $logger;
 	}
 
 	/**

lib/Event/UserAccountChangeEvent.php

@@ -0,0 +1,87 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+use OCP\EventDispatcher\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeEvent extends Event {
+	private $uid;
+	private $displayname;
+	private $mainEmail;
+	private $quota;
+	private $claims;
+	private $result;
+
+
+	public function __construct(string $uid, ?string $displayname, ?string $mainEmail, ?string $quota, object $claims, bool $accessAllowed = false) {
+		parent::__construct();
+		$this->uid = $uid;
+		$this->displayname = $displayname;
+		$this->mainEmail = $mainEmail;
+		$this->quota = $quota;
+		$this->claims = $claims;
+		$this->result = new UserAccountChangeResult($accessAllowed, 'default');
+	}
+
+	/**
+	 * @return get event username (uid)
+	 */
+	public function getUid(): string {
+		return $this->uid;
+	}
+
+	/**
+	 * @return get event displayname
+	 */
+	public function getDisplayName(): ?string {
+		return $this->displayname;
+	}
+
+	/**
+	 * @return get event main email
+	 */
+	public function getMainEmail(): ?string {
+		return $this->mainEmail;
+	}
+
+	/**
+	 * @return get event quota
+	 */
+	public function getQuota(): ?string {
+		return $this->quota;
+	}
+
+	/**
+	 * @return array the array of claim values associated with the event
+	 */
+	public function getClaims(): object {
+		return $this->claims;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function getResult(): UserAccountChangeResult {
+		return $this->result;
+	}
+
+	public function setResult(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) : void {
+		$this->result = new UserAccountChangeResult($accessAllowed, $reason, $redirectUrl);
+	}
+}

lib/Event/UserAccountChangeResult.php

@@ -0,0 +1,74 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeResult {
+
+	/** @var bool */
+	private $accessAllowed;
+	/** @var string */
+	private $reason;
+	/** @var string */
+	private $redirectUrl;
+
+	public function __construct(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) {
+		$this->accessAllowed = $accessAllowed;
+		$this->redirectUrl = $redirectUrl;
+		$this->reason = $reason;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function isAccessAllowed(): bool {
+		return $this->accessAllowed;
+	}
+
+	public function setAccessAllowed(bool $accessAllowed): void {
+		$this->accessAllowed = $accessAllowed;
+	}
+
+	/**
+	 * @return get optional alternate redirect address
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * @return set optional alternate redirect address
+	 */
+	public function setRedirectUrl(?string $redirectUrl): void {
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * @return get decision reason
+	 */
+	public function getReason(): string {
+		return $this->reason;
+	}
+
+	/**
+	 * @return set decision reason
+	 */
+	public function setReason(string $reason): void {
+		$this->reason = $reason;
+	}
+}

lib/Service/ProvisioningDeniedException.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023, T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-Systems.com>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\UserOIDC\Service;
+
+/**
+ * Exception if the precondition of the config update method isn't met
+ * @since 1.4.0
+ */
+class ProvisioningDeniedException extends \Exception {
+	private $redirectUrl;
+
+	/**
+	 * Exception constructor including an option redirect url.
+	 *
+	 * @param string $message The error message. It will be not revealed to the
+	 *                        the user (unless the hint is empty) and thus
+	 *                        should be not translated.
+	 * @param string $hint A useful message that is presented to the end
+	 *                     user. It should be translated, but must not
+	 *                     contain sensitive data.
+	 * @param int $code Set default to 403 (Forbidden)
+	 * @param \Exception|null $previous
+	 */
+	public function __construct(string $message, ?string $redirectUrl = null, int $code = 403, ?\Exception $previous = null) {
+		parent::__construct($message, $code, $previous);
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * Read optional failure redirect if available
+	 * @return string|null
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * Include redirect in string serialisation.
+	 *
+	 * @return string
+	 */
+	public function __toString(): string {
+		$redirect = $this->redirectUrl ?? '<no redirect>';
+		return __CLASS__ . ": [{$this->code}]: {$this->message} ({$redirect})\n";
+	}
+}