simplesamlphp_auth.module

<?php

/**
 * @file
 * simpleSAMLphp authentication module for Drupal.
 *
 * This authentication module is based on the shibboleth authentication module,
 * with changes to adapt to use simpleSAMLphp.
 *
 * ISSUES and TODOs:
 *  ISSUE: User is always dropped on user page after login, instead of where
 *         they were when they clicked "Federated Log In". Because of this, deep
 *         linking to access controlled content does not work. Usability would
 *         be considerably increased if this were resolved.
 *  FYI: Drupal now requires knowledge of the local user password in order to
 *       change e-mail address, etc. This could be an issue for users of
 *       accounts that are auto-provisioned by this module, though Drupal does
 *       give users the ability to reset their password to something they know
 *       via the Request new password feature.
 *  KLUDGE: Drupal does not kill the session on logout, even with
 *          drupal_session_destroy_uid(), so I had to use session_destroy().
 * @todo Rework the default login limitation logic to use a drupal permission
 *        rather than a list of UIDs.
 * @todo When denying access because the administrator has chosen not to allow
 *        the module to register/create accounts, the user is told to contact
 *        the administrator; the message should provide the contact information.
 *  ISSUE: Until Drupal issue #754560 is resolved users will not see logout
 *         notices.
 */

/**
 * Implements hook_menu().
 */
function simplesamlphp_auth_menu() {
  $login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
  $items = array();

  $items['admin/config/people/simplesamlphp_auth'] = array(
    'title' => 'SimpleSAMLphp Auth Settings',
    'description' => 'Control the various settings of the simpleSAMLphp authentication module',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('simplesamlphp_auth_settings_basic'),
    'access arguments' => array('administer simpleSAMLphp authentication'),
    'file' => 'simplesamlphp_auth.admin.inc',
    'type' => MENU_LOCAL_TASK | MENU_NORMAL_ITEM,
  );
  $items['admin/config/people/simplesamlphp_auth/basic'] = array(
    'title' => 'Basic settings',
    'description' => 'Control the various settings of the simpleSAMLphp authentication module',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('simplesamlphp_auth_settings_basic'),
    'access arguments' => array('administer simpleSAMLphp authentication'),
    'file' => 'simplesamlphp_auth.admin.inc',
    'type' => MENU_DEFAULT_LOCAL_TASK,
  );
  $items['admin/config/people/simplesamlphp_auth/sync'] = array(
    'title' => 'User info and syncing',
    'description' => 'Control the various settings of the simpleSAMLphp authentication module',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('simplesamlphp_auth_settings_sync'),
    'access arguments' => array('administer simpleSAMLphp authentication'),
    'file' => 'simplesamlphp_auth.admin.inc',
    'type' => MENU_LOCAL_TASK,
  );
  $items['admin/config/people/simplesamlphp_auth/local'] = array(
    'title' => 'Local authentication',
    'description' => 'Configure local only authentication options',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('simplesamlphp_auth_settings_local'),
    'access arguments' => array('administer simpleSAMLphp authentication'),
    'file' => 'simplesamlphp_auth.admin.inc',
    'type' => MENU_LOCAL_TASK,
  );
  $items[$login_path] = array(
    'title' => 'Logon to the site',
    'description' => 'Provides a site login page',
    'page callback' => 'simplesamlphp_auth_loginpage',
    'access callback' => '_simplesamlphp_auth_isEnabled',
    'file' => 'simplesamlphp_auth.pages.inc',
    'type' => MENU_CALLBACK,
  );

  return $items;
}

/**
 * Implements hook_menu_site_status_alter().
 */
function simplesamlphp_auth_menu_site_status_alter(&$menu_site_status, $path) {
  // Allow access to authenticate even if site is in offline mode.
  $login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
  if ($menu_site_status == MENU_SITE_OFFLINE && user_is_anonymous() && $path == $login_path) {
    $menu_site_status = MENU_SITE_ONLINE;
  }
}

/**
 * Implements hook_help().
 */
function simplesamlphp_auth_help($path, $arg) {
  switch ($path) {
    case 'admin/config/people/simplesamlphp_auth':
      $output = '<p>' . t('This module integrates Drupal with a SimpleSAMLphp Service Point (SP), effectively federating Drupal.') . '</p>';
      return $output;
  }
}

/**
 * Implements hook_permission().
 */
function simplesamlphp_auth_permission() {
  return array(
    'administer simpleSAMLphp authentication' => array(
      'title' => t('Administer simpleSAMLphp authentication'),
      'restrict access' => TRUE,
    ),
    'change saml authentication setting' => array(
      'title' => t('Change SAML authentication setting for individual accounts'),
      'description' => t('Allow users to enable or disable SAML authentication per user on user edit forms.'),
      'restrict access' => TRUE,
    ),
  );
}

/**
 * Loads simplesamlphp class and initializes global variables.
 */
function _simplesaml_auth_autoload() {
  if (!_simplesamlphp_auth_isEnabled()) {
    return FALSE;
  }

  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;
  global $_simplesamlphp_auth_saml_config;
  global $_simplesamlphp_auth_saml_version;

  // Get the simplesamlphp session.
  if (!class_exists('SimpleSAML_Configuration')) {
    // Register SimpleSAMLphp autoloader (only if needed)
    $basedir = variable_get('simplesamlphp_auth_installdir', '/usr/share/simplesamlphp');
    if (file_exists($basedir . '/lib/_autoload.php')) {
      require_once $basedir . '/lib/_autoload.php';
    }
    else {
      return FALSE;
    }
  }

  $_simplesamlphp_auth_saml_config = SimpleSAML_Configuration::getInstance();
  $_simplesamlphp_auth_saml_version = $_simplesamlphp_auth_saml_config->getVersion();

  // Load simpleSAMLphp, configuration and metadata.
  $_simplesamlphp_auth_as = new SimpleSAML_Auth_Simple(variable_get('simplesamlphp_auth_authsource', 'default-sp'));
  $_simplesamlphp_auth_saml_attributes = $_simplesamlphp_auth_as->getAttributes();

  return TRUE;
}

/**
 * Implements hook_init().
 *
 * If the user has logged out via SAML, log out the user in Drupal as well.
 */
function simplesamlphp_auth_init() {
  if (user_is_anonymous()) {
    return FALSE;
  }

  if (!_simplesaml_auth_autoload()) {
    return FALSE;
  }

  global $user;
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;

  // Get users that are allowed default login.
  $allowed_default_login_users = variable_get('simplesamlphp_auth_allowdefaultloginusers', '');
  $allowed_uids = explode(",", $allowed_default_login_users);

  // Get roles that are allowed default login.
  $allowed_default_login_roles = variable_get('simplesamlphp_auth_allowdefaultloginroles', array());

  // Check if user is allowed default login.
  $user_allowed_default_login_roles = array_intersect_key($user->roles, $allowed_default_login_roles);
  if (variable_get('simplesamlphp_auth_allowdefaultlogin', TRUE) &&
    (in_array($user->uid, $allowed_uids) || !empty($user_allowed_default_login_roles))) {
    $user_allowed_default_login = TRUE;
  }

  // Logs out user if not SAML authenticated and not allowed default login.
  if (!$_simplesamlphp_auth_as->isAuthenticated() && !$user_allowed_default_login) {
    module_load_include('pages.inc', 'user');
    user_logout();
  }
}

/**
 * Implements hook_user_insert().
 */
function simplesamlphp_auth_user_insert(&$edit, $account, $category = NULL) {
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;

  if (!_simplesaml_auth_autoload()) {
    // Exit without initializing.
    return;
  }

  if ($category == 'account') {
    // If user registration has a valid session...
    if ($_simplesamlphp_auth_as->isAuthenticated() && _simplesamlphp_auth_get_authname() == $account->init) {
      // Get name from default attributes.
      try {
        if (variable_get('simplesamlphp_auth_debug', 0)) {
          watchdog('simplesamlphp_auth', 'Registering user [%acctname]', array('%acctname' => $account->name), WATCHDOG_DEBUG);
        }
        $account->name = _simplesamlphp_auth_get_default_name($account->uid);
      }
      catch (Exception $e) {
        drupal_set_message(t('Your user name was not provided by your identity provider (IDP).'), "error");
        watchdog('simplesamlphp_auth', $e->getMessage(), NULL, WATCHDOG_CRITICAL);
      }

      module_load_include('inc', 'simplesamlphp_auth');

      // Update username and email address.
      // @todo Make this conditional.
      _simplesaml_auth_user_update($account);

      if (module_exists('rules')) {
        rules_invoke_all('simplesamlphp_auth_rules_event_register', $account);
      }

      // Reload the user object to ensure that all properties are populated.
      $user = user_load($account->uid);
      _simplesaml_auth_user_login($user);
    }
  }
}

/**
 * Implements hook_user_logout().
 */
function simplesamlphp_auth_user_logout($account) {
  global $user;
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;
  global $base_url;

  _simplesaml_auth_autoload();

  if (!empty($_simplesamlphp_auth_saml_attributes)) {

    $config = SimpleSAML_Configuration::getInstance();

    // KLUDGE: for some reason Drupal is not killing the session, even if I
    // were to call drupal_session_destroy_uid() here.
    session_destroy();

    $gotourl = base_path();
    if (variable_get('simplesamlphp_auth_logoutgotourl', '')) {
      $gotourl = variable_get('simplesamlphp_auth_logoutgotourl', '');
    }

  // Allow modules to alter $gotourl.
  drupal_alter('simplesamlphp_auth_logout_gotourl', $gotourl, $account);

    $_simplesamlphp_auth_as->logout($gotourl);

  }
}

/**
 * Implements hook_user_delete().
 */
function simplesamlphp_auth_user_delete($account) {
  db_delete('authmap')
    ->condition('uid', $account->uid)
    ->condition('authname', $account->name)
    ->execute();
}

/**
 * Implements hook_form_alter().
 */
function simplesamlphp_auth_form_alter(&$form, $form_state, $form_id) {
  if (!_simplesamlphp_auth_isEnabled()) {
    // Exit without executing.
    return;
  }

  $is_user_profile_account_form = (($form_id == 'user_profile_form') && ($form['#user_category'] == 'account'));

  $login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
  $login_name = variable_get('simplesamlphp_auth_login_link_display_name', t('Federated Log In'));
  $destination = drupal_get_destination();
  $link = l($login_name, $login_path, array('query' => $destination));

  // Add SAML login link to user login form.
  if ($form_id == 'user_login_block' || $form_id == 'user_account_form') {
    $links = $form['links']['#markup'];
    $links = str_replace('</ul>', '<li class="saml">' . $link . '</li></ul>', $links);
    $form['links']['#markup'] = $links;
  }

  if ($form_id == 'user_login') {
    $form['links']['#markup'] = $link;
  }

  if (($form_id == 'user_register_form' || $is_user_profile_account_form) && user_access('change saml authentication setting')) {
    $form['saml'] = array(
      '#type' => 'checkbox',
      '#title' => t('Enable this user to leverage SAML authentication'),
      '#default_value' => $form_id == 'user_register_form' ? TRUE : (bool) user_get_authmaps($form['#user']->name),
    );
    $form['#submit'][] = 'simplesaml_auth_user_profile_form_submit';
  }

  // If the user has a simplesamlphp_auth authmap record, then don't require
  // them to know their Drupal password. This will allow them to change their
  // e-mail address, and set a Drupal password if they want to (and are
  // allowed).
  if ($is_user_profile_account_form && (isset($form['#user']->init) && $form['#user']->init) && _simplesaml_auth_user_has_authmap($form['#user']->name)) {

    unset($form['account']['current_pass']);
    unset($form['account']['current_pass_required_values']);
    $form['#validate'] = array_diff($form['#validate'], array('user_validate_current_pass'));

    // If the user is a simplesamlphp_auth user and is NOT allowed to set their
    // Drupal password, remove the fields from the form.
    if (!variable_get('simplesamlphp_auth_allowsetdrupalpwd')) {
      unset($form['account']['pass']);
    }
  }
}

/**
 * Submit callback to enable SAML authentication for a given user.
 */
function simplesaml_auth_user_profile_form_submit(&$form, $form_state) {
  $values = $form_state['values'];

  if (isset($values['saml'])) {
    // Enter this username into the authmap table.
    if ($values['saml']) {
      db_merge('authmap')
        ->key(array(
          'uid' => $values['uid'],
          'module' => 'simplesamlphp_auth',
        ))
        ->fields(array(
          'authname' => $values['name'],
        ))
        ->execute();
    }
    // Remove this username from the authmap table.
    else {
      db_delete('authmap')
        ->condition('uid', $values['uid'])
        ->execute();
    }
  }
}

/**
 * Implements hook_block_view().
 */
function simplesamlphp_auth_block_view($delta = '') {
  if (!_simplesaml_auth_autoload()) {
    // Exit without executing.
    return;
  }

  $block = array();
  switch ($delta) {
    case 0:
      $block = array(
        'subject' => t('simpleSAMLphp login'),
        'content' => _simplesamlphp_auth_generate_block_text(),
      );
      break;
  }
  return $block;
}

/**
 * Implements hook_block_info().
 */
function simplesamlphp_auth_block_info() {
  $block = array(
    array(
      'info' => t('simpleSAMLphp authentication'),
      'cache' => DRUPAL_NO_CACHE,
    ),
  );
  return $block;
}

/****************************************************************************
 * Private functions ********************************************************
 ****************************************************************************/

/**
 * Checks if authentication via SimpleSAMLphp should be activated.
 *
 * @param bool $show_inactive_msg
 *   Whether to display the "module not activated" message
 *
 * @return bool
 *   TRUE if simplesamlphp_auth is enabled.
 */
function _simplesamlphp_auth_isEnabled($show_inactive_msg = FALSE) {
  global $user;

  $failure = NULL;
  $is_activated = variable_get('simplesamlphp_auth_activate');
  $basedir = variable_get('simplesamlphp_auth_installdir', '/usr/share/simplesamlphp');

  if ($is_activated) {
    // Make sure we know where SimpleSAMLphp is.
    if (!file_exists($basedir)) {
      $failure = t('SimpleSAMLphp could not be found at %basedir . The simplesamlphp_auth module cannot function until the path to the local SimpleSAMLphp instance is configured.', array('%basedir' => $basedir));
      watchdog('simplesamlphp_auth', $failure, NULL, WATCHDOG_WARNING);
    }

  }
  else {
    $failure = t('SimpleSAMLphp auth is not yet activated.');
  }

  // If there were no failures, then it should be activated.
  if (!$failure) {
    return TRUE;
  }
  else {

    // Communicate but don't be too annoying.
    if ($show_inactive_msg && (1 == $user->uid || user_access('access administration pages')) && (preg_match('/admin\/people/', request_uri()) || preg_match('/admin\/modules/', request_uri()) || preg_match('/admin\/config/', request_uri()))) {
      drupal_set_message($failure);
    }
  }
  return FALSE;
}

/**
 * Gets the authname attribute from the SAML assertion.
 *
 * @return string
 *   The authname attribute.
 *
 * @throws Exception
 *   Throws an exception if no valid unique id attribute is set in SAML session.
 */
function _simplesamlphp_auth_get_authname() {
  global $_simplesamlphp_auth_saml_attributes;

  $authname = '';

  // Check if valid local session exists.
  if (isset($_simplesamlphp_auth_saml_attributes)) {
    if (variable_get('simplesamlphp_auth_debug', 0)) {
      watchdog('simplesamlphp_auth', '_simplesamlphp_auth_get_authname: Valid local SAML session exists', NULL, WATCHDOG_DEBUG);
    }
    if (isset($_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_unique_id', 'eduPersonPrincipalName')])) {
      $authname = $_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_unique_id', 'eduPersonPrincipalName')][0];
    }
    else {
      throw new Exception(t('Error in simplesamlphp_auth.module: no valid unique id attribute set.'));
    }
  }

  return $authname;
}

/**
 * Gets the default name attribute from the SAML assertion.
 *
 * @return string
 *   The name attribute.
 */
function _simplesamlphp_auth_get_default_name($account) {
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;

  $default_name = '';

  // Check if valid local session exists..
  if ($_simplesamlphp_auth_as->isAuthenticated()) {
    $auth_user_name_attr = variable_get('simplesamlphp_auth_user_name', 'eduPersonPrincipalName');
    if ((!isset($_simplesamlphp_auth_saml_attributes[$auth_user_name_attr])) ||
      (!isset($_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0])) ||
      ($_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0] == '')
    ) {
      throw new Exception(t('There was no set attribute named "%auth_user_name_attr" returned for user %uid.',
        array(
          '%auth_user_name_attr' => $auth_user_name_attr,
          '%uid' => $account,
        )));
    }
    $default_name = $_simplesamlphp_auth_saml_attributes[$auth_user_name_attr][0];
  }

  return $default_name;
}

/**
 * Gets the mail attribute.
 *
 * @return string
 *   The mail attribute.
 */
function _simplesamlphp_auth_get_mail() {
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;
  $mail_address = '';
  // Check if valid local session exists..
  if ($_simplesamlphp_auth_as->isAuthenticated()) {
    if (isset($_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_mailattr', 'mail')])) {
      $mail_address = $_simplesamlphp_auth_saml_attributes[variable_get('simplesamlphp_auth_mailattr', 'mail')][0];
    }
    else {
      throw new Exception(t('Error in simplesamlphp_auth.module: No valid mail attribute set.'));
    }
  }

  return $mail_address;
}

/**
 * Generates the text for the log in block.
 */
function _simplesamlphp_auth_generate_block_text() {
  global $_simplesamlphp_auth_as;
  $block_content = '';
  global $user;

  if (!_simplesamlphp_auth_isEnabled()) {
    // Exit without executing.
    return;
  }

  // Check if valid local session exists..
  if ($_simplesamlphp_auth_as->isAuthenticated()) {
    $block_content .= '<p>' . t('Logged in as: @username', array('@username' => $user->name))
    . '<br />' . l(t('Log Out'), 'user/logout') . '</p>';
  }
  else {
    $login_path = variable_get('simplesamlphp_auth_login_path', 'saml_login');
    $login_name = variable_get('simplesamlphp_auth_login_link_display_name', t('Federated Log In'));
    $block_content .= '<p>' . l($login_name, $login_path) . '</p>';
  }

  return $block_content;
}

/**
 * Evaluates a role rule.
 *
 * The rules work as follows:
 * = does an exact match on an attribute and will iterate over array values if
 * the array is multivalued.
 * @= matches the domain portion of an email address. It assumes the attribute
 * is a string, and will not iterate over an array (but take the first value).
 * ~= does a partial string match on the attribute, and does iterate over
 * multiple values, returning true if any of the values match.
 *
 * @param array $roleruleevaluation
 *   An array containing the role rule to evaluate.
 * @param array $attributes
 *   An array containing the identity attributes.
 *
 * @return array
 *   An array containing role value and the attribute, or FALSE.
 */
function _simplesamlphp_auth_evaulaterolerule($roleruleevaluation, $attributes) {
  if (variable_get('simplesamlphp_auth_debug', 0)) {
    watchdog('simplesamlphp_auth', 'Evaluate rule (key=%key,operator=%op,value=%val)', array(
      '%key' => $roleruleevaluation[0],
      '%op' => $roleruleevaluation[1],
      '%val' => $roleruleevaluation[2],
    ), WATCHDOG_DEBUG);
  }

  if (!array_key_exists($roleruleevaluation[0], $attributes)) {
    return FALSE;
  }
  $attribute = $attributes[$roleruleevaluation[0]];

  switch ($roleruleevaluation[1]) {
    case '=':
      return in_array($roleruleevaluation[2], $attribute);

    case '@=':
      $dc = explode('@', $attribute[0]);
      if (count($dc) != 2) {
        return FALSE;
      }

      return $dc[1] == $roleruleevaluation[2];

    case '~=':
      foreach ($attribute as $subattr) {
        $pos = strpos($subattr, $roleruleevaluation[2]);
        if ($pos !== FALSE) {
          return TRUE;
        }
      }
      return FALSE;
  }

  return FALSE;
}

/**
 * Performs role population.
 *
 * @param array $rolemap
 *   A string containing the role map.
 *
 * @return array
 *   An array containing user's roles.
 */
function _simplesamlphp_auth_rolepopulation($rolemap) {
  global $_simplesamlphp_auth_as;
  global $_simplesamlphp_auth_saml_attributes;
  $roles = array();

  if (variable_get('simplesamlphp_auth_debug', 0)) {
    watchdog('simplesamlphp_auth', 'Rolemap: %rolemap', array('%rolemap' => $rolemap), WATCHDOG_DEBUG);
  }

  // Check if valid local session exists..
  if (!empty($rolemap) && $_simplesamlphp_auth_as->isAuthenticated()) {
    $attributes = $_simplesamlphp_auth_saml_attributes;

    if (variable_get('simplesamlphp_auth_debug', 0)) {
      watchdog('simplesamlphp_auth', 'Evaluate rolemap: %rolemap', array('%rolemap' => $rolemap), WATCHDOG_DEBUG);
    }

    $rolerules = explode('|', $rolemap);

    foreach ($rolerules as $rolerule) {
      if (variable_get('simplesamlphp_auth_debug', 0)) {
        watchdog('simplesamlphp_auth', 'Evaluate role rule: %rolerule', array('%rolerule' => $rolerule), WATCHDOG_DEBUG);
      }
      $roleruledecompose = explode(':', $rolerule, 2);

      $roleid = $roleruledecompose[0];
      $roleruleevaluations = explode(';', $roleruledecompose[1]);

      $addnew = TRUE;
      foreach ($roleruleevaluations as $roleruleevaluation) {

        if (variable_get('simplesamlphp_auth_debug', 0)) {
          watchdog('simplesamlphp_auth', 'Evaluate role evaulation: %roleruleeval', array('%roleruleeval' => $roleruleevaluation), WATCHDOG_DEBUG);
        }

        $roleruleevaluationdc = str_getcsv($roleruleevaluation);
        if (!_simplesamlphp_auth_evaulaterolerule($roleruleevaluationdc, $attributes)) {
          $addnew = FALSE;
        }
      }
      if ($addnew) {
        $roles[$roleid] = $roleid;
        if (variable_get('simplesamlphp_auth_debug', 0)) {
          watchdog('simplesamlphp_auth', 'Add new role: %roleid', array('%roleid' => $roleid), WATCHDOG_DEBUG);
        }
      }

    }
  }

  drupal_alter('simplesamlphp_auth_user_roles', $roles);

  return $roles;
}

/**
 * See if the user has an authmap record for simplesamlphp_auth.
 */
function _simplesaml_auth_user_has_authmap($authname) {
  $authmaps = user_get_authmaps($authname);

  $return = 0;

  if (is_array($authmaps)) {
    $return = in_array('simplesamlphp_auth', array_keys($authmaps));
  }

  return $return;

}

/**
 * Logs out a user who has an active Drupal session but not with simpleSAML.
 */
function _simplesamlphp_auth_destroy_drupal_session() {
  module_load_include('pages.inc', 'user');
  user_logout();
}