mirror_php/moodle
1
0
Fork 0
mirror of https://github.com/moodle/moodle.git synced 2025-01-19 06:18:28 +01:00
Code Issues Projects Releases Wiki Activity

MDL-58090 oauth2: Get rid of behaviour field

Browse Source 
OAuth services working fully from config - no more subclasses for each OAuth issuer.

Part of MDL-58220
This commit is contained in:
Damyon Wiese 2017-02-27 10:48:44 +08:00
parent 8445556b4c
commit 485a22fc98
10 changed files with 106 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
admin/tool/oauth2/classes/form/issuer.php
View File

@ -76,11 +76,33 @@ class issuer extends persistent {
$mform->addRule('baseurl', get_string('maximumchars', '', 1024), 'maxlength', 1024, 'client');
$mform->addHelpButton('baseurl', 'issuerbaseurl', 'tool_oauth2');
// Offline access type
// Offline access type.
$options = $endpoint->get_behaviour_list();
$mform->addElement('select', 'behaviour', get_string('issuerbehaviour', 'tool_oauth2'), $options);
$mform->addHelpButton('behaviour', 'issuerbehaviour', 'tool_oauth2');
// Login scopes.
$mform->addElement('text', 'loginscopes', get_string('issuerloginscopes', 'tool_oauth2'), 'maxlength="255"');
$mform->addRule('loginscopes', null, 'required', null, 'client');
$mform->addRule('loginscopes', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
$mform->addHelpButton('loginscopes', 'issuerloginscopes', 'tool_oauth2');
// Login scopes offline.
$mform->addElement('text', 'loginscopesoffline', get_string('issuerloginscopesoffline', 'tool_oauth2'), 'maxlength="255"');
$mform->addRule('loginscopesoffline', null, 'required', null, 'client');
$mform->addRule('loginscopesoffline', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
$mform->addHelpButton('loginscopesoffline', 'issuerloginscopesoffline', 'tool_oauth2');
// Login params.
$mform->addElement('text', 'loginparams', get_string('issuerloginparams', 'tool_oauth2'), 'maxlength="255"');
$mform->addRule('loginparams', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
$mform->addHelpButton('loginparams', 'issuerloginparams', 'tool_oauth2');
// Login params offline.
$mform->addElement('text', 'loginparamsoffline', get_string('issuerloginparamsoffline', 'tool_oauth2'), 'maxlength="255"');
$mform->addRule('loginparamsoffline', get_string('maximumchars', '', 255), 'maxlength', 255, 'client');
$mform->addHelpButton('loginparamsoffline', 'issuerloginparamsoffline', 'tool_oauth2');
// Image.
$mform->addElement('text', 'image', get_string('issuerimage', 'tool_oauth2'), 'maxlength="1024"');
$mform->addRule('image', get_string('maximumchars', '', 1024), 'maxlength', 1024, 'client');
@ -89,7 +111,6 @@ class issuer extends persistent {
// Show on login page.
$mform->addElement('checkbox', 'showonloginpage', get_string('issuershowonloginpage', 'tool_oauth2'));
$mform->addHelpButton('showonloginpage', 'issuershowonloginpage', 'tool_oauth2');
$mform->addElement('hidden', 'sortorder');
$mform->setType('sortorder', PARAM_INT);

8
admin/tool/oauth2/lang/en/tool_oauth2.php
View File

@ -43,6 +43,14 @@ $string['issuerclientsecret'] = 'Client Secret';
$string['issuerclientsecret_help'] = 'The OAuth client secret for this issuer.';
$string['issuerbaseurl'] = 'Service base url';
$string['issuerbaseurl_help'] = 'Base url used to access the service.';
$string['issuerloginscopes'] = 'Scopes included in a login request.';
$string['issuerloginscopes_help'] = 'Some systems require additional scopes for a login request in order to read the users basic profile. The standard scopes for an OpenID Connect compliant system are "openid profile email".';
$string['issuerloginscopesoffline'] = 'Scopes included in a login request for offline access.';
$string['issuerloginscopesoffline_help'] = 'Each OAuth system defines a different way to request offline access. E.g. Microsoft requires an additional scope "offline_access"';
$string['issuerloginparams'] = 'Additional parameters included in a login request.';
$string['issuerloginparams_help'] = 'Some systems require additional parameters for a login request in order to read the users basic profile.';
$string['issuerloginparamsoffline'] = 'Additional parameters included in a login request for offline access.';
$string['issuerloginparamsoffline_help'] = 'Each OAuth system defines a different way to request offline access. E.g. Google requires the additional params: "access_type=offline&prompt=consent" these parameters should be in url query parameter format.';
$string['issuershowonloginpage'] = 'Show on login page.';
$string['issuershowonloginpage_help'] = 'If the OpenID Connect Authentication plugin is enabled, this login issuer will be listed on the login page to allow users to login with accounts from this issuer.';
$string['issuerbehaviour'] = 'Behaviour';

9
lib/classes/oauth2/api.php
View File

@ -54,6 +54,7 @@ class api {
'baseurl' => 'http://accounts.google.com/',
'clientid' => '',
'clientsecret' => '',
'loginparamsoffline' => 'access_type=offline&prompt=consent',
'showonloginpage' => true
];
@ -75,6 +76,8 @@ class api {
'behaviour' => issuer::BEHAVIOUR_MICROSOFT,
'baseurl' => 'http://login.microsoftonline.com/common/oauth2/v2.0/',
'clientid' => '',
'loginscopes' => 'openid profile email user.read',
'loginscopesoffline' => 'openid profile email user.read offline_access',
'clientsecret' => '',
'showonloginpage' => true
];
@ -146,7 +149,7 @@ class api {
}
public static function get_user_oauth_client(issuer $issuer, moodle_url $currenturl, $additionalscopes = '') {
$client = \core\oauth2\client::create($issuer, $currenturl, $additionalscopes);
$client = new \core\oauth2\client($issuer, $currenturl, $additionalscopes);
if (!$client->is_logged_in()) {
redirect($client->get_login_url());
@ -186,7 +189,7 @@ class api {
$url = $issuer->get_endpoint_url('discovery');
if (!$url) {
$url = $issuer->get('url') . '/.well-known/openid-configuration';
$url = $issuer->get('baseurl') . '/.well-known/openid-configuration';
}
if (!$json = $curl->get($issuer->get_endpoint_url('discovery'))) {
@ -425,7 +428,7 @@ class api {
// Allow callbacks to inject non-standard scopes to the auth request.
$client = client::create($issuer, $returnurl, $scopesrequired, true);
$client = new client($issuer, $returnurl, $scopesrequired, true);
if (!optional_param('response', false, PARAM_BOOL)) {
$client->log_out();

62
lib/classes/oauth2/client.php
View File

@ -38,7 +38,7 @@ use stdClass;
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
abstract class client extends \oauth2_client {
class client extends \oauth2_client {
/** @var \core\oauth2\issuer $issuer */
private $issuer;
@ -52,30 +52,22 @@ abstract class client extends \oauth2_client {
* @param issuer $issuer
* @param moodle_url $returnurl
*/
public function __construct(issuer $issuer, moodle_url $returnurl, $scopesrequired, $system) {
public function __construct(issuer $issuer, moodle_url $returnurl, $scopesrequired, $system = false) {
$this->issuer = $issuer;
$this->system = $system;
$scopes = $this->get_login_scopes();
$additionalscopes = explode(' ', $scopesrequired);
foreach ($additionalscopes as $scope) {
if (strpos(' ' . $scopes . ' ', ' ' . $scope . ' ') === false) {
$scopes .= ' ' . $scope;
if (!empty($scope)) {
if (strpos(' ' . $scopes . ' ', ' ' . $scope . ' ') === false) {
$scopes .= ' ' . $scope;
}
}
}
parent::__construct($issuer->get('clientid'), $issuer->get('clientsecret'), $returnurl, $scopes);
}
public static function create(issuer $issuer, moodle_url $returnurl, $scopesrequired, $system = false) {
if ($issuer->get('behaviour') == issuer::BEHAVIOUR_OPENID_CONNECT) {
return new client_openid_connect($issuer, $returnurl, $scopesrequired, $system);
} else if ($issuer->get('behaviour') == issuer::BEHAVIOUR_OAUTH2) {
return new client_oauth2($issuer, $returnurl, $scopesrequired, $system);
} else if ($issuer->get('behaviour') == issuer::BEHAVIOUR_MICROSOFT) {
return new client_microsoft($issuer, $returnurl, $scopesrequired, $system);
}
}
/**
* Returns the auth url for OAuth 2.0 request
* @return string the auth url
@ -99,7 +91,22 @@ abstract class client extends \oauth2_client {
* @return array (name value pairs).
*/
public function get_additional_login_parameters() {
return [];
$params = '';
if ($this->system) {
if (!empty($this->issuer->get('loginparamsoffline'))) {
$params = $this->issuer->get('loginparamsoffline');
}
} else {
if (!empty($this->issuer->get('loginparams'))) {
$params = $this->issuer->get('loginparams');
}
}
if (empty($params)) {
return [];
}
$result = [];
parse_str($params, $result);
return $result;
}
/**
@ -108,7 +115,11 @@ abstract class client extends \oauth2_client {
* @return string
*/
protected function get_login_scopes() {
return 'openid profile email';
if ($this->system) {
return $this->issuer->get('loginscopesoffline');
} else {
return $this->issuer->get('loginscopes');
}
}
/**
@ -162,8 +173,23 @@ abstract class client extends \oauth2_client {
$user = new stdClass();
foreach ($map as $openidproperty => $moodleproperty) {
if (!empty($userinfo->$openidproperty)) {
$user->$moodleproperty = $userinfo->$openidproperty;
// We support nested objects via a-b-c syntax.
$getfunc = function($obj, $prop) use (&$getfunc) {
$proplist = explode('-', $prop, 2);
if (empty($proplist[0]) || empty($obj->{$proplist[0]})) {
return false;
}
$obj = $obj->{$proplist[0]};
if (count($proplist) > 1) {
return $getfunc($obj, $proplist[1]);
}
return $obj;
};
$resolved = $getfunc($userinfo, $openidproperty);
if (!empty($resolved)) {
$user->$moodleproperty = $resolved;
}
}

49
lib/classes/oauth2/client_microsoft.php
View File

@ -1,49 +0,0 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Configurable oauth2 client class.
*
* @package core\oauth2
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\oauth2;
defined('MOODLE_INTERNAL') || die();
use moodle_url;
use stdClass;
/**
* We have to call directly to the graph APIs because the Microsoft Open ID Connect API is
* lame.
*
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class client_microsoft extends client {
public function get_login_scopes() {
if ($this->system) {
return 'openid profile email user.read offline_access';
} else {
return 'openid profile email user.read';
}
}
}

43
lib/classes/oauth2/client_oauth2.php
View File

@ -1,43 +0,0 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Configurable oauth2 client class.
*
* @package core\oauth2
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\oauth2;
defined('MOODLE_INTERNAL') || die();
use moodle_url;
/**
* Configurable oauth2 client class where the urls come from DB.
*
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class client_oauth2 extends client {
public function get_additional_login_parameters() {
return ['access_type' => 'offline', 'prompt' => 'consent'];
}
}

46
lib/classes/oauth2/client_openid_connect.php
View File

@ -1,46 +0,0 @@
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Configurable oauth2 client class.
*
* @package core\oauth2
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\oauth2;
defined('MOODLE_INTERNAL') || die();
use moodle_url;
use stdClass;
use Exception;
/**
* Configurable oauth2 client class where the urls come from DB.
*
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class client_openid_connect extends client {
public function get_additional_login_parameters() {
if ($this->system) {
return ['access_type' => 'offline', 'prompt' => 'consent'];
}
return [];
}
}

17
lib/classes/oauth2/issuer.php
View File

@ -79,6 +79,22 @@ class issuer extends persistent {
'null' => NULL_ALLOWED,
'default' => null
),
'loginscopes' => array(
'type' => PARAM_RAW,
'default' => 'openid profile email'
),
'loginscopesoffline' => array(
'type' => PARAM_RAW,
'default' => 'openid profile email'
),
'loginparams' => array(
'type' => PARAM_RAW,
'default' => ''
),
'loginparamsoffline' => array(
'type' => PARAM_RAW,
'default' => ''
),
'sortorder' => array(
'type' => PARAM_INT,
'default' => 0,
@ -97,6 +113,7 @@ class issuer extends persistent {
}
return false;
}
public function is_authentication_supported() {
$supportedloginbehaviours = [
self::BEHAVIOUR_OPENID_CONNECT,

4
lib/db/install.xml
View File

@ -3489,6 +3489,10 @@
<FIELD NAME="baseurl" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The base url to the issuer"/>
<FIELD NAME="clientid" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The client id used to connect to this oauth2 service."/>
<FIELD NAME="clientsecret" TYPE="text" NOTNULL="true" SEQUENCE="false" COMMENT="The secret used to connect to this oauth2 service."/>
<FIELD NAME="loginscopes" TYPE="text" NOTNULL="true" DEFAULT="openid profile email" SEQUENCE="false" COMMENT="The scopes requested for a normal login attempt."/>
<FIELD NAME="loginscopesoffline" TYPE="text" NOTNULL="true" DEFAULT="openid profile email" SEQUENCE="false" COMMENT="The scopes requested for a login attempt to generate a refresh token."/>
<FIELD NAME="loginparams" TYPE="text" NOTNULL="true" DEFAULT="" SEQUENCE="false" COMMENT="Additional parameters sent for a login attempt."/>
<FIELD NAME="loginparamsoffline" TYPE="text" NOTNULL="true" DEFAULT="openid profile email" SEQUENCE="false" COMMENT="Additional parameters sent for a login attempt to generate a refresh token."/>
<FIELD NAME="behaviour" TYPE="char" LENGTH="32" NOTNULL="true" DEFAULT="none" SEQUENCE="false" COMMENT="The type of behaviour for this oauth client."/>
<FIELD NAME="scopessupported" TYPE="text" NOTNULL="false" SEQUENCE="false" COMMENT="The list of scopes this service supports."/>
<FIELD NAME="showonloginpage" TYPE="int" LENGTH="2" NOTNULL="true" DEFAULT="1" SEQUENCE="false"/>

4
lib/db/upgrade.php
View File

@ -2626,6 +2626,10 @@ function xmldb_main_upgrade($oldversion) {
$table->add_field('baseurl', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('clientid', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('clientsecret', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('loginscopes', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('loginscopesoffline', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('loginparams', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('loginparamsoffline', XMLDB_TYPE_TEXT, null, null, XMLDB_NOTNULL, null, null);
$table->add_field('behaviour', XMLDB_TYPE_CHAR, '32', null, XMLDB_NOTNULL, null, 'none');
$table->add_field('scopessupported', XMLDB_TYPE_TEXT, null, null, null, null, null);
$table->add_field('showonloginpage', XMLDB_TYPE_INTEGER, '2', null, XMLDB_NOTNULL, null, '1');