mirror of
https://github.com/moodle/moodle.git
synced 2025-05-04 15:27:34 +02:00
485a22fc98
OAuth services working fully from config - no more subclasses for each OAuth issuer. Part of MDL-58220
208 lines
6.1 KiB
PHP
208 lines
6.1 KiB
PHP
<?php
|
|
// This file is part of Moodle - http://moodle.org/
|
|
//
|
|
// Moodle is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// Moodle is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU General Public License
|
|
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
/**
|
|
* Configurable oauth2 client class.
|
|
*
|
|
* @package core\oauth2
|
|
* @copyright 2017 Damyon Wiese
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
namespace core\oauth2;
|
|
|
|
defined('MOODLE_INTERNAL') || die();
|
|
|
|
require_once($CFG->libdir . '/oauthlib.php');
|
|
require_once($CFG->libdir . '/filelib.php');
|
|
|
|
use moodle_url;
|
|
use curl;
|
|
use stdClass;
|
|
|
|
/**
|
|
* Configurable oauth2 client class where the urls come from DB.
|
|
*
|
|
* @copyright 2017 Damyon Wiese
|
|
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
|
|
*/
|
|
class client extends \oauth2_client {
|
|
|
|
/** @var \core\oauth2\issuer $issuer */
|
|
private $issuer;
|
|
|
|
/** @var bool $system */
|
|
protected $system = false;
|
|
|
|
/**
|
|
* Constructor.
|
|
*
|
|
* @param issuer $issuer
|
|
* @param moodle_url $returnurl
|
|
*/
|
|
public function __construct(issuer $issuer, moodle_url $returnurl, $scopesrequired, $system = false) {
|
|
$this->issuer = $issuer;
|
|
$this->system = $system;
|
|
$scopes = $this->get_login_scopes();
|
|
$additionalscopes = explode(' ', $scopesrequired);
|
|
|
|
foreach ($additionalscopes as $scope) {
|
|
if (!empty($scope)) {
|
|
if (strpos(' ' . $scopes . ' ', ' ' . $scope . ' ') === false) {
|
|
$scopes .= ' ' . $scope;
|
|
}
|
|
}
|
|
}
|
|
parent::__construct($issuer->get('clientid'), $issuer->get('clientsecret'), $returnurl, $scopes);
|
|
}
|
|
|
|
/**
|
|
* Returns the auth url for OAuth 2.0 request
|
|
* @return string the auth url
|
|
*/
|
|
protected function auth_url() {
|
|
return $this->issuer->get_endpoint_url('authorization');
|
|
}
|
|
|
|
/**
|
|
* Get the oauth2 issuer for this client.
|
|
*
|
|
* @return \core\oauth2\issuer Issuer
|
|
*/
|
|
public function get_issuer() {
|
|
return $this->issuer;
|
|
}
|
|
|
|
/**
|
|
* Override to append additional params to a authentication request.
|
|
*
|
|
* @return array (name value pairs).
|
|
*/
|
|
public function get_additional_login_parameters() {
|
|
$params = '';
|
|
if ($this->system) {
|
|
if (!empty($this->issuer->get('loginparamsoffline'))) {
|
|
$params = $this->issuer->get('loginparamsoffline');
|
|
}
|
|
} else {
|
|
if (!empty($this->issuer->get('loginparams'))) {
|
|
$params = $this->issuer->get('loginparams');
|
|
}
|
|
}
|
|
if (empty($params)) {
|
|
return [];
|
|
}
|
|
$result = [];
|
|
parse_str($params, $result);
|
|
return $result;
|
|
}
|
|
|
|
/**
|
|
* Override to change the scopes requested with an authentiction request.
|
|
*
|
|
* @return string
|
|
*/
|
|
protected function get_login_scopes() {
|
|
if ($this->system) {
|
|
return $this->issuer->get('loginscopesoffline');
|
|
} else {
|
|
return $this->issuer->get('loginscopes');
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns the token url for OAuth 2.0 request
|
|
*
|
|
* We are overriding the parent function so we get this from the configured endpoint.
|
|
*
|
|
* @return string the auth url
|
|
*/
|
|
protected function token_url() {
|
|
return $this->issuer->get_endpoint_url('token');
|
|
}
|
|
|
|
/**
|
|
* We want a unique key for each issuer / and a different key for system vs user oauth.
|
|
*
|
|
* @return string The unique key for the session value.
|
|
*/
|
|
protected function get_tokenname() {
|
|
$name = 'oauth2-state-' . $this->issuer->get('id');
|
|
if ($this->system) {
|
|
$name .= '-system';
|
|
}
|
|
return $name;
|
|
}
|
|
|
|
protected function get_userinfo_mapping() {
|
|
$fields = user_field_mapping::get_records(['issuerid' => $this->issuer->get('id')]);
|
|
|
|
$map = [];
|
|
foreach ($fields as $field) {
|
|
$map[$field->get('externalfield')] = $field->get('internalfield');
|
|
}
|
|
return $map;
|
|
}
|
|
|
|
public function get_userinfo() {
|
|
$url = $this->get_issuer()->get_endpoint_url('userinfo');
|
|
$response = $this->get($url);
|
|
if (!$response) {
|
|
return false;
|
|
}
|
|
$userinfo = new stdClass();
|
|
try {
|
|
$userinfo = json_decode($response);
|
|
} catch (Exception $e) {
|
|
return false;
|
|
}
|
|
|
|
$map = $this->get_userinfo_mapping();
|
|
|
|
$user = new stdClass();
|
|
foreach ($map as $openidproperty => $moodleproperty) {
|
|
// We support nested objects via a-b-c syntax.
|
|
$getfunc = function($obj, $prop) use (&$getfunc) {
|
|
$proplist = explode('-', $prop, 2);
|
|
if (empty($proplist[0]) || empty($obj->{$proplist[0]})) {
|
|
return false;
|
|
}
|
|
$obj = $obj->{$proplist[0]};
|
|
|
|
if (count($proplist) > 1) {
|
|
return $getfunc($obj, $proplist[1]);
|
|
}
|
|
return $obj;
|
|
};
|
|
|
|
$resolved = $getfunc($userinfo, $openidproperty);
|
|
if (!empty($resolved)) {
|
|
$user->$moodleproperty = $resolved;
|
|
}
|
|
}
|
|
|
|
if (!empty($user->picture)) {
|
|
$user->picture = download_file_content($user->picture, null, null, false, 10, 10, true, null, false);
|
|
} else {
|
|
$pictureurl = $this->issuer->get_endpoint_url('userpicture');
|
|
if (!empty($pictureurl)) {
|
|
$user->picture = $this->get($pictureurl);
|
|
}
|
|
}
|
|
|
|
return (array)$user;
|
|
}
|
|
}
|