Merge #4 Add event based provisioning

Author: tsdicloud

lib/Controller/LoginController.php

@@ -36,6 +36,8 @@
 use OCA\UserOIDC\Service\DiscoveryService;
 use OCA\UserOIDC\Service\LdapService;
 use OCA\UserOIDC\Service\ProviderService;
+use OCA\UserOIDC\Service\EventProvisioningService;
+use OCA\UserOIDC\Service\ProvisioningDeniedException;
 use OCA\UserOIDC\Service\ProvisioningService;
 use OCA\UserOIDC\Vendor\Firebase\JWT\JWT;
 use OCA\UserOIDC\AppInfo\Application;
@@ -118,6 +120,9 @@ class LoginController extends BaseOidcController {
 	/** @var SessionMapper */
 	private $sessionMapper;
 
+	/** @var EventProvisioningService */
+	private $eventProvisioningService;
+
 	/** @var ProvisioningService */
 	private $provisioningService;
 
@@ -145,6 +150,7 @@ public function __construct(
 		IConfig $config,
 		IProvider $authTokenProvider,
 		SessionMapper $sessionMapper,
+		EventProvisioningService $eventProvisioningService,
 		ProvisioningService $provisioningService,
 		IL10N $l10n,
 		ILogger $logger,
@@ -168,6 +174,7 @@ public function __construct(
 		$this->ldapService = $ldapService;
 		$this->authTokenProvider = $authTokenProvider;
 		$this->sessionMapper = $sessionMapper;
+		$this->eventProvisioningService = $eventProvisioningService;
 		$this->provisioningService = $provisioningService;
 		$this->request = $request;
 		$this->l10n = $l10n;
@@ -471,10 +478,29 @@ public function code(string $state = '', string $code = '', string $scope = '',
 		}
 
 		$oidcSystemConfig = $this->config->getSystemValue('user_oidc', []);
+		$eventProvisionAllowed = (!isset($oidcSystemConfig['event_provision']) || $oidcSystemConfig['event_provision']);
 		$autoProvisionAllowed = (!isset($oidcSystemConfig['auto_provision']) || $oidcSystemConfig['auto_provision']);
 
 		// Provisioning
-		if ($autoProvisionAllowed) {
+		if ($eventProvisionAllowed) {
+			// for the moment, make event provisioning another (prio) config option
+			// TODO: (proposal) refactor all provisioning strategies into event handlers
+			try {
+				$user = $this->eventProvisioningService->provisionUser($userId, $providerId, $idTokenPayload);
+			} catch (ProvisioningDeniedException $denied) {
+				$redirectUrl = $denied->getRedirectUrl();
+				if ($redirectUrl === null) {
+					$message = $this->l10n->t('Failed to provision the user');
+					return $this->build403TemplateResponse($message, Http::STATUS_BAD_REQUEST, ['reason' => $denied->getMessage()]);
+				} else {
+					// error response is a redirect, e.g. to a booking site
+					// so that you can immediately get the registration page
+					return new RedirectResponse($redirectUrl);
+				}
+			} catch (\Exception $e) {
+				$user = null;
+			}
+		} elseif ($autoProvisionAllowed) {
 			$user = $this->provisioningService->provisionUser($userId, $providerId, $idTokenPayload);
 		} else {
 			// in case user is provisioned by user_ldap, userManager->search() triggers an ldap search which syncs the results
@@ -563,7 +589,8 @@ public function singleLogoutService() {
 					$endSessionEndpoint .= '&client_id=' . $provider->getClientId();
 					$shouldSendIdToken = $this->providerService->getSetting(
 						$provider->getId(),
-						ProviderService::SETTING_SEND_ID_TOKEN_HINT, '0'
+						ProviderService::SETTING_SEND_ID_TOKEN_HINT,
+						'0'
 					) === '1';
 					$idToken = $this->session->get(self::ID_TOKEN);
 					if ($shouldSendIdToken && $idToken) {
@@ -712,8 +739,12 @@ public function backChannelLogout(string $providerIdentifier, string $logout_tok
 	 * @param bool|null $throttle
 	 * @return JSONResponse
 	 */
-	private function getBackchannelLogoutErrorResponse(string $error, string $description,
-													   array $throttleMetadata = [], ?bool $throttle = null): JSONResponse {
+	private function getBackchannelLogoutErrorResponse(
+		string $error,
+		string $description,
+		array $throttleMetadata = [],
+		?bool $throttle = null
+	): JSONResponse {
 		$this->logger->debug('Backchannel logout error. ' . $error . ' ; ' . $description);
 		$response = new JSONResponse(
 			[

lib/Event/UserAccountChangeEvent.php

@@ -0,0 +1,87 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+use OCP\EventDispatcher\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeEvent extends Event {
+	private $uid;
+	private $displayname;
+	private $mainEmail;
+	private $quota;
+	private $claims;
+	private $result;
+
+
+	public function __construct(string $uid, ?string $displayname, ?string $mainEmail, ?string $quota, object $claims, bool $accessAllowed = false) {
+		parent::__construct();
+		$this->uid = $uid;
+		$this->displayname = $displayname;
+		$this->mainEmail = $mainEmail;
+		$this->quota = $quota;
+		$this->claims = $claims;
+		$this->result = new UserAccountChangeResult($accessAllowed, 'default');
+	}
+
+	/**
+	 * @return get event username (uid)
+	 */
+	public function getUid(): string {
+		return $this->uid;
+	}
+
+	/**
+	 * @return get event displayname
+	 */
+	public function getDisplayName(): ?string {
+		return $this->displayname;
+	}
+
+	/**
+	 * @return get event main email
+	 */
+	public function getMainEmail(): ?string {
+		return $this->mainEmail;
+	}
+
+	/**
+	 * @return get event quota
+	 */
+	public function getQuota(): ?string {
+		return $this->quota;
+	}
+
+	/**
+	 * @return array the array of claim values associated with the event
+	 */
+	public function getClaims(): object {
+		return $this->claims;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function getResult(): UserAccountChangeResult {
+		return $this->result;
+	}
+
+	public function setResult(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) : void {
+		$this->result = new UserAccountChangeResult($accessAllowed, $reason, $redirectUrl);
+	}
+}

lib/Event/UserAccountChangeResult.php

@@ -0,0 +1,74 @@
+<?php
+/*
+ * @copyright Copyright (c) 2023 T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-systems.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ */
+
+declare(strict_types=1);
+
+namespace OCA\UserOIDC\Event;
+
+/**
+ * Event to provide custom mapping logic based on the OIDC token data
+ * In order to avoid further processing the event propagation should be stopped
+ * in the listener after processing as the value might get overwritten afterwards
+ * by other listeners through $event->stopPropagation();
+ */
+class UserAccountChangeResult {
+
+	/** @var bool */
+	private $accessAllowed;
+	/** @var string */
+	private $reason;
+	/** @var string */
+	private $redirectUrl;
+
+	public function __construct(bool $accessAllowed, string $reason = '', ?string $redirectUrl = null) {
+		$this->accessAllowed = $accessAllowed;
+		$this->redirectUrl = $redirectUrl;
+		$this->reason = $reason;
+	}
+
+	/**
+	 * @return value for the logged in user attribute
+	 */
+	public function isAccessAllowed(): bool {
+		return $this->accessAllowed;
+	}
+
+	public function setAccessAllowed(bool $accessAllowed): void {
+		$this->accessAllowed = $accessAllowed;
+	}
+
+	/**
+	 * @return get optional alternate redirect address
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * @return set optional alternate redirect address
+	 */
+	public function setRedirectUrl(?string $redirectUrl): void {
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * @return get decision reason
+	 */
+	public function getReason(): string {
+		return $this->reason;
+	}
+
+	/**
+	 * @return set decision reason
+	 */
+	public function setReason(string $reason): void {
+		$this->reason = $reason;
+	}
+}

lib/Service/ProvisioningDeniedException.php

@@ -0,0 +1,69 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023, T-Systems International
+ *
+ * @author B. Rederlechner <bernd.rederlechner@t-Systems.com>
+ *
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program. If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCP;
+
+/**
+ * Exception if the precondition of the config update method isn't met
+ * @since 1.4.0
+ */
+class ProvisioningDeniedException extends \Exception {
+	private $redirectUrl;
+
+	/**
+	 * Exception constructor including an option redirect url.
+	 *
+	 * @param string $message  The error message. It will be not revealed to the
+	 *                         the user (unless the hint is empty) and thus
+	 *                         should be not translated.
+	 * @param string $hint     A useful message that is presented to the end
+	 *                         user. It should be translated, but must not
+	 *                         contain sensitive data.
+	 * @param int $code        Set default to 403 (Forbidden)
+	 * @param \Exception|null $previous
+	 */
+	public function __construct(string $message, ?string $redirectUrl = null, int $code = 403, \Exception $previous = null) {
+		parent::__construct($message, $code, $previous);
+		$this->redirectUrl = $redirectUrl;
+	}
+
+	/**
+	 * Read optional failure redirect if available
+	 * @return string|null
+	 */
+	public function getRedirectUrl(): ?string {
+		return $this->redirectUrl;
+	}
+
+	/**
+	 * Include redirect in string serialisation.
+	 *
+	 * @return string
+	 */
+	public function __toString(): string {
+		$redirect = $this->redirectUrl ?? '<no redirect>';
+		return __CLASS__ . ": [{$this->code}]: {$this->message} ({$redirect})\n";
+	}
+}