forked from psignoret/aad-sso-wordpress
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Settings.php
283 lines (243 loc) · 8.53 KB
/
Settings.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
<?php
/**
* Class containing all settings used by the AADSSO plugin.
*
* Installation-specific configuration settings should be kept in JSON and loaded with
* load_settings_from_json() or load_settings_from_json_file() methods rather than hard-coding here.
*/
class AADSSO_Settings {
/**
* @var \AADSSO_Settings $instance The settings instance.
*/
private static $instance = null;
/**
* @var string The client ID obtained after registering an application in AAD.
*/
public $client_id = '';
/**
* @var string The client secret key, which is generated on the app configuration page in AAD.
*/
public $client_secret = '';
/**
* @var string The URL to redirect to after signing in. Must also be configured in AAD.
*/
public $redirect_uri = '';
/**
* @var string The URL to redirect to after signing out (of Azure AD, not WordPress).
*/
public $logout_redirect_uri = '';
/**
* @var string The display name of the organization, used only in the link in the login page.
*/
public $org_display_name = '';
/**
* The value of the domain_hint is a registered domain for the tenant. If the tenant is federated
* to an on-premises directory, AAD redirects to the specified tenant federation server.
*
* @var string Provides a hint about the tenant or domain that the user should use to sign in.
*/
public $org_domain_hint = '';
/**
* Indicates which field is matched against the authenticated user's User Principal Name (UPN)
* to find a corresponding WordPress user. Valid options are 'login', 'email', or 'slug'.
*
* @var string The WordPress field which is matched to the AAD UserPrincipalName.
*/
public $field_to_match_to_upn = '';
/**
* Indicates whether or not a WordPress user should be matched against the authenticated user's
* alias portion of their UserPrincipalName ('bob'' in '[email protected]').
*
* @var boolean Whether or not to match based UPN alias
*/
public $match_on_upn_alias = false;
/**
* Indicates whether or not a WordPress user should be auto-provisioned if a user is able to
* authenticate with Azure AD, but was not matched to a current WordPress user.
*
* @var boolean Whether or not to auto-provision a new user.
*/
public $enable_auto_provisioning = false;
/**
* Indicates if unauthenticated users are automatically redirecteded to AAD for login, instead of
* being shown the WordPress login form. Can be overridden with 'aad_auto_forward_login' filter.
*
* @var boolean Whether or not to auto-redirect to AAD for sign-in
*/
public $enable_auto_forward_to_aad = false;
/**
* @var boolean Whether or not to use AAD group memberships to set WordPress roles.
*/
public $enable_aad_group_to_wp_role = false;
/**
* An associative array used to match up AAD group object ids (key) to WordPress roles (value).
*
* Since the user will be given the first role with a matching group, the order of this array
* is important!
*
* @var string[] The AAD group to WordPress role map.
*/
public $aad_group_to_wp_role_map = array();
/**
* The default WordPress role to assign to a user when not a member of defined AAD groups.
*
* This used only if $enable_aad_group_to_wp_role is true. Empty or null means that access will
* be denied to users who are not members of the groups defined in $aad_group_to_wp_role_map.
*
* @var string The default WordPress role to assign a user if not in any Azure AD group.
*/
public $default_wp_role = null;
/**
* Indicates whether a logout of WordPress should also trigger a logout of Azure AD.
*
* @var boolean Whether or not logging out of WordPress triggers logging out of Azure AD.
*/
public $enable_full_logout = false;
/**
* @var string The OpenID Connect configuration discovery endpoint.
*/
public $openid_configuration_endpoint = 'https://login.microsoftonline.com/common/.well-known/openid-configuration';
/**
* @var string The OAuth 2.0 authorization endpoint.
*/
public $authorization_endpoint = '';
/**
* @var string The OAuth 2.0 token endpoint.
*/
public $token_endpoint = '';
/**
* @var string The OpenID Connect JSON Web Key Set endpoint.
*/
public $jwks_uri = '';
/**
* @var string The sign out endpoint.
*/
public $end_session_endpoint = '';
/**
* @var string The URI of the Microsoft Graph API.
*/
public $graph_endpoint = 'https://graph.microsoft.com';
/**
* @var string The version of the Microsoft Graph API to use.
*/
public $graph_version = 'v1.0';
/**
* Returns a sensible set of defaults for the plugin.
*
* If key is provided, only that default is returned.
*
* @param string Optional settings key to return, if only one is desired.
*
* @return mixed Sensible default settings for the plugin.
*/
public static function get_defaults( $key = null ) {
$defaults = array(
'org_display_name' => get_bloginfo( 'name' ),
'field_to_match_to_upn' => 'email',
'default_wp_role' => null,
'enable_auto_provisioning' => false,
'match_on_upn_alias' => false,
'enable_auto_forward_to_aad' => false,
'enable_aad_group_to_wp_role' => false,
'redirect_uri' => wp_login_url(),
'logout_redirect_uri' => wp_login_url(),
'openid_configuration_endpoint' => 'https://login.microsoftonline.com/common/.well-known/openid-configuration',
);
if ( null === $key ) {
return $defaults;
} else {
if ( isset( $defaults[ $key ] ) ) {
return $defaults[ $key ];
} else {
return null;
}
}
}
/**
* Gets the (only) instance of the plugin.
*
* @return self The (only) instance of the class.
*/
public static function get_instance() {
if ( ! self::$instance ) {
self::$instance = new self;
}
return self::$instance;
}
/**
* Initializes values for using stored settings and cached Azure AD configuration.
*
* @return \AADSSO_Settings The (only) configured instance of this class.
*/
public static function init() {
$instance = self::get_instance();
// First, retrieve the settings stored in the WordPress database.
$instance->load_settings( get_option( 'aadsso_settings' ) );
/*
* Then, add the settings stored in the OpenID Connect configuration endpoint.
* We're using transient as a cache, to prevent from making a request on every WP page load.
* Default transient expiration is one hour (3600 seconds), but in case a forced load is
* required, adding aadsso_reload_openid_config=1 in the URL will do the trick.
*/
$openid_configuration = get_transient( 'aadsso_openid_configuration' );
if( false === $openid_configuration || isset( $_GET['aadsso_reload_openid_config'] ) ) {
$openid_configuration = json_decode(
self::get_remote_contents( $instance->openid_configuration_endpoint ),
true // Return associative array
);
set_transient( 'aadsso_openid_configuration', $openid_configuration, 3600 );
}
$instance->load_settings( $openid_configuration );
return $instance;
}
/**
* Loads contents of a text file (local or remote).
*
* @param string $file_path The path to the file. May be local or remote.
*
* @return string The contents of the file.
*/
public static function get_remote_contents( $file_path ) {
$response = wp_remote_get( $file_path );
$file_contents = wp_remote_retrieve_body( $response );
return $file_contents;
}
/**
* Sets provided settings inside the current instance.
*
* @param array $settings An associative array of settings to be added to current configuration.
*
* @return \AADSSO_Settings The current (only) instance with new configuration.
*/
function load_settings( $settings ) {
// Expecting $settings to be an associative array. Do nothing if it isn't.
if ( ! is_array( $settings ) || empty( $settings ) ) {
return $this;
}
/*
* Invert the <role> => <CSV list of groups> map (which is what is stored in the database) to a flat
* <group> => <role> map is used during the authorization check. If a group appears twice, the first
* occurence (the first role) will take precedence.
*/
if( ! empty( $settings['role_map'] ) ) {
$settings['aad_group_to_wp_role_map'] = array();
foreach ( $settings['role_map'] as $role_slug => $group_ids_list ) {
$group_ids = explode( ',', $group_ids_list );
if ( ! empty( $group_ids ) ) {
foreach ( $group_ids as $group_id ) {
if ( ! isset( $settings['aad_group_to_wp_role_map'][ $group_id ] ) ) {
$settings['aad_group_to_wp_role_map'][ $group_id ] = $role_slug;
}
}
}
}
}
// Overwrite any provided setting values.
foreach ( $settings as $key => $value ) {
if ( property_exists( $this, $key ) ) {
$this->{$key} = $value;
}
}
return $this;
}
}