Add functionality to stop users from reaching the regular Moodle login page.
This function forces users who try to access Moodle directly to be redirected to the "SSO Host". The functionality is enabled by setting an SSO redirect URL in the plugin's admin settings. The forced redirect can be overridden by using the query param "enrolkey_skipsso=on".
parent
afc5ec3e3f
commit
68f7634066
4 changed files with 123 additions and 3 deletions
57
auth.php
57
auth.php
|
@ -57,6 +57,7 @@ class auth_plugin_userkey extends auth_plugin_base {
|
|||
'keylifetime' => 60,
|
||||
'iprestriction' => 0,
|
||||
'redirecturl' => '',
|
||||
'ssourl' => '',
|
||||
// TODO: use this field when implementing user creation. 'createuser' => 0.
|
||||
);
|
||||
|
||||
|
@ -69,6 +70,30 @@ class auth_plugin_userkey extends auth_plugin_base {
|
|||
$this->userkeymanager = new core_userkey_manager($this->config);
|
||||
}
|
||||
|
||||
/**
|
||||
* All the checking happens before the login page in this hook
|
||||
*/
|
||||
public function pre_loginpage_hook() {
|
||||
global $SESSION;
|
||||
|
||||
// If we previously tried to skip SSO on, but then navigated
|
||||
// away, and come in from another deep link while SSO only is
|
||||
// on, then reset the previous session memory of forcing SSO.
|
||||
if (isset($SESSION->enrolkey_skipsso)) {
|
||||
unset($SESSION->enrolkey_skipsso);
|
||||
}
|
||||
$this->loginpage_hook();
|
||||
}
|
||||
|
||||
/**
|
||||
* All the checking happens before the login page in this hook
|
||||
*/
|
||||
public function loginpage_hook() {
|
||||
if ($this->should_login_redirect()) {
|
||||
redirect($this->config->ssourl);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Don't allow login using login form.
|
||||
*
|
||||
|
@ -447,12 +472,39 @@ class auth_plugin_userkey extends auth_plugin_base {
|
|||
return $parameters;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if we should redirect a user as part of login.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function should_login_redirect() {
|
||||
global $SESSION;
|
||||
$skipsso = optional_param('enrolkey_skipsso', 0, PARAM_BOOL);
|
||||
|
||||
// Check whether we've skipped SSO already.
|
||||
// This is here because loginpage_hook is called again during form
|
||||
// submission (all of login.php is processed) and ?skipsso=on is not
|
||||
// preserved forcing us to the SSO.
|
||||
if ((isset($SESSION->enrolkey_skipsso) && $SESSION->enrolkey_skipsso == 1)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
$SESSION->enrolkey_skipsso = $skipsso;
|
||||
|
||||
// If SSO only is set and user is not passing the skip param
|
||||
// or has it already set in their session then redirect to the SSO URL.
|
||||
if (isset($this->config->ssourl) && $this->config->ssourl != '' && !$skipsso) {
|
||||
return true;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if we should redirect a user after logout.
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
protected function should_redirect() {
|
||||
protected function should_logout_redirect() {
|
||||
global $SESSION;
|
||||
|
||||
if (!isset($SESSION->userkey)) {
|
||||
|
@ -470,6 +522,7 @@ class auth_plugin_userkey extends auth_plugin_base {
|
|||
return true;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Logout page hook.
|
||||
*
|
||||
|
@ -480,7 +533,7 @@ class auth_plugin_userkey extends auth_plugin_base {
|
|||
public function logoutpage_hook() {
|
||||
global $redirect;
|
||||
|
||||
if ($this->should_redirect()) {
|
||||
if ($this->should_logout_redirect()) {
|
||||
$redirect = $this->config->redirecturl;
|
||||
}
|
||||
}
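Review bot: In `should_login_redirect()` the `enrolkey_skipsso` query parameter is accepted from any unauthenticated request and then remembered in `$SESSION`, so the SSO redirect is a default route rather than an enforcement control; anyone who knows the parameter still reaches the standard login form. That matches the commit description, but the docblock should say so, e.g. `* Note: enrolkey_skipsso bypasses the redirect for any visitor; it does not enforce SSO-only login.` Separately, the method is documented `@return bool` yet falls off the end without a value when `ssourl` is empty or the skip parameter is set; add `return false;` before its closing brace. The docblock on `loginpage_hook()` is also a verbatim copy of the one on `pre_loginpage_hook()` and does not mention the redirect it performs.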
|
||||
|
|
|
@ -38,4 +38,6 @@ $string['redirecturl'] = 'Logout redirect URL';
|
|||
$string['redirecturl_desc'] = 'Optionally you can redirect users to this URL after they logged out from LMS.';
|
||||
$string['incorrectredirecturl'] = 'You should provide valid URL';
|
||||
$string['userkey:generatekey'] = 'Generate login user key';
|
||||
$string['pluginisdisabled'] = 'The userkey authentication plugin is disabled.';
|
||||
$string['pluginisdisabled'] = 'The userkey authentication plugin is disabled.';
|
||||
$string['ssourl'] = 'URL of SSO host';
|
||||
$string['ssourl_desc'] = 'URL of the SSO host to redirect users to. If defined users will be redirected here on login instead of the Moodle Login page';
|
||||
|
|
|
@ -56,6 +56,13 @@ $fields = get_auth_plugin('userkey')->get_allowed_mapping_fields();
|
|||
<?php if (isset($err[$field])) { echo $OUTPUT->notification($err[$field], 'notifyfailure'); } ?>
|
||||
<?php print_string($field.'_desc', 'auth_userkey') ?></td>
|
||||
</tr>
|
||||
<tr valign="top">
|
||||
<?php $field = 'ssourl' ?>
|
||||
<td align="right"><label for="<?php echo $field ?>"><?php print_string($field, 'auth_userkey') ?></label></td>
|
||||
<td><input type="text" size="60" name="<?php echo $field ?>" value="<?php print $config->$field ?>" placeholder=""><br>
|
||||
<?php if (isset($err[$field])) { echo $OUTPUT->notification($err[$field], 'notifyfailure'); } ?>
|
||||
<?php print_string($field.'_desc', 'auth_userkey') ?></td>
|
||||
</tr>
|
||||
<!--UNCOMMENT FOLLOWING WHEN IMPLEMENT USER CREATION.-->
|
||||
<!--<tr valign="top">-->
|
||||
<!--<?php $field = 'createuser' ?>-->
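Review bot: The new `ssourl` row writes the stored value straight into the `value` attribute with `print $config->$field`, without HTML escaping, so a value containing a double quote or markup breaks out of the attribute when the settings page is rendered. The value is set by whoever can edit the plugin configuration, which limits exposure, but it should still be escaped at output: `value="<?php echo s($config->$field) ?>"`. The rows above this hunk are only partly visible, so the same pattern may need the same change there. The `<label for="...">` also points at an id the input does not declare; adding `id="<?php echo $field ?>"` to the input would make the label work.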
|
||||
|
|
|
@ -499,6 +499,7 @@ class auth_plugin_userkey_testcase extends advanced_testcase {
|
|||
$formconfig->keylifetime = 100;
|
||||
$formconfig->iprestriction = 0;
|
||||
$formconfig->redirecturl = 'http://google.com/';
|
||||
$formconfig->ssourl = 'http://google.com/';
|
||||
|
||||
$this->auth->process_config($formconfig);
|
||||
|
||||
|
@ -707,4 +708,61 @@ class auth_plugin_userkey_testcase extends advanced_testcase {
|
|||
$this->assertEquals('http://test.com/course/index.php?id=12&key=134', $redirect);
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that login page hook redirects correctly.
|
||||
*/
|
||||
public function test_loginpage_hook_redirects_correctly() {
|
||||
global $SESSION;
|
||||
|
||||
$SESSION->enrolkey_skipsso = 0;
|
||||
set_config('ssourl', 'http://google.com', 'auth_userkey');
|
||||
$this->auth = new auth_plugin_userkey();
|
||||
|
||||
$userredirect = $this->auth->should_login_redirect();
|
||||
$this->assertEquals($userredirect, true);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that Moodle login page is displayed if url param is set correctly.
|
||||
*/
|
||||
public function test_login_page_displays_correctly_url_param_set() {
|
||||
global $SESSION;
|
||||
|
||||
$SESSION->enrolkey_skipsso = 1;
|
||||
set_config('ssourl', 'http://google.com', 'auth_userkey');
|
||||
$this->auth = new auth_plugin_userkey();
|
||||
$userredirect = $this->auth->should_login_redirect();
|
||||
$this->assertEquals($userredirect, false);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that Moodle login page is displayed if no redirect url and no param is set.
|
||||
*/
|
||||
public function test_login_page_displays_correctly() {
|
||||
global $SESSION;
|
||||
|
||||
$SESSION->enrolkey_skipsso = 0;
|
||||
set_config('ssourl', '', 'auth_userkey');
|
||||
$this->auth = new auth_plugin_userkey();
|
||||
$userredirect = $this->auth->should_login_redirect();
|
||||
$this->assertEquals($userredirect, false);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Test that Moodle login page is displayed if no redirect url, but param is set.
|
||||
*/
|
||||
public function test_login_page_displays_correctly_param_set() {
|
||||
global $SESSION;
|
||||
|
||||
$SESSION->enrolkey_skipsso = 1;
|
||||
set_config('ssourl', '', 'auth_userkey');
|
||||
$this->auth = new auth_plugin_userkey();
|
||||
$userredirect = $this->auth->should_login_redirect();
|
||||
$this->assertEquals($userredirect, false);
|
||||
|
||||
}
|
||||
|
||||
}
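Review bot: The new tests use `assertEquals($userredirect, false)`, which compares loosely, so they pass even though `should_login_redirect()` as added in this commit returns nothing (null) on the no-redirect path, for example with the session flag at 0 and an empty `ssourl` in `test_login_page_displays_correctly()`. Use the strict assertions instead: `$this->assertTrue($userredirect);` and `$this->assertFalse($userredirect);`. `test_login_page_displays_correctly_url_param_set()` sets `$SESSION->enrolkey_skipsso` rather than the request parameter, so the `optional_param()` branch and the session reset in `pre_loginpage_hook()` have no coverage here; its docblock should say it covers the session flag only.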
|
||||
|
|