References #1, #2, Implemented both features

Both features are implemented, although it should be determined if personal_code scope is required or not. It might also be possible to require personal code and not the strong session.
sisuloome · Feb 20, 2020 · 51422e3 · 51422e3
1 parent 53aeeff
commit 51422e3
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 4 deletions.
diff --git a/config/install/openid_connect.settings.harid.yml b/config/install/openid_connect.settings.harid.yml
@@ -2,3 +2,5 @@ enabled: false
 settings:
   client_id:
   client_secret:
+  require_strong_session: false
+  use_test_idp: false
diff --git a/config/schema/openid_connect.schema.yml b/config/schema/openid_connect.schema.yml
@@ -16,3 +16,9 @@ openid_connect.settings.harid:
         client_secret:
           type: string
           label: 'Client secret'
+        require_strong_session:
+          type: boolean
+          label: 'Require strong session'
+        use_test_idp:
+          type: boolean
+          label: 'Use test Identity Provider'
diff --git a/openid_connect_harid.install b/openid_connect_harid.install
@@ -0,0 +1,18 @@
+<?php
+
+/**
+ * @file
+ * Contains openid_connect_harid.install.
+ */
+
+/**
+ * Add require_strong_session and use_test_idp to HarID config.
+ */
+function openid_connect_harid_update_8101() {
+  $config = \Drupal::configFactory()->getEditable('openid_connect.settings.harid');
+  $settings = $config->get('settings');
+  $settings['require_strong_session'] = FALSE;
+  $settings['use_test_idp'] = FALSE;
+  $config->set('settings', $settings);
+  $config->save(TRUE);
+}
diff --git a/openid_connect_harid.module b/openid_connect_harid.module
@@ -37,3 +37,21 @@ function openid_connect_harid_openid_connect_post_authorize(array $tokens, UserI
     }
   }
 }
+
+/**
+ * Imlements hook_openid_connect_pre_authorize().
+ */
+function openid_connect_harid_openid_connect_pre_authorize(array $tokens, $account, array $userinfo, $plugin_id, $sub) {
+  if ($plugin_id === 'harid') {
+    $settings = \Drupal::configFactory()->get('openid_connect.settings.harid')->get('settings');
+
+    // TODO See if we should also check the presence of personal_code
+    if ($settings['require_strong_session'] === TRUE && $userinfo['strong_session'] !== TRUE) {
+      \Drupal::messenger()
+        ->addError(t('A strong session is required! Please use ID-card or Moble-ID to authenticate with HarID.'));
+      return FALSE;
+    }
+  }
+
+  return TRUE;
+}
diff --git a/src/Plugin/OpenIDConnectClient/OpenIDConnectHarIDClient.php b/src/Plugin/OpenIDConnectClient/OpenIDConnectHarIDClient.php
@@ -23,12 +23,31 @@ class OpenIDConnectHarIDClient extends OpenIDConnectClientBase {
    */
   const HARID_BASE_URL = 'https://harid.ee/et';
 
+  /**
+   * HarID test service base URL
+   * @var string
+   */
+  const HARID_TEST_BASE_URL = 'https://test.harid.ee/et';
+
   /**
    * {@inheritdoc}
    */
   public function buildConfigurationForm(array $form, FormStateInterface $form_state) {
     $form = parent::buildConfigurationForm($form, $form_state);
 
+    $form['require_strong_session'] = [
+      '#type' => 'checkbox',
+      '#title' => $this->t('Require strong session'),
+      '#description' => $this->t('If enabled, only users with strong sessions (ID-card or Mobile-ID) would be allowed.'),
+      '#default_value' => $this->configuration['require_strong_session'],
+    ];
+    $form['use_test_idp'] = [
+      '#type' => 'checkbox',
+      '#title' => $this->t('Use test Identity Provider'),
+      '#description' => $this->t('If enabled, test.harid.ee will be used instead of hardi.ee.'),
+      '#default_value' => $this->configuration['use_test_idp'],
+    ];
+
     $url = 'https://harid.ee/en/pages/dev-info';
     $form['description'] = [
       '#markup' => '<div class="description">' . $this->t('Please follow <a href="@url" target="_blank">instructions</a> to setup HarID client.', ['@url' => $url]) . '</div>',
@@ -37,22 +56,40 @@ public function buildConfigurationForm(array $form, FormStateInterface $form_sta
     return $form;
   }
 
+  /**
+   * Returns base URL for either live or test IdP service.
+   *
+   * @return string
+   *   Base URL of IdP serivice
+   */
+  private function getBaseUrl() : string {
+    if ($this->configuration['use_test_idp'] === TRUE) {
+      return self::HARID_TEST_BASE_URL;
+    }
+
+    return self::HARID_BASE_URL;
+  }
+
   /**
    * {@inheritdoc}
    */
   public function getEndpoints() {
+    $base_url = $this->getBaseUrl();
+
     return [
-      'authorization' => self::HARID_BASE_URL . '/authorizations/new',
-      'token' => self::HARID_BASE_URL . '/access_tokens',
-      'userinfo' => self::HARID_BASE_URL . '/user_info',
+      'authorization' => $base_url . '/authorizations/new',
+      'token' => $base_url . '/access_tokens',
+      'userinfo' => $base_url . '/user_info',
     ];
   }
 
   /**
    * {@inheritdoc}
    */
   public function authorize($scope = 'openid email') {
-    return parent::authorize('openid profile email roles');
+    // TODO See if we really need the personal_code scope to be present or it is
+    // enough to use the session_type and check for the strong session
+    return parent::authorize('openid profile email roles personal_code session_type');
   }
 
 }