From e12021325d403074f4f524dfba6c846b2bdd97df Mon Sep 17 00:00:00 2001
From: Bertrand Gauthier <bertrand.gauthier@unicaen.fr>
Date: Tue, 23 Apr 2019 15:02:13 +0200
Subject: [PATCH] =?UTF-8?q?Nouvelle=20cl=C3=A9=20de=20config=20obligatoire?= =?UTF-8?q?=20pour=20l'authentification=20Shibboleth=20:=20unicaen-auth.sh?= =?UTF-8?q?ibboleth.logout=5Furl?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 config/unicaen-auth.global.php.dist | 16 ++++++++
 .../Options/ModuleOptionsFactory.php | 39 +++++++++++++++++++
 src/UnicaenAuth/Service/ShibService.php | 6 +--
 3 files changed, 58 insertions(+), 3 deletions(-)
diff --git a/config/unicaen-auth.global.php.dist b/config/unicaen-auth.global.php.dist
index 4a939cb..60918a2 100644
--- a/config/unicaen-auth.global.php.dist
+++ b/config/unicaen-auth.global.php.dist
@@ -28,6 +28,22 @@ $settings = [
 'enabled' => true,
 ],
+ /**
+ * Configuration de l'authentification Shibboleth.
+ */
+ 'shibboleth' => [
+ /**
+ * Affichage ou non du formulaire d'authentification via l'annuaire LDAP.
+ * NB: en réalité cela permet aussi l'authentification avec un compte local.
+ */
+ 'enable' => false,
+
+ /**
+ * URL de déconnexion.
+ */
+ 'logout_url' => '/Shibboleth.sso/Logout?return=', // NB: '?return=' semble obligatoire!
+ ],
+
 /**
 * Flag indiquant si l'utilisateur authenitifié avec succès via l'annuaire LDAP doit
 * être enregistré/mis à jour dans la table des utilisateurs de l'appli.
diff --git a/src/UnicaenAuth/Options/ModuleOptionsFactory.php b/src/UnicaenAuth/Options/ModuleOptionsFactory.php
index dd7e1a8..a07434a 100644
--- a/src/UnicaenAuth/Options/ModuleOptionsFactory.php
+++ b/src/UnicaenAuth/Options/ModuleOptionsFactory.php
@@ -2,6 +2,9 @@
 namespace UnicaenAuth\Options;
+use Assert\Assertion;
+use Assert\AssertionFailedException;
+use UnicaenApp\Exception\RuntimeException;
 use Zend\ServiceManager\FactoryInterface;
 use Zend\ServiceManager\ServiceLocatorInterface;
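Review bot: In the config/unicaen-auth.global.php.dist hunk, the docblock above `'enable' => false` describes the LDAP/local login form rather than the Shibboleth switch, and looks copied from another section of the file. If the key toggles Shibboleth authentication, as its position in the `shibboleth` block suggests, the comment should say so, for example `Activation ou non de l'authentification Shibboleth.`. The `logout_url` docblock could also state that the value is used as a prefix to which the URL-encoded return address is appended, which is why it has to end with `?return=`; at present that constraint is only hinted at in a trailing comment.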
@@ -24,6 +27,42 @@ class ModuleOptionsFactory implements FactoryInterface
 $moduleConfig = isset($config['unicaen-auth']) ? $config['unicaen-auth'] : [];
 $moduleConfig = array_merge($config['zfcuser'], $moduleConfig);
+ $this->validateConfig($moduleConfig);
+
 return new ModuleOptions($moduleConfig);
 }
+
+ /**
+ * @param array $config
+ */
+ private function validateConfig(array $config)
+ {
+ $configKeyPath = ['unicaen-auth'];
+
+ //
+ // Config shibboleth.
+ //
+ $parentKey = 'shibboleth';
+ if (array_key_exists($parentKey, $config)) {
+ $shibConfig = $config[$parentKey];
+ $configKeyPath[] = $parentKey;
+
+ try {
+ Assertion::keyExists($shibConfig, $k = 'logout_url');
+ } catch (AssertionFailedException $e) {
+ throw new RuntimeException(sprintf(
+ "La clé de configuration '%s.$k' est absente (inspirez-vous du fichier de config " .
+ "unicaen-auth.global.php.dist du module unicaen/auth si besoin)",
+ join('.', $configKeyPath)
+ ));
+ }
+
+ array_pop($configKeyPath);
+ }
+
+ //
+ // Autres.
+ //
+
+ }
 }
\ No newline at end of file
diff --git a/src/UnicaenAuth/Service/ShibService.php b/src/UnicaenAuth/Service/ShibService.php
index 7d9d488..c47bc66 100644
--- a/src/UnicaenAuth/Service/ShibService.php
+++ b/src/UnicaenAuth/Service/ShibService.php
@@ -434,13 +434,13 @@ EOS;
 return '/';
 }
- $logoutRelativeUrl = '/Shibboleth.sso/Logout?return='; // NB: '?return=' semble obligatoire!
+ $logoutUrl = $this->shibbolethConfig['logout_url'];
 if ($returnAbsoluteUrl) {
- $logoutRelativeUrl .= urlencode($returnAbsoluteUrl);
+ $logoutUrl .= urlencode($returnAbsoluteUrl);
 }
- return $logoutRelativeUrl;
+ return $logoutUrl;
 }
 /**
-- GitLab
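Review bot: The new `validateConfig()` only checks that `logout_url` is present, so `'logout_url' => null` or `''` passes `Assertion::keyExists` and the application boots with an unusable value. The ShibService hunk then appends the encoded return address to that value, so the resulting link no longer points at the Shibboleth logout handler and the SSO session would presumably survive what the user sees as a logout. Checking the value as well closes that gap, e.g. `Assertion::notEmptyKey($shibConfig, $k = 'logout_url');` followed by `Assertion::string($shibConfig[$k]);`. Passing `$e` on as the previous exception, if UnicaenApp's `RuntimeException` keeps the standard constructor, would preserve the assertion detail for whoever debugs a failed deployment.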
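Review bot: In ShibService, `$this->shibbolethConfig['logout_url']` is read with no guard, while the factory's `validateConfig()` skips its check entirely when the configuration has no `shibboleth` block. The start of this method is outside the hunk, so the early `return '/'` may already cover that case; if it does not, an installation without the block gets an undefined-index notice and a logout link made only of the encoded return URL. Since the commit makes the key mandatory, failing loudly here is safer than degrading silently: `if (empty($this->shibbolethConfig['logout_url'])) { throw new RuntimeException("Clé 'unicaen-auth.shibboleth.logout_url' absente"); }`. Whether `RuntimeException` is already imported in this file is not visible from the hunk.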