From 6c05344ee0f5b756c3fc7e272f7291f3d297cb58 Mon Sep 17 00:00:00 2001
From: Jakub Dolba
Date: Thu, 13 Jun 2019 09:59:29 +1200
Subject: [PATCH] Add: GUID Transformation Callable

---
 _config/saml.yml                   |  1 +
 docs/en/developer.md               | 13 +++++++++++++
 src/Control/SAMLController.php     |  5 +++++
 src/Services/SAMLConfiguration.php | 19 +++++++++++++++++++
 4 files changed, 38 insertions(+)

diff --git a/_config/saml.yml b/_config/saml.yml
index c4e0e72..18076ca 100644
--- a/_config/saml.yml
+++ b/_config/saml.yml
@@ -21,6 +21,7 @@ SilverStripe\SAML\Services\SAMLConfiguration:
   debug: false
   expect_binary_nameid: true
   allow_insecure_email_linking: false
+  guid_transformation_callable: null
   Security:
     # Algorithm that the toolkit will use on signing process. Options:
     # - 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
diff --git a/docs/en/developer.md b/docs/en/developer.md
index 457824f..c4e08ec 100644
--- a/docs/en/developer.md
+++ b/docs/en/developer.md
@@ -21,6 +21,7 @@ We assume ADFS 2.0 or greater is used as an IdP.
 - [Service Provider (SP)](#service-provider-sp)
 - [Identity Provider (IdP)](#identity-provider-idp)
 - [Additional configuration for Azure AD](#additional-configuration-for-azure-ad)
+- [GUID Transformation Callable](#guid-transformation-callable)
 - [Establish trust](#establish-trust)
 - [Configure SilverStripe Authenticators](#configure-silverstripe-authenticators)
 - [Show the SAML Login button on login form](#show-the-saml-login-button-on-login-form)
@@ -149,6 +150,18 @@ SilverStripe\SAML\Extensions\SAMLMemberExtension:
     - 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name': 'Email'
 ```
 
+### GUID Transformation Callable
+
+If you prefer received GUID in lower-case or upper-case format you can use option `guid_transformation_callable`
+to change GUID format. This option is `null` by default - no change will be applied.
+
+For example to change received GUID to upper-case just define callable (as string) in yaml configuration:
+```yaml
+SilverStripe\SAML\Services\SAMLConfiguration:
+  guid_transformation_callable: 'strtoupper'
+```
+`$guid` will be passed as first argument to any given callable
+
 ## Establish trust
 
 At this stage the SilverStripe site trusts the IdP, but the IdP does not have any way to establish the identity of the SilverStripe site.
diff --git a/src/Control/SAMLController.php b/src/Control/SAMLController.php
index 8a6e732..16ed4e5 100644
--- a/src/Control/SAMLController.php
+++ b/src/Control/SAMLController.php
@@ -147,6 +147,11 @@ public function acs()
             $guid = $auth->getNameId();
         }
 
+        $guidTransformation = Config::inst()->get(SAMLConfiguration::class, 'guid_transformation_callable');
+        if ($guidTransformation !== null) {
+            $guid = $guidTransformation($guid);
+        }
+
         $attributes = $auth->getAttributes();
         $fieldToClaimMap = array_flip(Member::config()->claims_field_mappings);
 
diff --git a/src/Services/SAMLConfiguration.php b/src/Services/SAMLConfiguration.php
index c144b8f..5e9bbcb 100644
--- a/src/Services/SAMLConfiguration.php
+++ b/src/Services/SAMLConfiguration.php
@@ -71,6 +71,14 @@ class SAMLConfiguration
      */
     private static $allow_insecure_email_linking = false;
 
+    /**
+     * @config
+     * @var null|string|callable transform received GUID by given callable, if null
+     *
+     * defaults to null - no change is applied on received guid
+     */
+    private static $guid_transformation_callable;
+
     /**
      * @return array
      */
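Review bot: The transformed value is used as-is after `$guid = $guidTransformation($guid);`, so a callable that returns `null` or a non-string leaves `$guid` in that state for the rest of `acs()` (including whatever GUID validation and member lookup follow, which are outside the hunk), and the call itself relies on `SAMLConfiguration::asArray()` (the last hunk in this patch) having already rejected non-callable values, since no `is_callable` check happens here. I would guard both at the point of use: `if (!is_callable($guidTransformation)) { throw new \InvalidArgumentException('guid_transformation_callable must be callable'); }` before the call and `if (!is_string($guid)) { throw new \UnexpectedValueException('guid_transformation_callable must return a string'); }` after it, so a misconfiguration fails the login with a clear message instead of a fatal error or a corrupted identifier. The surrounding code reads config via `Member::config()->claims_field_mappings`, so `SAMLConfiguration::config()->get('guid_transformation_callable')` would match the file's style better than `Config::inst()->get(...)`. A one-line comment would also help the next reader place the trust boundary: `// Deployment-configured callable (SAMLConfiguration::guid_transformation_callable), never request data.`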
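Review bot: The `@var` description on the new property, `transform received GUID by given callable, if null`, stops mid-sentence and the line below it restates the default, so the docblock reads as two fragments; I would replace the body with `@var null|string|callable Callable applied to the received GUID (passed as its first argument) before use; null leaves the GUID unchanged.` and drop the trailing `defaults to null` line. The property also has no initializer where the sibling `$allow_insecure_email_linking = false` spells its default out; `private static $guid_transformation_callable = null;` makes the documented default visible in code. Because a string set here names a function that will be invoked on every SAML response, the docblock is the right place to say that this is deployment configuration and must not be populated from request or user data. The `SAMLConfiguration` class continues outside the hunk.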
@@ -184,6 +192,17 @@ public function asArray()
             'wantXMLValidation' => true,
         ];
 
+        $guidTransformationCallback = $this->config()->get('guid_transformation_callable');
+        if ($guidTransformationCallback !== null && !is_callable($guidTransformationCallback)) {
+            throw new \InvalidArgumentException(
+                sprintf(
+                    '%s::guid_transformation_callable must be null or callable, `%s` given',
+                    static::class,
+                    var_export($guidTransformationCallback, true)
+                )
+            );
+        }
+
         return $conf;
     }
 }
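Review bot: The `is_callable` check sits in `asArray()`, which builds the OneLogin settings array, yet the value it validates never goes into `$conf`; the consumer is `SAMLController::acs()` (earlier in this patch), which reads the config key again without a check, so the validation only protects that code path when `asArray()` happens to run first in the same request. A typed accessor on this class that reads and validates in one place lets both callers share the check and keeps `asArray()` focused on the settings array; the block in this hunk can then be removed so `asArray()` returns `$conf` unchanged, while the controller calls the accessor. Note too that `var_export()` is embedded in the exception message, which for an array or object value produces a multi-line dump that lands in whatever log records the exception; fine for scalars, but worth keeping in mind if non-scalar values are expected. `asArray()` continues above the hunk.
```php
    /**
     * Callable applied to the GUID received from the IdP, or null when none is configured.
     *
     * @return callable|null
     * @throws \InvalidArgumentException when the configured value is neither null nor callable
     */
    public function getGuidTransformationCallable()
    {
        $callable = $this->config()->get('guid_transformation_callable');
        if ($callable === null || is_callable($callable)) {
            return $callable;
        }

        throw new \InvalidArgumentException(sprintf(
            '%s::guid_transformation_callable must be null or callable, `%s` given',
            static::class,
            var_export($callable, true)
        ));
    }

    // … unchanged: asArray() builds and returns $conf …
```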