Commit 26ad944d authored by Robert Lyon's avatar Robert Lyon

Bug 1691317: Making the LTI SSO be a child of another auth



Choose via the Admin -> Webservices -> External apps menu

Sponsored by Teachers College, Columbia University

behatnotneeded

Change-Id: I4d90e60388d3dc958d3b102de503ff4057923744
Signed-off-by: Robert Lyon's avatarRobert Lyon <robertl@catalyst.net.nz>
parent f8002f1e
<!-- @license http://www.gnu.org/copyleft/gpl.html GNU GPL version 3 or later -->
<!-- @copyright For copyright information on Mahara, please see the README file distributed with this software. -->
<h3>Parent authority</h3>
<p>If you set a parent authority, users will be able to log in using that
authority as well as single sign-on via LTI.</p>
<p>For example, you could set up SAML authentication in your institution
and have that be the parent of LTI. That means that users will be able
to log in via Mahara's inbuilt login form using the SSO button there
as well as via LTI SSO from an external application.</p>
<p>You do not have to set a parent authority. If you do not, users will
only be able to access Mahara via LTI.</p>
\ No newline at end of file
......@@ -28,3 +28,4 @@ $string['webserviceproviderenabled'] = 'Incoming web service requests allowed';
$string['institutiondenied'] = 'Access to \'%s\' is denied. Please contact your institution administrator.';
$string['notreadylabel'] = 'Not ready';
$string['readylabel'] = 'Ready';
$string['parentauthforlti'] = 'Parent authority';
......@@ -18,6 +18,7 @@ class PluginModuleLti extends PluginModule {
private static $default_config = array(
'autocreateusers' => false,
'parentauth' => null,
);
public static function postinst($fromversion) {
......@@ -143,22 +144,58 @@ class PluginModuleLti extends PluginModule {
}
public static function get_oauth_service_config_options($serverid) {
$dbconfig = get_records_assoc('oauth_server_config', 'oauthserverregistryid', $serverid, '', 'field, value');
$rawdbconfig = get_records_sql_array('SELECT c.field, c.value, r.institution FROM {oauth_server_registry} r
LEFT JOIN {oauth_server_config} c ON c.oauthserverregistryid = r.id
WHERE r.id = ?', array($serverid));
$dbconfig = new stdClass();
foreach ($rawdbconfig as $raw) {
$dbconfig->institution = $raw->institution;
if (!empty($raw->field)) {
$dbconfig->{$raw->field} = $raw->value;
}
}
$elements = array(
'institution' => array(
'type' => 'html',
'title' => get_string('institution'),
'value' => institution_display_name($dbconfig->institution),
),
'autocreateusers' => array(
'type' => 'switchbox',
'title' => get_string('autocreateusers', 'module.lti'),
'defaultvalue' => isset($dbconfig['autocreateusers']->value) ? $dbconfig['autocreateusers']->value : self::$default_config['autocreateusers'],
'defaultvalue' => isset($dbconfig->autocreateusers) ? $dbconfig->autocreateusers : self::$default_config['autocreateusers'],
),
);
// Get the active auth instances for this institution that are not webservices
if ($instances = get_records_sql_array("SELECT ai.* FROM {oauth_server_registry} osr
JOIN {auth_instance} ai ON ai.institution = osr.institution
WHERE osr.id = ? AND ai.active = 1 AND ai.authname != 'webservice'", array($serverid))) {
$options = array('' => get_string('None', 'admin'));
foreach ($instances as $instance) {
$options[$instance->id] = get_string('title', 'auth.' . $instance->authname);
}
$elements['parentauth'] = array(
'type' => 'select',
'title' => get_string('parentauthforlti', 'module.lti'),
'defaultvalue' => isset($dbconfig->parentauth) ? $dbconfig->parentauth : self::$default_config['parentauth'],
'options' => $options,
'help' => true,
);
}
return $elements;
}
public static function save_oauth_service_config_options($serverid, $values) {
return update_oauth_server_config($serverid, 'autocreateusers', (int)$values['autocreateusers']);
$options = array('autocreateusers', 'parentauth');
foreach ($options as $option) {
$fordb = isset($values[$option]) ? $values[$option] : null;
update_oauth_server_config($serverid, $option, $fordb);
}
return true;
}
// Disable form fields that are not needed by this plugin
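Review bot: `save_oauth_service_config_options` writes `$values['parentauth']` straight to `oauth_server_config` without checking that it is one of the ids the select was built from — an active, non-webservice auth instance in this server's institution, per the query earlier in the hunk. Unless the pieform select element itself rejects values outside its options (I can't confirm that from here), a tampered submit by an institution admin could point the external app at an auth instance belonging to another institution, and every user the launch then creates or updates would be placed under it. Re-running the same institution-scoped query with an extra `ai.id = ?` condition before the update, and refusing the value otherwise, closes that; surfacing it as a form validation error would be nicer than the fail-closed fallback shown below. Both methods in this hunk are complete within it.
```php
public static function save_oauth_service_config_options($serverid, $values) {
    $options = array('autocreateusers', 'parentauth');
    foreach ($options as $option) {
        $fordb = isset($values[$option]) ? $values[$option] : null;
        if ($option == 'parentauth' && $fordb !== null && $fordb !== '') {
            // Only accept an active, non-webservice auth instance from this
            // server's institution -- the same set the select offered.
            $allowed = get_records_sql_array("SELECT ai.id FROM {oauth_server_registry} osr
                JOIN {auth_instance} ai ON ai.institution = osr.institution
                WHERE osr.id = ? AND ai.id = ? AND ai.active = 1 AND ai.authname != 'webservice'",
                array($serverid, (int)$fordb));
            if (!$allowed) {
                $fordb = null; // fail closed: no parent auth rather than an unverified one
            }
        }
        update_oauth_server_config($serverid, $option, $fordb);
    }
    return true;
}
```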
......@@ -145,6 +145,7 @@ class module_lti_launch extends external_api {
// Auto create user if auth allowed
$canautocreate = get_field('oauth_server_config', 'value', 'oauthserverregistryid', $WEBSERVICE_OAUTH_SERVERID, 'field', 'autocreateusers');
$parentauthid = get_field('oauth_server_config', 'value', 'oauthserverregistryid', $WEBSERVICE_OAUTH_SERVERID, 'field', 'parentauth');
if (!$userid) {
if ($canautocreate) {
......@@ -154,7 +155,7 @@ class module_lti_launch extends external_api {
$user->password = sha1(uniqid('', true));
$user->firstname = $params['lis_person_name_given'];
$user->lastname = $params['lis_person_name_family'];
$user->authinstance = $authinstanceid;
$user->authinstance = !empty($parentauthid) ? $parentauthid : $authinstanceid;
// Make sure that the username doesn't already exist
if (get_record('usr', 'username', $user->email)) {
......@@ -168,6 +169,15 @@ class module_lti_launch extends external_api {
$updateremote = false;
$updateuser = false;
if ($parentauthid) {
$authremoteuser = new StdClass;
$authremoteuser->authinstance = $parentauthid;
$authremoteuser->remoteusername = $user->username;
$authremoteuser->localusr = $user->id;
insert_record('auth_remote_user', $authremoteuser);
}
}
else {
$USER->logout();
......@@ -180,6 +190,7 @@ class module_lti_launch extends external_api {
$user->email = $params['lis_person_contact_email_primary'];
$user->firstname = $params['lis_person_name_given'];
$user->lastname = $params['lis_person_name_family'];
$user->authinstance = !empty($parentauthid) ? $parentauthid : $authinstanceid;
unset($user->password);
$profilefields = new StdClass;
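Review bot: The `auth_remote_user` row inserted for a newly created user (the `if ($parentauthid)` block before the `else`) binds `remoteusername = $user->username` to the parent auth instance without first checking that the pair is free; the only collision check visible is on `usr.username` (`get_record('usr', 'username', $user->email)` in the earlier hunk). If another local user is already mapped to the parent auth under that remote username the insert will either fail or create a second mapping — I can't tell from here which — and in the latter case the LTI-provisioned account answers to an identity the parent IdP may hand to someone else, with the username apparently taken from the launch's `lis_person_contact_email_primary`. A guard such as `if (!get_record('auth_remote_user', 'authinstance', $parentauthid, 'remoteusername', $user->username)) { insert_record('auth_remote_user', $authremoteuser); }`, with an explicit error on the other branch, would make that case deliberate. The update path in the last hunk also re-points `$user->authinstance` at `$parentauthid` but writes no corresponding `auth_remote_user` row, so an existing user migrated this way may not be resolvable through the parent auth; either add the same mapping there or a comment stating why it is not needed. The enclosing `module_lti_launch` method starts and ends outside these hunks.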
......@@ -608,6 +608,8 @@ function webservice_server_config_form($serverid) {
'sflist' => array(
'value' => pieform(array(
'name' => 'oauthconfigoptions',
'plugintype' => $moduletype,
'pluginname' => $module,
'successcallback' => 'webservice_server_config_submit',
'elements' => $elements)),
)