From f431f444379436fa1e19acdc3e8b19a0b4cb2d6a Mon Sep 17 00:00:00 2001
From: Are Johannessen <are.j@uib.no>
Date: Tue, 25 Mar 2025 14:52:29 +0100
Subject: [PATCH 1/2] WP110 #1191: Updated the uib_feide module to consume
 groups from Feide

The scope of the task has changed a bit since the issue was first
created and part of the work was to remove and rewrite code for
the previous assumptions we made.
---
 uib_feide.module | 79 ++++++++++++++++++++----------------------------
 1 file changed, 32 insertions(+), 47 deletions(-)

diff --git a/uib_feide.module b/uib_feide.module
index 09cac1c..0acf8f7 100644
--- a/uib_feide.module
+++ b/uib_feide.module
@@ -9,14 +9,25 @@
  */
 
 use Drupal\Component\Plugin\Exception\PluginException;
+use Drupal\user\UserInterface;
 
 /**
  * Implements hook_openid_connect_userinfo_alter().
  */
 function uib_feide_openid_connect_userinfo_alter(#[\SensitiveParameter] array &$userinfo, #[\SensitiveParameter] array $context) : void {
-  // Check if the claim exists within $userinfo before trying to access it.
-  if (isset($userinfo['https://n.feide.no/claims/eduPersonPrincipalName'])) {
-    $userinfo['preferred_username'] = $userinfo['https://n.feide.no/claims/eduPersonPrincipalName'];
+  $userinfo['preferred_username'] = $userinfo['https://n.feide.no/claims/eduPersonPrincipalName'] ?? $userinfo['email'];
+
+  /** @var GuzzleHttp\Client $response */
+  $response = Drupal::service('http_client')->request(
+    'GET',
+    'https://api.dataporten.no/userinfo/v1/userinfo',
+    ['headers' => ['Authorization' => 'Bearer ' . $context['tokens']['access_token']]]);
+  $extUserInfo = json_decode($response->getBody(), true);
+  $userinfo['groups'] = [];
+  if (count($extUserInfo) > 1 && isset($extUserInfo['eduPersonEntitlement'])) {
+    foreach ($extUserInfo['eduPersonEntitlement'] as $group) {
+      $userinfo['groups'][] = Roles::from($group)->name;
+    }
   }
 }
 
@@ -24,54 +35,28 @@ function uib_feide_openid_connect_userinfo_alter(#[\SensitiveParameter] array &$
  * Implements hook_openid_connect_pre_authorize().
  */
 function uib_feide_openid_connect_pre_authorize($account, array $context) : bool {
-  $domain_matches = FALSE;
-  $role_matches = FALSE;
-
-  // Retrieve the 'uib_feide' settings.
-  $config = Drupal::config('uib_feide.user_control_settings');
-
-  if ($config->get('domains_allowed') !== '') {
-    /** @var Drupal\uib_api_connector\ApiConnectorPluginManager $api_service */
-    $api_service = Drupal::service('plugin.manager.api_connector');
-    /** @var \Drupal\uib_profile\Plugin\ApiConnector\ScimConnector $scim_connector */
-
-    try {
-      $scim_connector = $api_service->createInstance('scim');
-    }
-    catch (PluginException $e) {
-      return FALSE;
-    }
-
-    $scim_data = $scim_connector->fetchScimUser($context['userinfo']['email']);
-    if ($scim_data !== FALSE) {
-      $roles = $scim_data->getRoles();
-
-      // Check if the user has the correct domain.
-      $domains_allowed = explode("\r", str_replace(["\r\n", "\n"], "\r", $config->get('domains_allowed') ?: ''));
-      $email_account_for_new_user = $context['userinfo']['email'];
-
-      if (str_contains($email_account_for_new_user, '@')) {
-        $domain_for_new_user = explode('@', $email_account_for_new_user)[1];
-        if (in_array($domain_for_new_user, $domains_allowed)) {
-          $domain_matches = TRUE;
-        }
-      }
-
-      // Check if the user has the correct variable.
-      $roles_allowed = explode("\r", str_replace(["\r\n", "\n"], "\r", $config->get('roles_allowed') ?: ''));
-
-      // Check each setting.
-      foreach ($roles_allowed as $role) {
-        if (in_array($role, $roles)) {
-          $role_matches = TRUE;
-          break;
-        }
+  if ($account) {
+    foreach (Roles::cases() as $role) {
+      if ($account->hasRole($role->name)) {
+        $account->removeRole($role->name);
       }
+    }
 
-      // If both the domain and role matches, then proceed to log in.
-      return $domain_matches && $role_matches;
+    foreach ($context['userinfo']['groups'] as $group) {
+      $account->addRole($group);
     }
   }
 
+  if (count($context['userinfo']['groups']) === 0) {
+    return FALSE;
+  }
+
   return TRUE;
 }
+
+enum Roles: string
+{
+  case study_program_contributor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_author';
+  case study_program_editor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_manager';
+
+}
-- 
GitLab


From 0c539bcc060b99281a5c7ecb2de1c961b3d693d5 Mon Sep 17 00:00:00 2001
From: Are Johannessen <are.j@uib.no>
Date: Tue, 25 Mar 2025 15:18:22 +0100
Subject: [PATCH 2/2] WP110 #1191: Fixed errors in coding standard and added
 function to comply

---
 uib_feide.module | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/uib_feide.module b/uib_feide.module
index 0acf8f7..c33a656 100644
--- a/uib_feide.module
+++ b/uib_feide.module
@@ -8,9 +8,6 @@
  * Feide OpenID connection.
  */
 
-use Drupal\Component\Plugin\Exception\PluginException;
-use Drupal\user\UserInterface;
-
 /**
  * Implements hook_openid_connect_userinfo_alter().
  */
@@ -22,11 +19,11 @@ function uib_feide_openid_connect_userinfo_alter(#[\SensitiveParameter] array &$
     'GET',
     'https://api.dataporten.no/userinfo/v1/userinfo',
     ['headers' => ['Authorization' => 'Bearer ' . $context['tokens']['access_token']]]);
-  $extUserInfo = json_decode($response->getBody(), true);
+  $extUserInfo = json_decode($response->getBody(), TRUE);
   $userinfo['groups'] = [];
   if (count($extUserInfo) > 1 && isset($extUserInfo['eduPersonEntitlement'])) {
     foreach ($extUserInfo['eduPersonEntitlement'] as $group) {
-      $userinfo['groups'][] = Roles::from($group)->name;
+      $userinfo['groups'][] = Roles::{Roles::from($group)->name}->getRole();
     }
   }
 }
@@ -54,9 +51,21 @@ function uib_feide_openid_connect_pre_authorize($account, array $context) : bool
   return TRUE;
 }
 
-enum Roles: string
-{
-  case study_program_contributor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_author';
-  case study_program_editor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_manager';
+/**
+ * Enum maintaining drupal roles and the associated group definitions in FEIDE.
+ */
+enum Roles: string {
+  case StudyProgramContributor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_author';
+  case StudyProgramEditor = 'https://api.uib.no/names/roles/eksternweb/uibno_studies_and_students_manager';
+
+  /**
+   * Function mapping drupal roles to enum cases.
+   */
+  public function getRole(): string {
+    return match ($this) {
+      Roles::StudyProgramContributor => 'study_program_contributor',
+      Roles::StudyProgramEditor => 'study_program_editor',
+    };
+  }
 
 }
-- 
GitLab