From 55a20544486ed6a9fbacf54f75405796eb87e4d1 Mon Sep 17 00:00:00 2001
From: Jakub Onderka
Date: Fri, 29 Mar 2024 09:04:08 +0100
Subject: [PATCH] fix: [oidc] Use the same handling of org also for Oidc::isUserValid

---
 .../Component/Auth/OidcAuthenticate.php | 2 +-
 app/Plugin/OidcAuth/Lib/Oidc.php | 20 ++++++++++++-------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php b/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php
index 057e986a7..c19d53f56 100644
--- a/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php
+++ b/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php
@@ -13,7 +13,7 @@ App::uses('Oidc', 'OidcAuth.Lib');
 * - OidcAuth.organisation_property (default: `organization`)
 * - OidcAuth.organisation_uuid_property (default: `organization_uuid`)
 * - OidcAuth.roles_property (default: `roles`)
- * - OidcAuth.default_org - organisation ID, UUID or name if organsation is not provided by OIDC
+ * - OidcAuth.default_org - organisation ID, UUID or name if organisation is not provided by OIDC
 * - OidcAuth.unblock (boolean, default: false)
 * - OidcAuth.offline_access (boolean, default: false)
 * - OidcAuth.check_user_validity (integer, default `0`)
diff --git a/app/Plugin/OidcAuth/Lib/Oidc.php b/app/Plugin/OidcAuth/Lib/Oidc.php
index c3283a123..04705e228 100644
--- a/app/Plugin/OidcAuth/Lib/Oidc.php
+++ b/app/Plugin/OidcAuth/Lib/Oidc.php
@@ -227,13 +227,13 @@ class Oidc
 $roleProperty = $this->getConfig('roles_property', 'roles');
 $roles = $claims->{$roleProperty} ?? $oidc->requestUserInfo($roleProperty);
 if ($roles === null) {
- $this->log($user['email'], "Role property `$roleProperty` is missing in claims.");
+ $this->log($user['email'], "Role property `$roleProperty` is missing in claims.", LOG_ERR);
 return false;
 }
 $roleId = $this->getUserRole($roles, $user['email']);
 if ($roleId === null) {
- $this->log($user['email'], 'No role was assigned.');
+ $this->log($user['email'], 'No role was assigned.', LOG_WARNING);
 return false;
 }
@@ -244,14 +244,20 @@ class Oidc
 // Check user org
 $organisationProperty = $this->getConfig('organisation_property', 'organization');
- $organisationName = $claims->{$organisationProperty} ?? $this->getConfig('default_org');
+ $organisationName = $claims->{$organisationProperty} ?? null;
 $organisationUuidProperty = $this->getConfig('organisation_uuid_property', 'organization_uuid');
 $organisationUuid = $claims->{$organisationUuidProperty} ?? null;
 $organisationId = $this->checkOrganization($organisationName, $organisationUuid, $user['email']);
 if (!$organisationId) {
- return false;
+ $defaultOrganisationId = $this->defaultOrganisationId();
+ if ($defaultOrganisationId) {
+ $organisationId = $defaultOrganisationId;
+ } else {
+ $this->log($user['email'], 'No organisation was assigned.', LOG_WARNING);
+ return false;
+ }
 }
 if ($update && $user['org_id'] != $organisationId) {
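Review bot: The new fallback in the `@@ -244` hunk applies whenever `checkOrganization()` returns a falsy value, which now includes the case where the IdP did send an organisation name or UUID that MISP could not resolve; before this change only a missing claim fell back to `default_org`, and an unknown claimed organisation rejected the user. If that widening is intended (the subject says it mirrors the login path), the override should be visible in the logs rather than silent, unless `checkOrganization()` already records the failed lookup: `$this->log($user['email'], "Organisation from claims could not be resolved, falling back to default organisation `$defaultOrganisationId`.", LOG_WARNING);` before `$organisationId = $defaultOrganisationId;`. The `'No organisation was assigned.'` message is also slightly misleading for the claim-present-but-unknown case, so a wording like `'No valid organisation was assigned and no default organisation is configured.'` would help an operator reading the log. The enclosing method starts and ends outside the hunk.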
@@ -406,11 +412,11 @@ class Oidc
 ]);
 if (empty($orgAux)) {
 if (is_numeric($defaultOrgName)) {
- $this->log(null, "Could not find default organisation with ID `$defaultOrgName`.");
+ $this->log(null, "Could not find default organisation with ID `$defaultOrgName`.", LOG_ERR);
 } else if (Validation::uuid($defaultOrgName)) {
- $this->log(null, "Could not find default organisation with UUID `$defaultOrgName`.");
+ $this->log(null, "Could not find default organisation with UUID `$defaultOrgName`.", LOG_ERR);
 } else {
- $this->log(null, "Could not find default organisation with name `$defaultOrgName`.");
+ $this->log(null, "Could not find default organisation with name `$defaultOrgName`.", LOG_ERR);
 }
 return false;
 }