Isekai-Project
/
isekai-openid-connect-generic
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

3.9.0 Feature & Bugfix Release (#394)

Browse Source 
* Update openid-connect-generic-client-wrapper.php

Add openid-connect-generic-session-expired action before to allow consumers to act on the refresh token expiration

* Implement singleton pattern for OpenID_Connect_Generic class

This will allow developers who want to be able to call methods belonging to this class (or methods belonging to any of this class's properties) to do so, without having to create a new instance, and therefore repeat all the bootstrapping.

Instead, they will just be able to call OpenID_Connect_Generic::instance() to retrieve the singleton.

* Add functions.php file for global functions

These will act as wrappers for methods you would otherwise call by getting the Open_ID_Connect_Generic singleton and then calling the appropriate method.

* Make client_wrapper a public property

This allows us to access client_wrapper methods via the singleton of Open_ID_Connect_Generic.

* Support aggregated claims (#254)

* use tabs instead of spaces

* added define config with OIDC_LOGIN_TYPE and OIDC_CLIENT_SCOPE

scopes are needed when logging in so this is a no-brainer and this
can be deployed using deployments

login type can be defined here when you want to enforce SSO from the
deployment.

* More define-driven settings

* fix linting

* fix code analysis errors

* fix more linting, add more exception handling

* Added the OIDC_CREATE_IF_DOES_NOT_EXIST define

* Added documentation and phpstan defines

* Added data in environment_settings

* Fixes QS not being added to the redirect URL

* fix #178
Update last-token-response user meta after refresh

* add a basic method to refresh user claim outside of this plugin

* fix return doc

* add a basic method to refresh user claim outside of this plugin

* fix return doc

* Revert "fix return doc"

This reverts commit e19d6f3ffd3f7684dd843408ec911c4b6d614328.

* Revert "add a basic method to refresh user claim outside of this plugin"

This reverts commit 1a5fa9b045c7b50a17dc3cfd5482fc33be9aa6ee.

* Initial Codepsaces Development Environment

* Adds Gitpod Support Alongside Codespaces Support

* Only load admin CSS when showing settings page

* Updates Development Environment for PHP & WordPress

- Updates local development environment to use a Composer Docker
  container.
- Updates VS Code/Codespaces devcontainer to bullseye/PHP 7.4.
- Updates VS Code/Codespaces devcontainer & GitPod starting commands.
- Updates build environment to use PHP 7.4 & Composer 2.
- Updates build environment Composer packages.
- Updates Composer WordPress install to use the johnpbloch packages.

* Fixes Running PHPStan in Docker & Static Analysis Issues

- Updates the PHP/Composer Docker image memory limit to
  allow PHPStand to run properly.
- Fixes static analysis issues reported by PHPStan.
- Updates PHPStan & extensions to latest versions.
- Updates PHPStan configuration for latest version.

* Update GitHub Actions for PHP/Composer/WordPress Changes

- Updates GitHub Actions to use Composer v2.
- Updates GitHub Actions to use PHP 7.4.
- Updates GitHub Actions to use WordPress 5.7 as stable.

* Updates WordPress Version Composer Dependencies

- Updates the installed WordPress version to 5.7.
- Updates the installed WordPress stubs version to 5.7.

* Fixes GitHub Actions for Composer 2 Changes

* Fixes GitHub Actions for PHP Unit testing

- Changes PHPUnit switch to dev-master for PHP 8.0.

* Updates GrumPHP & GrumPHP Unit Testing PHP 8 Support

- Updates GrumPHP to a newer version.
- Updates Unit Testing PHP 8.0 to use GrumPHP dev-master.

* Updates Unit Testing for PHPUnit Testing w/ PHP8

* Updates Unit Testing Composer Updates to Run w/ PHP 8

* Updates Composer PHPUnit for PHP 8 Override

* Multisite/network configurations use your current blog as the default when using the WP_User_Query which means if a user already exists, from a different blog, you will not find them, but also can't create a new account because they already exist.  This overrides your current blog and will search 'all'

* CodeSpaces Dev Container Updates & Composer Updates

* Updating GrumPHP & Composer Dependencies

* Updates NPM Modules & Changes Plugin Instance Visibility

* Updates @wordpress/scripts & ~wordpress/env to the latest versions.
* Changes the visibility of the plugin class instance attribute.

* Bump tar from 4.4.13 to 4.4.19

Bumps [tar](https://github.com/npm/node-tar) from 4.4.13 to 4.4.19.
- [Release notes](https://github.com/npm/node-tar/releases)
- [Changelog](https://github.com/npm/node-tar/blob/main/CHANGELOG.md)
- [Commits](https://github.com/npm/node-tar/compare/v4.4.13...v4.4.19)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump hosted-git-info from 2.8.8 to 2.8.9

Bumps [hosted-git-info](https://github.com/npm/hosted-git-info) from 2.8.8 to 2.8.9.
- [Release notes](https://github.com/npm/hosted-git-info/releases)
- [Changelog](https://github.com/npm/hosted-git-info/blob/v2.8.9/CHANGELOG.md)
- [Commits](https://github.com/npm/hosted-git-info/compare/v2.8.8...v2.8.9)

---
updated-dependencies:
- dependency-name: hosted-git-info
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump lodash from 4.17.19 to 4.17.21

Bumps [lodash](https://github.com/lodash/lodash) from 4.17.19 to 4.17.21.
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](https://github.com/lodash/lodash/compare/4.17.19...4.17.21)

---
updated-dependencies:
- dependency-name: lodash
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump ssri from 6.0.1 to 6.0.2

Bumps [ssri](https://github.com/npm/ssri) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/npm/ssri/releases)
- [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md)
- [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2)

---
updated-dependencies:
- dependency-name: ssri
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump path-parse from 1.0.6 to 1.0.7

Bumps [path-parse](https://github.com/jbgutierrez/path-parse) from 1.0.6 to 1.0.7.
- [Release notes](https://github.com/jbgutierrez/path-parse/releases)
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

---
updated-dependencies:
- dependency-name: path-parse
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* Bump ws from 6.2.1 to 6.2.2

Bumps [ws](https://github.com/websockets/ws) from 6.2.1 to 6.2.2.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/6.2.1...6.2.2)

---
updated-dependencies:
- dependency-name: ws
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

* coding standards issues

* Fix wordpress coding standards issues

* Redone acr-values-support

acr-values support

* Fix code-standard errors

Fixed reported code-standard issues found

* Update openid-connect-generic-client.php

fixing code-indentment after report

* Update openid-connect-generic-client-wrapper.php

fix for reported code-standard errors

* Update openid-connect-generic-settings-page.php

Fixing code-standard reported errors

* Update openid-connect-generic-client.php

re-aligned line 225 ( indentment error)

* Refactors new ACR Handling Code for Better Code Quality

* Fixes some incorrect ACR handling code that incorrectly
  added the ACR when it wasn't set.
* Adds missing settings disable handling when ACR constant
  is set.
* Refactors code for simplicity and code quality.

* Fixes #243 Nickname from Claim Regression

* Fixes the regression caused by the code changes in 3.8.0
  which resulted in not performing proper fallbacks for
  missing cliams such as the nickname.
* Fixes invalid Node version in NVM configuration.

* Fixes Indentity Mapping & Creation Issues

* Fixes issues with improperly handling combinations of the
  "Link Existing Users", "Create user if does not exist", and
  "Identify with User Name" configuration options.
* Addresses issues related to case sensitivity of usernames
  when attempting to "Link Existing Users".
* Fixes typos and formatting on the plugin Settings screen.

* Dependabot Security Related Fixes & Refactoring

* Update to require Node v14 & NPM 6.14.15.
* Updates to Grunt 1.4.1.
* Forces resolution of dependencies for security fixes.
* Update @wordpress packages to their latest versions.
* Refactors the NPM & Composer scripts.

* Updates WP to Latest Dev Standard for Local Development

* Refactors Callable Refresh User Claims Function & Action

* Moves `openid-connect-generic-update-user-using-current-claim` action
  to within update user metadata during login.
* Adds a new publicly callable method that uses the plugin singleton.

* Prep for 3.9.0 Release

Co-authored-by: jkouris <35877237+jkouris@users.noreply.github.com>
Co-authored-by: Rob Skilling <rob@dxw.com>
Co-authored-by: Martin Schanzenbach <schanzen@gnunet.org>
Co-authored-by: Chloé "Matcha" Desoutter <chloe.desoutter@bluenove.com>
Co-authored-by: Martin <schanzen@users.noreply.github.com>
Co-authored-by: Sylwester Kardziejonek <sylwester.kardziejonek@gmail.com>
Co-authored-by: Nicolas Dhers <nicolas@rkcreation.fr>
Co-authored-by: Tom McCaffery <tom@weareadjacent.com>
Co-authored-by: Dan <dan@testinnovators.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: John Kouris <jkouris@everyincome.com>
Co-authored-by: Glowsome <administrator@comsolve.nl>
isekai^2
Tim Nolte 3 years ago committed by GitHub
parent a283a18fec
commit d4f0f4b51f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
35 changed files with 21891 additions and 23257 deletions
Show Stats Download Patch File Download Diff File

47
.devcontainer/Dockerfile
Unescape Escape View File

@ -0,0 +1,47 @@
# Note: You can use any Debian/Ubuntu based image you want.
FROM mcr.microsoft.com/vscode/devcontainers/base:bullseye
# [Option] Install zsh
ARG INSTALL_ZSH="true"
# [Option] Upgrade OS packages to their latest versions
ARG UPGRADE_PACKAGES="false"
# [Option] Enable non-root Docker access in container
ARG ENABLE_NONROOT_DOCKER="true"
# [Option] Use the OSS Moby Engine instead of the licensed Docker Engine
ARG USE_MOBY="true"
# Install needed packages and setup non-root user. Use a separate RUN statement to add your
# own dependencies. A user of "automatic" attempts to reuse an user ID if one already exists.
ARG USERNAME=automatic
ARG USER_UID=1000
ARG USER_GID=$USER_UID
COPY library-scripts/*.sh /tmp/library-scripts/
RUN apt-get update \
&& /bin/bash /tmp/library-scripts/common-debian.sh "${INSTALL_ZSH}" "${USERNAME}" "${USER_UID}" "${USER_GID}" "${UPGRADE_PACKAGES}" "true" "true" \
# Use Docker script from script library to set things up
&& /bin/bash /tmp/library-scripts/docker-in-docker-debian.sh "${ENABLE_NONROOT_DOCKER}" "${USERNAME}" "${USE_MOBY}" \
# Clean up
&& apt-get autoremove -y && apt-get clean -y && rm -rf /var/lib/apt/lists/* /tmp/library-scripts/
VOLUME [ "/var/lib/docker" ]
# Setting the ENTRYPOINT to docker-init.sh will start up the Docker Engine
# inside the container "overrideCommand": false is set in devcontainer.json.
# The script will also execute CMD if you need to alter startup behaviors.
ENTRYPOINT [ "/usr/local/share/docker-init.sh" ]
CMD [ "sleep", "infinity" ]
# [Optional] Uncomment this section to install additional OS packages.
RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
&& apt-get -y install php7.4-cli php7.4-curl php7.4-dom php7.4-intl php7.4-json php7.4-mbstring php7.4-xml
# Install Composer.
COPY --from=composer:2 /usr/bin/composer /usr/local/bin/composer
# [Choice] Node.js version: none, lts/*, 16, 14, 12, 10
# nvm environment variables
# ENV NVM_DIR /usr/local/nvm
ENV NODE_VERSION 12
# Install Node Version Manager(NVM).
RUN su vscode -c "curl --silent -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash"

29
.devcontainer/devcontainer.json
Unescape Escape View File

@ -0,0 +1,29 @@
// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
// https://github.com/microsoft/vscode-dev-containers/tree/v0.192.0/containers/docker-in-docker
{
"name": "Docker in Docker",
"dockerFile": "Dockerfile",
"runArgs": ["--init", "--privileged"],
"mounts": ["source=dind-var-lib-docker,target=/var/lib/docker,type=volume"],
"overrideCommand": false,
// Set *default* container specific settings.json values on container create.
"settings": {},
// Add the IDs of extensions you want installed when the container is created.
"extensions": [
"ms-azuretools.vscode-docker"
],
// Use 'forwardPorts' to make a list of ports inside the container available locally.
// "forwardPorts": [],
// Use 'postCreateCommand' to run commands after the container is created.
"postCreateCommand": "npm run setup",
// Use 'postStartCommand' to run commands after the container has started.
"postStartCommand": "npm start -- --update",
// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
"remoteUser": "vscode"
}

478
.devcontainer/library-scripts/common-debian.sh
Unescape Escape View File

@ -0,0 +1,478 @@
#!/usr/bin/env bash
#-------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
#-------------------------------------------------------------------------------------------------------------
#
# Docs: https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/common.md
# Maintainer: The VS Code and Codespaces Teams
#
# Syntax: ./common-debian.sh [install zsh flag] [username] [user UID] [user GID] [upgrade packages flag] [install Oh My Zsh! flag] [Add non-free packages]
set -e
INSTALL_ZSH=${1:-"true"}
USERNAME=${2:-"automatic"}
USER_UID=${3:-"automatic"}
USER_GID=${4:-"automatic"}
UPGRADE_PACKAGES=${5:-"true"}
INSTALL_OH_MYS=${6:-"true"}
ADD_NON_FREE_PACKAGES=${7:-"false"}
SCRIPT_DIR="$(cd $(dirname "${BASH_SOURCE[0]}") && pwd)"
MARKER_FILE="/usr/local/etc/vscode-dev-containers/common"
if [ "$(id -u)" -ne 0 ]; then
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
exit 1
fi
# Ensure that login shells get the correct path if the user updated the PATH using ENV.
rm -f /etc/profile.d/00-restore-env.sh
echo "export PATH=${PATH//$(sh -lc 'echo $PATH')/\$PATH}" > /etc/profile.d/00-restore-env.sh
chmod +x /etc/profile.d/00-restore-env.sh
# If in automatic mode, determine if a user already exists, if not use vscode
if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then
USERNAME=""
POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)")
for CURRENT_USER in ${POSSIBLE_USERS[@]}; do
if id -u ${CURRENT_USER} > /dev/null 2>&1; then
USERNAME=${CURRENT_USER}
break
fi
done
if [ "${USERNAME}" = "" ]; then
USERNAME=vscode
fi
elif [ "${USERNAME}" = "none" ]; then
USERNAME=root
USER_UID=0
USER_GID=0
fi
# Load markers to see which steps have already run
if [ -f "${MARKER_FILE}" ]; then
echo "Marker file found:"
cat "${MARKER_FILE}"
source "${MARKER_FILE}"
fi
# Ensure apt is in non-interactive to avoid prompts
export DEBIAN_FRONTEND=noninteractive
# Function to call apt-get if needed
apt_get_update_if_needed()
{
if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
echo "Running apt-get update..."
apt-get update
else
echo "Skipping apt-get update."
fi
}
# Run install apt-utils to avoid debconf warning then verify presence of other common developer tools and dependencies
if [ "${PACKAGES_ALREADY_INSTALLED}" != "true" ]; then
package_list="apt-utils \
openssh-client \
gnupg2 \
iproute2 \
procps \
lsof \
htop \
net-tools \
psmisc \
curl \
wget \
rsync \
ca-certificates \
unzip \
zip \
nano \
vim-tiny \
less \
jq \
lsb-release \
apt-transport-https \
dialog \
libc6 \
libgcc1 \
libkrb5-3 \
libgssapi-krb5-2 \
libicu[0-9][0-9] \
liblttng-ust0 \
libstdc++6 \
zlib1g \
locales \
sudo \
ncdu \
man-db \
strace \
manpages \
manpages-dev \
init-system-helpers"
# Needed for adding manpages-posix and manpages-posix-dev which are non-free packages in Debian
if [ "${ADD_NON_FREE_PACKAGES}" = "true" ]; then
# Bring in variables from /etc/os-release like VERSION_CODENAME
. /etc/os-release
sed -i -E "s/deb http:\/\/(deb|httpredir)\.debian\.org\/debian ${VERSION_CODENAME} main/deb http:\/\/\1\.debian\.org\/debian ${VERSION_CODENAME} main contrib non-free/" /etc/apt/sources.list
sed -i -E "s/deb-src http:\/\/(deb|httredir)\.debian\.org\/debian ${VERSION_CODENAME} main/deb http:\/\/\1\.debian\.org\/debian ${VERSION_CODENAME} main contrib non-free/" /etc/apt/sources.list
sed -i -E "s/deb http:\/\/(deb|httpredir)\.debian\.org\/debian ${VERSION_CODENAME}-updates main/deb http:\/\/\1\.debian\.org\/debian ${VERSION_CODENAME}-updates main contrib non-free/" /etc/apt/sources.list
sed -i -E "s/deb-src http:\/\/(deb|httpredir)\.debian\.org\/debian ${VERSION_CODENAME}-updates main/deb http:\/\/\1\.debian\.org\/debian ${VERSION_CODENAME}-updates main contrib non-free/" /etc/apt/sources.list
sed -i "s/deb http:\/\/security\.debian\.org\/debian-security ${VERSION_CODENAME}\/updates main/deb http:\/\/security\.debian\.org\/debian-security ${VERSION_CODENAME}\/updates main contrib non-free/" /etc/apt/sources.list
sed -i "s/deb-src http:\/\/security\.debian\.org\/debian-security ${VERSION_CODENAME}\/updates main/deb http:\/\/security\.debian\.org\/debian-security ${VERSION_CODENAME}\/updates main contrib non-free/" /etc/apt/sources.list
sed -i "s/deb http:\/\/deb\.debian\.org\/debian ${VERSION_CODENAME}-backports main/deb http:\/\/deb\.debian\.org\/debian ${VERSION_CODENAME}-backports main contrib non-free/" /etc/apt/sources.list
sed -i "s/deb-src http:\/\/deb\.debian\.org\/debian ${VERSION_CODENAME}-backports main/deb http:\/\/deb\.debian\.org\/debian ${VERSION_CODENAME}-backports main contrib non-free/" /etc/apt/sources.list
echo "Running apt-get update..."
apt-get update
package_list="${package_list} manpages-posix manpages-posix-dev"
else
apt_get_update_if_needed
fi
# Install libssl1.1 if available
if [[ ! -z $(apt-cache --names-only search ^libssl1.1$) ]]; then
package_list="${package_list} libssl1.1"
fi
# Install appropriate version of libssl1.0.x if available
libssl_package=$(dpkg-query -f '${db:Status-Abbrev}\t${binary:Package}\n' -W 'libssl1\.0\.?' 2>&1 || echo '')
if [ "$(echo "$LIlibssl_packageBSSL" | grep -o 'libssl1\.0\.[0-9]:' | uniq | sort | wc -l)" -eq 0 ]; then
if [[ ! -z $(apt-cache --names-only search ^libssl1.0.2$) ]]; then
# Debian 9
package_list="${package_list} libssl1.0.2"
elif [[ ! -z $(apt-cache --names-only search ^libssl1.0.0$) ]]; then
# Ubuntu 18.04, 16.04, earlier
package_list="${package_list} libssl1.0.0"
fi
fi
echo "Packages to verify are installed: ${package_list}"
apt-get -y install --no-install-recommends ${package_list} 2> >( grep -v 'debconf: delaying package configuration, since apt-utils is not installed' >&2 )
# Install git if not already installed (may be more recent than distro version)
if ! type git > /dev/null 2>&1; then
apt-get -y install --no-install-recommends git
fi
PACKAGES_ALREADY_INSTALLED="true"
fi
# Get to latest versions of all packages
if [ "${UPGRADE_PACKAGES}" = "true" ]; then
apt_get_update_if_needed
apt-get -y upgrade --no-install-recommends
apt-get autoremove -y
fi
# Ensure at least the en_US.UTF-8 UTF-8 locale is available.
# Common need for both applications and things like the agnoster ZSH theme.
if [ "${LOCALE_ALREADY_SET}" != "true" ] && ! grep -o -E '^\s*en_US.UTF-8\s+UTF-8' /etc/locale.gen > /dev/null; then
echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen
locale-gen
LOCALE_ALREADY_SET="true"
fi
# Create or update a non-root user to match UID/GID.
if id -u ${USERNAME} > /dev/null 2>&1; then
# User exists, update if needed
if [ "${USER_GID}" != "automatic" ] && [ "$USER_GID" != "$(id -G $USERNAME)" ]; then
groupmod --gid $USER_GID $USERNAME
usermod --gid $USER_GID $USERNAME
fi
if [ "${USER_UID}" != "automatic" ] && [ "$USER_UID" != "$(id -u $USERNAME)" ]; then
usermod --uid $USER_UID $USERNAME
fi
else
# Create user
if [ "${USER_GID}" = "automatic" ]; then
groupadd $USERNAME
else
groupadd --gid $USER_GID $USERNAME
fi
if [ "${USER_UID}" = "automatic" ]; then
useradd -s /bin/bash --gid $USERNAME -m $USERNAME
else
useradd -s /bin/bash --uid $USER_UID --gid $USERNAME -m $USERNAME
fi
fi
# Add add sudo support for non-root user
if [ "${USERNAME}" != "root" ] && [ "${EXISTING_NON_ROOT_USER}" != "${USERNAME}" ]; then
echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME
chmod 0440 /etc/sudoers.d/$USERNAME
EXISTING_NON_ROOT_USER="${USERNAME}"
fi
# ** Shell customization section **
if [ "${USERNAME}" = "root" ]; then
user_rc_path="/root"
else
user_rc_path="/home/${USERNAME}"
fi
# Restore user .bashrc defaults from skeleton file if it doesn't exist or is empty
if [ ! -f "${user_rc_path}/.bashrc" ] || [ ! -s "${user_rc_path}/.bashrc" ] ; then
cp /etc/skel/.bashrc "${user_rc_path}/.bashrc"
fi
# Restore user .profile defaults from skeleton file if it doesn't exist or is empty
if [ ! -f "${user_rc_path}/.profile" ] || [ ! -s "${user_rc_path}/.profile" ] ; then
cp /etc/skel/.profile "${user_rc_path}/.profile"
fi
# .bashrc/.zshrc snippet
rc_snippet="$(cat << 'EOF'
if [ -z "${USER}" ]; then export USER=$(whoami); fi
if [[ "${PATH}" != *"$HOME/.local/bin"* ]]; then export PATH="${PATH}:$HOME/.local/bin"; fi
# Display optional first run image specific notice if configured and terminal is interactive
if [ -t 1 ] && [[ "${TERM_PROGRAM}" = "vscode" || "${TERM_PROGRAM}" = "codespaces" ]] && [ ! -f "$HOME/.config/vscode-dev-containers/first-run-notice-already-displayed" ]; then
if [ -f "/usr/local/etc/vscode-dev-containers/first-run-notice.txt" ]; then
cat "/usr/local/etc/vscode-dev-containers/first-run-notice.txt"
elif [ -f "/workspaces/.codespaces/shared/first-run-notice.txt" ]; then
cat "/workspaces/.codespaces/shared/first-run-notice.txt"
fi
mkdir -p "$HOME/.config/vscode-dev-containers"
# Mark first run notice as displayed after 10s to avoid problems with fast terminal refreshes hiding it
((sleep 10s; touch "$HOME/.config/vscode-dev-containers/first-run-notice-already-displayed") &)
fi
# Set the default git editor if not already set
if [ -z "$(git config --get core.editor)" ] && [ -z "${GIT_EDITOR}" ]; then
if [ "${TERM_PROGRAM}" = "vscode" ]; then
if [[ -n $(command -v code-insiders) && -z $(command -v code) ]]; then
export GIT_EDITOR="code-insiders --wait"
else
export GIT_EDITOR="code --wait"
fi
fi
fi
EOF
)"
# code shim, it fallbacks to code-insiders if code is not available
cat << 'EOF' > /usr/local/bin/code
#!/bin/sh
get_in_path_except_current() {
which -a "$1" | grep -A1 "$0" | grep -v "$0"
}
code="$(get_in_path_except_current code)"
if [ -n "$code" ]; then
exec "$code" "$@"
elif [ "$(command -v code-insiders)" ]; then
exec code-insiders "$@"
else
echo "code or code-insiders is not installed" >&2
exit 127
fi
EOF
chmod +x /usr/local/bin/code
# systemctl shim - tells people to use 'service' if systemd is not running
cat << 'EOF' > /usr/local/bin/systemctl
#!/bin/sh
set -e
if [ -d "/run/systemd/system" ]; then
exec /bin/systemctl/systemctl "$@"
else
echo '\n"systemd" is not running in this container due to its overhead.\nUse the "service" command to start services intead. e.g.: \n\nservice --status-all'
fi
EOF
chmod +x /usr/local/bin/systemctl
# Codespaces bash and OMZ themes - partly inspired by https://github.com/ohmyzsh/ohmyzsh/blob/master/themes/robbyrussell.zsh-theme
codespaces_bash="$(cat \
<<'EOF'
# Codespaces bash prompt theme
__bash_prompt() {
local userpart='`export XIT=$? \
&& [ ! -z "${GITHUB_USER}" ] && echo -n "\[\033[0;32m\]@${GITHUB_USER} " || echo -n "\[\033[0;32m\]\u " \
&& [ "$XIT" -ne "0" ] && echo -n "\[\033[1;31m\]➜" || echo -n "\[\033[0m\]➜"`'
local gitbranch='`\
export BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --short HEAD 2>/dev/null); \
if [ "${BRANCH}" != "" ]; then \
echo -n "\[\033[0;36m\](\[\033[1;31m\]${BRANCH}" \
&& if git ls-files --error-unmatch -m --directory --no-empty-directory -o --exclude-standard ":/*" > /dev/null 2>&1; then \
echo -n " \[\033[1;33m\]✗"; \
fi \
&& echo -n "\[\033[0;36m\]) "; \
fi`'
local lightblue='\[\033[1;34m\]'
local removecolor='\[\033[0m\]'
PS1="${userpart} ${lightblue}\w ${gitbranch}${removecolor}\$ "
unset -f __bash_prompt
}
__bash_prompt
EOF
)"
codespaces_zsh="$(cat \
<<'EOF'
# Codespaces zsh prompt theme
__zsh_prompt() {
local prompt_username
if [ ! -z "${GITHUB_USER}" ]; then
prompt_username="@${GITHUB_USER}"
else
prompt_username="%n"
fi
PROMPT="%{$fg[green]%}${prompt_username} %(?:%{$reset_color%}➜ :%{$fg_bold[red]%}➜ )" # User/exit code arrow
PROMPT+='%{$fg_bold[blue]%}%(5~|%-1~/…/%3~|%4~)%{$reset_color%} ' # cwd
PROMPT+='$(git_prompt_info)%{$fg[white]%}$ %{$reset_color%}' # Git status
unset -f __zsh_prompt
}
ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg_bold[cyan]%}(%{$fg_bold[red]%}"
ZSH_THEME_GIT_PROMPT_SUFFIX="%{$reset_color%} "
ZSH_THEME_GIT_PROMPT_DIRTY=" %{$fg_bold[yellow]%}✗%{$fg_bold[cyan]%})"
ZSH_THEME_GIT_PROMPT_CLEAN="%{$fg_bold[cyan]%})"
__zsh_prompt
EOF
)"
# Add notice that Oh My Bash! has been removed from images and how to provide information on how to install manually
omb_readme="$(cat \
<<'EOF'
"Oh My Bash!" has been removed from this image in favor of a simple shell prompt. If you
still wish to use it, remove "~/.oh-my-bash" and install it from: https://github.com/ohmybash/oh-my-bash
You may also want to consider "Bash-it" as an alternative: https://github.com/bash-it/bash-it
See here for infomation on adding it to your image or dotfiles: https://aka.ms/codespaces/omb-remove
EOF
)"
omb_stub="$(cat \
<<'EOF'
#!/usr/bin/env bash
if [ -t 1 ]; then
cat $HOME/.oh-my-bash/README.md
fi
EOF
)"
# Add RC snippet and custom bash prompt
if [ "${RC_SNIPPET_ALREADY_ADDED}" != "true" ]; then
echo "${rc_snippet}" >> /etc/bash.bashrc
echo "${codespaces_bash}" >> "${user_rc_path}/.bashrc"
echo 'export PROMPT_DIRTRIM=4' >> "${user_rc_path}/.bashrc"
if [ "${USERNAME}" != "root" ]; then
echo "${codespaces_bash}" >> "/root/.bashrc"
echo 'export PROMPT_DIRTRIM=4' >> "/root/.bashrc"
fi
chown ${USERNAME}:${USERNAME} "${user_rc_path}/.bashrc"
RC_SNIPPET_ALREADY_ADDED="true"
fi
# Add stub for Oh My Bash!
if [ ! -d "${user_rc_path}/.oh-my-bash}" ] && [ "${INSTALL_OH_MYS}" = "true" ]; then
mkdir -p "${user_rc_path}/.oh-my-bash" "/root/.oh-my-bash"
echo "${omb_readme}" >> "${user_rc_path}/.oh-my-bash/README.md"
echo "${omb_stub}" >> "${user_rc_path}/.oh-my-bash/oh-my-bash.sh"
chmod +x "${user_rc_path}/.oh-my-bash/oh-my-bash.sh"
if [ "${USERNAME}" != "root" ]; then
echo "${omb_readme}" >> "/root/.oh-my-bash/README.md"
echo "${omb_stub}" >> "/root/.oh-my-bash/oh-my-bash.sh"
chmod +x "/root/.oh-my-bash/oh-my-bash.sh"
fi
chown -R "${USERNAME}:${USERNAME}" "${user_rc_path}/.oh-my-bash"
fi
# Optionally install and configure zsh and Oh My Zsh!
if [ "${INSTALL_ZSH}" = "true" ]; then
if ! type zsh > /dev/null 2>&1; then
apt_get_update_if_needed
apt-get install -y zsh
fi
if [ "${ZSH_ALREADY_INSTALLED}" != "true" ]; then
echo "${rc_snippet}" >> /etc/zsh/zshrc
ZSH_ALREADY_INSTALLED="true"
fi
# Adapted, simplified inline Oh My Zsh! install steps that adds, defaults to a codespaces theme.
# See https://github.com/ohmyzsh/ohmyzsh/blob/master/tools/install.sh for official script.
oh_my_install_dir="${user_rc_path}/.oh-my-zsh"
if [ ! -d "${oh_my_install_dir}" ] && [ "${INSTALL_OH_MYS}" = "true" ]; then
template_path="${oh_my_install_dir}/templates/zshrc.zsh-template"
user_rc_file="${user_rc_path}/.zshrc"
umask g-w,o-w
mkdir -p ${oh_my_install_dir}
git clone --depth=1 \
-c core.eol=lf \
-c core.autocrlf=false \
-c fsck.zeroPaddedFilemode=ignore \
-c fetch.fsck.zeroPaddedFilemode=ignore \
-c receive.fsck.zeroPaddedFilemode=ignore \
"https://github.com/ohmyzsh/ohmyzsh" "${oh_my_install_dir}" 2>&1
echo -e "$(cat "${template_path}")\nDISABLE_AUTO_UPDATE=true\nDISABLE_UPDATE_PROMPT=true" > ${user_rc_file}
sed -i -e 's/ZSH_THEME=.*/ZSH_THEME="codespaces"/g' ${user_rc_file}
mkdir -p ${oh_my_install_dir}/custom/themes
echo "${codespaces_zsh}" > "${oh_my_install_dir}/custom/themes/codespaces.zsh-theme"
# Shrink git while still enabling updates
cd "${oh_my_install_dir}"
git repack -a -d -f --depth=1 --window=1
# Copy to non-root user if one is specified
if [ "${USERNAME}" != "root" ]; then
cp -rf "${user_rc_file}" "${oh_my_install_dir}" /root
chown -R ${USERNAME}:${USERNAME} "${user_rc_path}"
fi
fi
fi
# Persist image metadata info, script if meta.env found in same directory
meta_info_script="$(cat << 'EOF'
#!/bin/sh
. /usr/local/etc/vscode-dev-containers/meta.env
# Minimal output
if [ "$1" = "version" ] || [ "$1" = "image-version" ]; then
echo "${VERSION}"
exit 0
elif [ "$1" = "release" ]; then
echo "${GIT_REPOSITORY_RELEASE}"
exit 0
elif [ "$1" = "content" ] || [ "$1" = "content-url" ] || [ "$1" = "contents" ] || [ "$1" = "contents-url" ]; then
echo "${CONTENTS_URL}"
exit 0
fi
#Full output
echo
echo "Development container image information"
echo
if [ ! -z "${VERSION}" ]; then echo "- Image version: ${VERSION}"; fi
if [ ! -z "${DEFINITION_ID}" ]; then echo "- Definition ID: ${DEFINITION_ID}"; fi
if [ ! -z "${VARIANT}" ]; then echo "- Variant: ${VARIANT}"; fi
if [ ! -z "${GIT_REPOSITORY}" ]; then echo "- Source code repository: ${GIT_REPOSITORY}"; fi
if [ ! -z "${GIT_REPOSITORY_RELEASE}" ]; then echo "- Source code release/branch: ${GIT_REPOSITORY_RELEASE}"; fi
if [ ! -z "${BUILD_TIMESTAMP}" ]; then echo "- Timestamp: ${BUILD_TIMESTAMP}"; fi
if [ ! -z "${CONTENTS_URL}" ]; then echo && echo "More info: ${CONTENTS_URL}"; fi
echo
EOF
)"
if [ -f "${SCRIPT_DIR}/meta.env" ]; then
mkdir -p /usr/local/etc/vscode-dev-containers/
cp -f "${SCRIPT_DIR}/meta.env" /usr/local/etc/vscode-dev-containers/meta.env
echo "${meta_info_script}" > /usr/local/bin/devcontainer-info
chmod +x /usr/local/bin/devcontainer-info
fi
# Write marker file
mkdir -p "$(dirname "${MARKER_FILE}")"
echo -e "\
PACKAGES_ALREADY_INSTALLED=${PACKAGES_ALREADY_INSTALLED}\n\
LOCALE_ALREADY_SET=${LOCALE_ALREADY_SET}\n\
EXISTING_NON_ROOT_USER=${EXISTING_NON_ROOT_USER}\n\
RC_SNIPPET_ALREADY_ADDED=${RC_SNIPPET_ALREADY_ADDED}\n\
ZSH_ALREADY_INSTALLED=${ZSH_ALREADY_INSTALLED}" > "${MARKER_FILE}"
echo "Done!"

230
.devcontainer/library-scripts/docker-in-docker-debian.sh
Unescape Escape View File

@ -0,0 +1,230 @@
#!/usr/bin/env bash
#-------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
#-------------------------------------------------------------------------------------------------------------
#
# Docs: https://github.com/microsoft/vscode-dev-containers/blob/main/script-library/docs/docker-in-docker.md
# Maintainer: The VS Code and Codespaces Teams
#
# Syntax: ./docker-in-docker-debian.sh [enable non-root docker access flag] [non-root user] [use moby]
ENABLE_NONROOT_DOCKER=${1:-"true"}
USERNAME=${2:-"automatic"}
USE_MOBY=${3:-"true"}
MICROSOFT_GPG_KEYS_URI="https://packages.microsoft.com/keys/microsoft.asc"
set -e
if [ "$(id -u)" -ne 0 ]; then
echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
exit 1
fi
# Determine the appropriate non-root user
if [ "${USERNAME}" = "auto" ] || [ "${USERNAME}" = "automatic" ]; then
USERNAME=""
POSSIBLE_USERS=("vscode" "node" "codespace" "$(awk -v val=1000 -F ":" '$3==val{print $1}' /etc/passwd)")
for CURRENT_USER in ${POSSIBLE_USERS[@]}; do
if id -u ${CURRENT_USER} > /dev/null 2>&1; then
USERNAME=${CURRENT_USER}
break
fi
done
if [ "${USERNAME}" = "" ]; then
USERNAME=root
fi
elif [ "${USERNAME}" = "none" ] || ! id -u ${USERNAME} > /dev/null 2>&1; then
USERNAME=root
fi
# Get central common setting
get_common_setting() {
if [ "${common_settings_file_loaded}" != "true" ]; then
curl -sfL "https://aka.ms/vscode-dev-containers/script-library/settings.env" 2>/dev/null -o /tmp/vsdc-settings.env || echo "Could not download settings file. Skipping."
common_settings_file_loaded=true
fi
if [ -f "/tmp/vsdc-settings.env" ]; then
local multi_line=""
if [ "$2" = "true" ]; then multi_line="-z"; fi
local result="$(grep ${multi_line} -oP "$1=\"?\K[^\"]+" /tmp/vsdc-settings.env | tr -d '\0')"
if [ ! -z "${result}" ]; then declare -g $1="${result}"; fi
fi
echo "$1=${!1}"
}
# Function to run apt-get if needed
apt_get_update_if_needed()
{
if [ ! -d "/var/lib/apt/lists" ] || [ "$(ls /var/lib/apt/lists/ | wc -l)" = "0" ]; then
echo "Running apt-get update..."
apt-get update
else
echo "Skipping apt-get update."
fi
}
# Checks if packages are installed and installs them if not
check_packages() {
if ! dpkg -s "$@" > /dev/null 2>&1; then
apt_get_update_if_needed
apt-get -y install --no-install-recommends "$@"
fi
}
# Ensure apt is in non-interactive to avoid prompts
export DEBIAN_FRONTEND=noninteractive
# Install dependencies
check_packages apt-transport-https curl ca-certificates lxc pigz iptables gnupg2
# Swap to legacy iptables for compatibility
if type iptables-legacy > /dev/null 2>&1; then
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
fi
# Install Docker / Moby CLI if not already installed
if type docker > /dev/null 2>&1 && type dockerd > /dev/null 2>&1; then
echo "Docker / Moby CLI and Engine already installed."
else
# Source /etc/os-release to get OS info
. /etc/os-release
if [ "${USE_MOBY}" = "true" ]; then
# Import key safely (new 'signed-by' method rather than deprecated apt-key approach) and install
get_common_setting MICROSOFT_GPG_KEYS_URI
curl -sSL ${MICROSOFT_GPG_KEYS_URI} | gpg --dearmor > /usr/share/keyrings/microsoft-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/repos/microsoft-${ID}-${VERSION_CODENAME}-prod ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/microsoft.list
apt-get update
apt-get -y install --no-install-recommends moby-cli moby-buildx moby-compose moby-engine
else
# Import key safely (new 'signed-by' method rather than deprecated apt-key approach) and install
curl -fsSL https://download.docker.com/linux/${ID}/gpg | gpg --dearmor > /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get -y install --no-install-recommends docker-ce-cli docker-ce
fi
fi
echo "Finished installing docker / moby"
# Install Docker Compose if not already installed and is on a supported architecture
if type docker-compose > /dev/null 2>&1; then
echo "Docker Compose already installed."
else
TARGET_COMPOSE_ARCH="$(uname -m)"
if [ "${TARGET_COMPOSE_ARCH}" = "amd64" ]; then
TARGET_COMPOSE_ARCH="x86_64"
fi
if [ "${TARGET_COMPOSE_ARCH}" != "x86_64" ]; then
# Use pip to get a version that runns on this architecture
if ! dpkg -s python3-minimal python3-pip libffi-dev python3-venv pipx > /dev/null 2>&1; then
apt_get_update_if_needed
apt-get -y install python3-minimal python3-pip libffi-dev python3-venv pipx
fi
export PIPX_HOME=/usr/local/pipx
mkdir -p ${PIPX_HOME}
export PIPX_BIN_DIR=/usr/local/bin
export PIP_CACHE_DIR=/tmp/pip-tmp/cache
pipx install --system-site-packages --pip-args '--no-cache-dir --force-reinstall' docker-compose
rm -rf /tmp/pip-tmp
else
LATEST_COMPOSE_VERSION=$(basename "$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/docker/compose/releases/latest)")
curl -fsSL "https://github.com/docker/compose/releases/download/${LATEST_COMPOSE_VERSION}/docker-compose-$(uname -s)-${TARGET_COMPOSE_ARCH}" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
fi
fi
# If init file already exists, exit
if [ -f "/usr/local/share/docker-init.sh" ]; then
echo "/usr/local/share/docker-init.sh already exists, so exiting."
exit 0
fi
echo "docker-init doesnt exist..."
# Add user to the docker group
if [ "${ENABLE_NONROOT_DOCKER}" = "true" ]; then
if ! getent group docker > /dev/null 2>&1; then
groupadd docker
fi
usermod -aG docker ${USERNAME}
fi
tee /usr/local/share/docker-init.sh > /dev/null \
<< 'EOF'
#!/usr/bin/env bash
#-------------------------------------------------------------------------------------------------------------
# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
#-------------------------------------------------------------------------------------------------------------
sudoIf()
{
if [ "$(id -u)" -ne 0 ]; then
sudo "$@"
else
"$@"
fi
}
# explicitly remove dockerd and containerd PID file to ensure that it can start properly if it was stopped uncleanly
# ie: docker kill <ID>
sudoIf find /run /var/run -iname 'docker*.pid' -delete || :
sudoIf find /run /var/run -iname 'container*.pid' -delete || :
set -e
## Dind wrapper script from docker team
# Maintained: https://github.com/moby/moby/blob/master/hack/dind
export container=docker
if [ -d /sys/kernel/security ] && ! sudoIf mountpoint -q /sys/kernel/security; then
sudoIf mount -t securityfs none /sys/kernel/security || {
echo >&2 'Could not mount /sys/kernel/security.'
echo >&2 'AppArmor detection and --privileged mode might break.'
}
fi
# Mount /tmp (conditionally)
if ! sudoIf mountpoint -q /tmp; then
sudoIf mount -t tmpfs none /tmp
fi
# cgroup v2: enable nesting
if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
# move the init process (PID 1) from the root group to the /init group,
# otherwise writing subtree_control fails with EBUSY.
sudoIf mkdir -p /sys/fs/cgroup/init
sudoIf echo 1 > /sys/fs/cgroup/init/cgroup.procs
# enable controllers
sudoIf sed -e 's/ / +/g' -e 's/^/+/' < /sys/fs/cgroup/cgroup.controllers \
> /sys/fs/cgroup/cgroup.subtree_control
fi
## Dind wrapper over.
# Handle DNS
set +e
cat /etc/resolv.conf | grep -i 'internal.cloudapp.net'
if [ $? -eq 0 ]
then
echo "Setting dockerd Azure DNS."
CUSTOMDNS="--dns 168.63.129.16"
else
echo "Not setting dockerd DNS manually."
CUSTOMDNS=""
fi
set -e
# Start docker/moby engine
( sudoIf dockerd $CUSTOMDNS > /tmp/dockerd.log 2>&1 ) &
set +e
# Execute whatever commands were passed in (if any). This allows us
# to set this script to ENTRYPOINT while still executing the default CMD.
exec "$@"
EOF
chmod +x /usr/local/share/docker-init.sh
chown ${USERNAME}:root /usr/local/share/docker-init.sh

4
.github/workflows/i18n.yml vendored
Unescape Escape View File

@ -27,7 +27,7 @@ jobs:
uses: actions/setup-node@v1
# https://github.com/marketplace/actions/setup-node-js-environment
with:
node-version: 12.x
node-version: 14.x
- name: Cache node modules
uses: actions/cache@v2
@ -43,7 +43,7 @@ jobs:
${{ runner.os }}-
- name: NPM Install
run: npm install
run: npm ci
- name: Check i18n Compliance
run: npm run i18n:check

4
.github/workflows/linting.yml vendored
Unescape Escape View File

@ -11,7 +11,7 @@ on:
- 'fix/**'
env:
PHP_VERSION: 7.3
PHP_VERSION: 7.4
WP_MULTISITE: 0
jobs:
@ -29,7 +29,7 @@ jobs:
# https://github.com/marketplace/actions/setup-php-action
with:
php-version: ${{ env.PHP_VERSION }}
tools: composer:v1
tools: composer:v2
- name: Cache Composer dependencies
uses: actions/cache@v2

29
.github/workflows/pr-unit-testing.yml vendored
Unescape Escape View File

@ -7,8 +7,8 @@ on:
pull_request:
env:
PHP_PREF_MIN_VERSION: '7.3'
WP_STABLE_VERSION: '5.6.*'
PHP_STABLE_VERSION: '7.4'
WP_PREF_STABLE_VERSION: '5.7.*'
WP_MULTISITE: 0
jobs:
@ -19,10 +19,10 @@ jobs:
fail-fast: false
matrix:
include:
- job-name: 'Latest Stable Requirements'
- job-name: 'Preferred Stable Requirements'
bleeding-edge: false
php-version: '7.3'
wordpress-version: '5.6.*'
php-version: '7.4'
wordpress-version: '5.7.*'
wp-multisite-mode: 0
name: '${{ matrix.job-name }} (PHP:${{ matrix.php-version }}/WP:${{ matrix.wordpress-version }})'
@ -36,13 +36,13 @@ jobs:
# https://github.com/marketplace/actions/setup-php-action
with:
php-version: ${{ matrix.php-version }}
tools: composer:v1
tools: composer:v2
- name: Setup Node Environment
uses: actions/setup-node@v1
# https://github.com/marketplace/actions/setup-node-js-environment
with:
node-version: 12.x
node-version: 14.x
- name: Cache Composer dependencies
uses: actions/cache@v2
@ -57,20 +57,13 @@ jobs:
${{ runner.os }}-
- name: Require Specified WordPress Version
run: composer require wordpress/wordpress:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
run: composer require johnpbloch/wordpress-core:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
- name: Update Composer Lockfile for Specified WordPress Version
run: composer update wordpress/wordpress:${{ matrix.wordpress-version }} --lock --prefer-source
- name: PHPUnit PHP 7.4 Support
if: matrix.php-version == '7.4'
run: |
composer global require phpunit/php-code-coverage=dev-master
composer global require sebastian/global-state:dev-master
composer global require phpunit/phpunit=dev-master
- name: Install Composer Dependencies
run: composer install
- name: NPM Setup
run: npm install
run: npm ci
- name: Unit Tests
run: npm run test

4
.github/workflows/release.yml vendored
Unescape Escape View File

@ -23,7 +23,7 @@ jobs:
uses: actions/setup-node@v1
# https://github.com/marketplace/actions/setup-node-js-environment
with:
node-version: 12.x
node-version: 14.x
- name: Cache Node Modules
uses: actions/cache@v2
@ -39,7 +39,7 @@ jobs:
${{ runner.os }}-
- name: NPM Install
run: npm install
run: npm ci
- name: Prepare a WordPress.org Release
run: npm run release

8
.github/workflows/static-analysis.yml vendored
Unescape Escape View File

@ -11,10 +11,10 @@ on:
- 'fix/**'
env:
PHP_VERSION: 7.3
PHP_VERSION: 7.4
WP_MODE: 'single'
WP_MULTISITE: 0
WP_VERSION: '5.6.*'
WP_VERSION: '5.7.*'
jobs:
check:
@ -31,7 +31,7 @@ jobs:
# https://github.com/marketplace/actions/setup-php-action
with:
php-version: ${{ env.PHP_VERSION }}
tools: composer:v1
tools: composer:v2
- name: Cache Composer dependencies
uses: actions/cache@v2
@ -46,7 +46,7 @@ jobs:
${{ runner.os }}-
- name: Require Specified WordPress Version
run: composer require wordpress/wordpress:${{ env.WP_VERSION }} --dev --prefer-source --update-with-all-dependencies
run: composer require johnpbloch/wordpress-core:${{ env.WP_VERSION }} --dev --prefer-source --update-with-all-dependencies
- name: Install Composer Dependencies
run: composer install

63
.github/workflows/unit-testing.yml vendored
Unescape Escape View File

@ -13,12 +13,13 @@ on:
- 'fix/**'
env:
PHP_MIN_VERSION: '7.1'
PHP_PREF_MIN_VERSION: '7.2'
PHP_MIN_VERSION: '7.2'
PHP_PREF_MIN_VERSION: '7.3'
PHP_STABLE_VERSION: '7.4'
WP_MIN_VERSION: '5.3.*'
WP_PREF_MIN_VERSION: '5.4.*'
WP_STABLE_VERSION: '5.6.*'
WP_MIN_VERSION: '5.5.*'
WP_PREF_MIN_VERSION: '5.6.*'
WP_PREF_STABLE_VERSION: '5.7.*'
WP_STABLE_VERSION: '5.8.*'
jobs:
test:
@ -31,28 +32,33 @@ jobs:
include:
- job-name: 'Latest Stable Requirements'
bleeding-edge: false
php-version: '7.3'
wordpress-version: '5.6.*'
php-version: '7.4'
wordpress-version: '5.8.*'
wp-multisite-mode: 0
- job-name: 'Preferred Stable Requirements'
bleeding-edge: false
php-version: '7.4'
wordpress-version: '5.7.*'
wp-multisite-mode: 0
- job-name: 'Preferred Minimum Requirements'
bleeding-edge: false
php-version: '7.2'
wordpress-version: '5.4.*'
php-version: '7.3'
wordpress-version: '5.6.*'
wp-multisite-mode: 0
- job-name: 'Minimum Requirements'
bleeding-edge: false
php-version: '7.1'
wordpress-version: '5.3.*'
php-version: '7.2'
wordpress-version: '5.5.*'
wp-multisite-mode: 0
- job-name: 'Bleeding Edge Requirements'
bleeding-edge: true
php-version: '7.4'
php-version: '8.0'
wordpress-version: 'dev-master'
wp-multisite-mode: 0
- job-name: 'Multisite Compatibility Requirements'
bleeding-edge: false
php-version: '7.3'
wordpress-version: '5.6.*'
php-version: '7.4'
wordpress-version: '5.7.*'
wp-multisite-mode: 1
name: '${{ matrix.job-name }} (PHP:${{ matrix.php-version }}/WP:${{ matrix.wordpress-version }})'
@ -66,13 +72,13 @@ jobs:
# https://github.com/marketplace/actions/setup-php-action
with:
php-version: ${{ matrix.php-version }}
tools: composer:v1
tools: composer:v2
- name: Setup Node Environment
uses: actions/setup-node@v1
# https://github.com/marketplace/actions/setup-node-js-environment
with:
node-version: 12.x
node-version: 14.x
- name: Cache Composer dependencies
uses: actions/cache@v2
@ -87,20 +93,25 @@ jobs:
${{ runner.os }}-
- name: Require Specified WordPress Version
run: composer require wordpress/wordpress:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
- name: Update Composer Lockfile for Specified WordPress Version
run: composer update wordpress/wordpress:${{ matrix.wordpress-version }} --lock --prefer-source
run: composer require johnpbloch/wordpress-core:${{ matrix.wordpress-version }} --dev --prefer-source --update-with-all-dependencies
- name: PHPUnit PHP 7.4 Support
if: matrix.php-version == '7.4'
- name: PHPUnit PHP 8.0 Support
if: matrix.php-version == '8.0'
run: |
composer global require phpunit/php-code-coverage=dev-master
composer global require sebastian/global-state:dev-master
composer global require phpunit/phpunit=dev-master
composer require sebastian/code-unit:^2.0 --dev -W --ignore-platform-req=php
composer require phpunit/phpunit:dev-master --dev -W --ignore-platform-req=php
composer require phpro/grumphp:dev-master --dev -W --ignore-platform-req=php
- name: Install Composer Dependencies (PHP 8.0)
if: matrix.php-version == '8.0'
run: composer install --ignore-platform-req=php
- name: Install Composer Dependencies
if: matrix.php-version != '8.0'
run: composer install
- name: NPM Setup
run: npm install
run: npm ci
- name: Unit Tests
env:

17
.gitpod.yml
Unescape Escape View File

@ -0,0 +1,17 @@
# List the start up tasks. Learn more https://www.gitpod.io/docs/config-start-tasks/
tasks:
- name: WordPress Development Environment
init: npm run setup # runs during prebuild
command: |
npm start -- --update
npm stop
npm start -- --update
# List the ports to expose. Learn more https://www.gitpod.io/docs/config-ports/
ports:
- port: 8888
onOpen: notify
visibility: public
- port: 8889
onOpen: notify
visibility: public

2
.nvmrc
Unescape Escape View File

@ -1 +1 @@
lts/erbium
lts/fermium

16
.vscode/tasks.json vendored
Unescape Escape View File

@ -0,0 +1,16 @@
{
"version": "2.0.0",
"tasks": [
{
"type": "npm",
"script": "build",
"group": {
"kind": "build",
"isDefault": true
},
"problemMatcher": [],
"label": "npm: build",
"detail": "npm run grunt build"
}
]
}

7
.wp-env.json
Unescape Escape View File

@ -1,6 +1,6 @@
{
"core": "./wordpress/build",
"phpVersion": "7.3",
"core": "./wordpress",
"phpVersion": "7.4",
"plugins": [
"."
],
@ -12,8 +12,9 @@
"plugins": [
".",
"https://downloads.wordpress.org/plugin/debug-bar.zip",
"https://downloads.wordpress.org/plugin/query-monitor.zip",
"https://downloads.wordpress.org/plugin/debug-bar-post-meta.zip",
"https://downloads.wordpress.org/plugin/display-environment-type.zip",
"https://downloads.wordpress.org/plugin/query-monitor.zip",
"https://downloads.wordpress.org/plugin/transients-manager.zip"
]
},

200
CHANGELOG.md
Unescape Escape View File

@ -1,168 +1,188 @@
# OpenId Connect Generic Changelog
3.8.5
* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
3.9.0
3.8.4
* Fix: @timnolte - Fixed invalid State object access for redirection handling.
* Improvement: @timnolte - Fixed local wp-env Docker development environment.
* Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
- Feature: @matchaxnb - Added support for additional configuration constants.
- Feature: @schanzen - Added support for agregated claims.
- Fix: @rkcreation - Fixed access token not updating user metadata after login.
- Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
- Feature: @RobjS - Added plugin singleton to support for more developer customization.
- Feature: @jkouris - Added action hook to allow custom handling of session expiration.
- Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
- Feature: @rkcreation - Added method to refresh the user claim.
- Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
- Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
- Fix: @slykar - Fixed missing query string handling in redirect URL.
- Fix: @timnolte - Fixed issue with some user linking and user creation handling.
- Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
- Security: @timnolte - Updated build tooling security vulnerabilities.
- Improvement: @timnolte - Changed build tooling scripts.
3.8.3
3.8.5
* Fix: @timnolte - Fixed problems with proper redirect handling.
* Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
* Improvement: @timnolte - Refactored additional code to meet coding standards.
- Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
- Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
- Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
3.8.2
3.8.4
* Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
- Fix: @timnolte - Fixed invalid State object access for redirection handling.
- Improvement: @timnolte - Fixed local wp-env Docker development environment.
- Improvement: @timnolte - Fixed Composer scripts for linting and static analysis.
3.8.1
3.8.3
* Fix: @timnolte - Prevent SSO redirect on password protected posts.
* Fix: @timnolte - CI/CD build issues.
* Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
- Fix: @timnolte - Fixed problems with proper redirect handling.
- Improvement: @timnolte - Changes redirect handling to use State instead of cookies.
- Improvement: @timnolte - Refactored additional code to meet coding standards.
3.8.0
3.8.2
* Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
* Improvement: @timnolte - NPM version requirements for development.
* Improvement: @timnolte - Travis CI build fixes.
* Improvement: @timnolte - GrumPHP configuration updates for code contributions.
* Improvement: @timnolte - Refactored to meet WordPress coding standards.
* Improvement: @timnolte - Refactored to provide localization.
* Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
- Fix: @timnolte - Fixed reported XSS vulnerability on WordPress login screen.
3.7.1
3.8.1
* Fix: Release Version Number.
- Fix: @timnolte - Prevent SSO redirect on password protected posts.
- Fix: @timnolte - CI/CD build issues.
- Fix: @timnolte - Invalid redirect handling on logout for Auto Login setting.
3.7.0
3.8.0
- Feature: @timnolte - Ability to use 6 new constants for setting client configuration instead of storing in the DB.
- Improvement: @timnolte - NPM version requirements for development.
- Improvement: @timnolte - Travis CI build fixes.
- Improvement: @timnolte - GrumPHP configuration updates for code contributions.
- Improvement: @timnolte - Refactored to meet WordPress coding standards.
- Improvement: @timnolte - Refactored to provide localization.
- Improvement: @timnolte - Refactored to provide a Docker-based local development environment.
3.7.1
- Fix: Release Version Number.
3.7.0
- Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
- Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
* Feature: @timnolte - Ability to enable/disable token refresh. Useful for IDPs that don't support token refresh.
* Feature: @timnolte - Support custom redirect URL(`redirect_to`) with the authentication URL & login button shortcodes.
- Supports additional attribute overrides including login `button_text`, `endpoint_login`, `scope`, `redirect_uri`.
3.6.0
3.6.0
* Improvement: @RobjS - Improved error messages during login state failure.
* Improvement: @RobjS - New developer filter for login form button URL.
* Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
* Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
* Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
* Improvement: @flat235 - Username transliteration and normalization.
- Improvement: @RobjS - Improved error messages during login state failure.
- Improvement: @RobjS - New developer filter for login form button URL.
- Fix: @cs1m0n - Only increment username during new user creation if the "Link existing user" setting is enabled.
- Fix: @xRy-42 - Allow periods and spaces in usernames to match what WordPress core allows.
- Feature: @benochen - New setting named "Create user if does not exist" determines whether new users are created during login attempts.
- Improvement: @flat235 - Username transliteration and normalization.
3.5.1
3.5.1
* Fix: @daggerhart - New approach to state management using transients.
- Fix: @daggerhart - New approach to state management using transients.
3.5.0
3.5.0
* Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
* Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
* Feature: @gassan - New action on use login
* Fix: @daggerhart - Avoid double question marks in auth url query string
* Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
* Syntax change: @mullikine - Change PHP keywords to comply with PSR2
- Readme fix: @thijskh - Fix syntax error in example openid-connect-generic-login-button-text
- Feature: @slavicd - Allow override of the plugin by posting credentials to wp-login.php
- Feature: @gassan - New action on use login
- Fix: @daggerhart - Avoid double question marks in auth url query string
- Fix: @drzraf - wp-cli bootstrap must not inhibit custom rewrite rules
- Syntax change: @mullikine - Change PHP keywords to comply with PSR2
**3.4.1**
* Minor documentation update and additional error checking.
- Minor documentation update and additional error checking.
**3.4.0**
* Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
* Feature: @anttileppa - State time limit can now be changed on the settings page.
* Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
* Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
- Feature: @drzraf - New filter hook: ability to filter claim and derived user data before user creation.
- Feature: @anttileppa - State time limit can now be changed on the settings page.
- Fix: @drzraf - Fix PHP notice when using traditional login, $token_response may be empty.
- Fix: @drzraf - Fixed a notice when cookie does not contain expected redirect_url
**3.3.1**
* Prefixing classes for more efficient autoloading.
* Avoid altering global wp_remote_post() parameters.
* Minor metadata updates for wp.org
- Prefixing classes for more efficient autoloading.
- Avoid altering global wp_remote_post() parameters.
- Minor metadata updates for wp.org
**3.3.0**
* Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
- Fix: @pjeby - Handle multiple user sessions better by using the `WP_Session_Tokens` object. Predecessor to fixes for multiple other issues: #49, #50, #51
**3.2.1**
* Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
- Bug fix: @svenvanhal - Exit after issuing redirect. Fixes #46
**3.2.0**
* Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
* Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
* Feature: New setting to set redirect URL when session expires.
* Feature: @robbiepaul - New filter for modifying authentication URL
* Fix: @cedrox - Adding id_token_hint to logout URL according to spec
* Bug fix: Provide port to the request header when requesting the user_claim
- Feature: @robbiepaul - trigger core action `wp_login` when user is logged in through this plugin
- Feature: @moriyoshi - Determine the WP_User display name with replacement tokens on the settings page. Tokens can be any property of the user_claim.
- Feature: New setting to set redirect URL when session expires.
- Feature: @robbiepaul - New filter for modifying authentication URL
- Fix: @cedrox - Adding id_token_hint to logout URL according to spec
- Bug fix: Provide port to the request header when requesting the user_claim
**3.1.0**
* Feature: @rwasef1830 - Refresh tokens
* Feature: @rwasef1830 - Integrated logout support with end_session endpoint
* Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
* Feature: @ahatherly - Support for IDP behind reverse proxy
* Bug fix: @robertstaddon - case insensitive check for Bearer token
* Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
* Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
* Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
* UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
- Feature: @rwasef1830 - Refresh tokens
- Feature: @rwasef1830 - Integrated logout support with end_session endpoint
- Feature: May use an alternate redirect_uri that doesn't rely on admin-ajax
- Feature: @ahatherly - Support for IDP behind reverse proxy
- Bug fix: @robertstaddon - case insensitive check for Bearer token
- Bug fix: @rwasef1830 - "redirect to origin when auto-sso" cookie issue
- Bug fix: @rwasef1830 - PHP Warnings headers already sent due to attempts to redirect and set cookies during login form message
- Bug fix: @rwasef1830 - expire session when access_token expires if no refresh token found
- UX fix: @rwasef1830 - Show login button on error redirect when using auto-sso
**3.0.8**
* Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
- Feature: @wgengarelly - Added `openid-connect-generic-update-user-using-current-claim` action hook allowing other plugins/themes
to take action using the fresh claims received when an existing user logs in.
**3.0.7**
* Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in
section 5.3.1 of the specs.
- Bug fix: @wgengarelly - When requesting userinfo, send the access token using the Authorization header field as recommended in
section 5.3.1 of the specs.
**3.0.6**
* Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
- Bug fix: @robertstaddon - If "Link Existing Users" is enabled, allow users who login with OpenID Connect to also log in with WordPress credentials
**3.0.5**
* Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
* Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
- Feature: @robertstaddon - Added `[openid_connect_generic_login_button]` shortcode to allow the login button to be placed anywhere
- Feature: @robertstaddon - Added setting to "Redirect Back to Origin Page" after a successful login instead of redirecting to the home page.
**3.0.4**
* Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
- Feature: @robertstaddon - Added setting to allow linking existing WordPress user accounts with newly-authenticated OpenID Connect login
**3.0.3**
* Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
* Bug fix: Incrementing username in case of collision.
* Bug fix: Wrong error sent when missing token body
- Using WordPresss's is_ssl() for setcookie()'s "secure" parameter
- Bug fix: Incrementing username in case of collision.
- Bug fix: Wrong error sent when missing token body
**3.0.2**
* Added http_request_timeout setting
- Added http_request_timeout setting
**3.0.1**
* Finalizing 3.0.x api
- Finalizing 3.0.x api
**3.0**
* Complete rewrite to separate concerns
* Changed settings keys for clarity (requires updating settings if upgrading from another version)
* Error logging
- Complete rewrite to separate concerns
- Changed settings keys for clarity (requires updating settings if upgrading from another version)
- Error logging
**2.1**
* Working my way closer to spec. Possible breaking change. Now checking for preferred_username as priority.
* New username determination to avoid collisions
- Working my way closer to spec. Possible breaking change. Now checking for preferred_username as priority.
- New username determination to avoid collisions
**2.0**
Complete rewrite

7
HOWTO.md
Unescape Escape View File

@ -82,6 +82,13 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
- Userinfo Endpoint URL: `OIDC_ENDPOINT_USERINFO_URL`
- Token Validation Endpoint URL: `OIDC_ENDPOINT_TOKEN_URL`
- End Session Endpoint URL: `OIDC_ENDPOINT_LOGOUT_URL`
- OpenID scope: `OIDC_CLIENT_SCOPE` (space separated)
- OpenID login type: `OIDC_LOGIN_TYPE` ('button' or 'auto')
- Enforce privacy: `OIDC_ENFORCE_PRIVACY` (boolean)
- Create user if they do not exist: `OIDC_CREATE_IF_DOES_NOT_EXIST` (boolean)
- Link existing user: `OIDC_LINK_EXISTING_USERS` (boolean)
- Redirect user back to origin page: `OIDC_REDIRECT_USER_BACK` (boolean)
- Redirect on logout: `OIDC_REDIRECT_ON_LOGOUT` (boolean)
## Hooks

36
README.md
Unescape Escape View File

@ -1,11 +1,11 @@
# OpenID Connect Generic Client #
**Contributors:** [daggerhart](https://profiles.wordpress.org/daggerhart), [tnolte](https://profiles.wordpress.org/tnolte)
**Contributors:** [daggerhart](https://profiles.wordpress.org/daggerhart/), [tnolte](https://profiles.wordpress.org/tnolte/)
**Donate link:** http://www.daggerhart.com/
**Tags:** security, login, oauth2, openidconnect, apps, authentication, autologin, sso
**Requires at least:** 4.9
**Tested up to:** 5.7.1
**Stable tag:** 3.8.5
**Requires PHP:** 7.1
**Tested up to:** 5.9.2
**Stable tag:** 3.9.0
**Requires PHP:** 7.2
**License:** GPLv2 or later
**License URI:** http://www.gnu.org/licenses/gpl-2.0.html
@ -51,12 +51,30 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
## Changelog ##
### 3.8.5
### 3.9.0 ###
* Feature: @matchaxnb - Added support for additional configuration constants.
* Feature: @schanzen - Added support for agregated claims.
* Fix: @rkcreation - Fixed access token not updating user metadata after login.
* Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
* Feature: @RobjS - Added plugin singleton to support for more developer customization.
* Feature: @jkouris - Added action hook to allow custom handling of session expiration.
* Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
* Feature: @rkcreation - Added method to refresh the user claim.
* Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
* Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
* Fix: @slykar - Fixed missing query string handling in redirect URL.
* Fix: @timnolte - Fixed issue with some user linking and user creation handling.
* Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
* Security: @timnolte - Updated build tooling security vulnerabilities.
* Improvement: @timnolte - Changed build tooling scripts.
### 3.8.5 ###
* Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
* Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
* Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
###
### 3.8.4 ###
* Fix: @timnolte - Fixed invalid State object access for redirection handling.

63
composer.json
Unescape Escape View File

@ -25,45 +25,46 @@
},
"config": {
"platform": {
"php": "7.3"
"php": "7.4"
},
"optimize-autoloader": true
},
"repositories": [
{
"type": "git",
"url": "https://github.com/wordpress/wordpress-develop"
"optimize-autoloader": true,
"sort-packages": true,
"allow-plugins": {
"dealerdirect/phpcodesniffer-composer-installer": true,
"phpstan/extension-installer": true,
"composer/installers": true,
"johnpbloch/wordpress-core-installer": true,
"phpro/grumphp": true
}
],
},
"require": {
"php": ">=7.1.0",
"php": ">=7.1",
"composer/installers": "~1.0"
},
"require-dev": {
"php": ">=7.1.0",
"squizlabs/php_codesniffer": "^3.3",
"wp-coding-standards/wpcs": "^2.2",
"php": ">=7.1",
"brain/monkey": "^2.4",
"dealerdirect/phpcodesniffer-composer-installer": "~0.7",
"johnpbloch/wordpress-core": "~5.7.0",
"johnpbloch/wordpress-core-installer": "^2.0",
"mockery/mockery": "^1.3",
"php-stubs/wordpress-stubs": "~5.7.0",
"phpcompatibility/php-compatibility": "^9.0",
"phpcompatibility/phpcompatibility-wp": "^2.1",
"phpmd/phpmd": "^2.6",
"phpro/grumphp": "^1.5",
"phpstan/extension-installer": "^1.1",
"phpstan/phpstan": "^1.2",
"phpstan/phpstan-deprecation-rules": "^1.0",
"phpunit/phpunit": "^7",
"phpstan/phpstan": "*",
"phpstan/extension-installer": "^1.0",
"szepeviktor/phpstan-wordpress": "*",
"roave/security-advisories": "dev-master",
"mnsami/composer-custom-directory-installer": "~1.0",
"wordpress/wordpress": "~5.6.0",
"php-stubs/wordpress-stubs": "~5.6.0",
"dealerdirect/phpcodesniffer-composer-installer": "~0.6",
"brain/monkey": "^2.4",
"mockery/mockery": "^1.3",
"phpro/grumphp": "~0.20",
"sensiolabs/security-checker": "^5.0",
"phpstan/phpstan-deprecation-rules": "^0.12"
"squizlabs/php_codesniffer": "^3.6",
"szepeviktor/phpstan-wordpress": "^1.0",
"wp-coding-standards/wpcs": "^2.2"
},
"autoload-dev": {
"classmap": [
"wordpress/src/"
"wordpress/"
]
},
"autoload": {
@ -90,16 +91,12 @@
"phpcs": "vendor/bin/phpcs",
"phpcbf": "vendor/bin/phpcbf",
"phpstan": "vendor/bin/phpstan",
"lint": "vendor/bin/phpcs --report=full",
"lint-fix": "vendor/bin/phpcbf",
"analyze": "vendor/bin/phpstan analyze"
"lint": "@phpcs --report=full",
"lint-fix": "@phpcbf",
"analyze": "@phpstan analyze"
},
"extra": {
"installer-paths": {
"{$name}": [
"wordpress/wordpress"
]
},
"wordpress-install-dir": "wordpress",
"phpcodesniffer-search-depth": 5
}
}

2119
composer.lock generated
View File

File diff suppressed because it is too large Load Diff

0
docker-compose.override.yml → docker-compose.wp-env.yml
Unescape Escape View File

21
docker-compose.yml
Unescape Escape View File

@ -0,0 +1,21 @@
# This is the Compose file for command-line services.
# Anything that doesn't need to be run as part of the main `docker-compose up'
# command should reside in here and be invoked by a helper script.
version: "3.7"
services:
dev:
build: .devcontainer
working_dir: /app
user: 1000:1000
volumes:
- .:/app:cached
composer:
build: ./tools/docker/composer
entrypoint: composer
working_dir: /app
user: 1000:1000
volumes:
- .:/app:cached
- ~/.composer:/root/.composer:cached
volumes:
{}

30
includes/functions.php
Unescape Escape View File

@ -0,0 +1,30 @@
<?php
/**
* Global OIDCG functions.
*
* @package OpenID_Connect_Generic
* @author Jonathan Daggerhart <jonathan@daggerhart.com>
* @copyright 2015-2020 daggerhart
* @license http://www.gnu.org/licenses/gpl-2.0.txt GPL-2.0+
*/
/**
* Return a single use authentication URL.
*
* @return string
*/
function oidcg_get_authentication_url() {
return \OpenID_Connect_Generic::instance()->client_wrapper->get_authentication_url();
}
/**
* Refresh a user claim and update the user metadata.
*
* @param WP_User $user The user object.
* @param array $token_response The token response.
*
* @return WP_Error|array
*/
function oidcg_refresh_user_claim( $user, $token_response ) {
return \OpenID_Connect_Generic::instance()->client_wrapper->refresh_user_claim( $user, $token_response );
}

272
includes/openid-connect-generic-client-wrapper.php
Unescape Escape View File

@ -148,6 +148,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
* @return string
*/
public function get_redirect_to() {
// @var WP $wp WordPress environment setup class.
global $wp;
if ( isset( $GLOBALS['pagenow'] ) && 'wp-login.php' == $GLOBALS['pagenow'] && isset( $_GET['action'] ) && 'logout' === $_GET['action'] ) {
@ -170,8 +171,8 @@ class OpenID_Connect_Generic_Client_Wrapper {
// Capture the current URL if set to redirect back to origin page.
if ( $this->settings->redirect_user_back ) {
if ( ! empty( $wp->request ) ) {
if ( ! empty( $wp->did_permalink ) && $wp->did_permalink ) {
$redirect_url = home_url( trailingslashit( $wp->request ) );
if ( ! empty( $wp->did_permalink ) && boolval( $wp->did_permalink ) === true ) {
$redirect_url = home_url( add_query_arg( $_GET, trailingslashit( $wp->request ) ) );
} else {
$redirect_url = home_url( add_query_arg( null, null ) );
}
@ -210,6 +211,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
'client_id' => $this->settings->client_id,
'redirect_uri' => $this->client->get_redirect_uri(),
'redirect_to' => $this->get_redirect_to(),
'acr_values' => $this->settings->acr_values,
),
$atts,
'openid_connect_generic_auth_url'
@ -224,14 +226,21 @@ class OpenID_Connect_Generic_Client_Wrapper {
if ( stripos( $this->settings->endpoint_login, '?' ) !== false ) {
$separator = '&';
}
$url_format = '%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s';
if ( ! empty( $atts['acr_values'] ) ) {
$url_format .= '&acr_values=%7$s';
}
$url = sprintf(
'%1$s%2$sresponse_type=code&scope=%3$s&client_id=%4$s&state=%5$s&redirect_uri=%6$s',
$url_format,
$atts['endpoint_login'],
$separator,
rawurlencode( $atts['scope'] ),
rawurlencode( $atts['client_id'] ),
$this->client->new_state( $atts['redirect_to'] ),
rawurlencode( $atts['redirect_uri'] )
rawurlencode( $atts['redirect_uri'] ),
rawurlencode( $atts['acr_values'] )
);
$this->logger->log( apply_filters( 'openid-connect-generic-auth-url', $url ), 'make_authentication_url' );
@ -271,13 +280,16 @@ class OpenID_Connect_Generic_Client_Wrapper {
$refresh_expires = $refresh_token_info['refresh_expires'];
if ( ! $refresh_token || ( $refresh_expires && $current_time > $refresh_expires ) ) {
wp_logout();
if ( isset( $_SERVER['REQUEST_URI'] ) ) {
do_action( 'openid-connect-generic-session-expired', wp_get_current_user(), esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ) );
wp_logout();
if ( $this->settings->redirect_on_logout ) {
$this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
}
if ( $this->settings->redirect_on_logout ) {
$this->error_redirect( new WP_Error( 'access-token-expired', __( 'Session expired. Please login again.', 'daggerhart-openid-connect-generic' ) ) );
}
return;
return;
}
}
$token_result = $this->client->request_new_tokens( $refresh_token );
@ -294,6 +306,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
$this->error_redirect( $token_response );
}
update_user_meta( $user_id, 'openid-connect-generic-last-token-response', $token_response );
$this->save_refresh_token( $manager, $token, $token_response );
}
@ -510,8 +523,10 @@ class OpenID_Connect_Generic_Client_Wrapper {
$subject_identity = $client->get_subject_identity( $id_token_claim );
$user = $this->get_user_by_identity( $subject_identity );
// A pre-existing IDP mapped user wasn't found.
if ( ! $user ) {
if ( $this->settings->create_if_does_not_exist ) {
// If linking existing users or creating new ones call the `create_new_user` method which handles both cases.
if ( $this->settings->link_existing_users || $this->settings->create_if_does_not_exist ) {
$user = $this->create_new_user( $subject_identity, $user_claim );
if ( is_wp_error( $user ) ) {
$this->error_redirect( $user );
@ -519,9 +534,6 @@ class OpenID_Connect_Generic_Client_Wrapper {
} else {
$this->error_redirect( new WP_Error( 'identity-not-map-existing-user', __( 'User identity is not linked to an existing WordPress user.', 'daggerhart-openid-connect-generic' ), $user_claim ) );
}
} else {
// Allow plugins / themes to take action using current claims on existing user (e.g. update role).
do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
}
// Validate the found / created user.
@ -534,6 +546,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
// Login the found / created user.
$this->login_user( $user, $token_response, $id_token_claim, $user_claim, $subject_identity );
// Allow plugins / themes to take action once a user is logged in.
do_action( 'openid-connect-generic-user-logged-in', $user );
// Log our success.
@ -579,6 +592,65 @@ class OpenID_Connect_Generic_Client_Wrapper {
return true;
}
/**
* Refresh user claim.
*
* @param WP_User $user The user object.
* @param array $token_response The token response.
*
* @return WP_Error|array
*/
public function refresh_user_claim( $user, $token_response ) {
$client = $this->client;
/**
* The id_token is used to identify the authenticated user, e.g. for SSO.
* The access_token must be used to prove access rights to protected
* resources e.g. for the userinfo endpoint
*/
$id_token_claim = $client->get_id_token_claim( $token_response );
// Allow for other plugins to alter data before validation.
$id_token_claim = apply_filters( 'openid-connect-modify-id-token-claim-before-validation', $id_token_claim );
if ( is_wp_error( $id_token_claim ) ) {
return $id_token_claim;
}
// Validate our id_token has required values.
$valid = $client->validate_id_token_claim( $id_token_claim );
if ( is_wp_error( $valid ) ) {
return $valid;
}
// If userinfo endpoint is set, exchange the token_response for a user_claim.
if ( ! empty( $this->settings->endpoint_userinfo ) && isset( $token_response['access_token'] ) ) {
$user_claim = $client->get_user_claim( $token_response );
} else {
$user_claim = $id_token_claim;
}
if ( is_wp_error( $user_claim ) ) {
return $user_claim;
}
// Validate our user_claim has required values.
$valid = $client->validate_user_claim( $user_claim, $id_token_claim );
if ( is_wp_error( $valid ) ) {
$this->error_redirect( $valid );
return $valid;
}
// Store the tokens for future reference.
update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
return $user_claim;
}
/**
* Record user meta data, and provide an authorization cookie.
*
@ -595,6 +667,8 @@ class OpenID_Connect_Generic_Client_Wrapper {
update_user_meta( $user->ID, 'openid-connect-generic-last-token-response', $token_response );
update_user_meta( $user->ID, 'openid-connect-generic-last-id-token-claim', $id_token_claim );
update_user_meta( $user->ID, 'openid-connect-generic-last-user-claim', $user_claim );
// Allow plugins / themes to take action using current claims on existing user (e.g. update role).
do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
// Create the WP session, so we know its token.
$expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user->ID, false );
@ -656,10 +730,12 @@ class OpenID_Connect_Generic_Client_Wrapper {
'value' => $subject_identity,
),
),
// Override the default blog_id (get_current_blog_id) to find users on different sites of a multisite install.
'blog_id' => 0,
)
);
// If we found an existing users, grab the first one returned.
// If we found existing users, grab the first one returned.
if ( $user_query->get_total() > 0 ) {
$users = $user_query->get_results();
return $users[0];
@ -673,7 +749,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
*
* @param array $user_claim The IDP authenticated user claim data.
*
* @return string|WP_Error|null
* @return string|WP_Error
*/
private function get_username_from_claim( $user_claim ) {
@ -683,44 +759,33 @@ class OpenID_Connect_Generic_Client_Wrapper {
// Allow settings to take first stab at username.
if ( ! empty( $this->settings->identity_key ) && isset( $user_claim[ $this->settings->identity_key ] ) ) {
$desired_username = $user_claim[ $this->settings->identity_key ];
} else if ( isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
}
if ( empty( $desired_username ) && isset( $user_claim['preferred_username'] ) && ! empty( $user_claim['preferred_username'] ) ) {
$desired_username = $user_claim['preferred_username'];
} else if ( isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
}
if ( empty( $desired_username ) && isset( $user_claim['name'] ) && ! empty( $user_claim['name'] ) ) {
$desired_username = $user_claim['name'];
} else if ( isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
}
if ( empty( $desired_username ) && isset( $user_claim['email'] ) && ! empty( $user_claim['email'] ) ) {
$tmp = explode( '@', $user_claim['email'] );
$desired_username = $tmp[0];
} else {
}
if ( empty( $desired_username ) ) {
// Nothing to build a name from.
return new WP_Error( 'no-username', __( 'No appropriate username found.', 'daggerhart-openid-connect-generic' ), $user_claim );
}
// Normalize the data a bit.
// @var string $transliterated_username The username converted to ASCII from UTF-8.
$transliterated_username = iconv( 'UTF-8', 'ASCII//TRANSLIT', $desired_username );
if ( empty( $transliterated_username ) ) {
// translators: $1$s is a username from the IDP.
return new WP_Error( 'username-transliteration-failed', sprintf( __( 'Username %1$s could not be transliterated.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
}
$normalized_username = strtolower( preg_replace( '/[^a-zA-Z0-9 _.\-@]/', '', $transliterated_username ) );
if ( empty( $normalized_username ) ) {
// translators: %1$s is the ASCII version of the username from the IDP.
return new WP_Error( 'username-normalization-failed', sprintf( __( 'Username %1$s could not be normalized.', 'daggerhart-openid-connect-generic' ), $transliterated_username ), $transliterated_username );
// Don't use the full email address for a username.
$_desired_username = explode( '@', $desired_username );
$desired_username = $_desired_username[0];
// Use WordPress Core to sanitize the IDP username.
$sanitized_username = sanitize_user( $desired_username, true );
if ( empty( $sanitized_username ) ) {
// translators: %1$s is the santitized version of the username from the IDP.
return new WP_Error( 'username-sanitization-failed', sprintf( __( 'Username %1$s could not be sanitized.', 'daggerhart-openid-connect-generic' ), $desired_username ), $desired_username );
}
// Copy the username for incrementing.
$username = ! empty( $normalized_username ) ? $normalized_username : null;
if ( ! $this->settings->link_existing_users && ! is_null( $username ) ) {
// @example Original user gets "name", second user gets "name2", etc.
$count = 1;
while ( username_exists( $username ) ) {
$count ++;
$username = $normalized_username . $count;
}
}
return $username;
return $sanitized_username;
}
/**
@ -745,6 +810,75 @@ class OpenID_Connect_Generic_Client_Wrapper {
return $desired_nickname;
}
/**
* Checks if $claimname is in the body or _claim_names of the userinfo.
* If yes, returns the claim value. Otherwise, returns false.
*
* @param string $claimname the claim name to look for.
* @param array $userinfo the JSON to look in.
* @param string $claimvalue the source claim value ( from the body of the JWT of the claim source).
* @return true|false
*/
private function get_claim( $claimname, $userinfo, &$claimvalue ) {
/**
* If we find a simple claim, return it.
*/
if ( array_key_exists( $claimname, $userinfo ) ) {
$claimvalue = $userinfo[ $claimname ];
return true;
}
/**
* If there are no aggregated claims, it is over.
*/
if ( ! array_key_exists( '_claim_names', $userinfo ) ||
! array_key_exists( '_claim_sources', $userinfo ) ) {
return false;
}
$claim_src_ptr = $userinfo['_claim_names'];
if ( ! isset( $claim_src_ptr ) ) {
return false;
}
/**
* No reference found
*/
if ( ! array_key_exists( $claimname, $claim_src_ptr ) ) {
return false;
}
$src_name = $claim_src_ptr[ $claimname ];
// Reference found, but no corresponding JWT. This is a malformed userinfo.
if ( ! array_key_exists( $src_name, $userinfo['_claim_sources'] ) ) {
return false;
}
$src = $userinfo['_claim_sources'][ $src_name ];
// Source claim is not a JWT. Abort.
if ( ! array_key_exists( 'JWT', $src ) ) {
return false;
}
/**
* Extract claim from JWT.
* FIXME: We probably want to verify the JWT signature/issuer here.
* For example, using JWKS if applicable. For symmetrically signed
* JWTs (HMAC), we need a way to specify the acceptable secrets
* and each possible issuer in the config.
*/
$jwt = $src['JWT'];
list ( $header, $body, $rest ) = explode( '.', $jwt, 3 );
$body_str = base64_decode( $body, false );
if ( ! $body_str ) {
return false;
}
$body_json = json_decode( $body_str, true );
if ( ! isset( $body_json ) ) {
return false;
}
if ( ! array_key_exists( $claimname, $body_json ) ) {
return false;
}
$claimvalue = $body_json[ $claimname ];
return true;
}
/**
* Build a string from the user claim according to the specified format.
*
@ -757,12 +891,13 @@ class OpenID_Connect_Generic_Client_Wrapper {
private function format_string_with_claim( $format, $user_claim, $error_on_missing_key = false ) {
$matches = null;
$string = '';
$info = '';
$i = 0;
if ( preg_match_all( '/\{[^}]*\}/u', $format, $matches, PREG_OFFSET_CAPTURE ) ) {
foreach ( $matches[0] as $match ) {
$key = substr( $match[0], 1, -1 );
$string .= substr( $format, $i, $match[1] - $i );
if ( ! isset( $user_claim[ $key ] ) ) {
if ( ! $this->get_claim( $key, $user_claim, $info ) ) {
if ( $error_on_missing_key ) {
return new WP_Error(
'incomplete-user-claim',
@ -776,7 +911,7 @@ class OpenID_Connect_Generic_Client_Wrapper {
);
}
} else {
$string .= $user_claim[ $key ];
$string .= $info;
}
$i = $match[1] + strlen( $match[0] );
}
@ -835,30 +970,30 @@ class OpenID_Connect_Generic_Client_Wrapper {
// Allow claim details to determine username, email, nickname and displayname.
$_email = $this->get_email_from_claim( $user_claim, true );
if ( is_wp_error( $_email ) ) {
if ( is_wp_error( $_email ) || empty( $_email ) ) {
$values_missing = true;
} else if ( ! is_null( $_email ) ) {
} else {
$email = $_email;
}
$_username = $this->get_username_from_claim( $user_claim );
if ( is_wp_error( $_username ) ) {
if ( is_wp_error( $_username ) || empty( $_username ) ) {
$values_missing = true;
} else if ( ! is_null( $_username ) ) {
} else {
$username = $_username;
}
$_nickname = $this->get_nickname_from_claim( $user_claim );
if ( is_null( $_nickname ) ) {
if ( is_wp_error( $_nickname ) || empty( $_nickname ) ) {
$values_missing = true;
} else {
$nickname = $_nickname;
}
$_displayname = $this->get_displayname_from_claim( $user_claim, true );
if ( is_wp_error( $_displayname ) ) {
if ( is_wp_error( $_displayname ) || empty( $_displayname ) ) {
$values_missing = true;
} else if ( ! is_null( $_displayname ) ) {
} else {
$displayname = $_displayname;
}
@ -877,39 +1012,48 @@ class OpenID_Connect_Generic_Client_Wrapper {
$_email = $this->get_email_from_claim( $user_claim, true );
if ( is_wp_error( $_email ) ) {
return $_email;
} else if ( ! is_null( $_email ) ) {
}
// Use the email address from the latest userinfo request if not empty.
if ( ! empty( $_email ) ) {
$email = $_email;
}
$_username = $this->get_username_from_claim( $user_claim );
if ( is_wp_error( $_username ) ) {
return $_username;
} else if ( ! is_null( $_username ) ) {
}
// Use the username from the latest userinfo request if not empty.
if ( ! empty( $_username ) ) {
$username = $_username;
}
$_nickname = $this->get_nickname_from_claim( $user_claim );
if ( is_wp_error( $_nickname ) ) {
return $_nickname;
} else if ( is_null( $_nickname ) ) {
}
// Use the username as the nickname if the userinfo request nickname is empty.
if ( empty( $_nickname ) ) {
$nickname = $username;
}
$_displayname = $this->get_displayname_from_claim( $user_claim, true );
if ( is_wp_error( $_displayname ) ) {
return $_displayname;
} else if ( is_null( $_displayname ) ) {
}
// Use the nickname as the displayname if the userinfo request displayname is empty.
if ( empty( $_displayname ) ) {
$displayname = $nickname;
}
// Before trying to create the user, first check if a user with the same email already exists.
// Before trying to create the user, first check if a matching user exists.
if ( $this->settings->link_existing_users ) {
$uid = null;
if ( $this->settings->identify_with_username ) {
$uid = username_exists( $username );
} else {
$uid = email_exists( $email );
}
if ( $uid ) {
if ( ! empty( $uid ) ) {
$user = $this->update_existing_user( $uid, $subject_identity );
do_action( 'openid-connect-generic-update-user-using-current-claim', $user, $user_claim );
return $user;
@ -920,12 +1064,22 @@ class OpenID_Connect_Generic_Client_Wrapper {
* Allow other plugins / themes to determine authorization of new accounts
* based on the returned user claim.
*/
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', true, $user_claim );
$create_user = apply_filters( 'openid-connect-generic-user-creation-test', $this->settings->create_if_does_not_exist, $user_claim );
if ( ! $create_user ) {
return new WP_Error( 'cannot-authorize', __( 'Can not authorize.', 'daggerhart-openid-connect-generic' ), $create_user );
}
// Copy the username for incrementing.
$_username = $username;
// Ensure prevention of linking usernames & collisions by incrementing the username if it exists.
// @example Original user gets "name", second user gets "name2", etc.
$count = 1;
while ( username_exists( $username ) ) {
$count ++;
$username = $_username . $count;
}
$user_data = array(
'user_login' => $username,
'user_pass' => wp_generate_password( 32, true, true ),

24
includes/openid-connect-generic-client.php
Unescape Escape View File

@ -82,6 +82,15 @@ class OpenID_Connect_Generic_Client {
*/
private $redirect_uri;
/**
* The specifically requested authentication contract at the IDP
*
* @see OpenID_Connect_Generic_Option_Settings::acr_values
*
* @var string
*/
private $acr_values;
/**
* The state time limit. States are only valid for 3 minutes.
*
@ -108,10 +117,11 @@ class OpenID_Connect_Generic_Client {
* @param string $endpoint_userinfo @see OpenID_Connect_Generic_Option_Settings::endpoint_userinfo for description.
* @param string $endpoint_token @see OpenID_Connect_Generic_Option_Settings::endpoint_token for description.
* @param string $redirect_uri @see OpenID_Connect_Generic_Option_Settings::redirect_uri for description.
* @param string $acr_values @see OpenID_Connect_Generic_Option_Settings::acr_values for description.
* @param int $state_time_limit @see OpenID_Connect_Generic_Option_Settings::state_time_limit for description.
* @param OpenID_Connect_Generic_Option_Logger $logger The plugin logging object instance.
*/
public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $state_time_limit, $logger ) {
public function __construct( $client_id, $client_secret, $scope, $endpoint_login, $endpoint_userinfo, $endpoint_token, $redirect_uri, $acr_values, $state_time_limit, $logger ) {
$this->client_id = $client_id;
$this->client_secret = $client_secret;
$this->scope = $scope;
@ -119,6 +129,7 @@ class OpenID_Connect_Generic_Client {
$this->endpoint_userinfo = $endpoint_userinfo;
$this->endpoint_token = $endpoint_token;
$this->redirect_uri = $redirect_uri;
$this->acr_values = $acr_values;
$this->state_time_limit = $state_time_limit;
$this->logger = $logger;
}
@ -212,6 +223,10 @@ class OpenID_Connect_Generic_Client {
'headers' => array( 'Host' => $host ),
);
if ( ! empty( $this->acr_values ) ) {
$request['body'] += array( 'acr_values' => $this->acr_values );
}
// Allow modifications to the request.
$request = apply_filters( 'openid-connect-generic-alter-request', $request, 'get-authentication-token' );
@ -464,6 +479,13 @@ class OpenID_Connect_Generic_Client {
return new WP_Error( 'no-subject-identity', __( 'No subject identity.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
}
// Validate acr values when the option is set in the configuration.
if ( ! empty( $this->acr_values ) && isset( $id_token_claim['acr'] ) ) {
if ( $this->acr_values != $id_token_claim['acr'] ) {
return new WP_Error( 'no-match-acr', __( 'No matching acr values.', 'daggerhart-openid-connect-generic' ), $id_token_claim );
}
}
return true;
}

21
includes/openid-connect-generic-option-settings.php
Unescape Escape View File

@ -33,6 +33,7 @@
* @property string $endpoint_userinfo The IDP User information endpoint URL.
* @property string $endpoint_token The IDP token validation endpoint URL.
* @property string $endpoint_end_session The IDP logout endpoint URL.
* @property string $acr_values The Authentication contract as defined on the IDP.
*
* Non-standard Settings:
*
@ -86,12 +87,20 @@ class OpenID_Connect_Generic_Option_Settings {
* @var array<string,string>
*/
private $environment_settings = array(
'client_id' => 'OIDC_CLIENT_ID',
'client_secret' => 'OIDC_CLIENT_SECRET',
'endpoint_login' => 'OIDC_ENDPOINT_LOGIN_URL',
'endpoint_userinfo' => 'OIDC_ENDPOINT_USERINFO_URL',
'endpoint_token' => 'OIDC_ENDPOINT_TOKEN_URL',
'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL',
'client_id' => 'OIDC_CLIENT_ID',
'client_secret' => 'OIDC_CLIENT_SECRET',
'endpoint_end_session' => 'OIDC_ENDPOINT_LOGOUT_URL',
'endpoint_login' => 'OIDC_ENDPOINT_LOGIN_URL',
'endpoint_token' => 'OIDC_ENDPOINT_TOKEN_URL',
'endpoint_userinfo' => 'OIDC_ENDPOINT_USERINFO_URL',
'login_type' => 'OIDC_LOGIN_TYPE',
'scope' => 'OIDC_CLIENT_SCOPE',
'create_if_does_not_exist' => 'OIDC_CREATE_IF_DOES_NOT_EXIST',
'enforce_privacy' => 'OIDC_ENFORCE_PRIVACY',
'link_existing_users' => 'OIDC_LINK_EXISTING_USERS',
'redirect_on_logout' => 'OIDC_REDIRECT_ON_LOGOUT',
'redirect_user_back' => 'OIDC_REDIRECT_USER_BACK',
'acr_values' => 'OIDC_ACR_VALUES',
);
/**

24
includes/openid-connect-generic-settings-page.php
Unescape Escape View File

@ -216,6 +216,7 @@ class OpenID_Connect_Generic_Settings_Page {
'button' => __( 'OpenID Connect button on login form', 'daggerhart-openid-connect-generic' ),
'auto' => __( 'Auto Login - SSO', 'daggerhart-openid-connect-generic' ),
),
'disabled' => defined( 'OIDC_LOGIN_TYPE' ),
'section' => 'client_settings',
),
'client_id' => array(
@ -238,6 +239,7 @@ class OpenID_Connect_Generic_Settings_Page {
'description' => __( 'Space separated list of scopes this client should access.', 'daggerhart-openid-connect-generic' ),
'example' => 'email profile openid offline_access',
'type' => 'text',
'disabled' => defined( 'OIDC_CLIENT_SCOPE' ),
'section' => 'client_settings',
),
'endpoint_login' => array(
@ -272,6 +274,13 @@ class OpenID_Connect_Generic_Settings_Page {
'disabled' => defined( 'OIDC_ENDPOINT_LOGOUT_URL' ),
'section' => 'client_settings',
),
'acr_values' => array(
'title' => __( 'ACR values', 'daggerhart-openid-connect-generic' ),
'description' => __( 'Use a specific defined authentication contract from the IDP - optional.', 'daggerhart-openid-connect-generic' ),
'type' => 'text',
'disabled' => defined( 'OIDC_ACR_VALUES' ),
'section' => 'client_settings',
),
'identity_key' => array(
'title' => __( 'Identity Key', 'daggerhart-openid-connect-generic' ),
'description' => __( 'Where in the user claim array to find the user\'s identification data. Possible standard values: preferred_username, name, or sub. If you\'re having trouble, use "sub".', 'daggerhart-openid-connect-generic' ),
@ -297,6 +306,7 @@ class OpenID_Connect_Generic_Settings_Page {
'title' => __( 'Enforce Privacy', 'daggerhart-openid-connect-generic' ),
'description' => __( 'Require users be logged in to see the site.', 'daggerhart-openid-connect-generic' ),
'type' => 'checkbox',
'disabled' => defined( 'OIDC_ENFORCE_PRIVACY' ),
'section' => 'authorization_settings',
),
'alternate_redirect_uri' => array(
@ -348,24 +358,28 @@ class OpenID_Connect_Generic_Settings_Page {
'title' => __( 'Link Existing Users', 'daggerhart-openid-connect-generic' ),
'description' => __( 'If a WordPress account already exists with the same identity as a newly-authenticated user over OpenID Connect, login as that user instead of generating an error.', 'daggerhart-openid-connect-generic' ),
'type' => 'checkbox',
'disabled' => defined( 'OIDC_LINK_EXISTING_USERS' ),
'section' => 'user_settings',
),
'create_if_does_not_exist' => array(
'title' => __( 'Create user if does not exist', 'daggerhart-openid-connect-generic' ),
'description' => __( 'If the user identity is not link to an existing Wordpress user, it is created. If this setting is not enabled and if the user authenticates with an account which is not link to an existing Wordpress user then the authentication failed', 'daggerhart-openid-connect-generic' ),
'description' => __( 'If the user identity is not linked to an existing WordPress user, it is created. If this setting is not enabled, and if the user authenticates with an account which is not linked to an existing WordPress user, then the authentication will fail.', 'daggerhart-openid-connect-generic' ),
'type' => 'checkbox',
'disabled' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ),
'section' => 'user_settings',
),
'redirect_user_back' => array(
'title' => __( 'Redirect Back to Origin Page', 'daggerhart-openid-connect-generic' ),
'description' => __( 'After a successful OpenID Connect authentication, this will redirect the user back to the page on which they clicked the OpenID Connect login button. This will cause the login process to proceed in a traditional WordPress fashion. For example, users logging in through the default wp-login.php page would end up on the WordPress Dashboard and users logging in through the WooCommerce "My Account" page would end up on their account page.', 'daggerhart-openid-connect-generic' ),
'type' => 'checkbox',
'disabled' => defined( 'OIDC_REDIRECT_USER_BACK' ),
'section' => 'user_settings',
),
'redirect_on_logout' => array(
'title' => __( 'Redirect to the login screen when session is expired', 'daggerhart-openid-connect-generic' ),
'description' => __( 'When enabled, this will automatically redirect the user back to the WordPress login page if their access token has expired.', 'daggerhart-openid-connect-generic' ),
'type' => 'checkbox',
'disabled' => defined( 'OIDC_REDIRECT_ON_LOGOUT' ),
'section' => 'user_settings',
),
'enable_logging' => array(
@ -414,6 +428,8 @@ class OpenID_Connect_Generic_Settings_Page {
* @return void
*/
public function settings_page() {
wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __DIR__ ) . 'css/styles-admin.css', array(), OpenID_Connect_Generic::VERSION, 'all' );
$redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
if ( $this->settings->alternate_redirect_uri ) {
@ -472,9 +488,9 @@ class OpenID_Connect_Generic_Settings_Page {
public function do_text_field( $field ) {
?>
<input type="<?php print esc_attr( $field['type'] ); ?>"
<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>
<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>
id="<?php print esc_attr( $field['key'] ); ?>"
class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) ) ? ' disabled' : ''; ?>"
class="large-text<?php echo ( ! empty( $field['disabled'] ) && boolval( $field['disabled'] ) === true ) ? ' disabled' : ''; ?>"
name="<?php print esc_attr( $field['name'] ); ?>"
value="<?php print esc_attr( $this->settings->{ $field['key'] } ); ?>">
<?php
@ -530,7 +546,7 @@ class OpenID_Connect_Generic_Settings_Page {
public function do_field_description( $field ) {
?>
<p class="description">
<?php print esc_html( $field['description'] ); ?>
<?php print wp_kses_post( $field['description'] ); ?>
<?php if ( isset( $field['example'] ) ) : ?>
<br/><strong><?php esc_html_e( 'Example', 'daggerhart-openid-connect-generic' ); ?>: </strong>
<code><?php print esc_html( $field['example'] ); ?></code>

211
languages/openid-connect-generic.pot
Unescape Escape View File

@ -1,15 +1,15 @@
# Copyright (C) 2021 daggerhart
# Copyright (C) 2022 daggerhart
# This file is distributed under the GPL-2.0+.
msgid ""
msgstr ""
"Project-Id-Version: OpenID Connect Generic 3.8.5\n"
"Project-Id-Version: OpenID Connect Generic 3.9.0\n"
"Report-Msgid-Bugs-To: "
"https://github.com/daggerhart/openid-connect-generic/issues\n"
"POT-Creation-Date: 2021-04-16 03:38:39+00:00\n"
"POT-Creation-Date: 2022-03-22 03:28:37+00:00\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=utf-8\n"
"Content-Transfer-Encoding: 8bit\n"
"PO-Revision-Date: 2021-MO-DA HO:MI+ZONE\n"
"PO-Revision-Date: 2022-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
"Language: en\n"
@ -25,122 +25,121 @@ msgstr ""
"X-Textdomain-Support: yes\n"
"X-Generator: grunt-wp-i18n 1.0.3\n"
#: includes/openid-connect-generic-client-wrapper.php:277
#: includes/openid-connect-generic-client-wrapper.php:288
msgid "Session expired. Please login again."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:520
#: includes/openid-connect-generic-client-wrapper.php:535
msgid "User identity is not linked to an existing WordPress user."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:576
#: includes/openid-connect-generic-client-wrapper.php:589
msgid "Invalid user."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:695
#: includes/openid-connect-generic-client-wrapper.php:775
msgid "No appropriate username found."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:703
#. translators: $1$s is a username from the IDP.
msgid "Username %1$s could not be transliterated."
#: includes/openid-connect-generic-client-wrapper.php:785
#. translators: %1$s is the santitized version of the username from the IDP.
msgid "Username %1$s could not be sanitized."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:708
#. translators: %1$s is the ASCII version of the username from the IDP.
msgid "Username %1$s could not be normalized."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:742
#: includes/openid-connect-generic-client-wrapper.php:807
#. translators: %1$s is the configured User Claim nickname key.
msgid "No nickname found in user claim using key: %1$s."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:769
#: includes/openid-connect-generic-client-wrapper.php:904
msgid "User claim incomplete."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:871
#: includes/openid-connect-generic-client-wrapper.php:1006
msgid "Bad user claim result."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:926
#: includes/openid-connect-generic-client-wrapper.php:1070
msgid "Can not authorize."
msgstr ""
#: includes/openid-connect-generic-client-wrapper.php:945
#: includes/openid-connect-generic-client-wrapper.php:1099
msgid "Failed user creation."
msgstr ""
#: includes/openid-connect-generic-client.php:165
#: includes/openid-connect-generic-client.php:176
msgid "Missing state."
msgstr ""
#: includes/openid-connect-generic-client.php:169
#: includes/openid-connect-generic-client.php:180
msgid "Invalid state."
msgstr ""
#: includes/openid-connect-generic-client.php:184
#: includes/openid-connect-generic-client.php:195
msgid "Missing authentication code."
msgstr ""
#: includes/openid-connect-generic-client.php:223
#: includes/openid-connect-generic-client.php:238
msgid "Request for authentication token failed."
msgstr ""
#: includes/openid-connect-generic-client.php:254
#: includes/openid-connect-generic-client.php:269
msgid "Refresh token failed."
msgstr ""
#: includes/openid-connect-generic-client.php:269
#: includes/openid-connect-generic-client.php:284
msgid "Missing token body."
msgstr ""
#: includes/openid-connect-generic-client.php:277
#: includes/openid-connect-generic-client.php:292
msgid "Invalid token."
msgstr ""
#: includes/openid-connect-generic-client.php:328
#: includes/openid-connect-generic-client.php:343
msgid "Request for userinfo failed."
msgstr ""
#: includes/openid-connect-generic-client.php:388
#: includes/openid-connect-generic-client.php:403
msgid "Missing authentication state."
msgstr ""
#: includes/openid-connect-generic-client.php:425
#: includes/openid-connect-generic-client.php:440
msgid "No identity token."
msgstr ""
#: includes/openid-connect-generic-client.php:432
#: includes/openid-connect-generic-client.php:447
msgid "Missing identity token."
msgstr ""
#: includes/openid-connect-generic-client.php:459
#: includes/openid-connect-generic-client.php:474
msgid "Bad ID token claim."
msgstr ""
#: includes/openid-connect-generic-client.php:464
#: includes/openid-connect-generic-client.php:479
msgid "No subject identity."
msgstr ""
#: includes/openid-connect-generic-client.php:483
#: includes/openid-connect-generic-client.php:485
msgid "No matching acr values."
msgstr ""
#: includes/openid-connect-generic-client.php:505
msgid "Bad user claim."
msgstr ""
#: includes/openid-connect-generic-client.php:503
#: includes/openid-connect-generic-client.php:525
msgid "Invalid user claim."
msgstr ""
#: includes/openid-connect-generic-client.php:508
#: includes/openid-connect-generic-client.php:530
msgid "Error from the IDP."
msgstr ""
#: includes/openid-connect-generic-client.php:517
#: includes/openid-connect-generic-client.php:539
msgid "Incorrect user claim."
msgstr ""
#: includes/openid-connect-generic-client.php:524
#: includes/openid-connect-generic-client.php:546
msgid "Unauthorized access."
msgstr ""
@ -209,82 +208,90 @@ msgstr ""
msgid "Auto Login - SSO"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:222
#: includes/openid-connect-generic-settings-page.php:223
msgid "Client ID"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:223
#: includes/openid-connect-generic-settings-page.php:224
msgid ""
"The ID this client will be recognized as when connecting the to Identity "
"provider server."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:230
#: includes/openid-connect-generic-settings-page.php:231
msgid "Client Secret Key"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:231
#: includes/openid-connect-generic-settings-page.php:232
msgid ""
"Arbitrary secret key the server expects from this client. Can be anything, "
"but should be very unique."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:237
#: includes/openid-connect-generic-settings-page.php:238
msgid "OpenID Scope"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:238
#: includes/openid-connect-generic-settings-page.php:239
msgid "Space separated list of scopes this client should access."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:244
#: includes/openid-connect-generic-settings-page.php:246
msgid "Login Endpoint URL"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:245
#: includes/openid-connect-generic-settings-page.php:247
msgid "Identify provider authorization endpoint."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:252
#: includes/openid-connect-generic-settings-page.php:254
msgid "Userinfo Endpoint URL"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:253
#: includes/openid-connect-generic-settings-page.php:255
msgid "Identify provider User information endpoint."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:260
#: includes/openid-connect-generic-settings-page.php:262
msgid "Token Validation Endpoint URL"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:261
#: includes/openid-connect-generic-settings-page.php:263
msgid "Identify provider token endpoint."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:268
#: includes/openid-connect-generic-settings-page.php:270
msgid "End Session Endpoint URL"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:269
#: includes/openid-connect-generic-settings-page.php:271
msgid "Identify provider logout endpoint."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:276
#: includes/openid-connect-generic-settings-page.php:278
msgid "ACR values"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:279
msgid "Use a specific defined authentication contract from the IDP - optional."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:285
msgid "Identity Key"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:277
#: includes/openid-connect-generic-settings-page.php:286
msgid ""
"Where in the user claim array to find the user's identification data. "
"Possible standard values: preferred_username, name, or sub. If you're "
"having trouble, use \"sub\"."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:283
#: includes/openid-connect-generic-settings-page.php:292
msgid "Disable SSL Verify"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:285
#: includes/openid-connect-generic-settings-page.php:294
#. translators: %1$s HTML tags for layout/styles, %2$s closing HTML tag for
#. styles.
msgid ""
@ -295,27 +302,27 @@ msgid ""
"sites.%2$s"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:290
#: includes/openid-connect-generic-settings-page.php:299
msgid "HTTP Request Timeout"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:291
#: includes/openid-connect-generic-settings-page.php:300
msgid "Set the timeout for requests made to the IDP. Default value is 5."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:297
#: includes/openid-connect-generic-settings-page.php:306
msgid "Enforce Privacy"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:298
#: includes/openid-connect-generic-settings-page.php:307
msgid "Require users be logged in to see the site."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:303
#: includes/openid-connect-generic-settings-page.php:313
msgid "Alternate Redirect URI"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:304
#: includes/openid-connect-generic-settings-page.php:314
msgid ""
"Provide an alternative redirect route. Useful if your server is causing "
"issues with the default admin-ajax method. You must flush rewrite rules "
@ -323,90 +330,90 @@ msgid ""
"settings page."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:309
#: includes/openid-connect-generic-settings-page.php:319
msgid "Nickname Key"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:310
#: includes/openid-connect-generic-settings-page.php:320
msgid ""
"Where in the user claim array to find the user's nickname. Possible "
"standard values: preferred_username, name, or sub."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:316
#: includes/openid-connect-generic-settings-page.php:326
msgid "Email Formatting"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:317
#: includes/openid-connect-generic-settings-page.php:327
msgid ""
"String from which the user's email address is built. Specify \"{email}\" as "
"long as the user claim contains an email claim."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:323
#: includes/openid-connect-generic-settings-page.php:333
msgid "Display Name Formatting"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:324
#: includes/openid-connect-generic-settings-page.php:334
msgid "String from which the user's display name is built."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:330
#: includes/openid-connect-generic-settings-page.php:340
msgid "Identify with User Name"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:331
#: includes/openid-connect-generic-settings-page.php:341
msgid ""
"If checked, the user's identity will be determined by the user name instead "
"of the email address."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:336
#: includes/openid-connect-generic-settings-page.php:346
msgid "State time limit"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:337
#: includes/openid-connect-generic-settings-page.php:347
msgid "State valid time in seconds. Defaults to 180"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:342
#: includes/openid-connect-generic-settings-page.php:352
msgid "Enable Refresh Token"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:343
#: includes/openid-connect-generic-settings-page.php:353
msgid ""
"If checked, support refresh tokens used to obtain access tokens from "
"supported IDPs."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:348
#: includes/openid-connect-generic-settings-page.php:358
msgid "Link Existing Users"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:349
#: includes/openid-connect-generic-settings-page.php:359
msgid ""
"If a WordPress account already exists with the same identity as a "
"newly-authenticated user over OpenID Connect, login as that user instead of "
"generating an error."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:354
#: includes/openid-connect-generic-settings-page.php:365
msgid "Create user if does not exist"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:355
#: includes/openid-connect-generic-settings-page.php:366
msgid ""
"If the user identity is not link to an existing Wordpress user, it is "
"created. If this setting is not enabled and if the user authenticates with "
"an account which is not link to an existing Wordpress user then the "
"authentication failed"
"If the user identity is not linked to an existing WordPress user, it is "
"created. If this setting is not enabled, and if the user authenticates with "
"an account which is not linked to an existing WordPress user, then the "
"authentication will fail."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:360
#: includes/openid-connect-generic-settings-page.php:372
msgid "Redirect Back to Origin Page"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:361
#: includes/openid-connect-generic-settings-page.php:373
msgid ""
"After a successful OpenID Connect authentication, this will redirect the "
"user back to the page on which they clicked the OpenID Connect login "
@ -417,75 +424,75 @@ msgid ""
"account page."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:366
#: includes/openid-connect-generic-settings-page.php:379
msgid "Redirect to the login screen when session is expired"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:367
#: includes/openid-connect-generic-settings-page.php:380
msgid ""
"When enabled, this will automatically redirect the user back to the "
"WordPress login page if their access token has expired."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:372
#: includes/openid-connect-generic-settings-page.php:386
msgid "Enable Logging"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:373
#: includes/openid-connect-generic-settings-page.php:387
msgid "Very simple log messages for debugging purposes."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:378
#: includes/openid-connect-generic-settings-page.php:392
msgid "Log Limit"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:379
#: includes/openid-connect-generic-settings-page.php:393
msgid ""
"Number of items to keep in the log. These logs are stored as an option in "
"the database, so space is limited."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:439
#: includes/openid-connect-generic-settings-page.php:455
msgid "Notes"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:442
#: includes/openid-connect-generic-settings-page.php:458
msgid "Redirect URI"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:446
#: includes/openid-connect-generic-settings-page.php:462
msgid "Login Button Shortcode"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:450
#: includes/openid-connect-generic-settings-page.php:466
msgid "Authentication URL Shortcode"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:455
#: includes/openid-connect-generic-settings-page.php:471
msgid "Logs"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:535
#: includes/openid-connect-generic-settings-page.php:551
msgid "Example"
msgstr ""
#: includes/openid-connect-generic-settings-page.php:548
#: includes/openid-connect-generic-settings-page.php:564
msgid "Enter your OpenID Connect identity provider settings."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:557
#: includes/openid-connect-generic-settings-page.php:573
msgid "Modify the interaction between OpenID Connect and WordPress users."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:566
#: includes/openid-connect-generic-settings-page.php:582
msgid "Control the authorization mechanics of the site."
msgstr ""
#: includes/openid-connect-generic-settings-page.php:575
#: includes/openid-connect-generic-settings-page.php:591
msgid "Log information about login attempts through OpenID Connect Generic."
msgstr ""
#: openid-connect-generic.php:202
#: openid-connect-generic.php:213
msgid "Private site"
msgstr ""

71
openid-connect-generic.php
Unescape Escape View File

@ -16,7 +16,9 @@
* Plugin Name: OpenID Connect Generic
* Plugin URI: https://github.com/daggerhart/openid-connect-generic
* Description: Connect to an OpenID Connect generic client using Authorization Code Flow.
* Version: 3.8.5
* Version: 3.9.0
* Requires at least: 4.9
* Requires PHP: 7.2
* Author: daggerhart
* Author URI: http://www.daggerhart.com
* Text Domain: daggerhart-openid-connect-generic
@ -44,14 +46,16 @@ Notes
- openid-connect-modify-id-token-claim-before-validation - modify the token claim before validation
Actions
- openid-connect-generic-user-create - 2 args: fires when a new user is created by this plugin
- openid-connect-generic-user-update - 1 arg: user ID, fires when user is updated by this plugin
- openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs
- openid-connect-generic-redirect-user-back - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
- openid-connect-generic-user-logged-in - 1 arg: $user, fires when user is logged in.
- openid-connect-generic-cron-daily - daily cron action
- openid-connect-generic-state-not-found - the given state does not exist in the database, regardless of its expiration.
- openid-connect-generic-state-expired - the given state exists, but expired before this login attempt.
- openid-connect-generic-user-create - 2 args: fires when a new user is created by this plugin
- openid-connect-generic-user-update - 1 arg: user ID, fires when user is updated by this plugin
- openid-connect-generic-update-user-using-current-claim - 2 args: fires every time an existing user logs in and the claims are updated.
- openid-connect-generic-redirect-user-back - 2 args: $redirect_url, $user. Allows interruption of redirect during login.
- openid-connect-generic-user-logged-in - 1 arg: $user, fires when user is logged in.
- openid-connect-generic-cron-daily - daily cron action
- openid-connect-generic-state-not-found - the given state does not exist in the database, regardless of its expiration.
- openid-connect-generic-state-expired - the given state exists, but expired before this login attempt.
Callable actions
User Meta
- openid-connect-generic-subject-identity - the identity of the user provided by the idp
@ -75,12 +79,19 @@ Notes
*/
class OpenID_Connect_Generic {
/**
* Singleton instance of self
*
* @var OpenID_Connect_Generic
*/
protected static $_instance = null;
/**
* Plugin version.
*
* @var
* @var string
*/
const VERSION = '3.8.5';
const VERSION = '3.9.0';
/**
* Plugin settings.
@ -108,7 +119,7 @@ class OpenID_Connect_Generic {
*
* @var OpenID_Connect_Generic_Client_Wrapper
*/
private $client_wrapper;
public $client_wrapper;
/**
* Setup the plugin
@ -121,6 +132,7 @@ class OpenID_Connect_Generic {
public function __construct( OpenID_Connect_Generic_Option_Settings $settings, OpenID_Connect_Generic_Option_Logger $logger ) {
$this->settings = $settings;
$this->logger = $logger;
self::$_instance = $this;
}
/**
@ -130,8 +142,6 @@ class OpenID_Connect_Generic {
*/
public function init() {
wp_enqueue_style( 'daggerhart-openid-connect-generic-admin', plugin_dir_url( __FILE__ ) . 'css/styles-admin.css', array(), self::VERSION, 'all' );
$redirect_uri = admin_url( 'admin-ajax.php?action=openid-connect-authorize' );
if ( $this->settings->alternate_redirect_uri ) {
@ -151,6 +161,7 @@ class OpenID_Connect_Generic {
$this->settings->endpoint_userinfo,
$this->settings->endpoint_token,
$redirect_uri,
$this->settings->acr_values,
$state_time_limit,
$this->logger
);
@ -327,14 +338,15 @@ class OpenID_Connect_Generic {
// Default settings values.
array(
// OAuth client settings.
'login_type' => 'button',
'login_type' => defined( 'OIDC_LOGIN_TYPE' ) ? OIDC_LOGIN_TYPE : 'button',
'client_id' => defined( 'OIDC_CLIENT_ID' ) ? OIDC_CLIENT_ID : '',
'client_secret' => defined( 'OIDC_CLIENT_SECRET' ) ? OIDC_CLIENT_SECRET : '',
'scope' => '',
'scope' => defined( 'OIDC_CLIENT_SCOPE' ) ? OIDC_CLIENT_SCOPE : '',
'endpoint_login' => defined( 'OIDC_ENDPOINT_LOGIN_URL' ) ? OIDC_ENDPOINT_LOGIN_URL : '',
'endpoint_userinfo' => defined( 'OIDC_ENDPOINT_USERINFO_URL' ) ? OIDC_ENDPOINT_USERINFO_URL : '',
'endpoint_token' => defined( 'OIDC_ENDPOINT_TOKEN_URL' ) ? OIDC_ENDPOINT_TOKEN_URL : '',
'endpoint_end_session' => defined( 'OIDC_ENDPOINT_LOGOUT_URL' ) ? OIDC_ENDPOINT_LOGOUT_URL : '',
'acr_values' => defined( 'OIDC_ACR_VALUES' ) ? OIDC_ACR_VALUES : '',
// Non-standard settings.
'no_sslverify' => 0,
@ -346,13 +358,13 @@ class OpenID_Connect_Generic {
'identify_with_username' => false,
// Plugin settings.
'enforce_privacy' => 0,
'enforce_privacy' => defined( 'OIDC_ENFORCE_PRIVACY' ) ? intval( OIDC_ENFORCE_PRIVACY ) : 0,
'alternate_redirect_uri' => 0,
'token_refresh_enable' => 1,
'link_existing_users' => 0,
'create_if_does_not_exist' => 1,
'redirect_user_back' => 0,
'redirect_on_logout' => 1,
'link_existing_users' => defined( 'OIDC_LINK_EXISTING_USERS' ) ? intval( OIDC_LINK_EXISTING_USERS ) : 0,
'create_if_does_not_exist' => defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ) ? intval( OIDC_CREATE_IF_DOES_NOT_EXIST ) : 1,
'redirect_user_back' => defined( 'OIDC_REDIRECT_USER_BACK' ) ? intval( OIDC_REDIRECT_USER_BACK ) : 0,
'redirect_on_logout' => defined( 'OIDC_REDIRECT_ON_LOGOUT' ) ? intval( OIDC_REDIRECT_ON_LOGOUT ) : 1,
'enable_logging' => 0,
'log_limit' => 1000,
)
@ -370,9 +382,24 @@ class OpenID_Connect_Generic {
add_filter( 'the_excerpt_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
add_filter( 'comment_text_rss', array( $plugin, 'enforce_privacy_feeds' ), 999 );
}
/**
* Create (if needed) and return a singleton of self.
*
* @return OpenID_Connect_Generic
*/
public static function instance() {
if ( null === self::$_instance ) {
self::bootstrap();
}
return self::$_instance;
}
}
OpenID_Connect_Generic::bootstrap();
OpenID_Connect_Generic::instance();
register_activation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'activation' ) );
register_deactivation_hook( __FILE__, array( 'OpenID_Connect_Generic', 'deactivation' ) );
// Provide publicly accessible plugin helper functions.
require_once( 'includes/functions.php' );

41001
package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

43
package.json
Unescape Escape View File

@ -1,6 +1,6 @@
{
"name": "openid-connect-generic",
"version": "3.8.5",
"version": "3.9.0",
"description": "OpenID Connect generic WordPress plugin.",
"main": "Gruntfile.js",
"repository": {
@ -21,16 +21,16 @@
"dev-require": "^0.1.0"
},
"engines": {
"node": "12.18.3",
"npm": "6.14.8"
"node": "14.18.3",
"npm": "6.14.15"
},
"devDependencies": {
"@floatwork/grunt-po2mo": "^0.3.0",
"@ndigitals/grunt-checkrepo": "^0.2.0",
"@wordpress/env": "~4.0.0",
"@wordpress/scripts": "12.6.1",
"@ndigitals/grunt-checkrepo": "0.2.3",
"@wordpress/env": "4.3.1",
"@wordpress/scripts": "22.2.1",
"check-node-version": "~4.1.0",
"grunt": "1.3.0",
"grunt": "1.4.1",
"grunt-checkbranch": "^1.0.4",
"grunt-checktextdomain": "^1.0.1",
"grunt-cli": "1.4.1",
@ -38,27 +38,30 @@
"grunt-contrib-copy": "^1.0.0",
"grunt-gitinfo": "^0.1.9",
"grunt-shell": "^2.1.0",
"grunt-version": "~2.0.0",
"grunt-version": "3.0.0",
"grunt-wp-i18n": "^1.0.3",
"grunt-wp-readme-to-markdown": "^2.0.0",
"grunt-wp-readme-to-markdown": "2.1.0",
"load-grunt-tasks": "^3.5",
"node": "^12.21.0",
"npm": "6.14.12",
"node": "14.18.3",
"npm": "6.14.15",
"puppeteer": "^1.20.0",
"typescript": "~3.9.9"
"typescript": "3.9.10"
},
"resolutions": {
"getobject": "1.0.0",
"shelljs": "0.8.5"
},
"wp-env": {
"plugin-dir": "daggerhart-openid-connect-generic",
"plugin-name": "OpenID Connect Generic",
"docker-template": "./docker-compose.override.yml",
"docker-template": "./docker-compose.wp-env.yml",
"welcome-build-command": "npm start"
},
"scripts": {
"setup": "npm run setup:npm && npm run setup:composer && npm run build:wordpress",
"setup:npm": "npm install",
"setup:composer": "composer install",
"preinstall": "npx force-resolutions",
"setup:composer": "docker-compose run composer install",
"composer": "docker-compose run composer",
"build": "npm run grunt build",
"build:wordpress": "cd wordpress && npm install && npm run build && cd .. && composer install --optimize-autoloader",
"release": "npm run grunt release",
"start": "wp-env start",
"stop": "wp-env stop",
@ -76,9 +79,9 @@
"i18n:make": "npm run grunt i18n",
"i18n:make:cli": "wp-env run cli wp i18n make-pot . languages/ --slug=daggerhart-openid-connect-generic --include=openid-connect-generic.php,includes",
"lint": "npm run lint:php",
"lint:php": "composer run-script lint",
"lint:php:fix": "composer run-script lint-fix",
"lint:php": "docker-compose run composer lint",
"lint:php:fix": "docker-compose run composer lint-fix",
"analyze": "npm run analyze:php",
"analyze:php": "composer run-script analyze"
"analyze:php": "docker-compose run composer analyze"
}
}

2
phpcs.xml.dist
Unescape Escape View File

@ -113,6 +113,6 @@
#############################################################################
-->
<config name="testVersion" value="7.3-"/>
<config name="testVersion" value="7.4-"/>
<rule ref="PHPCompatibilityWP" />
</ruleset>

4
phpstan.neon.dist
Unescape Escape View File

@ -23,7 +23,7 @@ parameters:
paths:
- includes/
- ./
excludes_analyse:
excludePaths:
- node_modules/
- scripts/
- tests/
@ -33,7 +33,7 @@ parameters:
# scanFiles:
# - includes/class.php
scanDirectories:
- wordpress/src/
- wordpress
ignoreErrors:
# Uses func_get_args()
- '#^Function apply_filters(_ref_array)? invoked with [34567] parameters, 2 required\.$#'

34
readme.txt
Unescape Escape View File

@ -3,9 +3,9 @@ Contributors: daggerhart, tnolte
Donate link: http://www.daggerhart.com/
Tags: security, login, oauth2, openidconnect, apps, authentication, autologin, sso
Requires at least: 4.9
Tested up to: 5.7.1
Stable tag: 3.8.5
Requires PHP: 7.1
Tested up to: 5.9.2
Stable tag: 3.9.0
Requires PHP: 7.2
License: GPLv2 or later
License URI: http://www.gnu.org/licenses/gpl-2.0.html
@ -51,11 +51,29 @@ On the settings page for this plugin (Dashboard > Settings > OpenID Connect Gene
== Changelog ==
= 3.8.5
* Fix: @timnolte - Fixes missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
* Fix: @timnolte - Fixes Redirect URL Logic to Handle Sub-directory Installs.
* Fix: @timnolte - Fixes to provide proper redirect user back for the openid_connect_generic_auth_url shortcode.
= 3.9.0 =
* Feature: @matchaxnb - Added support for additional configuration constants.
* Feature: @schanzen - Added support for agregated claims.
* Fix: @rkcreation - Fixed access token not updating user metadata after login.
* Fix: @danc1248 - Fixed user creation issue on Multisite Networks.
* Feature: @RobjS - Added plugin singleton to support for more developer customization.
* Feature: @jkouris - Added action hook to allow custom handling of session expiration.
* Fix: @tommcc - Fixed admin CSS loading only on the plugin settings screen.
* Feature: @rkcreation - Added method to refresh the user claim.
* Feature: @Glowsome - Added acr_values support & verification checks that it when defined in options is honored.
* Fix: @timnolte - Fixed regression which caused improper fallback on missing claims.
* Fix: @slykar - Fixed missing query string handling in redirect URL.
* Fix: @timnolte - Fixed issue with some user linking and user creation handling.
* Improvement: @timnolte - Fixed plugin settings typos and screen formatting.
* Security: @timnolte - Updated build tooling security vulnerabilities.
* Improvement: @timnolte - Changed build tooling scripts.
= 3.8.5 =
* Fix: @timnolte - Fixed missing URL request validation before use & ensure proper current page URL is setup for Redirect Back.
* Fix: @timnolte - Fixed Redirect URL Logic to Handle Sub-directory Installs.
* Fix: @timnolte - Fixed issue with redirecting user back when the openid_connect_generic_auth_url shortcode is used.
= 3.8.4 =

7
tests/phpstan-bootstrap.php
Unescape Escape View File

@ -23,3 +23,10 @@ defined( 'OIDC_ENDPOINT_LOGIN_URL' ) || define( 'OIDC_ENDPOINT_LOGIN_URL', 'http
defined( 'OIDC_ENDPOINT_USERINFO_URL' ) || define( 'OIDC_ENDPOINT_USERINFO_URL', 'https://oidc/oauth2/userinfo' );
defined( 'OIDC_ENDPOINT_TOKEN_URL' ) || define( 'OIDC_ENDPOINT_TOKEN_URL', 'https://oidc/oauth2/token' );
defined( 'OIDC_ENDPOINT_LOGOUT_URL' ) || define( 'OIDC_ENDPOINT_LOGOUT_URL', 'https://oidc/oauth2/logout' );
defined( 'OIDC_CLIENT_SCOPE' ) || define( 'OIDC_CLIENT_SCOPE', 'email profile openid' );
defined( 'OIDC_LOGIN_TYPE' ) || define( 'OIDC_LOGIN_TYPE', 'button' );
defined( 'OIDC_LINK_EXISTING_USERS' ) || define( 'OIDC_LINK_EXISTING_USERS', 0 );
defined( 'OIDC_ENFORCE_PRIVACY' ) || define( 'OIDC_ENFORCE_PRIVACY', 0 );
defined( 'OIDC_CREATE_IF_DOES_NOT_EXIST' ) || define( 'OIDC_CREATE_IF_DOES_NOT_EXIST', 1 );
defined( 'OIDC_REDIRECT_USER_BACK' ) || define( 'OIDC_REDIRECT_USER_BACK', 0 );
defined( 'OIDC_REDIRECT_ON_LOGOUT' ) || define( 'OIDC_REDIRECT_ON_LOGOUT', 1 );

20
tools/docker/composer/Dockerfile
Unescape Escape View File

@ -0,0 +1,20 @@
# Start with the official PHP CLI image.
FROM php:7.4-cli
# Increase the memory limit to allow for large processes, such as PHPStan.
RUN cd /usr/local/etc/php/conf.d/ && \
echo 'memory_limit = -1' >> /usr/local/etc/php/conf.d/docker-php-ram-limit.ini
# Copy the Composer PHAR from the official Composer image to the PHP CLI image.
COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
# Install additional packages required for Composer
RUN apt-get update \
&& apt-get install -y git zip unzip zlib1g-dev libzip-dev \
&& apt-get -y autoremove \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN docker-php-ext-install zip \
&& docker-php-ext-install pcntl \
&& docker-php-ext-install bcmath
Write Preview
Loading…
Cancel
Save