Search moodle.org's
Developer Documentation
Developer Documentation
See Release Notes
Long Term Support Release
- Bug fixes for general core bugs in 4.1.x will end 13 November 2023 (12 months).
- Bug fixes for security issues in 4.1.x will end 10 November 2025 (36 months).
- PHP version: minimum PHP 7.4.0 Note: minimum PHP version has increased since Moodle 4.0. PHP 8.0.x is supported too.
/lib/classes/oauth2/ -> issuer.php (source)
<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle. If not, see <http://www.gnu.org/licenses/>.
/**
* Class for loading/storing issuers from the DB.
*
* @package core
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
namespace core\oauth2;
defined('MOODLE_INTERNAL') || die();
use core\persistent;
use lang_string;
/**
* Class for loading/storing issuer from the DB
*
* @copyright 2017 Damyon Wiese
* @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
*/
class issuer extends persistent {
> /** @var int Issuer is displayed on both login page and in the services lists */
const TABLE = 'oauth2_issuer';
> const EVERYWHERE = 1;
> /** @var int Issuer is displayed on the login page only */
/**
> const LOGINONLY = 2;
* Return the definition of the properties of this model.
> /** @var int Issuer is displayed only in the services lists and can not be used for login */
*
> const SERVICEONLY = 0;
* @return array
>
*/
protected static function define_properties() {
return array(
'name' => array(
'type' => PARAM_TEXT
),
'image' => array(
'type' => PARAM_URL,
'null' => NULL_ALLOWED,
'default' => null
),
'clientid' => array(
'type' => PARAM_RAW_TRIMMED,
'default' => ''
),
'clientsecret' => array(
'type' => PARAM_RAW_TRIMMED,
'default' => ''
),
'baseurl' => array(
'type' => PARAM_URL,
'default' => ''
),
'enabled' => array(
'type' => PARAM_BOOL,
'default' => true
),
'showonloginpage' => array(
< 'type' => PARAM_BOOL,
< 'default' => false
> 'type' => PARAM_INT,
> 'default' => self::SERVICEONLY,
),
'basicauth' => array(
'type' => PARAM_BOOL,
'default' => false
),
'scopessupported' => array(
'type' => PARAM_RAW,
'null' => NULL_ALLOWED,
'default' => null
),
'loginscopes' => array(
'type' => PARAM_RAW,
'default' => 'openid profile email'
),
'loginscopesoffline' => array(
'type' => PARAM_RAW,
'default' => 'openid profile email'
),
'loginparams' => array(
'type' => PARAM_RAW,
'default' => ''
),
'loginparamsoffline' => array(
'type' => PARAM_RAW,
'default' => ''
),
'alloweddomains' => array(
'type' => PARAM_RAW,
'default' => ''
),
'sortorder' => array(
'type' => PARAM_INT,
'default' => 0,
),
'requireconfirmation' => array(
'type' => PARAM_BOOL,
'default' => true
< )
> ),
> 'servicetype' => array(
> 'type' => PARAM_ALPHANUM,
> 'null' => NULL_ALLOWED,
> 'default' => null,
> ),
> 'loginpagename' => array(
> 'type' => PARAM_TEXT,
> 'null' => NULL_ALLOWED,
> 'default' => null,
> ),
);
}
/**
* Hook to execute before validate.
*
* @return void
*/
protected function before_validate() {
if (($this->get('id') && $this->get('sortorder') === null) || !$this->get('id')) {
$this->set('sortorder', $this->count_records());
}
}
/**
* Helper the get a named service endpoint.
* @param string $type
* @return string|false
*/
public function get_endpoint_url($type) {
$endpoint = endpoint::get_record([
'issuerid' => $this->get('id'),
'name' => $type . '_endpoint'
]);
if ($endpoint) {
return $endpoint->get('url');
}
return false;
}
/**
* Perform matching against the list of allowed login domains for this issuer.
*
* @param string $email The email to check.
* @return boolean
*/
public function is_valid_login_domain($email) {
if (empty($this->get('alloweddomains'))) {
return true;
}
$validdomains = explode(',', $this->get('alloweddomains'));
$parts = explode('@', $email, 2);
$emaildomain = '';
if (count($parts) > 1) {
$emaildomain = $parts[1];
}
return \core\ip_utils::is_domain_in_allowed_list($emaildomain, $validdomains);
}
/**
* Does this OAuth service support user authentication?
* @return boolean
*/
public function is_authentication_supported() {
> debugging('Method is_authentication_supported() is deprecated, please use is_available_for_login()',
return (!empty($this->get_endpoint_url('userinfo')));
> DEBUG_DEVELOPER);
}
/**
> * Is this issue fully configured and enabled and can be used for login/signup
* Return true if this issuer looks like it has been configured.
> *
*
> * @return bool
* @return boolean
> * @throws \coding_exception
*/
> */
public function is_configured() {
> public function is_available_for_login(): bool {
return (!empty($this->get('clientid')) && !empty($this->get('clientsecret')));
> return $this->get('id') &&
}
> $this->is_configured() &&
> $this->get('showonloginpage') != self::SERVICEONLY &&
/**
> $this->get('enabled') &&
* Do we have a refresh token for a system account?
> !empty($this->get_endpoint_url('userinfo'));
* @return boolean
> }
*/
>
public function is_system_account_connected() {
> /**
if (!$this->is_configured()) {
return false;
}
$sys = system_account::get_record(['issuerid' => $this->get('id')]);
if (empty($sys) || empty($sys->get('refreshtoken'))) {
return false;
}
$scopes = api::get_system_scopes_for_issuer($this);
$grantedscopes = $sys->get('grantedscopes');
$scopes = explode(' ', $scopes);
foreach ($scopes as $scope) {
if (!empty($scope)) {
if (strpos(' ' . $grantedscopes . ' ', ' ' . $scope . ' ') === false) {
// We have not been granted all the scopes that are required.
return false;
}
}
}
return true;
}
/**
* Custom validator for end point URLs.
* Because we send Bearer tokens we must ensure SSL.
*
* @param string $value The value to check.
* @return lang_string|boolean
*/
protected function validate_baseurl($value) {
global $CFG;
include_once($CFG->dirroot . '/lib/validateurlsyntax.php');
if (!empty($value) && !validateUrlSyntax($value, 'S+')) {
return new lang_string('sslonlyaccess', 'error');
}
return true;
> }
}
>
}
> /**
> * Display name for the issuers used on the login page
> *
> * @return string
> */
> public function get_display_name(): string {
> return $this->get('loginpagename') ? $this->get('loginpagename') : $this->get('name');
