From e05f1fdb29e84f8cd4296ca0f98cb940800769fc Mon Sep 17 00:00:00 2001
From: Lai Wei
Date: Wed, 5 Oct 2022 11:53:38 +0100
Subject: [PATCH] reset local_o365 settings on auth_oidc config changes
---
auth/oidc/lang/en/auth_oidc.php | 2 ++
auth/oidc/manageapplication.php | 40 ++++++++++++++------------
local/o365/classes/observers.php | 48 ++++++++++++++++++++------------
3 files changed, 54 insertions(+), 36 deletions(-)
diff --git a/auth/oidc/lang/en/auth_oidc.php b/auth/oidc/lang/en/auth_oidc.php
index 82604f0e3..3504f977e 100644
--- a/auth/oidc/lang/en/auth_oidc.php
+++ b/auth/oidc/lang/en/auth_oidc.php
@@ -154,6 +154,8 @@ $string['settings_section_other_params'] = 'Other parameters';
 $string['authentication_and_endpoints_saved'] = 'Authentication and endpoint settings updated.';
 $string['application_updated'] = 'OpenID Connect application setting was updated.';
+$string['application_updated_azure'] = 'OpenID Connect application setting was updated.
+Azure administrator will need to Provide admin consent and Verify setup again on the Microsoft 365 integration configuration page if "Identity Provider (IdP) Type" or "Client authentication method" settings are updated.';
 $string['event_debug'] = 'Debug message';
diff --git a/auth/oidc/manageapplication.php b/auth/oidc/manageapplication.php
index e5da71341..39d6a947e 100644
--- a/auth/oidc/manageapplication.php
+++ b/auth/oidc/manageapplication.php
@@ -73,37 +73,41 @@ if ($form->is_cancelled()) {
 redirect($url);
 } else if ($fromform = $form->get_data()) {
- // Save idptype.
- set_config('idptype', $fromform->idptype, 'auth_oidc');
-
- // Save clientid.
- set_config('clientid', $fromform->clientid, 'auth_oidc');
-
- // Save tenantnameorguid.
- set_config('tenantnameorguid', $fromform->tenantnameorguid, 'auth_oidc');
-
- // Save clientauthmethod.
+ // Handle odd cases where clientauthmethod is not received.
 if (!isset($fromform->clientauthmethod)) {
 $fromform->clientauthmethod = optional_param('clientauthmethod', AUTH_OIDC_AUTH_METHOD_SECRET, PARAM_INT);
 }
- set_config('clientauthmethod', $fromform->clientauthmethod, 'auth_oidc');
+
+ // Prepare config settings to save.
+ $configstosave = ['idptype', 'clientid', 'tenantnameorguid', 'clientauthmethod', 'authendpoint', 'tokenendpoint'];
 // Depending on the value of clientauthmethod, save clientsecret or (clientprivatekey and clientcert).
 switch ($fromform->clientauthmethod) {
 case AUTH_OIDC_AUTH_METHOD_SECRET:
- set_config('clientsecret', $fromform->clientsecret, 'auth_oidc');
+ $configstosave[] = 'clientsecret';
 break;
 case AUTH_OIDC_AUTH_METHOD_CERTIFICATE:
- set_config('clientprivatekey', $fromform->clientprivatekey, 'auth_oidc');
- set_config('clientcert', $fromform->clientcert, 'auth_oidc');
+ $configstosave[] = 'clientprivatekey';
+ $configstosave[] = 'clientcert';
 break;
 }
- // Save endpoints.
- set_config('authendpoint', $fromform->authendpoint, 'auth_oidc');
- set_config('tokenendpoint', $fromform->tokenendpoint, 'auth_oidc');
+ // Save config settings.
+ foreach ($configstosave as $config) {
+ $existingsetting = get_config('auth_oidc', $config);
+ if ($fromform->$config != $existingsetting) {
+ set_config($config, $fromform->$config, 'auth_oidc');
+ add_to_config_log($config, $existingsetting, $fromform->$config, 'auth_oidc');
+ }
+ }
- redirect($url, get_string('application_updated', 'auth_oidc'));
+ // Redirect message depend on IdP type.
+ if ($fromform->idptype == AUTH_OIDC_IDP_TYPE_OTHER) {
+ redirect($url, get_string('application_updated', 'auth_oidc'));
+ } else {
+ $localo365configurl = new moodle_url('/admin/settings.php', ['section' => 'local_o365']);
+ redirect($url, get_string('application_updated_azure', 'auth_oidc', $localo365configurl->out()));
+ }
 }
 echo $OUTPUT->header();
diff --git a/local/o365/classes/observers.php b/local/o365/classes/observers.php
index 50b16f300..150769313 100644
--- a/local/o365/classes/observers.php
+++ b/local/o365/classes/observers.php
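Review bot: The new `foreach ($configstosave as $config)` loop hands the raw old and new values of `clientsecret` and `clientprivatekey` to `add_to_config_log()`, so the OIDC client secret and the signing private key are written in clear text to the config change log, where they remain readable through the config changes report long after the setting itself is rotated; as far as I recall, Moodle core masks password-type settings in that log for exactly this reason. Masking those two names before logging keeps an audit record of the change without persisting the credential (see below). Separately, `get_string('application_updated_azure', 'auth_oidc', $localo365configurl->out())` passes a URL as `$a`, but the new lang string contains no `{$a}` placeholder, so the link to the Microsoft 365 configuration page is silently dropped — either reference `{$a}` in the string or drop the argument.
```php
// … unchanged: $configstosave preparation and clientauthmethod switch …

// Save config settings. Credential values are logged masked so the config log never holds the secret itself.
$secretconfigs = ['clientsecret', 'clientprivatekey'];
foreach ($configstosave as $config) {
    $existingsetting = get_config('auth_oidc', $config);
    if ($fromform->$config != $existingsetting) {
        set_config($config, $fromform->$config, 'auth_oidc');
        if (in_array($config, $secretconfigs, true)) {
            add_to_config_log($config, '********', '********', 'auth_oidc');
        } else {
            add_to_config_log($config, $existingsetting, $fromform->$config, 'auth_oidc');
        }
    }
}

// … unchanged: redirect depending on IdP type …
```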
@@ -841,25 +841,37 @@ public static function handle_config_log_created(config_log_created $event) : bo
 $eventdata = $event->get_data();
- if ($eventdata['other']['plugin'] == 'auth_oidc' && $eventdata['other']['name'] == 'clientid') {
- // Clear local_o365_token table.
- $DB->delete_records('local_o365_token');
-
- // Clear auth_oidc_token table.
- $DB->delete_records('auth_oidc_token');
-
- // Clear local_o365_connections table.
- $DB->delete_records('local_o365_connections');
-
- // Clear user records in local_o365_objects table.
- $DB->delete_records('local_o365_objects', ['type' => 'user']);
+ if ($eventdata['other']['plugin'] == 'auth_oidc') {
+ switch ($eventdata['other']['name']) {
+ case 'clientid':
+ // Clear local_o365_token table.
+ $DB->delete_records('local_o365_token');
+
+ // Clear auth_oidc_token table.
+ $DB->delete_records('auth_oidc_token');
+
+ // Clear local_o365_connections table.
+ $DB->delete_records('local_o365_connections');
+
+ // Clear user records in local_o365_objects table.
+ $DB->delete_records('local_o365_objects', ['type' => 'user']);
+
+ // Delete delta user token, and force a user sync task run.
+ unset_config('local_o365', 'task_usersync_lastdeltatoken');
+ if ($usersynctask = $DB->get_record('task_scheduled',
+ ['component' => 'local_o365', 'classname' => '\local_o365\task\usersync'])) {
+ $usersynctask->nextruntime = time();
+ $DB->update_record('task_scheduled', $usersynctask);
+ }
- // Delete delta user token, and force a user sync task run.
- unset_config('local_o365', 'task_usersync_lastdeltatoken');
- if ($usersynctask = $DB->get_record('task_scheduled',
- ['component' => 'local_o365', 'classname' => '\local_o365\task\usersync'])) {
- $usersynctask->nextruntime = time();
- $DB->update_record('task_scheduled', $usersynctask);
+ // No call to "break;" on purpose.
+ case 'idptype':
+ case 'clientauthmethod':
+ // If client ID, IdP type, or authentication method has changed, unset token and verify setup results.
+ // Azure admin needs to set up again.
+ unset_config('apptokens', 'local_o365');
+ unset_config('adminconsent', 'local_o365');
+ unset_config('azuresetupresult', 'local_o365');
 }
 }