MDL-73122 Auth: Add test settings for Oauth2

Provide a test page in authentication settings to allow administrators to test configured oAuth2 providers and to examine the data that is passed back on a successful test user authentication. Co-authored-by: Matt Porritt <[email protected]>
gjb2048 · Oct 3, 2022 · 1399974 · 1399974
1 parent 24f97ed
commit 1399974
Show file tree

Hide file tree

Showing 6 changed files with 266 additions and 0 deletions.
diff --git a/auth/oauth2/auth.php b/auth/oauth2/auth.php
@@ -35,6 +35,30 @@
  */
 class auth_plugin_oauth2 extends \auth_oauth2\auth {
 
+    /**
+     * Test the various configured Oauth2 providers.
+     */
+    public function test_settings() {
+        global $OUTPUT;
+
+        $authplugin = get_auth_plugin('oauth2');
+        $idps = $authplugin->loginpage_idp_list('');
+        $templateidps = [];
+
+        if (empty($idps)) {
+            echo $OUTPUT->notification(get_string('noconfiguredidps', 'auth_oauth2'), 'notifyproblem');
+            return;
+        } else {
+            foreach ($idps as $idp) {
+                $idpid = $idp['url']->get_param('id');
+                $sesskey = $idp['url']->get_param('sesskey');
+                $testurl = new moodle_url('/auth/oauth2/test.php', ['id' => $idpid, 'sesskey' => $sesskey]);
+
+                $templateidps[] = ['name' => $idp['name'], 'url' => $testurl->out(), 'iconurl' => $idp['iconurl']];
+            }
+            echo $OUTPUT->render_from_template('auth_oauth2/idps', ['idps' => $templateidps]);
+        }
+    }
 }
 
 
diff --git a/auth/oauth2/lang/en/auth_oauth2.php b/auth/oauth2/lang/en/auth_oauth2.php
@@ -88,13 +88,16 @@
 $string['info'] = 'External account';
 $string['issuer'] = 'OAuth 2 Service';
 $string['issuernologin'] = 'This issuer can not be used to login';
+$string['key'] = 'Key';
 $string['linkedlogins'] = 'Linked logins';
 $string['linkedloginshelp'] = 'Help with linked logins';
+$string['loggedin'] = 'User successfully authenticated with provider.';
 $string['loginerror_userincomplete'] = 'The user information returned did not contain a username and email address. The OAuth 2 service may be configured incorrectly.';
 $string['loginerror_nouserinfo'] = 'No user information was returned. The OAuth 2 service may be configured incorrectly.';
 $string['loginerror_invaliddomain'] = 'The email address is not allowed at this site.';
 $string['loginerror_authenticationfailed'] = 'The authentication process failed.';
 $string['loginerror_cannotcreateaccounts'] = 'An account with your email address could not be found.';
+$string['noconfiguredidps'] = 'There are no configured OAuth2 providers.';
 $string['noissuersavailable'] = 'None of the configured OAuth2 services allow you to link login accounts';
 $string['notloggedindebug'] = 'The login attempt failed. Reason: {$a}';
 $string['notwhileloggedinas'] = 'Linked logins cannot be managed while logged in as another user.';
@@ -115,3 +118,6 @@
 $string['privacy:metadata:auth_oauth2:userid'] = 'The ID of the user account which the OAuth 2 login is linked to.';
 $string['privacy:metadata:auth_oauth2:usermodified'] = 'The ID of the user who modified this account.';
 $string['privacy:metadata:auth_oauth2:username'] = 'The external username that maps to this account.';
+$string['testidplogin'] = 'Test login with:';
+$string['userinfo'] = 'User data from provider:';
+$string['value'] = 'Value';
diff --git a/auth/oauth2/templates/idpresponse.mustache b/auth/oauth2/templates/idpresponse.mustache
@@ -0,0 +1,65 @@
+{{!
+    This file is part of Moodle - http://moodle.org/
+
+    Moodle is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    Moodle is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+}}
+{{!
+    @template auth_oauth2/idpresponse
+
+    Render response returned from the oAuth IdP for
+    supplied test user.
+
+    Classes required for JS:
+    * none
+
+    Data attributes required for JS:
+    * none
+
+    Context variables required for this template:
+    * pairs - array of key value pairs return from the oAuth IdP
+      * name - the name field from the IdP for the field
+      * value - the value of the field for the supplied test user
+
+    Example context (json):
+    {
+        "pairs": [{
+            "name": "firstname",
+            "value": "Jane"
+        },
+        {
+            "name": "lastname",
+            "value": "Awesome"
+        }]
+    }
+}}
+
+<div class="container mb-3">
+    <h3>{{#str}}userinfo, auth_oauth2{{/str}}</h3>
+    <table class="table">
+        <thead>
+        <tr>
+            <th scope="col">{{#str}}key, auth_oauth2{{/str}}</th>
+            <th scope="col">{{#str}}value, auth_oauth2{{/str}}</th>
+        </tr>
+        </thead>
+        <tbody>
+        {{#pairs}}
+            <tr>
+                <td>{{name}}</td>
+                <td>{{{value}}}</td>
+            </tr>
+        {{/pairs}}
+        </tbody>
+    </table>
+</div>
diff --git a/auth/oauth2/templates/idps.mustache b/auth/oauth2/templates/idps.mustache
@@ -0,0 +1,60 @@
+{{!
+    This file is part of Moodle - http://moodle.org/
+
+    Moodle is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    Moodle is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+}}
+{{!
+    @template auth_oauth2/idps
+
+    Render available oauth2 idps for testing.
+
+    Classes required for JS:
+    * none
+
+    Data attributes required for JS:
+    * none
+
+    Context variables required for this template:
+    * idps - array of oAuth IdP objects
+      * name - the display name of the IdP
+      * url - the url of the oAuth test endpoint
+      * iconurl - the icon of the oAuth IdP
+
+    Example context (json):
+    {
+        "idps": [{
+            "name": "Microsoft",
+            "url": "http:\/\/localhost\/auth\/oauth2\/test.php?id=2&amp;sesskey=4js6afElZh",
+            "iconurl": "https:\/\/www.microsoft.com\/favicon.ico"
+        }]
+    }
+}}
+
+<div class="container mb-3">
+    <div class="potentialidps-header row">
+        <h3>{{#str}}testidplogin, auth_oauth2{{/str}}</h3>
+    </div>
+    <div class="potentialidps row">
+        <div class="potentialidplist">
+            {{#idps}}
+            <div class="potentialidp mb-2">
+                <a class="btn btn-secondary btn-block" href="{{{url}}}" title="{{name}}">
+                    {{#iconurl}}<img src="{{{iconurl}}}" alt="{{name}}" width="24" height="24" class="mr-1"/>{{/iconurl}}
+                    {{name}}
+                </a>
+            </div>
+            {{/idps}}
+        </div>
+    </div>
+</div>
diff --git a/auth/oauth2/test.php b/auth/oauth2/test.php
@@ -0,0 +1,85 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+/**
+ * This file allows for testing of login via configured oauth2 IDP poviders.
+ *
+ * @package auth_oauth2
+ * @copyright 2021 Matt Porritt <[email protected]>
+ * @license http://www.gnu.org/copyleft/gpl.html GNU Public License
+ */
+
+// Require_login is not needed here.
+// phpcs:disable moodle.Files.RequireLogin.Missing
+require_once('../../config.php');
+
+require_sesskey();
+
+$issuerid = required_param('id', PARAM_INT);
+$url = new moodle_url('/auth/oauth2/test.php', ['id' => $issuerid, 'sesskey' => sesskey()]);
+
+$PAGE->set_context(context_system::instance());
+$PAGE->set_url($url);
+$PAGE->set_pagelayout('admin');
+
+if (!\auth_oauth2\api::is_enabled()) {
+    throw new \moodle_exception('notenabled', 'auth_oauth2');
+}
+
+$issuer = new \core\oauth2\issuer($issuerid);
+if (!$issuer->is_available_for_login()) {
+    throw new \moodle_exception('issuernologin', 'auth_oauth2');
+}
+
+$client = \core\oauth2\api::get_user_oauth_client($issuer, $url);
+
+if ($client) {
+    // We have a valid client, now lets see if we can log into the IDP.
+    if (!$client->is_logged_in()) {
+        redirect($client->get_login_url());
+    }
+
+    echo $OUTPUT->header();
+
+    // We were successful logging into the IDP.
+    echo $OUTPUT->notification(get_string('loggedin', 'auth_oauth2'), 'notifysuccess');
+
+    // Try getting user info from the IDP.
+    $endpointurl = $client->get_issuer()->get_endpoint_url('userinfo');
+    $response = $client->get($endpointurl);
+    $userinfo = json_decode($response, true);
+
+    $templateinfo = [];
+    foreach ($userinfo as $key => $value) {
+        // We are just displaying the data from the IdP for testing purposes,
+        // so we are more interested in displaying it to the admin than
+        // processing it.
+        if (is_array($value)) {
+            $value = json_encode($value);
+        }
+        $templateinfo[] = ['name' => $key, 'value' => $value];
+    }
+
+    // Display user info.
+    if (!empty($templateinfo)) {
+        echo $OUTPUT->render_from_template('auth_oauth2/idpresponse', ['pairs' => $templateinfo]);
+    }
+
+} else {
+    throw new moodle_exception('Could not get an OAuth client.');
+}
+
+echo $OUTPUT->footer();
diff --git a/auth/oauth2/tests/behat/settings_test.feature b/auth/oauth2/tests/behat/settings_test.feature
@@ -0,0 +1,26 @@
+@auth @auth_oauth2 @javascript
+Feature: OAuth2 settings test functionality
+  In order to use them later for authentication
+  As an administrator
+  I need to be able to test configured OAuth2 login services.
+
+  Background:
+    Given I log in as "admin"
+    And I change window size to "large"
+
+  Scenario: Test oAuth2 authentication settings with no configured service.
+    Given I navigate to "Plugins > Authentication > Manage authentication" in site administration
+    And I click on "Test settings" "link" in the "OAuth 2" "table_row"
+    Then I should see "There are no configured OAuth2 providers"
+
+  Scenario: Test oAuth2 authentication settings for a configured service.
+    Given I navigate to "Server > OAuth 2 services" in site administration
+    And I press "Google"
+    And I set the following fields to these values:
+      | Name                       | Testing service                           |
+      | Client ID                  | thisistheclientid                         |
+      | Client secret              | supersecret                               |
+    And I press "Save changes"
+    And I navigate to "Plugins > Authentication > Manage authentication" in site administration
+    And I click on "Test settings" "link" in the "OAuth 2" "table_row"
+    Then I should see "Testing service"