D8CORE-8340: Block access to password reset and register routes based on saml settings (#31)

pookmish · web-flow · commit 4fd4408d2a8f · 2025-09-22T13:22:07.000-07:00
diff --git a/src/EventSubscriber/SamlAuthRouteSubscriber.php b/src/EventSubscriber/SamlAuthRouteSubscriber.php
@@ -0,0 +1,50 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Drupal\stanford_samlauth\EventSubscriber;
+
+use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Routing\RouteSubscriberBase;
+use Symfony\Component\Routing\RouteCollection;
+
+/**
+ * Route subscriber.
+ */
+final class SamlAuthRouteSubscriber extends RouteSubscriberBase {
+
+  /**
+   * Constructs a SamlAuthRouteSubscriber object.
+   */
+  public function __construct(
+    private readonly ConfigFactoryInterface $configFactory,
+  ) {}
+
+  /**
+   * {@inheritdoc}
+   */
+  protected function alterRoutes(RouteCollection $collection): void {
+    $login_roles = $this->configFactory->get('samlauth.authentication')
+      ->get('drupal_login_roles') ?: [];
+    $hide_local_login = $this->configFactory->get('stanford_samlauth.settings')
+      ->get('hide_local_login');
+
+    // If local login is allowed or there are some allowed roles to use local
+    // login, don't restrict access to the routes.
+    if (array_filter($login_roles) || !$hide_local_login) {
+      return;
+    }
+    $routes_to_block = [
+      'user.register',
+      'user.pass',
+      'user.pass.http',
+      'user.login.http',
+    ];
+    foreach ($routes_to_block as $route) {
+      if ($route = $collection->get($route)) {
+        $route->setRequirement('_access', 'FALSE');
+      }
+    }
+  }
+
+}
diff --git a/stanford_samlauth.services.yml b/stanford_samlauth.services.yml
@@ -8,3 +8,9 @@ services:
     arguments: [ '@stanford_samlauth.workgroup_api', '@config.factory', '@current_user', '@path.matcher', '@path.current', '@path_alias.manager' ]
     tags:
       - { name: event_subscriber }
+
+  stanford_samlauth.route_subscriber:
+    class: Drupal\stanford_samlauth\EventSubscriber\SamlAuthRouteSubscriber
+    arguments: ['@config.factory']
+    tags:
+      - { name: event_subscriber }
diff --git a/tests/src/Kernel/EventSubscriber/SamlAuthRouteSubscriberTest.php b/tests/src/Kernel/EventSubscriber/SamlAuthRouteSubscriberTest.php
@@ -0,0 +1,48 @@
+<?php
+
+namespace Drupal\Tests\stanford_samlauth\Kernel\EventSubscriber;
+
+use Drupal\Tests\stanford_samlauth\Kernel\StanfordSamlAuthTestBase;
+use Drupal\user\Entity\Role;
+use PHPUnit\Framework\Attributes\TestWith;
+
+/**
+ * Test route subscriber.
+ */
+class SamlAuthRouteSubscriberTest extends StanfordSamlAuthTestBase {
+
+  /**
+   * {@inheritDoc}
+   */
+  public function setup(): void {
+    parent::setup();
+    $this->installConfig('samlauth');
+  }
+
+  #[TestWith(['hide_local_login' => TRUE, 'role_mapping' => TRUE])]
+  #[TestWith(['hide_local_login' => FALSE, 'role_mapping' => TRUE])]
+  #[TestWith(['hide_local_login' => TRUE, 'role_mapping' => FALSE])]
+  #[TestWith(['hide_local_login' => FALSE, 'role_mapping' => FALSE])]
+  public function testUserSyncEvent(bool $hide_local_login, bool $role_mapping) {
+    $this->config('stanford_samlauth.settings')
+      ->set('hide_local_login', $hide_local_login)
+      ->save();
+
+    if ($role_mapping) {
+      $roles = array_keys(Role::loadMultiple());
+      $this->config('samlauth.authentication')
+        ->set('drupal_login_roles', $roles)
+        ->save();
+    }
+
+    /** @var \Drupal\Core\Routing\Router $router */
+    $router = \Drupal::service('router.no_access_checks');
+    $access = $router->getRouteCollection()
+      ->get('user.pass')
+      ->getRequirement('_access');
+
+    $expected = $hide_local_login && !$role_mapping ? 'FALSE' : 'TRUE';
+    $this->assertEquals($expected, $access);
+  }
+
+}
