feat(idps): Allow to filter idps based on trusted domains

Signed-off-by: Jarkko Lehtoranta <[email protected]>

Author: jlehtoranta

appinfo/app.php

@@ -111,7 +111,7 @@
 }
 
 $multipleUserBackEnds = $samlSettings->allowMultipleUserBackEnds();
-$configuredIdps = $samlSettings->getListOfIdps();
+$configuredIdps = $samlSettings->getListOfIdps($request);
 $showLoginOptions = ($multipleUserBackEnds || count($configuredIdps) > 1) && $type === 'saml';
 
 if ($redirectSituation === true && $showLoginOptions) {
@@ -152,7 +152,7 @@
 		[
 			'requesttoken' => $csrfToken->getEncryptedValue(),
 			'originalUrl' => $originalUrl,
-			'idp' => array_keys($configuredIdps)[0] ?? '',
+			'idp' => array_key_first($configuredIdps) ?? '',
 		]
 	);
 	header('Location: '.$targetUrl);

lib/Controller/SAMLController.php

@@ -592,7 +592,7 @@ public function selectUserBackEnd(string $redirectUrl): Http\TemplateResponse {
 	 */
 	private function getIdps(string $redirectUrl): array {
 		$result = [];
-		$idps = $this->samlSettings->getListOfIdps();
+		$idps = $this->samlSettings->getListOfIdps($this->request);
 		foreach ($idps as $idpId => $displayName) {
 			$result[] = [
 				'url' => $this->getSSOUrl($redirectUrl, (string)$idpId),

lib/SAMLSettings.php

@@ -25,6 +25,7 @@ class SAMLSettings {
 	// IdP-specific keys
 	public const IDP_CONFIG_KEYS = [
 		'general-idp0_display_name',
+		'general-custom_hosts',
 		'general-uid_mapping',
 		'idp-entityId',
 		'idp-singleLogoutService.responseUrl',
@@ -95,11 +96,20 @@ public function __construct(
 	 * @return array<int, string>
 	 * @throws Exception
 	 */
-	public function getListOfIdps(): array {
+	public function getListOfIdps(?\OCP\IRequest $request = null): array {
+		$serverHost = !is_null($request) ? $request->getServerHost() : null;
+
 		$this->ensureConfigurationsLoaded();
 
 		$result = [];
 		foreach ($this->configurations as $configID => $config) {
+			// Filter configs which don't match the trusted host in the request
+			if (!empty($serverHost)) {
+				$customHosts = key_exists('general-custom_hosts', $config) ? array_map('trim', explode(',', $config['general-custom_hosts'])) : [];
+				if (!in_array($serverHost, $customHosts)) {
+					continue;
+				}
+			}
 			// no fancy array_* method, because there might be thousands
 			$result[$configID] = $config['general-idp0_display_name'] ?? '';
 		}

lib/Settings/Admin.php

@@ -81,6 +81,10 @@ public function getForm() {
 				'type' => 'line',
 				'required' => true,
 			],
+			'custom_hosts' => [
+				'text' => $this->l10n->t('Hostnames associated with this provider (e.g. nextcloud.a.com, nextcloud.b.com).'),
+				'type' => 'line',
+			],
 			'require_provisioned_account' => [
 				'text' => $this->l10n->t('Only allow authentication if an account exists on some other backend (e.g. LDAP).'),
 				'type' => 'checkbox',