feat(idps): Allow to filter idps based on trusted domains

jlehtoranta · jlehtoranta · commit cdf8015686ab · 2024-03-07T13:44:25.000+02:00
diff --git a/appinfo/app.php b/appinfo/app.php
@@ -151,7 +151,7 @@
 }
 
 $multipleUserBackEnds = $samlSettings->allowMultipleUserBackEnds();
-$configuredIdps = $samlSettings->getListOfIdps();
+$configuredIdps = $samlSettings->getListOfIdps($request);
 $showLoginOptions = ($multipleUserBackEnds || count($configuredIdps) > 1) && $type === 'saml';
 
 if ($redirectSituation === true && $showLoginOptions) {
@@ -192,7 +192,7 @@
 		[
 			'requesttoken' => $csrfToken->getEncryptedValue(),
 			'originalUrl' => $originalUrl,
-			'idp' => array_keys($configuredIdps)[0] ?? '',
+			'idp' => array_key_first($configuredIdps) ?? '',
 		]
 	);
 	header('Location: '.$targetUrl);
diff --git a/lib/Controller/SAMLController.php b/lib/Controller/SAMLController.php
@@ -608,7 +608,7 @@ public function selectUserBackEnd(string $redirectUrl): Http\TemplateResponse {
 	 */
 	private function getIdps(string $redirectUrl): array {
 		$result = [];
-		$idps = $this->samlSettings->getListOfIdps();
+		$idps = $this->samlSettings->getListOfIdps($this->request);
 		foreach ($idps as $idpId => $displayName) {
 			$result[] = [
 				'url' => $this->getSSOUrl($redirectUrl, (string)$idpId),
diff --git a/lib/SAMLSettings.php b/lib/SAMLSettings.php
@@ -40,6 +40,7 @@ class SAMLSettings {
 	// IdP-specific keys
 	public const IDP_CONFIG_KEYS = [
 		'general-idp0_display_name',
+		'general-custom_hosts',
 		'general-uid_mapping',
 		'idp-entityId',
 		'idp-singleLogoutService.responseUrl',
@@ -110,11 +111,20 @@ public function __construct(
 	 * @return array<int, string>
 	 * @throws Exception
 	 */
-	public function getListOfIdps(): array {
+	public function getListOfIdps(?\OCP\IRequest $request = null): array {
+		$serverHost = !is_null($request) ? $request->getServerHost() : null;
+
 		$this->ensureConfigurationsLoaded();
 
 		$result = [];
 		foreach ($this->configurations as $configID => $config) {
+			// Filter configs which don't match the trusted host in the request
+			if (!empty($serverHost)) {
+				$customHosts = key_exists('general-custom_hosts', $config) ? array_map('trim', explode(',', $config['general-custom_hosts'])) : [];
+				if (!in_array($serverHost, $customHosts)) {
+					continue;
+				}
+			}
 			// no fancy array_* method, because there might be thousands
 			$result[$configID] = $config['general-idp0_display_name'] ?? '';
 		}
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
@@ -98,6 +98,10 @@ public function getForm() {
 				'type' => 'line',
 				'required' => true,
 			],
+			'custom_hosts' => [
+				'text' => $this->l10n->t('Hostnames associated with this provider (e.g. nextcloud.a.com, nextcloud.b.com).'),
+				'type' => 'line',
+			],
 			'require_provisioned_account' => [
 				'text' => $this->l10n->t('Only allow authentication if an account exists on some other backend (e.g. LDAP).'),
 				'type' => 'checkbox',

Original file line number	Diff line number	Diff line change
`@@ -151,7 +151,7 @@`
`151`	`151`	`}`
`152`	`152`
`153`	`153`	`$multipleUserBackEnds = $samlSettings->allowMultipleUserBackEnds();`
`154`		`-$configuredIdps = $samlSettings->getListOfIdps();`
	`154`	`+$configuredIdps = $samlSettings->getListOfIdps($request);`
`155`	`155`	`$showLoginOptions = ($multipleUserBackEnds \|\| count($configuredIdps) > 1) && $type === 'saml';`
`156`	`156`
`157`	`157`	`if ($redirectSituation === true && $showLoginOptions) {`
`@@ -192,7 +192,7 @@`
`192`	`192`	`[`
`193`	`193`	`'requesttoken' => $csrfToken->getEncryptedValue(),`
`194`	`194`	`'originalUrl' => $originalUrl,`
`195`		`- 'idp' => array_keys($configuredIdps)[0] ?? '',`
	`195`	`+ 'idp' => array_key_first($configuredIdps) ?? '',`
`196`	`196`	`]`
`197`	`197`	`);`
`198`	`198`	`header('Location: '.$targetUrl);`