d8/dd3/functions__openid__connect_8php_source.html

<?php

/* Copyright (C) 2022   Jeritiana Ravelojaona <jeritiana.rav@smartone.ai>

 * Copyright (C) 2023-2024  Solution Libre SAS    <contact@solution-libre.fr>

 * Copyright (C) 2024   MDW           <mdeweerd@users.noreply.github.com>

 * Copyright (C) 2024   Maximilien Rozniecki  <mrozniecki@easya.solutions>

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License as published by

 * the Free Software Foundation; either version 3 of the License, or

 * (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful,

 * but WITHOUT ANY WARRANTY; without even the implied warranty of

 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

 * GNU General Public License for more details.

 *

 * You should have received a copy of the GNU General Public License

 * along with this program. If not, see <https://www.gnu.org/licenses/>.

 */


include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';

include_once DOL_DOCUMENT_ROOT.'/core/lib/openid_connect.lib.php';


function check_user_password_openid_connect($usertotest, $passwordtotest, $entitytotest)

{

  global $db;


  if (getDolGlobalInt('MAIN_AUTHENTICATION_OIDC_ON', 0) <= 0) {

    $_SESSION["dol_loginmesg"] = "OpenID Connect is disabled";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect Module disabled");

    return false;

  }


  // Force master entity in transversal mode

  $entity = $entitytotest;

  if (isModEnabled('multicompany') && getDolGlobalString('MULTICOMPANY_TRANSVERSE_MODE')) {

    $entity = 1;

  }


  dol_syslog("functions_openid_connect::check_user_password_openid_connect usertotest=".$usertotest." passwordtotest=".preg_replace('/./', '*', $passwordtotest)." entitytotest=".$entitytotest);


  // Step 1 is done by user: request an authorization code


  if (GETPOSTISSET('username')) {

    // OIDC does not require credentials here: pass on to next auth handler

    $_SESSION["dol_loginmesg"] = "Not an OpenID Connect flow";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::not an OIDC flow");

    return false;

  } elseif (empty($_SESSION['oidc_state'])) {

    // No state in session (set by callback.php)

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (no state received)";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::no state received", LOG_ERR);

    return false;

  } elseif (empty($_SESSION['oidc_code'])) {

    // No code in session (set by callback.php)

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (no code received)";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::no code received", LOG_ERR);

    return false;

  }


  // Read OIDC params from session and clear immediately (single-use)

  $auth_code = $_SESSION['oidc_code'];

  $state = $_SESSION['oidc_state'];

  unset($_SESSION['oidc_code'], $_SESSION['oidc_state']);

  dol_syslog('functions_openid_connect::check_user_password_openid_connect state='.$state);


  if (!openid_connect_verify_state($state)) {

    // State signature invalid - not generated by this Dolibarr instance

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (state does not match)";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::state does not match", LOG_ERR);

    return false;

  }


  // Step 2: turn the authorization code into an access token, using client_secret

  $auth_param = [

    'grant_type'    => 'authorization_code',

    'client_id'     => getDolGlobalString('MAIN_AUTHENTICATION_OIDC_CLIENT_ID'),

    'client_secret' => getDolGlobalString('MAIN_AUTHENTICATION_OIDC_CLIENT_SECRET'),

    'code'          => $auth_code,

    'redirect_uri'  => openid_connect_get_redirect_url()

  ];


  $token_response = getURLContent(getDolGlobalString('MAIN_AUTHENTICATION_OIDC_TOKEN_URL'), 'POST', http_build_query($auth_param), 1, array(), array('https'), 2);

  $token_content = json_decode($token_response['content']);

  dol_syslog("functions_openid_connect::check_user_password_openid_connect /token=".print_r($token_response, true), LOG_DEBUG);


  if ($token_response['curl_error_no']) {

    // Token request error

    $_SESSION["dol_loginmesg"] = "Network error: ".$token_response['curl_error_msg']." (".$token_response['curl_error_no'].")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$_SESSION["dol_loginmesg"], LOG_ERR);

    return false;

  } elseif ($token_response['http_code'] >= 400 && $token_response['http_code'] < 500) {

    // HTTP Error

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (".$token_response['content'].")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$token_response['content'], LOG_ERR);

    return false;

  } elseif (property_exists($token_content, 'error') && $token_content->error) {

    // Got token response but content is an error

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (".$token_content->error_description.")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$token_content->error_description, LOG_ERR);

    return false;

  } elseif (!property_exists($token_content, 'access_token')) {

    // Other token request error

    $_SESSION["dol_loginmesg"] = "Token request error (".$token_response['http_code'].")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$_SESSION["dol_loginmesg"], LOG_ERR);

    return false;

  }


  // Step 3: retrieve user info (login, email, ...) from OIDC server using token

  $userinfo_headers = array('Authorization: Bearer '.$token_content->access_token);

  $userinfo_response = getURLContent(getDolGlobalString('MAIN_AUTHENTICATION_OIDC_USERINFO_URL'), 'GET', '', 1, $userinfo_headers, array('https'), 2);

  $userinfo_content = json_decode($userinfo_response['content']);


  dol_syslog("functions_openid_connect::check_user_password_openid_connect /userinfo=".print_r($userinfo_response, true), LOG_DEBUG);


  // Get the user attribute (claim) matching the Dolibarr login

  $login_claim = 'email'; // default

  if (getDolGlobalString('MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM')) {

    $login_claim = getDolGlobalString('MAIN_AUTHENTICATION_OIDC_LOGIN_CLAIM');

  }


  if ($userinfo_response['curl_error_no']) {

    // User info request error

    $_SESSION["dol_loginmesg"] = "Network error: ".$userinfo_response['curl_error_msg']." (".$userinfo_response['curl_error_no'].")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$_SESSION["dol_loginmesg"], LOG_ERR);

    return false;

  } elseif ($userinfo_response['http_code'] >= 400 && $userinfo_response['http_code'] < 500) {

    // HTTP Error

    $_SESSION["dol_loginmesg"] = "OpenID Connect user info error: " . $userinfo_response['content'];

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$userinfo_response['content'], LOG_ERR);

    return false;

  } elseif (property_exists($userinfo_content, 'error') && $userinfo_content->error) {

    // Got user info response but content is an error

    $_SESSION["dol_loginmesg"] = "Error in OAuth 2.0 flow (".$userinfo_content->error_description.")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$userinfo_content->error_description, LOG_ERR);

    return false;

  } elseif (!property_exists($userinfo_content, $login_claim)) {

    // Other user info request error

    $_SESSION["dol_loginmesg"] = "Userinfo request error (".$userinfo_response['http_code'].")";

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::".$_SESSION["dol_loginmesg"], LOG_ERR);

    return false;

  }


  // Success: retrieve claim to return to Dolibarr as login

  $sql = 'SELECT login, entity, datestartvalidity, dateendvalidity';

  $sql .= ' FROM '.MAIN_DB_PREFIX.'user';

  if ($login_claim === 'email') {

    // If login claim is email, check both login and email fields

    $sql .= " WHERE (login = '".$db->escape((string) $userinfo_content->$login_claim)."' OR email = '".$db->escape((string) $userinfo_content->$login_claim)."')";

  } else {

    $sql .= " WHERE login = '".$db->escape((string) $userinfo_content->$login_claim)."'";

  }

  $sql .= ' AND entity IN (0,'.(array_key_exists('dol_entity', $_SESSION) ? ((int) $_SESSION["dol_entity"]) : 1).')';


  dol_syslog("functions_openid::check_user_password_openid", LOG_DEBUG);


  $resql = $db->query($sql);

  if (!$resql) {

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::Error with sql query (".$db->error().")");

    return false;

  }

  $numres = $db->num_rows($resql);

  if ($numres > 1) {

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::Error more than 1 result from the query");

    return false;

  }

  $obj = $db->fetch_object($resql);

  if (!$obj) {

    // User not found in Dolibarr - check if auto-creation is enabled

    global $dolibarr_main_authentication_autocreateuser;

    if (empty($dolibarr_main_authentication_autocreateuser)) {

      $_SESSION["dol_loginmesg"] = "User not found in Dolibarr and auto-creation is disabled";

      dol_syslog("functions_openid_connect::check_user_password_openid_connect::User not found, auto-creation disabled");

      return false;

    }


    dol_syslog("functions_openid_connect::check_user_password_openid_connect::User not found, auto-creating from OIDC claims");


    $claim_value = (string) $userinfo_content->$login_claim;

    $result_create = openid_connect_create_user($db, $userinfo_content, $claim_value, $entity);

    if (is_numeric($result_create) && $result_create < 0) {

      $_SESSION["dol_loginmesg"] = "Error creating user from OIDC";

      dol_syslog("functions_openid_connect::check_user_password_openid_connect::Error creating user, result=".$result_create, LOG_ERR);

      return false;

    }


    // $result_create is the sanitized login string

    $newlogin = $result_create;

    dol_syslog("functions_openid_connect::check_user_password_openid_connect::User auto-created login=".$newlogin);


    $_SESSION['OPENID_CONNECT'] = true;

    return $newlogin;

  }


  $_SESSION['OPENID_CONNECT'] = true;


  // Note: Test on date validity is done later natively with isNotIntoValidityDateRange() by core after calling checkLoginPassEntity() that call this method

  dol_syslog("functions_openid_connect::check_user_password_openid_connect END");

  return $obj->login;

}


$db
if(!isModEnabled('ai')||!getDolGlobalString('AI_ASSISTANT_ENABLED')) global $db
API class for accounts.
Definition execute_tool.php:46

getDolGlobalInt
getDolGlobalInt($key, $default=0)
Return a Dolibarr global constant int value.
Definition functions.lib.php:321

getDolGlobalString
getDolGlobalString($key, $default='')
Return a Dolibarr global constant string value.
Definition functions.lib.php:286

isModEnabled
isModEnabled($module)
Is Dolibarr module enabled.
Definition functions.lib.php:489

dol_syslog
dol_syslog($message, $level=LOG_INFO, $ident=0, $suffixinfilename='', $restricttologhandler='', $logcontext=null)
Write log message into outputs.
Definition functions.lib.php:2754

check_user_password_openid_connect
check_user_password_openid_connect($usertotest, $passwordtotest, $entitytotest)
Check validity of user/password/entity If test is ko, reason must be filled into $_SESSION["dol_login...
Definition functions_openid_connect.php:41

getURLContent
getURLContent($url, $postorget='GET', $param='', $followlocation=1, $addheaders=array(), $allowedschemes=array('http', 'https'), $localurl=0, $ssl_verifypeer=-1, $timeoutconnect=0, $timeoutresponse=0, $otherCurlOptions=array(), $morelogsuffix='')
Function to get a content from an URL (use proxy if proxy defined).
Definition geturl.lib.php:51

string
print $langs trans("Show") . '< td style="' . $timeColor . '" align="center"> s</td > badge status0 badge status4 badge status3 Error badge status8< td align="center">< span class="badge ' . $badge . '"></span ></td >< td align="center">< a href="#" class="button button-small" onclick="openLogModal(this)" data-req="' . dol_escape_htmltag($reqSafe) . '" data-res="' . dol_escape_htmltag($resSafe) . '" data-err="' . dol_escape_htmltag($errSafe) . '">< span class="fa fa-search-plus"></span ></a ></td ></tr >< tr >< td colspan="' . $colspan . '" class="opacitymedium"></td ></tr ></table ></div ></form > logModal none logModal none s a JSON string
buildzip.php
Definition log_viewer.php:266

openid_connect_verify_state
openid_connect_verify_state($state)
Verify an OIDC state token.
Definition openid_connect.lib.php:58

openid_connect_create_user
openid_connect_create_user($db, $userinfo, $login, $entity)
Create a Dolibarr user from OIDC userinfo claims.
Definition openid_connect.lib.php:118

openid_connect_get_redirect_url
openid_connect_get_redirect_url()
Return the OIDC callback redirect URL.
Definition openid_connect.lib.php:85