From 2f4e4abf1b93835bb615eab7e16695a7d9b33524 Mon Sep 17 00:00:00 2001
From: Michael McNeill
Date: Mon, 17 Aug 2020 06:30:35 -0400
Subject: [PATCH 1/5] Implementing multiple changes
---
options-admin.php | 30 ++++++++++--
options-user.php | 115 +++++++++++++++++-----------------------------
readme.txt | 20 ++++++--
shibboleth.php | 31 +++++++++++--
4 files changed, 113 insertions(+), 83 deletions(-)
diff --git a/options-admin.php b/options-admin.php
index 8435fc7..3bfa7a2 100644
--- a/options-admin.php
+++ b/options-admin.php
@@ -67,6 +67,9 @@ function shibboleth_options_page() {
if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD' ) ) {
update_site_option( 'shibboleth_attribute_access_method', $_POST['attribute_access'] );
}
+ if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK' ) ) {
+ update_site_option( 'shibboleth_attribute_access_method_fallback', $_POST['attribute_access_fallback'] );
+ }
if ( ! defined( 'SHIBBOLETH_ATTRIBUTE_CUSTOM_ACCESS_METHOD' ) ) {
update_site_option( 'shibboleth_attribute_custom_access_method', $_POST['attribute_custom_access'] );
}
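Review bot: The added `update_site_option()` call reads `$_POST['attribute_access_fallback']` without checking that the key exists or normalising the value. The readme in this patch documents the setting as a boolean, so the control is presumably a checkbox (its markup is not legible in the form hunk); browsers omit unchecked checkboxes from a submission, which would leave the index undefined, raise a PHP notice and store `null`. Normalising at the boundary keeps the stored value predictable, for example `update_site_option( 'shibboleth_attribute_access_method_fallback', ! empty( $_POST['attribute_access_fallback'] ) );`, adjusted to whatever encoding the form reads back. The neighbouring options in the context lines are saved the same unvalidated way, and the start of `shibboleth_options_page()`, including any nonce or capability check, is outside the hunk.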
@@ -201,6 +204,8 @@ function shibboleth_options_page() {
$constant = $constant || $from_constant;
list( $attribute_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method', false, false, true );
$constant = $constant || $from_constant;
+ list( $attribute_access_fallback, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_access_method_fallback', false, false, true );
+ $constant = $constant || $from_constant;
list( $attribute_custom_access, $from_constant ) = shibboleth_getoption( 'shibboleth_attribute_custom_access_method', false, false, true );
$constant = $constant || $from_constant;
list( $spoofkey, $from_constant ) = shibboleth_getoption( 'shibboleth_spoof_key', false, false, true );
@@ -293,6 +298,16 @@ function shibboleth_options_page() {
. ' WARNING: If you incorrectly set this option, you will force ALL attempts to authenticate with Shibboleth to fail.', 'shibboleth'); ?>
+
>
+
+
+ />
+
+
+
+
+
@@ -357,17 +372,26 @@ function AttributeAccessMethod()
if (selectedValue == "custom")
{
- document.getElementById("attribute_custom_access_row").style.display = "table-row";
+ document.getElementById("attribute_custom_access_row").style.display = "table-row";
+ document.getElementById("attribute_access_fallback_row").style.display = "table-row";
document.getElementById("spoofkey_row").style.display = "none";
}
else if (selectedValue == "http")
{
- document.getElementById("attribute_custom_access_row").style.display = "none";
+ document.getElementById("attribute_custom_access_row").style.display = "none";
+ document.getElementById("attribute_access_fallback_row").style.display = "table-row";
document.getElementById("spoofkey_row").style.display = "table-row";
+ }
+ else if (selectedValue == "standard")
+ {
+ document.getElementById("attribute_custom_access_row").style.display = "none";
+ document.getElementById("attribute_access_fallback_row").style.display = "none";
+ document.getElementById("spoofkey_row").style.display = "none";
}
else
{
- document.getElementById("attribute_custom_access_row").style.display = "none";
+ document.getElementById("attribute_custom_access_row").style.display = "none";
+ document.getElementById("attribute_access_fallback_row").style.display = "table-row";
document.getElementById("spoofkey_row").style.display = "none";
}
}
diff --git a/options-user.php b/options-user.php
index 962dc2e..4990c9b 100644
--- a/options-user.php
+++ b/options-user.php
@@ -1,39 +1,41 @@
ID;
+ } else {
+ global $user_id;
+ }
- if (get_user_meta( $user->ID, 'shibboleth_account') ) {
+ if ( get_user_meta( $user_id, 'shibboleth_account' ) ) {
+ add_filter( 'show_password_fields', '__return_false' );
- add_filter( 'show_password_fields', create_function( '$v', 'return false;' ) );
+ add_action( 'admin_footer-user-edit.php', 'shibboleth_disable_managed_fields' );
- add_action( 'admin_footer-profile.php', 'shibboleth_admin_footer_profile' );
+ add_action( 'admin_footer-profile.php', 'shibboleth_disable_managed_fields' );
}
}
+add_action( 'personal_options', 'shibboleth_edit_user_options' );
/**
* For WordPress accounts that were created by Shibboleth, disable certain fields
- * that they are allowed to modify.
+ * that users/administrators aren't allowed to modify.
*
- * @since 1.3
+ * @since 1.3 (renamed in 2.3 from `shibboleth_admin_footer_edit_user`)
*/
-function shibboleth_admin_footer_profile() {
+function shibboleth_disable_managed_fields() {
$managed_fields = shibboleth_get_managed_user_fields();
+ if ( shibboleth_getoption( 'shibboleth_update_roles' ) ) {
+ $managed_fields = array_merge( $managed_fields, array('role') );
+ }
if ( ! empty( $managed_fields ) ) {
- $selectors = join( ',', array_map( create_function( '$a', 'return "#$a";' ), $managed_fields ) );
+ $selectors = join( ',', array_map( function( $a ) { return "#$a"; }, $managed_fields ) );
echo '
';
}
}
-/**
- * For WordPress accounts that were created by Shibboleth, warn the admin of
- * Shibboleth managed attributes.
- *
- * @since 1.3
- */
-function shibboleth_admin_footer_edit_user() {
- global $user_id;
-
- if ( get_user_meta( $user_id, 'shibboleth_account' ) ) {
- $shibboleth_fields = array();
-
- $shibboleth_fields = array_merge( $shibboleth_fields, shibboleth_get_managed_user_fields() );
-
- $update = shibboleth_getoption( 'shibboleth_update_roles' );
-
- if ( $update ) {
- $shibboleth_fields = array_merge( $shibboleth_fields, array('role') );
- }
-
- if ( ! empty( $shibboleth_fields ) ) {
- $selectors = array();
-
- foreach( $shibboleth_fields as $field ) {
- $selectors[] = 'label[for=\'' . $field . '\']';
- }
-
- echo '
- ';
- }
- }
-}
-
-
/**
* Add change password link to the user profile for Shibboleth users.
*
- * @since 1.3
+ * @since 1.3 (renamed in 2.3 from `shibboleth_show_user_profile`)
*/
-function shibboleth_show_user_profile() {
+function shibboleth_change_password_profile_link() {
$user = wp_get_current_user();
$password_change_url = shibboleth_getoption( 'shibboleth_password_change_url' );
@@ -112,41 +76,46 @@ function shibboleth_show_user_profile() {
ID, 'shibboleth_account' ) ) {
$managed = shibboleth_get_managed_user_fields();
if ( in_array( 'first_name', $managed ) ) {
- add_filter( 'pre_user_first_name', create_function( '$n', 'return $GLOBALS["current_user"]->first_name;' ) );
+ $_POST['first_name']=$user->first_name;
}
if ( in_array( 'last_name', $managed ) ) {
- add_filter( 'pre_user_last_name', create_function( '$n', 'return $GLOBALS["current_user"]->last_name;' ) );
+ $_POST['last_name']=$user->last_name;
}
if ( in_array( 'nickname', $managed ) ) {
- add_filter( 'pre_user_nickname', create_function( '$n', 'return $GLOBALS["current_user"]->nickname;' ) );
+ $_POST['nickname']=$user->nickname;
}
if ( in_array( 'display_name', $managed ) ) {
- add_filter( 'pre_user_display_name', create_function( '$n', 'return $GLOBALS["current_user"]->display_name;' ) );
+ $_POST['display_name']=$user->display_name;
}
if ( in_array( 'email', $managed ) ) {
- add_filter( 'pre_user_email', create_function( '$e', 'return $GLOBALS["current_user"]->user_email;' ) );
+ $_POST['email']=$user->user_email;
}
}
}
+add_action( 'personal_options_update', 'shibboleth_prevent_managed_fields_update' );
+add_action( 'edit_user_profile_update', 'shibboleth_prevent_managed_fields_update' );
/**
* Adds a button to user profile pages if administrator has allowed
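Review bot: The server-side guard on the added lines resets `first_name`, `last_name`, `nickname`, `display_name` and `email`, but not `role`, even though `shibboleth_disable_managed_fields()` in the previous hunk treats `role` as managed when `shibboleth_update_roles` is enabled. For that field the lock is only the disabled state applied in the browser, which is a display hint rather than enforcement; whether a submitted role is still honoured depends on WordPress's own capability checks, which are not visible here. If the role is meant to be owned by Shibboleth, add a matching branch such as `if ( shibboleth_getoption( 'shibboleth_update_roles' ) ) { unset( $_POST['role'] ); }`. The opening lines of the function are outside the hunk.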
diff --git a/readme.txt b/readme.txt
index edc0b28..d164ea0 100644
--- a/readme.txt
+++ b/readme.txt
@@ -1,9 +1,10 @@
=== Shibboleth ===
Contributors: michaelryanmcneill, willnorris, mitchoyoshitaka, jrchamp, dericcrago, bshelton229, Alhrath, dandalpiaz
Tags: shibboleth, authentication, login, saml
-Requires at least: 3.3
-Tested up to: 5.4.2
-Stable tag: 2.2.2
+Requires at least: 4.0
+Tested up to: 5.5
+Requires PHP: 5.6
+Stable tag: 2.3
Allows WordPress to externalize user authentication and account creation to a Shibboleth Service Provider.
@@ -90,6 +91,10 @@ Yes, the plugin allows for all settings to be controlled via constants in `wp-co
- Format: string
- Available options: `'standard'` for the default "Environment Variables" option, `'redirect'` for the "Redirected Environment Variables" option, and `'http'` for the "HTTP Headers" option.
- Example: `define('SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD', 'standard');`
+ - `SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK`
+ - Format: boolean
+ - Available options: `true` to fallback to the standard "Environment Variables" options when the selected attribute access method does not return results or `false` to not fallback.
+ - Example: `define('SHIBBOLETH_ATTRIBUTE_ACCESS_METHOD_FALLBACK', true);`
- `SHIBBOLETH_LOGIN_URL`
- Format: string
- Avaliable Options: none
@@ -176,6 +181,9 @@ Yes, the plugin allows for all settings to be controlled via constants in `wp-co
3. Assign users into WordPress roles based on arbitrary data provided by Shibboleth
== Upgrade Notice ==
+= 2.3 =
+This update increases the minimum PHP version to 5.6 and the minimum WordPress version to 4.0. The plugin will fail to activate if you are running below those minimum versions.
+
= 2.2.2 =
This update re-implements a previously reverted conditional for three aliases of the Shibboleth Apache module: `mod_shib`, `mod_shib.c`, and `mod_shib.cpp`. If you run into issues related to this change, please open an issue on [GitHub](https://github.com/michaelryanmcneill/shibboleth/issues).
@@ -189,6 +197,12 @@ This update brings with it a major change to the way Shibboleth attributes are a
This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers
== Changelog ==
+= version 2.3 (2020-XX-XX) =
+ - Implementing a fallback option for the "Shibboleth Attribute Access Method". For example, if your web server returns redirected environment variables, but occasionally returns standard environment variables, you would want to enable this option.
+ - Removing deprecated `create_function()` from use.
+ - Bumped minimum PHP and WordPress versions to 5.6 and 4.0 respectively.
+ - Greatly improved the handling of managed fields and cleaned up `options-user.php`.
+
= version 2.2.2 (2020-06-22) =
- Re-implementing conditional for .htaccess to protect against the Shibboleth Apache module not being installed; [thanks to @jrchamp for reporting](https://github.com/michaelryanmcneill/shibboleth/issues/60). This change includes conditionals for `mod_shib`, `mod_shib.c`, and `mod_shib.cpp`. If you run into issues related to this change, please open an issue on [GitHub](https://github.com/michaelryanmcneill/shibboleth/issues).
diff --git a/shibboleth.php b/shibboleth.php
index 91de89d..e2e7dd9 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -4,13 +4,16 @@
Plugin URI: http://wordpress.org/extend/plugins/shibboleth
Description: Easily externalize user authentication to a Shibboleth Service Provider
Author: Michael McNeill, mitcho (Michael 芳貴 Erlewine), Will Norris
- Version: 2.2.2
+ Version: 2.3
+ Requires PHP: 5.6
+ Requires at least: 4.0
License: Apache 2 (http://www.apache.org/licenses/LICENSE-2.0.html)
Text Domain: shibboleth
*/
-define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '3.3' );
-define( 'SHIBBOLETH_PLUGIN_VERSION', '2.2' );
+define( 'SHIBBOLETH_MINIMUM_WP_VERSION', '4.0' );
+define( 'SHIBBOLETH_MINIMUM_PHP_VERSION', '5.6');
+define( 'SHIBBOLETH_PLUGIN_VERSION', '2.3' );
/**
* Determine if this is a new install or upgrade and, if so, run the
@@ -79,11 +82,14 @@ function shibboleth_getenv( $var ) {
// Get the specified shibboleth attribute access method; if one isn't specified
// simply use standard environment variables since they're the safest
$method = shibboleth_getoption( 'shibboleth_attribute_access_method', 'standard' );
+ $fallback = shibboleth_getoption( 'shibboleth_attribute_access_method_fallback' );
switch ( $method ) {
// Use standard by default for security
case 'standard' :
$var_method = '';
+ // Disable fallback to prevent the same variables from being checked twice.
+ $fallback = false;
break;
// If specified, use redirect
case 'redirect' :
@@ -101,6 +107,8 @@ function shibboleth_getenv( $var ) {
// Otherwise, fall back to standard for security
default :
$var_method = '';
+ // Disable fallback to prevent the same variables from being checked twice.
+ $fallback = false;
}
// Using the selected attribute access method, check all possible cases
@@ -115,6 +123,18 @@ function shibboleth_getenv( $var ) {
$var_method . $var_under_upper => TRUE,
);
+ // If fallback is enabled, we will add the standard environment variables to the end of the array to allow for fallback
+ if ( $fallback ) {
+ $fallback_check_vars = array(
+ $var => TRUE,
+ $var_under => TRUE,
+ $var_upper => TRUE,
+ $var_under_upper => TRUE,
+ );
+
+ array_merge( $check_vars, $fallback_check_vars);
+ }
+
foreach ( $check_vars as $check_var => $true ) {
if ( isset( $_SERVER[$check_var] ) && ( $result = $_SERVER[$check_var] ) !== FALSE ) {
return $result;
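Review bot: The lookup loop returns the first `$_SERVER` entry that is set, and an empty string passes both `isset()` and `!== FALSE`, so a prefixed variable that is present but empty ends the search before the fallback names built in this hunk are reached (the merge result is only stored from patch 3/5 onward). If "does not return results" in the readme is meant to include empty values, the condition needs an explicit `'' !== $_SERVER[$check_var]` test. Fallback is also resolved per attribute, so one request can take some attributes from the prefixed source and others from the unprefixed one. A comment such as `// Fallback is per attribute: values from the selected method and from standard variables may be mixed in one login.` would make that explicit for anyone assessing the trust boundary. `shibboleth_getenv()` begins and ends outside the hunk.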
@@ -155,7 +175,10 @@ function shibboleth_auto_login() {
function shibboleth_activate_plugin() {
if ( version_compare( $GLOBALS['wp_version'], SHIBBOLETH_MINIMUM_WP_VERSION, '<' ) ) {
deactivate_plugins( plugin_basename( __FILE__ ) );
- wp_die( __( 'Shibboleth requires WordPress '. SHIBBOLETH_MINIMUM_WP_VERSION . 'or higher!', 'shibboleth' ) );
+ wp_die( __( 'Shibboleth requires WordPress '. SHIBBOLETH_MINIMUM_WP_VERSION . ' or higher!', 'shibboleth' ) );
+ } elseif ( version_compare( PHP_VERSION, SHIBBOLETH_MINIMUM_PHP_VERSION, '<' ) ) {
+ deactivate_plugins( plugin_basename( __FILE__ ) );
+ wp_die( __( 'Shibboleth requires PHP '. SHIBBOLETH_MINIMUM_PHP_VERSION . ' or higher!', 'shibboleth' ) );
}
if ( function_exists( 'switch_to_blog' ) ) {
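Review bot: The new PHP-version branch builds its message by concatenating the constant inside `__()`, so the string handed to the translation lookup changes with the version number and will not match a catalogue entry. Use a placeholder instead: `wp_die( sprintf( __( 'Shibboleth requires PHP %s or higher!', 'shibboleth' ), SHIBBOLETH_MINIMUM_PHP_VERSION ) );`, and do the same for the WordPress message in the branch above. `shibboleth_activate_plugin()` continues past the end of the hunk.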
From bb216a6a31c10a28db2b59551157d6f9f13747b8 Mon Sep 17 00:00:00 2001
From: Michael McNeill
Date: Mon, 17 Aug 2020 10:38:31 -0400
Subject: [PATCH 2/5] Update reference to previous function
Co-authored-by: Jonathan Champ
---
options-user.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/options-user.php b/options-user.php
index 4990c9b..d3e0d5b 100644
--- a/options-user.php
+++ b/options-user.php
@@ -26,7 +26,7 @@ function shibboleth_edit_user_options() {
* For WordPress accounts that were created by Shibboleth, disable certain fields
* that users/administrators aren't allowed to modify.
*
- * @since 1.3 (renamed in 2.3 from `shibboleth_admin_footer_edit_user`)
+ * @since 1.3 (renamed in 2.3 from `shibboleth_admin_footer_profile`)
*/
function shibboleth_disable_managed_fields() {
$managed_fields = shibboleth_get_managed_user_fields();
From b3425577b42af32ed8cb1a1afcb9976c1986712d Mon Sep 17 00:00:00 2001
From: Michael McNeill
Date: Mon, 17 Aug 2020 10:40:53 -0400
Subject: [PATCH 3/5] Store the result of the fallback array_merge
Co-authored-by: Jonathan Champ
---
shibboleth.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/shibboleth.php b/shibboleth.php
index e2e7dd9..fa1934e 100644
--- a/shibboleth.php
+++ b/shibboleth.php
@@ -132,7 +132,7 @@ function shibboleth_getenv( $var ) {
$var_under_upper => TRUE,
);
- array_merge( $check_vars, $fallback_check_vars);
+ $check_vars = array_merge( $check_vars, $fallback_check_vars );
}
foreach ( $check_vars as $check_var => $true ) {
From 852a02fd8c41c09bbbae561dfccc4d24a0e6a7ae Mon Sep 17 00:00:00 2001
From: Michael McNeill
Date: Mon, 17 Aug 2020 10:46:38 -0400
Subject: [PATCH 4/5] Adding padding to various parts of options-user.php
---
options-user.php | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/options-user.php b/options-user.php
index d3e0d5b..0fdab6a 100644
--- a/options-user.php
+++ b/options-user.php
@@ -89,28 +89,28 @@ function shibboleth_prevent_managed_fields_update( $user_id ) {
if ( get_user_meta( $user_id, 'shibboleth_account' ) ) {
- $user = get_user_by('id', $user_id );
+ $user = get_user_by( 'id', $user_id );
$managed = shibboleth_get_managed_user_fields();
if ( in_array( 'first_name', $managed ) ) {
- $_POST['first_name']=$user->first_name;
+ $_POST['first_name'] = $user->first_name;
}
if ( in_array( 'last_name', $managed ) ) {
- $_POST['last_name']=$user->last_name;
+ $_POST['last_name'] = $user->last_name;
}
if ( in_array( 'nickname', $managed ) ) {
- $_POST['nickname']=$user->nickname;
+ $_POST['nickname'] = $user->nickname;
}
if ( in_array( 'display_name', $managed ) ) {
- $_POST['display_name']=$user->display_name;
+ $_POST['display_name'] = $user->display_name;
}
if ( in_array( 'email', $managed ) ) {
- $_POST['email']=$user->user_email;
+ $_POST['email'] = $user->user_email;
}
}
}
From 50f8dbda7fee1548786afc967f04b6232c2346ab Mon Sep 17 00:00:00 2001
From: Michael McNeill
Date: Mon, 17 Aug 2020 10:56:40 -0400
Subject: [PATCH 5/5] Adding release date
---
readme.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/readme.txt b/readme.txt
index d164ea0..79a3f7d 100644
--- a/readme.txt
+++ b/readme.txt
@@ -197,7 +197,7 @@ This update brings with it a major change to the way Shibboleth attributes are a
This update brings with it a major change to the way Shibboleth attributes are accessed. For most users, no additional configuration will be necessary. If you are using a specialized server configuration, such as a Shibboleth Service Provider on a reverse proxy or a server configuration that results in environment variables being sent with the prefix REDIRECT_, you should see the changelog for additional details: https://wordpress.org/plugins/shibboleth/#developers
== Changelog ==
-= version 2.3 (2020-XX-XX) =
+= version 2.3 (2020-08-17) =
- Implementing a fallback option for the "Shibboleth Attribute Access Method". For example, if your web server returns redirected environment variables, but occasionally returns standard environment variables, you would want to enable this option.
- Removing deprecated `create_function()` from use.
- Bumped minimum PHP and WordPress versions to 5.6 and 4.0 respectively.