8.3.0

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Stanford SSP
 
+8.3.0
+--------------------------------------------------------------------------------
+_Release Date: 2023-05-03_
+
+- Added ability to exclude specific path patterns from redirecting, such as JSON API Endpoints.
+
 8.2.6
 --------------------------------------------------------------------------------
 _Release Date: 2023-01-09_

config/install/stanford_ssp.settings.yml

@@ -10,3 +10,6 @@ allowed:
   affiliations: {  }
   groups: {  }
   users: {  }
+exclude_redirect:
+  - /jsonapi
+  - /jsonapi/*

config/schema/stanford_ssp.schema.yml

@@ -52,3 +52,9 @@ stanford_ssp.settings:
           sequence:
             type: string
             label: 'Allowed User'
+    exclude_redirect:
+      type: sequence
+      label: 'Exclude Redirect'
+      sequence:
+        type: string
+        label: 'Exclude Redirect Path'

src/EventSubscriber/StanfordSSPEventSubscriber.php

@@ -3,10 +3,14 @@
 namespace Drupal\stanford_ssp\EventSubscriber;
 
 use Drupal\Core\Config\ConfigFactoryInterface;
+use Drupal\Core\Path\CurrentPathStack;
+use Drupal\Core\Path\PathMatcherInterface;
 use Drupal\Core\Session\AccountProxyInterface;
 use Drupal\Core\Url;
+use Drupal\path_alias\AliasManagerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
@@ -33,25 +37,23 @@ class StanfordSSPEventSubscriber implements EventSubscriberInterface {
    */
   protected $stanfordConfig;
 
-  /**
-   * Current user account.
-   *
-   * @var \Drupal\Core\Session\AccountProxyInterface
-   */
-  protected $userAccount;
-
   /**
    * StanfordSSPEventSubscriber constructor.
    *
    * @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
    *   Config factory service.
-   * @param \Drupal\Core\Session\AccountProxyInterface $user_account
+   * @param \Drupal\Core\Session\AccountProxyInterface $userAccount
    *   Current user object.
+   * @param \Drupal\Core\Path\PathMatcherInterface $pathMatcher
+   *   Path matcher service.
+   * @param \Drupal\Core\Path\CurrentPathStack $currentPath
+   *   Current path service.
+   * @param \Drupal\path_alias\AliasManagerInterface $aliasManager
+   *   Alias manager service.
    */
-  public function __construct(ConfigFactoryInterface $config_factory, AccountProxyInterface $user_account) {
+  public function __construct(ConfigFactoryInterface $config_factory, protected AccountProxyInterface $userAccount, protected PathMatcherInterface $pathMatcher, protected CurrentPathStack $currentPath, protected AliasManagerInterface $aliasManager) {
     $this->samlConfig = $config_factory->get('simplesamlphp_auth.settings');
     $this->stanfordConfig = $config_factory->get('stanford_ssp.settings');
-    $this->userAccount = $user_account;
   }
 
   /**
@@ -70,11 +72,11 @@ public static function getSubscribedEvents() {
    *   Response event object..
    */
   public function responseHandler(ResponseEvent $event) {
-
     if (
       $event->getResponse()->getStatusCode() == Response::HTTP_FORBIDDEN &&
       $event->getRequestType() == HttpKernelInterface::MASTER_REQUEST &&
-      $this->userAccount->isAnonymous()
+      $this->userAccount->isAnonymous() &&
+      $this->redirectPath($event->getRequest())
     ) {
       $origin = $event->getRequest()->getPathInfo();
       $query = $event->getRequest()->getQueryString();
@@ -93,4 +95,32 @@ public function responseHandler(ResponseEvent $event) {
     }
   }
 
+  /**
+   * Check if the current path is excluded by the settings for redirecting.
+   *
+   * The logic of this function was taken from the RequestPath condition plugin.
+   *
+   * @param \Symfony\Component\HttpFoundation\Request $request
+   *   Current request stack.
+   *
+   * @return bool
+   *   If the current page should be redirected.
+   */
+  protected function redirectPath(Request $request): bool {
+    $exclude_paths = implode("\n", $this->stanfordConfig->get('exclude_redirect') ?? []);
+
+    $pages = mb_strtolower($exclude_paths);
+    if (!$pages) {
+      return TRUE;
+    }
+    // Compare the lowercase path alias (if any) and internal path.
+    $path = $this->currentPath->getPath($request);
+
+    // Do not trim a trailing slash if that is the complete path.
+    $path = $path === '/' ? $path : rtrim($path, '/');
+    $path_alias = mb_strtolower($this->aliasManager->getAliasByPath($path));
+
+    return !($this->pathMatcher->matchPath($path_alias, $pages) || (($path != $path_alias) && $this->pathMatcher->matchPath($path, $pages)));
+  }
+
 }

stanford_ssp.info.yml

@@ -2,7 +2,8 @@ name: Stanford SimpleSAML PHP
 description: Configures SimpleSAML PHP auth to work in Stanford web environment
 core_version_requirement: ^9 || ^10
 type: module
-version: 8.2.6
+version: 8.3.0
 package: Stanford
 dependencies:
   - simplesamlphp_auth:simplesamlphp_auth
+  - drupal:path_alias

stanford_ssp.install

@@ -114,3 +114,11 @@ function stanford_ssp_update_8200() {
   ];
   $config->set('allowed', $allowed)->save();
 }
+
+/**
+ * Update settings to exclude jsonapi paths from 403 redirect.
+ */
+function stanford_ssp_update_8201() {
+  $config = \Drupal::configFactory()->getEditable('stanford_ssp.settings');
+  $config->set('exclude_redirect', ['/jsonapi', '/jsonapi/*'])->save();
+}

stanford_ssp.services.yml

@@ -18,6 +18,7 @@ services:
     arguments: ['@simplesamlphp_auth.manager', '@config.factory', '@entity_type.manager', '@logger.channel.simplesamlphp_auth', '@externalauth.externalauth', '@current_user', '@messenger', '@module_handler', '@stanford_ssp.workgroup_api']
   stanford_ssp.event_subscriber:
     class: Drupal\stanford_ssp\EventSubscriber\StanfordSSPEventSubscriber
-    arguments: ['@config.factory', '@current_user']
+    arguments: ['@config.factory', '@current_user', '@path.matcher', '@path.current', '@path_alias.manager']
     tags:
       - { name: event_subscriber }
+

tests/src/Kernel/Commands/StanfordSspCommandsTest.php

@@ -25,6 +25,7 @@ class StanfordSspCommandsTest extends KernelTestBase {
     'externalauth',
     'user',
     'stanford_ssp_test',
+    'path_alias',
   ];
 
   /**

tests/src/Kernel/EventSubscriber/StanfordSSPEventSubscriberTest.php

@@ -2,6 +2,7 @@
 
 namespace Drupal\Tests\stanford_ssp\Kernel\EventSubscriber;
 
+use Drupal\Core\Routing\RouteObjectInterface;
 use Drupal\KernelTests\KernelTestBase;
 use Drupal\stanford_ssp\EventSubscriber\StanfordSSPEventSubscriber;
 use Symfony\Component\EventDispatcher\EventDispatcher;
@@ -10,6 +11,7 @@
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Routing\Route;
 
 /**
  * Class StanfordSSPEventSubscriberTest
@@ -28,6 +30,7 @@ class StanfordSSPEventSubscriberTest extends KernelTestBase {
     'simplesamlphp_auth',
     'externalauth',
     'user',
+    'path_alias',
   ];
 
   /**
@@ -42,6 +45,7 @@ protected function setUp(): void {
     \Drupal::configFactory()
       ->getEditable('stanford_ssp.settings')
       ->set('hide_local_login', TRUE)
+      ->set('exclude_redirect', ['/foo-bar/*'])
       ->save();
   }
 
@@ -54,7 +58,8 @@ public function testKernelResponse() {
 
     $request->headers
       ->set('HOST', 'example.com');
-    $listener = new StanfordSSPEventSubscriber(\Drupal::configFactory(), \Drupal::currentUser());
+
+    $listener = \Drupal::service('stanford_ssp.event_subscriber');
     $dispatcher->addListener(KernelEvents::RESPONSE, [
       $listener,
       'responseHandler',
@@ -67,6 +72,17 @@ public function testKernelResponse() {
 
     $target_url = $event->getResponse()->getTargetUrl();
     $this->assertStringContainsString('/saml_login?ReturnTo=http', $target_url);
+    $this->assertEquals(302, $event->getResponse()->getStatusCode());
+
+    $request = Request::create('/foo-bar/baz');
+    $response = new Response('', Response::HTTP_FORBIDDEN);
+    $kernel = $this->createMock('Symfony\\Component\\HttpKernel\\HttpKernelInterface');
+    $event = new ResponseEvent($kernel, $request, HttpKernelInterface::MASTER_REQUEST, $response);
+    $dispatcher->dispatch(KernelEvents::RESPONSE, $event);
+
+    /** @var \Symfony\Component\HttpFoundation\Response $response */
+    $response = $event->getResponse();
+    $this->assertEquals(403, $response->getStatusCode());
   }
 
 }

tests/src/Kernel/Form/AddUserFormTest.php

@@ -26,6 +26,7 @@ class AddUserFormTest extends KernelTestBase {
     'stanford_ssp',
     'simplesamlphp_auth',
     'externalauth',
+    'path_alias',
   ];
 
   /**

tests/src/Kernel/Form/AuthorizationsFormTest.php

@@ -22,6 +22,7 @@ class AuthorizationsFormTest extends KernelTestBase {
     'stanford_ssp',
     'simplesamlphp_auth',
     'externalauth',
+    'path_alias',
   ];
 
   /**

tests/src/Kernel/Form/LocalLoginFormTest.php

@@ -18,6 +18,7 @@ class LocalLoginFormTest extends KernelTestBase {
     'simplesamlphp_auth',
     'externalauth',
     'field',
+    'path_alias',
   ];
 
   /**

tests/src/Kernel/Form/RoleSyncFormTest.php

@@ -33,6 +33,7 @@ class RoleSyncFormTest extends KernelTestBase {
     'stanford_ssp',
     'simplesamlphp_auth',
     'externalauth',
+    'path_alias',
   ];
 
   /**

tests/src/Kernel/Routing/RouteSubscriber/RouteSubscriberTest.php

@@ -20,6 +20,7 @@ class RouteSubscriberTest extends KernelTestBase {
     'simplesamlphp_auth',
     'stanford_ssp',
     'system',
+    'path_alias',
   ];
 
   /**