forked from psignoret/aad-sso-wordpress
-
Notifications
You must be signed in to change notification settings - Fork 1
/
class-aadsso-settings-page.php
942 lines (829 loc) · 27.8 KB
/
class-aadsso-settings-page.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
<?php
/**
* File class-aadsso-settings-page.php
*
* @package aad-sso-wordpress
*/
/**
* The class holding all the logic for the 'Azure AD' settings page used to configure the plugin.
*
* Partially generated by the WordPress Option Page generator
* at http://jeremyhixon.com/wp-tools/option-page/
*/
class AADSSO_Settings_Page {
/**
* The stored settings (with defaults, if the setting isn't stored).
*
* @var array
*/
private $settings;
/**
* The option page's hook_suffix returned from add_options_page
*
* @var string
*/
private $options_page_id;
/**
* Constructs a AADSSO_Settings_Page class, used to set up the plugin's settings page.
*/
public function __construct() {
// Ensure jQuery is loaded.
add_action( 'admin_enqueue_scripts', array( $this, 'maybe_include_jquery' ) );
// Add the 'Azure AD' options page.
add_action( 'admin_menu', array( $this, 'add_options_page' ) );
// Register the settings.
add_action( 'admin_init', array( $this, 'register_settings' ) );
// Call the nonce router.
add_action( 'admin_init', array( $this, 'route_by_nonce' ) );
// If settings were reset, show confirmation.
add_action( 'all_admin_notices', array( $this, 'notify_if_reset_successful' ) );
// Load stored configuration values, with defaults if there's nothing set.
$default_settings = AADSSO_Settings::get_defaults();
$this->settings = get_option( 'aadsso_settings', $default_settings );
foreach ( $default_settings as $key => $default_value ) {
if ( ! isset( $this->settings[ $key ] ) ) {
$this->settings[ $key ] = $default_value;
}
}
}
/**
* Performs actions if the nonce is valid.
*/
public function route_by_nonce() {
if ( ! isset( $_GET['_wpnonce'] ) ) {
return;
}
// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
$nonce = wp_unslash( $_GET['_wpnonce'] );
if ( wp_verify_nonce( $nonce, 'aadsso_reset_settings' ) ) {
$this->reset_settings();
}
}
/**
* Generates a raw nonce URL for a given action.
*
* @param string $action The action to generate a nonce URL for.
* @return string A nonce'd URL, suitable for redirection.
*/
private function aadsso_action_url( $action = -1 ) {
$url = admin_url( 'options-general.php?page=aadsso_settings' );
// During debugging, add the action to the url to make tracing easier.
if ( defined( 'AADSSO_DEBUG' ) && AADSSO_DEBUG ) {
$url = add_query_arg( 'aadsso_nonce_hint', $action, $url );
}
return html_entity_decode( wp_nonce_url( $url, $action ) );
}
/**
* Checks the action of a link specified by the nonce.
*/
private function reset_settings() {
// If the reset settings button was clicked, clear the settings.
delete_option( 'aadsso_settings' );
// Redirect to the page with a success.
$url = $this->aadsso_action_url(
'aadsso_reset_settings_success'
);
// Redirect to the page with a success.
wp_safe_redirect( $url );
}
/**
* Verifies a query string nonce with some defaults.
*
* @param string $action The action to verify.
* @param string $param The query string parameter to check for the nonce.
*
* @return bool Whether the nonce is valid.
*/
public function is_aadsso_action( $action, $param = '_wpnonce' ) {
if ( ! isset( $_GET[ $param ] ) ) {
return false;
}
$unslashed_nonce = sanitize_text_field( wp_unslash( $_GET[ $param ] ) );
return wp_verify_nonce( $unslashed_nonce, $action );
}
/**
* Notifies user if settings reset was successful.
*/
public function notify_if_reset_successful() {
if ( $this->is_aadsso_action( 'aadsso_reset_settings_success' ) ) {
echo '<div id="message" class="notice notice-warning"><p>'
. esc_html__(
'Single Sign-on with Azure Active Directory settings have been reset to default.',
'aad-sso-wordpress'
)
. '</p></div>';
}
}
/**
* Adds the 'Azure AD' options page.
*/
public function add_options_page() {
$this->options_page_id = add_options_page(
__( 'Azure Active Directory Single Sign-on for WordPress', 'aad-sso-wordpress' ), // $page_title
'Azure AD', // $menu_title
'manage_options', // $capability
'aadsso_settings', // $menu_slug
array( $this, 'render_admin_page' ) // $callback
);
}
/**
* Renders the 'Azure AD' settings page.
*/
public function render_admin_page() {
require_once 'view/settings.php';
}
/**
* Registers settings, sections and fields.
*/
public function register_settings() {
register_setting(
'aadsso_settings', // $option_group
'aadsso_settings', // $option_name
array( $this, 'sanitize_settings' ) // $sanitize_callback
);
add_settings_section(
'aadsso_settings_general', // $id
__( 'General', 'aad-sso-wordpress' ), // $title
array( $this, 'settings_general_info' ), // $callback
'aadsso_settings_page' // $page
);
add_settings_section(
'aadsso_settings_advanced', // $id
__( 'Advanced', 'aad-sso-wordpress' ), // $title
array( $this, 'settings_advanced_info' ), // $callback
'aadsso_settings_page' // $page
);
add_settings_field(
'org_display_name', // $id
__( 'Display name', 'aad-sso-wordpress' ), // $title
array( $this, 'org_display_name_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'org_domain_hint', // $id
__( 'Domain hint', 'aad-sso-wordpress' ), // $title
array( $this, 'org_domain_hint_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'client_id', // $id
__( 'Client ID', 'aad-sso-wordpress' ), // $title
array( $this, 'client_id_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'client_secret', // $id
__( 'Client secret', 'aad-sso-wordpress' ), // $title
array( $this, 'client_secret_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'redirect_uri', // $id
__( 'Redirect URL', 'aad-sso-wordpress' ), // $title
array( $this, 'redirect_uri_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'logout_redirect_uri', // $id
__( 'Logout redirect URL', 'aad-sso-wordpress' ), // $title
array( $this, 'logout_redirect_uri_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'enable_full_logout', // $id
__( 'Enable full logout', 'aad-sso-wordpress' ), // $title
array( $this, 'enable_full_logout_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'field_to_match_to_upn', // $id
__( 'Field to match to UPN', 'aad-sso-wordpress' ), // $title
array( $this, 'field_to_match_to_upn_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'match_on_upn_alias', // $id
__( 'Match on alias of the UPN', 'aad-sso-wordpress' ), // $title
array( $this, 'match_on_upn_alias_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'enable_auto_provisioning', // $id
__( 'Enable auto-provisioning', 'aad-sso-wordpress' ), // $title
array( $this, 'enable_auto_provisioning_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'enable_auto_forward_to_aad', // $id
__( 'Enable auto-forward to Azure AD', 'aad-sso-wordpress' ), // $title
array( $this, 'enable_auto_forward_to_aad_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'enable_aad_group_to_wp_role', // $id
__( 'Enable Azure AD group to WP role association', 'aad-sso-wordpress' ), // $title
array( $this, 'enable_aad_group_to_wp_role_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'default_wp_role', // $id
__( 'Default WordPress role if not in Azure AD group', 'aad-sso-wordpress' ), // $title
array( $this, 'default_wp_role_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'role_map', // $id
__( 'WordPress role to Azure AD group map', 'aad-sso-wordpress' ), // $title
array( $this, 'role_map_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_general' // $section
);
add_settings_field(
'openid_configuration_endpoint', // $id
__( 'OpenID Connect configuration endpoint', 'aad-sso-wordpress' ), // $title
array( $this, 'openid_configuration_endpoint_callback' ), // $callback
'aadsso_settings_page', // $page
'aadsso_settings_advanced' // $section
);
}
/**
* Gets the array of roles determined by other plugins to be "editable".
*/
private function get_editable_roles() {
global $wp_roles;
$all_roles = $wp_roles->roles;
$editable_roles = apply_filters( 'editable_roles', $all_roles );
return $editable_roles;
}
/**
* Cleans and validates form information before saving.
*
* @param array $input key-value information to be cleaned before saving.
*
* @return array The sanitized and valid data to be stored.
*/
public function sanitize_settings( $input ) {
$sanitary_values = array();
$text_fields = array(
'org_display_name',
'org_domain_hint',
'client_id',
'client_secret',
'redirect_uri',
'logout_redirect_uri',
'openid_configuration_endpoint',
);
foreach ( $text_fields as $text_field ) {
if ( isset( $input[ $text_field ] ) ) {
$sanitary_values[ $text_field ] = sanitize_text_field( $input[ $text_field ] );
}
}
// Default field_to_match_to_upn is 'email'.
$sanitary_values['field_to_match_to_upn'] = 'email';
// phpcs:ignore
if ( isset( $input['field_to_match_to_upn'] )
&& in_array( $input['field_to_match_to_upn'], array( 'email', 'login' ), true )
) {
$sanitary_values['field_to_match_to_upn'] = $input['field_to_match_to_upn'];
}
// Default role for user that is not member of any Azure AD group is null, which denies access.
$sanitary_values['default_wp_role'] = null;
if ( isset( $input['default_wp_role'] ) ) {
$sanitary_values['default_wp_role'] = sanitize_text_field( $input['default_wp_role'] );
}
// Booleans: when input[$key] == $key, this is considered true, otherwise false.
// example: input['enable_auto_provisioning'] == 'enable_auto_provisioning' is true.
$boolean_settings = array(
'enable_auto_provisioning',
'enable_auto_forward_to_aad',
'enable_aad_group_to_wp_role',
'match_on_upn_alias',
'enable_full_logout',
);
foreach ( $boolean_settings as $boolean_setting ) {
if ( isset( $input[ $boolean_setting ] ) ) {
$sanitary_values[ $boolean_setting ] = ( $boolean_setting === $input[ $boolean_setting ] );
} else {
$sanitary_values[ $boolean_setting ] = false;
}
}
/*
* Many of the roles in WordPress will not have Azure AD groups associated with them.
* Go over all roles, removing the mapping for empty ones.
*/
if ( isset( $input['role_map'] ) ) {
foreach ( $input['role_map'] as $role_slug => $group_object_id ) {
if ( empty( $group_object_id ) ) {
unset( $input['role_map'][ $role_slug ] );
}
}
$sanitary_values['role_map'] = $input['role_map'];
}
// If the OpenID Connect configuration endpoint is changed, clear the cached values.
$stored_oidc_config_endpoint = isset( $this->settings['openid_configuration_endpoint'] )
? $this->settings['openid_configuration_endpoint']
: null;
// If the OID config endpoint changed, clear the cached values.
if ( $stored_oidc_config_endpoint !== $sanitary_values['openid_configuration_endpoint'] ) {
delete_transient( 'aadsso_openid_configuration' );
AADSSO::debug_log( 'Setting \'openid_configuration_endpoint\' changed, cleared cached OpenID Connect values.', AADSSO_LOG_INFO );
}
return $sanitary_values;
}
/**
* Renders details for the General settings section.
*/
public function settings_general_info() {
}
/**
* Renders details for the Advanced settings section.
*/
public function settings_advanced_info() {
}
/**
* Renders the `role_map` picker control.
*/
public function role_map_callback() {
$role_map = isset( $this->settings['role_map'] ) ? $this->settings['role_map'] : array();
$defined_name = 'AADSSO_AAD_GROUP_TO_WP_ROLE_MAP';
if ( defined( $defined_name ) ) {
$aad_group_to_wp_role_map = json_decode( constant( $defined_name ), true );
foreach ( $aad_group_to_wp_role_map as $aad_group => $wp_role ) {
if ( ! isset( $role_map[ $wp_role ] ) ) {
$role_map[ $wp_role ] = $aad_group;
}
}
}
$this
->render_description(
__( 'Map WordPress roles to Azure Active Directory groups.', 'aad-sso-wordpress' )
)->render_constant_message( 'aad_group_to_wp_role_map' );
echo '<table class="" style="width: 100%">';
printf(
'<thead><tr><th>%s</th><td><strong>%s</strong></td></tr></thead>',
esc_html__( 'WordPress Role', 'aad-sso-wordpress' ),
esc_html__( 'Azure AD Group Object ID', 'aad-sso-wordpress' )
);
echo '<tbody>';
foreach ( $this->get_editable_roles() as $role_slug => $role ) {
echo '<tr>';
echo '<th>' . esc_html( $role['name'] ) . '</th>';
echo '<td>';
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo defined( $defined_name )
? ( empty( $role_map[ $role_slug ] )
? AADSSO_Html_Helper::get_tag( 'em', array(), 'not mapped' )
: AADSSO_Html_Helper::get_tag( 'code', array(), $role_map[ $role_slug ] ) )
: AADSSO_Html_Helper::get_tag(
'input',
array(
'type' => 'text',
'name' => 'aadsso_settings[role_map][' . $role_slug . ']',
'id' => 'role_map_' . $role_slug,
'value' => isset( $role_map[ $role_slug ] ) ? $role_map[ $role_slug ] : '',
'disabled' => defined( $defined_name ),
)
);
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
echo '</td>';
echo '</tr>';
}
echo '</tbody>';
echo '</table>';
}
/**
* Renders the `org_display_name` form control.
*/
public function org_display_name_callback() {
$this
->render_text_field( 'org_display_name', get_bloginfo( 'name' ) )
->render_description(
__( 'Display Name will be shown on the WordPress login screen.', 'aad-sso-wordpress' )
)
->render_constant_message( 'org_display_name' );
}
/**
* Renders the `org_domain_hint` form control.
*/
public function org_domain_hint_callback() {
$description = implode(
' ',
array(
__( 'Provides a hint to Azure AD about the tenant or domain that the user should use to sign in.', 'aad-sso-wordpress' ),
__( 'If the domain is federated, the user will be automatically redirected to federation endpoint.', 'aad-sso-wordpress' ),
)
);
$this->render_text_field( 'org_domain_hint' )
->render_description( $description )
->render_constant_message( 'org_domain_hint' );
}
/**
* Renders the `client_id` form control
*/
public function client_id_callback() {
$this
->render_text_field( 'client_id' )
->render_description(
__( 'The client ID of the Azure AD application representing this blog.', 'aad-sso-wordpress' )
)
->render_constant_message( 'client_id' );
}
/**
* Renders the `client_secret` form control
**/
public function client_secret_callback() {
$this
->render_text_field( 'client_secret' )
->render_description(
__( 'A secret key for the Azure AD application representing this blog.', 'aad-sso-wordpress' )
)
->render_constant_message( 'client_secret' );
}
/**
* Renders the `redirect_uri` form control
**/
public function redirect_uri_callback() {
$description = implode(
' ',
array(
__( 'The URL where the user is redirected to after authenticating with Azure AD.', 'aad-sso-wordpress' ),
__(
'This URL must be registered in Azure AD as a valid redirect URL, and it must be a page that invokes the "authenticate" filter.',
'aad-sso-wordpress'
),
__( 'If you don\'t know what to set, leave the default value (which is this blog\'s login page).', 'aad-sso-wordpress' ),
)
);
$this
->render_text_field( 'redirect_uri', wp_login_url() )
->render_description( $description )
->render_constant_message( 'redirect_uri' );
}
/**
* Renders the `logout_redirect_uri` form control
**/
public function logout_redirect_uri_callback() {
$description = implode(
' ',
array(
__( 'The URL where the user is redirected to after signing out of Azure AD.', 'aad-sso-wordpress' ),
__( 'This URL must be registered in Azure AD as a valid redirect URL.', 'aad-sso-wordpress' ),
__( 'If you don\'t know what to set, leave the default value (which is this blog\'s login page).', 'aad-sso-wordpress' ),
)
);
$this
->render_text_field( 'logout_redirect_uri', wp_login_url() )
->render_description( $description )
->render_constant_message( 'logout_redirect_uri' );
}
/**
* Renders the `field_to_match_to_upn` form control.
*/
public function field_to_match_to_upn_callback() {
$disabled = false;
$selected = isset( $this->settings['field_to_match_to_upn'] )
? $this->settings['field_to_match_to_upn']
: '';
$define_name = 'AADSSO_FIELD_TO_MATCH_TO_UPN';
if ( defined( $define_name ) ) {
$disabled = true;
$selected = constant( $define_name );
}
$this
->render_select_field(
'field_to_match_to_upn',
$selected,
$disabled,
array(
'email' => __( 'Email Address', 'aad-sso-wordpress' ),
'login' => __( 'Login Name', 'aad-sso-wordpress' ),
)
)
->render_description(
__(
'This specifies the WordPress user field which will be used to match to the Azure AD user\'s UserPrincipalName.',
'aad-sso-wordpress'
)
)->render_constant_message( 'field_to_match_to_upn' );
}
/**
* Renders the `match_on_upn_alias` checkbox control.
*/
public function match_on_upn_alias_callback() {
$description = implode(
' ',
array(
__( 'Match WordPress users based on the alias of their Azure AD UserPrincipalName.', 'aad-sso-wordpress' ),
__( 'For example, Azure AD username <code>[email protected]</code> will match WordPress user <code>bob</code>.', 'aad-sso-wordpress' ),
)
);
$this
->render_checkbox_field(
'match_on_upn_alias',
$description
)->render_constant_message( 'match_on_upn_alias' );
}
/**
* Renders the `default_wp_role` control.
*/
public function default_wp_role_callback() {
// Default configuration should be most-benign.
if ( ! isset( $this->settings['default_wp_role'] ) ) {
$this->settings['default_wp_role'] = '';
}
$roles = array(
'' => __( '(None, deny access)', 'aad-sso-wordpress' ),
);
foreach ( $this->get_editable_roles() as $role_slug => $role ) {
$roles[ $role_slug ] = $role['name'];
}
$value = isset( $this->settings['default_wp_role'] )
? $this->settings['default_wp_role']
: '';
$defined_name = 'AADSSO_DEFAULT_WP_ROLE';
if ( defined( $defined_name ) ) {
$value = constant( $defined_name );
}
$description = implode(
' ',
array(
__( 'This is the default role that users will be assigned to if matching Azure AD group to WordPress roles is enabled, but the signed in user isn\'t a member of any of the configured Azure AD groups.', 'aad-sso-wordpress' ),
__( 'By default, this will not provision any WordPress users, and will deny access to the site.', 'aad-sso-wordpress' ),
)
);
$this
->render_select_field( 'default_wp_role', $value, defined( $defined_name ), $roles )
->render_description( $description )
->render_constant_message( 'default_wp_role' );
}
/**
* Renders the `enable_auto_provisioning` checkbox control.
*/
public function enable_auto_provisioning_callback() {
$this->render_checkbox_field(
'enable_auto_provisioning',
__(
'Automatically create WordPress users, if needed, for authenticated Azure AD users.',
'aad-sso-wordpress'
)
)->render_constant_message( 'enable_auto_provisioning' );
}
/**
* Renders the `enable_auto_forward_to_aad` checkbox control.
*/
public function enable_auto_forward_to_aad_callback() {
$this->render_checkbox_field(
'enable_auto_forward_to_aad',
__(
'Automatically forward users to the Azure AD to sign in, skipping the WordPress login screen.',
'aad-sso-wordpress'
)
)
->render_constant_message( 'enable_auto_forward_to_aad' );
}
/**
* Renders the `enable_aad_group_to_wp_role` checkbox control.
*/
public function enable_aad_group_to_wp_role_callback() {
$this->render_checkbox_field(
'enable_aad_group_to_wp_role',
__(
'Automatically assign WordPress user roles based on Azure AD group membership.',
'aad-sso-wordpress'
)
)->render_constant_message( 'enable_aad_group_to_wp_role' );
}
/**
* Renders the `openid_configuration_endpoint` form control
**/
public function openid_configuration_endpoint_callback() {
$description = implode(
' ',
array(
__( 'The OpenID Connect configuration endpoint to use.', 'aad-sso-wordpress' ),
__( 'To support Microsoft Accounts and external users (users invited in from other Azure AD directories, known sometimes as "B2B users" or "B2C users") you must use: <code>https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration</code>, where <code>{tenant-id}</code> is the tenant ID or a verified domain name of your directory.', 'aad-sso-wordpress' ),
)
);
$this->render_text_field( 'openid_configuration_endpoint', AADSSO_Settings::get_defaults( 'openid_configuration_endpoint' ) )
->render_description(
$description
)->render_constant_message( 'openid_configuration_endpoint' );
}
/**
* Renders the `enable_full_logout` checkbox control.
*/
public function enable_full_logout_callback() {
$this
->render_checkbox_field(
'enable_full_logout',
__(
'Do a full logout of Azure AD when logging out of WordPress.',
'aad-sso-wordpress'
)
)
->render_constant_message( 'enable_full_logout' );
}
/**
* Renders a simple text field and populates it with the setting value.
*
* @param string $name The setting name for the text input field.
* @param string $set_default_value If provided, a Set Default link will appear next to the control, allowing the user to reset the recommended value.
*/
public function render_text_field( $name, $set_default_value = null ) {
$define_name = 'AADSSO_' . strtoupper( $name );
$is_defined = defined( $define_name );
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo AADSSO_Html_Helper::get_tag(
'input',
array(
'type' => 'text',
'name' => 'aadsso_settings[' . $name . ']',
'id' => $name,
'value' => $is_defined
? constant( $define_name )
: ( isset( $this->settings[ $name ] )
? esc_attr( $this->settings[ $name ] )
: '' ),
'disabled' => $is_defined,
)
);
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
if ( ! $is_defined && null !== $set_default_value ) {
printf(
' <a href="#" onclick="jQuery(\'#%1$s\').val(\'%2$s\'); return false;">%3$s</a>',
esc_attr( $name ),
esc_attr( $set_default_value ),
esc_html__( 'Set default', 'aad-sso-wordpress' )
);
}
return $this;
}
/**
* Renders a p.description tag with some text.
*
* @param string $description The description to render. This will not be escaped.
*/
public function render_description( $description ) {
printf(
'<p class="description">%s</p>',
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
$description
);
return $this;
}
/**
* Renders a notice about whether or not $name is set as a constant.
*
* @param string $name The setting name for the checkbox field.
*/
public function render_constant_message( $name ) {
$define_name = 'AADSSO_' . strtoupper( $name );
$is_defined = defined( $define_name );
return $this->render_description(
$is_defined
? sprintf(
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
// translators: %s is the name of the constant.
__(
'This value is set using the constant <code>%s</code>.',
'aad-sso-wordpress'
),
$define_name
)
: sprintf(
// translators: %s is the name of the constant.
__(
'This value can be set using the constant <code>%s</code>.',
'aad-sso-wordpress'
),
$define_name
)
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
);
}
/**
* Renders a checkbox field.
*
* @param string $name The setting name for the checkbox input field.
* @param string $selected_value The label for the checkbox input field.
* @param bool $disabled Whether the checkbox input field is disabled.
* @param array $options A $value => $label array to render as <option> tags.
*/
public function render_select_field( $name, $selected_value, $disabled, $options ) {
$option_values = array_keys( $options );
$options = array_map(
function ( $value, $label ) use ( $selected_value ) {
return AADSSO_Html_Helper::get_tag(
'option',
array(
'value' => $value,
'selected' => $value === $selected_value,
),
$label
);
},
$option_values,
$options
);
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo AADSSO_Html_Helper::get_tag(
'select',
array(
'name' => sprintf( 'aadsso_settings[%s]', $name ),
'id' => $name,
'disabled' => $disabled,
),
implode( ' ', $options )
);
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
return $this;
}
/**
* Renders a simple checkbox field and populates it with the setting value.
*
* @param string $name The setting name for the checkbox input field.
* @param string $label The label to use for the checkbox.
*/
public function render_checkbox_field( $name, $label ) {
$defined_name = 'AADSSO_' . strtoupper( $name );
$is_defined = defined( $defined_name );
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo AADSSO_Html_Helper::get_tag(
'input',
array(
'type' => 'hidden',
'name' => sprintf( 'aadsso_settings[%s]', $name ),
'value' => '',
)
);
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
AADSSO::debug_log(
wp_json_encode(
array(
'name' => $name,
'constant isset' => $is_defined,
'constant name' => $defined_name,
'constant value' => $is_defined ? constant( $defined_name ) : null,
'settings isset' => isset( $this->settings[ $name ] ),
'settings value' => $this->settings[ $name ],
),
JSON_PRETTY_PRINT
),
AADSSO_LOG_VERBOSE
);
// phpcs:disable WordPress.Security.EscapeOutput.OutputNotEscaped
echo AADSSO_Html_Helper::get_tag(
'input',
array(
'type' => 'checkbox',
'name' => sprintf( 'aadsso_settings[%s]', $name ),
'id' => $name,
'value' => $name,
'checked' => $is_defined
? true === filter_var( constant( $defined_name ), FILTER_VALIDATE_BOOLEAN )
: isset( $this->settings[ $name ] ) && true === $this->settings[ $name ],
'disabled' => $is_defined,
),
null
);
echo AADSSO_Html_Helper::get_tag(
'label',
array(
'for' => $name,
),
htmlspecialchars( $label )
);
// phpcs:enable WordPress.Security.EscapeOutput.OutputNotEscaped
return $this;
}
/**
* Indicates if user is currently on this settings page.
*
* @return bool True if user is on this settings page, false otherwise.
*/
public function is_on_options_page() {
$screen = get_current_screen();
return $screen->id === $this->options_page_id;
}
/**
* Ensures jQuery is loaded
*/
public function maybe_include_jquery() {
if ( $this->is_on_options_page() ) {
wp_enqueue_script( 'jquery' );
}
}
}