bsiggel/espocrm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
root
2026-01-19 17:44:46 +01:00
commit 823af8b11d
8721 changed files with 1130846 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
application/Espo/Core/Authentication/Oidc/UserProvider/DefaultUserProvider.php Normal file
View File

@@ -0,0 +1,171 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\ApplicationState;
use Espo\Core\Authentication\Oidc\ConfigDataProvider;
use Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Utils\Log;
use Espo\Entities\User;
use RuntimeException;
class DefaultUserProvider implements UserProvider
{
public function __construct(
private ConfigDataProvider $configDataProvider,
private Sync $sync,
private UserRepository $userRepository,
private ApplicationState $applicationState,
private Log $log,
) {}
public function get(UserInfo $userInfo): ?User
{
$user = $this->findUser($userInfo);
if ($user === false) {
return null;
}
if ($user) {
$this->syncUser($user, $userInfo);
return $user;
}
return $this->tryToCreateUser($userInfo);
}
/**
* @return User|false|null
*/
private function findUser(UserInfo $userInfo): User|bool|null
{
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("No username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("No username claim `$usernameClaim` in token and userinfo.");
}
$username = $this->sync->normalizeUsername($username);
$user = $this->userRepository->findByUsername($username);
if (!$user) {
return null;
}
$userId = $user->getId();
if (!$user->isActive()) {
$this->log->info("Oidc: User $userId found but it's not active.");
return false;
}
$isPortal = $this->applicationState->isPortal();
if (!$isPortal && !$user->isRegular() && !$user->isAdmin()) {
$this->log->info("Oidc: User $userId found but it's neither regular user nor admin.");
return false;
}
if ($isPortal && !$user->isPortal()) {
$this->log->info("Oidc: User $userId found but it's not portal user.");
return false;
}
if ($isPortal) {
$portalId = $this->applicationState->getPortalId();
if (!$user->getPortals()->hasId($portalId)) {
$this->log->info("Oidc: User $userId found but it's not related to current portal.");
return false;
}
}
if ($user->isSuperAdmin()) {
$this->log->info("Oidc: User $userId found but it's super-admin, not allowed.");
return false;
}
if ($user->isAdmin() && !$this->configDataProvider->allowAdminUser()) {
$this->log->info("Oidc: User $userId found but it's admin, not allowed.");
return false;
}
return $user;
}
private function tryToCreateUser(UserInfo $userInfo): ?User
{
if (!$this->configDataProvider->createUser()) {
return null;
}
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("Could not create a user. No OIDC username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("Could not create a user. No username claim in token and userinfo.");
}
return $this->sync->createUser($userInfo);
}
private function syncUser(User $user, UserInfo $userInfo): void
{
if (
!$this->configDataProvider->sync() &&
!$this->configDataProvider->syncTeams()
) {
return;
}
$this->sync->syncUser($user, $userInfo);
}
}

247
application/Espo/Core/Authentication/Oidc/UserProvider/Sync.php Normal file
View File

@@ -0,0 +1,247 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Acl\Cache\Clearer as AclCacheClearer;
use Espo\Core\ApplicationState;
use Espo\Core\Authentication\Oidc\ConfigDataProvider;
use Espo\Core\Field\LinkMultiple;
use Espo\Core\Name\Field;
use Espo\Core\Utils\Config;
use Espo\Core\Utils\PasswordHash;
use Espo\Core\Utils\Util;
use Espo\Entities\User;
use RuntimeException;
class Sync
{
public function __construct(
private UsernameValidator $usernameValidator,
private Config $config,
private ConfigDataProvider $configDataProvider,
private UserRepository $userRepository,
private PasswordHash $passwordHash,
private AclCacheClearer $aclCacheClearer,
private ApplicationState $applicationState,
) {}
public function createUser(UserInfo $userInfo): User
{
$username = $this->getUsernameFromToken($userInfo);
$this->usernameValidator->validate($username);
$user = $this->userRepository->getNew();
$user->setType(User::TYPE_REGULAR);
$user->setUserName($username);
$user->setMultiple([
'password' => $this->passwordHash->hash(Util::generatePassword(10, 4, 2, true)),
]);
$user->set($this->getUserDataFromToken($userInfo));
$user->set($this->getUserTeamsDataFromToken($userInfo));
if ($this->applicationState->isPortal()) {
$portalId = $this->applicationState->getPortalId();
$user->setType(User::TYPE_PORTAL);
$user->setPortals(LinkMultiple::create()->withAddedId($portalId));
}
$this->userRepository->save($user);
return $user;
}
public function syncUser(User $user, UserInfo $payload): void
{
$username = $this->getUsernameFromToken($payload);
$this->usernameValidator->validate($username);
if ($user->getUserName() !== $username) {
throw new RuntimeException("Could not sync user. Username mismatch.");
}
if ($this->configDataProvider->sync()) {
$user->set($this->getUserDataFromToken($payload));
}
$clearAclCache = false;
if ($this->configDataProvider->syncTeams()) {
$user->loadLinkMultipleField(Field::TEAMS);
$user->set($this->getUserTeamsDataFromToken($payload));
$clearAclCache = $user->isAttributeChanged('teamsIds');
}
$this->userRepository->save($user);
if ($clearAclCache) {
$this->aclCacheClearer->clearForUser($user);
}
}
/**
* @return array<string, mixed>
*/
private function getUserDataFromToken(UserInfo $userInfo): array
{
return [
'emailAddress' => $userInfo->get('email'),
'phoneNumber' => $userInfo->get('phone_number'),
'emailAddressData' => null,
'phoneNumberData' => null,
'firstName' => $userInfo->get('given_name'),
'lastName' => $userInfo->get('family_name'),
'middle_name' => $userInfo->get('middle_name'),
'gender' =>
in_array($userInfo->get('gender'), ['male', 'female']) ?
ucfirst($userInfo->get('gender') ?? '') :
null,
];
}
/**
* @return array<string, mixed>
*/
private function getUserTeamsDataFromToken(UserInfo $userInfo): array
{
return [
'teamsIds' => $this->getTeamIdList($userInfo),
];
}
private function getUsernameFromToken(UserInfo $userInfo): string
{
$usernameClaim = $this->configDataProvider->getUsernameClaim();
if (!$usernameClaim) {
throw new RuntimeException("No OIDC username claim in config.");
}
$username = $userInfo->get($usernameClaim);
if (!$username) {
throw new RuntimeException("No username claim returned in token.");
}
if (!is_string($username)) {
throw new RuntimeException("Bad username claim returned in token.");
}
return $this->normalizeUsername($username);
}
/**
* @return string[]
*/
private function getTeamIdList(UserInfo $userInfo): array
{
$idList = $this->configDataProvider->getTeamIds() ?? [];
$columns = $this->configDataProvider->getTeamColumns() ?? (object) [];
if ($idList === []) {
return [];
}
$groupList = $this->getGroups($userInfo);
$resultIdList = [];
foreach ($idList as $id) {
$group = ($columns->$id ?? (object) [])->group ?? null;
if (!$group || in_array($group, $groupList)) {
$resultIdList[] = $id;
}
}
return $resultIdList;
}
/**
* @return string[]
*/
private function getGroups(UserInfo $userInfo): array
{
$groupClaim = $this->configDataProvider->getGroupClaim();
if (!$groupClaim) {
return [];
}
$value = $userInfo->get($groupClaim);
if (!$value) {
return [];
}
if (is_string($value)) {
return [$value];
}
if (!is_array($value)) {
return [];
}
$list = [];
foreach ($value as $item) {
if (is_string($item)) {
$list[] = $item;
}
}
return $list;
}
public function normalizeUsername(string $username): string
{
/** @var ?string $regExp */
$regExp = $this->config->get('userNameRegularExpression');
if (!$regExp) {
throw new RuntimeException("No `userNameRegularExpression` in config.");
}
$username = strtolower($username);
/** @var string $result */
$result = preg_replace("/$regExp/", '_', $username);
/** @var string */
return str_replace(' ', '_', $result);
}
}

49
application/Espo/Core/Authentication/Oidc/UserProvider/UserInfo.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\Authentication\Jwt\Token\Payload;
class UserInfo
{
/**
* @internal
* @param array<string, mixed> $data
*/
public function __construct(
private Payload $payload,
private array $data,
) {}
public function get(string $name): mixed
{
return $this->payload->get($name) ?? $this->data[$name] ?? null;
}
}

85
application/Espo/Core/Authentication/Oidc/UserProvider/UserRepository.php Normal file
View File

@@ -0,0 +1,85 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Core\FieldProcessing\EmailAddress\Saver as EmailAddressSaver;
use Espo\Core\FieldProcessing\PhoneNumber\Saver as PhoneNumberSaver;
use Espo\Core\FieldProcessing\Relation\LinkMultipleSaver;
use Espo\Core\FieldProcessing\Saver\Params as SaverParams;
use Espo\Core\Name\Field;
use Espo\Core\ORM\Repository\Option\SaveOption;
use Espo\Entities\User;
use Espo\ORM\EntityManager;
class UserRepository
{
public function __construct(
private EntityManager $entityManager,
private LinkMultipleSaver $linkMultipleSaver,
private EmailAddressSaver $emailAddressSaver,
private PhoneNumberSaver $phoneNumberSaver
) {}
public function getNew(): User
{
return $this->entityManager->getRDBRepositoryByClass(User::class)->getNew();
}
public function save(User $user): void
{
$this->entityManager->saveEntity($user, [
// Prevent `user` service being loaded by hooks.
SaveOption::SKIP_HOOKS => true,
SaveOption::KEEP_NEW => true,
SaveOption::KEEP_DIRTY => true,
]);
$saverParams = SaverParams::create()->withRawOptions(['skipLinkMultipleHooks' => true]);
$this->linkMultipleSaver->process($user, Field::TEAMS, $saverParams);
$this->linkMultipleSaver->process($user, 'portals', $saverParams);
$this->linkMultipleSaver->process($user, 'portalRoles', $saverParams);
$this->emailAddressSaver->process($user, $saverParams);
$this->phoneNumberSaver->process($user, $saverParams);
$user->setAsNotNew();
$user->updateFetchedValues();
$this->entityManager->refreshEntity($user);
}
public function findByUsername(string $username): ?User
{
return $this->entityManager
->getRDBRepositoryByClass(User::class)
->where(['userName' => $username])
->findOne();
}
}

53
application/Espo/Core/Authentication/Oidc/UserProvider/UsernameValidator.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/************************************************************************
* This file is part of EspoCRM.
*
* EspoCRM Open Source CRM application.
* Copyright (C) 2014-2025 EspoCRM, Inc.
* Website: https://www.espocrm.com
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
************************************************************************/
namespace Espo\Core\Authentication\Oidc\UserProvider;
use Espo\Entities\User;
use Espo\ORM\EntityManager;
use RuntimeException;
class UsernameValidator
{
public function __construct(private EntityManager $entityManager) {}
public function validate(string $username): void
{
$maxLength = $this->entityManager
->getDefs()
->getEntity(User::ENTITY_TYPE)
->getAttribute('userName')
->getLength();
if ($maxLength && $maxLength < strlen($username)) {
throw new RuntimeException("Value in username claim exceeds max length of `$maxLength`. " .
"Increase maxLength parameter for User.userName field (up to 255).");
}
}
}