chore: add tenant logic

chore: define custom provider for LFID

Author: smarcet

app/Providers/AppServiceProvider.php

@@ -15,6 +15,7 @@
 use App\libs\Utils\TextUtils;
 use Illuminate\Support\Facades\App;
 use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\ServiceProvider;
 use Illuminate\Support\Facades\Validator;
@@ -127,6 +128,11 @@ public function boot()
 
             return true;
         });
+
+        Event::listen(function (\SocialiteProviders\Manager\SocialiteWasCalled $event) {
+            // custom tenants for AUTH0 providers
+            $event->extendSocialite('lfid', \SocialiteProviders\Auth0\Provider::class);
+        });
     }
 
     /**

app/libs/Auth/SocialLoginProviders.php

@@ -1,6 +1,4 @@
 <?php namespace App\libs\Auth;
-use Illuminate\Support\Facades\Config;
-
 /**
  * Copyright 2021 OpenStack Foundation
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -14,6 +12,10 @@
  * limitations under the License.
  **/
 
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Request;
+
 /**
  * Class SocialLoginProviders
  * @package App\libs\Auth
@@ -25,44 +27,115 @@ final class SocialLoginProviders
     const LinkedIn = "linkedin";
     const Google = "google";
     const OKTA = 'okta';
-
-    const AUTH0 = 'auth0';
+    const LFID = 'lfid';
 
     const ValidProviders = [
         self::Facebook,
         self::LinkedIn,
         self::Apple,
         //self::Google
         self::OKTA,
-        self::AUTH0,
+        self::LFID,
     ];
 
     /**
      * @param string $provider
      * @return bool
      */
-    public static function isSupportedProvider(string $provider):bool{
+    public static function isSupportedProvider(string $provider): bool
+    {
         return in_array($provider, self::ValidProviders);
     }
 
-    /**
-     * @param string $provider
-     * @return bool
-     */
-    public static function isEnabledProvider(string $provider):bool{
-        return !empty(Config::get("services.".$provider.".client_id", null)) &&
-        !empty(Config::get("services.".$provider.".client_secret", null));
-    }
-
     /**
      * @return string[]
      */
-    public static function buildSupportedProviders():array{
+    public static function buildSupportedProviders(): array
+    {
         $res = [];
-        foreach(self::ValidProviders as $provider){
-            if(self::isEnabledProvider($provider))
+        $tenant = trim(Request::get('tenant', ''));
+        $allowed_3rd_party_providers = self::toList(
+            Config::get("tenants.$tenant.allowed_3rd_party_providers", '')
+        );
+
+        Log::debug("SocialLoginProviders::buildSupportedProviders", ["tenant" => $tenant, "allowed_3rd_party_providers" => $allowed_3rd_party_providers]);
+        foreach (self::ValidProviders as $provider) {
+            Log::debug("SocialLoginProviders::buildSupportedProviders", ["tenant" => $tenant, "provider" => $provider]);
+
+            if (!self::isEnabledProvider($provider)) {
+                Log::warning("SocialLoginProviders::buildSupportedProviders provider is not enabled.", ["tenant" => $tenant, "provider" => $provider]);
+                continue;
+            }
+
+            // If no tenant param was provided, any enabled provider is allowed.
+            if ($tenant === '') {
                 $res[$provider] = ucfirst($provider);
+                continue;
+            }
+
+            // check if the 3rd party provider has defined some exclusive tenants ...
+            $tenants =  self::toList(
+                Config::get("services.$provider.tenants", '')
+            );
+
+            Log::debug(sprintf("SocialLoginProviders::buildSupportedProviders provider %s is enabled", $provider));
+            // 1. check if we have exclusive tenants defined at provider level
+            if (count($tenants) > 0 && !in_array($tenant, $tenants)) {
+                // tenant is not defined on the exclusive collection of the provider
+                Log::warning
+                (
+                    sprintf
+                    (
+                        "SocialLoginProviders::buildSupportedProviders provider %s is not enabled for tenant %s",
+                        $provider,
+                        $tenant
+                    ),
+                    ["tenants" => $tenants]
+                );
+                continue;
+            }
+            // 2. check if the tenant has that provider enabled
+            if (!count($tenants) && !in_array($provider, $allowed_3rd_party_providers)) {
+                Log::warning
+                (
+                    sprintf
+                    (
+                        "SocialLoginProviders::buildSupportedProviders provider %s is not enabled for tenant %s",
+                        $provider,
+                        $tenant
+                    ),
+                    ["allowed_3rd_party_providers" => $allowed_3rd_party_providers]
+                );
+                continue;
+            }
+
+            Log::debug(sprintf("SocialLoginProviders::buildSupportedProviders provider %s is added", $provider));
+            $res[$provider] = ucfirst($provider);
         }
+
         return $res;
     }
+
+    private static function toList($value): array
+    {
+        if (is_array($value)) {
+            return array_values(array_filter(array_map('trim', $value), static fn($v) => $v !== ''));
+        }
+        if (is_string($value)) {
+            if ($value === '') return [];
+            return array_values(array_filter(array_map('trim', explode(',', $value)), static fn($v) => $v !== ''));
+        }
+        return [];
+    }
+
+    /**
+     * @param string $provider
+     * @return bool
+     */
+    public static function isEnabledProvider(string $provider): bool
+    {
+        return !empty(Config::get("services." . $provider . ".client_id", null)) &&
+            !empty(Config::get("services." . $provider . ".client_secret", null));
+    }
+
 }

app/libs/OAuth2/Discovery/DiscoveryDocumentBuilder.php

@@ -261,9 +261,9 @@ public function addUserInfoEncryptionEncSupported($enc)
      * @return $this
      */
     public function addAvailableThirdPartyIdentityProviders(){
-        foreach(SocialLoginProviders::ValidProviders as $provider)
-            if(SocialLoginProviders::isEnabledProvider($provider))
-                $this->addArrayValue("third_party_identity_providers", $provider);
+        $providers = SocialLoginProviders::buildSupportedProviders();
+        foreach($providers as $provider => $value)
+            $this->addArrayValue("third_party_identity_providers", $provider);
         return $this;
     }
 

composer.json

@@ -50,6 +50,7 @@
     "s-ichikawa/laravel-sendgrid-driver": "^4.0",
     "smarcet/jose4php": "2.0.0",
     "socialiteproviders/apple": "^5.6.1",
+    "socialiteproviders/auth0": "^4.2",
     "socialiteproviders/facebook": "^4.1.0",
     "socialiteproviders/google": "^4.1.0",
     "socialiteproviders/linkedin": "^5.0.0",

composer.lock

@@ -1,6 +1,15 @@
 <?php
+$custom_auth0_tenants = [
+    'lfid' => [
+        'client_id' => env('LFID_CLIENT_ID'),
+        'client_secret' => env('LFID_CLIENT_SECRET'),
+        'redirect' => env('LFID_REDIRECT_URI'),
+        'base_url' => env('LFID_BASE_URL'),
+        'tenants' => env('LFID_TENANTS','lf'),
+    ]
+];
 
-return [
+return array_merge([
 
     /*
     |--------------------------------------------------------------------------
@@ -66,10 +75,4 @@
         'base_url' => env("OKTA_BASE_URL"),
         'redirect' => env('OKTA_REDIRECT_URI')
     ],
-    'auth0' => [
-        'client_id' => env('AUTH0_CLIENT_ID'),
-        'client_secret' => env('AUTH0_CLIENT_SECRET'),
-        'redirect' => env('AUTH0_REDIRECT_URI'),
-        'base_url' => env('AUTH0_BASE_URL'),
-    ]
-];
+], $custom_auth0_tenants);

config/services.php

@@ -0,0 +1,7 @@
+<?php
+
+return [
+    'lf' => [
+        'allowed_3rd_party_providers' =>  env('LFID_ALLOWED_3RD_PARTY_PROVIDERS', '')
+    ],
+];