diff --git a/appinfo/info.xml b/appinfo/info.xml
index d4c3e5e2b7600812905c135f66abcaf0804d5365..3997e0ee5a3094bb8918dbbf3522d04ada6a7c69 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -10,14 +10,14 @@
- 10.0.0
+ 10.0.1
agpl
Murena SAS
EcloudAccounts
tools
https://gitlab.e.foundation/e/management/issues
-
+
OCA\EcloudAccounts\Settings\DeleteShopAccountSetting
diff --git a/lib/Service/SSOService.php b/lib/Service/SSOService.php
index a6cb4d23848ec02282a76c8ded73d9b672f4caaf..05e591f521c34b06863db956a8cc0d9f385cf98b 100644
--- a/lib/Service/SSOService.php
+++ b/lib/Service/SSOService.php
@@ -20,10 +20,14 @@ class SSOService {
private array $ssoConfig = [];
private string $adminAccessToken;
private string $currentUserId;
+ private string $currentUserName;
private ICrypto $crypto;
private IFactory $l10nFactory;
private IUserManager $userManager;
+ private string $mainDomain;
+ private string $legacyDomain;
+
private const ADMIN_TOKEN_ENDPOINT = '/auth/realms/master/protocol/openid-connect/token';
private const USERS_ENDPOINT = '/users';
private const CREDENTIALS_ENDPOINT = '/users/{USER_ID}/credentials';
@@ -48,6 +52,9 @@ class SSOService {
$this->logger = $logger;
$this->l10nFactory = $l10nFactory;
$this->userManager = $userManager;
+
+ $this->mainDomain = $this->config->getSystemValue("main_domain");
+ $this->legacyDomain = $this->config->getSystemValue("legacy_domain");
}
public function shouldSync2FA() : bool {
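Review bot: The two new `getSystemValue` reads have no default and no non-empty check, so an unset `main_domain` or `legacy_domain` silently becomes `''`; the `"@" . $this->mainDomain` prefix that sanitizeUserName builds from it (later hunk) then degenerates to a bare `"@"`, which matches any address and strips every domain before getUserId compares the requested and returned usernames. That turns the new user-mismatch check into a local-part-only comparison without any error surfacing. I would read the values with an explicit default, `$this->mainDomain = $this->config->getSystemValue('main_domain', '');`, and have sanitizeUserName only strip a domain when the configured value is non-empty (`$domain !== ''`). The constructor's signature and the assignments above this hunk are outside it.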
@@ -55,9 +62,10 @@ class SSOService {
}
public function migrateCredential(string $username, string $secret) : void {
- if(empty($this->currentUserId)) {
+ if($this->isNotCurrentUser($username)) {
$this->getUserId($username);
}
+
$this->deleteCredentials($username);
$decryptedSecret = $this->crypto->decrypt($secret);
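Review bot: `if($this->isNotCurrentUser($username))` is a double negative the reader has to unwind, and the same form is repeated in the deleteCredentials and logout hunks below. Naming the helper positively and negating at the call site reads more directly: `if (!$this->isCurrentUser($username)) {`. A one-line comment at the call site would also help, since the call to getUserId now does more than look up an id, e.g. `// Resolves and validates the SSO user; throws SSOAdminAPIException on mismatch`. The body of migrateCredential continues past the end of this hunk.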
@@ -74,9 +82,10 @@ class SSOService {
}
public function deleteCredentials(string $username) : void {
- if(empty($this->currentUserId)) {
+ if($this->isNotCurrentUser($username)) {
$this->getUserId($username);
}
+
$credentialIds = $this->getCredentialIds();
foreach ($credentialIds as $credentialId) {
@@ -89,7 +98,7 @@ class SSOService {
}
public function logout(string $username) : void {
- if(empty($this->currentUserId)) {
+ if($this->isNotCurrentUser($username)) {
$this->getUserId($username);
}
@@ -166,6 +175,11 @@ class SSOService {
throw new SSOAdminAPIException('Error: no user found for search with url: ' . $url);
}
$this->currentUserId = $users[0]['id'];
+ $this->currentUserName = $this->sanitizeUserName($users[0]['username']);
+ $username = $this->sanitizeUserName($username);
+ if ($username !== $this->currentUserName) {
+ throw new SSOAdminAPIException('Error: retrieved wrong user info (' . $this->currentUserName . ') from SSO service for ' . $username);
+ }
}
private function getAdminAccessToken() : void {
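Review bot: `$this->currentUserId` and `$this->currentUserName` are assigned from the search result before the new username comparison runs, so when the comparison throws, the service is left holding the id and name of a user it just rejected; any later code path that trusts `currentUserId` without going through isNotCurrentUser would act on the wrong account. `$users[0]['username']` is also read without a key check, and a missing key reaches `strtolower` as null. Validate first and assign only on success, using `?? ''` so a missing username fails the comparison instead of raising a warning. getUserId starts above this hunk, so the search request and empty-result check are not shown here.
```php
// … unchanged: search request and empty-result check …
$candidateName = $this->sanitizeUserName($users[0]['username'] ?? '');
$requestedName = $this->sanitizeUserName($username);
if ($requestedName !== $candidateName) {
    throw new SSOAdminAPIException('Error: retrieved wrong user info (' . $candidateName . ') from SSO service for ' . $requestedName);
}
$this->currentUserId = $users[0]['id'];
$this->currentUserName = $candidateName;
```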
@@ -235,4 +249,20 @@ class SSOService {
$answer = json_decode($answer, true);
return $answer;
}
+
+ private function sanitizeUserName(string $username): string {
+ $username = strtolower($username);
+
+ if (str_contains($username, "@" . $this->mainDomain) || str_contains($username, "@" . $this->legacyDomain)) {
+ list($name, $domain) = explode("@", $username);
+ $username = $name;
+ }
+
+ return $username;
+ }
+
+ private function isNotCurrentUser(string $username): bool {
+ $username = $this->sanitizeUserName($username);
+ return !(!empty($this->currentUserId) && !empty($this->currentUserName) && $username === $this->currentUserName);
+ }
}
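Review bot: sanitizeUserName uses `str_contains` for what is really a suffix test, so any address whose domain merely contains `@<main_domain>` as a substring (for example a longer domain that starts with the configured one) is also reduced to its local part, and the comparison in getUserId then treats it as the same user. The check should anchor at the end of the string: `if (str_ends_with($username, '@' . $this->mainDomain) || str_ends_with($username, '@' . $this->legacyDomain)) {`, and the unused `$domain` from the `list(...)` can go, `[$username] = explode('@', $username, 2);`. A short docblock stating the contract would also help here, e.g. that the method lowercases the name and strips only the two configured domains, leaving any other domain intact so that it still participates in the equality check.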