idp: login form spacing; default idps

jrchamp · Apr 4, 2024 · 1ce938e · 1ce938e
1 parent d6f3a48
commit 1ce938e
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 25 deletions.
diff --git a/assets/css/shibboleth_login_form.css b/assets/css/shibboleth_login_form.css
@@ -54,7 +54,7 @@
 	width: 100%;
 	text-align: center;
 	text-decoration: none;
-	margin-top: 16px;
+	float: none;
 }
 
 .shibboleth-form-display #loginform > p,
@@ -71,6 +71,7 @@
 }
 
 .shibboleth-or {
+	margin-bottom: 16px;
 	position: relative;
 	text-align: center;
 }

diff --git a/shibboleth.php b/shibboleth.php
@@ -467,7 +467,8 @@ function shibboleth_authenticate( $user, $username, $password ) {
 	if ( shibboleth_session_active() ) {
 		return shibboleth_authenticate_user();
 	} else {
-		$idp = 'preset';
+		$idps = shibboleth_getoption( 'shibboleth_idps' );
+		$idp = key( $idps );
 		$redirect_to = null;
 
 		if ( isset( $_REQUEST['idp'] ) ) {
@@ -506,26 +507,29 @@ function shibboleth_login_form_shibboleth() {
 function shibboleth_get_password_reset_url( $user_login ) {
 	$user_idp = '';
 
-	if ( empty( $user_login ) ) {
-		// If no user was provided, try to use the preset values.
-		$user_idp = 'preset';
-	} else {
+	$idps = shibboleth_getoption( 'shibboleth_idps' );
+
+	if ( ! empty( $user_login ) ) {
 		$user = get_user_by( 'login', $user_login );
 		if ( $user ) {
 			$user_idp = shibboleth_get_user_idp( $user->ID );
+
+			if ( empty( $user_idp ) ) {
+				return null;
+			}
 		}
+	} elseif ( count( $idps ) === 1 ) {
+		// If there is only one IdP, we can use it as the default.
+		$user_idp = key( $idps );
 	}
 
-	if ( $user_idp ) {
-		// Use the provided constant for all Shibboleth accounts.
-		if ( defined( 'SHIBBOLETH_PASSWORD_RESET_URL' ) ) {
-			return SHIBBOLETH_PASSWORD_RESET_URL;
-		}
+	// Use the provided constant for all Shibboleth accounts.
+	if ( defined( 'SHIBBOLETH_PASSWORD_RESET_URL' ) ) {
+		return SHIBBOLETH_PASSWORD_RESET_URL;
+	}
 
-		$idps = shibboleth_getoption( 'shibboleth_idps' );
-		if ( isset( $idps[ $user_idp ] ) ) {
-			return $idps[ $user_idp ]['password_reset_url'];
-		}
+	if ( ! empty( $user_idp ) && isset( $idps[ $user_idp ] ) ) {
+		return $idps[ $user_idp ]['password_reset_url'];
 	}
 }
 
@@ -558,10 +562,14 @@ function shibboleth_login_url( $login_url ) {
 	$default = shibboleth_getoption( 'shibboleth_default_to_shib_login' );
 
 	if ( $default ) {
-		$login_url = add_query_arg( 'action', 'shibboleth', $login_url );
-	}
+		$idps = shibboleth_getoption( 'shibboleth_idps' );
 
-	// TODO: Do we need to add the idp_code here?
+		// Only send people directly to Shibboleth if there is only 1 IdP.
+		if ( count( $idps ) === 1 ) {
+			$login_url = add_query_arg( 'action', 'shibboleth', $login_url );
+			$login_url = add_query_arg( 'idp', key( $idps ), $login_url );
+		}
+	}
 
 	return $login_url;
 }
@@ -673,8 +681,13 @@ function shibboleth_set_user_idp( $user_id, $user_idp = null ) {
 	if ( empty( $user_idp ) ) {
 		$default_idp = null;
 
-		// TODO: Do we want the IdP 'environment header' to be configurable?
-		$session_entity_id = shibboleth_getenv( 'Shib-Identity-Provider' );
+		// Allow the environment variable name to be overriden.
+		$entity_id_env_var = 'Shib-Identity-Provider';
+		if ( defined( 'SHIBBOLETH_IDP_ENV_VAR' ) ) {
+			$entity_id_env_var = SHIBBOLETH_IDP_ENV_VAR;
+		}
+
+		$session_entity_id = shibboleth_getenv( $entity_id_env_var );
 
 		$idps = get_site_option( 'shibboleth_idps', array() );
 
@@ -1054,7 +1067,6 @@ function shibboleth_disable_login_form() {
 	$bypass = defined( 'SHIBBOLETH_ALLOW_LOCAL_AUTH' ) && SHIBBOLETH_ALLOW_LOCAL_AUTH;
 
 	if ( $disable && ! $bypass ) {
-		// TODO: Is this doing the right thing?
 		$password_reset_url = shibboleth_get_password_reset_url( '' );
 		?>
 		<style type="text/css">
@@ -1080,7 +1092,6 @@ function shibboleth_disable_login_form() {
  * @since 2.1
  */
 function shibboleth_custom_password_reset_url( $url ) {
-	// TODO: Is this doing the right thing?
 	$password_reset_url = shibboleth_get_password_reset_url( '' );
 
 	if ( $password_reset_url ) {
@@ -1110,6 +1121,8 @@ function shibboleth_login_form() {
 
 	$idps = shibboleth_getoption( 'shibboleth_idps', array() );
 
+	$first = true;
+
 	foreach ( $idps as $idp_code => $idp ) {
 		$idp_login_url = add_query_arg( 'idp', $idp_code, $login_url );
 
@@ -1121,9 +1134,9 @@ function shibboleth_login_form() {
 			$button_text = __( 'Log in with Shibboleth', 'shibboleth' );
 		}
 		?>
-	<div class="shibboleth-wrap" <?php echo $disable ? 'style="margin-top:0;"' : ''; ?>>
+	<div class="shibboleth-wrap" <?php echo ($first && $disable) ? 'style="margin-top:0;"' : ''; ?>>
 		<?php
-		if ( ! $disable ) {
+		if ( $first && ! $disable ) {
 			?>
 			<div class="shibboleth-or">
 				<span><?php esc_html_e( 'Or', 'shibboleth' ); ?></span>
@@ -1137,7 +1150,7 @@ function shibboleth_login_form() {
 		</a>
 	</div>
 		<?php
-		$disable = true;
+		$first = false;
 	}
 }
 add_action( 'login_form', 'shibboleth_login_form' );