1
0
Files
breadcrumb-the-shire/lib/Repository/Tenant/TenantMicrosoftAuthRepository.php
fs 1c784efd5c feat(auth): add domain-based SSO discovery for unprovisioned users
Users who exist in Microsoft Entra ID or LDAP but have no local account
were blocked at the email-first login step because the system required a
local user record before showing SSO options. This adds a domain-based
fallback: when the email is unknown locally, the system checks tenant SSO
configurations for matching allowed_domains and presents SSO-only login
options, enabling the existing JIT provisioning to trigger on callback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 14:35:57 +02:00

122 lines
4.9 KiB
PHP

<?php
namespace MintyPHP\Repository\Tenant;
use MintyPHP\DB;
/** Persists Microsoft Entra ID OAuth settings per tenant, including encrypted client secrets. */
class TenantMicrosoftAuthRepository implements TenantMicrosoftAuthRepositoryInterface
{
private function unwrap($row): ?array
{
if (!$row || !is_array($row)) {
return null;
}
if (isset($row['tenant_auth_microsoft']) && is_array($row['tenant_auth_microsoft'])) {
return $row['tenant_auth_microsoft'];
}
return $row;
}
public function findByTenantId(int $tenantId): ?array
{
$row = DB::selectOne(
'select id, tenant_id, enabled, enforce_microsoft_login, sync_profile_on_login, sync_profile_fields, entra_tenant_id, allowed_domains, use_shared_app, client_id_override, client_secret_override_enc, auto_remember_mode, created, modified from tenant_auth_microsoft where tenant_id = ? limit 1',
(string) $tenantId
);
return $this->unwrap($row);
}
public function listByTenantIds(array $tenantIds): array
{
$tenantIds = array_values(array_unique(array_map('intval', $tenantIds)));
$tenantIds = array_values(array_filter($tenantIds, static fn ($id) => $id > 0));
if (!$tenantIds) {
return [];
}
$placeholders = implode(',', array_fill(0, count($tenantIds), '?'));
$rows = DB::select(
'select id, tenant_id, enabled, enforce_microsoft_login, sync_profile_on_login, sync_profile_fields, entra_tenant_id, allowed_domains, use_shared_app, client_id_override, client_secret_override_enc, auto_remember_mode, created, modified from tenant_auth_microsoft where tenant_id in (' . $placeholders . ')',
...array_map('strval', $tenantIds)
);
if (!is_array($rows)) {
return [];
}
$result = [];
foreach ($rows as $row) {
$item = $this->unwrap($row);
if (!is_array($item)) {
continue;
}
$tenantId = (int) ($item['tenant_id'] ?? 0);
if ($tenantId <= 0) {
continue;
}
$result[$tenantId] = $item;
}
return $result;
}
public function upsertByTenantId(int $tenantId, array $data): bool
{
$autoRememberMode = $data['auto_remember_mode'] ?? null;
$autoRememberModeParam = $autoRememberMode !== null ? (string) (int) $autoRememberMode : null;
$result = DB::update(
'insert into tenant_auth_microsoft (tenant_id, enabled, enforce_microsoft_login, sync_profile_on_login, sync_profile_fields, entra_tenant_id, allowed_domains, use_shared_app, client_id_override, client_secret_override_enc, auto_remember_mode, created) values (?,?,?,?,?,?,?,?,?,?,?,NOW()) ' .
'on duplicate key update enabled = values(enabled), enforce_microsoft_login = values(enforce_microsoft_login), sync_profile_on_login = values(sync_profile_on_login), sync_profile_fields = values(sync_profile_fields), entra_tenant_id = values(entra_tenant_id), ' .
'allowed_domains = values(allowed_domains), use_shared_app = values(use_shared_app), client_id_override = values(client_id_override), ' .
'client_secret_override_enc = values(client_secret_override_enc), auto_remember_mode = values(auto_remember_mode), modified = NOW()',
(string) $tenantId,
!empty($data['enabled']) ? '1' : '0',
!empty($data['enforce_microsoft_login']) ? '1' : '0',
!empty($data['sync_profile_on_login']) ? '1' : '0',
$data['sync_profile_fields'] ?? null,
$data['entra_tenant_id'] ?? null,
$data['allowed_domains'] ?? null,
!empty($data['use_shared_app']) ? '1' : '0',
$data['client_id_override'] ?? null,
$data['client_secret_override_enc'] ?? null,
$autoRememberModeParam
);
return $result !== false;
}
public function findEnabledWithExplicitDomain(string $domain): array
{
$domain = strtolower(trim($domain));
if ($domain === '') {
return [];
}
$rows = DB::select(
"select tenant_id, allowed_domains from tenant_auth_microsoft where enabled = 1 and allowed_domains is not null and allowed_domains != '' and FIND_IN_SET(?, allowed_domains) > 0",
$domain
);
if (!is_array($rows)) {
return [];
}
$result = [];
foreach ($rows as $row) {
$item = $this->unwrap($row);
if (!is_array($item)) {
continue;
}
$tenantId = (int) ($item['tenant_id'] ?? 0);
if ($tenantId <= 0) {
continue;
}
$result[] = ['tenant_id' => $tenantId, 'allowed_domains' => (string) ($item['allowed_domains'] ?? '')];
}
return $result;
}
}