Do not force login on neither special URLs nor CLI

When user_saml is configured to force users to log in, some URLs have to be
excluded from the enforcement.

CLI works again when user_saml "force login" is set.

1 files changed, 30 insertions, 1 deletions

diff --git a/user_saml/appinfo/app.php b/user_saml/appinfo/app.php
index 6a26bbe91..b8d26bf0a 100644
--- a/user_saml/appinfo/app.php
+++ b/user_saml/appinfo/app.php
@@ -43,7 +43,9 @@ if (OCP\App::isEnabled('user_saml')) {
 	OCP\Util::connectHook('OC_User', 'post_login', 'OC_USER_SAML_Hooks', 'post_login');
 	OCP\Util::connectHook('OC_User', 'logout', 'OC_USER_SAML_Hooks', 'logout');
 
-	$forceLogin = OCP\Config::getAppValue('user_saml', 'saml_force_saml_login', false);
+	$forceLogin = OCP\Config::getAppValue('user_saml', 'saml_force_saml_login', false)
+		&& shouldEnforceAuthentication();
+
 
 	if( (isset($_GET['app']) && $_GET['app'] == 'user_saml') || (!OCP\User::isLoggedIn() && $forceLogin && !isset($_GET['admin_login']) )) {
 
@@ -72,3 +74,30 @@ if (OCP\App::isEnabled('user_saml')) {
 		OCP\Util::addScript('user_saml', 'utils');
 	}
 }
+
+
+/*
+ * Checks if requiring SAML authentication on current URL makes sense when
+ * forceLogin is set.
+ *
+ * Disables it when using the command line too
+ */
+function shouldEnforceAuthentication()
+{
+	if (OC::$CLI) {
+		return false;
+	}
+
+	$url = OCP\Util::getRequestUri();
+	$url_pieces = preg_split('/[\/?]/', $uri);
+
+	return !isset($url_pieces[0]) || !in_array(
+		$url_pieces[0],
+		array(
+			'cron.php',
+			'public.php',
+			'remote.php',
+			'status.php',
+		)
+	);
+}