
github.com/nextcloud/user_saml.git - Unnamed repository; edit this file 'description' to name the repository.
authorLukas Reschke <lukas@statuscode.ch>2016-09-26 23:06:17 +0300
committerLukas Reschke <lukas@statuscode.ch>2016-09-26 23:06:17 +0300
commit6cdc174fdd87d7cf8b78cbe3b6d2a3e778f9bbee (patch)
tree8286180e2fffdd8d856bb9f7248a0687eb26bf3c /appinfo
parent638e5f2c4162cb7da467a38c6aaaef084f807297 (diff)
Add switch to configure whether SAML auth is used for desktop clients
Diffstat (limited to 'appinfo')
-rw-r--r--appinfo/app.php17
-rw-r--r--appinfo/info.xml4
-rw-r--r--appinfo/update.php30
3 files changed, 44 insertions, 7 deletions
diff --git a/appinfo/app.php b/appinfo/app.php
index 8d5c188c..e59d594e 100644
--- a/appinfo/app.php
+++ b/appinfo/app.php
@@ -31,7 +31,7 @@ $samlSettings = new \OCA\User_SAML\SAMLSettings(
);
$userBackend = new \OCA\User_SAML\UserBackend(
- \OC::$server->getConfig(),
+ $config,
\OC::$server->getURLGenerator(),
\OC::$server->getSession(),
\OC::$server->getDb()
@@ -58,10 +58,17 @@ if(!$userSession->isLoggedIn() && \OC::$server->getRequest()->getPathInfo() ===
// If a request to OCS or remote.php is sent by the official desktop clients it can
// be intercepted as it supports SAML. All other clients don't yet and thus we
// require the usage of application specific passwords there.
-$currentUrl = substr(explode('?',$request->getRequestUri(), 2)[0], strlen(\OC::$WEBROOT));
-if(substr($currentUrl, 0, 12) === '/remote.php/' || substr($currentUrl, 0, 5) === '/ocs/') {
- if(!$userSession->isLoggedIn() && $request->isUserAgent([\OC\AppFramework\Http\Request::USER_AGENT_OWNCLOUD_DESKTOP])) {
- $redirectSituation = true;
+//
+// However, it is an opt-in setting to use SAML for the desktop clients. For better
+// UX (users don't have to reauthenticate) we default to disallow the access via
+// SAML at the moment.
+$useSamlForDesktopClients = $config->getAppValue('user_saml', 'general-use_saml_auth_for_desktop', '0');
+if($useSamlForDesktopClients === '1') {
+ $currentUrl = substr(explode('?',$request->getRequestUri(), 2)[0], strlen(\OC::$WEBROOT));
+ if(substr($currentUrl, 0, 12) === '/remote.php/' || substr($currentUrl, 0, 5) === '/ocs/') {
+ if(!$userSession->isLoggedIn() && $request->isUserAgent([\OC\AppFramework\Http\Request::USER_AGENT_OWNCLOUD_DESKTOP])) {
+ $redirectSituation = true;
+ }
}
}
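Review bot: The `isUserAgent()` test inside the new `if($useSamlForDesktopClients === '1')` block decides on a request header that the client chooses, and the comment above it does not say that the match is only a hint. Any client can send the desktop client's User-Agent to `/remote.php/` or `/ocs/` and reach the `$redirectSituation = true` branch, so whatever consumes that flag (outside this hunk) must not treat it as proof of which client is calling. I would add a line to the comment such as `// The User-Agent is client-supplied: it only selects the login flow and is never an authorization decision.` It would also help to state that only the exact string `'1'` enables the switch, since any other stored value silently leaves it off.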
diff --git a/appinfo/info.xml b/appinfo/info.xml
index cc7ebc8e..210d5cd7 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -5,9 +5,9 @@
<description>Authenticates user against a SAML backend, such as Shibboleth.</description>
<licence>AGPL</licence>
<author>Lukas Reschke</author>
- <version>1.2.0</version>
+ <version>1.2.1</version>
<dependencies>
- <owncloud min-version="9.2" max-version="9.2" />
+ <owncloud min-version="9.1" max-version="9.2" />
</dependencies>
<namespace>User_SAML</namespace>
<types>
diff --git a/appinfo/update.php b/appinfo/update.php
new file mode 100644
index 00000000..d628d923
--- /dev/null
+++ b/appinfo/update.php
@@ -0,0 +1,30 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Lukas Reschke <lukas@nextcloud.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+$config = \OC::$server->getConfig();
+$installedVersion = $config->getAppValue('user_saml', 'installed_version');
+
+// Versions below 1.2.1 use SAML by default for the desktop client, this default
+// has been changed with 1.2.1. To not break existing installations the value gets
+// manually changed on update.
+if (version_compare($installedVersion, '1.2.1', '<')) {
+ $config->setAppValue('user_saml', 'general-use_saml_auth_for_desktop', '0');
+}
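Review bot: The comment above the `version_compare()` check says the write is there so existing installations are not broken, but the value written, `'0'`, is the same as the new default that `appinfo/app.php` passes to `getAppValue()`. An installation upgrading from a version below 1.2.1, where desktop clients were always sent through SAML, would therefore have that path switched off by the update, and its desktop clients would have to fall back to application-specific passwords. If preserving the old behaviour is the intent, the line would be `$config->setAppValue('user_saml', 'general-use_saml_auth_for_desktop', '1');`; if disabling is intended, the comment should say so, because an upgrade that silently changes the authentication path is something an administrator needs to know about. `$installedVersion` is also read without a default, so it is worth confirming that an empty value cannot reach this comparison.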