From 1855203e572c6eb1391cdb9ce0079038acf51156 Mon Sep 17 00:00:00 2001 From: pookmish Date: Tue, 19 Sep 2023 15:53:53 -0500 Subject: [PATCH] Update samlauth settings when a role is created or deleted (#713) --- config/sync/config_ignore.settings.yml | 1 + config/sync/user.role.site_manager.yml | 12 ---- src/EventSubscriber/EventSubscriber.php | 58 +++++++++++++++---- stanford_profile.post_update.php | 15 +++++ .../EventSubscriber/EventSubscriberTest.php | 5 +- 5 files changed, 63 insertions(+), 28 deletions(-) diff --git a/config/sync/config_ignore.settings.yml b/config/sync/config_ignore.settings.yml index 0b8b86c12..aba787354 100644 --- a/config/sync/config_ignore.settings.yml +++ b/config/sync/config_ignore.settings.yml @@ -13,4 +13,5 @@ ignored_config_entities: - 'system.action.user_add_role_action.custm_*' - 'system.action.user_remove_role_action.custm_*' - 'next.next_site.*' + - 'samlauth.authentication:map_users_roles' enable_export_filtering: false diff --git a/config/sync/user.role.site_manager.yml b/config/sync/user.role.site_manager.yml index ee843e3be..3c042ce71 100644 --- a/config/sync/user.role.site_manager.yml +++ b/config/sync/user.role.site_manager.yml @@ -112,7 +112,6 @@ permissions: - 'create terms in basic_page_types' - 'create terms in event_audience' - 'create terms in media_tags' - - 'create terms in media_tags' - 'create terms in stanford_event_types' - 'create terms in stanford_news_topics' - 'create terms in stanford_person_types' @@ -163,7 +162,6 @@ permissions: - 'delete terms in basic_page_types' - 'delete terms in event_audience' - 'delete terms in media_tags' - - 'delete terms in media_tags' - 'delete terms in stanford_event_types' - 'delete terms in stanford_news_topics' - 'delete terms in stanford_person_types' 
@@ -215,7 +213,6 @@ permissions: - 'edit terms in basic_page_types' - 'edit terms in event_audience' - 'edit terms in media_tags' - - 'edit terms in media_tags' - 'edit terms in stanford_event_types' - 'edit terms in stanford_news_topics' - 'edit terms in stanford_person_types' @@ -256,16 +253,7 @@ permissions: - 'view any unpublished stanford_policy content' - 'view any unpublished stanford_publication content' - 'view editoria11y checker' - - 'view own unpublished content' - - 'view own unpublished media' - - 'view policy log' - 'view scheduled content' - - 'view stanford_course revisions' - - 'view stanford_event revisions' - - 'view stanford_event_series revisions' - - 'view stanford_news revisions' - - 'view stanford_page revisions' - - 'view stanford_person revisions' - 'view stanford_policy revisions' - 'view stanford_publication revisions' - 'view the administration theme' diff --git a/src/EventSubscriber/EventSubscriber.php b/src/EventSubscriber/EventSubscriber.php index 1190bce20..78182fd70 100644 --- a/src/EventSubscriber/EventSubscriber.php +++ b/src/EventSubscriber/EventSubscriber.php @@ -6,9 +6,13 @@ use Drupal\Core\File\FileSystemInterface; use Drupal\Core\Logger\LoggerChannelFactoryInterface; use Drupal\Core\StreamWrapper\StreamWrapperManager; +use Drupal\core_event_dispatcher\EntityHookEvents; +use Drupal\core_event_dispatcher\Event\Entity\EntityDeleteEvent; +use Drupal\core_event_dispatcher\Event\Entity\EntityInsertEvent; use Drupal\default_content\Event\DefaultContentEvents; use Drupal\default_content\Event\ImportEvent; use Drupal\file\FileInterface; +use Drupal\user\RoleInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface; /** @@ -31,13 +35,6 @@ class EventSubscriber implements EventSubscriberInterface { */ const FETCH_DIR = '/sites/default/files/'; - /** - * File system service. - * - * @var \Drupal\Core\File\FileSystemInterface - */ - protected $fileSystem; - /** * Logger channel service. * 
@@ -51,26 +48,63 @@ class EventSubscriber implements EventSubscriberInterface { public static function getSubscribedEvents() { return [ DefaultContentEvents::IMPORT => 'onContentImport', + EntityHookEvents::ENTITY_INSERT => 'onEntityInsert', + EntityHookEvents::ENTITY_DELETE => 'onEntityDelete', ]; } /** * EventSubscriber constructor. * - * @param \Drupal\Core\File\FileSystemInterface $file_system + * @param \Drupal\Core\File\FileSystemInterface $fileSystem * File system service. * @param \Drupal\Core\Logger\LoggerChannelFactoryInterface $logger_factory * Logger factory service. */ - public function __construct(FileSystemInterface $file_system, LoggerChannelFactoryInterface $logger_factory) { - $this->fileSystem = $file_system; + public function __construct(protected FileSystemInterface $fileSystem, LoggerChannelFactoryInterface $logger_factory) { $this->logger = $logger_factory->get('stanford_profile'); } /** - * Empty function to avoid errors until cache is cleared. + * On entity insert event. + * + * @param \Drupal\core_event_dispatcher\Event\Entity\EntityInsertEvent $event + * Triggered event. + */ + public function onEntityInsert(EntityInsertEvent $event) { + if ($event->getEntity()->getEntityTypeId() == 'user_role') { + self::updateSamlauthRoles(); + } + } + + /** + * On entity delete event. + * + * @param \Drupal\core_event_dispatcher\Event\Entity\EntityDeleteEvent $event + * Triggered event. */ - public function preSaveEntity(): void {} + public function onEntityDelete(EntityDeleteEvent $event) { + if ($event->getEntity()->getEntityTypeId() == 'user_role') { + self::updateSamlauthRoles(); + } + } + + /** + * Update samlauth allowed roles settings. 
+ */ + protected static function updateSamlauthRoles() { + if (!\Drupal::moduleHandler()->moduleExists('samlauth')) { + return; + } + + $role_ids = array_keys(user_role_names(TRUE)); + $role_ids = array_combine($role_ids, $role_ids); + unset($role_ids[RoleInterface::AUTHENTICATED_ID]); + asort($role_ids); + + $config = \Drupal::configFactory()->getEditable('samlauth.authentication'); + $config->set('map_users_roles', $role_ids)->save(); + } /** * When content is imported, download the images. diff --git a/stanford_profile.post_update.php b/stanford_profile.post_update.php index 9231d301d..e2e9442b8 100644 --- a/stanford_profile.post_update.php +++ b/stanford_profile.post_update.php @@ -83,3 +83,18 @@ function stanford_profile_post_update_update_field_defs() { } } } + +/** + * Enable samlauth. + */ +function stanford_profile_post_update_samlauth() { + if (\Drupal::moduleHandler()->moduleExists('stanford_samlauth')) { + return; + } + $ignore_settings = \Drupal::configFactory() + ->getEditable('config_ignore.settings'); + $ignored = $ignore_settings->get('ignored_config_entities'); + $ignored[] = 'samlauth.authentication:map_users_roles'; + $ignore_settings->set('ignored_config_entities', $ignored)->save(); + \Drupal::service('module_installer')->install(['stanford_samlauth']); +} diff --git a/tests/src/Kernel/EventSubscriber/EventSubscriberTest.php b/tests/src/Kernel/EventSubscriber/EventSubscriberTest.php index f5f7751b8..dbbf11822 100644 --- a/tests/src/Kernel/EventSubscriber/EventSubscriberTest.php +++ b/tests/src/Kernel/EventSubscriber/EventSubscriberTest.php 
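Review bot: `updateSamlauthRoles()` writes every role except `authenticated` into `samlauth.authentication:map_users_roles`, so administrative roles and any role created later are added automatically. If that setting is, as I understand the samlauth module, the list of roles whose existing local accounts may be linked to an incoming SAML login, the restriction no longer protects privileged accounts from being matched on an IdP-supplied attribute. If linking every role is intended, say so in the docblock (`Allows SAML account linking for all roles, including administrative ones.`); otherwise build the list from loaded role entities and skip those where `isAdmin()` is true. Both handlers also save config without checking `$event->getEntity()->isSyncing()`, so the write presumably runs during config import too, and they compare the entity type with `==` where `===` is meant.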
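Review bot: The early return on `moduleExists('stanford_samlauth')` in `stanford_profile_post_update_samlauth()` also skips the `config_ignore` change, so a site that already has the module never gets `samlauth.authentication:map_users_roles` added to its active ignore list by this update. Such a site then relies on a later config import to protect the runtime-managed value. The append is also unconditional, so it can duplicate the entry when it is already present. Consider adding the entry first, guarded by `if (!in_array('samlauth.authentication:map_users_roles', $ignored ?? [], TRUE))`, and returning early only before the install call. The docblock says `Enable samlauth.` while the code installs `stanford_samlauth`; `Install stanford_samlauth and keep the SAML role map out of config sync.` would match what it does.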
@@ -87,10 +87,7 @@ protected function setUp(): void {
 * Test the consumer secret is randomized.
 */
 public function testConsumerSecretRandomized() {
- $expected = [
- 'default_content.import' => 'onContentImport',
- ];
- $this->assertEquals($expected, StanfordEventSubscriber::getSubscribedEvents());
+ $this->assertContains('onContentImport', StanfordEventSubscriber::getSubscribedEvents());
 $consumer = Consumer::create([
 'client_id' => 'foobar',
 'label' => 'foobar',
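Review bot: Replacing the exact `assertEquals` with `assertContains('onContentImport', …)` leaves the two new subscriptions unchecked, and nothing visible in this hunk exercises the `map_users_roles` update they trigger. Because that update appears to govern which accounts a SAML login may be linked to, it deserves a kernel test that creates and deletes a role and asserts the stored list. At minimum add `$this->assertContains('onEntityInsert', StanfordEventSubscriber::getSubscribedEvents());` and the same for `'onEntityDelete'`. The test method continues past the end of the hunk.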