Merge branch '38-make-it-possible-to-add-functions-to-functions-php' into...

Merge branch '38-make-it-possible-to-add-functions-to-functions-php' into '34-add-openid-connect-plugin-and-configuration'

Resolve "Make it possible to add functions to `functions.php`"

See merge request !28

values-local.yaml.example

@@ -66,6 +66,8 @@ openid_connect_settings:
   endpoint_end_session: https://end-session-endpoint-url
   no_sslverify: "0"
   enable_logging: "1"
+  role_mapping_enabled: false
+  role_key: roles
 
 # NOT USED YET
 deflect:

values.yaml

@@ -31,6 +31,12 @@ openid_connect_settings:
   # Where in the user claim array to find the user's nickname. Possible standard
   # values: preferred_username, name, or sub.
   nickname_key: "preferred_username"
+  # If set to true roles are mapped to users when they log in. If this value is
+  # set to true, role_key has to be set as well.
+  role_mapping_enabled: false
+  # Where in the user claim array to find the user's roles. Possible standard
+  # values: roles or groups
+  role_key: "roles"
   # String from which the user's email address is built. Specify "{email}" as
   # long as the user claim contains an email claim.
   # This value is quoted twice, because otherwise the wp cli call interprets
@@ -269,6 +275,7 @@ ansibleSecrets: |
   WP_WPML_ENABLED: {{ .Values.wordpress.site.wpml }}
   WP_WPS_PATH: {{ .Values.wordpress.site.alt_path }}
   WP_OPENID_CONNECT_ENABLED: {{ .Values.openid_connect_settings.enabled }}
+  WP_OPENID_CONNECT_ROLE_MAPPING_ENABLED: {{ .Values.openid_connect_settings.role_mapping_enabled }}
   WP_OPENID_CONNECT_SETTINGS:
     alternate_redirect_uri: {{ .Values.openid_connect_settings.alternate_redirect_uri }}
     client_id: {{ .Values.openid_connect_settings.client_id }}
@@ -293,6 +300,7 @@ ansibleSecrets: |
     redirect_user_back: {{ .Values.openid_connect_settings.redirect_user_back }}
     scope: {{ .Values.openid_connect_settings.scope }}
     state_time_limit: {{ .Values.openid_connect_settings.state_time_limit }}
+    role_key: {{ .Values.openid_connect_settings.role_key }}
   WP_SALTS:
     AUTH_KEY: {{ .Values.wpSalts.AUTH_KEY | default ( randAlphaNum 32) }}
     AUTH_SALT: {{ .Values.wpSalts.AUTH_SALT | default ( randAlphaNum 32) }}

wp-cli-docker/roles/wordpress-init/tasks/openid-connect.yml

@@ -5,3 +5,16 @@
 
 - name: Set openid connect plugin options
   command: wp {{ cli_args }} option set openid_connect_generic_settings --format=json '{{ WP_OPENID_CONNECT_SETTINGS | tojson }}'
+
+- name: Extend functions.php file
+  lineinfile:
+    path: "{{ wordpress_homedir }}/wp-includes/functions.php"
+    regexp: '^require.+additional_functions.php'
+    line:  require( ABSPATH . WPINC . '/additional_functions.php' );
+  when: WP_OPENID_CONNECT_ROLE_MAPPING_ENABLED
+
+- name: Copy additional functions file
+  template:
+    src: templates/additional_functions.php
+    dest: "{{ wordpress_homedir }}/wp-includes/additional_functions.php"
+  when: WP_OPENID_CONNECT_ROLE_MAPPING_ENABLED

wp-cli-docker/roles/wordpress-init/templates/additional_functions.php

+<?php
+add_action('openid-connect-generic-update-user-using-current-claim', function( $user, $user_claim) {
+    // Based on some data in the user_claim, modify the user.
+    if ( array_key_exists( '{{ WP_OPENID_CONNECT_SETTINGS.role_key }}', $user_claim ) ) {
+        if ( in_array('admin',$user_claim['{{ WP_OPENID_CONNECT_SETTINGS.role_key }}'] )) {
+            $user->set_role( 'administrator' );
+        }
+        else {
+            $user->set_role( 'contributor' );
+        }
+    }
+}, 10, 2);