Project page: https://drupal.org/sandbox/mvdijk/2123977
Git repository: git clone --branch 7.x-1.x http://git.drupal.org/sandbox/mvdijk/2123977.git ssoxs
Usage state: The Drupal 6 version of this module has been in active use for over 2 years on the website of the WeNMR project (www.wenmr.eu). The module was originally developed for this project no hosting a community of roughly 2500 users.

Description:
Single Sign On for eXternal Services (SSOXS); managing authentication and authorization for virtual communities with a distributed service infrastructure

“Unite and conquer”, professionals are organizing themselves more often in virtual communities. These communities link likeminded individuals together enabling a common knowledgebase, professional interaction and exposure to services valuable to the community. These services are often web-based tools organized through a common gateway or offered by the community’s users on their own infrastructure using their own implementation.
The “Single Sign On for eXternal Services” module, or SSOXS for short, extends Drupal to serve as a single-sign-on authentication, central user management and accounting portal for external web servers or services. It provides a complete solutions for all SSO and accounting needs for these communities.

The module offers a “My Services” page on the Drupal users profile page allowing them to easily ‘subscribe’ to external services.
The services offered are registered with the module by administrators of the service though the modules administration interface. A rich feature set allows the service administrator to fine-tune who may subscribe to the service, if there are additional subscription requirements to fulfill, the use of Token based access and more.
Registered services are allowed access to the modules API using the flexible XML-RPC communication standard. The extendable API enables secure communication between the external service and the SSOXS module enabling not only user authentication and authorization but also user management and accounting.
The service administration pages allow the service administrators to manage subscribed users, query the accounting information provided by the service through the API and get an overview of service usage and performance by beautiful reports with interactive graphs.

Finally, the module is designed to be a good “Drupal citizen” extending the core functionality with new features like the many other excellent open source modules do. It can therefore directly benefit from the many modules that extend Drupal with additional functionality such as authentication and authorization mechanisms like Social media credentials, Shibboleth, OAuth and OpenID. The module even hosts it’s own federate login functionality via the versatile simpleSAMLphp library allowing Drupal users to login using federate identity out of the box.

It is the combination between the online SSOXS administration interface and the flexible API that provides a closed infrastructure for everything related to authentication, authorization and accounting for a service. There is no longer a need to install independent modules or access different online services and “glue” them together to achieve the same functionality. The combination of these features makes this module unique. The service administrator is in control!

Documentation for the module is included in the modules README.txt file and a more elaborate description on the project page on Drupal (mentioned at the top of this summary)
This module was developed as part of the WeNMR project, and academic e-Infrastructure project funded by the European FP7 grant, contract no. 261572, (www.wenmr.eu)

CommentFileSizeAuthor
#16 Img.png60.07 KBrenatog

Comments

PA robot’s picture

PA robot commented
Status: Needs review » Needs work

There are some errors reported by automated review tools, did you already check them? See http://pareview.sh/pareview/httpgitdrupalorgsandboxmvdijk2123977git

We are currently quite busy with all the project applications and we prefer projects with a review bonus. Please help reviewing and put yourself on the high priority list, then we will take a look at your project right away :-)

Also, you should get your friends, colleagues or other community members involved to review this application. Let them go through the review checklist and post a comment that sets this issue to "needs work" (they found some problems with the project) or "reviewed & tested by the community" (they found no major flaws).

I'm a robot and this is an automated message from Project Applications Scraper.

david_garcia’s picture

david_garcia commented

[1] You are working on master, move code to branch such as 7.x-1.x

[2] Do not use include_once instead use drupal's module_load_include

[3] All your Javascript files are using $(document).ready, this should instead be done by implementing Drupal behaviours: Drupal has a scripting framework and it should be used.

[4] If your script and css files are form dependent, use form's #attach instead of drupal_add_js, for example in ssoxs_addservice_page in ssoxs_services.inc

[5] This is the hell of a big and heavy module, consider refactoring overal structure for PSR-4 code styling using XAutoload. This will easy future migration to D8 and regarding the size of the module, and will help a lot structuring it's code, improving maintainability and readability.

[6] There are many minor coding issues, It would be nice to see them fixed, just use the automated review tool for that.

[7] I can see this is sort of a D6 port, but is way lagging behind in using modern D7 tools, consider upgrading all you direct database manipulations to the Entity Framework. This will easy maintainability and make it future-proof.

[8] Some of the CSS selectors are very loosely defined, such as ".table span" there is a high probablity of undesired behaviours when using that sort of styling. Consider being more specific ore using custom classes.

Overally, this is a very big module and needs deeper review. Many of my statemtents are just recomendations and some of them (such as using PSR-4) would require revising the whole module head to feet as into how it is structured, but you have a good strating point because you are already using classes all around. It has good coding styles and comments.

Anonymous’s picture

Anonymous (not verified) commented

Dear david_garcia_garcia,

Thank you for having a look at the module.
I'm in the middle of correcting the issues brought forward by the automated reviewing tool and will include your recommendation in the process.

I can see the benefits of restructuring the code for the purpose of using PSR-4 and the Entity Framework but within the current road plan of rolling
out this module to the community I do not foresee these modifications to be including in the short term if it wasn't at least because of the size of
the module.

Anonymous’s picture

Anonymous (not verified) commented

Update for module reviewers:

- All issues brought forward by the automatic reviewing tool have been fixed where possible
- Module moved to branch 7.x-1.x
- Module improvement suggestions 1,2,3,4,6 and 8 mentioned by reviewer david_garcia_garcia have been included.

Anonymous’s picture

Anonymous (not verified) commented
Priority: Normal » Major

Dear module reviewers,

I have posted this module for review a while ago. In a quick response afterwards I received valuable feedback from one reviewer. In a response to that I updated the code incorporating most of his suggestions and more.

It has been quiet ever since however. In the meantime there is a growing number of projects in my community that would like to make use of the module and would appreciate an official module page and the associated update functionality. Last but not least, the major funding body of the modules development work (the wenmr project, EU funded) requires the module to be made publicly available.

Although I know that the module is rather big in size I would appreciate someone to take another look at it.

Kind regards,

Marc van Dijk

PA robot’s picture

PA robot commented
Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Anonymous’s picture

Anonymous (not verified) commented
Status: Closed (won't fix) » Needs review
mpdonadio’s picture

mpdonadio
he/him
Primary language English
Location Philadelphia/PA/USA (UTC-5)
commented

@mvdijk, there are a lot of projects to be reviewed right now. If you get a review bonus (see second paragraph of comment #1), you will get on the high priority list. Thanks for your patience with this.

ajits’s picture

ajits
he/him
Primary language Marathi
Location India
commented
Issue summary: View changes

Changing the GIT clone URL

InviteReferrals’s picture

InviteReferrals commented
Issue tags: +PAreview: review bonus

Codespell has found some spelling errors in your code.

./includes/ssoxs_services.inc:239: seperated ==> separated
./includes/ssoxs_toolkit.inc:1092: seperated ==> separated

Also solve the pareview.sh errors
http://pareview.sh/pareview/httpgitdrupalorgsandboxmvdijk2123977git

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Issue tags: -PAreview: review bonus

Removing review bonus tag which is not applicable here.

Gorka Guridi’s picture

Gorka Guridi commented
Status: Needs review » Needs work

Automated Review

Reported several problems by pareview.sh:
http://pareview.sh/pareview/httpgitdrupalorgsandboxmvdijk2123977git-7x-1x

Manual Review

Individual user account

Yes: Follows the guidelines for individual user accounts.

No duplication

Not sure if cause duplication and/or fragmentation.
Is this module trying to solve the same issue? https://www.drupal.org/project/openid_sso_provider

Master Branch

Yes: Follows the guidelines for master branch.

Licensing

Yes: Follows the licensing requirements.

3rd party assets/code

Yes: Follows the guidelines for 3rd party assets/code.

README.txt/README.md

Yes: Follows the guidelines for in-project documentation and/or the README Template.

Code long/complex enough for review

Yes: Follows the guidelines for project length and complexity.

Secure code

No: Doesn't met the security requirements.
* ssoxs_toolkit.inc:1646 : Use construction of the query directly. Even with addslashes, we should use db_insert or db_query (properly) which implement PDO.

Coding style & Drupal API usage

* ssoxs.module:25 : unnecessary initialization, as each case contains their own returns.
* ssoxs.module:28 (and more): style inside the tags make difficult override them via css if necessary. They must be moved to a css.
* ssoxs.module:712 : variable initialization not necessary.
* ssoxs.module:745 : declaration of a class in the module file. Please use the file[] directive for clarity.
* ssoxs.module:745 : declaration of a class in the module file. Please use the file[] directive for clarity.
* ssoxs_user_logout duplicates code in ssoxs_user_delete... it needs refactoring.
* ssoxs_toolkit.inc:66 : I think to force https in an url you can use drupal_goto($path, array('https' => TRUE). Is there any reason to do it on this way? I think the module should force the availability of https in the settings if necessary.
* ssoxs_toolkit.inc:302 : Does user_save throw exceptions?
* ssoxs_toolkit.inc:302 : Can SsoxUser have its own file? Please use the file[] directive for clarity.
* ssoxs_toolkit.inc:432 : That's dangerous. If other modules are adding properties to the user object (for different reasons) here the module is completely overriding it. Can we do a merge instead of a full override, or use another variable name with the scope of this method?
* ssoxs_toolkit.inc:640 : Can SsoxService have its own file? Please use the file[] directive for clarity.
* ssoxs_toolkit.inc:1136 : Can SsoxBlowfish have its own file? Please use the file[] directive for clarity.

The code is really hard to review. The functions do a lot of things, all together. For example, the function ssoxs_user_editservices_form has 440 lines by itself, doing tons of things that are really hard to follow. Some of the code is duplicated, like db_select('ssoxs_services', 'n') with a condition by the machine_name... etc. I think it needs a bit of work to solve the automated tests, and making the code a bit more clear for any developer that want to install it and check what it's doing.

PA robot’s picture

PA robot commented
Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Anonymous’s picture

Anonymous (not verified) commented
Status: Closed (won't fix) » Needs review

Dear Gorka,

Thank's for taking the time to review the SSOXS module. It's has been a while but I only now found time to look into it again.
With regards to your comments:

* ssoxs_toolkit.inc:1646 : Use construction of the query directly. Even with addslashes, we should use db_insert or db_query (properly) which implement PDO.

I agree that under normal circumstances this would be insecure code. The code, however, is part of a utility function to backup a SSOXS db table to file.
The query is thus written to file and not executed. There is of course still a risk if the dumped SQL table is imported again at a later time.
The function is not available if the "backup and migrate" module is installed. Perhaps having that module take care of all backup needs would be better anyway.

* ssoxs.module:25 : unnecessary initialization, as each case contains their own returns.
* ssoxs.module:28 (and more): style inside the tags make difficult override them via css if necessary. They must be moved to a css.
* ssoxs.module:712 : variable initialization not necessary.

Fixed.

* ssoxs.module:745 : declaration of a class in the module file. Please use the file[] directive for clarity.

Moved to ssoxs_formtypes.inc file included using files[] directive. For more clear module architecture.

* ssoxs_user_logout duplicates code in ssoxs_user_delete... it needs refactoring.

One line is functionally duplicated. That does not justify refactoring in my opinion.

* ssoxs_toolkit.inc:66 : I think to force https in an url you can use drupal_goto($path, array('https' => TRUE).
Is there any reason to do it on this way? I think the module should force the availability of https in the settings if necessary.

This is a good question. This class enables authentication using SAML (SimpleSAMLphp). The latter is a PHP package installed on the server and it allows the user to
specify http or https connections explicitly. HTTPS is preferred and set as default. I will have to test if always forcing HTTPS is not going to break anything.

* ssoxs_toolkit.inc:302 : Does user_save throw exceptions?

Yes it does.

* ssoxs_toolkit.inc:302 : Can SsoxUser have its own file? Please use the file[] directive for clarity.
* ssoxs_toolkit.inc:640 : Can SsoxService have its own file? Please use the file[] directive for clarity.
* ssoxs_toolkit.inc:1136 : Can SsoxBlowfish have its own file? Please use the file[] directive for clarity.

Sure, all classes could be moved to there own file. Did that now.

* ssoxs_toolkit.inc:432 : That's dangerous. If other modules are adding properties to the user object (for different reasons) here the module is completely overriding it.
Can we do a merge instead of a full override, or use another variable name with the scope of this method?

Hmm, I can see why this could be problematic. Need to look into this.

Final remarks:
This module was originally developed for Drupal 6 in the days where (many) of the functionality could not be covered by other modules or Drupal core functions.
The port to Drupal 7 could be changed to benefit of the new core functionality and many of the third-party modules that are now available like the very nice form-building
modules. That however would require a massive module rewrite....

Thank's again for taking the time to review.

kattekrab’s picture

kattekrab commented
Priority: Major » Critical
renatog’s picture

renatog commented
Status: Needs review » Needs work
StatusFileSize
new Img.png60.07 KB

Hi.

Congrats on the project.

Just some items:

A)
File: /CHANGELOG.txt
Line 3: Line exceeds 80 characters; contains 88 characters

B)
File: /includes/ssoxs_services.inc
Line 971: Unused variable $validated_urls.
Img

C)
File: /includes/ssoxs_formtypes.inc
Line: 184: Missing class doc comment

<?php
class SsoxsAhahIntegerType {

  /**
   * Class to manage the variable data field of type 'integer'.
   */

  protected $type = "SsoxsAhahIntegerType";
  public $form;
  public $delete = 0;
?>



Regards

klausi’s picture

klausi
he/him||they/them
Primary language German
Location 🇦🇹 Vienna
commented
Status: Needs work » Needs review

@renatog: those are some nice tips, but on their own surely not application blockers. Anything else that you found or should this be RTBC instead?

Toshiwo’s picture

Toshiwo commented
Priority: Critical » Normal
Status: Needs review » Needs work
Issue tags: +branching

manual review
- master branch should be removed
- possibly split the readme so that the installation instructions can be in a separate file
- $form_state['input'] shouldn't be used

Toshiwo’s picture

Toshiwo commented

I am new to the review bonus program so I might be wrong, anyhow, I found the following:

Manual Review

Master Branch
[No: Does not follow] I can still see a master branch, as per https://www.drupal.org/node/1127732, master should be removed.
Licensing
[Yes: Follows / No: Does not follow] the licensing requirements.
3rd party assets/code
[Yes: Follows / No: Does not follow] the guidelines for 3rd party assets/code.
README.txt/README.md
[No: Does not follow] the guidelines for in-project documentation and/or the README Template.
Does not follow in the following points:
  • The README-file should repeat the synopsis on the project page on Drupal.org.
  • If the README-file becomes large or complex, installation and configuration instructions may be moved into an additional file named INSTALL.txt or INSTALL.md (this one doesn't seem to be mandatory anyhow)
Code long/complex enough for review
[Yes: Follows]
Secure code
[No: List of security issues identified.] Security standards discourage the usage of $form_state['input']
Files: /root/repos/pareviewsh/pareview_temp/includes/ssoxs_jobadmin.inc
/root/repos/pareviewsh/pareview_temp/includes/ssoxs_statistics.inc
are including that, even if it is taken from e date field, and I guess in this case code injection is less probable, yet it is a coding standard issue.
Coding style & Drupal API usage
[List of identified issues in no particular order. Use (*) and (+) to indicate an issue importance. Replace the text below by the issues themselves:
  1. FILE: /root/repos/pareviewsh/pareview_temp/includes/ssoxs_overview.inc does have some Line 100:
    $service_edit_link['data'] = l('', $edit_path, array('attributes' => array('title' => 'Edit')));
    It does need translatable text

CONCLUSION

Possibly the only important things are:
- security, use $form_state['values'] instead of $form_state['input']
- git, remove the Master branch (possibly you can create a 7.x-1.x-dev for your development needs

joshideas’s picture

joshideas commented

Manual Review

Master Branch
[No: Does not follow] I can still see a master branch, as per https://www.drupal.org/node/1127732, master should be removed.
Licensing
[Yes: Follows / No: Does not follow] the licensing requirements.
README.txt/README.md
[No: Does not follow] the guidelines for in-project documentation and/or the README Template.
Does not follow in the following points:
  • The README-file should repeat the synopsis on the project page on Drupal.org.
  • If the README-file becomes large or complex, installation and configuration instructions may be moved into an additional file named INSTALL.txt or INSTALL.md (this one doesn't seem to be mandatory anyhow)
Code long/complex enough for review
[Yes: Follows]
Secure code
[No: List of security issues identified.] Security standards discourage the usage of $form_state['input']
Files: /root/repos/pareviewsh/pareview_temp/includes/ssoxs_jobadmin.inc
/root/repos/pareviewsh/pareview_temp/includes/ssoxs_statistics.inc
are including that, even if it is taken from e date field, and I guess in this case code injection is less probable, yet it is a coding standard issue.
Coding style & Drupal API usage
[List of identified issues in no particular order. Use (*) and (+) to indicate an issue importance. Replace the text below by the issues themselves:
  1. FILE: /root/repos/pareviewsh/pareview_temp/includes/ssoxs_overview.inc does have some Line 100:
    $service_edit_link['data'] = l('', $edit_path, array('attributes' => array('title' => 'Edit')));
    It does need translatable text

CONCLUSION

Possibly the only important things are:
- security, use $form_state['values'] instead of $form_state['input']
- git, remove the Master branch (possibly you can create a 7.x-1.x-dev for your development needs

PA robot’s picture

PA robot commented
Status: Needs work » Closed (won't fix)

Closing due to lack of activity. If you are still working on this application, you should fix all known problems and then set the status to "Needs review". (See also the project application workflow).

I'm a robot and this is an automated message from Project Applications Scraper.

Anonymous’s picture

Anonymous (not verified) commented

Dear module reviewers,

Thank you for you comments posted in the last few months.
I’m sorry to inform that as only developers of SSOXS I currently lack time to further maintain the project. I do not foresee this to change in the years to come.
The SSOXS module is perfectly functional for Drupal version 7 and I welcome others to use it as is or hopefully further develop it.
To increase exposure, I duplicated the repository on my personal GitHub at https://github.com/marcvdijk/ssoxs.

Thanks once more for your help and time!

avpaderno’s picture

avpaderno
he/him
Primary language Italian
Location Brescia, 🇮🇹 🇪🇺
commented
Issue tags: -branching