feat: add local caching for remote IdP logos

classes/admin/setting_idpmetadata.php

@@ -19,6 +19,7 @@
 use admin_setting_configtextarea;
 use auth_saml2\idp_data;
 use auth_saml2\idp_parser;
+use auth_saml2\local\idp_logo_cache;
 use DOMDocument;
 use DOMElement;
 use DOMNodeList;
@@ -170,7 +171,8 @@ private function process_idp_xml(
             }
 
             if (!empty($logo) && $oldidp->logo !== $logo) {
-                $DB->set_field('auth_saml2_idps', 'logo', $logo, ['id' => $oldidp->id]);
+                idp_logo_cache::delete_cached_logo($oldidp->id);
+                idp_logo_cache::cache_logo($logo, $oldidp->id);
             }
 
             // Remove the idp from the current array so that we don't delete it later.
@@ -185,7 +187,11 @@ private function process_idp_xml(
             $newidp->defaultname = $idpname;
             $newidp->logo = $logo;
 
-            $DB->insert_record('auth_saml2_idps', $newidp);
+            $idpid = $DB->insert_record('auth_saml2_idps', $newidp);
+
+            if ($idpid) {
+                idp_logo_cache::cache_logo($logo, $idpid);
+            }
         }
     }
 
@@ -200,6 +206,7 @@ private function remove_old_idps($oldidps) {
         foreach ($oldidps as $metadataidps) {
             foreach ($metadataidps as $oldidp) {
                 $DB->delete_records('auth_saml2_idps', ['id' => $oldidp->id]);
+                idp_logo_cache::delete_cached_logo($oldidp->id);
             }
         }
     }

classes/auth.php

@@ -29,6 +29,7 @@
 use moodle_url;
 use pix_icon;
 use auth_saml2\admin\saml2_settings;
+use auth_saml2\local\idp_logo_cache;
 use coding_exception;
 use core\output\notification;
 use dml_exception;
@@ -293,11 +294,9 @@ class_exists(\tool_tenant\local\auth\saml2\manager::class) && !component_class_c
             $idpurl->param('passive', 'off');
 
             // A default icon.
-            $idpiconurl = null;
             $idpicon = null;
-            if (!empty($idp->logo)) {
-                $idpiconurl = new moodle_url($idp->logo);
-            } else {
+            $idpiconurl = idp_logo_cache::get_cached_logo($idp);
+            if (!$idpiconurl) {
                 $idpicon = new pix_icon('i/user', 'Login');
             }
 

classes/local/idp_logo_cache.php

@@ -0,0 +1,134 @@
+<?php
+// This file is part of Moodle - http://moodle.org/
+//
+// Moodle is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// Moodle is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
+
+namespace auth_saml2\local;
+
+use core\url as moodle_url;
+use core\context\system;
+use file_exception;
+
+/**
+ * Class idp_logo_cache
+ *
+ * @package    auth_saml2
+ * @copyright  2026 University of Graz
+ * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
+ */
+class idp_logo_cache {
+    const COMPONENT = 'auth_saml2';
+    const FILEAREA = 'idplogo';
+    const FILEPATH = '/';
+
+    /**
+     * Cache remote idp icon to local plugin filearea.
+     *
+     * @param string $remoteurl The remote origin URL of the icon/logo to cache.
+     * @param int    $itemid    The id of the idp in the auth_saml2_idps table.
+     * @return \stored_file|false
+     */
+    public static function cache_logo($remoteurl, $itemid) {
+        $fs = get_file_storage();
+
+        $fileinfo = [
+            'contextid' => system::instance()->id,
+            'component' => self::COMPONENT,
+            'filearea'  => self::FILEAREA,
+            'itemid'    => $itemid,
+            'filepath'  => self::FILEPATH,
+            'filename'  => self::get_filename($remoteurl),
+        ];
+
+        try {
+            $file = $fs->create_file_from_url($fileinfo, url: $remoteurl);
+            return $file;
+        } catch (file_exception $e) {
+            return false;
+        }
+    }
+
+    /**
+     * Delete a cached logo.
+     *
+     * @param int $itemid The id of the idp. `itemid` of the file is the `auth_saml2_idps.id`.
+     * @return void
+     */
+    public static function delete_cached_logo($itemid) {
+        $fs = get_file_storage();
+        $fs->delete_area_files(system::instance()->id, self::COMPONENT, self::FILEAREA, $itemid);
+    }
+
+    /**
+     * Get the URL of a cached logo, only if the file exists.
+     *
+     * @param object $idp
+     * @return null|moodle_url
+     */
+    public static function get_cached_logo($idp) {
+        if (empty($idp->logo)) {
+            return null;
+        }
+
+        $context   = system::instance();
+        $component = self::COMPONENT;
+        $filearea  = self::FILEAREA;
+        $itemid    = $idp->id;
+        $filepath  = self::FILEPATH;
+        $filename  = self::get_filename($idp->logo);
+
+        if ($filename === '' || $filename === null) {
+            return null;
+        }
+
+        $fs   = get_file_storage();
+        $file = $fs->get_file(
+            $context->id,
+            $component,
+            $filearea,
+            $itemid,
+            $filepath,
+            $filename
+        );
+
+        if (!$file) {
+            return null;
+        }
+
+        return \moodle_url::make_pluginfile_url(
+            $file->get_contextid(),
+            $file->get_component(),
+            $file->get_filearea(),
+            $file->get_itemid(),
+            $file->get_filepath(),
+            $file->get_filename(),
+            false
+        );
+    }
+
+
+    /**
+     * Generate a unique filename via hashing the remote source URL and taking the original file extension.
+     *
+     * @param mixed $remoteurl
+     * @return string
+     */
+    private static function get_filename($remoteurl): string {
+        $hash = md5($remoteurl);
+        // Try to preserve extension from URL, default to png.
+        $basename = basename(parse_url($remoteurl, PHP_URL_PATH) ?? '');
+        $ext = pathinfo($basename, PATHINFO_EXTENSION) ?: 'png';
+        return "{$hash}.{$ext}";
+    }
+}

db/upgrade.php

@@ -22,6 +22,7 @@
  * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
  */
 
+use auth_saml2\local\idp_logo_cache;
 use auth_saml2\task\metadata_refresh;
 use auth_saml2\ssl_algorithms;
 
@@ -408,5 +409,17 @@ function xmldb_auth_saml2_upgrade($oldversion) {
         upgrade_plugin_savepoint(true, 2023100300, 'auth', 'saml2');
     }
 
+     if ($oldversion < 2026021300) {
+        // Cache the idps logos.
+        $idps = $DB->get_records('auth_saml2_idps');
+        foreach ($idps as $idp) {
+            if (!empty($idp->logo)) {
+                idp_logo_cache::cache_logo($idp->logo, $idp->id);
+            }
+        }
+
+        upgrade_plugin_savepoint(true, 2026021300, 'auth', 'saml2');
+    }
+
     return true;
 }

lib.php

@@ -48,3 +48,46 @@ function auth_saml2_status_checks(): array {
     }
     return [];
 }
+
+/**
+ * Serve the files from the auth_saml2 file areas.
+ *
+ * @param stdClass $course the course object
+ * @param stdClass $cm the course module object
+ * @param stdClass $context the context
+ * @param string $filearea the name of the file area
+ * @param array $args extra arguments (itemid, path)
+ * @param bool $forcedownload whether or not force download
+ * @param array $options additional options affecting the file serving
+ * @return bool|void false if the file not found, just send the file otherwise and do not return anything
+ */
+function auth_saml2_pluginfile(
+    $course,
+    $cm,
+    $context,
+    string $filearea,
+    array $args,
+    bool $forcedownload,
+    array $options = []
+) {
+    global $DB;
+
+    if ($context->contextlevel != CONTEXT_SYSTEM) {
+        return false;
+    }
+    if ($filearea !== 'idplogo') {
+        return false;
+    }
+
+    $itemid = array_shift($args);
+    $filename = array_pop($args);
+    $filepath = '/';
+
+    $fs = get_file_storage();
+    $file = $fs->get_file($context->id, 'auth_saml2', $filearea, $itemid, $filepath, $filename);
+    if (!$file) {
+        return false;
+    }
+
+    send_stored_file($file, DAYSECS, 0, $forcedownload, $options);
+}