New translations editor.php (Slovak)

[bookstack] / app / Http / Controllers / Auth / Saml2Controller.php

diff --git a/app/Http/Controllers/Auth/Saml2Controller.php b/app/Http/Controllers/Auth/Saml2Controller.php
index d54e925bbf40ff17145564e123d3f44eafd10fc2..b84483961127fb0bd5ee9bed41957499df4986f8 100644 (file)
--- a/app/Http/Controllers/Auth/Saml2Controller.php
+++ b/app/Http/Controllers/Auth/Saml2Controller.php
@@ -5,10 +5,10 @@ namespace BookStack\Http\Controllers\Auth;
 use BookStack\Auth\Access\Saml2Service;
 use BookStack\Http\Controllers\Controller;
 use Illuminate\Http\Request;
 use BookStack\Auth\Access\Saml2Service;
 use BookStack\Http\Controllers\Controller;
 use Illuminate\Http\Request;

+use Illuminate\Support\Str;

 
 class Saml2Controller extends Controller
 {
 
 class Saml2Controller extends Controller
 {

-

     protected $samlService;
 
     /**
     protected $samlService;
 
     /**


@@ -16,8 +16,8 @@ class Saml2Controller extends Controller
      */
     public function __construct(Saml2Service $samlService)
     {
      */
     public function __construct(Saml2Service $samlService)
     {

-        parent::__construct();

         $this->samlService = $samlService;
         $this->samlService = $samlService;

+        $this->middleware('guard:saml2');

     }
 
     /**
     }
 
     /**


@@ -31,14 +31,29 @@ class Saml2Controller extends Controller
         return redirect($loginDetails['url']);
     }
 
         return redirect($loginDetails['url']);
     }
 

+    /**
+     * Start the logout flow via SAML2.
+     */
+    public function logout()
+    {
+        $logoutDetails = $this->samlService->logout(auth()->user());
+
+        if ($logoutDetails['id']) {
+            session()->flash('saml2_logout_request_id', $logoutDetails['id']);
+        }
+
+        return redirect($logoutDetails['url']);
+    }
+

     /*
      * Get the metadata for this SAML2 service provider.
      */
     public function metadata()
     {
         $metaData = $this->samlService->metadata();
     /*
      * Get the metadata for this SAML2 service provider.
      */
     public function metadata()
     {
         $metaData = $this->samlService->metadata();

+

         return response()->make($metaData, 200, [
         return response()->make($metaData, 200, [

-            'Content-Type' => 'text/xml'
+            'Content-Type' => 'text/xml',

         ]);
     }
 
         ]);
     }
 


@@ -48,24 +63,66 @@ class Saml2Controller extends Controller
      */
     public function sls()
     {
      */
     public function sls()
     {

-        // TODO
+        $requestId = session()->pull('saml2_logout_request_id', null);
+        $redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
+
+        return redirect($redirect);
+    }
+
+    /**
+     * Assertion Consumer Service start URL. Takes the SAMLResponse from the IDP.
+     * Due to being an external POST request, we likely won't have context of the
+     * current user session due to lax cookies. To work around this we store the
+     * SAMLResponse data and redirect to the processAcs endpoint for the actual
+     * processing of the request with proper context of the user session.
+     */
+    public function startAcs(Request $request)
+    {
+        $samlResponse = $request->get('SAMLResponse', null);
+
+        if (empty($samlResponse)) {
+            $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+
+            return redirect('/login');
+        }
+
+        $acsId = Str::random(16);
+        $cacheKey = 'saml2_acs:' . $acsId;
+        cache()->set($cacheKey, encrypt($samlResponse), 10);
+
+        return redirect()->guest('/saml2/acs?id=' . $acsId);

     }
 
     /**
     }
 
     /**

-     * Assertion Consumer Service.
-     * Processes the SAML response from the IDP.
+     * Assertion Consumer Service process endpoint.
+     * Processes the SAML response from the IDP with context of the current session.
+     * Takes the SAML request from the cache, added by the startAcs method above.

      */
      */

-    public function acs()
+    public function processAcs(Request $request)

     {
     {

+        $acsId = $request->get('id', null);
+        $cacheKey = 'saml2_acs:' . $acsId;
+        $samlResponse = null;
+
+        try {
+            $samlResponse = decrypt(cache()->pull($cacheKey));
+        } catch (\Exception $exception) {
+        }

         $requestId = session()->pull('saml2_request_id', null);
 
         $requestId = session()->pull('saml2_request_id', null);
 

-        $user = $this->samlService->processAcsResponse($requestId);
-        if ($user === null) {
+        if (empty($acsId) || empty($samlResponse)) {
+            $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+
+            return redirect('/login');
+        }
+
+        $user = $this->samlService->processAcsResponse($requestId, $samlResponse);
+        if (is_null($user)) {

             $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
             $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));

+

             return redirect('/login');
         }
 
         return redirect()->intended();
     }
             return redirect('/login');
         }
 
         return redirect()->intended();
     }

-

 }
 }