-<?php namespace BookStack\Auth\Access;
+<?php
+
+namespace BookStack\Auth\Access;
use BookStack\Auth\User;
use BookStack\Exceptions\JsonDebugException;
use BookStack\Exceptions\SamlException;
+use BookStack\Exceptions\StoppedAuthenticationException;
use BookStack\Exceptions\UserRegistrationException;
use Exception;
use Illuminate\Support\Str;
{
protected $config;
protected $registrationService;
- protected $user;
+ protected $loginService;
/**
* Saml2Service constructor.
*/
- public function __construct(RegistrationService $registrationService, User $user)
+ public function __construct(RegistrationService $registrationService, LoginService $loginService)
{
$this->config = config('saml2');
$this->registrationService = $registrationService;
- $this->user = $user;
+ $this->loginService = $loginService;
}
/**
* Initiate a login flow.
+ *
* @throws Error
*/
public function login(): array
{
$toolKit = $this->getToolkit();
$returnRoute = url('/saml2/acs');
+
return [
'url' => $toolKit->login($returnRoute, [], false, false, true),
- 'id' => $toolKit->getLastRequestID(),
+ 'id' => $toolKit->getLastRequestID(),
];
}
/**
* Initiate a logout flow.
+ *
* @throws Error
*/
public function logout(): array
$returnRoute = url('/');
try {
- $url = $toolKit->logout($returnRoute, [], null, null, true);
+ $email = auth()->user()['email'];
+ $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
+ $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);
+
+ $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
$id = $toolKit->getLastRequestID();
} catch (Error $error) {
if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
* Process the ACS response from the idp and return the
* matching, or new if registration active, user matched to the idp.
* Returns null if not authenticated.
+ *
* @throws Error
* @throws SamlException
* @throws ValidationError
if (!empty($errors)) {
throw new Error(
- 'Invalid ACS Response: '.implode(', ', $errors)
+ 'Invalid ACS Response: ' . implode(', ', $errors)
);
}
/**
* Process a response for the single logout service.
+ *
* @throws Error
*/
public function processSlsResponse(?string $requestId): ?string
{
$toolkit = $this->getToolkit();
- $redirect = $toolkit->processSLO(true, $requestId, false, null, true);
+ $retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);
+
+ $redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);
$errors = $toolkit->getErrors();
if (!empty($errors)) {
throw new Error(
- 'Invalid SLS Response: '.implode(', ', $errors)
+ 'Invalid SLS Response: ' . implode(', ', $errors)
);
}
$this->actionLogout();
+
return $redirect;
}
/**
* Get the metadata for this service provider.
+ *
* @throws Error
*/
public function metadata(): string
if (!empty($errors)) {
throw new Error(
- 'Invalid SP metadata: '.implode(', ', $errors),
+ 'Invalid SP metadata: ' . implode(', ', $errors),
Error::METADATA_SP_INVALID
);
}
/**
* Load the underlying Onelogin SAML2 toolkit.
+ *
* @throws Error
* @throws Exception
*/
$spSettings = $this->loadOneloginServiceProviderDetails();
$settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);
+
return new Auth($settings);
}
protected function loadOneloginServiceProviderDetails(): array
{
$spDetails = [
- 'entityId' => url('/saml2/metadata'),
+ 'entityId' => url('/saml2/metadata'),
'assertionConsumerService' => [
'url' => url('/saml2/acs'),
],
'singleLogoutService' => [
- 'url' => url('/saml2/sls')
+ 'url' => url('/saml2/sls'),
],
];
return [
'baseurl' => url('/saml2'),
- 'sp' => $spDetails
+ 'sp' => $spDetails,
];
}
}
/**
- * Calculate the display name
+ * Calculate the display name.
*/
protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
{
return [
'external_id' => $externalId,
- 'name' => $this->getUserDisplayName($samlAttributes, $externalId),
- 'email' => $email,
- 'saml_id' => $samlID,
+ 'name' => $this->getUserDisplayName($samlAttributes, $externalId),
+ 'email' => $email,
+ 'saml_id' => $samlID,
];
}
$data = $data[0];
break;
}
+
return $data;
}
/**
* Get the user from the database for the specified details.
- * @throws SamlException
+ *
* @throws UserRegistrationException
*/
protected function getOrRegisterUser(array $userDetails): ?User
{
- $user = $this->user->newQuery()
+ $user = User::query()
->where('external_auth_id', '=', $userDetails['external_id'])
->first();
if (is_null($user)) {
$userData = [
- 'name' => $userDetails['name'],
- 'email' => $userDetails['email'],
- 'password' => Str::random(32),
+ 'name' => $userDetails['name'],
+ 'email' => $userDetails['email'],
+ 'password' => Str::random(32),
'external_auth_id' => $userDetails['external_id'],
];
/**
* Process the SAML response for a user. Login the user when
* they exist, optionally registering them automatically.
+ *
* @throws SamlException
* @throws JsonDebugException
* @throws UserRegistrationException
+ * @throws StoppedAuthenticationException
*/
public function processLoginCallback(string $samlID, array $samlAttributes): User
{
if ($this->config['dump_user_details']) {
throw new JsonDebugException([
- 'id_from_idp' => $samlID,
- 'attrs_from_idp' => $samlAttributes,
+ 'id_from_idp' => $samlID,
+ 'attrs_from_idp' => $samlAttributes,
'attrs_after_parsing' => $userDetails,
]);
}
$this->syncWithGroups($user, $groups);
}
- auth()->login($user);
+ $this->loginService->login($user, 'saml2');
+
return $user;
}
}
projects / bookstack / blobdiff