Refactored search runner a little to be neater

[bookstack] / app / Http / Controllers / Auth / Saml2Controller.php
diff --git a/app/Http/Controllers/Auth/Saml2Controller.php b/app/Http/Controllers/Auth/Saml2Controller.php

index 8a3bf065ed566b55062a184c76c7144797417060..bd3b25da770ab113e04c2298b6d0b4d3f7b6f907 100644 (file)
--- a/app/Http/Controllers/Auth/Saml2Controller.php
+++ b/app/Http/Controllers/Auth/Saml2Controller.php
@@ -4,10 +4,12 @@ namespace BookStack\Http\Controllers\Auth;
  
  use BookStack\Auth\Access\Saml2Service;
  use BookStack\Http\Controllers\Controller;
  
  use BookStack\Auth\Access\Saml2Service;
  use BookStack\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
+use Str;
  
  class Saml2Controller extends Controller
  {
  
  class Saml2Controller extends Controller
  {
-
      protected $samlService;
  
      /**
      protected $samlService;
  
      /**
@@ -35,7 +37,7 @@ class Saml2Controller extends Controller
       */
      public function logout()
      {
       */
      public function logout()
      {
-        $logoutDetails = $this->samlService->logout();
+        $logoutDetails = $this->samlService->logout(auth()->user());
  
          if ($logoutDetails['id']) {
              session()->flash('saml2_logout_request_id', $logoutDetails['id']);
  
          if ($logoutDetails['id']) {
              session()->flash('saml2_logout_request_id', $logoutDetails['id']);
@@ -50,8 +52,9 @@ class Saml2Controller extends Controller
      public function metadata()
      {
          $metaData = $this->samlService->metadata();
      public function metadata()
      {
          $metaData = $this->samlService->metadata();
+
          return response()->make($metaData, 200, [
          return response()->make($metaData, 200, [
-            'Content-Type' => 'text/xml'
+            'Content-Type' => 'text/xml',
          ]);
      }
  
          ]);
      }
  
@@ -63,24 +66,69 @@ class Saml2Controller extends Controller
      {
          $requestId = session()->pull('saml2_logout_request_id', null);
          $redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
      {
          $requestId = session()->pull('saml2_logout_request_id', null);
          $redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
+
          return redirect($redirect);
      }
  
      /**
          return redirect($redirect);
      }
  
      /**
-     * Assertion Consumer Service.
-     * Processes the SAML response from the IDP.
+     * Assertion Consumer Service start URL. Takes the SAMLResponse from the IDP.
+     * Due to being an external POST request, we likely won't have context of the
+     * current user session due to lax cookies. To work around this we store the
+     * SAMLResponse data and redirect to the processAcs endpoint for the actual
+     * processing of the request with proper context of the user session.
       */
       */
-    public function acs()
+    public function startAcs(Request $request)
      {
      {
-        $requestId = session()->pull('saml2_request_id', null);
+        // Note: This is a bit of a hack to prevent a session being stored
+        // on the response of this request. Within Laravel7+ this could instead
+        // be done via removing the StartSession middleware from the route.
+        config()->set('session.driver', 'array');
+
+        $samlResponse = $request->get('SAMLResponse', null);
  
  
-        $user = $this->samlService->processAcsResponse($requestId);
-        if ($user === null) {
+        if (empty($samlResponse)) {
              $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
              $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+
              return redirect('/login');
          }
  
              return redirect('/login');
          }
  
-        return redirect()->intended();
+        $acsId = Str::random(16);
+        $cacheKey = 'saml2_acs:' . $acsId;
+        cache()->set($cacheKey, encrypt($samlResponse), 10);
+
+        return redirect()->guest('/saml2/acs?id=' . $acsId);
      }
  
      }
  
+    /**
+     * Assertion Consumer Service process endpoint.
+     * Processes the SAML response from the IDP with context of the current session.
+     * Takes the SAML request from the cache, added by the startAcs method above.
+     */
+    public function processAcs(Request $request)
+    {
+        $acsId = $request->get('id', null);
+        $cacheKey = 'saml2_acs:' . $acsId;
+        $samlResponse = null;
+
+        try {
+            $samlResponse = decrypt(cache()->pull($cacheKey));
+        } catch (\Exception $exception) {
+        }
+        $requestId = session()->pull('saml2_request_id', 'unset');
+
+        if (empty($acsId) || empty($samlResponse)) {
+            $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+
+            return redirect('/login');
+        }
+
+        $user = $this->samlService->processAcsResponse($requestId, $samlResponse);
+        if (is_null($user)) {
+            $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+
+            return redirect('/login');
+        }
+
+        return redirect()->intended();
+    }
  }
  }