BookStack Code Mirror - bookstack/blobdiff - app/Auth/Access/Saml2Service.php

index a9441dc40b948b2383f2c5f73a8fd3f204006105..8f9a24cdeacd142106c0a92411962bd59de877c5 100644 (file)

--- a/app/Auth/Access/Saml2Service.php

+++ b/app/Auth/Access/Saml2Service.php

@@ -1,9 +1,9 @@

<?php namespace BookStack\Auth\Access;

use BookStack\Auth\User;

-use BookStack\Auth\UserRepo;

use BookStack\Exceptions\JsonDebugException;

use BookStack\Exceptions\SamlException;

+use BookStack\Exceptions\UserRegistrationException;

use Exception;

use Illuminate\Support\Str;

use OneLogin\Saml2\Auth;

@@ -18,19 +18,17 @@ use OneLogin\Saml2\ValidationError;

class Saml2Service extends ExternalAuthService

{

protected $config;

- protected $userRepo;

+ protected $registrationService;

protected $user;

- protected $enabled;

/**

* Saml2Service constructor.

- public function __construct(UserRepo $userRepo, User $user)

+ public function __construct(RegistrationService $registrationService, User $user)

{

$this->config = config('saml2');

- $this->userRepo = $userRepo;

+ $this->registrationService = $registrationService;

$this->user = $user;

- $this->enabled = config('saml2.enabled') === true;

}

/**

@@ -80,13 +78,10 @@ class Saml2Service extends ExternalAuthService

* @throws SamlException

* @throws ValidationError

* @throws JsonDebugException

+ * @throws UserRegistrationException

public function processAcsResponse(?string $requestId): ?User

{

- if (is_null($requestId)) {

- throw new SamlException(trans('errors.saml_invalid_response_id'));

- }

$toolkit = $this->getToolkit();

$toolkit->processResponse($requestId);

$errors = $toolkit->getErrors();

@@ -208,7 +203,7 @@ class Saml2Service extends ExternalAuthService

protected function shouldSyncGroups(): bool

{

- return $this->enabled && $this->config['user_to_groups'] !== false;

+ return $this->config['user_to_groups'] !== false;

}

/**

@@ -251,17 +246,14 @@ class Saml2Service extends ExternalAuthService

/**

* Extract the details of a user from a SAML response.

- * @throws SamlException

- public function getUserDetails(string $samlID, $samlAttributes): array

+ protected function getUserDetails(string $samlID, $samlAttributes): array

{

$emailAttr = $this->config['email_attribute'];

$externalId = $this->getExternalId($samlAttributes, $samlID);

- $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);

- if ($email === null) {

- throw new SamlException(trans('errors.saml_no_email_address'));

- }

+ $defaultEmail = filter_var($samlID, FILTER_VALIDATE_EMAIL) ? $samlID : null;

+ $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, $defaultEmail);

return [

'external_id' => $externalId,

@@ -317,43 +309,26 @@ class Saml2Service extends ExternalAuthService

return $defaultValue;

}

- /**

- * Register a user that is authenticated but not already registered.

- */

- protected function registerUser(array $userDetails): User

- {

- // Create an array of the user data to create a new user instance

- $userData = [

- 'name' => $userDetails['name'],

- 'email' => $userDetails['email'],

- 'password' => Str::random(32),

- 'external_auth_id' => $userDetails['external_id'],

- 'email_confirmed' => true,

- ];

- $existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();

- if ($existingUser) {

- throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));

- }

- $user = $this->user->forceCreate($userData);

- $this->userRepo->attachDefaultRole($user);

- $this->userRepo->downloadAndAssignUserAvatar($user);

- return $user;

- }

/**

* Get the user from the database for the specified details.

+ * @throws SamlException

+ * @throws UserRegistrationException

protected function getOrRegisterUser(array $userDetails): ?User

{

- $isRegisterEnabled = $this->config['auto_register'] === true;

- $user = $this->user

- ->where('external_auth_id', $userDetails['external_id'])

+ $user = $this->user->newQuery()

+ ->where('external_auth_id', '=', $userDetails['external_id'])

->first();

- if ($user === null && $isRegisterEnabled) {

- $user = $this->registerUser($userDetails);

+ if (is_null($user)) {

+ $userData = [

+ 'name' => $userDetails['name'],

+ 'email' => $userDetails['email'],

+ 'password' => Str::random(32),

+ 'external_auth_id' => $userDetails['external_id'],

+ ];

+ $user = $this->registrationService->registerUser($userData, null, false);

}

return $user;

@@ -364,6 +339,7 @@ class Saml2Service extends ExternalAuthService

* they exist, optionally registering them automatically.

* @throws SamlException

* @throws JsonDebugException

+ * @throws UserRegistrationException

public function processLoginCallback(string $samlID, array $samlAttributes): User

{

@@ -372,11 +348,16 @@ class Saml2Service extends ExternalAuthService

if ($this->config['dump_user_details']) {

throw new JsonDebugException([

+ 'id_from_idp' => $samlID,

'attrs_from_idp' => $samlAttributes,

'attrs_after_parsing' => $userDetails,

]);

}

+ if ($userDetails['email'] === null) {

+ throw new SamlException(trans('errors.saml_no_email_address'));

+ }

if ($isLoggedIn) {

throw new SamlException(trans('errors.saml_already_logged_in'), '/login');

}