BookStack Code Mirror - bookstack/blobdiff - app/Auth/Access/Saml2Service.php

-<?php namespace BookStack\Auth\Access;

+<?php

+

+namespace BookStack\Auth\Access;

-use BookStack\Auth\Access;

-use BookStack\Auth\Role;

use BookStack\Auth\User;

-use BookStack\Auth\UserRepo;

+use BookStack\Exceptions\JsonDebugException;

use BookStack\Exceptions\SamlException;

-use Illuminate\Contracts\Auth\Authenticatable;

-use Illuminate\Database\Eloquent\Builder;

-use Illuminate\Support\Facades\Auth;

-use Illuminate\Support\Facades\Log;

-

+use BookStack\Exceptions\StoppedAuthenticationException;

+use BookStack\Exceptions\UserRegistrationException;

+use Exception;

+use OneLogin\Saml2\Auth;

+use OneLogin\Saml2\Constants;

+use OneLogin\Saml2\Error;

+use OneLogin\Saml2\IdPMetadataParser;

+use OneLogin\Saml2\ValidationError;

/**

* Class Saml2Service

* Handles any app-specific SAML tasks.

/**

* Class Saml2Service

* Handles any app-specific SAML tasks.

- * @package BookStack\Services

*/

class Saml2Service

{

*/

class Saml2Service

{

- protected $config;

- protected $userRepo;

- protected $user;

- protected $enabled;

+ protected array $config;

+ protected RegistrationService $registrationService;

+ protected LoginService $loginService;

+ protected GroupSyncService $groupSyncService;

+

+ public function __construct(

+ RegistrationService $registrationService,

+ LoginService $loginService,

+ GroupSyncService $groupSyncService

+ ) {

+ $this->config = config('saml2');

+ $this->registrationService = $registrationService;

+ $this->loginService = $loginService;

+ $this->groupSyncService = $groupSyncService;

+ }

/**

- * Saml2Service constructor.

- * @param \BookStack\Auth\UserRepo $userRepo

+ * Initiate a login flow.

+ *

+ * @throws Error

*/

- public function __construct(UserRepo $userRepo, User $user)

+ public function login(): array

{

- $this->config = config('services.saml');

- $this->userRepo = $userRepo;

- $this->user = $user;

- $this->enabled = config('saml2_settings.enabled') === true;

+ $toolKit = $this->getToolkit();

+ $returnRoute = url('/saml2/acs');

+

+ return [

+ 'url' => $toolKit->login($returnRoute, [], false, false, true),

+ 'id' => $toolKit->getLastRequestID(),

+ ];

}

/**

}

/**

- * Check if groups should be synced.

- * @return bool

+ * Initiate a logout flow.

+ *

+ * @throws Error

*/

- public function shouldSyncGroups()

+ public function logout(User $user): array

{

- return $this->enabled && $this->config['user_to_groups'] !== false;

+ $toolKit = $this->getToolkit();

+ $returnRoute = url('/');

+

+ try {

+ $url = $toolKit->logout(

+ $returnRoute,

+ [],

+ $user->email,

+ null,

+ true,

+ Constants::NAMEID_EMAIL_ADDRESS

+ );

+ $id = $toolKit->getLastRequestID();

+ } catch (Error $error) {

+ if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {

+ throw $error;

+ }

+

+ $this->actionLogout();

+ $url = '/';

+ $id = null;

+ }

+

+ return ['url' => $url, 'id' => $id];

}

/**

}

/**

- * Extract the details of a user from a SAML response.

- * @param $samlID

- * @param $samlAttributes

- * @return array

+ * Process the ACS response from the idp and return the

+ * matching, or new if registration active, user matched to the idp.

+ * Returns null if not authenticated.

+ *

+ * @throws Error

+ * @throws SamlException

+ * @throws ValidationError

+ * @throws JsonDebugException

+ * @throws UserRegistrationException

*/

- public function getUserDetails($samlID, $samlAttributes)

+ public function processAcsResponse(?string $requestId, string $samlResponse): ?User

{

- $emailAttr = $this->config['email_attribute'];

- $displayNameAttr = $this->config['display_name_attribute'];

- $userNameAttr = $this->config['user_name_attribute'];

-

- $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);

-

- if ($userNameAttr === null) {

- $userName = $samlID;

- } else {

- $userName = $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $samlID);

+ // The SAML2 toolkit expects the response to be within the $_POST superglobal

+ // so we need to manually put it back there at this point.

+ $_POST['SAMLResponse'] = $samlResponse;

+ $toolkit = $this->getToolkit();

+ $toolkit->processResponse($requestId);

+ $errors = $toolkit->getErrors();

+

+ if (!empty($errors)) {

+ $reason = $toolkit->getLastErrorReason();

+ $message = 'Invalid ACS Response; Errors: ' . implode(', ', $errors);

+ $message .= $reason ? "; Reason: {$reason}" : '';

+ throw new Error($message);

}

- $displayName = [];

- foreach ($displayNameAttr as $dnAttr) {

- $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);

- if ($dnComponent !== null) {

- $displayName[] = $dnComponent;

- }

+ if (!$toolkit->isAuthenticated()) {

+ return null;

}

- if (count($displayName) == 0) {

- $displayName = $userName;

- } else {

- $displayName = implode(' ', $displayName);

+ $attrs = $toolkit->getAttributes();

+ $id = $toolkit->getNameId();

+

+ return $this->processLoginCallback($id, $attrs);

+ }

+

+ /**

+ * Process a response for the single logout service.

+ *

+ * @throws Error

+ */

+ public function processSlsResponse(?string $requestId): ?string

+ {

+ $toolkit = $this->getToolkit();

+

+ // The $retrieveParametersFromServer in the call below will mean the library will take the query

+ // parameters, used for the response signing, from the raw $_SERVER['QUERY_STRING']

+ // value so that the exact encoding format is matched when checking the signature.

+ // This is primarily due to ADFS encoding query params with lowercase percent encoding while

+ // PHP (And most other sensible providers) standardise on uppercase.

+ $redirect = $toolkit->processSLO(true, $requestId, true, null, true);

+ $errors = $toolkit->getErrors();

+

+ if (!empty($errors)) {

+ throw new Error(

+ 'Invalid SLS Response: ' . implode(', ', $errors)

+ );

}

- return [

- 'uid' => $userName,

- 'name' => $displayName,

- 'dn' => $samlID,

- 'email' => $email,

- ];

+ $this->actionLogout();

+

+ return $redirect;

}

/**

}

/**

- * Get the groups a user is a part of from the SAML response.

- * @param array $samlAttributes

- * @return array

+ * Do the required actions to log a user out.

*/

- public function getUserGroups($samlAttributes)

+ protected function actionLogout()

{

- $groupsAttr = $this->config['group_attribute'];

- $userGroups = $samlAttributes[$groupsAttr];

+ auth()->logout();

+ session()->invalidate();

+ }

- if (!is_array($userGroups)) {

- $userGroups = [];

+ /**

+ * Get the metadata for this service provider.

+ *

+ * @throws Error

+ */

+ public function metadata(): string

+ {

+ $toolKit = $this->getToolkit(true);

+ $settings = $toolKit->getSettings();

+ $metadata = $settings->getSPMetadata();

+ $errors = $settings->validateMetadata($metadata);

+

+ if (!empty($errors)) {

+ throw new Error(

+ 'Invalid SP metadata: ' . implode(', ', $errors),

+ Error::METADATA_SP_INVALID

+ );

}

- return $userGroups;

+ return $metadata;

}

/**

}

/**

- * Get a property from an SAML response.

- * Handles properties potentially being an array.

- * @param array $userDetails

- * @param string $propertyKey

- * @param $defaultValue

- * @return mixed

+ * Load the underlying Onelogin SAML2 toolkit.

+ *

+ * @throws Error

+ * @throws Exception

*/

- protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)

+ protected function getToolkit(bool $spOnly = false): Auth

{

- if (isset($samlAttributes[$propertyKey])) {

- $data = $samlAttributes[$propertyKey];

- if (!is_array($data)) {

- return $data;

- } else if (count($data) == 0) {

- return $defaultValue;

- } else if (count($data) == 1) {

- return $data[0];

- } else {

- return $data;

- }

+ $settings = $this->config['onelogin'];

+ $overrides = $this->config['onelogin_overrides'] ?? [];

+

+ if ($overrides && is_string($overrides)) {

+ $overrides = json_decode($overrides, true);

}

- return $defaultValue;

+ $metaDataSettings = [];

+ if (!$spOnly && $this->config['autoload_from_metadata']) {

+ $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']);

+ }

+

+ $spSettings = $this->loadOneloginServiceProviderDetails();

+ $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);

+

+ return new Auth($settings, $spOnly);

}

- protected function registerUser($userDetails) {

+ /**

+ * Load dynamic service provider options required by the onelogin toolkit.

+ */

+ protected function loadOneloginServiceProviderDetails(): array

+ {

+ $spDetails = [

+ 'entityId' => url('/saml2/metadata'),

+ 'assertionConsumerService' => [

+ 'url' => url('/saml2/acs'),

+ ],

+ 'singleLogoutService' => [

+ 'url' => url('/saml2/sls'),

+ ],

+ ];

- // Create an array of the user data to create a new user instance

- $userData = [

- 'name' => $userDetails['name'],

- 'email' => $userDetails['email'],

- 'password' => str_random(30),

- 'external_auth_id' => $userDetails['uid'],

- 'email_confirmed' => true,

+ return [

+ 'baseurl' => url('/saml2'),

+ 'sp' => $spDetails,

];

+ }

- $user = $this->user->forceCreate($userData);

- $this->userRepo->attachDefaultRole($user);

- $this->userRepo->downloadAndAssignUserAvatar($user);

- return $user;

+ /**

+ * Check if groups should be synced.

+ */

+ protected function shouldSyncGroups(): bool

+ {

+ return $this->config['user_to_groups'] !== false;

}

- public function processLoginCallback($samlID, $samlAttributes) {

+ /**

+ * Calculate the display name.

+ */

+ protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string

+ {

+ $displayNameAttr = $this->config['display_name_attributes'];

- $userDetails = $this->getUserDetails($samlID, $samlAttributes);

- $user = $this->user

- ->where('external_auth_id', $userDetails['uid'])

- ->first();

+ $displayName = [];

+ foreach ($displayNameAttr as $dnAttr) {

+ $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);

+ if ($dnComponent !== null) {

+ $displayName[] = $dnComponent;

+ }

- $isLoggedIn = auth()->check();

+ if (count($displayName) == 0) {

+ $displayName = $defaultValue;

+ } else {

+ $displayName = implode(' ', $displayName);

+ }

- if (!$isLoggedIn) {

- if ($user === null && config('services.saml.auto_register') === true) {

- $user = $this->registerUser($userDetails);

- }

+ return $displayName;

+ }

- if ($user !== null) {

- auth()->login($user);

- }

+ /**

+ * Get the value to use as the external id saved in BookStack

+ * used to link the user to an existing BookStack DB user.

+ */

+ protected function getExternalId(array $samlAttributes, string $defaultValue)

+ {

+ $userNameAttr = $this->config['external_id_attribute'];

+ if ($userNameAttr === null) {

+ return $defaultValue;

}

- return $user;

+ return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);

}

/**

}

/**

- * Sync the SAML groups to the user roles for the current user

- * @param \BookStack\Auth\User $user

- * @param array $samlAttributes

+ * Extract the details of a user from a SAML response.

+ *

+ * @return array{external_id: string, name: string, email: string, saml_id: string}

*/

- public function syncGroups(User $user, array $samlAttributes)

+ protected function getUserDetails(string $samlID, $samlAttributes): array

{

- $userSamlGroups = $this->getUserGroups($samlAttributes);

+ $emailAttr = $this->config['email_attribute'];

+ $externalId = $this->getExternalId($samlAttributes, $samlID);

- // Get the ids for the roles from the names

- $samlGroupsAsRoles = $this->matchSamlGroupsToSystemsRoles($userSamlGroups);

+ $defaultEmail = filter_var($samlID, FILTER_VALIDATE_EMAIL) ? $samlID : null;

+ $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, $defaultEmail);

- // Sync groups

- if ($this->config['remove_from_groups']) {

- $user->roles()->sync($samlGroupsAsRoles);

- $this->userRepo->attachDefaultRole($user);

- } else {

- $user->roles()->syncWithoutDetaching($samlGroupsAsRoles);

- }

+ return [

+ 'external_id' => $externalId,

+ 'name' => $this->getUserDisplayName($samlAttributes, $externalId),

+ 'email' => $email,

+ 'saml_id' => $samlID,

+ ];

}

/**

}

/**

- * Match an array of group names from SAML to BookStack system roles.

- * Formats group names to be lower-case and hyphenated.

- * @param array $groupNames

- * @return \Illuminate\Support\Collection

+ * Get the groups a user is a part of from the SAML response.

*/

- protected function matchSamlGroupsToSystemsRoles(array $groupNames)

+ public function getUserGroups(array $samlAttributes): array

{

- foreach ($groupNames as $i => $groupName) {

- $groupNames[$i] = str_replace(' ', '-', trim(strtolower($groupName)));

+ $groupsAttr = $this->config['group_attribute'];

+ $userGroups = $samlAttributes[$groupsAttr] ?? null;

+

+ if (!is_array($userGroups)) {

+ $userGroups = [];

}

- $roles = Role::query()->where(function (Builder $query) use ($groupNames) {

- $query->whereIn('name', $groupNames);

- foreach ($groupNames as $groupName) {

- $query->orWhere('external_auth_id', 'LIKE', '%' . $groupName . '%');

- }

- })->get();

+ return $userGroups;

+ }

- $matchedRoles = $roles->filter(function (Role $role) use ($groupNames) {

- return $this->roleMatchesGroupNames($role, $groupNames);

- });

+ /**

+ * For an array of strings, return a default for an empty array,

+ * a string for an array with one element and the full array for

+ * more than one element.

+ */

+ protected function simplifyValue(array $data, $defaultValue)

+ {

+ switch (count($data)) {

+ case 0:

+ $data = $defaultValue;

+ break;

+ case 1:

+ $data = $data[0];

+ break;

+ }

- return $matchedRoles->pluck('id');

+ return $data;

}

/**

}

/**

- * Check a role against an array of group names to see if it matches.

- * Checked against role 'external_auth_id' if set otherwise the name of the role.

- * @param \BookStack\Auth\Role $role

- * @param array $groupNames

- * @return bool

+ * Get a property from an SAML response.

+ * Handles properties potentially being an array.

*/

- protected function roleMatchesGroupNames(Role $role, array $groupNames)

+ protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)

{

- if ($role->external_auth_id) {

- $externalAuthIds = explode(',', strtolower($role->external_auth_id));

- foreach ($externalAuthIds as $externalAuthId) {

- if (in_array(trim($externalAuthId), $groupNames)) {

- return true;

- }

- return false;

+ if (isset($samlAttributes[$propertyKey])) {

+ return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue);

}

- $roleName = str_replace(' ', '-', trim(strtolower($role->display_name)));

- return in_array($roleName, $groupNames);

+ return $defaultValue;

}

+ /**

+ * Process the SAML response for a user. Login the user when

+ * they exist, optionally registering them automatically.

+ *

+ * @throws SamlException

+ * @throws JsonDebugException

+ * @throws UserRegistrationException

+ * @throws StoppedAuthenticationException

+ */

+ public function processLoginCallback(string $samlID, array $samlAttributes): User

+ {

+ $userDetails = $this->getUserDetails($samlID, $samlAttributes);

+ $isLoggedIn = auth()->check();

+

+ if ($this->config['dump_user_details']) {

+ throw new JsonDebugException([

+ 'id_from_idp' => $samlID,

+ 'attrs_from_idp' => $samlAttributes,

+ 'attrs_after_parsing' => $userDetails,

+ ]);

+ }

+

+ if ($userDetails['email'] === null) {

+ throw new SamlException(trans('errors.saml_no_email_address'));

+ }

+

+ if ($isLoggedIn) {

+ throw new SamlException(trans('errors.saml_already_logged_in'), '/login');

+ }

+

+ $user = $this->registrationService->findOrRegister(

+ $userDetails['name'],

+ $userDetails['email'],

+ $userDetails['external_id']

+ );

+

+ if ($user === null) {

+ throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');

+ }

+

+ if ($this->shouldSyncGroups()) {

+ $groups = $this->getUserGroups($samlAttributes);

+ $this->groupSyncService->syncUserWithFoundGroups($user, $groups, $this->config['remove_from_groups']);

+ }

+

+ $this->loginService->login($user, 'saml2');

+

+ return $user;

+ }

}