Guest create page: name field autofocus

[bookstack] / app / Auth / Access / Saml2Service.php

diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index c1038e7306b5955b24494e3cd385a2778f52ac5b..a95e3b1d2e8d410f510680b0911bc7307ebd2269 100644 (file)
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -1,12 +1,15 @@
-<?php namespace BookStack\Auth\Access;
+<?php
+
+namespace BookStack\Auth\Access;

 
 use BookStack\Auth\User;
 
 use BookStack\Auth\User;

-use BookStack\Auth\UserRepo;

 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;

+use BookStack\Exceptions\StoppedAuthenticationException;
+use BookStack\Exceptions\UserRegistrationException;

 use Exception;
 use Exception;

-use Illuminate\Support\Str;

 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Auth;

+use OneLogin\Saml2\Constants;

 use OneLogin\Saml2\Error;
 use OneLogin\Saml2\IdPMetadataParser;
 use OneLogin\Saml2\ValidationError;
 use OneLogin\Saml2\Error;
 use OneLogin\Saml2\IdPMetadataParser;
 use OneLogin\Saml2\ValidationError;


@@ -15,49 +18,59 @@ use OneLogin\Saml2\ValidationError;
  * Class Saml2Service
  * Handles any app-specific SAML tasks.
  */
  * Class Saml2Service
  * Handles any app-specific SAML tasks.
  */

-class Saml2Service extends ExternalAuthService
+class Saml2Service

 {
 {

-    protected $config;
-    protected $userRepo;
-    protected $user;
-    protected $enabled;
-
-    /**
-     * Saml2Service constructor.
-     */
-    public function __construct(UserRepo $userRepo, User $user)
-    {
+    protected array $config;
+    protected RegistrationService $registrationService;
+    protected LoginService $loginService;
+    protected GroupSyncService $groupSyncService;
+
+    public function __construct(
+        RegistrationService $registrationService,
+        LoginService $loginService,
+        GroupSyncService $groupSyncService
+    ) {

         $this->config = config('saml2');
         $this->config = config('saml2');

-        $this->userRepo = $userRepo;
-        $this->user = $user;
-        $this->enabled = config('saml2.enabled') === true;
+        $this->registrationService = $registrationService;
+        $this->loginService = $loginService;
+        $this->groupSyncService = $groupSyncService;

     }
 
     /**
      * Initiate a login flow.
     }
 
     /**
      * Initiate a login flow.

+     *

      * @throws Error
      */
     public function login(): array
     {
         $toolKit = $this->getToolkit();
         $returnRoute = url('/saml2/acs');
      * @throws Error
      */
     public function login(): array
     {
         $toolKit = $this->getToolkit();
         $returnRoute = url('/saml2/acs');

+

         return [
             'url' => $toolKit->login($returnRoute, [], false, false, true),
         return [
             'url' => $toolKit->login($returnRoute, [], false, false, true),

-            'id' => $toolKit->getLastRequestID(),
+            'id'  => $toolKit->getLastRequestID(),

         ];
     }
 
     /**
      * Initiate a logout flow.
         ];
     }
 
     /**
      * Initiate a logout flow.

+     *

      * @throws Error
      */
      * @throws Error
      */

-    public function logout(): array
+    public function logout(User $user): array

     {
         $toolKit = $this->getToolkit();
         $returnRoute = url('/');
 
         try {
     {
         $toolKit = $this->getToolkit();
         $returnRoute = url('/');
 
         try {

-            $url = $toolKit->logout($returnRoute, [], null, null, true);
+            $url = $toolKit->logout(
+                $returnRoute,
+                [],
+                $user->email,
+                null,
+                true,
+                Constants::NAMEID_EMAIL_ADDRESS
+            );

             $id = $toolKit->getLastRequestID();
         } catch (Error $error) {
             if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
             $id = $toolKit->getLastRequestID();
         } catch (Error $error) {
             if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {


@@ -76,21 +89,27 @@ class Saml2Service extends ExternalAuthService
      * Process the ACS response from the idp and return the
      * matching, or new if registration active, user matched to the idp.
      * Returns null if not authenticated.
      * Process the ACS response from the idp and return the
      * matching, or new if registration active, user matched to the idp.
      * Returns null if not authenticated.

+     *

      * @throws Error
      * @throws SamlException
      * @throws ValidationError
      * @throws JsonDebugException
      * @throws Error
      * @throws SamlException
      * @throws ValidationError
      * @throws JsonDebugException

+     * @throws UserRegistrationException

      */
      */

-    public function processAcsResponse(?string $requestId): ?User
+    public function processAcsResponse(?string $requestId, string $samlResponse): ?User

     {
     {

+        // The SAML2 toolkit expects the response to be within the $_POST superglobal
+        // so we need to manually put it back there at this point.
+        $_POST['SAMLResponse'] = $samlResponse;

         $toolkit = $this->getToolkit();
         $toolkit->processResponse($requestId);
         $errors = $toolkit->getErrors();
 
         if (!empty($errors)) {
         $toolkit = $this->getToolkit();
         $toolkit->processResponse($requestId);
         $errors = $toolkit->getErrors();
 
         if (!empty($errors)) {

-            throw new Error(
-                'Invalid ACS Response: '.implode(', ', $errors)
-            );
+            $reason = $toolkit->getLastErrorReason();
+            $message = 'Invalid ACS Response; Errors: ' . implode(', ', $errors);
+            $message .= $reason ? "; Reason: {$reason}" : '';
+            throw new Error($message);

         }
 
         if (!$toolkit->isAuthenticated()) {
         }
 
         if (!$toolkit->isAuthenticated()) {


@@ -105,22 +124,29 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Process a response for the single logout service.
 
     /**
      * Process a response for the single logout service.

+     *

      * @throws Error
      */
     public function processSlsResponse(?string $requestId): ?string
     {
         $toolkit = $this->getToolkit();
      * @throws Error
      */
     public function processSlsResponse(?string $requestId): ?string
     {
         $toolkit = $this->getToolkit();

-        $redirect = $toolkit->processSLO(true, $requestId, false, null, true);

 
 

+        // The $retrieveParametersFromServer in the call below will mean the library will take the query
+        // parameters, used for the response signing, from the raw $_SERVER['QUERY_STRING']
+        // value so that the exact encoding format is matched when checking the signature.
+        // This is primarily due to ADFS encoding query params with lowercase percent encoding while
+        // PHP (And most other sensible providers) standardise on uppercase.
+        $redirect = $toolkit->processSLO(true, $requestId, true, null, true);

         $errors = $toolkit->getErrors();
 
         if (!empty($errors)) {
             throw new Error(
         $errors = $toolkit->getErrors();
 
         if (!empty($errors)) {
             throw new Error(

-                'Invalid SLS Response: '.implode(', ', $errors)
+                'Invalid SLS Response: ' . implode(', ', $errors)

             );
         }
 
         $this->actionLogout();
             );
         }
 
         $this->actionLogout();

+

         return $redirect;
     }
 
         return $redirect;
     }
 


@@ -135,18 +161,19 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Get the metadata for this service provider.
 
     /**
      * Get the metadata for this service provider.

+     *

      * @throws Error
      */
     public function metadata(): string
     {
      * @throws Error
      */
     public function metadata(): string
     {

-        $toolKit = $this->getToolkit();
+        $toolKit = $this->getToolkit(true);

         $settings = $toolKit->getSettings();
         $metadata = $settings->getSPMetadata();
         $errors = $settings->validateMetadata($metadata);
 
         if (!empty($errors)) {
             throw new Error(
         $settings = $toolKit->getSettings();
         $metadata = $settings->getSPMetadata();
         $errors = $settings->validateMetadata($metadata);
 
         if (!empty($errors)) {
             throw new Error(

-                'Invalid SP metadata: '.implode(', ', $errors),
+                'Invalid SP metadata: ' . implode(', ', $errors),

                 Error::METADATA_SP_INVALID
             );
         }
                 Error::METADATA_SP_INVALID
             );
         }


@@ -156,10 +183,11 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Load the underlying Onelogin SAML2 toolkit.
 
     /**
      * Load the underlying Onelogin SAML2 toolkit.

+     *

      * @throws Error
      * @throws Exception
      */
      * @throws Error
      * @throws Exception
      */

-    protected function getToolkit(): Auth
+    protected function getToolkit(bool $spOnly = false): Auth

     {
         $settings = $this->config['onelogin'];
         $overrides = $this->config['onelogin_overrides'] ?? [];
     {
         $settings = $this->config['onelogin'];
         $overrides = $this->config['onelogin_overrides'] ?? [];


@@ -169,13 +197,14 @@ class Saml2Service extends ExternalAuthService
         }
 
         $metaDataSettings = [];
         }
 
         $metaDataSettings = [];

-        if ($this->config['autoload_from_metadata']) {
+        if (!$spOnly && $this->config['autoload_from_metadata']) {

             $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']);
         }
 
         $spSettings = $this->loadOneloginServiceProviderDetails();
         $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);
             $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']);
         }
 
         $spSettings = $this->loadOneloginServiceProviderDetails();
         $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);

-        return new Auth($settings);
+
+        return new Auth($settings, $spOnly);

     }
 
     /**
     }
 
     /**


@@ -184,18 +213,18 @@ class Saml2Service extends ExternalAuthService
     protected function loadOneloginServiceProviderDetails(): array
     {
         $spDetails = [
     protected function loadOneloginServiceProviderDetails(): array
     {
         $spDetails = [

-            'entityId' => url('/saml2/metadata'),
+            'entityId'                 => url('/saml2/metadata'),

             'assertionConsumerService' => [
                 'url' => url('/saml2/acs'),
             ],
             'singleLogoutService' => [
             'assertionConsumerService' => [
                 'url' => url('/saml2/acs'),
             ],
             'singleLogoutService' => [

-                'url' => url('/saml2/sls')
+                'url' => url('/saml2/sls'),

             ],
         ];
 
         return [
             'baseurl' => url('/saml2'),
             ],
         ];
 
         return [
             'baseurl' => url('/saml2'),

-            'sp' => $spDetails
+            'sp'      => $spDetails,

         ];
     }
 
         ];
     }
 


@@ -204,11 +233,11 @@ class Saml2Service extends ExternalAuthService
      */
     protected function shouldSyncGroups(): bool
     {
      */
     protected function shouldSyncGroups(): bool
     {

-        return $this->enabled && $this->config['user_to_groups'] !== false;
+        return $this->config['user_to_groups'] !== false;

     }
 
     /**
     }
 
     /**

-     * Calculate the display name
+     * Calculate the display name.

      */
     protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
     {
      */
     protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
     {


@@ -247,8 +276,10 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Extract the details of a user from a SAML response.
 
     /**
      * Extract the details of a user from a SAML response.

+     *
+     * @return array{external_id: string, name: string, email: string, saml_id: string}

      */
      */

-    public function getUserDetails(string $samlID, $samlAttributes): array
+    protected function getUserDetails(string $samlID, $samlAttributes): array

     {
         $emailAttr = $this->config['email_attribute'];
         $externalId = $this->getExternalId($samlAttributes, $samlID);
     {
         $emailAttr = $this->config['email_attribute'];
         $externalId = $this->getExternalId($samlAttributes, $samlID);


@@ -258,9 +289,9 @@ class Saml2Service extends ExternalAuthService
 
         return [
             'external_id' => $externalId,
 
         return [
             'external_id' => $externalId,

-            'name' => $this->getUserDisplayName($samlAttributes, $externalId),
-            'email' => $email,
-            'saml_id' => $samlID,
+            'name'        => $this->getUserDisplayName($samlAttributes, $externalId),
+            'email'       => $email,
+            'saml_id'     => $samlID,

         ];
     }
 
         ];
     }
 


@@ -294,6 +325,7 @@ class Saml2Service extends ExternalAuthService
                 $data = $data[0];
                 break;
         }
                 $data = $data[0];
                 break;
         }

+

         return $data;
     }
 
         return $data;
     }
 


@@ -310,53 +342,14 @@ class Saml2Service extends ExternalAuthService
         return $defaultValue;
     }
 
         return $defaultValue;
     }
 

-    /**
-     *  Register a user that is authenticated but not already registered.
-     */
-    protected function registerUser(array $userDetails): User
-    {
-        // Create an array of the user data to create a new user instance
-        $userData = [
-            'name' => $userDetails['name'],
-            'email' => $userDetails['email'],
-            'password' => Str::random(32),
-            'external_auth_id' => $userDetails['external_id'],
-            'email_confirmed' => true,
-        ];
-
-        $existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();
-        if ($existingUser) {
-            throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));
-        }
-
-        $user = $this->user->forceCreate($userData);
-        $this->userRepo->attachDefaultRole($user);
-        $this->userRepo->downloadAndAssignUserAvatar($user);
-        return $user;
-    }
-
-    /**
-     * Get the user from the database for the specified details.
-     */
-    protected function getOrRegisterUser(array $userDetails): ?User
-    {
-        $isRegisterEnabled = $this->config['auto_register'] === true;
-        $user = $this->user
-          ->where('external_auth_id', $userDetails['external_id'])
-          ->first();
-
-        if ($user === null && $isRegisterEnabled) {
-            $user = $this->registerUser($userDetails);
-        }
-
-        return $user;
-    }
-

     /**
      * Process the SAML response for a user. Login the user when
      * they exist, optionally registering them automatically.
     /**
      * Process the SAML response for a user. Login the user when
      * they exist, optionally registering them automatically.

+     *

      * @throws SamlException
      * @throws JsonDebugException
      * @throws SamlException
      * @throws JsonDebugException

+     * @throws UserRegistrationException
+     * @throws StoppedAuthenticationException

      */
     public function processLoginCallback(string $samlID, array $samlAttributes): User
     {
      */
     public function processLoginCallback(string $samlID, array $samlAttributes): User
     {


@@ -365,8 +358,8 @@ class Saml2Service extends ExternalAuthService
 
         if ($this->config['dump_user_details']) {
             throw new JsonDebugException([
 
         if ($this->config['dump_user_details']) {
             throw new JsonDebugException([

-                'id_from_idp' => $samlID,
-                'attrs_from_idp' => $samlAttributes,
+                'id_from_idp'         => $samlID,
+                'attrs_from_idp'      => $samlAttributes,

                 'attrs_after_parsing' => $userDetails,
             ]);
         }
                 'attrs_after_parsing' => $userDetails,
             ]);
         }


@@ -379,17 +372,23 @@ class Saml2Service extends ExternalAuthService
             throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
         }
 
             throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
         }
 

-        $user = $this->getOrRegisterUser($userDetails);
+        $user = $this->registrationService->findOrRegister(
+            $userDetails['name'],
+            $userDetails['email'],
+            $userDetails['external_id']
+        );
+

         if ($user === null) {
             throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
         }
 
         if ($this->shouldSyncGroups()) {
             $groups = $this->getUserGroups($samlAttributes);
         if ($user === null) {
             throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
         }
 
         if ($this->shouldSyncGroups()) {
             $groups = $this->getUserGroups($samlAttributes);

-            $this->syncWithGroups($user, $groups);
+            $this->groupSyncService->syncUserWithFoundGroups($user, $groups, $this->config['remove_from_groups']);

         }
 
         }
 

-        auth()->login($user);
+        $this->loginService->login($user, 'saml2');
+

         return $user;
     }
 }
         return $user;
     }
 }