X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/03dbe32f9926b53c1a0c35534e57f526c5d2bc2b..refs/pull/2393/head:/app/Auth/Access/Saml2Service.php diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php index 95049efd2..0316ff976 100644 --- a/app/Auth/Access/Saml2Service.php +++ b/app/Auth/Access/Saml2Service.php @@ -1,114 +1,277 @@ config = config('services.saml'); - $this->userRepo = $userRepo; + $this->config = config('saml2'); + $this->registrationService = $registrationService; $this->user = $user; - $this->enabled = config('saml2_settings.enabled') === true; + } + + /** + * Initiate a login flow. + * @throws Error + */ + public function login(): array + { + $toolKit = $this->getToolkit(); + $returnRoute = url('/http/source.bookstackapp.com/saml2/acs'); + return [ + 'url' => $toolKit->login($returnRoute, [], false, false, true), + 'id' => $toolKit->getLastRequestID(), + ]; + } + + /** + * Initiate a logout flow. + * @throws Error + */ + public function logout(): array + { + $toolKit = $this->getToolkit(); + $returnRoute = url('/'); + + try { + $url = $toolKit->logout($returnRoute, [], null, null, true); + $id = $toolKit->getLastRequestID(); + } catch (Error $error) { + if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) { + throw $error; + } + + $this->actionLogout(); + $url = '/'; + $id = null; + } + + return ['url' => $url, 'id' => $id]; + } + + /** + * Process the ACS response from the idp and return the + * matching, or new if registration active, user matched to the idp. + * Returns null if not authenticated. + * @throws Error + * @throws SamlException + * @throws ValidationError + * @throws JsonDebugException + * @throws UserRegistrationException + */ + public function processAcsResponse(?string $requestId): ?User + { + $toolkit = $this->getToolkit(); + $toolkit->processResponse($requestId); + $errors = $toolkit->getErrors(); + + if (!empty($errors)) { + throw new Error( + 'Invalid ACS Response: '.implode(', ', $errors) + ); + } + + if (!$toolkit->isAuthenticated()) { + return null; + } + + $attrs = $toolkit->getAttributes(); + $id = $toolkit->getNameId(); + + return $this->processLoginCallback($id, $attrs); + } + + /** + * Process a response for the single logout service. + * @throws Error + */ + public function processSlsResponse(?string $requestId): ?string + { + $toolkit = $this->getToolkit(); + $redirect = $toolkit->processSLO(true, $requestId, false, null, true); + + $errors = $toolkit->getErrors(); + + if (!empty($errors)) { + throw new Error( + 'Invalid SLS Response: '.implode(', ', $errors) + ); + } + + $this->actionLogout(); + return $redirect; + } + + /** + * Do the required actions to log a user out. + */ + protected function actionLogout() + { + auth()->logout(); + session()->invalidate(); + } + + /** + * Get the metadata for this service provider. + * @throws Error + */ + public function metadata(): string + { + $toolKit = $this->getToolkit(); + $settings = $toolKit->getSettings(); + $metadata = $settings->getSPMetadata(); + $errors = $settings->validateMetadata($metadata); + + if (!empty($errors)) { + throw new Error( + 'Invalid SP metadata: '.implode(', ', $errors), + Error::METADATA_SP_INVALID + ); + } + + return $metadata; + } + + /** + * Load the underlying Onelogin SAML2 toolkit. + * @throws Error + * @throws Exception + */ + protected function getToolkit(): Auth + { + $settings = $this->config['onelogin']; + $overrides = $this->config['onelogin_overrides'] ?? []; + + if ($overrides && is_string($overrides)) { + $overrides = json_decode($overrides, true); + } + + $metaDataSettings = []; + if ($this->config['autoload_from_metadata']) { + $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']); + } + + $spSettings = $this->loadOneloginServiceProviderDetails(); + $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides); + return new Auth($settings); + } + + /** + * Load dynamic service provider options required by the onelogin toolkit. + */ + protected function loadOneloginServiceProviderDetails(): array + { + $spDetails = [ + 'entityId' => url('/http/source.bookstackapp.com/saml2/metadata'), + 'assertionConsumerService' => [ + 'url' => url('/http/source.bookstackapp.com/saml2/acs'), + ], + 'singleLogoutService' => [ + 'url' => url('/http/source.bookstackapp.com/saml2/sls') + ], + ]; + + return [ + 'baseurl' => url('/http/source.bookstackapp.com/saml2'), + 'sp' => $spDetails + ]; } /** * Check if groups should be synced. - * @return bool */ - public function shouldSyncGroups() + protected function shouldSyncGroups(): bool { - return $this->enabled && $this->config['user_to_groups'] !== false; + return $this->config['user_to_groups'] !== false; } - /** Calculate the display name - * @param array $samlAttributes - * @param string $defaultValue - * @return string + /** + * Calculate the display name */ - protected function getUserDisplayName(array $samlAttributes, string $defaultValue) + protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string { - $displayNameAttr = $this->config['display_name_attribute']; + $displayNameAttr = $this->config['display_name_attributes']; $displayName = []; foreach ($displayNameAttr as $dnAttr) { - $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null); - if ($dnComponent !== null) { - $displayName[] = $dnComponent; - } + $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null); + if ($dnComponent !== null) { + $displayName[] = $dnComponent; + } } if (count($displayName) == 0) { - $displayName = $defaultValue; + $displayName = $defaultValue; } else { - $displayName = implode(' ', $displayName); + $displayName = implode(' ', $displayName); } return $displayName; } - protected function getUserName(array $samlAttributes, string $defaultValue) + /** + * Get the value to use as the external id saved in BookStack + * used to link the user to an existing BookStack DB user. + */ + protected function getExternalId(array $samlAttributes, string $defaultValue) { - $userNameAttr = $this->config['user_name_attribute']; - + $userNameAttr = $this->config['external_id_attribute']; if ($userNameAttr === null) { - $userName = $defaultValue; - } else { - $userName = $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue); + return $defaultValue; } - return $userName; + return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue); } /** * Extract the details of a user from a SAML response. - * @param $samlID - * @param $samlAttributes - * @return array */ - public function getUserDetails($samlID, $samlAttributes) + protected function getUserDetails(string $samlID, $samlAttributes): array { $emailAttr = $this->config['email_attribute']; - $userName = $this->getUserName($samlAttributes, $samlID); + $externalId = $this->getExternalId($samlAttributes, $samlID); + + $defaultEmail = filter_var($samlID, FILTER_VALIDATE_EMAIL) ? $samlID : null; + $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, $defaultEmail); return [ - 'uid' => $userName, - 'name' => $this->getUserDisplayName($samlAttributes, $userName), - 'dn' => $samlID, - 'email' => $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null), + 'external_id' => $externalId, + 'name' => $this->getUserDisplayName($samlAttributes, $externalId), + 'email' => $email, + 'saml_id' => $samlID, ]; } /** * Get the groups a user is a part of from the SAML response. - * @param array $samlAttributes - * @return array */ - public function getUserGroups($samlAttributes) + public function getUserGroups(array $samlAttributes): array { $groupsAttr = $this->config['group_attribute']; - $userGroups = $samlAttributes[$groupsAttr]; + $userGroups = $samlAttributes[$groupsAttr] ?? null; if (!is_array($userGroups)) { $userGroups = []; @@ -118,95 +281,100 @@ class Saml2Service extends Access\ExternalAuthService } /** - * Get a property from an SAML response. - * Handles properties potentially being an array. - * @param array $userDetails - * @param string $propertyKey - * @param $defaultValue - * @return mixed + * For an array of strings, return a default for an empty array, + * a string for an array with one element and the full array for + * more than one element. */ - protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue) + protected function simplifyValue(array $data, $defaultValue) { - if (isset($samlAttributes[$propertyKey])) { - $data = $samlAttributes[$propertyKey]; - if (is_array($data)) { - if (count($data) == 0) { + switch (count($data)) { + case 0: $data = $defaultValue; - } else if (count($data) == 1) { + break; + case 1: $data = $data[0]; - } - } - } else { - $data = $defaultValue; + break; } - return $data; } /** - * Register a user that is authenticated but not - * already registered. - * @param array $userDetails - * @return User + * Get a property from an SAML response. + * Handles properties potentially being an array. */ - protected function registerUser($userDetails) + protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue) { - // Create an array of the user data to create a new user instance - $userData = [ - 'name' => $userDetails['name'], - 'email' => $userDetails['email'], - 'password' => str_random(30), - 'external_auth_id' => $userDetails['uid'], - 'email_confirmed' => true, - ]; + if (isset($samlAttributes[$propertyKey])) { + return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue); + } - $user = $this->user->forceCreate($userData); - $this->userRepo->attachDefaultRole($user); - $this->userRepo->downloadAndAssignUserAvatar($user); - return $user; + return $defaultValue; } /** * Get the user from the database for the specified details. - * @param array $userDetails - * @return User|null + * @throws UserRegistrationException */ - protected function getOrRegisterUser($userDetails) + protected function getOrRegisterUser(array $userDetails): ?User { - $isRegisterEnabled = config('services.saml.auto_register') === true; - $user = $this->user - ->where('external_auth_id', $userDetails['uid']) + $user = $this->user->newQuery() + ->where('external_auth_id', '=', $userDetails['external_id']) ->first(); - if ($user === null && $isRegisterEnabled) { - $user = $this->registerUser($userDetails); + if (is_null($user)) { + $userData = [ + 'name' => $userDetails['name'], + 'email' => $userDetails['email'], + 'password' => Str::random(32), + 'external_auth_id' => $userDetails['external_id'], + ]; + + $user = $this->registrationService->registerUser($userData, null, false); } return $user; } /** - * Process the SAML response for a user. Login the user when - * they exist, optionally registering them automatically. - * @param string $samlID - * @param array $samlAttributes + * Process the SAML response for a user. Login the user when + * they exist, optionally registering them automatically. + * @throws SamlException + * @throws JsonDebugException + * @throws UserRegistrationException */ - public function processLoginCallback($samlID, $samlAttributes) + public function processLoginCallback(string $samlID, array $samlAttributes): User { $userDetails = $this->getUserDetails($samlID, $samlAttributes); $isLoggedIn = auth()->check(); + if ($this->config['dump_user_details']) { + throw new JsonDebugException([ + 'id_from_idp' => $samlID, + 'attrs_from_idp' => $samlAttributes, + 'attrs_after_parsing' => $userDetails, + ]); + } + + if ($userDetails['email'] === null) { + throw new SamlException(trans('errors.saml_no_email_address')); + } + if ($isLoggedIn) { - logger()->error("Already logged in"); - } else { - $user = $this->getOrRegisterUser($userDetails); - if ($user === null) { - logger()->error("User does not exist"); - } else { - auth()->login($user); - } + throw new SamlException(trans('errors.saml_already_logged_in'), '/login'); + } + + $user = $this->getOrRegisterUser($userDetails); + if ($user === null) { + throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login'); + } + + if ($this->shouldSyncGroups()) { + $groups = $this->getUserGroups($samlAttributes); + $this->syncWithGroups($user, $groups); } + auth()->login($user); + Activity::add(ActivityType::AUTH_LOGIN, "saml2; {$user->logDescriptor()}"); return $user; } }