X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/03dbe32f9926b53c1a0c35534e57f526c5d2bc2b..refs/pull/2393/head:/app/Auth/Access/Saml2Service.php

diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index 95049efd2..0316ff976 100644
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -1,114 +1,277 @@
 <?php namespace BookStack\Auth\Access;
 
-use BookStack\Auth\Access;
+use BookStack\Actions\ActivityType;
 use BookStack\Auth\User;
-use BookStack\Auth\UserRepo;
+use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
-use Illuminate\Contracts\Auth\Authenticatable;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Facades\Log;
-
+use BookStack\Exceptions\UserRegistrationException;
+use BookStack\Facades\Activity;
+use Exception;
+use Illuminate\Support\Str;
+use OneLogin\Saml2\Auth;
+use OneLogin\Saml2\Error;
+use OneLogin\Saml2\IdPMetadataParser;
+use OneLogin\Saml2\ValidationError;
 
 /**
  * Class Saml2Service
  * Handles any app-specific SAML tasks.
- * @package BookStack\Services
  */
-class Saml2Service extends Access\ExternalAuthService
+class Saml2Service extends ExternalAuthService
 {
     protected $config;
-    protected $userRepo;
+    protected $registrationService;
     protected $user;
-    protected $enabled;
 
     /**
      * Saml2Service constructor.
-     * @param \BookStack\Auth\UserRepo $userRepo
      */
-    public function __construct(UserRepo $userRepo, User $user)
+    public function __construct(RegistrationService $registrationService, User $user)
     {
-        $this->config = config('services.saml');
-        $this->userRepo = $userRepo;
+        $this->config = config('saml2');
+        $this->registrationService = $registrationService;
         $this->user = $user;
-        $this->enabled = config('saml2_settings.enabled') === true;
+    }
+
+    /**
+     * Initiate a login flow.
+     * @throws Error
+     */
+    public function login(): array
+    {
+        $toolKit = $this->getToolkit();
+        $returnRoute = url('/http/source.bookstackapp.com/saml2/acs');
+        return [
+            'url' => $toolKit->login($returnRoute, [], false, false, true),
+            'id' => $toolKit->getLastRequestID(),
+        ];
+    }
+
+    /**
+     * Initiate a logout flow.
+     * @throws Error
+     */
+    public function logout(): array
+    {
+        $toolKit = $this->getToolkit();
+        $returnRoute = url('/');
+
+        try {
+            $url = $toolKit->logout($returnRoute, [], null, null, true);
+            $id = $toolKit->getLastRequestID();
+        } catch (Error $error) {
+            if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
+                throw $error;
+            }
+
+            $this->actionLogout();
+            $url = '/';
+            $id = null;
+        }
+
+        return ['url' => $url, 'id' => $id];
+    }
+
+    /**
+     * Process the ACS response from the idp and return the
+     * matching, or new if registration active, user matched to the idp.
+     * Returns null if not authenticated.
+     * @throws Error
+     * @throws SamlException
+     * @throws ValidationError
+     * @throws JsonDebugException
+     * @throws UserRegistrationException
+     */
+    public function processAcsResponse(?string $requestId): ?User
+    {
+        $toolkit = $this->getToolkit();
+        $toolkit->processResponse($requestId);
+        $errors = $toolkit->getErrors();
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid ACS Response: '.implode(', ', $errors)
+            );
+        }
+
+        if (!$toolkit->isAuthenticated()) {
+            return null;
+        }
+
+        $attrs = $toolkit->getAttributes();
+        $id = $toolkit->getNameId();
+
+        return $this->processLoginCallback($id, $attrs);
+    }
+
+    /**
+     * Process a response for the single logout service.
+     * @throws Error
+     */
+    public function processSlsResponse(?string $requestId): ?string
+    {
+        $toolkit = $this->getToolkit();
+        $redirect = $toolkit->processSLO(true, $requestId, false, null, true);
+
+        $errors = $toolkit->getErrors();
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid SLS Response: '.implode(', ', $errors)
+            );
+        }
+
+        $this->actionLogout();
+        return $redirect;
+    }
+
+    /**
+     * Do the required actions to log a user out.
+     */
+    protected function actionLogout()
+    {
+        auth()->logout();
+        session()->invalidate();
+    }
+
+    /**
+     * Get the metadata for this service provider.
+     * @throws Error
+     */
+    public function metadata(): string
+    {
+        $toolKit = $this->getToolkit();
+        $settings = $toolKit->getSettings();
+        $metadata = $settings->getSPMetadata();
+        $errors = $settings->validateMetadata($metadata);
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid SP metadata: '.implode(', ', $errors),
+                Error::METADATA_SP_INVALID
+            );
+        }
+
+        return $metadata;
+    }
+
+    /**
+     * Load the underlying Onelogin SAML2 toolkit.
+     * @throws Error
+     * @throws Exception
+     */
+    protected function getToolkit(): Auth
+    {
+        $settings = $this->config['onelogin'];
+        $overrides = $this->config['onelogin_overrides'] ?? [];
+
+        if ($overrides && is_string($overrides)) {
+            $overrides = json_decode($overrides, true);
+        }
+
+        $metaDataSettings = [];
+        if ($this->config['autoload_from_metadata']) {
+            $metaDataSettings = IdPMetadataParser::parseRemoteXML($settings['idp']['entityId']);
+        }
+
+        $spSettings = $this->loadOneloginServiceProviderDetails();
+        $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);
+        return new Auth($settings);
+    }
+
+    /**
+     * Load dynamic service provider options required by the onelogin toolkit.
+     */
+    protected function loadOneloginServiceProviderDetails(): array
+    {
+        $spDetails = [
+            'entityId' => url('/http/source.bookstackapp.com/saml2/metadata'),
+            'assertionConsumerService' => [
+                'url' => url('/http/source.bookstackapp.com/saml2/acs'),
+            ],
+            'singleLogoutService' => [
+                'url' => url('/http/source.bookstackapp.com/saml2/sls')
+            ],
+        ];
+
+        return [
+            'baseurl' => url('/http/source.bookstackapp.com/saml2'),
+            'sp' => $spDetails
+        ];
     }
 
     /**
      * Check if groups should be synced.
-     * @return bool
      */
-    public function shouldSyncGroups()
+    protected function shouldSyncGroups(): bool
     {
-        return $this->enabled && $this->config['user_to_groups'] !== false;
+        return $this->config['user_to_groups'] !== false;
     }
 
-    /** Calculate the display name
-     *  @param array $samlAttributes
-     *  @param string $defaultValue
-     *  @return string
+    /**
+     * Calculate the display name
      */
-    protected function getUserDisplayName(array $samlAttributes, string $defaultValue)
+    protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
     {
-        $displayNameAttr = $this->config['display_name_attribute'];
+        $displayNameAttr = $this->config['display_name_attributes'];
 
         $displayName = [];
         foreach ($displayNameAttr as $dnAttr) {
-          $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);
-          if ($dnComponent !== null) {
-            $displayName[] = $dnComponent;
-          }
+            $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);
+            if ($dnComponent !== null) {
+                $displayName[] = $dnComponent;
+            }
         }
 
         if (count($displayName) == 0) {
-          $displayName = $defaultValue;
+            $displayName = $defaultValue;
         } else {
-          $displayName = implode(' ', $displayName);
+            $displayName = implode(' ', $displayName);
         }
 
         return $displayName;
     }
 
-    protected function getUserName(array $samlAttributes, string $defaultValue)
+    /**
+     * Get the value to use as the external id saved in BookStack
+     * used to link the user to an existing BookStack DB user.
+     */
+    protected function getExternalId(array $samlAttributes, string $defaultValue)
     {
-        $userNameAttr = $this->config['user_name_attribute'];
-
+        $userNameAttr = $this->config['external_id_attribute'];
         if ($userNameAttr === null) {
-            $userName = $defaultValue;
-        } else {
-            $userName = $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);
+            return $defaultValue;
         }
 
-        return $userName;
+        return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);
     }
 
     /**
      * Extract the details of a user from a SAML response.
-     * @param $samlID
-     * @param $samlAttributes
-     * @return array
      */
-    public function getUserDetails($samlID, $samlAttributes)
+    protected function getUserDetails(string $samlID, $samlAttributes): array
     {
         $emailAttr = $this->config['email_attribute'];
-        $userName = $this->getUserName($samlAttributes, $samlID);
+        $externalId = $this->getExternalId($samlAttributes, $samlID);
+
+        $defaultEmail = filter_var($samlID, FILTER_VALIDATE_EMAIL) ? $samlID : null;
+        $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, $defaultEmail);
 
         return [
-            'uid'   => $userName,
-            'name'  => $this->getUserDisplayName($samlAttributes, $userName),
-            'dn'    => $samlID,
-            'email' => $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null),
+            'external_id' => $externalId,
+            'name' => $this->getUserDisplayName($samlAttributes, $externalId),
+            'email' => $email,
+            'saml_id' => $samlID,
         ];
     }
 
     /**
      * Get the groups a user is a part of from the SAML response.
-     * @param array $samlAttributes
-     * @return array
      */
-    public function getUserGroups($samlAttributes)
+    public function getUserGroups(array $samlAttributes): array
     {
         $groupsAttr = $this->config['group_attribute'];
-        $userGroups = $samlAttributes[$groupsAttr];
+        $userGroups = $samlAttributes[$groupsAttr] ?? null;
 
         if (!is_array($userGroups)) {
             $userGroups = [];
@@ -118,95 +281,100 @@ class Saml2Service extends Access\ExternalAuthService
     }
 
     /**
-     * Get a property from an SAML response.
-     * Handles properties potentially being an array.
-     * @param array $userDetails
-     * @param string $propertyKey
-     * @param $defaultValue
-     * @return mixed
+     *  For an array of strings, return a default for an empty array,
+     *  a string for an array with one element and the full array for
+     *  more than one element.
      */
-    protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)
+    protected function simplifyValue(array $data, $defaultValue)
     {
-        if (isset($samlAttributes[$propertyKey])) {
-            $data = $samlAttributes[$propertyKey];
-            if (is_array($data)) {
-              if (count($data) == 0) {
+        switch (count($data)) {
+            case 0:
                 $data = $defaultValue;
-              } else if (count($data) == 1) {
+                break;
+            case 1:
                 $data = $data[0];
-              }
-            }
-        } else {
-          $data = $defaultValue;
+                break;
         }
-
         return $data;
     }
 
     /**
-     *  Register a user that is authenticated but not
-     *  already registered.
-     *  @param array $userDetails
-     *  @return User
+     * Get a property from an SAML response.
+     * Handles properties potentially being an array.
      */
-    protected function registerUser($userDetails)
+    protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)
     {
-        // Create an array of the user data to create a new user instance
-        $userData = [
-            'name' => $userDetails['name'],
-            'email' => $userDetails['email'],
-            'password' => str_random(30),
-            'external_auth_id' => $userDetails['uid'],
-            'email_confirmed' => true,
-        ];
+        if (isset($samlAttributes[$propertyKey])) {
+            return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue);
+        }
 
-        $user = $this->user->forceCreate($userData);
-        $this->userRepo->attachDefaultRole($user);
-        $this->userRepo->downloadAndAssignUserAvatar($user);
-        return $user;
+        return $defaultValue;
     }
 
     /**
      * Get the user from the database for the specified details.
-     * @param array $userDetails
-     * @return User|null
+     * @throws UserRegistrationException
      */
-    protected function getOrRegisterUser($userDetails)
+    protected function getOrRegisterUser(array $userDetails): ?User
     {
-        $isRegisterEnabled = config('services.saml.auto_register') === true;
-        $user = $this->user
-          ->where('external_auth_id', $userDetails['uid'])
+        $user = $this->user->newQuery()
+          ->where('external_auth_id', '=', $userDetails['external_id'])
           ->first();
 
-        if ($user === null && $isRegisterEnabled) {
-            $user = $this->registerUser($userDetails);
+        if (is_null($user)) {
+            $userData = [
+                'name' => $userDetails['name'],
+                'email' => $userDetails['email'],
+                'password' => Str::random(32),
+                'external_auth_id' => $userDetails['external_id'],
+            ];
+
+            $user = $this->registrationService->registerUser($userData, null, false);
         }
 
         return $user;
     }
 
     /**
-     *  Process the SAML response for a user. Login the user when
-     *  they exist, optionally registering them automatically.
-     *  @param string $samlID
-     *  @param array $samlAttributes
+     * Process the SAML response for a user. Login the user when
+     * they exist, optionally registering them automatically.
+     * @throws SamlException
+     * @throws JsonDebugException
+     * @throws UserRegistrationException
      */
-    public function processLoginCallback($samlID, $samlAttributes)
+    public function processLoginCallback(string $samlID, array $samlAttributes): User
     {
         $userDetails = $this->getUserDetails($samlID, $samlAttributes);
         $isLoggedIn = auth()->check();
 
+        if ($this->config['dump_user_details']) {
+            throw new JsonDebugException([
+                'id_from_idp' => $samlID,
+                'attrs_from_idp' => $samlAttributes,
+                'attrs_after_parsing' => $userDetails,
+            ]);
+        }
+
+        if ($userDetails['email'] === null) {
+            throw new SamlException(trans('errors.saml_no_email_address'));
+        }
+
         if ($isLoggedIn) {
-            logger()->error("Already logged in");
-        } else {
-            $user = $this->getOrRegisterUser($userDetails);
-            if ($user === null) {
-                logger()->error("User does not exist");
-            } else {
-                auth()->login($user);
-            }
+            throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
+        }
+
+        $user = $this->getOrRegisterUser($userDetails);
+        if ($user === null) {
+            throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
+        }
+
+        if ($this->shouldSyncGroups()) {
+            $groups = $this->getUserGroups($samlAttributes);
+            $this->syncWithGroups($user, $groups);
         }
 
+        auth()->login($user);
+        Activity::add(ActivityType::AUTH_LOGIN, "saml2; {$user->logDescriptor()}");
         return $user;
     }
 }