X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/488325f4593ec0dd88cd8b4cfda3b9a20e9489e4..refs/pull/2902/head:/app/Auth/Access/Saml2Service.php

diff --git a/app/Auth/Access/Saml2Service.php b/app/Auth/Access/Saml2Service.php
index a5ca54c8d..339701d27 100644
--- a/app/Auth/Access/Saml2Service.php
+++ b/app/Auth/Access/Saml2Service.php
@@ -1,13 +1,18 @@
-<?php namespace BookStack\Auth\Access;
+<?php
+
+namespace BookStack\Auth\Access;
 
 use BookStack\Auth\User;
-use BookStack\Auth\UserRepo;
 use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
+use BookStack\Exceptions\StoppedAuthenticationException;
+use BookStack\Exceptions\UserRegistrationException;
+use Exception;
 use Illuminate\Support\Str;
 use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Error;
 use OneLogin\Saml2\IdPMetadataParser;
+use OneLogin\Saml2\ValidationError;
 
 /**
  * Class Saml2Service
@@ -16,43 +21,75 @@ use OneLogin\Saml2\IdPMetadataParser;
 class Saml2Service extends ExternalAuthService
 {
     protected $config;
-    protected $userRepo;
-    protected $user;
-    protected $enabled;
+    protected $registrationService;
+    protected $loginService;
 
     /**
      * Saml2Service constructor.
      */
-    public function __construct(UserRepo $userRepo, User $user)
+    public function __construct(RegistrationService $registrationService, LoginService $loginService)
     {
         $this->config = config('saml2');
-        $this->userRepo = $userRepo;
-        $this->user = $user;
-        $this->enabled = config('saml2.enabled') === true;
+        $this->registrationService = $registrationService;
+        $this->loginService = $loginService;
     }
 
     /**
      * Initiate a login flow.
-     * @throws \OneLogin\Saml2\Error
+     *
+     * @throws Error
      */
     public function login(): array
     {
         $toolKit = $this->getToolkit();
         $returnRoute = url('/http/source.bookstackapp.com/saml2/acs');
+
         return [
             'url' => $toolKit->login($returnRoute, [], false, false, true),
-            'id' => $toolKit->getLastRequestID(),
+            'id'  => $toolKit->getLastRequestID(),
         ];
     }
 
+    /**
+     * Initiate a logout flow.
+     *
+     * @throws Error
+     */
+    public function logout(): array
+    {
+        $toolKit = $this->getToolkit();
+        $returnRoute = url('/');
+
+        try {
+            $email = auth()->user()['email'];
+            $nameIdFormat = env('SAML2_SP_NAME_ID_Format', null);
+            $nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null);
+
+            $url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier);
+            $id = $toolKit->getLastRequestID();
+        } catch (Error $error) {
+            if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
+                throw $error;
+            }
+
+            $this->actionLogout();
+            $url = '/';
+            $id = null;
+        }
+
+        return ['url' => $url, 'id' => $id];
+    }
+
     /**
      * Process the ACS response from the idp and return the
      * matching, or new if registration active, user matched to the idp.
      * Returns null if not authenticated.
+     *
      * @throws Error
      * @throws SamlException
-     * @throws \OneLogin\Saml2\ValidationError
+     * @throws ValidationError
      * @throws JsonDebugException
+     * @throws UserRegistrationException
      */
     public function processAcsResponse(?string $requestId): ?User
     {
@@ -60,13 +97,9 @@ class Saml2Service extends ExternalAuthService
         $toolkit->processResponse($requestId);
         $errors = $toolkit->getErrors();
 
-        if (is_null($requestId)) {
-            throw new SamlException(trans('errors.saml_invalid_response_id'));
-        }
-
         if (!empty($errors)) {
             throw new Error(
-                'Invalid ACS Response: '.implode(', ', $errors)
+                'Invalid ACS Response: ' . implode(', ', $errors)
             );
         }
 
@@ -80,8 +113,43 @@ class Saml2Service extends ExternalAuthService
         return $this->processLoginCallback($id, $attrs);
     }
 
+    /**
+     * Process a response for the single logout service.
+     *
+     * @throws Error
+     */
+    public function processSlsResponse(?string $requestId): ?string
+    {
+        $toolkit = $this->getToolkit();
+        $retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);
+
+        $redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);
+
+        $errors = $toolkit->getErrors();
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid SLS Response: ' . implode(', ', $errors)
+            );
+        }
+
+        $this->actionLogout();
+
+        return $redirect;
+    }
+
+    /**
+     * Do the required actions to log a user out.
+     */
+    protected function actionLogout()
+    {
+        auth()->logout();
+        session()->invalidate();
+    }
+
     /**
      * Get the metadata for this service provider.
+     *
      * @throws Error
      */
     public function metadata(): string
@@ -93,7 +161,7 @@ class Saml2Service extends ExternalAuthService
 
         if (!empty($errors)) {
             throw new Error(
-                'Invalid SP metadata: '.implode(', ', $errors),
+                'Invalid SP metadata: ' . implode(', ', $errors),
                 Error::METADATA_SP_INVALID
             );
         }
@@ -103,8 +171,9 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Load the underlying Onelogin SAML2 toolkit.
-     * @throws \OneLogin\Saml2\Error
-     * @throws \Exception
+     *
+     * @throws Error
+     * @throws Exception
      */
     protected function getToolkit(): Auth
     {
@@ -122,6 +191,7 @@ class Saml2Service extends ExternalAuthService
 
         $spSettings = $this->loadOneloginServiceProviderDetails();
         $settings = array_replace_recursive($settings, $spSettings, $metaDataSettings, $overrides);
+
         return new Auth($settings);
     }
 
@@ -131,18 +201,18 @@ class Saml2Service extends ExternalAuthService
     protected function loadOneloginServiceProviderDetails(): array
     {
         $spDetails = [
-            'entityId' => url('/http/source.bookstackapp.com/saml2/metadata'),
+            'entityId'                 => url('/http/source.bookstackapp.com/saml2/metadata'),
             'assertionConsumerService' => [
                 'url' => url('/http/source.bookstackapp.com/saml2/acs'),
             ],
             'singleLogoutService' => [
-                'url' => url('/http/source.bookstackapp.com/saml2/sls')
+                'url' => url('/http/source.bookstackapp.com/saml2/sls'),
             ],
         ];
 
         return [
             'baseurl' => url('/http/source.bookstackapp.com/saml2'),
-            'sp' => $spDetails
+            'sp'      => $spDetails,
         ];
     }
 
@@ -151,11 +221,11 @@ class Saml2Service extends ExternalAuthService
      */
     protected function shouldSyncGroups(): bool
     {
-        return $this->enabled && $this->config['user_to_groups'] !== false;
+        return $this->config['user_to_groups'] !== false;
     }
 
     /**
-     * Calculate the display name
+     * Calculate the display name.
      */
     protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
     {
@@ -194,23 +264,20 @@ class Saml2Service extends ExternalAuthService
 
     /**
      * Extract the details of a user from a SAML response.
-     * @throws SamlException
      */
-    public function getUserDetails(string $samlID, $samlAttributes): array
+    protected function getUserDetails(string $samlID, $samlAttributes): array
     {
         $emailAttr = $this->config['email_attribute'];
         $externalId = $this->getExternalId($samlAttributes, $samlID);
-        $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);
 
-        if ($email === null) {
-            throw new SamlException(trans('errors.saml_no_email_address'));
-        }
+        $defaultEmail = filter_var($samlID, FILTER_VALIDATE_EMAIL) ? $samlID : null;
+        $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, $defaultEmail);
 
         return [
             'external_id' => $externalId,
-            'name' => $this->getUserDisplayName($samlAttributes, $externalId),
-            'email' => $email,
-            'saml_id' => $samlID,
+            'name'        => $this->getUserDisplayName($samlAttributes, $externalId),
+            'email'       => $email,
+            'saml_id'     => $samlID,
         ];
     }
 
@@ -244,6 +311,7 @@ class Saml2Service extends ExternalAuthService
                 $data = $data[0];
                 break;
         }
+
         return $data;
     }
 
@@ -260,43 +328,26 @@ class Saml2Service extends ExternalAuthService
         return $defaultValue;
     }
 
-    /**
-     *  Register a user that is authenticated but not already registered.
-     */
-    protected function registerUser(array $userDetails): User
-    {
-        // Create an array of the user data to create a new user instance
-        $userData = [
-            'name' => $userDetails['name'],
-            'email' => $userDetails['email'],
-            'password' => Str::random(32),
-            'external_auth_id' => $userDetails['external_id'],
-            'email_confirmed' => true,
-        ];
-
-        $existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();
-        if ($existingUser) {
-            throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));
-        }
-
-        $user = $this->user->forceCreate($userData);
-        $this->userRepo->attachDefaultRole($user);
-        $this->userRepo->downloadAndAssignUserAvatar($user);
-        return $user;
-    }
-
     /**
      * Get the user from the database for the specified details.
+     *
+     * @throws UserRegistrationException
      */
     protected function getOrRegisterUser(array $userDetails): ?User
     {
-        $isRegisterEnabled = $this->config['auto_register'] === true;
-        $user = $this->user
-          ->where('external_auth_id', $userDetails['external_id'])
+        $user = User::query()
+          ->where('external_auth_id', '=', $userDetails['external_id'])
           ->first();
 
-        if ($user === null && $isRegisterEnabled) {
-            $user = $this->registerUser($userDetails);
+        if (is_null($user)) {
+            $userData = [
+                'name'             => $userDetails['name'],
+                'email'            => $userDetails['email'],
+                'password'         => Str::random(32),
+                'external_auth_id' => $userDetails['external_id'],
+            ];
+
+            $user = $this->registrationService->registerUser($userData, null, false);
         }
 
         return $user;
@@ -305,8 +356,11 @@ class Saml2Service extends ExternalAuthService
     /**
      * Process the SAML response for a user. Login the user when
      * they exist, optionally registering them automatically.
+     *
      * @throws SamlException
      * @throws JsonDebugException
+     * @throws UserRegistrationException
+     * @throws StoppedAuthenticationException
      */
     public function processLoginCallback(string $samlID, array $samlAttributes): User
     {
@@ -315,11 +369,16 @@ class Saml2Service extends ExternalAuthService
 
         if ($this->config['dump_user_details']) {
             throw new JsonDebugException([
-                'attrs_from_idp' => $samlAttributes,
+                'id_from_idp'         => $samlID,
+                'attrs_from_idp'      => $samlAttributes,
                 'attrs_after_parsing' => $userDetails,
             ]);
         }
 
+        if ($userDetails['email'] === null) {
+            throw new SamlException(trans('errors.saml_no_email_address'));
+        }
+
         if ($isLoggedIn) {
             throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
         }
@@ -334,7 +393,8 @@ class Saml2Service extends ExternalAuthService
             $this->syncWithGroups($user, $groups);
         }
 
-        auth()->login($user);
+        $this->loginService->login($user, 'saml2');
+
         return $user;
     }
 }