- Aligned and formatted config options.
- Provided way to override onelogin lib options if required.
- Added endpoints in core bookstack routes.
- Provided way to debug details provided by idp and formatted by
bookstack.
- Started on test work
- Handled case of email address already in use.
use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
+use BookStack\Exceptions\JsonDebugException;
use BookStack\Exceptions\SamlException;
use Illuminate\Support\Str;
+use OneLogin\Saml2\Auth;
+use OneLogin\Saml2\Error;
/**
* Class Saml2Service
*/
public function __construct(UserRepo $userRepo, User $user)
{
- $this->config = config('services.saml');
+ $this->config = config('saml2');
$this->userRepo = $userRepo;
$this->user = $user;
- $this->enabled = config('saml2_settings.enabled') === true;
+ $this->enabled = config('saml2.enabled') === true;
+ }
+
+ /**
+ * Initiate a login flow.
+ * @throws \OneLogin\Saml2\Error
+ */
+ public function login(): array
+ {
+ $toolKit = $this->getToolkit();
+ $returnRoute = url('/saml2/acs');
+ return [
+ 'url' => $toolKit->login($returnRoute, [], false, false, true),
+ 'id' => $toolKit->getLastRequestID(),
+ ];
+ }
+
+ /**
+ * Process the ACS response from the idp and return the
+ * matching, or new if registration active, user matched to the idp.
+ * Returns null if not authenticated.
+ * @throws Error
+ * @throws SamlException
+ * @throws \OneLogin\Saml2\ValidationError
+ * @throws JsonDebugException
+ */
+ public function processAcsResponse(?string $requestId): ?User
+ {
+ $toolkit = $this->getToolkit();
+ $toolkit->processResponse($requestId);
+ $errors = $toolkit->getErrors();
+
+ if (is_null($requestId)) {
+ throw new SamlException(trans('errors.saml_invalid_response_id'));
+ }
+
+ if (!empty($errors)) {
+ throw new Error(
+ 'Invalid ACS Response: '.implode(', ', $errors)
+ );
+ }
+
+ if (!$toolkit->isAuthenticated()) {
+ return null;
+ }
+
+ $attrs = $toolkit->getAttributes();
+ $id = $toolkit->getNameId();
+
+ return $this->processLoginCallback($id, $attrs);
+ }
+
+ /**
+ * Get the metadata for this service provider.
+ * @throws Error
+ */
+ public function metadata(): string
+ {
+ $toolKit = $this->getToolkit();
+ $settings = $toolKit->getSettings();
+ $metadata = $settings->getSPMetadata();
+ $errors = $settings->validateMetadata($metadata);
+
+ if (!empty($errors)) {
+ throw new Error(
+ 'Invalid SP metadata: '.implode(', ', $errors),
+ Error::METADATA_SP_INVALID
+ );
+ }
+
+ return $metadata;
+ }
+
+ /**
+ * Load the underlying Onelogin SAML2 toolkit.
+ * @throws \OneLogin\Saml2\Error
+ */
+ protected function getToolkit(): Auth
+ {
+ $settings = $this->config['onelogin'];
+ $overrides = $this->config['onelogin_overrides'] ?? [];
+
+ if ($overrides && is_string($overrides)) {
+ $overrides = json_decode($overrides, true);
+ }
+
+ $spSettings = $this->loadOneloginServiceProviderDetails();
+ $settings = array_replace_recursive($settings, $spSettings, $overrides);
+ return new Auth($settings);
+ }
+
+ /**
+ * Load dynamic service provider options required by the onelogin toolkit.
+ */
+ protected function loadOneloginServiceProviderDetails(): array
+ {
+ $spDetails = [
+ 'entityId' => url('/saml2/metadata'),
+ 'assertionConsumerService' => [
+ 'url' => url('/saml2/acs'),
+ ],
+ 'singleLogoutService' => [
+ 'url' => url('/saml2/sls')
+ ],
+ ];
+
+ return [
+ 'baseurl' => url('/saml2'),
+ 'sp' => $spDetails
+ ];
}
/**
'email_confirmed' => true,
];
- // TODO - Handle duplicate email address scenario
+ $existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();
+ if ($existingUser) {
+ throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));
+ }
+
$user = $this->user->forceCreate($userData);
$this->userRepo->attachDefaultRole($user);
$this->userRepo->downloadAndAssignUserAvatar($user);
*/
protected function getOrRegisterUser(array $userDetails): ?User
{
- $isRegisterEnabled = config('services.saml.auto_register') === true;
+ $isRegisterEnabled = $this->config['auto_register'] === true;
$user = $this->user
->where('external_auth_id', $userDetails['external_id'])
->first();
* Process the SAML response for a user. Login the user when
* they exist, optionally registering them automatically.
* @throws SamlException
+ * @throws JsonDebugException
*/
public function processLoginCallback(string $samlID, array $samlAttributes): User
{
$userDetails = $this->getUserDetails($samlID, $samlAttributes);
$isLoggedIn = auth()->check();
+ if ($this->config['dump_user_details']) {
+ throw new JsonDebugException([
+ 'attrs_from_idp' => $samlAttributes,
+ 'attrs_after_parsing' => $userDetails,
+ ]);
+ }
+
if ($isLoggedIn) {
throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
}
Intervention\Image\ImageServiceProvider::class,
Barryvdh\DomPDF\ServiceProvider::class,
Barryvdh\Snappy\ServiceProvider::class,
- Aacotroneo\Saml2\Saml2ServiceProvider::class,
// BookStack replacement service providers (Extends Laravel)
BookStack\Providers\PaginationServiceProvider::class,
--- /dev/null
+<?php
+
+return [
+
+ // Display name, shown to users, for SAML2 option
+ 'name' => env('SAML2_NAME', 'SSO'),
+ // Toggle whether the SAML2 option is active
+ 'enabled' => env('SAML2_ENABLED', false),
+ // Enable registration via SAML2 authentication
+ 'auto_register' => env('SAML2_AUTO_REGISTER', true),
+
+ // Dump user details after a login request for debugging purposes
+ 'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),
+
+ // Attribute, within a SAML response, to find the user's email address
+ 'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),
+ // Attribute, within a SAML response, to find the user's display name
+ 'display_name_attributes' => explode('|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),
+ // Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.
+ 'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),
+
+ // Group sync options
+ // Enable syncing, upon login, of SAML2 groups to BookStack groups
+ 'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),
+ // Attribute, within a SAML response, to find group names on
+ 'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),
+ // When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
+ 'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),
+
+ // Overrides, in JSON format, to the configuration passed to underlying onelogin library.
+ 'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),
+
+
+ 'onelogin' => [
+ // If 'strict' is True, then the PHP Toolkit will reject unsigned
+ // or unencrypted messages if it expects them signed or encrypted
+ // Also will reject the messages if not strictly follow the SAML
+ // standard: Destination, NameId, Conditions ... are validated too.
+ 'strict' => true,
+
+ // Enable debug mode (to print errors)
+ 'debug' => env('APP_DEBUG', false),
+
+ // Set a BaseURL to be used instead of try to guess
+ // the BaseURL of the view that process the SAML Message.
+ // Ex. http://sp.example.com/
+ // http://example.com/sp/
+ 'baseurl' => null,
+
+ // Service Provider Data that we are deploying
+ 'sp' => [
+ // Identifier of the SP entity (must be a URI)
+ 'entityId' => '',
+
+ // Specifies info about where and how the <AuthnResponse> message MUST be
+ // returned to the requester, in this case our SP.
+ 'assertionConsumerService' => [
+ // URL Location where the <Response> from the IdP will be returned
+ 'url' => '',
+ // SAML protocol binding to be used when returning the <Response>
+ // message. Onelogin Toolkit supports for this endpoint the
+ // HTTP-POST binding only
+ 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+ ],
+
+ // Specifies info about where and how the <Logout Response> message MUST be
+ // returned to the requester, in this case our SP.
+ 'singleLogoutService' => [
+ // URL Location where the <Response> from the IdP will be returned
+ 'url' => '',
+ // SAML protocol binding to be used when returning the <Response>
+ // message. Onelogin Toolkit supports for this endpoint the
+ // HTTP-Redirect binding only
+ 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ ],
+
+ // Specifies constraints on the name identifier to be used to
+ // represent the requested subject.
+ // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
+ 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+ // Usually x509cert and privateKey of the SP are provided by files placed at
+ // the certs folder. But we can also provide them with the following parameters
+ 'x509cert' => '',
+ 'privateKey' => '',
+ ],
+ // Identity Provider Data that we want connect with our SP
+ 'idp' => [
+ // Identifier of the IdP entity (must be a URI)
+ 'entityId' => env('SAML2_IDP_ENTITYID', null),
+ // SSO endpoint info of the IdP. (Authentication Request protocol)
+ 'singleSignOnService' => [
+ // URL Target of the IdP where the SP will send the Authentication Request Message
+ 'url' => env('SAML2_IDP_SSO', null),
+ // SAML protocol binding to be used when returning the <Response>
+ // message. Onelogin Toolkit supports for this endpoint the
+ // HTTP-Redirect binding only
+ 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ ],
+ // SLO endpoint info of the IdP.
+ 'singleLogoutService' => [
+ // URL Location of the IdP where the SP will send the SLO Request
+ 'url' => env('SAML2_IDP_SLO', null),
+ // URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
+ // if not set, url for the SLO Request will be used
+ 'responseUrl' => '',
+ // SAML protocol binding to be used when returning the <Response>
+ // message. Onelogin Toolkit supports for this endpoint the
+ // HTTP-Redirect binding only
+ 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+ ],
+ // Public x509 certificate of the IdP
+ 'x509cert' => env('SAML2_IDP_x509', null),
+ /*
+ * Instead of use the whole x509cert you can use a fingerprint in
+ * order to validate the SAMLResponse, but we don't recommend to use
+ * that method on production since is exploitable by a collision
+ * attack.
+ * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
+ * or add for example the -sha256 , -sha384 or -sha512 parameter)
+ *
+ * If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
+ * let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
+ * 'sha1' is the default value.
+ */
+ // 'certFingerprint' => '',
+ // 'certFingerprintAlgorithm' => 'sha1',
+ /* In some scenarios the IdP uses different certificates for
+ * signing/encryption, or is under key rollover phase and more
+ * than one certificate is published on IdP metadata.
+ * In order to handle that the toolkit offers that parameter.
+ * (when used, 'x509cert' and 'certFingerprint' values are
+ * ignored).
+ */
+ // 'x509certMulti' => array(
+ // 'signing' => array(
+ // 0 => '<cert1-string>',
+ // ),
+ // 'encryption' => array(
+ // 0 => '<cert2-string>',
+ // )
+ // ),
+ ],
+ ],
+
+];
+++ /dev/null
-<?php
-
-//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
-$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');
-
-return $settings = array(
-
- /**
- * Whether the SAML login is enabled
- */
- 'enabled' => env("SAML2_ENABLED", false),
-
- /**
- * If 'useRoutes' is set to true, the package defines five new routes:
- *
- * Method | URI | Name
- * -------|--------------------------|------------------
- * POST | {routesPrefix}/acs | saml_acs
- * GET | {routesPrefix}/login | saml_login
- * GET | {routesPrefix}/logout | saml_logout
- * GET | {routesPrefix}/metadata | saml_metadata
- * GET | {routesPrefix}/sls | saml_sls
- */
- 'useRoutes' => true,
-
- 'routesPrefix' => '/saml2',
-
- /**
- * which middleware group to use for the saml routes
- * Laravel 5.2 will need a group which includes StartSession
- */
- 'routesMiddleware' => ['saml'],
-
- /**
- * Indicates how the parameters will be
- * retrieved from the sls request for signature validation
- */
- 'retrieveParametersFromServer' => false,
-
- /**
- * Where to redirect after logout
- */
- 'logoutRoute' => '/',
-
- /**
- * Where to redirect after login if no other option was provided
- */
- 'loginRoute' => '/',
-
-
- /**
- * Where to redirect after login if no other option was provided
- */
- 'errorRoute' => '/',
-
-
-
-
- /*****
- * One Login Settings
- */
-
-
-
- // If 'strict' is True, then the PHP Toolkit will reject unsigned
- // or unencrypted messages if it expects them signed or encrypted
- // Also will reject the messages if not strictly follow the SAML
- // standard: Destination, NameId, Conditions ... are validated too.
- 'strict' => true, //@todo: make this depend on laravel config
-
- // Enable debug mode (to print errors)
- 'debug' => env('APP_DEBUG', false),
-
- // If 'proxyVars' is True, then the Saml lib will trust proxy headers
- // e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
- // your application is running behind a load balancer which terminates
- // SSL.
- 'proxyVars' => false,
-
- // Service Provider Data that we are deploying
- 'sp' => array(
-
- // Specifies constraints on the name identifier to be used to
- // represent the requested subject.
- // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
- 'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
-
- // Usually x509cert and privateKey of the SP are provided by files placed at
- // the certs folder. But we can also provide them with the following parameters
- 'x509cert' => env('SAML2_SP_x509',''),
- 'privateKey' => env('SAML2_SP_PRIVATEKEY',''),
-
- // Identifier (URI) of the SP entity.
- // Leave blank to use the 'saml_metadata' route.
- 'entityId' => env('SAML2_SP_ENTITYID',''),
-
- // Specifies info about where and how the <AuthnResponse> message MUST be
- // returned to the requester, in this case our SP.
- 'assertionConsumerService' => array(
- // URL Location where the <Response> from the IdP will be returned,
- // using HTTP-POST binding.
- // Leave blank to use the 'saml_acs' route
- 'url' => '',
-
- 'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
- ),
- // Specifies info about where and how the <Logout Response> message MUST be
- // returned to the requester, in this case our SP.
- // Remove this part to not include any URL Location in the metadata.
- 'singleLogoutService' => array(
- // URL Location where the <Response> from the IdP will be returned,
- // using HTTP-Redirect binding.
- // Leave blank to use the 'saml_sls' route
- 'url' => '',
- ),
- ),
-
- // Identity Provider Data that we want connect with our SP
- 'idp' => array(
- // Identifier of the IdP entity (must be a URI)
- 'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
- // SSO endpoint info of the IdP. (Authentication Request protocol)
- 'singleSignOnService' => array(
- // URL Target of the IdP where the SP will send the Authentication Request Message,
- // using HTTP-Redirect binding.
- 'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),
- ),
- // SLO endpoint info of the IdP.
- 'singleLogoutService' => array(
- // URL Location of the IdP where the SP will send the SLO Request,
- // using HTTP-Redirect binding.
- 'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),
- ),
- // Public x509 certificate of the IdP
- 'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
- /*
- * Instead of use the whole x509cert you can use a fingerprint
- * (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
- */
- // 'certFingerprint' => '',
- ),
-
- /***
- * OneLogin compression settings
- *
- */
- 'compress' => array(
- /** Whether requests should be GZ encoded */
- 'requests' => true,
- /** Whether responses should be GZ compressed */
- 'responses' => true,
- ),
-
- /***
- *
- * OneLogin advanced settings
- *
- *
- */
- // Security settings
- 'security' => array(
-
- /** signatures and encryptions offered */
-
- // Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
- // will be encrypted.
- 'nameIdEncrypted' => false,
-
- // Indicates whether the <samlp:AuthnRequest> messages sent by this SP
- // will be signed. [The Metadata of the SP will offer this info]
- 'authnRequestsSigned' => false,
-
- // Indicates whether the <samlp:logoutRequest> messages sent by this SP
- // will be signed.
- 'logoutRequestSigned' => false,
-
- // Indicates whether the <samlp:logoutResponse> messages sent by this SP
- // will be signed.
- 'logoutResponseSigned' => false,
-
- /* Sign the Metadata
- False || True (use sp certs) || array (
- keyFileName => 'metadata.key',
- certFileName => 'metadata.crt'
- )
- */
- 'signMetadata' => false,
-
-
- /** signatures and encryptions required **/
-
- // Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
- // <samlp:LogoutResponse> elements received by this SP to be signed.
- 'wantMessagesSigned' => false,
-
- // Indicates a requirement for the <saml:Assertion> elements received by
- // this SP to be signed. [The Metadata of the SP will offer this info]
- 'wantAssertionsSigned' => false,
-
- // Indicates a requirement for the NameID received by
- // this SP to be encrypted.
- 'wantNameIdEncrypted' => false,
-
- // Authentication context.
- // Set to false and no AuthContext will be sent in the AuthNRequest,
- // Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
- // Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
- 'requestedAuthnContext' => true,
- ),
-
- // Contact information template, it is recommended to suply a technical and support contacts
- 'contactPerson' => array(
- 'technical' => array(
- 'givenName' => 'name',
- ),
- 'support' => array(
- 'givenName' => 'Support',
- ),
- ),
-
- // Organization information template, the info in en_US lang is recomended, add more if required
- 'organization' => array(
- 'en-US' => array(
- 'name' => 'Name',
- 'displayname' => 'Display Name',
- 'url' => 'http://url'
- ),
- ),
-
-/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
-
- 'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
- // MUST NOT assume that the IdP validates the sign
- 'wantAssertionsSigned' => true,
- 'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
- 'wantNameIdEncrypted' => false,
-*/
-
-);
'tls_insecure' => env('LDAP_TLS_INSECURE', false),
],
- 'saml' => [
- 'name' => env('SAML_NAME', 'SSO'),
- 'enabled' => env('SAML2_ENABLED', false),
- 'auto_register' => env('SAML_AUTO_REGISTER', false),
- 'email_attribute' => env('SAML_EMAIL_ATTRIBUTE', 'email'),
- 'display_name_attributes' => explode('|', env('SAML_DISPLAY_NAME_ATTRIBUTES', 'username')),
- 'external_id_attribute' => env('SAML_EXTERNAL_ID_ATTRIBUTE', null),
- 'group_attribute' => env('SAML_GROUP_ATTRIBUTE', 'group'),
- 'remove_from_groups' => env('SAML_REMOVE_FROM_GROUPS', false),
- 'user_to_groups' => env('SAML_USER_TO_GROUPS', false),
- ]
-
];
--- /dev/null
+<?php namespace BookStack\Exceptions;
+
+use Exception;
+
+class JsonDebugException extends Exception
+{
+
+ protected $data;
+
+ /**
+ * JsonDebugException constructor.
+ */
+ public function __construct($data)
+ {
+ $this->data = $data;
+ }
+
+ /**
+ * Covert this exception into a response.
+ */
+ public function render()
+ {
+ return response()->json($this->data);
+ }
+}
\ No newline at end of file
{
$socialDrivers = $this->socialAuthService->getActiveDrivers();
$authMethod = config('auth.method');
- $samlEnabled = config('services.saml.enabled') == true;
+ $samlEnabled = config('saml2.enabled') === true;
if ($request->has('email')) {
session()->flashInput([
--- /dev/null
+<?php
+
+namespace BookStack\Http\Controllers\Auth;
+
+use BookStack\Auth\Access\Saml2Service;
+use BookStack\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+
+class Saml2Controller extends Controller
+{
+
+ protected $samlService;
+
+ /**
+ * Saml2Controller constructor.
+ */
+ public function __construct(Saml2Service $samlService)
+ {
+ parent::__construct();
+ $this->samlService = $samlService;
+ }
+
+ /**
+ * Start the login flow via SAML2.
+ */
+ public function login()
+ {
+ $loginDetails = $this->samlService->login();
+ session()->flash('saml2_request_id', $loginDetails['id']);
+
+ return redirect($loginDetails['url']);
+ }
+
+ /*
+ * Get the metadata for this SAML2 service provider.
+ */
+ public function metadata()
+ {
+ $metaData = $this->samlService->metadata();
+ return response()->make($metaData, 200, [
+ 'Content-Type' => 'text/xml'
+ ]);
+ }
+
+ /**
+ * Single logout service.
+ * Handle logout requests and responses.
+ */
+ public function sls()
+ {
+ // TODO
+ }
+
+ /**
+ * Assertion Consumer Service.
+ * Processes the SAML response from the IDP.
+ */
+ public function acs()
+ {
+ $requestId = session()->pull('saml2_request_id', null);
+
+ $user = $this->samlService->processAcsResponse($requestId);
+ if ($user === null) {
+ $this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
+ return redirect('/login');
+ }
+
+ return redirect()->intended();
+ }
+
+}
'throttle:60,1',
'bindings',
],
- 'saml' => [
- \BookStack\Http\Middleware\EncryptCookies::class,
- \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
- \Illuminate\Session\Middleware\StartSession::class,
- ],
];
/**
* @var array
*/
protected $except = [
- //
+ 'saml2/*'
];
}
+++ /dev/null
-<?php namespace BookStack\Listeners;
-
-use BookStack\Auth\Access\Saml2Service;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Aacotroneo\Saml2\Events\Saml2LoginEvent;
-use Illuminate\Support\Facades\Log;
-
-class Saml2LoginEventListener
-{
- protected $saml;
-
- /**
- * Create the event listener.
- *
- * @return void
- */
- public function __construct(Saml2Service $saml)
- {
- $this->saml = $saml;
- }
-
- /**
- * Handle the event.
- *
- * @param Saml2LoginEvent $event
- * @return void
- */
- public function handle(Saml2LoginEvent $event)
- {
- $messageId = $event->getSaml2Auth()->getLastMessageId();
- // TODO: Add your own code preventing reuse of a $messageId to stop replay attacks
-
- $samlUser = $event->getSaml2User();
-
- $attrs = $samlUser->getAttributes();
- $id = $samlUser->getUserId();
- //$assertion = $user->getRawSamlAssertion()
-
- $user = $this->saml->processLoginCallback($id, $attrs);
- }
-}
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;
use SocialiteProviders\Manager\SocialiteWasCalled;
-use Aacotroneo\Saml2\Events\Saml2LoginEvent;
class EventServiceProvider extends ServiceProvider
{
'SocialiteProviders\Twitch\TwitchExtendSocialite@handle',
'SocialiteProviders\Discord\DiscordExtendSocialite@handle',
],
- Saml2LoginEvent::class => [
- 'BookStack\Listeners\Saml2LoginEventListener@handle',
- ]
];
/**
"laravel/framework": "^6.0",
"laravel/socialite": "^4.2",
"league/flysystem-aws-s3-v3": "^1.0",
+ "onelogin/php-saml": "^3.3",
"predis/predis": "^1.1",
"socialiteproviders/discord": "^2.0",
"socialiteproviders/gitlab": "^3.0",
"socialiteproviders/microsoft-azure": "^3.0",
"socialiteproviders/okta": "^1.0",
"socialiteproviders/slack": "^3.0",
- "socialiteproviders/twitch": "^5.0",
- "aacotroneo/laravel-saml2": "^1.0"
+ "socialiteproviders/twitch": "^5.0"
},
"require-dev": {
"barryvdh/laravel-debugbar": "^3.2.8",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
- "content-hash": "42d7a337f6d603ab247b525ade5c3cee",
+ "content-hash": "140c7a04a20cef6d7ed8c1fc48257e66",
"packages": [
- {
- "name": "aacotroneo/laravel-saml2",
- "version": "1.0.0",
- "source": {
- "type": "git",
- "url": "https://github.com/aacotroneo/laravel-saml2.git",
- "reference": "5045701a07bcd7600a17c92971368669870f546a"
- },
- "dist": {
- "type": "zip",
- "url": "https://api.github.com/repos/aacotroneo/laravel-saml2/zipball/5045701a07bcd7600a17c92971368669870f546a",
- "reference": "5045701a07bcd7600a17c92971368669870f546a",
- "shasum": ""
- },
- "require": {
- "ext-openssl": "*",
- "illuminate/support": ">=5.0.0",
- "onelogin/php-saml": "^3.0.0",
- "php": ">=5.4.0"
- },
- "require-dev": {
- "mockery/mockery": "0.9.*"
- },
- "type": "library",
- "extra": {
- "laravel": {
- "providers": [
- "Aacotroneo\\Saml2\\Saml2ServiceProvider"
- ],
- "aliases": {
- "Saml2": "Aacotroneo\\Saml2\\Facades\\Saml2Auth"
- }
- }
- },
- "autoload": {
- "psr-0": {
- "Aacotroneo\\Saml2\\": "src/"
- }
- },
- "notification-url": "https://packagist.org/downloads/",
- "license": [
- "MIT"
- ],
- "authors": [
- {
- "name": "aacotroneo",
- }
- ],
- "description": "A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
- "homepage": "https://github.com/aacotroneo/laravel-saml2",
- "keywords": [
- "SAML2",
- "laravel",
- "onelogin",
- "saml"
- ],
- "time": "2018-11-08T14:03:58+00:00"
- },
{
"name": "aws/aws-sdk-php",
"version": "3.117.2",
<server name="GOOGLE_SELECT_ACCOUNT" value=""/>
<server name="APP_URL" value="http://bookstack.dev"/>
<server name="DEBUGBAR_ENABLED" value="false"/>
+ <server name="SAML2_ENABLED" value="false"/>
</php>
</phpunit>
'saml_already_logged_in' => 'Already logged in',
'saml_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
+ 'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
+ 'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
+ 'saml_email_exists' => 'Registration unsuccessful since a user already exists with email address ":email"',
'social_no_action_defined' => 'No action defined',
'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',
@endif
@if($samlEnabled)
- <hr class="my-l">
- <div>
- <a id="saml-login" class="button outline block svg" href="{{ url("/saml2/login") }}">
+ <hr class="my-l">
+
<a id="saml-login" class="button outline block svg" href="{{ url("/saml2/login") }}">
{{-- @icon('auth/github') --}}
- {{ trans('auth.log_in_with', ['socialDriver' => config('services.saml.name')]) }}
- </a>
- </div>
+ {{ trans('auth.log_in_with', ['socialDriver' => config('saml2.name')]) }}
+ </a>
+ </div>
@endif
@if(setting('registration-enabled', false))
@include('form.text', ['name' => 'description'])
</div>
- @if(config('auth.method') === 'ldap' || config('services.saml.enabled') === true)
+ @if(config('auth.method') === 'ldap' || config('saml2.enabled') === true)
<div class="form-group">
<label for="name">{{ trans('settings.role_external_auth_id') }}</label>
@include('form.text', ['name' => 'external_auth_id'])
</div>
</div>
-@if(($authMethod === 'ldap' || config('services.saml.enabled') === true) && userCan('users-manage'))
+@if(($authMethod === 'ldap' || config('saml2.enabled') === true) && userCan('users-manage'))
<div class="grid half gap-xl v-center">
<div>
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>
Route::get('/register/confirm/{token}', 'Auth\ConfirmEmailController@confirm');
Route::post('/register', 'Auth\RegisterController@postRegister');
+// SAML routes
+// TODO - Prevent access without SAML2 enabled via middleware
+Route::get('/saml2/login', 'Auth\Saml2Controller@login');
+// TODO - Handle logout?
+// Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
+Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
+Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
+Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
+
// User invitation routes
Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
Route::post('/register/invite/{token}', 'Auth\UserInviteController@setPassword');
--- /dev/null
+<?php namespace Tests;
+
+
+class Saml2 extends TestCase
+{
+
+ public function setUp(): void
+ {
+ parent::setUp();
+ // Set default config for SAML2
+ config()->set([
+ 'saml2.name' => 'SingleSignOn',
+ 'saml2.enabled' => true,
+ 'saml2.auto_register' => true,
+ 'saml2.email_attribute' => 'email',
+ 'saml2.display_name_attributes' => 'username',
+ 'saml2.external_id_attribute' => 'external_id',
+ 'saml2.user_to_groups' => false,
+ 'saml2.group_attribute' => 'group',
+ 'saml2.remove_from_groups' => false,
+ 'saml2.onelogin_overrides' => null,
+ 'saml2.onelogin.idp.entityId' => 'https://example.com/saml2/idp/metadata',
+ 'saml2.onelogin.idp.singleSignOnService.url' => 'https://example.com/saml2/idp/sso',
+ 'saml2.onelogin.idp.singleLogoutService.url' => 'https://example.com/saml2/idp/sls',
+ 'saml2.onelogin.idp.x509cert' => 'MIIEazCCAtOgAwIBAgIUe7a088Cnr4izmrnBEnx5q3HTMvYwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMTYxMjE3MTVaFw0yOTExMTUxMjE3MTVaMEUxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDzLe9FfdyplTxHp4SuQ9gQtZT3t+SDfvEL72ppCfFZw7+B5s5B/T73aXpoQ3S53pGI1RIWCge2iCUQ2tzm27aSNH0iu9aJYcUQZ/RITqd0ayyDks1NA2PT3TW6t3m7KV5re4P0Nb+YDeuyHdkz+jcMtpn8CmBoT0H+skha0hiqINkjkRPiHvLHVGp+tHUEA/I6mN4aB/UExSTLs79NsLUfteqqxe9+tvdUaToyDPrhPFjONs+9NKCkzIC6vcv7J6AtuKG6nET+zB9yOWgtGYQifXqQA2y5dL81BB0q5uMaBLS2pq3aPPjzU2F3+EysjySWTnCkfk7C5SsCXRu8Q+U95tunpNfwf5olE6Was48NMM+PwV7iCNMPkNzllq6PCiM+P8DrMSczzUZZQUSv6dSwPCo+YSVimEM0Og3XJTiNhQ5ANlaIn66Kw5gfoBfuiXmyIKiSDyAiDYmFaf4395wWwLkTR+cw8WfjaHswKZTomn1MR3OJsY2UJ0eRBYM+YSsCAwEAAaNTMFEwHQYDVR0OBBYEFImp2CYCGfcb7w91H/cShTCkXwR/MB8GA1UdIwQYMBaAFImp2CYCGfcb7w91H/cShTCkXwR/MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBAA+g/C7uL9ln+W+qBknLW81kojYflgPK1I1MHIwnMvl/ZTHX4dRXKDrk7KcUq1KjqajNV66f1cakp03IijBiO0Xi1gXUZYLoCiNGUyyp9XloiIy9Xw2PiWnrw0+yZyvVssbehXXYJl4RihBjBWul9R4wMYLOUSJDe2WxcUBhJnxyNRs+P0xLSQX6B2n6nxoDko4p07s8ZKXQkeiZ2iwFdTxzRkGjthMUv704nzsVGBT0DCPtfSaO5KJZW1rCs3yiMthnBxq4qEDOQJFIl+/LD71KbB9vZcW5JuavzBFmkKGNro/6G1I7el46IR4wijTyNFCYUuD9dtignNmpWtN8OW+ptiL/jtTySWukjys0s+vLn83CVvjB0dJtVAIYOgXFdIuii66gczwwM/LGiOExJn0dTNzsJ/IYhpxL4FBEuP0pskY0o0aUlJ2LS2j+wSQTRKsBgMjyrUrekle2ODStStn3eabjIx0/FHlpFr0jNIm/oMP7kwjtUX4zaNe47QI4Gg==',
+ ]);
+ }
+
+ public function test_metadata_endpoint_displays_xml_as_expected()
+ {
+ $req = $this->get('/saml2/metadata');
+ $req->assertHeader('Content-Type', 'text/xml; charset=UTF-8');
+ $req->assertSee('md:EntityDescriptor');
+ $req->assertSee(url('/saml2/acs'));
+ }
+
+ public function test_onelogin_overrides_functions_as_expected()
+ {
+ $json = '{"sp": {"assertionConsumerService": {"url": "https://example.com/super-cats"}}, "contactPerson": {"technical": {"givenName": "Barry Scott", "emailAddress": "
[email protected]"}}}';
+ config()->set(['saml2.onelogin_overrides' => $json]);
+
+ $req = $this->get('/saml2/metadata');
+ $req->assertSee('https://example.com/super-cats');
+ $req->assertSee('md:ContactPerson');
+ $req->assertSee('<md:GivenName>Barry Scott</md:GivenName>');
+ }
+}
projects / bookstack / commitdiff