2019-11-17 14:26:43 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace BookStack\Http\Controllers\Auth;
|
|
|
|
|
|
|
|
use BookStack\Auth\Access\Saml2Service;
|
|
|
|
use BookStack\Http\Controllers\Controller;
|
2021-10-20 14:30:45 +02:00
|
|
|
use Illuminate\Http\Request;
|
2021-11-14 22:13:24 +01:00
|
|
|
use Illuminate\Support\Str;
|
2019-11-17 14:26:43 +01:00
|
|
|
|
|
|
|
class Saml2Controller extends Controller
|
|
|
|
{
|
|
|
|
protected $samlService;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Saml2Controller constructor.
|
|
|
|
*/
|
|
|
|
public function __construct(Saml2Service $samlService)
|
|
|
|
{
|
|
|
|
$this->samlService = $samlService;
|
2020-02-02 14:10:21 +01:00
|
|
|
$this->middleware('guard:saml2');
|
2019-11-17 14:26:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Start the login flow via SAML2.
|
|
|
|
*/
|
|
|
|
public function login()
|
|
|
|
{
|
|
|
|
$loginDetails = $this->samlService->login();
|
|
|
|
session()->flash('saml2_request_id', $loginDetails['id']);
|
|
|
|
|
|
|
|
return redirect($loginDetails['url']);
|
|
|
|
}
|
|
|
|
|
2019-11-17 16:40:36 +01:00
|
|
|
/**
|
|
|
|
* Start the logout flow via SAML2.
|
|
|
|
*/
|
|
|
|
public function logout()
|
|
|
|
{
|
2021-10-23 18:26:01 +02:00
|
|
|
$logoutDetails = $this->samlService->logout(auth()->user());
|
2019-11-17 16:40:36 +01:00
|
|
|
|
|
|
|
if ($logoutDetails['id']) {
|
|
|
|
session()->flash('saml2_logout_request_id', $logoutDetails['id']);
|
|
|
|
}
|
|
|
|
|
|
|
|
return redirect($logoutDetails['url']);
|
|
|
|
}
|
|
|
|
|
2019-11-17 14:26:43 +01:00
|
|
|
/*
|
|
|
|
* Get the metadata for this SAML2 service provider.
|
|
|
|
*/
|
|
|
|
public function metadata()
|
|
|
|
{
|
|
|
|
$metaData = $this->samlService->metadata();
|
2021-06-26 17:23:15 +02:00
|
|
|
|
2019-11-17 14:26:43 +01:00
|
|
|
return response()->make($metaData, 200, [
|
2021-06-26 17:23:15 +02:00
|
|
|
'Content-Type' => 'text/xml',
|
2019-11-17 14:26:43 +01:00
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Single logout service.
|
|
|
|
* Handle logout requests and responses.
|
|
|
|
*/
|
|
|
|
public function sls()
|
|
|
|
{
|
2019-11-17 16:40:36 +01:00
|
|
|
$requestId = session()->pull('saml2_logout_request_id', null);
|
|
|
|
$redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
|
2021-06-26 17:23:15 +02:00
|
|
|
|
2019-11-17 16:40:36 +01:00
|
|
|
return redirect($redirect);
|
2019-11-17 14:26:43 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2021-10-20 14:30:45 +02:00
|
|
|
* Assertion Consumer Service start URL. Takes the SAMLResponse from the IDP.
|
|
|
|
* Due to being an external POST request, we likely won't have context of the
|
|
|
|
* current user session due to lax cookies. To work around this we store the
|
|
|
|
* SAMLResponse data and redirect to the processAcs endpoint for the actual
|
|
|
|
* processing of the request with proper context of the user session.
|
2019-11-17 14:26:43 +01:00
|
|
|
*/
|
2021-10-20 14:30:45 +02:00
|
|
|
public function startAcs(Request $request)
|
2019-11-17 14:26:43 +01:00
|
|
|
{
|
2021-10-20 14:30:45 +02:00
|
|
|
$samlResponse = $request->get('SAMLResponse', null);
|
|
|
|
|
|
|
|
if (empty($samlResponse)) {
|
|
|
|
$this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
|
2021-10-20 14:40:27 +02:00
|
|
|
|
2021-10-20 14:30:45 +02:00
|
|
|
return redirect('/login');
|
|
|
|
}
|
|
|
|
|
|
|
|
$acsId = Str::random(16);
|
|
|
|
$cacheKey = 'saml2_acs:' . $acsId;
|
|
|
|
cache()->set($cacheKey, encrypt($samlResponse), 10);
|
|
|
|
|
|
|
|
return redirect()->guest('/saml2/acs?id=' . $acsId);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Assertion Consumer Service process endpoint.
|
|
|
|
* Processes the SAML response from the IDP with context of the current session.
|
|
|
|
* Takes the SAML request from the cache, added by the startAcs method above.
|
|
|
|
*/
|
|
|
|
public function processAcs(Request $request)
|
|
|
|
{
|
|
|
|
$acsId = $request->get('id', null);
|
|
|
|
$cacheKey = 'saml2_acs:' . $acsId;
|
|
|
|
$samlResponse = null;
|
2021-10-20 14:40:27 +02:00
|
|
|
|
2021-10-20 14:30:45 +02:00
|
|
|
try {
|
|
|
|
$samlResponse = decrypt(cache()->pull($cacheKey));
|
2021-10-20 14:40:27 +02:00
|
|
|
} catch (\Exception $exception) {
|
|
|
|
}
|
2021-11-14 22:13:24 +01:00
|
|
|
$requestId = session()->pull('saml2_request_id', null);
|
2021-10-20 14:30:45 +02:00
|
|
|
|
|
|
|
if (empty($acsId) || empty($samlResponse)) {
|
2019-11-17 14:26:43 +01:00
|
|
|
$this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
|
2021-10-20 14:40:27 +02:00
|
|
|
|
2021-10-20 14:30:45 +02:00
|
|
|
return redirect('/login');
|
|
|
|
}
|
2021-06-26 17:23:15 +02:00
|
|
|
|
2021-10-20 14:30:45 +02:00
|
|
|
$user = $this->samlService->processAcsResponse($requestId, $samlResponse);
|
|
|
|
if (is_null($user)) {
|
|
|
|
$this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
|
2021-10-20 14:40:27 +02:00
|
|
|
|
2019-11-17 14:26:43 +01:00
|
|
|
return redirect('/login');
|
|
|
|
}
|
|
|
|
|
|
|
|
return redirect()->intended();
|
|
|
|
}
|
|
|
|
}
|