Started using OneLogin SAML lib directly

- Aligned and formatted config options.
- Provided way to override onelogin lib options if required.
- Added endpoints in core bookstack routes.
- Provided way to debug details provided by idp and formatted by
bookstack.
- Started on test work
- Handled case of email address already in use.
This commit is contained in:
Dan Brown 2019-11-17 13:26:43 +00:00
parent 9bba84684f
commit 3a17ba2cb9
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
21 changed files with 442 additions and 381 deletions

View file

@ -2,8 +2,11 @@
use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\JsonDebugException;
use BookStack\Exceptions\SamlException;
use Illuminate\Support\Str;
use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Error;
/**
* Class Saml2Service
@ -21,10 +24,119 @@ class Saml2Service extends ExternalAuthService
*/
public function __construct(UserRepo $userRepo, User $user)
{
$this->config = config('services.saml');
$this->config = config('saml2');
$this->userRepo = $userRepo;
$this->user = $user;
$this->enabled = config('saml2_settings.enabled') === true;
$this->enabled = config('saml2.enabled') === true;
}
/**
* Initiate a login flow.
* @throws \OneLogin\Saml2\Error
*/
public function login(): array
{
$toolKit = $this->getToolkit();
$returnRoute = url('/saml2/acs');
return [
'url' => $toolKit->login($returnRoute, [], false, false, true),
'id' => $toolKit->getLastRequestID(),
];
}
/**
* Process the ACS response from the idp and return the
* matching, or new if registration active, user matched to the idp.
* Returns null if not authenticated.
* @throws Error
* @throws SamlException
* @throws \OneLogin\Saml2\ValidationError
* @throws JsonDebugException
*/
public function processAcsResponse(?string $requestId): ?User
{
$toolkit = $this->getToolkit();
$toolkit->processResponse($requestId);
$errors = $toolkit->getErrors();
if (is_null($requestId)) {
throw new SamlException(trans('errors.saml_invalid_response_id'));
}
if (!empty($errors)) {
throw new Error(
'Invalid ACS Response: '.implode(', ', $errors)
);
}
if (!$toolkit->isAuthenticated()) {
return null;
}
$attrs = $toolkit->getAttributes();
$id = $toolkit->getNameId();
return $this->processLoginCallback($id, $attrs);
}
/**
* Get the metadata for this service provider.
* @throws Error
*/
public function metadata(): string
{
$toolKit = $this->getToolkit();
$settings = $toolKit->getSettings();
$metadata = $settings->getSPMetadata();
$errors = $settings->validateMetadata($metadata);
if (!empty($errors)) {
throw new Error(
'Invalid SP metadata: '.implode(', ', $errors),
Error::METADATA_SP_INVALID
);
}
return $metadata;
}
/**
* Load the underlying Onelogin SAML2 toolkit.
* @throws \OneLogin\Saml2\Error
*/
protected function getToolkit(): Auth
{
$settings = $this->config['onelogin'];
$overrides = $this->config['onelogin_overrides'] ?? [];
if ($overrides && is_string($overrides)) {
$overrides = json_decode($overrides, true);
}
$spSettings = $this->loadOneloginServiceProviderDetails();
$settings = array_replace_recursive($settings, $spSettings, $overrides);
return new Auth($settings);
}
/**
* Load dynamic service provider options required by the onelogin toolkit.
*/
protected function loadOneloginServiceProviderDetails(): array
{
$spDetails = [
'entityId' => url('/saml2/metadata'),
'assertionConsumerService' => [
'url' => url('/saml2/acs'),
],
'singleLogoutService' => [
'url' => url('/saml2/sls')
],
];
return [
'baseurl' => url('/saml2'),
'sp' => $spDetails
];
}
/**
@ -155,7 +267,11 @@ class Saml2Service extends ExternalAuthService
'email_confirmed' => true,
];
// TODO - Handle duplicate email address scenario
$existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();
if ($existingUser) {
throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));
}
$user = $this->user->forceCreate($userData);
$this->userRepo->attachDefaultRole($user);
$this->userRepo->downloadAndAssignUserAvatar($user);
@ -167,7 +283,7 @@ class Saml2Service extends ExternalAuthService
*/
protected function getOrRegisterUser(array $userDetails): ?User
{
$isRegisterEnabled = config('services.saml.auto_register') === true;
$isRegisterEnabled = $this->config['auto_register'] === true;
$user = $this->user
->where('external_auth_id', $userDetails['external_id'])
->first();
@ -183,12 +299,20 @@ class Saml2Service extends ExternalAuthService
* Process the SAML response for a user. Login the user when
* they exist, optionally registering them automatically.
* @throws SamlException
* @throws JsonDebugException
*/
public function processLoginCallback(string $samlID, array $samlAttributes): User
{
$userDetails = $this->getUserDetails($samlID, $samlAttributes);
$isLoggedIn = auth()->check();
if ($this->config['dump_user_details']) {
throw new JsonDebugException([
'attrs_from_idp' => $samlAttributes,
'attrs_after_parsing' => $userDetails,
]);
}
if ($isLoggedIn) {
throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
}

View file

@ -105,7 +105,6 @@ return [
Intervention\Image\ImageServiceProvider::class,
Barryvdh\DomPDF\ServiceProvider::class,
Barryvdh\Snappy\ServiceProvider::class,
Aacotroneo\Saml2\Saml2ServiceProvider::class,
// BookStack replacement service providers (Extends Laravel)
BookStack\Providers\PaginationServiceProvider::class,

145
app/Config/saml2.php Normal file
View file

@ -0,0 +1,145 @@
<?php
return [
// Display name, shown to users, for SAML2 option
'name' => env('SAML2_NAME', 'SSO'),
// Toggle whether the SAML2 option is active
'enabled' => env('SAML2_ENABLED', false),
// Enable registration via SAML2 authentication
'auto_register' => env('SAML2_AUTO_REGISTER', true),
// Dump user details after a login request for debugging purposes
'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),
// Attribute, within a SAML response, to find the user's email address
'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),
// Attribute, within a SAML response, to find the user's display name
'display_name_attributes' => explode('|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),
// Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.
'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),
// Group sync options
// Enable syncing, upon login, of SAML2 groups to BookStack groups
'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),
// Attribute, within a SAML response, to find group names on
'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),
// When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),
// Overrides, in JSON format, to the configuration passed to underlying onelogin library.
'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),
'onelogin' => [
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true,
// Enable debug mode (to print errors)
'debug' => env('APP_DEBUG', false),
// Set a BaseURL to be used instead of try to guess
// the BaseURL of the view that process the SAML Message.
// Ex. http://sp.example.com/
// http://example.com/sp/
'baseurl' => null,
// Service Provider Data that we are deploying
'sp' => [
// Identifier of the SP entity (must be a URI)
'entityId' => '',
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => [
// URL Location where the <Response> from the IdP will be returned
'url' => '',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-POST binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
],
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
'singleLogoutService' => [
// URL Location where the <Response> from the IdP will be returned
'url' => '',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => '',
'privateKey' => '',
],
// Identity Provider Data that we want connect with our SP
'idp' => [
// Identifier of the IdP entity (must be a URI)
'entityId' => env('SAML2_IDP_ENTITYID', null),
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => [
// URL Target of the IdP where the SP will send the Authentication Request Message
'url' => env('SAML2_IDP_SSO', null),
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
// SLO endpoint info of the IdP.
'singleLogoutService' => [
// URL Location of the IdP where the SP will send the SLO Request
'url' => env('SAML2_IDP_SLO', null),
// URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
// if not set, url for the SLO Request will be used
'responseUrl' => '',
// SAML protocol binding to be used when returning the <Response>
// message. Onelogin Toolkit supports for this endpoint the
// HTTP-Redirect binding only
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
],
// Public x509 certificate of the IdP
'x509cert' => env('SAML2_IDP_x509', null),
/*
* Instead of use the whole x509cert you can use a fingerprint in
* order to validate the SAMLResponse, but we don't recommend to use
* that method on production since is exploitable by a collision
* attack.
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
* or add for example the -sha256 , -sha384 or -sha512 parameter)
*
* If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
* let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
* 'sha1' is the default value.
*/
// 'certFingerprint' => '',
// 'certFingerprintAlgorithm' => 'sha1',
/* In some scenarios the IdP uses different certificates for
* signing/encryption, or is under key rollover phase and more
* than one certificate is published on IdP metadata.
* In order to handle that the toolkit offers that parameter.
* (when used, 'x509cert' and 'certFingerprint' values are
* ignored).
*/
// 'x509certMulti' => array(
// 'signing' => array(
// 0 => '<cert1-string>',
// ),
// 'encryption' => array(
// 0 => '<cert2-string>',
// )
// ),
],
],
];

View file

@ -1,241 +0,0 @@
<?php
//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');
return $settings = array(
/**
* Whether the SAML login is enabled
*/
'enabled' => env("SAML2_ENABLED", false),
/**
* If 'useRoutes' is set to true, the package defines five new routes:
*
* Method | URI | Name
* -------|--------------------------|------------------
* POST | {routesPrefix}/acs | saml_acs
* GET | {routesPrefix}/login | saml_login
* GET | {routesPrefix}/logout | saml_logout
* GET | {routesPrefix}/metadata | saml_metadata
* GET | {routesPrefix}/sls | saml_sls
*/
'useRoutes' => true,
'routesPrefix' => '/saml2',
/**
* which middleware group to use for the saml routes
* Laravel 5.2 will need a group which includes StartSession
*/
'routesMiddleware' => ['saml'],
/**
* Indicates how the parameters will be
* retrieved from the sls request for signature validation
*/
'retrieveParametersFromServer' => false,
/**
* Where to redirect after logout
*/
'logoutRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'loginRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'errorRoute' => '/',
/*****
* One Login Settings
*/
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config
// Enable debug mode (to print errors)
'debug' => env('APP_DEBUG', false),
// If 'proxyVars' is True, then the Saml lib will trust proxy headers
// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
// your application is running behind a load balancer which terminates
// SSL.
'proxyVars' => false,
// Service Provider Data that we are deploying
'sp' => array(
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => env('SAML2_SP_x509',''),
'privateKey' => env('SAML2_SP_PRIVATEKEY',''),
// Identifier (URI) of the SP entity.
// Leave blank to use the 'saml_metadata' route.
'entityId' => env('SAML2_SP_ENTITYID',''),
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-POST binding.
// Leave blank to use the 'saml_acs' route
'url' => '',
'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
// Remove this part to not include any URL Location in the metadata.
'singleLogoutService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-Redirect binding.
// Leave blank to use the 'saml_sls' route
'url' => '',
),
),
// Identity Provider Data that we want connect with our SP
'idp' => array(
// Identifier of the IdP entity (must be a URI)
'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array(
// URL Target of the IdP where the SP will send the Authentication Request Message,
// using HTTP-Redirect binding.
'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array(
// URL Location of the IdP where the SP will send the SLO Request,
// using HTTP-Redirect binding.
'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),
),
// Public x509 certificate of the IdP
'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
// 'certFingerprint' => '',
),
/***
* OneLogin compression settings
*
*/
'compress' => array(
/** Whether requests should be GZ encoded */
'requests' => true,
/** Whether responses should be GZ compressed */
'responses' => true,
),
/***
*
* OneLogin advanced settings
*
*
*/
// Security settings
'security' => array(
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => false,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => false,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => false,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => false,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => true,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array(
'technical' => array(
'givenName' => 'name',
'emailAddress' => 'no@reply.com'
),
'support' => array(
'givenName' => 'Support',
'emailAddress' => 'no@reply.com'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array(
'en-US' => array(
'name' => 'Name',
'displayname' => 'Display Name',
'url' => 'http://url'
),
),
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
// MUST NOT assume that the IdP validates the sign
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
'wantNameIdEncrypted' => false,
*/
);

View file

@ -132,16 +132,4 @@ return [
'tls_insecure' => env('LDAP_TLS_INSECURE', false),
],
'saml' => [
'name' => env('SAML_NAME', 'SSO'),
'enabled' => env('SAML2_ENABLED', false),
'auto_register' => env('SAML_AUTO_REGISTER', false),
'email_attribute' => env('SAML_EMAIL_ATTRIBUTE', 'email'),
'display_name_attributes' => explode('|', env('SAML_DISPLAY_NAME_ATTRIBUTES', 'username')),
'external_id_attribute' => env('SAML_EXTERNAL_ID_ATTRIBUTE', null),
'group_attribute' => env('SAML_GROUP_ATTRIBUTE', 'group'),
'remove_from_groups' => env('SAML_REMOVE_FROM_GROUPS', false),
'user_to_groups' => env('SAML_USER_TO_GROUPS', false),
]
];

View file

@ -0,0 +1,25 @@
<?php namespace BookStack\Exceptions;
use Exception;
class JsonDebugException extends Exception
{
protected $data;
/**
* JsonDebugException constructor.
*/
public function __construct($data)
{
$this->data = $data;
}
/**
* Covert this exception into a response.
*/
public function render()
{
return response()->json($this->data);
}
}

View file

@ -119,7 +119,7 @@ class LoginController extends Controller
{
$socialDrivers = $this->socialAuthService->getActiveDrivers();
$authMethod = config('auth.method');
$samlEnabled = config('services.saml.enabled') == true;
$samlEnabled = config('saml2.enabled') === true;
if ($request->has('email')) {
session()->flashInput([

View file

@ -0,0 +1,71 @@
<?php
namespace BookStack\Http\Controllers\Auth;
use BookStack\Auth\Access\Saml2Service;
use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request;
class Saml2Controller extends Controller
{
protected $samlService;
/**
* Saml2Controller constructor.
*/
public function __construct(Saml2Service $samlService)
{
parent::__construct();
$this->samlService = $samlService;
}
/**
* Start the login flow via SAML2.
*/
public function login()
{
$loginDetails = $this->samlService->login();
session()->flash('saml2_request_id', $loginDetails['id']);
return redirect($loginDetails['url']);
}
/*
* Get the metadata for this SAML2 service provider.
*/
public function metadata()
{
$metaData = $this->samlService->metadata();
return response()->make($metaData, 200, [
'Content-Type' => 'text/xml'
]);
}
/**
* Single logout service.
* Handle logout requests and responses.
*/
public function sls()
{
// TODO
}
/**
* Assertion Consumer Service.
* Processes the SAML response from the IDP.
*/
public function acs()
{
$requestId = session()->pull('saml2_request_id', null);
$user = $this->samlService->processAcsResponse($requestId);
if ($user === null) {
$this->showErrorNotification(trans('errors.saml_fail_authed', ['system' => config('saml2.name')]));
return redirect('/login');
}
return redirect()->intended();
}
}

View file

@ -39,11 +39,6 @@ class Kernel extends HttpKernel
'throttle:60,1',
'bindings',
],
'saml' => [
\BookStack\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
],
];
/**

View file

@ -19,6 +19,6 @@ class VerifyCsrfToken extends Middleware
* @var array
*/
protected $except = [
//
'saml2/*'
];
}

View file

@ -1,42 +0,0 @@
<?php namespace BookStack\Listeners;
use BookStack\Auth\Access\Saml2Service;
use Illuminate\Queue\InteractsWithQueue;
use Illuminate\Contracts\Queue\ShouldQueue;
use Aacotroneo\Saml2\Events\Saml2LoginEvent;
use Illuminate\Support\Facades\Log;
class Saml2LoginEventListener
{
protected $saml;
/**
* Create the event listener.
*
* @return void
*/
public function __construct(Saml2Service $saml)
{
$this->saml = $saml;
}
/**
* Handle the event.
*
* @param Saml2LoginEvent $event
* @return void
*/
public function handle(Saml2LoginEvent $event)
{
$messageId = $event->getSaml2Auth()->getLastMessageId();
// TODO: Add your own code preventing reuse of a $messageId to stop replay attacks
$samlUser = $event->getSaml2User();
$attrs = $samlUser->getAttributes();
$id = $samlUser->getUserId();
//$assertion = $user->getRawSamlAssertion()
$user = $this->saml->processLoginCallback($id, $attrs);
}
}

View file

@ -4,7 +4,6 @@ namespace BookStack\Providers;
use Illuminate\Foundation\Support\Providers\EventServiceProvider as ServiceProvider;
use SocialiteProviders\Manager\SocialiteWasCalled;
use Aacotroneo\Saml2\Events\Saml2LoginEvent;
class EventServiceProvider extends ServiceProvider
{
@ -22,9 +21,6 @@ class EventServiceProvider extends ServiceProvider
'SocialiteProviders\Twitch\TwitchExtendSocialite@handle',
'SocialiteProviders\Discord\DiscordExtendSocialite@handle',
],
Saml2LoginEvent::class => [
'BookStack\Listeners\Saml2LoginEventListener@handle',
]
];
/**

View file

@ -22,14 +22,14 @@
"laravel/framework": "^6.0",
"laravel/socialite": "^4.2",
"league/flysystem-aws-s3-v3": "^1.0",
"onelogin/php-saml": "^3.3",
"predis/predis": "^1.1",
"socialiteproviders/discord": "^2.0",
"socialiteproviders/gitlab": "^3.0",
"socialiteproviders/microsoft-azure": "^3.0",
"socialiteproviders/okta": "^1.0",
"socialiteproviders/slack": "^3.0",
"socialiteproviders/twitch": "^5.0",
"aacotroneo/laravel-saml2": "^1.0"
"socialiteproviders/twitch": "^5.0"
},
"require-dev": {
"barryvdh/laravel-debugbar": "^3.2.8",

61
composer.lock generated
View file

@ -4,67 +4,8 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "42d7a337f6d603ab247b525ade5c3cee",
"content-hash": "140c7a04a20cef6d7ed8c1fc48257e66",
"packages": [
{
"name": "aacotroneo/laravel-saml2",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/aacotroneo/laravel-saml2.git",
"reference": "5045701a07bcd7600a17c92971368669870f546a"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/aacotroneo/laravel-saml2/zipball/5045701a07bcd7600a17c92971368669870f546a",
"reference": "5045701a07bcd7600a17c92971368669870f546a",
"shasum": ""
},
"require": {
"ext-openssl": "*",
"illuminate/support": ">=5.0.0",
"onelogin/php-saml": "^3.0.0",
"php": ">=5.4.0"
},
"require-dev": {
"mockery/mockery": "0.9.*"
},
"type": "library",
"extra": {
"laravel": {
"providers": [
"Aacotroneo\\Saml2\\Saml2ServiceProvider"
],
"aliases": {
"Saml2": "Aacotroneo\\Saml2\\Facades\\Saml2Auth"
}
}
},
"autoload": {
"psr-0": {
"Aacotroneo\\Saml2\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "aacotroneo",
"email": "aacotroneo@gmail.com"
}
],
"description": "A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
"homepage": "https://github.com/aacotroneo/laravel-saml2",
"keywords": [
"SAML2",
"laravel",
"onelogin",
"saml"
],
"time": "2018-11-08T14:03:58+00:00"
},
{
"name": "aws/aws-sdk-php",
"version": "3.117.2",

View file

@ -48,5 +48,6 @@
<server name="GOOGLE_SELECT_ACCOUNT" value=""/>
<server name="APP_URL" value="http://bookstack.dev"/>
<server name="DEBUGBAR_ENABLED" value="false"/>
<server name="SAML2_ENABLED" value="false"/>
</php>
</phpunit>

View file

@ -20,6 +20,9 @@ return [
'saml_already_logged_in' => 'Already logged in',
'saml_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
'saml_email_exists' => 'Registration unsuccessful since a user already exists with email address ":email"',
'social_no_action_defined' => 'No action defined',
'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',

View file

@ -46,13 +46,13 @@
@endif
@if($samlEnabled)
<hr class="my-l">
<div>
<a id="saml-login" class="button outline block svg" href="{{ url("/saml2/login") }}">
<hr class="my-l">
<div>
<a id="saml-login" class="button outline block svg" href="{{ url("/saml2/login") }}">
{{-- @icon('auth/github') --}}
{{ trans('auth.log_in_with', ['socialDriver' => config('services.saml.name')]) }}
</a>
</div>
{{ trans('auth.log_in_with', ['socialDriver' => config('saml2.name')]) }}
</a>
</div>
@endif
@if(setting('registration-enabled', false))

View file

@ -19,7 +19,7 @@
@include('form.text', ['name' => 'description'])
</div>
@if(config('auth.method') === 'ldap' || config('services.saml.enabled') === true)
@if(config('auth.method') === 'ldap' || config('saml2.enabled') === true)
<div class="form-group">
<label for="name">{{ trans('settings.role_external_auth_id') }}</label>
@include('form.text', ['name' => 'external_auth_id'])

View file

@ -25,7 +25,7 @@
</div>
</div>
@if(($authMethod === 'ldap' || config('services.saml.enabled') === true) && userCan('users-manage'))
@if(($authMethod === 'ldap' || config('saml2.enabled') === true) && userCan('users-manage'))
<div class="grid half gap-xl v-center">
<div>
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>

View file

@ -216,6 +216,15 @@ Route::post('/register/confirm/resend', 'Auth\ConfirmEmailController@resend');
Route::get('/register/confirm/{token}', 'Auth\ConfirmEmailController@confirm');
Route::post('/register', 'Auth\RegisterController@postRegister');
// SAML routes
// TODO - Prevent access without SAML2 enabled via middleware
Route::get('/saml2/login', 'Auth\Saml2Controller@login');
// TODO - Handle logout?
// Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
// User invitation routes
Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
Route::post('/register/invite/{token}', 'Auth\UserInviteController@setPassword');

47
tests/Auth/Saml2.php Normal file
View file

@ -0,0 +1,47 @@
<?php namespace Tests;
class Saml2 extends TestCase
{
public function setUp(): void
{
parent::setUp();
// Set default config for SAML2
config()->set([
'saml2.name' => 'SingleSignOn',
'saml2.enabled' => true,
'saml2.auto_register' => true,
'saml2.email_attribute' => 'email',
'saml2.display_name_attributes' => 'username',
'saml2.external_id_attribute' => 'external_id',
'saml2.user_to_groups' => false,
'saml2.group_attribute' => 'group',
'saml2.remove_from_groups' => false,
'saml2.onelogin_overrides' => null,
'saml2.onelogin.idp.entityId' => 'https://example.com/saml2/idp/metadata',
'saml2.onelogin.idp.singleSignOnService.url' => 'https://example.com/saml2/idp/sso',
'saml2.onelogin.idp.singleLogoutService.url' => 'https://example.com/saml2/idp/sls',
'saml2.onelogin.idp.x509cert' => 'MIIEazCCAtOgAwIBAgIUe7a088Cnr4izmrnBEnx5q3HTMvYwDQYJKoZIhvcNAQELBQAwRTELMAkGA1UEBhMCR0IxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0xOTExMTYxMjE3MTVaFw0yOTExMTUxMjE3MTVaMEUxCzAJBgNVBAYTAkdCMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDzLe9FfdyplTxHp4SuQ9gQtZT3t+SDfvEL72ppCfFZw7+B5s5B/T73aXpoQ3S53pGI1RIWCge2iCUQ2tzm27aSNH0iu9aJYcUQZ/RITqd0ayyDks1NA2PT3TW6t3m7KV5re4P0Nb+YDeuyHdkz+jcMtpn8CmBoT0H+skha0hiqINkjkRPiHvLHVGp+tHUEA/I6mN4aB/UExSTLs79NsLUfteqqxe9+tvdUaToyDPrhPFjONs+9NKCkzIC6vcv7J6AtuKG6nET+zB9yOWgtGYQifXqQA2y5dL81BB0q5uMaBLS2pq3aPPjzU2F3+EysjySWTnCkfk7C5SsCXRu8Q+U95tunpNfwf5olE6Was48NMM+PwV7iCNMPkNzllq6PCiM+P8DrMSczzUZZQUSv6dSwPCo+YSVimEM0Og3XJTiNhQ5ANlaIn66Kw5gfoBfuiXmyIKiSDyAiDYmFaf4395wWwLkTR+cw8WfjaHswKZTomn1MR3OJsY2UJ0eRBYM+YSsCAwEAAaNTMFEwHQYDVR0OBBYEFImp2CYCGfcb7w91H/cShTCkXwR/MB8GA1UdIwQYMBaAFImp2CYCGfcb7w91H/cShTCkXwR/MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggGBAA+g/C7uL9ln+W+qBknLW81kojYflgPK1I1MHIwnMvl/ZTHX4dRXKDrk7KcUq1KjqajNV66f1cakp03IijBiO0Xi1gXUZYLoCiNGUyyp9XloiIy9Xw2PiWnrw0+yZyvVssbehXXYJl4RihBjBWul9R4wMYLOUSJDe2WxcUBhJnxyNRs+P0xLSQX6B2n6nxoDko4p07s8ZKXQkeiZ2iwFdTxzRkGjthMUv704nzsVGBT0DCPtfSaO5KJZW1rCs3yiMthnBxq4qEDOQJFIl+/LD71KbB9vZcW5JuavzBFmkKGNro/6G1I7el46IR4wijTyNFCYUuD9dtignNmpWtN8OW+ptiL/jtTySWukjys0s+vLn83CVvjB0dJtVAIYOgXFdIuii66gczwwM/LGiOExJn0dTNzsJ/IYhpxL4FBEuP0pskY0o0aUlJ2LS2j+wSQTRKsBgMjyrUrekle2ODStStn3eabjIx0/FHlpFr0jNIm/oMP7kwjtUX4zaNe47QI4Gg==',
]);
}
public function test_metadata_endpoint_displays_xml_as_expected()
{
$req = $this->get('/saml2/metadata');
$req->assertHeader('Content-Type', 'text/xml; charset=UTF-8');
$req->assertSee('md:EntityDescriptor');
$req->assertSee(url('/saml2/acs'));
}
public function test_onelogin_overrides_functions_as_expected()
{
$json = '{"sp": {"assertionConsumerService": {"url": "https://example.com/super-cats"}}, "contactPerson": {"technical": {"givenName": "Barry Scott", "emailAddress": "barry@example.com"}}}';
config()->set(['saml2.onelogin_overrides' => $json]);
$req = $this->get('/saml2/metadata');
$req->assertSee('https://example.com/super-cats');
$req->assertSee('md:ContactPerson');
$req->assertSee('<md:GivenName>Barry Scott</md:GivenName>');
}
}