BookStack/app/Auth/Access/Saml2Service.php

<?php namespace BookStack\Auth\Access;

use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\SamlException;
use Illuminate\Support\Str;

/**
 * Class Saml2Service
 * Handles any app-specific SAML tasks.
 */
class Saml2Service extends ExternalAuthService
{
    protected $config;
    protected $userRepo;
    protected $user;
    protected $enabled;

    /**
     * Saml2Service constructor.
     */
    public function __construct(UserRepo $userRepo, User $user)
    {
        $this->config = config('services.saml');
        $this->userRepo = $userRepo;
        $this->user = $user;
        $this->enabled = config('saml2_settings.enabled') === true;
    }

    /**
     * Check if groups should be synced.
     */
    protected function shouldSyncGroups(): bool
    {
        return $this->enabled && $this->config['user_to_groups'] !== false;
    }

    /**
     * Calculate the display name
     */
    protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
    {
        $displayNameAttr = $this->config['display_name_attributes'];

        $displayName = [];
        foreach ($displayNameAttr as $dnAttr) {
            $dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);
            if ($dnComponent !== null) {
                $displayName[] = $dnComponent;
            }
        }

        if (count($displayName) == 0) {
            $displayName = $defaultValue;
        } else {
            $displayName = implode(' ', $displayName);
        }

        return $displayName;
    }

    /**
     * Get the value to use as the external id saved in BookStack
     * used to link the user to an existing BookStack DB user.
     */
    protected function getExternalId(array $samlAttributes, string $defaultValue)
    {
        $userNameAttr = $this->config['external_id_attribute'];
        if ($userNameAttr === null) {
            return $defaultValue;
        }

        return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);
    }

    /**
     * Extract the details of a user from a SAML response.
     * @throws SamlException
     */
    public function getUserDetails(string $samlID, $samlAttributes): array
    {
        $emailAttr = $this->config['email_attribute'];
        $externalId = $this->getExternalId($samlAttributes, $samlID);
        $email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);

        if ($email === null) {
            throw new SamlException(trans('errors.saml_no_email_address'));
        }

        return [
            'external_id' => $externalId,
            'name' => $this->getUserDisplayName($samlAttributes, $externalId),
            'email' => $email,
            'saml_id' => $samlID,
        ];
    }

    /**
     * Get the groups a user is a part of from the SAML response.
     */
    public function getUserGroups(array $samlAttributes): array
    {
        $groupsAttr = $this->config['group_attribute'];
        $userGroups = $samlAttributes[$groupsAttr] ?? null;

        if (!is_array($userGroups)) {
            $userGroups = [];
        }

        return $userGroups;
    }

    /**
     *  For an array of strings, return a default for an empty array,
     *  a string for an array with one element and the full array for
     *  more than one element.
     */
    protected function simplifyValue(array $data, $defaultValue)
    {
        switch (count($data)) {
            case 0:
                $data = $defaultValue;
                break;
            case 1:
                $data = $data[0];
                break;
        }
        return $data;
    }

    /**
     * Get a property from an SAML response.
     * Handles properties potentially being an array.
     */
    protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)
    {
        if (isset($samlAttributes[$propertyKey])) {
            return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue);
        }

        return $defaultValue;
    }

    /**
     *  Register a user that is authenticated but not already registered.
     */
    protected function registerUser(array $userDetails): User
    {
        // Create an array of the user data to create a new user instance
        $userData = [
            'name' => $userDetails['name'],
            'email' => $userDetails['email'],
            'password' => Str::random(32),
            'external_auth_id' => $userDetails['external_id'],
            'email_confirmed' => true,
        ];

        // TODO - Handle duplicate email address scenario
        $user = $this->user->forceCreate($userData);
        $this->userRepo->attachDefaultRole($user);
        $this->userRepo->downloadAndAssignUserAvatar($user);
        return $user;
    }

    /**
     * Get the user from the database for the specified details.
     */
    protected function getOrRegisterUser(array $userDetails): ?User
    {
        $isRegisterEnabled = config('services.saml.auto_register') === true;
        $user = $this->user
          ->where('external_auth_id', $userDetails['external_id'])
          ->first();

        if ($user === null && $isRegisterEnabled) {
            $user = $this->registerUser($userDetails);
        }

        return $user;
    }

    /**
     * Process the SAML response for a user. Login the user when
     * they exist, optionally registering them automatically.
     * @throws SamlException
     */
    public function processLoginCallback(string $samlID, array $samlAttributes): User
    {
        $userDetails = $this->getUserDetails($samlID, $samlAttributes);
        $isLoggedIn = auth()->check();

        if ($isLoggedIn) {
            throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
        }

        $user = $this->getOrRegisterUser($userDetails);
        if ($user === null) {
            throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
        }

        if ($this->shouldSyncGroups()) {
            $groups = $this->getUserGroups($samlAttributes);
            $this->syncWithGroups($user, $groups);
        }

        auth()->login($user);
        return $user;
    }
}
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`<?php namespace BookStack\Auth\Access;`

			`use BookStack\Auth\User;`
			`use BookStack\Auth\UserRepo;`
			`use BookStack\Exceptions\SamlException;`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`use Illuminate\Support\Str;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00
			`/**`
			`* Class Saml2Service`
			`* Handles any app-specific SAML tasks.`
			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`class Saml2Service extends ExternalAuthService`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`{`
			`protected $config;`
			`protected $userRepo;`
			`protected $user;`
			`protected $enabled;`

			`/**`
			`* Saml2Service constructor.`
			`*/`
			`public function __construct(UserRepo $userRepo, User $user)`
			`{`
			`$this->config = config('services.saml');`
			`$this->userRepo = $userRepo;`
			`$this->user = $user;`
			`$this->enabled = config('saml2_settings.enabled') === true;`
			`}`

			`/**`
			`* Check if groups should be synced.`
			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`protected function shouldSyncGroups(): bool`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`{`
			`return $this->enabled && $this->config['user_to_groups'] !== false;`
			`}`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`/**`
			`* Calculate the display name`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`{`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$displayNameAttr = $this->config['display_name_attributes'];`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00
			`$displayName = [];`
			`foreach ($displayNameAttr as $dnAttr) {`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$dnComponent = $this->getSamlResponseAttribute($samlAttributes, $dnAttr, null);`
			`if ($dnComponent !== null) {`
			`$displayName[] = $dnComponent;`
			`}`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

			`if (count($displayName) == 0) {`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$displayName = $defaultValue;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`} else {`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$displayName = implode(' ', $displayName);`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

Refactor for codestyle 2019-08-07 06:07:21 -04:00			`return $displayName;`
			`}`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`/**`
			`* Get the value to use as the external id saved in BookStack`
			`* used to link the user to an existing BookStack DB user.`
			`*/`
			`protected function getExternalId(array $samlAttributes, string $defaultValue)`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`{`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$userNameAttr = $this->config['external_id_attribute'];`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`if ($userNameAttr === null) {`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`return $defaultValue;`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`}`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`}`

			`/**`
			`* Extract the details of a user from a SAML response.`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`* @throws SamlException`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`public function getUserDetails(string $samlID, $samlAttributes): array`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`{`
			`$emailAttr = $this->config['email_attribute'];`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$externalId = $this->getExternalId($samlAttributes, $samlID);`
			`$email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);`

			`if ($email === null) {`
			`throw new SamlException(trans('errors.saml_no_email_address'));`
			`}`
Refactor for codestyle 2019-08-07 06:07:21 -04:00
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`return [`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`'external_id' => $externalId,`
			`'name' => $this->getUserDisplayName($samlAttributes, $externalId),`
			`'email' => $email,`
			`'saml_id' => $samlID,`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`];`
			`}`

			`/**`
			`* Get the groups a user is a part of from the SAML response.`
			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`public function getUserGroups(array $samlAttributes): array`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`{`
			`$groupsAttr = $this->config['group_attribute'];`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$userGroups = $samlAttributes[$groupsAttr] ?? null;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00
			`if (!is_array($userGroups)) {`
			`$userGroups = [];`
			`}`

			`return $userGroups;`
			`}`

Add error messages, fix LDAP error 2019-08-07 09:31:10 -04:00			`/**`
			`* For an array of strings, return a default for an empty array,`
			`* a string for an array with one element and the full array for`
			`* more than one element.`
			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`protected function simplifyValue(array $data, $defaultValue)`
			`{`
Add error messages, fix LDAP error 2019-08-07 09:31:10 -04:00			`switch (count($data)) {`
			`case 0:`
			`$data = $defaultValue;`
			`break;`
			`case 1:`
			`$data = $data[0];`
			`break;`
			`}`
			`return $data;`
			`}`

Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`/**`
			`* Get a property from an SAML response.`
			`* Handles properties potentially being an array.`
			`*/`
			`protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)`
			`{`
			`if (isset($samlAttributes[$propertyKey])) {`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue);`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`return $defaultValue;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

Refactor for codestyle 2019-08-07 06:07:21 -04:00			`/**`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`* Register a user that is authenticated but not already registered.`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`protected function registerUser(array $userDetails): User`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`{`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`// Create an array of the user data to create a new user instance`
			`$userData = [`
			`'name' => $userDetails['name'],`
Appeased codeclimate by extracting out external_auth_id group matching 2019-11-16 10:24:09 -05:00			`'email' => $userDetails['email'],`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`'password' => Str::random(32),`
			`'external_auth_id' => $userDetails['external_id'],`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`'email_confirmed' => true,`
			`];`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`// TODO - Handle duplicate email address scenario`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`$user = $this->user->forceCreate($userData);`
			`$this->userRepo->attachDefaultRole($user);`
			`$this->userRepo->downloadAndAssignUserAvatar($user);`
			`return $user;`
			`}`

Refactor for codestyle 2019-08-07 06:07:21 -04:00			`/**`
			`* Get the user from the database for the specified details.`
			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`protected function getOrRegisterUser(array $userDetails): ?User`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`{`
			`$isRegisterEnabled = config('services.saml.auto_register') === true;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`$user = $this->user`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`->where('external_auth_id', $userDetails['external_id'])`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`->first();`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`if ($user === null && $isRegisterEnabled) {`
			`$user = $this->registerUser($userDetails);`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

			`return $user;`
			`}`

			`/**`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`* Process the SAML response for a user. Login the user when`
			`* they exist, optionally registering them automatically.`
			`* @throws SamlException`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`*/`
Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`public function processLoginCallback(string $samlID, array $samlAttributes): User`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`{`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`$userDetails = $this->getUserDetails($samlID, $samlAttributes);`
			`$isLoggedIn = auth()->check();`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`if ($isLoggedIn) {`
Add error messages, fix LDAP error 2019-08-07 09:31:10 -04:00			`throw new SamlException(trans('errors.saml_already_logged_in'), '/login');`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`

Started review of SAML implementation - Updated PHPdoc of SAML service to use type hinting instead. - Updated groups to only sync if enabled. - Updated names of some config props. - Removed a couple of unused config props. - Added exception to handle no email on SAML response. 2019-11-16 09:42:51 -05:00			`$user = $this->getOrRegisterUser($userDetails);`
			`if ($user === null) {`
			`throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');`
			`}`

			`if ($this->shouldSyncGroups()) {`
			`$groups = $this->getUserGroups($samlAttributes);`
			`$this->syncWithGroups($user, $groups);`
			`}`

			`auth()->login($user);`
Refactor for codestyle 2019-08-07 06:07:21 -04:00			`return $user;`
Add login and automatic registration; Prepare Group sync 2019-08-06 17:42:46 -04:00			`}`
			`}`