mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 01:36:00 -04:00
Merge branch 'openid' of https://github.com/jasperweyne/BookStack into jasperweyne-openid
This commit is contained in:
commit
193d7fb3fe
@ -239,6 +239,14 @@ SAML2_USER_TO_GROUPS=false
|
||||
SAML2_GROUP_ATTRIBUTE=group
|
||||
SAML2_REMOVE_FROM_GROUPS=false
|
||||
|
||||
# OpenID Connect authentication configuration
|
||||
OPENID_CLIENT_ID=null
|
||||
OPENID_CLIENT_SECRET=null
|
||||
OPENID_ISSUER=https://example.com
|
||||
OPENID_PUBLIC_KEY=file:///my/public.key
|
||||
OPENID_URL_AUTHORIZE=https://example.com/authorize
|
||||
OPENID_URL_TOKEN=https://example.com/token
|
||||
|
||||
# Disable default third-party services such as Gravatar and Draw.IO
|
||||
# Service-specific options will override this option
|
||||
DISABLE_EXTERNAL_SERVICES=false
|
||||
|
@ -5,9 +5,47 @@ namespace BookStack\Auth\Access;
|
||||
use BookStack\Auth\Role;
|
||||
use BookStack\Auth\User;
|
||||
use Illuminate\Support\Collection;
|
||||
use Illuminate\Database\Eloquent\Builder;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
class ExternalAuthService
|
||||
{
|
||||
protected $registrationService;
|
||||
protected $user;
|
||||
|
||||
/**
|
||||
* ExternalAuthService base constructor.
|
||||
*/
|
||||
public function __construct(RegistrationService $registrationService, User $user)
|
||||
{
|
||||
$this->registrationService = $registrationService;
|
||||
$this->user = $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the user from the database for the specified details.
|
||||
* @throws UserRegistrationException
|
||||
*/
|
||||
protected function getOrRegisterUser(array $userDetails): ?User
|
||||
{
|
||||
$user = User::query()
|
||||
->where('external_auth_id', '=', $userDetails['external_id'])
|
||||
->first();
|
||||
|
||||
if (is_null($user)) {
|
||||
$userData = [
|
||||
'name' => $userDetails['name'],
|
||||
'email' => $userDetails['email'],
|
||||
'password' => Str::random(32),
|
||||
'external_auth_id' => $userDetails['external_id'],
|
||||
];
|
||||
|
||||
$user = $this->registrationService->registerUser($userData, null, false);
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check a role against an array of group names to see if it matches.
|
||||
* Checked against role 'external_auth_id' if set otherwise the name of the role.
|
||||
|
79
app/Auth/Access/Guards/OpenIdSessionGuard.php
Normal file
79
app/Auth/Access/Guards/OpenIdSessionGuard.php
Normal file
@ -0,0 +1,79 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Auth\Access\Guards;
|
||||
|
||||
use BookStack\Auth\Access\OpenIdService;
|
||||
use BookStack\Auth\Access\RegistrationService;
|
||||
use Illuminate\Contracts\Auth\UserProvider;
|
||||
use Illuminate\Contracts\Session\Session;
|
||||
|
||||
/**
|
||||
* OpenId Session Guard
|
||||
*
|
||||
* The OpenId login process is async in nature meaning it does not fit very well
|
||||
* into the default laravel 'Guard' auth flow. Instead most of the logic is done
|
||||
* via the OpenId controller & OpenIdService. This class provides a safer, thin
|
||||
* version of SessionGuard.
|
||||
*
|
||||
* @package BookStack\Auth\Access\Guards
|
||||
*/
|
||||
class OpenIdSessionGuard extends ExternalBaseSessionGuard
|
||||
{
|
||||
|
||||
protected $openidService;
|
||||
|
||||
/**
|
||||
* OpenIdSessionGuard constructor.
|
||||
*/
|
||||
public function __construct(
|
||||
$name,
|
||||
UserProvider $provider,
|
||||
Session $session,
|
||||
OpenIdService $openidService,
|
||||
RegistrationService $registrationService
|
||||
) {
|
||||
$this->openidService = $openidService;
|
||||
parent::__construct($name, $provider, $session, $registrationService);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the currently authenticated user.
|
||||
*
|
||||
* @return \Illuminate\Contracts\Auth\Authenticatable|null
|
||||
*/
|
||||
public function user()
|
||||
{
|
||||
// retrieve the current user
|
||||
$user = parent::user();
|
||||
|
||||
// refresh the current user
|
||||
if ($user && !$this->openidService->refresh()) {
|
||||
$this->user = null;
|
||||
}
|
||||
|
||||
return $this->user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Validate a user's credentials.
|
||||
*
|
||||
* @param array $credentials
|
||||
* @return bool
|
||||
*/
|
||||
public function validate(array $credentials = [])
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Attempt to authenticate a user using the given credentials.
|
||||
*
|
||||
* @param array $credentials
|
||||
* @param bool $remember
|
||||
* @return bool
|
||||
*/
|
||||
public function attempt(array $credentials = [], $remember = false)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
@ -47,7 +47,7 @@ class LoginService
|
||||
|
||||
// Authenticate on all session guards if a likely admin
|
||||
if ($user->can('users-manage') && $user->can('user-roles-manage')) {
|
||||
$guards = ['standard', 'ldap', 'saml2'];
|
||||
$guards = ['standard', 'ldap', 'saml2', 'openid'];
|
||||
foreach ($guards as $guard) {
|
||||
auth($guard)->login($user);
|
||||
}
|
||||
|
301
app/Auth/Access/OpenIdService.php
Normal file
301
app/Auth/Access/OpenIdService.php
Normal file
@ -0,0 +1,301 @@
|
||||
<?php namespace BookStack\Auth\Access;
|
||||
|
||||
use BookStack\Auth\User;
|
||||
use BookStack\Exceptions\JsonDebugException;
|
||||
use BookStack\Exceptions\OpenIdException;
|
||||
use BookStack\Exceptions\UserRegistrationException;
|
||||
use Exception;
|
||||
use Lcobucci\JWT\Token;
|
||||
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
|
||||
use OpenIDConnectClient\AccessToken;
|
||||
use OpenIDConnectClient\OpenIDConnectProvider;
|
||||
|
||||
/**
|
||||
* Class OpenIdService
|
||||
* Handles any app-specific OpenId tasks.
|
||||
*/
|
||||
class OpenIdService extends ExternalAuthService
|
||||
{
|
||||
protected $config;
|
||||
|
||||
/**
|
||||
* OpenIdService constructor.
|
||||
*/
|
||||
public function __construct(RegistrationService $registrationService, User $user)
|
||||
{
|
||||
parent::__construct($registrationService, $user);
|
||||
|
||||
$this->config = config('openid');
|
||||
}
|
||||
|
||||
/**
|
||||
* Initiate a authorization flow.
|
||||
* @throws Error
|
||||
*/
|
||||
public function login(): array
|
||||
{
|
||||
$provider = $this->getProvider();
|
||||
return [
|
||||
'url' => $provider->getAuthorizationUrl(),
|
||||
'state' => $provider->getState(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Initiate a logout flow.
|
||||
* @throws Error
|
||||
*/
|
||||
public function logout(): array
|
||||
{
|
||||
$this->actionLogout();
|
||||
$url = '/';
|
||||
$id = null;
|
||||
|
||||
return ['url' => $url, 'id' => $id];
|
||||
}
|
||||
|
||||
/**
|
||||
* Refresh the currently logged in user.
|
||||
* @throws Error
|
||||
*/
|
||||
public function refresh(): bool
|
||||
{
|
||||
// Retrieve access token for current session
|
||||
$json = session()->get('openid_token');
|
||||
|
||||
// If no access token was found, reject the refresh
|
||||
if (!$json) {
|
||||
$this->actionLogout();
|
||||
return false;
|
||||
}
|
||||
|
||||
$accessToken = new AccessToken(json_decode($json, true) ?? []);
|
||||
|
||||
// If the token is not expired, refreshing isn't necessary
|
||||
if ($this->isUnexpired($accessToken)) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// Try to obtain refreshed access token
|
||||
try {
|
||||
$newAccessToken = $this->refreshAccessToken($accessToken);
|
||||
} catch (\Exception $e) {
|
||||
// Log out if an unknown problem arises
|
||||
$this->actionLogout();
|
||||
throw $e;
|
||||
}
|
||||
|
||||
// If a token was obtained, update the access token, otherwise log out
|
||||
if ($newAccessToken !== null) {
|
||||
session()->put('openid_token', json_encode($newAccessToken));
|
||||
return true;
|
||||
} else {
|
||||
$this->actionLogout();
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether an access token or OpenID token isn't expired.
|
||||
*/
|
||||
protected function isUnexpired(AccessToken $accessToken): bool
|
||||
{
|
||||
$idToken = $accessToken->getIdToken();
|
||||
|
||||
$accessTokenUnexpired = $accessToken->getExpires() && !$accessToken->hasExpired();
|
||||
$idTokenUnexpired = !$idToken || !$idToken->isExpired();
|
||||
|
||||
return $accessTokenUnexpired && $idTokenUnexpired;
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate an updated access token, through the associated refresh token.
|
||||
* @throws Error
|
||||
*/
|
||||
protected function refreshAccessToken(AccessToken $accessToken): ?AccessToken
|
||||
{
|
||||
// If no refresh token available, abort
|
||||
if ($accessToken->getRefreshToken() === null) {
|
||||
return null;
|
||||
}
|
||||
|
||||
// ID token or access token is expired, we refresh it using the refresh token
|
||||
try {
|
||||
return $this->getProvider()->getAccessToken('refresh_token', [
|
||||
'refresh_token' => $accessToken->getRefreshToken(),
|
||||
]);
|
||||
} catch (IdentityProviderException $e) {
|
||||
// Refreshing failed
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Process the Authorization response from the authorization server and
|
||||
* return the matching, or new if registration active, user matched to
|
||||
* the authorization server.
|
||||
* Returns null if not authenticated.
|
||||
* @throws Error
|
||||
* @throws OpenIdException
|
||||
* @throws ValidationError
|
||||
* @throws JsonDebugException
|
||||
* @throws UserRegistrationException
|
||||
*/
|
||||
public function processAuthorizeResponse(?string $authorizationCode): ?User
|
||||
{
|
||||
$provider = $this->getProvider();
|
||||
|
||||
// Try to exchange authorization code for access token
|
||||
$accessToken = $provider->getAccessToken('authorization_code', [
|
||||
'code' => $authorizationCode,
|
||||
]);
|
||||
|
||||
return $this->processAccessTokenCallback($accessToken);
|
||||
}
|
||||
|
||||
/**
|
||||
* Do the required actions to log a user out.
|
||||
*/
|
||||
protected function actionLogout()
|
||||
{
|
||||
auth()->logout();
|
||||
session()->invalidate();
|
||||
}
|
||||
|
||||
/**
|
||||
* Load the underlying OpenID Connect Provider.
|
||||
* @throws Error
|
||||
* @throws Exception
|
||||
*/
|
||||
protected function getProvider(): OpenIDConnectProvider
|
||||
{
|
||||
// Setup settings
|
||||
$settings = $this->config['openid'];
|
||||
$overrides = $this->config['openid_overrides'] ?? [];
|
||||
|
||||
if ($overrides && is_string($overrides)) {
|
||||
$overrides = json_decode($overrides, true);
|
||||
}
|
||||
|
||||
$openIdSettings = $this->loadOpenIdDetails();
|
||||
$settings = array_replace_recursive($settings, $openIdSettings, $overrides);
|
||||
|
||||
// Setup services
|
||||
$services = $this->loadOpenIdServices();
|
||||
$overrides = $this->config['openid_services'] ?? [];
|
||||
|
||||
$services = array_replace_recursive($services, $overrides);
|
||||
|
||||
return new OpenIDConnectProvider($settings, $services);
|
||||
}
|
||||
|
||||
/**
|
||||
* Load services utilized by the OpenID Connect provider.
|
||||
*/
|
||||
protected function loadOpenIdServices(): array
|
||||
{
|
||||
return [
|
||||
'signer' => new \Lcobucci\JWT\Signer\Rsa\Sha256(),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Load dynamic service provider options required by the OpenID Connect provider.
|
||||
*/
|
||||
protected function loadOpenIdDetails(): array
|
||||
{
|
||||
return [
|
||||
'redirectUri' => url('/openid/redirect'),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Calculate the display name
|
||||
*/
|
||||
protected function getUserDisplayName(Token $token, string $defaultValue): string
|
||||
{
|
||||
$displayNameAttr = $this->config['display_name_attributes'];
|
||||
|
||||
$displayName = [];
|
||||
foreach ($displayNameAttr as $dnAttr) {
|
||||
$dnComponent = $token->getClaim($dnAttr, '');
|
||||
if ($dnComponent !== '') {
|
||||
$displayName[] = $dnComponent;
|
||||
}
|
||||
}
|
||||
|
||||
if (count($displayName) == 0) {
|
||||
$displayName = $defaultValue;
|
||||
} else {
|
||||
$displayName = implode(' ', $displayName);
|
||||
}
|
||||
|
||||
return $displayName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value to use as the external id saved in BookStack
|
||||
* used to link the user to an existing BookStack DB user.
|
||||
*/
|
||||
protected function getExternalId(Token $token, string $defaultValue)
|
||||
{
|
||||
$userNameAttr = $this->config['external_id_attribute'];
|
||||
if ($userNameAttr === null) {
|
||||
return $defaultValue;
|
||||
}
|
||||
|
||||
return $token->getClaim($userNameAttr, $defaultValue);
|
||||
}
|
||||
|
||||
/**
|
||||
* Extract the details of a user from an ID token.
|
||||
*/
|
||||
protected function getUserDetails(Token $token): array
|
||||
{
|
||||
$email = null;
|
||||
$emailAttr = $this->config['email_attribute'];
|
||||
if ($token->hasClaim($emailAttr)) {
|
||||
$email = $token->getClaim($emailAttr);
|
||||
}
|
||||
|
||||
return [
|
||||
'external_id' => $token->getClaim('sub'),
|
||||
'email' => $email,
|
||||
'name' => $this->getUserDisplayName($token, $email),
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Processes a received access token for a user. Login the user when
|
||||
* they exist, optionally registering them automatically.
|
||||
* @throws OpenIdException
|
||||
* @throws JsonDebugException
|
||||
* @throws UserRegistrationException
|
||||
*/
|
||||
public function processAccessTokenCallback(AccessToken $accessToken): User
|
||||
{
|
||||
$userDetails = $this->getUserDetails($accessToken->getIdToken());
|
||||
$isLoggedIn = auth()->check();
|
||||
|
||||
if ($this->config['dump_user_details']) {
|
||||
throw new JsonDebugException($accessToken->jsonSerialize());
|
||||
}
|
||||
|
||||
if ($userDetails['email'] === null) {
|
||||
throw new OpenIdException(trans('errors.openid_no_email_address'));
|
||||
}
|
||||
|
||||
if ($isLoggedIn) {
|
||||
throw new OpenIdException(trans('errors.openid_already_logged_in'), '/login');
|
||||
}
|
||||
|
||||
$user = $this->getOrRegisterUser($userDetails);
|
||||
if ($user === null) {
|
||||
throw new OpenIdException(trans('errors.openid_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
|
||||
}
|
||||
|
||||
auth()->login($user);
|
||||
session()->put('openid_token', json_encode($accessToken));
|
||||
return $user;
|
||||
}
|
||||
}
|
@ -8,7 +8,6 @@ use BookStack\Exceptions\SamlException;
|
||||
use BookStack\Exceptions\StoppedAuthenticationException;
|
||||
use BookStack\Exceptions\UserRegistrationException;
|
||||
use Exception;
|
||||
use Illuminate\Support\Str;
|
||||
use OneLogin\Saml2\Auth;
|
||||
use OneLogin\Saml2\Error;
|
||||
use OneLogin\Saml2\IdPMetadataParser;
|
||||
@ -27,8 +26,10 @@ class Saml2Service extends ExternalAuthService
|
||||
/**
|
||||
* Saml2Service constructor.
|
||||
*/
|
||||
public function __construct(RegistrationService $registrationService, LoginService $loginService)
|
||||
public function __construct(RegistrationService $registrationService, LoginService $loginService, User $user),
|
||||
{
|
||||
parent::__construct($registrationService, $user);
|
||||
|
||||
$this->config = config('saml2');
|
||||
$this->registrationService = $registrationService;
|
||||
$this->loginService = $loginService;
|
||||
@ -322,31 +323,6 @@ class Saml2Service extends ExternalAuthService
|
||||
return $defaultValue;
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the user from the database for the specified details.
|
||||
*
|
||||
* @throws UserRegistrationException
|
||||
*/
|
||||
protected function getOrRegisterUser(array $userDetails): ?User
|
||||
{
|
||||
$user = User::query()
|
||||
->where('external_auth_id', '=', $userDetails['external_id'])
|
||||
->first();
|
||||
|
||||
if (is_null($user)) {
|
||||
$userData = [
|
||||
'name' => $userDetails['name'],
|
||||
'email' => $userDetails['email'],
|
||||
'password' => Str::random(32),
|
||||
'external_auth_id' => $userDetails['external_id'],
|
||||
];
|
||||
|
||||
$user = $this->registrationService->registerUser($userData, null, false);
|
||||
}
|
||||
|
||||
return $user;
|
||||
}
|
||||
|
||||
/**
|
||||
* Process the SAML response for a user. Login the user when
|
||||
* they exist, optionally registering them automatically.
|
||||
|
@ -40,6 +40,10 @@ return [
|
||||
'driver' => 'saml2-session',
|
||||
'provider' => 'external',
|
||||
],
|
||||
'openid' => [
|
||||
'driver' => 'openid-session',
|
||||
'provider' => 'external',
|
||||
],
|
||||
'api' => [
|
||||
'driver' => 'api-token',
|
||||
],
|
||||
|
46
app/Config/openid.php
Normal file
46
app/Config/openid.php
Normal file
@ -0,0 +1,46 @@
|
||||
<?php
|
||||
|
||||
return [
|
||||
|
||||
// Display name, shown to users, for OpenId option
|
||||
'name' => env('OPENID_NAME', 'SSO'),
|
||||
|
||||
// Dump user details after a login request for debugging purposes
|
||||
'dump_user_details' => env('OPENID_DUMP_USER_DETAILS', false),
|
||||
|
||||
// Attribute, within a OpenId token, to find the user's email address
|
||||
'email_attribute' => env('OPENID_EMAIL_ATTRIBUTE', 'email'),
|
||||
// Attribute, within a OpenId token, to find the user's display name
|
||||
'display_name_attributes' => explode('|', env('OPENID_DISPLAY_NAME_ATTRIBUTES', 'name')),
|
||||
// Attribute, within a OpenId token, to use to connect a BookStack user to the OpenId user.
|
||||
'external_id_attribute' => env('OPENID_EXTERNAL_ID_ATTRIBUTE', null),
|
||||
|
||||
// Overrides, in JSON format, to the configuration passed to underlying OpenIDConnectProvider library.
|
||||
'openid_overrides' => env('OPENID_OVERRIDES', null),
|
||||
|
||||
// Custom service instances, used by the underlying OpenIDConnectProvider library
|
||||
'openid_services' => [],
|
||||
|
||||
'openid' => [
|
||||
// OAuth2/OpenId client id, as configured in your Authorization server.
|
||||
'clientId' => env('OPENID_CLIENT_ID', ''),
|
||||
|
||||
// OAuth2/OpenId client secret, as configured in your Authorization server.
|
||||
'clientSecret' => env('OPENID_CLIENT_SECRET', ''),
|
||||
|
||||
// OAuth2 scopes that are request, by default the OpenId-native profile and email scopes.
|
||||
'scopes' => 'profile email',
|
||||
|
||||
// The issuer of the identity token (id_token) this will be compared with what is returned in the token.
|
||||
'idTokenIssuer' => env('OPENID_ISSUER', ''),
|
||||
|
||||
// Public key that's used to verify the JWT token with.
|
||||
'publicKey' => env('OPENID_PUBLIC_KEY', ''),
|
||||
|
||||
// OAuth2 endpoints.
|
||||
'urlAuthorize' => env('OPENID_URL_AUTHORIZE', ''),
|
||||
'urlAccessToken' => env('OPENID_URL_TOKEN', ''),
|
||||
'urlResourceOwnerDetails' => env('OPENID_URL_RESOURCE', ''),
|
||||
],
|
||||
|
||||
];
|
6
app/Exceptions/OpenIdException.php
Normal file
6
app/Exceptions/OpenIdException.php
Normal file
@ -0,0 +1,6 @@
|
||||
<?php namespace BookStack\Exceptions;
|
||||
|
||||
class OpenIdException extends NotifyException
|
||||
{
|
||||
|
||||
}
|
70
app/Http/Controllers/Auth/OpenIdController.php
Normal file
70
app/Http/Controllers/Auth/OpenIdController.php
Normal file
@ -0,0 +1,70 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Http\Controllers\Auth;
|
||||
|
||||
use BookStack\Auth\Access\OpenIdService;
|
||||
use BookStack\Http\Controllers\Controller;
|
||||
|
||||
class OpenIdController extends Controller
|
||||
{
|
||||
|
||||
protected $openidService;
|
||||
|
||||
/**
|
||||
* OpenIdController constructor.
|
||||
*/
|
||||
public function __construct(OpenIdService $openidService)
|
||||
{
|
||||
parent::__construct();
|
||||
$this->openidService = $openidService;
|
||||
$this->middleware('guard:openid');
|
||||
}
|
||||
|
||||
/**
|
||||
* Start the authorization login flow via OpenId Connect.
|
||||
*/
|
||||
public function login()
|
||||
{
|
||||
$loginDetails = $this->openidService->login();
|
||||
session()->flash('openid_state', $loginDetails['state']);
|
||||
|
||||
return redirect($loginDetails['url']);
|
||||
}
|
||||
|
||||
/**
|
||||
* Start the logout flow via OpenId Connect.
|
||||
*/
|
||||
public function logout()
|
||||
{
|
||||
$logoutDetails = $this->openidService->logout();
|
||||
|
||||
if ($logoutDetails['id']) {
|
||||
session()->flash('saml2_logout_request_id', $logoutDetails['id']);
|
||||
}
|
||||
|
||||
return redirect($logoutDetails['url']);
|
||||
}
|
||||
|
||||
/**
|
||||
* Authorization flow Redirect.
|
||||
* Processes authorization response from the OpenId Connect Authorization Server.
|
||||
*/
|
||||
public function redirect()
|
||||
{
|
||||
$storedState = session()->pull('openid_state');
|
||||
$responseState = request()->query('state');
|
||||
|
||||
if ($storedState !== $responseState) {
|
||||
$this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
|
||||
return redirect('/login');
|
||||
}
|
||||
|
||||
$user = $this->openidService->processAuthorizeResponse(request()->query('code'));
|
||||
if ($user === null) {
|
||||
$this->showErrorNotification(trans('errors.openid_fail_authed', ['system' => config('saml2.name')]));
|
||||
return redirect('/login');
|
||||
}
|
||||
|
||||
return redirect()->intended();
|
||||
}
|
||||
}
|
@ -84,7 +84,7 @@ class UserController extends Controller
|
||||
if ($authMethod === 'standard' && !$sendInvite) {
|
||||
$validationRules['password'] = 'required|min:6';
|
||||
$validationRules['password-confirm'] = 'required|same:password';
|
||||
} elseif ($authMethod === 'ldap' || $authMethod === 'saml2') {
|
||||
} elseif ($authMethod === 'ldap' || $authMethod === 'saml2' || $authMethod === 'openid') {
|
||||
$validationRules['external_auth_id'] = 'required';
|
||||
}
|
||||
$this->validate($request, $validationRules);
|
||||
@ -93,7 +93,7 @@ class UserController extends Controller
|
||||
|
||||
if ($authMethod === 'standard') {
|
||||
$user->password = bcrypt($request->get('password', Str::random(32)));
|
||||
} elseif ($authMethod === 'ldap' || $authMethod === 'saml2') {
|
||||
} elseif ($authMethod === 'ldap' || $authMethod === 'saml2' || $authMethod === 'openid') {
|
||||
$user->external_auth_id = $request->get('external_auth_id');
|
||||
}
|
||||
|
||||
|
@ -20,5 +20,6 @@ class VerifyCsrfToken extends Middleware
|
||||
*/
|
||||
protected $except = [
|
||||
'saml2/*',
|
||||
'openid/*',
|
||||
];
|
||||
}
|
||||
|
@ -6,8 +6,10 @@ use BookStack\Api\ApiTokenGuard;
|
||||
use BookStack\Auth\Access\ExternalBaseUserProvider;
|
||||
use BookStack\Auth\Access\Guards\LdapSessionGuard;
|
||||
use BookStack\Auth\Access\Guards\Saml2SessionGuard;
|
||||
use BookStack\Auth\Access\Guards\OpenIdSessionGuard;
|
||||
use BookStack\Auth\Access\LdapService;
|
||||
use BookStack\Auth\Access\LoginService;
|
||||
use BookStack\Auth\Access\OpenIdService;
|
||||
use BookStack\Auth\Access\RegistrationService;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
use Illuminate\Support\ServiceProvider;
|
||||
@ -47,6 +49,17 @@ class AuthServiceProvider extends ServiceProvider
|
||||
$app[RegistrationService::class]
|
||||
);
|
||||
});
|
||||
|
||||
Auth::extend('openid-session', function ($app, $name, array $config) {
|
||||
$provider = Auth::createUserProvider($config['provider']);
|
||||
return new OpenIdSessionGuard(
|
||||
$name,
|
||||
$provider,
|
||||
$this->app['session.store'],
|
||||
$app[OpenIdService::class],
|
||||
$app[RegistrationService::class]
|
||||
);
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -35,7 +35,8 @@
|
||||
"socialiteproviders/okta": "^4.1",
|
||||
"socialiteproviders/slack": "^4.1",
|
||||
"socialiteproviders/twitch": "^5.3",
|
||||
"ssddanbrown/htmldiff": "^v1.0.1"
|
||||
"ssddanbrown/htmldiff": "^v1.0.1",
|
||||
"steverhoades/oauth2-openid-connect-client": "^0.3.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"barryvdh/laravel-debugbar": "^3.5.1",
|
||||
|
227
composer.lock
generated
227
composer.lock
generated
@ -2034,6 +2034,71 @@
|
||||
},
|
||||
"time": "2021-08-31T15:16:26+00:00"
|
||||
},
|
||||
{
|
||||
"name": "lcobucci/jwt",
|
||||
"version": "3.3.2",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/lcobucci/jwt.git",
|
||||
"reference": "56f10808089e38623345e28af2f2d5e4eb579455"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/lcobucci/jwt/zipball/56f10808089e38623345e28af2f2d5e4eb579455",
|
||||
"reference": "56f10808089e38623345e28af2f2d5e4eb579455",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ext-mbstring": "*",
|
||||
"ext-openssl": "*",
|
||||
"php": "^5.6 || ^7.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"mikey179/vfsstream": "~1.5",
|
||||
"phpmd/phpmd": "~2.2",
|
||||
"phpunit/php-invoker": "~1.1",
|
||||
"phpunit/phpunit": "^5.7 || ^7.3",
|
||||
"squizlabs/php_codesniffer": "~2.3"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-master": "3.1-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"Lcobucci\\JWT\\": "src"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"BSD-3-Clause"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Luís Otávio Cobucci Oblonczyk",
|
||||
"email": "lcobucci@gmail.com",
|
||||
"role": "Developer"
|
||||
}
|
||||
],
|
||||
"description": "A simple library to work with JSON Web Token and JSON Web Signature",
|
||||
"keywords": [
|
||||
"JWS",
|
||||
"jwt"
|
||||
],
|
||||
"funding": [
|
||||
{
|
||||
"url": "https://github.com/lcobucci",
|
||||
"type": "github"
|
||||
},
|
||||
{
|
||||
"url": "https://www.patreon.com/lcobucci",
|
||||
"type": "patreon"
|
||||
}
|
||||
],
|
||||
"time": "2020-05-22T08:21:12+00:00"
|
||||
},
|
||||
{
|
||||
"name": "league/commonmark",
|
||||
"version": "1.6.6",
|
||||
@ -2501,6 +2566,73 @@
|
||||
},
|
||||
"time": "2021-08-15T23:05:49+00:00"
|
||||
},
|
||||
{
|
||||
"name": "league/oauth2-client",
|
||||
"version": "2.4.1",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/thephpleague/oauth2-client.git",
|
||||
"reference": "cc114abc622a53af969e8664722e84ca36257530"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/thephpleague/oauth2-client/zipball/cc114abc622a53af969e8664722e84ca36257530",
|
||||
"reference": "cc114abc622a53af969e8664722e84ca36257530",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"guzzlehttp/guzzle": "^6.0",
|
||||
"paragonie/random_compat": "^1|^2|^9.99",
|
||||
"php": "^5.6|^7.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"eloquent/liberator": "^2.0",
|
||||
"eloquent/phony-phpunit": "^1.0|^3.0",
|
||||
"jakub-onderka/php-parallel-lint": "^0.9.2",
|
||||
"phpunit/phpunit": "^5.7|^6.0",
|
||||
"squizlabs/php_codesniffer": "^2.3|^3.0"
|
||||
},
|
||||
"type": "library",
|
||||
"extra": {
|
||||
"branch-alias": {
|
||||
"dev-2.x": "2.0.x-dev"
|
||||
}
|
||||
},
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"League\\OAuth2\\Client\\": "src/"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Alex Bilbie",
|
||||
"email": "hello@alexbilbie.com",
|
||||
"homepage": "http://www.alexbilbie.com",
|
||||
"role": "Developer"
|
||||
},
|
||||
{
|
||||
"name": "Woody Gilk",
|
||||
"homepage": "https://github.com/shadowhand",
|
||||
"role": "Contributor"
|
||||
}
|
||||
],
|
||||
"description": "OAuth 2.0 Client Library",
|
||||
"keywords": [
|
||||
"Authentication",
|
||||
"SSO",
|
||||
"authorization",
|
||||
"identity",
|
||||
"idp",
|
||||
"oauth",
|
||||
"oauth2",
|
||||
"single sign on"
|
||||
],
|
||||
"time": "2018-11-22T18:33:57+00:00"
|
||||
},
|
||||
{
|
||||
"name": "monolog/monolog",
|
||||
"version": "2.3.4",
|
||||
@ -4380,6 +4512,101 @@
|
||||
],
|
||||
"time": "2021-01-24T18:51:30+00:00"
|
||||
},
|
||||
{
|
||||
"name": "steverhoades/oauth2-openid-connect-client",
|
||||
"version": "v0.3.0",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/steverhoades/oauth2-openid-connect-client.git",
|
||||
"reference": "0159471487540a4620b8d0b693f5f215503a8d75"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/steverhoades/oauth2-openid-connect-client/zipball/0159471487540a4620b8d0b693f5f215503a8d75",
|
||||
"reference": "0159471487540a4620b8d0b693f5f215503a8d75",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"lcobucci/jwt": "^3.2",
|
||||
"league/oauth2-client": "^2.0"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpmd/phpmd": "~2.2",
|
||||
"phpunit/php-invoker": "~1.1",
|
||||
"phpunit/phpunit": "~4.5",
|
||||
"squizlabs/php_codesniffer": "~2.3"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"OpenIDConnectClient\\": "src/"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Steve Rhoades",
|
||||
"email": "sedonami@gmail.com"
|
||||
}
|
||||
],
|
||||
"description": "OAuth2 OpenID Connect Client that utilizes the PHP Leagues OAuth2 Client",
|
||||
"time": "2020-05-19T23:06:36+00:00"
|
||||
},
|
||||
{
|
||||
"name": "swiftmailer/swiftmailer",
|
||||
"version": "v6.2.3",
|
||||
"source": {
|
||||
"type": "git",
|
||||
"url": "https://github.com/ssddanbrown/HtmlDiff.git",
|
||||
"reference": "f60d5cc278b60305ab980a6665f46117c5b589c0"
|
||||
},
|
||||
"dist": {
|
||||
"type": "zip",
|
||||
"url": "https://api.github.com/repos/ssddanbrown/HtmlDiff/zipball/f60d5cc278b60305ab980a6665f46117c5b589c0",
|
||||
"reference": "f60d5cc278b60305ab980a6665f46117c5b589c0",
|
||||
"shasum": ""
|
||||
},
|
||||
"require": {
|
||||
"ext-mbstring": "*",
|
||||
"php": ">=7.2"
|
||||
},
|
||||
"require-dev": {
|
||||
"phpunit/phpunit": "^8.5|^9.4.3"
|
||||
},
|
||||
"type": "library",
|
||||
"autoload": {
|
||||
"psr-4": {
|
||||
"Ssddanbrown\\HtmlDiff\\": "src"
|
||||
}
|
||||
},
|
||||
"notification-url": "https://packagist.org/downloads/",
|
||||
"license": [
|
||||
"MIT"
|
||||
],
|
||||
"authors": [
|
||||
{
|
||||
"name": "Dan Brown",
|
||||
"email": "ssddanbrown@googlemail.com",
|
||||
"role": "Developer"
|
||||
}
|
||||
],
|
||||
"description": "HTML Content Diff Generator",
|
||||
"homepage": "https://github.com/ssddanbrown/htmldiff",
|
||||
"support": {
|
||||
"issues": "https://github.com/ssddanbrown/HtmlDiff/issues",
|
||||
"source": "https://github.com/ssddanbrown/HtmlDiff/tree/v1.0.1"
|
||||
},
|
||||
"funding": [
|
||||
{
|
||||
"url": "https://github.com/ssddanbrown",
|
||||
"type": "github"
|
||||
}
|
||||
],
|
||||
"time": "2021-01-24T18:51:30+00:00"
|
||||
},
|
||||
{
|
||||
"name": "swiftmailer/swiftmailer",
|
||||
"version": "v6.2.7",
|
||||
|
@ -23,6 +23,10 @@ return [
|
||||
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
||||
'saml_invalid_response_id' => 'The request from the external authentication system is not recognised by a process started by this application. Navigating back after a login could cause this issue.',
|
||||
'saml_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
||||
'openid_already_logged_in' => 'Already logged in',
|
||||
'openid_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
|
||||
'openid_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
|
||||
'openid_fail_authed' => 'Login using :system failed, system did not provide successful authorization',
|
||||
'social_no_action_defined' => 'No action defined',
|
||||
'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
|
||||
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',
|
||||
|
11
resources/views/auth/parts/login-form-openid.blade.php
Normal file
11
resources/views/auth/parts/login-form-openid.blade.php
Normal file
@ -0,0 +1,11 @@
|
||||
<form action="{{ url('/openid/login') }}" method="POST" id="login-form" class="mt-l">
|
||||
{!! csrf_field() !!}
|
||||
|
||||
<div>
|
||||
<button id="saml-login" class="button outline block svg">
|
||||
@icon('saml2')
|
||||
<span>{{ trans('auth.log_in_with', ['socialDriver' => config('openid.name')]) }}</span>
|
||||
</button>
|
||||
</div>
|
||||
|
||||
</form>
|
@ -73,6 +73,8 @@
|
||||
<li>
|
||||
@if(config('auth.method') === 'saml2')
|
||||
<a href="{{ url('/saml2/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
||||
@elseif(config('auth.method') === 'openid')
|
||||
<a href="{{ url('/openid/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
||||
@else
|
||||
<a href="{{ url('/logout') }}">@icon('logout'){{ trans('auth.logout') }}</a>
|
||||
@endif
|
||||
|
@ -221,7 +221,7 @@
|
||||
'label' => trans('settings.reg_enable_toggle')
|
||||
])
|
||||
|
||||
@if(in_array(config('auth.method'), ['ldap', 'saml2']))
|
||||
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'openid']))
|
||||
<div class="text-warn text-small mb-l">{{ trans('settings.reg_enable_external_warning') }}</div>
|
||||
@endif
|
||||
|
||||
|
0
resources/views/settings/roles/form.blade.php
Normal file
0
resources/views/settings/roles/form.blade.php
Normal file
@ -22,7 +22,7 @@
|
||||
@include('form.checkbox', ['name' => 'mfa_enforced', 'label' => trans('settings.role_mfa_enforced') ])
|
||||
</div>
|
||||
|
||||
@if(config('auth.method') === 'ldap' || config('auth.method') === 'saml2')
|
||||
@if(in_array(config('auth.method'), ['ldap', 'saml2', 'openid']))
|
||||
<div class="form-group">
|
||||
<label for="name">{{ trans('settings.role_external_auth_id') }}</label>
|
||||
@include('form.text', ['name' => 'external_auth_id'])
|
||||
|
@ -25,7 +25,7 @@
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@if(($authMethod === 'ldap' || $authMethod === 'saml2') && userCan('users-manage'))
|
||||
@if(in_array($authMethod, ['ldap', 'saml2', 'openid']) && userCan('users-manage'))
|
||||
<div class="grid half gap-xl v-center">
|
||||
<div>
|
||||
<label class="setting-list-label">{{ trans('settings.users_external_auth_id') }}</label>
|
||||
|
@ -267,6 +267,11 @@ Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
|
||||
Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
|
||||
Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
|
||||
|
||||
// OpenId routes
|
||||
Route::post('/openid/login', 'Auth\OpenIdController@login');
|
||||
Route::get('/openid/logout', 'Auth\OpenIdController@logout');
|
||||
Route::get('/openid/redirect', 'Auth\OpenIdController@redirect');
|
||||
|
||||
// User invitation routes
|
||||
Route::get('/register/invite/{token}', 'Auth\UserInviteController@showSetPassword');
|
||||
Route::post('/register/invite/{token}', 'Auth\UserInviteController@setPassword');
|
||||
|
@ -318,6 +318,7 @@ class AuthTest extends TestCase
|
||||
$this->assertTrue(auth()->check());
|
||||
$this->assertTrue(auth('ldap')->check());
|
||||
$this->assertTrue(auth('saml2')->check());
|
||||
$this->assertTrue(auth('openid')->check());
|
||||
}
|
||||
|
||||
public function test_login_authenticates_nonadmins_on_default_guard_only()
|
||||
@ -330,6 +331,7 @@ class AuthTest extends TestCase
|
||||
$this->assertTrue(auth()->check());
|
||||
$this->assertFalse(auth('ldap')->check());
|
||||
$this->assertFalse(auth('saml2')->check());
|
||||
$this->assertFalse(auth('openid')->check());
|
||||
}
|
||||
|
||||
public function test_failed_logins_are_logged_when_message_configured()
|
||||
|
112
tests/Auth/OpenIdTest.php
Normal file
112
tests/Auth/OpenIdTest.php
Normal file
@ -0,0 +1,112 @@
|
||||
<?php namespace Tests\Auth;
|
||||
|
||||
use Tests\TestCase;
|
||||
|
||||
class OpenIdTest extends TestCase
|
||||
{
|
||||
|
||||
public function setUp(): void
|
||||
{
|
||||
parent::setUp();
|
||||
// Set default config for OpenID Connect
|
||||
config()->set([
|
||||
'auth.method' => 'openid',
|
||||
'auth.defaults.guard' => 'openid',
|
||||
'openid.name' => 'SingleSignOn-Testing',
|
||||
'openid.email_attribute' => 'email',
|
||||
'openid.display_name_attributes' => ['given_name', 'family_name'],
|
||||
'openid.external_id_attribute' => 'uid',
|
||||
'openid.openid_overrides' => null,
|
||||
'openid.openid.clientId' => 'testapp',
|
||||
'openid.openid.clientSecret' => 'testpass',
|
||||
'openid.openid.publicKey' => $this->testCert,
|
||||
'openid.openid.idTokenIssuer' => 'https://openid.local',
|
||||
'openid.openid.urlAuthorize' => 'https://openid.local/auth',
|
||||
'openid.openid.urlAccessToken' => 'https://openid.local/token',
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_openid_overrides_functions_as_expected()
|
||||
{
|
||||
$json = '{"urlAuthorize": "https://openid.local/custom"}';
|
||||
config()->set(['openid.openid_overrides' => $json]);
|
||||
|
||||
$req = $this->get('/openid/login');
|
||||
$redirect = $req->headers->get('location');
|
||||
$this->assertStringStartsWith('https://openid.local/custom', $redirect, 'Login redirects to SSO location');
|
||||
}
|
||||
|
||||
public function test_login_option_shows_on_login_page()
|
||||
{
|
||||
$req = $this->get('/login');
|
||||
$req->assertSeeText('SingleSignOn-Testing');
|
||||
$req->assertElementExists('form[action$="/openid/login"][method=POST] button');
|
||||
}
|
||||
|
||||
public function test_login()
|
||||
{
|
||||
$req = $this->post('/openid/login');
|
||||
$redirect = $req->headers->get('location');
|
||||
|
||||
$this->assertStringStartsWith('https://openid.local/auth', $redirect, 'Login redirects to SSO location');
|
||||
$this->assertFalse($this->isAuthenticated());
|
||||
}
|
||||
|
||||
public function test_openid_routes_are_only_active_if_openid_enabled()
|
||||
{
|
||||
config()->set(['auth.method' => 'standard']);
|
||||
$getRoutes = ['/logout', '/metadata', '/sls'];
|
||||
foreach ($getRoutes as $route) {
|
||||
$req = $this->get('/openid' . $route);
|
||||
$this->assertPermissionError($req);
|
||||
}
|
||||
|
||||
$postRoutes = ['/login', '/acs'];
|
||||
foreach ($postRoutes as $route) {
|
||||
$req = $this->post('/openid' . $route);
|
||||
$this->assertPermissionError($req);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_forgot_password_routes_inaccessible()
|
||||
{
|
||||
$resp = $this->get('/password/email');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->post('/password/email');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->get('/password/reset/abc123');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->post('/password/reset');
|
||||
$this->assertPermissionError($resp);
|
||||
}
|
||||
|
||||
public function test_standard_login_routes_inaccessible()
|
||||
{
|
||||
$resp = $this->post('/login');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->get('/logout');
|
||||
$this->assertPermissionError($resp);
|
||||
}
|
||||
|
||||
public function test_user_invite_routes_inaccessible()
|
||||
{
|
||||
$resp = $this->get('/register/invite/abc123');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->post('/register/invite/abc123');
|
||||
$this->assertPermissionError($resp);
|
||||
}
|
||||
|
||||
public function test_user_register_routes_inaccessible()
|
||||
{
|
||||
$resp = $this->get('/register');
|
||||
$this->assertPermissionError($resp);
|
||||
|
||||
$resp = $this->post('/register');
|
||||
$this->assertPermissionError($resp);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user