Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Started review of SAML implementation

Browse Source 
- Updated PHPdoc of SAML service to use type hinting instead.
- Updated groups to only sync if enabled.
- Updated names of some config props.
- Removed a couple of unused config props.
- Added exception to handle no email on SAML response.
This commit is contained in:
Dan Brown 2019-11-16 14:42:51 +00:00
parent bb1f43cbd8
commit 8169c725d5
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 577 additions and 422 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

125
app/Auth/Access/Saml2Service.php
View File

@ -1,18 +1,15 @@
<?php namespace BookStack\Auth\Access; <?php namespace BookStack\Auth\Access;
use BookStack\Auth\Access;
use BookStack\Auth\User; use BookStack\Auth\User;
use BookStack\Auth\UserRepo; use BookStack\Auth\UserRepo;
use BookStack\Exceptions\SamlException; use BookStack\Exceptions\SamlException;
use Illuminate\Contracts\Auth\Authenticatable; use Illuminate\Support\Str;
/** /**
* Class Saml2Service * Class Saml2Service
* Handles any app-specific SAML tasks. * Handles any app-specific SAML tasks.
* @package BookStack\Services
*/ */
class Saml2Service extends Access\ExternalAuthService class Saml2Service extends ExternalAuthService
{ {
protected $config; protected $config;
protected $userRepo; protected $userRepo;
@ -21,7 +18,6 @@ class Saml2Service extends Access\ExternalAuthService
/** /**
* Saml2Service constructor. * Saml2Service constructor.
* @param \BookStack\Auth\UserRepo $userRepo
*/ */
public function __construct(UserRepo $userRepo, User $user) public function __construct(UserRepo $userRepo, User $user)
{ {
@ -33,21 +29,18 @@ class Saml2Service extends Access\ExternalAuthService
/** /**
* Check if groups should be synced. * Check if groups should be synced.
* @return bool
*/ */
public function shouldSyncGroups() protected function shouldSyncGroups(): bool
{ {
return $this->enabled && $this->config['user_to_groups'] !== false; return $this->enabled && $this->config['user_to_groups'] !== false;
} }
/** Calculate the display name /**
* @param array $samlAttributes * Calculate the display name
* @param string $defaultValue
* @return string
*/ */
protected function getUserDisplayName(array $samlAttributes, string $defaultValue) protected function getUserDisplayName(array $samlAttributes, string $defaultValue): string
{ {
$displayNameAttr = $this->config['display_name_attribute']; $displayNameAttr = $this->config['display_name_attributes'];
$displayName = []; $displayName = [];
foreach ($displayNameAttr as $dnAttr) { foreach ($displayNameAttr as $dnAttr) {
@ -66,47 +59,49 @@ class Saml2Service extends Access\ExternalAuthService
return $displayName; return $displayName;
} }
protected function getUserName(array $samlAttributes, string $defaultValue) /**
* Get the value to use as the external id saved in BookStack
* used to link the user to an existing BookStack DB user.
*/
protected function getExternalId(array $samlAttributes, string $defaultValue)
{ {
$userNameAttr = $this->config['user_name_attribute']; $userNameAttr = $this->config['external_id_attribute'];
if ($userNameAttr === null) { if ($userNameAttr === null) {
$userName = $defaultValue; return $defaultValue;
} else {
$userName = $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);
} }
return $userName; return $this->getSamlResponseAttribute($samlAttributes, $userNameAttr, $defaultValue);
} }
/** /**
* Extract the details of a user from a SAML response. * Extract the details of a user from a SAML response.
* @param $samlID * @throws SamlException
* @param $samlAttributes
* @return array
*/ */
public function getUserDetails($samlID, $samlAttributes) public function getUserDetails(string $samlID, $samlAttributes): array
{ {
$emailAttr = $this->config['email_attribute']; $emailAttr = $this->config['email_attribute'];
$userName = $this->getUserName($samlAttributes, $samlID); $externalId = $this->getExternalId($samlAttributes, $samlID);
$email = $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null);
if ($email === null) {
throw new SamlException(trans('errors.saml_no_email_address'));
}
return [ return [
'uid' => $userName, 'external_id' => $externalId,
'name' => $this->getUserDisplayName($samlAttributes, $userName), 'name' => $this->getUserDisplayName($samlAttributes, $externalId),
'dn' => $samlID, 'email' => $email,
'email' => $this->getSamlResponseAttribute($samlAttributes, $emailAttr, null), 'saml_id' => $samlID,
]; ];
} }
/** /**
* Get the groups a user is a part of from the SAML response. * Get the groups a user is a part of from the SAML response.
* @param array $samlAttributes
* @return array
*/ */
public function getUserGroups($samlAttributes) public function getUserGroups(array $samlAttributes): array
{ {
$groupsAttr = $this->config['group_attribute']; $groupsAttr = $this->config['group_attribute'];
$userGroups = $samlAttributes[$groupsAttr]; $userGroups = $samlAttributes[$groupsAttr] ?? null;
if (!is_array($userGroups)) { if (!is_array($userGroups)) {
$userGroups = []; $userGroups = [];
@ -119,12 +114,9 @@ class Saml2Service extends Access\ExternalAuthService
* For an array of strings, return a default for an empty array, * For an array of strings, return a default for an empty array,
* a string for an array with one element and the full array for * a string for an array with one element and the full array for
* more than one element. * more than one element.
*
* @param array $data
* @param $defaultValue
* @return string
*/ */
protected function simplifyValue(array $data, $defaultValue) { protected function simplifyValue(array $data, $defaultValue)
{
switch (count($data)) { switch (count($data)) {
case 0: case 0:
$data = $defaultValue; $data = $defaultValue;
@ -139,39 +131,32 @@ class Saml2Service extends Access\ExternalAuthService
/** /**
* Get a property from an SAML response. * Get a property from an SAML response.
* Handles properties potentially being an array. * Handles properties potentially being an array.
* @param array $userDetails
* @param string $propertyKey
* @param $defaultValue
* @return mixed
*/ */
protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue) protected function getSamlResponseAttribute(array $samlAttributes, string $propertyKey, $defaultValue)
{ {
if (isset($samlAttributes[$propertyKey])) { if (isset($samlAttributes[$propertyKey])) {
$data = $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue); return $this->simplifyValue($samlAttributes[$propertyKey], $defaultValue);
} else {
$data = $defaultValue;
} }
return $data; return $defaultValue;
} }
/** /**
* Register a user that is authenticated but not * Register a user that is authenticated but not already registered.
* already registered.
* @param array $userDetails
* @return User
*/ */
protected function registerUser($userDetails) protected function registerUser(array $userDetails): User
{ {
// Create an array of the user data to create a new user instance // Create an array of the user data to create a new user instance
$userData = [ $userData = [
'name' => $userDetails['name'], 'name' => $userDetails['name'],
'email' => $userDetails['email'], 'email' => $userDetails['email'] ?? '',
'password' => str_random(30), 'password' => Str::random(32),
'external_auth_id' => $userDetails['uid'], 'external_auth_id' => $userDetails['external_id'],
'email_confirmed' => true, 'email_confirmed' => true,
]; ];
// TODO - Handle duplicate email address scenario
$user = $this->user->forceCreate($userData); $user = $this->user->forceCreate($userData);
$this->userRepo->attachDefaultRole($user); $this->userRepo->attachDefaultRole($user);
$this->userRepo->downloadAndAssignUserAvatar($user); $this->userRepo->downloadAndAssignUserAvatar($user);
@ -180,14 +165,12 @@ class Saml2Service extends Access\ExternalAuthService
/** /**
* Get the user from the database for the specified details. * Get the user from the database for the specified details.
* @param array $userDetails
* @return User|null
*/ */
protected function getOrRegisterUser($userDetails) protected function getOrRegisterUser(array $userDetails): ?User
{ {
$isRegisterEnabled = config('services.saml.auto_register') === true; $isRegisterEnabled = config('services.saml.auto_register') === true;
$user = $this->user $user = $this->user
->where('external_auth_id', $userDetails['uid']) ->where('external_auth_id', $userDetails['external_id'])
->first(); ->first();
if ($user === null && $isRegisterEnabled) { if ($user === null && $isRegisterEnabled) {
@ -200,28 +183,28 @@ class Saml2Service extends Access\ExternalAuthService
/** /**
* Process the SAML response for a user. Login the user when * Process the SAML response for a user. Login the user when
* they exist, optionally registering them automatically. * they exist, optionally registering them automatically.
* @param string $samlID
* @param array $samlAttributes
* @throws SamlException * @throws SamlException
*/ */
public function processLoginCallback($samlID, $samlAttributes) public function processLoginCallback(string $samlID, array $samlAttributes): User
{ {
$userDetails = $this->getUserDetails($samlID, $samlAttributes); $userDetails = $this->getUserDetails($samlID, $samlAttributes);
$isLoggedIn = auth()->check(); $isLoggedIn = auth()->check();
if ($isLoggedIn) { if ($isLoggedIn) {
throw new SamlException(trans('errors.saml_already_logged_in'), '/login'); throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
} else {
$user = $this->getOrRegisterUser($userDetails);
if ($user === null) {
throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['uid']]), '/login');
} else {
$groups = $this->getUserGroups($samlAttributes);
$this->syncWithGroups($user, $groups);
auth()->login($user);
}
} }
$user = $this->getOrRegisterUser($userDetails);
if ($user === null) {
throw new SamlException(trans('errors.saml_user_not_registered', ['name' => $userDetails['external_id']]), '/login');
}
if ($this->shouldSyncGroups()) {
$groups = $this->getUserGroups($samlAttributes);
$this->syncWithGroups($user, $groups);
}
auth()->login($user);
return $user; return $user;
} }
} }

7
app/Config/services.php
View File

@ -137,12 +137,11 @@ return [
'enabled' => env('SAML2_ENABLED', false), 'enabled' => env('SAML2_ENABLED', false),
'auto_register' => env('SAML_AUTO_REGISTER', false), 'auto_register' => env('SAML_AUTO_REGISTER', false),
'email_attribute' => env('SAML_EMAIL_ATTRIBUTE', 'email'), 'email_attribute' => env('SAML_EMAIL_ATTRIBUTE', 'email'),
'display_name_attribute' => explode('|', env('SAML_DISPLAY_NAME_ATTRIBUTE', 'username')), 'display_name_attributes' => explode('|', env('SAML_DISPLAY_NAME_ATTRIBUTES', 'username')),
'user_name_attribute' => env('SAML_USER_NAME_ATTRIBUTE', null), 'external_id_attribute' => env('SAML_EXTERNAL_ID_ATTRIBUTE', null),
'group_attribute' => env('SAML_GROUP_ATTRIBUTE', 'group'), 'group_attribute' => env('SAML_GROUP_ATTRIBUTE', 'group'),
'remove_from_groups' => env('SAML_REMOVE_FROM_GROUPS',false), 'remove_from_groups' => env('SAML_REMOVE_FROM_GROUPS', false),
'user_to_groups' => env('SAML_USER_TO_GROUPS', false), 'user_to_groups' => env('SAML_USER_TO_GROUPS', false),
'id_is_user_name' => env('SAML_ID_IS_USER_NAME', true),
] ]
]; ];

848
composer.lock generated
View File

File diff suppressed because it is too large Load Diff

1
resources/lang/en/errors.php
View File

@ -19,6 +19,7 @@ return [
'ldap_cannot_connect' => 'Cannot connect to ldap server, Initial connection failed', 'ldap_cannot_connect' => 'Cannot connect to ldap server, Initial connection failed',
'saml_already_logged_in' => 'Already logged in', 'saml_already_logged_in' => 'Already logged in',
'saml_user_not_registered' => 'The user :name is not registered and automatic registration is disabled', 'saml_user_not_registered' => 'The user :name is not registered and automatic registration is disabled',
'saml_no_email_address' => 'Could not find an email address, for this user, in the data provided by the external authentication system',
'social_no_action_defined' => 'No action defined', 'social_no_action_defined' => 'No action defined',
'social_login_bad_response' => "Error received during :socialAccount login: \n:error", 'social_login_bad_response' => "Error received during :socialAccount login: \n:error",
'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.', 'social_account_in_use' => 'This :socialAccount account is already in use, Try logging in via the :socialAccount option.',