Infra-Mirrors/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-01 01:36:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Reviewed SAML SLS changes for ADFS, #2902

Browse Source 
- Migrated env usages to config.
- Removed potentially unneeded config options or auto-set signed options
  based upon provision of certificate.
- Aligned SP certificate env option naming with similar IDP option.

Tested via AFDS on windows server 2019. To test on other providers.
This commit is contained in:
Dan Brown 2021-10-23 17:26:01 +01:00
parent 2e9ac21b38
commit 98072ba4a9
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
4 changed files with 28 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.env.example.complete
View File

@ -232,11 +232,8 @@ SAML2_ONELOGIN_OVERRIDES=null
SAML2_DUMP_USER_DETAILS=false SAML2_DUMP_USER_DETAILS=false
SAML2_AUTOLOAD_METADATA=false SAML2_AUTOLOAD_METADATA=false
SAML2_IDP_AUTHNCONTEXT=true SAML2_IDP_AUTHNCONTEXT=true
SAML2_SP_CERTIFICATE=null SAML2_SP_x509=null
SAML2_SP_PRIVATEKEY=null SAML2_SP_x509_KEY=null
SAML2_SP_NAME_ID_Format=null
SAML2_SP_NAME_ID_SP_NAME_QUALIFIER=null
SAML2_RETRIEVE_PARAMETERS_FROM_SERVER=false
# SAML group sync configuration # SAML group sync configuration
# Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/ # Refer to https://www.bookstackapp.com/docs/admin/saml2-auth/

25
app/Auth/Access/Saml2Service.php
View File

@ -9,6 +9,7 @@ use BookStack\Exceptions\StoppedAuthenticationException;
use BookStack\Exceptions\UserRegistrationException; use BookStack\Exceptions\UserRegistrationException;
use Exception; use Exception;
use OneLogin\Saml2\Auth; use OneLogin\Saml2\Auth;
use OneLogin\Saml2\Constants;
use OneLogin\Saml2\Error; use OneLogin\Saml2\Error;
use OneLogin\Saml2\IdPMetadataParser; use OneLogin\Saml2\IdPMetadataParser;
use OneLogin\Saml2\ValidationError; use OneLogin\Saml2\ValidationError;
@ -59,17 +60,20 @@ class Saml2Service
* *
* @throws Error * @throws Error
*/ */
public function logout(): array public function logout(User $user): array
{ {
$toolKit = $this->getToolkit(); $toolKit = $this->getToolkit();
$returnRoute = url('/'); $returnRoute = url('/');
try { try {
$email = auth()->user()['email']; $url = $toolKit->logout(
$nameIdFormat = env('SAML2_SP_NAME_ID_Format', null); $returnRoute,
$nameIdSPNameQualifier = env('SAML2_SP_NAME_ID_SP_NAME_QUALIFIER', null); [],
$user->email,
$url = $toolKit->logout($returnRoute, [], $email, null, true, $nameIdFormat, null, $nameIdSPNameQualifier); null,
true,
Constants::NAMEID_EMAIL_ADDRESS
);
$id = $toolKit->getLastRequestID(); $id = $toolKit->getLastRequestID();
} catch (Error $error) { } catch (Error $error) {
if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) { if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
@ -128,10 +132,13 @@ class Saml2Service
public function processSlsResponse(?string $requestId): ?string public function processSlsResponse(?string $requestId): ?string
{ {
$toolkit = $this->getToolkit(); $toolkit = $this->getToolkit();
$retrieveParametersFromServer = env('SAML2_RETRIEVE_PARAMETERS_FROM_SERVER', false);
$redirect = $toolkit->processSLO(true, $requestId, $retrieveParametersFromServer, null, true);
// The $retrieveParametersFromServer in the call below will mean the library will take the query
// parameters, used for the response signing, from the raw $_SERVER['QUERY_STRING']
// value so that the exact encoding format is matched when checking the signature.
// This is primarily due to ADFS encoding query params with lowercase percent encoding while
// PHP (And most other sensible providers) standardise on uppercase.
$redirect = $toolkit->processSLO(true, $requestId, true, null, true);
$errors = $toolkit->getErrors(); $errors = $toolkit->getErrors();
if (!empty($errors)) { if (!empty($errors)) {

14
app/Config/saml2.php
View File

@ -1,6 +1,7 @@
<?php <?php
$SAML2_IDP_AUTHNCONTEXT = env('SAML2_IDP_AUTHNCONTEXT', true); $SAML2_IDP_AUTHNCONTEXT = env('SAML2_IDP_AUTHNCONTEXT', true);
$SAML2_SP_x509 = env('SAML2_SP_x509', false);
return [ return [
@ -78,10 +79,11 @@ return [
// represent the requested subject. // represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress', 'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
// Usually x509cert and privateKey of the SP are provided by files placed at // Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters // the certs folder. But we can also provide them with the following parameters
'x509cert' => env('SAML2_SP_CERTIFICATE', ''), 'x509cert' => $SAML2_SP_x509 ?: '',
'privateKey' => env('SAML2_SP_PRIVATEKEY', ''), 'privateKey' => env('SAML2_SP_x509_KEY', ''),
], ],
// Identity Provider Data that we want connect with our SP // Identity Provider Data that we want connect with our SP
'idp' => [ 'idp' => [
@ -147,9 +149,11 @@ return [
// Multiple forced values can be passed via a space separated array, For example: // Multiple forced values can be passed via a space separated array, For example:
// SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" // SAML2_IDP_AUTHNCONTEXT="urn:federation:authentication:windows urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT, 'requestedAuthnContext' => is_string($SAML2_IDP_AUTHNCONTEXT) ? explode(' ', $SAML2_IDP_AUTHNCONTEXT) : $SAML2_IDP_AUTHNCONTEXT,
'logoutRequestSigned' => env('SAML2_LOGOUT_REQUEST_SIGNED', false), // Sign requests and responses if a certificate is in use
'logoutResponseSigned' => env('SAML2_LOGOUT_RESPONSE_SIGNED', false), 'logoutRequestSigned' => (bool) $SAML2_SP_x509,
'lowercaseUrlencoding' => env('SAML2_LOWERCASE_URLENCODING', false), 'logoutResponseSigned' => (bool) $SAML2_SP_x509,
'authnRequestsSigned' => (bool) $SAML2_SP_x509,
'lowercaseUrlencoding' => false,
], ],
], ],

2
app/Http/Controllers/Auth/Saml2Controller.php
View File

@ -37,7 +37,7 @@ class Saml2Controller extends Controller
*/ */
public function logout() public function logout()
{ {
$logoutDetails = $this->samlService->logout(); $logoutDetails = $this->samlService->logout(auth()->user());
if ($logoutDetails['id']) { if ($logoutDetails['id']) {
session()->flash('saml2_logout_request_id', $logoutDetails['id']); session()->flash('saml2_logout_request_id', $logoutDetails['id']);