Commit Graph

146 Commits

Author SHA1 Message Date
Dan Brown
8c738aedee
Added sessionindex to SAML2 single logout request to idp
related to  #3936
2023-04-28 13:55:25 +01:00
Dan Brown
f64ce71afc
Added oidc_id_token_pre_validate logical theme event
For #4200
2023-04-27 23:40:14 +01:00
Dan Brown
4835a0dcb1
Cleaned up old token services 2023-04-04 10:44:38 +01:00
Dan Brown
811be3a36a
Added option to change the OIDC claim regarded as the ID
Defined via a OIDC_EXTERNAL_ID_CLAIM env option.
For #3914
2023-01-26 16:43:15 +00:00
Dan Brown
e20c944350
Fixed OIDC handling when no JWKS 'use' prop exists
Now assume, based on OIDC discovery spec, that keys without 'use' are
'sig' keys. Should not affect existing use-cases since existance of such
keys would have throw exceptions in prev. versions of bookstack.

For #3869
2022-11-23 11:50:59 +00:00
Dan Brown
f0ac454be1
Prevented saml2 autodiscovery on metadata load
Fixes issue where metadata cannot be viewed if autload is active and
entityid url is not active.
For #2480
2022-10-16 09:50:08 +01:00
Dan Brown
f4388d5e4a
Removed usage of laravel/ui dependency
Brings app auth controller handling aligned within the app, rather than
having many overrides of the framwork packages causing confusion and
messiness over time.
2022-09-22 16:54:27 +01:00
Dan Brown
dce6a82954
Added reason, if existing, into SAML acs error
Closes #3731
2022-09-20 12:52:44 +01:00
Dan Brown
8a749c6acf
Added and ran PHPCS 2022-09-18 01:25:20 +01:00
Dan Brown
24f82749ff
Updated OIDC group attr option name
To match the existing option name for display names.
Closes #3704
2022-09-06 16:33:17 +01:00
Dan Brown
1cc7c649dc
Applied StyleCi changes, updated php deps 2022-08-29 17:46:41 +01:00
Dan Brown
b987bea37a
Added OIDC group sync functionality
Is generally aligned with out SAML2 group sync functionality, but for
OIDC based upon feedback in #3004.
Neeeded the tangental addition of being able to define custom scopes on
the initial auth request as some systems use this to provide additional
id token claims such as groups.

Includes tests to cover.
Tested live using Okta.
2022-08-02 16:56:56 +01:00
Dan Brown
0bcd1795cb
Auth group sync: Fixed unintential mapping behaviour change
Due to change in how casing was handled when used in the "External Auth
ID" role field.
Likely related to #3535.
Added test to cover.
2022-06-27 14:18:46 +01:00
Dan Brown
d795af04df
Added ability to escape role "External Auth ID" commas
- Using a backslash in this field before a comma.
- Could potentially (Although unlikely) be a breaking change.

For #3405
2022-05-04 21:03:13 +01:00
Dan Brown
2325a307a5
Applied latest styleCI changes 2022-03-25 11:14:27 +00:00
Dan Brown
8594f42584
Added LDAP group debugging env option
Closes #3345
2022-03-23 16:34:23 +00:00
Dan Brown
83082c32ef
Applied latest StyleCI changes 2022-02-24 15:04:09 +00:00
Dan Brown
ce566bea2a
Updated OIDC error handling for better error reporting
Fixes issue where certain errors would not show to the user
due to extra navigation jumps which lost the error message
in the process.
This simplifies and aligns exceptions with more directly
handled exception usage at the controller level.

Fixes #3264
2022-02-24 14:16:09 +00:00
Dan Brown
eb653bda16
Added user-create API endpoint
- Required extracting logic into repo.
- Changed some existing creation paths to standardise behaviour.
- Added test to cover new endpoint.
- Added extra test for user delete to test migration.
- Changed how permission errors are thrown to ensure the right status
  code can be reported when handled in API.
2022-02-04 00:26:19 +00:00
StyleCI Bot
4a1d060eb9 Apply fixes from StyleCI 2022-01-30 16:44:51 +00:00
Dan Brown
73eac83afe
Fixed OIDC JWT key parsing in microsoft environments
Made existence of 'alg' optional when JWK array set so we instead infer
it as RSA256 if not existing.

Fixes #3206
2022-01-28 14:00:55 +00:00
Dan Brown
024924eef3
Applied another round of static analysis updates 2021-11-22 23:33:55 +00:00
Dan Brown
1bf59f434b
Tweaked custom command registration, Added StyleCI fixes
Old command registration method was interfering with default commands,
causing only a limited subset of commands to show overall.
This change follows the method the frameworks uses when loading in from a
directory to prevent issues with run/load order.
2021-11-22 22:22:31 +00:00
Dan Brown
876bc10d4d
Applied another set of static analysis improvements 2021-11-20 14:03:56 +00:00
Dan Brown
f910738a80
Changed logout routes to POST instead of GET
As per #3047.

Also made some SAML specific fixes:
- IDP initiated login was broken due to forced default session value.
  Double checked against OneLogin lib docs that this reverted logic was fine.
- Changed how the saml login flow works to use 'withoutMiddleware' on
  the route instead of hacking out the session driver. This was due to
  the array driver (previously used for the hack) no longer being
  considered non-persistent.
2021-11-14 21:13:24 +00:00
Dan Brown
f2b1d2e1e7
Applied latest StyleCI changes 2021-11-06 22:00:33 +00:00
Dan Brown
8d7c8ac8bf
Done a round of phpstan fixes 2021-11-06 00:32:01 +00:00
Dan Brown
5c834f24a6
Updated AzureAD provider to use microsoft graph
Since AzureAD graph is going away.
Tested using old AzureAD graph usage for backwards-compatbility, did not
seem to break things. Could not test with conditional access though due
to azure never enforcing it no matter what I attempted.

Fpr #3028
2021-10-31 13:09:30 +00:00
Dan Brown
98072ba4a9
Reviewed SAML SLS changes for ADFS, #2902
- Migrated env usages to config.
- Removed potentially unneeded config options or auto-set signed options
  based upon provision of certificate.
- Aligned SP certificate env option naming with similar IDP option.

Tested via AFDS on windows server 2019. To test on other providers.
2021-10-23 17:26:01 +01:00
Dan Brown
2e9ac21b38
Merge branch 'master' of https://github.com/theodor-franke/BookStack into theodor-franke-master 2021-10-21 14:04:23 +01:00
Dan Brown
cdef1b3ab0
Updated SAML ACS post to retain user session
Session was being lost due to the callback POST request cookies
not being provided due to samesite=lax. This instead adds an additional
hop in the flow to route the request via a GET request so the session is
retained. SAML POST data is stored encrypted in cache via a unique ID
then pulled out straight afterwards, and restored into POST for the SAML
toolkit to validate.

Updated testing to cover.
2021-10-20 13:34:00 +01:00
Dan Brown
6e325de226
Applied latest styles changes from style CI 2021-10-16 16:01:59 +01:00
Dan Brown
263384cf99
Merge branch 'oidc' 2021-10-16 15:51:13 +01:00
Dan Brown
c9c0e5e16f
Fixed guest user email showing in TOTP setup url
- Occured during enforced MFA setup upon login.
- Added test to cover.

Fixes #2971
2021-10-14 18:02:16 +01:00
Dan Brown
855409bc4f
Fixed lack of oidc discovery filtering during testing
Tested oidc system on okta, Keycloak & Auth0
2021-10-14 13:37:55 +01:00
Dan Brown
a5d72aa458
Fleshed out testing for OIDC system 2021-10-13 16:51:27 +01:00
Dan Brown
c167f40af3
Renamed OIDC files to all be aligned 2021-10-12 23:04:28 +01:00
Dan Brown
06a0d829c8
Added OIDC basic autodiscovery support 2021-10-12 23:00:52 +01:00
Dan Brown
790723dfc5
Added further OIDC core class testing 2021-10-12 16:48:54 +01:00
Dan Brown
f3d54e4a2d
Added positive test case for OIDC implementation
- To continue coverage and spec cases next.
2021-10-12 00:01:51 +01:00
Dan Brown
6b182a435a
Got OIDC custom solution to a functional state
- Validation of all key/token elements now in place.
- Signing key system updated to work with jwk-style array or with
  file:// path to pem key.
2021-10-11 23:00:45 +01:00
Dan Brown
8c01c55684
Added token and key handling elements for oidc jwt
- Got basic signing support and structure checking done.
- Need to run through actual claim checking before providing details
  back to app.
2021-10-11 19:05:16 +01:00
Dan Brown
8ce696dff6
Started on a custom oidc oauth provider 2021-10-10 19:14:08 +01:00
Dan Brown
41438adbd1
Continued review of #2169
- Removed uneeded custom refresh or logout actions for OIDC.
- Restructured how the services and guards are setup for external auth
  systems. SAML2 and OIDC now directly share a lot more logic.
- Renamed any OpenId references to OIDC or OpenIdConnect
- Removed non-required CSRF excemption for OIDC

Not tested, Come to roadblock due to lack of PHP8 support in upstream
dependancies. Certificate was deemed to be non-valid on every test
attempt due to changes in PHP8.
2021-10-06 23:05:26 +01:00
Dan Brown
2ec0aa85ca
Started refactor for merge of OIDC
- Made oidc config more generic to not be overly reliant on the library
  based upon learnings from saml2 auth.
- Removed any settings that are redundant or not deemed required for
  initial implementation.
- Reduced some methods down where not needed.
- Renamed OpenID to OIDC
- Updated .env.example.complete to align with all options and their
  defaults

Related to #2169
2021-10-06 17:12:01 +01:00
Dan Brown
193d7fb3fe
Merge branch 'openid' of https://github.com/jasperweyne/BookStack into jasperweyne-openid 2021-10-06 13:18:21 +01:00
Dan Brown
8a7408bd31
Fixed social auth login audit log messages
Was logging the whole social account instance instead of just the
method.
Updated tests to cover.

Fixes #2930
2021-09-15 20:55:10 +01:00
Dan Brown
8565187138
Added border to generated TOTP QR code
To fix QR code not being scannable when in dark mode due to
lack of border matching background of QR code.

Fixes #2925
2021-09-13 14:23:54 +01:00
Dan Brown
a641b4da2c
Swapped injected db instance with facade
Injected db instance was causing the DB connection to be
made a lot earlier than desired or required.
Swapped to a facade for now but ideally this extension of services needs
to be cleaned up with a better approach in general.
2021-08-31 21:50:23 +01:00
Franke
234dd26d22 Fixes for CodeStyle 2021-08-30 14:43:35 +02:00