mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-30 15:42:41 +01:00
Added SAML singleLogoutService capabilities
This commit is contained in:
parent
488325f459
commit
aef6eb81e4
@ -4,10 +4,12 @@ use BookStack\Auth\User;
|
||||
use BookStack\Auth\UserRepo;
|
||||
use BookStack\Exceptions\JsonDebugException;
|
||||
use BookStack\Exceptions\SamlException;
|
||||
use Exception;
|
||||
use Illuminate\Support\Str;
|
||||
use OneLogin\Saml2\Auth;
|
||||
use OneLogin\Saml2\Error;
|
||||
use OneLogin\Saml2\IdPMetadataParser;
|
||||
use OneLogin\Saml2\ValidationError;
|
||||
|
||||
/**
|
||||
* Class Saml2Service
|
||||
@ -33,7 +35,7 @@ class Saml2Service extends ExternalAuthService
|
||||
|
||||
/**
|
||||
* Initiate a login flow.
|
||||
* @throws \OneLogin\Saml2\Error
|
||||
* @throws Error
|
||||
*/
|
||||
public function login(): array
|
||||
{
|
||||
@ -45,25 +47,50 @@ class Saml2Service extends ExternalAuthService
|
||||
];
|
||||
}
|
||||
|
||||
/**
|
||||
* Initiate a logout flow.
|
||||
* @throws Error
|
||||
*/
|
||||
public function logout(): array
|
||||
{
|
||||
$toolKit = $this->getToolkit();
|
||||
$returnRoute = url('/');
|
||||
|
||||
try {
|
||||
$url = $toolKit->logout($returnRoute, [], null, null, true);
|
||||
$id = $toolKit->getLastRequestID();
|
||||
} catch (Error $error) {
|
||||
if ($error->getCode() !== Error::SAML_SINGLE_LOGOUT_NOT_SUPPORTED) {
|
||||
throw $error;
|
||||
}
|
||||
|
||||
$this->actionLogout();
|
||||
$url = '/';
|
||||
$id = null;
|
||||
}
|
||||
|
||||
return ['url' => $url, 'id' => $id];
|
||||
}
|
||||
|
||||
/**
|
||||
* Process the ACS response from the idp and return the
|
||||
* matching, or new if registration active, user matched to the idp.
|
||||
* Returns null if not authenticated.
|
||||
* @throws Error
|
||||
* @throws SamlException
|
||||
* @throws \OneLogin\Saml2\ValidationError
|
||||
* @throws ValidationError
|
||||
* @throws JsonDebugException
|
||||
*/
|
||||
public function processAcsResponse(?string $requestId): ?User
|
||||
{
|
||||
$toolkit = $this->getToolkit();
|
||||
$toolkit->processResponse($requestId);
|
||||
$errors = $toolkit->getErrors();
|
||||
|
||||
if (is_null($requestId)) {
|
||||
throw new SamlException(trans('errors.saml_invalid_response_id'));
|
||||
}
|
||||
|
||||
$toolkit = $this->getToolkit();
|
||||
$toolkit->processResponse($requestId);
|
||||
$errors = $toolkit->getErrors();
|
||||
|
||||
if (!empty($errors)) {
|
||||
throw new Error(
|
||||
'Invalid ACS Response: '.implode(', ', $errors)
|
||||
@ -80,6 +107,36 @@ class Saml2Service extends ExternalAuthService
|
||||
return $this->processLoginCallback($id, $attrs);
|
||||
}
|
||||
|
||||
/**
|
||||
* Process a response for the single logout service.
|
||||
* @throws Error
|
||||
*/
|
||||
public function processSlsResponse(?string $requestId): ?string
|
||||
{
|
||||
$toolkit = $this->getToolkit();
|
||||
$redirect = $toolkit->processSLO(true, $requestId, false, null, true);
|
||||
|
||||
$errors = $toolkit->getErrors();
|
||||
|
||||
if (!empty($errors)) {
|
||||
throw new Error(
|
||||
'Invalid SLS Response: '.implode(', ', $errors)
|
||||
);
|
||||
}
|
||||
|
||||
$this->actionLogout();
|
||||
return $redirect;
|
||||
}
|
||||
|
||||
/**
|
||||
* Do the required actions to log a user out.
|
||||
*/
|
||||
protected function actionLogout()
|
||||
{
|
||||
auth()->logout();
|
||||
session()->invalidate();
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the metadata for this service provider.
|
||||
* @throws Error
|
||||
@ -103,8 +160,8 @@ class Saml2Service extends ExternalAuthService
|
||||
|
||||
/**
|
||||
* Load the underlying Onelogin SAML2 toolkit.
|
||||
* @throws \OneLogin\Saml2\Error
|
||||
* @throws \Exception
|
||||
* @throws Error
|
||||
* @throws Exception
|
||||
*/
|
||||
protected function getToolkit(): Auth
|
||||
{
|
||||
|
@ -146,4 +146,23 @@ class LoginController extends Controller
|
||||
session()->put('social-callback', 'login');
|
||||
return $this->socialAuthService->startLogIn($socialDriver);
|
||||
}
|
||||
|
||||
/**
|
||||
* Log the user out of the application.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function logout(Request $request)
|
||||
{
|
||||
if (config('saml2.enabled') && session()->get('last_login_type') === 'saml2') {
|
||||
return redirect('/saml2/logout');
|
||||
}
|
||||
|
||||
$this->guard()->logout();
|
||||
|
||||
$request->session()->invalidate();
|
||||
|
||||
return $this->loggedOut($request) ?: redirect('/');
|
||||
}
|
||||
}
|
||||
|
@ -31,6 +31,20 @@ class Saml2Controller extends Controller
|
||||
return redirect($loginDetails['url']);
|
||||
}
|
||||
|
||||
/**
|
||||
* Start the logout flow via SAML2.
|
||||
*/
|
||||
public function logout()
|
||||
{
|
||||
$logoutDetails = $this->samlService->logout();
|
||||
|
||||
if ($logoutDetails['id']) {
|
||||
session()->flash('saml2_logout_request_id', $logoutDetails['id']);
|
||||
}
|
||||
|
||||
return redirect($logoutDetails['url']);
|
||||
}
|
||||
|
||||
/*
|
||||
* Get the metadata for this SAML2 service provider.
|
||||
*/
|
||||
@ -48,7 +62,9 @@ class Saml2Controller extends Controller
|
||||
*/
|
||||
public function sls()
|
||||
{
|
||||
// TODO
|
||||
$requestId = session()->pull('saml2_logout_request_id', null);
|
||||
$redirect = $this->samlService->processSlsResponse($requestId) ?? '/';
|
||||
return redirect($redirect);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -65,6 +81,7 @@ class Saml2Controller extends Controller
|
||||
return redirect('/login');
|
||||
}
|
||||
|
||||
session()->put('last_login_type', 'saml2');
|
||||
return redirect()->intended();
|
||||
}
|
||||
|
||||
|
@ -219,8 +219,7 @@ Route::post('/register', 'Auth\RegisterController@postRegister');
|
||||
// SAML routes
|
||||
// TODO - Prevent access without SAML2 enabled via middleware
|
||||
Route::get('/saml2/login', 'Auth\Saml2Controller@login');
|
||||
// TODO - Handle logout?
|
||||
// Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
|
||||
Route::get('/saml2/logout', 'Auth\Saml2Controller@logout');
|
||||
Route::get('/saml2/metadata', 'Auth\Saml2Controller@metadata');
|
||||
Route::get('/saml2/sls', 'Auth\Saml2Controller@sls');
|
||||
Route::post('/saml2/acs', 'Auth\Saml2Controller@acs');
|
||||
|
Loading…
Reference in New Issue
Block a user