code-monkeys
diff --git a/‎app/Auth/Access/Saml2Service.php‎
Lines changed: 128 additions & 4 deletions b/‎app/Auth/Access/Saml2Service.php‎
Lines changed: 128 additions & 4 deletions
diff --git a/‎app/Config/app.php‎
Lines changed: 0 additions & 1 deletion b/‎app/Config/app.php‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎app/Config/saml2.php‎
Lines changed: 145 additions & 0 deletions b/‎app/Config/saml2.php‎
Lines changed: 145 additions & 0 deletions
@@ -2,8 +2,11 @@
 
 use BookStack\Auth\User;
 use BookStack\Auth\UserRepo;
+use BookStack\Exceptions\JsonDebugException;
 use BookStack\Exceptions\SamlException;
 use Illuminate\Support\Str;
+use OneLogin\Saml2\Auth;
+use OneLogin\Saml2\Error;
 
 /**
  * Class Saml2Service
@@ -21,10 +24,119 @@ class Saml2Service extends ExternalAuthService
      */
     public function __construct(UserRepo $userRepo, User $user)
     {
-        $this->config = config('services.saml');
+        $this->config = config('saml2');
         $this->userRepo = $userRepo;
         $this->user = $user;
-        $this->enabled = config('saml2_settings.enabled') === true;
+        $this->enabled = config('saml2.enabled') === true;
+    }
+
+    /**
+     * Initiate a login flow.
+     * @throws \OneLogin\Saml2\Error
+     */
+    public function login(): array
+    {
+        $toolKit = $this->getToolkit();
+        $returnRoute = url('/saml2/acs');
+        return [
+            'url' => $toolKit->login($returnRoute, [], false, false, true),
+            'id' => $toolKit->getLastRequestID(),
+        ];
+    }
+
+    /**
+     * Process the ACS response from the idp and return the
+     * matching, or new if registration active, user matched to the idp.
+     * Returns null if not authenticated.
+     * @throws Error
+     * @throws SamlException
+     * @throws \OneLogin\Saml2\ValidationError
+     * @throws JsonDebugException
+     */
+    public function processAcsResponse(?string $requestId): ?User
+    {
+        $toolkit = $this->getToolkit();
+        $toolkit->processResponse($requestId);
+        $errors = $toolkit->getErrors();
+
+        if (is_null($requestId)) {
+            throw new SamlException(trans('errors.saml_invalid_response_id'));
+        }
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid ACS Response: '.implode(', ', $errors)
+            );
+        }
+
+        if (!$toolkit->isAuthenticated()) {
+            return null;
+        }
+
+        $attrs = $toolkit->getAttributes();
+        $id = $toolkit->getNameId();
+
+        return $this->processLoginCallback($id, $attrs);
+    }
+
+    /**
+     * Get the metadata for this service provider.
+     * @throws Error
+     */
+    public function metadata(): string
+    {
+        $toolKit = $this->getToolkit();
+        $settings = $toolKit->getSettings();
+        $metadata = $settings->getSPMetadata();
+        $errors = $settings->validateMetadata($metadata);
+
+        if (!empty($errors)) {
+            throw new Error(
+                'Invalid SP metadata: '.implode(', ', $errors),
+                Error::METADATA_SP_INVALID
+            );
+        }
+
+        return $metadata;
+    }
+
+    /**
+     * Load the underlying Onelogin SAML2 toolkit.
+     * @throws \OneLogin\Saml2\Error
+     */
+    protected function getToolkit(): Auth
+    {
+        $settings = $this->config['onelogin'];
+        $overrides = $this->config['onelogin_overrides'] ?? [];
+
+        if ($overrides && is_string($overrides)) {
+            $overrides = json_decode($overrides, true);
+        }
+
+        $spSettings = $this->loadOneloginServiceProviderDetails();
+        $settings = array_replace_recursive($settings, $spSettings, $overrides);
+        return new Auth($settings);
+    }
+
+    /**
+     * Load dynamic service provider options required by the onelogin toolkit.
+     */
+    protected function loadOneloginServiceProviderDetails(): array
+    {
+        $spDetails = [
+            'entityId' => url('/saml2/metadata'),
+            'assertionConsumerService' => [
+                'url' => url('/saml2/acs'),
+            ],
+            'singleLogoutService' => [
+                'url' => url('/saml2/sls')
+            ],
+        ];
+
+        return [
+            'baseurl' => url('/saml2'),
+            'sp' => $spDetails
+        ];
     }
 
     /**
@@ -155,7 +267,11 @@ protected function registerUser(array $userDetails): User
             'email_confirmed' => true,
         ];
 
-        // TODO - Handle duplicate email address scenario
+        $existingUser = $this->user->newQuery()->where('email', '=', $userDetails['email'])->first();
+        if ($existingUser) {
+            throw new SamlException(trans('errors.saml_email_exists', ['email' => $userDetails['email']]));
+        }
+
         $user = $this->user->forceCreate($userData);
         $this->userRepo->attachDefaultRole($user);
         $this->userRepo->downloadAndAssignUserAvatar($user);
@@ -167,7 +283,7 @@ protected function registerUser(array $userDetails): User
      */
     protected function getOrRegisterUser(array $userDetails): ?User
     {
-        $isRegisterEnabled = config('services.saml.auto_register') === true;
+        $isRegisterEnabled = $this->config['auto_register'] === true;
         $user = $this->user
           ->where('external_auth_id', $userDetails['external_id'])
           ->first();
@@ -183,12 +299,20 @@ protected function getOrRegisterUser(array $userDetails): ?User
      * Process the SAML response for a user. Login the user when
      * they exist, optionally registering them automatically.
      * @throws SamlException
+     * @throws JsonDebugException
      */
     public function processLoginCallback(string $samlID, array $samlAttributes): User
     {
         $userDetails = $this->getUserDetails($samlID, $samlAttributes);
         $isLoggedIn = auth()->check();
 
+        if ($this->config['dump_user_details']) {
+            throw new JsonDebugException([
+                'attrs_from_idp' => $samlAttributes,
+                'attrs_after_parsing' => $userDetails,
+            ]);
+        }
+
         if ($isLoggedIn) {
             throw new SamlException(trans('errors.saml_already_logged_in'), '/login');
         }
 
@@ -105,7 +105,6 @@
         Intervention\Image\ImageServiceProvider::class,
         Barryvdh\DomPDF\ServiceProvider::class,
         Barryvdh\Snappy\ServiceProvider::class,
-        Aacotroneo\Saml2\Saml2ServiceProvider::class,
 
         // BookStack replacement service providers (Extends Laravel)
         BookStack\Providers\PaginationServiceProvider::class,
 
@@ -0,0 +1,145 @@
+<?php
+
+return [
+
+    // Display name, shown to users, for SAML2 option
+    'name' => env('SAML2_NAME', 'SSO'),
+    // Toggle whether the SAML2 option is active
+    'enabled' => env('SAML2_ENABLED', false),
+    // Enable registration via SAML2 authentication
+    'auto_register' => env('SAML2_AUTO_REGISTER', true),
+
+    // Dump user details after a login request for debugging purposes
+    'dump_user_details' => env('SAML2_DUMP_USER_DETAILS', false),
+
+    // Attribute, within a SAML response, to find the user's email address
+    'email_attribute' => env('SAML2_EMAIL_ATTRIBUTE', 'email'),
+    // Attribute, within a SAML response, to find the user's display name
+    'display_name_attributes' => explode('|', env('SAML2_DISPLAY_NAME_ATTRIBUTES', 'username')),
+    // Attribute, within a SAML response, to use to connect a BookStack user to the SAML user.
+    'external_id_attribute' => env('SAML2_EXTERNAL_ID_ATTRIBUTE', null),
+
+    // Group sync options
+    // Enable syncing, upon login, of SAML2 groups to BookStack groups
+    'user_to_groups' => env('SAML2_USER_TO_GROUPS', false),
+    // Attribute, within a SAML response, to find group names on
+    'group_attribute' => env('SAML2_GROUP_ATTRIBUTE', 'group'),
+    // When syncing groups, remove any groups that no longer match. Otherwise sync only adds new groups.
+    'remove_from_groups' => env('SAML2_REMOVE_FROM_GROUPS', false),
+
+    // Overrides, in JSON format, to the configuration passed to underlying onelogin library.
+    'onelogin_overrides' => env('SAML2_ONELOGIN_OVERRIDES', null),
+
+
+    'onelogin' => [
+        // If 'strict' is True, then the PHP Toolkit will reject unsigned
+        // or unencrypted messages if it expects them signed or encrypted
+        // Also will reject the messages if not strictly follow the SAML
+        // standard: Destination, NameId, Conditions ... are validated too.
+        'strict' => true,
+
+        // Enable debug mode (to print errors)
+        'debug' => env('APP_DEBUG', false),
+
+        // Set a BaseURL to be used instead of try to guess
+        // the BaseURL of the view that process the SAML Message.
+        // Ex. http://sp.example.com/
+        //     http://example.com/sp/
+        'baseurl' => null,
+
+        // Service Provider Data that we are deploying
+        'sp' => [
+            // Identifier of the SP entity  (must be a URI)
+            'entityId' => '',
+
+            // Specifies info about where and how the <AuthnResponse> message MUST be
+            // returned to the requester, in this case our SP.
+            'assertionConsumerService' => [
+                // URL Location where the <Response> from the IdP will be returned
+                'url' => '',
+                // SAML protocol binding to be used when returning the <Response>
+                // message.  Onelogin Toolkit supports for this endpoint the
+                // HTTP-POST binding only
+                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST',
+            ],
+
+            // Specifies info about where and how the <Logout Response> message MUST be
+            // returned to the requester, in this case our SP.
+            'singleLogoutService' => [
+                // URL Location where the <Response> from the IdP will be returned
+                'url' => '',
+                // SAML protocol binding to be used when returning the <Response>
+                // message.  Onelogin Toolkit supports for this endpoint the
+                // HTTP-Redirect binding only
+                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            ],
+
+            // Specifies constraints on the name identifier to be used to
+            // represent the requested subject.
+            // Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
+            'NameIDFormat' => 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
+            // Usually x509cert and privateKey of the SP are provided by files placed at
+            // the certs folder. But we can also provide them with the following parameters
+            'x509cert' => '',
+            'privateKey' => '',
+        ],
+        // Identity Provider Data that we want connect with our SP
+        'idp' => [
+            // Identifier of the IdP entity  (must be a URI)
+            'entityId' => env('SAML2_IDP_ENTITYID', null),
+            // SSO endpoint info of the IdP. (Authentication Request protocol)
+            'singleSignOnService' => [
+                // URL Target of the IdP where the SP will send the Authentication Request Message
+                'url' => env('SAML2_IDP_SSO', null),
+                // SAML protocol binding to be used when returning the <Response>
+                // message.  Onelogin Toolkit supports for this endpoint the
+                // HTTP-Redirect binding only
+                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            ],
+            // SLO endpoint info of the IdP.
+            'singleLogoutService' => [
+                // URL Location of the IdP where the SP will send the SLO Request
+                'url' => env('SAML2_IDP_SLO', null),
+                // URL location of the IdP where the SP will send the SLO Response (ResponseLocation)
+                // if not set, url for the SLO Request will be used
+                'responseUrl' => '',
+                // SAML protocol binding to be used when returning the <Response>
+                // message.  Onelogin Toolkit supports for this endpoint the
+                // HTTP-Redirect binding only
+                'binding' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
+            ],
+            // Public x509 certificate of the IdP
+            'x509cert' => env('SAML2_IDP_x509', null),
+            /*
+             *  Instead of use the whole x509cert you can use a fingerprint in
+             *  order to validate the SAMLResponse, but we don't recommend to use
+             *  that method on production since is exploitable by a collision
+             *  attack.
+             *  (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
+             *   or add for example the -sha256 , -sha384 or -sha512 parameter)
+             *
+             *  If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
+             *  let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
+             *  'sha1' is the default value.
+             */
+            // 'certFingerprint' => '',
+            // 'certFingerprintAlgorithm' => 'sha1',
+            /* In some scenarios the IdP uses different certificates for
+             * signing/encryption, or is under key rollover phase and more
+             * than one certificate is published on IdP metadata.
+             * In order to handle that the toolkit offers that parameter.
+             * (when used, 'x509cert' and 'certFingerprint' values are
+             * ignored).
+             */
+            // 'x509certMulti' => array(
+            //      'signing' => array(
+            //          0 => '<cert1-string>',
+            //      ),
+            //      'encryption' => array(
+            //          0 => '<cert2-string>',
+            //      )
+            // ),
+        ],
+    ],
+
+];