~fkooman/vpn-user-portal

ref: 2.3.10 vpn-user-portal/src/PhpSamlSpAuthentication.php -rw-r--r-- 4.6 KiB
e0bd9cc0François Kooman prepare for release 1 year, 19 days ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
<?php

/*
 * eduVPN - End-user friendly VPN.
 *
 * Copyright: 2016-2019, The Commons Conservancy eduVPN Programme
 * SPDX-License-Identifier: AGPL-3.0+
 */

namespace LC\Portal;

use DateTime;
use fkooman\SAML\SP\Api\AuthOptions;
use fkooman\SAML\SP\Api\SamlAuth;
use LC\Common\Config;
use LC\Common\Http\BeforeHookInterface;
use LC\Common\Http\Exception\HttpException;
use LC\Common\Http\RedirectResponse;
use LC\Common\Http\Request;
use LC\Common\Http\Service;
use LC\Common\Http\UserInfo;

class PhpSamlSpAuthentication implements BeforeHookInterface
{
    /** @var \LC\Common\Config */
    private $config;

    /** @var \fkooman\SAML\SP\Api\SamlAuth */
    private $samlAuth;

    /** @var \DateTime */
    private $dateTime;

    public function __construct(Config $config)
    {
        $this->config = $config;
        $this->samlAuth = new SamlAuth();
        $this->dateTime = new DateTime();
    }

    /**
     * @return false|\LC\Common\Http\RedirectResponse|\LC\Common\Http\UserInfo
     */
    public function executeBefore(Request $request, array $hookData)
    {
        $whiteList = [
            'POST' => [
                '/_logout',
            ],
        ];
        if (Service::isWhitelisted($request, $whiteList)) {
            return false;
        }

        $authOptions = new AuthOptions();
        if (null !== $authnContext = $this->config->optionalArray('authnContext')) {
            $authOptions->withAuthnContextClassRef($authnContext);
        }
        if (!$this->samlAuth->isAuthenticated($authOptions)) {
            return new RedirectResponse($this->samlAuth->getLoginURL($authOptions));
        }

        // user is authenticated, get the assertion, make sure the authOptions,
        // i.e. the AuthnContextClassRef are verified here...
        $samlAssertion = $this->samlAuth->getAssertion($authOptions);
        $samlAttributes = $samlAssertion->getAttributes();
        $userIdAttribute = $this->config->requireString('userIdAttribute');
        if (!\array_key_exists($userIdAttribute, $samlAttributes)) {
            throw new HttpException(sprintf('missing SAML user_id attribute "%s"', $userIdAttribute), 500);
        }
        $userId = $samlAttributes[$userIdAttribute][0];
        $userAuthnContext = $samlAssertion->getAuthnContext();
        if (0 !== \count($this->getPermissionAttributeList())) {
            $userPermissions = $this->getPermissionList($samlAttributes);
            $permissionAuthnContext = $this->config->requireArray('permissionAuthnContext', []);
            // if we got a permission that's part of the
            // permissionAuthnContext we have to make sure we have one of
            // the listed AuthnContexts
            foreach ($permissionAuthnContext as $permission => $authnContext) {
                if (\in_array($permission, $userPermissions, true)) {
                    if (!\in_array($userAuthnContext, $authnContext, true)) {
                        // we need another AuthnContextClassRef, but we DO want
                        // to use the same IdP as before to skip the WAYF
                        // (if any)
                        return new RedirectResponse(
                            $this->samlAuth->getLoginURL(
                                $authOptions->withAuthnContextClassRef($authnContext)->withIdp($samlAssertion->getIssuer())
                            )
                        );
                    }
                }
            }
        }

        $userInfo = new UserInfo(
            $userId,
            $this->getPermissionList($samlAttributes)
        );

        return $userInfo;
    }

    /**
     * @param array<string,array<string>> $samlAttributes
     *
     * @return array<string>
     */
    private function getPermissionList(array $samlAttributes)
    {
        $permissionList = [];
        foreach ($this->getPermissionAttributeList() as $permissionAttribute) {
            if (\array_key_exists($permissionAttribute, $samlAttributes)) {
                $permissionList = array_merge($permissionList, $samlAttributes[$permissionAttribute]);
            }
        }

        return $permissionList;
    }

    /**
     * @return array<string>
     */
    private function getPermissionAttributeList()
    {
        /** @var array<string>|string|null */
        $permissionAttributeList = $this->config->optionalItem('permissionAttribute');
        if (\is_string($permissionAttributeList)) {
            $permissionAttributeList = [$permissionAttributeList];
        }
        if (null === $permissionAttributeList) {
            $permissionAttributeList = [];
        }

        return $permissionAttributeList;
    }
}