github-mirror/BookStack
github-mirror/BookStack
2
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-04-02 21:59:06 +08:00
Code Issues Actions4 Packages Projects Releases Wiki Activity

Initial work on SAML integration

Browse Source
This commit is contained in:
Daniel Seiler 2019-08-05 20:06:39 +02:00
parent 0b1ece664d
commit 3c41b15be6
6 changed files with 400 additions and 5 deletions

1
app/Config/app.php

@ -106,6 +106,7 @@ return [
Intervention\Image\ImageServiceProvider::class,
Barryvdh\DomPDF\ServiceProvider::class,
Barryvdh\Snappy\ServiceProvider::class,
Aacotroneo\Saml2\Saml2ServiceProvider::class,
// BookStack replacement service providers (Extends Laravel)

230
app/Config/saml2_settings.php Normal file

@ -0,0 +1,230 @@
<?php
//This is variable is an example - Just make sure that the urls in the 'idp' config are ok.
$idp_host = env('SAML2_IDP_HOST', 'http://localhost:8000/simplesaml');
return $settings = array(
/**
* Whether the SAML login is enabled
*/
'enabled' => env("SAML2_ENABLED", false),
/**
* If 'useRoutes' is set to true, the package defines five new routes:
*
* Method | URI | Name
* -------|--------------------------|------------------
* POST | {routesPrefix}/acs | saml_acs
* GET | {routesPrefix}/login | saml_login
* GET | {routesPrefix}/logout | saml_logout
* GET | {routesPrefix}/metadata | saml_metadata
* GET | {routesPrefix}/sls | saml_sls
*/
'useRoutes' => true,
'routesPrefix' => '/saml2',
/**
* which middleware group to use for the saml routes
* Laravel 5.2 will need a group which includes StartSession
*/
'routesMiddleware' => [],
/**
* Indicates how the parameters will be
* retrieved from the sls request for signature validation
*/
'retrieveParametersFromServer' => false,
/**
* Where to redirect after logout
*/
'logoutRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'loginRoute' => '/',
/**
* Where to redirect after login if no other option was provided
*/
'errorRoute' => '/',
/*****
* One Login Settings
*/
// If 'strict' is True, then the PHP Toolkit will reject unsigned
// or unencrypted messages if it expects them signed or encrypted
// Also will reject the messages if not strictly follow the SAML
// standard: Destination, NameId, Conditions ... are validated too.
'strict' => true, //@todo: make this depend on laravel config
// Enable debug mode (to print errors)
'debug' => env('APP_DEBUG', false),
// If 'proxyVars' is True, then the Saml lib will trust proxy headers
// e.g X-Forwarded-Proto / HTTP_X_FORWARDED_PROTO. This is useful if
// your application is running behind a load balancer which terminates
// SSL.
'proxyVars' => false,
// Service Provider Data that we are deploying
'sp' => array(
// Specifies constraints on the name identifier to be used to
// represent the requested subject.
// Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
// Usually x509cert and privateKey of the SP are provided by files placed at
// the certs folder. But we can also provide them with the following parameters
'x509cert' => env('SAML2_SP_x509',''),
'privateKey' => env('SAML2_SP_PRIVATEKEY',''),
// Identifier (URI) of the SP entity.
// Leave blank to use the 'saml_metadata' route.
'entityId' => env('SAML2_SP_ENTITYID',''),
// Specifies info about where and how the <AuthnResponse> message MUST be
// returned to the requester, in this case our SP.
'assertionConsumerService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-POST binding.
// Leave blank to use the 'saml_acs' route
'url' => '',
),
// Specifies info about where and how the <Logout Response> message MUST be
// returned to the requester, in this case our SP.
// Remove this part to not include any URL Location in the metadata.
'singleLogoutService' => array(
// URL Location where the <Response> from the IdP will be returned,
// using HTTP-Redirect binding.
// Leave blank to use the 'saml_sls' route
'url' => '',
),
),
// Identity Provider Data that we want connect with our SP
'idp' => array(
// Identifier of the IdP entity (must be a URI)
'entityId' => env('SAML2_IDP_ENTITYID', $idp_host . '/saml2/idp/metadata.php'),
// SSO endpoint info of the IdP. (Authentication Request protocol)
'singleSignOnService' => array(
// URL Target of the IdP where the SP will send the Authentication Request Message,
// using HTTP-Redirect binding.
'url' => env('SAML2_IDP_SSO', $idp_host . '/saml2/idp/SSOService.php'),
),
// SLO endpoint info of the IdP.
'singleLogoutService' => array(
// URL Location of the IdP where the SP will send the SLO Request,
// using HTTP-Redirect binding.
'url' => env('SAML2_IDP_SLO', $idp_host . '/saml2/idp/SingleLogoutService.php'),
),
// Public x509 certificate of the IdP
'x509cert' => env('SAML2_IDP_x509', 'MIID/TCCAuWgAwIBAgIJAI4R3WyjjmB1MA0GCSqGSIb3DQEBCwUAMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjAeFw0xNDEyMDExNDM2MjVaFw0yNDExMzAxNDM2MjVaMIGUMQswCQYDVQQGEwJBUjEVMBMGA1UECAwMQnVlbm9zIEFpcmVzMRUwEwYDVQQHDAxCdWVub3MgQWlyZXMxDDAKBgNVBAoMA1NJVTERMA8GA1UECwwIU2lzdGVtYXMxFDASBgNVBAMMC09yZy5TaXUuQ29tMSAwHgYJKoZIhvcNAQkBFhFhZG1pbmlAc2l1LmVkdS5hcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbzW/EpEv+qqZzfT1Buwjg9nnNNVrxkCfuR9fQiQw2tSouS5X37W5h7RmchRt54wsm046PDKtbSz1NpZT2GkmHN37yALW2lY7MyVUC7itv9vDAUsFr0EfKIdCKgxCKjrzkZ5ImbNvjxf7eA77PPGJnQ/UwXY7W+cvLkirp0K5uWpDk+nac5W0JXOCFR1BpPUJRbz2jFIEHyChRt7nsJZH6ejzNqK9lABEC76htNy1Ll/D3tUoPaqo8VlKW3N3MZE0DB9O7g65DmZIIlFqkaMH3ALd8adodJtOvqfDU/A6SxuwMfwDYPjoucykGDu1etRZ7dF2gd+W+1Pn7yizPT1q8CAwEAAaNQME4wHQYDVR0OBBYEFPsn8tUHN8XXf23ig5Qro3beP8BuMB8GA1UdIwQYMBaAFPsn8tUHN8XXf23ig5Qro3beP8BuMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGu60odWFiK+DkQekozGnlpNBQz5lQ/bwmOWdktnQj6HYXu43e7sh9oZWArLYHEOyMUekKQAxOK51vbTHzzw66BZU91/nqvaOBfkJyZKGfluHbD0/hfOl/D5kONqI9kyTu4wkLQcYGyuIi75CJs15uA03FSuULQdY/Liv+czS/XYDyvtSLnu43VuAQWN321PQNhuGueIaLJANb2C5qq5ilTBUw6PxY9Z+vtMjAjTJGKEkE/tQs7CvzLPKXX3KTD9lIILmX5yUC3dLgjVKi1KGDqNApYGOMtjr5eoxPQrqDBmyx3flcy0dQTdLXud3UjWVW3N0PYgJtw5yBsS74QTGD4='),
/*
* Instead of use the whole x509cert you can use a fingerprint
* (openssl x509 -noout -fingerprint -in "idp.crt" to generate it)
*/
// 'certFingerprint' => '',
),
/***
*
* OneLogin advanced settings
*
*
*/
// Security settings
'security' => array(
/** signatures and encryptions offered */
// Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
// will be encrypted.
'nameIdEncrypted' => false,
// Indicates whether the <samlp:AuthnRequest> messages sent by this SP
// will be signed. [The Metadata of the SP will offer this info]
'authnRequestsSigned' => false,
// Indicates whether the <samlp:logoutRequest> messages sent by this SP
// will be signed.
'logoutRequestSigned' => false,
// Indicates whether the <samlp:logoutResponse> messages sent by this SP
// will be signed.
'logoutResponseSigned' => false,
/* Sign the Metadata
False || True (use sp certs) || array (
keyFileName => 'metadata.key',
certFileName => 'metadata.crt'
)
*/
'signMetadata' => false,
/** signatures and encryptions required **/
// Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
// <samlp:LogoutResponse> elements received by this SP to be signed.
'wantMessagesSigned' => false,
// Indicates a requirement for the <saml:Assertion> elements received by
// this SP to be signed. [The Metadata of the SP will offer this info]
'wantAssertionsSigned' => false,
// Indicates a requirement for the NameID received by
// this SP to be encrypted.
'wantNameIdEncrypted' => false,
// Authentication context.
// Set to false and no AuthContext will be sent in the AuthNRequest,
// Set true or don't present thi parameter and you will get an AuthContext 'exact' 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
// Set an array with the possible auth context values: array ('urn:oasis:names:tc:SAML:2.0:ac:classes:Password', 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'),
'requestedAuthnContext' => true,
),
// Contact information template, it is recommended to suply a technical and support contacts
'contactPerson' => array(
'technical' => array(
'givenName' => 'name',
'emailAddress' => 'no@reply.com'
),
'support' => array(
'givenName' => 'Support',
'emailAddress' => 'no@reply.com'
),
),
// Organization information template, the info in en_US lang is recomended, add more if required
'organization' => array(
'en-US' => array(
'name' => 'Name',
'displayname' => 'Display Name',
'url' => 'http://url'
),
),
/* Interoperable SAML 2.0 Web Browser SSO Profile [saml2int] http://saml2int.org/profile/current
'authnRequestsSigned' => false, // SP SHOULD NOT sign the <samlp:AuthnRequest>,
// MUST NOT assume that the IdP validates the sign
'wantAssertionsSigned' => true,
'wantAssertionsEncrypted' => true, // MUST be enabled if SSL/HTTPs is disabled
'wantNameIdEncrypted' => false,
*/
);

7
app/Http/Controllers/Auth/LoginController.php

@ -118,6 +118,7 @@ class LoginController extends Controller
{
$socialDrivers = $this->socialAuthService->getActiveDrivers();
$authMethod = config('auth.method');
$samlEnabled = config('saml2_settings.enabled') == true;
if ($request->has('email')) {
session()->flashInput([
@ -126,7 +127,11 @@ class LoginController extends Controller
]);
}
return view('auth.login', ['socialDrivers' => $socialDrivers, 'authMethod' => $authMethod]);
return view('auth.login', [
'socialDrivers' => $socialDrivers,
'authMethod' => $authMethod,
'samlEnabled' => $samlEnabled,
]);
}
/**

3
composer.json

@ -28,7 +28,8 @@
"socialiteproviders/gitlab": "^3.0",
"socialiteproviders/twitch": "^3.0",
"socialiteproviders/discord": "^2.0",
"doctrine/dbal": "^2.5"
"doctrine/dbal": "^2.5",
"aacotroneo/laravel-saml2": "^1.0"
},
"require-dev": {
"filp/whoops": "~2.0",

152
composer.lock generated

@ -1,11 +1,70 @@
{
"_readme": [
"This file locks the dependencies of your project to a known state",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically"
],
"content-hash": "0946a07729a7a1bfef9bac185a870afd",
"content-hash": "26a2c3ad0409c970f4f0c9b6dad49322",
"packages": [
{
"name": "aacotroneo/laravel-saml2",
"version": "1.0.0",
"source": {
"type": "git",
"url": "https://github.com/aacotroneo/laravel-saml2.git",
"reference": "5045701a07bcd7600a17c92971368669870f546a"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/aacotroneo/laravel-saml2/zipball/5045701a07bcd7600a17c92971368669870f546a",
"reference": "5045701a07bcd7600a17c92971368669870f546a",
"shasum": ""
},
"require": {
"ext-openssl": "*",
"illuminate/support": ">=5.0.0",
"onelogin/php-saml": "^3.0.0",
"php": ">=5.4.0"
},
"require-dev": {
"mockery/mockery": "0.9.*"
},
"type": "library",
"extra": {
"laravel": {
"providers": [
"Aacotroneo\\Saml2\\Saml2ServiceProvider"
],
"aliases": {
"Saml2": "Aacotroneo\\Saml2\\Facades\\Saml2Auth"
}
}
},
"autoload": {
"psr-0": {
"Aacotroneo\\Saml2\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "aacotroneo",
"email": "aacotroneo@gmail.com"
}
],
"description": "A Laravel package for Saml2 integration as a SP (service provider) based on OneLogin toolkit, which is much lightweight than simplesamlphp",
"homepage": "https://github.com/aacotroneo/laravel-saml2",
"keywords": [
"SAML2",
"laravel",
"onelogin",
"saml"
],
"time": "2018-11-08T14:03:58+00:00"
},
{
"name": "aws/aws-sdk-php",
"version": "3.86.2",
@ -1947,6 +2006,56 @@
],
"time": "2018-12-28T10:07:33+00:00"
},
{
"name": "onelogin/php-saml",
"version": "3.2.1",
"source": {
"type": "git",
"url": "https://github.com/onelogin/php-saml.git",
"reference": "845a6ce39e839ed9e687f80bffb02ffde16a70d0"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/onelogin/php-saml/zipball/845a6ce39e839ed9e687f80bffb02ffde16a70d0",
"reference": "845a6ce39e839ed9e687f80bffb02ffde16a70d0",
"shasum": ""
},
"require": {
"php": ">=5.4",
"robrichards/xmlseclibs": ">=3.0.3"
},
"require-dev": {
"pdepend/pdepend": "^2.5.0",
"php-coveralls/php-coveralls": "^1.0.2 || ^2.0",
"phploc/phploc": "^2.1 || ^3.0 || ^4.0",
"phpunit/phpunit": "^4.8.35 || ^5.7 || ^6.5 || ^7.1",
"sebastian/phpcpd": "^2.0 || ^3.0 || ^4.0",
"squizlabs/php_codesniffer": "^3.1.1"
},
"suggest": {
"ext-curl": "Install curl lib to be able to use the IdPMetadataParser for parsing remote XMLs",
"ext-gettext": "Install gettext and php5-gettext libs to handle translations",
"ext-openssl": "Install openssl lib in order to handle with x509 certs (require to support sign and encryption)"
},
"type": "library",
"autoload": {
"psr-4": {
"OneLogin\\": "src/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"description": "OneLogin PHP SAML Toolkit",
"homepage": "https://developers.onelogin.com/saml/php",
"keywords": [
"SAML2",
"onelogin",
"saml"
],
"time": "2019-06-25T10:28:20+00:00"
},
{
"name": "paragonie/random_compat",
"version": "v9.99.99",
@ -2435,6 +2544,44 @@
],
"time": "2018-07-19T23:38:55+00:00"
},
{
"name": "robrichards/xmlseclibs",
"version": "3.0.3",
"source": {
"type": "git",
"url": "https://github.com/robrichards/xmlseclibs.git",
"reference": "406c68ac9124db033d079284b719958b829cb830"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/406c68ac9124db033d079284b719958b829cb830",
"reference": "406c68ac9124db033d079284b719958b829cb830",
"shasum": ""
},
"require": {
"ext-openssl": "*",
"php": ">= 5.4"
},
"type": "library",
"autoload": {
"psr-4": {
"RobRichards\\XMLSecLibs\\": "src"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"BSD-3-Clause"
],
"description": "A PHP library for XML Security",
"homepage": "https://github.com/robrichards/xmlseclibs",
"keywords": [
"security",
"signature",
"xml",
"xmldsig"
],
"time": "2018-11-15T11:59:02+00:00"
},
{
"name": "sabberworm/php-css-parser",
"version": "8.1.0",
@ -5416,6 +5563,7 @@
"mock",
"xunit"
],
"abandoned": true,
"time": "2018-08-09T05:50:03+00:00"
},
{

12
resources/views/auth/login.blade.php

@ -46,6 +46,16 @@
@endforeach
@endif
@if($samlEnabled)
<hr class="my-l">
<div>
<a id="saml-login" class="button outline block svg" href="{{ url("/saml2/login") }}">
{{-- @icon('auth/github') --}}
{{ trans('auth.log_in_with', ['socialDriver' => 'SAML']) }}
</a>
</div>
@endif
@if(setting('registration-enabled', false))
<div class="text-center pb-s">
<hr class="my-l">
@ -55,4 +65,4 @@
</div>
</div>
@stop
@stop