vendor/nbgrp/onelogin-saml-bundle/src/Security/Http/Authenticator/SamlAuthenticator.php line 40

Open in your IDE?
  1. <?php declare(strict_types=1);
  2. // SPDX-License-Identifier: BSD-3-Clause
  4. namespace Nbgrp\OneloginSamlBundle\Security\Http\Authenticator;
  6. use Nbgrp\OneloginSamlBundle\Event\UserCreatedEvent;
  7. use Nbgrp\OneloginSamlBundle\Event\UserModifiedEvent;
  8. use Nbgrp\OneloginSamlBundle\Idp\IdpResolverInterface;
  9. use Nbgrp\OneloginSamlBundle\Onelogin\AuthRegistryInterface;
  10. use Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\Passport\Badge\DeferredEventBadge;
  11. use Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\Passport\Badge\SamlAttributesBadge;
  12. use Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\Token\SamlToken;
  13. use Nbgrp\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
  14. use Nbgrp\OneloginSamlBundle\Security\User\SamlUserInterface;
  15. use OneLogin\Saml2\Auth;
  16. use OneLogin\Saml2\Utils;
  17. use Psr\Log\LoggerInterface;
  18. use Symfony\Component\DependencyInjection\Attribute\AutoconfigureTag;
  19. use Symfony\Component\HttpFoundation\RedirectResponse;
  20. use Symfony\Component\HttpFoundation\Request;
  21. use Symfony\Component\HttpFoundation\Response;
  22. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  23. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  24. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  25. use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
  26. use Symfony\Component\Security\Core\Exception\LogicException;
  27. use Symfony\Component\Security\Core\Exception\SessionUnavailableException;
  28. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  29. use Symfony\Component\Security\Core\User\UserProviderInterface;
  30. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  31. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  32. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  33. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  34. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  35. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  36. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  37. use Symfony\Component\Security\Http\HttpUtils;
  39. #[AutoconfigureTag('monolog.logger', ['channel' => 'security'])]
  40. class SamlAuthenticator implements AuthenticatorInterfaceAuthenticationEntryPointInterface
  41. {
  42.     public const SESSION_INDEX_ATTRIBUTE '_saml_session_index';
  43.     public const LAST_REQUEST_ID '_saml_last_request_id';
  45.     public function __construct(
  46.         private HttpUtils $httpUtils,
  47.         private UserProviderInterface $userProvider,
  48.         private IdpResolverInterface $idpResolver,
  49.         private AuthRegistryInterface $authRegistry,
  50.         private AuthenticationSuccessHandlerInterface $successHandler,
  51.         private AuthenticationFailureHandlerInterface $failureHandler,
  52.         private array $options,
  53.         private ?SamlUserFactoryInterface $userFactory,
  54.         private ?LoggerInterface $logger,
  55.         private string $idpParameterName,
  56.         private bool $useProxyVars,
  57.     ) {}
  59.     public function supports(Request $request): ?bool
  60.     {
  61.         return $request->isMethod('POST')
  62.             && $this->httpUtils->checkRequestPath($request, (string) $this->options['check_path']);
  63.     }
  65.     public function start(Request $request, ?AuthenticationException $authException null): Response
  66.     {
  67.         $uri $this->httpUtils->generateUri($request, (string) $this->options['login_path']);
  68.         $idp $this->idpResolver->resolve($request);
  69.         if ($idp) {
  70.             $uri .= '?'.$this->idpParameterName.'='.$idp;
  71.         }
  73.         return new RedirectResponse($uri);
  74.     }
  76.     public function authenticate(Request $request): Passport
  77.     {
  78.         if (!$request->hasSession()) {
  79.             throw new SessionUnavailableException('This authentication method requires a session.');
  80.         }
  82.         if ($this->options['require_previous_session'] && !$request->hasPreviousSession()) {
  83.             throw new SessionUnavailableException('Your session has timed out, or you have disabled cookies.');
  84.         }
  86.         $oneLoginAuth $this->getOneLoginAuth($request);
  87.         Utils::setProxyVars($this->useProxyVars);
  89.         $this->processResponse($oneLoginAuth$request->getSession());
  91.         if ($oneLoginAuth->getErrors()) {
  92.             $errorReason $oneLoginAuth->getLastErrorReason() ?? 'Undefined OneLogin auth error.';
  93.             $this->logger?->error($errorReason);
  95.             throw new AuthenticationException($errorReason);
  96.         }
  98.         return $this->createPassport($oneLoginAuth);
  99.     }
  101.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  102.     {
  103.         if (!$passport->hasBadge(SamlAttributesBadge::class)) {
  104.             throw new LogicException(sprintf('Passport should contains a "%s" badge.'SamlAttributesBadge::class));
  105.         }
  107.         $badge $passport->getBadge(SamlAttributesBadge::class);
  108.         $attributes = [];
  110.         if ($badge instanceof SamlAttributesBadge) {
  111.             $attributes $badge->getAttributes();
  112.         }
  114.         return new SamlToken($passport->getUser(), $firewallName$passport->getUser()->getRoles(), $attributes);
  115.     }
  117.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  118.     {
  119.         return $this->successHandler->onAuthenticationSuccess($request$token);
  120.     }
  122.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  123.     {
  124.         return $this->failureHandler->onAuthenticationFailure($request$exception);
  125.     }
  127.     protected function processResponse(Auth $oneLoginAuthSessionInterface $session): void
  128.     {
  129.         $requestId null;
  130.         $security $oneLoginAuth->getSettings()->getSecurityData();
  131.         if ($security['rejectUnsolicitedResponsesWithInResponseTo'] ?? false) {
  132.             /** @var string $requestId */
  133.             $requestId $session->get(self::LAST_REQUEST_ID);
  134.         }
  136.         $oneLoginAuth->processResponse($requestId);
  137.     }
  139.     protected function createPassport(Auth $oneLoginAuth): Passport
  140.     {
  141.         $attributes $this->extractAttributes($oneLoginAuth);
  142.         $this->logger?->debug('SAML attributes extracted'$attributes);
  144.         $deferredEventBadge = new DeferredEventBadge();
  146.         $userBadge = new UserBadge(
  147.             $this->extractIdentifier($oneLoginAuth$attributes),
  148.             function (string $identifier) use ($deferredEventBadge$attributes) {
  149.                 try {
  150.                     try {
  151.                         $user $this->userProvider->loadUserByIdentifier($identifier);
  152.                         if ($user instanceof SamlUserInterface) {
  153.                             $user->setSamlAttributes($attributes);
  154.                             $deferredEventBadge->setEvent(new UserModifiedEvent($user));
  155.                         }
  156.                     } catch (UserNotFoundException $exception) {
  157.                         if (!$this->userFactory instanceof SamlUserFactoryInterface) {
  158.                             throw $exception;
  159.                         }
  161.                         $user $this->userFactory->createUser($identifier$attributes);
  162.                         $deferredEventBadge->setEvent(new UserCreatedEvent($user));
  163.                     }
  164.                 } catch (\Throwable $exception) {
  165.                     if ($exception instanceof UserNotFoundException) {
  166.                         throw $exception;
  167.                     }
  169.                     throw new AuthenticationException('The authentication failed.'0$exception);
  170.                 }
  172.                 return $user;
  173.             },
  174.         );
  176.         return new SelfValidatingPassport($userBadge, [
  177.             new SamlAttributesBadge($attributes),
  178.             $deferredEventBadge,
  179.         ]);
  180.     }
  182.     protected function extractAttributes(Auth $oneLoginAuth): array
  183.     {
  184.         $attributes $this->options['use_attribute_friendly_name'] ?? false
  185.             $oneLoginAuth->getAttributesWithFriendlyName()
  186.             : $oneLoginAuth->getAttributes();
  187.         $attributes[self::SESSION_INDEX_ATTRIBUTE] = $oneLoginAuth->getSessionIndex();
  189.         return $attributes;
  190.     }
  192.     protected function extractIdentifier(Auth $oneLoginAuth, array $attributes): string
  193.     {
  194.         if (empty($this->options['identifier_attribute'])) {
  195.             return $oneLoginAuth->getNameId();
  196.         }
  198.         $identifierAttribute = (string) $this->options['identifier_attribute'];
  199.         if (!\array_key_exists($identifierAttribute$attributes)) {
  200.             throw new \RuntimeException('Attribute "'.$identifierAttribute.'" not found in SAML data.');
  201.         }
  203.         $identifier $attributes[$identifierAttribute];
  204.         if (\is_array($identifier)) {
  205.             /** @var mixed $identifier */
  206.             $identifier reset($identifier);
  207.         }
  209.         if (!\is_string($identifier)) {
  210.             throw new \RuntimeException('Attribute "'.$identifierAttribute.'" does not contain valid user identifier.');
  211.         }
  213.         return $identifier;
  214.     }
  216.     private function getOneLoginAuth(Request $request): Auth
  217.     {
  218.         try {
  219.             $idp $this->idpResolver->resolve($request);
  220.             $authService $idp
  221.                 $this->authRegistry->getService($idp)
  222.                 : $this->authRegistry->getDefaultService();
  223.         } catch (\RuntimeException $exception) {
  224.             $this->logger?->error($exception->getMessage());
  226.             throw new AuthenticationServiceException($exception->getMessage());
  227.         }
  229.         return $authService;
  230.     }
  231. }