-
Notifications
You must be signed in to change notification settings - Fork 26
Expand file tree
/
Copy pathAuthorizationController.php
More file actions
201 lines (172 loc) · 7.93 KB
/
AuthorizationController.php
File metadata and controls
201 lines (172 loc) · 7.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
<?php
declare(strict_types=1);
/*
* This file is part of the simplesamlphp-module-oidc.
*
* Copyright (C) 2018 by the Spanish Research and Academic Network.
*
* This code was developed by Universidad de Córdoba (UCO https://www.uco.es)
* for the RedIRIS SIR service (SIR: http://www.rediris.es/sir)
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace SimpleSAML\Module\oidc\Controllers;
use League\OAuth2\Server\Exception\OAuthServerException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use SimpleSAML\Auth\ProcessingChain;
use SimpleSAML\Module\oidc\Bridges\PsrHttpBridge;
use SimpleSAML\Module\oidc\ModuleConfig;
use SimpleSAML\Module\oidc\Server\AuthorizationServer;
use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
use SimpleSAML\Module\oidc\Server\RequestTypes\AuthorizationRequest;
use SimpleSAML\Module\oidc\Services\AuthenticationService;
use SimpleSAML\Module\oidc\Services\ErrorResponder;
use SimpleSAML\Module\oidc\Services\LoggerService;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
class AuthorizationController
{
public function __construct(
private readonly AuthenticationService $authenticationService,
private readonly AuthorizationServer $authorizationServer,
private readonly ModuleConfig $moduleConfig,
private readonly LoggerService $loggerService,
private readonly PsrHttpBridge $psrHttpBridge,
private readonly ErrorResponder $errorResponder,
) {
}
/**
* @throws \Exception
* @throws \SimpleSAML\Error\AuthSource
* @throws \SimpleSAML\Error\BadRequest
* @throws \SimpleSAML\Error\NotFound
* @throws \SimpleSAML\Error\Exception
* @throws \League\OAuth2\Server\Exception\OAuthServerException
* @throws \Throwable
*
* @deprecated 7.0.0 Will be moved to Symfony controller method
* @see self::authorization()
*/
public function __invoke(ServerRequestInterface $request): ResponseInterface
{
$queryParameters = $request->getQueryParams();
$state = null;
if (!isset($queryParameters[ProcessingChain::AUTHPARAM])) {
$authorizationRequest = $this->authorizationServer->validateAuthorizationRequest($request);
$state = $this->authenticationService->processRequest($request, $authorizationRequest);
// processState will trigger a redirect
}
$state ??= $this->authenticationService->manageState($queryParameters);
$authorizationRequest = $this->authenticationService->getAuthorizationRequestFromState($state);
$user = $this->authenticationService->getAuthenticateUser($state);
$authorizationRequest->setUser($user);
$authorizationRequest->setAuthorizationApproved(true);
if ($authorizationRequest instanceof AuthorizationRequest) {
$authorizationRequest->setIsCookieBasedAuthn($this->authenticationService->isCookieBasedAuthn());
$authorizationRequest->setAuthSourceId($this->authenticationService->getAuthSourceId());
$authorizationRequest->setSessionId($this->authenticationService->getSessionId());
$this->validatePostAuthnAuthorizationRequest($authorizationRequest);
}
return $this->authorizationServer->completeAuthorizationRequest(
$authorizationRequest,
$this->psrHttpBridge->getResponseFactory()->createResponse(),
);
}
/**
* @param Request $request
*
* @return Response
* @throws \SimpleSAML\Error\AuthSource
* @throws \SimpleSAML\Error\BadRequest
* @throws \SimpleSAML\Error\Error
* @throws \SimpleSAML\Error\Exception
* @throws \SimpleSAML\Error\NotFound
* @throws \Throwable
*/
public function authorization(Request $request): Response
{
try {
/**
* @psalm-suppress DeprecatedMethod Until we drop support for old public/*.php routes, we need to bridge
* between PSR and Symfony HTTP messages.
*/
$response = $this->psrHttpBridge->getHttpFoundationFactory()->createResponse(
$this->__invoke($this->psrHttpBridge->getPsrHttpFactory()->createRequest($request)),
);
// If not already handled, allow CORS (for JS clients).
if (!$response->headers->has('Access-Control-Allow-Origin')) {
$response->headers->set('Access-Control-Allow-Origin', '*');
}
return $response;
} catch (OAuthServerException $exception) {
return $this->errorResponder->forException($exception);
}
}
/**
* Validate authorization request after the authn has been performed. For example, check if the
* ACR claim has been requested and that authn performed satisfies it.
*
* @throws \Exception
*/
protected function validatePostAuthnAuthorizationRequest(AuthorizationRequest $authorizationRequest): void
{
$this->validateAcr($authorizationRequest);
}
/**
* @throws \Exception
*/
protected function validateAcr(AuthorizationRequest $authorizationRequest): void
{
// If no ACRs requested, don't set ACR claim.
if (($requestedAcrValues = $authorizationRequest->getRequestedAcrValues()) === null) {
return;
}
// In order to check available ACRs, we have to know auth source and if authn was based on cookie.
if (($authSourceId = $authorizationRequest->getAuthSourceId()) === null) {
throw OidcServerException::serverError('authSourceId not set on authz request');
}
if (($isCookieBasedAuthn = $authorizationRequest->getIsCookieBasedAuthn()) === null) {
throw OidcServerException::serverError('isCookieBasedAuthn not set on authz request');
}
$authSourceToAcrValuesMap = $this->moduleConfig->getAuthSourcesToAcrValuesMap();
$availableAuthSourceAcrs = is_array($authSourceToAcrValuesMap[$authSourceId]) ?
$authSourceToAcrValuesMap[$authSourceId] :
[];
$forcedAcrForCookieAuthentication = $this->moduleConfig->getForcedAcrValueForCookieAuthentication();
if ($forcedAcrForCookieAuthentication !== null && $isCookieBasedAuthn) {
$availableAuthSourceAcrs = [$forcedAcrForCookieAuthentication];
}
$isRequestedAcrEssential = empty($requestedAcrValues['essential']) ?
false :
boolval($requestedAcrValues['essential']);
$acrs = !empty($requestedAcrValues['values']) && is_array($requestedAcrValues['values']) ?
$requestedAcrValues['values'] :
[];
$matchedAcrs = array_intersect($availableAuthSourceAcrs, $acrs);
// If we have matched ACRs, use the best (first) one (order is important).
if (!empty($matchedAcrs)) {
$authorizationRequest->setAcr((string)current($matchedAcrs));
return;
}
// Since we don't have matched ACRs, and the client marked the requested claim as essential, error out.
if ($isRequestedAcrEssential) {
throw OidcServerException::accessDenied('could not satisfy requested ACR');
}
// If the ACR is not essential, we should return current session ACR (if we have one available)...
if (! empty($availableAuthSourceAcrs)) {
$authorizationRequest->setAcr((string)current($availableAuthSourceAcrs));
return;
}
// ...according to spec we have to return acr claim, and we don't have one available (none configured)...
$genericAcr = 'N/A';
$message = sprintf(
'No ACRs configured for current auth source, whilst specification mandates one. ' .
'Falling back to generic ACR (%s).',
$genericAcr,
);
$this->loggerService->warning($message);
$authorizationRequest->setAcr($genericAcr);
}
}