Merge pull request #11 from activecollab/saml-idp-features

Saml idp features

Author: ilijastuden

src/Saml/AuthnRequestResolver.php

@@ -0,0 +1,92 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+namespace ActiveCollab\Authentication\Saml;
+
+use Exception;
+use LightSaml\Binding\BindingFactory;
+use LightSaml\Context\Profile\MessageContext;
+use LightSaml\Credential\KeyHelper;
+use LightSaml\Credential\X509Certificate;
+use LightSaml\Model\Protocol\AuthnRequest;
+use LightSaml\Model\XmlDSig\SignatureStringReader;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
+
+class AuthnRequestResolver
+{
+    /**
+     * @var string
+     */
+    private $saml_crt;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @param string          $saml_crt
+     * @param LoggerInterface $logger
+     */
+    public function __construct($saml_crt, LoggerInterface $logger = null)
+    {
+        $this->saml_crt = $saml_crt;
+        $this->logger = $logger;
+    }
+
+    /**
+     * @param  Request|null $request
+     * @return AuthnRequest
+     */
+    public function resolve(Request $request = null)
+    {
+        if (!$request) {
+            $request = Request::createFromGlobals();
+        }
+
+        $binding_factory = new BindingFactory();
+        $binding = $binding_factory->getBindingByRequest($request);
+
+        $message_context = new MessageContext();
+        $binding->receive($request, $message_context);
+        $message = $message_context->asAuthnRequest();
+
+        $this->validateSignature($message);
+
+        return $message;
+    }
+
+    /**
+     * @param  AuthnRequest $message
+     * @throws Exception
+     */
+    private function validateSignature(AuthnRequest $message)
+    {
+        $key = KeyHelper::createPublicKey(X509Certificate::fromFile($this->saml_crt));
+
+        /** @var SignatureStringReader $signature_reader */
+        $signature_reader = $message->getSignature();
+
+        try {
+            if ($signature_reader->validate($key)) {
+                return;
+            }
+
+            throw new Exception('Signature not validated');
+        } catch (Exception $e) {
+            if ($this->logger) {
+                $this->logger->error("AuthnRequest validation failed with message {$e->getMessage()}.", [
+                    'exception' => $e,
+                ]);
+            }
+
+            throw $e;
+        }
+    }
+}

src/Saml/SamlDataManagerInterface.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+namespace ActiveCollab\Authentication\Saml;
+
+use LightSaml\Model\Protocol\AuthnRequest;
+use LightSaml\Model\Protocol\SamlMessage;
+
+interface SamlDataManagerInterface
+{
+    /**
+     * @param SamlMessage $message
+     */
+    public function set(SamlMessage $message);
+
+    /**
+     * @param  string            $message_id
+     * @return AuthnRequest|null
+     */
+    public function get($message_id);
+
+    /**
+     * @param string $message_id
+     */
+    public function delete($message_id);
+}

src/Saml/SsoResponse.php

@@ -0,0 +1,154 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+namespace ActiveCollab\Authentication\Saml;
+
+use DateTime;
+use LightSaml\Binding\BindingFactory;
+use LightSaml\ClaimTypes;
+use LightSaml\Context\Profile\MessageContext;
+use LightSaml\Credential\KeyHelper;
+use LightSaml\Credential\X509Certificate;
+use LightSaml\Helper;
+use LightSaml\Model\Assertion\Assertion;
+use LightSaml\Model\Assertion\Attribute;
+use LightSaml\Model\Assertion\AttributeStatement;
+use LightSaml\Model\Assertion\AudienceRestriction;
+use LightSaml\Model\Assertion\AuthnContext;
+use LightSaml\Model\Assertion\AuthnStatement;
+use LightSaml\Model\Assertion\Conditions;
+use LightSaml\Model\Assertion\Issuer;
+use LightSaml\Model\Assertion\NameID;
+use LightSaml\Model\Assertion\Subject;
+use LightSaml\Model\Assertion\SubjectConfirmation;
+use LightSaml\Model\Assertion\SubjectConfirmationData;
+use LightSaml\Model\Protocol\Response;
+use LightSaml\Model\XmlDSig\SignatureWriter;
+use LightSaml\SamlConstants;
+use Psr\Log\LoggerInterface;
+use RuntimeException;
+use Symfony\Component\HttpFoundation\Response as SymfonyResponse;
+
+class SsoResponse
+{
+    /**
+     * @var SamlDataManagerInterface
+     */
+    private $saml_data_manager;
+
+    /**
+     * @var LoggerInterface
+     */
+    private $logger;
+
+    /**
+     * @var string
+     */
+    private $saml_crt;
+
+    /**
+     * @var string
+     */
+    private $saml_key;
+
+    /**
+     * @param SamlDataManagerInterface $saml_data_manager
+     * @param string                   $saml_crt
+     * @param string                   $saml_key
+     * @param LoggerInterface          $logger
+     */
+    public function __construct(SamlDataManagerInterface $saml_data_manager, $saml_crt, $saml_key, LoggerInterface $logger = null)
+    {
+        $this->saml_data_manager = $saml_data_manager;
+        $this->logger = $logger;
+        $this->saml_crt = $saml_crt;
+        $this->saml_key = $saml_key;
+    }
+
+    /**
+     * @param  string $email
+     * @param  string $message_id
+     * @return string
+     */
+    public function send($email, $message_id)
+    {
+        $message = $this->saml_data_manager->get($message_id);
+
+        if (!$message) {
+            if ($this->logger) {
+                $this->logger->error("Saml message with id $message_id not found or expired");
+            }
+
+            throw new RuntimeException('Authentication message does not exist');
+        }
+
+        $this->saml_data_manager->delete($message_id);
+
+        $response = new Response();
+        $assertion = new Assertion();
+        $response
+            ->addAssertion($assertion)
+            ->setID(Helper::generateID())
+            ->setIssueInstant(new DateTime())
+            ->setDestination($message->getAssertionConsumerServiceURL())
+            ->setIssuer(new Issuer($message->getIssuer()->getValue()));
+
+        $assertion
+            ->setId(Helper::generateID())
+            ->setIssueInstant(new DateTime())
+            ->setIssuer(new Issuer($message->getIssuer()->getValue()))
+            ->setSubject(
+                (new Subject())
+                    ->setNameID(new NameID($email, SamlConstants::NAME_ID_FORMAT_EMAIL))
+                    ->addSubjectConfirmation(
+                        (new SubjectConfirmation())
+                            ->setMethod(SamlConstants::CONFIRMATION_METHOD_BEARER)
+                            ->setSubjectConfirmationData(
+                                (new SubjectConfirmationData())
+                                    ->setInResponseTo($message->getID())
+                                    ->setNotOnOrAfter(new DateTime('+1 MINUTE'))
+                                    ->setRecipient($message->getAssertionConsumerServiceURL())
+                            )
+                    )
+            )
+            ->setConditions(
+                (new Conditions())
+                    ->setNotBefore(new DateTime())
+                    ->setNotOnOrAfter(new DateTime('+1 MINUTE'))
+                    ->addItem(
+                        new AudienceRestriction([$message->getAssertionConsumerServiceURL()])
+                    )
+            )
+            ->addItem(
+                (new AttributeStatement())
+                    ->addAttribute(new Attribute(ClaimTypes::EMAIL_ADDRESS, $email))
+            )
+            ->addItem(
+                (new AuthnStatement())
+                    ->setAuthnInstant(new DateTime('-10 MINUTE'))
+                    ->setSessionIndex($message_id)
+                    ->setAuthnContext(
+                        (new AuthnContext())->setAuthnContextClassRef(SamlConstants::AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT)
+                    )
+            );
+
+        $certificate = X509Certificate::fromFile($this->saml_crt);
+        $private_key = KeyHelper::createPrivateKey($this->saml_key, '', true);
+
+        $response->setSignature(new SignatureWriter($certificate, $private_key));
+
+        $binding_factory = new BindingFactory();
+        $post_binding = $binding_factory->create(SamlConstants::BINDING_SAML2_HTTP_POST);
+        $message_context = new MessageContext();
+        $message_context->setMessage($response);
+        /** @var SymfonyResponse $http_response */
+        $http_response = $post_binding->send($message_context);
+
+        return $http_response->getContent();
+    }
+}

test/src/Saml/AuthnRequestResolverTest.php

@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+namespace ActiveCollab\Authentication\Test\Saml;
+
+use ActiveCollab\Authentication\Saml\AuthnRequestResolver;
+use ActiveCollab\Authentication\Test\TestCase\TestCase;
+use LightSaml\Model\Protocol\AuthnRequest;
+use Symfony\Component\HttpFoundation\Request;
+
+class AuthnRequestResolverTest extends TestCase
+{
+    /**
+     * @var AuthnRequestResolver
+     */
+    private $authn_request_resolver;
+
+    /**
+     * @var array
+     */
+    private $get;
+
+    public function setUp()
+    {
+        parent::setUp();
+
+        $this->authn_request_resolver = new AuthnRequestResolver(__DIR__ . '/../Fixtures/saml.crt');
+        $this->get = [
+            'SAMLRequest' => 'fZFPb8IwDMXvfIoq95KGltJGpYiNw5CYhqDbYZcpTc3I1CZdnaJ9/IV/EgeEj5af3+/Z2eyvqb0DdKiMnhI2DMgsH2Tz3u71Bn57QOu5CY1T0neaG4EKuRYNILeSb+evKz4aBrztjDXS1MRbLqbkq4Q0TCOIqrQcRZGMRTwOIQ7jSTUpIRHjeJfGQRIGO0a8j6u32+PkiD0sNVqhrWsFLPYZ89m4YAEPE86CT+ItHJTSwp5Ue2tbTmltpKj3Bi1PXFHRKnoYUVW1vnBRQFslhQXirS+gT0pXSn8/TlWeh5C/FMXaX79tC+LNEaE7Wj8bjX0D3Ra6g5Lwvlndh5mcYRjtndBHwGNakmcompqf4nbnC/Nj5zGQuJqT/L6V+8MPSIsZvVmfZ/T2n/ngHw==',
+            'SigAlg' => 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
+            'Signature' => 'HD0lpaP4P6zd0oiGaRfKxV0Be65ClLL7BZ1mm0LVZYm4rwg4wZY1aTlf/aq2vPa1zDJ6e5NLbt7HRde4i6PnTVLpKX0ynab2gQQ2aoYDiwBUXw+01pRXYjnCBexfRfOt57pSBqUatuDuXrxKP6bD9nZ4/9pJAtxqva/5IX6ZqiQ3AEuZ9xcZ4cD+AqRFGvUlGu0I4yZzCNeiYpka4Fr340f69Aqr7q/e8ZRyYZJZPACXCK5Iq6nhRE0hBr5ezNPQESrI2te+SRXtnOTiEufPTQi/6roFfWfvwn/DtKGN1JSbt9shzOmQcbbtEq39U1Vr0OB1Ye8Ck6vCV8cRzlZqAQ==',
+        ];
+    }
+
+    public function testAuthnIsResolved()
+    {
+        $request = Request::create('http://localhost:8887', 'GET', $this->get);
+
+        $authn_request = $this->authn_request_resolver->resolve($request);
+
+        $this->assertInstanceOf(AuthnRequest::class, $authn_request);
+    }
+
+    /**
+     * @expectedException \LightSaml\Error\LightSamlSecurityException
+     * @expectedExceptionMessage Unable to validate signature on query string
+     */
+    public function testSamlRequestSignatureIsNotValid()
+    {
+        $this->get['Signature'] = 'invalid';
+
+        $request = Request::create('http://localhost:8887', 'GET', $this->get);
+
+        $this->authn_request_resolver->resolve($request);
+    }
+}

test/src/Utils/SamlUtilsTest.php renamed to test/src/Saml/SamlUtilsTest.php

@@ -6,7 +6,7 @@
  * (c) A51 doo <[email protected]>. All rights reserved.
  */
 
-namespace ActiveCollab\Authentication\Test\Utils;
+namespace ActiveCollab\Shepherd\Test\Authentication;
 
 use ActiveCollab\Authentication\Saml\SamlUtils;
 use ActiveCollab\Authentication\Test\TestCase\TestCase;
@@ -38,8 +38,8 @@ public function testAuthnRequest()
             'http://localhost/consumer',
             'http://localhost/idp',
             'http://localhost/issuer',
-            file_get_contents(__DIR__.'/../Fixtures/saml.crt'),
-            file_get_contents(__DIR__.'/../Fixtures/saml.key')
+            file_get_contents(__DIR__ . '/../Fixtures/saml.crt'),
+            file_get_contents(__DIR__ . '/../Fixtures/saml.key')
         );
 
         $this->assertStringStartsWith('http://localhost/idp?SAMLRequest=', $result);