|
1
|
|
|
<?php |
|
2
|
|
|
|
|
3
|
|
|
/** |
|
4
|
|
|
* Copyright 2014 SURFnet bv |
|
5
|
|
|
* |
|
6
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License"); |
|
7
|
|
|
* you may not use this file except in compliance with the License. |
|
8
|
|
|
* You may obtain a copy of the License at |
|
9
|
|
|
* |
|
10
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0 |
|
11
|
|
|
* |
|
12
|
|
|
* Unless required by applicable law or agreed to in writing, software |
|
13
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS, |
|
14
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
|
15
|
|
|
* See the License for the specific language governing permissions and |
|
16
|
|
|
* limitations under the License. |
|
17
|
|
|
*/ |
|
18
|
|
|
|
|
19
|
|
|
namespace Surfnet\StepupSelfService\SelfServiceBundle\Controller\Registration; |
|
20
|
|
|
|
|
21
|
|
|
use Exception; |
|
22
|
|
|
use Surfnet\SamlBundle\Http\XMLResponse; |
|
23
|
|
|
use Surfnet\SamlBundle\SAML2\AuthnRequestFactory; |
|
24
|
|
|
use Surfnet\SamlBundle\SAML2\Response\Assertion\InResponseTo; |
|
25
|
|
|
use Surfnet\StepupSelfService\SamlStepupProviderBundle\Provider\Provider; |
|
26
|
|
|
use Surfnet\StepupSelfService\SamlStepupProviderBundle\Provider\ViewConfig; |
|
27
|
|
|
use Surfnet\StepupSelfService\SelfServiceBundle\Controller\Controller; |
|
28
|
|
|
use Symfony\Component\HttpFoundation\Request; |
|
29
|
|
|
use Symfony\Component\HttpFoundation\Response; |
|
30
|
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; |
|
31
|
|
|
|
|
32
|
|
|
/** |
|
33
|
|
|
* Controls registration with Generic SAML Stepup Providers (GSSPs), yielding Generic SAML Second Factors (GSSFs). |
|
34
|
|
|
*/ |
|
35
|
|
|
final class GssfController extends Controller |
|
36
|
|
|
{ |
|
37
|
|
|
/** |
|
38
|
|
|
* @param Request $request |
|
39
|
|
|
* @param string $provider |
|
40
|
|
|
* @return array|Response |
|
41
|
|
|
*/ |
|
42
|
|
|
public function initiateAction(Request $request, $provider) |
|
43
|
|
|
{ |
|
44
|
|
|
$this->assertSecondFactorEnabled($provider); |
|
45
|
|
|
|
|
46
|
|
|
return $this->renderInitiateForm( |
|
47
|
|
|
$provider, |
|
48
|
|
|
[ |
|
49
|
|
|
'authenticationFailed' => (bool) $request->get('authenticationFailed'), |
|
50
|
|
|
'proofOfPossessionFailed' => (bool) $request->get('proofOfPossessionFailed'), |
|
51
|
|
|
] |
|
52
|
|
|
); |
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
/** |
|
56
|
|
|
* @param string $provider |
|
57
|
|
|
* @return array|Response |
|
58
|
|
|
*/ |
|
59
|
|
|
public function authenticateAction($provider) |
|
60
|
|
|
{ |
|
61
|
|
|
$this->assertSecondFactorEnabled($provider); |
|
62
|
|
|
|
|
63
|
|
|
$provider = $this->getProvider($provider); |
|
64
|
|
|
|
|
65
|
|
|
$authnRequest = AuthnRequestFactory::createNewRequest( |
|
66
|
|
|
$provider->getServiceProvider(), |
|
67
|
|
|
$provider->getRemoteIdentityProvider() |
|
68
|
|
|
); |
|
69
|
|
|
|
|
70
|
|
|
$stateHandler = $provider->getStateHandler(); |
|
71
|
|
|
$stateHandler->setRequestId($authnRequest->getRequestId()); |
|
72
|
|
|
|
|
73
|
|
|
/** @var \Surfnet\SamlBundle\Http\RedirectBinding $redirectBinding */ |
|
74
|
|
|
$redirectBinding = $this->get('surfnet_saml.http.redirect_binding'); |
|
75
|
|
|
|
|
76
|
|
|
$this->getLogger()->notice(sprintf( |
|
77
|
|
|
'Sending AuthnRequest with request ID: "%s" to GSSP "%s" at "%s"', |
|
78
|
|
|
$authnRequest->getRequestId(), |
|
79
|
|
|
$provider->getName(), |
|
80
|
|
|
$provider->getRemoteIdentityProvider()->getSsoUrl() |
|
81
|
|
|
)); |
|
82
|
|
|
|
|
83
|
|
|
return $redirectBinding->createRedirectResponseFor($authnRequest); |
|
|
|
|
|
|
84
|
|
|
} |
|
85
|
|
|
|
|
86
|
|
|
/** |
|
87
|
|
|
* @param Request $httpRequest |
|
88
|
|
|
* @param string $provider |
|
89
|
|
|
* @return array|Response |
|
90
|
|
|
*/ |
|
91
|
|
|
public function consumeAssertionAction(Request $httpRequest, $provider) |
|
92
|
|
|
{ |
|
93
|
|
|
$this->assertSecondFactorEnabled($provider); |
|
94
|
|
|
|
|
95
|
|
|
$provider = $this->getProvider($provider); |
|
96
|
|
|
|
|
97
|
|
|
$this->get('logger')->notice( |
|
98
|
|
|
sprintf('Received GSSP "%s" SAMLResponse through Gateway, attempting to process', $provider->getName()) |
|
99
|
|
|
); |
|
100
|
|
|
|
|
101
|
|
|
try { |
|
102
|
|
|
/** @var \Surfnet\SamlBundle\Http\PostBinding $postBinding */ |
|
103
|
|
|
$postBinding = $this->get('surfnet_saml.http.post_binding'); |
|
104
|
|
|
$assertion = $postBinding->processResponse( |
|
105
|
|
|
$httpRequest, |
|
106
|
|
|
$provider->getRemoteIdentityProvider(), |
|
107
|
|
|
$provider->getServiceProvider() |
|
108
|
|
|
); |
|
109
|
|
|
} catch (Exception $exception) { |
|
110
|
|
|
$provider->getStateHandler()->clear(); |
|
111
|
|
|
|
|
112
|
|
|
$this->getLogger()->error( |
|
113
|
|
|
sprintf('Could not process received Response, error: "%s"', $exception->getMessage()) |
|
114
|
|
|
); |
|
115
|
|
|
|
|
116
|
|
|
return $this->redirectToInitiationForm( |
|
117
|
|
|
$provider, |
|
118
|
|
|
['authenticationFailed' => true] |
|
119
|
|
|
); |
|
120
|
|
|
} |
|
121
|
|
|
|
|
122
|
|
|
$expectedResponseTo = $provider->getStateHandler()->getRequestId(); |
|
123
|
|
|
$provider->getStateHandler()->clear(); |
|
124
|
|
|
|
|
125
|
|
|
if (!InResponseTo::assertEquals($assertion, $expectedResponseTo)) { |
|
126
|
|
|
$this->getLogger()->critical(sprintf( |
|
127
|
|
|
'Received Response with unexpected InResponseTo, %s', |
|
128
|
|
|
($expectedResponseTo ? 'expected "' . $expectedResponseTo . '"' : ' no response expected') |
|
129
|
|
|
)); |
|
130
|
|
|
|
|
131
|
|
|
return $this->redirectToInitiationForm( |
|
132
|
|
|
$provider, |
|
133
|
|
|
['authenticationFailed' => true] |
|
134
|
|
|
); |
|
135
|
|
|
} |
|
136
|
|
|
|
|
137
|
|
|
$this->get('logger')->notice( |
|
138
|
|
|
sprintf('Processed GSSP "%s" SAMLResponse received through Gateway successfully', $provider->getName()) |
|
139
|
|
|
); |
|
140
|
|
|
|
|
141
|
|
|
/** @var \Surfnet\StepupSelfService\SelfServiceBundle\Service\GssfService $service */ |
|
142
|
|
|
$service = $this->get('surfnet_stepup_self_service_self_service.service.gssf'); |
|
143
|
|
|
/** @var \Surfnet\SamlBundle\SAML2\Attribute\AttributeDictionary $attributeDictionary */ |
|
144
|
|
|
$attributeDictionary = $this->get('surfnet_saml.saml.attribute_dictionary'); |
|
145
|
|
|
$gssfId = $attributeDictionary->translate($assertion)->getNameID(); |
|
146
|
|
|
|
|
147
|
|
|
$secondFactorId = $service->provePossession($this->getIdentity()->id, $provider->getName(), $gssfId); |
|
148
|
|
|
|
|
149
|
|
View Code Duplication |
if ($secondFactorId) { |
|
|
|
|
|
|
150
|
|
|
$this->getLogger()->notice('GSSF possession has been proven successfully'); |
|
151
|
|
|
|
|
152
|
|
|
if ($this->emailVerificationIsRequired()) { |
|
153
|
|
|
return $this->redirectToRoute( |
|
154
|
|
|
'ss_registration_email_verification_email_sent', |
|
155
|
|
|
['secondFactorId' => $secondFactorId] |
|
156
|
|
|
); |
|
157
|
|
|
} else { |
|
158
|
|
|
return $this->redirectToRoute( |
|
159
|
|
|
'ss_registration_registration_email_sent', |
|
160
|
|
|
['secondFactorId' => $secondFactorId] |
|
161
|
|
|
); |
|
162
|
|
|
} |
|
163
|
|
|
} |
|
164
|
|
|
|
|
165
|
|
|
$this->getLogger()->error('Unable to prove GSSF possession'); |
|
166
|
|
|
|
|
167
|
|
|
return $this->redirectToInitiationForm( |
|
168
|
|
|
$provider, |
|
169
|
|
|
['proofOfPossessionFailed' => true] |
|
170
|
|
|
); |
|
171
|
|
|
} |
|
172
|
|
|
|
|
173
|
|
|
/** |
|
174
|
|
|
* @param Provider $provider |
|
175
|
|
|
* @param array $options |
|
176
|
|
|
*/ |
|
177
|
|
|
private function redirectToInitiationForm(Provider $provider, array $options) |
|
178
|
|
|
{ |
|
179
|
|
|
return $this->redirectToRoute( |
|
180
|
|
|
'ss_registration_gssf_initiate', |
|
181
|
|
|
$options + [ |
|
182
|
|
|
'provider' => $provider->getName(), |
|
183
|
|
|
] |
|
184
|
|
|
); |
|
185
|
|
|
} |
|
186
|
|
|
|
|
187
|
|
|
/** |
|
188
|
|
|
* @param string $provider |
|
189
|
|
|
* @return \Symfony\Component\HttpFoundation\Response |
|
190
|
|
|
*/ |
|
191
|
|
|
public function metadataAction($provider) |
|
192
|
|
|
{ |
|
193
|
|
|
$this->assertSecondFactorEnabled($provider); |
|
194
|
|
|
|
|
195
|
|
|
$provider = $this->getProvider($provider); |
|
196
|
|
|
|
|
197
|
|
|
/** @var \Surfnet\SamlBundle\Metadata\MetadataFactory $factory */ |
|
198
|
|
|
$factory = $this->get('gssp.provider.' . $provider->getName() . '.metadata.factory'); |
|
199
|
|
|
|
|
200
|
|
|
return new XMLResponse($factory->generate()); |
|
201
|
|
|
} |
|
202
|
|
|
|
|
203
|
|
|
/** |
|
204
|
|
|
* @param string $provider |
|
205
|
|
|
* @return \Surfnet\StepupSelfService\SamlStepupProviderBundle\Provider\Provider |
|
206
|
|
|
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException |
|
207
|
|
|
*/ |
|
208
|
|
|
private function getProvider($provider) |
|
209
|
|
|
{ |
|
210
|
|
|
/** @var \Surfnet\StepupSelfService\SamlStepupProviderBundle\Provider\ProviderRepository $providerRepository */ |
|
211
|
|
|
$providerRepository = $this->get('gssp.provider_repository'); |
|
212
|
|
|
|
|
213
|
|
|
if (!$providerRepository->has($provider)) { |
|
214
|
|
|
$this->get('logger')->info(sprintf('Requested GSSP "%s" does not exist or is not registered', $provider)); |
|
215
|
|
|
|
|
216
|
|
|
throw new NotFoundHttpException('Requested provider does not exist'); |
|
217
|
|
|
} |
|
218
|
|
|
|
|
219
|
|
|
return $providerRepository->get($provider); |
|
220
|
|
|
} |
|
221
|
|
|
|
|
222
|
|
|
/** |
|
223
|
|
|
* @return \Psr\Log\LoggerInterface |
|
224
|
|
|
*/ |
|
225
|
|
|
private function getLogger() |
|
226
|
|
|
{ |
|
227
|
|
|
return $this->get('logger'); |
|
228
|
|
|
} |
|
229
|
|
|
|
|
230
|
|
|
/** |
|
231
|
|
|
* @param string $provider |
|
232
|
|
|
* @param array $parameters |
|
233
|
|
|
* @return Response |
|
234
|
|
|
*/ |
|
235
|
|
|
private function renderInitiateForm($provider, array $parameters = []) |
|
236
|
|
|
{ |
|
237
|
|
|
/** @var ViewConfig $secondFactorConfig */ |
|
238
|
|
|
$secondFactorConfig = $this->get("gssp.view_config.{$provider}"); |
|
|
|
|
|
|
239
|
|
|
|
|
240
|
|
|
$form = $this->createForm( |
|
241
|
|
|
'ss_initiate_gssf', |
|
242
|
|
|
null, |
|
243
|
|
|
[ |
|
244
|
|
|
'provider' => $provider, |
|
245
|
|
|
/** @Ignore from translation message extraction */ |
|
246
|
|
|
'label' => $secondFactorConfig->getInitiateButton() |
|
247
|
|
|
] |
|
248
|
|
|
); |
|
249
|
|
|
/** @var ViewConfig $secondFactorConfig */ |
|
250
|
|
|
$templateParameters = array_merge( |
|
251
|
|
|
$parameters, |
|
252
|
|
|
[ |
|
253
|
|
|
'form' => $form->createView(), |
|
254
|
|
|
'provider' => $provider, |
|
255
|
|
|
'secondFactorConfig' => $secondFactorConfig, |
|
256
|
|
|
'verifyEmail' => $this->emailVerificationIsRequired(), |
|
257
|
|
|
] |
|
258
|
|
|
); |
|
259
|
|
|
return $this->render( |
|
260
|
|
|
'SurfnetStepupSelfServiceSelfServiceBundle:Registration/Gssf:initiate.html.twig', |
|
261
|
|
|
$templateParameters |
|
262
|
|
|
); |
|
263
|
|
|
} |
|
264
|
|
|
} |
|
265
|
|
|
|
OpenConext /
Stepup-SelfService
Loading history...
This method has been deprecated. The supplier of the class has supplied an explanatory message.
The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead.