Merge branch 'keycloak'

config/bundles.php

@@ -27,4 +27,5 @@ return [
     Scheb\TwoFactorBundle\SchebTwoFactorBundle::class => ['all' => true],
     SpomkyLabs\CborBundle\SpomkyLabsCborBundle::class => ['all' => true],
     Webauthn\Bundle\WebauthnBundle::class => ['all' => true],
+    Hslavich\OneloginSamlBundle\HslavichOneloginSamlBundle::class => ['all' => true],
 ];

config/packages/hslavich_onelogin_saml.yaml

@@ -0,0 +1,60 @@
+# See https://github.com/SAML-Toolkits/php-saml for more information about the SAML settings
+
+hslavich_onelogin_saml:
+  # Basic settings
+  idp:
+    entityId: '%env(string:SAML_IDP_ENTITY_ID)%'
+    singleSignOnService:
+      url: '%env(string:SAML_IDP_SINGLE_SIGN_ON_SERVICE)%'
+      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+    singleLogoutService:
+      url: '%env(string:SAML_IDP_SINGLE_LOGOUT_SERVICE)%'
+      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+    x509cert: '%env(string:SAML_IDP_X509_CERT)%'
+  sp:
+    entityId: '%env(string:SAML_SP_ENTITY_ID)%'
+    assertionConsumerService:
+      url: '%partdb.default_uri%saml/acs'
+      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
+    singleLogoutService:
+      url: '%partdb.default_uri%logout'
+      binding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
+    x509cert: '%env(string:SAML_SP_X509_CERT)%'
+    privateKey: '%env(string:SAMLP_SP_PRIVATE_KEY)%'
+
+  # Optional settings
+  #baseurl: 'http://myapp.com'
+  strict: true
+  debug: false
+  security:
+     allowRepeatAttributeName: true
+  #  nameIdEncrypted: false
+     authnRequestsSigned: true
+     logoutRequestSigned: true
+     logoutResponseSigned: true
+  #  wantMessagesSigned: false
+  #   wantAssertionsSigned: true
+  #  wantNameIdEncrypted: false
+  #  requestedAuthnContext: true
+  #  signMetadata: false
+  #  wantXMLValidation: true
+  #  relaxDestinationValidation: false
+  #  destinationStrictlyMatches: true
+  #  rejectUnsolicitedResponsesWithInResponseTo: false
+  #  signatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
+  #  digestAlgorithm: 'http://www.w3.org/2001/04/xmlenc#sha256'
+  #contactPerson:
+  #  technical:
+  #    givenName: 'Tech User'
+  #    emailAddress: 'techuser@example.com'
+  #  support:
+  #    givenName: 'Support User'
+  #    emailAddress: 'supportuser@example.com'
+  #  administrative:
+  #    givenName: 'Administrative User'
+  #    emailAddress: 'administrativeuser@example.com'
+  #organization:
+  #  en:
+  #    name: 'Part-DB-name'
+  #    displayname: 'Displayname'
+  #    url: 'http://example.com'

config/packages/routing.yaml

@@ -4,7 +4,7 @@ framework:
 
         # Configure how to generate URLs in non-HTTP contexts, such as CLI commands.
         # See https://symfony.com/doc/current/routing.html#generating-urls-in-commands
-        #default_uri: http://localhost
+        default_uri: '%env(DEFAULT_URI)%'
 
 when@prod:
     framework:

config/packages/security.yaml

@@ -4,7 +4,6 @@ security:
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
 
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
     providers:
         # used to reload user from session & other features (e.g. switch_user)
         app_user_provider:
@@ -12,6 +11,7 @@ security:
                 class: App\Entity\UserSystem\User
                 property: name
 
+
     firewalls:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
@@ -20,6 +20,7 @@ security:
             provider: app_user_provider
             lazy: true
             user_checker: App\Security\UserChecker
+            entry_point: form_login
 
             two_factor:
                 auth_form_path: 2fa_login
@@ -29,6 +30,14 @@ security:
             login_throttling:
                 max_attempts: 5 # per minute
 
+            saml:
+                use_referer: true
+                user_factory: saml_user_factory
+                persist_user: true
+                check_path: saml_acs
+                login_path: saml_login
+                failure_path: login
+
             # https://symfony.com/doc/current/security/form_login_setup.html
             form_login:
                 login_path: login

config/packages/twig.yaml

@@ -19,6 +19,7 @@ twig:
         sidebar_tree_updater: '@App\Services\Trees\SidebarTreeUpdater'
         avatar_helper: '@App\Services\UserSystem\UserAvatarHelper'
         available_themes: '%partdb.available_themes%'
+        saml_enabled: '%partdb.saml.enabled%'
 
 when@test:
     twig:

config/parameters.yaml

@@ -13,6 +13,8 @@ parameters:
   partdb.global_theme: ''                                     # The theme to use globally (see public/build/themes/ for choices, use name without .css). Set to '' for default bootstrap theme
   partdb.locale_menu: ['en', 'de', 'fr', 'ru', 'ja']          # The languages that are shown in user drop down menu
 
+  partdb.default_uri: '%env(string:DEFAULT_URI)%'             # The default URI to use for the Part-DB instance (e.g. https://part-db.example.com/). This is used for generating links in emails
+
   ######################################################################################################################
   # Users and Privacy
   ######################################################################################################################
@@ -40,6 +42,11 @@ parameters:
   partdb.error_pages.admin_email: '%env(trim:string:ERROR_PAGE_ADMIN_EMAIL)%'     # You can set an email address here, which is shown on an error page, how to contact an administrator
   partdb.error_pages.show_help: '%env(trim:string:ERROR_PAGE_SHOW_HELP)%'         # If this is set to true, solutions to common problems are shown on error pages. Disable this, if you do not want your users to see them...
 
+  ######################################################################################################################
+  # SAML
+  ######################################################################################################################
+  partdb.saml.enabled: '%env(bool:SAML_ENABLED)%'              # If this is set to true, SAML authentication is enabled
+
   ######################################################################################################################
   # Sidebar
   ######################################################################################################################
@@ -111,3 +118,7 @@ parameters:
 
   env(TRUSTED_PROXIES): '127.0.0.1' #By default trust only our own server
   env(TRUSTED_HOSTS): '' # Trust all host names by default
+
+  env(DEFAULT_URI): 'https://partdb.changeme.invalid/'
+
+  env(SAML_ROLE_MAPPING): '{}'

config/routes/hslavich_saml.yaml

@@ -0,0 +1,4 @@
+hslavich_saml_sp:
+  resource: "@HslavichOneloginSamlBundle/Resources/config/routing.yml"
+  # Only load the SAML routes if SAML is enabled
+  condition: "env('SAML_ENABLED') == '1' or env('SAML_ENABLED') == 'true'"

config/services.yaml

@@ -129,6 +129,15 @@ services:
     # Security
     ####################################################################################################################
 
+    saml_user_factory:
+        alias: App\Security\SamlUserFactory
+        public: true
+
+    App\Security\SamlUserFactory:
+        arguments:
+            $saml_role_mapping: '%env(json:SAML_ROLE_MAPPING)%'
+            $update_group_on_login: '%env(bool:SAML_UPDATE_GROUP_ON_LOGIN)%'
+
     ####################################################################################################################
     # Cache
     ####################################################################################################################
@@ -196,6 +205,10 @@ services:
         arguments:
             $available_themes: '%partdb.available_themes%'
 
+    App\Command\User\ConvertToSAMLUserCommand:
+        arguments:
+            $saml_enabled: '%partdb.saml.enabled%'
+
 
     ####################################################################################################################
     # Label system