Create a new DB user when somebody logs in using SAML

2025-06-20 17:15:51 +02:00 · 2023-02-20 23:04:20 +01:00 · 2023-02-20 23:04:20 +01:00 · 78ec0f1ea3
commit 78ec0f1ea3
parent c0b74d83a5
6 changed files with 75 additions and 18 deletions
--- a/config/packages/hslavich_onelogin_saml.yaml
+++ b/config/packages/hslavich_onelogin_saml.yaml
@ -28,7 +28,7 @@ hslavich_onelogin_saml:
  #  nameIdEncrypted: false
     authnRequestsSigned: true
     logoutRequestSigned: true
-  #  logoutResponseSigned: false
+     logoutResponseSigned: true
  #  wantMessagesSigned: false
  #   wantAssertionsSigned: true
  #  wantNameIdEncrypted: false
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@ -4,23 +4,13 @@ security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
-        local_users:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
            entity:
                class: App\Entity\UserSystem\User
                property: name

-        saml_users:
-            saml:
-                user_class: App\Entity\UserSystem\User
-                default_roles: [ 'ROLE_USER' ]
-
-        # used to reload user from session & other features (e.g. switch_user)
-        app_user_provider:
-            chain:
-                providers: ['local_users', 'saml_users']
-

    firewalls:
        dev:
@ -41,8 +31,9 @@ security:
                max_attempts: 5 # per minute

            saml:
-                #username_attribute: username
-                #use_attribute_friendly_name: false
+                use_referer: true
+                user_factory: saml_user_factory
+                persist_user: true
                check_path: saml_acs
                login_path: saml_login
                failure_path: saml_login
--- a/config/services.yaml
+++ b/config/services.yaml
@ -127,6 +127,9 @@ services:
    # Security
    ####################################################################################################################

+    saml_user_factory:
+        class: App\Security\SamlUserFactory
+
    ####################################################################################################################
    # Cache
    ####################################################################################################################
--- a/src/Entity/UserSystem/User.php
+++ b/src/Entity/UserSystem/User.php
@ -30,6 +30,7 @@ use App\Security\Interfaces\HasPermissionsInterface;
 use App\Validator\Constraints\Selectable;
 use App\Validator\Constraints\ValidPermission;
 use App\Validator\Constraints\ValidTheme;
+use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;
 use Jbtronics\TFAWebauthn\Model\LegacyU2FKeyInterface;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Webauthn\PublicKeyCredentialUserEntity;
@ -60,7 +61,8 @@ use Jbtronics\TFAWebauthn\Model\TwoFactorInterface as WebauthnTwoFactorInterface
 * @ORM\EntityListeners({"App\EntityListeners\TreeCacheInvalidationListener"})
 * @UniqueEntity("name", message="validator.user.username_already_used")
 */
-class User extends AttachmentContainingDBElement implements UserInterface, HasPermissionsInterface, TwoFactorInterface, BackupCodeInterface, TrustedDeviceInterface, WebauthnTwoFactorInterface, PreferredProviderInterface, PasswordAuthenticatedUserInterface
+class User extends AttachmentContainingDBElement implements UserInterface, HasPermissionsInterface, TwoFactorInterface,
+                                                            BackupCodeInterface, TrustedDeviceInterface, WebauthnTwoFactorInterface, PreferredProviderInterface, PasswordAuthenticatedUserInterface, SamlUserInterface
 {
    //use MasterAttachmentTrait;

@ -860,4 +862,23 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
    {
        $this->webauthn_keys->add($webauthnKey);
    }
+
+    public function setSamlAttributes(array $attributes)
+    {
+        //When mail attribute exists, set it
+        if (isset($attributes['email'])) {
+            $this->setEmail($attributes['email'][0]);
+        }
+        //When first name attribute exists, set it
+        if (isset($attributes['firstName'])) {
+            $this->setFirstName($attributes['firstName'][0]);
+        }
+        //When last name attribute exists, set it
+        if (isset($attributes['lastName'])) {
+            $this->setLastName($attributes['lastName'][0]);
+        }
+        if (isset($attributes['department'])) {
+            $this->setDepartment($attributes['department'][0]);
+        }
+    }
 }
--- a/src/EventSubscriber/UserSystem/LoginSuccessSubscriber.php
+++ b/src/EventSubscriber/UserSystem/LoginSuccessSubscriber.php
@ -57,10 +57,11 @@ final class LoginSuccessSubscriber implements EventSubscriberInterface
        $ip = $event->getRequest()->getClientIp();
        $log = new UserLoginLogEntry($ip, $this->gpdr_compliance);
        $user = $event->getAuthenticationToken()->getUser();
-        if ($user instanceof User) {
+        if ($user instanceof User && $user->getID()) {
            $log->setTargetElement($user);
+            $this->eventLogger->logAndFlush($log);
        }
-        $this->eventLogger->logAndFlush($log);
+

        $this->flashBag->add('notice', $this->translator->trans('flash.login_successful'));
    }
--- a/src/Security/SamlUserFactory.php
+++ b/src/Security/SamlUserFactory.php
@ -0,0 +1,41 @@
+<?php
+/*
+ * This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
+ *
+ *  Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
+ *
+ *  This program is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU Affero General Public License as published
+ *  by the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU Affero General Public License for more details.
+ *
+ *  You should have received a copy of the GNU Affero General Public License
+ *  along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+namespace App\Security;
+
+use App\Entity\UserSystem\User;
+use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class SamlUserFactory implements SamlUserFactoryInterface
+{
+    public function createUser($username, array $attributes = []): UserInterface
+    {
+        $user = new User();
+        $user->setName($username);
+        $user->setNeedPwChange(false);
+        $user->setPassword('$$SAML$$');
+
+        $user->setSamlAttributes($attributes);
+
+
+        return $user;
+    }
+}