mirror/Part-DB.Part-DB-server
1
0
Fork 1
mirror of https://github.com/Part-DB/Part-DB-server.git synced 2025-06-21 09:35:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Create a new DB user when somebody logs in using SAML

Browse source
This commit is contained in:
Jan Böhmer 2023-02-20 23:04:20 +01:00
parent c0b74d83a5
commit 78ec0f1ea3
6 changed files with 75 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

2
config/packages/hslavich_onelogin_saml.yaml
View file

@ -28,7 +28,7 @@ hslavich_onelogin_saml:
# nameIdEncrypted: false # nameIdEncrypted: false
authnRequestsSigned: true authnRequestsSigned: true
logoutRequestSigned: true logoutRequestSigned: true
# logoutResponseSigned: false logoutResponseSigned: true
# wantMessagesSigned: false # wantMessagesSigned: false
# wantAssertionsSigned: true # wantAssertionsSigned: true
# wantNameIdEncrypted: false # wantNameIdEncrypted: false

19
config/packages/security.yaml
View file

@ -4,23 +4,13 @@ security:
password_hashers: password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers: providers:
local_users: # used to reload user from session & other features (e.g. switch_user)
app_user_provider:
entity: entity:
class: App\Entity\UserSystem\User class: App\Entity\UserSystem\User
property: name property: name
saml_users:
saml:
user_class: App\Entity\UserSystem\User
default_roles: [ 'ROLE_USER' ]
# used to reload user from session & other features (e.g. switch_user)
app_user_provider:
chain:
providers: ['local_users', 'saml_users']
firewalls: firewalls:
dev: dev:
@ -41,8 +31,9 @@ security:
max_attempts: 5 # per minute max_attempts: 5 # per minute
saml: saml:
#username_attribute: username use_referer: true
#use_attribute_friendly_name: false user_factory: saml_user_factory
persist_user: true
check_path: saml_acs check_path: saml_acs
login_path: saml_login login_path: saml_login
failure_path: saml_login failure_path: saml_login

3
config/services.yaml
View file

@ -127,6 +127,9 @@ services:
# Security # Security
#################################################################################################################### ####################################################################################################################
saml_user_factory:
class: App\Security\SamlUserFactory
#################################################################################################################### ####################################################################################################################
# Cache # Cache
#################################################################################################################### ####################################################################################################################

23
src/Entity/UserSystem/User.php
View file

@ -30,6 +30,7 @@ use App\Security\Interfaces\HasPermissionsInterface;
use App\Validator\Constraints\Selectable; use App\Validator\Constraints\Selectable;
use App\Validator\Constraints\ValidPermission; use App\Validator\Constraints\ValidPermission;
use App\Validator\Constraints\ValidTheme; use App\Validator\Constraints\ValidTheme;
use Hslavich\OneloginSamlBundle\Security\User\SamlUserInterface;
use Jbtronics\TFAWebauthn\Model\LegacyU2FKeyInterface; use Jbtronics\TFAWebauthn\Model\LegacyU2FKeyInterface;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface; use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Webauthn\PublicKeyCredentialUserEntity; use Webauthn\PublicKeyCredentialUserEntity;
@ -60,7 +61,8 @@ use Jbtronics\TFAWebauthn\Model\TwoFactorInterface as WebauthnTwoFactorInterface
* @ORM\EntityListeners({"App\EntityListeners\TreeCacheInvalidationListener"}) * @ORM\EntityListeners({"App\EntityListeners\TreeCacheInvalidationListener"})
* @UniqueEntity("name", message="validator.user.username_already_used") * @UniqueEntity("name", message="validator.user.username_already_used")
*/ */
class User extends AttachmentContainingDBElement implements UserInterface, HasPermissionsInterface, TwoFactorInterface, BackupCodeInterface, TrustedDeviceInterface, WebauthnTwoFactorInterface, PreferredProviderInterface, PasswordAuthenticatedUserInterface class User extends AttachmentContainingDBElement implements UserInterface, HasPermissionsInterface, TwoFactorInterface,
BackupCodeInterface, TrustedDeviceInterface, WebauthnTwoFactorInterface, PreferredProviderInterface, PasswordAuthenticatedUserInterface, SamlUserInterface
{ {
//use MasterAttachmentTrait; //use MasterAttachmentTrait;
@ -860,4 +862,23 @@ class User extends AttachmentContainingDBElement implements UserInterface, HasPe
{ {
$this->webauthn_keys->add($webauthnKey); $this->webauthn_keys->add($webauthnKey);
} }
public function setSamlAttributes(array $attributes)
{
//When mail attribute exists, set it
if (isset($attributes['email'])) {
$this->setEmail($attributes['email'][0]);
}
//When first name attribute exists, set it
if (isset($attributes['firstName'])) {
$this->setFirstName($attributes['firstName'][0]);
}
//When last name attribute exists, set it
if (isset($attributes['lastName'])) {
$this->setLastName($attributes['lastName'][0]);
}
if (isset($attributes['department'])) {
$this->setDepartment($attributes['department'][0]);
}
}
} }

5
src/EventSubscriber/UserSystem/LoginSuccessSubscriber.php
View file

@ -57,10 +57,11 @@ final class LoginSuccessSubscriber implements EventSubscriberInterface
$ip = $event->getRequest()->getClientIp(); $ip = $event->getRequest()->getClientIp();
$log = new UserLoginLogEntry($ip, $this->gpdr_compliance); $log = new UserLoginLogEntry($ip, $this->gpdr_compliance);
$user = $event->getAuthenticationToken()->getUser(); $user = $event->getAuthenticationToken()->getUser();
if ($user instanceof User) { if ($user instanceof User && $user->getID()) {
$log->setTargetElement($user); $log->setTargetElement($user);
}
$this->eventLogger->logAndFlush($log); $this->eventLogger->logAndFlush($log);
}
$this->flashBag->add('notice', $this->translator->trans('flash.login_successful')); $this->flashBag->add('notice', $this->translator->trans('flash.login_successful'));
} }

41
src/Security/SamlUserFactory.php Normal file
View file

@ -0,0 +1,41 @@
<?php
/*
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
*
* Copyright (C) 2019 - 2023 Jan Böhmer (https://github.com/jbtronics)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published
* by the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <https://www.gnu.org/licenses/>.
*/
namespace App\Security;
use App\Entity\UserSystem\User;
use Hslavich\OneloginSamlBundle\Security\User\SamlUserFactoryInterface;
use Symfony\Component\Security\Core\User\UserInterface;
class SamlUserFactory implements SamlUserFactoryInterface
{
public function createUser($username, array $attributes = []): UserInterface
{
$user = new User();
$user->setName($username);
$user->setNeedPwChange(false);
$user->setPassword('$$SAML$$');
$user->setSamlAttributes($attributes);
return $user;
}
}