Allow SAML users to access the API

This fixes issue #765.
Jan Böhmer 2024-12-01 22:54:22 +01:00
parent 80129c0a88
commit ca8ad760d7
2 changed files with 23 additions and 9 deletions


@ -25,6 +25,7 @@ namespace App\Security;
use App\Entity\UserSystem\User;
use Nbgrp\OneloginSamlBundle\Security\Http\Authenticator\Token\SamlToken;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Contracts\Translation\TranslatorInterface;
@ -50,13 +51,20 @@ class EnsureSAMLUserForSAMLLoginChecker implements EventSubscriberInterface
$token = $event->getAuthenticationToken();
$user = $token->getUser();
//If we are using SAML, we need to check that the user is a SAML user.
if ($token instanceof SamlToken) {
if ($user instanceof User && !$user->isSamlUser()) {
throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_local_user_per_saml', [], 'security'));
}
} elseif ($user instanceof User && $user->isSamlUser()) {
//Ensure that you can not login locally with a SAML user (even if this should not happen, as the password is not set)
//Do not check for anonymous users
if (!$user instanceof User) {
return;
}
//Do not allow SAML users to login as local user
if ($token instanceof SamlToken && !$user->isSamlUser()) {
throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_local_user_per_saml',
[], 'security'));
}
//Do not allow local users to login as SAML user via local username and password
if ($token instanceof UsernamePasswordToken && $user->isSamlUser()) {
//Ensure that you can not login locally with a SAML user (even though this should not happen, as the password is not set)
throw new CustomUserMessageAccountStatusException($this->translator->trans('saml.error.cannot_login_saml_user_locally', [], 'security'));
}
}
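Review bot: The new `if ($token instanceof UsernamePasswordToken && $user->isSamlUser())` check narrows the old rule from "any non-SAML token" to only the username/password form token, so a SAML-flagged user authenticated through any other non-SAML path (a remember-me token, or an authenticator added later) now passes this subscriber silently, while the commit only states the API-token case as the goal. Consider making that scope explicit, either by allow-listing the token types SAML users may use instead of deny-listing a single one, or at least by documenting the decision above the check: `// Only interactive username/password login is blocked for SAML users; API token authentication is deliberately allowed (#765)`. The `throw` at the first check is split across two lines while the second is on one line; aligning them would make the two mirrored checks easier to compare. The enclosing method's signature is outside the hunk, so which event it handles cannot be confirmed from here.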


@ -1,17 +1,23 @@
<?xml version="1.0" encoding="utf-8"?>
<xliff xmlns="urn:oasis:names:tc:xliff:document:2.0" version="2.0" srcLang="en" trgLang="en">
<file id="security.en">
<unit id="aazoCks" name="user.login_error.user_disabled">
<unit id="GrLNa9P" name="user.login_error.user_disabled">
<segment state="translated">
<source>user.login_error.user_disabled</source>
<target>Your account is disabled! Contact an administrator if you think this is wrong.</target>
</segment>
</unit>
<unit id="Dpb9AmY" name="saml.error.cannot_login_local_user_per_saml">
<unit id="IFQ5XrG" name="saml.error.cannot_login_local_user_per_saml">
<segment state="translated">
<source>saml.error.cannot_login_local_user_per_saml</source>
<target>You cannot login as local user via SSO! Use your local user password instead.</target>
</segment>
</unit>
<unit id="wOYPZmb" name="saml.error.cannot_login_saml_user_locally">
<segment>
<source>saml.error.cannot_login_saml_user_locally</source>
<target>You cannot use local authentication to login as SAML user! Use SSO login instead.</target>
</segment>
</unit>
</file>
</xliff>