Added SAML-Toolkits php-saml to composer and installed it to the vendor folder. Implemented SSO with JumpCloud

Signed-off-by: rodude123 <rodude123@gmail.com>
2024-01-01 13:52:30 +00:00
parent 430e1c65ca
commit 7b8e81e1f7
14 changed files with 351 additions and 72 deletions
@@ -5,6 +5,8 @@ require_once __DIR__ . "/../utils/routesInterface.php";
 require_once "userData.php";

 use api\utils\routesInterface;
+use OneLogin\Saml2\Auth;
+use OneLogin\Saml2\Error;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Slim\App;
@@ -12,14 +14,17 @@ use Slim\App;
 class userRoutes implements routesInterface
 {
    private userData $user;
+    private Auth $samlAuth;

    /**
     * constructor used to instantiate a base user routes, to be used in the index.php file.
     * @param App $app - the slim app used to create the routes
+     * @throws Error
     */
    public function __construct(App $app)
    {
        $this->user = new userData();
+        $this->samlAuth = new Auth($this->user->getSamlConf());
        $this->createRoutes($app);
    }

@@ -30,31 +35,9 @@ class userRoutes implements routesInterface
     */
    public function createRoutes(App $app): void
    {
-        $app->post("/user/login", function (Request $request, Response $response)
+        $app->get("/user/login", function (Request $request, Response $response)
        {
-            // get request data
-            $data = $request->getParsedBody();
-
-            if (empty($data["username"]) || empty($data["password"]))
-            {
-                // uh oh user sent empty data
-                return $response->withStatus(400);
-            }
-
-            if ($this->user->checkUser($data["username"], $data["password"]))
-            {
-                // yay, user is logged in
-                $_SESSION["token"] = $this->user->createToken($data["username"]);
-                $_SESSION["username"] = $data["username"];
-
-                $inactive = 60 * 60 * 48; // 2 days
-                $_SESSION["timeout"] = time() + $inactive;
-
-                $response->getBody()->write(json_encode(array("token" => $_SESSION["token"])));
-                return $response;
-            }
-            $response->getBody()->write(json_encode(array("error" => "Unauthorised")));
-            return $response->withStatus(401);
+            $this->samlAuth->login();
        });

        $app->get("/user/logout", function (Request $request, Response $response)
@@ -92,6 +75,20 @@ class userRoutes implements routesInterface

        });

+        $app->get("/user/metadata", function (Request $request, Response $response)
+        {
+            $settings = $this->samlAuth->getSettings();
+            $metadata = $settings->getSPMetadata();
+            $errors = $settings->validateMetadata($metadata);
+            if (empty($errors))
+            {
+                $response->getBody()->write($metadata);
+                return $response->withHeader("Content-Type", "text/xml");
+            }
+            $response->getBody()->write(json_encode(array("error" => $errors)));
+            return $response->withStatus(500);
+        });
+
        $app->get("/user/checkResetEmail/{email}", function (Request $request, Response $response, array $args)
        {
            if (empty($args["email"]))
@@ -139,6 +136,61 @@ class userRoutes implements routesInterface
            return $response->withStatus(401);
        });

+        $app->post("/user/login", function (Request $request, Response $response)
+        {
+            // get request data
+            $data = $request->getParsedBody();
+
+            if (empty($data["username"]) || empty($data["password"]))
+            {
+                // uh oh user sent empty data
+                return $response->withStatus(400);
+            }
+
+            if ($this->user->checkUser($data["username"], $data["password"]))
+            {
+                // yay, user is logged in
+                $_SESSION["token"] = $this->user->createToken($data["username"]);
+                $_SESSION["username"] = $data["username"];
+
+                $inactive = 60 * 60 * 48; // 2 days
+                $_SESSION["timeout"] = time() + $inactive;
+
+                $response->getBody()->write(json_encode(array("token" => $_SESSION["token"])));
+                return $response;
+            }
+            $response->getBody()->write(json_encode(array("error" => "Unauthorised")));
+            return $response->withStatus(401);
+        });
+
+        $app->post("/user/acs", function (Request $request, Response $response)
+        {
+            $this->samlAuth->processResponse();
+
+            $attributes = $this->samlAuth->getAttributes();
+//            $username = $attributes["username"][0];
+//            $email = $attributes["email"][0];
+
+            $response->getBody()->write(json_encode($attributes));
+            return $response;
+
+//            if ($this->user->checkSAMLUser($username, $email))
+//            {
+//                // yay, user is logged in
+//                $_SESSION["token"] = $this->user->createToken($username);
+//                $_SESSION["username"] = $username;
+//                $_SESSION["email"] = $email;
+//
+//                $inactive = 60 * 60 * 48; // 2 days
+//                $_SESSION["timeout"] = time() + $inactive;
+//
+//                return $response->withHeader("Location", "https://rohitpai.co.uk/editor/editor.html")->withStatus(302);
+//            }
+//
+//            $response->getBody()->write(json_encode(array("error" => "Unauthorised")));
+//            return $response->withStatus(401);
+        });
+
        $app->post("/user/changePassword", function (Request $request, Response $response)
        {
            if (empty($_SESSION["resetToken"]) && empty($_SESSION["resetEmail"]))