-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathadmin.php
127 lines (89 loc) · 3.66 KB
/
admin.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
<?php
$this->bind('/auth/saml/#', function() {
$service = $this->retrieve('config/saml/idp/singleSignOnService');
if (!isset($service['url'])) {
return $this->view('saml:views/error.php', ['errors' => ['singleSignOnService url undefined!']]);
}
$auth = $this->module('saml')->auth();
if (!$auth->isAuthenticated()) {
$this->reroute($auth->login(null, [], false, false, true));
} else {
$this->reroute('/auth/saml/acs');
}
});
$this->bind('/auth/saml/logout', function() {
$service = $this->retrieve('config/saml/idp/singleLogoutService');
if (!isset($service['url'])) {
return $this->view('saml:views/error.php', ['errors' => ['singleLogoutService url undefined!']]);
}
$returnTo = $this['site_url'].$this->baseUrl('/auth/#');
$parameters = [];
$nameId = $_SESSION['samlNameId'] ?? null;
$sessionIndex = $_SESSION['samlSessionIndex'] ?? null;
$nameIdFormat = $_SESSION['samlNameIdFormat'] ?? null;
$url = $this->module('saml')->auth()->logout($returnTo, $parameters, $nameId, $sessionIndex, true, $nameIdFormat);
$this->reroute($url);
});
$this->bind('/auth/saml/acs', function() {
$reqID = $_SESSION['AuthNRequestID'] ?? null;
$auth = $this->module('saml')->auth();
try {
$auth->processResponse($reqID);
} catch (\Exception $e) {
return $this->view('saml:views/error.php', ['errors' => [$e->getMessage()]]);
}
$errors = $auth->getErrors();
if (!empty($errors)) {
return $this->view('saml:views/error.php', ['errors' => $errors]);
}
if (!$auth->isAuthenticated()) {
return $this->view('saml:views/error.php', ['errors' => ['Not authenticated']]);
}
$user = ['saml' => true];
$attrs = $auth->getAttributes();
$mapping = $this->module('saml')->config('mapping');
if ($mapping) {
if (is_array($mapping)) {
foreach ($mapping as $key => $value) {
if (isset($attrs[$key])) {
$user[$value] = $attrs[$key][0];
}
}
} elseif (is_callable($mapping)) {
$mapping($user, $attrs);
}
}
if (!$this->module('cockpit')->hasaccess('cockpit', 'backend', @$user['group'])) {
return $this->view('saml:views/error.php', ['errors' => ['Missing rights to access backend'], 'attributes' => $attrs]);
}
$_SESSION['samlNameId'] = $auth->getNameId();
$_SESSION['samlNameIdFormat'] = $auth->getNameIdFormat();
$_SESSION['samlSessionIndex'] = $auth->getSessionIndex();
unset($_SESSION['AuthNRequestID']);
// if (isset($_REQUEST['RelayState']) && \OneLogin\Saml2\Utils::getSelfURL() != $_REQUEST['RelayState']) {
// $this->reroute($_REQUEST['RelayState']);
// }
$this->trigger('cockpit.account.login', [&$user]);
$this->module('cockpit')->setUser($user);
$this->reroute('/');
});
$this->bind('/auth/saml/meta', function() {
$this->response->mime = 'xml';
$config = $this->module('saml')->config();
$meta = [
'entityID' => $config['sp']['entityId'],
'assertionConsumerService' => $config['sp']['assertionConsumerService']['url'],
'singleLogoutService' => $config['sp']['singleLogoutService']['url'],
];
$body = $this->view('saml:views/meta.php', compact('meta'));
return $body;
});
$this->on('app.login.footer', function() {
echo $this->view('saml:views/partials/#.php');
});
$this->on('cockpit.account.logout', function($user) {
if (isset($user['saml']) && $user['saml']) {
$this->helper('session')->delete('cockpit.app.auth');
$this->reroute('/auth/saml/logout');
}
});