mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-25 05:34:06 -08:00
Enforce SAML assertion ID uniqueness and notValidOnOrAfter attribute
This commit is contained in:
parent
7668a6767d
commit
81b8243e1d
44
app/Console/Commands/SamlClearExpiredNonces.php
Normal file
44
app/Console/Commands/SamlClearExpiredNonces.php
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Console\Commands;
|
||||||
|
|
||||||
|
use Illuminate\Console\Command;
|
||||||
|
use App\Models\SamlNonce;
|
||||||
|
|
||||||
|
class SamlClearExpiredNonces extends Command
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* The name and signature of the console command.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
protected $signature = 'saml:clear_expired_nonces';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* The console command description.
|
||||||
|
*
|
||||||
|
* @var string
|
||||||
|
*/
|
||||||
|
protected $description = 'Command description';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Create a new command instance.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function __construct()
|
||||||
|
{
|
||||||
|
parent::__construct();
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Execute the console command.
|
||||||
|
*
|
||||||
|
* @return int
|
||||||
|
*/
|
||||||
|
public function handle()
|
||||||
|
{
|
||||||
|
SamlNonce::where('not_valid_after','<=',now())->delete();
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
}
|
|
@ -25,6 +25,7 @@ class Kernel extends ConsoleKernel
|
||||||
$schedule->command('backup:clean')->daily();
|
$schedule->command('backup:clean')->daily();
|
||||||
$schedule->command('snipeit:upcoming-audits')->daily();
|
$schedule->command('snipeit:upcoming-audits')->daily();
|
||||||
$schedule->command('auth:clear-resets')->everyFifteenMinutes();
|
$schedule->command('auth:clear-resets')->everyFifteenMinutes();
|
||||||
|
$schedule->command('saml:clear_expired_nonces')->weekly();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -3,6 +3,7 @@
|
||||||
namespace App\Http\Controllers\Auth;
|
namespace App\Http\Controllers\Auth;
|
||||||
|
|
||||||
use App\Http\Controllers\Controller;
|
use App\Http\Controllers\Controller;
|
||||||
|
use App\Models\SamlNonce;
|
||||||
use App\Models\Setting;
|
use App\Models\Setting;
|
||||||
use App\Models\User;
|
use App\Models\User;
|
||||||
use App\Models\Ldap;
|
use App\Models\Ldap;
|
||||||
|
@ -109,7 +110,14 @@ class LoginController extends Controller
|
||||||
|
|
||||||
try {
|
try {
|
||||||
$user = $saml->samlLogin($samlData);
|
$user = $saml->samlLogin($samlData);
|
||||||
|
$notValidAfter = new \Carbon\Carbon(@$samlData['assertionNotOnOrAfter']);
|
||||||
|
if(\Carbon::now()->greaterThanOrEqualTo($notValidAfter)) {
|
||||||
|
abort(400,"Expired SAML Assertion");
|
||||||
|
}
|
||||||
|
if(SamlNonce::where('nonce', @$samlData['nonce'])->count() > 0) {
|
||||||
|
abort(400,"Assertion has already been used");
|
||||||
|
}
|
||||||
|
Log::debug("okay, fine, this is a new nonce then. Good for you.");
|
||||||
if (!is_null($user)) {
|
if (!is_null($user)) {
|
||||||
Auth::login($user);
|
Auth::login($user);
|
||||||
} else {
|
} else {
|
||||||
|
@ -123,10 +131,14 @@ class LoginController extends Controller
|
||||||
$user->last_login = \Carbon::now();
|
$user->last_login = \Carbon::now();
|
||||||
$user->saveQuietly();
|
$user->saveQuietly();
|
||||||
}
|
}
|
||||||
|
$s = new SamlNonce();
|
||||||
|
$s->nonce = @$samlData['nonce'];
|
||||||
|
$s->not_valid_after = $notValidAfter;
|
||||||
|
$s->save();
|
||||||
|
|
||||||
} catch (\Exception $e) {
|
} catch (\Exception $e) {
|
||||||
\Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
|
\Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
|
||||||
throw new \Exception($e->getMessage());
|
throw $e;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fallthrough with better logging
|
// Fallthrough with better logging
|
||||||
|
|
15
app/Models/SamlNonce.php
Normal file
15
app/Models/SamlNonce.php
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Models;
|
||||||
|
|
||||||
|
use Illuminate\Database\Eloquent\Factories\HasFactory;
|
||||||
|
use Illuminate\Database\Eloquent\Model;
|
||||||
|
|
||||||
|
class SamlNonce extends Model
|
||||||
|
{
|
||||||
|
use HasFactory;
|
||||||
|
|
||||||
|
protected $fillable = ['nonce','not_on_or_after'];
|
||||||
|
|
||||||
|
public $timestamps = false;
|
||||||
|
}
|
|
@ -394,6 +394,8 @@ class Saml
|
||||||
'nameIdSPNameQualifier' => $auth->getNameIdSPNameQualifier(),
|
'nameIdSPNameQualifier' => $auth->getNameIdSPNameQualifier(),
|
||||||
'sessionIndex' => $auth->getSessionIndex(),
|
'sessionIndex' => $auth->getSessionIndex(),
|
||||||
'sessionExpiration' => $auth->getSessionExpiration(),
|
'sessionExpiration' => $auth->getSessionExpiration(),
|
||||||
|
'nonce' => $auth->getLastAssertionId(),
|
||||||
|
'assertionNotOnOrAfter' => $auth->getLastAssertionNotOnOrAfter(),
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
class CreateSamlNonceTable extends Migration
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
Schema::create('saml_nonces', function (Blueprint $table) {
|
||||||
|
$table->id();
|
||||||
|
$table->string('nonce')->index();
|
||||||
|
$table->datetime('not_valid_after')->index();
|
||||||
|
//$table->timestamps();
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::dropIfExists('saml_nonces');
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in a new issue