From 4e59b838850bd7b315ff4adbb1cba6788713ea80 Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 24 Jan 2024 13:23:10 +0000 Subject: [PATCH 1/6] Merge pull request #14128 from snipe/jerm/upgrade-dot-php Add remote requirements checking to upgrade.php --- upgrade.php | 39 ++++++++++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 11 deletions(-)
diff --git a/upgrade.php b/upgrade.php
index a287e3d1de..dc03797954 100644
--- a/upgrade.php
+++ b/upgrade.php
@@ -1,8 +1,24 @@ =')) && (version_compare(ph echo "Snipe-IT requires PHP versions between ".$php_min_works." and ".$php_max_wontwork.".\n";
 echo "Please install a compatible version of PHP and re-run this script again. \n";
 echo "!!!!!!!!!!!!!!!!!!!!!!!!! ABORTING THE UPGRADER !!!!!!!!!!!!!!!!!!!!!!\n";
- exit;
+ exit(1);
 }
 echo "Checking Required PHP extensions... \n\n";
@@ -240,7 +256,7 @@ if ($ext_missing!='') {
 echo "ABORTING THE INSTALLER \n";
 echo "Please install the extensions above and re-run this script.\n";
 echo "--------------------------------------------------------\n";
- exit;
+ exit(1);
 } else {
 echo $ext_installed."\n";
@@ -295,6 +311,7 @@ if ($dirs_not_writable!='') {
 echo "--------------------- !! ERROR !! ----------------------\n";
 echo "Please check the permissions on the directories above and re-run this script.\n";
 echo "------------------------- :( ---------------------------\n\n";
+ exit(1);
 }
From 9d1abb0aa7854a2ce48fa32f23eccef336bf1067 Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 17 Jan 2024 13:15:56 +0000 Subject: [PATCH 2/6] Merge pull request #14127 from snipe/jerm/upgrade-deps-file Add php version requirements file for future-proofing upgrades --- .upgrade_requirements.json | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 .upgrade_requirements.json
diff --git a/.upgrade_requirements.json b/.upgrade_requirements.json
new file mode 100644
index 0000000000..43d769728d
--- /dev/null
+++ b/.upgrade_requirements.json
@@ -0,0 +1,10 @@
+{
+ "DOC1": "This file is meant to be pulled from the current HEAD of the desired branch, NOT referenced locally",
+ "DOC2": "In other words, what you see locally are the requirements for your _current_ install",
+ "DOC3": "Please don't rely on these versions for planning upgrades unless you've fetched the most recent version",
+ "DOC4": "You should really just ignore it and run upgrade.php. Really",
+ "php_min_version": "8.1.0",
+ "php_max_major_minor": "8.2",
+ "php_max_wontwork": "8.3.0",
+ "current_snipeit_version": "6.3"
+}
From 43c8e98ec7c74f6793d94319dd3f93a4917c6c10 Mon Sep 17 00:00:00 2001 From: Jeremy Price Date: Thu, 25 Jan 2024 10:12:08 -0800 Subject: [PATCH 3/6] Set v6 upgrade requirements in .upgrade_requirements.json -- REVERT FOR v7 This was originally created on the v7 branch, and had v7 requirements, but we're backporting it so that people have it in-hand before v7 launches. Since v7 hasn't launched yet, and people can use it for upgrading to new v6's potentially, we'll make it v6 happy for now. --- .upgrade_requirements.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.upgrade_requirements.json b/.upgrade_requirements.json
index 43d769728d..6fe066f8ea 100644
--- a/.upgrade_requirements.json
+++ b/.upgrade_requirements.json
@@ -3,8 +3,8 @@
 "DOC2": "In other words, what you see locally are the requirements for your _current_ install",
 "DOC3": "Please don't rely on these versions for planning upgrades unless you've fetched the most recent version",
 "DOC4": "You should really just ignore it and run upgrade.php. Really",
- "php_min_version": "8.1.0",
- "php_max_major_minor": "8.2",
- "php_max_wontwork": "8.3.0",
+ "php_min_version": "7.4.0",
+ "php_max_major_minor": "8.1",
+ "php_max_wontwork": "8.2.0",
 "current_snipeit_version": "6.3"
 }
From 81b8243e1dbd063d76e608041e27ee1fffa5a5ae Mon Sep 17 00:00:00 2001
From: Brady Wetherington Date: Thu, 25 Jan 2024 19:53:24 +0000 Subject: [PATCH 4/6] Enforce SAML assertion ID uniqueness and notValidOnOrAfter attribute --- .../Commands/SamlClearExpiredNonces.php | 44 +++++++++++++++++++ app/Console/Kernel.php | 1 + app/Http/Controllers/Auth/LoginController.php | 18 ++++++-- app/Models/SamlNonce.php | 15 +++++++ app/Services/Saml.php | 2 + ...4_01_24_145544_create_saml_nonce_table.php | 33 ++++++++++++++ 6 files changed, 110 insertions(+), 3 deletions(-) create mode 100644 app/Console/Commands/SamlClearExpiredNonces.php create mode 100644 app/Models/SamlNonce.php create mode 100644 database/migrations/2024_01_24_145544_create_saml_nonce_table.php
diff --git a/app/Console/Commands/SamlClearExpiredNonces.php b/app/Console/Commands/SamlClearExpiredNonces.php
new file mode 100644
index 0000000000..ec20bc37a9
--- /dev/null
+++ b/app/Console/Commands/SamlClearExpiredNonces.php
@@ -0,0 +1,44 @@
+delete();
+ return 0;
+ }
+}
diff --git a/app/Console/Kernel.php b/app/Console/Kernel.php
index 0b80d2eccd..8d512f303b 100644
--- a/app/Console/Kernel.php
+++ b/app/Console/Kernel.php
@@ -25,6 +25,7 @@ class Kernel extends ConsoleKernel
 $schedule->command('backup:clean')->daily();
 $schedule->command('snipeit:upcoming-audits')->daily();
 $schedule->command('auth:clear-resets')->everyFifteenMinutes();
+ $schedule->command('saml:clear_expired_nonces')->weekly();
 }
 /**
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 100eed12b9..896ca11ff5 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Auth;
 use App\Http\Controllers\Controller;
+use App\Models\SamlNonce;
 use App\Models\Setting;
 use App\Models\User;
 use App\Models\Ldap;
@@ -109,7 +110,14 @@ class LoginController extends Controller
 try {
 $user = $saml->samlLogin($samlData);
-
+ $notValidAfter = new \Carbon\Carbon(@$samlData['assertionNotOnOrAfter']);
+ if(\Carbon::now()->greaterThanOrEqualTo($notValidAfter)) {
+ abort(400,"Expired SAML Assertion");
+ }
+ if(SamlNonce::where('nonce', @$samlData['nonce'])->count() > 0) {
+ abort(400,"Assertion has already been used");
+ }
+ Log::debug("okay, fine, this is a new nonce then. Good for you.");
 if (!is_null($user)) {
 Auth::login($user);
 } else {
@@ -123,10 +131,14 @@ class LoginController extends Controller
 $user->last_login = \Carbon::now();
 $user->saveQuietly();
 }
-
+ $s = new SamlNonce();
+ $s->nonce = @$samlData['nonce'];
+ $s->not_valid_after = $notValidAfter;
+ $s->save();
+
 } catch (\Exception $e) {
 \Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
- throw new \Exception($e->getMessage());
+ throw $e;
 }
 // Fallthrough with better logging
diff --git a/app/Models/SamlNonce.php b/app/Models/SamlNonce.php
new file mode 100644
index 0000000000..6eb05352d8
--- /dev/null
+++ b/app/Models/SamlNonce.php
@@ -0,0 +1,15 @@ + $auth->getNameIdSPNameQualifier(),
 'sessionIndex' => $auth->getSessionIndex(),
 'sessionExpiration' => $auth->getSessionExpiration(),
+ 'nonce' => $auth->getLastAssertionId(),
+ 'assertionNotOnOrAfter' => $auth->getLastAssertionNotOnOrAfter(),
 ];
 }
diff --git a/database/migrations/2024_01_24_145544_create_saml_nonce_table.php b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
new file mode 100644
index 0000000000..92c3a16358
--- /dev/null
+++ b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
@@ -0,0 +1,33 @@
+id();
+ $table->string('nonce')->index();
+ $table->datetime('not_valid_after')->index();
+ //$table->timestamps();
+ });
+ }
+
+ /**
+ * Reverse the migrations.
+ *
+ * @return void
+ */
+ public function down()
+ {
+ Schema::dropIfExists('saml_nonces');
+ }
+}
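Review bot: The replay check on the fifth added line fails open when the assertion ID is absent: `@$samlData['nonce']` silently becomes null, `where('nonce', null)` matches no row, and the second hunk then stores a row with a null nonce, so such an assertion is never recognised as replayed. A missing `assertionNotOnOrAfter` only fails closed by accident, because `new \Carbon\Carbon(null)` is "now" and the comparison on the next line reports it as expired; reject both missing values explicitly instead of `@`-suppressing them, e.g. `$nonce = $samlData['nonce'] ?? abort(400, "Missing SAML assertion ID");`. The count-then-save sequence is also racy, since the nonce is only inserted in the second hunk after `Auth::login`, so two concurrent posts of the same assertion can both pass `count() > 0`; inserting the nonce before authenticating and declaring the column `->unique()` rather than `->index()` in the migration hunk closes that window. The last added line calls `Log::debug` unqualified while the existing catch block uses `\Log::debug`; unless `Log` is imported above, that will fail, and the message itself would read better as `Log::debug('SAML assertion ID not seen before; proceeding with login');`. The enclosing method and its try block continue outside this hunk.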
From b39b575fecb05720ef6e6fcb4fd38693e07b3124 Mon Sep 17 00:00:00 2001 From: Brady Wetherington Date: Thu, 25 Jan 2024 20:07:18 +0000 Subject: [PATCH 5/6] Add table-check; add command-description for Artisan command --- app/Console/Commands/SamlClearExpiredNonces.php | 2 +- .../2024_01_24_145544_create_saml_nonce_table.php | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/app/Console/Commands/SamlClearExpiredNonces.php b/app/Console/Commands/SamlClearExpiredNonces.php
index ec20bc37a9..f03b55095e 100644
--- a/app/Console/Commands/SamlClearExpiredNonces.php
+++ b/app/Console/Commands/SamlClearExpiredNonces.php
@@ -19,7 +19,7 @@ class SamlClearExpiredNonces extends Command
 *
 * @var string
 */
- protected $description = 'Command description';
+ protected $description = 'Clears out expired SAML assertions from the saml_nonces table';
 /**
 * Create a new command instance.
diff --git a/database/migrations/2024_01_24_145544_create_saml_nonce_table.php b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
index 92c3a16358..f12615160e 100644
--- a/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
+++ b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
@@ -13,12 +13,14 @@ class CreateSamlNonceTable extends Migration
 */
 public function up()
 {
- Schema::create('saml_nonces', function (Blueprint $table) {
- $table->id();
- $table->string('nonce')->index();
- $table->datetime('not_valid_after')->index();
- //$table->timestamps();
- });
+ if (! Schema::hasTable('saml_nonces') ) {
+ Schema::create('saml_nonces', function (Blueprint $table) {
+ $table->id();
+ $table->string('nonce')->index();
+ $table->datetime('not_valid_after')->index();
+ //$table->timestamps();
+ });
+ }
 }
 /**
From d3815ddce7e775de2dc85ef9f5be882c532152ea Mon Sep 17 00:00:00 2001
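Review bot: The `hasTable` guard added at the top of `up()` in the migration hunk makes the migration a silent no-op whenever any `saml_nonces` table already exists, whatever its columns, so a pre-existing table missing `nonce` or `not_valid_after` would pass migration and only fail at login time. If the guard is there to tolerate re-runs, a comment stating why the table may already exist would make the intent clear, and `Schema::hasColumn` checks would let the guard verify the shape the login code relies on. The spacing in `if (! Schema::hasTable('saml_nonces') ) {` is also inconsistent with the rest of the file; `if (!Schema::hasTable('saml_nonces')) {` matches PSR-12.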
From: Brady Wetherington Date: Thu, 25 Jan 2024 20:13:49 +0000 Subject: [PATCH 6/6] Remove commented-out timestamps on the saml_nonces table --- .../migrations/2024_01_24_145544_create_saml_nonce_table.php | 1 - 1 file changed, 1 deletion(-)
diff --git a/database/migrations/2024_01_24_145544_create_saml_nonce_table.php b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
index f12615160e..f6305288ee 100644
--- a/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
+++ b/database/migrations/2024_01_24_145544_create_saml_nonce_table.php
@@ -18,7 +18,6 @@ class CreateSamlNonceTable extends Migration
 $table->id();
 $table->string('nonce')->index();
 $table->datetime('not_valid_after')->index();
- //$table->timestamps();
 });
 }
 }