DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2024-12-28 06:59:41 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/develop'

Browse source
This commit is contained in:
snipe 2024-01-25 20:18:36 +00:00
parent d8a9d93b1d 85a158eaef
commit aa14d5e6b6
8 changed files with 149 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
.upgrade_requirements.json Normal file
View file

@ -0,0 +1,10 @@
{
"DOC1": "This file is meant to be pulled from the current HEAD of the desired branch, NOT referenced locally",
"DOC2": "In other words, what you see locally are the requirements for your _current_ install",
"DOC3": "Please don't rely on these versions for planning upgrades unless you've fetched the most recent version",
"DOC4": "You should really just ignore it and run upgrade.php. Really",
"php_min_version": "7.4.0",
"php_max_major_minor": "8.1",
"php_max_wontwork": "8.2.0",
"current_snipeit_version": "6.3"
}

44
app/Console/Commands/SamlClearExpiredNonces.php Normal file
View file

@ -0,0 +1,44 @@
<?php
namespace App\Console\Commands;
use Illuminate\Console\Command;
use App\Models\SamlNonce;
class SamlClearExpiredNonces extends Command
{
/**
* The name and signature of the console command.
*
* @var string
*/
protected $signature = 'saml:clear_expired_nonces';
/**
* The console command description.
*
* @var string
*/
protected $description = 'Clears out expired SAML assertions from the saml_nonces table';
/**
* Create a new command instance.
*
* @return void
*/
public function __construct()
{
parent::__construct();
}
/**
* Execute the console command.
*
* @return int
*/
public function handle()
{
SamlNonce::where('not_valid_after','<=',now())->delete();
return 0;
}
}

1
app/Console/Kernel.php
View file

@ -25,6 +25,7 @@ class Kernel extends ConsoleKernel
$schedule->command('backup:clean')->daily(); $schedule->command('backup:clean')->daily();
$schedule->command('snipeit:upcoming-audits')->daily(); $schedule->command('snipeit:upcoming-audits')->daily();
$schedule->command('auth:clear-resets')->everyFifteenMinutes(); $schedule->command('auth:clear-resets')->everyFifteenMinutes();
$schedule->command('saml:clear_expired_nonces')->weekly();
} }
/** /**

18
app/Http/Controllers/Auth/LoginController.php
View file

@ -3,6 +3,7 @@
namespace App\Http\Controllers\Auth; namespace App\Http\Controllers\Auth;
use App\Http\Controllers\Controller; use App\Http\Controllers\Controller;
use App\Models\SamlNonce;
use App\Models\Setting; use App\Models\Setting;
use App\Models\User; use App\Models\User;
use App\Models\Ldap; use App\Models\Ldap;
@ -109,7 +110,14 @@ class LoginController extends Controller
try { try {
$user = $saml->samlLogin($samlData); $user = $saml->samlLogin($samlData);
$notValidAfter = new \Carbon\Carbon(@$samlData['assertionNotOnOrAfter']);
if(\Carbon::now()->greaterThanOrEqualTo($notValidAfter)) {
abort(400,"Expired SAML Assertion");
}
if(SamlNonce::where('nonce', @$samlData['nonce'])->count() > 0) {
abort(400,"Assertion has already been used");
}
Log::debug("okay, fine, this is a new nonce then. Good for you.");
if (!is_null($user)) { if (!is_null($user)) {
Auth::login($user); Auth::login($user);
} else { } else {
@ -123,10 +131,14 @@ class LoginController extends Controller
$user->last_login = \Carbon::now(); $user->last_login = \Carbon::now();
$user->saveQuietly(); $user->saveQuietly();
} }
$s = new SamlNonce();
$s->nonce = @$samlData['nonce'];
$s->not_valid_after = $notValidAfter;
$s->save();
} catch (\Exception $e) { } catch (\Exception $e) {
\Log::debug('There was an error authenticating the SAML user: '.$e->getMessage()); \Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
throw new \Exception($e->getMessage()); throw $e;
} }
// Fallthrough with better logging // Fallthrough with better logging

15
app/Models/SamlNonce.php Normal file
View file

@ -0,0 +1,15 @@
<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
class SamlNonce extends Model
{
use HasFactory;
protected $fillable = ['nonce','not_on_or_after'];
public $timestamps = false;
}

2
app/Services/Saml.php
View file

@ -394,6 +394,8 @@ class Saml
'nameIdSPNameQualifier' => $auth->getNameIdSPNameQualifier(), 'nameIdSPNameQualifier' => $auth->getNameIdSPNameQualifier(),
'sessionIndex' => $auth->getSessionIndex(), 'sessionIndex' => $auth->getSessionIndex(),
'sessionExpiration' => $auth->getSessionExpiration(), 'sessionExpiration' => $auth->getSessionExpiration(),
'nonce' => $auth->getLastAssertionId(),
'assertionNotOnOrAfter' => $auth->getLastAssertionNotOnOrAfter(),
]; ];
} }

34
database/migrations/2024_01_24_145544_create_saml_nonce_table.php Normal file
View file

@ -0,0 +1,34 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
class CreateSamlNonceTable extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
if (! Schema::hasTable('saml_nonces') ) {
Schema::create('saml_nonces', function (Blueprint $table) {
$table->id();
$table->string('nonce')->index();
$table->datetime('not_valid_after')->index();
});
}
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::dropIfExists('saml_nonces');
}
}

39
upgrade.php
View file

@ -1,8 +1,24 @@
<?php <?php
(PHP_SAPI !== 'cli' || isset($_SERVER['HTTP_USER_AGENT'])) && die('Access denied.'); (PHP_SAPI !== 'cli' || isset($_SERVER['HTTP_USER_AGENT'])) && die('Access denied.');
$php_min_works = '7.4.0'; $app_environment = 'develop';
$php_max_wontwork = '8.2.0';
// Check if a branch or tag was passed in the command line,
// otherwise just use master
(array_key_exists('1', $argv)) ? $branch = $argv[1] : $branch = 'master';
// Fetching most current upgrade requirements from github. Read more here: https://github.com/snipe/snipe-it/pull/14127
$remote_requirements_file = "https://raw.githubusercontent.com/snipe/snipe-it/$branch/.upgrade_requirements.json";
$upgrade_requirements = json_decode(file_get_contents($remote_requirements_file), true);
if (! $upgrade_requirements) {
die("\nERROR: Failed to retrieve remote requirements from $remote_requirements_file\nExiting.\n\n");
}
$php_min_works = $upgrade_requirements['php_min_version'];
$php_max_wontwork = $upgrade_requirements['php_max_wontwork'];
// done fetching requirements
if ((strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') || (!function_exists('posix_getpwuid'))) { if ((strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') || (!function_exists('posix_getpwuid'))) {
@ -17,12 +33,6 @@ if ((strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') || (!function_exists('posix_get
} }
$app_environment = 'develop';
// Check if a branch or tag was passed in the command line,
// otherwise just use master
(array_key_exists('1', $argv)) ? $branch = $argv[1] : $branch = 'master';
echo "--------------------------------------------------------\n"; echo "--------------------------------------------------------\n";
echo "WELCOME TO THE SNIPE-IT UPGRADER! \n"; echo "WELCOME TO THE SNIPE-IT UPGRADER! \n";
echo "--------------------------------------------------------\n\n"; echo "--------------------------------------------------------\n\n";
@ -45,6 +55,12 @@ echo "--------------------------------------------------------\n\n";
// Check the .env looks ok // Check the .env looks ok
$env = file('.env'); $env = file('.env');
if (! $env){
echo "\n!!!!!!!!!!!!!!!!!!!!!!!!!! .ENV FILE ERROR !!!!!!!!!!!!!!!!!!!!!!!!!!\n";
echo "Your .env file doesn't seem to exist in this directory or isn't readable! Please look into that.\n";
exit(1);
}
$env_good = ''; $env_good = '';
$env_bad = ''; $env_bad = '';
@ -133,7 +149,7 @@ if ($env_bad !='') {
echo "!!!!!!!!!!!!!!!!!!!!!!!!! ABORTING THE UPGRADER !!!!!!!!!!!!!!!!!!!!!!\n"; echo "!!!!!!!!!!!!!!!!!!!!!!!!! ABORTING THE UPGRADER !!!!!!!!!!!!!!!!!!!!!!\n";
echo "Please correct the issues above in ".getcwd()."/.env and try again.\n"; echo "Please correct the issues above in ".getcwd()."/.env and try again.\n";
echo "--------------------------------------------------------\n"; echo "--------------------------------------------------------\n";
exit; exit(1);
} }
@ -152,7 +168,7 @@ if ((version_compare(phpversion(), $php_min_works, '>=')) && (version_compare(ph
echo "Snipe-IT requires PHP versions between ".$php_min_works." and ".$php_max_wontwork.".\n"; echo "Snipe-IT requires PHP versions between ".$php_min_works." and ".$php_max_wontwork.".\n";
echo "Please install a compatible version of PHP and re-run this script again. \n"; echo "Please install a compatible version of PHP and re-run this script again. \n";
echo "!!!!!!!!!!!!!!!!!!!!!!!!! ABORTING THE UPGRADER !!!!!!!!!!!!!!!!!!!!!!\n"; echo "!!!!!!!!!!!!!!!!!!!!!!!!! ABORTING THE UPGRADER !!!!!!!!!!!!!!!!!!!!!!\n";
exit; exit(1);
} }
echo "Checking Required PHP extensions... \n\n"; echo "Checking Required PHP extensions... \n\n";
@ -240,7 +256,7 @@ if ($ext_missing!='') {
echo "ABORTING THE INSTALLER \n"; echo "ABORTING THE INSTALLER \n";
echo "Please install the extensions above and re-run this script.\n"; echo "Please install the extensions above and re-run this script.\n";
echo "--------------------------------------------------------\n"; echo "--------------------------------------------------------\n";
exit; exit(1);
} else { } else {
echo $ext_installed."\n"; echo $ext_installed."\n";
@ -295,6 +311,7 @@ if ($dirs_not_writable!='') {
echo "--------------------- !! ERROR !! ----------------------\n"; echo "--------------------- !! ERROR !! ----------------------\n";
echo "Please check the permissions on the directories above and re-run this script.\n"; echo "Please check the permissions on the directories above and re-run this script.\n";
echo "------------------------- :( ---------------------------\n\n"; echo "------------------------- :( ---------------------------\n\n";
exit(1);
} }