SAML Auth bug fixed.

msyk · May 2, 2024 · 3c4d5fb · 3c4d5fb
1 parent 0c2d78e
commit 3c4d5fb
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 24 deletions.
diff --git a/src/php/DB/Auth_Interface_Communication.php b/src/php/DB/Auth_Interface_Communication.php
@@ -28,7 +28,7 @@ public function checkMediaToken(string $user, string $token): bool;
 
     public function addUser(string $username, string $password, bool $isSAML = false, ?array $attrs = null): array;
 
-    public function authSupportGetSalt(string $username): ?string;
+    public function authSupportGetSalt(?string $username): ?string;
 
     public function changePassword(string $username, string $newpassword): bool;
 }
diff --git a/src/php/DB/Proxy.php b/src/php/DB/Proxy.php
@@ -1004,9 +1004,9 @@ public function processingRequest(?string $access = null, bool $bypassAuth = fal
         $this->ignoreFiles = $ignoreFiles;
         $this->suppressMediaToken = true;
 
-        $this->originalAccess = $access;
         $this->access = is_null($access) ? $this->PostData['access'] : $access;
         $this->access = (($this->access == "select") || ($this->access == "load")) ? "read" : $this->access;
+        $this->originalAccess = $this->access;
         $this->logger->setDebugMessage("[processingRequest] decided access={$this->access}", 2);
         $this->access = $this->aggregationJudgement($this->access);
 

diff --git a/src/php/DB/Support/ProxyVisitors/ChallengeVisitor.php b/src/php/DB/Support/ProxyVisitors/ChallengeVisitor.php
@@ -44,7 +44,7 @@ public function visitHandleChallenge(OperationElement $e): void
         $proxy->generatedClientID = IMUtil::generateClientId('', $proxy->passwordHash);
         $userSalt = $proxy->authSupportGetSalt($proxy->paramAuthUser);
 
-        $challenge = $this->generateAndSaveChallenge($proxy->paramAuthUser, $proxy->generatedClientID, "#");
+        $challenge = $this->generateAndSaveChallenge($proxy->paramAuthUser ?? "", $proxy->generatedClientID, "#");
         $proxy->outputOfProcessing['challenge'] = "{$challenge}{$userSalt}";
     }
 

diff --git a/src/php/DB/Support/ProxyVisitors/OperationVisitor.php b/src/php/DB/Support/ProxyVisitors/OperationVisitor.php
@@ -340,21 +340,27 @@ protected function defaultHandleChallenge()
         $proxy = $this->proxy;
         Logger::getInstance()->setDebugMessage("[handleChallenge] access={$proxy->access}, succeed={$proxy->authSucceed}", 2);
 
-        $userSalt = $proxy->authSupportGetSalt($proxy->signedUser);
-        $proxy->generatedClientID = IMUtil::generateClientId('', $proxy->passwordHash);
-        $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "#");
-        $proxy->outputOfProcessing['challenge'] = "{$challenge}{$userSalt}";
-        if ($proxy->authSucceed) {
-             $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "+");
-            if ($proxy->authStoring == 'credential') {
-                $this->setCookieOfChallenge('_im_credential_token',
-                    $challenge, $proxy->generatedClientID, $proxy->hashedPassword);
-            }
-            if ($proxy->required2FA) { // 2FA final step
-                $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "=");
-                $this->setCookieOfChallenge('_im_credential_2FA', $challenge, $proxy->generatedClientID, $proxy->hashedPassword);
+        if ($proxy->signedUser) {
+            $userSalt = $proxy->authSupportGetSalt($proxy->signedUser);
+            $proxy->generatedClientID = IMUtil::generateClientId('', $proxy->passwordHash);
+            $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "#");
+            $proxy->outputOfProcessing['challenge'] = "{$challenge}{$userSalt}";
+            if ($proxy->authSucceed) {
+                $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "+");
+                if (!$proxy->hashedPassword) {
+                    $proxy->hashedPassword = $proxy->dbClass->authHandler->authSupportRetrieveHashedPassword($proxy->signedUser);
+                }
+                if ($proxy->authStoring == 'credential') {
+                    $this->setCookieOfChallenge('_im_credential_token',
+                        $challenge, $proxy->generatedClientID, $proxy->hashedPassword);
+                }
+                if ($proxy->required2FA) { // 2FA final step
+                    $challenge = $this->generateAndSaveChallenge($proxy->signedUser, $proxy->generatedClientID, "=");
+                    $this->setCookieOfChallenge('_im_credential_2FA', $challenge, $proxy->generatedClientID, $proxy->hashedPassword);
+                }
             }
-        } else {
+        }
+        if (!$proxy->authSucceed) {
             $this->clearAuthenticationCookies();
         }
     }

diff --git a/src/php/DB/Support/Proxy_Auth.php b/src/php/DB/Support/Proxy_Auth.php
@@ -111,8 +111,7 @@ public function authenticationAndAuthorization(): void
         $this->dbSettings->setRequireAuthentication(false);
         $this->dbSettings->setRequireAuthorization(false);
         $this->dbSettings->setDBNative(false);
-        if (!is_null($authOptions)
-            || $this->access == 'challenge' || $this->access == 'changepassword' || $this->access == 'credential'
+        if (!is_null($authOptions) || $this->isAuthAccessing()
             || (isset($tableInfo['authentication'])
                 && (isset($tableInfo['authentication']['all']) || isset($tableInfo['authentication'][$this->access])))
         ) {
@@ -132,15 +131,14 @@ public function authenticationAndAuthorization(): void
                 $this->logger->setDebugMessage("[authenticationAndAuthorization] IM-built-in Authentication succeed.");
                 $this->authSucceed = true;
             } else { // Timeout with SAML or Authentication failed
+                $this->dbSettings->setRequireAuthentication(true);
                 if (!$this->dbSettings->getIsSAML()) { // NOT Set up as SAML
-                    $this->dbSettings->setRequireAuthentication(true);
                     $this->logger->setDebugMessage("[authenticationAndAuthorization] Authentication doesn't meet valid."
                         . "{$this->signedUser}/{$this->paramResponse}/{$this->clientId}");
-                    if ($this->access != 'challenge' && $this->access != 'credential'
-                        && $this->access != 'authenticated' && $this->access != 'changepassword') {
+                    if (!$this->isAuthAccessing()) {
                         $this->accessSetToNothing();  // Not Authenticated!
                     }
-                } else {  // Set yp as SAML
+                } else if (!$this->isAuthAccessing()) {  // Set yp as SAML
                     $SAMLAuth = new SAMLAuth($this->dbSettings->getSAMLAuthSource());
                     $SAMLAuth->setSAMLAttrRules($this->dbSettings->getSAMLAttrRules());
                     $SAMLAuth->setSAMLAdditionalRules($this->dbSettings->getSAMLAdditionalRules());
@@ -173,6 +171,11 @@ public function authenticationAndAuthorization(): void
         }
     }
 
+    private function isAuthAccessing()
+    {
+        return $this->access == 'challenge' || $this->access == 'changepassword'
+            || $this->access == 'credential' || $this->access == 'authenticated';
+    }
 
     /**
      * @return void
@@ -235,8 +238,11 @@ function handleMediaToken(): void
      * @param string $username The username as the username field of authuser table.
      * @return string
      */
-    public function authSupportGetSalt(string $username): ?string
+    public function authSupportGetSalt(?string $username): ?string
     {
+        if (is_null($username)) {
+            return "";
+        }
         $hashedpw = $this->proxy->hashedPassword ?? $this->dbClass->authHandler->authSupportRetrieveHashedPassword($username);
         if ($hashedpw) {
             return substr($hashedpw, -8);