

move proxy.php to Cas20Controller action
ioigoume committed Nov 27, 2024
1 parent 63269c8 commit e1b3012
Showing 6 changed files with 383 additions and 139 deletions.
115 changes: 0 additions & 115 deletions public/proxy.php

This file was deleted.

6 changes: 6 additions & 0 deletions routing/routes/routes.php
Expand Up @@ -29,6 +29,9 @@
$routes->add(RoutesEnum::ProxyValidate->name, RoutesEnum::ProxyValidate->value)
->controller([Cas20Controller::class, 'proxyValidate'])
->methods(['GET']);
$routes->add(RoutesEnum::Proxy->name, RoutesEnum::Proxy->value)
->controller([Cas20Controller::class, 'proxy'])
->methods(['GET']);
$routes->add(RoutesEnum::SamlValidate->name, RoutesEnum::SamlValidate->value)
->controller([Cas30Controller::class, 'samlValidate'])
->methods(['POST']);
Expand All @@ -48,6 +51,9 @@
$routes->add(LegacyRoutesEnum::LegacyProxyValidate->name, LegacyRoutesEnum::LegacyProxyValidate->value)
->controller([Cas20Controller::class, 'proxyValidate'])
->methods(['GET']);
$routes->add(LegacyRoutesEnum::LegacyProxy->name, LegacyRoutesEnum::LegacyProxy->value)
->controller([Cas20Controller::class, 'proxy'])
->methods(['GET']);
$routes->add(LegacyRoutesEnum::LegacySamlValidate->name, LegacyRoutesEnum::LegacySamlValidate->value)
->controller([Cas30Controller::class, 'samlValidate'])
->methods(['POST']);
2 changes: 1 addition & 1 deletion src/Cas/Protocol/Cas20.php
Expand Up @@ -185,7 +185,7 @@ public function getValidateFailureResponse(string $errorCode, string $explanatio
public function getProxySuccessResponse(string $proxyTicketId): ServiceResponse
{
$proxyTicket = new ProxyTicket($proxyTicketId);
$proxySucces = new ProxySuccess($proxyTicket);
$proxySuccess = new ProxySuccess($proxyTicket);
$serviceResponse = new ServiceResponse($proxySuccess);

return $serviceResponse;
115 changes: 93 additions & 22 deletions src/Controller/Cas20Controller.php
Expand Up @@ -68,7 +68,7 @@ public function __construct(

/**
* @param Request $request
* @param string $TARGET // todo: this should go away
* @param string $TARGET
* @param bool $renew [OPTIONAL] - if this parameter is set, ticket validation will only succeed
* if the service ticket was issued from the presentation of the user’s primary
* credentials. It will fail if the ticket was issued from a single sign-on session.
Expand Down Expand Up @@ -97,6 +97,94 @@ public function serviceValidate(
);
}

/**
* /proxy provides proxy tickets to services that have
* acquired proxy-granting tickets and will be proxying authentication to back-end services.
*
* @param Request $request
* @param string|null $targetService [REQUIRED] - the service identifier of the back-end service.
* @param string|null $pgt [REQUIRED] - the proxy-granting ticket acquired by the service
* during service ticket or proxy ticket validation.
*
* @return XmlResponse
*/
public function proxy(
Request $request,
#[MapQueryParameter] ?string $targetService = null,
#[MapQueryParameter] ?string $pgt = null,
): XmlResponse {
$legal_target_service_urls = $this->casConfig->getOptionalValue('legal_target_service_urls', []);
// Fail if
$message = match (true) {
// targetService pareameter is not defined
$targetService === null => 'Missing target service parameter [targetService]',
// pgt parameter is not defined
$pgt === null => 'Missing proxy granting ticket parameter: [pgt]',
!$this->checkServiceURL($this->sanitize($targetService), $legal_target_service_urls) =>

Check warning on line 123 in src/Controller/Cas20Controller.php



DeprecatedMethod

src/Controller/Cas20Controller.php:123:21: DeprecatedMethod: The method SimpleSAML\Module\casserver\Controller\Traits\UrlTrait::checkServiceURL has been marked as deprecated (see https://psalm.dev/001)
"Target service parameter not listed as a legal service: [targetService] = {$targetService}",
default => null,
};

if (!empty($message)) {
return new XmlResponse(
(string)$this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_REQUEST, $message),
Response::HTTP_BAD_REQUEST,
);
}

// Get the ticket
$proxyGrantingTicket = $this->ticketStore->getTicket($pgt);
$message = match (true) {
// targetService parameter is not defined
$proxyGrantingTicket === null => "Ticket {$pgt} not recognized",
// pgt parameter is not defined
!$this->ticketFactory->isProxyGrantingTicket($proxyGrantingTicket)
=> "Not a valid proxy granting ticket id: {$pgt}",
default => null,
};

if (!empty($message)) {
return new XmlResponse(
(string)$this->cas20Protocol->getValidateFailureResponse('BAD_PGT', $message),
Response::HTTP_BAD_REQUEST,
);
}

// Get the session id from the ticket
$sessionTicket = $this->ticketStore->getTicket($proxyGrantingTicket['sessionId']);

if (
$sessionTicket === null
|| $this->ticketFactory->isSessionTicket($sessionTicket) === false
|| $this->ticketFactory->isExpired($sessionTicket)
) {
$message = "Ticket {$pgt} has expired";
Logger::debug('casserver:' . $message);

return new XmlResponse(
(string)$this->cas20Protocol->getValidateFailureResponse('BAD_PGT', $message),
Response::HTTP_BAD_REQUEST,
);
}

$proxyTicket = $this->ticketFactory->createProxyTicket(
[
'service' => $targetService,
'forceAuthn' => $proxyGrantingTicket['forceAuthn'],
'attributes' => $proxyGrantingTicket['attributes'],
'proxies' => $proxyGrantingTicket['proxies'],
'sessionId' => $proxyGrantingTicket['sessionId'],
],
);

$this->ticketStore->addTicket($proxyTicket);

return new XmlResponse(
(string)$this->cas20Protocol->getProxySuccessResponse($proxyTicket['id']),
Response::HTTP_OK,
);
}

/**
* @param Request $request
* @param string $TARGET // todo: this should go away???
Expand Down Expand Up @@ -157,12 +245,8 @@ public function validate(
$message = "casserver: Missing service parameter: [{$messagePostfix}]";
Logger::debug($message);

ob_start();
echo $this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message);
$responseContent = ob_get_clean();

return new XmlResponse(
$responseContent,
(string)$this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message),
Response::HTTP_BAD_REQUEST,
);
}
Expand All @@ -178,12 +262,8 @@ public function validate(
$message = 'casserver:serviceValidate: internal server error. ' . var_export($e->getMessage(), true);
Logger::error($message);

ob_start();
echo $this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message);
$responseContent = ob_get_clean();

return new XmlResponse(
$responseContent,
(string)$this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message),
Response::HTTP_INTERNAL_SERVER_ERROR,
);
}
Expand Down Expand Up @@ -222,12 +302,8 @@ public function validate(
$finalMessage = 'casserver:validate: ' . $message;
Logger::error($finalMessage);

ob_start();
echo $this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message);
$responseContent = ob_get_clean();

return new XmlResponse(
$responseContent,
(string)$this->cas20Protocol->getValidateFailureResponse(C::ERR_INVALID_SERVICE, $message),
Response::HTTP_BAD_REQUEST,
);
}
Expand Down Expand Up @@ -268,13 +344,8 @@ public function validate(
}
}

// TODO: Replace with string casting
ob_start();
echo $this->cas20Protocol->getValidateSuccessResponse($serviceTicket['userName']);
$successContent = ob_get_clean();

return new XmlResponse(
$successContent,
(string)$this->cas20Protocol->getValidateSuccessResponse($serviceTicket['userName']),
Response::HTTP_OK,
);
}
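Review bot: In the new proxy() action the target service is allow-list checked in sanitized form (`!$this->checkServiceURL($this->sanitize($targetService), $legal_target_service_urls)`) but the proxy ticket is created with the raw query value (`'service' => $targetService`), so whatever sanitize() strips or normalizes can make the stored service differ from the one that passed the check and from what proxyValidate later compares against; compute `$sanitizedTarget = $this->sanitize($targetService);` once before the match and use it in both the check and the `createProxyTicket` array. Every failure branch is rendered with getValidateFailureResponse, which by its name and its use in serviceValidate presumably emits `cas:authenticationFailure`, whereas CAS 2.0 §2.7.3 specifies `cas:proxyFailure` for /proxy — clients parsing the spec'd element will not see the error code, so a proxy-failure builder in Cas20 is worth adding if none exists. The two comments on the second match are copy-pasted from the first (`// targetService parameter is not defined` sits on the `$proxyGrantingTicket === null` arm and `// pgt parameter is not defined` on the isProxyGrantingTicket arm); they should read `// no ticket stored under the supplied pgt` and `// ticket exists but is not a proxy-granting ticket`, and `pareameter` on the first match is a typo. The unvalidated `$pgt` and `$targetService` strings are interpolated straight into those failure messages, so confirm the protocol layer XML-escapes message text before embedding it; the first two failure paths also return without the Logger::debug line the expired-session path has.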
