From 3c8d70c5fb9dba74105be52b4d5b83ca703b3fd8 Mon Sep 17 00:00:00 2001 From: Alex Janes Date: Thu, 16 Dec 2021 11:44:07 -0500 Subject: [PATCH 1/8] Add option to environment to require SAML for a more secure installation. --- app/Http/Controllers/Auth/LoginController.php | 6 ++++++ config/app.php | 13 ++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index 2c94cc70b..b5f6c63c1 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -74,6 +74,12 @@ class LoginController extends Controller return redirect()->intended('/'); } + //If the environment is set to ALWAYS require SAML, go straight to the SAML route. + if((env("REQUIRE_SAML", false))) + { + return redirect()->route('saml.login'); + } + if ($this->saml->isEnabled() && Setting::getSettings()->saml_forcelogin == '1' && ! ($request->has('nosaml') || $request->session()->has('error'))) { return redirect()->route('saml.login'); } diff --git a/config/app.php b/config/app.php index e8d1ebae4..ceb358e58 100755 --- a/config/app.php +++ b/config/app.php @@ -250,8 +250,19 @@ return [ 'enable_csp' => env('ENABLE_CSP', false), + /* + |-------------------------------------------------------------------------- + | Require SAML Login + |-------------------------------------------------------------------------- + | + | Disable the ability to login via form login, and require all logins to + | process via SAML login. (If you are not using SAML, this option should + | be left alone.) + | + */ - + 'require_saml' => env('REQUIRE_SAML', false), + /* |-------------------------------------------------------------------------- From 696943b04b01c513fbde3b8601e60e3aab91e81d Mon Sep 17 00:00:00 2001 
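Review bot: The new `REQUIRE_SAML` branch redirects to `saml.login` without the `$this->saml->isEnabled()` guard that the `saml_forcelogin` branch immediately below it keeps, so with the flag set and SAML disabled or misconfigured every visitor, administrators included, is sent to a login route that cannot authenticate them, and if a failed SAML attempt returns to this form with a session error (which the existing `session()->has('error')` escape suggests it does) the two routes bounce indefinitely. Dropping the `nosaml` escape is the intent of the flag, but the enabled check should stay: `if (env("REQUIRE_SAML", false) && $this->saml->isEnabled()) {`, or fail loudly when the flag is set and SAML is off rather than redirecting. Reading `env()` inside a controller is also fragile for a security switch: once the Laravel config is cached the `.env` file is not loaded and this call returns its default `false`, so the lockout silently fails open on a production install (later patches in this series move the read to `config()`). The enclosing method starts before the hunk.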
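Review bot: The config comment should warn that this value is normalized only for the literal strings `true`/`false`: Laravel's `env()` passes anything else through as a string, so a setting such as `REQUIRE_SAML=off` or `REQUIRE_SAML=no` is truthy and locks the form login out — fail-closed, but surprising for an operator. Suggested addition to the block: `| Accepted values are true or false; any other non-empty value is treated as true.`. Since the flag comes from the environment rather than the Settings table, it would also help to state that the SAML options in the web UI cannot override it, because that is where operators will look first.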
From: Alex Janes Date: Thu, 16 Dec 2021 11:44:34 -0500 Subject: [PATCH 2/8] Add option to environment to require SAML for a more secure installation. --- .env.example | 1 + 1 file changed, 1 insertion(+) diff --git a/.env.example b/.env.example index c2eb5936f..d61960b95 100644 --- a/.env.example +++ b/.env.example @@ -155,4 +155,5 @@ LDAP_TIME_LIM=600 IMPORT_TIME_LIMIT=600 IMPORT_MEMORY_LIMIT=500M REPORT_TIME_LIMIT=12000 +REQUIRE_SAML=false From a6116a1b150ea3e39b98b37ffc04067d7d452a36 Mon Sep 17 00:00:00 2001 From: Alex Janes Date: Thu, 16 Dec 2021 14:33:25 -0500 Subject: [PATCH 3/8] If SAML required, don't accept login form post. --- app/Http/Controllers/Auth/LoginController.php | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index b5f6c63c1..0802defcc 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -75,6 +75,7 @@ class LoginController extends Controller } //If the environment is set to ALWAYS require SAML, go straight to the SAML route. + //We don't need to check other settings, as this should override those. if((env("REQUIRE_SAML", false))) { return redirect()->route('saml.login'); @@ -207,6 +208,12 @@ class LoginController extends Controller */ public function login(Request $request) { + //If the environment is set to ALWAYS require SAML, return access denied + if((env("REQUIRE_SAML", false))) + { + return view('errors.403'); + } + if (Setting::getSettings()->login_common_disabled == '1') { return view('errors.403'); } From 6898119891466b6017af92f4cdbb915fbe1530ba Mon Sep 17 00:00:00 2001 
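Review bot: The new lockout returns `view('errors.403')` with a 200 status, mirroring the `login_common_disabled` line below it, but for a hard security switch the HTTP status should carry the denial so proxies, WAF rules and log-based detections can see it: `return response()->view('errors.403', [], 403);`. The same `env("REQUIRE_SAML", false)` condition is now duplicated in two methods of this controller; a small private helper such as `samlRequired(): bool` would keep them from drifting and would be the one place to address the cached-config behaviour of `env()`. This only blocks the form POST; if other password-based entry points exist outside this controller (API token issuance, for example) they are not covered by the flag, which is worth confirming. The enclosing `login()` method continues past the hunk.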
From: Alex Janes Date: Thu, 16 Dec 2021 16:56:39 -0500 Subject: [PATCH 4/8] Replaced env() with config() to check environment variables Made the app.php description for 'REQUIRE_SAML' a bit more... descriptive. --- app/Http/Controllers/Auth/LoginController.php | 4 ++-- config/app.php | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index 0802defcc..c82ffdc6f 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -76,7 +76,7 @@ class LoginController extends Controller //If the environment is set to ALWAYS require SAML, go straight to the SAML route. //We don't need to check other settings, as this should override those. - if((env("REQUIRE_SAML", false))) + if(config('REQUIRE_SAML')) { return redirect()->route('saml.login'); } @@ -209,7 +209,7 @@ class LoginController extends Controller public function login(Request $request) { //If the environment is set to ALWAYS require SAML, return access denied - if((env("REQUIRE_SAML", false))) + if(config('REQUIRE_SAML')) { return view('errors.403'); } diff --git a/config/app.php b/config/app.php index ceb358e58..c2f39c60e 100755 --- a/config/app.php +++ b/config/app.php @@ -255,9 +255,11 @@ return [ | Require SAML Login |-------------------------------------------------------------------------- | - | Disable the ability to login via form login, and require all logins to - | process via SAML login. (If you are not using SAML, this option should - | be left alone.) + | Disable the ability to login via form login, and disables the 'nosaml' + | workaround. It requires all logins to process via SAML login. + | (This is for high security setups. If your SAML configuration is not + | working, this option should be set to false. This option is not needed + | to successfully configure SAML authentication.) | */ 
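Review bot: `config('REQUIRE_SAML')` looks up a top-level key that this series never defines — `config/app.php` registers it as `require_saml` under `app` — so the call returns null, the condition is always false, and the requirement silently fails open (the next patch corrects the key). Because a missing or mistyped key degrades to "not required", consider making the check explicit and fail-closed on anything but a real boolean: `if (config('app.require_saml', false) === true) {`, with the value cast to bool where it is defined in `config/app.php`. The enclosing method starts before the hunk.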
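Review bot: The expanded description does not mention that the flag is now read through `config()` rather than `env()` (the first hunk of this patch makes that switch), so on an install with a cached configuration a change to `REQUIRE_SAML` in `.env` — including setting it back to `false` to recover from a broken IdP — takes effect only after `php artisan config:cache` is rerun. Suggested addition to the block: `| After changing this value run 'php artisan config:cache' if config caching is in use, otherwise the previous value remains in effect.`. The comment should also say plainly that when this is true and SAML is disabled or misconfigured nobody, administrators included, can log in through the web form, so it should be enabled only after SAML login has been verified end to end.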
From d99db5c63bc3525d1fa62bc5306031ce81bfa8ca Mon Sep 17 00:00:00 2001 From: Alex Janes Date: Thu, 16 Dec 2021 19:04:37 -0500 Subject: [PATCH 5/8] bug fix and formatting fix --- app/Http/Controllers/Auth/LoginController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index c82ffdc6f..00bd470cd 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php @@ -76,7 +76,7 @@ class LoginController extends Controller //If the environment is set to ALWAYS require SAML, go straight to the SAML route. //We don't need to check other settings, as this should override those. - if(config('REQUIRE_SAML')) + if(config('app.require_saml')) { return redirect()->route('saml.login'); } @@ -209,7 +209,7 @@ class LoginController extends Controller public function login(Request $request) { //If the environment is set to ALWAYS require SAML, return access denied - if(config('REQUIRE_SAML')) + if(config('app.require_saml')) { return view('errors.403'); } From a68ec8bb571c6e041498d70cd212316df0d0814c Mon Sep 17 00:00:00 2001 From: Alex Janes <38761237+adagioajanes@users.noreply.github.com> Date: Fri, 17 Dec 2021 18:52:42 -0500 Subject: [PATCH 6/8] Update LoginController.php Updated if statements to match convention exactly. --- app/Http/Controllers/Auth/LoginController.php | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php index 00bd470cd..996747c65 100644 --- a/app/Http/Controllers/Auth/LoginController.php +++ b/app/Http/Controllers/Auth/LoginController.php 
@@ -76,8 +76,7 @@ class LoginController extends Controller //If the environment is set to ALWAYS require SAML, go straight to the SAML route. //We don't need to check other settings, as this should override those. - if(config('app.require_saml')) - { + if(config('app.require_saml')) { return redirect()->route('saml.login'); } @@ -209,8 +208,7 @@ class LoginController extends Controller public function login(Request $request) { //If the environment is set to ALWAYS require SAML, return access denied - if(config('app.require_saml')) - { + if(config('app.require_saml')) { return view('errors.403'); } From 227ca6130133622ed0892641b75dc3ab55dbdfa1 Mon Sep 17 00:00:00 2001 From: Alex Janes Date: Sat, 18 Dec 2021 11:56:36 -0500 Subject: [PATCH 7/8] Changed phrasing of "SAML Force Login" to "SAML Default Login" (English only at this point) --- resources/lang/en-GB/admin/settings/general.php | 2 +- resources/lang/en-ID/admin/settings/general.php | 2 +- resources/lang/en/admin/settings/general.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/resources/lang/en-GB/admin/settings/general.php b/resources/lang/en-GB/admin/settings/general.php index 80497c6c6..959e82191 100644 --- a/resources/lang/en-GB/admin/settings/general.php +++ b/resources/lang/en-GB/admin/settings/general.php @@ -139,7 +139,7 @@ return array( 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.', 'saml_attr_mapping_username' => 'Attribute Mapping - Username', 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.', - 'saml_forcelogin_label' => 'SAML Force Login', + 'saml_forcelogin_label' => 'SAML Default Login', 'saml_forcelogin' => 'Make SAML the primary login', 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.', 'saml_slo_label' => 'SAML Single Log Out', 
diff --git a/resources/lang/en-ID/admin/settings/general.php b/resources/lang/en-ID/admin/settings/general.php index 4ccf1b0fa..9202b2fca 100644 --- a/resources/lang/en-ID/admin/settings/general.php +++ b/resources/lang/en-ID/admin/settings/general.php @@ -139,7 +139,7 @@ return array( 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.', 'saml_attr_mapping_username' => 'Attribute Mapping - Username', 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.', - 'saml_forcelogin_label' => 'SAML Force Login', + 'saml_forcelogin_label' => 'SAML Default Login', 'saml_forcelogin' => 'Make SAML the primary login', 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.', 'saml_slo_label' => 'SAML Single Log Out', diff --git a/resources/lang/en/admin/settings/general.php b/resources/lang/en/admin/settings/general.php index 24ea3d8ce..05f35dff8 100644 --- a/resources/lang/en/admin/settings/general.php +++ b/resources/lang/en/admin/settings/general.php @@ -139,7 +139,7 @@ return [ 'saml_idp_metadata_help' => 'You can specify the IdP metadata using a URL or XML file.', 'saml_attr_mapping_username' => 'Attribute Mapping - Username', 'saml_attr_mapping_username_help' => 'NameID will be used if attribute mapping is unspecified or invalid.', - 'saml_forcelogin_label' => 'SAML Force Login', + 'saml_forcelogin_label' => 'SAML Default Login', 'saml_forcelogin' => 'Make SAML the primary login', 'saml_forcelogin_help' => 'You can use \'/login?nosaml\' to get to the normal login page.', 'saml_slo_label' => 'SAML Single Log Out', From ead142cdf79d4109766c95489e15bb8ceb8bc842 Mon Sep 17 00:00:00 2001 From: Alex Janes Date: Sat, 18 Dec 2021 12:00:07 -0500 Subject: [PATCH 8/8] Corrected a tiny HTML typo in the SAML view. (Unrelated to this PR) --- resources/views/settings/saml.blade.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/resources/views/settings/saml.blade.php b/resources/views/settings/saml.blade.php index 3c1a7146f..d47776191 100644 --- a/resources/views/settings/saml.blade.php +++ b/resources/views/settings/saml.blade.php @@ -39,7 +39,7 @@

SAML -

+