diff --git a/app/controllers/UserController.php b/app/controllers/UserController.php
index f139b5e9..7bc50384 100644
--- a/app/controllers/UserController.php
+++ b/app/controllers/UserController.php
@@ -72,6 +72,7 @@ class UserController extends BaseController
 $openid_msg = $this->openid_memento_service->getCurrentRequest();
 $oauth2_msg = $this->oauth2_memento_service->getCurrentAuthorizationRequest();
+
 if (!is_null($openid_msg) && $openid_msg->isValid() && OpenIdAuthenticationRequest::IsOpenIdAuthenticationRequest($openid_msg)) {
 //openid stuff
 $this->beforeFilter('openid.save.request');
@@ -81,7 +82,7 @@ class UserController extends BaseController
 } else if (!is_null($oauth2_msg) && $oauth2_msg->isValid()) {
 $this->beforeFilter('oauth2.save.request');
 $this->beforeFilter('oauth2.needs.auth.request', array('only' => array('getConsent')));
- $this->login_strategy = new OAuth2LoginStrategy();
+ $this->login_strategy = new OAuth2LoginStrategy($auth_service, $oauth2_memento_service ,$user_action_service);
 $this->consent_strategy = new OAuth2ConsentStrategy($auth_service, $oauth2_memento_service, $scope_service, $client_service);
 } else {
 //default stuff
diff --git a/app/libs/auth/AuthService.php b/app/libs/auth/AuthService.php
index 313235bc..99259135 100644
--- a/app/libs/auth/AuthService.php
+++ b/app/libs/auth/AuthService.php
@@ -61,7 +61,6 @@ class AuthService implements IAuthService
 public function setUserAuthorizationResponse($auth_response)
 {
- //todo : check valid response
 Session::set("openid.authorization.response", $auth_response);
 }
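Review bot: The new `OAuth2LoginStrategy(...)` construction passes `$user_action_service`, a name the neighbouring OAuth2ConsentStrategy line does not use; the enclosing constructor starts outside the hunk, so confirm `$user_action_service` is actually one of its parameters — an undefined variable only raises a notice in PHP, and the typed constructor parameter added in OAuth2LoginStrategy would presumably then fail at runtime rather than at review time. The argument list also carries a stray space before the comma: `new OAuth2LoginStrategy($auth_service, $oauth2_memento_service, $user_action_service)`.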
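Review bot: Removing the `//todo : check valid response` comment from setUserAuthorizationResponse does not add the check it asked for; whatever is passed in is written to the session under `openid.authorization.response` and later compared against the IAuthService::AuthorizationResponse_* constants. Since this value presumably originates from the consent form POST, restrict it to the known constants before storing it, e.g. `if (!in_array($auth_response, array(IAuthService::AuthorizationResponse_DenyForever, IAuthService::AuthorizationResponse_DenyOnce, /* approve constant */), true)) throw new InvalidArgumentException('invalid authorization response');`. The approve constant's name is not visible in this diff, so the placeholder above needs filling from the interface.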
@@ -81,4 +80,27 @@ class AuthService implements IAuthService
 {
 return User::find($id);
 }
+
+ // Authentication
+
+ public function getUserAuthenticationResponse()
+ {
+ if (Session::has("openstackid.authentication.response")) {
+ $value = Session::get("openstackid.authentication.response");
+ return $value;
+ }
+ return IAuthService::AuthenticationResponse_None;
+ }
+
+ public function setUserAuthenticationResponse($auth_response)
+ {
+ Session::set("openstackid.authentication.response", $auth_response);
+ }
+
+ public function clearUserAuthenticationResponse()
+ {
+ if (Session::has("openstackid.authentication.response")) {
+ Session::remove("openstackid.authentication.response");
+ }
+ }
 }
\ No newline at end of file
diff --git a/app/libs/oauth2/grant_types/AuthorizationCodeGrantType.php b/app/libs/oauth2/grant_types/AuthorizationCodeGrantType.php
index b9fe4199..f3e5d9a4 100644
--- a/app/libs/oauth2/grant_types/AuthorizationCodeGrantType.php
+++ b/app/libs/oauth2/grant_types/AuthorizationCodeGrantType.php
@@ -145,6 +145,17 @@ class AuthorizationCodeGrantType extends AbstractGrantType
 throw new ScopeNotAllowedException(sprintf("scope %s", $scope));
 $state = $request->getState();
+
+ $authentication_response = $this->auth_service->getUserAuthenticationResponse();
+
+ if($authentication_response == IAuthService::AuthenticationResponse_Cancel){
+ //clear saved data ...
+ $this->memento_service->clearCurrentRequest();
+ $this->auth_service->clearUserAuthenticationResponse();
+ $this->auth_service->clearUserAuthorizationResponse();
+ throw new AccessDeniedException;
+ }
+
 //check user logged
 if (!$this->auth_service->isUserLogged()) {
 $this->memento_service->saveCurrentAuthorizationRequest();
diff --git a/app/libs/oauth2/grant_types/ImplicitGrantType.php b/app/libs/oauth2/grant_types/ImplicitGrantType.php
index 86eefbff..a8fcb8ea 100644
--- a/app/libs/oauth2/grant_types/ImplicitGrantType.php
+++ b/app/libs/oauth2/grant_types/ImplicitGrantType.php
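Review bot: setUserAuthenticationResponse stores `$auth_response` in the session unchecked and getUserAuthenticationResponse hands back whatever is there, which the grant types then compare with loose `==`; reject anything but the two constants at write time: `if (!in_array($auth_response, array(IAuthService::AuthenticationResponse_None, IAuthService::AuthenticationResponse_Cancel), true)) throw new InvalidArgumentException('invalid authentication response');`. The `$value` temporary in the getter adds nothing — `return Session::get("openstackid.authentication.response");` reads the same. The new methods key the session as `openstackid.authentication.response` while the existing authorization response in this class uses `openid.authorization.response`; one prefix, ideally a class constant shared by the three methods, keeps the keys from drifting. A docblock on the getter saying it returns AuthenticationResponse_None when nothing has been recorded would also help callers.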
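Review bot: The cancel test `$authentication_response == IAuthService::AuthenticationResponse_Cancel` uses loose comparison on an untyped session value (in PHP `true == "Cancel"` holds), so it should be `===`; the same `==` appears in the ImplicitGrantType hunk and in OpenIdAuthenticationRequestHandler::doSetupMode. The clear-and-throw block is also copied verbatim into those two files; a small helper on the auth service, or on the grant-type base class, that clears the memento request and both stored responses would keep the three in step. Note that `$state`, read on the line above, is not carried into the `AccessDeniedException`; whether the exception handler still returns `state` to the client on the error redirect, as RFC 6749 requires, is not visible here. The enclosing method starts and ends outside the hunk.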
@@ -140,6 +140,17 @@ class ImplicitGrantType extends AbstractGrantType
 $state = $request->getState();
 //check user logged
+
+ $authentication_response = $this->auth_service->getUserAuthenticationResponse();
+
+ if($authentication_response == IAuthService::AuthenticationResponse_Cancel){
+ //clear saved data ...
+ $this->memento_service->clearCurrentRequest();
+ $this->auth_service->clearUserAuthenticationResponse();
+ $this->auth_service->clearUserAuthorizationResponse();
+ throw new AccessDeniedException;
+ }
+
 if (!$this->auth_service->isUserLogged()) {
 $this->memento_service->saveCurrentAuthorizationRequest();
 return $this->auth_strategy->doLogin($this->memento_service->getCurrentAuthorizationRequest());
@@ -161,6 +172,9 @@ class ImplicitGrantType extends AbstractGrantType
 return $this->auth_strategy->doConsent($this->memento_service->getCurrentAuthorizationRequest());
 } else if ($authorization_response == IAuthService::AuthorizationResponse_DenyOnce) {
+ //clear saved data ...
+ $this->memento_service->clearCurrentRequest();
+ $this->auth_service->clearUserAuthorizationResponse();
 throw new AccessDeniedException;
 }
 //save possitive consent
diff --git a/app/libs/oauth2/requests/OAuth2AuthorizationRequest.php b/app/libs/oauth2/requests/OAuth2AuthorizationRequest.php
index f7118a94..9cd79fe2 100644
--- a/app/libs/oauth2/requests/OAuth2AuthorizationRequest.php
+++ b/app/libs/oauth2/requests/OAuth2AuthorizationRequest.php
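Review bot: The `//check user logged` comment now sits above the inserted cancel block instead of above the `if (!$this->auth_service->isUserLogged())` test it describes; move it to the line before that `if`, as the AuthorizationCodeGrantType hunk keeps it, and give the cancel block its own line such as `// user dismissed the login form: drop the saved request and answer access_denied`. The DenyOnce branch in the second hunk of this file repeats two of the same clear calls before its throw; a private helper in this class that resets the saved request and stored responses would keep the two branches identical. The enclosing method begins and ends outside these hunks.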
@@ -18,11 +18,13 @@ class OAuth2AuthorizationRequest extends OAuth2Request {
 }
 public static $params = array(
- OAuth2Protocol::OAuth2Protocol_ResponseType => OAuth2Protocol::OAuth2Protocol_ResponseType,
- OAuth2Protocol::OAuth2Protocol_ClientId => OAuth2Protocol::OAuth2Protocol_ClientId,
- OAuth2Protocol::OAuth2Protocol_RedirectUri => OAuth2Protocol::OAuth2Protocol_RedirectUri,
- OAuth2Protocol::OAuth2Protocol_Scope => OAuth2Protocol::OAuth2Protocol_Scope,
- OAuth2Protocol::OAuth2Protocol_State => OAuth2Protocol::OAuth2Protocol_State
+ OAuth2Protocol::OAuth2Protocol_ResponseType => OAuth2Protocol::OAuth2Protocol_ResponseType,
+ OAuth2Protocol::OAuth2Protocol_ClientId => OAuth2Protocol::OAuth2Protocol_ClientId,
+ OAuth2Protocol::OAuth2Protocol_RedirectUri => OAuth2Protocol::OAuth2Protocol_RedirectUri,
+ OAuth2Protocol::OAuth2Protocol_Scope => OAuth2Protocol::OAuth2Protocol_Scope,
+ OAuth2Protocol::OAuth2Protocol_State => OAuth2Protocol::OAuth2Protocol_State,
+ OAuth2Protocol::OAuth2Protocol_Approval_Prompt => OAuth2Protocol::OAuth2Protocol_Approval_Prompt,
+ OAuth2Protocol::OAuth2Protocol_AccessType => OAuth2Protocol::OAuth2Protocol_AccessType,
 );
 /**
diff --git a/app/libs/openid/handlers/OpenIdAuthenticationRequestHandler.php b/app/libs/openid/handlers/OpenIdAuthenticationRequestHandler.php
index 36fc543b..55ba88e1 100644
--- a/app/libs/openid/handlers/OpenIdAuthenticationRequestHandler.php
+++ b/app/libs/openid/handlers/OpenIdAuthenticationRequestHandler.php
@@ -151,7 +151,16 @@ class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
 private function doSetupMode()
 {
- if (!$this->auth_service->isUserLogged())
+ $authentication_response = $this->auth_service->getUserAuthenticationResponse();
+ if($authentication_response == IAuthService::AuthenticationResponse_Cancel){
+ //clear saved data ...
+ $this->memento_service->clearCurrentRequest();
+ $this->auth_service->clearUserAuthenticationResponse();
+ $this->auth_service->clearUserAuthorizationResponse();
+ return new OpenIdNonImmediateNegativeAssertion($this->current_request->getReturnTo());
+ }
+
+ if (!$this->auth_service->isUserLogged())
 return $this->doLogin();
 //user already logged
@@ -163,7 +172,7 @@ class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
 $current_identity = $this->current_request->getIdentity();
 // check is claimed identity match with current one
 // if not logs out and do re login
- $current_user = $this->auth_service->getCurrentUser();
+ $current_user = $this->auth_service->getCurrentUser();
 if (is_null($current_user))
 throw new Exception("User not set!");
@@ -372,6 +381,7 @@ class OpenIdAuthenticationRequestHandler extends OpenIdMessageHandler
 if (!$this->auth_service->isUserLogged()) {
 return new OpenIdImmediateNegativeAssertion($this->current_request->getReturnTo());
 }
+ $currentUser = $this->auth_service->getCurrentUser();
 $this->current_request_context->cleanTrustedData();
diff --git a/app/libs/utils/services/IAuthService.php b/app/libs/utils/services/IAuthService.php
index 7d8d7391..6675d34e 100644
--- a/app/libs/utils/services/IAuthService.php
+++ b/app/libs/utils/services/IAuthService.php
@@ -11,6 +11,9 @@ interface IAuthService
 const AuthorizationResponse_DenyForever = "DenyForever";
 const AuthorizationResponse_DenyOnce = "DenyOnce";
+ const AuthenticationResponse_None = "None";
+ const AuthenticationResponse_Cancel = "Cancel";
+
 /**
 * @return bool
 */
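Review bot: doSetupMode consumes the Cancel flag before the logged-in test, but the immediate-mode path later in this file (the hunk at new line 381, which returns OpenIdImmediateNegativeAssertion when nobody is logged in) does not look at it, so a Cancel recorded for a setup-mode request that never reaches doSetupMode — for instance when the saved request is already gone by the time the endpoint is hit — would, as far as these hunks show, stay in the session and cancel the user's next setup-mode request. Clearing the authentication response whenever a new request is accepted, or on successful login, bounds the flag's lifetime; confirm against the code outside the hunk. The `==` on the flag comparison should be `===`, for the same reason as in the grant types. The enclosing method continues past the hunk.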
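Review bot: The two new AuthenticationResponse_* constants have no documentation, although they sit next to the AuthorizationResponse_* constants they mirror and a reader has to work out that one family is about the login step and the other about consent. A comment above them such as `// outcome of the interactive login step: None = nothing recorded yet, Cancel = user dismissed the login form` would settle that, and noting that `None` is what getUserAuthenticationResponse returns when the session holds nothing documents the getter's default where callers will look for it.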
@@ -33,7 +36,13 @@ interface IAuthService
 public function setUserAuthorizationResponse($auth_response);
- public function clearUserAuthorizationResponse();
+ public function clearUserAuthorizationResponse();
+
+ public function getUserAuthenticationResponse();
+
+ public function setUserAuthenticationResponse($auth_response);
+
+ public function clearUserAuthenticationResponse();
 public function logout();
diff --git a/app/strategies/OAuth2LoginStrategy.php b/app/strategies/OAuth2LoginStrategy.php
index 67aeceab..abb97e17 100644
--- a/app/strategies/OAuth2LoginStrategy.php
+++ b/app/strategies/OAuth2LoginStrategy.php
@@ -3,12 +3,30 @@ namespace strategies;
 use Auth;
+use oauth2\services\IMementoOAuth2AuthenticationRequestService;
 use Redirect;
 use View;
+use services\IUserActionService;
+use utils\services\IAuthService;
+use utils\IPHelper;
 class OAuth2LoginStrategy implements ILoginStrategy{
- public function getLogin()
+ private $memento_service;
+ private $user_action_service;
+ private $auth_service;
+
+ public function __construct(IAuthService $auth_service,
+ IMementoOAuth2AuthenticationRequestService $memento_service,
+ IUserActionService $user_action_service
+ )
+ {
+ $this->memento_service = $memento_service;
+ $this->user_action_service = $user_action_service;
+ $this->auth_service = $auth_service;
+ }
+
+ public function getLogin()
 {
 if (Auth::guest()) {
 return View::make("login");
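Review bot: The three new interface methods carry no docblocks, while the interface already annotates its methods (the `@return bool` block visible in the previous hunk). Add `/** @return string one of the AuthenticationResponse_* constants, AuthenticationResponse_None when nothing is recorded */` on getUserAuthenticationResponse, `/** @param string $auth_response one of the AuthenticationResponse_* constants */` on setUserAuthenticationResponse, and a line on clearUserAuthenticationResponse saying it is a no-op when nothing is stored, which is what the AuthService implementation in this diff does. The `clearUserAuthorizationResponse` remove/add pair is a whitespace-only change and could be dropped from the commit.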
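Review bot: getLogin still asks the `Auth` facade (`if (Auth::guest())`) whether a user is present, while the class now receives an IAuthService whose isUserLogged() the grant-type hunks call for the same question; using the injected service consistently, `if (!$this->auth_service->isUserLogged())`, removes a hidden static dependency from a class that was just made injectable, and then `use Auth;` can go. A smaller point of style: `use utils\IPHelper;` is listed after `use utils\services\IAuthService;`, breaking the otherwise alphabetical import order. getLogin's body ends outside the hunk.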
@@ -17,13 +35,16 @@ class OAuth2LoginStrategy implements ILoginStrategy{
 }
 }
- public function postLogin()
+ public function postLogin()
 {
+ $auth_request = $this->memento_service->getCurrentAuthorizationRequest();
+ $this->user_action_service->addUserAction($this->auth_service->getCurrentUser(), IPHelper::getUserIp(), IUserActionService::LoginAction, $auth_request->getRedirectUri() );
 return Redirect::action("OAuth2ProviderController@authorize");
 }
- public function cancelLogin()
+ public function cancelLogin()
 {
+ $this->auth_service->setUserAuthenticationResponse(IAuthService::AuthenticationResponse_Cancel);
 return Redirect::action("OAuth2ProviderController@authorize");
 }
 }
\ No newline at end of file
diff --git a/app/strategies/OpenIdLoginStrategy.php b/app/strategies/OpenIdLoginStrategy.php
index 18206816..b206cb12 100644
--- a/app/strategies/OpenIdLoginStrategy.php
+++ b/app/strategies/OpenIdLoginStrategy.php
@@ -60,10 +60,7 @@ class OpenIdLoginStrategy implements ILoginStrategy
 public function cancelLogin()
 {
- $msg = $this->memento_service->getCurrentRequest();
- $cancel_response = new OpenIdNonImmediateNegativeAssertion();
- $cancel_response->setReturnTo($msg->getParam(OpenIdProtocol::OpenIDProtocol_ReturnTo));
- $strategy = OpenIdResponseStrategyFactoryMethod::buildStrategy($cancel_response);
- return $strategy->handle($cancel_response);
+ $this->auth_service->setUserAuthenticationResponse(IAuthService::AuthenticationResponse_Cancel);
+ return Redirect::action("OpenIdProviderController@endpoint");
 }
 }
\ No newline at end of file
diff --git a/app/views/oauth2/consent.blade.php b/app/views/oauth2/consent.blade.php
index 09c69d18..ba37e0e2 100644
--- a/app/views/oauth2/consent.blade.php
+++ b/app/views/oauth2/consent.blade.php
@@ -37,7 +37,7 @@
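Review bot: postLogin calls `$auth_request->getRedirectUri()` without a null check, yet getCurrentAuthorizationRequest() can return null — UserController guards the very same call with `!is_null($oauth2_msg)` — so a POST that lands after the saved request has expired or been cleared would fail on a null object instead of redirecting. Guard it with `$redirect_uri = is_null($auth_request) ? null : $auth_request->getRedirectUri();` and pass `$redirect_uri` to addUserAction if that method accepts a null target, or skip the audit entry when there is no request. The same question applies to `$this->auth_service->getCurrentUser()` if postLogin can run before the login succeeded; that ordering is not visible here.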
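Review bot: The rewritten cancelLogin depends on `$this->auth_service` and on `Redirect` and `IAuthService` being imported, none of which this hunk introduces; unlike OAuth2LoginStrategy, this file's constructor and `use` block are not in the diff, so confirm the property is assigned and the imports exist, otherwise the failure is a runtime error reachable only by clicking cancel. Behaviourally the cancel no longer answers the relying party directly but records a session flag and redirects to the endpoint; if no saved request is present when the endpoint is hit, nothing consumes that flag and, as far as the diff shows, it would cancel the user's next authorization attempt. Clearing the authentication response whenever a new request is accepted avoids that.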

** {{$app_name}} Application and Openstack will use this information in accordance with their respective terms of service and privacy policies.

- {{ Form::open(array('url' => '/accounts/user/consent','id'=>'authorization_form', 'method' => 'post', "autocomplete" => "off")) }}
+ {{ Form::open(array('url' => URL::action("UserController@postConsent") ,'id'=>'authorization_form', 'method' => 'post', "autocomplete" => "off")) }}
diff --git a/app/views/openid/consent.blade.php b/app/views/openid/consent.blade.php
index e723c645..c95ea8fb 100644
--- a/app/views/openid/consent.blade.php
+++ b/app/views/openid/consent.blade.php
@@ -12,7 +12,7 @@ Welcome, {{Auth::user() @section('content')

OpenstackId - Openid verification

- {{ Form::open(array('url' => '/accounts/user/consent','id'=>'authorization_form', 'method' => 'post', "autocomplete" => "off")) }} + {{ Form::open(array('url' => URL::action("UserController@postConsent"),'id'=>'authorization_form', 'method' => 'post', "autocomplete" => "off")) }}
Sign in to {{ $realm }} using your openstackid