garrettmills
97096f619f
All checks were successful
continuous-integration/drone/push Build is passing
94 lines
3.7 KiB
JavaScript
94 lines
3.7 KiB
JavaScript
const { Controller } = require('libflitter')
|
|
const FlitterProfileMapper = require('../../classes/saml/FlitterProfileMapper')
|
|
const samlp = require('samlp')
|
|
|
|
class SAMLController extends Controller {
|
|
static get services() {
|
|
return [...super.services, 'saml', 'output', 'Vue', 'configs', 'models']
|
|
}
|
|
|
|
async get_metadata(req, res, next) {
|
|
return samlp.metadata({
|
|
issuer: this.saml.config().provider_name,
|
|
cert: await this.saml.public_cert(),
|
|
logoutEndpointPaths: {
|
|
redirect: '/saml/logout',
|
|
},
|
|
redirectEndpointPath: '/saml/sso',
|
|
postEndpointPath: '/saml/sso',
|
|
})(req, res, next)
|
|
}
|
|
|
|
async get_sso(req, res, next) {
|
|
const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })
|
|
|
|
// Apply the appropriate IAM policy if this SAML SP is associated with an App
|
|
// If the SAML service provider has no associated application, just allow it
|
|
// TODO test this
|
|
const associated_app = await req.saml_request.service_provider.application()
|
|
if ( associated_app ) {
|
|
const Policy = this.models.get('iam:Policy')
|
|
const can_access = await Policy.check_user_access(req.user, associated_app.id)
|
|
if ( !can_access ) {
|
|
return this.Vue.auth_message(res, {
|
|
message: req.T('saml.no_access').replace('APP_NAME', associated_app.name),
|
|
next_destination: '/dash',
|
|
})
|
|
}
|
|
}
|
|
|
|
return samlp.auth({
|
|
issuer: this.saml.config().provider_name,
|
|
cert: await this.saml.public_cert(),
|
|
key: await this.saml.private_key(),
|
|
getPostURL: (wtrealm, wreply, req, callback) => {
|
|
this.output.debug(`${req.T('saml.redirect_url')} ${req.saml_request.service_provider.acs_url}`)
|
|
return callback(null, req.saml_request.service_provider.acs_url) // fetch this from registered SAML app
|
|
},
|
|
profileMapper: user => new FlitterProfileMapper(user),
|
|
destination: req.saml_request.service_provider.acs_url,
|
|
sessionIndex: index,
|
|
})(req, res, next)
|
|
}
|
|
|
|
async post_logout(req, res, next) {
|
|
return res.api({
|
|
saml: req.saml_request,
|
|
body: req.body,
|
|
query: req.query,
|
|
})
|
|
}
|
|
|
|
async get_logout(req, res, next) {
|
|
return samlp.logout({
|
|
deflate: true,
|
|
issuer: this.saml.config().provider_name,
|
|
cert: await this.saml.public_cert(),
|
|
key: await this.saml.private_key(),
|
|
protocolBinding: 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect',
|
|
clearIdPSession: done => {
|
|
this.output.info(`${req.T('saml.clear_idp_session')} ${req.user.uid.toLowerCase()}`)
|
|
req.saml.participants.clear().then(async () => {
|
|
if ( this.saml.config().slo.end_coreid_session ) {
|
|
await req.user.logout(req)
|
|
|
|
// show logout page
|
|
return this.Vue.auth_message(res, {
|
|
message: req.T('auth.logged_out'),
|
|
next_destination: '/',
|
|
})
|
|
} else {
|
|
return this.Vue.auth_message(res, {
|
|
message: req.T('auth.logged_out'),
|
|
next_destination: '/',
|
|
})
|
|
}
|
|
})
|
|
},
|
|
sessionParticipants: await req.saml.participants.wrapper(),
|
|
})(req, res, next)
|
|
}
|
|
}
|
|
|
|
module.exports = exports = SAMLController
|