fail safe sso logouts, fixes #4731

Closes #4731 Merge request studip/studip!3528

fail safe sso logouts, fixes #4731
c73036f2 · Jan-Hendrik Willms · 38df3d04 · c73036f2 · c73036f2 · c73036f2
Commit c73036f2 authored 6 months ago by Jan-Hendrik Willms
--- a/lib/classes/auth_plugins/StudipAuthAbstract.php
+++ b/lib/classes/auth_plugins/StudipAuthAbstract.php
@@ -125,7 +125,7 @@ class StudipAuthAbstract
                self::$plugin_instances[strtoupper($plugin)] = new $plugin_class($config);
            }
        }
-        return ($plugin_name) ? self::$plugin_instances[strtoupper($plugin_name)]??null : self::$plugin_instances;
+        return $plugin_name ? self::$plugin_instances[strtoupper($plugin_name)] ?? null : self::$plugin_instances;
    }

    /**

--- a/lib/classes/auth_plugins/StudipAuthCAS.php
+++ b/lib/classes/auth_plugins/StudipAuthCAS.php
@@ -18,41 +18,53 @@ class StudipAuthCAS extends StudipAuthSSO

    public $userdata;

+    private $initialized = false;
+
    /**
     * Constructor
     */
    public function __construct($config = [])
    {
        parent::__construct($config);
+
        if (!isset($this->plugin_fullname)) {
            $this->plugin_fullname = _('CAS');
        }
        if (!isset($this->login_description)) {
            $this->login_description = _('für Single Sign On mit CAS');
        }
-        if (Request::get('sso') === $this->plugin_name) {
-            if ($this->proxy) {
-                URLHelper::setBaseUrl($GLOBALS['ABSOLUTE_URI_STUDIP']);
-                phpCAS::proxy(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
-                phpCAS::setPGTStorage(new CAS_PGTStorage_Cache(phpCAS::getCasClient()));
-                phpCAS::setFixedCallbackURL(URLHelper::getURL('dispatch.php/cas/proxy'));
-            } else {
-                phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
-            }
-
-            if (isset($this->cacert)) {
-                phpCAS::setCasServerCACert($this->cacert);
-            } else {
-                phpCAS::setNoCasServerValidation();
-            }
+    }
+
+    private function initializeClient(): void
+    {
+        if ($this->initialized) {
+            return;
+        }
+
+        if ($this->proxy) {
+            URLHelper::setBaseUrl($GLOBALS['ABSOLUTE_URI_STUDIP']);
+            phpCAS::proxy(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
+            phpCAS::setPGTStorage(new CAS_PGTStorage_Cache(phpCAS::getCasClient()));
+            phpCAS::setFixedCallbackURL(URLHelper::getURL('dispatch.php/cas/proxy'));
+        } else {
+            phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
+        }
+
+        if (isset($this->cacert)) {
+            phpCAS::setCasServerCACert($this->cacert);
+        } else {
+            phpCAS::setNoCasServerValidation();
        }
+
+        $this->initialized = true;
    }

    /**
     * Return the current username.
     */
-    function getUser()
+    public function getUser()
    {
+        $this->initializeClient();
        return phpCAS::getUser();
    }

@@ -60,19 +72,23 @@ class StudipAuthCAS extends StudipAuthSSO
     * Validate the username passed to the auth plugin.
     * Note: This triggers authentication if needed.
     */
-    function verifyUsername($username)
+    public function verifyUsername($username)
    {
+        $this->initializeClient();
        phpCAS::forceAuthentication();
        return $this->getUser();
    }

-    function getUserData($key)
+    public function getUserData($key)
    {
        $userdataclassname = $this->user_data_mapping_class;
        if (!class_exists($userdataclassname)) {
            Log::error($this->plugin_name . ': no userdataclassname specified or found.');
            return;
        }
+
+        $this->initializeClient();
+
        // get the userdata
        if (empty($this->userdata)) {
            $this->userdata = new $userdataclassname();
@@ -82,6 +98,8 @@ class StudipAuthCAS extends StudipAuthSSO

    public function logout(): void
    {
+        $this->initializeClient();
+
        // do a global cas logout
        phpCAS::client(CAS_VERSION_2_0, $this->host, $this->port, $this->uri, false);
        phpCAS::logout();

--- a/lib/classes/auth_plugins/StudipAuthOAuth2.php
+++ b/lib/classes/auth_plugins/StudipAuthOAuth2.php
@@ -20,7 +20,7 @@ final class StudipAuthOAuth2 extends StudipAuthSSO

    protected ?string $logout_url = null;

-    private GenericProvider $oauth2_provider;
+    private ?GenericProvider $client = null;

    private ?array $user_data = null;

@@ -31,8 +31,11 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
        if (!isset($this->plugin_fullname)) {
            $this->plugin_fullname = _('OAuth2');
        }
+    }

-        if (Request::option('sso') === $this->plugin_name) {
+    private function getProvider(): GenericProvider
+    {
+        if ($this->client === null) {
            $options = [
                'clientId' => $this->client_id,
                'clientSecret' => $this->client_secret,
@@ -47,8 +50,10 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
                $options['verify'] = false;
            }

-            $this->oauth2_provider = new GenericProvider($options);
+            $this->client = new GenericProvider($options);
        }
+
+        return $this->client;
    }

    public function getUser()
@@ -63,10 +68,10 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
        }

        if (!Request::get('code')) {
-            $authorizationUrl = $this->oauth2_provider->getAuthorizationUrl(['scope' => 'profile email']);
+            $authorizationUrl = $this->getProvider()->getAuthorizationUrl(['scope' => 'profile email']);

            $_SESSION[self::class] = [
-                'state' => $this->oauth2_provider->getState(),
+                'state' => $this->getProvider()->getState(),
                'redirect' => Request::url(),
            ];

@@ -82,11 +87,11 @@ final class StudipAuthOAuth2 extends StudipAuthSSO
                unset($_SESSION[self::class]);
            }
        } else {
-            $accessToken = $this->oauth2_provider->getAccessToken('authorization_code', [
+            $accessToken = $this->getProvider()->getAccessToken('authorization_code', [
                'code' => Request::get('code'),
            ]);

-            $resourceOwner = $this->oauth2_provider->getResourceOwner($accessToken);
+            $resourceOwner = $this->getProvider()->getResourceOwner($accessToken);

            $this->user_data = $resourceOwner->toArray();


--- a/lib/classes/auth_plugins/StudipAuthOIDC.php
+++ b/lib/classes/auth_plugins/StudipAuthOIDC.php
@@ -17,7 +17,7 @@ class StudipAuthOIDC extends StudipAuthSSO
    /**
     * @var OpenIDConnectClient
     */
-    private $oidc;
+    private $oidc = null;

    /**
     * @var string
@@ -32,14 +32,9 @@ class StudipAuthOIDC extends StudipAuthSSO
     */
    public $client_secret;

-
-    /**
-     * @param array $config
-     */
-    public function __construct($config = [])
+    private function getClient(): OpenIDConnectClient
    {
-        parent::__construct($config);
-        if (Request::get('sso') === $this->plugin_name) {
+        if ($this->oidc === null) {
            $this->oidc = new OpenIDConnectClient($this->provider_url, $this->client_id, $this->client_secret);
            if (isset($this->ssl_options)) {
                foreach ($this->ssl_options as $option_key => $option_value) {
@@ -47,14 +42,18 @@ class StudipAuthOIDC extends StudipAuthSSO
                        $this->oidc->{'set' . $option_key}($option_value);
                    }
                }
-                if (Config::get()->HTTP_PROXY) {
-                    $this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
-                }
-                $return_url = URLHelper::getScriptURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes']);
-                $this->oidc->setRedirectURL($return_url);
-                $this->oidc->addScope(['openid', 'email', 'profile']);
            }
+
+            if (Config::get()->HTTP_PROXY) {
+                $this->oidc->setHttpProxy(Config::get()->HTTP_PROXY);
+            }
+
+            $return_url = URLHelper::getScriptURL($GLOBALS['ABSOLUTE_URI_STUDIP'] . 'index.php', ['sso' => $this->plugin_name, 'again' => 'yes']);
+            $this->oidc->setRedirectURL($return_url);
+            $this->oidc->addScope(['openid', 'email', 'profile']);
        }
+
+        return $this->oidc;
    }

    /**
@@ -68,8 +67,8 @@ class StudipAuthOIDC extends StudipAuthSSO
     */
    public function verifyUsername($username)
    {
-        $this->oidc->authenticate();
-        $this->userdata = (array)$this->oidc->requestUserInfo();
+        $this->getClient()->authenticate();
+        $this->userdata = (array) $this->getClient()->requestUserInfo();
        if (isset($this->userdata['sub'])) {
            return $this->userdata['username'] = $this->userdata['sub'] . '@' . $this->domain;
        } else {
@@ -82,7 +81,7 @@ class StudipAuthOIDC extends StudipAuthSSO
     */
    public function getUser()
    {
-        return $this->userdata['username'];
+        return $this->getUserData('username');
    }

    /**
@@ -100,8 +99,7 @@ class StudipAuthOIDC extends StudipAuthSSO
     *
     * @see https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims
     *
-     * @param string  key
-     *
+     * @param string  $key
     * @return  string  parameter value (null if not set)
     */
    public function getUserData($key)
@@ -111,6 +109,9 @@ class StudipAuthOIDC extends StudipAuthSSO

    public function logout(): void
    {
-        $this->oidc->signOut($this->oidc->getIdToken(), null);
+        $this->getClient()->signOut(
+            $this->getClient()->getIdToken(),
+            null
+        );
    }
 }