activate usage of proxy vars if symfony detects a trusted one

kimai · Jan 30, 2020 · 04223e0 · 04223e0
1 parent b2868f9
commit 04223e0
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 14 deletions.
diff --git a/config/services-saml.yaml b/config/services-saml.yaml
@@ -5,12 +5,15 @@ services:
     # SAML
     # ================================================================================
 
+    App\Saml\SamlAuth:
+        alias: onelogin_auth
+
     OneLogin\Saml2\Auth:
         alias: onelogin_auth
 
     onelogin_auth:
-        class: OneLogin\Saml2\Auth
-        arguments: ['%kimai.saml.connection%']
+        class: App\Saml\SamlAuth
+        arguments: ['@request_stack', '%kimai.saml.connection%']
 
     App\Saml\User\SamlUserFactory:
         arguments: ['%kimai.saml%']

diff --git a/src/Saml/Controller/SamlController.php b/src/Saml/Controller/SamlController.php
@@ -9,7 +9,7 @@
 
 namespace App\Saml\Controller;
 
-use OneLogin\Saml2\Auth;
+use App\Saml\SamlAuth;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -22,11 +22,11 @@
 final class SamlController extends AbstractController
 {
     /**
-     * @var Auth
+     * @var SamlAuth
      */
     private $oneLoginAuth;
 
-    public function __construct(Auth $oneLoginAuth)
+    public function __construct(SamlAuth $oneLoginAuth)
     {
         $this->oneLoginAuth = $oneLoginAuth;
     }

diff --git a/src/Saml/Logout/SamlLogoutHandler.php b/src/Saml/Logout/SamlLogoutHandler.php
@@ -9,8 +9,8 @@
 
 namespace App\Saml\Logout;
 
+use App\Saml\SamlAuth;
 use Hslavich\OneloginSamlBundle\Security\Authentication\Token\SamlTokenInterface;
-use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Error;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -20,11 +20,11 @@
 final class SamlLogoutHandler implements LogoutHandlerInterface
 {
     /**
-     * @var Auth
+     * @var SamlAuth
      */
     private $samlAuth;
 
-    public function __construct(Auth $samlAuth)
+    public function __construct(SamlAuth $samlAuth)
     {
         $this->samlAuth = $samlAuth;
     }

diff --git a/src/Saml/SamlAuth.php b/src/Saml/SamlAuth.php
@@ -0,0 +1,26 @@
+<?php
+
+/*
+ * This file is part of the Kimai time-tracking app.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace App\Saml;
+
+use OneLogin\Saml2\Auth;
+use OneLogin\Saml2\Utils;
+use Symfony\Component\HttpFoundation\RequestStack;
+
+class SamlAuth extends Auth
+{
+    public function __construct(RequestStack $request, array $settings = null)
+    {
+        parent::__construct($settings);
+
+        if (null !== $request->getMasterRequest() && $request->getMasterRequest()->isFromTrustedProxy()) {
+            Utils::setProxyVars(true);
+        }
+    }
+}
diff --git a/tests/Mocks/Saml/SamlAuthFactory.php b/tests/Mocks/Saml/SamlAuthFactory.php
@@ -9,12 +9,14 @@
 
 namespace App\Tests\Mocks\Saml;
 
+use App\Saml\SamlAuth;
 use App\Tests\Mocks\AbstractMockFactory;
-use OneLogin\Saml2\Auth;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
 
 class SamlAuthFactory extends AbstractMockFactory
 {
-    public function create(?array $connection = null): Auth
+    public function create(?array $connection = null): SamlAuth
     {
         if (null === $connection) {
             $connection = [
@@ -74,6 +76,9 @@ public function create(?array $connection = null): Auth
             ];
         }
 
-        return new Auth($connection);
+        $requestStack = new RequestStack();
+        $requestStack->push(new Request());
+
+        return new SamlAuth($requestStack, $connection);
     }
 }
diff --git a/tests/Saml/Logout/SamlLogoutHandlerTest.php b/tests/Saml/Logout/SamlLogoutHandlerTest.php
@@ -11,8 +11,8 @@
 
 use App\Entity\User;
 use App\Saml\Logout\SamlLogoutHandler;
+use App\Saml\SamlAuth;
 use Hslavich\OneloginSamlBundle\Security\Authentication\Token\SamlToken;
-use OneLogin\Saml2\Auth;
 use OneLogin\Saml2\Error;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
@@ -25,7 +25,7 @@ class SamlLogoutHandlerTest extends TestCase
 {
     public function testLogout()
     {
-        $auth = $this->getMockBuilder(Auth::class)->disableOriginalConstructor()->getMock();
+        $auth = $this->getMockBuilder(SamlAuth::class)->disableOriginalConstructor()->getMock();
         $auth->expects($this->once())->method('processSLO')->willThrowException(new Error('blub'));
         $auth->expects($this->once())->method('getSLOurl')->willReturn('');
 
@@ -39,7 +39,7 @@ public function testLogout()
 
     public function testLogoutWithLogoutUrl()
     {
-        $auth = $this->getMockBuilder(Auth::class)->disableOriginalConstructor()->getMock();
+        $auth = $this->getMockBuilder(SamlAuth::class)->disableOriginalConstructor()->getMock();
         $auth->expects($this->once())->method('processSLO')->willThrowException(new Error('blub'));
         $auth->expects($this->once())->method('getSLOurl')->willReturn('/logout');
         $auth->expects($this->once())->method('logout')->willReturnCallback(function () {