From 24969821cf1dfcf3d76467be82ace3276878ddf4 Mon Sep 17 00:00:00 2001
From: Damien <damien.burel@maarch.org>
Date: Fri, 8 Jan 2021 16:22:42 +0100
Subject: [PATCH] FIX #14594 TIME 5:30 WIP azure saml connection

---
 apps/maarch_entreprise/xml/login_method.xml   |  4 +++
 .../controllers/AuthenticationController.php  | 32 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/apps/maarch_entreprise/xml/login_method.xml b/apps/maarch_entreprise/xml/login_method.xml
index 240d769031b..99f4b9363d9 100755
--- a/apps/maarch_entreprise/xml/login_method.xml
+++ b/apps/maarch_entreprise/xml/login_method.xml
@@ -24,4 +24,8 @@
         <ID>openam</ID>
         <ENABLED>false</ENABLED>
     </METHOD>
+    <METHOD>
+        <ID>azure_saml</ID>
+        <ENABLED>false</ENABLED>
+    </METHOD>
 </ROOT>
diff --git a/src/core/controllers/AuthenticationController.php b/src/core/controllers/AuthenticationController.php
index 21617588579..829712c9f78 100755
--- a/src/core/controllers/AuthenticationController.php
+++ b/src/core/controllers/AuthenticationController.php
@@ -315,6 +315,15 @@ class AuthenticationController
             if (!AuthenticationController::isUserAuthorized(['login' => $login])) {
                 return $response->withStatus(403)->withJson(['errors' => 'Authentication unauthorized']);
             }
+        } elseif ($loggingMethod['id'] == 'azure_saml') {
+            $authenticated = AuthenticationController::azureSamlConnection();
+            if (!empty($authenticated['errors'])) {
+                return $response->withStatus(401)->withJson(['errors' => $authenticated['errors']]);
+            }
+            $login = strtolower($authenticated['login']);
+            if (!AuthenticationController::isUserAuthorized(['login' => $login])) {
+                return $response->withStatus(403)->withJson(['errors' => 'Authentication unauthorized']);
+            }
         } else {
             return $response->withStatus(403)->withJson(['errors' => 'Logging method unauthorized']);
         }
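Review bot: Every failure reported by azureSamlConnection() is mapped to a 401 on the added `return $response->withStatus(401)->withJson(['errors' => $authenticated['errors']]);` line, including the 'Library simplesamlphp not present' case the new helper returns, which is a deployment misconfiguration rather than a failed login; consider logging that branch and answering with a 5xx status so the operator sees it instead of the client retrying credentials. The loose `==` on `$loggingMethod['id']` mirrors the neighbouring branches but would be `===` under strict comparison. The enclosing method starts and ends outside this hunk.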
@@ -635,6 +644,29 @@ class AuthenticationController
         return ['login' => $login];
     }
 
+    private static function azureSamlConnection()
+    {
+        $libDir = CoreConfigModel::getLibrariesDirectory();
+        if (!is_file($libDir . 'simplesamlphp/lib/_autoload.php')) {
+            return ['errors' => 'Library simplesamlphp not present'];
+        }
+
+        require_once($libDir . 'simplesamlphp/lib/_autoload.php');
+        $as = new \SimpleSAML\Auth\Simple('default-sp');
+        $as->requireAuth([
+            'ReturnTo'          => UrlController::getCoreUrl(),
+            'skipRedirection'   => true
+        ]);
+
+        $attributes = $as->getAttributes();
+        $login = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0];
+        if (empty($login)) {
+            return ['errors' => 'Authentication Failed : login not present in attributes'];
+        }
+
+        return ['login' => $login];
+    }
+
     public function getRefreshedToken(Request $request, Response $response)
     {
         $queryParams = $request->getQueryParams();
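Review bot: The attribute lookup `$attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0]` is evaluated before the empty() check, so a response that lacks the email claim raises an undefined-index warning (an exception under a converting error handler) before the error path is reached; read it with `?? ''` instead. The `skipRedirection` option is non-standard and presumably makes requireAuth() return for an unauthenticated session rather than redirecting; in that case the code infers success from the presence of an attribute, so an explicit `$as->isAuthenticated()` check after requireAuth() makes the contract clear. A one-line docblock stating that the method returns either `['login' => string]` or `['errors' => string]` would also help callers, since the method has no return type.

```php
        $as->requireAuth([
            'ReturnTo'          => UrlController::getCoreUrl(),
            'skipRedirection'   => true
        ]);
        if (!$as->isAuthenticated()) {
            return ['errors' => 'Authentication Failed : SAML session not authenticated'];
        }

        $attributes = $as->getAttributes();
        $login = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'][0] ?? '';
        if ($login === '') {
            return ['errors' => 'Authentication Failed : login not present in attributes'];
        }
        // … unchanged: return ['login' => $login]; …
```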
-- 
GitLab