FEAT #15569 TIME 3:30 WIP OpenAm connection

apps/maarch_entreprise/xml/login_method.xml

@@ -20,4 +20,8 @@
         <ID>keycloak</ID>
         <ENABLED>false</ENABLED>
     </METHOD>
+    <METHOD>
+        <ID>openam</ID>
+        <ENABLED>true</ENABLED>
+    </METHOD>
 </ROOT>

apps/maarch_entreprise/xml/openAM.json

+{
+    "connectionUrl" : "https://serveur/openam/UI/Login",
+    "attributeUrl"  : "https://serveur/openam/identity/json/attributes",
+    "cookieName"    : "iPlanetDirectoryPro",
+    "attributeName" : "employeeNumber"
+}

src/core/controllers/AuthenticationController.php

@@ -24,6 +24,7 @@ use Slim\Http\Request;
 use Slim\Http\Response;
 use SrcCore\models\AuthenticationModel;
 use SrcCore\models\CoreConfigModel;
+use SrcCore\models\CurlModel;
 use SrcCore\models\PasswordModel;
 use SrcCore\models\ValidatorModel;
 use Stevenmaguire\OAuth2\Client\Provider\Keycloak;
@@ -68,6 +69,9 @@ class AuthenticationController
             $ssoConfiguration = ConfigurationModel::getByPrivilege(['privilege' => 'admin_sso', 'select' => ['value']]);
             $ssoConfiguration = !empty($ssoConfiguration['value']) ? json_decode($ssoConfiguration['value'], true) : null;
             $authUri          = $ssoConfiguration['url'] ?? null;
+        } elseif ($loggingMethod['id'] == 'openam') {
+            $configuration  = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/openAM.json']);
+            $authUri        = $configuration['connectionUrl'] ?? null;
         }
 
         $return = [
@@ -302,6 +306,15 @@ class AuthenticationController
             if (!AuthenticationController::isUserAuthorized(['login' => $login])) {
                 return $response->withStatus(403)->withJson(['errors' => 'Authentication unauthorized']);
             }
+        } elseif ($loggingMethod['id'] == 'openam') {
+            $authenticated = AuthenticationController::openAMConnection();
+            if (!empty($authenticated['errors'])) {
+                return $response->withStatus(401)->withJson(['errors' => $authenticated['errors']]);
+            }
+            $login = strtolower($authenticated['login']);
+            if (!AuthenticationController::isUserAuthorized(['login' => $login])) {
+                return $response->withStatus(403)->withJson(['errors' => 'Authentication unauthorized']);
+            }
         } else {
             return $response->withStatus(403)->withJson(['errors' => 'Logging method unauthorized']);
         }
@@ -596,6 +609,32 @@ class AuthenticationController
         return ['logoutUrl' => $url];
     }
 
+    private static function openAMConnection()
+    {
+        //TODO OpenAM 13
+        $configuration = CoreConfigModel::getJsonLoaded(['path' => 'apps/maarch_entreprise/xml/openAM.json']);
+
+        if (empty($configuration['attributeUrl']) || empty($configuration['cookieName']) || empty($configuration['attributeName'])) {
+            return ['errors' => 'OpenAM configuration missing'];
+        }
+
+        if (empty($_COOKIE[$configuration['cookieName']])) {
+            return ['errors' => 'Authentication Failed : User cookie is not set'];
+        }
+        $curlResponse = CurlModel::execSimple([
+            'url'           => "{$configuration['attributeUrl']}?subjectid={$_COOKIE[$configuration['cookieName']]}&attributenames={$configuration['attributeName']}",
+            'method'        => 'GET',
+        ]);
+
+        $login = $curlResponse['response']['attributes'][0]['values'][0] ?? null;
+
+        if (empty($login)) {
+            return ['errors' => 'Authentication Failed : login not present in response'];
+        }
+
+        return ['login' => $login];
+    }
+
     public function getRefreshedToken(Request $request, Response $response)
     {
         $queryParams = $request->getQueryParams();

src/frontend/app/login/login.component.ts

@@ -102,6 +102,8 @@ export class LoginComponent implements OnInit {
                     this.notify.error(this.translate.instant('lang.accountLocked') + ' ' + this.timeLimit.transform(err.error.date));
                 } else if (this.authService.authMode === 'sso' && err.error.errors === 'Authentication Failed : login not present in header' && !this.functionsService.empty(this.authService.authUri)) {
                     window.location.href = this.authService.authUri;
+                } else if (this.authService.authMode === 'openam' && err.error.errors === 'Authentication Failed : User cookie is not set' && !this.functionsService.empty(this.authService.authUri)) {
+                    window.location.href = this.authService.authUri;
                 } else {
                     this.notify.handleSoftErrors(err);
                 }
@@ -111,7 +113,7 @@ export class LoginComponent implements OnInit {
     }
 
     initConnection() {
-        if (['sso'].indexOf(this.authService.authMode) > -1) {
+        if (['sso', 'openam'].indexOf(this.authService.authMode) > -1) {
             this.loginForm.disable();
             this.loginForm.setValidators(null);
             this.onSubmit();