archive/BookStackApp_BookStack
0
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-05-09 10:30:06 +00:00
Code Issues Projects Releases Wiki Activity

Added token and key handling elements for oidc jwt

Browse source 
- Got basic signing support and structure checking done.
- Need to run through actual claim checking before providing details
  back to app.
This commit is contained in:
Dan Brown 2021-10-11 19:05:16 +01:00
parent 8ce696dff6
commit 8c01c55684
No known key found for this signature in database
GPG key ID: 46D9F943C24A2EF9
11 changed files with 444 additions and 11 deletions

2
app/Auth/Access/LoginService.php
View file

@ -47,7 +47,7 @@ class LoginService
// Authenticate on all session guards if a likely admin // Authenticate on all session guards if a likely admin
if ($user->can('users-manage') && $user->can('user-roles-manage')) { if ($user->can('users-manage') && $user->can('user-roles-manage')) {
$guards = ['standard', 'ldap', 'saml2', 'openid']; $guards = ['standard', 'ldap', 'saml2', 'oidc'];
foreach ($guards as $guard) { foreach ($guards as $guard) {
auth($guard)->login($user); auth($guard)->login($user);
} }

8
app/Auth/Access/OpenIdConnect/InvalidKeyException.php Normal file
View file

@ -0,0 +1,8 @@
<?php
namespace BookStack\Auth\Access\OpenIdConnect;
class InvalidKeyException extends \Exception
{
}

10
app/Auth/Access/OpenIdConnect/InvalidTokenException.php Normal file
View file

@ -0,0 +1,10 @@
<?php
namespace BookStack\Auth\Access\OpenIdConnect;
use Exception;
class InvalidTokenException extends Exception
{
}

76
app/Auth/Access/OpenIdConnect/JwtSigningKey.php Normal file
View file

@ -0,0 +1,76 @@
<?php
namespace BookStack\Auth\Access\OpenIdConnect;
use phpseclib3\Crypt\Common\PublicKey;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Crypt\RSA;
use phpseclib3\Math\BigInteger;
class JwtSigningKey
{
/**
* @var PublicKey
*/
protected $key;
/**
* Can be created either from a JWK parameter array or local file path to load a certificate from.
* Examples:
* 'file:///var/www/cert.pem'
* ['kty' => 'RSA', 'alg' => 'RS256', 'n' => 'abc123...']
* @param array|string $jwkOrKeyPath
* @throws InvalidKeyException
*/
public function __construct($jwkOrKeyPath)
{
if (is_array($jwkOrKeyPath)) {
$this->loadFromJwkArray($jwkOrKeyPath);
}
}
/**
* @throws InvalidKeyException
*/
protected function loadFromJwkArray(array $jwk)
{
if ($jwk['alg'] !== 'RS256') {
throw new InvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
}
if ($jwk['use'] !== 'sig') {
throw new InvalidKeyException("Only signature keys are currently supported. Found key for use {$jwk['sig']}");
}
if (empty($jwk['e'] ?? '')) {
throw new InvalidKeyException('An "e" parameter on the provided key is expected');
}
if (empty($jwk['n'] ?? '')) {
throw new InvalidKeyException('A "n" parameter on the provided key is expected');
}
$n = strtr($jwk['n'] ?? '', '-_', '+/');
try {
/** @var RSA $key */
$key = PublicKeyLoader::load([
'e' => new BigInteger(base64_decode($jwk['e']), 256),
'n' => new BigInteger(base64_decode($n), 256),
])->withPadding(RSA::SIGNATURE_PKCS1);
$this->key = $key;
} catch (\Exception $exception) {
throw new InvalidKeyException("Failed to load key from JWK parameters with error: {$exception->getMessage()}");
}
}
/**
* Use this key to sign the given content and return the signature.
*/
public function verify(string $content, string $signature): bool
{
return $this->key->verify($content, $signature);
}
}

54
app/Auth/Access/OpenIdConnect/OpenIdConnectAccessToken.php Normal file
View file

@ -0,0 +1,54 @@
<?php
namespace BookStack\Auth\Access\OpenIdConnect;
use InvalidArgumentException;
use League\OAuth2\Client\Token\AccessToken;
class OpenIdConnectAccessToken extends AccessToken
{
/**
* Constructs an access token.
*
* @param array $options An array of options returned by the service provider
* in the access token request. The `access_token` option is required.
* @throws InvalidArgumentException if `access_token` is not provided in `$options`.
*/
public function __construct(array $options = [])
{
parent::__construct($options);
$this->validate($options);
}
/**
* Validate this access token response for OIDC.
* As per https://openid.net/specs/openid-connect-basic-1_0.html#TokenOK.
*/
private function validate(array $options): void
{
// access_token: REQUIRED. Access Token for the UserInfo Endpoint.
// Performed on the extended class
// token_type: REQUIRED. OAuth 2.0 Token Type value. The value MUST be Bearer, as specified in OAuth 2.0
// Bearer Token Usage [RFC6750], for Clients using this subset.
// Note that the token_type value is case-insensitive.
if (strtolower(($options['token_type'] ?? '')) !== 'bearer') {
throw new InvalidArgumentException('The response token type MUST be "Bearer"');
}
// id_token: REQUIRED. ID Token.
if (empty($options['id_token'])) {
throw new InvalidArgumentException('An "id_token" property must be provided');
}
}
/**
* Get the id token value from this access token response.
*/
public function getIdToken(): string
{
return $this->getValues()['id_token'];
}
}

143
app/Auth/Access/OpenIdConnect/OpenIdConnectIdToken.php Normal file
View file

@ -0,0 +1,143 @@
<?php
namespace BookStack\Auth\Access\OpenIdConnect;
class OpenIdConnectIdToken
{
/**
* @var array
*/
protected $header;
/**
* @var array
*/
protected $payload;
/**
* @var string
*/
protected $signature;
/**
* @var array[]|string[]
*/
protected $keys;
/**
* @var string
*/
protected $issuer;
/**
* @var array
*/
protected $tokenParts = [];
public function __construct(string $token, string $issuer, array $keys)
{
$this->keys = $keys;
$this->issuer = $issuer;
$this->parse($token);
}
/**
* Parse the token content into its components.
*/
protected function parse(string $token): void
{
$this->tokenParts = explode('.', $token);
$this->header = $this->parseEncodedTokenPart($this->tokenParts[0]);
$this->payload = $this->parseEncodedTokenPart($this->tokenParts[1] ?? '');
$this->signature = $this->base64UrlDecode($this->tokenParts[2] ?? '') ?: '';
}
/**
* Parse a Base64-JSON encoded token part.
* Returns the data as a key-value array or empty array upon error.
*/
protected function parseEncodedTokenPart(string $part): array
{
$json = $this->base64UrlDecode($part) ?: '{}';
$decoded = json_decode($json, true);
return is_array($decoded) ? $decoded : [];
}
/**
* Base64URL decode. Needs some character conversions to be compatible
* with PHP's default base64 handling.
*/
protected function base64UrlDecode(string $encoded): string
{
return base64_decode(strtr($encoded, '-_', '+/'));
}
/**
* Validate all possible parts of the id token.
* @throws InvalidTokenException
*/
public function validate()
{
$this->validateTokenStructure();
$this->validateTokenSignature();
$this->validateTokenClaims();
}
/**
* Validate the structure of the given token and ensure we have the required pieces.
* As per https://datatracker.ietf.org/doc/html/rfc7519#section-7.2
* @throws InvalidTokenException
*/
protected function validateTokenStructure(): void
{
foreach (['header', 'payload'] as $prop) {
if (empty($this->$prop) || !is_array($this->$prop)) {
throw new InvalidTokenException("Could not parse out a valid {$prop} within the provided token");
}
}
if (empty($this->signature) || !is_string($this->signature)) {
throw new InvalidTokenException("Could not parse out a valid signature within the provided token");
}
}
/**
* Validate the signature of the given token and ensure it validates against the provided key.
* @throws InvalidTokenException
*/
protected function validateTokenSignature(): void
{
if ($this->header['alg'] !== 'RS256') {
throw new InvalidTokenException("Only RS256 signature validation is supported. Token reports using {$this->header['alg']}");
}
$parsedKeys = array_map(function($key) {
try {
return new JwtSigningKey($key);
} catch (InvalidKeyException $e) {
return null;
}
}, $this->keys);
$parsedKeys = array_filter($parsedKeys);
$contentToSign = $this->tokenParts[0] . '.' . $this->tokenParts[1];
foreach ($parsedKeys as $parsedKey) {
if ($parsedKey->verify($contentToSign, $this->signature)) {
return;
}
}
throw new InvalidTokenException('Token signature could not be validated using the provided keys.');
}
/**
* Validate the claims of the token.
* As per https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
*/
protected function validateTokenClaims(): void
{
// TODO
}
}

20
app/Auth/Access/OpenIdConnectOAuthProvider.php → app/Auth/Access/OpenIdConnect/OpenIdConnectOAuthProvider.php
View file

@ -1,7 +1,8 @@
<?php <?php
namespace BookStack\Auth\Access; namespace BookStack\Auth\Access\OpenIdConnect;
use League\OAuth2\Client\Grant\AbstractGrant;
use League\OAuth2\Client\Provider\AbstractProvider; use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException; use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Provider\GenericResourceOwner; use League\OAuth2\Client\Provider\GenericResourceOwner;
@ -106,4 +107,21 @@ class OpenIdConnectOAuthProvider extends AbstractProvider
{ {
return new GenericResourceOwner($response, ''); return new GenericResourceOwner($response, '');
} }
/**
* Creates an access token from a response.
*
* The grant that was used to fetch the response can be used to provide
* additional context.
*
* @param array $response
* @param AbstractGrant $grant
* @return OpenIdConnectAccessToken
*/
protected function createAccessToken(array $response, AbstractGrant $grant)
{
return new OpenIdConnectAccessToken($response);
}
} }

26
app/Auth/Access/OpenIdConnectService.php → app/Auth/Access/OpenIdConnect/OpenIdConnectService.php
View file

@ -1,5 +1,8 @@
<?php namespace BookStack\Auth\Access; <?php namespace BookStack\Auth\Access\OpenIdConnect;
use BookStack\Auth\Access\LoginService;
use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectOAuthProvider;
use BookStack\Auth\Access\RegistrationService;
use BookStack\Auth\User; use BookStack\Auth\User;
use BookStack\Exceptions\JsonDebugException; use BookStack\Exceptions\JsonDebugException;
use BookStack\Exceptions\OpenIdConnectException; use BookStack\Exceptions\OpenIdConnectException;
@ -8,6 +11,11 @@ use BookStack\Exceptions\UserRegistrationException;
use Exception; use Exception;
use Lcobucci\JWT\Token; use Lcobucci\JWT\Token;
use League\OAuth2\Client\Token\AccessToken; use League\OAuth2\Client\Token\AccessToken;
use function auth;
use function config;
use function dd;
use function trans;
use function url;
/** /**
* Class OpenIdConnectService * Class OpenIdConnectService
@ -122,17 +130,21 @@ class OpenIdConnectService
* @throws UserRegistrationException * @throws UserRegistrationException
* @throws StoppedAuthenticationException * @throws StoppedAuthenticationException
*/ */
protected function processAccessTokenCallback(AccessToken $accessToken): User protected function processAccessTokenCallback(OpenIdConnectAccessToken $accessToken): User
{ {
dd($accessToken->getValues()); $idTokenText = $accessToken->getIdToken();
$idToken = new OpenIdConnectIdToken(
$idTokenText,
$this->config['issuer'],
[$this->config['jwt_public_key']]
);
// TODO - Create a class to manage token parsing and validation on this // TODO - Create a class to manage token parsing and validation on this
// Using the config params:
// $this->config['jwt_public_key']
// $this->config['issuer']
//
// Ensure ID token validation is done: // Ensure ID token validation is done:
// https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation // https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation
// To full affect and tested // To full affect and tested
// JWT signature algorthims:
// https://datatracker.ietf.org/doc/html/rfc7518#section-3
$userDetails = $this->getUserDetails($accessToken->getIdToken()); $userDetails = $this->getUserDetails($accessToken->getIdToken());
$isLoggedIn = auth()->check(); $isLoggedIn = auth()->check();

2
app/Http/Controllers/Auth/OpenIdConnectController.php
View file

@ -2,7 +2,7 @@
namespace BookStack\Http\Controllers\Auth; namespace BookStack\Http\Controllers\Auth;
use BookStack\Auth\Access\OpenIdConnectService; use BookStack\Auth\Access\OpenIdConnect\OpenIdConnectService;
use BookStack\Http\Controllers\Controller; use BookStack\Http\Controllers\Controller;
use Illuminate\Http\Request; use Illuminate\Http\Request;

1
composer.json
View file

@ -27,6 +27,7 @@
"league/html-to-markdown": "^5.0.0", "league/html-to-markdown": "^5.0.0",
"nunomaduro/collision": "^3.1", "nunomaduro/collision": "^3.1",
"onelogin/php-saml": "^4.0", "onelogin/php-saml": "^4.0",
"phpseclib/phpseclib": "~3.0",
"pragmarx/google2fa": "^8.0", "pragmarx/google2fa": "^8.0",
"predis/predis": "^1.1.6", "predis/predis": "^1.1.6",
"socialiteproviders/discord": "^4.1", "socialiteproviders/discord": "^4.1",

113
composer.lock generated
View file

@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
"This file is @generated automatically" "This file is @generated automatically"
], ],
"content-hash": "620412108a5d19ed91d9fe42418b63b5", "content-hash": "5cbbf417bd19cd2164f91b9b2d38600c",
"packages": [ "packages": [
{ {
"name": "aws/aws-crt-php", "name": "aws/aws-crt-php",
@ -3511,6 +3511,117 @@
], ],
"time": "2021-08-28T21:27:29+00:00" "time": "2021-08-28T21:27:29+00:00"
}, },
{
"name": "phpseclib/phpseclib",
"version": "3.0.10",
"source": {
"type": "git",
"url": "https://github.com/phpseclib/phpseclib.git",
"reference": "62fcc5a94ac83b1506f52d7558d828617fac9187"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/phpseclib/phpseclib/zipball/62fcc5a94ac83b1506f52d7558d828617fac9187",
"reference": "62fcc5a94ac83b1506f52d7558d828617fac9187",
"shasum": ""
},
"require": {
"paragonie/constant_time_encoding": "^1|^2",
"paragonie/random_compat": "^1.4|^2.0|^9.99.99",
"php": ">=5.6.1"
},
"require-dev": {
"phing/phing": "~2.7",
"phpunit/phpunit": "^5.7|^6.0|^9.4",
"squizlabs/php_codesniffer": "~2.0"
},
"suggest": {
"ext-gmp": "Install the GMP (GNU Multiple Precision) extension in order to speed up arbitrary precision integer arithmetic operations.",
"ext-libsodium": "SSH2/SFTP can make use of some algorithms provided by the libsodium-php extension.",
"ext-mcrypt": "Install the Mcrypt extension in order to speed up a few other cryptographic operations.",
"ext-openssl": "Install the OpenSSL extension in order to speed up a wide variety of cryptographic operations."
},
"type": "library",
"autoload": {
"files": [
"phpseclib/bootstrap.php"
],
"psr-4": {
"phpseclib3\\": "phpseclib/"
}
},
"notification-url": "https://packagist.org/downloads/",
"license": [
"MIT"
],
"authors": [
{
"name": "Jim Wigginton",
"email": "terrafrost@php.net",
"role": "Lead Developer"
},
{
"name": "Patrick Monnerat",
"email": "pm@datasphere.ch",
"role": "Developer"
},
{
"name": "Andreas Fischer",
"email": "bantu@phpbb.com",
"role": "Developer"
},
{
"name": "Hans-Jürgen Petrich",
"email": "petrich@tronic-media.com",
"role": "Developer"
},
{
"name": "Graham Campbell",
"email": "graham@alt-three.com",
"role": "Developer"
}
],
"description": "PHP Secure Communications Library - Pure-PHP implementations of RSA, AES, SSH2, SFTP, X.509 etc.",
"homepage": "http://phpseclib.sourceforge.net",
"keywords": [
"BigInteger",
"aes",
"asn.1",
"asn1",
"blowfish",
"crypto",
"cryptography",
"encryption",
"rsa",
"security",
"sftp",
"signature",
"signing",
"ssh",
"twofish",
"x.509",
"x509"
],
"support": {
"issues": "https://github.com/phpseclib/phpseclib/issues",
"source": "https://github.com/phpseclib/phpseclib/tree/3.0.10"
},
"funding": [
{
"url": "https://github.com/terrafrost",
"type": "github"
},
{
"url": "https://www.patreon.com/phpseclib",
"type": "patreon"
},
{
"url": "https://tidelift.com/funding/github/packagist/phpseclib/phpseclib",
"type": "tidelift"
}
],
"time": "2021-08-16T04:24:45+00:00"
},
{ {
"name": "pragmarx/google2fa", "name": "pragmarx/google2fa",
"version": "8.0.0", "version": "8.0.0",