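/**
 * Handle an inbound SAML request (IdP-initiated logout) for the user it names.
 *
 * The request is loaded into the SAML request service and then checked for
 * timestamp freshness, an accepted destination, a matching WordPress user and
 * a session index equal to the session stored at SSO login time. Any failed
 * check ends the request with wp_die(); when all pass, the user's
 * "launchkey_authorized" meta is set to the string 'false'.
 *
 * @param string $saml_request Raw SAML request as received from the IdP
 *
 * @return void
 *
 * @since 1.1.0
 */
private function handle_saml_request($saml_request) {
    $this->saml_request_service->load_saml_request($saml_request);

    $is_valid = $this->saml_request_service->is_timestamp_within_restrictions($this->wp_facade->time())
        && $this->saml_request_service->is_valid_destination($this->wp_facade->wp_login_url());

    $user = null;
    if ($is_valid) {
        $user     = $this->wp_facade->get_user_by('login', $this->saml_request_service->get_name());
        $is_valid = $user instanceof WP_User;
    }

    if ($is_valid) {
        // Compare as strings with === rather than loose !=: under == a missing
        // session index (null) equals an unset meta value ('') and numeric-looking
        // strings are compared numerically. An empty session index binds the
        // request to nothing, so it is rejected as well.
        $requested_session = (string) $this->saml_request_service->get_session_index();
        $stored_session    = (string) $user->get('launchkey_sso_session');
        $is_valid          = $requested_session !== '' && $requested_session === $stored_session;
    }

    if (!$is_valid) {
        $this->wp_facade->wp_die('Invalid Request', 400);
        // wp_die normally terminates; the return guards against a filtered wp_die
        return;
    }

    $this->wp_facade->update_user_meta($user->ID, 'launchkey_authorized', 'false');
}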
/**
 * Authenticate-filter front controller for LaunchKey Native/White Label logins.
 *
 * Two situations are handled:
 *  - a username with no password: the user is attempting a passwordless
 *    login, so if that user is paired with LaunchKey the standard
 *    username/password filters are replaced by the LaunchKey one;
 *  - neither username nor password: the current user's session is being
 *    re-validated, and a paired user whose "launchkey_authorized" meta is
 *    the string 'false' is logged out.
 *
 * @param WP_User $user     Unused parameter always passed first by the authenticate filter
 * @param string  $username Username specified by the user in the login screen
 * @param string  $password Password specified by the user in the login screen
 *
 * @return void
 *
 * @since 1.0.0
 */
public function authentication_controller($user, $username, $password) {
    $wp = $this->wp_facade;

    if ($username && empty($password)) {
        // Username without a password: a passwordless login attempt
        $candidate = $wp->get_user_by('login', $username);
        if (!($candidate instanceof WP_User) || !$candidate->launchkey_username) {
            return;
        }

        // Replace username/password authentication with LaunchKey authentication
        $wp->remove_all_filters('authenticate');
        // Work around: a placeholder filter keeps the 'authenticate' hook alive
        // so that the LaunchKey filter registered next still runs
        $wp->add_filter('authenticate', array($this, 'null_method'));
        $wp->add_filter('authenticate', array($this, 'launchkey_user_authentication'), 30, 2);
        return;
    }

    if ($username || $password) {
        return;
    }

    // No credentials at all: re-validate that the current user is still authorized
    $current = $wp->wp_get_current_user();
    if ($current && $current->launchkey_username && 'false' === $current->launchkey_authorized) {
        $wp->wp_logout();
    }
}
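/**
 * Authenticate-filter handler that completes a LaunchKey SSO (SAML) login.
 *
 * Only acts when no user, username or password was supplied and a
 * SAMLResponse parameter is present in the request; otherwise $user is
 * returned untouched. The response is parsed, its signature verified against
 * $this->security_key, its status and the first assertion's validity window
 * checked, and the WordPress user named by the assertion's NameID is loaded
 * (or created when missing). The assertion's session index is stored in the
 * user's "launchkey_sso_session" meta so a later SAML request can be matched
 * to this login. Any failure redirects to $this->error_url and exits.
 *
 * @param WP_User|WP_Error|null $user     User passed along the authenticate filter chain
 * @param string                $username Username specified by the user in the login screen
 * @param string                $password Password specified by the user in the login screen
 *
 * @return WP_User|WP_Error|null The SSO user on success, otherwise $user unchanged
 *
 * @since 1.0.0
 */
public function authenticate($user, $username, $password) {
    if (!empty($user) || !empty($username) || !empty($password) || empty($_REQUEST['SAMLResponse'])) {
        return $user;
    }

    try {
        // Decoding, parsing and signature lookup can all throw, so they live
        // inside the try: a malformed response must redirect, not fatal.
        $decoded = base64_decode($_REQUEST['SAMLResponse'], true);
        if ($decoded === false) {
            throw new Exception('SAMLResponse is not valid base64');
        }
        $response_element = SAML2_DOMDocumentFactory::fromString($decoded)->documentElement;

        // validateElement yields no signature info for an unsigned element;
        // reject it here instead of letting validateSignature fail on a non-array
        $signature_info = SAML2_Utils::validateElement($response_element);
        if (!$signature_info) {
            throw new Exception('SAML response is not signed');
        }
        SAML2_Utils::validateSignature($signature_info, $this->security_key);

        $response = SAML2_StatusResponse::fromXML($response_element);
        if (!$response->isSuccess()) {
            throw new Exception('SAML response status is not success');
        }

        /** @var SAML2_Assertion[] $assertions */
        $assertions = $response->getAssertions();
        if (empty($assertions)) {
            throw new Exception("No assertions in SAML response");
        }
        $assertion = $assertions[0];
        $this->assert_saml_assertion_is_current($assertion, $this->wp_facade->time());

        $name_id = $assertion->getNameId();
        if (empty($name_id['Value'])) {
            throw new Exception('SAML assertion has no NameID value');
        }
        $sso_username = $name_id['Value'];
        $session_id   = $assertion->getSessionIndex();

        // Find the user by login; provision one if this is a first SSO login
        $user = $this->wp_facade->get_user_by('login', $sso_username);
        if (!$user instanceof WP_User) {
            $user = $this->create_user_from_saml_assertion($sso_username, $assertion);
        }

        // Set the SSO session so we know we are logged in via SSO
        $this->wp_facade->update_user_meta($user->ID, 'launchkey_sso_session', $session_id);
    } catch (Exception $e) {
        $this->wp_facade->wp_redirect($this->error_url);
        exit;
    }

    return $user;
}

/**
 * Reject an assertion whose NotBefore / NotOnOrAfter conditions exclude $now.
 *
 * @param SAML2_Assertion $assertion Assertion taken from the SAML response
 * @param int             $now       Current Unix timestamp
 *
 * @return void
 *
 * @throws Exception when the assertion is not yet valid or has expired
 */
private function assert_saml_assertion_is_current(SAML2_Assertion $assertion, $now) {
    $not_before      = $assertion->getNotBefore();
    $not_on_or_after = $assertion->getNotOnOrAfter();
    // Tolerate a small clock difference between the IdP and this server
    $skew_seconds = 60;

    if ($not_before !== null && $now + $skew_seconds < $not_before) {
        throw new Exception('SAML assertion is not yet valid');
    }
    if ($not_on_or_after !== null && $now - $skew_seconds >= $not_on_or_after) {
        throw new Exception('SAML assertion has expired');
    }
}

/**
 * Provision a WordPress user for an SSO login that has no local account yet.
 *
 * @param string          $username  Login name taken from the assertion's NameID
 * @param SAML2_Assertion $assertion Assertion whose optional "role" attribute maps to the WordPress role
 *
 * @return WP_User
 *
 * @throws Exception when WordPress refuses to create the user
 */
private function create_user_from_saml_assertion($username, SAML2_Assertion $assertion) {
    $attributes = $assertion->getAttributes();
    $user_data  = array(
        'user_login' => $username,
        'user_pass'  => '',
        'role'       => empty($attributes['role']) ? false : $this->translate_role($attributes['role'][0]),
    );

    $user_id = $this->wp_facade->wp_insert_user($user_data);
    // wp_insert_user reports failure with a WP_Error rather than an exception
    if ($user_id instanceof WP_Error) {
        throw new Exception('Unable to create user for SSO login: ' . $user_id->get_error_message());
    }

    // Unset the password - wp_insert_user always generates a hash - it's misleading
    $this->wp_facade->wp_update_user(array('ID' => $user_id, 'user_pass' => ''));

    return new WP_User($user_id);
}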