fix some SAML/Shibboleth problems caused by EGroupware running in container behind proxy on host

This commit is contained in:
Ralf Becker 2020-06-21 08:16:31 +02:00
parent 52714f0a63
commit 08b039c4fb

View File

@ -265,7 +265,7 @@ class Saml implements BackendSSO
} }
$replace = $GLOBALS['egw_info']['server']['saml_replace']; $replace = $GLOBALS['egw_info']['server']['saml_replace'];
$with = $GLOBALS['egw_info']['server']['saml_replace_with'] ?? ''; $with = $GLOBALS['egw_info']['server']['saml_replace_with'] ?? '';
$replaced = $replace[0] === '/' ? preg_replace($replaced, $with, $username) : str_replace($replace, $with, $username); $replaced = $replace[0] === '/' ? preg_replace($replace, $with, $username) : str_replace($replace, $with, $username);
if (empty($replaced) || !$GLOBALS['egw']->accounts->name2id($replaced, 'account_lid', 'u')) if (empty($replaced) || !$GLOBALS['egw']->accounts->name2id($replaced, 'account_lid', 'u'))
{ {
@ -358,6 +358,8 @@ class Saml implements BackendSSO
self::updateConfig($config); self::updateConfig($config);
} }
self::checkDefaultConfig($config); self::checkDefaultConfig($config);
// config files are PHP files and EGroupware contaier does not check timestamps
if (function_exists('opcache_reset')) opcache_reset();
// install or remove async job to refresh metadata // install or remove async job to refresh metadata
static $freq2times = [ static $freq2times = [
@ -439,6 +441,9 @@ class Saml implements BackendSSO
$metaloader = new SimpleSAML\Module\metarefresh\MetaLoader(); $metaloader = new SimpleSAML\Module\metarefresh\MetaLoader();
$metaloader->loadSource($source); $metaloader->loadSource($source);
$metaloader->writeMetadataFiles($saml_config.'/metadata'); $metaloader->writeMetadataFiles($saml_config.'/metadata');
// metadata files are PHP files and EGroupware contaier does not check timestamps
if (function_exists('opcache_reset')) opcache_reset();
} }
/** /**
@ -605,6 +610,16 @@ class Saml implements BackendSSO
case 'config.php': case 'config.php':
$cookie_domain = Api\Session::getCookieDomain($cookie_path, $cookie_secure); $cookie_domain = Api\Session::getCookieDomain($cookie_path, $cookie_secure);
$replacements = [ $replacements = [
'$config = [' => <<<EOF
// SimpleSAMLphp does NOT honor X-Forwarded-* headers
// and solution mentioned in docs to just set baseurlpath to correct https-URL does NOT work in all cases
if (isset(\$_SERVER['HTTP_X_FORWARDED_PROTO']) && \$_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
\$_SERVER['HTTPS'] = 'on';
\$_SERVER['SERVER_PORT'] = '443';
}
\$config = [
EOF,
"'baseurlpath' => 'simplesaml/'," => "'baseurlpath' => '".Api\Framework::getUrl(Api\Egw::link('/saml/'))."',", "'baseurlpath' => 'simplesaml/'," => "'baseurlpath' => '".Api\Framework::getUrl(Api\Egw::link('/saml/'))."',",
"'timezone' => null," => "'timezone' => 'Europe/Berlin',", // ToDo: use default prefs "'timezone' => null," => "'timezone' => 'Europe/Berlin',", // ToDo: use default prefs
"'secretsalt' => 'defaultsecretsalt'," => "'secretsalt' => '".Api\Auth::randomstring(32)."',", "'secretsalt' => 'defaultsecretsalt'," => "'secretsalt' => '".Api\Auth::randomstring(32)."',",