fix: [security] KeyCloak login getUser fixes

- removed dead code
- tightened the check on the user profile: if the KC user's email address and that of the Cerebrate user disagree, block the authentication

- as reported by SK-CERT
cli-modification-summary
iglocska 2022-09-18 18:51:05 +02:00
parent 822c96dbf0
commit 10ea126a93
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 4 additions and 44 deletions


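--- a/<PATH-NOT-SHOWN>
+++ b/<PATH-NOT-SHOWN>
@@ -30,7 +30,7 @@ class AuthKeycloakBehavior extends Behavior
 $raw_profile_payload = $profile->access_token->getJwt()->getPayload();
 $user = $this->extractProfileData($raw_profile_payload);
 if (!$user) {
-throw new \RuntimeException('Unable to save new user');
+throw new \RuntimeException('Unable to authenticate user. The KeyCloak and Cerebrate states of the user differ. This could be due to a missing synchronisation of the data.');
 }
 return $user;
@@ -50,50 +50,10 @@ class AuthKeycloakBehavior extends Behavior
 $fields[$field] = $mapping[$field];
 }
 }
-$user = [
-'individual' => [
-'email' => $profile_payload[$fields['email']],
-'first_name' => $profile_payload[$fields['first_name']],
-'last_name' => $profile_payload[$fields['last_name']]
-],
-'user' => [
-'username' => $profile_payload[$fields['username']],
-],
-'organisation' => [
-'uuid' => $profile_payload[$fields['org_uuid']],
-],
-'role' => [
-'name' => $profile_payload[$fields['role_name']],
-]
-];
-//$user['user']['individual_id'] = $this->_table->captureIndividual($user);
-//$user['user']['role_id'] = $this->_table->captureRole($user);
-$existingUser = $this->_table->find()->where(['username' => $user['user']['username']])->first();
-/*
-if (empty($existingUser)) {
-$user['user']['password'] = Security::randomString(16);
-$existingUser = $this->_table->newEntity($user['user']);
-if (!$this->_table->save($existingUser)) {
-return false;
-}
-} else {
-$dirty = false;
-if ($user['user']['individual_id'] != $existingUser['individual_id']) {
-$existingUser['individual_id'] = $user['user']['individual_id'];
-$dirty = true;
-}
-if ($user['user']['role_id'] != $existingUser['role_id']) {
-$existingUser['role_id'] = $user['user']['role_id'];
-$dirty = true;
-}
-$existingUser;
-if ($dirty) {
-if (!$this->_table->save($existingUser)) {
-return false;
-}
-}
+$existingUser = $this->_table->find()->where(['username' => $profile_payload[$fields['username']]])->first();
+if ($existingUser['individual']['email'] !== $profile_payload[$fields['email']]) {
+return false;
 }
-*/
 return $existingUser;
 }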
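Review bot: The new email comparison in the second hunk fails closed only by accident when the lookup finds nothing or the claim is absent: with no user for that username `$existingUser` is null, so `$existingUser['individual']['email']` evaluates to null (emitting a PHP warning) and the mismatch is detected only because the profile email is non-null; if the email claim is missing as well, both sides are null, `!==` is false, and the function falls through to `return $existingUser`. The check should reject the empty cases explicitly rather than rely on that, e.g. `if (empty($existingUser) || empty($existingUser['individual']['email']) || $existingUser['individual']['email'] !== ($profile_payload[$fields['email']] ?? null)) {`. The `find()` on the new line shows no `contain()` for the individual association, so whether `['individual']['email']` is populated at all is not visible here and is worth confirming, since an unloaded association would block every login. The enclosing method `extractProfileData` begins before this hunk.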