fix: [security] KeyCloak login getUser fixes
- removed dead code - tightened check on the user profile, if the KC user's email address and that of the Cerebrate user disagree, block the authentication - as reported by SK-CERTcli-modification-summary
parent
822c96dbf0
commit
10ea126a93
|
@ -30,7 +30,7 @@ class AuthKeycloakBehavior extends Behavior
|
||||||
$raw_profile_payload = $profile->access_token->getJwt()->getPayload();
|
$raw_profile_payload = $profile->access_token->getJwt()->getPayload();
|
||||||
$user = $this->extractProfileData($raw_profile_payload);
|
$user = $this->extractProfileData($raw_profile_payload);
|
||||||
if (!$user) {
|
if (!$user) {
|
||||||
throw new \RuntimeException('Unable to save new user');
|
throw new \RuntimeException('Unable to authenticate user. The KeyCloak and Cerebrate states of the user differ. This could be due to a missing synchronisation of the data.');
|
||||||
}
|
}
|
||||||
|
|
||||||
return $user;
|
return $user;
|
||||||
|
@ -50,50 +50,10 @@ class AuthKeycloakBehavior extends Behavior
|
||||||
$fields[$field] = $mapping[$field];
|
$fields[$field] = $mapping[$field];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$user = [
|
$existingUser = $this->_table->find()->where(['username' => $profile_payload[$fields['username']]])->first();
|
||||||
'individual' => [
|
if ($existingUser['individual']['email'] !== $profile_payload[$fields['email']]) {
|
||||||
'email' => $profile_payload[$fields['email']],
|
return false;
|
||||||
'first_name' => $profile_payload[$fields['first_name']],
|
|
||||||
'last_name' => $profile_payload[$fields['last_name']]
|
|
||||||
],
|
|
||||||
'user' => [
|
|
||||||
'username' => $profile_payload[$fields['username']],
|
|
||||||
],
|
|
||||||
'organisation' => [
|
|
||||||
'uuid' => $profile_payload[$fields['org_uuid']],
|
|
||||||
],
|
|
||||||
'role' => [
|
|
||||||
'name' => $profile_payload[$fields['role_name']],
|
|
||||||
]
|
|
||||||
];
|
|
||||||
//$user['user']['individual_id'] = $this->_table->captureIndividual($user);
|
|
||||||
//$user['user']['role_id'] = $this->_table->captureRole($user);
|
|
||||||
$existingUser = $this->_table->find()->where(['username' => $user['user']['username']])->first();
|
|
||||||
/*
|
|
||||||
if (empty($existingUser)) {
|
|
||||||
$user['user']['password'] = Security::randomString(16);
|
|
||||||
$existingUser = $this->_table->newEntity($user['user']);
|
|
||||||
if (!$this->_table->save($existingUser)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
$dirty = false;
|
|
||||||
if ($user['user']['individual_id'] != $existingUser['individual_id']) {
|
|
||||||
$existingUser['individual_id'] = $user['user']['individual_id'];
|
|
||||||
$dirty = true;
|
|
||||||
}
|
|
||||||
if ($user['user']['role_id'] != $existingUser['role_id']) {
|
|
||||||
$existingUser['role_id'] = $user['user']['role_id'];
|
|
||||||
$dirty = true;
|
|
||||||
}
|
|
||||||
$existingUser;
|
|
||||||
if ($dirty) {
|
|
||||||
if (!$this->_table->save($existingUser)) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
*/
|
|
||||||
return $existingUser;
|
return $existingUser;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
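Review bot: The new email check in the second hunk dereferences `$existingUser['individual']['email']` before confirming that the username lookup returned a row and that the individual association was actually loaded by that `find()`, so an unknown username (or an entity with no `individual` loaded) is only rejected because a null offset compares unequal, which PHP 7.4+ reports as a warning and which is fragile to rely on for an authentication decision. I would guard explicitly before the comparison: `if (empty($existingUser) || empty($existingUser['individual']['email']) || empty($profile_payload[$fields['email']])) { return false; }`, and make the finder load the individual association (a `->contain()` on the query, using whatever the project names that association) so a missing join cannot be mistaken for a mismatch and silently reject every login. The other `$profile_payload[$fields[...]]` reads are likewise indexed without an `isset` check, so a token missing the mapped claim yields null rather than a clear failure. The enclosing method starts before this hunk (the `$fields` mapping loop closes at its top), so the guard belongs directly after the `find()` shown here.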