integration hydra apps

2022-08-27 18:24:56 +02:00
parent 21fb28a6f0
commit c3328a1ba0
13 changed files with 329 additions and 8 deletions
--- a/src/Controller/HydraController.php
+++ b/src/Controller/HydraController.php
@ -0,0 +1,197 @@
+<?php
+namespace App\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
+use Doctrine\Persistence\ManagerRegistry;
+
+use App\Service\ApiService;
+use App\Service\PasswordEncoder;
+use App\Service\LdapService;
+
+use App\Form\LoginType;
+
+
+class HydraController extends AbstractController
+{
+
+    private $apiservice;
+    private $passwordencoder;
+    private $ldapservice;
+
+    public function __construct(ApiService $apiservice,LdapService $ldapservice,PasswordEncoder $passwordencoder)
+    {
+        $this->apiservice = $apiservice;
+        $this->passwordencoder = $passwordencoder;
+        $this->ldapservice = $ldapservice;
+    }
+
+    public function loginsql(Request $request): Response
+    {       
+
+        $challenge = $request->query->get('login_challenge');
+
+        // S'il n'y a pas de challenge, on déclenche une bad request
+        if (!$challenge) {
+            throw new BadRequestException('pas de challenge');
+        }
+        
+        // On vérifie que la requête d'identification provient bien de hydra
+        $response = $this->apiservice->run("GET",$this->getParameter('hydraLoginchallenge').$challenge,null);
+        if(!$response) 
+            throw new BadRequestException('challenge invalide');
+
+        // si le challenge est validé par hydra, on le stocke en session pour l'utiliser par la suite et on redirige vers une route interne protégée qui va déclencher l'identification FranceConnect
+        $request->getSession()->set('hydraChallenge', $challenge);
+
+        // Création du formulaire
+        $form = $this->createForm(LoginType::class);
+
+        // Récupération des data du formulaire
+        $form->handleRequest($request);
+        
+
+        // Affichage du formulaire
+        return $this->render("Home/loginHYDRA.html.twig", [
+            "useheader"=>false,
+            "usemenu"=>false,
+            "usesidebar"=>false,
+            "form"=>$form->createView(),
+            "mode"=>"SQL",
+        ]);
+    }
+
+    public function checkloginsql(Request $request,ManagerRegistry $em) {
+        $username=$request->get('login')["username"];
+        $password=$request->get('login')["password"];
+
+        // user exist ?
+        $user=$em->getRepository("App\Entity\User")->findOneBy(["username"=>$username]);
+        if(!$user) return $this->redirect($this->generateUrl('app_hydra_loginsql',["login_challenge"=>$request->getSession()->get("hydraChallenge")]));
+
+        $islogin=$this->passwordencoder->verify($user->getPassword(),$password,$user->getSalt());
+        if(!$islogin) return $this->redirect($this->generateUrl('app_hydra_loginsql',["login_challenge"=>$request->getSession()->get("hydraChallenge")]));
+
+        $response = $this->apiservice->run("PUT",$this->getParameter('hydraLoginchallengeaccept').$request->getSession()->get('hydraChallenge'),["subject"=>$user->getEmail(),"acr"=>"string"]);
+        if(!$response||$response->code!="200") 
+            throw new BadRequestException('login accept invalide');
+
+        $datas=[
+            "username"=>$user->getUsername(),
+            "email"=>$user->getEmail(),
+            "firstname"=>$user->getFirstname(),
+            "lastname"=>$user->getLastname()
+        ];
+        $request->getSession()->set("datas",$datas);
+
+        $redirect=$response->body->redirect_to;
+        return $this->redirect($redirect, 301);
+
+    }
+
+    public function loginldap(Request $request): Response
+    {       
+
+        $challenge = $request->query->get('login_challenge');
+
+        // S'il n'y a pas de challenge, on déclenche une bad request
+        if (!$challenge) {
+            throw new BadRequestException('pas de challenge');
+        }
+        
+        // On vérifie que la requête d'identification provient bien de hydra
+        $response = $this->apiservice->run("GET",$this->getParameter('hydraLoginchallenge').$challenge,null);
+        if(!$response) 
+            throw new BadRequestException('challenge invalide');
+
+        // si le challenge est validé par hydra, on le stocke en session pour l'utiliser par la suite et on redirige vers une route interne protégée qui va déclencher l'identification FranceConnect
+        $request->getSession()->set('hydraChallenge', $challenge);
+
+        // Création du formulaire
+        $form = $this->createForm(LoginType::class);
+
+        // Récupération des data du formulaire
+        $form->handleRequest($request);
+        
+
+        // Affichage du formulaire
+        return $this->render("Home/loginHYDRA.html.twig", [
+            "useheader"=>false,
+            "usemenu"=>false,
+            "usesidebar"=>false,
+            "form"=>$form->createView(),
+            "mode"=>"LDAP",
+        ]);
+    }
+
+    public function checkloginldap(Request $request,ManagerRegistry $em) {
+        $username=$request->get('login')["username"];
+        $password=$request->get('login')["password"];
+
+        // L'utilisateur se co à l'annuaire ?
+        $userldap=$this->ldapservice->userconnect($username,$password);
+        if(!$userldap)
+            return $this->redirect($this->generateUrl('app_hydra_loginldap',["login_challenge"=>$request->getSession()->get("hydraChallenge")]));
+
+        $userldap=$userldap[0];
+
+        // Init
+        $email = "$username@nomail.fr";
+        $lastname = $username;
+        $firstname = " ";
+
+        // Rechercher l'utilisateur
+        if(isset($userldap[$this->getParameter('ldapFirstname')]))
+            $firstname = $userldap[$this->getParameter('ldapFirstname')];
+        
+        if(isset($userldap[$this->getParameter('ldapLastname')]))
+            $lastname = $userldap[$this->getParameter('ldapLastname')];
+        
+        if(isset($userldap[$this->getParameter('ldapEmail')]))
+            $email = $userldap[$this->getParameter('ldapEmail')];
+
+        $response = $this->apiservice->run("PUT",$this->getParameter('hydraLoginchallengeaccept').$request->getSession()->get('hydraChallenge'),["subject"=>$email,"acr"=>"string"]);
+        if(!$response||$response->code!="200") 
+            throw new BadRequestException('login accept invalide');
+
+        $datas=[
+            "username"=>$username,
+            "email"=>$email,
+            "firstname"=>$firstname,
+            "lastname"=>$lastname
+        ];
+        $request->getSession()->set("datas",$datas);
+
+        $redirect=$response->body->redirect_to;
+        return $this->redirect($redirect, 301);
+
+    }
+
+
+    public function consent(Request $request)
+    {
+        $challenge = $request->query->get('consent_challenge');
+        if (!$challenge) {
+            throw new BadRequestException("Le challenge n'est pas disponible");
+        }
+
+        // On vérifie que la requête d'identification provient bien de hydra
+        $response = $this->apiservice->run("GET",$this->getParameter('hydraConsentchallenge').$challenge,null);
+        if(!$response) 
+            throw new BadRequestException('challenge invalide');
+
+        $response = $this->apiservice->run("PUT",$this->getParameter('hydraConsentchallengeaccept').$challenge,[
+            'grant_scope' => ['openid', 'offline_access'],
+            'session' => ['id_token' => $request->getSession()->get('datas')]
+        ]);
+
+        if(!$response) 
+            throw new BadRequestException('challenge not accept');
+
+        $redirect=$response->body->redirect_to;
+        return $this->redirect($redirect, 301);
+    }    
+
+}