Override UserPassBaseOrg::handleLogin to be able to store the selected ldap-source

Author: tvdijen

src/Auth/Source/LdapMulti.php

@@ -19,6 +19,7 @@
 use SimpleSAML\Auth;
 use SimpleSAML\Configuration;
 use SimpleSAML\Error;
+use SimpleSAML\Logger;
 use SimpleSAML\Module\core\Auth\UserPassOrgBase;
 
 use function array_change_key_case;
@@ -28,6 +29,12 @@
 
 class LdapMulti extends UserPassOrgBase
 {
+    /**
+     * The key of the OrgId field in the state, identifies which org was selected.
+     */
+    public const string SOURCEID = '\SimpleSAML\Module\ldap\Auth\LdapMulti.SelectedSource';
+
+
     /**
      * An LDAP configuration object.
      */
@@ -160,6 +167,80 @@ public function loginOverload(
     }
 
 
+    /**
+     * Handle login request.
+     *
+     * This function is used by the login form (core/loginuserpassorg) when the user
+     * enters a username and password. On success, it will not return. On wrong
+     * username/password failure, and other errors, it will throw an exception.
+     *
+     * @param string $authStateId  The identifier of the authentication state.
+     * @param string $username  The username the user wrote.
+     * @param string $password  The password the user wrote.
+     * @param string $organization  The id of the organization the user chose.
+     */
+    public static function handleLogin(
+        string $authStateId,
+        string $username,
+        string $password,
+        string $organization,
+    ): void {
+        /* Retrieve the authentication state. */
+        $state = Auth\State::loadState($authStateId, self::STAGEID);
+
+        /* Find authentication source. */
+        Assert::keyExists($state, self::AUTHID);
+
+        /** @var \SimpleSAML\Module\core\Auth\UserPassOrgBase|null $source */
+        $source = Auth\Source::getById($state[self::AUTHID]);
+        if ($source === null) {
+            throw new \Exception('Could not find authentication source with id ' . $state[self::AUTHID]);
+        }
+
+        $orgMethod = $source->getUsernameOrgMethod();
+        if ($orgMethod !== 'none') {
+            $tmp = explode('@', $username, 2);
+            if (count($tmp) === 2) {
+                $username = $tmp[0];
+                $organization = $tmp[1];
+            } else {
+                if ($orgMethod === 'force') {
+                    /* The organization should be a part of the username, but isn't. */
+                    throw new Error\Error(Error\ErrorCodes::WRONGUSERPASS);
+                }
+            }
+        }
+
+        /* Attempt to log in. */
+        try {
+            $attributes = $source->login($username, $password, $organization);
+        } catch (\Exception $e) {
+            Logger::stats('Unsuccessful login attempt from ' . $_SERVER['REMOTE_ADDR'] . '.');
+            throw $e;
+        }
+
+        Logger::stats(
+            'User \'' . $username . '\' at \'' . $organization
+            . '\' successfully authenticated from ' . $_SERVER['REMOTE_ADDR'],
+        );
+
+        // Add the selected Org to the state
+        $mapping = $source->getMapping();
+        $state[self::SOURCEID] = $mapping[$organization]['authsource'];
+        $state[self::ORGID] = $organization;
+        $state['PersistentAuthData'][] = self::ORGID;
+
+        $state['Attributes'] = $attributes;
+        Auth\Source::completeAuth($state);
+
+
+        // Save the $state-array, so that we can restore it after a redirect
+        $authStateId = Auth\State::saveState($state, self::STAGEID);
+
+        parent::handleLogin($authStateId, $username, $password, $organization);
+    }
+
+
     /**
      * Attempt to log in using the given username and password.
      *
@@ -183,4 +264,15 @@ protected function getOrganizations(): array
     {
         return $this->orgs;
     }
+
+
+    /**
+     * Retrieve the mapping
+     *
+     * @return array<mixed> Associative array with the organization/authsource mapping.
+     */
+    protected function getMapping(): array
+    {
+        return $this->mapping;
+    }
 }