Merge pull request #79 from SURFnet/bugfix/auth-white-page

Display informative error pages in case of authentication failures
OpenConext · Jun 12, 2015 · 3529551 · 3529551
2 parents 8058dd3 + 4a670ba
commit 3529551
Show file tree

Hide file tree

Showing 6 changed files with 131 additions and 13 deletions.
diff --git a/app/Resources/translations/messages.en_GB.xliff b/app/Resources/translations/messages.en_GB.xliff
@@ -153,6 +153,21 @@
         <source>ra.error.page_not_found.title</source>
         <target>Page not found</target>
       </trans-unit>
+      <trans-unit id="bc635e1d511d5493da1d62205474b9b528a909e7" resname="ra.error.saml_authentication_exception.button.try_again">
+        <jms:reference-file line="10">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.button.try_again</source>
+        <target>Retry sign-in</target>
+      </trans-unit>
+      <trans-unit id="807a7c0d931d6c921d28cc278b1fabe039da6aca" resname="ra.error.saml_authentication_exception.text.authentication_exception">
+        <jms:reference-file line="8">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.text.authentication_exception</source>
+        <target>Sign in unsuccessful. Please try again.</target>
+      </trans-unit>
+      <trans-unit id="c2f8bdc515213137f633b8d91ebe6f4f43692f92" resname="ra.error.saml_authentication_exception.title">
+        <jms:reference-file line="3">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.title</source>
+        <target>Sign in</target>
+      </trans-unit>
       <trans-unit id="47315f10d842cd2eebc6edd15f7fc5fa5bdeb631" resname="ra.error.saml_authn_failed.button.try_again">
         <jms:reference-file line="10">Saml/Exception/authnFailed.html.twig</jms:reference-file>
         <source>ra.error.saml_authn_failed.button.try_again</source>
@@ -168,6 +183,21 @@
         <source>ra.error.saml_authn_failed.title</source>
         <target>Sign in</target>
       </trans-unit>
+      <trans-unit id="04f2844e0bcb0107e26422ea7817be4493b00b41" resname="ra.error.saml_bad_credentials.button.try_again">
+        <jms:reference-file line="10">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.button.try_again</source>
+        <target>Retry sign-in</target>
+      </trans-unit>
+      <trans-unit id="30a8b063d31913d070d6f0c8ff823512cb1f6dd2" resname="ra.error.saml_bad_credentials.text.bad_credentials">
+        <jms:reference-file line="8">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.text.bad_credentials</source>
+        <target>You are not authorised to sign in.</target>
+      </trans-unit>
+      <trans-unit id="f439b5301a358a31defda15db12d38a35cf1a3bb" resname="ra.error.saml_bad_credentials.title">
+        <jms:reference-file line="3">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.title</source>
+        <target>Sign in</target>
+      </trans-unit>
       <trans-unit id="4c1a7f7aa6b9f7a2928e894933fac97b7d41198c" resname="ra.error.saml_no_authn_context.text.authn_failed">
         <jms:reference-file line="8">Saml/Exception/noAuthnContext.html.twig</jms:reference-file>
         <source>ra.error.saml_no_authn_context.text.authn_failed</source>

diff --git a/app/Resources/translations/messages.nl_NL.xliff b/app/Resources/translations/messages.nl_NL.xliff
@@ -153,6 +153,21 @@
         <source>ra.error.page_not_found.title</source>
         <target>Pagina niet gevonden</target>
       </trans-unit>
+      <trans-unit id="bc635e1d511d5493da1d62205474b9b528a909e7" resname="ra.error.saml_authentication_exception.button.try_again">
+        <jms:reference-file line="10">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.button.try_again</source>
+        <target>Probeer nogmaals in te loggen</target>
+      </trans-unit>
+      <trans-unit id="807a7c0d931d6c921d28cc278b1fabe039da6aca" resname="ra.error.saml_authentication_exception.text.authentication_exception">
+        <jms:reference-file line="8">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.text.authentication_exception</source>
+        <target>Inloggen mislukt. Probeer het nog eens.</target>
+      </trans-unit>
+      <trans-unit id="c2f8bdc515213137f633b8d91ebe6f4f43692f92" resname="ra.error.saml_authentication_exception.title">
+        <jms:reference-file line="3">Saml/Exception/authenticationException.html.twig</jms:reference-file>
+        <source>ra.error.saml_authentication_exception.title</source>
+        <target>Inloggen</target>
+      </trans-unit>
       <trans-unit id="47315f10d842cd2eebc6edd15f7fc5fa5bdeb631" resname="ra.error.saml_authn_failed.button.try_again">
         <jms:reference-file line="10">Saml/Exception/authnFailed.html.twig</jms:reference-file>
         <source>ra.error.saml_authn_failed.button.try_again</source>
@@ -168,6 +183,21 @@
         <source>ra.error.saml_authn_failed.title</source>
         <target>Inloggen</target>
       </trans-unit>
+      <trans-unit id="04f2844e0bcb0107e26422ea7817be4493b00b41" resname="ra.error.saml_bad_credentials.button.try_again">
+        <jms:reference-file line="10">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.button.try_again</source>
+        <target>Probeer nogmaals in te loggen</target>
+      </trans-unit>
+      <trans-unit id="30a8b063d31913d070d6f0c8ff823512cb1f6dd2" resname="ra.error.saml_bad_credentials.text.bad_credentials">
+        <jms:reference-file line="8">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.text.bad_credentials</source>
+        <target>Je hebt niet de juiste rechten om in te mogen loggen.</target>
+      </trans-unit>
+      <trans-unit id="f439b5301a358a31defda15db12d38a35cf1a3bb" resname="ra.error.saml_bad_credentials.title">
+        <jms:reference-file line="3">Saml/Exception/badCredentialsException.html.twig</jms:reference-file>
+        <source>ra.error.saml_bad_credentials.title</source>
+        <target>Inloggen</target>
+      </trans-unit>
       <trans-unit id="4c1a7f7aa6b9f7a2928e894933fac97b7d41198c" resname="ra.error.saml_no_authn_context.text.authn_failed">
         <jms:reference-file line="8">Saml/Exception/noAuthnContext.html.twig</jms:reference-file>
         <source>ra.error.saml_no_authn_context.text.authn_failed</source>

diff --git a/app/Resources/views/base.html.twig b/app/Resources/views/base.html.twig
@@ -28,6 +28,7 @@
                 <h1>{{ 'app.name'|trans }}</h1>
             </div>
             {% block menu %}
+            {% if app.user %}
             <div class="row-fluid">
                 <div class="col-sm-6">
                     <ul class="nav nav-pills">
@@ -48,13 +49,11 @@
                     <form name="logout" method="post" action="{{ path('logout') }}" class="pull-right">
                         <button type="submit" class="btn btn-link"><i class="fa fa-sign-out"></i> {{ 'button.logout'|trans }}</button>
                     </form>
-                    {% if app.user %}
                         {% set locale_switcher = stepup_locale_switcher(app.request.locale, 'ra_switch_locale', {'return-url': app.request.uri}) %}
                         {{ form_start(locale_switcher, { attr: { class: 'form-inline' }}) }}
                         {{ form_widget(locale_switcher.locale) }}
                         {{ form_widget(locale_switcher.switch) }}
                         {{ form_end(locale_switcher) }}
-                    {% endif %}
                 {% if is_granted('ROLE_SRAA') %}
                     <ul class="nav nav-pills pull-right">
                         <li role="presentation"{% if app.request.attributes.get('_route') == 'sraa_select_institution' %} class="active"{% endif %}>
@@ -68,6 +67,7 @@
             </div>
             <div class="clearfix"></div>
             <hr>
+            {% endif %}
             {% endblock menu %}
         {% endblock page_header %}
 

diff --git a/...urfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/authenticationException.html.twig b/...urfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/authenticationException.html.twig
@@ -0,0 +1,12 @@
+{% extends '::base.html.twig' %}
+
+{% block page_title %}{{ 'ra.error.saml_authentication_exception.title'|trans }}{% endblock %}
+
+{% block content %}
+    <h2>{{ block('page_title') }}</h2>
+
+    <p>{{ 'ra.error.saml_authentication_exception.text.authentication_exception'|trans }}</p>
+    <a class="btn btn-primary" href="{{ path('ra_vetting_search') }}">
+        {{ 'ra.error.saml_authentication_exception.button.try_again'|trans }}
+    </a>
+{% endblock %}
diff --git a/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/badCredentials.html.twig b/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/badCredentials.html.twig
@@ -0,0 +1,12 @@
+{% extends '::base.html.twig' %}
+
+{% block page_title %}{{ 'ra.error.saml_bad_credentials.title'|trans }}{% endblock %}
+
+{% block content %}
+    <h2>{{ block('page_title') }}</h2>
+
+    <p>{{ 'ra.error.saml_bad_credentials.text.bad_credentials'|trans }}</p>
+    <a class="btn btn-primary" href="{{ path('ra_vetting_search') }}">
+        {{ 'ra.error.saml_bad_credentials.button.try_again'|trans }}
+    </a>
+{% endblock %}
diff --git a/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php b/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php
@@ -34,6 +34,7 @@
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\Firewall\ListenerInterface;
 use Twig_Environment as Twig;
 
@@ -94,7 +95,7 @@ private function handleEvent(GetResponseEvent $event)
             $assertion = $samlInteractionProvider->processSamlResponse($event->getRequest());
         } catch (PreconditionNotMetException $e) {
             $logger->notice(sprintf('SAML response precondition not met: "%s"', $e->getMessage()));
-            $this->setPreconditionExceptionResponse($e, $event);
+            $event->setResponse($this->renderPreconditionExceptionResponse($e));
             return;
         } catch (Exception $e) {
             $logger->error(sprintf('Failed SAMLResponse Parsing: "%s"', $e->getMessage()));
@@ -120,13 +121,21 @@ private function handleEvent(GetResponseEvent $event)
 
         try {
             $authToken = $authenticationManager->authenticate($token);
+        } catch (BadCredentialsException $exception) {
+            $logger->error(
+                sprintf('Bad credentials, reason: "%s"', $exception->getMessage()),
+                ['exception' => $exception]
+            );
+
+            $event->setResponse($this->renderBadCredentialsResponse($exception));
+            return;
         } catch (AuthenticationException $failed) {
-            $logger->error(sprintf('Authentication Failed, reason: "%s"', $failed->getMessage()));
+            $logger->error(
+                sprintf('Authentication Failed, reason: "%s"', $failed->getMessage()),
+                ['exception' => $failed]
+            );
 
-            // By default deny authorization
-            $response = new Response();
-            $response->setStatusCode(Response::HTTP_FORBIDDEN);
-            $event->setResponse($response);
+            $event->setResponse($this->renderAuthenticationExceptionResponse($failed));
             return;
         }
 
@@ -138,10 +147,8 @@ private function handleEvent(GetResponseEvent $event)
         $logger->notice('Authentication succeeded, redirecting to original location');
     }
 
-    private function setPreconditionExceptionResponse(PreconditionNotMetException $exception, GetResponseEvent $event)
+    private function renderPreconditionExceptionResponse(PreconditionNotMetException $exception)
     {
-        $template = null;
-
         if ($exception instanceof AuthnFailedSamlResponseException) {
             $template = 'SurfnetStepupRaRaBundle:Saml/Exception:authnFailed.html.twig';
         } elseif ($exception instanceof NoAuthnContextSamlResponseException) {
@@ -152,10 +159,37 @@ private function setPreconditionExceptionResponse(PreconditionNotMetException $e
             $template = 'SurfnetStepupRaRaBundle:Saml/Exception:preconditionNotMet.html.twig';
         }
 
+        return $this->renderTemplate($template, ['exception' => $exception]);
+    }
+
+    private function renderBadCredentialsResponse(BadCredentialsException $exception)
+    {
+        return $this->renderTemplate(
+            'SurfnetStepupRaRaBundle:Saml/Exception:badCredentials.html.twig',
+            ['exception' => $exception]
+        );
+    }
+
+    private function renderAuthenticationExceptionResponse(AuthenticationException $exception)
+    {
+        return $this->renderTemplate(
+            'SurfnetStepupRaRaBundle:Saml/Exception:authenticationException.html.twig',
+            ['exception' => $exception]
+        );
+    }
+
+    /**
+     * @param       $template
+     * @param array $context
+     * @return Response
+     */
+    private function renderTemplate($template, array $context)
+    {
         /** @var Twig $twig */
         $twig = $this->container->get('twig');
-        $html = $twig->render($template, ['exception' => $exception]);
-        $event->setResponse(new Response($html, Response::HTTP_UNAUTHORIZED));
+        $html = $twig->render($template, $context);
+
+        return new Response($html, Response::HTTP_UNAUTHORIZED);
     }
 
     /**