diff --git a/app/Resources/translations/messages.en_GB.xliff b/app/Resources/translations/messages.en_GB.xliff index b3ceb3bb..fd186c63 100644 --- a/app/Resources/translations/messages.en_GB.xliff +++ b/app/Resources/translations/messages.en_GB.xliff @@ -153,6 +153,21 @@ ra.error.page_not_found.title Page not found + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.button.try_again + Retry sign-in + + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.text.authentication_exception + Sign in unsuccessful. Please try again. + + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.title + Sign in + Saml/Exception/authnFailed.html.twig ra.error.saml_authn_failed.button.try_again @@ -168,6 +183,21 @@ ra.error.saml_authn_failed.title Sign in + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.button.try_again + Retry sign-in + + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.text.bad_credentials + You are not authorised to sign in. + + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.title + Sign in + Saml/Exception/noAuthnContext.html.twig ra.error.saml_no_authn_context.text.authn_failed diff --git a/app/Resources/translations/messages.nl_NL.xliff b/app/Resources/translations/messages.nl_NL.xliff index 462f393a..a7ca1f8e 100644 --- a/app/Resources/translations/messages.nl_NL.xliff +++ b/app/Resources/translations/messages.nl_NL.xliff 
@@ -153,6 +153,21 @@ ra.error.page_not_found.title Pagina niet gevonden + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.button.try_again + Probeer nogmaals in te loggen + + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.text.authentication_exception + Inloggen mislukt. Probeer het nog eens. + + + Saml/Exception/authenticationException.html.twig + ra.error.saml_authentication_exception.title + Inloggen + Saml/Exception/authnFailed.html.twig ra.error.saml_authn_failed.button.try_again @@ -168,6 +183,21 @@ ra.error.saml_authn_failed.title Inloggen + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.button.try_again + Probeer nogmaals in te loggen + + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.text.bad_credentials + Je hebt niet de juiste rechten om in te mogen loggen. + + + Saml/Exception/badCredentialsException.html.twig + ra.error.saml_bad_credentials.title + Inloggen + Saml/Exception/noAuthnContext.html.twig ra.error.saml_no_authn_context.text.authn_failed diff --git a/app/Resources/views/base.html.twig b/app/Resources/views/base.html.twig index 99b6257f..548e9482 100644 --- a/app/Resources/views/base.html.twig +++ b/app/Resources/views/base.html.twig @@ -28,6 +28,7 @@

{{ 'app.name'|trans }}

{% block menu %} + {% if app.user %}

+ {% endif %} {% endblock menu %} {% endblock page_header %} diff --git a/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/authenticationException.html.twig b/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/authenticationException.html.twig new file mode 100644 index 00000000..6dfb0afb --- /dev/null +++ b/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/authenticationException.html.twig @@ -0,0 +1,12 @@ +{% extends '::base.html.twig' %} + +{% block page_title %}{{ 'ra.error.saml_authentication_exception.title'|trans }}{% endblock %} + +{% block content %} +
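Review bot: Wrapping the menu in `{% if app.user %}` only hides navigation from anonymous visitors; it is not an access check, so the routes the menu links to must still be protected by the firewall / access_control configuration, which is not part of this diff. A short comment next to the condition would keep the next maintainer from treating it as authorisation: `{# menu is hidden for anonymous users only; route access is enforced by the security firewall #}`. The enclosing page_header block starts outside the hunk.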

{{ block('page_title') }}

+ +

{{ 'ra.error.saml_authentication_exception.text.authentication_exception'|trans }}

+ + {{ 'ra.error.saml_authentication_exception.button.try_again'|trans }} + +{% endblock %} diff --git a/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/badCredentials.html.twig b/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/badCredentials.html.twig new file mode 100644 index 00000000..4bb73a54 --- /dev/null +++ b/src/Surfnet/StepupRa/RaBundle/Resources/views/Saml/Exception/badCredentials.html.twig @@ -0,0 +1,12 @@ +{% extends '::base.html.twig' %} + +{% block page_title %}{{ 'ra.error.saml_bad_credentials.title'|trans }}{% endblock %} + +{% block content %} +

{{ block('page_title') }}

+ +

{{ 'ra.error.saml_bad_credentials.text.bad_credentials'|trans }}

+ + {{ 'ra.error.saml_bad_credentials.button.try_again'|trans }} + +{% endblock %}
diff --git a/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php b/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php
index 10b869be..08a644b2 100644
--- a/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php
+++ b/src/Surfnet/StepupRa/RaBundle/Security/Firewall/SamlListener.php
@@ -34,6 +34,7 @@
 use Symfony\Component\HttpKernel\Event\GetResponseEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\Firewall\ListenerInterface;
 use Twig_Environment as Twig;
@@ -94,7 +95,7 @@ private function handleEvent(GetResponseEvent $event)
 $assertion = $samlInteractionProvider->processSamlResponse($event->getRequest());
 } catch (PreconditionNotMetException $e) {
 $logger->notice(sprintf('SAML response precondition not met: "%s"', $e->getMessage()));
- $this->setPreconditionExceptionResponse($e, $event);
+ $event->setResponse($this->renderPreconditionExceptionResponse($e));
 return;
 } catch (Exception $e) {
 $logger->error(sprintf('Failed SAMLResponse Parsing: "%s"', $e->getMessage()));
@@ -120,13 +121,21 @@ private function handleEvent(GetResponseEvent $event)
 try {
 $authToken = $authenticationManager->authenticate($token);
+ } catch (BadCredentialsException $exception) {
+ $logger->error(
+ sprintf('Bad credentials, reason: "%s"', $exception->getMessage()),
+ ['exception' => $exception]
+ );
+
+ $event->setResponse($this->renderBadCredentialsResponse($exception));
+ return;
 } catch (AuthenticationException $failed) {
- $logger->error(sprintf('Authentication Failed, reason: "%s"', $failed->getMessage()));
+ $logger->error(
+ sprintf('Authentication Failed, reason: "%s"', $failed->getMessage()),
+ ['exception' => $failed]
+ );
- // By default deny authorization
- $response = new Response();
- $response->setStatusCode(Response::HTTP_FORBIDDEN);
- $event->setResponse($response);
+ $event->setResponse($this->renderAuthenticationExceptionResponse($failed));
 return;
 }
@@ -138,10 +147,8 @@ private function handleEvent(GetResponseEvent $event)
 $logger->notice('Authentication succeeded, redirecting to original location');
 }
- private function setPreconditionExceptionResponse(PreconditionNotMetException $exception, GetResponseEvent $event)
+ private function renderPreconditionExceptionResponse(PreconditionNotMetException $exception)
 {
- $template = null;
-
 if ($exception instanceof AuthnFailedSamlResponseException) {
 $template = 'SurfnetStepupRaRaBundle:Saml/Exception:authnFailed.html.twig';
 } elseif ($exception instanceof NoAuthnContextSamlResponseException) {
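Review bot: The new `catch (BadCredentialsException $exception)` block only works because it is placed before `catch (AuthenticationException $failed)`; BadCredentialsException is a subclass of AuthenticationException, so reordering the two would silently send bad-credential failures to the generic error page. A one-line comment guards against that: `// BadCredentialsException extends AuthenticationException; this catch must stay first`. The removed `Response::HTTP_FORBIDDEN` branch also means every AuthenticationException now gets whatever status renderTemplate produces (401 in the -152 hunk) instead of 403, a behavioural change worth stating in the commit message. handleEvent continues outside the hunk on both sides.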
@@ -152,10 +159,37 @@ private function setPreconditionExceptionResponse(PreconditionNotMetException $e
 $template = 'SurfnetStepupRaRaBundle:Saml/Exception:preconditionNotMet.html.twig';
 }
+ return $this->renderTemplate($template, ['exception' => $exception]);
+ }
+
+ private function renderBadCredentialsResponse(BadCredentialsException $exception)
+ {
+ return $this->renderTemplate(
+ 'SurfnetStepupRaRaBundle:Saml/Exception:badCredentials.html.twig',
+ ['exception' => $exception]
+ );
+ }
+
+ private function renderAuthenticationExceptionResponse(AuthenticationException $exception)
+ {
+ return $this->renderTemplate(
+ 'SurfnetStepupRaRaBundle:Saml/Exception:authenticationException.html.twig',
+ ['exception' => $exception]
+ );
+ }
+
+ /**
+ * @param $template
+ * @param array $context
+ * @return Response
+ */
+ private function renderTemplate($template, array $context)
+ {
 /** @var Twig $twig */
 $twig = $this->container->get('twig');
- $html = $twig->render($template, ['exception' => $exception]);
- $event->setResponse(new Response($html, Response::HTTP_UNAUTHORIZED));
+ $html = $twig->render($template, $context);
+
+ return new Response($html, Response::HTTP_UNAUTHORIZED);
 }
 /**
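Review bot: `renderTemplate` hard-codes `Response::HTTP_UNAUTHORIZED` for every error page, so the bad-credentials case, whose user text is "You are not authorised to sign in", is now answered with 401 where the old AuthenticationException path answered 403; a 401 sent without a `WWW-Authenticate` header is also not what RFC 7235 prescribes. Give the helper a status argument so each caller chooses: `private function renderTemplate($template, array $context, $statusCode = Response::HTTP_UNAUTHORIZED)` and `return new Response($html, $statusCode);`, with `renderBadCredentialsResponse` passing `Response::HTTP_FORBIDDEN`. The docblock should also type the first parameter, `@param string $template`, since it is a Twig template name. Both new helpers put the exception object into the Twig context although the new templates in this commit only render translated strings; if a later template prints `exception.message`, provider-supplied failure text would reach the browser, so either drop `exception` from the context or document that templates must not output it.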