Merge pull request #15277 from uberbrady/silence_saml_errors

Fixed: [sc-26355] Attempt to de-escalate SAML login and logout errors
snipe · Aug 13, 2024 · 72fd997 · 72fd997
2 parents 6e84c29 + 10f35c6
commit 72fd997
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 11 deletions.
diff --git a/app/Http/Controllers/Auth/SamlController.php b/app/Http/Controllers/Auth/SamlController.php
@@ -99,12 +99,18 @@ public function acs(Request $request)
     {
         $saml = $this->saml;
         $auth = $saml->getAuth();
-        $auth->processResponse();
+        $saml_exception = false;
+        try {
+            $auth->processResponse();
+        } catch (\Exception $e) {
+            Log::warning("Exception caught in SAML login: " . $e->getMessage());
+            $saml_exception = true;
+        }
         $errors = $auth->getErrors();
 
-        if (! empty($errors)) {
-            Log::error('There was an error with SAML ACS: '.implode(', ', $errors));
-            Log::error('Reason: '.$auth->getLastErrorReason());
+        if (!empty($errors) || $saml_exception) {
+            Log::warning('There was an error with SAML ACS: ' . implode(', ', $errors));
+            Log::warning('Reason: ' . $auth->getLastErrorReason());
 
             return redirect()->route('login')->with('error', trans('auth/message.signin.error'));
         }
@@ -132,12 +138,18 @@ public function sls(Request $request)
     {
         $auth = $this->saml->getAuth();
         $retrieveParametersFromServer = $this->saml->getSetting('retrieveParametersFromServer', false);
-        $sloUrl = $auth->processSLO(true, null, $retrieveParametersFromServer, null, true);
+        $saml_exception = false;
+        try {
+            $sloUrl = $auth->processSLO(true, null, $retrieveParametersFromServer, null, true);
+        } catch (\Exception $e) {
+            Log::warning("Exception caught in SAML single-logout: " . $e->getMessage());
+            $saml_exception = true;
+        }
         $errors = $auth->getErrors();
 
-        if (! empty($errors)) {
-            Log::error('There was an error with SAML SLS: '.implode(', ', $errors));
-            Log::error('Reason: '.$auth->getLastErrorReason());
+        if (!empty($errors) || $saml_exception) {
+            Log::warning('There was an error with SAML SLS: ' . implode(', ', $errors));
+            Log::warning('Reason: ' . $auth->getLastErrorReason());
 
             return view('errors.403');
         }

diff --git a/app/Services/Saml.php b/app/Services/Saml.php
@@ -337,12 +337,12 @@ public function getAuth()
     /**
      * Get a setting.
      *
-     * @author Johnson Yi <[email protected]>
-     *
      * @param string|array|int $key
      * @param mixed $default
      *
-     * @return void
+     * @return mixed
+     * @author Johnson Yi <[email protected]>
+     *
      */
     public function getSetting($key, $default = null)
     {