Improve gateway parameter handling to properly match the protocol description

Author: ioigoume

config/module_casserver.php.dist

@@ -115,8 +115,10 @@ $config = [
     'service_ticket_expire_time' => 5,
     // how many seconds proxy granting tickets are valid for at most, defaults to 3600
     'proxy_granting_ticket_expire_time' => 600,
-    //how many seconds proxy tickets are valid for, defaults to 5
+    // how many seconds proxy tickets are valid for, defaults to 5
     'proxy_ticket_expire_time' => 5,
+    // OPTIONAL, enable CAS passive mode, defaults to false
+    //'enable_passive_mode' => true,
 
     // If query param debugMode=true is sent to the login endpoint then print cas ticket xml. Default false
     'debugMode' => true,

src/Controller/LoginController.php

@@ -164,34 +164,34 @@ public function login(
         // This will be used to come back from the AuthSource login or from the Processing Chain
         $returnToUrl = $this->getReturnUrl($request, $sessionTicket);
 
-        // Authenticate
-        if (
-            $requestForceAuthenticate || !$this->authSource->isAuthenticated()
-        ) {
-            $params = [
-                'ForceAuthn' => $forceAuthn,
-                'isPassive' => $gateway,
-                'ReturnTo' => $returnToUrl,
-            ];
-
-            if (isset($entityId)) {
-                $params['saml:idp'] = $entityId;
-            }
+        // Use case 4: renew=true and gateway=true are incompatible → prefer interactive login (disable passive)
+        if ($gateway && $forceAuthn) {
+            $gateway = false;
+        }
 
-            if (isset($this->idpList)) {
-                if (count($this->idpList) > 1) {
-                    $params['saml:IDPList'] = $this->idpList;
-                } else {
-                    $params['saml:idp'] = $this->idpList[0];
-                }
+        // Handle passive authentication
+        if ($gateway && !$this->authSource->isAuthenticated() && !$requestForceAuthenticate) {
+            $gwResult = $this->handleUnauthenticatedGateway(
+                $request,
+                $serviceUrl,
+                $entityId,
+                $returnToUrl,
+            );
+            $gateway = $gwResult['gateway'];
+            if ($gwResult['response'] !== null) {
+                return $gwResult['response'];
             }
+        }
 
-            /*
-             *  REDIRECT TO AUTHSOURCE LOGIN
-             * */
-            return new RunnableResponse(
-                [$this->authSource, 'login'],
-                [$params],
+        // Handle interactive authentication
+        if (
+            $requestForceAuthenticate || !$this->authSource->isAuthenticated()
+        ) {
+            return $this->handleInteractiveAuthenticate(
+                forceAuthn: $forceAuthn,
+                gateway: $gateway,
+                returnToUrl: $returnToUrl,
+                entityId: $entityId,
             );
         }
 
@@ -204,9 +204,8 @@ public function login(
             $this->ticketStore->addTicket($sessionTicket);
         }
 
-        /*
-         *  We are done. REDIRECT TO LOGGEDIN
-         * */
+        /* We are done. REDIRECT TO LOGGEDIN */
+
         if (!isset($serviceUrl) && $this->authProcId === null) {
             $loggedInUrl = Module::getModuleURL('casserver/loggedIn');
             return new RunnableResponse(
@@ -251,6 +250,7 @@ public function login(
             return $t;
         }
 
+        // Use case 1: user has SSO or non-interactive auth succeeded → redirect/POST to service WITH a ticket
         $ticketName = $this->calculateTicketName($service);
         $this->postAuthUrlParameters[$ticketName] = $serviceTicket['id'];
 
@@ -464,4 +464,126 @@ private function instantiateClassDependencies(): void
         // Attribute Extractor
         $this->attributeExtractor = new AttributeExtractor($this->casConfig, $processingChainFactory);
     }
+
+    /**
+     * Trigger interactive authentication via the AuthSource.
+     *
+     * @param bool        $forceAuthn
+     * @param bool        $gateway
+     * @param string      $returnToUrl
+     * @param string|null $entityId
+     *
+     * @return RunnableResponse
+     */
+    private function handleInteractiveAuthenticate(
+        bool $forceAuthn,
+        bool $gateway,
+        string $returnToUrl,
+        ?string $entityId,
+    ): RunnableResponse {
+        $params = [
+            'ForceAuthn' => $forceAuthn,
+            'isPassive' => $gateway,
+            'ReturnTo' => $returnToUrl,
+        ];
+
+        if (isset($entityId)) {
+            $params['saml:idp'] = $entityId;
+        }
+
+        if (isset($this->idpList)) {
+            if (sizeof($this->idpList) > 1) {
+                $params['saml:IDPList'] = $this->idpList;
+            } else {
+                $params['saml:idp'] = $this->idpList[0];
+            }
+        }
+
+        return new RunnableResponse(
+            [$this->authSource, 'login'],
+            [$params],
+        );
+    }
+
+
+    /**
+     * Handle the gateway flow when the user is NOT authenticated.
+     * Passive mode is only attempted if 'enable_passive_mode' is enabled in configuration.
+     *
+     * Returns:
+     * - ['response' => RunnableResponse|null, 'gateway' => bool] where 'gateway' may be toggled off for scenario 3.
+     */
+    private function handleUnauthenticatedGateway(
+        Request $request,
+        ?string $serviceUrl,
+        ?string $entityId,
+        string $returnToUrl,
+    ): array {
+        $passiveAllowed = $this->casConfig->getOptionalBoolean('enable_passive_mode', false);
+
+        // If passive is not enabled by configuration, follow scenario 2/3 directly.
+        if (!$passiveAllowed) {
+            if ($serviceUrl !== null) {
+                // Scenario 2: redirect to service WITHOUT any CAS parameters (always via GET redirect)
+                return [
+                    'response' => new RunnableResponse(
+                        [$this->httpUtils, 'redirectTrustedURL'],
+                        [$serviceUrl, []],
+                    ),
+                    'gateway' => true,
+                ];
+            }
+            // Scenario 3: no service → disable gateway and proceed with interactive login
+            return ['response' => null, 'gateway' => false];
+        }
+
+        // Passive mode enabled: try a passive (non-interactive) authentication once
+        $gatewayTried = $this->getRequestParam($request, 'gatewayTried');
+        if ($gatewayTried !== '1') {
+            $rt = str_contains($returnToUrl, 'gatewayTried=')
+                ? $returnToUrl
+                : $returnToUrl . (str_contains($returnToUrl, '?') ? '&' : '?') . 'gatewayTried=1';
+
+            $passiveParams = [
+                'ForceAuthn' => false,
+                'isPassive' => true,
+                'ReturnTo' => $rt,
+            ];
+
+            if (isset($entityId)) {
+                $passiveParams['saml:idp'] = $entityId;
+            }
+
+            if (isset($this->idpList)) {
+                if (sizeof($this->idpList) > 1) {
+                    $passiveParams['saml:IDPList'] = $this->idpList;
+                } else {
+                    $passiveParams['saml:idp'] = $this->idpList[0];
+                }
+            }
+
+            return [
+                'response' => new RunnableResponse(
+                    [$this->authSource, 'login'],
+                    [$passiveParams],
+                ),
+                'gateway' => true,
+            ];
+        }
+
+        // Passive attempt already performed and still not authenticated.
+        if ($serviceUrl !== null) {
+            // Scenario 2: redirect to service WITHOUT any CAS parameters (always via GET redirect)
+            return [
+                'response' => new RunnableResponse(
+                    [$this->httpUtils, 'redirectTrustedURL'],
+                    [$serviceUrl, []],
+                ),
+                'gateway' => true,
+            ];
+        }
+
+        // Scenario 3: no service provided → disable gateway and proceed with interactive login
+        return ['response' => null, 'gateway' => false];
+    }
 }