Merge pull request #195 from silinternational/feature/mfa-module

directly include the mfa module
silinternational · May 18, 2024 · e6ab52a · e6ab52a
2 parents a7c63a7 + e0941ca
commit e6ab52a
Show file tree

Hide file tree

Showing 36 changed files with 4,268 additions and 139 deletions.
diff --git a/README.md b/README.md
@@ -172,6 +172,81 @@ This is adapted from the `ssp-iidp-expirycheck` and `expirycheck` modules.
 Thanks to Alex Mihičinac, Steve Moitozo, and Steve Bagwell for the initial work
 they did on those two modules.
 
+### Multi-Factor Authentication (MFA) simpleSAMLphp Module
+A simpleSAMLphp module for prompting the user for MFA credentials (such as a
+TOTP code, etc.).
+
+This mfa module is implemented as an Authentication Processing Filter,
+or AuthProc. That means it can be configured in the global config.php file or
+the SP remote or IdP hosted metadata.
+
+It is recommended to run the mfa module at the IdP, and configure the
+filter to run before all the other filters you may have enabled.
+
+#### How to use the module
+
+You will need to set filter parameters in your config. We recommend adding
+them to the `'authproc'` array in your `metadata/saml20-idp-hosted.php` file.
+
+Example (for `metadata/saml20-idp-hosted.php`):
+
+    use Sil\PhpEnv\Env;
+    use Sil\Psr3Adapters\Psr3SamlLogger;
+
+    // ...
+
+    'authproc' => [
+        10 => [
+            // Required:
+            'class' => 'mfa:Mfa',
+            'employeeIdAttr' => 'employeeNumber',
+            'idBrokerAccessToken' => Env::get('ID_BROKER_ACCESS_TOKEN'),
+            'idBrokerAssertValidIp' => Env::get('ID_BROKER_ASSERT_VALID_IP'),
+            'idBrokerBaseUri' => Env::get('ID_BROKER_BASE_URI'),
+            'idBrokerTrustedIpRanges' => Env::get('ID_BROKER_TRUSTED_IP_RANGES'),
+            'idpDomainName' => Env::get('IDP_DOMAIN_NAME'),
+            'mfaSetupUrl' => Env::get('MFA_SETUP_URL'),
+
+            // Optional:
+            'loggerClass' => Psr3SamlLogger::class,
+        ],
+        
+        // ...
+    ],
+
+The `employeeIdAttr` parameter represents the SAML attribute name which has
+the user's Employee ID stored in it. In certain situations, this may be
+displayed to the user, as well as being used in log messages.
+
+The `loggerClass` parameter specifies the name of a PSR-3 compatible class that
+can be autoloaded, to use as the logger within ExpiryDate.
+
+The `mfaSetupUrl` parameter is for the URL of where to send the user if they
+want/need to set up MFA.
+
+The `idpDomainName` parameter is used to assemble the Relying Party Origin
+(RP Origin) for WebAuthn MFA options.
+
+#### Why use an AuthProc for MFA?
+Based on...
+
+- the existence of multiple other simpleSAMLphp modules used for MFA and
+  implemented as AuthProcs,
+- implementing my solution as an AuthProc and having a number of tests that all
+  confirm that it is working as desired, and
+- a discussion in the SimpleSAMLphp mailing list about this:  
+  https://groups.google.com/d/msg/simplesamlphp/ocQols0NCZ8/RL_WAcryBwAJ
+
+... it seems sufficiently safe to implement MFA using a simpleSAMLphp AuthProc.
+
+For more of the details, please see this Stack Overflow Q&A:  
+https://stackoverflow.com/q/46566014/3813891
+
+#### Acknowledgements
+This is adapted from the `silinternational/simplesamlphp-module-mfa`
+module, which itself is adapted from other modules. Thanks to all those who
+contributed to that work.
+
 ### Profile Review SimpleSAMLphp Module
 
 A simpleSAMLphp module for prompting the user review their profile (such as

diff --git a/actions-services.yml b/actions-services.yml
@@ -7,9 +7,14 @@ services:
       - ssp-idp1.local
       - ssp-idp2.local
       - ssp-sp1.local
+      - pwmanager.local
       - test-browser
     environment:
-      - PROFILE_URL_FOR_TESTS=http://ssp-sp1.local/module.php/core/authenticate.php?as=ssp-hub
+      - PROFILE_URL_FOR_TESTS=http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub
+      - [email protected]
+      - ADMIN_PASS=b
+      - SECRET_SALT=abc123
+      - IDP_NAME=x
     volumes:
       - ./dockerbuild/run-integration-tests.sh:/data/run-integration-tests.sh
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
@@ -75,14 +80,24 @@ services:
 
       # Enable checking our test metadata
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
+
+      # Include the features folder (for the FakeIdBrokerClient class)
+      - ./features:/data/features
     command: 'bash -c "/data/enable-exampleauth-module.sh && /data/run.sh"'
     environment:
       ADMIN_EMAIL: "[email protected]"
       ADMIN_PASS: "a"
       SECRET_SALT: "not-secret-h57fjemb&dn^nsJFGNjweJ"
       IDP_NAME: "IDP 1"
-      PROFILE_URL: "http://ssp-hub-sp1:8083/module.php/core/authenticate.php?as=ssp-hub-custom-port"
-      PROFILE_URL_FOR_TESTS: "http://ssp-sp1.local/module.php/core/authenticate.php?as=ssp-hub"
+      IDP_DOMAIN_NAME: "mfaidp"
+      ID_BROKER_ACCESS_TOKEN: "dummy"
+      ID_BROKER_ASSERT_VALID_IP: "false"
+      ID_BROKER_BASE_URI: "dummy"
+      ID_BROKER_TRUSTED_IP_RANGES: "192.168.0.1/8"
+      MFA_SETUP_URL: "http://pwmanager.local:8083/module.php/core/authenticate.php?as=ssp-hub-custom-port"
+      REMEMBER_ME_SECRET: "12345"
+      PROFILE_URL: "http://pwmanager:8083/module.php/core/authenticate.php?as=ssp-hub-custom-port"
+      PROFILE_URL_FOR_TESTS: "http://pwmanager.local/module.php/core/authenticate.php?as=ssp-hub"
       SECURE_COOKIE: "false"
       SHOW_SAML_ERRORS: "true"
       THEME_USE: "default"
@@ -139,3 +154,25 @@ services:
       SHOW_SAML_ERRORS: "true"
       SAML20_IDP_ENABLE: "false"
       ADMIN_PROTECT_INDEX_PAGE: "false"
+
+  pwmanager.local:
+    image: silintl/ssp-base:develop
+    volumes:
+      # Utilize custom certs
+      - ./development/sp-local/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
+
+      # Utilize custom configs
+      - ./development/sp-local/config/authsources-pwmanager.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
+
+      # Utilize custom metadata
+      - ./development/sp-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+    environment:
+      - [email protected]
+      - ADMIN_PASS=sp1
+      - IDP_NAME=THIS VARIABLE IS REQUIRED BUT PROBABLY NOT USED
+      - SECRET_SALT=NOT-a-secret-k49fjfkw73hjf9t87wjiw
+      - SECURE_COOKIE=false
+      - SHOW_SAML_ERRORS=true
+      - SAML20_IDP_ENABLE=false
+      - ADMIN_PROTECT_INDEX_PAGE=false
+      - THEME_USE=default
diff --git a/behat.yml b/behat.yml
@@ -11,7 +11,7 @@ default:
       contexts: [ 'FeatureContext' ]
     mfa_features:
       paths:    [ '%paths.base%//features//mfa.feature' ]
-      contexts: [ 'FeatureContext' ]
+      contexts: [ 'MfaContext' ]
     profilereview_features:
       paths:    [ '%paths.base%//features//profilereview.feature' ]
       contexts: [ 'ProfileReviewContext' ]
diff --git a/composer.json b/composer.json
@@ -17,13 +17,14 @@
     "simplesamlphp/simplesamlphp": "^1.19.6",
     "simplesamlphp/composer-module-installer": "1.1.8",
     "silinternational/simplesamlphp-module-silauth": "^7.1.1",
-    "silinternational/simplesamlphp-module-mfa": "^5.2.1",
     "silinternational/ssp-utilities": "^1.1.0",
     "silinternational/simplesamlphp-module-material": "^8.1.1",
     "silinternational/simplesamlphp-module-sildisco": "^4.0.0",
     "silinternational/php-env": "^3.1.0",
     "silinternational/psr3-adapters": "^3.1",
-    "gettext/gettext": "^4.8@dev"
+    "gettext/gettext": "^4.8@dev",
+    "silinternational/idp-id-broker-php-client": "^4.3",
+    "sinergi/browser-detector": "^6.1"
   },
   "require-dev": {
     "behat/behat": "^3.8",
@@ -35,7 +36,10 @@
   "autoload": {
     "files": [
       "vendor/yiisoft/yii2/Yii.php"
-    ]
+    ],
+    "psr-4": {
+      "Sil\\SspBase\\Features\\": "features/"
+    }
   },
   "config": {
     "allow-plugins": {