Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[MAJOR] v2 rewrite, removes SimpleSAMLphp for onelogin/php-saml (#19)
Major refactor of silverstripe-realme module to create version 2.0.0 The module now uses the `onelogin/php-saml` SAML library rather than the much more bloated SimpleSAMLphp application. * FEAT: Provide new `RealMeUser` class that encapsulates logon or assert user information. * FEAT: Tidy up of RealMeSetupTask to match new metadata XML * FEAT: Add assert login form * FEAT: Update certificate check to test for \r and \n characters (e.g. on Windows systems) * FEAT: Log error via SS_Log when auth errors are returned by onelogin * FEAT: Switch to using setProxyVars, and only if TRUSTED_PROXY is set to true for security (so someone can't protocol-downgrade if they can bypass a fronting WAF, for example) * FEAT: Set original SAMLResponse in session so it can be retrieved later * FEAT: Add error messages to RealMe form if they exist * FEAT: Add 'standard' error messages, and allow the ability to override by YML * FEAT: Add noopener/noreferer to links that open in target="_blank" * FEAT: Remove ability to set RealMeBackURL by _REQUEST, add ability to set 'RealMeErrorBackURL' separate to 'RealMeBackURL' * FEAT: Add _ss_env detection around Authenticator::register_authenticator() to avoid issues with Deploynaut-based deploys * FEAT: Merge changes from Terraformers team into PR#19 (#1) * FEAT: Session naming convention modified to use dot notation e.g RealMe.SessionData * FEAT: Redundancy checks added to RealMeUser::getFederatedIdentity() * FEAT: RealMeService::getCertDir() modified to handle sub directories * FEAT: Instances of getCertDir() use modified to follow new convention * FEAT: Current real me user features moved away from Config service. * FEAT: RealMeService now implements TemplateGlobalProvider * FEAT: RealMeService::getUserData() functionality moved to RealMeService::user_data() * FEAT: "RealMeUser" definition added to RealMeService::get_template_global_variables() array * FEAT: RealMeDataExtension.php removed, and associated SiteTree/SiteConfig extension definitions in extensions.yml * FEAT: RealMeAuthenticator::on_register() use of cache modified to test for availability of key in cache * FEAT: RealMeUser: Modified isValid to check integration type, and check validity between login and assertion integrations (federated logins have more required attributes) * FEAT: enforceLogin() is now split between authentication and error state -> refactored into new function for error processing & translation; clearLogin() now clears all realme session states (Ideally should be all namespaced). * FEAT: Update to use the default styling (blue background) by default * FEAT: Add ability to include a 'mini' login form, suitable for website header/footers * FEAT: Add ability to specify whether the 'What's RealMe?' popup appears to the left or right under the form * FEAT: Allow ability to override service name that is displayed * FEAT: Properly fix the service names (there are three distinct values that are in slightly different contexts) * FEAT: Add public accessors for info stored on RealMeFederatedIdentity * FIX: Update RealMeLoginForm.ss so it doesn't need to be overwritten for every site * FIX: Update requirement for onelogin/php-saml to hopefully resolve issues with signature verification failing * FIX: Always use the absolute base URL, rather than the current page URL, for the RelayState. For strict SAML, RelayState must be < 80 bytes. We may need to revise this later, or not pass a RelayState for a domain is longer than 80 bytes * FIX: Rename NameID (now called SPNameID) and added UserFederatedTag (either FLT or FIT) * FIX: Fix DateOfBirth to return null if any element is missing (shouldn't occur for valid identities though) * FIX: Update log message to include _errorReason * FIX: Remove invalid springload link from RealMeAssertForm.ss template (copied from Shared Workspace) * FIX: Update RealMe links to be https * FIX: Update broken link in assert form * FIX: Use RealMeBackURL rather than overriding the standard member login form's BackURL, as it can be cleared elsewhere accidentally * FIX: Don't require all federated identity tags, better handle cases where values aren't present (e.g. BirthPlaceQuality) * FIX: Application Name / Service ID part of the entity ID can be up 20 chars * FIX: Update error message for NoAvailableIDP to remove the reference to igovt * FIX: Remove leading/trailing whitespace from certificate contents before returning * FIX: Update requirements per dhensby changes, and change .gitignore * FIX: Update docblocks with changes suggested by Scrutinizer * FIX: Remove 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' from message spec * FIX: Optimise DBField creation in RealMeFederatedIdentity::getDateOfBirth() * FIX: .gitignore removed because it didn't contain any entries relevant to project specifically * FIX: Use of `sizeof($errors) > 0` replaced with `!empty($errors)` in RealMeService::enforceLogin() * FIX: RealMeSecurityExtension: Removed unused constants and unused error handlers/translations * FIX: RealMeService: fixed user_data function to return user * FIX: Add NameIDFormat back (revert 97bf2ce), but make it work for both logon and assert * FIX: Ensure we only redirect users if they aren't already being redirected (allowing application code to redirect users to a custom destination instead) * FIX: Always send a specific NameIDFormat, depending on the integration type. * FIX: RealMe (MTS at least, possible ITE and Prod) will fail oddly if the NameIDFormat provided in AuthN requests does not match the one supplied during metadata upload/submission. On MTS, this results in the AuthN request being successfully validated, but after submitting the resulting form, MTS fails with a HTTP 404 error rather than redirecting back to the issuer. This simple change ensures that the NameIDFormat we use when running dev/tasks/RealMeSetupTask matches the NameIDFormat that is used when submitting the AuthN request. * FIX: Minor style tidyup * FIX: Update comments in RealMeService to be more accurate for enforceLogin- Add tests for getAuth() and various overrides * FIX: Fix issue with running tests via travis doesn't work because of missing env vars (force env var setting during tests) * DOCS: Added @jakxnz to README because I squashed all his commits and lost his hard work. Sorry :( * DOCS: Update installation documentation to remove references to SimpleSAMLphp * DOCS: Update changelog a bit, add note to README, mark getSigningCertPassword() as deprecated, remove old config params * DOCS: Installation instructions updated * DOCS: Changelog updated * DOCS: Readme updated * DOCS: Revert change to installation.md to correct version - still need custom fork of module until changes can be made generic and merged upstream to onelogin/php-saml. * DOCS: Update text to reference latest version of Login and Assert assets * DOCS: Update code example to fix old arg * DOCS: Remove reference to old `REALME_MUTUAL_CERT_FILENAME` const from documentation * DOCS: Update README.md and configuration.md to include new instructions mainly using the RealMe Developers site * DOCS: Remove the ssl-certs.md file as this is adequately covered now by the RealMe Developers site * DOCS: Remove installation.md and migrate content to README; update module overrides * TESTS: Remove bootstrap.php (only needed for SimpleSAMLphp), add parent calls to tests * TESTS: Move temp certificate path into RealMeServiceTest method * TESTS: Update travis to match requirements, only build on 5.4+ and SS 3.5 * TESTS: Test certificate contents moved to files in test directory * TESTS: Only bother with PHP5.6 tests, 5.4 and 5.5 aren't officially supported and shouldn't be used anymore anyway * TESTS: Switch to Codecov.io for coverage based on @robbieaverill suggestion
- Loading branch information
