Merge pull request #193 from silinternational/feature/expirychecker

directly include expirychecker module

Dockerfile

@@ -39,8 +39,12 @@ COPY composer.lock /data/
 RUN composer self-update --no-interaction
 RUN COMPOSER_ALLOW_SUPERUSER=1 composer install --prefer-dist --no-interaction --no-dev --optimize-autoloader --no-scripts --no-progress
 
-# Copy in SSP override files
 ENV SSP_PATH /data/vendor/simplesamlphp/simplesamlphp
+
+# Copy modules into simplesamlphp
+COPY modules/ $SSP_PATH/modules
+
+# Copy in SSP override files
 RUN mv $SSP_PATH/www/index.php $SSP_PATH/www/ssp-index.php
 COPY dockerbuild/ssp-overrides/index.php $SSP_PATH/www/index.php
 RUN mv $SSP_PATH/www/saml2/idp/SingleLogoutService.php $SSP_PATH/www/saml2/idp/ssp-SingleLogoutService.php

README.md

@@ -97,3 +97,77 @@ RUN cd /data/vendor/simplesamlphp/simplesamlphp/modules/material/dictionaries/ov
 ## Misc. Notes
 
 * Use of sildisco's LogUser module is optional and triggered via an authproc.
+
+## Included Modules
+
+### ExpiryChecker simpleSAMLphp Module
+A simpleSAMLphp module for warning users that their password will expire soon
+or that it has already expired.
+
+**NOTE:** This module does *not* prevent the user from logging in. It merely
+shows a warning page (if their password is about to expire), with the option to
+change their password now or later, or it tells the user that their password has
+already expired, with the only option being to go change their password now.
+Both of these pages will be bypassed (for varying lengths of time) if the user
+has recently seen one of those two pages, in order to allow the user to get to
+the change-password website (assuming it is also behind this IdP). If the user
+should not be allowed to log in at all, the simpleSAMLphp Auth. Source should
+consider the credentials provided by the user to be invalid.
+
+The expirychecker module is implemented as an Authentication Processing Filter,
+or AuthProc. That means it can be configured in the global config.php file or
+the SP remote or IdP hosted metadata.
+
+It is recommended to run the expirychecker module at the IdP, and configure the
+filter to run before all the other filters you may have enabled.
+
+#### How to use the module
+
+Set filter parameters in your config. We recommend adding
+them to the `'authproc'` array in your `metadata/saml20-idp-hosted.php` file,
+but you are also able to put them in the `'authproc.idp'` array in your
+`config/config.php` file.
+
+Example (in `metadata/saml20-idp-hosted.php`):
+
+    'authproc' => [
+        10 => [
+            // Required:
+            'class' => 'expirychecker:ExpiryDate',
+            'accountNameAttr' => 'cn',
+            'expiryDateAttr' => 'schacExpiryDate',
+            'passwordChangeUrl' => 'https://idm.example.com/pwdmgr/',
+
+            // Optional:
+            'warnDaysBefore' => 14,
+            'originalUrlParam' => 'originalurl',
+            'dateFormat' => 'm.d.Y', // Use PHP's date syntax.
+            'loggerClass' => '\\Sil\\Psr3Adapters\\Psr3SamlLogger',
+        ],
+        
+        // ...
+    ],
+
+The `accountNameAttr` parameter represents the SAML attribute name which has
+the user's account name stored in it. In certain situations, this will be
+displayed to the user, as well as being used in log messages.
+
+The `expiryDateAttr` parameter represents the SAML attribute name which has
+the user's expiry date, which must be formated as YYYYMMDDHHMMSSZ (e.g.
+`20111011235959Z`). Those two attributes need to be part of the attribute set
+returned when the user successfully authenticates.
+
+The `warnDaysBefore` parameter should be an integer representing how many days
+before the expiry date the "about to expire" warning will be shown to the user.
+
+The `dateFormat` parameter specifies how you want the date to be formatted,
+using PHP `date()` syntax. See <http://php.net/manual/en/function.date.php>.
+
+The `loggerClass` parameter specifies the name of a PSR-3 compatible class that
+can be autoloaded, to use as the logger within ExpiryDate.
+
+#### Acknowledgements
+
+This is adapted from the `ssp-iidp-expirycheck` and `expirycheck` modules.
+Thanks to Alex Mihičinac, Steve Moitozo, and Steve Bagwell for the initial work
+they did on those two modules.

actions-services.yml

@@ -12,6 +12,7 @@ services:
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
       - ./dockerbuild/run-tests.sh:/data/run-tests.sh
       - ./features:/data/features
+      - ./behat.yml:/data/behat.yml
       - ./tests:/data/tests
 
   test-browser:

behat.yml

@@ -0,0 +1,17 @@
+default:
+  suites:
+    dictionary_features:
+      paths:    [ '%paths.base%//features//dictionary-overrides.feature' ]
+      contexts: [ 'FeatureContext' ]
+    expiry_features:
+      paths:    [ '%paths.base%//features//expirychecker.feature' ]
+      contexts: [ 'ExpiryContext' ]
+    material_features:
+      paths:    [ '%paths.base%//features//material.feature' ]
+      contexts: [ 'FeatureContext' ]
+    mfa_features:
+      paths:    [ '%paths.base%//features//mfa.feature' ]
+      contexts: [ 'FeatureContext' ]
+    profilereview_features:
+      paths:    [ '%paths.base%//features//profilereview.feature' ]
+      contexts: [ 'FeatureContext' ]

composer.json

@@ -16,7 +16,6 @@
     "ext-memcached": "*",
     "simplesamlphp/simplesamlphp": "^1.19.6",
     "simplesamlphp/composer-module-installer": "1.1.8",
-    "silinternational/simplesamlphp-module-expirychecker": "^3.1.0",
     "silinternational/simplesamlphp-module-silauth": "^7.1.1",
     "silinternational/simplesamlphp-module-mfa": "^5.2.1",
     "silinternational/simplesamlphp-module-profilereview": "^2.1.0",

development/idp-local/config/authsources.php

@@ -24,7 +24,7 @@
                 gmdate('YmdHis\Z', strtotime('+6 months')), // Distant future
             ],
         ],
-        'near_future:a' => [
+        'near_future:b' => [
             'eduPersonPrincipalName' => ['[email protected]'],
             'sn' => ['Future'],
             'givenName' => ['Near'],
@@ -35,7 +35,7 @@
                 gmdate('YmdHis\Z', strtotime('+1 day')), // Very soon
             ],
         ],
-        'already_past:a' => [
+        'already_past:c' => [
             'eduPersonPrincipalName' => ['[email protected]'],
             'sn' => ['Past'],
             'givenName' => ['Already'],
@@ -46,5 +46,24 @@
                 gmdate('YmdHis\Z', strtotime('-1 day')), // In the past
             ],
         ],
+        'missing_exp:d' => [
+            'eduPersonPrincipalName' => ['[email protected]'],
+            'sn' => ['Expiration'],
+            'givenName' => ['Missing'],
+            'mail' => ['[email protected]'],
+            'employeeNumber' => ['44444'],
+            'cn' => ['MISSING_EXP'],
+        ],
+        'invalid_exp:e' => [
+            'eduPersonPrincipalName' => ['[email protected]'],
+            'sn' => ['Expiration'],
+            'givenName' => ['Invalid'],
+            'mail' => ['[email protected]'],
+            'employeeNumber' => ['55555'],
+            'cn' => ['INVALID_EXP'],
+            'schacExpiryDate' => [
+                'invalid'
+            ],
+        ],
     ],
 ];

docker-compose.yml

@@ -3,14 +3,18 @@ services:
   ssp:
     build: .
     volumes:
-      # Utilize custom certs 
+      # Utilize custom certs
       - ./development/ssp/cert:/data/vendor/simplesamlphp/simplesamlphp/cert
 
       # Utilize custom configs
       - ./development/ssp/config/authsources.php:/data/vendor/simplesamlphp/simplesamlphp/config/authsources.php
 
       # Configure the debugger
       - ./development/ssp/run-debug.sh:/data/run-debug.sh
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
+
     command: ["/data/run-debug.sh"]
     ports:
       - "80:80"
@@ -45,7 +49,9 @@ services:
       - ./dockerbuild/run-tests.sh:/data/run-tests.sh
       - ./dockerbuild/apply-dictionaries-overrides.php:/data/apply-dictionaries-overrides.php
       - ./features:/data/features
+      - ./behat.yml:/data/behat.yml
       - ./tests:/data/tests
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     command: ["/data/run-tests.sh"]
 
   test-browser:
@@ -89,6 +95,9 @@ services:
 
       # Enable checking our test metadata
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     command: /data/run-debug.sh
     ports:
       - "80:80"
@@ -125,6 +134,9 @@ services:
 
       # Enable checking our test metadata
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     command: 'bash -c "/data/enable-exampleauth-module.sh && /data/run.sh"'
     ports:
       - "8085:80"
@@ -155,6 +167,9 @@ services:
       # Utilize custom metadata
       - ./development/idp2-local/metadata/saml20-idp-hosted.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-hosted.php
       - ./development/idp2-local/metadata/saml20-sp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-sp-remote.php
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     command: /data/run.sh
     ports:
       - "8086:80"
@@ -181,6 +196,9 @@ services:
 
       # Enable checking our test metadata
       - ./dockerbuild/run-metadata-tests.sh:/data/run-metadata-tests.sh
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     ports:
       - "8081:80"
     environment:
@@ -204,6 +222,9 @@ services:
 
       # Utilize custom metadata
       - ./development/sp2-local/metadata/saml20-idp-remote.php:/data/vendor/simplesamlphp/simplesamlphp/metadata/saml20-idp-remote.php
+
+      # Local modules
+      - ./modules/expirychecker:/data/vendor/simplesamlphp/simplesamlphp/modules/expirychecker
     ports:
       - "8082:80"
     environment:

dockerbuild/run-integration-tests.sh

@@ -11,8 +11,5 @@ whenavail "ssp-idp1.local" 80 10 echo IDP 1 ready
 whenavail "ssp-sp1.local"  80 10 echo SP 1 ready
 
 ./vendor/bin/behat \
-    --append-snippets \
-    --snippets-for=FeatureContext \
     --no-interaction \
-    --stop-on-failure #\
-    #--strict
+    --stop-on-failure