diff --git a/README.md b/README.md
deleted file mode 100644
index 9f9d64d..0000000
--- a/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# SimpleSAMLphpAuth
-Authentication plugin for SimpleSAMLphp
diff --git a/SimpleSAMLphpAuth.php b/SimpleSAMLphpAuth.php
new file mode 100644
index 0000000..28d076b
--- /dev/null
+++ b/SimpleSAMLphpAuth.php
@@ -0,0 +1,97 @@
+name = plugin_lang_get( 'title' );
+ $this->description = plugin_lang_get( 'description' );
+ $this->page = 'config_page';
+
+ $this->version = '0.1';
+ $this->requires = array(
+ 'MantisCore' => '2.4.0',
+ );
+
+ $this->author = 'Erwann PENET';
+ $this->contact = '';
+ $this->url = 'https://github.com/mantisbt-plugins/SimpleSAMLphpAuth';
+ }
+
+ /**
+ * plugin hooks
+ * @return array
+ */
+ function hooks() {
+ $t_hooks = array(
+ 'EVENT_AUTH_USER_FLAGS' => 'auth_user_flags',
+ );
+
+ return $t_hooks;
+ }
+
+ function config() {
+ return array(
+ 'autoloader_path' => '',
+ 'SP_name' => '',
+ 'auth_attributes_username' => '',
+ 'auth_attributes_email' => ''
+ );
+ }
+
+ function auth_user_flags( $p_event_name, $p_args ) {
+ # Don't access DB if db_is_connected() is false.
+
+ $t_username = $p_args['username'];
+
+ $t_user_id = $p_args['user_id'];
+
+ # If user is unknown, don't handle authentication for it, since this plugin doesn't do
+ # auto-provisioning
+ if( !$t_user_id ) {
+ return null;
+ }
+
+ # If anonymous user, don't handle it.
+ if( user_is_anonymous( $t_user_id ) ) {
+ return null;
+ }
+
+ $t_access_level = user_get_access_level( $t_user_id, ALL_PROJECTS );
+
+ /*
+ # Have administrators use default login flow
+ if( $t_access_level >= ADMINISTRATOR ) {
+ return null;
+ }
+ */
+
+ # for everybody else use the custom authentication
+ $t_flags = new AuthFlags();
+
+ # Passwords managed externally for all users
+ $t_flags->setCanUseStandardLogin( false );
+ $t_flags->setPasswordManagedExternallyMessage( 'Passwords are no more, you cannot change them!' );
+
+ # No one can use standard auth mechanism
+
+ # Override Login page and Logout Redirect
+ $t_flags->setCredentialsPage( helper_url_combine( plugin_page( 'login', /* redirect */ true ), 'username=' . $t_username ) );
+ $t_flags->setLogoutRedirectPage( plugin_page( 'logout', /* redirect */ true ) );
+
+ # No long term session for identity provider to be able to kick users out.
+ $t_flags->setPermSessionEnabled( false );
+
+ # Enable re-authentication and use more aggressive timeout.
+ $t_flags->setReauthenticationEnabled( true );
+ $t_flags->setReauthenticationLifetime( 10 );
+
+ return $t_flags;
+ }
+}
diff --git a/lang/strings_english.txt b/lang/strings_english.txt
new file mode 100644
index 0000000..1061f98
--- /dev/null
+++ b/lang/strings_english.txt
@@ -0,0 +1,14 @@
+
+
+
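Review bot: The credentials-page URL built by `setCredentialsPage()` near the end of the hunk appends the username raw, `'username=' . $t_username`, so a username containing `&`, `+`, `#`, `%` or a space yields a different query string than intended; use `'username=' . urlencode( $t_username )` (or `http_build_query()`, as pages/login.php in this same commit already does for its error redirect). The first comment in `auth_user_flags()`, `# Don't access DB if db_is_connected() is false.`, is not followed by any such check while `user_is_anonymous()` and `user_get_access_level()` are called unconditionally, and `$t_access_level` is only read inside the commented-out administrator block, so either add the guard and restore that block or drop both the comment and the dead assignment. `config()` declares `autoloader_path`, `SP_name`, `auth_attributes_username` and `auth_attributes_email`, whereas readme.md in the same commit documents `service_provider`, `users_no_saml` and `users_saml` and describes per-user SAML bypass logic that this method does not implement, so the code and its documentation should be reconciled before release. The hunk's opening lines (file header, class declaration and the start of `register()`) are not visible here, and only `hooks()` carries a docblock; `config()` and `auth_user_flags()` would benefit from one stating the returned keys and the `$p_args` entries read (`username`, `user_id`).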
+
+
+
+
+
+
+

+ + +

+
+ +
+
+
+ + + + + + + + + + + + + + + + + +
+
+
+
+ +
+
+
+
+
+
+
+
+requireAuth();
+if( $t_simplesamlphp_instance->isAuthenticated() ) {
+ $t_simplesamlphp_attributes = $t_simplesamlphp_instance->getAttributes();
+ $f_username = $t_simplesamlphp_attributes[ plugin_config_get( 'auth_attributes_username' ) ][0];
+}
+
+$t_user_id = is_blank( $f_username ) ? false : user_get_id_by_name( $f_username );
+
+if( $t_user_id == false ) {
+ $t_query_args = array(
+ 'error' => 1,
+ 'username' => $f_username,
+ );
+
+ if( !is_blank( 'return' ) ) {
+ $t_query_args['return'] = $t_return;
+ }
+
+ if( $f_reauthenticate ) {
+ $t_query_args['reauthenticate'] = 1;
+ }
+
+ $t_query_text = http_build_query( $t_query_args, '', '&' );
+
+ $t_uri = auth_login_page( $t_query_text );
+
+ print_header_redirect( $t_uri );
+}
+
+# Let user into MantisBT
+auth_login_user( $t_user_id );
+
+# Redirect to original page user wanted to access before authentication
+if( !is_blank( $t_return ) ) {
+ print_header_redirect( 'login_cookie_test.php?return=' . $t_return );
+}
+
+# If no return page, redirect to default page
+print_header_redirect( config_get( 'default_home_page' ) );
diff --git a/pages/logout.php b/pages/logout.php
new file mode 100644
index 0000000..7db914d
--- /dev/null
+++ b/pages/logout.php
@@ -0,0 +1,13 @@
+logout(config_get( 'path' ) . auth_login_page());
+
+# User is already logged out from Mantis
+# TODO: logout from external identity provider
+
+print_header_redirect( auth_login_page(), true, false );
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..6f56418
--- /dev/null
+++ b/readme.md
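Review bot: The guard `if( !is_blank( 'return' ) )` in the unknown-user branch tests the literal string `'return'`, which is never blank, so `$t_query_args['return'] = $t_return` runs unconditionally; it should read `if( !is_blank( $t_return ) ) {`, the same check the later cookie-test redirect already uses. That later line, `print_header_redirect( 'login_cookie_test.php?return=' . $t_return );`, concatenates `$t_return` into the query string unencoded, unlike the error path which goes through `http_build_query()`; `'login_cookie_test.php?return=' . urlencode( $t_return )` keeps the two paths consistent. `$f_username = $t_simplesamlphp_attributes[ plugin_config_get( 'auth_attributes_username' ) ][0]` assumes the configured attribute is present and non-empty in the assertion, so a wrong attribute name surfaces as an undefined-index notice rather than a clear failure; checking the key with `isset()` and failing with a descriptive message first would make mis-configuration diagnosable. The start of this hunk, where `$t_return`, `$f_reauthenticate` and `$t_simplesamlphp_instance` are presumably set, is not visible here.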
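Review bot: The comment `# TODO: logout from external identity provider` directly follows a call to `->logout( config_get( 'path' ) . auth_login_page() )`, which looks like the SimpleSAMLphp logout with a return URL; if that call redirects and does not return, the final `print_header_redirect( auth_login_page(), true, false )` is unreachable, and if it does return, the TODO is misleading. Either way the comment and the code disagree, so the comment should state what the call actually does (e.g. `# Ask the identity provider to end its session, then return to the login page`) or the dead redirect should be removed. The hunk's opening lines, including the receiver of the `->logout()` call, are not visible here.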
@@ -0,0 +1,22 @@
+# SimpleSAMLphpAuth Plugin
+
+This is an authentication plugin for SimpleSAMLphp.
+
+The authentication mechanism implemented by this plugin works as follows:
+- If users_no_saml config setting is not empty, and contains the user ID, use standard authentication.
+- If users_saml config setting is not empty, and **doesn't** contain user ID, use standard authentication.
+- If user is not registered in the db, user standard behavior.
+- Otherwise, auto-signin the user without a password.
+
+Users that are auto-signed in, can't manage or use passwords that are stored in the MantisBT database.
+
+## Configuration options
+- **autoloader_path** this is the path to the autoloader for simplesaml (eg. /simplesaml/lib/_autoload.php)
+- **service_provider** this is the name of the service provider for simplesaml (eg. default-sp)
+- **auth_attributes_username** this is the name of the SAML attribute containing the username of the user (used for matching user account)
+- **auth_attributes_email** this is the name of the SAML attribute containing the email of the user (used for user provisionning)
+- **users_no_saml** users (one username per line) to bypass SAML authentication (eg. administrators)
+- **users_saml** users (one username per line) for which to use SAML authentication (eg. for testing before deploying to all users)
+
+## Dependencies
+MantisBT v2.4.0