From dad747cc6d125d6816e3f35eb4541b2c26169306 Mon Sep 17 00:00:00 2001
From: epenet
Date: Tue, 23 May 2017 16:51:07 +0200
Subject: [PATCH 1/6] Initial upload
---
 SimpleSAMLphpAuth.php | 104 +++++++++++++++++++++++++++++++++++++++
 lang/strings_english.txt | 14 ++++++
 pages/config_page.php | 79 +++++++++++++++++++++++++++++
 pages/config_update.php | 41 +++++++++++++++
 pages/login.php | 55 +++++++++++++++++++++
 pages/logout.php | 14 ++++++
 6 files changed, 307 insertions(+)
 create mode 100644 SimpleSAMLphpAuth.php
 create mode 100644 lang/strings_english.txt
 create mode 100644 pages/config_page.php
 create mode 100644 pages/config_update.php
 create mode 100644 pages/login.php
 create mode 100644 pages/logout.php
diff --git a/SimpleSAMLphpAuth.php b/SimpleSAMLphpAuth.php
new file mode 100644
index 0000000..0dd87c6
--- /dev/null
+++ b/SimpleSAMLphpAuth.php
@@ -0,0 +1,104 @@
+name = plugin_lang_get( 'title' );
+ $this->description = plugin_lang_get( 'description' );
+ $this->page = 'config_page';
+
+ $this->version = '0.1';
+ $this->requires = array(
+ 'MantisCore' => '2.4.0',
+ );
+
+ $this->author = 'Erwann PENET';
+ $this->contact = '';
+ $this->url = 'https://github.com/mantisbt-plugins/SimpleSAMLphpAuth';
+ }
+
+ /**
+ * plugin hooks
+ * @return array
+ */
+ function hooks() {
+ $t_hooks = array(
+ 'EVENT_AUTH_USER_FLAGS' => 'auth_user_flags',
+ );
+
+ return $t_hooks;
+ }
+
+ function config() {
+ return array(
+ 'autoloader_path' => '',
+ 'SP_name' => '',
+ 'auth_attributes_username' => '',
+ 'auth_attributes_email' => ''
+ );
+ }
+
+ function auth_user_flags( $p_event_name, $p_args ) {
+ # Don't access DB if db_is_connected() is false.
+
+ $t_username = $p_args['username'];
+
+ $t_user_id = $p_args['user_id'];
+
+ # If user is unknown, don't handle authentication for it, since this plugin doesn't do
+ # auto-provisioning
+ if( !$t_user_id ) {
+ return null;
+ }
+
+ # If anonymous user, don't handle it.
+ if( user_is_anonymous( $t_user_id ) ) {
+ return null;
+ }
+
+ $t_access_level = user_get_access_level( $t_user_id, ALL_PROJECTS );
+
+ /*
+ # Have administrators use default login flow
+ if( $t_access_level >= ADMINISTRATOR ) {
+ return null;
+ }
+ */
+
+ # Have Administrator use default login flow
+ if( $t_user_id == 1 ) {
+ return null;
+ }
+
+
+ # for everybody else use the custom authentication
+ $t_flags = new AuthFlags();
+
+ # Passwords managed externally for all users
+ $t_flags->setCanUseStandardLogin( false );
+ $t_flags->setPasswordManagedExternallyMessage( 'Passwords are no more, you cannot change them!' );
+
+ # No one can use standard auth mechanism
+
+ # Override Login page and Logout Redirect
+ $t_flags->setCredentialsPage( helper_url_combine( plugin_page( 'login', /* redirect */ true ), 'username=' .
$t_username ) );
+ $t_flags->setLogoutRedirectPage( plugin_page( 'logout', /* redirect */ true ) );
+
+ # No long term session for identity provider to be able to kick users out.
+ $t_flags->setPermSessionEnabled( false );
+
+ # Enable re-authentication and use more aggressive timeout.
+ $t_flags->setReauthenticationEnabled( true );
+ $t_flags->setReauthenticationLifetime( 10 );
+
+ return $t_flags;
+ }
+}
diff --git a/lang/strings_english.txt b/lang/strings_english.txt
new file mode 100644
index 0000000..1061f98
--- /dev/null
+++ b/lang/strings_english.txt
@@ -0,0 +1,14 @@
+
+
+
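Review bot: `$t_username`, taken straight from `$p_args['username']`, is concatenated raw into the credentials-page query string at `'username=' . $t_username`, so a name containing `&`, `#` or `%` yields a malformed or attacker-shaped URL; it should be `'username=' . urlencode( $t_username )`. `$t_access_level` is looked up but only referenced by the commented-out block below it, so either the lookup or the dead block should go rather than leaving a DB query whose result is discarded. The comment `# Don't access DB if db_is_connected() is false.` is not backed by any such check before `user_is_anonymous()` and `user_get_access_level()` run, so it should either become a real guard or be removed. The file's `<?php` header and the start of `register()` are stripped from this view, so the class declaration itself cannot be checked here.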
+
+
+
+
+
+
+

+ + +

+
+ +
+
+
+ + + + + + + + + + + + + + + + + +
+
+
+
+ +
+
+
+
+
+
+
+
+
diff --git a/pages/config_update.php b/pages/config_update.php
new file mode 100644
index 0000000..5c2ce72
--- /dev/null
+++ b/pages/config_update.php
@@ -0,0 +1,41 @@
+
diff --git a/pages/login.php b/pages/login.php
new file mode 100644
index 0000000..68af1c9
--- /dev/null
+++ b/pages/login.php
@@ -0,0 +1,55 @@
+requireAuth();
+if( $t_simplesamlphp_instance->isAuthenticated() ) {
+ $t_simplesamlphp_attributes = $t_simplesamlphp_instance->getAttributes();
+ $f_username = $t_simplesamlphp_attributes[ plugin_config_get( 'auth_attributes_username' ) ][0];
+}
+
+$t_user_id = is_blank( $f_username ) ? false : user_get_id_by_name( $f_username );
+
+if( $t_user_id == false ) {
+ $t_query_args = array(
+ 'error' => 1,
+ 'username' => $f_username,
+ );
+
+ if( !is_blank( 'return' ) ) {
+ $t_query_args['return'] = $t_return;
+ }
+
+ if( $f_reauthenticate ) {
+ $t_query_args['reauthenticate'] = 1;
+ }
+
+ $t_query_text = http_build_query( $t_query_args, '', '&' );
+
+ $t_uri = auth_login_page( $t_query_text );
+
+ print_header_redirect( $t_uri );
+}
+
+# Let user into MantisBT
+auth_login_user( $t_user_id );
+
+# Redirect to original page user wanted to access before authentication
+if( !is_blank( $t_return ) ) {
+ print_header_redirect( 'login_cookie_test.php?return=' . $t_return );
+}
+
+# If no return page, redirect to default page
+print_header_redirect( config_get( 'default_home_page' ) );
diff --git a/pages/logout.php b/pages/logout.php
new file mode 100644
index 0000000..3e4e15a
--- /dev/null
+++ b/pages/logout.php
@@ -0,0 +1,14 @@
+logout(config_get( 'path' ) . auth_login_page());
+
+# User is already logged out from Mantis
+# TODO: logout from external identity provider
+
+print_header_redirect( auth_login_page(), true, false );
From 941ed602eedec0e52e6309f349cddfaf93489b1c Mon Sep 17 00:00:00 2001
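Review bot: `if( !is_blank( 'return' ) )` tests the literal string `'return'`, which is never blank, so on the error path `$t_query_args['return'] = $t_return` is always emitted even when `$t_return` is empty; it should read `if( !is_blank( $t_return ) )`, matching the check used later before the `login_cookie_test.php` redirect. `$t_return` is also concatenated unencoded into `'login_cookie_test.php?return=' . $t_return`; the lines that derive it sit above this view, so unless it already passes through `string_sanitize_url()` and is URL-encoded there, that must happen here to keep the redirect target inside this MantisBT instance. `$t_simplesamlphp_attributes[ ... ][0]` raises a notice and leaves `$f_username` unset when the configured attribute is missing from the assertion, so the lookup should be guarded with `isset()` and fall through to the error branch rather than relying on whatever `$f_username` held beforehand. The top of this file, including the construction of `$t_simplesamlphp_instance` and any GPC reads, is stripped from this view.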
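Review bot: The comment `# TODO: logout from external identity provider` contradicts the `logout(config_get( 'path' ) . auth_login_page())` call two lines above it, which already hands the logout to the SimpleSAMLphp instance (the receiver expression is cut off in this view), so one of the two is stale and should be removed. If that call redirects to the IdP and exits, as SimpleSAMLphp's Simple API does when given a return URL, the trailing `print_header_redirect( auth_login_page(), true, false )` is only reached when no single-logout redirect was issued, which deserves a comment such as `# Only reached if the SP did not redirect to the IdP for single logout`. Building the return URL from `config_get( 'path' )` is correct in that it keeps the target on this MantisBT instance; that intent is worth stating in a comment since it is the only thing preventing an open redirect here.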
From: epenet
Date: Tue, 23 May 2017 17:01:27 +0200
Subject: [PATCH 2/6] Add files via upload
---
 readme.md | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 readme.md
diff --git a/readme.md b/readme.md
new file mode 100644
index 0000000..eec8870
--- /dev/null
+++ b/readme.md
@@ -0,0 +1,19 @@
+# SimpleSAMLphpAuth Plugin
+
+This is an authentication plugin for SimpleSAMLphp.
+
+The authentication mechanism implemented by this plugin works as follows:
+- If user ID is 1 (Administrator), use standard authentication.
+- If user is not registered in the db, user standard behavior.
+- Otherwise, auto-signin the user without a password.
+
+Users that are auto-signed in, can't manage or use passwords that are stored in the MantisBT database.
+
+## Configuration options
+**autoloader_path** this is the path to the autoloader for simplesaml (eg. /simplesaml/lib/_autoload.php)
+**SP_name** this is the path to the autoloader for simplesaml (eg. default-sp)
+**auth_attributes_username** this is the name of the SAML attribute containing the username of the user
+**auth_attributes_email** this is the name of the SAML attribute containing the email of the user
+
+## Dependencies
+MantisBT v2.4.0
From eba11cc24dbb2d9eb4828eb0c7028148afd14016 Mon Sep 17 00:00:00 2001
From: epenet
Date: Tue, 23 May 2017 17:02:14 +0200
Subject: [PATCH 3/6] Delete README.md
---
 README.md | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 README.md
diff --git a/README.md b/README.md
deleted file mode 100644
index 9f9d64d..0000000
--- a/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# SimpleSAMLphpAuth
-Authentication plugin for SimpleSAMLphp
From 0803df52a4a712b20e11cdf4973931aec1de9f94 Mon Sep 17 00:00:00 2001
From: epenet
Date: Tue, 23 May 2017 17:02:45 +0200
Subject: [PATCH 4/6] Update readme.md
---
 readme.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/readme.md b/readme.md
index eec8870..287ccec 100644
--- a/readme.md
+++ b/readme.md
@@ -10,10 +10,10 @@ The authentication mechanism implemented by this plugin works as follows:
 Users that are auto-signed in, can't manage or use passwords that are stored in the MantisBT database.
 ## Configuration options
-**autoloader_path** this is the path to the autoloader for simplesaml (eg. /simplesaml/lib/_autoload.php)
-**SP_name** this is the path to the autoloader for simplesaml (eg. default-sp)
-**auth_attributes_username** this is the name of the SAML attribute containing the username of the user
-**auth_attributes_email** this is the name of the SAML attribute containing the email of the user
+- **autoloader_path** this is the path to the autoloader for simplesaml (eg. /simplesaml/lib/_autoload.php)
+- **SP_name** this is the path to the autoloader for simplesaml (eg. default-sp)
+- **auth_attributes_username** this is the name of the SAML attribute containing the username of the user
+- **auth_attributes_email** this is the name of the SAML attribute containing the email of the user
 ## Dependencies
 MantisBT v2.4.0
From c4c27e1f92f7c77263dd3d9ed6cbb6c36cafaa10 Mon Sep 17 00:00:00 2001
From: epenet
Date: Tue, 23 May 2017 17:25:01 +0200
Subject: [PATCH 5/6] Add files via upload
Updates following feedback from @dregad
---
 SimpleSAMLphpAuth.php | 7 ------
 pages/config_page.php | 33 +++++---------------------
 pages/config_update.php | 50 +++++++++++++---------------------------
 pages/login.php | 1 -
 pages/logout.php | 1 -
 5 files changed, 21 insertions(+), 71 deletions(-)
diff --git a/SimpleSAMLphpAuth.php b/SimpleSAMLphpAuth.php
index 0dd87c6..28d076b 100644
--- a/SimpleSAMLphpAuth.php
+++ b/SimpleSAMLphpAuth.php
@@ -1,5 +1,4 @@
@@ -76,4 +56,3 @@
diff --git a/pages/config_update.php b/pages/config_update.php
index 5c2ce72..75a6203 100644
--- a/pages/config_update.php
+++ b/pages/config_update.php
@@ -1,41 +1,21 @@
+form_security_purge( 'plugin_SimpleSAMLphpAuth_config_update' );
+print_successful_redirect( plugin_page( 'config_page', true ) );
diff --git a/pages/login.php b/pages/login.php
index 68af1c9..b6c5ccf 100644
--- a/pages/login.php
+++ b/pages/login.php
@@ -1,5 +1,4 @@
Date: Mon, 4 Sep 2017 11:08:04 +0200
Subject: [PATCH 6/6] New version of initial branch
Updates following feedback from @dregad, @vboctor and @libregeek
---
 readme.md | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/readme.md b/readme.md
index 287ccec..6f56418 100644
--- a/readme.md
+++ b/readme.md
@@ -3,7 +3,8 @@
 This is an authentication plugin for SimpleSAMLphp.
 The authentication mechanism implemented by this plugin works as follows:
-- If user ID is 1 (Administrator), use standard authentication.
+- If users_no_saml config setting is not empty, and contains the user ID, use standard authentication.
+- If users_saml config setting is not empty, and **doesn't** contain user ID, use standard authentication.
 - If user is not registered in the db, user standard behavior.
 - Otherwise, auto-signin the user without a password.
@@ -11,9 +12,11 @@ Users that are auto-signed in, can't manage or use passwords that are stored in
 ## Configuration options
 - **autoloader_path** this is the path to the autoloader for simplesaml (eg. /simplesaml/lib/_autoload.php)
-- **SP_name** this is the path to the autoloader for simplesaml (eg. default-sp)
-- **auth_attributes_username** this is the name of the SAML attribute containing the username of the user
-- **auth_attributes_email** this is the name of the SAML attribute containing the email of the user
+- **service_provider** this is the name of the service provider for simplesaml (eg. default-sp)
+- **auth_attributes_username** this is the name of the SAML attribute containing the username of the user (used for matching user account)
+- **auth_attributes_email** this is the name of the SAML attribute containing the email of the user (used for user provisionning)
+- **users_no_saml** users (one username per line) to bypass SAML authentication (eg. administrators)
+- **users_saml** users (one username per line) for which to use SAML authentication (eg. for testing before deploying to all users)
 ## Dependencies
 MantisBT v2.4.0