From e74f053e75e7fb808418fad8249af857ed8e70a1 Mon Sep 17 00:00:00 2001 From: Bas Strooband Date: Tue, 28 Jul 2020 15:57:42 +0200 Subject: [PATCH] Update 4.0.0 documentation Add the changelog and change some documentation to reflect the changes after the upgrade to php72 and Symfony 4.4 (Flex) --- CHANGELOG.md | 12 ++++++++++++ README.md | 4 ++-- bin/extract-translations.sh | 2 +- docs/MiddlewareConfiguration.md | 4 ++-- docs/test-data.md | 6 +++--- 5 files changed, 20 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0d6080b75..c370bf4d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ # Changelog +# 4.0.0 +From this version PHP 7.2 is supported and support for PHP 5.6 is dropped. + +Be aware that the new Symfony directory structure is now used. So if you are overwriting for example config files it is recommended +to verify the location on forehand. Also the file extensions of Yaml files are changed and some Symfony specific special characters +need to be escaped. + +See: https://github.com/symfony/symfony/blob/4.4/UPGRADE-4.0.md + +**Improvements** +* Upgrade to Symfony4.4 LTS with PHP7.2 support #307 + # 3.1.8 **Feature** * Added identity & token bootstrap console commands (for test) #302 #303 #304 #305 diff --git a/README.md b/README.md index a4d954dae..66068f118 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ This component is part of "Step-up Authentication as-a Service". See [Stepup-Dep Clone the repository or download the archive to a directory. Install the dependencies by running `composer install` and fill out the database credentials et cetera. -Make sure to run database migrations using `app/console middleware:migrations:migrate`. +Make sure to run database migrations using `bin/console middleware:migrations:migrate`. ## Management API 
@@ -31,7 +31,7 @@ Some of the configuratio of the components is static (i.e. stored in parameteres ### Adding new events -Whenever adding a new event, be sure to update `app/config/events.yml`. +Whenever adding a new event, be sure to update `bin/config/events.yml`. This is a list of events that is shown when replaying events. Also be sure to create or update the event serialization/deserialization tests, for example see [EventSerializationAndDeserializationTest for Configuration events][event-serialization-example] diff --git a/bin/extract-translations.sh b/bin/extract-translations.sh index 755b91c9a..8a9cb3004 100755 --- a/bin/extract-translations.sh +++ b/bin/extract-translations.sh @@ -1,2 +1,2 @@ #!/bin/bash -app/console translation:extract --config=default --env=dev +php72 bin/console translation:extract --config=default --env=dev diff --git a/docs/MiddlewareConfiguration.md b/docs/MiddlewareConfiguration.md index 8a66a6c9a..3f464de09 100644 --- a/docs/MiddlewareConfiguration.md +++ b/docs/MiddlewareConfiguration.md 
@@ -178,7 +178,7 @@ Each element in the ```service_providers``` array must be an object and contain * `entity_id` has a string as value that identifies the IdP that is listed as Authenticating Authority in the SAML assertion. * `public_key` contains the Base64 encoded X.509 certificate with the the public signing key of the SP (i.e. a PEM certificate, but without the PEM "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" headers and without whitespace). This is value of the X509Certificate element in the KeyDescriptor of the SAML 2.0 metadata of the SP. * The `acs` property contains a list of AssertionConsumerService (ACS) Location URLs to which the SAMLResponse may be sent. The Stepup-Gateway always uses the SAML HTTP-POST Binding to send the SAMLResponse the ACS location of the SP. The first ACS location in the `acs` list is the default location. When multiple ACS locations are present the SP can specify the ACS location to use in the AuthnRequest using the `AssertionConsumerServiceURL` attribute. The requested ACS location must match exacly with one of the enties in the `acs` property, otherwise the default location is used. For an SFO SP multiple ACS locations are not supported and the default location is always used. When the SFO SP is an ADFS MFA Plugin the verification is more relaxed, and it is only verified that the requested ACS location starts with the default location. Multiple ACS locations are supported since Stepup-Gateway 2.9.2 (Release 15) -* The `loa` property must contain a hash (object) with at least the key `__default__` with the default required minimum loa for the SP as value. The LoA values, even for SFO, that are used in the configuration are the values that are defined using the `gateway_loa_loa*` parameters in the [gateway configuration](https://github.com/OpenConext/Stepup-Gateway/blob/develop/app/config/parameters.yml.dist). 
+* The `loa` property must contain a hash (object) with at least the key `__default__` with the default required minimum loa for the SP as value. The LoA values, even for SFO, that are used in the configuration are the values that are defined using the `gateway_loa_loa*` parameters in the [gateway configuration](https://github.com/OpenConext/Stepup-Gateway/blob/develop/config/legacy/parameters.yml.dist). For specific institutions an alternative minimum LoA can be specified by using the institution identifier (as used in the institution whitelist configuration) as the key, and the required minimum LoA as the value. * `second_factor_only` boolean determines whether this SP is allowed to use the Second Factor Only (SFO) mode. SFO uses different endpoints and metadata (/second-factor-only/metadata). Using SFO is mutually exclusive with using the normal endpoint (/second-factor-only/metadata). * `second_factor_only_nameid_patterns` contains a list of patterns (strings that may contain a '*' wildcard character) that are allowed to use the Second Factor Only mode. E.g. the wilcard pattern `urn:collab:person:example.org:*` matches all NameIDs that start with "urn:collab:person:example.org:". Does nothing if `second_factor_only` is not set to true. 
@@ -208,7 +208,7 @@ It is possible to specify a LoA in 3 places: The Gateway will require that the user authenticates with the highest LoA of all of these. I.e. it is possible the raise the LoA, not to lower it. -Second Factor Only (SFO) mode requires that AuthnRequests use LoA aliases in the AuthnRequest. However internally these are immediately translated to their equivalent LoAs. This means that the configuration must **not** use Second Factor Only LoA aliases, only the LoAs defined in the `gateway_loa_loa*` parameters in the [gateway configuration](https://github.com/OpenConext/Stepup-Gateway/blob/develop/app/config/parameters.yml.dist). +Second Factor Only (SFO) mode requires that AuthnRequests use LoA aliases in the AuthnRequest. However internally these are immediately translated to their equivalent LoAs. This means that the configuration must **not** use Second Factor Only LoA aliases, only the LoAs defined in the `gateway_loa_loa*` parameters in the [gateway configuration](https://github.com/OpenConext/Stepup-Gateway/blob/develop/config/legacy/parameters.yml.dist). ### Example ```json diff --git a/docs/test-data.md b/docs/test-data.md index 85d672b16..ece9c6755 100644 --- a/docs/test-data.md +++ b/docs/test-data.md @@ -40,7 +40,7 @@ In order of appearance: **Example usage** ```bash -$ app/console middleware:bootstrap:sms urn:collab:person:institution-b:joe-beone institution-b.example.com "+31 (0) 612345678" vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' +$ bin/console middleware:bootstrap:sms urn:collab:person:institution-b:joe-beone institution-b.example.com "+31 (0) 612345678" vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' Adding a vetted SMS token for Joe Beone Creating an unverified SMS token Creating a verified SMS token 
@@ -62,7 +62,7 @@ In order of appearance: **Example usage** ```bash -$ app/console middleware:bootstrap:yubikey urn:collab:person:institution-b:joe-beone institution-b.example.com 01622612 vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' +$ bin/console middleware:bootstrap:yubikey urn:collab:person:institution-b:joe-beone institution-b.example.com 01622612 vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' Adding a vetted Yubikey token for Joe Beone Creating an unverified Yubikey token Creating a verified Yubikey token @@ -85,7 +85,7 @@ In order of appearance: **Example usage** ```bash -$ app/console middleware:bootstrap:gssp urn:collab:person:institution-b:joe-beone institution-b.example.com tiqr t39dk-aas vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' +$ bin/console middleware:bootstrap:gssp urn:collab:person:institution-b:joe-beone institution-b.example.com tiqr t39dk-aas vetted 'db9b8bdf-720c-44ba-a4c4-154953e45f14' Adding a vetted tiqr GSSP token for Joe Beone Creating an unverified tiqr token Creating an verified tiqr token
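Review bot: In the CHANGELOG.md hunk, the 4.0.0 entry says "some Symfony specific special characters need to be escaped" without naming the characters or showing an example, so an operator who overrides config files cannot tell what to check before upgrading. Name the characters or point at the relevant section of the linked UPGRADE-4.0.md. The same applies to "the file extensions of Yaml files are changed": state the old and new extension. Wording: "on forehand" should read "beforehand", and "Symfony4.4 LTS with PHP7.2" is missing spaces.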
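Review bot: In the second README.md hunk ("Adding new events"), `app/config/events.yml` becomes `bin/config/events.yml`, which looks like a search-and-replace of `app/` with `bin/` rather than the real new location. Elsewhere in this patch `bin/` only holds `console` and `extract-translations.sh`, and the Stepup-Gateway link moves `app/config/` to `config/legacy/`. Please verify where the events list lives after the move to the new directory structure, and whether its extension changed as the CHANGELOG entry says, then correct the path.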
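Review bot: In bin/extract-translations.sh the new command line hardcodes a `php72` binary, while the README and docs/test-data.md hunks in this same patch invoke `bin/console` directly. The script will fail on any host where PHP 7.2 is not installed under that exact name. Either call `bin/console` like the documentation does, or document the `php72` requirement next to the script.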
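Review bot: In the docs/MiddlewareConfiguration.md hunk at line 178, the unchanged `second_factor_only` bullet gives `/second-factor-only/metadata` as the path for both the SFO endpoint and the "normal endpoint" it is said to be mutually exclusive with, so the reader cannot tell which metadata URL belongs to which mode. Since this list is being touched anyway, correct the second path. The same context lines also carry typos worth fixing in a documentation pass: "the the public signing key", "exacly", "enties" and "wilcard".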
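Review bot: In the docs/MiddlewareConfiguration.md hunk at line 208 (and the `loa` bullet in the hunk at line 178), the updated link still targets the `develop` branch of Stepup-Gateway. This patch exists because that file moved from `app/config/` to `config/legacy/`, and a branch link will break again on the next move. Link to a release tag that matches this 4.0.0 documentation instead, so the LoA parameter names the reader is told to use match the Gateway version they deploy. Minor wording in the context above it: "it is possible the raise the LoA" should be "to raise".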